ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2025-02-02 01:08:15 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #1875 from tlaurion/introduce_quiet_mode-diceware_STAGING

Browse Source 
TESTING NEEDED: STAGING PR  (quiet mode + diceware + nk3 fixes)
This commit is contained in:
Thierry Laurion 2025-01-20 14:53:29 -05:00 committed by GitHub
commit 36e30d0174
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
89 changed files with 4840 additions and 2807 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
BOARD_TESTERS.md
View File

@ -44,8 +44,8 @@ Librems:
Clevo:
===
- [ ] Nitropad NS50 (AlderLake) : @daringer
- [ ] Nitropad NV41 (AlderLake) : @tlaurion @daringer
- [ ] Novacustom NV4x (AlderLake) : @tlaurion @daringer
- [ ] Novacustom v560tu (MeteorLake) : @tlaurion @daringer @mkopec
Desktops/Servers
==

7
boards/UNMAINTAINED_kgpe-d16_server-whiptail/UNMAINTAINED_kgpe-d16_server-whiptail.config
View File

@ -51,6 +51,13 @@ export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y
export CONFIG_TPM=y
#BOOT SCRIPT SELECTION
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
#export CONFIG_BOOTSCRIPT=/bin/generic-init
export CONFIG_BOOTSCRIPT=/bin/gui-init
#export CONFIG_BOOTSCRIPT_NETWORK=/bin/network-init-recovery

7
boards/UNMAINTAINED_kgpe-d16_server/UNMAINTAINED_kgpe-d16_server.config
View File

@ -43,6 +43,13 @@ CONFIG_LINUX_E1000E=y
export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
#BOOT SCRIPT SELECTION
export CONFIG_BOOTSCRIPT=/bin/generic-init
#export CONFIG_BOOTSCRIPT_NETWORK=/bin/network-init-recovery

7
boards/UNMAINTAINED_kgpe-d16_workstation-usb_keyboard/UNMAINTAINED_kgpe-d16_workstation-usb_keyboard.config
View File

@ -49,6 +49,13 @@ export CONFIG_USB_KEYBOARD_REQUIRED=y
export CONFIG_TPM=y
#BOOT SCRIPT SELECTION
#export CONFIG_BOOTSCRIPT=/bin/generic-init
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
#export CONFIG_BOOTSCRIPT_NETWORK=/bin/network-init-recovery

7
boards/UNMAINTAINED_kgpe-d16_workstation/UNMAINTAINED_kgpe-d16_workstation.config
View File

@ -50,6 +50,13 @@ export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y
export CONFIG_TPM=y
#BOOT SCRIPT SELECTION
#export CONFIG_BOOTSCRIPT=/bin/generic-init
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
#export CONFIG_BOOTSCRIPT_NETWORK=/bin/network-init-recovery

14
boards/UNTESTED_nitropad-ns50/UNTESTED_nitropad-ns50.config
View File

@ -8,12 +8,6 @@ export CONFIG_LINUX_VERSION=6.1.8
CONFIG_COREBOOT_CONFIG=config/coreboot-nitropad-ns50.config
CONFIG_LINUX_CONFIG=config/linux-novacustom-common.config
#Enable DEBUG output
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000=y
@ -68,6 +62,13 @@ export CONFIG_TPM2_TOOLS=y
export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
#export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n
@ -75,4 +76,3 @@ export CONFIG_BOOT_KERNEL_ADD=""
export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
export CONFIG_BOARD_NAME="Nitropad NS50"
export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
export CONFIG_AUTO_BOOT_TIMEOUT=5

7
boards/UNTESTED_t440p-maximized/UNTESTED_t440p-maximized.config
View File

@ -34,6 +34,13 @@ CONFIG_LINUX_USB=y
CONFIG_MOBILE_TETHERING=y
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/UNTESTED_talos-2/UNTESTED_talos-2.config
View File

@ -41,6 +41,13 @@ export CONFIG_USB_KEYBOARD_REQUIRED=y
export CONFIG_BOOT_EXTRA_TTYS="tty0"
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/talos-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/UNTESTED_w541-maximized/UNTESTED_w541-maximized.config
View File

@ -34,6 +34,13 @@ CONFIG_LINUX_USB=y
CONFIG_MOBILE_TETHERING=y
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/librem_11/librem_11.config
View File

@ -30,6 +30,13 @@ CONFIG_MOBILE_TETHERING=y
export CONFIG_TPM=n
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/librem_13v2/librem_13v2.config
View File

@ -29,6 +29,13 @@ CONFIG_LINUX_USB=y
CONFIG_MOBILE_TETHERING=y
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/librem_13v4/librem_13v4.config
View File

@ -29,6 +29,13 @@ CONFIG_LINUX_USB=y
CONFIG_MOBILE_TETHERING=y
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/librem_14/librem_14.config
View File

@ -28,6 +28,13 @@ CONFIG_MOBILE_TETHERING=y
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/librem_15v3/librem_15v3.config
View File

@ -29,6 +29,13 @@ CONFIG_LINUX_USB=y
CONFIG_MOBILE_TETHERING=y
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/librem_15v4/librem_15v4.config
View File

@ -30,6 +30,13 @@ CONFIG_LINUX_USB=y
CONFIG_MOBILE_TETHERING=y
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/librem_l1um/librem_l1um.config
View File

@ -29,6 +29,13 @@ CONFIG_MOBILE_TETHERING=y
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/librem_l1um_v2/librem_l1um_v2.config
View File

@ -32,6 +32,13 @@ CONFIG_TPM2_TSS=y
CONFIG_OPENSSL=y
CONFIG_PRIMARY_KEY_TYPE=ecc
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/librem_mini/librem_mini.config
View File

@ -30,6 +30,13 @@ CONFIG_MOBILE_TETHERING=y
export CONFIG_TPM=n
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/librem_mini_v2/librem_mini_v2.config
View File

@ -30,6 +30,13 @@ CONFIG_MOBILE_TETHERING=y
export CONFIG_TPM=n
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

15
boards/novacustom-v560tu/novacustom-v560tu.config
View File

@ -3,7 +3,7 @@
# This excludes gbe from internal flashing, otherwise mac address would revert to '88:88:88:88:87:88' see https://github.com/linuxboot/heads/pull/1871#discussion_r1870134788
# Same options should be used when externally flashing the first time, otherwise Intel GBE region (Ethernet config blob) will be overwitten and MAC reverted to '88:88:88:88:87:88'
# Meteor Lake (Intel Gen 14) is not supposed to support s3 but coincidently does. In case s3 is broken, user must configure settings to not suspend or otherwise enable ME/CSME for s01x to work (unsupported by QubesOS when writing those lines) or use Hibernate (Not supported by QubesOS either)
# Meteor Lake (Intel Gen 14) is not supposed to support s3 but coincidently does. In case s3 is broken, user must configure settings to not suspend or otherwise enable ME/CSME for s0ix to work (unsupported by QubesOS when writing those lines) or use Hibernate (Not supported by QubesOS either)
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=dasharo
@ -12,12 +12,6 @@ export CONFIG_LINUX_VERSION=6.1.8
CONFIG_COREBOOT_CONFIG=config/coreboot-novacustom-v560tu.config
CONFIG_LINUX_CONFIG=config/linux-novacustom-common.config
#Enable DEBUG output
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000=y
@ -71,6 +65,13 @@ export CONFIG_TPM2_TOOLS=y
export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
#export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

14
boards/novacustom_nv4x_adl/novacustom_nv4x_adl.config
View File

@ -8,12 +8,6 @@ export CONFIG_LINUX_VERSION=6.1.8
CONFIG_COREBOOT_CONFIG=config/coreboot-novacustom_nv4x_adl.config
CONFIG_LINUX_CONFIG=config/linux-novacustom-common.config
#Enable DEBUG output
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000=y
@ -67,6 +61,13 @@ export CONFIG_TPM2_TOOLS=y
export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
#export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n
@ -74,4 +75,3 @@ export CONFIG_BOOT_KERNEL_ADD=""
export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
export CONFIG_BOARD_NAME="NovaCustom NV4x 12th Gen"
export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
export CONFIG_AUTO_BOOT_TIMEOUT=5

11
boards/optiplex-7010_9010-hotp-maximized/optiplex-7010_9010-hotp-maximized.config
View File

@ -13,10 +13,6 @@ export CONFIG_LINUX_VERSION=6.1.8
CONFIG_COREBOOT_CONFIG=config/coreboot-optiplex-7019_9010-maximized.config
CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
#Enable DEBUG output
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Additional hardware support
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000E=y
@ -74,6 +70,13 @@ export CONFIG_AUTO_BOOT_TIMEOUT=5
#export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

11
boards/optiplex-7010_9010-maximized/optiplex-7010_9010-maximized.config
View File

@ -13,10 +13,6 @@ export CONFIG_LINUX_VERSION=6.1.8
CONFIG_COREBOOT_CONFIG=config/coreboot-optiplex-7019_9010-maximized.config
CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
#Enable DEBUG output
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Additional hardware support
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000E=y
@ -74,6 +70,13 @@ export CONFIG_AUTO_BOOT_TIMEOUT=5
#export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

11
boards/optiplex-7010_9010_TXT-hotp-maximized/optiplex-7010_9010_TXT-hotp-maximized.config
View File

@ -13,10 +13,6 @@ export CONFIG_LINUX_VERSION=6.1.8
CONFIG_COREBOOT_CONFIG=config/coreboot-optiplex-7019_9010_TXT-maximized.config
CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
#Enable DEBUG output
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Additional hardware support
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000E=y
@ -74,6 +70,13 @@ export CONFIG_AUTO_BOOT_TIMEOUT=5
#export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

11
boards/optiplex-7010_9010_TXT-maximized/optiplex-7010_9010_TXT-maximized.config
View File

@ -13,10 +13,6 @@ export CONFIG_LINUX_VERSION=6.1.8
CONFIG_COREBOOT_CONFIG=config/coreboot-optiplex-7019_9010_TXT-maximized.config
CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
#Enable DEBUG output
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Additional hardware support
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000E=y
@ -74,6 +70,13 @@ export CONFIG_AUTO_BOOT_TIMEOUT=5
#export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

97
boards/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet.config Normal file
View File

@ -0,0 +1,97 @@
# Configuration for building a coreboot ROM that works in
# the qemu emulator in console mode thanks to Whiptail
#
# TPM can be used with a qemu software TPM (TIS, 1.2). A Librem Key or
# Nitrokey Pro can also be used by forwarding the USB device from the host to
# the VM.
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=24.02.01
export CONFIG_LINUX_VERSION=6.1.8
CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1-prod.config
CONFIG_LINUX_CONFIG=config/linux-qemu.config
#Enable only one RESTRICTED/BASIC boot modes below to test them manually (we cannot inject config under QEMU (no internal flashing)
#export CONFIG_RESTRICTED_BOOT=y
#export CONFIG_BASIC=y
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000=y
#CONFIG_MOBILE_TETHERING=y
#Runtime on-demand additional hardware support (modules.cpio)
export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y
#Modules packed into tools.cpio
ifeq "$(CONFIG_UROOT)" "y"
CONFIG_BUSYBOX=n
else
#Modules packed into tools.cpio
CONFIG_CRYPTSETUP2=y
CONFIG_FLASHPROG=y
CONFIG_FLASHTOOLS=y
CONFIG_GPG2=y
CONFIG_KEXEC=y
CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#Runtime tools to write to MSR
#CONFIG_MSRTOOLS=y
#Remote attestation support
# TPM2 requirements
#CONFIG_TPM2_TSS=y
#CONFIG_OPENSSL=y
#Remote Attestation common tools
CONFIG_POPT=y
CONFIG_QRENCODE=y
CONFIG_TPMTOTP=y
#HOTP based remote attestation for supported USB Security dongle
#With/Without TPM support
CONFIG_HOTPKEY=y
#Nitrokey Storage admin tool (deprecated)
#CONFIG_NKSTORECLI=n
#GUI Support
#Console based Whiptail support(Console based, no FB):
#CONFIG_SLANG=y
#CONFIG_NEWT=y
#FBWhiptail based (Graphical):
CONFIG_CAIRO=y
CONFIG_FBWHIPTAIL=y
#Additional tools (tools.cpio):
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=y
endif
#Runtime configuration
#Automatically boot if HOTP is valid
export CONFIG_AUTO_BOOT_TIMEOUT=5
#TPM2 requirements
#export CONFIG_TPM2_TOOLS=y
#export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
#text-based original init:
#export CONFIG_BOOTSCRIPT=/bin/generic-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n
export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0"
export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm1-hotp"
#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
BOARD_TARGETS := qemu

14
boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.config
View File

@ -18,12 +18,6 @@ CONFIG_LINUX_CONFIG=config/linux-qemu.config
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000=y
@ -82,6 +76,13 @@ export CONFIG_AUTO_BOOT_TIMEOUT=5
#export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=n
export CONFIG_BOOTSCRIPT=/bin/gui-init
#text-based original init:
#export CONFIG_BOOTSCRIPT=/bin/generic-init
@ -92,6 +93,5 @@ export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm1-hotp"
#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
export CONFIG_AUTO_BOOT_TIMEOUT=5
BOARD_TARGETS := qemu

14
boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config
View File

@ -16,12 +16,6 @@ CONFIG_LINUX_CONFIG=config/linux-qemu.config
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000=y
@ -80,6 +74,13 @@ export CONFIG_AUTO_BOOT_TIMEOUT=5
#export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=n
export CONFIG_BOOTSCRIPT=/bin/gui-init
#text-based original init:
#export CONFIG_BOOTSCRIPT=/bin/generic-init
@ -90,6 +91,5 @@ export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm1"
#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
#export CONFIG_AUTO_BOOT_TIMEOUT=5
BOARD_TARGETS := qemu

14
boards/qemu-coreboot-fbwhiptail-tpm2-hotp-prod/qemu-coreboot-fbwhiptail-tpm2-hotp-prod.config
View File

@ -17,12 +17,6 @@ CONFIG_LINUX_CONFIG=config/linux-qemu.config
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000=y
@ -81,6 +75,13 @@ export CONFIG_TPM2_TOOLS=y
export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
#export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=n
export CONFIG_BOOTSCRIPT=/bin/gui-init
#text-based original init:
#export CONFIG_BOOTSCRIPT=/bin/generic-init
@ -91,6 +92,5 @@ export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm2-hotp"
#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
export CONFIG_AUTO_BOOT_TIMEOUT=5
BOARD_TARGETS := qemu

96
boards/qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet/qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet.config Normal file
View File

@ -0,0 +1,96 @@
# Configuration for building a coreboot ROM that works in
# the qemu emulator in graphical mode thanks to FBWhiptail
# This version requires a supported HOTP Security dongle (Nitrokey Pro/Storage or Librem Key)
#
# TPM can be used with a qemu software TPM (TIS, 2.0).
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=24.02.01
export CONFIG_LINUX_VERSION=6.1.8
CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2-prod.config
CONFIG_LINUX_CONFIG=config/linux-qemu.config
#Enable only one RESTRICTED/BASIC boot modes below to test them manually (we cannot inject config under QEMU (no internal flashing)
#export CONFIG_RESTRICTED_BOOT=y
#export CONFIG_BASIC=y
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000=y
#CONFIG_MOBILE_TETHERING=y
#Runtime on-demand additional hardware support (modules.cpio)
export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y
#Modules packed into tools.cpio
ifeq "$(CONFIG_UROOT)" "y"
CONFIG_BUSYBOX=n
else
#Modules packed into tools.cpio
CONFIG_CRYPTSETUP2=y
CONFIG_FLASHPROG=y
CONFIG_FLASHTOOLS=y
CONFIG_GPG2=y
CONFIG_KEXEC=y
CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#Runtime tools to write to MSR
CONFIG_MSRTOOLS=y
#Remote attestation support
# TPM2 requirements
CONFIG_TPM2_TSS=y
CONFIG_OPENSSL=y
#Remote Attestation common tools
CONFIG_POPT=y
CONFIG_QRENCODE=y
CONFIG_TPMTOTP=y
#HOTP based remote attestation for supported USB Security dongle
#With/Without TPM support
CONFIG_HOTPKEY=y
#Nitrokey Storage admin tool (deprecated)
#CONFIG_NKSTORECLI=n
#GUI Support
#Console based Whiptail support(Console based, no FB):
#CONFIG_SLANG=y
#CONFIG_NEWT=y
#FBWhiptail based (Graphical):
CONFIG_CAIRO=y
CONFIG_FBWHIPTAIL=y
#Additional tools (tools.cpio):
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=y
endif
#Runtime configuration
#Automatically boot if HOTP is valid
export CONFIG_AUTO_BOOT_TIMEOUT=5
#TPM2 requirements
export CONFIG_TPM2_TOOLS=y
export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
#export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
#text-based original init:
#export CONFIG_BOOTSCRIPT=/bin/generic-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n
export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0"
export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm2-hotp"
#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
BOARD_TARGETS := qemu

13
boards/qemu-coreboot-fbwhiptail-tpm2-hotp/qemu-coreboot-fbwhiptail-tpm2-hotp.config
View File

@ -17,11 +17,6 @@ CONFIG_LINUX_CONFIG=config/linux-qemu.config
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
@ -81,6 +76,13 @@ export CONFIG_TPM2_TOOLS=y
export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
#export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=y
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=n
export CONFIG_BOOTSCRIPT=/bin/gui-init
#text-based original init:
#export CONFIG_BOOTSCRIPT=/bin/generic-init
@ -91,6 +93,5 @@ export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm2-hotp"
#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
export CONFIG_AUTO_BOOT_TIMEOUT=5
BOARD_TARGETS := qemu

14
boards/qemu-coreboot-fbwhiptail-tpm2-prod/qemu-coreboot-fbwhiptail-tpm2-prod.config
View File

@ -16,12 +16,6 @@ CONFIG_LINUX_CONFIG=config/linux-qemu.config
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000=y
@ -80,6 +74,13 @@ export CONFIG_TPM2_TOOLS=y
export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
#export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=n
export CONFIG_BOOTSCRIPT=/bin/gui-init
#text-based original init:
#export CONFIG_BOOTSCRIPT=/bin/generic-init
@ -90,6 +91,5 @@ export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm2"
#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
#export CONFIG_AUTO_BOOT_TIMEOUT=5
BOARD_TARGETS := qemu

13
boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.config
View File

@ -16,11 +16,6 @@ CONFIG_LINUX_CONFIG=config/linux-qemu.config
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
@ -80,6 +75,13 @@ export CONFIG_TPM2_TOOLS=y
export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
#export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=y
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=n
export CONFIG_BOOTSCRIPT=/bin/gui-init
#text-based original init:
#export CONFIG_BOOTSCRIPT=/bin/generic-init
@ -90,6 +92,5 @@ export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm2"
#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
#export CONFIG_AUTO_BOOT_TIMEOUT=5
BOARD_TARGETS := qemu

14
boards/qemu-coreboot-whiptail-tpm1-hotp/qemu-coreboot-whiptail-tpm1-hotp.config
View File

@ -18,12 +18,6 @@ CONFIG_LINUX_CONFIG=config/linux-qemu.config
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000=y
@ -82,6 +76,13 @@ export CONFIG_AUTO_BOOT_TIMEOUT=5
#export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=n
export CONFIG_BOOTSCRIPT=/bin/gui-init
#text-based original init:
#export CONFIG_BOOTSCRIPT=/bin/generic-init
@ -92,6 +93,5 @@ export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
export CONFIG_BOARD_NAME="qemu-coreboot-whiptail-tpm1-hotp"
#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
export CONFIG_AUTO_BOOT_TIMEOUT=5
BOARD_TARGETS := qemu

14
boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config
View File

@ -16,12 +16,6 @@ CONFIG_LINUX_CONFIG=config/linux-qemu.config
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000=y
@ -80,6 +74,13 @@ export CONFIG_AUTO_BOOT_TIMEOUT=5
#export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=n
export CONFIG_BOOTSCRIPT=/bin/gui-init
#text-based original init:
#export CONFIG_BOOTSCRIPT=/bin/generic-init
@ -90,6 +91,5 @@ export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
export CONFIG_BOARD_NAME="qemu-coreboot-whiptail-tpm1"
#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
#export CONFIG_AUTO_BOOT_TIMEOUT=5
BOARD_TARGETS := qemu

14
boards/qemu-coreboot-whiptail-tpm2-hotp-prod/qemu-coreboot-whiptail-tpm2-hotp-prod.config
View File

@ -17,12 +17,6 @@ CONFIG_LINUX_CONFIG=config/linux-qemu.config
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000=y
@ -81,6 +75,13 @@ export CONFIG_TPM2_TOOLS=y
export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
#export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=n
export CONFIG_BOOTSCRIPT=/bin/gui-init
#text-based original init:
#export CONFIG_BOOTSCRIPT=/bin/generic-init
@ -91,6 +92,5 @@ export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
export CONFIG_BOARD_NAME="qemu-coreboot-whiptail-tpm2-hotp"
#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
export CONFIG_AUTO_BOOT_TIMEOUT=5
BOARD_TARGETS := qemu

13
boards/qemu-coreboot-whiptail-tpm2-hotp/qemu-coreboot-whiptail-tpm2-hotp.config
View File

@ -17,11 +17,6 @@ CONFIG_LINUX_CONFIG=config/linux-qemu.config
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
@ -81,6 +76,13 @@ export CONFIG_TPM2_TOOLS=y
export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
#export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=y
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=n
export CONFIG_BOOTSCRIPT=/bin/gui-init
#text-based original init:
#export CONFIG_BOOTSCRIPT=/bin/generic-init
@ -91,6 +93,5 @@ export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
export CONFIG_BOARD_NAME="qemu-coreboot-whiptail-tpm2-hotp"
#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
export CONFIG_AUTO_BOOT_TIMEOUT=5
BOARD_TARGETS := qemu

14
boards/qemu-coreboot-whiptail-tpm2-prod/qemu-coreboot-whiptail-tpm2-prod.config
View File

@ -16,12 +16,6 @@ CONFIG_LINUX_CONFIG=config/linux-qemu.config
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000=y
@ -80,6 +74,13 @@ export CONFIG_TPM2_TOOLS=y
export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
#export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=n
export CONFIG_BOOTSCRIPT=/bin/gui-init
#text-based original init:
#export CONFIG_BOOTSCRIPT=/bin/generic-init
@ -90,6 +91,5 @@ export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
export CONFIG_BOARD_NAME="qemu-coreboot-whiptail-tpm2"
#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
#export CONFIG_AUTO_BOOT_TIMEOUT=5
BOARD_TARGETS := qemu

