Merge branch 'generic-boot-cleanup' PR #230

config/x230-generic.config

@@ -22,5 +22,7 @@ CONFIG_BOOTSCRIPT=/bin/generic-init
 
 CONFIG_BOOT_REQ_HASH=n
 CONFIG_BOOT_REQ_ROLLBACK=n
+CONFIG_BOOT_KERNEL_ADD="intel_iommu=on"
+CONFIG_BOOT_KERNEL_REMOVE="quiet"
 CONFIG_BOOT_DEV="/dev/sda1"
 CONFIG_USB_BOOT_DEV="/dev/sdb1"

initrd/bin/generic-init

@@ -30,7 +30,7 @@ while true; do
 		recovery "User requested recovery shell"
 	fi
 
-	if [ "$totp_confim" = "n" ]; then
+	if [ "$totp_confirm" = "n" ]; then
 		echo ""
 		echo "To correct clock drift: 'date -s HH:MM:SS'"
 		echo "and save it to the RTC: 'hwclock -w'"
@@ -41,18 +41,21 @@ while true; do
 
 	if [ "$totp_confirm" = "u" ]; then
 		exec /bin/usb-init
+		continue
 	fi
 
 	if [ "$totp_confirm" = "m" ]; then
 		# Try to select a kernel from the menu
 		mount_boot
 		kexec-select-boot -m -b /boot -c "grub.cfg"
+		continue
 	fi
 
-	if [ "$totp_confirm" = "y" -o "$totp_confirm" != " " ]; then
+	if [ "$totp_confirm" = "y" -o -n "$totp_confirm" ]; then
 		# Try to boot the default
 		mount_boot
-		kexec-select-boot -b /boot -c "grub.cfg"
+		kexec-select-boot -b /boot -c "grub.cfg" \
+		|| recovery "Failed default boot"
 	fi
 
 done

initrd/bin/kexec-boot

@@ -1,6 +1,7 @@
 #!/bin/sh
 # Launches kexec from saved configuration entries
 set -e -o pipefail
+. /etc/config
 . /etc/functions
 
 dryrun="n"
@@ -22,15 +23,14 @@ if [ -z "$bootdir" -o -z "$entry" ]; then
 	die "Usage: $0 -b /boot -e 'kexec params|...|...'"
 fi
 
-bootdir=${bootdir%%"/"}
+bootdir="${bootdir%%/}"
 
 kexectype=`echo $entry | cut -d\| -f2`
 kexecparams=`echo $entry | cut -d\| -f3- | tr '|' '\n'`
 kexeccmd="kexec"
 
-# TODO: make this configurable
-cmdadd="intel_iommu=on $cmdadd"
-cmdremove="quiet $cmdremove"
+cmdadd="$CONFIG_BOOT_KERNEL_ADD $cmdadd"
+cmdremove="$CONFIG_BOOT_KERNEL_REMOVE $cmdremove"
 
 fix_file_path() {
 	if [ "$printfiles" = "y" ]; then

initrd/bin/kexec-insert-key

@@ -39,14 +39,32 @@ mkdir -p "$INITRD_DIR/etc"
 
 # Attempt to unseal the disk key from the TPM
 # should we give this some number of tries?
+unseal_failed="n"
 if ! kexec-unseal-key "$INITRD_DIR/secret.key" ; then
-	die 'Unseal disk key failed'
+	unseal_failed="y"
+	echo "!!! Failed to unseal the TPM LUKS disk key"
 fi
 
 # Override PCR 4 so that user can't read the key
 tpm extend -ix 4 -ic generic \
 	|| die 'Unable to scramble PCR'
 
+# Check to continue
+if [ "$unseal_failed" = "y" ]; then
+	confirm_boot="n"
+	read \
+		-n 1 \
+		-p "Do you wish to boot and use the disk recovery key? [Y/n] " \
+		confirm_boot
+
+	if [ "$confirm_boot" != 'y' \
+		-a "$confirm_boot" != 'Y' \
+		-a -n "$confirm_boot" ] \
+	; then
+		die "!!! Aborting boot due to failure to unseal TPM disk key"
+	fi
+fi
+
 echo '+++ Building initrd'
 # pad the initramfs (dracut doesn't pad the last gz blob)
 # without this the kernel init/initramfs.c fails to read
@@ -54,8 +72,10 @@ echo '+++ Building initrd'
 dd if="$INITRD" of="$SECRET_CPIO" bs=512 conv=sync \
 || die "Failed to copy initrd to /tmp"
 
