Merge pull request #490 from kylerankin/add_empty_keyring_detection

Add empty keyring detection, clean up main menu
2025-04-15 15:06:42 +00:00 · 2019-02-08 15:01:28 -05:00 · 2019-02-08 15:01:28 -05:00 · 564f3ee201
commit 564f3ee201
parent 98598e7f2f a809c72f7d
3 changed files with 55 additions and 38 deletions
--- a/config/coreboot-librem13v2.config
+++ b/config/coreboot-librem13v2.config
@ -1,4 +1,4 @@
-CONFIG_LOCALVERSION="4.7-Purism-4-heads"
+CONFIG_LOCALVERSION="4.8.1-Purism-1-heads-beta"
 CONFIG_USE_BLOBS=y
 CONFIG_MEASURED_BOOT=y
 CONFIG_VENDOR_PURISM=y
@ -26,7 +26,7 @@ CONFIG_FSP_M_XIP=y
 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="../../build/librem13v2/bzImage"
-CONFIG_LINUX_COMMAND_LINE="intel_iommu=on iommu=pt"
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=on iommu=pt quiet loglevel=3"
 CONFIG_LINUX_INITRD="../../build/librem13v2/initrd.cpio.xz"
 CONFIG_COREINFO_SECONDARY_PAYLOAD=y
 CONFIG_MEMTEST_SECONDARY_PAYLOAD=y
--- a/config/coreboot-librem15v3.config
+++ b/config/coreboot-librem15v3.config
@ -1,4 +1,4 @@
-CONFIG_LOCALVERSION="4.7-Purism-4-heads"
+CONFIG_LOCALVERSION="4.8.1-Purism-1-heads-beta"
 CONFIG_USE_BLOBS=y
 CONFIG_MEASURED_BOOT=y
 CONFIG_VENDOR_PURISM=y
@ -26,7 +26,7 @@ CONFIG_FSP_M_XIP=y
 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="../../build/librem15v3/bzImage"
-CONFIG_LINUX_COMMAND_LINE="intel_iommu=on iommu=pt"
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=on iommu=pt quiet loglevel=3"
 CONFIG_LINUX_INITRD="../../build/librem15v3/initrd.cpio.xz"
 CONFIG_COREINFO_SECONDARY_PAYLOAD=y
 CONFIG_MEMTEST_SECONDARY_PAYLOAD=y
--- a/initrd/bin/gui-init
+++ b/initrd/bin/gui-init
@ -109,25 +109,39 @@ while true; do
  MAIN_MENU_OPTIONS=""
  MAIN_MENU_BG_COLOR=""
  unset totp_confirm
-  # update the TOTP code every thirty seconds
-  date=`date "+%Y-%m-%d %H:%M:%S"`
-  seconds=`date "+%s"`
-  half=`expr \( $seconds % 60 \) / 30`
-  if [ "$CONFIG_TPM" = n ]; then
-    TOTP="NO TPM"
-  elif [ "$half" != "$last_half" ]; then
-    last_half=$half;
-    TOTP=`unseal-totp`
-    if [ $? -ne 0 ]; then
-      whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: TOTP Generation Failed!" \
-        --menu "ERROR: Heads couldn't generate the TOTP code.\n\nIf you just reflashed your BIOS, you'll need to generate a new TOTP secret.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nIf this is the first time the system has booted, you should reset the TPM\nand set your own password\n\nHow would you like to proceed?" 30 90 4 \
-        'g' ' Generate new TOTP/HOTP secret' \
-        'i' ' Ignore error and continue to default boot menu' \
-        'p' ' Reset the TPM' \
-        'x' ' Exit to recovery shell' \
-        2>/tmp/whiptail || recovery "GUI menu failed"
+  # detect whether any GPG keys exist in the keyring, if not, initialize that first
+  GPG_KEY_COUNT=`gpg -k 2>/dev/null | wc -l`
+  if [ $GPG_KEY_COUNT -eq 0 ]; then
+    whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: GPG keyring empty!" \
+      --menu "ERROR: Heads couldn't find any GPG keys in your keyring.\n\nIf this is the first time the system has booted,\nyou should add a public GPG key to the BIOS now.\n\nIf you just reflashed a new BIOS, you'll need to add at least one\npublic key to the keyring.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 30 90 4 \
+      'f' ' Add a GPG key to the running BIOS' \
+      'i' ' Ignore error and continue to default boot menu' \
+      'x' ' Exit to recovery shell' \
+      2>/tmp/whiptail || recovery "GUI menu failed"

