ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-20 21:43:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
a1343666d5
heads/initrd/bin/kexec-select-boot

431 lines
12 KiB
Plaintext
Raw Normal View History

Add dual support for real bash and busybox's bash(ash) - modify bash to have it configured with -Os
2023-02-08 21:01:48 +00:00
#!/bin/bash
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
# Generic configurable boot script via kexec
Added TPM secret management to generic boot Also cleaned up error handling and boot parsing edge cases
2017-07-12 04:17:45 +00:00
set -e -o pipefail
Use global /tmp/config that combines multiple config files As part of the config gui we want to be able to have the system define new config options without them being lost if the user makes their own changes in CBFS. To allow that this change creates a function initiated in init that combines all /etc/config* files into /tmp/config. All existing scripts have been changed to source /tmp/config instead of /etc/config. The config-gui.sh script now uses /etc/config.user to hold user configuration options but the combine_configs function will allow that to expand as others want to split configuration out further. As it stands here are the current config files: /etc/config -- Compiled-in configuration options /etc/config.user -- User preferences that override /etc/config /tmp/config -- Running config referenced by the BIOS, combination of existing configs
2018-12-06 23:24:28 +00:00
. /tmp/config
Added a generic boot config and persistent params Refactored boot parsing code and applied that in local-init to scan /boot for grub options and allow the user to unsafely boot anything. This goes a long way to addressing #196. Optionally the user can customize those boot parameters or enforce arbitrary hashes on the boot device by creating and signing config files in /boot/ or /media/ or /media/kexec_iso/ISO_FILENAME/.
2017-07-03 03:01:04 +00:00
. /etc/functions
Add functions to handle normal, warning, and error for whiptail and fbwhiptail. Signed-off-by: Matthew Drobnak <matthew@drobnak.com>
2024-06-06 22:59:13 +00:00
. /etc/gui_functions
Added a generic boot config and persistent params Refactored boot parsing code and applied that in local-init to scan /boot for grub options and allow the user to unsafely boot anything. This goes a long way to addressing #196. Optionally the user can customize those boot parameters or enforce arbitrary hashes on the boot device by creating and signing config files in /boot/ or /media/ or /media/kexec_iso/ISO_FILENAME/.
2017-07-03 03:01:04 +00:00
all scripts: replace TRACE manual strings with dynamic tracing by bash debug Exception: scripts sourcing/calls within etc/ash_functions continues to use old TRACE functions until we switch to bash completely getting rid of ash. This would mean getting rid of legacy boards (flash + legacy boards which do not have enough space for bash in flash boards) once and for all. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-02-01 19:30:31 +00:00
TRACE_FUNC
All scripts and functions: Add DEBUG calling trace on console when CONFIG_DEBUG_OUTPUT is exported in board config -qemu-coreboot-*whiptail-tpm1(-hotp) boards have 'export CONFIG_DEBUG_OUTPUT=y' by default now
2023-02-18 17:58:43 +00:00
Added the ability to persist a default boot option Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and if successful, boot directly to OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery not met.
2017-07-04 23:49:14 +00:00
add=""
remove=""
config="*.cfg"
unique="n"
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
valid_hash="n"
valid_global_hash="n"
valid_rollback="n"
Ensure recovery for failed default boot Should close #223 Added reboot and poweroff scripts using /proc/sysrq-trigger Also cleaned up the boot loop in generic-init
2017-07-22 18:57:46 +00:00
force_menu="n"
Add gui option to kexec-select-boot, use in gui-init menu option When selecting the boot menu option (m) in the gui-init you call out to kexec-select-boot. To better maintain the graphical menu experience, I've added a -g option to kexec-select-boot that, when set, will use a graphical whiptail menu for the most common menu selection modes.
2018-02-22 21:18:16 +00:00
gui_menu="n"
Add a "force" option to kexec-select-boot to bypass hash checks The point of this change is to provide a failsafe (failunsafe?) mode for less technically-savvy users who will ultimately be using Heads by default on Librem laptops. There are some scenarios where an end user might forget to update hashes in /boot after an initrd change or might have some other hash mismatch. Currently that user would then be stuck in a recovery console in Heads not knowing what to do within that limited shell environment to fix the situation. This change adds a 'force' mode to kexec-select-boot that goes straight into a boot menu and bypasses the hash checks so the user could more easily get back into their system to attempt to repair it. It adds appropriate warnings about why this is a risky option and moves it down toward the bottom of the menu. The goal would be to just have this be an emergency option our support could guide a user to if they ended up in this situation.
2018-03-05 22:46:15 +00:00
force_boot="n"
Skip prompt to set default boot when booting from USB Since a USB boot target can't be the default (at least currently, /boot must be on internal media), skip the extraneous prompt to set it as such when booting from USB. Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-05-19 01:13:32 +00:00
skip_confirm="n"
while getopts "b:d:p:a:r:c:uimgfs" arg; do
Added the ability to persist a default boot option Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and if successful, boot directly to OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery not met.
2017-07-04 23:49:14 +00:00
case $arg in
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
b) bootdir="$OPTARG" ;;
d) paramsdev="$OPTARG" ;;
p) paramsdir="$OPTARG" ;;
a) add="$OPTARG" ;;
r) remove="$OPTARG" ;;
c) config="$OPTARG" ;;
u) unique="y" ;;
m) force_menu="y" ;;
i)
valid_hash="y"
valid_rollback="y"
;;
g) gui_menu="y" ;;
f)
force_boot="y"
valid_hash="y"
valid_rollback="y"
;;
s) skip_confirm="y" ;;
Added the ability to persist a default boot option Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and if successful, boot directly to OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery not met.
2017-07-04 23:49:14 +00:00
esac
done
if [ -z "$bootdir" ]; then
remove trailing / on the /boot device parameter
2017-07-17 16:43:14 +00:00
die "Usage: $0 -b /boot"
Added the ability to persist a default boot option Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and if successful, boot directly to OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery not met.
2017-07-04 23:49:14 +00:00
fi
Added a generic boot config and persistent params Refactored boot parsing code and applied that in local-init to scan /boot for grub options and allow the user to unsafely boot anything. This goes a long way to addressing #196. Optionally the user can customize those boot parameters or enforce arbitrary hashes on the boot device by creating and signing config files in /boot/ or /media/ or /media/kexec_iso/ISO_FILENAME/.
2017-07-03 03:01:04 +00:00
Added the ability to persist a default boot option Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and if successful, boot directly to OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery not met.
2017-07-04 23:49:14 +00:00
if [ -z "$paramsdev" ]; then
paramsdev="$bootdir"
fi
if [ -z "$paramsdir" ]; then
paramsdir="$bootdir"
fi
Added a generic boot config and persistent params Refactored boot parsing code and applied that in local-init to scan /boot for grub options and allow the user to unsafely boot anything. This goes a long way to addressing #196. Optionally the user can customize those boot parameters or enforce arbitrary hashes on the boot device by creating and signing config files in /boot/ or /media/ or /media/kexec_iso/ISO_FILENAME/.