12
boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config
View File

@ -16,11 +16,6 @@ CONFIG_LINUX_CONFIG=config/linux-qemu.config
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
@ -80,6 +75,13 @@ export CONFIG_TPM2_TOOLS=y
export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
#export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=y
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=n
export CONFIG_BOOTSCRIPT=/bin/gui-init
#text-based original init:
#export CONFIG_BOOTSCRIPT=/bin/generic-init

7
boards/t420-hotp-maximized/t420-hotp-maximized.config
View File

@ -60,6 +60,13 @@ CONFIG_FBWHIPTAIL=y
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=n
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/t420-maximized/t420-maximized.config
View File

@ -58,6 +58,13 @@ CONFIG_FBWHIPTAIL=y
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=n
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/t430-hotp-maximized/t430-hotp-maximized.config
View File

@ -58,6 +58,13 @@ CONFIG_FBWHIPTAIL=y
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/t430-maximized/t430-maximized.config
View File

@ -58,6 +58,13 @@ CONFIG_FBWHIPTAIL=y
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/t530-hotp-maximized/t530-hotp-maximized.config
View File

@ -60,6 +60,13 @@ CONFIG_FBWHIPTAIL=y
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/t530-maximized/t530-maximized.config
View File

@ -59,6 +59,13 @@ CONFIG_FBWHIPTAIL=y
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/w530-hotp-maximized/w530-hotp-maximized.config
View File

@ -60,6 +60,13 @@ CONFIG_FBWHIPTAIL=y
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/w530-maximized/w530-maximized.config
View File

@ -59,6 +59,13 @@ CONFIG_FBWHIPTAIL=y
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/x220-hotp-maximized/x220-hotp-maximized.config
View File

@ -60,6 +60,13 @@ CONFIG_FBWHIPTAIL=y
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=n
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/x220-maximized/x220-maximized.config
View File

@ -59,6 +59,13 @@ CONFIG_FBWHIPTAIL=y
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=n
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config
View File

@ -72,6 +72,13 @@ CONFIG_FBWHIPTAIL=y
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

11
boards/x230-hotp-maximized/x230-hotp-maximized.config
View File

@ -13,10 +13,6 @@ export CONFIG_LINUX_VERSION=6.1.8
CONFIG_COREBOOT_CONFIG=config/coreboot-x230-maximized.config
CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
#Enable DEBUG output
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000E=y
@ -74,6 +70,13 @@ export CONFIG_AUTO_BOOT_TIMEOUT=5
#export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

11
boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config
View File

@ -15,10 +15,6 @@ export CONFIG_LINUX_VERSION=6.1.8
CONFIG_COREBOOT_CONFIG=config/coreboot-x230-maximized.config
CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
#Enable DEBUG output
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Additional hardware support
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000E=y
@ -68,6 +64,13 @@ CONFIG_FBWHIPTAIL=y
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config
View File

@ -71,6 +71,13 @@ CONFIG_FBWHIPTAIL=y
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

11
boards/x230-maximized/x230-maximized.config
View File

@ -13,10 +13,6 @@ export CONFIG_LINUX_VERSION=6.1.8
CONFIG_COREBOOT_CONFIG=config/coreboot-x230-maximized.config
CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
#Enable DEBUG output
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Additional hardware support
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000E=y
@ -62,6 +58,13 @@ CONFIG_FBWHIPTAIL=y
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/z220-cmt-maximized/z220-cmt-maximized.config
View File

@ -54,6 +54,13 @@ CONFIG_LINUX_USB=y
CONFIG_MOBILE_TETHERING=y
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

2
initrd/.ash_history → initrd/.bash_history
View File

@ -4,7 +4,7 @@ mount /boot
find /boot/kexec*.txt | gpg --verify /boot/kexec.sig -
#remove invalid kexec_* signed files
mount /dev/sda1 /boot && mount -o remount,rw /boot && rm /boot/kexec* && mount -o remount,ro /boot
#Generate keys from GPG smartcard:
#Generate keys on OpenPGP smartcard:
mount-usb && gpg --home=/.gnupg/ --card-edit
#Copy generated public key, private_subkey, trustdb and artifacts to external media for backup:
mount -o remount,rw /media && mkdir -p /media/gpg_keys; gpg --export-secret-keys --armor email@address.com > /media/gpg_keys/private.key && gpg --export --armor email@address.com > /media/gpg_keys/public.key && gpg --export-ownertrust > /media/gpg_keys/otrust.txt && cp -r ./.gnupg/* /media/gpg_keys/ 2> /dev/null

13
initrd/bin/cbfs-init
View File

@ -2,6 +2,13 @@
set -e -o pipefail
. /etc/functions
# CBFS extraction and measurement
# This extraction and measurement cannot be suppressed by quiet mode, since
# config.user is not yet loaded at this point.
# To suppress this output, set CONFIG_QUIET_MODE=y needs be be set in /etc/config
# which is defined at build time under board configuration file to be part of initrd.cpio
# This script is called from initrd/init so really early in the boot process to put files in place in initramfs
TRACE_FUNC
# Update initrd with CBFS files
@ -17,12 +24,12 @@ for cbfsname in `echo $cbfsfiles`; do
if [ ! -z "$filename" ]; then
mkdir -p `dirname $filename` \
|| die "$filename: mkdir failed"
echo "Extracting CBFS file $cbfsname into $filename"
INFO "Extracting CBFS file $cbfsname into $filename"
cbfs -t 50 $CBFS_ARG -r $cbfsname > "$filename" \
|| die "$filename: cbfs file read failed"
if [ "$CONFIG_TPM" = "y" ]; then
TRACE_FUNC
echo "TPM: Extending PCR[$CONFIG_PCR] with $filename"
INFO "TPM: Extending PCR[$CONFIG_PCR] with filename $filename and then its content"
# Measure both the filename and its content. This
# ensures that renaming files or pivoting file content
# will still affect the resulting PCR measurement.
@ -32,5 +39,3 @@ for cbfsname in `echo $cbfsfiles`; do
fi
fi
done
# TODO: copy CBFS file named "heads/initrd.tgz" to /tmp, measure and extract

157
initrd/bin/config-gui.sh
View File

@ -80,7 +80,7 @@ while true; do
# Debugging option always available
dynamic_config_options+=(
'Z' " $(get_config_display_action "$CONFIG_DEBUG_OUTPUT") $CONFIG_BRAND_NAME debug and function tracing output"
'Z' " Configure $CONFIG_BRAND_NAME informational / debug output"
)
[ "$CONFIG_FINALIZE_PLATFORM_LOCKING" = "y" ] && dynamic_config_options+=(
@ -88,7 +88,7 @@ while true; do
)
dynamic_config_options+=(
's' ' Save the current configuration to the running BIOS' \
's' ' Save the current configuration to the running BIOS'
'x' ' Return to Main Menu'
)
@ -102,31 +102,31 @@ while true; do
fi
case "$menu_choice" in
"t" )
"t")
unset CONFIG_FINALIZE_PLATFORM_LOCKING
replace_config /etc/config.user "CONFIG_FINALIZE_PLATFORM_LOCKING" "n"
combine_configs
. /tmp/config
;;
"x" )
"x")
exit 0
;;
"b" )
"b")
CURRENT_OPTION="$(load_config_value CONFIG_BOOT_DEV)"
if ! fdisk -l | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" > /tmp/disklist.txt ; then
if ! fdisk -l 2>/dev/null | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" >/tmp/disklist.txt; then
whiptail_error --title 'ERROR: No bootable devices found' \
--msgbox " $ERROR\n\n" 0 80
exit 1
fi
# filter out extraneous options
> /tmp/boot_device_list.txt
for i in `cat /tmp/disklist.txt`; do
>/tmp/boot_device_list.txt
for i in $(cat /tmp/disklist.txt); do
# remove block device from list if numeric partitions exist, since not bootable
DEV_NUM_PARTITIONS=$((`ls -1 $i* | wc -l`-1))
DEV_NUM_PARTITIONS=$(($(ls -1 $i* | wc -l) - 1))
if [ ${DEV_NUM_PARTITIONS} -eq 0 ]; then
echo $i >> /tmp/boot_device_list.txt
echo $i >>/tmp/boot_device_list.txt
else
ls $i* | tail -${DEV_NUM_PARTITIONS} >> /tmp/boot_device_list.txt
ls $i* | tail -${DEV_NUM_PARTITIONS} >>/tmp/boot_device_list.txt
fi
done
file_selector "/tmp/boot_device_list.txt" \
@ -139,12 +139,12 @@ while true; do
fi
# unmount /boot if needed
if grep -q /boot /proc/mounts ; then
if grep -q /boot /proc/mounts; then
umount /boot 2>/dev/null
fi
# mount newly selected /boot device
if ! mount -o ro $SELECTED_FILE /boot 2>/tmp/error ; then
ERROR=`cat /tmp/error`
if ! mount -o ro $SELECTED_FILE /boot 2>/tmp/error; then
ERROR=$(cat /tmp/error)
whiptail_error --title 'ERROR: unable to mount /boot' \
--msgbox " $ERROR\n\n" 0 80
exit 1
@ -156,13 +156,13 @@ while true; do
whiptail --title 'Config change successful' \
--msgbox "The /boot device was successfully changed to $SELECTED_FILE" 0 80
;;
"s" )
"s")
read_rom /tmp/config-gui.rom
replace_rom_file /tmp/config-gui.rom "heads/initrd/etc/config.user" /etc/config.user
if (whiptail --title 'Update ROM?' \
--yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 0 80) then
--yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 0 80); then
/bin/flash.sh /tmp/config-gui.rom
whiptail --title 'BIOS Updated Successfully' \
--msgbox "BIOS updated successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 0 80
@ -171,13 +171,13 @@ while true; do
exit 0
fi
;;
"r" )
"r")
# prompt for confirmation
if (whiptail_warning --title 'Reset Configuration?' \
--yesno "This will clear all GPG keys, clear boot signatures and checksums,
\nreset the /boot device, clear/reset the TPM (if present),
\nand reflash your BIOS with the cleaned configuration.
\n\nDo you want to proceed?" 0 80) then
\n\nDo you want to proceed?" 0 80); then
read_rom /tmp/config-gui.rom
# clear local keyring
rm -rf /.gnupg/* || true
@ -189,7 +189,7 @@ while true; do
mount -o remount,ro /boot
# clear GPG keys and user settings
for i in `cbfs.sh -o /tmp/config-gui.rom -l | grep -e "heads/"`; do
for i in $(cbfs.sh -o /tmp/config-gui.rom -l | grep -e "heads/"); do
cbfs.sh -o /tmp/config-gui.rom -d $i
done
# flash cleared ROM
@ -206,18 +206,18 @@ while true; do
exit 0
fi
;;
"R" )
"R")
CURRENT_OPTION="$(load_config_value CONFIG_ROOT_DEV)"
fdisk -l | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" > /tmp/disklist.txt
fdisk -l 2>/dev/null | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" >/tmp/disklist.txt
# filter out extraneous options
> /tmp/root_device_list.txt
for i in `cat /tmp/disklist.txt`; do
>/tmp/root_device_list.txt
for i in $(cat /tmp/disklist.txt); do
# remove block device from list if numeric partitions exist, since not bootable
DEV_NUM_PARTITIONS=$((`ls -1 $i* | wc -l`-1))
DEV_NUM_PARTITIONS=$(($(ls -1 $i* | wc -l) - 1))
if [ ${DEV_NUM_PARTITIONS} -eq 0 ]; then
echo $i >> /tmp/root_device_list.txt
echo $i >>/tmp/root_device_list.txt
else
ls $i* | tail -${DEV_NUM_PARTITIONS} >> /tmp/root_device_list.txt
ls $i* | tail -${DEV_NUM_PARTITIONS} >>/tmp/root_device_list.txt
fi
done
file_selector "/tmp/root_device_list.txt" \
@ -235,7 +235,7 @@ while true; do
whiptail --title 'Config change successful' \
--msgbox "The root device was successfully changed to $SELECTED_FILE" 0 80
;;
"D" )
"D")
CURRENT_OPTION="$(load_config_value CONFIG_ROOT_DIRLIST)"
# Separate from prior prompt history on the terminal with two blanks
@ -252,7 +252,7 @@ while true; do
NEW_CONFIG_ROOT_DIRLIST=$(echo $NEW_CONFIG_ROOT_DIRLIST | sed -e 's/^\///;s/ \// /g')
#check if list empty
if [ -z "$NEW_CONFIG_ROOT_DIRLIST" ] ; then
if [ -z "$NEW_CONFIG_ROOT_DIRLIST" ]; then
whiptail --title 'Config change canceled' \
--msgbox "Root device directory change canceled by user" 0 80
break
@ -264,7 +264,7 @@ while true; do
whiptail --title 'Config change successful' \
--msgbox "The root directories to hash was successfully changed to:\n$NEW_CONFIG_ROOT_DIRLIST" 0 80
;;
"B" )
"B")
if [ "$CONFIG_ROOT_CHECK_AT_BOOT" != "y" ]; then
# Root device and directories must be set to enable this
if [ -z "$CONFIG_ROOT_DEV" ] || [ -z "$CONFIG_ROOT_DIRLIST" ]; then
@ -274,7 +274,7 @@ while true; do
--yesno "This will enable checking root hashes each time you boot.
\nDepending on the directories you are checking, this might add
\na minute or more to the boot time.
\n\nDo you want to proceed?" 0 80) then
\n\nDo you want to proceed?" 0 80); then
set_user_config "CONFIG_ROOT_CHECK_AT_BOOT" "y"
@ -282,7 +282,7 @@ while true; do
if [ ! -f ${ROOT_HASH_FILE} ]; then
if (whiptail --title 'Generate Root Hash File' \
--yesno "\nNo root hash file exists.
\nWould you like to create the initial hash file now?" 0 80) then
\nWould you like to create the initial hash file now?" 0 80); then
root-hashes-gui.sh -n
fi
fi
@ -294,7 +294,7 @@ while true; do
else
if (whiptail --title 'Disable Root Hash Check at Boot?' \
--yesno "This will disable checking root hashes each time you boot.
\n\nDo you want to proceed?" 0 80) then
\n\nDo you want to proceed?" 0 80); then
set_user_config "CONFIG_ROOT_CHECK_AT_BOOT" "n"
@ -303,7 +303,7 @@ while true; do
fi
fi
;;
"P" )
"P")
if [ "$CONFIG_RESTRICTED_BOOT" = "y" ]; then
whiptail_error --title 'Restricted Boot Active' \
--msgbox "Disable Restricted Boot to enable Basic Mode." 0 80
@ -311,7 +311,7 @@ while true; do
if (whiptail --title "Enable $CONFIG_BRAND_NAME Basic Mode?" \
--yesno "This will remove all signature checking on the firmware
\nand boot files, and disable use of the Librem Key.
\n\nDo you want to proceed?" 0 80) then
\n\nDo you want to proceed?" 0 80); then
set_user_config "CONFIG_BASIC" "y"
@ -323,7 +323,7 @@ while true; do
if (whiptail --title "Disable $CONFIG_BRAND_NAME Basic Mode?" \
--yesno "This will enable all signature checking on the firmware
\nand boot files, and enable use of the Librem Key.
\n\nDo you want to proceed?" 0 80) then
\n\nDo you want to proceed?" 0 80); then
set_user_config "CONFIG_BASIC" "n"
@ -332,7 +332,7 @@ while true; do
fi
fi
;;
"L" )
"L")
if [ "$CONFIG_RESTRICTED_BOOT" != "y" ]; then
if (whiptail --title 'Enable Restricted Boot Mode?' \
--yesno "Restricted Boot allows booting:
@ -343,7 +343,7 @@ while true; do
\nRestricted boot can be disabled at any time. This resets TOTP/HOTP so it
\nis evident that Restricted Boot was disabled.
\n
\nDo you want to proceed?" 0 80) then
\nDo you want to proceed?" 0 80); then
set_user_config "CONFIG_RESTRICTED_BOOT" "y"
@ -357,7 +357,7 @@ while true; do
\nupdates.
\nThis will also erase the TOTP/HOTP secret.
\nProceeding will automatically update the boot firmware and reboot!
\n\nDo you want to proceed?" 0 80) then
\n\nDo you want to proceed?" 0 80); then
# Wipe the TPM TOTP/HOTP secret before flashing. Otherwise, enabling
# Restricted Boot again might restore the firmware to an identical
@ -389,11 +389,11 @@ while true; do
fi
fi
;;
"J" )
"J")
if [ "$CONFIG_USE_BLOB_JAIL" != "y" ]; then
if (whiptail --title 'Enable Firmware Blob Jail?' \
--yesno "This will enable loading of firmware from flash on each boot
\n\nDo you want to proceed?" 0 80) then
\n\nDo you want to proceed?" 0 80); then
set_user_config "CONFIG_USE_BLOB_JAIL" "y"
@ -404,7 +404,7 @@ while true; do
else
if (whiptail --title 'Disable Firmware Blob Jail?' \
--yesno "This will disable loading of firmware from flash on each boot.
\n\nDo you want to proceed?" 0 80) then
\n\nDo you want to proceed?" 0 80); then
set_user_config "CONFIG_USE_BLOB_JAIL" "n"
@ -413,7 +413,7 @@ while true; do
fi
fi
;;
"M" )
"M")
if [ -z "$CONFIG_AUTO_BOOT_TIMEOUT" ]; then
current_msg="Automatic boot is currently disabled."
elif [ "$CONFIG_AUTO_BOOT_TIMEOUT" = 1 ]; then
@ -444,13 +444,13 @@ while true; do
--msgbox "$current_msg\nSave the config change and reboot for it to go into effect." 0 80
fi
;;
"A" )
"A")
if [ "$CONFIG_BASIC_NO_AUTOMATIC_DEFAULT" != "y" ]; then
if (whiptail --title 'Disable automatic default boot?' \
--yesno "You will need to select a default boot option.
\nIf the boot options are changed, such as for an OS update,
\nyou will be prompted to select a new default.
\n\nDo you want to proceed?" 0 80) then
\n\nDo you want to proceed?" 0 80); then
set_user_config "CONFIG_BASIC_NO_AUTOMATIC_DEFAULT" "y"
@ -460,7 +460,7 @@ while true; do
else
if (whiptail --title 'Enable automatic default boot?' \
--yesno "The first boot option will be used automatically.
\n\nDo you want to proceed?" 0 80) then
\n\nDo you want to proceed?" 0 80); then
set_user_config "CONFIG_BASIC_NO_AUTOMATIC_DEFAULT" "n"
@ -469,12 +469,12 @@ while true; do
fi
fi
;;
"U" )
"U")
if [ "$CONFIG_BASIC_USB_AUTOBOOT" != "y" ]; then
if (whiptail --title 'Enable USB automatic boot?' \
--yesno "During boot, an attached bootable USB disk will be booted
\nby default instead of the installed operating system.
\n\nDo you want to proceed?" 0 80) then
\n\nDo you want to proceed?" 0 80); then
set_user_config "CONFIG_BASIC_USB_AUTOBOOT" "y"
@ -484,7 +484,7 @@ while true; do
else
if (whiptail --title 'Disable USB automatic boot?' \
--yesno "USB disks will no longer be booted by default.
\n\nDo you want to proceed?" 0 80) then
\n\nDo you want to proceed?" 0 80); then
set_user_config "CONFIG_BASIC_USB_AUTOBOOT" "n"
@ -493,11 +493,11 @@ while true; do
fi
fi
;;
"N" )
"N")
if [ "$CONFIG_AUTOMATIC_POWERON" != "y" ]; then
if (whiptail --title 'Enable automatic power-on?' \
--yesno "The system will boot automatically when power is applied.
\n\nDo you want to proceed?" 0 80) then
\n\nDo you want to proceed?" 0 80); then
set_user_config "CONFIG_AUTOMATIC_POWERON" "y"
@ -507,7 +507,7 @@ while true; do
else
if (whiptail --title 'Disable automatic power-on?' \
--yesno "The system will stay off when power is applied.
\n\nDo you want to proceed?" 0 80) then
\n\nDo you want to proceed?" 0 80); then
set_user_config "CONFIG_AUTOMATIC_POWERON" "n"
@ -521,13 +521,13 @@ while true; do
fi
fi
;;
"K" )
"K")
if [ "$CONFIG_USER_USB_KEYBOARD" != "y" ]; then
if (whiptail --title 'Enable USB Keyboard?' \
--yesno "USB keyboards will be usable in $CONFIG_BRAND_NAME.
\n\nEnabling USB keyboards could allow a compromised USB device to control
\n$CONFIG_BRAND_NAME.
\n\nDo you want to proceed?" 0 80) then
\n\nDo you want to proceed?" 0 80); then
set_user_config "CONFIG_USER_USB_KEYBOARD" "y"
@ -538,7 +538,7 @@ while true; do
else
if (whiptail --title 'Disable USB Keyboard?' \
--yesno "Only the built-in keyboard will be usable in $CONFIG_BRAND_NAME.
\n\nDo you want to proceed?" 0 80) then
\n\nDo you want to proceed?" 0 80); then
set_user_config "CONFIG_USER_USB_KEYBOARD" "n"
@ -547,31 +547,36 @@ while true; do
fi
fi
;;
"Z" )
if [ "$CONFIG_DEBUG_OUTPUT" != "y" ]; then
if (whiptail --title 'Enable Debugging and Tracing output?' \
--yesno "This will enable DEBUG and TRACE output from scripts.
\n\nDo you want to proceed?" 0 80) then
set_user_config "CONFIG_DEBUG_OUTPUT" "y"
set_user_config "CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" "y"
whiptail --title 'Config change successful' \
--msgbox "Debugging and Tracing output enabled;\nsave the config change and reboot for it to go into effect." 0 80
fi
else
if (whiptail --title 'Disable Enable Debugging and Tracing output?' \
--yesno "This will disable DEBUG and TRACE output from scripts.
\n\nDo you want to proceed?" 0 80) then
"Z")
unset output_choice
whiptail_type $BG_COLOR_MAIN_MENU --title "Informational / Debug Output" \
--menu "$CONFIG_BRAND_NAME can display informational or debug output.\n\nChoose the output level:" 0 80 10 \
0 'None - Show no extra output' \
1 "Info - Show information about operations in $CONFIG_BRAND_NAME" \
2 "Debug - Show detailed information suitable for debugging $CONFIG_BRAND_NAME" \
2>/tmp/whiptail || recovery "GUI menu failed"
output_choice=$(cat /tmp/whiptail)
case "$output_choice" in
0)
set_user_config "CONFIG_DEBUG_OUTPUT" "n"
set_user_config "CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" "n"
whiptail --title 'Config change successful' \
--msgbox "Debugging and Tracing output disabled;\nsave the config change and reboot for it to go into effect." 0 80
fi
fi
set_user_config "CONFIG_QUIET_MODE" "y"
;;
1)
set_user_config "CONFIG_DEBUG_OUTPUT" "n"
set_user_config "CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" "n"
set_user_config "CONFIG_QUIET_MODE" "n"
;;
2)
set_user_config "CONFIG_DEBUG_OUTPUT" "y"
set_user_config "CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" "y"
set_user_config "CONFIG_QUIET_MODE" "n"
;;
esac
whiptail --title 'Config change successful' \
--msgbox "Output level changed.\nSave the config change and reboot for it to go into effect." 0 80
;;
esac
done
exit 0

