mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-19 21:17:55 +00:00
oem-factory-reset: Add 'use defaults' prompt to simplify user options
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
This commit is contained in:
Matt DeVillier
Jonathon Hall
parent
3766d32034
commit
3191bfbdaf
@ -392,151 +392,153 @@ fi
|
||||
# We show current integrity measurements status and time
|
||||
report_integrity_measurements
|
||||
|
||||
# Re-ownership of encrypted disk key, content and passphrase
|
||||
echo -e -n "Would you like to change the current LUKS Disk Recovery Key passphrase?\n (Highly recommended if you didn't install the Operating System yourself, so that past provisioned passphrase would not permit to access content.\n Note that without re-encrypting disk, a backuped header could be restored to access encrypted content with old passphrase) [y/N]: "
|
||||
read -n 1 prompt_output
|
||||
echo
|
||||
if [ "$prompt_output" == "y" \
|
||||
-o "$prompt_output" == "Y" ];then
|
||||
luks_new_Disk_Recovery_Key_passphrase_desired=1
|
||||
echo -e "\n"
|
||||
fi
|
||||
echo -e -n "Would you like to use default configuration options?\nIf N, you will be prompted for each option [Y/n]: "
|
||||
read -n 1 use_defaults
|
||||
|
||||
echo -e -n "Would you like to re-encrypt LUKS encrypted container and generate new Disk Recovery key?\n (Highly recommended if you didn't install the operating system yourself: this would prevent any LUKS backuped header to be restored to access encrypted data) [y/N]: "
|
||||
read -n 1 prompt_output
|
||||
echo
|
||||
if [ "$prompt_output" == "y" \
|
||||
-o "$prompt_output" == "Y" ];then
|
||||
test_luks_current_disk_recovery_key_passphrase
|
||||
luks_new_Disk_Recovery_Key_desired=1
|
||||
echo -e "\n"
|
||||
fi
|
||||
if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
|
||||
# Re-ownership of encrypted disk key, content and passphrase
|
||||
echo -e -n "\n\nWould you like to change the current LUKS Disk Recovery Key passphrase?\n (Highly recommended if you didn't install the Operating System yourself, so that past provisioned passphrase would not permit to access content.\n Note that without re-encrypting disk, a backuped header could be restored to access encrypted content with old passphrase) [y/N]: "
|
||||
read -n 1 prompt_output
|
||||
echo
|
||||
if [ "$prompt_output" == "y" \
|
||||
-o "$prompt_output" == "Y" ];then
|
||||
luks_new_Disk_Recovery_Key_passphrase_desired=1
|
||||
echo -e "\n"
|
||||
fi
|
||||
|
||||
# Adapt message to be given to user in terms of security components that will be applied.
|
||||
if [ -n "$luks_new_Disk_Recovery_Key_passphrase_desired" -o -n "$luks_new_Disk_Recovery_Key_passphrase" ]; then
|
||||
CUSTOM_PASS_AFFECTED_COMPONENTS="LUKS Disk Recovery Key passphrase"
|
||||
fi
|
||||
if [ "$CONFIG_TPM" = "y" ]; then
|
||||
CUSTOM_PASS_AFFECTED_COMPONENTS="$CUSTOM_PASS_AFFECTED_COMPONENTS
|
||||
echo -e -n "Would you like to re-encrypt LUKS encrypted container and generate new Disk Recovery key?\n (Highly recommended if you didn't install the operating system yourself: this would prevent any LUKS backuped header to be restored to access encrypted data) [y/N]: "
|
||||
read -n 1 prompt_output
|
||||
echo
|
||||
if [ "$prompt_output" == "y" \
|
||||
-o "$prompt_output" == "Y" ];then
|
||||
test_luks_current_disk_recovery_key_passphrase
|
||||
luks_new_Disk_Recovery_Key_desired=1
|
||||
echo -e "\n"