2017-07-03 03:01:04 +00:00
Strip invalid leading/trailing '/' from script params
2017-07-22 18:25:39 +00:00
bootdir="${bootdir%%/}"
paramsdev="${paramsdev%%/}"
paramsdir="${paramsdir%%/}"
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
PRIMHASH_FILE="$paramsdir/kexec_primhdl_hash.txt"
if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
if [ -r "$PRIMHASH_FILE" ]; then
sha256sum -c "$PRIMHASH_FILE" ||
{
echo "FATAL: Hash of TPM2 primary key handle mismatch!"
warn "If you have not intentionally regenerated TPM2 primary key,"
warn "your system may have been compromised"
DEBUG "Hash of TPM2 primary key handle mismatched for $PRIMHASH_FILE"
}
else
warn "Hash of TPM2 primary key handle does not exist"
1692 Update text for TPM Primary Handle error with correct remediation steps. Signed-off-by: Matthew Drobnak <matthew@drobnak.com>
2024-06-03 22:07:08 +00:00
warn "Please rebuild the TPM2 primary key handle by settings a default OS to boot."
warn "Select Options-> Boot Options -> Show OS Boot Menu -> <Pick OS> -> Make default"
Change disk encryption -> LUKS Disk Key and other relative/relative verbiage, remove irrelevant DEBUG trace under kexec-unseal-key TODO: - $(pcrs) call sometimes fail in DEBUG call, outputting too many chars to be inserted in kmesg. Call removed here since redundant (PCR6 already extended with LUKS header) - Notes added for TPM2 simplification over TPM1 in code as TODO Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-03-27 14:04:10 +00:00
#TODO: Simplify/Automatize TPM2 firmware upgrade process. Today: upgrade, reboot, reseal(type TPM owner pass), resign, boot
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
default_failed="y"
DEBUG "Hash of TPM2 primary key handle does not exist under $PRIMHASH_FILE"
fi
fi
WiP to be squashed: we need to refactor prompt_tpm_password which is used both for TPM Owner Password prompt and caching reused for TPM disk unlock key passphrase which of course fails Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-10-23 21:23:38 +00:00
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
verify_global_hashes() {
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
echo "+++ Checking verified boot hash file "
# Check the hashes of all the files
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
if verify_checksums "$bootdir" "$gui_menu"; then
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
echo "+++ Verified boot hashes "
valid_hash='y'
valid_global_hash='y'
else
Merge branch 'add_gui_hash_alert' of https://github.com/kylerankin/heads
2018-03-08 19:41:44 +00:00
if [ "$gui_menu" = "y" ]; then
CHANGED_FILES=$(grep -v 'OK$' /tmp/hash_output | cut -f1 -d ':')
Add functions to handle normal, warning, and error for whiptail and fbwhiptail. Signed-off-by: Matthew Drobnak <matthew@drobnak.com>
2024-06-06 22:59:13 +00:00
whiptail_error --title 'ERROR: Boot Hash Mismatch' \
whiptail: fixate width to 80 characters and have height dynamic to all whiptail/fbwhiptail prompts
2022-11-09 16:51:27 +00:00
--msgbox "The following files failed the verification process:\n${CHANGED_FILES}\nExiting to a recovery shell" 0 80
Merge branch 'add_gui_hash_alert' of https://github.com/kylerankin/heads
2018-03-08 19:41:44 +00:00
fi
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
die "$TMP_HASH_FILE: boot hash mismatch"
fi
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
# If user enables it, check root hashes before boot as well
if [[ "$CONFIG_ROOT_CHECK_AT_BOOT" = "y" && "$force_menu" == "n" ]]; then
if root-hashes-gui.sh -c; then
echo "+++ Verified root hashes, continuing boot "
# if user re-signs, it wipes out saved options, so scan the boot directory and generate
if [ ! -r "$TMP_MENU_FILE" ]; then
scan_options
fi
else
# root-hashes-gui.sh handles the GUI error menu, just die here
if [ "$gui_menu" = "y" ]; then
Add functions to handle normal, warning, and error for whiptail and fbwhiptail. Signed-off-by: Matthew Drobnak <matthew@drobnak.com>
2024-06-06 22:59:13 +00:00
whiptail_error --title 'ERROR: Root Hash Mismatch' \
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
--msgbox "The root hash check failed!\nExiting to a recovery shell" 0 80
fi
die "root hash mismatch, see /tmp/hash_output_mismatches for details"
fi
fi
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
}
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
verify_rollback_counter() {
TPM_COUNTER=$(grep counter $TMP_ROLLBACK_FILE | cut -d- -f2)
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
if [ -z "$TPM_COUNTER" ]; then
die "$TMP_ROLLBACK_FILE: TPM counter not found?"
fi
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
read_tpm_counter $TPM_COUNTER ||
die "Failed to read TPM counter"
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
sha256sum -c $TMP_ROLLBACK_FILE ||
die "Invalid TPM counter state"
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
valid_rollback="y"
}
Minor tweaks to signing params and boot options Also split out usb-scan to allow manual initiation of scan from the recovery shell
2017-07-03 17:07:03 +00:00
first_menu="y"
Added a generic boot config and persistent params Refactored boot parsing code and applied that in local-init to scan /boot for grub options and allow the user to unsafely boot anything. This goes a long way to addressing #196. Optionally the user can customize those boot parameters or enforce arbitrary hashes on the boot device by creating and signing config files in /boot/ or /media/ or /media/kexec_iso/ISO_FILENAME/.
2017-07-03 03:01:04 +00:00
get_menu_option() {
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
num_options=$(cat $TMP_MENU_FILE | wc -l)
Minor tweaks to signing params and boot options Also split out usb-scan to allow manual initiation of scan from the recovery shell
2017-07-03 17:07:03 +00:00
if [ $num_options -eq 0 ]; then
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
die "No boot options"
Minor tweaks to signing params and boot options Also split out usb-scan to allow manual initiation of scan from the recovery shell
2017-07-03 17:07:03 +00:00
fi
Added a generic boot config and persistent params Refactored boot parsing code and applied that in local-init to scan /boot for grub options and allow the user to unsafely boot anything. This goes a long way to addressing #196. Optionally the user can customize those boot parameters or enforce arbitrary hashes on the boot device by creating and signing config files in /boot/ or /media/ or /media/kexec_iso/ISO_FILENAME/.
2017-07-03 03:01:04 +00:00
Minor tweaks to signing params and boot options Also split out usb-scan to allow manual initiation of scan from the recovery shell
2017-07-03 17:07:03 +00:00
if [ $num_options -eq 1 -a $first_menu = "y" ]; then
option_index=1
Add gui option to kexec-select-boot, use in gui-init menu option When selecting the boot menu option (m) in the gui-init you call out to kexec-select-boot. To better maintain the graphical menu experience, I've added a -g option to kexec-select-boot that, when set, will use a graphical whiptail menu for the most common menu selection modes.
2018-02-22 21:18:16 +00:00
elif [ "$gui_menu" = "y" ]; then
MENU_OPTIONS=""
n=0
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
while read option; do
Add gui option to kexec-select-boot, use in gui-init menu option When selecting the boot menu option (m) in the gui-init you call out to kexec-select-boot. To better maintain the graphical menu experience, I've added a -g option to kexec-select-boot that, when set, will use a graphical whiptail menu for the most common menu selection modes.