6
initrd/bin/flash.sh
View File

@ -1,14 +1,14 @@
#!/bin/ash
#!/bin/bash
#
# NOTE: This script is used on legacy-flash boards and runs with busybox ash,
# not bash
set -e -o pipefail
. /etc/ash_functions
. /etc/functions
. /tmp/config
echo
TRACE "Under /bin/flash.sh"
TRACE_FUNC
case "$CONFIG_FLASH_OPTIONS" in
"" )

2
initrd/bin/gpg-gui.sh
View File

@ -148,7 +148,7 @@ while true; do
'e' ' Replace GPG key(s) in the current ROM and reflash' \
'l' ' List GPG keys in your keyring' \
'p' ' Export public GPG key to USB drive' \
'g' ' Generate GPG keys manually on a USB security token' \
'g' ' Generate GPG keys manually on a USB security dongle' \
'x' ' Exit' \
2>/tmp/whiptail || recovery "GUI menu failed"

248
initrd/bin/gui-init
View File

@ -16,13 +16,10 @@ export BG_COLOR_MAIN_MENU="normal"
# # see errors again.
skip_to_menu="false"
mount_boot()
{
mount_boot() {
TRACE_FUNC
# Mount local disk if it is not already mounted
while ! grep -q /boot /proc/mounts ; do
while ! grep -q /boot /proc/mounts; do
# try to mount if CONFIG_BOOT_DEV exists
if [ -e "$CONFIG_BOOT_DEV" ]; then
mount -o ro $CONFIG_BOOT_DEV /boot
@ -42,7 +39,7 @@ mount_boot()
option=$(cat /tmp/whiptail)
case "$option" in
b )
b)
config-gui.sh boot_device_select
if [ $? -eq 0 ]; then
# update CONFIG_BOOT_DEV
@ -50,22 +47,21 @@ mount_boot()
BG_COLOR_MAIN_MENU="normal"
fi
;;
u )
u)
exec /bin/usb-init
;;
m )
m)
skip_to_menu="true"
break
;;
* )
*)
recovery "User requested recovery shell"
;;
esac
done
}
verify_global_hashes()
{
verify_global_hashes() {
TRACE_FUNC
# Check the hashes of all the files, ignoring signatures for now
check_config /boot force
@ -74,14 +70,14 @@ verify_global_hashes()
TMP_PACKAGE_TRIGGER_PRE="/tmp/kexec/kexec_package_trigger_pre.txt"
TMP_PACKAGE_TRIGGER_POST="/tmp/kexec/kexec_package_trigger_post.txt"
if verify_checksums /boot ; then
if verify_checksums /boot; then
return 0
elif [[ ! -f "$TMP_HASH_FILE" || ! -f "$TMP_TREE_FILE" ]] ; then
elif [[ ! -f "$TMP_HASH_FILE" || ! -f "$TMP_TREE_FILE" ]]; then
if (whiptail_error --title 'ERROR: Missing File!' \
--yesno "One of the files containing integrity information for /boot is missing!\n\nIf you are setting up heads for the first time or upgrading from an\nolder version, select Yes to create the missing files.\n\nOtherwise this could indicate a compromise and you should select No to\nreturn to the main menu.\n\nWould you like to create the missing files now?" 0 80) then
if update_checksums ; then
--yesno "One of the files containing integrity information for /boot is missing!\n\nIf you are setting up heads for the first time or upgrading from an\nolder version, select Yes to create the missing files.\n\nOtherwise this could indicate a compromise and you should select No to\nreturn to the main menu.\n\nWould you like to create the missing files now?" 0 80); then
if update_checksums; then
BG_COLOR_MAIN_MENU="normal"
return 0;
return 0
else
whiptail_error --title 'ERROR' \
--msgbox "Failed to update checksums / sign default config" 0 80
@ -115,7 +111,7 @@ verify_global_hashes()
whiptail_error --title 'ERROR: Boot Hash Mismatch' \
--msgbox "${CHANGED_FILES_COUNT} files failed the verification process!\\n\nThis could indicate a compromise!\n\nHit OK to review the list of files.\n\nType \"q\" to exit the list and return." 0 80
echo "Type \"q\" to exit the list and return." >> /tmp/hash_output_mismatches
echo "Type \"q\" to exit the list and return." >>/tmp/hash_output_mismatches
less /tmp/hash_output_mismatches
#move outdated hash mismatch list
mv /tmp/hash_output_mismatches /tmp/hash_output_mismatch_old
@ -125,10 +121,10 @@ verify_global_hashes()
fi
fi
if (whiptail_error --title 'ERROR: Boot Hash Mismatch' --yesno "$TEXT" 0 80) then
if update_checksums ; then
if (whiptail_error --title 'ERROR: Boot Hash Mismatch' --yesno "$TEXT" 0 80); then
if update_checksums; then
BG_COLOR_MAIN_MENU="normal"
return 0;
return 0
else
whiptail_error --title 'ERROR' \
--msgbox "Failed to update checksums / sign default config" 0 80
@ -139,20 +135,18 @@ verify_global_hashes()
fi
}
prompt_update_checksums()
{
prompt_update_checksums() {
TRACE_FUNC
if (whiptail_warning --title 'Update Checksums and sign all files in /boot' \
--yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that these files have not been tampered with.\n\nYou will need your GPG key available, and this change will modify your disk.\n\nDo you want to continue?" 0 80) then
if ! update_checksums ; then
--yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that these files have not been tampered with.\n\nYou will need your GPG key available, and this change will modify your disk.\n\nDo you want to continue?" 0 80); then
if ! update_checksums; then
whiptail_error --title 'ERROR' \
--msgbox "Failed to update checksums / sign default config" 0 80
fi
fi
}
generate_totp_hotp()
{
generate_totp_hotp() {
TRACE_FUNC
tpm_owner_password="$1" # May be empty, will prompt if needed and empty
if [ "$CONFIG_TPM" != "y" ] && [ -x /bin/hotp_verification ]; then
@ -162,7 +156,7 @@ generate_totp_hotp()
echo
if [ -x /bin/hotp_verification ]; then
if [ "$CONFIG_TOTP_SKIP_QRCODE" != y ]; then
echo "Once you have scanned the QR code, hit Enter to configure your HOTP USB Security Dongle (e.g. Librem Key or Nitrokey)"
echo "Once you have scanned the QR code, hit Enter to configure your HOTP USB Security dongle (e.g. Librem Key or Nitrokey)"
read
fi
/bin/seal-hotpkey
@ -180,16 +174,15 @@ generate_totp_hotp()
fi
}
update_totp()
{
update_totp() {
TRACE_FUNC
# update the TOTP code
date=`date "+%Y-%m-%d %H:%M:%S %Z"`
date=$(date "+%Y-%m-%d %H:%M:%S %Z")
tries=0
if [ "$CONFIG_TPM" != "y" ]; then
TOTP="NO TPM"
else
TOTP=`unseal-totp`
TOTP=$(unseal-totp)
# On platforms using CONFIG_BOOT_EXTRA_TTYS multiple processes may try to
# access TPM at the same time, failing with EBUSY. The order of execution
# is unpredictable, so the error may appear on main console, secondary one,
@ -199,7 +192,7 @@ update_totp()
while [ $? -ne 0 ] && [ $tries -lt 2 ]; do
sleep 0.5
((tries++))
TOTP=`unseal-totp`
TOTP=$(unseal-totp)
done
if [ $? -ne 0 ]; then
BG_COLOR_MAIN_MENU="error"
@ -228,20 +221,20 @@ update_totp()
option=$(cat /tmp/whiptail)
case "$option" in
g )
g)
if (whiptail_warning --title 'Generate new TOTP/HOTP secret' \
--yesno "This will erase your old secret and replace it with a new one!\n\nDo you want to proceed?" 0 80) then
--yesno "This will erase your old secret and replace it with a new one!\n\nDo you want to proceed?" 0 80); then
generate_totp_hotp && update_totp && BG_COLOR_MAIN_MENU="normal" && reseal_tpm_disk_decryption_key
fi
;;
i )
i)
skip_to_menu="true"
return 1
;;
p )
p)
reset_tpm && update_totp && BG_COLOR_MAIN_MENU="normal" && reseal_tpm_disk_decryption_key
;;
x )
x)
recovery "User requested recovery shell"
;;
esac
@ -249,37 +242,36 @@ update_totp()
fi
}
update_hotp()
{
update_hotp() {
TRACE_FUNC
HOTP="Unverified"
if [ -x /bin/hotp_verification ]; then
if ! hotp_verification info ; then
if ! hotp_verification info; then
if [ "$skip_to_menu" = "true" ]; then
return 1 # Already asked to skip to menu from a prior error
fi
if ! whiptail_warning \
--title "WARNING: Please Insert Your $HOTPKEY_BRANDING" \
--yes-button "Retry" --no-button "Skip" \
--yesno "Your $HOTPKEY_BRANDING was not detected.\n\nPlease insert your $HOTPKEY_BRANDING" 0 80 ; then
--yesno "Your $HOTPKEY_BRANDING was not detected.\n\nPlease insert your $HOTPKEY_BRANDING" 0 80; then
HOTP="Error checking code, Insert $HOTPKEY_BRANDING and retry"
BG_COLOR_MAIN_MENU="warning"
return
fi
fi
HOTP=`unseal-hotp`
HOTP=$(unseal-hotp)
# Don't output HOTP codes to screen, so as to make replay attacks harder
hotp_verification check "$HOTP"
case "$?" in
0 )
0)
HOTP="Success"
BG_COLOR_MAIN_MENU="normal"
;;
4|7 ) # 4: code was incorrect, 7: code was not a valid HOTP code at all
4 | 7) # 4: code was incorrect, 7: code was not a valid HOTP code at all
HOTP="Invalid code"
BG_COLOR_MAIN_MENU="error"
;;
* )
*)
HOTP="Error checking code, Insert $HOTPKEY_BRANDING and retry"
BG_COLOR_MAIN_MENU="warning"
;;
@ -298,41 +290,40 @@ update_hotp()
option=$(cat /tmp/whiptail)
case "$option" in
g )
g)
if (whiptail_warning --title 'Generate new TOTP/HOTP secret' \
--yesno "This will erase your old secret and replace it with a new one!\n\nDo you want to proceed?" 0 80) then
--yesno "This will erase your old secret and replace it with a new one!\n\nDo you want to proceed?" 0 80); then
generate_totp_hotp && BG_COLOR_MAIN_MENU="normal" && reseal_tpm_disk_decryption_key
fi
;;
i )
i)
return 1
;;
x )
x)
recovery "User requested recovery shell"
;;
esac
fi
}
clean_boot_check()
{
clean_boot_check() {
TRACE_FUNC
# assume /boot mounted
if ! grep -q /boot /proc/mounts ; then
if ! grep -q /boot /proc/mounts; then
return
fi
# check for any kexec files in /boot
kexec_files=`find /boot -name kexec*.txt`
kexec_files=$(find /boot -name kexec*.txt)
[ ! -z "$kexec_files" ] && return
#check for GPG key in keyring
GPG_KEY_COUNT=`gpg -k 2>/dev/null | wc -l`
GPG_KEY_COUNT=$(gpg -k 2>/dev/null | wc -l)
[ $GPG_KEY_COUNT -ne 0 ] && return
# check for USB security token
if [ -x /bin/hotp_verification ]; then
if ! gpg --card-status > /dev/null ; then
if ! gpg --card-status >/dev/null; then
return
fi
fi
@ -343,10 +334,9 @@ clean_boot_check()
"Clean Boot Detected - Perform OEM Factory Reset / Re-Ownership?"
}
check_gpg_key()
{
check_gpg_key() {
TRACE_FUNC
GPG_KEY_COUNT=`gpg -k 2>/dev/null | wc -l`
GPG_KEY_COUNT=$(gpg -k 2>/dev/null | wc -l)
if [ $GPG_KEY_COUNT -eq 0 ]; then
BG_COLOR_MAIN_MENU="error"
if [ "$skip_to_menu" = "true" ]; then
@ -362,26 +352,25 @@ check_gpg_key()
option=$(cat /tmp/whiptail)
case "$option" in
g )
g)
gpg-gui.sh && BG_COLOR_MAIN_MENU="normal"
;;
i )
i)
skip_to_menu="true"
return 1
;;
F )
F)
oem-factory-reset
;;
x )
x)
recovery "User requested recovery shell"
;;
esac
fi
}
prompt_auto_default_boot()
{
prompt_auto_default_boot() {
TRACE_FUNC
echo -e "\nHOTP verification success\n\n"
if pause_automatic_boot; then
@ -390,10 +379,9 @@ prompt_auto_default_boot()
fi
}
show_main_menu()
{
show_main_menu() {
TRACE_FUNC
date=`date "+%Y-%m-%d %H:%M:%S %Z"`
date=$(date "+%Y-%m-%d %H:%M:%S %Z")
whiptail_type $BG_COLOR_MAIN_MENU --title "$MAIN_MENU_TITLE" \
--menu "$date\nTOTP: $TOTP | HOTP: $HOTP" 0 80 10 \
'd' ' Default boot' \
@ -405,26 +393,25 @@ show_main_menu()
option=$(cat /tmp/whiptail)
case "$option" in
d )
d)
attempt_default_boot
;;
r )
r)
update_totp && update_hotp
;;
o )
o)
show_options_menu
;;
s )
s)
show_system_info
;;
p )
p)
poweroff
;;
esac
}
show_options_menu()
{
show_options_menu() {
TRACE_FUNC
whiptail_type $BG_COLOR_MAIN_MENU --title "$CONFIG_BRAND_NAME Options" \
--menu "" 0 80 10 \
@ -445,51 +432,49 @@ show_options_menu()
option=$(cat /tmp/whiptail)
case "$option" in
b )
b)
show_boot_options_menu
;;
t )
t)
show_tpm_totp_hotp_options_menu
;;
h )
h)
change-time.sh
;;
u )
u)
prompt_update_checksums
;;
c )
c)
config-gui.sh
;;
f )
f)
flash-gui.sh
;;
g )
g)
gpg-gui.sh
;;
F )
F)
oem-factory-reset
;;
C )
C)
luks_reencrypt
luks_secrets_cleanup
;;
P )
P)
luks_change_passphrase
luks_secrets_cleanup
;;
R )
R)
root-hashes-gui.sh
;;
x )
x)
recovery "User requested recovery shell"
;;
r )
;;
r) ;;
esac
}
show_boot_options_menu()
{
show_boot_options_menu() {
TRACE_FUNC
whiptail_type $BG_COLOR_MAIN_MENU --title "Boot Options" \
--menu "Select A Boot Option" 0 80 10 \
@ -501,23 +486,21 @@ show_boot_options_menu()
option=$(cat /tmp/whiptail)
case "$option" in
m )
m)
# select a kernel from the menu
select_os_boot_option
;;
u )
u)
exec /bin/usb-init
;;
i )
i)
force_unsafe_boot
;;
r )
;;
r) ;;
esac
}
show_tpm_totp_hotp_options_menu()
{
show_tpm_totp_hotp_options_menu() {
TRACE_FUNC
whiptail_type $BG_COLOR_MAIN_MENU --title "TPM/TOTP/HOTP Options" \
--menu "Select An Option" 0 80 10 \
@ -529,35 +512,32 @@ show_tpm_totp_hotp_options_menu()
option=$(cat /tmp/whiptail)
case "$option" in
g )
g)
generate_totp_hotp && reseal_tpm_disk_decryption_key
;;
r )
r)
reset_tpm && reseal_tpm_disk_decryption_key
;;
t )
t)
prompt_totp_mismatch
;;
m )
;;
m) ;;
esac
}
prompt_totp_mismatch()
{
prompt_totp_mismatch() {
TRACE_FUNC
if (whiptail_warning --title "TOTP/HOTP code mismatched" \
--yesno "TOTP/HOTP code mismatches could indicate TPM tampering or clock drift.\n\nThe current UTC time is: $(date "+%Y-%m-%d %H:%M:%S")\nIf this is incorrect, set the correct time and check TOTP/HOTP again.\n\nDo you want to change the time?" 0 80) then
--yesno "TOTP/HOTP code mismatches could indicate TPM tampering or clock drift.\n\nThe current UTC time is: $(date "+%Y-%m-%d %H:%M:%S")\nIf this is incorrect, set the correct time and check TOTP/HOTP again.\n\nDo you want to change the time?" 0 80); then
change-time.sh
fi
}
reset_tpm()
{
reset_tpm() {
TRACE_FUNC
if [ "$CONFIG_TPM" = "y" ]; then
if (whiptail_warning --title 'Reset the TPM' \
--yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 0 80) then
--yesno "This will clear the TPM and replace its Owner password with a new one!\n\nDo you want to proceed?" 0 80); then
if ! prompt_new_owner_password; then
echo "Press Enter to return to the menu..."
@ -571,20 +551,33 @@ reset_tpm()
# now that the TPM is reset, remove invalid TPM counter files
mount_boot
mount -o rw,remount /boot
warn "Removing rollback and primary handle hash under /boot"
#TODO: this is really problematic, we should really remove the primary handle hash
INFO "Removing rollback and primary handle hash under /boot"
rm -f /boot/kexec_rollback.txt
rm -f /boot/kexec_primhdl_hash.txt
# create Heads TPM counter before any others
check_tpm_counter /boot/kexec_rollback.txt "" "$tpm_owner_password" \
|| die "Unable to find/create tpm counter"
check_tpm_counter /boot/kexec_rollback.txt "" "$tpm_owner_password" ||
die "Unable to find/create tpm counter"
counter="$TPM_COUNTER"
increment_tpm_counter $counter \
|| die "Unable to increment tpm counter"
increment_tpm_counter $counter >/dev/null 2>&1 ||
die "Unable to increment tpm counter"
sha256sum /tmp/counter-$counter > /boot/kexec_rollback.txt \
|| die "Unable to create rollback file"
sha256sum /tmp/counter-$counter >/boot/kexec_rollback.txt ||
die "Unable to create rollback file"
# As a countermeasure for existing primary handle hash, we will now force sign /boot without it
if (whiptail --title 'TPM Reset Successfully' \
--yesno "Would you like to update the checksums and sign all of the files in /boot?\n\nYou will need your GPG key to continue and this will modify your disk.\n\nOtherwise the system will reboot immediately." 0 80); then
if ! update_checksums; then
whiptail_error --title 'ERROR' \
--msgbox "Failed to update checksums / sign default config" 0 80
fi
else
die "TPM reset successful, but user chose not to update checksums"
fi
mount -o ro,remount /boot
generate_totp_hotp "$tpm_owner_password"
@ -596,35 +589,32 @@ reset_tpm()
fi
}
select_os_boot_option()
{
select_os_boot_option() {
TRACE_FUNC
mount_boot
if verify_global_hashes ; then
if verify_global_hashes; then
kexec-select-boot -m -b /boot -c "grub.cfg" -g
fi
}
attempt_default_boot()
{
attempt_default_boot() {
TRACE_FUNC
mount_boot
if ! verify_global_hashes; then
return
fi
DEFAULT_FILE=`find /boot/kexec_default.*.txt 2>/dev/null | head -1`
DEFAULT_FILE=$(find /boot/kexec_default.*.txt 2>/dev/null | head -1)
if [ -r "$DEFAULT_FILE" ]; then
kexec-select-boot -b /boot -c "grub.cfg" -g \
|| recovery "Failed default boot"
kexec-select-boot -b /boot -c "grub.cfg" -g ||
recovery "Failed default boot"
elif (whiptail_warning --title 'No Default Boot Option Configured' \
--yesno "There is no default boot option configured yet.\nWould you like to load a menu of boot options?\nOtherwise you will return to the main menu." 0 80) then
--yesno "There is no default boot option configured yet.\nWould you like to load a menu of boot options?\nOtherwise you will return to the main menu." 0 80); then
kexec-select-boot -m -b /boot -c "grub.cfg" -g
fi
}
force_unsafe_boot()
{
force_unsafe_boot() {
TRACE_FUNC
if [ "$CONFIG_RESTRICTED_BOOT" = y ]; then
whiptail_error --title 'ERROR: Restricted Boot Enabled' --msgbox "Restricted Boot is Enabled, forced boot not allowed.\n\nPress OK to return to the Main Menu" 0 80
@ -632,7 +622,7 @@ force_unsafe_boot()
fi
# Run the menu selection in "force" mode, bypassing hash checks
if (whiptail_warning --title 'Unsafe Forced Boot Selected!' \
--yesno "WARNING: You have chosen to skip all tamper checks and boot anyway.\n\nThis is an unsafe option!\n\nDo you want to proceed?" 0 80) then
--yesno "WARNING: You have chosen to skip all tamper checks and boot anyway.\n\nThis is an unsafe option!\n\nDo you want to proceed?" 0 80); then
mount_boot && kexec-select-boot -m -b /boot -c "grub.cfg" -g -f
fi
}
@ -644,14 +634,14 @@ TRACE_FUNC
if [ -r /boot/kexec_hotp_key ]; then
HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)"
else
HOTPKEY_BRANDING="HOTP USB Security Dongle"
HOTPKEY_BRANDING="HOTP USB Security dongle"
fi
if [ -x /bin/hotp_verification ]; then
enable_usb
fi
if detect_boot_device ; then
if detect_boot_device; then
# /boot device with installed OS found
clean_boot_check
else

