2023-02-08 21:01:48 +00:00
#!/bin/bash
2018-12-06 18:43:34 +00:00
#
set -e -o pipefail
. /etc/functions
2020-07-10 17:58:32 +00:00
. /etc/gui_functions
2018-12-06 23:24:28 +00:00
. /tmp/config
2018-12-06 18:43:34 +00:00
2024-02-01 19:30:31 +00:00
TRACE_FUNC
2023-02-18 17:58:43 +00:00
2021-09-03 21:20:46 +00:00
ROOT_HASH_FILE = "/boot/kexec_root_hashes.txt"
2019-07-09 03:20:45 +00:00
param = $1
2022-11-03 18:13:16 +00:00
# Read the current ROM; if it fails display an error and exit.
read_rom( ) {
/bin/flash.sh -r " $1 "
if [ ! -s " $1 " ] ; then
2024-06-06 22:59:13 +00:00
whiptail_error --title 'ERROR: BIOS Read Failed!' \
2023-06-30 18:21:11 +00:00
--msgbox "Unable to read BIOS" 0 80
2022-11-03 18:13:16 +00:00
exit 1
fi
}
2018-12-06 18:43:34 +00:00
while true; do
2019-07-09 03:20:45 +00:00
if [ ! -z " $param " ] ; then
# use first char from parameter
menu_choice = ${ param : : 1 }
unset param
else
2023-03-25 14:29:12 +00:00
# Re-source config because we change it when an option is toggled
. /tmp/config
2022-03-15 17:05:04 +00:00
2023-06-21 19:15:23 +00:00
dynamic_config_options = (
'b' ' Change the /boot device'
)
2022-03-15 17:05:04 +00:00
2022-01-07 19:30:57 +00:00
# Options that don't apply to basic mode
2023-06-21 18:36:28 +00:00
[ " $CONFIG_BASIC " != "y" ] && dynamic_config_options += (
2022-01-07 19:30:57 +00:00
'r' ' Clear GPG key(s) and reset all user settings'
'R' ' Change the root device for hashing'
'D' ' Change the root directories to hash'
2024-01-10 22:09:57 +00:00
'B' " $( get_config_display_action " $CONFIG_ROOT_CHECK_AT_BOOT " ) root check at boot "
2023-03-25 14:29:12 +00:00
'L' " $( get_config_display_action " $CONFIG_RESTRICTED_BOOT " ) Restricted Boot "
2022-01-07 19:30:57 +00:00
)
2023-03-25 14:29:12 +00:00
# Basic itself is always available (though RB will refuse to enable it)
2022-01-07 19:30:57 +00:00
dynamic_config_options += (
2023-06-21 18:19:41 +00:00
'P' " $( get_config_display_action " $CONFIG_BASIC " ) $CONFIG_BRAND_NAME Basic Mode "
2022-01-07 19:30:57 +00:00
)
# Blob jail is only offered if this is a configuration with the blobs in
# firmware
[ " $CONFIG_SUPPORT_BLOB_JAIL " = "y" ] && dynamic_config_options += (
2023-03-25 14:29:12 +00:00
'J' " $( get_config_display_action " $CONFIG_USE_BLOB_JAIL " ) Firmware Blob Jail "
2022-01-07 19:30:57 +00:00
)
2024-01-05 21:45:48 +00:00
# Automatic boot
dynamic_config_options += (
'M' " Configure automatic boot"
)
2022-01-07 19:30:57 +00:00
# Basic-only options for automatic boot
2023-06-21 18:36:28 +00:00
[ " $CONFIG_BASIC " = "y" ] && dynamic_config_options += (
2024-01-05 21:45:48 +00:00
'A' " $( get_inverted_config_display_action " $CONFIG_BASIC_NO_AUTOMATIC_DEFAULT " ) automatic default boot option "
2023-03-25 14:29:12 +00:00
'U' " $( get_config_display_action " $CONFIG_BASIC_USB_AUTOBOOT " ) USB automatic boot "
2022-01-07 19:30:57 +00:00
)
# Automatic power on - requires board support
[ " $CONFIG_SUPPORT_AUTOMATIC_POWERON " = "y" ] && dynamic_config_options += (
2023-03-25 14:29:12 +00:00
'N' " $( get_config_display_action " $CONFIG_AUTOMATIC_POWERON " ) automatic power-on "
2022-01-07 19:30:57 +00:00
)