2018-02-22 21:18:16 +00:00
parse_option
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
n=$(expr $n + 1)
Add gui option to kexec-select-boot, use in gui-init menu option When selecting the boot menu option (m) in the gui-init you call out to kexec-select-boot. To better maintain the graphical menu experience, I've added a -g option to kexec-select-boot that, when set, will use a graphical whiptail menu for the most common menu selection modes.
2018-02-22 21:18:16 +00:00
name=$(echo $name | tr " " "_")
kexec-select-boot: Simplify boot menu entries Drop the duplicated kernel info which hurts readability, runs off the end of the menu window. This also makes it easier to identify which menu option is the default, and more closely resembles the grub menu shown in a traditional BIOS boot. Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2022-03-15 17:00:20 +00:00
MENU_OPTIONS="$MENU_OPTIONS $n ${name} "
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
done <$TMP_MENU_FILE
Add gui option to kexec-select-boot, use in gui-init menu option When selecting the boot menu option (m) in the gui-init you call out to kexec-select-boot. To better maintain the graphical menu experience, I've added a -g option to kexec-select-boot that, when set, will use a graphical whiptail menu for the most common menu selection modes.
2018-02-22 21:18:16 +00:00
whiptail: no more whiptail reseting console on call (--clear) So we have console logs to troubleshoot errors and catch them correctly
2022-11-15 20:11:58 +00:00
whiptail --title "Select your boot option" \
whiptail: fixate width to 80 characters and have height dynamic to all whiptail/fbwhiptail prompts
2022-11-09 16:51:27 +00:00
--menu "Choose the boot option [1-$n, a to abort]:" 0 80 8 \
Add gui option to kexec-select-boot, use in gui-init menu option When selecting the boot menu option (m) in the gui-init you call out to kexec-select-boot. To better maintain the graphical menu experience, I've added a -g option to kexec-select-boot that, when set, will use a graphical whiptail menu for the most common menu selection modes.
2018-02-22 21:18:16 +00:00
-- $MENU_OPTIONS \
2>/tmp/whiptail || die "Aborting boot attempt"
option_index=$(cat /tmp/whiptail)
Minor tweaks to signing params and boot options Also split out usb-scan to allow manual initiation of scan from the recovery shell
2017-07-03 17:07:03 +00:00
else
echo "+++ Select your boot option:"
n=0
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
while read option; do
Minor tweaks to signing params and boot options Also split out usb-scan to allow manual initiation of scan from the recovery shell
2017-07-03 17:07:03 +00:00
parse_option
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
n=$(expr $n + 1)
Minor tweaks to signing params and boot options Also split out usb-scan to allow manual initiation of scan from the recovery shell
2017-07-03 17:07:03 +00:00
echo "$n. $name [$kernel]"
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
done <$TMP_MENU_FILE
Minor tweaks to signing params and boot options Also split out usb-scan to allow manual initiation of scan from the recovery shell
2017-07-03 17:07:03 +00:00
read \
-p "Choose the boot option [1-$n, a to abort]: " \
option_index
Added a generic boot config and persistent params Refactored boot parsing code and applied that in local-init to scan /boot for grub options and allow the user to unsafely boot anything. This goes a long way to addressing #196. Optionally the user can customize those boot parameters or enforce arbitrary hashes on the boot device by creating and signing config files in /boot/ or /media/ or /media/kexec_iso/ISO_FILENAME/.
2017-07-03 03:01:04 +00:00
Minor tweaks to signing params and boot options Also split out usb-scan to allow manual initiation of scan from the recovery shell
2017-07-03 17:07:03 +00:00
if [ "$option_index" = "a" ]; then
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
die "Aborting boot attempt"
Minor tweaks to signing params and boot options Also split out usb-scan to allow manual initiation of scan from the recovery shell
2017-07-03 17:07:03 +00:00
fi
Added a generic boot config and persistent params Refactored boot parsing code and applied that in local-init to scan /boot for grub options and allow the user to unsafely boot anything. This goes a long way to addressing #196. Optionally the user can customize those boot parameters or enforce arbitrary hashes on the boot device by creating and signing config files in /boot/ or /media/ or /media/kexec_iso/ISO_FILENAME/.
2017-07-03 03:01:04 +00:00
fi
Minor tweaks to signing params and boot options Also split out usb-scan to allow manual initiation of scan from the recovery shell
2017-07-03 17:07:03 +00:00
first_menu="n"
Added a generic boot config and persistent params Refactored boot parsing code and applied that in local-init to scan /boot for grub options and allow the user to unsafely boot anything. This goes a long way to addressing #196. Optionally the user can customize those boot parameters or enforce arbitrary hashes on the boot device by creating and signing config files in /boot/ or /media/ or /media/kexec_iso/ISO_FILENAME/.
2017-07-03 03:01:04 +00:00
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
option=$(head -n $option_index $TMP_MENU_FILE | tail -1)
Added a generic boot config and persistent params Refactored boot parsing code and applied that in local-init to scan /boot for grub options and allow the user to unsafely boot anything. This goes a long way to addressing #196. Optionally the user can customize those boot parameters or enforce arbitrary hashes on the boot device by creating and signing config files in /boot/ or /media/ or /media/kexec_iso/ISO_FILENAME/.
2017-07-03 03:01:04 +00:00
parse_option
}
confirm_menu_option() {
Merge branch 'add_gui_init' of https://github.com/kylerankin/heads into kylerankin-add_gui_init
2018-02-28 20:06:06 +00:00
if [ "$gui_menu" = "y" ]; then
kexec-select-boot: Simplify boot selection confirmation, reverse order Simplify the menu options by removing the duplication of the entry name in the menu selections; instead, use clear verbiage to distinish between booting one time and making the default. And as the majority of the boot menu is shown is when the grub entires have changed and the user is prompted to select a new default, so make that the first/default menu option. Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2022-03-15 17:01:49 +00:00
default_text="Make default"
[[ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" = "y" ]] && default_text="${default_text} and boot"
Add functions to handle normal, warning, and error for whiptail and fbwhiptail. Signed-off-by: Matthew Drobnak <matthew@drobnak.com>
2024-06-06 22:59:13 +00:00
whiptail_warning --title "Confirm boot details" \
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
--menu "Confirm the boot details for $name:\n\n$(echo $kernel | fold -s -w 80) \n\n" 0 80 8 \
kexec-select-boot: Simplify boot selection confirmation, reverse order Simplify the menu options by removing the duplication of the entry name in the menu selections; instead, use clear verbiage to distinish between booting one time and making the default. And as the majority of the boot menu is shown is when the grub entires have changed and the user is prompted to select a new default, so make that the first/default menu option. Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2022-03-15 17:01:49 +00:00
-- 'd' "${default_text}" 'y' "Boot one time" \
Add gui option to kexec-select-boot, use in gui-init menu option When selecting the boot menu option (m) in the gui-init you call out to kexec-select-boot. To better maintain the graphical menu experience, I've added a -g option to kexec-select-boot that, when set, will use a graphical whiptail menu for the most common menu selection modes.
