ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2025-01-31 00:24:17 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

gui-init: refactor into functions

Browse Source 
Break menus and menu items into functions where possible.
Improves readability of code / functional flow, and
makes future refactoring easier.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
This commit is contained in:
Matt DeVillier 2021-09-22 12:17:04 -05:00 committed by tlaurion
parent e6d6594e67
commit 1f27dea220
1 changed files with 259 additions and 196 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

375
initrd/bin/gui-init
View File

@ -124,6 +124,67 @@ generate_totp_htop()
fi
}
update_totp()
{
# update the TOTP code every thirty seconds
date=`date "+%Y-%m-%d %H:%M:%S"`
seconds=`date "+%s"`
half=`expr \( $seconds % 60 \) / 30`
if [ "$CONFIG_TPM" = n ]; then
TOTP="NO TPM"
elif [ "$half" != "$last_half" ]; then
last_half=$half;
TOTP=`unseal-totp`
if [ $? -ne 0 ]; then
whiptail $BG_COLOR_ERROR --clear --title "ERROR: TOTP Generation Failed!" \
--menu " ERROR: Heads couldn't generate the TOTP code.\n
If you have just completed a Factory Reset, or just reflashed
your BIOS, you should generate a new HOTP/TOTP secret.\n
If this is the first time the system has booted, you should
reset the TPM and set your own password.\n
If you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n
How would you like to proceed?" 30 90 4 \
'g' ' Generate new HOTP/TOTP secret' \
'i' ' Ignore error and continue to main menu' \
'p' ' Reset the TPM' \
'x' ' Exit to recovery shell' \
2>/tmp/whiptail || recovery "GUI menu failed"
totp_confirm=$(cat /tmp/whiptail)
fi
fi
}
update_hotp()
{
if [ -x /bin/hotp_verification ]; then
HOTP=`unseal-hotp`
enable_usb
if ! hotp_verification info ; then
whiptail $BG_COLOR_WARNING --clear \
--title "WARNING: Please Insert Your $HOTPKEY_BRANDING" \
--msgbox "Your $HOTPKEY_BRANDING was not detected.\n\nPlease insert your $HOTPKEY_BRANDING" 30 90
fi
# Don't output HOTP codes to screen, so as to make replay attacks harder
hotp_verification check $HOTP
case "$?" in
0 )
HOTP="Success"
;;
4 )
HOTP="Invalid code"
MAIN_MENU_BG_COLOR=$BG_COLOR_ERROR
;;
* )
HOTP="Error checking code, Insert $HOTPKEY_BRANDING and retry"
MAIN_MENU_BG_COLOR=$BG_COLOR_WARNING
;;
esac
else
HOTP='N/A'
fi
}
clean_boot_check()
{
# assume /boot mounted
@ -153,28 +214,8 @@ clean_boot_check()
"Clean Boot Detected - Perform OEM Factory Reset?" "$BG_COLOR_WARNING"
}
if detect_boot_device ; then
# /boot device with installed OS found
clean_boot_check
else
# can't determine /boot device or no OS installed,
# so fall back to interactive selection
mount_boot
fi
# Use stored HOTP key branding
if [ -r /boot/kexec_hotp_key ]; then
HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)"
else
HOTPKEY_BRANDING="HOTP USB Security Dongle"
fi
last_half=X
while true; do
MAIN_MENU_OPTIONS=""
MAIN_MENU_BG_COLOR=""
unset totp_confirm
# detect whether any GPG keys exist in the keyring, if not, initialize that first
check_gpg_key()
{
GPG_KEY_COUNT=`gpg -k 2>/dev/null | wc -l`
if [ $GPG_KEY_COUNT -eq 0 ]; then
whiptail $BG_COLOR_ERROR --clear --title "ERROR: GPG keyring empty!" \
@ -186,65 +227,10 @@ while true; do
totp_confirm=$(cat /tmp/whiptail)
fi