-# overwrite /etc/crypttab to mirror the behavior for in seal-key
-for uuid in `cat "$TMP_KEY_DEVICES" | cut -d\  -f2`; do
-	echo "luks-$uuid UUID=$uuid /secret.key" >> "$INITRD_DIR/etc/crypttab"
-done
-( cd "$INITRD_DIR" ; find . -type f | cpio -H newc -o ) >> "$SECRET_CPIO"
+if [ "$unseal_failed" = "n" ]; then
+	# overwrite /etc/crypttab to mirror the behavior for in seal-key
+	for uuid in `cat "$TMP_KEY_DEVICES" | cut -d\  -f2`; do
+		echo "luks-$uuid UUID=$uuid /secret.key" >> "$INITRD_DIR/etc/crypttab"
+	done
+	( cd "$INITRD_DIR" ; find . -type f | cpio -H newc -o ) >> "$SECRET_CPIO"
+fi

initrd/bin/kexec-iso-init

@@ -15,6 +15,8 @@ if ! [ -r "$ISOSIG" ]; then
 	ISOSIG="$MOUNTED_ISO_PATH.asc"
 fi
 
+ISO_PATH="${ISO_PATH##/}"
+
 gpgv "$ISOSIG" "$MOUNTED_ISO_PATH" \
 	|| die 'ISO signature failed'
 
@@ -26,7 +28,7 @@ DEV_UUID=`blkid $DEV | tail -1 | tr " " "\n" | grep UUID | cut -d\" -f2`
 ADD="fromiso=/dev/disk/by-uuid/$DEV_UUID/$ISO_PATH"
 REMOVE=""
 
-paramsdir="/media/kexec_iso/$ISO_PATH/"
+paramsdir="/media/kexec_iso/$ISO_PATH"
 check_config $paramsdir
 
 ADD_FILE=/tmp/kexec/kexec_iso_add.txt
@@ -43,7 +45,7 @@ if [ -r $REMOVE_FILE ]; then
 fi
 
 # Call kexec and indicate that hashes have been verified
-kexec-select-boot -b /boot -d /media/ -p "$paramsdir" \
+kexec-select-boot -b /boot -d /media -p "$paramsdir" \
 	-a "$ADD" -r "$REMOVE" -c "*.cfg" -u -i
 
 die "Something failed in selecting boot"

initrd/bin/kexec-parse-boot

@@ -17,9 +17,9 @@ reset_entry() {
 }
 
 filedir=`dirname $file`
-bootdir=${bootdir%%"/"}
-bootlen=${#bootdir}
-appenddir=${filedir:$bootlen}
+bootdir="${bootdir%%/}"
+bootlen="${#bootdir}"
+appenddir="${filedir:$bootlen}"
 
 fix_path() {
 	path="$@"

initrd/bin/kexec-save-default

@@ -3,7 +3,7 @@
 set -e -o pipefail
 . /etc/functions
 
-while getopts "b:d:p:e:i:" arg; do
+while getopts "b:d:p:i:" arg; do
 	case $arg in
 		b) bootdir="$OPTARG" ;;
 		d) paramsdev="$OPTARG" ;;
@@ -24,6 +24,10 @@ if [ -z "$paramsdir" ]; then
 	paramsdir="$bootdir"
 fi
 
+bootdir="${bootdir%%/}"
+paramsdev="${paramsdev%%/}"
+paramsdir="${paramsdir%%/}"
+
 TMP_MENU_FILE="/tmp/kexec/kexec_menu.txt"
 ENTRY_FILE="$paramsdir/kexec_default.$index.txt"
 HASH_FILE="$paramsdir/kexec_default_hashes.txt"
@@ -37,6 +41,74 @@ if [ -z "$entry" ]; then
 	die "Invalid menu index $index"
 fi
 