2018-02-22 21:18:16 +00:00
2>/tmp/whiptail || die "Aborting boot attempt"
Added a generic boot config and persistent params Refactored boot parsing code and applied that in local-init to scan /boot for grub options and allow the user to unsafely boot anything. This goes a long way to addressing #196. Optionally the user can customize those boot parameters or enforce arbitrary hashes on the boot device by creating and signing config files in /boot/ or /media/ or /media/kexec_iso/ISO_FILENAME/.
2017-07-03 03:01:04 +00:00
Add gui option to kexec-select-boot, use in gui-init menu option When selecting the boot menu option (m) in the gui-init you call out to kexec-select-boot. To better maintain the graphical menu experience, I've added a -g option to kexec-select-boot that, when set, will use a graphical whiptail menu for the most common menu selection modes.
2018-02-22 21:18:16 +00:00
option_confirm=$(cat /tmp/whiptail)
Merge branch 'add_gui_init' of https://github.com/kylerankin/heads into kylerankin-add_gui_init
2018-02-28 20:06:06 +00:00
else
Add gui option to kexec-select-boot, use in gui-init menu option When selecting the boot menu option (m) in the gui-init you call out to kexec-select-boot. To better maintain the graphical menu experience, I've added a -g option to kexec-select-boot that, when set, will use a graphical whiptail menu for the most common menu selection modes.
2018-02-22 21:18:16 +00:00
echo "+++ Please confirm the boot details for $name:"
echo $option
read \
-n 1 \
-p "Confirm selection by pressing 'y', make default with 'd': " \
option_confirm
echo
Merge branch 'add_gui_init' of https://github.com/kylerankin/heads into kylerankin-add_gui_init
2018-02-28 20:06:06 +00:00
fi
Added a generic boot config and persistent params Refactored boot parsing code and applied that in local-init to scan /boot for grub options and allow the user to unsafely boot anything. This goes a long way to addressing #196. Optionally the user can customize those boot parameters or enforce arbitrary hashes on the boot device by creating and signing config files in /boot/ or /media/ or /media/kexec_iso/ISO_FILENAME/.
2017-07-03 03:01:04 +00:00
}
parse_option() {
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
name=$(echo $option | cut -d\| -f1)
kernel=$(echo $option | cut -d\| -f3)
Added a generic boot config and persistent params Refactored boot parsing code and applied that in local-init to scan /boot for grub options and allow the user to unsafely boot anything. This goes a long way to addressing #196. Optionally the user can customize those boot parameters or enforce arbitrary hashes on the boot device by creating and signing config files in /boot/ or /media/ or /media/kexec_iso/ISO_FILENAME/.
2017-07-03 03:01:04 +00:00
}
Added the ability to persist a default boot option Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and if successful, boot directly to OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery not met.
2017-07-04 23:49:14 +00:00
scan_options() {
Added a generic boot config and persistent params Refactored boot parsing code and applied that in local-init to scan /boot for grub options and allow the user to unsafely boot anything. This goes a long way to addressing #196. Optionally the user can customize those boot parameters or enforce arbitrary hashes on the boot device by creating and signing config files in /boot/ or /media/ or /media/kexec_iso/ISO_FILENAME/.
2017-07-03 03:01:04 +00:00
echo "+++ Scanning for unsigned boot options"
option_file="/tmp/kexec_options.txt"
kexec-select-boot: Extract boot menu scanning logic Move boot menu scanning logic to scan_boot_options() in /etc/functions Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2022-11-16 19:24:28 +00:00
scan_boot_options "$bootdir" "$config" "$option_file"
Fix check for valid boot options -r will always succeed since the file will be generated regardless of number of boot entries found. Use -s instead to check for zero file size. Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-07-29 03:26:20 +00:00
if [ ! -s $option_file ]; then
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
die "Failed to parse any boot options"
Added a generic boot config and persistent params Refactored boot parsing code and applied that in local-init to scan /boot for grub options and allow the user to unsafely boot anything. This goes a long way to addressing #196. Optionally the user can customize those boot parameters or enforce arbitrary hashes on the boot device by creating and signing config files in /boot/ or /media/ or /media/kexec_iso/ISO_FILENAME/.
2017-07-03 03:01:04 +00:00
fi
Added the ability to persist a default boot option Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and if successful, boot directly to OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery not met.
2017-07-04 23:49:14 +00:00
if [ "$unique" = 'y' ]; then
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
sort -r $option_file | uniq >$TMP_MENU_FILE
Added the ability to persist a default boot option Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and if successful, boot directly to OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery not met.
2017-07-04 23:49:14 +00:00
else
cp $option_file $TMP_MENU_FILE
fi
}
Added a generic boot config and persistent params Refactored boot parsing code and applied that in local-init to scan /boot for grub options and allow the user to unsafely boot anything. This goes a long way to addressing #196. Optionally the user can customize those boot parameters or enforce arbitrary hashes on the boot device by creating and signing config files in /boot/ or /media/ or /media/kexec_iso/ISO_FILENAME/.
2017-07-03 03:01:04 +00:00
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
save_default_option() {
kexec-select-boot: Skip duplicate prompt when setting new default boot entry The text based prompt isn't needed when using a GUI menu for selection/confirmation, so skip it Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2022-03-15 17:03:04 +00:00
if [ "$gui_menu" != "y" ]; then
read \
-n 1 \
-p "Saving a default will modify the disk. Proceed? (Y/n): " \
default_confirm
echo
fi
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
kecec_select_boot: default to Y when setting new boot option Next prompt will be to ensure GPG key is attached, which defaults to Y, so default here as well for consistency Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-07-09 16:43:06 +00:00
[ "$default_confirm" = "" ] && default_confirm="y"
if [[ "$default_confirm" = "y" || "$default_confirm" = "Y" ]]; then
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
if kexec-save-default \
-b "$bootdir" \
-d "$paramsdev" \
-p "$paramsdir" \
-i "$option_index" \
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
; then
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
echo "+++ Saved defaults to device"
sleep 2
default_failed="n"
Ensure recovery for failed default boot Should close #223 Added reboot and poweroff scripts using /proc/sysrq-trigger Also cleaned up the boot loop in generic-init
2017-07-22 18:57:46 +00:00
force_menu="n"
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
return
else
echo "Failed to save defaults"
fi
fi
option_confirm="n"
}
Added the ability to persist a default boot option Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and if successful, boot directly to OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery not met.
2017-07-04 23:49:14 +00:00
default_select() {
# Attempt boot with expected parameters
# Check that entry matches that which is expected from menu
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
default_index=$(basename "$TMP_DEFAULT_FILE" | cut -d. -f 2)
Added the ability to persist a default boot option Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and if successful, boot directly to OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery not met.
2017-07-04 23:49:14 +00:00
# Check to see if entries have changed - useful for detecting grub update
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
expectedoption=$(cat $TMP_DEFAULT_FILE)
option=$(head -n $default_index $TMP_MENU_FILE | tail -1)
Added the ability to persist a default boot option Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and if successful, boot directly to OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery not met.
2017-07-04 23:49:14 +00:00
if [ "$option" != "$expectedoption" ]; then
Add a gui menu for changed boot entries Currently when the boot entries change, kexec-select-boot dies. Given the normal loop is set up to catch this event and display a regular boot menu at the next iteration of the loop, instead of dying it would be better to just warn and then return from that function back into the main loop. In addition to that I added a GUI menu for the same warning when in GUI mode.