2022-11-28 20:17:02 +00:00
2024-01-09 14:43:28 +00:00
# Boards with built-in keyboards can support optional USB keyboards as well.
2024-11-05 20:26:26 +00:00
# Boards that do not have a built-in keyboard/internal keyboard is USB connected export
2024-01-09 14:43:28 +00:00
# CONFIG_USB_KEYBOARD_REQUIRED=y; this hides the config option and ensures
# USB keyboard support always loads.
2024-11-05 20:26:26 +00:00
[ " $CONFIG_USB_KEYBOARD_REQUIRED " != y ] && dynamic_config_options += (
2024-01-09 14:43:28 +00:00
'K' " $( get_config_display_action " $CONFIG_USER_USB_KEYBOARD " ) USB keyboard "
)
2023-08-25 17:39:04 +00:00
# Debugging option always available
dynamic_config_options += (
'Z' " $( get_config_display_action " $CONFIG_DEBUG_OUTPUT " ) $CONFIG_BRAND_NAME debug and function tracing output "
)
2024-10-22 10:50:41 +00:00
[ " $CONFIG_FINALIZE_PLATFORM_LOCKING " = "y" ] && dynamic_config_options += (
2023-06-21 19:15:23 +00:00
't' ' Deactivate Platform Locking to permit OS write access to firmware'
)
dynamic_config_options += (
's' ' Save the current configuration to the running BIOS' \
'x' ' Return to Main Menu'
)
2019-07-09 03:23:04 +00:00
unset menu_choice
2024-06-06 22:59:13 +00:00
whiptail_type $BG_COLOR_MAIN_MENU --title "Config Management Menu" \
2022-11-09 16:51:27 +00:00
--menu "This menu lets you change settings for the current BIOS session.\n\nAll changes will revert after a reboot,\n\nunless you also save them to the running BIOS." 0 80 10 \
2022-03-15 17:05:04 +00:00
" ${ dynamic_config_options [@] } " \
2018-12-06 18:43:34 +00:00
2>/tmp/whiptail || recovery "GUI menu failed"
2019-07-09 03:23:04 +00:00
menu_choice = $( cat /tmp/whiptail)
2019-07-09 03:20:45 +00:00
fi
2018-12-06 18:43:34 +00:00
case " $menu_choice " in
2023-06-18 21:08:45 +00:00
"t" )
2024-10-22 10:50:41 +00:00
unset CONFIG_FINALIZE_PLATFORM_LOCKING
replace_config /etc/config.user "CONFIG_FINALIZE_PLATFORM_LOCKING" "n"
2023-06-18 21:08:45 +00:00
combine_configs
. /tmp/config
; ;
2018-12-06 18:43:34 +00:00
"x" )
exit 0
; ;
"b" )
2023-06-30 13:50:10 +00:00
CURRENT_OPTION = " $( load_config_value CONFIG_BOOT_DEV) "
2021-01-05 22:13:41 +00:00
if ! fdisk -l | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" > /tmp/disklist.txt ; then
2024-06-06 22:59:13 +00:00
whiptail_error --title 'ERROR: No bootable devices found' \
2023-06-30 18:21:11 +00:00
--msgbox " $ERROR \n\n " 0 80
2021-09-23 18:07:07 +00:00
exit 1
fi
2019-07-09 03:23:04 +00:00
# filter out extraneous options
> /tmp/boot_device_list.txt
for i in ` cat /tmp/disklist.txt` ; do
# remove block device from list if numeric partitions exist, since not bootable
2020-02-27 20:39:13 +00:00
DEV_NUM_PARTITIONS = $(( ` ls -1 $i * | wc -l` - 1 ))
2019-07-09 03:23:04 +00:00
if [ ${ DEV_NUM_PARTITIONS } -eq 0 ] ; then
echo $i >> /tmp/boot_device_list.txt
else
ls $i * | tail -${ DEV_NUM_PARTITIONS } >> /tmp/boot_device_list.txt
fi
done
file_selector "/tmp/boot_device_list.txt" \
2023-06-30 13:50:10 +00:00
" Choose the default /boot device.\n\n ${ CURRENT_OPTION : + \n \n Currently set to } $CURRENT_OPTION . " \
2019-07-09 03:23:04 +00:00
"Boot Device Selection"
2018-12-06 18:43:34 +00:00
if [ " $FILE " = = "" ] ; then
return
else
SELECTED_FILE = $FILE
fi
2020-02-29 00:54:14 +00:00
# unmount /boot if needed
if grep -q /boot /proc/mounts ; then
umount /boot 2>/dev/null
fi
2019-08-29 02:47:45 +00:00
# mount newly selected /boot device
2020-02-29 00:54:14 +00:00