if [ "$totp_confirm" = "i" -o -z "$totp_confirm" ]; then
# update the TOTP code every thirty seconds
date=`date "+%Y-%m-%d %H:%M:%S"`
seconds=`date "+%s"`
half=`expr \( $seconds % 60 \) / 30`
if [ "$CONFIG_TPM" = n ]; then
TOTP="NO TPM"
elif [ "$half" != "$last_half" ]; then
last_half=$half;
TOTP=`unseal-totp`
if [ $? -ne 0 ]; then
whiptail $BG_COLOR_ERROR --clear --title "ERROR: TOTP Generation Failed!" \
--menu " ERROR: Heads couldn't generate the TOTP code.\n
If you have just completed a Factory Reset, or just reflashed
your BIOS, you should generate a new HOTP/TOTP secret.\n
If this is the first time the system has booted, you should
reset the TPM and set your own password.\n
If you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n
How would you like to proceed?" 30 90 4 \
'g' ' Generate new HOTP/TOTP secret' \
'i' ' Ignore error and continue to main menu' \
'p' ' Reset the TPM' \
'x' ' Exit to recovery shell' \
2>/tmp/whiptail || recovery "GUI menu failed"
}
totp_confirm=$(cat /tmp/whiptail)
fi
fi
fi
if [ "$totp_confirm" = "i" -o -z "$totp_confirm" ]; then
if [ -x /bin/hotp_verification ]; then
HOTP=`unseal-hotp`
enable_usb
if ! hotp_verification info ; then
whiptail $BG_COLOR_WARNING --clear \
--title "WARNING: Please Insert Your $HOTPKEY_BRANDING" \
--msgbox "Your $HOTPKEY_BRANDING was not detected.\n\nPlease insert your $HOTPKEY_BRANDING" 30 90
fi
# Don't output HOTP codes to screen, so as to make replay attacks harder
hotp_verification check $HOTP
case "$?" in
0 )
HOTP="Success"
;;
4 )
HOTP="Invalid code"
MAIN_MENU_BG_COLOR=$BG_COLOR_ERROR
;;
* )
HOTP="Error checking code, Insert $HOTPKEY_BRANDING and retry"
MAIN_MENU_BG_COLOR=$BG_COLOR_WARNING
;;
esac
else
HOTP='N/A'
fi
if [[ "$HOTP" = "Success" && $CONFIG_AUTO_BOOT_TIMEOUT && $first_pass = true ]]; then
prompt_auto_default_boot()
{
# save IFS before changing, restore after read
IFS_DEF=$IFS
IFS=''
@ -258,9 +244,10 @@ while true; do
echo -e "\n\nAttempting default boot...\n\n"
fi
IFS=$IFS_DEF
fi
}
if [ "$totp_confirm" != "y" -o -z "$totp_confirm" ]; then
show_main_menu()
{
whiptail $MAIN_MENU_BG_COLOR --clear --title "$MAIN_MENU_TITLE" \
--menu "$date\nTOTP: $TOTP | HOTP: $HOTP" 20 90 10 \
'y' ' Default boot' \
@ -271,10 +258,10 @@ while true; do
2>/tmp/whiptail || recovery "GUI menu failed"
totp_confirm=$(cat /tmp/whiptail)
fi
fi
}
if [ "$totp_confirm" = "a" ]; then
show_options_menu()
{
whiptail --clear --title "HEADS Options" \
--menu "" 20 90 10 \
'o' ' Boot Options -->' \
@ -289,9 +276,10 @@ while true; do
2>/tmp/whiptail || recovery "GUI menu failed"
totp_confirm=$(cat /tmp/whiptail)
fi
}
if [ "$totp_confirm" = "o" ]; then
show_boot_options_menu()
{
whiptail --clear --title "Boot Options" \
--menu "Select A Boot Option" 20 90 10 \
'm' ' Show OS boot menu' \
@ -301,9 +289,10 @@ while true; do
2>/tmp/whiptail || recovery "GUI menu failed"
totp_confirm=$(cat /tmp/whiptail)
fi
}
if [ "$totp_confirm" = "t" ]; then
show_tpm_totp_hotp_options_menu()
{
whiptail --clear --title "TPM/TOTP/HOTP Options" \
--menu "Select An Option" 20 90 10 \
'g' ' Generate new TOTP/HOTP secret' \
@ -313,17 +302,10 @@ while true; do
2>/tmp/whiptail || recovery "GUI menu failed"
totp_confirm=$(cat /tmp/whiptail)
fi
}
if [ "$totp_confirm" = "x" ]; then