2018-04-04 21:25:22 +00:00
if [ "$gui_menu" = "y" ]; then
Add functions to handle normal, warning, and error for whiptail and fbwhiptail. Signed-off-by: Matthew Drobnak <matthew@drobnak.com>
2024-06-06 22:59:13 +00:00
whiptail_error --title 'ERROR: Boot Entry Has Changed' \
Change '16 60'-sized whiptail prompts to '0 80' Some prompts were missed when changing to 0 80 the first time around, and some new ones were added thinking that size was intentional. Replace '16 60' with '0 80' globally. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-30 18:21:11 +00:00
--msgbox "The list of boot entries has changed\n\nPlease set a new default" 0 80
Add a gui menu for changed boot entries Currently when the boot entries change, kexec-select-boot dies. Given the normal loop is set up to catch this event and display a regular boot menu at the next iteration of the loop, instead of dying it would be better to just warn and then return from that function back into the main loop. In addition to that I added a GUI menu for the same warning when in GUI mode.
2018-04-04 21:25:22 +00:00
fi
TPM Disk Unlock Key sealing/renewal cleanup (Triggered automatically when resealing TOTP) Changes: - As per master: when TOTP cannot unseal TOTP, user is prompted to either reset or regenerate TOTP - Now, when either is done and a previous TPM Disk Unlock Key was setuped, the user is guided into: - Regenerating checksums and signing them - Regenerating TPM disk Unlock Key and resealing TPM disk Unlock Key with passphrase into TPM - LUKS header being modified, user is asked to resign kexec.sig one last time prior of being able to default boot - When no previous Disk Unlock Key was setuped, the user is guided into: - The above, plus - Detection of LUKS containers,suggesting only relevant partitions - Addition of TRACE and DEBUG statements to troubleshoot actual vs expected behavior while coding - Were missing under TPM Disk Unlock Key setup codepaths - Fixes for #645 : We now check if only one slots exists and we do not use it if its slot1. - Also shows in DEBUG traces now Unrelated staged changes - ash_functions: warn and die now contains proper spacing and eye attaction - all warn and die calls modified if containing warnings and too much punctuation - unify usage of term TPM Disk Unlock Key and Disk Recovery Key
2023-08-22 18:34:29 +00:00
warn "Boot entry has changed - please set a new default"
Fix tab on return line
2018-04-04 21:27:31 +00:00
return
Added the ability to persist a default boot option Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and if successful, boot directly to OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery not met.
2017-07-04 23:49:14 +00:00
fi
parse_option
Rename CONFIG_PUREBOOT_BASIC to CONFIG_BASIC Remove brand name from this configuration variable. For backward compatibility, update config.user in init if the branded variable is present. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 18:36:28 +00:00
if [ "$CONFIG_BASIC" != "y" ]; then
Add PureBoot Basic Mode PureBoot Basic mode provides the full Linux userspace in firmware from Heads without requiring verified boot or a Librem Key. Basic and verified boot can be switched freely without changing firmware, such as if a Librem Key is lost. PureBoot Basic can apply firmware updates from a USB flash drive, and having a complete Linux userspace enables more sophisticated recovery options. Basic mode boots to the first boot option by default, setting a default is not required. This can be configured in the config GUI. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2022-03-15 17:05:04 +00:00
# Enforce that default option hashes are valid
echo "+++ Checking verified default boot hash file "
# Check the hashes of all the files
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
if (cd $bootdir && sha256sum -c "$TMP_DEFAULT_HASH_FILE" >/tmp/hash_output); then
Add PureBoot Basic Mode PureBoot Basic mode provides the full Linux userspace in firmware from Heads without requiring verified boot or a Librem Key. Basic and verified boot can be switched freely without changing firmware, such as if a Librem Key is lost. PureBoot Basic can apply firmware updates from a USB flash drive, and having a complete Linux userspace enables more sophisticated recovery options. Basic mode boots to the first boot option by default, setting a default is not required. This can be configured in the config GUI. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2022-03-15 17:05:04 +00:00
echo "+++ Verified default boot hashes "
valid_hash='y'
else
if [ "$gui_menu" = "y" ]; then
CHANGED_FILES=$(grep -v 'OK$' /tmp/hash_output | cut -f1 -d ':')
Add functions to handle normal, warning, and error for whiptail and fbwhiptail. Signed-off-by: Matthew Drobnak <matthew@drobnak.com>
2024-06-06 22:59:13 +00:00
whiptail_error --title 'ERROR: Default Boot Hash Mismatch' \
Add PureBoot Basic Mode PureBoot Basic mode provides the full Linux userspace in firmware from Heads without requiring verified boot or a Librem Key. Basic and verified boot can be switched freely without changing firmware, such as if a Librem Key is lost. PureBoot Basic can apply firmware updates from a USB flash drive, and having a complete Linux userspace enables more sophisticated recovery options. Basic mode boots to the first boot option by default, setting a default is not required. This can be configured in the config GUI. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2022-03-15 17:05:04 +00:00
--msgbox "The following files failed the verification process:\n${CHANGED_FILES}\nExiting to a recovery shell" 0 80
fi
Merge branch 'add_gui_hash_alert' of https://github.com/kylerankin/heads
2018-03-08 19:41:44 +00:00
fi
Added the ability to persist a default boot option Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and if successful, boot directly to OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery not met.
2017-07-04 23:49:14 +00:00
fi
Added a generic boot config and persistent params Refactored boot parsing code and applied that in local-init to scan /boot for grub options and allow the user to unsafely boot anything. This goes a long way to addressing #196. Optionally the user can customize those boot parameters or enforce arbitrary hashes on the boot device by creating and signing config files in /boot/ or /media/ or /media/kexec_iso/ISO_FILENAME/.
2017-07-03 03:01:04 +00:00
Added the ability to persist a default boot option Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and if successful, boot directly to OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery not met.
2017-07-04 23:49:14 +00:00
echo "+++ Executing default boot for $name:"
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
do_boot
warn "Failed to boot default option"
Added the ability to persist a default boot option Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and if successful, boot directly to OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery not met.
2017-07-04 23:49:14 +00:00
}
user_select() {
# No default expected boot parameters, ask user
option_confirm=""
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
while [ "$option_confirm" != "y" -a "$option_confirm" != "d" ]; do
Added the ability to persist a default boot option Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and if successful, boot directly to OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery not met.
2017-07-04 23:49:14 +00:00
get_menu_option
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
# In force boot mode, no need offer the option to set a default, just boot
Skip prompt to set default boot when booting from USB Since a USB boot target can't be the default (at least currently, /boot must be on internal media), skip the extraneous prompt to set it as such when booting from USB. Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-05-19 01:13:32 +00:00
if [[ "$force_boot" = "y" || "$skip_confirm" = "y" ]]; then
Skip boot choice confirmation in "force" mode When a user gets confirmation of their boot menu choice, that's largely to give them the option of making their boot choice the default. In the case of "force mode" there's no reason for the user to be presented with that dialog so this change skips right ahead to the boot once they have
2018-04-20 21:11:49 +00:00
do_boot
else
confirm_menu_option
fi
Added the ability to persist a default boot option Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and if successful, boot directly to OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery not met.