if ! mount -o ro $SELECTED_FILE /boot 2>/tmp/error ; then
2019-08-29 02:47:45 +00:00
ERROR = ` cat /tmp/error`
2024-06-06 22:59:13 +00:00
whiptail_error --title 'ERROR: unable to mount /boot' \
2023-06-30 18:21:11 +00:00
--msgbox " $ERROR \n\n " 0 80
2019-08-29 02:47:45 +00:00
exit 1
fi
2023-06-30 13:50:10 +00:00
set_config /etc/config.user "CONFIG_BOOT_DEV" " $SELECTED_FILE "
2020-02-29 00:54:14 +00:00
combine_configs
2018-12-06 18:43:34 +00:00
whiptail --title 'Config change successful' \
2023-06-30 18:21:11 +00:00
--msgbox " The /boot device was successfully changed to $SELECTED_FILE " 0 80
2018-12-06 18:43:34 +00:00
; ;
"s" )
2022-11-03 18:13:16 +00:00
read_rom /tmp/config-gui.rom
2018-12-06 18:43:34 +00:00
2022-11-03 18:13:16 +00:00
replace_rom_file /tmp/config-gui.rom "heads/initrd/etc/config.user" /etc/config.user
2019-11-18 17:13:27 +00:00
if ( whiptail --title 'Update ROM?' \
2022-11-09 16:51:27 +00:00
--yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 0 80) then
2019-11-18 17:13:27 +00:00
/bin/flash.sh /tmp/config-gui.rom
whiptail --title 'BIOS Updated Successfully' \
2023-06-30 18:21:11 +00:00
--msgbox "BIOS updated successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 0 80
2019-11-18 17:13:27 +00:00
/bin/reboot
else
exit 0
fi
2019-07-09 14:02:46 +00:00
; ;
"r" )
# prompt for confirmation
2024-06-06 22:59:13 +00:00
if ( whiptail_warning --title 'Reset Configuration?' \
2019-07-09 14:02:46 +00:00
--yesno " This will clear all GPG keys, clear boot signatures and checksums,
\n reset the /boot device, clear/reset the TPM ( if present) ,
\n and reflash your BIOS with the cleaned configuration.
2022-11-09 16:51:27 +00:00
\n \n Do you want to proceed?" 0 80) then
2022-11-03 18:13:16 +00:00
read_rom /tmp/config-gui.rom
2019-07-09 14:02:46 +00:00
# clear local keyring
2024-10-28 20:24:35 +00:00
rm -rf /.gnupg/* || true
2019-07-09 14:02:46 +00:00
# clear /boot signatures/checksums
2024-10-28 20:24:35 +00:00
detect_boot_device
2019-07-09 14:02:46 +00:00
mount -o remount,rw /boot
2024-10-28 20:24:35 +00:00
rm -f /boot/kexec* || true
2019-07-09 14:02:46 +00:00
mount -o remount,ro /boot
2024-10-28 20:24:35 +00:00
2019-07-09 14:02:46 +00:00
# clear GPG keys and user settings
2022-10-09 21:24:16 +00:00
for i in ` cbfs.sh -o /tmp/config-gui.rom -l | grep -e "heads/" ` ; do
cbfs.sh -o /tmp/config-gui.rom -d $i
2019-07-09 14:02:46 +00:00
done
# flash cleared ROM
/bin/flash.sh -c /tmp/config-gui.rom
2024-10-28 20:24:35 +00:00
2019-07-09 14:02:46 +00:00
# reset TPM if present
tpm2-tools: Change sense of CONFIG_TPM to mean any TPM, not just TPM1.
Most logic throughout Heads doesn't need to know TPM1 versus TPM2 (and
shouldn't, the differences should be localized). Some checks were
incorrect and are fixed by this change. Most checks are now unchanged
relative to master.
There are not that many places outside of tpmr that need to
differentiate TPM1 and TPM2. Some of those are duplicate code that
should be consolidated (seal-hotpkey, unseal-totp, unseal-hotp), and
some more are probably good candidates for abstracting in tpmr so the
business logic doesn't have to know TPM1 vs. TPM2.
Previously, CONFIG_TPM could be variously 'y', 'n', or empty. Now it
is always 'y' or 'n', and 'y' means "any TPM". Board configs are
unchanged, setting CONFIG_TPM2_TOOLS=y implies CONFIG_TPM=y so this
doesn't have to be duplicated and can't be mistakenly mismatched.
