diff --git a/initrd/bin/kexec-save-default b/initrd/bin/kexec-save-default index 0008db37..e7c88be0 100755 --- a/initrd/bin/kexec-save-default +++ b/initrd/bin/kexec-save-default @@ -3,7 +3,7 @@ set -e -o pipefail . /etc/functions -while getopts "b:d:p:e:i:" arg; do +while getopts "b:d:p:i:" arg; do case $arg in b) bootdir="$OPTARG" ;; d) paramsdev="$OPTARG" ;; @@ -41,6 +41,37 @@ if [ -z "$entry" ]; then die "Invalid menu index $index" fi +KEY_DEVICE_FILE="$paramsdir/kexec_key_devices.txt" +if [ ! -r "$KEY_DEVICE_FILE" ]; then + read \ + -n 1 \ + -p "Do you wish to add a disk encryption to the TPM [y/N]: " \ + add_key_confirm + echo + + if [ "$add_key_confirm" = "y" \ + -o "$add_key_confirm" = "Y" ] \ + ; then + read \ + -p "Encrypted LVM group? (e.g. qubes_dom0 or blank): " \ + lvm_volume_group + + read \ + -p "Encrypted devices? (e.g. /dev/sda2 or blank): " \ + key_devices + + save_key_params="-s -p $paramsdev" + if [ -n "$lvm_volume_group" ]; then + save_key_params="$save_key_params -l $lvm_volume_group $key_devices" + else + save_key_params="$save_key_params $key_devices" + fi + echo "Running kexec-save-key with params: $save_key_params" + kexec-save-key $save_key_params \ + || die "Failed to save the disk key" + fi +fi + # try to switch to rw mode mount -o rw,remount $paramsdev diff --git a/initrd/bin/kexec-save-key b/initrd/bin/kexec-save-key index 6b3ec4e5..2ea17f63 100755 --- a/initrd/bin/kexec-save-key +++ b/initrd/bin/kexec-save-key @@ -4,8 +4,10 @@ set -e -o pipefail . /etc/functions lvm_volume_group="" -while getopts "p:d:l:" arg; do +skip_sign="n" +while getopts "sp:d:l:" arg; do case $arg in + s) skip_sign="y" ;; p) paramsdir="$OPTARG" ;; d) paramsdev="$OPTARG" ;; l) lvm_volume_group="$OPTARG" ;; @@ -15,7 +17,7 @@ shift `expr $OPTIND - 1` key_devices="$@" if [ -z "$paramsdir" ]; then - die "Usage: $0 -p /boot [-l qubes_dom0] [/dev/sda2 /dev/sda5 ...] " + die "Usage: $0 [-s] -p /boot [-l qubes_dom0] [/dev/sda2 /dev/sda5 ...] " fi if [ -z "$paramsdev" ]; then @@ -58,9 +60,11 @@ done kexec-seal-key $paramsdir \ || die "Failed to save and generate key in TPM" -# sign and auto-roll config counter -kexec-sign-config -p $paramsdir -u \ -|| die "Failed to sign updated config" +if [ "$skip_sign" != "y" ]; then + # sign and auto-roll config counter + kexec-sign-config -p $paramsdir -u \ + || die "Failed to sign updated config" +fi # switch back to ro mode mount -o ro,remount $paramsdev diff --git a/initrd/bin/kexec-sign-config b/initrd/bin/kexec-sign-config index a409d521..bf47d804 100755 --- a/initrd/bin/kexec-sign-config +++ b/initrd/bin/kexec-sign-config @@ -54,6 +54,8 @@ for tries in 1 2 3; do -a \ > $paramsdir/kexec.sig \ ; then + # successful - update the validated params + check_config $paramsdir exit 0 fi done diff --git a/initrd/bin/usb-scan b/initrd/bin/usb-scan index 3d0995fe..aa5b7d7f 100755 --- a/initrd/bin/usb-scan +++ b/initrd/bin/usb-scan @@ -7,13 +7,13 @@ set -e -o pipefail # Unmount any previous boot device if grep -q /boot /proc/mounts ; then umount /boot \ - || die '$CONFIG_USB_BOOT_DEV: Unable to unmount /boot' + || die "Unable to unmount /boot" fi # Mount the USB boot device if ! grep -q /media /proc/mounts ; then mount-usb "$CONFIG_USB_BOOT_DEV" \ - || die '$CONFIG_USB_BOOT_DEV: Unable to mount /media' + || die "Unable to mount /media" fi # Check for ISO first diff --git a/initrd/etc/functions b/initrd/etc/functions index 59aabdbb..eb8a7289 100755 --- a/initrd/etc/functions +++ b/initrd/etc/functions @@ -70,6 +70,19 @@ confirm_totp() confirm_gpg_card() { + read \ + -n 1 \ + -p "Please confirm that your GPG card is inserted [Y/n]: " \ + card_confirm + echo + + if [ "$card_confirm" != "y" \ + -a "$card_confirm" != "Y" \ + -a -n "$card_confirm" ] \ + ; then + die "gpg card not confirmed" + fi + # setup the USB so we can reach the GPG card if ! lsmod | grep -q ehci_hcd; then insmod /lib/modules/ehci-hcd.ko \