recovery "User requested recovery shell"
fi
if [ "$totp_confirm" = "r" ]; then
continue
fi
if [ "$totp_confirm" = "n" ]; then
prompt_totp_mismatch()
{
if (whiptail $BG_COLOR_WARNING --title "TOTP/HOTP code mismatched" \
--yesno "TOTP/HOTP code mismatches could indicate either TPM tampering or clock drift:\n\nTo correct clock drift: 'date -s HH:MM:SS'\nand save it to the RTC: 'hwclock -w'\nthen reboot and try again.\n\nWould you like to exit to a recovery console?" 30 90) then
echo ""
@ -332,27 +314,11 @@ while true; do
echo "then reboot and try again"
echo ""
recovery "TOTP/HOTP mismatch"
else
continue
fi
fi
}
if [ "$totp_confirm" = "u" ]; then
exec /bin/usb-init
continue
fi
if [ "$totp_confirm" = "g" ]; then
if (whiptail --title 'Generate new TOTP/HOTP secret' \
--yesno "This will erase your old secret and replace it with a new one!\n\nDo you want to proceed?" 16 90) then
generate_totp_htop
else
echo "Returning to the main menu"
fi
continue
fi
if [ "$totp_confirm" = "p" ]; then
reset_tpm()
{
if [ "$CONFIG_TPM" = "y" ]; then
if (whiptail --title 'Reset the TPM' \
--yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 16 90) then
@ -382,29 +348,148 @@ while true; do
else
whiptail --clear --title 'ERROR: No TPM Detected' --msgbox "This device does not have a TPM.\n\nPress OK to return to the Main Menu" 30 90
fi
}
show_system_info()
{
memtotal=$(cat /proc/meminfo | grep 'MemTotal' | tr -s ' ' | cut -f2 -d ' ')
memtotal=$((${memtotal} / 1024 / 1024 + 1))
cpustr=$(cat /proc/cpuinfo | grep 'model name' | uniq | sed -r 's/\(R\)//;s/\(TM\)//;s/CPU //;s/model name.*: //')
kernel=$(uname -s -r)
whiptail --title 'System Info' \
--msgbox "${BOARD_NAME}\n\nFW_VER: ${FW_VER}\nKernel: ${kernel}\n\nCPU: ${cpustr}\nRAM: ${memtotal} GB\n\n$(fdisk -l | grep -e '/dev/sd.:' -e '/dev/nvme.*:' | sed 's/B,.*/B/')" 16 60
}
select_os_boot_option()
{
mount_boot
if verify_global_hashes ; then
kexec-select-boot -m -b /boot -c "grub.cfg" -g
fi
}
attempt_default_boot()
{
mount_boot
if ! verify_global_hashes; then
return
fi
DEFAULT_FILE=`find /boot/kexec_default.*.txt 2>/dev/null | head -1`
if [ -r "$DEFAULT_FILE" ]; then
kexec-select-boot -b /boot -c "grub.cfg" -g \
|| recovery "Failed default boot"
elif (whiptail --title 'No Default Boot Option Configured' \
--yesno "There is no default boot option configured yet.\nWould you like to load a menu of boot options?\nOtherwise you will return to the main menu." 16 90) then
kexec-select-boot -m -b /boot -c "grub.cfg" -g
fi
}
force_unsafe_boot()
{
# Run the menu selection in "force" mode, bypassing hash checks
if (whiptail $BG_COLOR_WARNING --title 'Unsafe Forced Boot Selected!' \
--yesno "WARNING: You have chosen to skip all tamper checks and boot anyway.\n\nThis is an unsafe option!\n\nDo you want to proceed?" 16 90) then
mount_boot && kexec-select-boot -m -b /boot -c "grub.cfg" -g -f
fi
}
# gui-init start
if detect_boot_device ; then
# /boot device with installed OS found
clean_boot_check
else
# can't determine /boot device or no OS installed,
# so fall back to interactive selection
mount_boot
fi
# Use stored HOTP key branding
if [ -r /boot/kexec_hotp_key ]; then
HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)"
else
HOTPKEY_BRANDING="HOTP USB Security Dongle"
fi
last_half=X
