From 4354cd4c229aa7b15d1c56f91aacee5679e13692 Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Sun, 15 Dec 2024 20:41:08 -0500
Subject: [PATCH] config-gui.sh: Add quiet mode toggle, which turns off debug+tracing if enabled, and where enabling debug+tracing disables Quiet mode
Signed-off-by: Thierry Laurion
---
 initrd/bin/config-gui.sh | 952 ++++++++++++++++++++-------------------
 1 file changed, 490 insertions(+), 462 deletions(-)
diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh
index b09860ea..f3299d1a 100755
--- a/initrd/bin/config-gui.sh
+++ b/initrd/bin/config-gui.sh
@@ -13,329 +13,334 @@ param=$1 # Read the current ROM; if it fails display an error and exit. read_rom() { - /bin/flash.sh -r "$1" - if [ ! -s "$1" ]; then - whiptail_error --title 'ERROR: BIOS Read Failed!' \ - --msgbox "Unable to read BIOS" 0 80 - exit 1 - fi + /bin/flash.sh -r "$1" + if [ ! -s "$1" ]; then + whiptail_error --title 'ERROR: BIOS Read Failed!' \ + --msgbox "Unable to read BIOS" 0 80 + exit 1 + fi } while true; do - if [ ! -z "$param" ]; then - # use first char from parameter - menu_choice=${param::1} - unset param - else - # Re-source config because we change it when an option is toggled - . /tmp/config + if [ ! -z "$param" ]; then + # use first char from parameter + menu_choice=${param::1} + unset param + else + # Re-source config because we change it when an option is toggled + . /tmp/config - dynamic_config_options=( - 'b' ' Change the /boot device' - ) + dynamic_config_options=( + 'b' ' Change the /boot device' + ) - # Options that don't apply to basic mode - [ "$CONFIG_BASIC" != "y" ] && dynamic_config_options+=( - 'r' ' Clear GPG key(s) and reset all user settings' - 'R' ' Change the root device for hashing' - 'D' ' Change the root directories to hash' - 'B' " $(get_config_display_action "$CONFIG_ROOT_CHECK_AT_BOOT") root check at boot" - 'L' " $(get_config_display_action "$CONFIG_RESTRICTED_BOOT") Restricted Boot" - ) + # Options that don't apply to basic mode + [ "$CONFIG_BASIC" != "y" ] && dynamic_config_options+=( + 'r' ' Clear GPG key(s) and reset all user settings' + 'R' ' Change the root device for hashing' + 'D' ' Change the root directories to hash' + 'B' " $(get_config_display_action "$CONFIG_ROOT_CHECK_AT_BOOT") root check at boot" + 'L' " $(get_config_display_action "$CONFIG_RESTRICTED_BOOT") Restricted Boot" + ) - # Basic itself is always available (though RB will refuse to enable it) - dynamic_config_options+=( - 'P' " $(get_config_display_action "$CONFIG_BASIC") $CONFIG_BRAND_NAME Basic Mode" - ) + # Basic itself is always 
available (though RB will refuse to enable it) + dynamic_config_options+=( + 'P' " $(get_config_display_action "$CONFIG_BASIC") $CONFIG_BRAND_NAME Basic Mode" + ) - # Blob jail is only offered if this is a configuration with the blobs in - # firmware - [ "$CONFIG_SUPPORT_BLOB_JAIL" = "y" ] && dynamic_config_options+=( - 'J' " $(get_config_display_action "$CONFIG_USE_BLOB_JAIL") Firmware Blob Jail" - ) + # Blob jail is only offered if this is a configuration with the blobs in + # firmware + [ "$CONFIG_SUPPORT_BLOB_JAIL" = "y" ] && dynamic_config_options+=( + 'J' " $(get_config_display_action "$CONFIG_USE_BLOB_JAIL") Firmware Blob Jail" + ) - # Automatic boot - dynamic_config_options+=( - 'M' " Configure automatic boot" - ) + # Automatic boot + dynamic_config_options+=( + 'M' " Configure automatic boot" + ) - # Basic-only options for automatic boot - [ "$CONFIG_BASIC" = "y" ] && dynamic_config_options+=( - 'A' " $(get_inverted_config_display_action "$CONFIG_BASIC_NO_AUTOMATIC_DEFAULT") automatic default boot option" - 'U' " $(get_config_display_action "$CONFIG_BASIC_USB_AUTOBOOT") USB automatic boot" - ) + # Basic-only options for automatic boot + [ "$CONFIG_BASIC" = "y" ] && dynamic_config_options+=( + 'A' " $(get_inverted_config_display_action "$CONFIG_BASIC_NO_AUTOMATIC_DEFAULT") automatic default boot option" + 'U' " $(get_config_display_action "$CONFIG_BASIC_USB_AUTOBOOT") USB automatic boot" + ) - # Automatic power on - requires board support - [ "$CONFIG_SUPPORT_AUTOMATIC_POWERON" = "y" ] && dynamic_config_options+=( - 'N' " $(get_config_display_action "$CONFIG_AUTOMATIC_POWERON") automatic power-on" - ) + # Automatic power on - requires board support + [ "$CONFIG_SUPPORT_AUTOMATIC_POWERON" = "y" ] && dynamic_config_options+=( + 'N' " $(get_config_display_action "$CONFIG_AUTOMATIC_POWERON") automatic power-on" + ) - # Boards with built-in keyboards can support optional USB keyboards as well. 
- # Boards that do not have a built-in keyboard/internal keyboard is USB connected export - # CONFIG_USB_KEYBOARD_REQUIRED=y; this hides the config option and ensures - # USB keyboard support always loads. - [ "$CONFIG_USB_KEYBOARD_REQUIRED" != y ] && dynamic_config_options+=( - 'K' " $(get_config_display_action "$CONFIG_USER_USB_KEYBOARD") USB keyboard" - ) + # Boards with built-in keyboards can support optional USB keyboards as well. + # Boards that do not have a built-in keyboard/internal keyboard is USB connected export + # CONFIG_USB_KEYBOARD_REQUIRED=y; this hides the config option and ensures + # USB keyboard support always loads. + [ "$CONFIG_USB_KEYBOARD_REQUIRED" != y ] && dynamic_config_options+=( + 'K' " $(get_config_display_action "$CONFIG_USER_USB_KEYBOARD") USB keyboard" + ) - # Debugging option always available - dynamic_config_options+=( - 'Z' " $(get_config_display_action "$CONFIG_DEBUG_OUTPUT") $CONFIG_BRAND_NAME debug and function tracing output" - ) + # Debugging option always available + dynamic_config_options+=( + 'Z' " $(get_config_display_action "$CONFIG_DEBUG_OUTPUT") $CONFIG_BRAND_NAME debug and function tracing output" + ) - [ "$CONFIG_FINALIZE_PLATFORM_LOCKING" = "y" ] && dynamic_config_options+=( - 't' ' Deactivate Platform Locking to permit OS write access to firmware' - ) + # Quiet option always available + dynamic_config_options+=( + 'Q' " $(get_config_display_action "$CONFIG_QUIET_MODE") $CONFIG_BRAND_NAME quiet mode" + ) - dynamic_config_options+=( - 's' ' Save the current configuration to the running BIOS' \ - 'x' ' Return to Main Menu' - ) + [ "$CONFIG_FINALIZE_PLATFORM_LOCKING" = "y" ] && dynamic_config_options+=( + 't' ' Deactivate Platform Locking to permit OS write access to firmware' + ) - unset menu_choice - whiptail_type $BG_COLOR_MAIN_MENU --title "Config Management Menu" \ - --menu "This menu lets you change settings for the current BIOS session.\n\nAll changes will revert after a reboot,\n\nunless you also save them to 
the running BIOS." 0 80 10 \ - "${dynamic_config_options[@]}" \ - 2>/tmp/whiptail || recovery "GUI menu failed" + dynamic_config_options+=( + 's' ' Save the current configuration to the running BIOS' + 'x' ' Return to Main Menu' + ) - menu_choice=$(cat /tmp/whiptail) - fi + unset menu_choice + whiptail_type $BG_COLOR_MAIN_MENU --title "Config Management Menu" \ + --menu "This menu lets you change settings for the current BIOS session.\n\nAll changes will revert after a reboot,\n\nunless you also save them to the running BIOS." 0 80 10 \ + "${dynamic_config_options[@]}" \ + 2>/tmp/whiptail || recovery "GUI menu failed" - case "$menu_choice" in - "t" ) - unset CONFIG_FINALIZE_PLATFORM_LOCKING - replace_config /etc/config.user "CONFIG_FINALIZE_PLATFORM_LOCKING" "n" - combine_configs - . /tmp/config - ;; - "x" ) - exit 0 - ;; - "b" ) - CURRENT_OPTION="$(load_config_value CONFIG_BOOT_DEV)" - if ! fdisk -l | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" > /tmp/disklist.txt ; then - whiptail_error --title 'ERROR: No bootable devices found' \ - --msgbox " $ERROR\n\n" 0 80 - exit 1 - fi - # filter out extraneous options - > /tmp/boot_device_list.txt - for i in `cat /tmp/disklist.txt`; do - # remove block device from list if numeric partitions exist, since not bootable - DEV_NUM_PARTITIONS=$((`ls -1 $i* | wc -l`-1)) - if [ ${DEV_NUM_PARTITIONS} -eq 0 ]; then - echo $i >> /tmp/boot_device_list.txt - else - ls $i* | tail -${DEV_NUM_PARTITIONS} >> /tmp/boot_device_list.txt - fi - done - file_selector "/tmp/boot_device_list.txt" \ - "Choose the default /boot device.\n\n${CURRENT_OPTION:+\n\nCurrently set to }$CURRENT_OPTION." \ - "Boot Device Selection" - if [ "$FILE" == "" ]; then - return - else - SELECTED_FILE=$FILE - fi + menu_choice=$(cat /tmp/whiptail) + fi - # unmount /boot if needed - if grep -q /boot /proc/mounts ; then - umount /boot 2>/dev/null - fi - # mount newly selected /boot device - if ! 
mount -o ro $SELECTED_FILE /boot 2>/tmp/error ; then - ERROR=`cat /tmp/error` - whiptail_error --title 'ERROR: unable to mount /boot' \ - --msgbox " $ERROR\n\n" 0 80 - exit 1 - fi + case "$menu_choice" in + "t") + unset CONFIG_FINALIZE_PLATFORM_LOCKING + replace_config /etc/config.user "CONFIG_FINALIZE_PLATFORM_LOCKING" "n" + combine_configs + . /tmp/config + ;; + "x") + exit 0 + ;; + "b") + CURRENT_OPTION="$(load_config_value CONFIG_BOOT_DEV)" + if ! fdisk -l | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" >/tmp/disklist.txt; then + whiptail_error --title 'ERROR: No bootable devices found' \ + --msgbox " $ERROR\n\n" 0 80 + exit 1 + fi + # filter out extraneous options + >/tmp/boot_device_list.txt + for i in $(cat /tmp/disklist.txt); do + # remove block device from list if numeric partitions exist, since not bootable + DEV_NUM_PARTITIONS=$(($(ls -1 $i* | wc -l) - 1)) + if [ ${DEV_NUM_PARTITIONS} -eq 0 ]; then + echo $i >>/tmp/boot_device_list.txt + else + ls $i* | tail -${DEV_NUM_PARTITIONS} >>/tmp/boot_device_list.txt + fi + done + file_selector "/tmp/boot_device_list.txt" \ + "Choose the default /boot device.\n\n${CURRENT_OPTION:+\n\nCurrently set to }$CURRENT_OPTION." \ + "Boot Device Selection" + if [ "$FILE" == "" ]; then + return + else + SELECTED_FILE=$FILE + fi - set_config /etc/config.user "CONFIG_BOOT_DEV" "$SELECTED_FILE" - combine_configs + # unmount /boot if needed + if grep -q /boot /proc/mounts; then + umount /boot 2>/dev/null + fi + # mount newly selected /boot device + if ! 
mount -o ro $SELECTED_FILE /boot 2>/tmp/error; then + ERROR=$(cat /tmp/error) + whiptail_error --title 'ERROR: unable to mount /boot' \ + --msgbox " $ERROR\n\n" 0 80 + exit 1 + fi - whiptail --title 'Config change successful' \ - --msgbox "The /boot device was successfully changed to $SELECTED_FILE" 0 80 - ;; - "s" ) - read_rom /tmp/config-gui.rom + set_config /etc/config.user "CONFIG_BOOT_DEV" "$SELECTED_FILE" + combine_configs - replace_rom_file /tmp/config-gui.rom "heads/initrd/etc/config.user" /etc/config.user + whiptail --title 'Config change successful' \ + --msgbox "The /boot device was successfully changed to $SELECTED_FILE" 0 80 + ;; + "s") + read_rom /tmp/config-gui.rom - if (whiptail --title 'Update ROM?' \ - --yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 0 80) then - /bin/flash.sh /tmp/config-gui.rom - whiptail --title 'BIOS Updated Successfully' \ - --msgbox "BIOS updated successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 0 80 - /bin/reboot - else - exit 0 - fi - ;; - "r" ) - # prompt for confirmation - if (whiptail_warning --title 'Reset Configuration?' \ - --yesno "This will clear all GPG keys, clear boot signatures and checksums, + replace_rom_file /tmp/config-gui.rom "heads/initrd/etc/config.user" /etc/config.user + + if (whiptail --title 'Update ROM?' \ + --yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 0 80); then + /bin/flash.sh /tmp/config-gui.rom + whiptail --title 'BIOS Updated Successfully' \ + --msgbox "BIOS updated successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 0 80 + /bin/reboot + else + exit 0 + fi + ;; + "r") + # prompt for confirmation + if (whiptail_warning --title 'Reset Configuration?' 
\ + --yesno "This will clear all GPG keys, clear boot signatures and checksums, \nreset the /boot device, clear/reset the TPM (if present), \nand reflash your BIOS with the cleaned configuration. - \n\nDo you want to proceed?" 0 80) then - read_rom /tmp/config-gui.rom - # clear local keyring - rm -rf /.gnupg/* || true + \n\nDo you want to proceed?" 0 80); then + read_rom /tmp/config-gui.rom + # clear local keyring + rm -rf /.gnupg/* || true - # clear /boot signatures/checksums - detect_boot_device - mount -o remount,rw /boot - rm -f /boot/kexec* || true - mount -o remount,ro /boot - - # clear GPG keys and user settings - for i in `cbfs.sh -o /tmp/config-gui.rom -l | grep -e "heads/"`; do - cbfs.sh -o /tmp/config-gui.rom -d $i - done - # flash cleared ROM - /bin/flash.sh -c /tmp/config-gui.rom - - # reset TPM if present - if [ "$CONFIG_TPM" = "y" ]; then - /bin/tpm-reset - fi - whiptail --title 'Configuration Reset Updated Successfully' \ - --msgbox "Configuration reset and BIOS updated successfully.\n\nPress Enter to reboot" 0 80 - /bin/reboot - else - exit 0 - fi - ;; - "R" ) - CURRENT_OPTION="$(load_config_value CONFIG_ROOT_DEV)" - fdisk -l | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" > /tmp/disklist.txt - # filter out extraneous options - > /tmp/root_device_list.txt - for i in `cat /tmp/disklist.txt`; do - # remove block device from list if numeric partitions exist, since not bootable - DEV_NUM_PARTITIONS=$((`ls -1 $i* | wc -l`-1)) - if [ ${DEV_NUM_PARTITIONS} -eq 0 ]; then - echo $i >> /tmp/root_device_list.txt - else - ls $i* | tail -${DEV_NUM_PARTITIONS} >> /tmp/root_device_list.txt - fi - done - file_selector "/tmp/root_device_list.txt" \ - "Choose the default root device.${CURRENT_OPTION:+\n\nCurrently set to }$CURRENT_OPTION." 
\ - "Root Device Selection" - if [ "$FILE" == "" ]; then - break - else - SELECTED_FILE=$FILE - fi + # clear /boot signatures/checksums + detect_boot_device + mount -o remount,rw /boot + rm -f /boot/kexec* || true + mount -o remount,ro /boot - set_config /etc/config.user "CONFIG_ROOT_DEV" "$SELECTED_FILE" - combine_configs + # clear GPG keys and user settings + for i in $(cbfs.sh -o /tmp/config-gui.rom -l | grep -e "heads/"); do + cbfs.sh -o /tmp/config-gui.rom -d $i + done + # flash cleared ROM + /bin/flash.sh -c /tmp/config-gui.rom - whiptail --title 'Config change successful' \ - --msgbox "The root device was successfully changed to $SELECTED_FILE" 0 80 - ;; - "D" ) - CURRENT_OPTION="$(load_config_value CONFIG_ROOT_DIRLIST)" + # reset TPM if present + if [ "$CONFIG_TPM" = "y" ]; then + /bin/tpm-reset + fi + whiptail --title 'Configuration Reset Updated Successfully' \ + --msgbox "Configuration reset and BIOS updated successfully.\n\nPress Enter to reboot" 0 80 + /bin/reboot + else + exit 0 + fi + ;; + "R") + CURRENT_OPTION="$(load_config_value CONFIG_ROOT_DEV)" + fdisk -l | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" >/tmp/disklist.txt + # filter out extraneous options + >/tmp/root_device_list.txt + for i in $(cat /tmp/disklist.txt); do + # remove block device from list if numeric partitions exist, since not bootable + DEV_NUM_PARTITIONS=$(($(ls -1 $i* | wc -l) - 1)) + if [ ${DEV_NUM_PARTITIONS} -eq 0 ]; then + echo $i >>/tmp/root_device_list.txt + else + ls $i* | tail -${DEV_NUM_PARTITIONS} >>/tmp/root_device_list.txt + fi + done + file_selector "/tmp/root_device_list.txt" \ + "Choose the default root device.${CURRENT_OPTION:+\n\nCurrently set to }$CURRENT_OPTION." 
\ + "Root Device Selection" + if [ "$FILE" == "" ]; then + break + else + SELECTED_FILE=$FILE + fi - # Separate from prior prompt history on the terminal with two blanks - echo -e "\n" + set_config /etc/config.user "CONFIG_ROOT_DEV" "$SELECTED_FILE" + combine_configs - if [ -n "$CURRENT_OPTION" ]; then - echo -e "The current list of directories to hash is $CURRENT_OPTION" - fi - echo -e "Enter the new list of directories separated by spaces:" - echo -e "(Press enter with the list empty to cancel)" - read -r NEW_CONFIG_ROOT_DIRLIST + whiptail --title 'Config change successful' \ + --msgbox "The root device was successfully changed to $SELECTED_FILE" 0 80 + ;; + "D") + CURRENT_OPTION="$(load_config_value CONFIG_ROOT_DIRLIST)" - # strip any leading forward slashes - NEW_CONFIG_ROOT_DIRLIST=$(echo $NEW_CONFIG_ROOT_DIRLIST | sed -e 's/^\///;s/ \// /g') + # Separate from prior prompt history on the terminal with two blanks + echo -e "\n" - #check if list empty - if [ -z "$NEW_CONFIG_ROOT_DIRLIST" ] ; then - whiptail --title 'Config change canceled' \ - --msgbox "Root device directory change canceled by user" 0 80 - break - fi + if [ -n "$CURRENT_OPTION" ]; then + echo -e "The current list of directories to hash is $CURRENT_OPTION" + fi + echo -e "Enter the new list of directories separated by spaces:" + echo -e "(Press enter with the list empty to cancel)" + read -r NEW_CONFIG_ROOT_DIRLIST - set_config /etc/config.user "CONFIG_ROOT_DIRLIST" "$NEW_CONFIG_ROOT_DIRLIST" - combine_configs + # strip any leading forward slashes + NEW_CONFIG_ROOT_DIRLIST=$(echo $NEW_CONFIG_ROOT_DIRLIST | sed -e 's/^\///;s/ \// /g') - whiptail --title 'Config change successful' \ - --msgbox "The root directories to hash was successfully changed to:\n$NEW_CONFIG_ROOT_DIRLIST" 0 80 - ;; - "B" ) - if [ "$CONFIG_ROOT_CHECK_AT_BOOT" != "y" ]; then - # Root device and directories must be set to enable this - if [ -z "$CONFIG_ROOT_DEV" ] || [ -z "$CONFIG_ROOT_DIRLIST" ]; then - whiptail_error --title 
'Root Check Not Configured' \ - --msgbox "Set the root device and directories to hash before enabling this feature." 0 80 - elif (whiptail --title 'Enable Root Hash Check at Boot?' \ - --yesno "This will enable checking root hashes each time you boot. + #check if list empty + if [ -z "$NEW_CONFIG_ROOT_DIRLIST" ]; then + whiptail --title 'Config change canceled' \ + --msgbox "Root device directory change canceled by user" 0 80 + break + fi + + set_config /etc/config.user "CONFIG_ROOT_DIRLIST" "$NEW_CONFIG_ROOT_DIRLIST" + combine_configs + + whiptail --title 'Config change successful' \ + --msgbox "The root directories to hash was successfully changed to:\n$NEW_CONFIG_ROOT_DIRLIST" 0 80 + ;; + "B") + if [ "$CONFIG_ROOT_CHECK_AT_BOOT" != "y" ]; then + # Root device and directories must be set to enable this + if [ -z "$CONFIG_ROOT_DEV" ] || [ -z "$CONFIG_ROOT_DIRLIST" ]; then + whiptail_error --title 'Root Check Not Configured' \ + --msgbox "Set the root device and directories to hash before enabling this feature." 0 80 + elif (whiptail --title 'Enable Root Hash Check at Boot?' \ + --yesno "This will enable checking root hashes each time you boot. \nDepending on the directories you are checking, this might add \na minute or more to the boot time. - \n\nDo you want to proceed?" 0 80) then + \n\nDo you want to proceed?" 0 80); then - set_user_config "CONFIG_ROOT_CHECK_AT_BOOT" "y" + set_user_config "CONFIG_ROOT_CHECK_AT_BOOT" "y" - # check that root hash file exists - if [ ! -f ${ROOT_HASH_FILE} ]; then - if (whiptail --title 'Generate Root Hash File' \ - --yesno "\nNo root hash file exists. - \nWould you like to create the initial hash file now?" 0 80) then - root-hashes-gui.sh -n - fi - fi + # check that root hash file exists + if [ ! -f ${ROOT_HASH_FILE} ]; then + if (whiptail --title 'Generate Root Hash File' \ + --yesno "\nNo root hash file exists. + \nWould you like to create the initial hash file now?" 
0 80); then + root-hashes-gui.sh -n + fi + fi - whiptail --title 'Config change successful' \ - --msgbox "The root device will be checked at each boot." 0 80 + whiptail --title 'Config change successful' \ + --msgbox "The root device will be checked at each boot." 0 80 - fi - else - if (whiptail --title 'Disable Root Hash Check at Boot?' \ - --yesno "This will disable checking root hashes each time you boot. - \n\nDo you want to proceed?" 0 80) then + fi + else + if (whiptail --title 'Disable Root Hash Check at Boot?' \ + --yesno "This will disable checking root hashes each time you boot. + \n\nDo you want to proceed?" 0 80); then - set_user_config "CONFIG_ROOT_CHECK_AT_BOOT" "n" + set_user_config "CONFIG_ROOT_CHECK_AT_BOOT" "n" - whiptail --title 'Config change successful' \ - --msgbox "The root device will not be checked at each boot." 0 80 - fi - fi - ;; - "P" ) - if [ "$CONFIG_RESTRICTED_BOOT" = "y" ]; then - whiptail_error --title 'Restricted Boot Active' \ - --msgbox "Disable Restricted Boot to enable Basic Mode." 0 80 - elif [ "$CONFIG_BASIC" != "y" ]; then - if (whiptail --title "Enable $CONFIG_BRAND_NAME Basic Mode?" \ - --yesno "This will remove all signature checking on the firmware + whiptail --title 'Config change successful' \ + --msgbox "The root device will not be checked at each boot." 0 80 + fi + fi + ;; + "P") + if [ "$CONFIG_RESTRICTED_BOOT" = "y" ]; then + whiptail_error --title 'Restricted Boot Active' \ + --msgbox "Disable Restricted Boot to enable Basic Mode." 0 80 + elif [ "$CONFIG_BASIC" != "y" ]; then + if (whiptail --title "Enable $CONFIG_BRAND_NAME Basic Mode?" \ + --yesno "This will remove all signature checking on the firmware \nand boot files, and disable use of the Librem Key. - \n\nDo you want to proceed?" 0 80) then + \n\nDo you want to proceed?" 
0 80); then - set_user_config "CONFIG_BASIC" "y" + set_user_config "CONFIG_BASIC" "y" - whiptail --title 'Config change successful' \ - --msgbox "$CONFIG_BRAND_NAME Basic mode enabled;\nsave the config change and reboot for it to go into effect." 0 80 + whiptail --title 'Config change successful' \ + --msgbox "$CONFIG_BRAND_NAME Basic mode enabled;\nsave the config change and reboot for it to go into effect." 0 80 - fi - else - if (whiptail --title "Disable $CONFIG_BRAND_NAME Basic Mode?" \ - --yesno "This will enable all signature checking on the firmware + fi + else + if (whiptail --title "Disable $CONFIG_BRAND_NAME Basic Mode?" \ + --yesno "This will enable all signature checking on the firmware \nand boot files, and enable use of the Librem Key. - \n\nDo you want to proceed?" 0 80) then + \n\nDo you want to proceed?" 0 80); then - set_user_config "CONFIG_BASIC" "n" + set_user_config "CONFIG_BASIC" "n" - whiptail --title 'Config change successful' \ - --msgbox "$CONFIG_BRAND_NAME Basic mode has been disabled;\nsave the config change and reboot for it to go into effect." 0 80 - fi - fi - ;; - "L" ) - if [ "$CONFIG_RESTRICTED_BOOT" != "y" ]; then - if (whiptail --title 'Enable Restricted Boot Mode?' \ - --yesno "Restricted Boot allows booting: + whiptail --title 'Config change successful' \ + --msgbox "$CONFIG_BRAND_NAME Basic mode has been disabled;\nsave the config change and reboot for it to go into effect." 0 80 + fi + fi + ;; + "L") + if [ "$CONFIG_RESTRICTED_BOOT" != "y" ]; then + if (whiptail --title 'Enable Restricted Boot Mode?' \ + --yesno "Restricted Boot allows booting: \n* Signed installed OS \n* Signed ISOs from USB \nAll other boot methods are blocked. Recovery console and firmware updates 
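Review bot: In the reindented `"b"` arm, cancelling the device selector with `if [ "$FILE" == "" ]; then return` uses `return` at the top level of the `while true` loop; if config-gui.sh is executed rather than sourced, bash rejects that with "can only `return' from a function or sourced script" and, depending on shell options, the script either aborts or falls through to the unmount/mount code with `SELECTED_FILE` unset or stale and ends in the 'unable to mount /boot' error path. The parallel `"R"` and `"D"` arms use `break` for the same cancel case, which leaves the menu loop entirely instead of redisplaying the menu, so the three cancel paths behave differently. If the intent is to return to the Config Management Menu, `continue` does that consistently: `if [ "$FILE" == "" ]; then continue; fi` in `"b"`, and `continue` in place of `break` in `"R"` and after the canceled msgbox in `"D"`. The `while true; do` loop opens in this hunk but its remaining case arms and closing `done` lie outside it.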
@@ -343,235 +348,258 @@ while true; do \nRestricted boot can be disabled at any time. This resets TOTP/HOTP so it \nis evident that Restricted Boot was disabled. \n - \nDo you want to proceed?" 0 80) then + \nDo you want to proceed?" 0 80); then - set_user_config "CONFIG_RESTRICTED_BOOT" "y" + set_user_config "CONFIG_RESTRICTED_BOOT" "y" - whiptail --title 'Config change successful' \ - --msgbox "Restricted Boot mode enabled;\nsave the config change and reboot for it to go into effect." 0 80 + whiptail --title 'Config change successful' \ + --msgbox "Restricted Boot mode enabled;\nsave the config change and reboot for it to go into effect." 0 80 - fi - else - if (whiptail --title 'Disable Restricted Boot Mode?' \ - --yesno "This will re-enable all boot methods, the recovery console, and firmware + fi + else + if (whiptail --title 'Disable Restricted Boot Mode?' \ + --yesno "This will re-enable all boot methods, the recovery console, and firmware \nupdates. \nThis will also erase the TOTP/HOTP secret. \nProceeding will automatically update the boot firmware and reboot! - \n\nDo you want to proceed?" 0 80) then + \n\nDo you want to proceed?" 0 80); then - # Wipe the TPM TOTP/HOTP secret before flashing. Otherwise, enabling - # Restricted Boot again might restore the firmware to an identical - # state, and there would be no evidence that it had been temporarily - # disabled. - if ! wipe-totp >/dev/null 2>/tmp/error; then - ERROR=$(tail -n 1 /tmp/error | fold -s) - whiptail_error --title 'ERROR: erasing TOTP secret' \ - --msgbox "Erasing TOTP Secret Failed\n\n${ERROR}" 0 80 - exit 1 - fi + # Wipe the TPM TOTP/HOTP secret before flashing. Otherwise, enabling + # Restricted Boot again might restore the firmware to an identical + # state, and there would be no evidence that it had been temporarily + # disabled. + if ! 
wipe-totp >/dev/null 2>/tmp/error; then + ERROR=$(tail -n 1 /tmp/error | fold -s) + whiptail_error --title 'ERROR: erasing TOTP secret' \ + --msgbox "Erasing TOTP Secret Failed\n\n${ERROR}" 0 80 + exit 1 + fi - # We can't allow Restricted Boot to be disabled without flashing the - # firmware - this would allow the use of unrestricted mode without - # leaving evidence in the firmware. Disable it by flashing the new - # config directly. - FLASH_USER_CONFIG=/tmp/config-gui-config-user - cp /etc/config.user "$FLASH_USER_CONFIG" - set_config "$FLASH_USER_CONFIG" "CONFIG_RESTRICTED_BOOT" "n" + # We can't allow Restricted Boot to be disabled without flashing the + # firmware - this would allow the use of unrestricted mode without + # leaving evidence in the firmware. Disable it by flashing the new + # config directly. + FLASH_USER_CONFIG=/tmp/config-gui-config-user + cp /etc/config.user "$FLASH_USER_CONFIG" + set_config "$FLASH_USER_CONFIG" "CONFIG_RESTRICTED_BOOT" "n" - read_rom /tmp/config-gui.rom + read_rom /tmp/config-gui.rom - replace_rom_file /tmp/config-gui.rom "heads/initrd/etc/config.user" "$FLASH_USER_CONFIG" + replace_rom_file /tmp/config-gui.rom "heads/initrd/etc/config.user" "$FLASH_USER_CONFIG" - /bin/flash.sh /tmp/config-gui.rom - whiptail --title 'BIOS Updated Successfully' \ - --msgbox "BIOS updated successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 0 80 - /bin/reboot - fi - fi - ;; - "J" ) - if [ "$CONFIG_USE_BLOB_JAIL" != "y" ]; then - if (whiptail --title 'Enable Firmware Blob Jail?' \ - --yesno "This will enable loading of firmware from flash on each boot - \n\nDo you want to proceed?" 
0 80) then + /bin/flash.sh /tmp/config-gui.rom + whiptail --title 'BIOS Updated Successfully' \ + --msgbox "BIOS updated successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 0 80 + /bin/reboot + fi + fi + ;; + "J") + if [ "$CONFIG_USE_BLOB_JAIL" != "y" ]; then + if (whiptail --title 'Enable Firmware Blob Jail?' \ + --yesno "This will enable loading of firmware from flash on each boot + \n\nDo you want to proceed?" 0 80); then - set_user_config "CONFIG_USE_BLOB_JAIL" "y" + set_user_config "CONFIG_USE_BLOB_JAIL" "y" - whiptail --title 'Config change successful' \ - --msgbox "Firmware Blob Jail use has been enabled;\nsave the config change and reboot for it to go into effect." 0 80 + whiptail --title 'Config change successful' \ + --msgbox "Firmware Blob Jail use has been enabled;\nsave the config change and reboot for it to go into effect." 0 80 - fi - else - if (whiptail --title 'Disable Firmware Blob Jail?' \ - --yesno "This will disable loading of firmware from flash on each boot. - \n\nDo you want to proceed?" 0 80) then + fi + else + if (whiptail --title 'Disable Firmware Blob Jail?' \ + --yesno "This will disable loading of firmware from flash on each boot. + \n\nDo you want to proceed?" 0 80); then - set_user_config "CONFIG_USE_BLOB_JAIL" "n" + set_user_config "CONFIG_USE_BLOB_JAIL" "n" - whiptail --title 'Config change successful' \ - --msgbox "Firmware Blob Jail use has been disabled;\nsave the config change and reboot for it to go into effect." 0 80 - fi - fi - ;; - "M" ) - if [ -z "$CONFIG_AUTO_BOOT_TIMEOUT" ]; then - current_msg="Automatic boot is currently disabled." - elif [ "$CONFIG_AUTO_BOOT_TIMEOUT" = 1 ]; then - current_msg="Currently boots automatically after 1 second." - else - current_msg="Currently boots automatically after $CONFIG_AUTO_BOOT_TIMEOUT seconds." - fi - whiptail --title "Automatic Boot" \ - --menu "$CONFIG_BRAND_NAME can boot automatically. 
Select the amount of time to wait\nbefore booting.\n\n$current_msg" 0 80 10 \ - "0" "Don't boot automatically" \ - "1" "1 second" \ - "5" "5 seconds" \ - "10" "10 seconds" \ - "C" "Cancel" \ - 2>/tmp/whiptail - new_setting="$(cat /tmp/whiptail)" - if ! [ "$new_setting" = "C" ]; then - if [ "$new_setting" = "0" ]; then - new_setting= # Empty disables automatic boot - current_msg="$CONFIG_BRAND_NAME will not boot automatically." - elif [ "$new_setting" = "1" ]; then - current_msg="$CONFIG_BRAND_NAME will boot automatically after 1 second." - else - current_msg="$CONFIG_BRAND_NAME will boot automatically after $new_setting seconds." - fi - set_user_config "CONFIG_AUTO_BOOT_TIMEOUT" "$new_setting" - whiptail --title 'Config change successful' \ - --msgbox "$current_msg\nSave the config change and reboot for it to go into effect." 0 80 - fi - ;; - "A" ) - if [ "$CONFIG_BASIC_NO_AUTOMATIC_DEFAULT" != "y" ]; then - if (whiptail --title 'Disable automatic default boot?' \ - --yesno "You will need to select a default boot option. + whiptail --title 'Config change successful' \ + --msgbox "Firmware Blob Jail use has been disabled;\nsave the config change and reboot for it to go into effect." 0 80 + fi + fi + ;; + "M") + if [ -z "$CONFIG_AUTO_BOOT_TIMEOUT" ]; then + current_msg="Automatic boot is currently disabled." + elif [ "$CONFIG_AUTO_BOOT_TIMEOUT" = 1 ]; then + current_msg="Currently boots automatically after 1 second." + else + current_msg="Currently boots automatically after $CONFIG_AUTO_BOOT_TIMEOUT seconds." + fi + whiptail --title "Automatic Boot" \ + --menu "$CONFIG_BRAND_NAME can boot automatically. Select the amount of time to wait\nbefore booting.\n\n$current_msg" 0 80 10 \ + "0" "Don't boot automatically" \ + "1" "1 second" \ + "5" "5 seconds" \ + "10" "10 seconds" \ + "C" "Cancel" \ + 2>/tmp/whiptail + new_setting="$(cat /tmp/whiptail)" + if ! 
[ "$new_setting" = "C" ]; then + if [ "$new_setting" = "0" ]; then + new_setting= # Empty disables automatic boot + current_msg="$CONFIG_BRAND_NAME will not boot automatically." + elif [ "$new_setting" = "1" ]; then + current_msg="$CONFIG_BRAND_NAME will boot automatically after 1 second." + else + current_msg="$CONFIG_BRAND_NAME will boot automatically after $new_setting seconds." + fi + set_user_config "CONFIG_AUTO_BOOT_TIMEOUT" "$new_setting" + whiptail --title 'Config change successful' \ + --msgbox "$current_msg\nSave the config change and reboot for it to go into effect." 0 80 + fi + ;; + "A") + if [ "$CONFIG_BASIC_NO_AUTOMATIC_DEFAULT" != "y" ]; then + if (whiptail --title 'Disable automatic default boot?' \ + --yesno "You will need to select a default boot option. \nIf the boot options are changed, such as for an OS update, \nyou will be prompted to select a new default. - \n\nDo you want to proceed?" 0 80) then + \n\nDo you want to proceed?" 0 80); then - set_user_config "CONFIG_BASIC_NO_AUTOMATIC_DEFAULT" "y" + set_user_config "CONFIG_BASIC_NO_AUTOMATIC_DEFAULT" "y" - whiptail --title 'Config change successful' \ - --msgbox "Automatic default boot disabled;\nsave the config change and reboot for it to go into effect." 0 80 - fi - else - if (whiptail --title 'Enable automatic default boot?' \ - --yesno "The first boot option will be used automatically. - \n\nDo you want to proceed?" 0 80) then + whiptail --title 'Config change successful' \ + --msgbox "Automatic default boot disabled;\nsave the config change and reboot for it to go into effect." 0 80 + fi + else + if (whiptail --title 'Enable automatic default boot?' \ + --yesno "The first boot option will be used automatically. + \n\nDo you want to proceed?" 
0 80); then - set_user_config "CONFIG_BASIC_NO_AUTOMATIC_DEFAULT" "n" + set_user_config "CONFIG_BASIC_NO_AUTOMATIC_DEFAULT" "n" - whiptail --title 'Config change successful' \ - --msgbox "Automatic default boot enabled;\nsave the config change and reboot for it to go into effect." 0 80 - fi - fi - ;; - "U" ) - if [ "$CONFIG_BASIC_USB_AUTOBOOT" != "y" ]; then - if (whiptail --title 'Enable USB automatic boot?' \ - --yesno "During boot, an attached bootable USB disk will be booted + whiptail --title 'Config change successful' \ + --msgbox "Automatic default boot enabled;\nsave the config change and reboot for it to go into effect." 0 80 + fi + fi + ;; + "U") + if [ "$CONFIG_BASIC_USB_AUTOBOOT" != "y" ]; then + if (whiptail --title 'Enable USB automatic boot?' \ + --yesno "During boot, an attached bootable USB disk will be booted \nby default instead of the installed operating system. - \n\nDo you want to proceed?" 0 80) then + \n\nDo you want to proceed?" 0 80); then - set_user_config "CONFIG_BASIC_USB_AUTOBOOT" "y" + set_user_config "CONFIG_BASIC_USB_AUTOBOOT" "y" - whiptail --title 'Config change successful' \ - --msgbox "USB automatic boot enabled;\nsave the config change and reboot for it to go into effect." 0 80 - fi - else - if (whiptail --title 'Disable USB automatic boot?' \ - --yesno "USB disks will no longer be booted by default. - \n\nDo you want to proceed?" 0 80) then + whiptail --title 'Config change successful' \ + --msgbox "USB automatic boot enabled;\nsave the config change and reboot for it to go into effect." 0 80 + fi + else + if (whiptail --title 'Disable USB automatic boot?' \ + --yesno "USB disks will no longer be booted by default. + \n\nDo you want to proceed?" 0 80); then - set_user_config "CONFIG_BASIC_USB_AUTOBOOT" "n" + set_user_config "CONFIG_BASIC_USB_AUTOBOOT" "n" - whiptail --title 'Config change successful' \ - --msgbox "USB automatic boot disabled;\nsave the config change and reboot for it to go into effect." 
0 80
- fi
- fi
- ;;
- "N" )
- if [ "$CONFIG_AUTOMATIC_POWERON" != "y" ]; then
- if (whiptail --title 'Enable automatic power-on?' \
- --yesno "The system will boot automatically when power is applied.
- \n\nDo you want to proceed?" 0 80) then
+ whiptail --title 'Config change successful' \
+ --msgbox "USB automatic boot disabled;\nsave the config change and reboot for it to go into effect." 0 80
+ fi
+ fi
+ ;;
+ "N")
+ if [ "$CONFIG_AUTOMATIC_POWERON" != "y" ]; then
+ if (whiptail --title 'Enable automatic power-on?' \
+ --yesno "The system will boot automatically when power is applied.
+ \n\nDo you want to proceed?" 0 80); then
- set_user_config "CONFIG_AUTOMATIC_POWERON" "y"
+ set_user_config "CONFIG_AUTOMATIC_POWERON" "y"
- whiptail --title 'Config change successful' \
- --msgbox "Automatic power-on enabled;\nsave the config change and reboot for it to go into effect." 0 80
- fi
- else
- if (whiptail --title 'Disable automatic power-on?' \
- --yesno "The system will stay off when power is applied.
- \n\nDo you want to proceed?" 0 80) then
+ whiptail --title 'Config change successful' \
+ --msgbox "Automatic power-on enabled;\nsave the config change and reboot for it to go into effect." 0 80
+ fi
+ else
+ if (whiptail --title 'Disable automatic power-on?' \
+ --yesno "The system will stay off when power is applied.
+ \n\nDo you want to proceed?" 0 80); then
- set_user_config "CONFIG_AUTOMATIC_POWERON" "n"
+ set_user_config "CONFIG_AUTOMATIC_POWERON" "n"
- # Disable the EC BRAM setting too, otherwise it persists until
- # manually disabled. On the off chance the user does not actually
- # flash this change, we'll enable it again during boot.
- set_ec_poweron.sh n
+ # Disable the EC BRAM setting too, otherwise it persists until
+ # manually disabled. On the off chance the user does not actually
+ # flash this change, we'll enable it again during boot. 
+ set_ec_poweron.sh n
- whiptail --title 'Config change successful' \
- --msgbox "Automatic power-on disabled;\nsave the config change and reboot for it to go into effect." 0 80
- fi
- fi
- ;;
- "K" )
- if [ "$CONFIG_USER_USB_KEYBOARD" != "y" ]; then
- if (whiptail --title 'Enable USB Keyboard?' \
- --yesno "USB keyboards will be usable in $CONFIG_BRAND_NAME.
+ whiptail --title 'Config change successful' \
+ --msgbox "Automatic power-on disabled;\nsave the config change and reboot for it to go into effect." 0 80
+ fi
+ fi
+ ;;
+ "K")
+ if [ "$CONFIG_USER_USB_KEYBOARD" != "y" ]; then
+ if (whiptail --title 'Enable USB Keyboard?' \
+ --yesno "USB keyboards will be usable in $CONFIG_BRAND_NAME.
 \n\nEnabling USB keyboards could allow a compromised USB device to control
 \n$CONFIG_BRAND_NAME.
- \n\nDo you want to proceed?" 0 80) then
+ \n\nDo you want to proceed?" 0 80); then
- set_user_config "CONFIG_USER_USB_KEYBOARD" "y"
+ set_user_config "CONFIG_USER_USB_KEYBOARD" "y"
- whiptail --title 'Config change successful' \
- --msgbox "USB Keyboard support has been enabled;\nsave the config change and reboot for it to go into effect." 0 80
+ whiptail --title 'Config change successful' \
+ --msgbox "USB Keyboard support has been enabled;\nsave the config change and reboot for it to go into effect." 0 80
- fi
- else
- if (whiptail --title 'Disable USB Keyboard?' \
- --yesno "Only the built-in keyboard will be usable in $CONFIG_BRAND_NAME.
- \n\nDo you want to proceed?" 0 80) then
+ fi
+ else
+ if (whiptail --title 'Disable USB Keyboard?' \
+ --yesno "Only the built-in keyboard will be usable in $CONFIG_BRAND_NAME.
+ \n\nDo you want to proceed?" 0 80); then
- set_user_config "CONFIG_USER_USB_KEYBOARD" "n"
+ set_user_config "CONFIG_USER_USB_KEYBOARD" "n"
- whiptail --title 'Config change successful' \
- --msgbox "USB Keyboard support has been disabled;\nsave the config change and reboot for it to go into effect." 
0 80
- fi
- fi
- ;;
- "Z" )
- if [ "$CONFIG_DEBUG_OUTPUT" != "y" ]; then
- if (whiptail --title 'Enable Debugging and Tracing output?' \
- --yesno "This will enable DEBUG and TRACE output from scripts.
- \n\nDo you want to proceed?" 0 80) then
+ whiptail --title 'Config change successful' \
+ --msgbox "USB Keyboard support has been disabled;\nsave the config change and reboot for it to go into effect." 0 80
+ fi
+ fi
+ ;;
+ "Z")
+ if [ "$CONFIG_DEBUG_OUTPUT" != "y" ]; then
+ if (whiptail --title 'Enable Debugging and Tracing output?' \
+ --yesno "This will enable DEBUG and TRACE output from scripts.\n\nDo you want to proceed?" 0 80); then
- set_user_config "CONFIG_DEBUG_OUTPUT" "y"
- set_user_config "CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" "y"
+ set_user_config "CONFIG_DEBUG_OUTPUT" "y"
+ set_user_config "CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" "y"
+ #DEBUG+TRACE is incompatible with QUIET mode, turn it off
+ set_user_config "CONFIG_QUIET_MODE" "n"
- whiptail --title 'Config change successful' \
- --msgbox "Debugging and Tracing output enabled;\nsave the config change and reboot for it to go into effect." 0 80
- fi
- else
- if (whiptail --title 'Disable Enable Debugging and Tracing output?' \
- --yesno "This will disable DEBUG and TRACE output from scripts.
- \n\nDo you want to proceed?" 0 80) then
-
- set_user_config "CONFIG_DEBUG_OUTPUT" "n"
- set_user_config "CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" "n"
+ whiptail --title 'Config change successful' \
+ --msgbox "Debugging and Tracing output enabled;\nsave the config change and reboot for it to go into effect." 0 80
+ fi
+ else
+ if (whiptail --title 'Disable Enable Debugging and Tracing output?' \
+ --yesno "This will disable DEBUG and TRACE output from scripts.\n\nDo you want to proceed?" 0 80); then
- whiptail --title 'Config change successful' \
- --msgbox "Debugging and Tracing output disabled;\nsave the config change and reboot for it to go into effect." 
0 80
- fi
- fi
- esac
+ set_user_config "CONFIG_DEBUG_OUTPUT" "n"
+ set_user_config "CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" "n"
+ whiptail --title 'Config change successful' \
+ --msgbox "Debugging and Tracing output disabled;\nsave the config change and reboot for it to go into effect." 0 80
+ fi
+ fi
+ ;;
+ "Q")
+ #Quiet mode: turn off/on console technical output
+ if [ "$CONFIG_QUIET_MODE" != "y" ]; then
+ if (whiptail --title 'Enable Quiet mode?' \
+ --yesno "This will enable QUIET mode, which will turn off console technical output.\n\nDo you want to proceed?" 0 80); then
+
+ set_user_config "CONFIG_QUIET_MODE" "y"
+ #DEBUG+TRACE is incompatible with QUIET mode, turn it off
+ set_user_config "CONFIG_DEBUG_OUTPUT" "n"
+ set_user_config "CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" "n"
+ whiptail --title 'Config change successful' \
+ --msgbox "Quiet mode enabled;\nsave the config change and reboot for it to go into effect." 0 80
+ fi
+ else
+ if (whiptail --title 'Disable Quiet mode?' \
+ --yesno "This will disable QUIET mode, which will turn on console technical output.\n\nDo you want to proceed?" 0 80); then
+
+ set_user_config "CONFIG_QUIET_MODE" "n"
+ whiptail --title 'Config change successful' \
+ --msgbox "Quiet mode disabled;\nsave the config change and reboot for it to go into effect." 0 80
+ fi
+ fi
+ ;;
+ esac
 done
 exit 0