Colorize warning and error messages in fbwhiptail

Since fbwhiptail allows us to customize the background colors, we should
colorize warnings and error messages to provide a user with an
additional subtle cue that there might be a problem. I have added two
additional configuration options:

CONFIG_WARNING_BG_COLOR
CONFIG_ERROR_BG_COLOR

and in the librem13v2.config file you can see an example for how to set
them to be yellow and red gradients, respectively. I've also updated the
main two scripts that use whiptail to include those background colors.

If you decide to use regular whiptail, just don't set these config
options and it should behave as expected.

boards/librem13v2/librem13v2.config

@@ -31,3 +31,5 @@ export CONFIG_BOOT_KERNEL_REMOVE=""
 export CONFIG_BOOT_DEV="/dev/sda1"
 export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 13v2 Heads Boot Menu"
 export CONFIG_USB_BOOT_DEV="/dev/sdb1"
+export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0"
+export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0"

initrd/bin/gui-init

@@ -25,7 +25,7 @@ verify_global_hashes()
   if cd /boot && sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output ; then
     return 0
   elif [ ! -f $TMP_HASH_FILE ]; then
-    if (whiptail --clear --title 'ERROR: Missing Hash File!' \
+    if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Missing Hash File!' \
       --yesno "The file containing hashes for /boot is missing!\n\nIf you are setting this system up for the first time, select Yes to update your list of checksums.\n\nOtherwise this could indicate a compromise and you should select No to return to the main menu.\n\nWould you like to update your checksums now?" 30 80) then
       update_checksums
     fi
@@ -53,7 +53,7 @@ verify_global_hashes()
       TEXT="The following files failed the verification process:\n${CHANGED_FILES}\n\nThis could indicate a compromise!\n\nWould you like to update your checksums now?"
     fi
 
-    if (whiptail --clear --title 'ERROR: Boot Hash Mismatch' --yesno "$TEXT" 30 80) then
+    if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Boot Hash Mismatch' --yesno "$TEXT" 30 80) then
       update_checksums
     fi
     return 1
@@ -104,7 +104,7 @@ while true; do
     last_half=$half;
     TOTP=`unseal-totp`
     if [ $? -ne 0 ]; then
-      whiptail --clear --title "ERROR: TOTP Generation Failed!" \
+      whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: TOTP Generation Failed!" \
         --menu "ERROR: Heads couldn't generate the TOTP code.\n\nIf you have just reflashed your BIOS, you will need to generate a new TOTP secret.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nIf this is the first time the system has booted, you should reset the TPM and set your own password\n\nHow would you like to proceed?" 30 80 4 \
         'g' ' Generate new TOTP secret' \
         'i' ' Ignore error and continue to default boot menu' \
@@ -163,7 +163,7 @@ while true; do
   fi
 
   if [ "$totp_confirm" = "n" ]; then
-    if (whiptail --title "TOTP code mismatched" \
+    if (whiptail $CONFIG_WARNING_BG_COLOR --title "TOTP code mismatched" \
       --yesno "TOTP code mismatches could indicate either TPM tampering or clock drift:\n\nTo correct clock drift: 'date -s HH:MM:SS'\nand save it to the RTC: 'hwclock -w'\nthen reboot and try again.\n\nWould you like to exit to a recovery console?" 30 80) then
       echo ""
       echo "To correct clock drift: 'date -s HH:MM:SS'"
@@ -230,7 +230,7 @@ while true; do
 
   if [ "$totp_confirm" = "i" ]; then
     # Run the menu selection in "force" mode, bypassing hash checks
-    if (whiptail --title 'Unsafe Forced Boot Selected!' \
+    if (whiptail $CONFIG_WARNING_BG_COLOR --title 'Unsafe Forced Boot Selected!' \
         --yesno "WARNING: You have chosen to skip all tamper checks and boot anyway.\n\nThis is an unsafe option!\n\nDo you want to proceed?" 16 80) then
       mount_boot
       kexec-select-boot -m -b /boot -c "grub.cfg" -g -f

initrd/bin/kexec-select-boot

@@ -57,7 +57,7 @@ verify_global_hashes()
 	else
 		if [ "$gui_menu" = "y" ]; then
 			CHANGED_FILES=$(grep -v 'OK$' /tmp/hash_output | cut -f1 -d ':')
-			whiptail --title 'ERROR: Boot Hash Mismatch' \
+			whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Boot Hash Mismatch' \
 				--msgbox "The following files failed the verification process:\n${CHANGED_FILES}\nExiting to a recovery shell" 16 60
 		fi
 		die "$TMP_HASH_FILE: boot hash mismatch"
@@ -211,7 +211,7 @@ default_select() {
 	option=`head -n $default_index $TMP_MENU_FILE | tail -1`
 	if [ "$option" != "$expectedoption" ]; then
 		if [ "$gui_menu" = "y" ]; then
-			whiptail --title 'ERROR: Boot Entry Has Changed' \
+			whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Boot Entry Has Changed' \
 				--msgbox "The list of boot entries has changed\n\nPlease set a new default" 16 60
 		fi
 		warn "!!! Boot entry has changed - please set a new default"
@@ -228,7 +228,7 @@ default_select() {
 	else
 		if [ "$gui_menu" = "y" ]; then
 			CHANGED_FILES=$(grep -v 'OK$' /tmp/hash_output | cut -f1 -d ':')
-			whiptail --title 'ERROR: Default Boot Hash Mismatch' \
+			whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Default Boot Hash Mismatch' \
 				--msgbox "The following files failed the verification process:\n${CHANGED_FILES}\nExiting to a recovery shell" 16 60
 		fi
 		die "!!! $TMP_DEFAULT_HASH_FILE: default boot hash mismatch"