There were a few checks for CONFIG_TPM = n that only coincidentally
worked for TPM2 because CONFIG_TPM was empty (not 'n'). This test is
now OK, but the checks were also cleaned up to '!= "y"' for robustness.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-02-22 21:30:07 +00:00
if [ " $CONFIG_TPM " = "y" ] ; then
2019-07-09 14:02:46 +00:00
/bin/tpm-reset
fi
whiptail --title 'Configuration Reset Updated Successfully' \
2023-06-30 18:21:11 +00:00
--msgbox "Configuration reset and BIOS updated successfully.\n\nPress Enter to reboot" 0 80
2018-12-06 18:43:34 +00:00
/bin/reboot
2019-11-18 17:13:27 +00:00
else
exit 0
2018-12-06 18:43:34 +00:00
fi
; ;
2021-09-03 21:20:46 +00:00
"R" )
2023-06-30 13:50:10 +00:00
CURRENT_OPTION = " $( load_config_value CONFIG_ROOT_DEV) "
2021-09-03 21:20:46 +00:00
fdisk -l | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" > /tmp/disklist.txt
# filter out extraneous options
> /tmp/root_device_list.txt
for i in ` cat /tmp/disklist.txt` ; do
# remove block device from list if numeric partitions exist, since not bootable
DEV_NUM_PARTITIONS = $(( ` ls -1 $i * | wc -l` - 1 ))
if [ ${ DEV_NUM_PARTITIONS } -eq 0 ] ; then
echo $i >> /tmp/root_device_list.txt
else
ls $i * | tail -${ DEV_NUM_PARTITIONS } >> /tmp/root_device_list.txt
fi
done
file_selector "/tmp/root_device_list.txt" \
2023-06-30 13:50:10 +00:00
" Choose the default root device. ${ CURRENT_OPTION : + \n \n Currently set to } $CURRENT_OPTION . " \
2021-09-03 21:20:46 +00:00
"Root Device Selection"
if [ " $FILE " = = "" ] ; then
2023-06-30 13:50:10 +00:00
break
2021-09-03 21:20:46 +00:00
else
SELECTED_FILE = $FILE
fi
2023-06-30 13:50:10 +00:00
set_config /etc/config.user "CONFIG_ROOT_DEV" " $SELECTED_FILE "
2021-09-03 21:20:46 +00:00
combine_configs
whiptail --title 'Config change successful' \
2023-06-30 18:21:11 +00:00
--msgbox " The root device was successfully changed to $SELECTED_FILE " 0 80
2021-09-03 21:20:46 +00:00
; ;
"D" )
2023-06-30 13:50:10 +00:00
CURRENT_OPTION = " $( load_config_value CONFIG_ROOT_DIRLIST) "
# Separate from prior prompt history on the terminal with two blanks
echo -e "\n"
if [ -n " $CURRENT_OPTION " ] ; then
echo -e " The current list of directories to hash is $CURRENT_OPTION "
fi
2023-06-30 16:45:06 +00:00
echo -e "Enter the new list of directories separated by spaces:"
2021-09-03 21:20:46 +00:00
echo -e "(Press enter with the list empty to cancel)"
read -r NEW_CONFIG_ROOT_DIRLIST
2023-06-30 16:45:06 +00:00
# strip any leading forward slashes
2021-09-03 21:20:46 +00:00
NEW_CONFIG_ROOT_DIRLIST = $( echo $NEW_CONFIG_ROOT_DIRLIST | sed -e 's/^\///;s/ \// /g' )
#check if list empty
2023-06-30 13:50:10 +00:00
if [ -z " $NEW_CONFIG_ROOT_DIRLIST " ] ; then
2021-09-03 21:20:46 +00:00
whiptail --title 'Config change canceled' \
2023-06-30 18:21:11 +00:00
--msgbox "Root device directory change canceled by user" 0 80
2021-09-03 21:20:46 +00:00
break
fi
2023-06-30 13:50:10 +00:00
set_config /etc/config.user "CONFIG_ROOT_DIRLIST" " $NEW_CONFIG_ROOT_DIRLIST "
2021-09-03 21:20:46 +00:00
combine_configs
whiptail --title 'Config change successful' \
2023-06-30 18:21:11 +00:00
--msgbox " The root directories to hash was successfully changed to:\n $NEW_CONFIG_ROOT_DIRLIST " 0 80
2021-09-03 21:20:46 +00:00
; ;
"B" )
2024-01-10 22:09:57 +00:00
if [ " $CONFIG_ROOT_CHECK_AT_BOOT " != "y" ] ; then
2023-06-30 13:50:10 +00:00
# Root device and directories must be set to enable this
2024-01-10 22:09:57 +00:00
if [ -z " $CONFIG_ROOT_DEV " ] || [ -z " $CONFIG_ROOT_DIRLIST " ] ; then
2024-06-06 22:59:13 +00:00
whiptail_error --title 'Root Check Not Configured' \
2023-06-30 18:21:11 +00:00
--msgbox "Set the root device and directories to hash before enabling this feature." 0 80
2023-06-30 13:50:10 +00:00
elif ( whiptail --title 'Enable Root Hash Check at Boot?' \
2021-09-03 21:20:46 +00:00
--yesno " This will enable checking root hashes each time you boot.