|
||||
fi
|
||||
|
||||
# Adapt message to be given to user in terms of security components that will be applied.
|
||||
if [ -n "$luks_new_Disk_Recovery_Key_passphrase_desired" -o -n "$luks_new_Disk_Recovery_Key_passphrase" ]; then
|
||||
CUSTOM_PASS_AFFECTED_COMPONENTS="LUKS Disk Recovery Key passphrase"
|
||||
fi
|
||||
if [ "$CONFIG_TPM" = "y" ]; then
|
||||
CUSTOM_PASS_AFFECTED_COMPONENTS="$CUSTOM_PASS_AFFECTED_COMPONENTS
|
||||
TPM Ownership password"
|
||||
fi
|
||||
CUSTOM_PASS_AFFECTED_COMPONENTS="$CUSTOM_PASS_AFFECTED_COMPONENTS
|
||||
fi
|
||||
CUSTOM_PASS_AFFECTED_COMPONENTS="$CUSTOM_PASS_AFFECTED_COMPONENTS
|
||||
GPG Admin PIN
|
||||
GPG User PIN"
|
||||
|
||||
# Inform user of security components affected for the following prompts
|
||||
echo -e "The following security components will be provisioned with defaults or chosen PINs/passwords:
|
||||
$CUSTOM_PASS_AFFECTED_COMPONENTS\n"
|
||||
# Inform user of security components affected for the following prompts
|
||||
echo -e "The following security components will be provisioned with defaults or chosen PINs/passwords:
|
||||
$CUSTOM_PASS_AFFECTED_COMPONENTS\n"
|
||||
|
||||
# Prompt to change default passwords
|
||||
echo -e -n "Would you like to set a single custom password that will be provisioned to previously stated security components? [y/N]: "
|
||||
read -n 1 prompt_output
|
||||
echo
|
||||
if [ "$prompt_output" == "y" \
|
||||
-o "$prompt_output" == "Y" ] \
|
||||
; then
|
||||
echo -e "\nThe chosen custom password must be between 8 and $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n"
|
||||
echo
|
||||
while [[ ${#CUSTOM_SINGLE_PASS} -lt 8 ]] || [[ ${#CUSTOM_SINGLE_PASS} -gt $MAX_HOTP_GPG_PIN_LENGTH ]] ; do
|
||||
echo -e -n "Enter the custom password: "
|
||||
read CUSTOM_SINGLE_PASS
|
||||
done
|
||||
echo
|
||||
TPM_PASS=$CUSTOM_SINGLE_PASS
|
||||
USER_PIN=$CUSTOM_SINGLE_PASS
|
||||
ADMIN_PIN=$CUSTOM_SINGLE_PASS
|
||||
|
||||
# Only set if user said desired. Matches rest of logic
|
||||
if [ -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
|
||||
luks_new_Disk_Recovery_Key_passphrase=$CUSTOM_SINGLE_PASS
|
||||
# Prompt to change default passwords
|
||||
echo -e -n "Would you like to set a single custom password that will be provisioned to previously stated security components? [y/N]: "
|
||||
read -n 1 prompt_output
|
||||
echo
|
||||
if [ "$prompt_output" == "y" \
|
||||
-o "$prompt_output" == "Y" ]; then
|
||||
echo -e "\nThe chosen custom password must be between 8 and $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n"
|
||||
echo
|
||||
while [[ ${#CUSTOM_SINGLE_PASS} -lt 8 ]] || [[ ${#CUSTOM_SINGLE_PASS} -gt $MAX_HOTP_GPG_PIN_LENGTH ]] ; do
|
||||
echo -e -n "Enter the custom password: "
|
||||
read CUSTOM_SINGLE_PASS
|
||||
done
|
||||
echo
|
||||
TPM_PASS=$CUSTOM_SINGLE_PASS
|
||||
USER_PIN=$CUSTOM_SINGLE_PASS
|
||||
ADMIN_PIN=$CUSTOM_SINGLE_PASS
|
||||
|
||||
# Only set if user said desired. Matches rest of logic
|
||||
if [ -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
|
||||
luks_new_Disk_Recovery_Key_passphrase=$CUSTOM_SINGLE_PASS
|
||||
fi
|
||||
else
|
||||
echo -e -n "Would you like to set distinct PINs/passwords to be provisioned to previously stated security components? [y/N]: "
|
||||
read -n 1 prompt_output
|
||||
echo
|
||||
if [ "$prompt_output" == "y" \
|
||||
-o "$prompt_output" == "Y" ]; then
|
||||
echo -e "\nThey must be each at least 8 characters in length.\n"
|
||||
echo