2
initrd/bin/inject_firmware.sh
View File

@ -96,7 +96,7 @@ chmod a+x "$INITRD_ROOT/init"
# Linux ignores zeros between archive segments, so any extra padding is not
# harmful.
FW_INITRD="/tmp/inject_firmware_initrd.cpio.gz"
dd if="$ORIG_INITRD" of="$FW_INITRD" bs=512 conv=sync status=none
dd if="$ORIG_INITRD" of="$FW_INITRD" bs=512 conv=sync status=none > /dev/null 2>&1
# Pack up the new contents and append to the initrd. Don't spend time
# compressing this.
(cd "$INITRD_ROOT"; find . | cpio -o -H newc) >>"$FW_INITRD"

4
initrd/bin/kexec-insert-key
View File

@ -66,7 +66,7 @@ fi
# Override PCR 4 so that user can't read the key
TRACE_FUNC
echo "TPM: Extending PCR[4] to prevent any future secret unsealing"
INFO "TPM: Extending PCR[4] to prevent any future secret unsealing"
tpmr extend -ix 4 -ic generic ||
die 'Unable to scramble PCR'
@ -92,7 +92,7 @@ echo '+++ Building initrd'
# pad the initramfs (dracut doesn't pad the last gz blob)
# without this the kernel init/initramfs.c fails to read
# the subsequent uncompressed/compressed cpio
dd if="$INITRD" of="$SECRET_CPIO" bs=512 conv=sync ||
dd if="$INITRD" of="$SECRET_CPIO" bs=512 conv=sync > /dev/null 2>&1 ||
die "Failed to copy initrd to /tmp"
if [ "$unseal_failed" = "n" ]; then

7
initrd/bin/kexec-save-default
View File

@ -277,9 +277,14 @@ if [ ! -d $paramsdir ]; then
fi
if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
sha256sum /tmp/secret/primary.handle >"$PRIMHASH_FILE" ||
if [ -f /tmp/secret/primary.handle ]; then
DEBUG "Hashing TPM2 primary key handle..."
sha256sum /tmp/secret/primary.handle > "$PRIMHASH_FILE" ||
die "ERROR: Failed to Hash TPM2 primary key handle!"
DEBUG "TPM2 primary key handle hash saved to $PRIMHASH_FILE"
else
die "ERROR: TPM2 primary key handle file does not exist!"
fi
fi
rm $paramsdir/kexec_default.*.txt 2>/dev/null || true

8
initrd/bin/kexec-seal-key
View File

@ -97,16 +97,16 @@ done
attempts=0
while [ $attempts -lt 3 ]; do
read -s -p "New LUKS TPM Disk Unlock Key passphrase (DUK) for booting: " key_password
read -s -p "New LUKS TPM Disk Unlock Key (DUK) passphrase for booting: " key_password
echo
read -s -p "Repeat LUKS TPM Disk Unlock Key (DUK) passphrase for booting: " key_password2
echo
if [ "$key_password" != "$key_password2" ]; then
attempts=$((attempts + 1))
if [ "$attempts" == "3" ]; then
die "Disk Unlock Key passphrases do not match. Exiting..."
die "Disk Unlock Key (DUK) passphrases do not match. Exiting..."
else
warn "Disk Unlock Key passphrases do not match. Please try again."
warn "Disk Unlock Key (DUK) passphrases do not match. Please try again."
fi
else
break
@ -168,7 +168,7 @@ for dev in $key_devices; do
die "$dev: Unable to find a key slot that can be unlocked with provided passphrase. Exiting..."
fi
# If the key slot is not the expected DUK o FRK key slot, we will ask the user to confirm the wipe
# If the key slot is not the expected DUK or DRK key slot, we will ask the user to confirm the wipe
for keyslot in "${luks_used_keyslots[@]}"; do
if [ "$keyslot" != "$drk_key_slot" ]; then
#set wipe_desired to no by default

27
initrd/bin/kexec-select-boot
View File

@ -60,17 +60,20 @@ paramsdir="${paramsdir%%/}"
PRIMHASH_FILE="$paramsdir/kexec_primhdl_hash.txt"
if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
if [ -r "$PRIMHASH_FILE" ]; then
sha256sum -c "$PRIMHASH_FILE" ||
if [ -s "$PRIMHASH_FILE" ]; then
#PRIMHASH_FILE (normally /boot/kexec_primhdl_hash.txt) exists and is not empty
sha256sum -c "$PRIMHASH_FILE" >/dev/null 2>&1 ||
{
echo "FATAL: Hash of TPM2 primary key handle mismatch!"
warn "If you have not intentionally regenerated TPM2 primary key,"
warn "your system may have been compromised"
DEBUG "Hash of TPM2 primary key handle mismatched for $PRIMHASH_FILE"
DEBUG "Contents of $PRIMHASH_FILE:"
DEBUG "$(cat $PRIMHASH_FILE)"
}
else
warn "Hash of TPM2 primary key handle does not exist"
warn "Please rebuild the TPM2 primary key handle by settings a default OS to boot."
warn "Please rebuild the TPM2 primary key handle hash by setting a default OS to boot."
warn "Select Options-> Boot Options -> Show OS Boot Menu -> <Pick OS> -> Make default"
#TODO: Simplify/Automatize TPM2 firmware upgrade process. Today: upgrade, reboot, reseal(type TPM owner pass), resign, boot
default_failed="y"
@ -79,10 +82,10 @@ if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
fi
verify_global_hashes() {
echo "+++ Checking verified boot hash file "
INFO "+++ Checking verified boot hash file "
# Check the hashes of all the files
if verify_checksums "$bootdir" "$gui_menu"; then
echo "+++ Verified boot hashes "
INFO "+++ Verified boot hashes "
valid_hash='y'
valid_global_hash='y'
else
@ -113,16 +116,18 @@ verify_global_hashes() {
}
verify_rollback_counter() {
TRACE_FUNC
TPM_COUNTER=$(grep counter $TMP_ROLLBACK_FILE | cut -d- -f2)
if [ -z "$TPM_COUNTER" ]; then
die "$TMP_ROLLBACK_FILE: TPM counter not found?"
fi
read_tpm_counter $TPM_COUNTER ||
read_tpm_counter $TPM_COUNTER >/dev/null 2>&1 ||
die "Failed to read TPM counter"
sha256sum -c $TMP_ROLLBACK_FILE ||
die "Invalid TPM counter state"
sha256sum -c $TMP_ROLLBACK_FILE >/dev/null 2>&1 ||
die "Invalid TPM counter state. TPM Reset required"
valid_rollback="y"
}
@ -203,7 +208,7 @@ parse_option() {
}
scan_options() {
echo "+++ Scanning for unsigned boot options"
INFO "+++ Scanning for unsigned boot options"
option_file="/tmp/kexec_options.txt"
scan_boot_options "$bootdir" "$config" "$option_file"
if [ ! -s $option_file ]; then
@ -267,7 +272,7 @@ default_select() {
if [ "$CONFIG_BASIC" != "y" ]; then
# Enforce that default option hashes are valid
echo "+++ Checking verified default boot hash file "
INFO "+++ Checking verified default boot hash file "
# Check the hashes of all the files
if (cd $bootdir && sha256sum -c "$TMP_DEFAULT_HASH_FILE" >/tmp/hash_output); then
echo "+++ Verified default boot hashes "
@ -385,7 +390,7 @@ while true; do
if [ ! -r "$TMP_KEY_DEVICES" ]; then
# Extend PCR4 as soon as possible
TRACE_FUNC
DEBUG "TPM: Extending PCR[4] to prevent further secret unsealing"
INFO "TPM: Extending PCR[4] to prevent further secret unsealing"
tpmr extend -ix 4 -ic generic ||
die "Failed to extend TPM PCR[4]"
fi

41
initrd/bin/kexec-sign-config
View File

@ -11,7 +11,10 @@ update="n"
while getopts "p:c:ur" arg; do
case $arg in
p) paramsdir="$OPTARG" ;;
c) counter="$OPTARG"; rollback="y" ;;
c)
counter="$OPTARG"
rollback="y"
;;
u) update="y" ;;
r) rollback="y" ;;
esac
@ -27,18 +30,21 @@ assert_signable
confirm_gpg_card
# remount /boot as rw
mount -o remount,rw /boot
# update hashes in /boot before signing
if [ "$update" = "y" ]; then
(
cd /boot
find ./ -type f ! -path './kexec*' -print0 | xargs -0 sha256sum > /boot/kexec_hashes.txt
find ./ -type f ! -path './kexec*' -print0 | xargs -0 sha256sum >/boot/kexec_hashes.txt
if [ -e /boot/kexec_default_hashes.txt ]; then
DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ')
echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt
echo $DEFAULT_FILES | xargs sha256sum >/boot/kexec_default_hashes.txt
fi
#also save the file & directory structure to detect added files
print_tree > /boot/kexec_tree.txt
print_tree >/boot/kexec_tree.txt
)
[ $? -eq 0 ] || die "$paramsdir: Failed to update hashes."
@ -52,23 +58,23 @@ if [ "$rollback" = "y" ]; then
if [ -n "$counter" ]; then
# use existing counter
read_tpm_counter $counter \
|| die "$paramsdir: Unable to read tpm counter '$counter'"
read_tpm_counter $counter >/dev/null 2>&1 ||
die "$paramsdir: Unable to read tpm counter '$counter'"
else
# increment counter
check_tpm_counter $rollback_file \
|| die "$paramsdir: Unable to find/create tpm counter"
check_tpm_counter $rollback_file >/dev/null 2>&1 ||
die "$paramsdir: Unable to find/create tpm counter"
counter="$TPM_COUNTER"
increment_tpm_counter $counter \
|| die "$paramsdir: Unable to increment tpm counter"
increment_tpm_counter $counter >/dev/null 2>&1 ||
die "$paramsdir: Unable to increment tpm counter"
fi
sha256sum /tmp/counter-$counter > $rollback_file \
|| die "$paramsdir: Unable to create rollback file"
sha256sum /tmp/counter-$counter >$rollback_file ||
die "$paramsdir: Unable to create rollback file"
fi
param_files=`find $paramsdir/kexec*.txt`
param_files=$(find $paramsdir/kexec*.txt)
if [ -z "$param_files" ]; then
die "$paramsdir: No kexec parameter files to sign"
fi
@ -77,12 +83,19 @@ for tries in 1 2 3; do
if sha256sum $param_files | gpg \
--detach-sign \
-a \
> $paramsdir/kexec.sig \
>$paramsdir/kexec.sig \
; then
# successful - update the validated params
check_config $paramsdir
# remount /boot as ro
mount -o remount,ro /boot
exit 0
fi
done
# remount /boot as ro
mount -o remount,ro /boot
die "$paramsdir: Unable to sign kexec hashes"

7
initrd/bin/lock_chip
View File

@ -1,14 +1,13 @@
#!/bin/sh
#!/bin/bash
# For this to work:
# - io386 module needs to be enabled in board config
# - <Skylake: coreboot config need to enable CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y without enabling CONFIG_INTEL_CHIPSET_LOCKDOWN
# - >=Skylake: same as above and CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM=y, CONFIG_SPI_FLASH_SMM=y and mode (eg: CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y)
# - Heads is actually doing the CONFIG_INTEL_CHIPSET_LOCKDOWN equivalent here.
#include ash shell functions (TRACE requires it)
. /etc/ash_functions
. /etc/functions
TRACE "Under /bin/lock_chip"
TRACE_FUNC
if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING" = "y" ]; then
APM_CNT=0xb2
FIN_CODE=0xcb

196
initrd/bin/oem-factory-reset
View File

@ -23,12 +23,10 @@ CANCEL="--no-button Cancel"
HEIGHT="0"
WIDTH="80"
# Default values
USER_PIN_DEF=123456
ADMIN_PIN_DEF=12345678
TPM_PASS_DEF=12345678
USER_PIN=""
ADMIN_PIN=""
TPM_PASS=""
GPG_GEN_KEY_IN_MEMORY="n"
GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD="n"
@ -44,6 +42,64 @@ GPG_ALGO="RSA"
# Default RSA key length is 3072 bits for OEM key gen. 4096 are way longer to generate in smartcard
RSA_KEY_LENGTH=3072
# If we use complex generated passphrases, we will really try hard to make the
# user record them
MAKE_USER_RECORD_PASSPHRASES=
# Function to handle --mode parameter
handle_mode() {
local mode=$1
case $mode in
oem)
DEBUG "OEM mode selected"
CUSTOM_SINGLE_PASS=$(generate_passphrase --number_words 2 --max_length $MAX_HOTP_GPG_PIN_LENGTH)
USER_PIN=$CUSTOM_SINGLE_PASS
ADMIN_PIN=$CUSTOM_SINGLE_PASS
TPM_PASS=$CUSTOM_SINGLE_PASS
# User doesn't know this password, really badger them to record it
MAKE_USER_RECORD_PASSPHRASES=y
title_text="OEM Factory Reset Mode"
;;
user)
DEBUG "User mode selected"
USER_PIN=$(generate_passphrase --number_words 2 --max_length $MAX_HOTP_GPG_PIN_LENGTH)
ADMIN_PIN=$(generate_passphrase --number_words 2 --max_length $MAX_HOTP_GPG_PIN_LENGTH)
TPM_PASS=$ADMIN_PIN
# User doesn't know this password, really badger them to record it
MAKE_USER_RECORD_PASSPHRASES=y
title_text="User Re-Ownership Mode"
;;
*)
warn "Unknown oem-factory-reset lauched mode, setting PINs to weak defaults"
USER_PIN=$USER_PIN_DEF
ADMIN_PIN=$ADMIN_PIN_DEF
TPM_PASS=$ADMIN_PIN_DEF
;;
esac
}
# Parse command-line arguments
while [[ $# -gt 0 ]]; do
key="$1"
case $key in
--mode)
MODE="$2"
shift # past argument
shift # past value
;;
*)
shift # past unrecognized argument
;;
esac
done
# Handle the --mode parameter if provided
if [[ -n "$MODE" ]]; then
handle_mode "$MODE"
fi
#Override RSA_KEY_LENGTH to 2048 bits for Canokey under qemu testing boards until canokey fixes
if [[ "$CONFIG_BOARD_NAME" == qemu-* ]]; then
DEBUG "Overriding RSA_KEY_LENGTH to 2048 bits for Canokey under qemu testing boards"
@ -93,6 +149,31 @@ mount_boot() {
fi
}
reset_nk3_secret_app() {
TRACE_FUNC
# Reset Nitrokey 3 Secrets app with $ADMIN_PIN (default 12345678, or customised)
if lsusb | grep -q "20a0:42b2"; then
echo
warn "Resetting Nitrokey 3's Secrets App with PIN. Physical presence (touch) will be required"
# TODO: change message when https://github.com/Nitrokey/nitrokey-hotp-verification/issues/41 is fixed
# Reset Nitrokey 3 secret app with PIN
# Do 3 attempts to reset Nitrokey 3 Secrets App if return code is 3 (no touch)
for attempt in 1 2 3; do
if /bin/hotp_verification reset "${ADMIN_PIN}"; then
echo
return 0
else
error_code=$?
if [ $error_code -eq 3 ] && [ $attempt -lt 3 ]; then
whiptail --msgbox "Nitrokey 3 requires physical presence: touch the dongle when requested" $HEIGHT $WIDTH --title "Nk3 cecrets app reset attempt: $attempt/3"
else
whiptail_error_die "Nitrokey 3's secrets app reset failed with error:$error_code. Contact Nitrokey support"
fi
fi
done
fi
}
#Generate a gpg master key: no expiration date, ${RSA_KEY_LENGTH} bits
#This key will be used to sign 3 subkeys: encryption, authentication and signing
#The master key and subkeys will be copied to backup, and the subkeys moved from memory keyring to the smartcard
@ -261,7 +342,7 @@ generate_inmemory_p256_master_and_subkeys() {
keytocard_subkeys_to_smartcard() {
TRACE_FUNC
#make sure usb ready and USB Security Dongle ready to communicate with
#make sure usb ready and USB Security dongle ready to communicate with
enable_usb
enable_usb_storage
gpg --card-status >/dev/null 2>&1 || die "Error getting GPG card status"
@ -423,7 +504,7 @@ select_thumb_drive_for_key_material() {
[ -n "$FILE" ]; then
# Obtain size of thumb drive to be wiped with fdisk
disk_size_bytes="$(blockdev --getsize64 "$FILE")"
if [ "$disk_size_bytes" -lt "$((128*1024*1024))" ]; then
if [ "$disk_size_bytes" -lt "$((128 * 1024 * 1024))" ]; then
warn "Thumb drive size is less than 128MB!"
warn "LUKS container needs to be at least 8MB!"
warn "If the next operation fails, try with a bigger thumb drive"
@ -476,7 +557,7 @@ gpg_key_factory_reset() {
enable_usb
# Factory reset GPG card
echo "GPG factory reset of USB Security Dongle's smartcard..."
echo "GPG factory reset of USB Security dongle's OpenPGP smartcard..."
{
echo admin # admin menu
echo factory-reset # factory reset smartcard
@ -488,6 +569,7 @@ gpg_key_factory_reset() {
ERROR=$(cat /tmp/gpg_card_edit_output)
whiptail_error_die "GPG Key factory reset failed!\n\n$ERROR"
fi
# If Nitrokey Storage is inserted, reset AES keys as well
if lsusb | grep -q "20a0:4109" && [ -x /bin/hotp_verification ]; then
DEBUG "Nitrokey Storage detected, resetting AES keys..."
@ -495,6 +577,7 @@ gpg_key_factory_reset() {
DEBUG "Restarting scdaemon to remove possible exclusive lock of dongle"
killall -9 scdaemon
fi
# Toggle forced sig (good security practice, forcing PIN request for each signature request)
if gpg --card-status | grep "Signature PIN" | grep -q "not forced"; then
DEBUG "GPG toggling forcesig on since off..."
@ -509,6 +592,7 @@ gpg_key_factory_reset() {
whiptail_error_die "GPG Key forcesig toggle on failed!\n\n$ERROR"
fi
fi
# use p256 for key generation if requested
if [ "$GPG_ALGO" = "p256" ]; then
{
@ -527,7 +611,7 @@ gpg_key_factory_reset() {
>/tmp/gpg_card_edit_output 2>&1
if [ $? -ne 0 ]; then
ERROR=$(cat /tmp/gpg_card_edit_output)
whiptail_error_die "Setting key to NIST-P256 in USB Security Dongle failed."
whiptail_error_die "Setting key to NIST-P256 in USB Security dongle failed."
fi
# fallback to RSA key generation by default
elif [ "$GPG_ALGO" = "RSA" ]; then
@ -549,7 +633,7 @@ gpg_key_factory_reset() {
>/tmp/gpg_card_edit_output 2>&1
if [ $? -ne 0 ]; then
ERROR=$(cat /tmp/gpg_card_edit_output)
whiptail_error_die "Setting key attributed to RSA ${RSA_KEY_LENGTH} bits in USB Security Dongle failed."
whiptail_error_die "Setting key attributed to RSA ${RSA_KEY_LENGTH} bits in USB Security dongle failed."
fi
else
#Unknown GPG_ALGO
@ -563,7 +647,7 @@ generate_OEM_gpg_keys() {
TRACE_FUNC
#This function simply generates subkeys in smartcard following smarcard config from gpg_key_factory_reset
echo "Generating GPG keys in USB Security Dongle's smartcard..."
echo "Generating GPG keys in USB Security dongle's OpenPGP smartcard..."
{
echo admin # admin menu
echo generate # generate keys
@ -577,6 +661,11 @@ generate_OEM_gpg_keys() {
echo ${USER_PIN_DEF} # Default user PIN since we just factory reset
} | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \
>/tmp/gpg_card_edit_output 2>&1
#This outputs to console \
# "gpg: checking the trustdb"
# "gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model"
# "gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u"
#TODO: Suppress this output to console (stdout shown in DEBUG mode)?
if [ $? -ne 0 ]; then
ERROR=$(cat /tmp/gpg_card_edit_output)
whiptail_error_die "GPG Key automatic keygen failed!\n\n$ERROR"
@ -587,6 +676,7 @@ generate_OEM_gpg_keys() {
gpg_key_change_pin() {
TRACE_FUNC
DEBUG "Changing GPG key PIN"
# 1 = user PIN, 3 = admin PIN
PIN_TYPE=$1
@ -636,7 +726,7 @@ generate_checksums() {
tpmr counter_create \
-pwdc '' \
-la -3135106223 |
tee /tmp/counter ||
tee /tmp/counter >/dev/null 2>&1 ||
whiptail_error_die "Unable to create TPM counter"
TPM_COUNTER=$(cut -d: -f1 </tmp/counter)
@ -680,9 +770,10 @@ generate_checksums() {
fi
DEBUG "Detach-signing boot files under kexec.sig: ${param_files}"
if sha256sum $param_files 2>/dev/null | DO_WITH_DEBUG --mask-position 4 gpg \
if sha256sum $param_files 2>/dev/null | gpg \
--pinentry-mode loopback \
--passphrase "${USER_PIN}" \
--passphrase-file <(echo -n "$USER_PIN") \
--digest-algo SHA256 \
--detach-sign \
-a \
@ -781,14 +872,14 @@ report_integrity_measurements() {
enable_usb
for attempt in 1 2 3; do
if ! hotp_verification info >/dev/null 2>&1; then
whiptail_warning --title "WARNING: Please insert your HOTP enabled USB Security Dongle (Attempt $attempt/3)" --msgbox "Your HOTP enabled USB Security Dongle was not detected.\n\nPlease remove it and insert it again." 0 80
whiptail_warning --title "WARNING: Please insert your HOTP enabled USB Security dongle (Attempt $attempt/3)" --msgbox "Your HOTP enabled USB Security dongle was not detected.\n\nPlease remove it and insert it again." 0 80
else
break
fi
done
if [ $attempt -eq 3 ]; then
die "No HOTP enabled USB Security Dongle detected. Please disable 'CONFIG_HOTPKEY' in the board config and rebuild."
die "No HOTP enabled USB Security dongle detected. Please disable 'CONFIG_HOTPKEY' in the board config and rebuild."
fi
# Don't output HOTP codes to screen, so as to make replay attacks harder
@ -803,7 +894,7 @@ report_integrity_measurements() {
BG_COLOR_MAIN_MENU="error"
;;
*)
HOTP="Error checking code, Insert USB Security Dongle and retry"
HOTP="Error checking code, Insert USB Security dongle and retry"
BG_COLOR_MAIN_MENU="warning"
;;
esac
@ -830,6 +921,8 @@ report_integrity_measurements() {
usb_security_token_capabilities_check() {
TRACE_FUNC
echo -e "\nChecking for USB Security dongle...\n"
enable_usb
# ... first set board config preference
if [ -n "$CONFIG_GPG_ALGO" ]; then
@ -841,14 +934,14 @@ usb_security_token_capabilities_check() {
GPG_ALGO="p256"
DEBUG "Nitrokey 3 detected: Setting GPG_ALGO to: $GPG_ALGO"
fi
#TODO: put everything related to USB Security dongle here
}
## main script start
# check for args
if [ "$1" != "" ]; then
title_text=$1
else
if [ -z "$title_text" ]; then
title_text="OEM Factory Reset / Re-Ownership"
fi
if [ "$2" != "" ]; then
@ -930,21 +1023,21 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
; then
GPG_GEN_KEY_IN_MEMORY="y"
echo " ++++ Master key and subkeys will be generated in memory, backed up to dedicated LUKS container +++"
echo -e -n "Would you like in-memory generated subkeys to be copied to USB Security Dongle's smartcard?\n (Highly recommended so the smartcard is used on daily basis and backup is kept safe, but not required) [Y/n]: "
echo -e -n "Would you like in-memory generated subkeys to be copied to USB Security dongle's OpenPGP smartcard?\n (Highly recommended so the smartcard is used on daily basis and backup is kept safe, but not required) [Y/n]: "
read -n 1 prompt_output
echo
if [ "$prompt_output" == "n" \
-o "$prompt_output" == "N" ]; then
warn "Subkeys will NOT be copied to USB Security Dongle's smartcard"
warn "Subkeys will NOT be copied to USB Security dongle's OpenPGP smartcard"
warn "Your GPG key material backup thumb drive should be cloned to a second thumb drive for redundancy for production environements"
GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD="n"
else
echo "++++ Subkeys will be copied to USB Security Dongle's smartcard ++++"
echo "++++ Subkeys will be copied to USB Security dongle's OpenPGP smartcard ++++"
warn "Please keep your GPG key material backup thumb drive safe"
GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD="y"
fi
else
echo "GPG key material will be generated on USB Security Dongle's smartcard without backup"
echo "GPG key material will be generated on USB Security dongle's OpenPGP smartcard without backup"
GPG_GEN_KEY_IN_MEMORY="n"
GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD="n"
fi
@ -993,6 +1086,10 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
if [ -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
luks_new_Disk_Recovery_Key_passphrase=${CUSTOM_SINGLE_PASS}
fi
# The user knows this password, we don't need to badger them to
# record it
MAKE_USER_RECORD_PASSPHRASES=
else
echo -e -n "Would you like to set distinct PINs/passwords to configure previously stated security components? [y/N]: "
read -n 1 prompt_output
@ -1023,6 +1120,9 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
done
fi
echo
# The user knows these passwords, we don't need to
# badger them to record them
MAKE_USER_RECORD_PASSPHRASES=
fi
fi
@ -1110,24 +1210,23 @@ if [ "$GPG_GEN_KEY_IN_MEMORY" = "n" ]; then
fi
else
GPG_EXPORT=0
# needed for USB Security Dongle below and is ensured via mount-usb in case of GPG_EXPORT=1
# needed for USB Security dongle below and is ensured via mount-usb in case of GPG_EXPORT=1
enable_usb
fi
fi
# ensure USB Security Dongle connected if GPG_GEN_KEY_IN_MEMORY=n or if GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD=y
# ensure USB Security dongle connected if GPG_GEN_KEY_IN_MEMORY=n or if GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD=y
if [ "$GPG_GEN_KEY_IN_MEMORY" = "n" -o "$GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD" = "y" ]; then
echo -e "\nChecking for USB Security Dongle...\n"
enable_usb
if ! gpg --card-status >/dev/null 2>&1; then
local_whiptail_error "Can't access USB Security Dongle; \nPlease remove and reinsert, then press Enter."
local_whiptail_error "Can't access USB Security dongle; \nPlease remove and reinsert, then press Enter."
if ! gpg --card-status >/dev/null 2>/tmp/error; then
ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "Unable to detect USB Security Dongle:\n\n${ERROR}"
whiptail_error_die "Unable to detect USB Security dongle:\n\n${ERROR}"
fi
fi
#Now that USB Security Dongle is detected, we can check its capabilities and limitations
#Now that USB Security dongle is detected, we can check its capabilities and limitations
usb_security_token_capabilities_check
fi
@ -1198,8 +1297,12 @@ if [ "$GPG_GEN_KEY_IN_MEMORY" = "y" ]; then
keytocard_subkeys_to_smartcard
fi
else
#enable usb storage
enable_usb
#Reset Nitrokey 3 secret app
reset_nk3_secret_app
#Generate GPG key and subkeys on smartcard only
echo -e "\nResetting USB Security Dongle's GPG smartcard...\n(this will take around 3 minutes...)\n"
echo -e "\nResetting USB Security dongle's OpenPGP smartcard with GPG...\n(this may take up to 3 minutes...)\n"
gpg_key_factory_reset
generate_OEM_gpg_keys
fi
@ -1218,7 +1321,7 @@ fi
#Applying custom GPG PINs to the smartcard if they were provided
if [ "$GPG_GEN_KEY_IN_MEMORY" = "n" -o "$GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD" = "y" ]; then
#Only apply smartcard PIN change if smartcard only or if keytocard op is expected next
if [ "${USER_PIN}" != "" -o "${ADMIN_PIN}" != "" ]; then
if [ "${USER_PIN}" != "${USER_PIN_DEF}" -o "${ADMIN_PIN}" != "${ADMIN_PIN_DEF}" ]; then
echo -e "\nChanging default GPG Admin PIN\n"
gpg_key_change_pin "3" "${ADMIN_PIN_DEF}" "${ADMIN_PIN}"
echo -e "\nChanging default GPG User PIN\n"
@ -1264,7 +1367,7 @@ else
#We are not running in QEMU, so flash the key to ROM
## flash generated key to ROM
echo -e "\nReading current firmware...\n(this will take a minute or two)\n"
echo -e "\nReading current firmware...\n(this may take up to two minutes...)\n"
/bin/flash.sh -r /tmp/oem-setup.rom >/dev/null 2>/tmp/error
if [ ! -s /tmp/oem-setup.rom ]; then
ERROR=$(tail -n 1 /tmp/error | fold -s)
@ -1304,12 +1407,12 @@ fi
## sign files in /boot and generate checksums
if [[ "$SKIP_BOOT" == "n" ]]; then
echo -e "\nSigning boot files and generating checksums...\n"
echo -e "\nUpdating checksums and signing all files in /boot...\n"
generate_checksums
fi
# passphrases set to be empty first
passphrases="\n"
passphrases=""
# Prepare whiptail output of configured secrets
if [ -n "$luks_new_Disk_Recovery_Key_passphrase" -o -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
@ -1320,6 +1423,11 @@ if [ "$CONFIG_TPM" = "y" ]; then
passphrases+="TPM Owner Password: ${TPM_PASS}\n"
fi
#if nk3 detected, we add the NK3 Secre App PIN. Detect by product ID
if lsusb | grep -q "20a0:42b2"; then
passphrases+="Nitrokey 3 Secrets app PIN: ${ADMIN_PIN}\n"
fi
#GPG PINs output
passphrases+="GPG Admin PIN: ${ADMIN_PIN}\n"
#USER PIN was configured if GPG_GEN_KEY_IN_MEMORY is not active or if GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD is active
@ -1332,10 +1440,26 @@ if [ "$GPG_GEN_KEY_IN_MEMORY" = "y" ]; then
passphrases+="GPG key material backup passphrase: ${ADMIN_PIN}\n"
fi
## Show to user current configured secrets prior of rebooting
whiptail --msgbox "
$(echo -e "$passphrases" | fold -w $((WIDTH-5)))" \
# Show configured secrets in whiptail and loop until user confirms qr code was scanned
while true; do
whiptail --msgbox "$(echo -e "$passphrases" | fold -w $((WIDTH - 5)))" \
$HEIGHT $WIDTH --title "Configured secrets"
if [ "$MAKE_USER_RECORD_PASSPHRASES" != y ]; then
# Passwords were user-supplied or not complex, we do not need to
# badger the user to record them
break
fi
#Tell user to scan the QR code containing all configured secrets
echo -e "\nScan the QR code below to save the secrets to a secure location"
qrenc "$(echo -e "$passphrases")"
# Prompt user to confirm scanning of qrcode on console prompt not whiptail: y/n
echo -e -n "Please confirm you have scanned the QR code above and/or written down the secrets? [y/N]: "
read -n 1 prompt_output
echo
if [ "$prompt_output" == "y" -o "$prompt_output" == "Y" ]; then
break
fi
done
## all done -- reboot
whiptail --msgbox "