+KEY_DEVICES="$paramsdir/kexec_key_devices.txt"
+KEY_LVM="$paramsdir/kexec_key_lvm.txt"
+save_key="n"
+if [ ! -r "$KEY_DEVICES" ]; then
+	read \
+		-n 1 \
+		-p "Do you wish to add a disk encryption to the TPM [y/N]: " \
+		add_key_confirm
+	echo
+
+	if [ "$add_key_confirm" = "y" \
+		-o "$add_key_confirm" = "Y" ] \
+	; then
+		lvm_suggest="e.g. qubes_dom0 or blank"
+		devices_suggest="e.g. /dev/sda2 or blank"
+		save_key="y"
+	fi
+else
+	read \
+		-n 1 \
+		-p "Do you want to reseal a disk key to the TPM [y/N]: " \
+		change_key_confirm
+	echo
+
+	if [ "$change_key_confirm" = "y" \
+		-o "$change_key_confirm" = "Y" ] \
+	; then
+		old_lvm_volume_group=""
+		if [ -r "$KEY_LVM" ]; then
+			old_lvm_volume_group=`cat $KEY_LVM` || true
+			old_key_devices=`cat $KEY_DEVICES | cut -d\  -f1 \
+				| grep -v "$old_lvm_volume_group" | xargs` || true
+		else
+			old_key_devices=`cat $KEY_DEVICES | cut -d\  -f1 | xargs` || true
+		fi
+
+		lvm_suggest="was '$old_lvm_volume_group'"
+		devices_suggest="was '$old_key_devices'"
+		save_key="y"
+	fi
+fi
+
+if [ "$save_key" = "y" ]; then
+	echo "+++ LVM volume groups (lvm vgscan): "
+	lvm vgscan || true
+
+	read \
+		-p "Encrypted LVM group? ($lvm_suggest): " \
+		lvm_volume_group
+
+	echo "+++ Block devices (blkid): "
+	blkid || true
+
+	read \
+		-p "Encrypted devices? ($devices_suggest): " \
+		key_devices
+
+	save_key_params="-s -p $paramsdev"
+	if [ -n "$lvm_volume_group" ]; then
+		save_key_params="$save_key_params -l $lvm_volume_group $key_devices"
+	else
+		save_key_params="$save_key_params $key_devices"
+	fi
+	echo "Running kexec-save-key with params: $save_key_params"
+	kexec-save-key $save_key_params \
+	|| die "Failed to save the disk key"
+fi
+
 # try to switch to rw mode
 mount -o rw,remount $paramsdev
 

initrd/bin/kexec-save-key

@@ -4,8 +4,10 @@ set -e -o pipefail
 . /etc/functions
 
 lvm_volume_group=""
-while getopts "p:d:l:" arg; do
+skip_sign="n"
+while getopts "sp:d:l:" arg; do
 	case $arg in
+		s) skip_sign="y" ;;
 		p) paramsdir="$OPTARG" ;;
 		d) paramsdev="$OPTARG" ;;
 		l) lvm_volume_group="$OPTARG" ;;
@@ -15,13 +17,16 @@ shift `expr $OPTIND - 1`
 key_devices="$@"
 
 if [ -z "$paramsdir" ]; then
-	die "Usage: $0 -p /boot [-l qubes_dom0] [/dev/sda2 /dev/sda5 ...] "
+	die "Usage: $0 [-s] -p /boot [-l qubes_dom0] [/dev/sda2 /dev/sda5 ...] "
 fi
 
 if [ -z "$paramsdev" ]; then
 	paramsdev="$paramsdir"
 fi
 
+paramsdev="${paramsdev%%/}"
+paramsdir="${paramsdir%%/}"
+
 if [ -n "$lvm_volume_group" ]; then
 	lvm vgchange -a y $lvm_volume_group \
 	|| die "Failed to activate the LVM group"
@@ -55,9 +60,11 @@ done
 kexec-seal-key $paramsdir \
 || die "Failed to save and generate key in TPM"
 