|
||||
if [ "$CONFIG_TPM" = "y" ]; then
|
||||
while [[ ${#TPM_PASS} -lt 8 ]] ; do
|
||||
echo -e -n "Enter desired TPM Ownership password: "
|
||||
read TPM_PASS
|
||||
done
|
||||
fi
|
||||
while [[ ${#ADMIN_PIN} -lt 8 ]] || [[ ${#ADMIN_PIN} -gt $MAX_HOTP_GPG_PIN_LENGTH ]] ; do
|
||||
echo -e -n "\nThis PIN should be between 8 to $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n"
|
||||
echo -e -n "Enter desired GPG Admin PIN: "
|
||||
read ADMIN_PIN
|
||||
done
|
||||
while [[ ${#USER_PIN} -lt 8 ]] || [[ ${#USER_PIN} -gt 64 ]]; do
|
||||
echo -e -n "\nThis PIN should be between 8 to 64 characters in length.\n"
|
||||
echo -e -n "Enter desired GPG User PIN: "
|
||||
read USER_PIN
|
||||
done
|
||||
echo
|
||||
fi
|
||||
fi
|
||||
else
|
||||
echo -e -n "Would you like to set distinct PINs/passwords to be provisioned to previously stated security components? [y/N]: "
|
||||
read -n 1 prompt_output
|
||||
echo
|
||||
if [ "$prompt_output" == "y" \
|
||||
-o "$prompt_output" == "Y" ] \
|
||||
; then
|
||||
echo -e "\nThey must be each at least 8 characters in length.\n"
|
||||
echo
|
||||
if [ "$CONFIG_TPM" = "y" ]; then
|
||||
while [[ ${#TPM_PASS} -lt 8 ]] ; do
|
||||
echo -e -n "Enter desired TPM Ownership password: "
|
||||
read TPM_PASS
|
||||
done
|
||||
fi
|
||||
while [[ ${#ADMIN_PIN} -lt 8 ]] || [[ ${#ADMIN_PIN} -gt $MAX_HOTP_GPG_PIN_LENGTH ]] ; do
|
||||
echo -e -n "\nThis PIN should be between 8 to $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n"
|
||||
echo -e -n "Enter desired GPG Admin PIN: "
|
||||
read ADMIN_PIN
|
||||
done
|
||||
while [[ ${#USER_PIN} -lt 8 ]] || [[ ${#USER_PIN} -gt 64 ]]; do
|
||||
echo -e -n "\nThis PIN should be between 8 to 64 characters in length.\n"
|
||||
echo -e -n "Enter desired GPG User PIN: "
|
||||
read USER_PIN
|
||||
done
|
||||
echo
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -n "$luks_new_Disk_Recovery_Key_passphrase_desired" -a -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then
|
||||
# We catch here if changing LUKS Disk Recovery Key passphrase was desired
|
||||
# but yet undone. This is if not being covered by the single password
|
||||
echo -e "\nEnter desired replacement for current Disk Recovery Key passphrase (At least 8 characters long):"
|
||||
while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do
|
||||
{
|
||||
read -r luks_new_Disk_Recovery_Key_passphrase
|
||||
};done
|
||||
#We test that current Disk Recovery Key passphrase is known prior of going further
|
||||
test_luks_current_disk_recovery_key_passphrase
|
||||
echo -e "\n"
|
||||
fi
|
||||
if [ -n "$luks_new_Disk_Recovery_Key_passphrase_desired" -a -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then
|
||||
# We catch here if changing LUKS Disk Recovery Key passphrase was desired
|
||||
# but yet undone. This is if not being covered by the single password
|
||||
echo -e "\nEnter desired replacement for current Disk Recovery Key passphrase (At least 8 characters long):"
|
||||
while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do
|
||||
{
|
||||
read -r luks_new_Disk_Recovery_Key_passphrase
|
||||
};done
|
||||
#We test that current Disk Recovery Key passphrase is known prior of going further
|
||||
test_luks_current_disk_recovery_key_passphrase
|
||||
echo -e "\n"
|
||||
fi
|
||||
|
||||
# Prompt to change default GnuPG key information
|
||||
echo -e -n "Would you like to set custom user information for the GnuPG key? [y/N]: "
|
