initrd/init: Prevent Restricted Boot bypass

The early recovery shell ("hold R") and serial recovery both could
bypass Restricted Boot since they occurred before config.user was
loaded.  Load config.user earlier before these recovery methods.

Executing a shell directly (if recovery failed) also would bypass
Restricted Boot, additionally leaking /tmp/secret.  Remove this from
the early recovery shell logic.  Also remove the final failsafe exec
and move the "just in case" recovery from normal boot here instead, in
case the regular init script fails.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>

initrd/init

@@ -87,6 +87,28 @@ export GPG_TTY=/dev/console
 
 [ -x /bin/bash ] && /bin/key-init
 
+# Override CONFIG_USE_BLOB_JAIL if needed and persist via user config
+if lspci -n | grep -q "8086:2723"; then
+  if ! cat /etc/config.user 2>/dev/null | grep -q "USE_BLOB_JAIL"; then
+    echo "CONFIG_USE_BLOB_JAIL=y" >> /etc/config.user
+  fi
+fi
+
+# Override CONFIG_TPM and CONFIG_TPM2_TOOLS from /etc/config with runtime value
+# determined above.
+#
+# Values in user config have higher priority during combining thus effectively
+# changing the value for the rest of the scripts which source /tmp/config.
+echo "export CONFIG_TPM=\"$CONFIG_TPM\"" >> /etc/config.user
+echo "export CONFIG_TPM2_TOOLS=\"$CONFIG_TPM2_TOOLS\"" >> /etc/config.user
+
+# CONFIG_BASIC was previously CONFIG_PUREBOOT_BASIC in the PureBoot distribution.
+# Substitute it in config.user if present for backward compatibility.
+sed -i -e 's/^export CONFIG_PUREBOOT_BASIC=/export CONFIG_BASIC=/g' /etc/config.user
+
+combine_configs
+. /tmp/config
+
 # Setup recovery serial shell
 if [ ! -z "$CONFIG_BOOT_RECOVERY_SERIAL" ]; then
 	stty -F "$CONFIG_BOOT_RECOVERY_SERIAL" 115200
@@ -113,35 +135,9 @@ if [ "$boot_option" = "r" ]; then
 	# Start an interactive shell
 	recovery 'User requested recovery shell'
 	# just in case...
-	if [ "$CONFIG_TPM" = "y" ]; then
-		tpmr extend -ix 4 -ic recovery
-	fi
-	exec /bin/sh
 	exit
 fi
 
-# Override CONFIG_USE_BLOB_JAIL if needed and persist via user config
-if lspci -n | grep -q "8086:2723"; then
-  if ! cat /etc/config.user 2>/dev/null | grep -q "USE_BLOB_JAIL"; then
-    echo "CONFIG_USE_BLOB_JAIL=y" >> /etc/config.user
-  fi
-fi
-
-# Override CONFIG_TPM and CONFIG_TPM2_TOOLS from /etc/config with runtime value
-# determined above.
-#
-# Values in user config have higher priority during combining thus effectively
-# changing the value for the rest of the scripts which source /tmp/config.
-echo "export CONFIG_TPM=\"$CONFIG_TPM\"" >> /etc/config.user
-echo "export CONFIG_TPM2_TOOLS=\"$CONFIG_TPM2_TOOLS\"" >> /etc/config.user
-
-# CONFIG_BASIC was previously CONFIG_PUREBOOT_BASIC in the PureBoot distribution.
-# Substitute it in config.user if present for backward compatibility.
-sed -i -e 's/^export CONFIG_PUREBOOT_BASIC=/export CONFIG_BASIC=/g' /etc/config.user
-
-combine_configs
-. /tmp/config
-
 if [ "$CONFIG_BASIC" = "y" ]; then
 	echo -e "***** BASIC mode: tamper detection disabled\n" > /dev/tty0
 fi
@@ -187,17 +183,11 @@ else
 		fi
 
 		exec "$CONFIG_BOOTSCRIPT"
-
-		# We should never reach here, but just in case...
-		recovery 'Boot script failure?  Entering recovery shell'
 	else
 		# wait for boot via network to occur
 		pause_recovery 'Override network boot. Entering recovery shell'
 	fi
 fi
 
-# belts and suspenders, just in case...
-if [ "$CONFIG_TPM" = "y" ]; then
-	tpmr extend -ix 4 -ic recovery
-fi
-exec /bin/sh
+# We should never reach here, but just in case...
+recovery 'Boot script failure?  Entering recovery shell'