6
initrd/bin/poweroff
View File

@ -1,7 +1,7 @@
#!/bin/ash
. /etc/ash_functions
#!/bin/bash
. /etc/functions
TRACE "Under /bin/poweroff"
TRACE_FUNC
# Shut down TPM
if [ "$CONFIG_TPM" = "y" ]; then

2
initrd/bin/qubes-measure-luks
View File

@ -20,6 +20,6 @@ DEBUG "Removing /tmp/lukshdr-*"
rm /tmp/lukshdr-*
TRACE_FUNC
echo "TPM: Extending PCR[6] with hash of LUKS headers from /tmp/luksDump.txt"
INFO "TPM: Extending PCR[6] with hash of LUKS headers from /tmp/luksDump.txt"
tpmr extend -ix 6 -if /tmp/luksDump.txt ||
die "Unable to extend PCR"

6
initrd/bin/reboot
View File

@ -1,7 +1,7 @@
#!/bin/ash
. /etc/ash_functions
#!/bin/bash
. /etc/functions
TRACE "Under /bin/reboot"
TRACE_FUNC
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
#Generalize user prompt to continue reboot or go to recovery shell

2
initrd/bin/root-hashes-gui.sh
View File

@ -367,7 +367,7 @@ detect_root_device()
fi
# generate list of possible boot devices
fdisk -l | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" > /tmp/disklist
fdisk -l 2>/dev/null | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" > /tmp/disklist
# filter out extraneous options
> /tmp_root_device_list

91
initrd/bin/seal-hotpkey
View File

@ -1,5 +1,5 @@
#!/bin/bash
# Retrieve the sealed TOTP secret and initialize a USB Security Dongle with it
# Retrieve the sealed TOTP secret and initialize a USB Security dongle with it
. /etc/functions
. /etc/gui_functions
@ -8,8 +8,7 @@ HOTP_SECRET="/tmp/secret/hotp.key"
HOTP_COUNTER="/boot/kexec_hotp_counter"
HOTP_KEY="/boot/kexec_hotp_key"
mount_boot()
{
mount_boot() {
TRACE_FUNC
# Mount local disk if it is not already mounted
if ! grep -q /boot /proc/mounts; then
@ -23,8 +22,7 @@ mount_boot()
TRACE_FUNC
fatal_error()
{
fatal_error() {
echo -e "\nERROR: ${1}; press Enter to continue."
read
# get lsusb output for debugging
@ -36,16 +34,16 @@ fatal_error()
if [ -r /boot/kexec_hotp_key ]; then
HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)"
else
HOTPKEY_BRANDING="HOTP USB Security Dongle"
HOTPKEY_BRANDING="HOTP USB Security dongle"
fi
if [ "$CONFIG_TPM" = "y" ]; then
DEBUG "Sealing HOTP secret reuses TOTP sealed secret..."
tpmr unseal 4d47 0,1,2,3,4,7 312 "$HOTP_SECRET" \
|| fatal_error "Unable to unseal HOTP secret"
tpmr unseal 4d47 0,1,2,3,4,7 312 "$HOTP_SECRET" ||
fatal_error "Unable to unseal HOTP secret"
else
# without a TPM, generate a secret based on the SHA-256 of the ROM
secret_from_rom_hash > "$HOTP_SECRET" || die "Reading ROM failed"
secret_from_rom_hash >"$HOTP_SECRET" || die "Reading ROM failed"
fi
# Store counter in file instead of TPM for now, as it conflicts with Heads
@ -67,25 +65,29 @@ mount_boot || exit 1
counter_value=1
enable_usb
# Make sure no conflicting GPG related services are running, gpg-agent will respawn
killall gpg-agent scdaemon >/dev/null 2>&1
# While making sure the key is inserted, capture the status so we can check how
# many PIN attempts remain
if ! hotp_token_info="$(hotp_verification info)" ; then
if ! hotp_token_info="$(hotp_verification info)"; then
echo -e "\nInsert your $HOTPKEY_BRANDING and press Enter to configure it"
read
if ! hotp_token_info="$(hotp_verification info)" ; then
if ! hotp_token_info="$(hotp_verification info)"; then
# don't leak key on failure
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
shred -n 10 -z -u "$HOTP_SECRET" 2>/dev/null
fatal_error "Unable to find $HOTPKEY_BRANDING"
fi
fi
# Set HOTP USB Security Dongle branding based on VID
if lsusb | grep -q "20a0:" ; then
# Set HOTP USB Security dongle branding based on VID
if lsusb | grep -q "20a0:"; then
HOTPKEY_BRANDING="Nitrokey"
elif lsusb | grep -q "316d:" ; then
elif lsusb | grep -q "316d:"; then
HOTPKEY_BRANDING="Librem Key"
else
HOTPKEY_BRANDING="HOTP USB Security Dongle"
HOTPKEY_BRANDING="HOTP USB Security dongle"
fi
# Truncate the secret if it is longer than the maximum HOTP secret
@ -99,18 +101,26 @@ gpg_key_create_time="${gpg_key_create_time:-0}"
DEBUG "Signature key was created at $(date -d "@$gpg_key_create_time")"
now_date="$(date '+%s')"
# Get the number of admin PIN retry attempts remaining
awk_admin_counter_regex='/^\s*Card counters: Admin (\d),.*$/'
awk_get_admin_counter="$awk_admin_counter_regex"' { print gensub('"$awk_admin_counter_regex"', "\\1", "") }'
admin_pin_retries="$(echo "$hotp_token_info" | awk "$awk_get_admin_counter")"
# Get the number of HOTP related PIN retry attempts remaining
# if nk3 detected by lsusb, use different regex to get admin counter
if lsusb | grep -q "20a0:42b2"; then
# Nitrokey 3: Secrets app PIN counter: 8
admin_pin_retries=$(echo "$hotp_token_info" | grep "Secrets app PIN counter:" | cut -d ':' -f 2 | tr -d ' ')
prompt_message="Secrets app"
else
# <nk3
admin_pin_retries=$(echo "$hotp_token_info" | grep "Card counters: Admin" | grep -o 'Admin [0-9]*' | grep -o '[0-9]*')
prompt_message="GPG Admin"
fi
admin_pin_retries="${admin_pin_retries:-0}"
DEBUG "Admin PIN retry counter is $admin_pin_retries"
DEBUG "HOTP related PIN retry counter is $admin_pin_retries"
# Try using factory default admin PIN for 1 month following OEM reset to ease
# initial setup. But don't do it forever to encourage changing the PIN and
# so PIN attempts are not consumed by the default attempt.
admin_pin="12345678"
month_secs="$((30*24*60*60))"
month_secs="$((30 * 24 * 60 * 60))"
admin_pin_status=1
if [ "$((now_date - gpg_key_create_time))" -gt "$month_secs" ]; then
# Remind what the default PIN was in case it still hasn't been changed
@ -121,26 +131,35 @@ if [ "$((now_date - gpg_key_create_time))" -gt "$month_secs" ]; then
elif [ "$admin_pin_retries" -lt 3 ]; then
echo "Not trying default PIN ($admin_pin), only $admin_pin_retries attempt(s) left"
else
hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" >/dev/null 2>&1
echo "Trying $prompt_message PIN ($admin_pin) to seal HOTP secret on $HOTPKEY_BRANDING..."
#if we deal with the nk3, say to the user that touch will be required
if lsusb | grep -q "20a0:42b2"; then
warn "Nitrokey 3 requires physical presence : touch the dongle when prompted"
echo
fi
#TODO: silence the output of hotp_initialize once https://github.com/Nitrokey/nitrokey-hotp-verification/issues/41 is fixed
#hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" >/dev/null 2>&1
hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING"
admin_pin_status="$?"
fi
if [ "$admin_pin_status" -ne 0 ]; then
# prompt user for PIN and retry
echo ""
read -s -p "Enter your $HOTPKEY_BRANDING Admin PIN: " admin_pin
read -s -p "Enter your $HOTPKEY_BRANDING $prompt_message PIN: " admin_pin
echo -e "\n"
hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING"
if [ $? -ne 0 ]; then
echo -e "\n"
read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again: " admin_pin
read -s -p "Error setting HOTP secret, re-enter $prompt_message PIN and try again: " admin_pin
echo -e "\n"
if ! hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" ; then
if ! hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING"; then
# don't leak key on failure
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
shred -n 10 -z -u "$HOTP_SECRET" 2>/dev/null
if [ "$HOTPKEY_BRANDING" == "Nitrokey" ]; then
fatal_error "Setting HOTP secret failed, to reset nitrokey pin use: nitropy nk3 secrets reset or the Nitrokey App 2"
fatal_error "Setting HOTP secret failed, to reset $prompt_message PIN, redo Re-Ownership procedure, use the Nitrokey App 2 or contact Nitrokey support"
else
fatal_error "Setting HOTP secret failed"
fi
@ -148,11 +167,11 @@ if [ "$admin_pin_status" -ne 0 ]; then
fi
else
# remind user to change admin password
echo -e "\nWARNING: default admin PIN detected: please change this as soon as possible."
warn "Default $prompt_message PIN detected. Please change this as soon as possible with Options > OEM Factory Reset / Re-Ownership"
fi
# HOTP key no longer needed
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
shred -n 10 -z -u "$HOTP_SECRET" 2>/dev/null
# Make sure our counter is incremented ahead of the next check
#increment_tpm_counter $counter > /dev/null \
@ -162,13 +181,13 @@ shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
mount -o remount,rw /boot
counter_value=`expr $counter_value + 1`
echo $counter_value > $HOTP_COUNTER \
|| fatal_error "Unable to create hotp counter file"
counter_value=$(expr $counter_value + 1)
echo $counter_value >$HOTP_COUNTER ||
fatal_error "Unable to create hotp counter file"
# Store/overwrite HOTP USB Security Dongle branding found out beforehand
echo $HOTPKEY_BRANDING > $HOTP_KEY \
|| die "Unable to store hotp key file"
# Store/overwrite HOTP USB Security dongle branding found out beforehand
echo $HOTPKEY_BRANDING >$HOTP_KEY ||
die "Unable to store hotp key file"
#sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
#|| die "Unable to create hotp counter file"

5
initrd/bin/seal-totp
View File

@ -55,8 +55,9 @@ tpmr seal "$TOTP_SECRET" "$TPM_NVRAM_SPACE" 0,1,2,3,4,7 "$pcrf" 312 "" "$TPM_PAS
shred -n 10 -z -u "$TOTP_SEALED" 2>/dev/null
url="otpauth://totp/$HOST?secret=$secret"
secret=""
DEBUG "TOTP secret output on screen (both URL and QR code)"
qrenc "$url"
echo "$url"
echo "TOTP secret for manual input (device without camera): $secret"
secret=""