\n Depending on the directories you are checking, this might add
\n a minute or more to the boot time.
\n \n Do you want to proceed?" 0 80) then
2024-01-10 22:09:57 +00:00
set_user_config "CONFIG_ROOT_CHECK_AT_BOOT" "y"
2021-09-03 21:20:46 +00:00
# check that root hash file exists
if [ ! -f ${ ROOT_HASH_FILE } ] ; then
if ( whiptail --title 'Generate Root Hash File' \
--yesno " \nNo root hash file exists.
\n Would you like to create the initial hash file now?" 0 80) then
root-hashes-gui.sh -n
fi
fi
whiptail --title 'Config change successful' \
2023-06-30 18:21:11 +00:00
--msgbox "The root device will be checked at each boot." 0 80
2021-09-03 21:20:46 +00:00
fi
else
if ( whiptail --title 'Disable Root Hash Check at Boot?' \
--yesno " This will disable checking root hashes each time you boot.
\n \n Do you want to proceed?" 0 80) then
2024-01-10 22:09:57 +00:00
set_user_config "CONFIG_ROOT_CHECK_AT_BOOT" "n"
2021-09-03 21:20:46 +00:00
whiptail --title 'Config change successful' \
2023-06-30 18:21:11 +00:00
--msgbox "The root device will not be checked at each boot." 0 80
2021-09-03 21:20:46 +00:00
fi
fi
; ;
2022-03-15 17:05:04 +00:00
"P" )
2023-03-25 14:29:12 +00:00
if [ " $CONFIG_RESTRICTED_BOOT " = "y" ] ; then
2024-06-06 22:59:13 +00:00
whiptail_error --title 'Restricted Boot Active' \
2023-06-30 18:21:11 +00:00
--msgbox "Disable Restricted Boot to enable Basic Mode." 0 80
2023-06-21 18:36:28 +00:00
elif [ " $CONFIG_BASIC " != "y" ] ; then
2023-06-21 18:19:41 +00:00
if ( whiptail --title " Enable $CONFIG_BRAND_NAME Basic Mode? " \
2022-03-15 17:05:04 +00:00
--yesno " This will remove all signature checking on the firmware
\n and boot files, and disable use of the Librem Key.
\n \n Do you want to proceed?" 0 80) then
2023-06-21 18:36:28 +00:00
set_user_config "CONFIG_BASIC" "y"
2022-03-15 17:05:04 +00:00
whiptail --title 'Config change successful' \
2023-06-30 18:21:11 +00:00
--msgbox " $CONFIG_BRAND_NAME Basic mode enabled;\nsave the config change and reboot for it to go into effect. " 0 80
2022-03-15 17:05:04 +00:00
fi
else
2023-06-21 18:19:41 +00:00
if ( whiptail --title " Disable $CONFIG_BRAND_NAME Basic Mode? " \
2022-03-15 17:05:04 +00:00
--yesno " This will enable all signature checking on the firmware
\n and boot files, and enable use of the Librem Key.
