heads/initrd/etc/functions

#!/bin/sh
# Shell functions for most initialization scripts

die() {
	echo >&2 "$*";
	exit 1;
}

warn() {
	echo >&2 "$*";
}

recovery() {
	echo >&2 "!!!!! $*"

	# Remove any temporary secret files that might be hanging around
	# but recreate the directory so that new tools can use it.
	rm -rf /tmp/secret
	mkdir -p /tmp/secret
	tpm extend -ix 4 -ic recovery

	echo >&2 "!!!!! Starting recovery shell"
	sleep 1
	exec /bin/ash
}


pcrs() {
	head -7 /sys/class/tpm/tpm0/pcrs
}

confirm_totp()
{
	last_half=X

	while true; do

		# update the TOTP code every thirty seconds
		date=`date "+%Y-%m-%d %H:%M:%S"`
		seconds=`date "+%s"`
		half=`expr \( $seconds % 60 \) / 30`
		if [ "$half" != "$last_half" ]; then
			last_half=$half;
			TOTP=`unseal-totp` \
			|| recovery "TOTP code generation failed"
		fi

		echo -n "$date $TOTP: "

		# read the first character, non-blocking
		read \
			-t 1 \
			-n 1 \
			-s \
			-p "Confirm TOTP with a 'y': " \
			totp_confirm \
		&& break

		# nothing typed, redraw the line
		echo -ne '\r'
	done

	# clean up with a newline
	echo
}

confirm_gpg_card()
{
	# setup the USB so we can reach the GPG card
	if ! lsmod | grep -q ehci_hcd; then
		insmod /lib/modules/ehci-hcd.ko \
		|| die "ehci_hcd: module load failed"
	fi
	if ! lsmod | grep -q ehci_pci; then
		insmod /lib/modules/ehci-pci.ko \
		|| die "ehci_pci: module load failed"
	fi
	if ! lsmod | grep -q xhci_hcd; then
		insmod /lib/modules/xhci-hcd.ko \
		|| die "ehci_hcd: module load failed"
	fi
	if ! lsmod | grep -q xhci_pci; then
		insmod /lib/modules/xhci-pci.ko \
		|| die "ehci_pci: module load failed"
		sleep 2
	fi

	gpg --card-status \
	|| die "gpg card read failed"
}
common recovery shell functions (issue #161) 2017-04-12 10:48:38 +00:00			`#!/bin/sh`
			`# Shell functions for most initialization scripts`

			`die() {`
			`echo >&2 "$*";`
			`exit 1;`
			`}`

			`warn() {`
			`echo >&2 "$*";`
			`}`

			`recovery() {`
			`echo >&2 "!!!!! $*"`

			`# Remove any temporary secret files that might be hanging around`
			`# but recreate the directory so that new tools can use it.`
			`rm -rf /tmp/secret`
			`mkdir -p /tmp/secret`
			`tpm extend -ix 4 -ic recovery`

			`echo >&2 "!!!!! Starting recovery shell"`
			`sleep 1`
			`exec /bin/ash`
			`}`


			`pcrs() {`
			`head -7 /sys/class/tpm/tpm0/pcrs`
			`}`
adds a USB boot option with basic parsing to kexec Supports booting from USB media using either the root device or a signed ISO as the boot device. Boot options are parsed with quick/dirty shell scripts to infer kexec params. Closes #195 and begins to address #196 2017-04-29 17:40:34 +00:00
			`confirm_totp()`
			`{`
			`last_half=X`

			`while true; do`

			`# update the TOTP code every thirty seconds`
			date=`date "+%Y-%m-%d %H:%M:%S"`
			seconds=`date "+%s"`
			half=`expr \( $seconds % 60 \) / 30`
			`if [ "$half" != "$last_half" ]; then`
			`last_half=$half;`
			TOTP=`unseal-totp` \
			`\|\| recovery "TOTP code generation failed"`
			`fi`

			`echo -n "$date $TOTP: "`

			`# read the first character, non-blocking`
			`read \`
			`-t 1 \`
			`-n 1 \`
			`-s \`
			`-p "Confirm TOTP with a 'y': " \`
			`totp_confirm \`
			`&& break`

			`# nothing typed, redraw the line`
			`echo -ne '\r'`
			`done`

			`# clean up with a newline`
			`echo`
			`}`
Added the ability to persist a default boot option Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and if successful, boot directly to OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery not met. 2017-07-04 23:49:14 +00:00
			`confirm_gpg_card()`
			`{`
			`# setup the USB so we can reach the GPG card`
			`if ! lsmod \| grep -q ehci_hcd; then`
			`insmod /lib/modules/ehci-hcd.ko \`
			`\|\| die "ehci_hcd: module load failed"`
			`fi`
			`if ! lsmod \| grep -q ehci_pci; then`
			`insmod /lib/modules/ehci-pci.ko \`
			`\|\| die "ehci_pci: module load failed"`
			`fi`
			`if ! lsmod \| grep -q xhci_hcd; then`
			`insmod /lib/modules/xhci-hcd.ko \`
			`\|\| die "ehci_hcd: module load failed"`
			`fi`
			`if ! lsmod \| grep -q xhci_pci; then`
			`insmod /lib/modules/xhci-pci.ko \`
			`\|\| die "ehci_pci: module load failed"`
			`sleep 2`
			`fi`

			`gpg --card-status \`
			`\|\| die "gpg card read failed"`
			`}`