95
initrd/bin/tpmr
View File

@ -17,7 +17,7 @@ PCR_SIZE=
# Export CONFIG_TPM2_CAPTURE_PCAP=y from your board config to capture tpm2 pcaps to
# /tmp/tpm0.pcap; Wireshark can inspect these. (This must be enabled at build
# time so the pcap TCTI driver is included.)
if [ -n "$CONFIG_TPM2_CAPTURE_PCAP" ]; then
if [ "$CONFIG_TPM2_CAPTURE_PCAP" == "y" ]; then
export TPM2TOOLS_TCTI="pcap:device:/dev/tpmrm0"
export TCTI_PCAP_FILE="/tmp/tpm0.pcap"
fi
@ -29,7 +29,6 @@ else
. /etc/config
fi
# Busybox xxd lacks -r, and we get hex dumps from TPM1 commands. This converts
# a hex dump to binary data using sed and printf
hex2bin() {
@ -258,7 +257,7 @@ tpm2_extend() {
esac
done
tpm2 pcrextend "$index:sha256=$hash"
tpm2 pcrread "sha256:$index"
INFO $(tpm2 pcrread "sha256:$index" 2>&1)
TRACE_FUNC
DEBUG "TPM: Extended PCR[$index] with hash $hash"
@ -307,11 +306,18 @@ tpm1_counter_create() {
# other parameters for TPM1 are passed directly, and TPM2 mimics the
# TPM1 interface.
prompt_tpm_owner_password
if ! tpm counter_create -pwdo "$(cat "/tmp/secret/tpm_owner_password")" "$@"; then
TMP_ERR_FILE=$(mktemp)
if ! tpm counter_create -pwdo "$(cat "/tmp/secret/tpm_owner_password")" "$@" 2>"$TMP_ERR_FILE"; then
DEBUG "Failed to create counter from tpm1_counter_create. Wiping /tmp/secret/tpm_owner_password"
shred -n 10 -z -u /tmp/secret/tpm_owner_password
# Log the contents of the temporary error file
while IFS= read -r line; do
DEBUG "tpm1 stderr: $line"
done <"$TMP_ERR_FILE"
rm -f "$TMP_ERR_FILE"
die "Unable to create counter from tpm1_counter_create"
fi
rm -f "$TMP_ERR_FILE"
}
tpm2_counter_create() {
@ -332,9 +338,9 @@ tpm2_counter_create() {
esac
done
prompt_tpm_owner_password
rand_index="1$(dd if=/dev/urandom bs=1 count=3 | xxd -pc3)"
rand_index="1$(dd if=/dev/urandom bs=1 count=3 2>/dev/null | xxd -pc3)"
tpm2 nvdefine -C o -s 8 -a "ownerread|authread|authwrite|nt=1" \
-P "$(tpm2_password_hex "$(cat "/tmp/secret/tpm_owner_password")")" "0x$rand_index" >/dev/console ||
-P "$(tpm2_password_hex "$(cat "/tmp/secret/tpm_owner_password")")" "0x$rand_index" >/dev/null 2>&1 ||
{
DEBUG "Failed to create counter from tpm2_counter_create. Wiping /tmp/secret/tpm_owner_password"
shred -n 10 -z -u /tmp/secret/tpm_owner_password
@ -357,12 +363,12 @@ tpm2_startsession() {
tpm2 flushcontext -Q \
--saved-session ||
die "tpm2_flushcontext: unable to flush saved session"
tpm2 readpublic -Q -c "$PRIMARY_HANDLE" -t "$PRIMARY_HANDLE_FILE"
tpm2 readpublic -Q -c "$PRIMARY_HANDLE" -t "$PRIMARY_HANDLE_FILE" >/dev/null 2>&1
#TODO: do the right thing to not have to suppress "WARN: check public portion the tpmkey manually" see https://github.com/linuxboot/heads/pull/1630#issuecomment-2075120429
tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$ENC_SESSION_FILE" > /dev/null 2>&1
tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$ENC_SESSION_FILE" >/dev/null 2>&1
#TODO: do the right thing to not have to suppress "WARN: check public portion the tpmkey manually" see https://github.com/linuxboot/heads/pull/1630#issuecomment-2075120429
tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$DEC_SESSION_FILE" > /dev/null 2>&1
tpm2 sessionconfig -Q --disable-encrypt "$DEC_SESSION_FILE"
tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$DEC_SESSION_FILE" >/dev/null 2>&1
tpm2 sessionconfig -Q --disable-encrypt "$DEC_SESSION_FILE" >/dev/null 2>&1
}
# Use cleanup_session() with at_exit to release a TPM2 session and delete the
@ -412,7 +418,7 @@ tpm1_destroy() {
index="$1" # Index of the sealed file
size="$2" # Size of zeroes to overwrite for TPM1
dd if=/dev/zero bs="$size" count=1 of=/tmp/wipe-totp-zero
dd if=/dev/zero bs="$size" count=1 of=/tmp/wipe-totp-zero >/dev/null 2>&1
tpm nv_writevalue -in "$index" -if /tmp/wipe-totp-zero ||
die "Unable to wipe sealed secret from TPM NVRAM"
}
@ -512,7 +518,6 @@ tpm1_seal() {
DEBUG "tpm1_seal arguments: file=$file index=$index pcrl=$pcrl pcrf=$pcrf sealed_size=$sealed_size pass=$(mask_param "$pass") tpm_password=$(mask_param "$tpm_password")"
# If a password was given, add it to the policy arguments
if [ "$pass" ]; then
POLICY_ARGS+=(-pwdd "$pass")
@ -605,9 +610,18 @@ tpm2_unseal() {
UNSEAL_PASS_SUFFIX="+$(tpm2_password_hex "$pass")"
fi
tpm2 unseal -Q -c "$handle" -p "session:$POLICY_SESSION$UNSEAL_PASS_SUFFIX" \
-S "$ENC_SESSION_FILE" >"$file"
# tpm2 unseal will write the unsealed data to stdout and any errors to
# stderr; capture stderr to log.
if ! tpm2 unseal -Q -c "$handle" -p "session:$POLICY_SESSION$UNSEAL_PASS_SUFFIX" \
-S "$ENC_SESSION_FILE" >"$file" 2> >(SINK_LOG "tpm2 stderr"); then
INFO "Unable to unseal secret from TPM NVRAM"
# should succeed, exit if it doesn't
exit 1
fi
rm -f "$TMP_ERR_FILE"
}
tpm1_unseal() {
TRACE_FUNC
index="$1"
@ -650,15 +664,15 @@ tpm2_reset() {
# output TPM Owner Password to a file to be reused in this boot session until recovery shell/reboot
DEBUG "Caching TPM Owner Password to $SECRET_DIR/tpm_owner_password"
echo -n "$tpm_owner_password" >"$SECRET_DIR/tpm_owner_password"
tpm2 clear -c platform || warn "Unable to clear TPM on platform hierarchy"
tpm2 changeauth -c owner "$(tpm2_password_hex "$tpm_owner_password")"
tpm2 changeauth -c endorsement "$(tpm2_password_hex "$tpm_owner_password")"
tpm2 createprimary -C owner -g sha256 -G "${CONFIG_PRIMARY_KEY_TYPE:-rsa}" \
-c "$SECRET_DIR/primary.ctx" -P "$(tpm2_password_hex "$tpm_owner_password")"
tpm2 evictcontrol -C owner -c "$SECRET_DIR/primary.ctx" "$PRIMARY_HANDLE" \
-P "$(tpm2_password_hex "$tpm_owner_password")"
shred -u "$SECRET_DIR/primary.ctx"
tpm2_startsession
DO_WITH_DEBUG tpm2 clear -c platform &>/dev/null
DO_WITH_DEBUG tpm2 changeauth -c owner "$(tpm2_password_hex "$tpm_owner_password")" &>/dev/null
DO_WITH_DEBUG tpm2 changeauth -c endorsement "$(tpm2_password_hex "$tpm_owner_password")" &>/dev/null
DO_WITH_DEBUG tpm2 createprimary -C owner -g sha256 -G "${CONFIG_PRIMARY_KEY_TYPE:-rsa}" \
-c "$SECRET_DIR/primary.ctx" -P "$(tpm2_password_hex "$tpm_owner_password")" &>/dev/null
DO_WITH_DEBUG tpm2 evictcontrol -C owner -c "$SECRET_DIR/primary.ctx" "$PRIMARY_HANDLE" \
-P "$(tpm2_password_hex "$tpm_owner_password")" &>/dev/null
shred -u "$SECRET_DIR/primary.ctx" &>/dev/null
DO_WITH_DEBUG tpm2_startsession &>/dev/null
# Set the dictionary attack parameters. TPM2 defaults vary widely, we
# want consistent behavior on any TPM.
@ -681,7 +695,7 @@ tpm2_reset() {
--max-tries=10 \
--recovery-time=3600 \
--lockout-recovery-time=0 \
--auth="session:$ENC_SESSION_FILE"
--auth="session:$ENC_SESSION_FILE" >/dev/null 2>&1 || LOG "Unable to set dictionary lockout parameters"
# Set a random DA lockout password, so the DA lockout can't be cleared
# with a password. Heads doesn't offer dictionary attach reset, instead
@ -690,7 +704,7 @@ tpm2_reset() {
# The default lockout password is empty, so we must set this, and we
# don't need to provide any auth (use the default empty password).
tpm2 changeauth -Q -c lockout \
"hex:$(dd if=/dev/urandom bs=32 count=1 status=none | xxd -p | tr -d ' \n')"
"hex:$(dd if=/dev/urandom bs=32 count=1 status=none 2>/dev/null | xxd -p | tr -d ' \n')" >/dev/null 2>&1 || LOG "Unable to set lockout password"
}
tpm1_reset() {
TRACE_FUNC
@ -700,17 +714,17 @@ tpm1_reset() {
DEBUG "Caching TPM Owner Password to $SECRET_DIR/tpm_owner_password"
echo -n "$tpm_owner_password" >"$SECRET_DIR/tpm_owner_password"
# Make sure the TPM is ready to be reset
tpm physicalpresence -s
tpm physicalenable
tpm physicalsetdeactivated -c
tpm forceclear
tpm physicalenable
tpm takeown -pwdo "$tpm_owner_password"
DO_WITH_DEBUG tpm physicalpresence -s &>/dev/null
DO_WITH_DEBUG tpm physicalenable &>/dev/null
DO_WITH_DEBUG tpm physicalsetdeactivated -c &>/dev/null
DO_WITH_DEBUG tpm forceclear &>/dev/null
DO_WITH_DEBUG tpm physicalenable &>/dev/null
DO_WITH_DEBUG tpm takeown -pwdo "$tpm_owner_password" &>/dev/null
# And now turn it all back on
tpm physicalpresence -s
tpm physicalenable
tpm physicalsetdeactivated -c
DO_WITH_DEBUG tpm physicalpresence -s &>/dev/null
DO_WITH_DEBUG tpm physicalenable &>/dev/null
DO_WITH_DEBUG tpm physicalsetdeactivated -c &>/dev/null
}
# Perform final cleanup before boot and lock the platform heirarchy.
@ -729,7 +743,7 @@ tpm2_kexec_finalize() {
# being cleared in the OS.
# This passphrase is only effective before the next boot.
echo "Locking TPM2 platform hierarchy..."
randpass=$(dd if=/dev/urandom bs=4 count=1 status=none | xxd -p)
randpass=$(dd if=/dev/urandom bs=4 count=1 status=none 2>/dev/null | xxd -p)
tpm2 changeauth -c platform "$randpass" ||
warn "Failed to lock platform hierarchy of TPM2"
}
@ -775,7 +789,7 @@ if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
tpm1_destroy "$@"
;;
extend)
#check if we extend with a hash or a file
# Check if we extend with a hash or a file
if [ "$4" = "-if" ]; then
DEBUG "TPM: Will extend PCR[$3] hash content of file $5"
hash="$(sha1sum "$5" | cut -d' ' -f1)"
@ -786,8 +800,11 @@ if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
fi
TRACE_FUNC
DEBUG "TPM: Extending PCR[$3] with hash $hash"
DO_WITH_DEBUG exec tpm "$@"
INFO "TPM: Extending PCR[$3] with hash $hash"
# Silence stdout/stderr, they're only useful for debugging
# and DO_WITH_DEBUG captures them
DO_WITH_DEBUG exec tpm "$@" &>/dev/null
;;
seal)
shift
@ -828,7 +845,7 @@ calcfuturepcr)
;;
extend)
TRACE_FUNC
DEBUG "TPM: Extending PCR[$2] with $4"
INFO "TPM: Extending PCR[$2] with $4"
tpm2_extend "$@"
;;
counter_read)

2
initrd/bin/unpack_initramfs.sh
View File

@ -61,7 +61,7 @@ unpack_first_segment() {
mkdir -p "$dest_dir"
# peek the beginning of the file to determine what type of content is next
magic="$(dd if="$unpack_archive" bs=6 count=1 status=none | xxd -p)"
magic="$(dd if="$unpack_archive" bs=6 count=1 status=none 2>/dev/null | xxd -p)"
# read this segment of the archive, then write the rest to the next file
(

2
initrd/bin/unseal-totp
View File

@ -9,7 +9,7 @@ TRACE_FUNC
if [ "$CONFIG_TPM" = "y" ]; then
tpmr unseal 4d47 0,1,2,3,4,7 312 "$TOTP_SECRET" ||
die "Unable to unseal TOTP secret"
die "Unable to unseal TOTP secret from TPM"
fi
if ! totp -q <"$TOTP_SECRET"; then

27
initrd/bin/xx30-flash.init
View File

@ -1,27 +0,0 @@
#!/bin/ash
# Initialize the USB and network device drivers,
# invoke a recovery shell and prompt the user for how to proceed
. /etc/ash_functions
. /tmp/config
TRACE "Under /bin/xx30-flash.init"
busybox insmod /lib/modules/ehci-hcd.ko
busybox insmod /lib/modules/ehci-pci.ko
busybox insmod /lib/modules/xhci-hcd.ko
busybox insmod /lib/modules/xhci-pci.ko
busybox insmod /lib/modules/e1000e.ko
busybox insmod /lib/modules/usb-storage.ko
sleep 2
echo '***** Starting recovery shell'
echo ''
echo 'To install from flash drive:'
echo ''
echo ' mount -o ro /dev/sdb1 /media'
echo ' flash.sh /media/xx30-legacy.rom'
echo ''
exec /bin/sh

356
initrd/etc/ash_functions
View File

@ -1,356 +0,0 @@
#!/bin/sh
#
# Core shell functions that do not require bash. These functions are used with
# busybox ash on legacy-flash boards, and with bash on all other boards.
die() {
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ];then
echo -e " !!! ERROR: $* !!!" | tee -a /tmp/debug.log /dev/kmsg > /dev/null;
else
echo -e >&2 "!!! ERROR: $* !!!";
fi
sleep 2;
exit 1;
}
warn() {
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ];then
echo -e " *** WARNING: $* ***" | tee -a /tmp/debug.log /dev/kmsg > /dev/null;
else
echo -e >&2 " *** WARNING: $* ***";
fi
sleep 1;
}
DEBUG() {
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
# fold -s -w 960 will wrap lines at 960 characters on the last space before the limit
echo "DEBUG: $*" | fold -s -w 960 | while read line; do
echo "$line" | tee -a /tmp/debug.log /dev/kmsg >/dev/null
done
fi
}
TRACE() {
if [ "$CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" = "y" ];then
echo "TRACE: $*" | tee -a /tmp/debug.log /dev/kmsg > /dev/null;
fi
}
# Write directly to the debug log (but not kmsg), never appears on console
LOG() {
echo "LOG: $*" >>/tmp/debug.log
}
fw_version() {
local FW_VER=$(dmesg | grep 'DMI' | grep -o 'BIOS.*' | cut -f2- -d ' ')
# chop off date, since will always be epoch w/timeless builds
echo "${FW_VER::-10}"
}
preserve_rom() {
TRACE "Under /etc/ash_functions:preserve_rom"
new_rom="$1"
old_files=`cbfs -t 50 -l 2>/dev/null | grep "^heads/"`
for old_file in `echo $old_files`; do
new_file=`cbfs.sh -o $1 -l | grep -x $old_file`
if [ -z "$new_file" ]; then
echo "+++ Adding $old_file to $1"
cbfs -t 50 -r $old_file >/tmp/rom.$$ \
|| die "Failed to read cbfs file from ROM"
cbfs.sh -o $1 -a $old_file -f /tmp/rom.$$ \
|| die "Failed to write cbfs file to new ROM file"
fi
done
}
confirm_gpg_card() {
TRACE "Under /etc/ash_functions:confirm_gpg_card"
#Skip prompts if we are currently using a known GPG key material Thumb drive backup and keys are unlocked pinentry
#TODO: probably export CONFIG_GPG_KEY_BACKUP_IN_USE but not under /etc/user.config?
#Toggle to come in next PR, but currently we don't have a way to toggle it back to n if config.user flashed back in rom
if [[ "$CONFIG_HAVE_GPG_KEY_BACKUP" == "y" && "$CONFIG_GPG_KEY_BACKUP_IN_USE" == "y" ]]; then
DEBUG "Using known GPG key material Thumb drive backup and keys are unlocked and useable through pinentry"
return
fi
if [ "$CONFIG_HAVE_GPG_KEY_BACKUP" == "y" ]; then
message="Please confirm that your GPG card is inserted(Y/n) or your GPG key material (b)backup thumbdrive is inserted [Y/n/b]: "
else
# Generic message if no known key material backup
message="Please confirm that your GPG card is inserted [Y/n]: "
fi
read \
-n 1 \
-p "$message" \
card_confirm
echo
if [ "$card_confirm" != "y" \
-a "$card_confirm" != "Y" \
-a "$card_confirm" != "b" \
-a -n "$card_confirm" ] \
; then
die "gpg card not confirmed"
fi
# If user has known GPG key material Thumb drive backup and asked to use it
if [[ "$CONFIG_HAVE_GPG_KEY_BACKUP" == "y" && "$card_confirm" == "b" ]]; then
#Only mount and import GPG key material thumb drive backup once
if [ ! "$CONFIG_GPG_KEY_BACKUP_IN_USE" == "y" ]; then
CR_NONCE="/tmp/secret/cr_nonce"
CR_SIG="$CR_NONCE.sig"
#Wipe any previous CR_NONCE and CR_SIG
shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" >/dev/null 2>&1 || true
#Prompt user for configured GPG Admin PIN that will be passed along to mount-usb and to import gpg subkeys
echo
gpg_admin_pin=""
while [ -z "$gpg_admin_pin" ]; do
#TODO: change all passphrase prompts in codebase to include -r to prevent backslash escapes
read -r -s -p "Please enter GPG Admin PIN needed to use the GPG backup thumb drive: " gpg_admin_pin
echo
done
#prompt user to select the proper encrypted partition, which should the first one on next prompt
warn "Please select encrypted LUKS on GPG key material backup thumb drive (not public labeled one)"
mount-usb --pass "$gpg_admin_pin" || die "Unable to mount USB with provided GPG Admin PIN"
echo "++++ Testing detach-sign operation and verifiying against fused public key in ROM"
gpg --pinentry-mode=loopback --passphrase-file <(echo -n "${gpg_admin_pin}") --import /media/subkeys.sec >/dev/null 2>&1 ||
die "Unable to import GPG private subkeys"
#Do a detach signature to ensure gpg material is usable and cache passphrase to sign /boot from caller functions
dd if=/dev/urandom of="$CR_NONCE" bs=20 count=1 >/dev/null 2>&1 ||
die "Unable to create $CR_NONCE to be detach-signed with GPG private signing subkey"
gpg --pinentry-mode=loopback --passphrase-file <(echo -n "${gpg_admin_pin}") --detach-sign "$CR_NONCE" >/dev/null 2>&1 ||
die "Unable to detach-sign $CR_NONCE with GPG private signing subkey using GPG Admin PIN"
#verify detached signature against public key in rom
gpg --verify "$CR_SIG" "$CR_NONCE" > /dev/null 2>&1 && \
echo "++++ Local GPG keyring can be used to sign/encrypt/authenticate in this boot session ++++" || \
die "Unable to verify $CR_SIG detached signature against public key in ROM"
#Wipe any previous CR_NONCE and CR_SIG
shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" >/dev/null 2>&1 || true
#TODO: maybe just an export instead of setting /etc/user.config otherwise could be flashed in weird corner case situation
set_user_config "CONFIG_GPG_KEY_BACKUP_IN_USE" "y"
umount /media || die "Unable to unmount USB"
return
fi
fi
# setup the USB so we can reach the USB Security Dongle's smartcard
enable_usb
echo -e "\nVerifying presence of GPG card...\n"
# ensure we don't exit without retrying
errexit=$(set -o | grep errexit | awk '{print $2}')
set +e
gpg --card-status >/dev/null
if [ $? -ne 0 ]; then
# prompt for reinsertion and try a second time
read -n1 -r -p \
"Can't access GPG key; remove and reinsert, then press Enter to retry. " \
ignored
# restore prev errexit state
if [ "$errexit" = "on" ]; then
set -e
fi
# retry card status
gpg --card-status >/dev/null ||
die "gpg card read failed"
fi
# restore prev errexit state
if [ "$errexit" = "on" ]; then
set -e
fi
}
gpg_auth() {
if [[ "$CONFIG_HAVE_GPG_KEY_BACKUP" == "y" ]]; then
TRACE "Under /etc/ash_functions:gpg_auth"
# If we have a GPG key backup, we can use it to authenticate even if the card is lost
echo >&2 "!!!!! Please authenticate with OpenPGP smartcard/backup media to prove you are the owner of this machine !!!!!"
# Wipe any existing nonce and signature
shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" 2>/dev/null || true
# In case of gpg_auth, we require confirmation of the card, so loop with confirm_gpg_card until we get it
false
while [ $? -ne 0 ]; do
# Call confirm_gpg_card in subshell to ensure GPG key material presence
( confirm_gpg_card )
done
# Perform a signing-based challenge-response,
# to authencate that the card plugged in holding
# the key to sign the list of boot files.
CR_NONCE="/tmp/secret/cr_nonce"
CR_SIG="$CR_NONCE.sig"
# Generate a random nonce
dd \
if=/dev/urandom \
of="$CR_NONCE" \
count=1 \
bs=20 \
2>/dev/null \
|| die "Unable to generate 20 random bytes"
# Sign the nonce
for tries in 1 2 3; do
if gpg --digest-algo SHA256 \
--detach-sign \
-o "$CR_SIG" \
"$CR_NONCE" > /dev/null 2>&1 \
&& gpg --verify "$CR_SIG" "$CR_NONCE" > /dev/null 2>&1 \
; then
shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" 2>/dev/null || true
DEBUG "Under /etc/ash_functions:gpg_auth: success"
return 0
else
shred -n 10 -z -u "$CR_SIG" 2>/dev/null || true
if [ "$tries" -lt 3 ]; then
echo >&2 "!!!!! GPG authentication failed, please try again !!!!!"
continue
else
die "GPG authentication failed, please reboot and try again"
fi
fi
done
return 1
fi
}
recovery() {
TRACE "Under /etc/ash_functions:recovery"
echo >&2 "!!!!! $*"
# Remove any temporary secret files that might be hanging around
# but recreate the directory so that new tools can use it.
#safe to always be true. Otherwise "set -e" would make it exit here
shred -n 10 -z -u /tmp/secret/* 2> /dev/null || true
rm -rf /tmp/secret
mkdir -p /tmp/secret
# ensure /tmp/config exists for recovery scripts that depend on it
touch /tmp/config
. /tmp/config
DEBUG "Board $CONFIG_BOARD - version $(fw_version)"
if [ "$CONFIG_TPM" = "y" ]; then
echo "TPM: Extending PCR[4] to prevent any further secret unsealing"
tpmr extend -ix 4 -ic recovery
fi
if [ "$CONFIG_RESTRICTED_BOOT" = y ]; then
echo >&2 "Restricted Boot enabled, recovery console disabled, rebooting in 5 seconds"
sleep 5
/bin/reboot
fi
while [ true ]
do
#Going to recovery shell should be authenticated if supported
gpg_auth
echo >&2 "!!!!! Starting recovery shell"
sleep 1
if [ -x /bin/setsid ]; then
/bin/setsid -c /bin/sh
else
/bin/sh
fi
done
}
pause_recovery() {
TRACE "Under /etc/ash_functions:pause_recovery"
read -p $'!!! Hit enter to proceed to recovery shell !!!\n'
recovery $*
}
combine_configs() {
TRACE "Under /etc/ash_functions:combine_configs"
cat /etc/config* > /tmp/config
}
replace_config() {
TRACE "Under /etc/functions:replace_config"
CONFIG_FILE=$1
CONFIG_OPTION=$2
NEW_SETTING=$3
touch $CONFIG_FILE
# first pull out the existing option from the global config and place in a tmp file
awk "gsub(\"^export ${CONFIG_OPTION}=.*\",\"export ${CONFIG_OPTION}=\\\"${NEW_SETTING}\\\"\")" /tmp/config >${CONFIG_FILE}.tmp
awk "gsub(\"^${CONFIG_OPTION}=.*\",\"${CONFIG_OPTION}=\\\"${NEW_SETTING}\\\"\")" /tmp/config >>${CONFIG_FILE}.tmp
# then copy any remaining settings from the existing config file, minus the option you changed
grep -v "^export ${CONFIG_OPTION}=" ${CONFIG_FILE} | grep -v "^${CONFIG_OPTION}=" >>${CONFIG_FILE}.tmp || true
sort ${CONFIG_FILE}.tmp | uniq >${CONFIG_FILE}
rm -f ${CONFIG_FILE}.tmp
}
# Set a config variable in a specific file to a given value - replace it if it
# exists, or add it. If added, the variable will be exported.
set_config() {
CONFIG_FILE="$1"
CONFIG_OPTION="$2"
NEW_SETTING="$3"
if grep -q "$CONFIG_OPTION" "$CONFIG_FILE"; then
replace_config "$CONFIG_FILE" "$CONFIG_OPTION" "$NEW_SETTING"
else
echo "export $CONFIG_OPTION=\"$NEW_SETTING\"" >>"$CONFIG_FILE"
fi
}
# Set a value in config.user, re-combine configs, and update configs in the
# environment.
set_user_config() {
CONFIG_OPTION="$1"
NEW_SETTING="$2"
set_config /etc/config.user "$CONFIG_OPTION" "$NEW_SETTING"
combine_configs
. /tmp/config
}
# Load a config value to a variable, defaulting to empty. Does not fail if the
# config is not set (since it would expand to empty by default).
load_config_value() {
local config_name="$1"
if grep -q "$config_name=" /tmp/config; then
grep "$config_name=" /tmp/config | tail -n1 | cut -f2 -d '=' | tr -d '"'
fi
}
enable_usb()
{
TRACE "Under /etc/ash_functions:enable_usb"
#insmod ehci_hcd prior of uhdc_hcd and ohci_hcd to suppress dmesg warning
insmod /lib/modules/ehci-hcd.ko || die "ehci_hcd: module load failed"
if [ "$CONFIG_LINUX_USB_COMPANION_CONTROLLER" = y ]; then
insmod /lib/modules/uhci-hcd.ko || die "uhci_hcd: module load failed"
insmod /lib/modules/ohci-hcd.ko || die "ohci_hcd: module load failed"
insmod /lib/modules/ohci-pci.ko || die "ohci_pci: module load failed"
fi
insmod /lib/modules/ehci-pci.ko || die "ehci_pci: module load failed"
insmod /lib/modules/xhci-hcd.ko || die "xhci_hcd: module load failed"
insmod /lib/modules/xhci-pci.ko || die "xhci_pci: module load failed"
sleep 2
# For resiliency, test CONFIG_USB_KEYBOARD_REQUIRED explicitly rather
# than having it imply CONFIG_USER_USB_KEYBOARD at build time.
# Otherwise, if a user got CONFIG_USER_USB_KEYBOARD=n in their
# config.user by mistake (say, by copying config.user from a laptop to a
# desktop/server), they could lock themselves out, only recoverable by
# hardware flash.
if [ "$CONFIG_USB_KEYBOARD_REQUIRED" = y ] || [ "$CONFIG_USER_USB_KEYBOARD" = y ]; then
insmod /lib/modules/usbhid.ko || die "usbhid: module load failed"
fi
}