\n \n Do you want to proceed?" 0 80) then
2023-06-21 18:36:28 +00:00
set_user_config "CONFIG_BASIC" "n"
2022-03-15 17:05:04 +00:00
whiptail --title 'Config change successful' \
2023-06-30 18:21:11 +00:00
--msgbox " $CONFIG_BRAND_NAME Basic mode has been disabled;\nsave the config change and reboot for it to go into effect. " 0 80
2022-03-15 17:05:04 +00:00
fi
fi
; ;
2022-10-25 22:09:15 +00:00
"L" )
2023-03-25 14:29:12 +00:00
if [ " $CONFIG_RESTRICTED_BOOT " != "y" ] ; then
2022-10-25 22:09:15 +00:00
if ( whiptail --title 'Enable Restricted Boot Mode?' \
2023-07-11 19:58:57 +00:00
--yesno " Restricted Boot allows booting:
\n * Signed installed OS
\n * Signed ISOs from USB
\n All other boot methods are blocked. Recovery console and firmware updates
\n will be blocked.
\n Restricted boot can be disabled at any time. This resets TOTP/HOTP so it
\n is evident that Restricted Boot was disabled.
\n
\n Do you want to proceed?" 0 80) then
2022-10-25 22:09:15 +00:00
2023-03-25 14:29:12 +00:00
set_user_config "CONFIG_RESTRICTED_BOOT" "y"
2022-10-25 22:09:15 +00:00
whiptail --title 'Config change successful' \
2023-06-30 18:21:11 +00:00
--msgbox "Restricted Boot mode enabled;\nsave the config change and reboot for it to go into effect." 0 80
2022-10-25 22:09:15 +00:00
fi
else
if ( whiptail --title 'Disable Restricted Boot Mode?' \
2023-07-11 19:58:57 +00:00
--yesno " This will re-enable all boot methods, the recovery console, and firmware
\n updates.
\n This will also erase the TOTP/HOTP secret.
\n Proceeding will automatically update the boot firmware and reboot!
2022-10-25 22:09:15 +00:00
\n \n Do you want to proceed?" 0 80) then
# Wipe the TPM TOTP/HOTP secret before flashing. Otherwise, enabling
# Restricted Boot again might restore the firmware to an identical
# state, and there would be no evidence that it had been temporarily
# disabled.
if ! wipe-totp >/dev/null 2>/tmp/error; then
ERROR = $( tail -n 1 /tmp/error | fold -s)
2024-06-06 22:59:13 +00:00
whiptail_error --title 'ERROR: erasing TOTP secret' \
2023-06-30 18:21:11 +00:00
--msgbox " Erasing TOTP Secret Failed\n\n ${ ERROR } " 0 80
2022-10-25 22:09:15 +00:00
exit 1
fi
# We can't allow Restricted Boot to be disabled without flashing the
# firmware - this would allow the use of unrestricted mode without
# leaving evidence in the firmware. Disable it by flashing the new
# config directly.
FLASH_USER_CONFIG = /tmp/config-gui-config-user
cp /etc/config.user " $FLASH_USER_CONFIG "
set_config " $FLASH_USER_CONFIG " "CONFIG_RESTRICTED_BOOT" "n"
read_rom /tmp/config-gui.rom
replace_rom_file /tmp/config-gui.rom "heads/initrd/etc/config.user" " $FLASH_USER_CONFIG "
/bin/flash.sh /tmp/config-gui.rom
whiptail --title 'BIOS Updated Successfully' \
2023-06-30 18:21:11 +00:00
--msgbox "BIOS updated successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 0 80
2022-10-25 22:09:15 +00:00
/bin/reboot
fi
fi
; ;
2022-01-07 19:30:57 +00:00
"J" )
2023-03-25 14:29:12 +00:00
if [ " $CONFIG_USE_BLOB_JAIL " != "y" ] ; then
2022-01-07 19:30:57 +00:00
if ( whiptail --title 'Enable Firmware Blob Jail?' \
--yesno " This will enable loading of firmware from flash on each boot
\n \n Do you want to proceed?" 0 80) then
2023-03-25 14:29:12 +00:00
set_user_config "CONFIG_USE_BLOB_JAIL" "y"
2022-01-07 19:30:57 +00:00
whiptail --title 'Config change successful' \
2023-06-30 18:21:11 +00:00
--msgbox "Firmware Blob Jail use has been enabled;\nsave the config change and reboot for it to go into effect." 0 80
2022-01-07 19:30:57 +00:00
fi
else
if ( whiptail --title 'Disable Firmware Blob Jail?' \
--yesno " This will disable loading of firmware from flash on each boot.