while true; do
MAIN_MENU_OPTIONS=""
MAIN_MENU_BG_COLOR=""
unset totp_confirm
# detect whether any GPG keys exist in the keyring, if not, initialize that first
check_gpg_key
if [ "$totp_confirm" = "i" -o -z "$totp_confirm" ]; then
update_totp
fi
if [ "$totp_confirm" = "i" -o -z "$totp_confirm" ]; then
update_hotp
if [[ "$HOTP" = "Success" && $CONFIG_AUTO_BOOT_TIMEOUT && $first_pass = true ]]; then
prompt_auto_default_boot
fi
if [ "$totp_confirm" != "y" -o -z "$totp_confirm" ]; then
show_main_menu
fi
fi
if [ "$totp_confirm" = "a" ]; then
show_options_menu
fi
if [ "$totp_confirm" = "o" ]; then
show_boot_options_menu
fi
if [ "$totp_confirm" = "t" ]; then
show_tpm_totp_hotp_options_menu
fi
if [ "$totp_confirm" = "x" ]; then
recovery "User requested recovery shell"
fi
if [ "$totp_confirm" = "r" ]; then
continue
fi
if [ "$totp_confirm" = "n" ]; then
prompt_totp_mismatch
continue
fi
if [ "$totp_confirm" = "u" ]; then
exec /bin/usb-init
continue
fi
if [ "$totp_confirm" = "g" ]; then
if (whiptail --title 'Generate new TOTP/HOTP secret' \
--yesno "This will erase your old secret and replace it with a new one!\n\nDo you want to proceed?" 16 90) then
generate_totp_htop
else
echo "Returning to the main menu"
fi
continue
fi
if [ "$totp_confirm" = "p" ]; then
reset_tpm
continue
fi
if [ "$totp_confirm" = "m" ]; then
# Try to select a kernel from the menu
mount_boot
verify_global_hashes
if [ $? -ne 0 ]; then
continue
fi
kexec-select-boot -m -b /boot -c "grub.cfg" -g
select_os_boot_option
continue
fi
if [ "$totp_confirm" = "i" ]; then
# Run the menu selection in "force" mode, bypassing hash checks
if (whiptail $BG_COLOR_WARNING --title 'Unsafe Forced Boot Selected!' \
--yesno "WARNING: You have chosen to skip all tamper checks and boot anyway.\n\nThis is an unsafe option!\n\nDo you want to proceed?" 16 90) then
mount_boot
kexec-select-boot -m -b /boot -c "grub.cfg" -g -f
else
echo "Returning to the main menu"
fi
force_unsafe_boot
continue
fi
@ -429,12 +514,7 @@ while true; do
fi
if [ "$totp_confirm" = "S" ]; then
memtotal=$(cat /proc/meminfo | grep 'MemTotal' | tr -s ' ' | cut -f2 -d ' ')
memtotal=$((${memtotal} / 1024 / 1024 + 1))
cpustr=$(cat /proc/cpuinfo | grep 'model name' | uniq | sed -r 's/\(R\)//;s/\(TM\)//;s/CPU //;s/model name.*: //')
kernel=$(uname -s -r)
whiptail --title 'System Info' \
--msgbox "${BOARD_NAME}\n\nFW_VER: ${FW_VER}\nKernel: ${kernel}\n\nCPU: ${cpustr}\nRAM: ${memtotal} GB\n\n$(fdisk -l | grep -e '/dev/sd.:' -e '/dev/nvme.*:' | sed 's/B,.*/B/')" 16 60
show_system_info
continue
fi
@ -449,24 +529,7 @@ while true; do
if [ "$totp_confirm" = "y" -o -n "$totp_confirm" ]; then
# Try to boot the default
mount_boot
verify_global_hashes
if [ $? -ne 0 ]; then
continue
fi
DEFAULT_FILE=`find /boot/kexec_default.*.txt 2>/dev/null | head -1`
if [ -r "$DEFAULT_FILE" ]; then
kexec-select-boot -b /boot -c "grub.cfg" -g \
|| recovery "Failed default boot"
else
if (whiptail --title 'No Default Boot Option Configured' \
--yesno "There is no default boot option configured yet.\nWould you like to load a menu of boot options?\nOtherwise you will return to the main menu." 16 90) then
kexec-select-boot -m -b /boot -c "grub.cfg" -g
else
echo "Returning to the main menu"
fi
continue
fi
attempt_default_boot
fi
done