||||
read -n 1 prompt_output
|
||||
echo
|
||||
if [ "$prompt_output" == "y" \
|
||||
-o "$prompt_output" == "Y" ]; then
|
||||
echo -e "\n\n"
|
||||
echo -e "We will generate a GnuPG (PGP) keypair identifiable with the following text form:"
|
||||
echo -e "Real Name (Comment) email@address.org"
|
||||
|
||||
echo -e "\nEnter your Real Name (At least 5 characters long):"
|
||||
read -r GPG_USER_NAME
|
||||
while [[ ${#GPG_USER_NAME} -lt 5 ]]; do
|
||||
{
|
||||
echo -e "\nEnter your Real Name (At least 5 characters long):"
|
||||
read -r GPG_USER_NAME
|
||||
};done
|
||||
|
||||
echo -e "\nEnter your email@adress.org:"
|
||||
read -r GPG_USER_MAIL
|
||||
while ! $(expr "$GPG_USER_MAIL" : '.*@' >/dev/null); do
|
||||
{
|
||||
echo -e "\nEnter your email@address.org:"
|
||||
read -r GPG_USER_MAIL
|
||||
};done
|
||||
|
||||
echo -e "\nEnter Comment (Optional, to distinguish this key from others with same previous attributes. Must be smaller then 60 characters):"
|
||||
read -r GPG_USER_COMMENT
|
||||
while [[ ${#GPG_USER_COMMENT} -gt 60 ]]; do
|
||||
{
|
||||
echo -e "\nEnter Comment (Optional, to distinguish this key from others with same previous attributes. Must be smaller then 60 characters):"
|
||||
read -r GPG_USER_COMMENT
|
||||
};done
|
||||
fi
|
||||
fi
|
||||
|
||||
# If nothing is stored in custom variables, we set them to their defaults
|
||||
if [ "$TPM_PASS" == "" ]; then TPM_PASS=$TPM_PASS_DEF; fi
|
||||
if [ "$USER_PIN" == "" ]; then USER_PIN=$USER_PIN_DEF; fi
|
||||
if [ "$ADMIN_PIN" == "" ]; then ADMIN_PIN=$ADMIN_PIN_DEF; fi
|
||||
|
||||
# Prompt to change default GnuPG key information
|
||||
echo -e -n "Would you like to set custom user information for the GnuPG key? [y/N]: "
|
||||
read -n 1 prompt_output
|
||||
echo
|
||||
if [ "$prompt_output" == "y" \
|
||||
-o "$prompt_output" == "Y" ] \
|
||||
; then
|
||||
echo -e "\n\n"
|
||||
echo -e "We will generate a GnuPG (PGP) keypair identifiable with the following text form:"
|
||||
echo -e "Real Name (Comment) email@address.org"
|
||||
|
||||
echo -e "\nEnter your Real Name (At least 5 characters long):"
|
||||
read -r GPG_USER_NAME
|
||||
while [[ ${#GPG_USER_NAME} -lt 5 ]]; do
|
||||
{
|
||||
echo -e "\nEnter your Real Name (At least 5 characters long):"
|
||||
read -r GPG_USER_NAME
|
||||
};done
|
||||
|
||||
echo -e "\nEnter your email@adress.org:"
|
||||
read -r GPG_USER_MAIL
|
||||
while ! $(expr "$GPG_USER_MAIL" : '.*@' >/dev/null); do
|
||||
{
|
||||
echo -e "\nEnter your email@address.org:"
|
||||
read -r GPG_USER_MAIL
|
||||
};done
|
||||
|
||||
echo -e "\nEnter Comment (Optional, to distinguish this key from others with same previous attributes. Must be smaller then 60 characters):"
|
||||
read -r GPG_USER_COMMENT
|
||||
while [[ ${#GPG_USER_COMMENT} -gt 60 ]]; do
|
||||
{
|
||||
echo -e "\nEnter Comment (Optional, to distinguish this key from others with same previous attributes. Must be smaller then 60 characters):"
|
||||
read -r GPG_USER_COMMENT
|
||||
};done
|
||||
fi
|
||||
|
||||
## sanity check the USB, GPG key, and boot device before proceeding further
|
||||
|
||||
# Prompt to insert USB drive if desired
|
||||
echo -e -n "Would you like to export your public key to an USB drive? [y/N]: "
|
||||
echo -e -n "\nWould you like to export your public key to an USB drive? [y/N]: "
|
||||
read -n 1 prompt_output
|
||||
echo
|
||||
if [ "$prompt_output" == "y" \
|
||||
|
||||
Loading…
Reference in New Issue
Block a user