-# sign and auto-roll config counter
-kexec-sign-config -p $paramsdir -u \
-|| die "Failed to sign updated config"
+if [ "$skip_sign" != "y" ]; then
+	# sign and auto-roll config counter
+	kexec-sign-config -p $paramsdir -u \
+	|| die "Failed to sign updated config"
+fi
 
 # switch back to ro mode
 mount -o ro,remount $paramsdev

initrd/bin/kexec-select-boot

@@ -11,6 +11,7 @@ unique="n"
 valid_hash="n"
 valid_global_hash="n"
 valid_rollback="n"
+force_menu="n"
 while getopts "b:d:p:a:r:c:uim" arg; do
 	case $arg in
 		b) bootdir="$OPTARG" ;;
@@ -20,7 +21,7 @@ while getopts "b:d:p:a:r:c:uim" arg; do
 		r) remove="$OPTARG" ;;
 		c) config="$OPTARG" ;;
 		u) unique="y" ;;
-		m) show_menu="y" ;;
+		m) force_menu="y" ;;
 		i) valid_hash="y"; valid_rollback="y" ;;
 	esac
 done
@@ -37,6 +38,10 @@ if [ -z "$paramsdir" ]; then
 	paramsdir="$bootdir"
 fi
 
+bootdir="${bootdir%%/}"
+paramsdev="${paramsdev%%/}"
+paramsdir="${paramsdir%%/}"
+
 verify_global_hashes()
 {
 	echo "+++ Checking verified boot hash file "
@@ -149,6 +154,7 @@ save_default_option() {
 			echo "+++ Saved defaults to device"
 			sleep 2
 			default_failed="n"
+			force_menu="n"
 			return
 		else
 			echo "Failed to save defaults"
@@ -168,9 +174,7 @@ default_select() {
 	expectedoption=`cat $TMP_DEFAULT_FILE`
 	option=`head -n $default_index $TMP_MENU_FILE | tail -1`
 	if [ "$option" != "$expectedoption" ]; then
-		warn "!!! Boot entry has changed - please set a new default"
-		sleep 5
-		return
+		die "!!! Boot entry has changed - please set a new default"
 	fi
 	parse_option
 
@@ -181,7 +185,7 @@ default_select() {
 		echo "+++ Verified default boot hashes "
 		valid_hash='y'
 	else
-		die "$TMP_DEFAULT_HASH_FILE: default boot hash mismatch"
+		die "!!! $TMP_DEFAULT_HASH_FILE: default boot hash mismatch"
 	fi
 
 	echo "+++ Executing default boot for $name:"
@@ -204,8 +208,15 @@ user_select() {
 	done
 
 	if [ "$option_confirm" = "d" ]; then
-		# reload settings to reflect new default
-		continue
+		if [ ! -r "$TMP_KEY_DEVICES" ]; then
+			# rerun primary boot loop to boot the new default option
+			continue
+		else
+			echo "+++ Rebooting to start the new default option"
+			sleep 2
+			reboot \
+			|| die "!!! Failed to reboot system"
+		fi
 	fi
 
 	do_boot
@@ -214,13 +225,11 @@ user_select() {
 do_boot()
 {
 	if [ "$CONFIG_BOOT_REQ_ROLLBACK" = "y" -a "$valid_rollback" = "n" ]; then
-		warn "!!! Missing required rollback counter state"
-		return
+		die "!!! Missing required rollback counter state"
 	fi
 
 	if [ "$CONFIG_BOOT_REQ_HASH" = "y" -a "$valid_hash" = "n" ]; then
-		warn "!!! Missing required boot hashes"
-		return
+		die "!!! Missing required boot hashes"
 	fi
 
 	if [ -r "$TMP_KEY_DEVICES" ]; then
@@ -282,6 +291,7 @@ while true; do
 	fi
 
 	if [ "$default_failed" != "y" \
+		-a "$force_menu" = "n" \
 		-a -r "$TMP_DEFAULT_FILE" \
 		-a -r "$TMP_DEFAULT_HASH_FILE" ] \
 	; then

initrd/bin/kexec-sign-config

@@ -17,6 +17,8 @@ if [ -z "$paramsdir" ]; then
 	die "Usage: $0 -p /boot [ -u | -c counter ]"
 fi
 
