From 2f9c201f3e9f20c93e432326c0ddfdb19229b02a Mon Sep 17 00:00:00 2001
From: Kyle Rankin
Date: Thu, 6 Dec 2018 10:43:34 -0800
Subject: [PATCH] Add a configuration GUI script

This change will add a new GUI script that will allow users to change their running configuration (currently just /boot and USB boot options) and optionally persist that modified configuration with reflashing the BIOS with a modified cbfs.
---
 initrd/bin/config-gui.sh | 135 +++++++++++++++++++++++++++++++++++++++
 initrd/bin/gui-init | 6 ++
 2 files changed, 141 insertions(+)
 create mode 100755 initrd/bin/config-gui.sh
diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh
new file mode 100755
index 00000000..c716a77d
--- /dev/null
+++ b/initrd/bin/config-gui.sh
@@ -0,0 +1,135 @@
+#!/bin/sh
+#
+set -e -o pipefail
+. /etc/functions
+. /etc/config
+
+file_selector() {
+ FILE=""
+ FILE_LIST=$1
+ MENU_MSG=${2:-"Choose the file"}
+# create file menu options
+ if [ `cat "$FILE_LIST" | wc -l` -gt 0 ]; then
+ option=""
+ while [ -z "$option" ]
+ do
+ MENU_OPTIONS=""
+ n=0
+ while read option
+ do
+ n=`expr $n + 1`
+ option=$(echo $option | tr " " "_")
+ MENU_OPTIONS="$MENU_OPTIONS $n ${option}"
+ done < $FILE_LIST
+
+ MENU_OPTIONS="$MENU_OPTIONS a Abort"
+ whiptail --clear --title "Select your File" \
+ --menu "${MENU_MSG} [1-$n, a to abort]:" 20 120 8 \
+ -- $MENU_OPTIONS \
+ 2>/tmp/whiptail || die "Aborting"
+
+ option_index=$(cat /tmp/whiptail)
+
+ if [ "$option_index" = "a" ]; then
+ option="a"
+ return
+ fi
+
+ option=`head -n $option_index $FILE_LIST | tail -1`
+ if [ "$option" == "a" ]; then
+ return
+ fi
+ done
+ if [ -n "$option" ]; then
+ FILE=$option
+ fi
+ else
+ whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: No Files Found' \
+ --msgbox "No Files found matching the pattern. Aborting." 16 60
+ exit 1
+ fi
+}
+replace_config() {
+ CONFIG_OPTION=$1
+ NEW_SETTING=$2
+
+ awk "gsub(\"^export ${CONFIG_OPTION}=.*\",\"export ${CONFIG_OPTION}=\\\"${NEW_SETTING}\\\"\")" /etc/config > /tmp/config
+ awk "gsub(\"^${CONFIG_OPTION}=.*\",\"${CONFIG_OPTION}=\\\"${NEW_SETTING}\\\"\")" /etc/config >> /tmp/config
+ grep -v "^export ${CONFIG_OPTION}=" /etc/config | grep -v "^${CONFIG_OPTION}=" >> /tmp/config
+ mv /tmp/config /etc/config
+}
+
+while true; do
+ unset menu_choice
+ whiptail --clear --title "Config Management Menu" \
+ --menu "This menu lets you change existing configuration options for the existing BIOS session.\n\nIf you want those changes to persist after reboot\n\nyou must also save them to the running BIOS." 20 90 10 \
+ 'b' ' Change the /boot device' \
+ 'u' ' Change the USB boot device' \
+ 's' ' Save the current configuration to the running BIOS' \
+ 'x' ' Exit' \
+ 2>/tmp/whiptail || recovery "GUI menu failed"
+
+ menu_choice=$(cat /tmp/whiptail)
+
+ case "$menu_choice" in
+ "x" )
+ exit 0
+ ;;
+ "b" )
+ CURRENT_OPTION=`grep 'CONFIG_BOOT_DEV=' /etc/config | cut -f2 -d '=' | tr -d '"'`
+ find /dev -name 'sd*' -o -name 'nvme*' > /tmp/filelist.txt
+ file_selector "/tmp/filelist.txt" "Choose the default /boot device.\n\nCurrently set to $CURRENT_OPTION."
+ if [ "$FILE" == "" ]; then
+ return
+ else
+ SELECTED_FILE=$FILE
+ fi
+
+ replace_config "CONFIG_BOOT_DEV" "$SELECTED_FILE"
+
+ whiptail --title 'Config change successful' \
+ --msgbox "The /boot device was successfully changed to $SELECTED_FILE" 16 60
+ ;;
+ "u" )
+ CURRENT_OPTION=`grep 'CONFIG_USB_BOOT_DEV=' /etc/config | cut -f2 -d '=' | tr -d '"'`
+ find /dev -name 'sd*' -o -name 'nvme*' > /tmp/filelist.txt
+ file_selector "/tmp/filelist.txt" "Choose the default USB boot device.\n\nCurrently set to $CURRENT_OPTION."
+ if [ "$FILE" == "" ]; then
+ return
+ else
+ SELECTED_FILE=$FILE
+ fi
+
+ replace_config "CONFIG_USB_BOOT_DEV" "$SELECTED_FILE"
+
+ whiptail --title 'Config change successful' \
+ --msgbox "The USB boot device was successfully changed to $SELECTED_FILE" 16 60
+ ;;
+ "s" )
+ /bin/flash.sh -r /tmp/config-gui.rom
+ if [ ! -s /tmp/config-gui.rom ]; then
+ whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: BIOS Read Failed!' \
+ --msgbox "Unable to read BIOS" 16 60
+ exit 1
+ fi
+
+ if (cbfs -o /tmp/config-gui.rom -l | grep -q "heads/initrd/etc/config") then
+ cbfs -o /tmp/config-gui.rom -d "heads/initrd/etc/config"
+ fi
+ cbfs -o /tmp/config-gui.rom -a "heads/initrd/etc/config" -f /etc/config
+
+ if (whiptail --title 'Update ROM?' \
+ --yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 16 90) then
+ /bin/flash.sh /tmp/config-gui.rom
+ whiptail --title 'BIOS Updated Successfully' \
+ --msgbox "BIOS updated successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 16 60
+ umount /media
+ /bin/reboot
+ else
+ exit 0
+ fi
+ ;;
+ esac
+
+done
+exit 0
diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init
index 957ebba4..20f12280 100755
--- a/initrd/bin/gui-init
+++ b/initrd/bin/gui-init
@@ -183,6 +183,7 @@ while true; do
 --menu "Configure Advanced Settings" 20 90 10 \
 'g' ' Generate new TOTP/HOTP secret' \
 's' ' Update checksums and sign all files in /boot' \
+ 'c' ' Change configuration settings -->' \
 'f' ' Flash/Update the BIOS -->' \
 'p' ' Reset the TPM' \
 'n' ' TOTP/HOTP does not match after refresh, troubleshoot' \
@@ -286,6 +287,11 @@ while true; do
 continue
 fi

+ if [ "$totp_confirm" = "c" ]; then
+ config-gui.sh
+ continue
+ fi
+
 if [ "$totp_confirm" = "f" ]; then
 flash-gui.sh
 continue
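Review bot: `replace_config` in the new config-gui.sh splices `$CONFIG_OPTION` and `$NEW_SETTING` directly into the text of two awk programs, so a value containing `"`, `\` or `&` changes the program or the gsub replacement instead of being written literally. The result goes into `/etc/config`, which this script sources and which the `s` branch then writes into the ROM image, so a malformed value would persist across reboots. Pass both strings to awk as data and reject values outside the expected device-path characters before writing. The version below also keeps the original line order and appends the option when it is absent; the current code leaves the file unchanged in that case while the caller still shows "Config change successful". Separately, the `return` in the `b` and `u` branches sits outside any function, so cancelling the selector ends the script (or errors under `set -e`) instead of going back to the menu; `continue` looks like the intent.

```shell
replace_config() {
  CONFIG_OPTION=$1
  NEW_SETTING=$2

  # /etc/config is sourced as shell, so only accept plain device-path characters.
  case "$NEW_SETTING" in
    ""|*[!A-Za-z0-9_./-]*) die "Refusing to write unexpected value for $CONFIG_OPTION" ;;
  esac

  # Hand the strings to awk through the environment so they are never parsed as awk code.
  OPT="$CONFIG_OPTION" VAL="$NEW_SETTING" awk '
    BEGIN { opt = ENVIRON["OPT"]; val = ENVIRON["VAL"] }
    index($0, "export " opt "=") == 1 { print "export " opt "=\"" val "\""; seen = 1; next }
    index($0, opt "=") == 1 { print opt "=\"" val "\""; seen = 1; next }
    { print }
    END { if (!seen) print "export " opt "=\"" val "\"" }
  ' /etc/config > /tmp/config
  mv /tmp/config /etc/config
}
```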
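Review bot: The new `c` branch in gui-init runs `config-gui.sh` and continues without looking at its exit status, although that script ends with `exit 1` when no device is found or the ROM read fails. Whether gui-init runs under `set -e` is not visible in this hunk: if it does, those exits would end the menu loop, and if it does not, the status is silently dropped. Making the intent explicit, for example `config-gui.sh || true  # errors are already shown by the script`, would settle it either way. The surrounding `while` loop starts and ends outside the hunk.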