2017-07-04 23:49:14 +00:00
if [ "$option_confirm" = 'd' ]; then
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
save_default_option
Added the ability to persist a default boot option Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and if successful, boot directly to OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery not met.
2017-07-04 23:49:14 +00:00
fi
done
if [ "$option_confirm" = "d" ]; then
Ensure recovery for failed default boot Should close #223 Added reboot and poweroff scripts using /proc/sysrq-trigger Also cleaned up the boot loop in generic-init
2017-07-22 18:57:46 +00:00
if [ ! -r "$TMP_KEY_DEVICES" ]; then
kexec-select-boot: Fix errant continue This isn't in a loop, continue makes no sense. ash had silently ignored it. Proceeding to the do_boot below is the correct behavior. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-25 21:06:47 +00:00
# continue below to boot the new default option
true
Ensure recovery for failed default boot Should close #223 Added reboot and poweroff scripts using /proc/sysrq-trigger Also cleaned up the boot loop in generic-init
2017-07-22 18:57:46 +00:00
else
echo "+++ Rebooting to start the new default option"
sleep 2
Add DEBUG traces and have TPM2 boards enable TRACE and DEBUG calls - /tmp/debug.log is created and appended by all TRACE and DEBUG calls in code - fix some logic errors seen when no DEBUG entry were outputted in /tmp/debug.log
2023-02-23 22:05:15 +00:00
if [ "$CONFIG_DEBUG_OUTPUT" != "y" ]; then
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
reboot ||
die "!!! Failed to reboot system"
Add DEBUG traces and have TPM2 boards enable TRACE and DEBUG calls - /tmp/debug.log is created and appended by all TRACE and DEBUG calls in code - fix some logic errors seen when no DEBUG entry were outputted in /tmp/debug.log
2023-02-23 22:05:15 +00:00
else
DEBUG "Rebooting is required prior of booting default boot entry"
kexec-select-boot: For debug inspection, drop to recovery After saving a disk unlock key, if debug output is enabled, drop to a recovery shell to allow inspection of debug output. The script isn't intended to return from this point after sealing a key - returning attempts to boot, which can't unseal the key. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-02-24 21:47:07 +00:00
# Instead of rebooting, drop to a recovery shell
# for a chance to inspect debug output
Small cosmetic/typo related changes, ccache enablement for coreboot and reduction of unseal attempts gui-init: do not consume two unseal attempt to unseal both totp and hotp + cosmetic changes (slow down TPM DA lockout) kexec-seal-key: Add DEBUG statement for PCR precalc seal-totp: add DEBUG statements regarding skipping of PCR5 and PCR6 involvement into TOTP/HOTP sealing ops seal-hotpkey: Add DEBUG statements related to reuse of TOTP sealed secret tpmr: add DO_WITH_DEBUG calls to output pcrread and extend calls tpmr: typo correction stating TRACE calls for tpm2 where it was for tpm1 tpmr: add DO_WITH_DEBUG calls for calcfuturepcr functions: Cosmetic fix on pause_recovery asking user to press Enter to go to recovery shell on host console when board defines CONFIG_BOOT_RECOVERY_SERIAL Not so related but part of output review and corrections: kexec-insert-key: cosmetic changes prepending "+++" to disk related changes kexec-save-default: cosmetic changes prepending "+++" to disk related changes config/coreboot-qemu-tpm*.config: add ccache support for faster coreboot rebuild times
2023-03-09 18:28:04 +00:00
recovery "Entering recovery to permit inspection of /tmp/debug.log output, reboot to continue"
Add DEBUG traces and have TPM2 boards enable TRACE and DEBUG calls - /tmp/debug.log is created and appended by all TRACE and DEBUG calls in code - fix some logic errors seen when no DEBUG entry were outputted in /tmp/debug.log
2023-02-23 22:05:15 +00:00
fi
Ensure recovery for failed default boot Should close #223 Added reboot and poweroff scripts using /proc/sysrq-trigger Also cleaned up the boot loop in generic-init
2017-07-22 18:57:46 +00:00
fi
Added the ability to persist a default boot option Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and if successful, boot directly to OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery not met.
2017-07-04 23:49:14 +00:00
fi
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
do_boot
}
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
do_boot() {
kexec-select-boot: Fix test for basic mode The CONFIG_BASIC test was backwards, as a result it skipped the LUKS disk unlock logic if basic mode was _not_ enabled. This wasn't observed in the PureBoot distribution because we disable the LUKS disk unlock feature. CONFIG_BOOT_REQ_ROLLBACK and CONFIG_BOOT_REQ_HASH logic was also skipped incorrectly, though neither of these are enabled on any board so this had no effect in the PureBoot distribution either. Test basic with each bit of logic to eliminate duplication of the kexec-boot call and fix the LUKS disk unlock feature. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-07 18:34:05 +00:00
if [ "$CONFIG_BASIC" != y ] && [ "$CONFIG_BOOT_REQ_ROLLBACK" = "y" ] && [ "$valid_rollback" = "n" ]; then
Ensure recovery for failed default boot Should close #223 Added reboot and poweroff scripts using /proc/sysrq-trigger Also cleaned up the boot loop in generic-init
2017-07-22 18:57:46 +00:00
die "!!! Missing required rollback counter state"
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
fi
kexec-select-boot: Fix test for basic mode The CONFIG_BASIC test was backwards, as a result it skipped the LUKS disk unlock logic if basic mode was _not_ enabled. This wasn't observed in the PureBoot distribution because we disable the LUKS disk unlock feature. CONFIG_BOOT_REQ_ROLLBACK and CONFIG_BOOT_REQ_HASH logic was also skipped incorrectly, though neither of these are enabled on any board so this had no effect in the PureBoot distribution either. Test basic with each bit of logic to eliminate duplication of the kexec-boot call and fix the LUKS disk unlock feature. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-07 18:34:05 +00:00
if [ "$CONFIG_BASIC" != y ] && [ "$CONFIG_BOOT_REQ_HASH" = "y" ] && [ "$valid_hash" = "n" ]; then
Ensure recovery for failed default boot Should close #223 Added reboot and poweroff scripts using /proc/sysrq-trigger Also cleaned up the boot loop in generic-init
2017-07-22 18:57:46 +00:00
die "!!! Missing required boot hashes"
Added the ability to persist a default boot option Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and if successful, boot directly to OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery not met.