\n \n Do you want to proceed?" 0 80) then
2023-03-25 14:29:12 +00:00
set_user_config "CONFIG_USE_BLOB_JAIL" "n"
2022-01-07 19:30:57 +00:00
whiptail --title 'Config change successful' \
2023-06-30 18:21:11 +00:00
--msgbox "Firmware Blob Jail use has been disabled;\nsave the config change and reboot for it to go into effect." 0 80
2022-01-07 19:30:57 +00:00
fi
fi
; ;
2024-01-05 21:45:48 +00:00
"M" )
if [ -z " $CONFIG_AUTO_BOOT_TIMEOUT " ] ; then
current_msg = "Automatic boot is currently disabled."
elif [ " $CONFIG_AUTO_BOOT_TIMEOUT " = 1 ] ; then
current_msg = "Currently boots automatically after 1 second."
else
current_msg = " Currently boots automatically after $CONFIG_AUTO_BOOT_TIMEOUT seconds. "
fi
whiptail --title "Automatic Boot" \
--menu " $CONFIG_BRAND_NAME can boot automatically. Select the amount of time to wait\nbefore booting.\n\n $current_msg " 0 80 10 \
"0" "Don't boot automatically" \
"1" "1 second" \
"5" "5 seconds" \
"10" "10 seconds" \
"C" "Cancel" \
2>/tmp/whiptail
new_setting = " $( cat /tmp/whiptail) "
if ! [ " $new_setting " = "C" ] ; then
if [ " $new_setting " = "0" ] ; then
new_setting = # Empty disables automatic boot
current_msg = " $CONFIG_BRAND_NAME will not boot automatically. "
elif [ " $new_setting " = "1" ] ; then
current_msg = " $CONFIG_BRAND_NAME will boot automatically after 1 second. "
else
current_msg = " $CONFIG_BRAND_NAME will boot automatically after $new_setting seconds. "
fi
set_user_config "CONFIG_AUTO_BOOT_TIMEOUT" " $new_setting "
whiptail --title 'Config change successful' \
--msgbox " $current_msg \nSave the config change and reboot for it to go into effect. " 0 80
fi
; ;
2022-03-15 17:05:04 +00:00
"A" )
2023-03-25 14:29:12 +00:00
if [ " $CONFIG_BASIC_NO_AUTOMATIC_DEFAULT " != "y" ] ; then
2022-03-15 17:05:04 +00:00
if ( whiptail --title 'Disable automatic default boot?' \
--yesno " You will need to select a default boot option.
\n If the boot options are changed, such as for an OS update,
\n you will be prompted to select a new default.
\n \n Do you want to proceed?" 0 80) then
2023-03-25 14:29:12 +00:00
set_user_config "CONFIG_BASIC_NO_AUTOMATIC_DEFAULT" "y"
2022-03-15 17:05:04 +00:00
whiptail --title 'Config change successful' \
2023-06-30 18:21:11 +00:00
--msgbox "Automatic default boot disabled;\nsave the config change and reboot for it to go into effect." 0 80
2022-03-15 17:05:04 +00:00
fi
else
if ( whiptail --title 'Enable automatic default boot?' \
--yesno " The first boot option will be used automatically.
\n \n Do you want to proceed?" 0 80) then
2023-03-25 14:29:12 +00:00
set_user_config "CONFIG_BASIC_NO_AUTOMATIC_DEFAULT" "n"
2022-03-15 17:05:04 +00:00
whiptail --title 'Config change successful' \
2023-06-30 18:21:11 +00:00
--msgbox "Automatic default boot enabled;\nsave the config change and reboot for it to go into effect." 0 80
2022-03-15 17:05:04 +00:00
fi
fi
; ;
2022-11-09 20:03:53 +00:00
"U" )
2023-03-25 14:29:12 +00:00
if [ " $CONFIG_BASIC_USB_AUTOBOOT " != "y" ] ; then
2022-11-09 20:03:53 +00:00
if ( whiptail --title 'Enable USB automatic boot?' \
--yesno " During boot, an attached bootable USB disk will be booted
\n by default instead of the installed operating system.
\n \n Do you want to proceed?" 0 80) then
2023-03-25 14:29:12 +00:00
set_user_config "CONFIG_BASIC_USB_AUTOBOOT" "y"
2022-11-09 20:03:53 +00:00
whiptail --title 'Config change successful' \
2023-06-30 18:21:11 +00:00
--msgbox "USB automatic boot enabled;\nsave the config change and reboot for it to go into effect." 0 80
2022-11-09 20:03:53 +00:00
fi
else
if ( whiptail --title 'Disable USB automatic boot?' \
--yesno " USB disks will no longer be booted by default.