1296
initrd/etc/diceware_dictionaries/eff_short_wordlist_2_0.txt Normal file
View File

File diff suppressed because it is too large Load Diff

539
initrd/etc/functions Executable file → Normal file
View File

@ -1,6 +1,392 @@
#!/bin/bash
# Shell functions for most initialization scripts
. /etc/ash_functions
# ------- Start of functions coming from /etc/ash_functions
die() {
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
echo -e " !!! ERROR: $* !!!" | tee -a /tmp/debug.log /dev/kmsg >/dev/null
else
echo -e "!!! ERROR: $* !!!" >&2
fi
sleep 2
exit 1
}
warn() {
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
echo -e " *** WARNING: $* ***" | tee -a /tmp/debug.log /dev/kmsg >/dev/null
else
echo -e " *** WARNING: $* ***" >&2
fi
sleep 1
}
DEBUG() {
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
# fold -s -w 960 will wrap lines at 960 characters on the last space before the limit
echo "DEBUG: $*" | fold -s -w 960 | while read line; do
echo "$line" | tee -a /tmp/debug.log /dev/kmsg >/dev/null
done
fi
}
TRACE() {
if [ "$CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" = "y" ]; then
echo "TRACE: $*" | tee -a /tmp/debug.log /dev/kmsg >/dev/null
fi
}
# Function to manage information output level to the console/debug.log
INFO() {
#TODO: add colors to output, here green for INFO?
# if not CONFIG_QUIET_MODE=y, output to console. If not, output to debug.log
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
echo "$*" | tee -a /tmp/debug.log /dev/kmsg >/dev/null
elif [ "$CONFIG_QUIET_MODE" = "y" ]; then
echo "$*" >>/tmp/debug.log
else
echo "$*"
fi
}
# Write directly to the debug log (but not kmsg), never appears on console
# Main consumer is DO_WITH_DEBUG, which uses this to log command output
LOG() {
echo "LOG: $*" >>/tmp/debug.log
}
fw_version() {
local FW_VER=$(dmesg | grep 'DMI' | grep -o 'BIOS.*' | cut -f2- -d ' ')
# chop off date, since will always be epoch w/timeless builds
echo "${FW_VER::-10}"
}
preserve_rom() {
TRACE_FUNC
new_rom="$1"
old_files=$(cbfs -t 50 -l 2>/dev/null | grep "^heads/")
for old_file in $(echo $old_files); do
new_file=$(cbfs.sh -o $1 -l | grep -x $old_file)
if [ -z "$new_file" ]; then
echo "+++ Adding $old_file to $1"
cbfs -t 50 -r $old_file >/tmp/rom.$$ ||
die "Failed to read cbfs file from ROM"
cbfs.sh -o $1 -a $old_file -f /tmp/rom.$$ ||
die "Failed to write cbfs file to new ROM file"
fi
done
}
confirm_gpg_card() {
#TODO: ideally, we ask for confirmation only once per boot session
#TODO: even change logic here to try first and then ask user to confirm if not found
#TODO: or ask GPG user PIN once and cache it for the rest of the boot session for reusal
# This is getting in the way of unattended stuff and GPG prompts are confusing anyway, hide them from user.
TRACE_FUNC
#Skip prompts if we are currently using a known GPG key material Thumb drive backup and keys are unlocked pinentry
#TODO: probably export CONFIG_GPG_KEY_BACKUP_IN_USE but not under /etc/user.config?
#Toggle to come in next PR, but currently we don't have a way to toggle it back to n if config.user flashed back in rom
if [[ "$CONFIG_HAVE_GPG_KEY_BACKUP" == "y" && "$CONFIG_GPG_KEY_BACKUP_IN_USE" == "y" ]]; then
DEBUG "Using known GPG key material Thumb drive backup and keys are unlocked and useable through pinentry"
return
fi
if [ "$CONFIG_HAVE_GPG_KEY_BACKUP" == "y" ]; then
message="Please confirm that your GPG card is inserted(Y/n) or your GPG key material (b)backup thumbdrive is inserted [Y/n/b]: "
else
# Generic message if no known key material backup
message="Please confirm that your GPG card is inserted [Y/n]: "
fi
read \
-n 1 \
-p "$message" \
card_confirm
echo
if [ "$card_confirm" != "y" \
-a "$card_confirm" != "Y" \
-a "$card_confirm" != "b" \
-a -n "$card_confirm" ] \
; then
die "gpg card not confirmed"
fi
# If user has known GPG key material Thumb drive backup and asked to use it
if [[ "$CONFIG_HAVE_GPG_KEY_BACKUP" == "y" && "$card_confirm" == "b" ]]; then
#Only mount and import GPG key material thumb drive backup once
if [ ! "$CONFIG_GPG_KEY_BACKUP_IN_USE" == "y" ]; then
CR_NONCE="/tmp/secret/cr_nonce"
CR_SIG="$CR_NONCE.sig"
#Wipe any previous CR_NONCE and CR_SIG
shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" >/dev/null 2>&1 || true
#Prompt user for configured GPG Admin PIN that will be passed along to mount-usb and to import gpg subkeys
echo
gpg_admin_pin=""
while [ -z "$gpg_admin_pin" ]; do
#TODO: change all passphrase prompts in codebase to include -r to prevent backslash escapes
read -r -s -p "Please enter GPG Admin PIN needed to use the GPG backup thumb drive: " gpg_admin_pin
echo
done
#prompt user to select the proper encrypted partition, which should the first one on next prompt
warn "Please select encrypted LUKS on GPG key material backup thumb drive (not public labeled one)"
mount-usb --pass "$gpg_admin_pin" || die "Unable to mount USB with provided GPG Admin PIN"
echo "++++ Testing detach-sign operation and verifiying against fused public key in ROM"
gpg --pinentry-mode=loopback --passphrase-file <(echo -n "${gpg_admin_pin}") --import /media/subkeys.sec >/dev/null 2>&1 ||
die "Unable to import GPG private subkeys"
#Do a detach signature to ensure gpg material is usable and cache passphrase to sign /boot from caller functions
dd if=/dev/urandom of="$CR_NONCE" bs=20 count=1 >/dev/null 2>&1 ||
die "Unable to create $CR_NONCE to be detach-signed with GPG private signing subkey"
gpg --pinentry-mode=loopback --passphrase-file <(echo -n "${gpg_admin_pin}") --detach-sign "$CR_NONCE" >/dev/null 2>&1 ||
die "Unable to detach-sign $CR_NONCE with GPG private signing subkey using GPG Admin PIN"
#verify detached signature against public key in rom
gpg --verify "$CR_SIG" "$CR_NONCE" >/dev/null 2>&1 &&
echo "++++ Local GPG keyring can be used to sign/encrypt/authenticate in this boot session ++++" ||
die "Unable to verify $CR_SIG detached signature against public key in ROM"
#Wipe any previous CR_NONCE and CR_SIG
shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" >/dev/null 2>&1 || true
#TODO: maybe just an export instead of setting /etc/user.config otherwise could be flashed in weird corner case situation
set_user_config "CONFIG_GPG_KEY_BACKUP_IN_USE" "y"
umount /media || die "Unable to unmount USB"
return
fi
fi
# setup the USB so we can reach the USB Security dongle's OpenPGP smartcard
enable_usb
echo -e "\nVerifying presence of GPG card...\n"
# ensure we don't exit without retrying
errexit=$(set -o | grep errexit | awk '{print $2}')
set +e
gpg_output=$(gpg --card-status 2>&1)
if [ $? -ne 0 ]; then
# prompt for reinsertion and try a second time
read -n1 -r -p \
"Can't access GPG key; remove and reinsert, then press Enter to retry. " \
ignored
# restore prev errexit state
if [ "$errexit" = "on" ]; then
set -e
fi
# retry card status
gpg_output=$(gpg --card-status 2>&1) ||
die "gpg card read failed"
fi
# restore prev errexit state
if [ "$errexit" = "on" ]; then
set -e
fi
# Extract and display GPG PIN retry counters
# output excerpt: "PIN retry counter : 3 0 3"
pin_retry_counters=$(echo "$gpg_output" | grep 'PIN retry counter' | awk -F': ' '{print $2}')
user_pin_retries=$(echo "$pin_retry_counters" | awk '{print $1}')
admin_pin_retries=$(echo "$pin_retry_counters" | awk '{print $3}')
echo ""
echo "GPG User PIN retry attempts left before becoming locked: $user_pin_retries"
echo "GPG Admin PIN retry attempts left before becoming locked: $admin_pin_retries"
echo ""
warn "Your GPG User PIN, followed by Enter key will be required for input at: 'Please unlock the card' next prompt"
echo ""
}
gpg_auth() {
if [[ "$CONFIG_HAVE_GPG_KEY_BACKUP" == "y" ]]; then
TRACE_FUNC
# If we have a GPG key backup, we can use it to authenticate even if the card is lost
echo >&2 "!!!!! Please authenticate with OpenPGP smartcard/backup media to prove you are the owner of this machine !!!!!"
# Wipe any existing nonce and signature
shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" 2>/dev/null || true
# In case of gpg_auth, we require confirmation of the card, so loop with confirm_gpg_card until we get it
false
while [ $? -ne 0 ]; do
# Call confirm_gpg_card in subshell to ensure GPG key material presence
(confirm_gpg_card)
done
# Perform a signing-based challenge-response,
# to authencate that the card plugged in holding
# the key to sign the list of boot files.
CR_NONCE="/tmp/secret/cr_nonce"
CR_SIG="$CR_NONCE.sig"
# Generate a random nonce
dd \
if=/dev/urandom \
of="$CR_NONCE" \
count=1 \
bs=20 \
2>/dev/null ||
die "Unable to generate 20 random bytes"
# Sign the nonce
for tries in 1 2 3; do
if gpg --digest-algo SHA256 \
--detach-sign \
-o "$CR_SIG" \
"$CR_NONCE" >/dev/null 2>&1 &&
gpg --verify "$CR_SIG" "$CR_NONCE" >/dev/null 2>&1 \
; then
shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" 2>/dev/null || true
DEBUG "Under /etc/ash_functions:gpg_auth: success"
return 0
else
shred -n 10 -z -u "$CR_SIG" 2>/dev/null || true
if [ "$tries" -lt 3 ]; then
echo >&2 "!!!!! GPG authentication failed, please try again !!!!!"
continue
else
die "GPG authentication failed, please reboot and try again"
fi
fi
done
return 1
fi
}
recovery() {
TRACE_FUNC
echo >&2 "!!!!! $*"
# Remove any temporary secret files that might be hanging around
# but recreate the directory so that new tools can use it.
#safe to always be true. Otherwise "set -e" would make it exit here
shred -n 10 -z -u /tmp/secret/* 2>/dev/null || true
rm -rf /tmp/secret
mkdir -p /tmp/secret
# ensure /tmp/config exists for recovery scripts that depend on it
touch /tmp/config
. /tmp/config
DEBUG "Board $CONFIG_BOARD - version $(fw_version)"
if [ "$CONFIG_TPM" = "y" ]; then
INFO "TPM: Extending PCR[4] to prevent any further secret unsealing"
tpmr extend -ix 4 -ic recovery
fi
if [ "$CONFIG_RESTRICTED_BOOT" = y ]; then
echo >&2 "Restricted Boot enabled, recovery console disabled, rebooting in 5 seconds"
sleep 5
/bin/reboot
fi
while [ true ]; do
#Going to recovery shell should be authenticated if supported
gpg_auth
echo >&2 "!!!!! Starting recovery shell"
sleep 1
if [ -x /bin/setsid ]; then
/bin/setsid -c /bin/bash
else
/bin/bash
fi
done
}
pause_recovery() {
TRACE_FUNC
read -p $'!!! Hit enter to proceed to recovery shell !!!\n'
recovery $*
}
combine_configs() {
TRACE_FUNC
cat /etc/config* >/tmp/config
}
replace_config() {
TRACE_FUNC
CONFIG_FILE=$1
CONFIG_OPTION=$2
NEW_SETTING=$3
touch $CONFIG_FILE
# first pull out the existing option from the global config and place in a tmp file
awk "gsub(\"^export ${CONFIG_OPTION}=.*\",\"export ${CONFIG_OPTION}=\\\"${NEW_SETTING}\\\"\")" /tmp/config >${CONFIG_FILE}.tmp
awk "gsub(\"^${CONFIG_OPTION}=.*\",\"${CONFIG_OPTION}=\\\"${NEW_SETTING}\\\"\")" /tmp/config >>${CONFIG_FILE}.tmp
# then copy any remaining settings from the existing config file, minus the option you changed
grep -v "^export ${CONFIG_OPTION}=" ${CONFIG_FILE} | grep -v "^${CONFIG_OPTION}=" >>${CONFIG_FILE}.tmp || true
sort ${CONFIG_FILE}.tmp | uniq >${CONFIG_FILE}
rm -f ${CONFIG_FILE}.tmp
}
# Set a config variable in a specific file to a given value - replace it if it
# exists, or add it. If added, the variable will be exported.
set_config() {
CONFIG_FILE="$1"
CONFIG_OPTION="$2"
NEW_SETTING="$3"
if grep -q "$CONFIG_OPTION" "$CONFIG_FILE"; then
replace_config "$CONFIG_FILE" "$CONFIG_OPTION" "$NEW_SETTING"
else
echo "export $CONFIG_OPTION=\"$NEW_SETTING\"" >>"$CONFIG_FILE"
fi
}
# Set a value in config.user, re-combine configs, and update configs in the
# environment.
set_user_config() {
CONFIG_OPTION="$1"
NEW_SETTING="$2"
set_config /etc/config.user "$CONFIG_OPTION" "$NEW_SETTING"
combine_configs
. /tmp/config
}
# Load a config value to a variable, defaulting to empty. Does not fail if the
# config is not set (since it would expand to empty by default).
load_config_value() {
local config_name="$1"
if grep -q "$config_name=" /tmp/config; then
grep "$config_name=" /tmp/config | tail -n1 | cut -f2 -d '=' | tr -d '"'
fi
}
enable_usb() {
TRACE_FUNC
#insmod ehci_hcd prior of uhdc_hcd and ohci_hcd to suppress dmesg warning
insmod /lib/modules/ehci-hcd.ko || die "ehci_hcd: module load failed"
if [ "$CONFIG_LINUX_USB_COMPANION_CONTROLLER" = y ]; then
insmod /lib/modules/uhci-hcd.ko || die "uhci_hcd: module load failed"
insmod /lib/modules/ohci-hcd.ko || die "ohci_hcd: module load failed"
insmod /lib/modules/ohci-pci.ko || die "ohci_pci: module load failed"
fi
insmod /lib/modules/ehci-pci.ko || die "ehci_pci: module load failed"
insmod /lib/modules/xhci-hcd.ko || die "xhci_hcd: module load failed"
insmod /lib/modules/xhci-pci.ko || die "xhci_pci: module load failed"
sleep 2
# For resiliency, test CONFIG_USB_KEYBOARD_REQUIRED explicitly rather
# than having it imply CONFIG_USER_USB_KEYBOARD at build time.
# Otherwise, if a user got CONFIG_USER_USB_KEYBOARD=n in their
# config.user by mistake (say, by copying config.user from a laptop to a
# desktop/server), they could lock themselves out, only recoverable by
# hardware flash.
if [ "$CONFIG_USB_KEYBOARD_REQUIRED" = y ] || [ "$CONFIG_USER_USB_KEYBOARD" = y ]; then
insmod /lib/modules/usbhid.ko || die "usbhid: module load failed"
fi
}
# ------- End of functions coming from /etc/ash_functions
# Print <hidden> or <empty> depending on whether $1 is empty. Useful to mask an
# optional password parameter.
@ -18,6 +404,15 @@ mask_param() {
#
# For example:
# ls /boot/vmlinux* | SINK_LOG "/boot kernels"
#
# To capture stderr:
# cryptsetup open /dev/sda1 media-crypt 2> >(SINK_LOG "LUKS unlock sda1 errors")
# (Note: the space between '>' is necessary in '2> >(SINK_LOG ...)')
#
# To capture both:
# tpm reset > >(SINK_LOG "tpm reset") 2>&1
# (Note: 2>&1 must follow the stdout redirection, and space between '>' is
# necessary)
SINK_LOG() {
local name="$1"
local line haveblank
@ -25,8 +420,11 @@ SINK_LOG() {
# last (unterminated) line. Add a line break with echo to ensure we
# don't lose any input. Buffer up to one blank line so we can avoid
# emitting a final (or only) blank line.
(cat; echo) | while IFS= read -r line; do
[[ -n "$haveblank" ]] && DEBUG "$name: " # Emit buffered blank line
(
cat
echo
) | while IFS= read -r line; do
[[ -n "$haveblank" ]] && LOG "$name: " # Emit buffered blank line
if [[ -z "$line" ]]; then
haveblank=y
else
@ -129,10 +527,10 @@ TRACE_FUNC() {
DEBUG_STACK() {
local FRAMES
FRAMES="${#FUNCNAME[@]}"
DEBUG "call stack: ($((FRAMES-1)) frames)"
DEBUG "call stack: ($((FRAMES - 1)) frames)"
# Don't print DEBUG_STACK itself, start from 1
for i in $(seq 1 "$((FRAMES-1))"); do
DEBUG "- $((i-1)) - ${BASH_SOURCE[$i]}(${BASH_LINENO[$((i-1))]}): ${FUNCNAME[$i]}"
for i in $(seq 1 "$((FRAMES - 1))"); do
DEBUG "- $((i - 1)) - ${BASH_SOURCE[$i]}(${BASH_LINENO[$((i - 1))]}): ${FUNCNAME[$i]}"
done
}
@ -247,8 +645,8 @@ device_has_partitions() {
# This check covers that: [ $(fdisk -l "$b" | wc -l) -eq 5 ]
# In both cases the output is 5 lines: 3 about device info, 1 empty line
# and the 5th will be the table header or the invalid message.
local DISK_DATA=$(fdisk -l "$DEVICE")
if echo "$DISK_DATA" | grep -q "doesn't contain a valid partition table" || \
local DISK_DATA=$(fdisk -l "$DEVICE" 2>/dev/null)
if echo "$DISK_DATA" | grep -q "doesn't contain a valid partition table" ||
[ "$(echo "$DISK_DATA" | wc -l)" -eq 5 ]; then
# No partition table
return 1
@ -365,11 +763,11 @@ check_tpm_counter() {
if [ -r "$1" ]; then
TPM_COUNTER=$(grep counter- "$1" | cut -d- -f2)
else
warn "$1 does not exist; creating new TPM counter"
INFO "$1 does not exist; creating new TPM counter"
tpmr counter_create \
-pwdc '' \
-la $LABEL |
tee /tmp/counter ||
tee /tmp/counter >/dev/null 2>&1 ||
die "Unable to create TPM counter"
TPM_COUNTER=$(cut -d: -f1 </tmp/counter)
fi
@ -379,19 +777,22 @@ check_tpm_counter() {
fi
}
# Read the TPM counter value from the TPM.
read_tpm_counter() {
TRACE_FUNC
tpmr counter_read -ix "$1" | tee "/tmp/counter-$1" ||
tpmr counter_read -ix "$1" | tee "/tmp/counter-$1" >/dev/null 2>&1 ||
die "Counter read failed"
}
# Increment the TPM counter value in the TPM.
increment_tpm_counter() {
TRACE_FUNC
tpmr counter_increment -ix "$1" -pwdc '' |
tee /tmp/counter-$1 ||
tee /tmp/counter-$1 >/dev/null 2>&1 ||
die "TPM counter increment failed for rollback prevention. Please reset the TPM"
}
# Check detached signature on kexec boot params
check_config() {
TRACE_FUNC
if [ ! -d /tmp/kexec ]; then
@ -411,12 +812,13 @@ check_config() {
fi
if [ "$2" != "force" ]; then
# Note that kexec.sig detached signature is solely verifying kexec*.txt files here!
if ! sha256sum $(find $1/kexec*.txt) | gpgv $1/kexec.sig -; then
die 'Invalid signature on kexec boot params'
fi
fi
echo "+++ Found verified kexec boot params"
INFO "+++ Found verified kexec boot params"
cp $1/kexec*.txt /tmp/kexec ||
die "Failed to copy kexec boot params to tmp"
}
@ -433,6 +835,7 @@ replace_rom_file() {
cbfs.sh -o "$ROM" -a "$ROM_FILE" -f "$NEW_FILE"
}
# Replace the config file by the changed one
replace_config() {
TRACE_FUNC
CONFIG_FILE=$1
@ -466,6 +869,7 @@ secret_from_rom_hash() {
sha256sum "${ROM_IMAGE}" | cut -f1 -d ' ' | fromhex_plain
}
# Update the checksums of the files in /boot and sign them
update_checksums() {
TRACE_FUNC
# ensure /boot mounted
@ -496,6 +900,7 @@ update_checksums() {
return $rv
}
# Print the file and directory structure of /boot to caller's stdout
print_tree() {
TRACE_FUNC
find ./ ! -path './kexec*' -print0 | sort -z
@ -567,9 +972,7 @@ escape_zero() {
assert_signable() {
TRACE_FUNC
# ensure /boot mounted
if ! grep -q /boot /proc/mounts; then
mount -o ro /boot || die "Unable to mount /boot"
fi
detect_boot_device
find /boot -print0 >/tmp/signable.ref
local del='\001-\037\134\177-\377'
@ -583,6 +986,7 @@ assert_signable() {
rm -f /tmp/signable.*
}
# Verify the checksums of the files in /boot
verify_checksums() {
TRACE_FUNC
local boot_dir="$1"
@ -662,7 +1066,7 @@ is_gpt_bios_grub() {
# Now we know the device and partition number, get the type. This is
# specific to GPT disks, MBR disks are shown differently by fdisk.
TRACE "$PART_DEV is partition $NUMBER of $DEVICE"
if [ "$(fdisk -l "/dev/$DEVICE" | awk '$1 == '"$NUMBER"' {print $5}')" == grub ]; then
if [ "$(fdisk -l "/dev/$DEVICE" 2>/dev/null | awk '$1 == '"$NUMBER"' {print $5}')" == grub ]; then
return 0
fi
return 1
@ -735,7 +1139,7 @@ detect_boot_device() {
fi
# generate list of possible boot devices
fdisk -l | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" >/tmp/disklist
fdisk -l 2>/dev/null | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" >/tmp/disklist
# Check each possible boot device
for i in $(cat /tmp/disklist); do
@ -868,3 +1272,100 @@ run_at_exit_handlers() {
done
}
trap run_at_exit_handlers EXIT
# Helper function to generate diceware passphrase
generate_passphrase() {
usage_generate_passphrase() {
echo "Usage: generate_passphrase --dictionary|-d <dictionary_file> [--number_words|-n <num_words>] [--max_length|-m <max_size>] [--lowercase|-l]"
echo "Generates a passphrase using a Diceware dictionary."
echo " --dictionary|-d <dictionary_file> Path to the Diceware dictionary file (defaults to /etc/diceware_dictionaries/eff_short_wordlist_2_0.txt )."
echo " [--number_words|-n <num_words>] Number of words in the passphrase (default: 3)."
echo " [--max_length|-m <max_size>] Maximum size of the passphrase (default: 256)."
echo " [--lowercase|-l] Use lowercase words (default: false)."
}
# Helper subfunction to get a random word from the dictionary
get_random_word_from_dictionary() {
local dictionary_file="$1" lines random
lines="$(wc -l <"$dictionary_file")"
# 4 random bytes are used to reduce modulo bias to an acceptable
# level. 4 bytes with modulus 1296 results in 0.000003% bias
# toward the first 1263 words.
random="$(dd if=/dev/random bs=4 count=1 status=none | hexdump -e '1/4 "%u\n"')"
((random %= lines))
((++random)) # tail's line count is 1-based
tail -n +"$random" "$dictionary_file" | head -1 | cut -d$'\t' -f2
}
TRACE_FUNC
local dictionary_file="/etc/diceware_dictionaries/eff_short_wordlist_2_0.txt"
local num_words=3
local max_size=256
local lowercase=false
# Parse parameters
while [[ "$#" -gt 0 ]]; do
case "$1" in
--dictionary | -d)
dictionary_file="$2"
shift
;;
--lowercase | -l)
lowercase=true
;;
--number_words | -n)
if ! [[ "$2" =~ ^[0-9]+$ ]] || [[ "$2" -le 0 ]]; then
warn "Invalid number of words: $2"
usage_generate_passphrase
return 1
fi
num_words="$2"
shift
;;
--max_length | -m)
if ! [[ "$2" =~ ^[0-9]+$ ]] || [[ "$2" -le 0 ]]; then
warn "Invalid maximum size: $2"
usage_generate_passphrase
return 1
fi
max_size="$2"
shift
;;
*)
warn "Unknown parameter: $1"
usage_generate_passphrase
return 1
;;
esac
shift
done
# Validate dictionary file
if [[ -z "$dictionary_file" || ! -f "$dictionary_file" ]]; then
warn "Dictionary file not found or not provided: $dictionary_file"
usage_generate_passphrase
return 1
fi
local passphrase=""
local word=""
for ((i = 0; i < num_words; ++i)); do
word=$(get_random_word_from_dictionary "$dictionary_file")
if [[ "$lowercase" == "false" ]]; then
word=${word^} # Capitalize the first letter
fi
passphrase+="$word "
if [[ ${#passphrase} -gt $max_size ]]; then
DEBUG "Passphrase exceeds max size: $max_size, removing last word"
passphrase=${passphrase% *} # Remove the last word if it exceeds max_size
break
fi
done
#Remove passphrase trailing space from passphrase+="$word"
passphrase=${passphrase% }
echo "$passphrase"
return 0
}