2017-07-04 23:49:14 +00:00
fi
kexec-select-boot: Fix test for basic mode The CONFIG_BASIC test was backwards, as a result it skipped the LUKS disk unlock logic if basic mode was _not_ enabled. This wasn't observed in the PureBoot distribution because we disable the LUKS disk unlock feature. CONFIG_BOOT_REQ_ROLLBACK and CONFIG_BOOT_REQ_HASH logic was also skipped incorrectly, though neither of these are enabled on any board so this had no effect in the PureBoot distribution either. Test basic with each bit of logic to eliminate duplication of the kexec-boot call and fix the LUKS disk unlock feature. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-07 18:34:05 +00:00
if [ "$CONFIG_BASIC" != y ] && [ "$CONFIG_TPM" = "y" ] && [ -r "$TMP_KEY_DEVICES" ]; then
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
INITRD=$(kexec-boot -b "$bootdir" -e "$option" -i) ||
die "!!! Failed to extract the initrd from boot option"
Added TPM secret management to generic boot Also cleaned up error handling and boot parsing edge cases
2017-07-12 04:17:45 +00:00
if [ -z "$INITRD" ]; then
die "!!! No initrd file found in boot option"
fi
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
kexec-insert-key $INITRD ||
Change disk encryption -> LUKS Disk Key and other relative/relative verbiage, remove irrelevant DEBUG trace under kexec-unseal-key TODO: - $(pcrs) call sometimes fail in DEBUG call, outputting too many chars to be inserted in kmesg. Call removed here since redundant (PCR6 already extended with LUKS header) - Notes added for TPM2 simplification over TPM1 in code as TODO Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-03-27 14:04:10 +00:00
die "!!! Failed to prepare TPM Disk Unlock Key for boot"
Added TPM secret management to generic boot Also cleaned up error handling and boot parsing edge cases
2017-07-12 04:17:45 +00:00
kexec-boot -b "$bootdir" -e "$option" \
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
-a "$add" -r "$remove" -o "/tmp/secret/initrd.cpio" ||
die "!!! Failed to boot w/ options: $option"
Added TPM secret management to generic boot Also cleaned up error handling and boot parsing edge cases
2017-07-12 04:17:45 +00:00
else
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
kexec-boot -b "$bootdir" -e "$option" -a "$add" -r "$remove" ||
die "!!! Failed to boot w/ options: $option"
Added TPM secret management to generic boot Also cleaned up error handling and boot parsing edge cases
2017-07-12 04:17:45 +00:00
fi
Added the ability to persist a default boot option Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and if successful, boot directly to OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery not met.
2017-07-04 23:49:14 +00:00
}
while true; do
Rename CONFIG_PUREBOOT_BASIC to CONFIG_BASIC Remove brand name from this configuration variable. For backward compatibility, update config.user in init if the branded variable is present. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 18:36:28 +00:00
if [ "$force_boot" = "y" -o "$CONFIG_BASIC" = "y" ]; then
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
check_config $paramsdir force
Fix tab alignment to conform with rest of script
2018-03-14 17:24:14 +00:00
else
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
check_config $paramsdir
Fix tab alignment to conform with rest of script
2018-03-14 17:24:14 +00:00
fi
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
TMP_DEFAULT_FILE=$(find /tmp/kexec/kexec_default.*.txt 2>/dev/null | head -1) || true
Added the ability to persist a default boot option Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and if successful, boot directly to OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery not met.
2017-07-04 23:49:14 +00:00
TMP_MENU_FILE="/tmp/kexec/kexec_menu.txt"
TMP_HASH_FILE="/tmp/kexec/kexec_hashes.txt"
initrd: track files in /boot in kexec_tree.txt Fixes #1248
2022-12-31 17:41:24 +00:00
TMP_TREE_FILE="/tmp/kexec/kexec_tree.txt"
Added the ability to persist a default boot option Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and if successful, boot directly to OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery not met.
2017-07-04 23:49:14 +00:00
TMP_DEFAULT_HASH_FILE="/tmp/kexec/kexec_default_hashes.txt"
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
TMP_ROLLBACK_FILE="/tmp/kexec/kexec_rollback.txt"
Added TPM secret management to generic boot Also cleaned up error handling and boot parsing edge cases
2017-07-12 04:17:45 +00:00
TMP_KEY_DEVICES="/tmp/kexec/kexec_key_devices.txt"
TMP_KEY_LVM="/tmp/kexec/kexec_key_lvm.txt"
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
# Allow a way for users to ignore warnings and boot into their systems
# even if hashes don't match
Add a "force" option to kexec-select-boot to bypass hash checks The point of this change is to provide a failsafe (failunsafe?) mode for less technically-savvy users who will ultimately be using Heads by default on Librem laptops. There are some scenarios where an end user might forget to update hashes in /boot after an initrd change or might have some other hash mismatch. Currently that user would then be stuck in a recovery console in Heads not knowing what to do within that limited shell environment to fix the situation. This change adds a 'force' mode to kexec-select-boot that goes straight into a boot menu and bypasses the hash checks so the user could more easily get back into their system to attempt to repair it. It adds appropriate warnings about why this is a risky option and moves it down toward the bottom of the menu. The goal would be to just have this be an emergency option our support could guide a user to if they ended up in this situation.
2018-03-05 22:46:15 +00:00
if [ "$force_boot" = "y" ]; then
scan_options
Rename CONFIG_PUREBOOT_BASIC to CONFIG_BASIC Remove brand name from this configuration variable. For backward compatibility, update config.user in init if the branded variable is present. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 18:36:28 +00:00
if [ "$CONFIG_BASIC" != "y" ]; then
Add PureBoot Basic Mode PureBoot Basic mode provides the full Linux userspace in firmware from Heads without requiring verified boot or a Librem Key. Basic and verified boot can be switched freely without changing firmware, such as if a Librem Key is lost. PureBoot Basic can apply firmware updates from a USB flash drive, and having a complete Linux userspace enables more sophisticated recovery options. Basic mode boots to the first boot option by default, setting a default is not required. This can be configured in the config GUI. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2022-03-15 17:05:04 +00:00
# Remove boot splash and make background red in the event of a forced boot
add="$add vt.default_red=0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff"
remove="$remove splash quiet"
fi
Add a "force" option to kexec-select-boot to bypass hash checks The point of this change is to provide a failsafe (failunsafe?) mode for less technically-savvy users who will ultimately be using Heads by default on Librem laptops. There are some scenarios where an end user might forget to update hashes in /boot after an initrd change or might have some other hash mismatch. Currently that user would then be stuck in a recovery console in Heads not knowing what to do within that limited shell environment to fix the situation. This change adds a 'force' mode to kexec-select-boot that goes straight into a boot menu and bypasses the hash checks so the user could more easily get back into their system to attempt to repair it. It adds appropriate warnings about why this is a risky option and moves it down toward the bottom of the menu. The goal would be to just have this be an emergency option our support could guide a user to if they ended up in this situation.