\n \n Do you want to proceed?" 0 80) then
2023-03-25 14:29:12 +00:00
set_user_config "CONFIG_BASIC_USB_AUTOBOOT" "n"
2022-11-09 20:03:53 +00:00
whiptail --title 'Config change successful' \
2023-06-30 18:21:11 +00:00
--msgbox "USB automatic boot disabled;\nsave the config change and reboot for it to go into effect." 0 80
2022-11-09 20:03:53 +00:00
fi
fi
; ;
2022-11-28 20:17:02 +00:00
"N" )
2023-03-25 14:29:12 +00:00
if [ " $CONFIG_AUTOMATIC_POWERON " != "y" ] ; then
2022-11-28 20:17:02 +00:00
if ( whiptail --title 'Enable automatic power-on?' \
--yesno " The system will boot automatically when power is applied.
\n \n Do you want to proceed?" 0 80) then
2023-03-25 14:29:12 +00:00
set_user_config "CONFIG_AUTOMATIC_POWERON" "y"
2022-11-28 20:17:02 +00:00
whiptail --title 'Config change successful' \
2023-06-30 18:21:11 +00:00
--msgbox "Automatic power-on enabled;\nsave the config change and reboot for it to go into effect." 0 80
2022-11-28 20:17:02 +00:00
fi
else
if ( whiptail --title 'Disable automatic power-on?' \
--yesno " The system will stay off when power is applied.
\n \n Do you want to proceed?" 0 80) then
2023-03-25 14:29:12 +00:00
set_user_config "CONFIG_AUTOMATIC_POWERON" "n"
2022-11-28 20:17:02 +00:00
2023-03-25 14:49:15 +00:00
# Disable the EC BRAM setting too, otherwise it persists until
# manually disabled. On the off chance the user does not actually
# flash this change, we'll enable it again during boot.
set_ec_poweron.sh n
2022-11-28 20:17:02 +00:00
whiptail --title 'Config change successful' \
2023-06-30 18:21:11 +00:00
--msgbox "Automatic power-on disabled;\nsave the config change and reboot for it to go into effect." 0 80
2022-11-28 20:17:02 +00:00
fi
fi
; ;
2024-01-09 14:43:28 +00:00
"K" )
if [ " $CONFIG_USER_USB_KEYBOARD " != "y" ] ; then
if ( whiptail --title 'Enable USB Keyboard?' \
--yesno " USB keyboards will be usable in $CONFIG_BRAND_NAME .
2024-01-31 14:58:35 +00:00
\n \n Enabling USB keyboards could allow a compromised USB device to control
2024-01-09 14:43:28 +00:00
\n $CONFIG_BRAND_NAME .
\n \n Do you want to proceed?" 0 80) then
set_user_config "CONFIG_USER_USB_KEYBOARD" "y"
whiptail --title 'Config change successful' \
--msgbox "USB Keyboard support has been enabled;\nsave the config change and reboot for it to go into effect." 0 80
fi
else
if ( whiptail --title 'Disable USB Keyboard?' \
--yesno " Only the built-in keyboard will be usable in $CONFIG_BRAND_NAME .
\n \n Do you want to proceed?" 0 80) then
set_user_config "CONFIG_USER_USB_KEYBOARD" "n"
whiptail --title 'Config change successful' \
--msgbox "USB Keyboard support has been disabled;\nsave the config change and reboot for it to go into effect." 0 80
fi
fi
; ;
2023-08-25 17:39:04 +00:00
"Z" )
if [ " $CONFIG_DEBUG_OUTPUT " != "y" ] ; then
if ( whiptail --title 'Enable Debugging and Tracing output?' \
--yesno " This will enable DEBUG and TRACE output from scripts.
\n \n Do you want to proceed?" 0 80) then
set_user_config "CONFIG_DEBUG_OUTPUT" "y"
set_user_config "CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" "y"
whiptail --title 'Config change successful' \
--msgbox "Debugging and Tracing output enabled;\nsave the config change and reboot for it to go into effect." 0 80
fi
else
if ( whiptail --title 'Disable Enable Debugging and Tracing output?' \
--yesno " This will disable DEBUG and TRACE output from scripts.
\n \n Do you want to proceed?" 0 80) then
set_user_config "CONFIG_DEBUG_OUTPUT" "n"
set_user_config "CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" "n"
whiptail --title 'Config change successful' \
--msgbox "Debugging and Tracing output disabled;\nsave the config change and reboot for it to go into effect." 0 80
fi
fi
2018-12-06 18:43:34 +00:00
esac
done
exit 0