2
initrd/etc/gui_functions
View File

@ -181,7 +181,7 @@ show_system_info()
kernel=$(uname -s -r)
whiptail_type $BG_COLOR_MAIN_MENU --title 'System Info' \
--msgbox "${BOARD_NAME}\n\nFW_VER: ${FW_VER}\nKernel: ${kernel}\n\nCPU: ${cpustr}\nRAM: ${memtotal} GB\n$battery_status\n$(fdisk -l | grep -e '/dev/sd.:' -e '/dev/nvme.*:' | sed 's/B,.*/B/')" 0 80
--msgbox "${BOARD_NAME}\n\nFW_VER: ${FW_VER}\nKernel: ${kernel}\n\nCPU: ${cpustr}\nRAM: ${memtotal} GB\n$battery_status\n$(fdisk -l 2>/dev/null | grep -e '/dev/sd.:' -e '/dev/nvme.*:' | sed 's/B,.*/B/')" 0 80
}
# Get "Enable" or "Disable" to display in the configuration menu, based on a

167
initrd/init
View File

@ -1,9 +1,7 @@
#! /bin/ash
# Note this is used on legacy-flash boards that lack bash, it runs with busybox
# ash. Calls to bash scripts must be guarded by checking config.
#! /bin/bash
mknod /dev/ttyprintk c 5 3
echo "hello world" > /dev/ttyprintk
echo "hello world" >/dev/ttyprintk
# Setup our path
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
@ -43,7 +41,7 @@ mkdir -p /tmp/secret
# Now it is safe to print a banner
if [ -r /etc/motd ]; then
cat /etc/motd > /dev/tty0
cat /etc/motd >/dev/tty0
fi
# Load the date from the hardware clock, setting it in local time
@ -55,28 +53,80 @@ hwclock -l -s
# filesystem after exFAT is iso9660, move exFAT last.
(grep -v '^\texfat$' /proc/filesystems && echo -e '\texfat') >/etc/filesystems
# Read the system configuration parameters
. /etc/ash_functions
# Read the system configuration parameters from build time board configuration
. /etc/config
# import global functions
. /etc/functions
# Board config had CONFIG_DEBUG_OUTPUT=y defined.
# Note that boards's coreboot config kernel command line "debug" option only will have all kernel messages output on console prior of this point
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
#Maximize printk messages to output all to console (8=debug)
#DEBUG and TRACE calls will output to /dev/kmsg, outputting both on dmesg and on console
dmesg -n 8 || true
DEBUG "Debug output enabled from board CONFIG_DEBUG_OUTPUT=y option (/etc/config)"
else
# Board config did't have CONFIG_DEBUG_OUTPUT=y defined
# config.user extracted and combined from CBFS had CONFIG_DEBUG_OUTPUT=y
# Output only print messages with a priority of 4 (warnings) or lower (errors and critical) kernel messages to console
# This way, "debug" kernel command line option will have all kernel messages output on console prior of this point
# This is useful to debug boot issues but permits qemu board to boot without flooding console with kernel messages by disabling CONFIG_DEBUG_OUTPUT=y in qemu board config
dmesg -n 4 || true
DEBUG "Debug output enabled from /etc/config.user's CONFIG_DEBUG_OUTPUT=y after combine_configs (Config menu enabled Debug)"
# export user related content from cbfs
if [ "$CONFIG_COREBOOT" = "y" ]; then
/bin/cbfs-init
fi
TRACE "Under init"
# Override CONFIG_USE_BLOB_JAIL if needed and persist via user config
if lspci -n | grep -E -q "8086:(2723|4df0)"; then
if ! cat /etc/config.user 2>/dev/null | grep -q "USE_BLOB_JAIL"; then
echo "CONFIG_USE_BLOB_JAIL=y" >>/etc/config.user
fi
fi
# Override CONFIG_TPM and CONFIG_TPM2_TOOLS from /etc/config with runtime value
# determined above.
#
# Values in user config have higher priority during combining thus effectively
# changing the value for the rest of the scripts which source /tmp/config.
#Only set CONFIG_TPM and CONFIG_TPM2_TOOLS if they are not already set in /etc/config.user
if ! grep -q 'CONFIG_TPM=' /etc/config.user 2>/dev/null; then
echo "export CONFIG_TPM=\"$CONFIG_TPM\"" >>/etc/config.user
fi
if ! grep -q 'CONFIG_TPM2_TOOLS=' /etc/config.user 2>/dev/null; then
echo "export CONFIG_TPM2_TOOLS=\"$CONFIG_TPM2_TOOLS\"" >>/etc/config.user
fi
# CONFIG_BASIC was previously CONFIG_PUREBOOT_BASIC in the PureBoot distribution.
# Substitute it in config.user if present for backward compatibility.
sed -i -e 's/^export CONFIG_PUREBOOT_BASIC=/export CONFIG_BASIC=/g' /etc/config.user
# Combine user configuration overrides from CBFS's /etc/config.user
combine_configs
# Load the user configuration parameters from combined config
. /tmp/config
# Enable maximum debug info from here if config.user extracted and combined from CBFS had CONFIG_DEBUG_OUTPUT=y
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
#Output all kernel messages to console (8=debug)
#DEBUG and TRACE calls will be in dmesg and on console
# config.user extracted and combined from CBFS had CONFIG_DEBUG_OUTPUT=y
# DO_WITH_DEBUG redirects stderr and stdout to /tmp/debug.log to not clog console
TRACE_FUNC
dmesg -n 8
DEBUG "Full debug output enabled from this point: output both in dmesg and on console (equivalent of passing debug to kernel cmdline)"
DEBUG "NOTE: DO_WITH_DEBUG std_err and std_out will be redirected to /tmp/debug.log"
fi
# report if we are in quiet mode, tell user measurements logs available under /tmp/debug.log
if [ "$CONFIG_QUIET_MODE" = "y" ]; then
# check origin of quiet mode setting =y: if it is under /etc/config.user then early cbfs-init outputs are not suppressible
# if it is under /etc/config then early cbfs-init outputs are suppressible
if grep -q 'CONFIG_QUIET_MODE="y"' /etc/config 2>/dev/null; then
echo "Quiet mode enabled from board configuration: refer to '/tmp/debug.log' for boot measurements traces" >/dev/tty0
else
echo "Runtime applied Quiet mode: refer to '/tmp/debug.log' for additional boot measurements traces past this point" >/dev/tty0
echo "To suppress earlier boot measurements traces, enable CONFIG_QUIET_MODE=y in your board configuration at build time." >/dev/tty0
fi
# If CONFIG_QUIET_MODE enabled in board config but disabled from Config->Configuration Settings
# warn that early boot measurements output was suppressed prior of this point
elif [ "$CONFIG_QUIET_MODE" = "n" ]; then
# if CONFIG_QUIET_MODE=n in /etc/config.user but CONFIG_QUIET_MODE=y in /etc/config then early cbfs-init outputs are suppressed
# both needs to be checked to determine if early boot measurements traces were suppressed
if grep -q 'CONFIG_QUIET_MODE="y"' /etc/config 2>/dev/null && grep -q 'CONFIG_QUIET_MODE="n"' /etc/config.user 2>/dev/null; then
echo "Early boot measurements traces were suppressed per CONFIG_QUIET_MODE=y in your board configuration at build time (/etc/config)" >/dev/tty0
echo "Runtime applied Quiet mode disabled: refer to '/tmp/debug.log' for cbfs-init related traces prior of this point" >/dev/tty0
fi
fi
TRACE_FUNC
# make sure we have sysctl requirements
if [ ! -d /proc/sys ]; then
@ -91,11 +141,10 @@ if [ ! -e /proc/sys/vm/panic_on_oom ]; then
warn "Please open an issue"
else
DEBUG "Applying panic_on_oom setting to sysctl"
echo 1 > /proc/sys/vm/panic_on_oom
echo 1 >/proc/sys/vm/panic_on_oom
fi
# set CONFIG_TPM dynamically before init
# set CONFIG_TPM dynamically off before init if no TPM device is present
if [ ! -e /dev/tpm0 ]; then
CONFIG_TPM='n'
CONFIG_TPM2_TOOLS='n'
@ -117,67 +166,24 @@ if [ "$CONFIG_TPM" = "y" ]; then
tpmr startsession
fi
if [ "$CONFIG_COREBOOT" = "y" ]; then
[ -x /bin/bash ] && /bin/cbfs-init
fi
if [ "$CONFIG_LINUXBOOT" = "y" ]; then
# Initialize the UEFI environment for linuxboot boards
/bin/uefi-init
fi
# Set GPG_TTY before calling gpg in key-init
#TODO: do better then this; on dual console gpg only interacts with main console (affects Talos-2 and all whiptail variants)
export GPG_TTY=/dev/console
# Initialize gpnupg with distro/user keys and setup the keyrings
[ -x /bin/bash ] && /bin/key-init
# Override CONFIG_USE_BLOB_JAIL if needed and persist via user config
if lspci -n | grep -E -q "8086:(2723|4df0)"; then
if ! cat /etc/config.user 2>/dev/null | grep -q "USE_BLOB_JAIL"; then
echo "CONFIG_USE_BLOB_JAIL=y" >> /etc/config.user
fi
fi
# Override CONFIG_TPM and CONFIG_TPM2_TOOLS from /etc/config with runtime value
# determined above.
#
# Values in user config have higher priority during combining thus effectively
# changing the value for the rest of the scripts which source /tmp/config.
#Only set CONFIG_TPM and CONFIG_TPM2_TOOLS if they are not already set in /etc/config.user
if ! grep -q 'CONFIG_TPM=' /etc/config.user; then
echo "export CONFIG_TPM=\"$CONFIG_TPM\"" >> /etc/config.user
fi
if ! grep -q 'CONFIG_TPM2_TOOLS=' /etc/config.user; then
echo "export CONFIG_TPM2_TOOLS=\"$CONFIG_TPM2_TOOLS\"" >> /etc/config.user
fi
# CONFIG_BASIC was previously CONFIG_PUREBOOT_BASIC in the PureBoot distribution.
# Substitute it in config.user if present for backward compatibility.
sed -i -e 's/^export CONFIG_PUREBOOT_BASIC=/export CONFIG_BASIC=/g' /etc/config.user
combine_configs
. /tmp/config
# Enable maximum debug info from here if config.user extracted and combined from CBFS had CONFIG_DEBUG_OUTPUT=y
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
#Output all kernel messages to console (8=debug)
#DEBUG and TRACE calls will be in dmesg and on console
if ! grep -q 'CONFIG_DEBUG_OUTPUT="y"' /etc/config;then
# Board config did't have CONFIG_DEBUG_OUTPUT=y defined
# config.user extracted and combined from CBFS had CONFIG_DEBUG_OUTPUT=y
dmesg -n 8
DEBUG "Debug output enabled from /etc/config.user's CONFIG_DEBUG_OUTPUT=y after combine_configs (Config menu enabled Debug)"
TRACE "Under init:after combine_configs"
fi
fi
/bin/key-init
# Setup recovery serial shell
if [ ! -z "$CONFIG_BOOT_RECOVERY_SERIAL" ]; then
stty -F "$CONFIG_BOOT_RECOVERY_SERIAL" 115200
pause_recovery 'Console recovery shell' \
< "$CONFIG_BOOT_RECOVERY_SERIAL" \
> "$CONFIG_BOOT_RECOVERY_SERIAL" 2>&1 &
pause_recovery 'Serial console recovery shell' \
<"$CONFIG_BOOT_RECOVERY_SERIAL" \
>"$CONFIG_BOOT_RECOVERY_SERIAL" 2>&1 &
fi
# load USB modules for boards using a USB keyboard
@ -200,14 +206,15 @@ if [ "$boot_option" = "r" ]; then
# just in case...
exit
elif [ "$boot_option" = "o" ]; then
# Launch OEM Factory Reset/Re-Ownership
oem-factory-reset
# Launch OEM Factory Reset mode
echo -e "***** Entering OEM Factory Reset mode\n" >/dev/tty0
oem-factory-reset --mode oem
# just in case...
exit
fi
if [ "$CONFIG_BASIC" = "y" ]; then
echo -e "***** BASIC mode: tamper detection disabled\n" > /dev/tty0
echo -e "***** BASIC mode: tamper detection disabled\n" >/dev/tty0
fi
# export firmware version
@ -216,11 +223,11 @@ export FW_VER=$(fw_version)
# Add our boot devices into the /etc/fstab, if they are defined
# in the configuration file.
if [ ! -z "$CONFIG_BOOT_DEV" ]; then
echo >> /etc/fstab "$CONFIG_BOOT_DEV /boot auto defaults,ro 0 0"
echo >>/etc/fstab "$CONFIG_BOOT_DEV /boot auto defaults,ro 0 0"
fi
# Set the console font if needed
[ -x /bin/bash ] && setconsolefont.sh
setconsolefont.sh
if [ "$CONFIG_BASIC" = "y" ]; then
CONFIG_BOOTSCRIPT=/bin/gui-init-basic

2
initrd/mount-boot
View File

@ -36,7 +36,7 @@ dev_blocks=`cat "$dev_size_file"`
#
# Extract the signed file from the hard disk image
#
if ! dd if="$dev" of="$cmd_sig" bs=512 skip="`expr $dev_blocks - 1`"; then
if ! dd if="$dev" of="$cmd_sig" bs=512 skip="`expr $dev_blocks - 1`" > /dev/null 2>&1; then
echo >&2 '!!!!!'
echo >&2 '!!!!! Boot block extraction failed'
echo >&2 '!!!!! Dropping to recovery shell'

6
initrd/sbin/insmod
View File

@ -39,19 +39,19 @@ if [ ! -r /sys/class/tpm/tpm0/pcrs -o ! -x /bin/tpm ]; then
fi
if [ -z "$tpm_missing" ]; then
echo "TPM: Extending PCR[$MODULE_PCR] with $MODULE and parameters '$*' before loading"
INFO "TPM: Extending PCR[$MODULE_PCR] with $MODULE and parameters '$*' before loading"
# Extend with the module parameters (even if they are empty) and the
# module. Changing the parameters or the module content will result in a
# different PCR measurement.
if [ -n "$*" ]; then
TRACE_FUNC
DEBUG "Extending with module parameters and the module's content"
INFO "Extending with module parameters and the module's content"
tpmr extend -ix "$MODULE_PCR" -ic "$*"
tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \
|| die "$MODULE: tpm extend failed"
else
TRACE_FUNC
DEBUG "No module parameters, extending only with the module's content"
INFO "No module parameters, extending only with the module's content"
tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \
|| die "$MODULE: tpm extend failed"
fi

6
modules/hotp-verification
View File

@ -2,12 +2,12 @@ modules-$(CONFIG_HOTPKEY) += hotp-verification
hotp-verification_depends := libusb $(musl_dep)
# v1.6
hotp-verification_version := e9050e0c914e7a8ffef5d1c82a014e0e2bf79346
# v1.7 + non-released stuff under 1.7 version bump (Nitrokey will do PR to change this in the future and also fixes to Heads related to regression fixes under Heads)
hotp-verification_version := f4583b701a354dfa50c690075a568bc5cdf160e1
hotp-verification_dir := hotp-verification-$(hotp-verification_version)
hotp-verification_tar := nitrokey-hotp-verification-$(hotp-verification_version).tar.gz
hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(hotp-verification_version).tar.gz
hotp-verification_hash := 480c978d3585eee73b9aa5186b471d4caeeeeba411217e1544eef7cfd90312ac
hotp-verification_hash := 42efeba9a61e4a00df55bf5337c157948bc76c895410fc76d02b87d6cd3b38eb
hotp-verification_target := \
$(MAKE_JOBS) \

1
modules/linux
View File

@ -40,7 +40,6 @@ endif
linux_base_dir := linux-$(linux_version)
# TODO: fixup the patch process
# input file in the heads config/ dir
# Allow board config to specialize Linux configuration if necessary
linux_kconfig := $(or $(CONFIG_LINUX_CONFIG),config/linux.config)

2
targets/qemu.mk
View File

@ -45,7 +45,7 @@ $(MEMORY_SIZE_FILE):
@echo "$(QEMU_MEMORY_SIZE)" >"$(MEMORY_SIZE_FILE)"
USB_FD_IMG=$(build)/$(BOARD)/usb_fd.raw
$(USB_FD_IMG):
dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=256
dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=256 >/dev/null 2>&1
# Debian obnoxiously does not include /usr/sbin in PATH for non-root, even
# though it is meaningful to use mkfs.vfat (etc.) as non-root
MKFS_VFAT=mkfs.vfat; \