      totp_confirm=$(cat /tmp/whiptail)
+  fi
+  if [ "$totp_confirm" = "i" -o -z "$totp_confirm" ]; then
+    # update the TOTP code every thirty seconds
+    date=`date "+%Y-%m-%d %H:%M:%S"`
+    seconds=`date "+%s"`
+    half=`expr \( $seconds % 60 \) / 30`
+    if [ "$CONFIG_TPM" = n ]; then
+      TOTP="NO TPM"
+    elif [ "$half" != "$last_half" ]; then
+      last_half=$half;
+      TOTP=`unseal-totp`
+      if [ $? -ne 0 ]; then
+        whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: TOTP Generation Failed!" \
+          --menu "ERROR: Heads couldn't generate the TOTP code.\n\nIf this is the first time the system has booted, you should reset the TPM\nand set your own password\n\nIf you just reflashed your BIOS, you'll need to generate a new TOTP secret.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 30 90 4 \
+          'g' ' Generate new TOTP/HOTP secret' \
+          'i' ' Ignore error and continue to default boot menu' \
+          'p' ' Reset the TPM' \
+          'x' ' Exit to recovery shell' \
+          2>/tmp/whiptail || recovery "GUI menu failed"
+
+        totp_confirm=$(cat /tmp/whiptail)
+      fi
    fi
  fi

@ -135,6 +149,9 @@ while true; do
    if [ -x /bin/libremkey_hotp_verification ]; then
      HOTP=`unseal-hotp`
      enable_usb
+      if ! libremkey_hotp_verification info ; then
+        whiptail $CONFIG_WARNING_BG_COLOR --clear --title 'WARNING: Please Insert Your Librem Key' --msgbox "Your Librem Key was not detected.\n\nPlease insert your Librem Key" 30 90
+        fi
      # Don't output HOTP codes to screen, so as to make replay attacks harder
      libremkey_hotp_verification check $HOTP
      case "$?" in
@ -157,8 +174,6 @@ while true; do
    whiptail $MAIN_MENU_BG_COLOR --clear --title "$CONFIG_BOOT_GUI_MENU_NAME" \
      --menu "$date\nTOTP: $TOTP | HOTP: $HOTP" 20 90 10 \
      'y' ' Default boot' \
-      'r' ' TOTP/HOTP does not match, refresh code' \
-      'o' ' Other Boot Options -->' \
      'a' ' Advanced Settings -->' \
      'x' ' Exit to recovery shell' \
      2>/tmp/whiptail || recovery "GUI menu failed"
@ -166,6 +181,23 @@ while true; do
    totp_confirm=$(cat /tmp/whiptail)
  fi

+  if [ "$totp_confirm" = "a" ]; then
+    whiptail --clear --title "Advanced Settings" \
+      --menu "Configure Advanced Settings" 20 90 10 \
+      'o' ' Other Boot Options -->' \
+      'r' ' TOTP/HOTP does not match, refresh code' \
+      'g' ' Generate new TOTP/HOTP secret' \
+      's' ' Update checksums and sign all files in /boot' \
+      'c' ' Change configuration settings -->' \
+      'f' ' Flash/Update the BIOS -->' \
+      'p' ' Reset the TPM' \
+      'n' ' TOTP/HOTP does not match after refresh, troubleshoot' \
+      'r' ' <-- Return to main menu' \
+      2>/tmp/whiptail || recovery "GUI menu failed"
+
+    totp_confirm=$(cat /tmp/whiptail)
+  fi
+
  if [ "$totp_confirm" = "o" ]; then
    whiptail --clear --title "Other Boot Options" \
      --menu "Select A Boot Option" 20 90 10 \
@ -178,21 +210,6 @@ while true; do
    totp_confirm=$(cat /tmp/whiptail)
  fi

-  if [ "$totp_confirm" = "a" ]; then
-    whiptail --clear --title "Advanced Settings" \
-      --menu "Configure Advanced Settings" 20 90 10 \
-      'g' ' Generate new TOTP/HOTP secret' \
-      's' ' Update checksums and sign all files in /boot' \
-      'c' ' Change configuration settings -->' \
-      'f' ' Flash/Update the BIOS -->' \
-      'p' ' Reset the TPM' \
-      'n' ' TOTP/HOTP does not match after refresh, troubleshoot' \
-      'r' ' <-- Return to main menu' \
-      2>/tmp/whiptail || recovery "GUI menu failed"
-
-    totp_confirm=$(cat /tmp/whiptail)
-  fi
-
  if [ "$totp_confirm" = "x" ]; then
    recovery "User requested recovery shell"
  fi