From 7f8738d6d82f1f500f5efc74b6d38a8eff1a5fff Mon Sep 17 00:00:00 2001
From: Kyle Rankin
Date: Fri, 30 Nov 2018 15:32:29 -0800
Subject: [PATCH 1/4] Add empty keyring detection, clean up main menu

To help with onboarding new users to Heads, this change will detect when Heads does not have any keys in its keyring and will guide the user through adding a key to the running BIOS. It's important that this happen *before* guiding them through setting up an initial TOTP/HOTP secret because adding a GPG key changes the BIOS, so the user would have to generate TOTP/HOTP secrets 2x unless we handle the keyring case first.

In addition to this change I've simplified the main menu so that the majority of the options appear under an 'advanced' menu.

---
 initrd/bin/gui-init | 58 ++++++++++++++++++++++++++-------------------
 1 file changed, 34 insertions(+), 24 deletions(-)

diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init
index 957ebba4..d00a98de 100755
--- a/initrd/bin/gui-init
+++ b/initrd/bin/gui-init
@@ -119,14 +119,24 @@ while true; do
  last_half=$half;
  TOTP=`unseal-totp`
  if [ $? -ne 0 ]; then
- whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: TOTP Generation Failed!" \
- --menu "ERROR: Heads couldn't generate the TOTP code.\n\nIf you just reflashed your BIOS, you'll need to generate a new TOTP secret.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nIf this is the first time the system has booted, you should reset the TPM\nand set your own password\n\nHow would you like to proceed?" 30 90 4 \
- 'g' ' Generate new TOTP/HOTP secret' \
- 'i' ' Ignore error and continue to default boot menu' \
- 'p' ' Reset the TPM' \
- 'x' ' Exit to recovery shell' \
- 2>/tmp/whiptail || recovery "GUI menu failed"
-
+ # detect whether any GPG keys exist in the keyring, if not, initialize that first
+ GPG_KEY_COUNT=`gpg -k 2>/dev/null | wc -l`
+ if [ $GPG_KEY_COUNT -eq 0 ]; then
+ whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: GPG keyring empty!" \
+ --menu "ERROR: Heads couldn't find any GPG keys in your keyring.\n\nIf this is the first time the system has booted, you should add a public GPG key to the BIOS now.\n\nIf you just reflashed a new BIOS, you'll need to add at least one public key to the keyring.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 30 90 4 \
+ 'f' ' Add a GPG key to the running BIOS' \
+ 'i' ' Ignore error and continue to default boot menu' \
+ 'x' ' Exit to recovery shell' \
+ 2>/tmp/whiptail || recovery "GUI menu failed"
+ else
+ whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: TOTP Generation Failed!" \
+ --menu "ERROR: Heads couldn't generate the TOTP code.\n\nIf this is the first time the system has booted, you should reset the TPM\nand set your own password\n\nIf you just reflashed your BIOS, you'll need to generate a new TOTP secret.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 30 90 4 \
+ 'g' ' Generate new TOTP/HOTP secret' \
+ 'i' ' Ignore error and continue to default boot menu' \
+ 'p' ' Reset the TPM' \
+ 'x' ' Exit to recovery shell' \
+ 2>/tmp/whiptail || recovery "GUI menu failed"
+ fi
  totp_confirm=$(cat /tmp/whiptail)
  fi
  fi
@@ -157,8 +167,6 @@ while true; do
  whiptail $MAIN_MENU_BG_COLOR --clear --title "$CONFIG_BOOT_GUI_MENU_NAME" \
  --menu "$date\nTOTP: $TOTP | HOTP: $HOTP" 20 90 10 \
  'y' ' Default boot' \
- 'r' ' TOTP/HOTP does not match, refresh code' \
- 'o' ' Other Boot Options -->' \
  'a' ' Advanced Settings -->' \
  'x' ' Exit to recovery shell' \
  2>/tmp/whiptail || recovery "GUI menu failed"
@@ -166,6 +174,22 @@ while true; do
  totp_confirm=$(cat /tmp/whiptail)
  fi
 
+ if [ "$totp_confirm" = "a" ]; then
+ whiptail --clear --title "Advanced Settings" \
+ --menu "Configure Advanced Settings" 20 90 10 \
+ 'o' ' Other Boot Options -->' \
+ 'r' ' TOTP/HOTP does not match, refresh code' \
+ 'g' ' Generate new TOTP/HOTP secret' \
+ 's' ' Update checksums and sign all files in /boot' \
+ 'f' ' Flash/Update the BIOS -->' \
+ 'p' ' Reset the TPM' \
+ 'n' ' TOTP/HOTP does not match after refresh, troubleshoot' \
+ 'r' ' <-- Return to main menu' \
+ 2>/tmp/whiptail || recovery "GUI menu failed"
+
+ totp_confirm=$(cat /tmp/whiptail)
+ fi
+
  if [ "$totp_confirm" = "o" ]; then
  whiptail --clear --title "Other Boot Options" \
  --menu "Select A Boot Option" 20 90 10 \
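Review bot: `GPG_KEY_COUNT=`gpg -k 2>/dev/null | wc -l`` in the first hunk counts output lines, not keys, so the empty-keyring dialog — the one that is supposed to flag possible tampering — only fires if this gpg build prints nothing at all for an empty keyring; if it emits a banner or keyring-path header line the count is non-zero and the check is silently skipped, and the test `[ $GPG_KEY_COUNT -eq 0 ]` also leaves the variable unquoted. Counting machine-readable records does not depend on that: `GPG_KEY_COUNT=$(gpg --list-keys --with-colons 2>/dev/null | grep -c '^pub:')` with `if [ "$GPG_KEY_COUNT" -eq 0 ]; then`. The `while true` loop and the `if [ $? -ne 0 ]` this sits in both start before the hunk.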
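Review bot: The new Advanced Settings menu in the third hunk uses the tag `'r'` twice, for `' TOTP/HOTP does not match, refresh code'` and for `' <-- Return to main menu'`, so whiptail writes the same value to /tmp/whiptail for either entry and the handlers further down (outside the hunk) cannot distinguish them. If the `r` handler merely lets the loop repeat and redraw the main menu, the two entries already behave identically and only the duplicate tag is wrong; giving the return entry its own tag, e.g. `'m' ' <-- Return to main menu'`, then needs no new handler — confirm against the handlers below. The fourth hunk only removes the old copy of this block and does not resolve the duplicate.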
@@ -178,20 +202,6 @@ while true; do
  totp_confirm=$(cat /tmp/whiptail)
  fi
 
- if [ "$totp_confirm" = "a" ]; then
- whiptail --clear --title "Advanced Settings" \
- --menu "Configure Advanced Settings" 20 90 10 \
- 'g' ' Generate new TOTP/HOTP secret' \
- 's' ' Update checksums and sign all files in /boot' \
- 'f' ' Flash/Update the BIOS -->' \
- 'p' ' Reset the TPM' \
- 'n' ' TOTP/HOTP does not match after refresh, troubleshoot' \
- 'r' ' <-- Return to main menu' \
- 2>/tmp/whiptail || recovery "GUI menu failed"
-
- totp_confirm=$(cat /tmp/whiptail)
- fi
-
  if [ "$totp_confirm" = "x" ]; then
  recovery "User requested recovery shell"
  fi

From 2195977c23a72b0136724e423eec609fdf5e5732 Mon Sep 17 00:00:00 2001
From: Kyle Rankin
Date: Mon, 3 Dec 2018 16:09:55 -0800
Subject: [PATCH 2/4] Move GPG check outside TPM failure

We want to catch the missing GPG keyring error regardless of TPM failure or even in the case of a system without a TPM at all so we need to move that section up above the TPM check.

---
 initrd/bin/gui-init | 46 ++++++++++++++++++++++++---------------------
 1 file changed, 25 insertions(+), 21 deletions(-)

diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init
index d00a98de..35b32fad 100755
--- a/initrd/bin/gui-init
+++ b/initrd/bin/gui-init
@@ -109,26 +109,29 @@ while true; do
  MAIN_MENU_OPTIONS=""
  MAIN_MENU_BG_COLOR=""
  unset totp_confirm
- # update the TOTP code every thirty seconds
- date=`date "+%Y-%m-%d %H:%M:%S"`
- seconds=`date "+%s"`
- half=`expr \( $seconds % 60 \) / 30`
- if [ "$CONFIG_TPM" = n ]; then
- TOTP="NO TPM"
- elif [ "$half" != "$last_half" ]; then
- last_half=$half;
- TOTP=`unseal-totp`
- if [ $? -ne 0 ]; then
- # detect whether any GPG keys exist in the keyring, if not, initialize that first
- GPG_KEY_COUNT=`gpg -k 2>/dev/null | wc -l`
- if [ $GPG_KEY_COUNT -eq 0 ]; then
- whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: GPG keyring empty!" \
- --menu "ERROR: Heads couldn't find any GPG keys in your keyring.\n\nIf this is the first time the system has booted, you should add a public GPG key to the BIOS now.\n\nIf you just reflashed a new BIOS, you'll need to add at least one public key to the keyring.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 30 90 4 \
- 'f' ' Add a GPG key to the running BIOS' \
- 'i' ' Ignore error and continue to default boot menu' \
- 'x' ' Exit to recovery shell' \
- 2>/tmp/whiptail || recovery "GUI menu failed"
- else
+ # detect whether any GPG keys exist in the keyring, if not, initialize that first
+ GPG_KEY_COUNT=`gpg -k 2>/dev/null | wc -l`
+ if [ $GPG_KEY_COUNT -eq 0 ]; then
+ whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: GPG keyring empty!" \
+ --menu "ERROR: Heads couldn't find any GPG keys in your keyring.\n\nIf this is the first time the system has booted, you should add a public GPG key to the BIOS now.\n\nIf you just reflashed a new BIOS, you'll need to add at least one public key to the keyring.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 30 90 4 \
+ 'f' ' Add a GPG key to the running BIOS' \
+ 'i' ' Ignore error and continue to default boot menu' \
+ 'x' ' Exit to recovery shell' \
+ 2>/tmp/whiptail || recovery "GUI menu failed"
+
+ totp_confirm=$(cat /tmp/whiptail)
+ fi
+ if [ "$totp_confirm" = "i" -o -z "$totp_confirm" ]; then
+ # update the TOTP code every thirty seconds
+ date=`date "+%Y-%m-%d %H:%M:%S"`
+ seconds=`date "+%s"`
+ half=`expr \( $seconds % 60 \) / 30`
+ if [ "$CONFIG_TPM" = n ]; then
+ TOTP="NO TPM"
+ elif [ "$half" != "$last_half" ]; then
+ last_half=$half;
+ TOTP=`unseal-totp`
+ if [ $? -ne 0 ]; then
  whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: TOTP Generation Failed!" \
  --menu "ERROR: Heads couldn't generate the TOTP code.\n\nIf this is the first time the system has booted, you should reset the TPM\nand set your own password\n\nIf you just reflashed your BIOS, you'll need to generate a new TOTP secret.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 30 90 4 \
  'g' ' Generate new TOTP/HOTP secret' \
@@ -136,8 +139,9 @@ while true; do
  'p' ' Reset the TPM' \
  'x' ' Exit to recovery shell' \
  2>/tmp/whiptail || recovery "GUI menu failed"
+
+ totp_confirm=$(cat /tmp/whiptail)
  fi
- totp_confirm=$(cat /tmp/whiptail)
  fi
  fi
 

From 57b487c38cbc014bbe2e3d6a477b9a5651967b46 Mon Sep 17 00:00:00 2001
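Review bot: `if [ "$totp_confirm" = "i" -o -z "$totp_confirm" ]; then` in the first hunk relies on the `-o` operator of `[`, which POSIX marks obsolescent because the result is ambiguous once an operand can look like an operator; the portable form is `if [ -z "$totp_confirm" ] || [ "$totp_confirm" = "i" ]; then`. Since the keyring check now sits at the top of every `while true` pass, `gpg -k` runs on every menu redraw rather than only after a TOTP failure; that is likely fine in the initrd, but a short comment above `GPG_KEY_COUNT=` saying the per-iteration check is intentional would save the next reader from "optimising" it back behind the TPM branch. The `while true` loop begins before the hunk and the TOTP-failure branch continues past it.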
From: Kyle Rankin
Date: Wed, 5 Dec 2018 14:51:53 -0800
Subject: [PATCH 3/4] Update version #s for Librem coreboot, add Librem Key detection dialog

The Librem coreboot is labeled with the current version and is visible from dmidecode and is supposed to reflect the current version of coreboot, however it was out of date and reflected 4.7 when Heads has moved on to 4.8.1.

I've also added a simple change to further simplify onboarding by warning users who have Librem Key configured when they boot without it being inserted.

---
 config/coreboot-librem13v2.config | 4 ++--
 config/coreboot-librem15v3.config | 4 ++--
 initrd/bin/gui-init | 3 +++
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/config/coreboot-librem13v2.config b/config/coreboot-librem13v2.config
index f05c1d12..fad72db6 100644
--- a/config/coreboot-librem13v2.config
+++ b/config/coreboot-librem13v2.config
@@ -1,4 +1,4 @@
-CONFIG_LOCALVERSION="4.7-Purism-4-heads"
+CONFIG_LOCALVERSION="4.8.1-Purism-1-heads-beta"
 CONFIG_USE_BLOBS=y
 CONFIG_MEASURED_BOOT=y
 CONFIG_VENDOR_PURISM=y
@@ -26,7 +26,7 @@ CONFIG_FSP_M_XIP=y
 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="../../build/librem13v2/bzImage"
-CONFIG_LINUX_COMMAND_LINE="intel_iommu=on iommu=pt"
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=on iommu=pt quiet loglevel=3"
 CONFIG_LINUX_INITRD="../../build/librem13v2/initrd.cpio.xz"
 CONFIG_COREINFO_SECONDARY_PAYLOAD=y
 CONFIG_MEMTEST_SECONDARY_PAYLOAD=y
diff --git a/config/coreboot-librem15v3.config b/config/coreboot-librem15v3.config
index 53d196b5..218ea5f7 100644
--- a/config/coreboot-librem15v3.config
+++ b/config/coreboot-librem15v3.config
@@ -1,4 +1,4 @@
-CONFIG_LOCALVERSION="4.7-Purism-4-heads"
+CONFIG_LOCALVERSION="4.8.1-Purism-1-heads-beta"
 CONFIG_USE_BLOBS=y
 CONFIG_MEASURED_BOOT=y
 CONFIG_VENDOR_PURISM=y
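Review bot: The second hunk of config/coreboot-librem13v2.config appends `quiet loglevel=3` to `CONFIG_LINUX_COMMAND_LINE`, a change the commit message (version strings, Librem Key dialog) does not mention; `loglevel=3` leaves only emergency, alert and critical kernel messages on the console, so kernel errors and warnings a user could previously see before the Heads menu appears are no longer shown. Either state this in the message together with the reason, or split it into its own commit so the version bump stays a version bump. The identical hunk is applied to config/coreboot-librem15v3.config.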
@@ -26,7 +26,7 @@ CONFIG_FSP_M_XIP=y
 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y
 CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="../../build/librem15v3/bzImage"
-CONFIG_LINUX_COMMAND_LINE="intel_iommu=on iommu=pt"
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=on iommu=pt quiet loglevel=3"
 CONFIG_LINUX_INITRD="../../build/librem15v3/initrd.cpio.xz"
 CONFIG_COREINFO_SECONDARY_PAYLOAD=y
 CONFIG_MEMTEST_SECONDARY_PAYLOAD=y
diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init
index 35b32fad..692c382d 100755
--- a/initrd/bin/gui-init
+++ b/initrd/bin/gui-init
@@ -149,6 +149,9 @@ while true; do
  if [ -x /bin/libremkey_hotp_verification ]; then
  HOTP=`unseal-hotp`
  enable_usb
+ if ! libremkey_hotp_verification info ; then
+ whiptail $CONFIG_WARNING_BG_COLOR --clear --title 'WARNING: Please Insert Your Librem Key' --msgbox "Your Librem Key was not detected.\n\nPlease insert your Librem Key" 30 90
+ fi
  # Don't output HOTP codes to screen, so as to make replay attacks harder
  libremkey_hotp_verification check $HOTP
  case "$?" in

From a809c72f7d82540aaf954d6fd4ea84d5e4f410ca Mon Sep 17 00:00:00 2001
From: Kyle Rankin
Date: Wed, 12 Dec 2018 14:09:19 -0800
Subject: [PATCH 4/4] Fix column width for error output

---
 initrd/bin/gui-init | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init
index 692c382d..fd2876fb 100755
--- a/initrd/bin/gui-init
+++ b/initrd/bin/gui-init
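Review bot: `if ! libremkey_hotp_verification info ; then` in the initrd/bin/gui-init hunk uses only the tool's exit status but leaves its stdout and stderr attached to the console the whiptail dialogs are drawn on, so whatever `info` prints when no key is present (device details or an error line, depending on the tool) lands on screen behind the GUI; `if ! libremkey_hotp_verification info >/dev/null 2>&1; then` keeps the check silent. Once the msgbox is dismissed the code drops straight into the unchanged `libremkey_hotp_verification check $HOTP`, so the prompt only helps if the user inserts the key before pressing OK and the tool re-enumerates on each call; a one-line comment above the new `if` stating that expectation would make the intent explicit. The enclosing `if [ -x /bin/libremkey_hotp_verification ]` block and its `case "$?"` handling continue past the hunk.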
@@ -113,7 +113,7 @@ while true; do
  GPG_KEY_COUNT=`gpg -k 2>/dev/null | wc -l`
  if [ $GPG_KEY_COUNT -eq 0 ]; then
  whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: GPG keyring empty!" \
- --menu "ERROR: Heads couldn't find any GPG keys in your keyring.\n\nIf this is the first time the system has booted, you should add a public GPG key to the BIOS now.\n\nIf you just reflashed a new BIOS, you'll need to add at least one public key to the keyring.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 30 90 4 \
+ --menu "ERROR: Heads couldn't find any GPG keys in your keyring.\n\nIf this is the first time the system has booted,\nyou should add a public GPG key to the BIOS now.\n\nIf you just reflashed a new BIOS, you'll need to add at least one\npublic key to the keyring.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 30 90 4 \
  'f' ' Add a GPG key to the running BIOS' \
  'i' ' Ignore error and continue to default boot menu' \
  'x' ' Exit to recovery shell' \