+paramsdir="${paramsdir%%/}"
+
 confirm_gpg_card
 
 if [ "$rollback" = "y" ]; then
@@ -52,6 +54,8 @@ for tries in 1 2 3; do
 		-a \
 		> $paramsdir/kexec.sig \
 	; then
+		# successful - update the validated params
+		check_config $paramsdir
 		exit 0
 	fi
 done

initrd/bin/kexec-unseal-key

@@ -24,9 +24,13 @@ tpm nv_readvalue \
 || die "Unable to read key from TPM NVRAM"
 
 for tries in 1 2 3; do
-	read -s -p "Enter unlock password: " tpm_password
+	read -s -p "Enter unlock password (blank to abort): " tpm_password
 	echo
 
+	if [ -z "$tpm_password" ]; then
+		die "Aborting unseal disk encryption key"
+	fi
+
 	if tpm unsealfile \
 		-if "$sealed_file" \
 		-of "$key_file" \

initrd/bin/poweroff

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# Sync all mounted filesystems
+echo s > /proc/sysrq-trigger
+
+# Remount all mounted filesystems in read-only mode
+echo u > /proc/sysrq-trigger
+
+# Shut off the system
+echo o > /proc/sysrq-trigger

initrd/bin/reboot

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# Sync all mounted filesystems
+echo s > /proc/sysrq-trigger
+
+# Remount all mounted filesystems in read-only mode
+echo u > /proc/sysrq-trigger
+
+# Immediately reboot the system, without unmounting or syncing filesystems
+echo b > /proc/sysrq-trigger

initrd/bin/usb-scan

@@ -7,13 +7,13 @@ set -e -o pipefail
 # Unmount any previous boot device
 if grep -q /boot /proc/mounts ; then
 	umount /boot \
-		|| die '$CONFIG_USB_BOOT_DEV: Unable to unmount /boot'
+		|| die "Unable to unmount /boot"
 fi
 
 # Mount the USB boot device
 if ! grep -q /media /proc/mounts ; then
 	mount-usb "$CONFIG_USB_BOOT_DEV" \
-		|| die '$CONFIG_USB_BOOT_DEV: Unable to mount /media'
+		|| die "Unable to mount /media"
 fi
 
 # Check for ISO first
@@ -62,6 +62,6 @@ fi
 
 echo "!!! Could not find any ISO, trying bootable USB"
 # Attempt to pull verified config from device
-kexec-select-boot -b /media/ -c "*.cfg" -u
+kexec-select-boot -b /media -c "*.cfg" -u
 
 die "Something failed in selecting boot"

initrd/etc/functions

@@ -70,6 +70,19 @@ confirm_totp()
 
 confirm_gpg_card()
 {
+	read \
+		-n 1 \
+		-p "Please confirm that your GPG card is inserted [Y/n]: " \
+		card_confirm
+	echo
+
+	if [ "$card_confirm" != "y" \
+		-a "$card_confirm" != "Y" \
+		-a -n "$card_confirm" ] \
+	; then
+		die "gpg card not confirmed"
+	fi
+
 	# setup the USB so we can reach the GPG card
 	if ! lsmod | grep -q ehci_hcd; then
 		insmod /lib/modules/ehci-hcd.ko \

modules/xen

@@ -2,12 +2,12 @@ modules-$(CONFIG_XEN) += xen
 
 # We extract the entire Xen tree, but only use the xen/xen hypervisor
 # portion since Qubes provides the rest of it.
-xen_base_version := 4.6.5
-xen_version := $(xen_base_version)-28
+xen_base_version := 4.6.6
+xen_version := $(xen_base_version)-30
 xen_dir := qubes-vmm-xen-$(xen_version)/
 xen_tar := qubes-vmm-xen-$(xen_version).tar.gz
 xen_url := https://github.com/QubesOS/qubes-vmm-xen/archive/v$(xen_version).tar.gz
-xen_hash := 314b01af6726ed7b09dfd72ff8b224636d822d432790765287abeedc81fd86b2
+xen_hash := 65cdbdb77d30475d77d849011343cba970b61c99d6638ccfeca4b7bbc308dc36
 
 xen_depends := musl-cross