2018-03-05 22:46:15 +00:00
user_select
fi
tpm2-tools: Change sense of CONFIG_TPM to mean any TPM, not just TPM1. Most logic throughout Heads doesn't need to know TPM1 versus TPM2 (and shouldn't, the differences should be localized). Some checks were incorrect and are fixed by this change. Most checks are now unchanged relative to master. There are not that many places outside of tpmr that need to differentiate TPM1 and TPM2. Some of those are duplicate code that should be consolidated (seal-hotpkey, unseal-totp, unseal-hotp), and some more are probably good candidates for abstracting in tpmr so the business logic doesn't have to know TPM1 vs. TPM2. Previously, CONFIG_TPM could be variously 'y', 'n', or empty. Now it is always 'y' or 'n', and 'y' means "any TPM". Board configs are unchanged, setting CONFIG_TPM2_TOOLS=y implies CONFIG_TPM=y so this doesn't have to be duplicated and can't be mistakenly mismatched. There were a few checks for CONFIG_TPM = n that only coincidentally worked for TPM2 because CONFIG_TPM was empty (not 'n'). This test is now OK, but the checks were also cleaned up to '!= "y"' for robustness. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-02-22 21:30:07 +00:00
if [ "$CONFIG_TPM" = "y" ]; then
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards -coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations) -swtpm set to be launched under TPM v2.0 mode under board config -Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized) This is skeleton for TPM v2 integration under Heads ------------- WiP TODO: - libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built - Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing - init tries to bind fd and fails currently - Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output - When no OS' /boot can be mounted, do not try to TPM reset (will fail) - seal-hotpkey is not working properly - setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM) - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase. - primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup - would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only - tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help. - Implementing them would be better - REVIEW TODOS IN CODE - READD CIRCLECI CONFIG Current state: - TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid) - TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without. - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails. - Current tests are with fbwhiptail (no clear called so having traces on command line of what happens) - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
2022-08-25 18:43:31 +00:00
if [ ! -r "$TMP_KEY_DEVICES" ]; then
# Extend PCR4 as soon as possible
All TPM Extend additional context passed from console echo output to DEBUG. Put back console output as of master. TODO: decide what we do with tpmr extend output for the future. Hint: forward sealing of next flashed firmware measurements. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-06 20:53:17 +00:00
DEBUG "Extending TPM PCR 4 to prevent further secret unsealing"
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
tpmr extend -ix 4 -ic generic ||
die "Failed to extend PCR 4"
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards -coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations) -swtpm set to be launched under TPM v2.0 mode under board config -Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized) This is skeleton for TPM v2 integration under Heads ------------- WiP TODO: - libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built - Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing - init tries to bind fd and fails currently - Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output - When no OS' /boot can be mounted, do not try to TPM reset (will fail) - seal-hotpkey is not working properly - setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM) - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase. - primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup - would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only - tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help. - Implementing them would be better - REVIEW TODOS IN CODE - READD CIRCLECI CONFIG Current state: - TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid) - TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without. - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails. - Current tests are with fbwhiptail (no clear called so having traces on command line of what happens) - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
2022-08-25 18:43:31 +00:00
fi
Added TPM secret management to generic boot Also cleaned up error handling and boot parsing edge cases
2017-07-12 04:17:45 +00:00
fi
Added the ability to persist a default boot option Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and if successful, boot directly to OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery not met.
2017-07-04 23:49:14 +00:00
# if no saved options, scan the boot directory and generate
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
if [ ! -r "$TMP_MENU_FILE" ]; then
Added the ability to persist a default boot option Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and if successful, boot directly to OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery not met.
2017-07-04 23:49:14 +00:00
scan_options
fi
Root hashes: enable even if there is no TPM This feature doesn't require a TPM. The configuration GUI appears either way, but the actual check was silently skipped on TPM-less devices. Enable it even if there is no TPM. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-30 17:13:48 +00:00
if [ "$CONFIG_BASIC" != "y" ]; then
Make TPM dependency optional and controlled by flag CONFIG_TPM if "CONFIG_TPM=y" is not present in the config file, functionalities needing TPM could be disabled, while leaving other functionalities intact. This will make Heads a more general-usage bootloader payload atop coreboot.
2017-12-05 08:29:07 +00:00
# Optionally enforce device file hashes
if [ -r "$TMP_HASH_FILE" ]; then
valid_global_hash="n"
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
Make TPM dependency optional and controlled by flag CONFIG_TPM if "CONFIG_TPM=y" is not present in the config file, functionalities needing TPM could be disabled, while leaving other functionalities intact. This will make Heads a more general-usage bootloader payload atop coreboot.
2017-12-05 08:29:07 +00:00
verify_global_hashes
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
Make TPM dependency optional and controlled by flag CONFIG_TPM if "CONFIG_TPM=y" is not present in the config file, functionalities needing TPM could be disabled, while leaving other functionalities intact. This will make Heads a more general-usage bootloader payload atop coreboot.
2017-12-05 08:29:07 +00:00
if [ "$valid_global_hash" = "n" ]; then
die "Failed to verify global hashes"
fi
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
fi
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards -coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations) -swtpm set to be launched under TPM v2.0 mode under board config -Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized) This is skeleton for TPM v2 integration under Heads ------------- WiP TODO: - libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built - Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing - init tries to bind fd and fails currently - Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output - When no OS' /boot can be mounted, do not try to TPM reset (will fail) - seal-hotpkey is not working properly - setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM) - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase. - primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup - would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only - tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help. - Implementing them would be better - REVIEW TODOS IN CODE - READD CIRCLECI CONFIG Current state: - TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid) - TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without. - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails. - Current tests are with fbwhiptail (no clear called so having traces on command line of what happens) - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
2022-08-25 18:43:31 +00:00
if [ "$CONFIG_IGNORE_ROLLBACK" != "y" -a -r "$TMP_ROLLBACK_FILE" ]; then
Make TPM dependency optional and controlled by flag CONFIG_TPM if "CONFIG_TPM=y" is not present in the config file, functionalities needing TPM could be disabled, while leaving other functionalities intact. This will make Heads a more general-usage bootloader payload atop coreboot.
2017-12-05 08:29:07 +00:00
# in the case of iso boot with a rollback file, do not assume valid
valid_rollback="n"
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
Make TPM dependency optional and controlled by flag CONFIG_TPM if "CONFIG_TPM=y" is not present in the config file, functionalities needing TPM could be disabled, while leaving other functionalities intact. This will make Heads a more general-usage bootloader payload atop coreboot.
2017-12-05 08:29:07 +00:00
verify_rollback_counter
fi
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
fi
if [ "$default_failed" != "y" \
Ensure recovery for failed default boot Should close #223 Added reboot and poweroff scripts using /proc/sysrq-trigger Also cleaned up the boot loop in generic-init
2017-07-22 18:57:46 +00:00
-a "$force_menu" = "n" \
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
-a -r "$TMP_DEFAULT_FILE" \
-a -r "$TMP_DEFAULT_HASH_FILE" ] \
TPM2: add DEBUG and fix path for TPM2 primary key handle hash. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 18:17:38 +00:00
; then
Added the ability to persist a default boot option Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and if successful, boot directly to OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery not met.
2017-07-04 23:49:14 +00:00
default_select
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
default_failed="y"
Added the ability to persist a default boot option Similar to qubes-update, it will save then verify the hashes of the kexec files. Once TOTP is verified, a normal boot will verify that the file hashes and all the kexec params match and if successful, boot directly to OS. Also added a config option to require hash verification for non-recovery boots, failing to recovery not met.
2017-07-04 23:49:14 +00:00
else
user_select
fi
done
Added rollback protection to generic boot Changed the checking of required hashes or required rollback state to be right before boot, allowing the user to sign/set defaults in interactive mode. Also cleaned up usages of recovery and fixed iso parameter regression.
2017-07-08 20:59:37 +00:00
initrd: track files in /boot in kexec_tree.txt Fixes #1248
2022-12-31 17:41:24 +00:00
die "!!! Shouldn't get here"
Reference in New Issue Copy Permalink