diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init
index 382c3742..1ab178f3 100755
--- a/initrd/bin/gui-init
+++ b/initrd/bin/gui-init
@@ -174,7 +174,7 @@ generate_totp_hotp() printf "\033c" else warn "Unsealing TOTP/HOTP secret from previous sealed measurements failed" - warn "Try "Generate new HOTP/TOTP secret" option if you updated firmware content" + warn 'Try "Generate new HOTP/TOTP secret" option if you updated firmware content' fi }
diff --git a/initrd/bin/kexec-save-default b/initrd/bin/kexec-save-default
index bc2febcc..a38316e5 100755
--- a/initrd/bin/kexec-save-default
+++ b/initrd/bin/kexec-save-default
@@ -38,7 +38,6 @@ PRIMHASH_FILE="$paramsdir/kexec_primhdl_hash.txt" KEY_DEVICES="$paramsdir/kexec_key_devices.txt" KEY_LVM="$paramsdir/kexec_key_lvm.txt" - lvm_suggest=$(lvm vgscan | awk -F '"' {'print $1'} | tail -n +2) num_lvm=$(echo "$lvm_suggest" | wc -l) if [ "$num_lvm" -eq 1 ] && [ -n "$lvm_suggest" ]; then
@@ -50,8 +49,7 @@ DEBUG "LVM num_lvm: $num_lvm, lvm_suggest: $lvm_suggest" # get all LUKS container devices devices_suggest=$(blkid | cut -d ':' -f 1 | while read device; do - cryptsetup isLuks "$device" - if [ $(echo $?) == 0 ]; then echo "$device"; fi + if cryptsetup isLuks "$device"; then echo "$device"; fi done | sort) num_devices=$(echo "$devices_suggest" | wc -l) 
@@ -79,9 +77,9 @@ fi save_key="n" if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [ "$CONFIG_BASIC" != y ]; then DEBUG "TPM is enabled and TPM_NO_LUKS_DISK_UNLOCK is not set" - DEBUG "Checking if a a TPM Disk Unlock Key was previously setuped from $KEY_DEVICES" + DEBUG "Checking if a a TPM Disk Unlock Key was previously set up from $KEY_DEVICES" if [ ! -r "$KEY_DEVICES" ]; then - DEBUG "No previous TPM Disk Unlock Key was setuped for LUKS devices, confirming to add a disk encryption to the TPM" + DEBUG "No previous TPM Disk Unlock Key was set up for LUKS devices, confirming to add a disk encryption to the TPM" read \ -n 1 \ -p "Do you wish to add a disk encryption to the TPM [y/N]: " \
@@ -94,7 +92,7 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [ save_key="y" fi else - DEBUG "Previous TPM Disk Unlock Key was setuped for LUKS devices" + DEBUG "Previous TPM Disk Unlock Key was set up for LUKS devices" read \ -n 1 \ -p "Do you want to reseal a disk key to the TPM [y/N]: " \
@@ -123,7 +121,7 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [ if [ "$save_key" = "y" ]; then if [ -n "$old_key_devices" ] || [ -n "$old_lvm_volume_group" ]; then - DEBUG "Previous TPM Disk Unlock Key was setuped for LUKS devices $old_key_devices $old_lvm_volume_group" + DEBUG "Previous TPM Disk Unlock Key was set up for LUKS devices $old_key_devices $old_lvm_volume_group" read \ -n 1 \ -p "Do you want to reuse configured Encrypted LVM groups/Block devices? (Y/n):" \ 
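Review bot: The doubled article survives the wording fix in the first added line of this hunk: `DEBUG "Checking if a a TPM Disk Unlock Key was previously set up from $KEY_DEVICES"` still reads "a a". Since the commit is already rewriting this message, drop one article: `DEBUG "Checking if a TPM Disk Unlock Key was previously set up from $KEY_DEVICES"`. The enclosing `if [ "$CONFIG_TPM" = "y" ] ...` block continues past the end of the hunk.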
@@ -138,10 +136,10 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [ fi fi else - DEBUG "No previous TPM Disk Unlock Key was setuped for LUKS devices, setting up new ones" + DEBUG "No previous TPM Disk Unlock Key was set up for LUKS devices, setting up new ones" if [ "$num_lvm" -gt 1 ]; then DEBUG "Multiple LVM groups found" - //untested + # TODO: untested codepath. What uses lvm+LUKS on top nowadays?!? selected_lvmdev_not_existing=1 while [ $selected_lvmdev_not_existing -ne 0 ]; do {
@@ -172,7 +170,8 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [ key_devices result=$(echo "$devices_suggest" | grep -q "$key_devices") || selected_luksdev_not_existing=1 - if [ $? == 0 ]; then + #if result is not empty, then the device exists + if [ -n "$result" ]; then selected_luksdev_not_existing=0 fi }
diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key
index 2757087b..e9f3248e 100755
--- a/initrd/bin/kexec-seal-key
+++ b/initrd/bin/kexec-seal-key
@@ -53,7 +53,7 @@ echo read -s -p "New TPM Disk Unlock Key passphrase for booting: " key_password echo -read -s -p "Repeat TPM Disk Unlock key passphrase for booting: " key_password2 +read -s -p "Repeat TPM Disk Unlock Key passphrase for booting: " key_password2 echo if [ "$key_password" != "$key_password2" ]; then
diff --git a/initrd/bin/kexec-select-boot b/initrd/bin/kexec-select-boot
index 28c7087d..1562638c 100755
--- a/initrd/bin/kexec-select-boot
+++ b/initrd/bin/kexec-select-boot 
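Review bot: The new check `if [ -n "$result" ]; then` in the `@@ -172` hunk can never be true, because `result=$(echo "$devices_suggest" | grep -q "$key_devices")` uses `grep -q`, which prints nothing, so `$result` is always empty and `selected_luksdev_not_existing` is never reset to 0 on a match; if the variable is initialised to 1 before the surrounding `while` loop (which starts outside the hunk, as the lvm branch above does), a correctly typed device would keep the prompt looping forever. Test grep's exit status directly and match the whole line literally, since `$key_devices` is user-typed and is otherwise interpreted as a regex: `if printf '%s\n' "$devices_suggest" | grep -qxF -- "$key_devices"; then selected_luksdev_not_existing=0; else selected_luksdev_not_existing=1; fi`, dropping the `result=` assignment and the added comment.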
@@ -56,12 +56,12 @@ if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then sha256sum -c "$PRIMHASH_FILE" \ || { echo "FATAL: Hash of TPM2 primary key handle mismatch!"; - echo "If you have not intentionally regenerated TPM2 primary key,"; + warn "If you have not intentionally regenerated TPM2 primary key,"; warn "your system may have been compromised"; } else - echo "WARNING: Hash of TPM2 primary key handle does not exist!" - echo "Please rebuild the boot hash tree." + warn "Hash of TPM2 primary key handle does not exist" + warn "Please rebuild the boot hash tree" default_failed="y" fi fi
diff --git a/initrd/etc/functions b/initrd/etc/functions
index c8f4a844..4ea7abed 100755
--- a/initrd/etc/functions
+++ b/initrd/etc/functions
@@ -41,8 +41,7 @@ pcrs() { fi } -confirm_totp() -{ +confirm_totp() { TRACE "Under /etc/functions:confirm_totp" prompt="$1" last_half=X
@@ -51,15 +50,15 @@ confirm_totp() while true; do # update the TOTP code every thirty seconds - date=`date "+%Y-%m-%d %H:%M:%S"` - seconds=`date "+%s"` - half=`expr \( $seconds % 60 \) / 30` + date=$(date "+%Y-%m-%d %H:%M:%S") + seconds=$(date "+%s") + half=$(expr \( $seconds % 60 \) / 30) if [ "$CONFIG_TPM" != "y" ]; then TOTP="NO TPM" elif [ "$half" != "$last_half" ]; then - last_half=$half; - TOTP=`unseal-totp` \ - || recovery "TOTP code generation failed" + last_half=$half + TOTP=$(unseal-totp) || + recovery "TOTP code generation failed" fi echo -n "$date $TOTP: "
@@ -70,8 +69,8 @@ confirm_totp() -n 1 \ -s \ -p "$prompt" \ - totp_confirm \ - && break + totp_confirm && + break # nothing typed, redraw the line echo -ne '\r' 
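Review bot: The `echo "FATAL: Hash of TPM2 primary key handle mismatch!";` line just above the first converted line of the kexec-select-boot hunk still goes through `echo`, while the two lines the hunk changes now go through `warn`, so the first line of this alert is emitted differently from the rest (I assume `warn` writes to stderr with its own prefix, given that the literal `WARNING:` text was dropped from the messages in the `else` branch). Convert it the same way for one coherent alert: `warn "FATAL: Hash of TPM2 primary key handle mismatch!";`. Whether the mismatch branch should also set `default_failed="y"` as the `else` branch does is not visible here; the `if [ "$CONFIG_TPM2_TOOLS" = "y" ]` block begins outside the hunk.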
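Review bot: In the confirm_totp `@@ -51` hunk, `half=$(expr \( $seconds % 60 \) / 30)` keeps an external `expr` call with an unquoted `$seconds` inside a loop that runs on every redraw, even though the hunk is already replacing backticks with `$(...)`; shell arithmetic gives the same result with no fork: `half=$(( (seconds % 60) / 30 ))`. The `while true` loop that contains it continues outside the hunk.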
@@ -81,27 +80,32 @@ confirm_totp() echo } -reseal_tpm_disk_decryption_key() -{ +reseal_tpm_disk_decryption_key() { TRACE "Under /etc/functions:reseal_tpm_disk_decryption_key" - #Can be called only on resealing, not on tpm reset: - #otherise primary handle and rollback would change. - if ! grep -q /boot /proc/mounts ; then - mount -o ro /boot \ - || recovery "Unable to mount /boot" + #For robustness, exit early if TPM Disk Unlock Key is prohibited in board configs + if [ "$CONFIG_TPM_DISK_UNLOCK_KEY" != "y" ]; then + DEBUG "TPM Disk Unlock Key is prohibited in board configs" + return + else + DEBUG "TPM Disk Unlock Key is allowed in board configs. Continuing" + fi + + if ! grep -q /boot /proc/mounts; then + mount -o ro /boot || + recovery "Unable to mount /boot" fi if [ -s /boot/kexec_key_devices.txt ] || [ -s /boot/kexec_key_lvm.txt ]; then - warn "A TPM disk decryption key previoulsy sealed is now invalid since firmware measurements cannot be unsealed" - warn "Renewing LUKS Disk Unlock Key to be unsealed by TPM Disk Unlock Key passphrase" + warn "A TPM Disk Unlock Key previously sealed is now invalid since firmware measurements cannot be unsealed" + echo "Renewing LUKS Disk Unlock Key to be unsealed by TPM Disk Unlock Key passphrase" while ! kexec-seal-key /boot; do - warn "Recovery disk encryption key passphrase invalid. Try again!" + warn "Recovery Disk Encryption key passphrase invalid. Try again!" done - warn "LUKS header hash changed under of /boot/kexec_luks_hdr_hash.txt" - warn "Updating checksums and signing all files under /boot/kexec.sig" + warn "LUKS header hash changed under /boot/kexec_luks_hdr_hash.txt" + echo "Updating checksums and signing all files under /boot/kexec.sig" while ! update_checksums; do - warn "Checksums were not signed. Bad GPG PIN provided?" - warn "Please update checksums and provide a valid GPG PIN" + warn "Checksums were not signed. Bad GPG PIN provided?" 
+ warn "Please update checksums and provide a valid GPG PIN" done warn "Rebooting in 3 seconds to enable booting default boot option" sleep 3
@@ -114,23 +118,21 @@ reseal_tpm_disk_decryption_key() # Enable USB storage (if not already enabled), and wait for storage devices to # be detected. If USB storage was already enabled, no wait occurs, this would # have happened already when USB storage was enabled. -enable_usb_storage() -{ +enable_usb_storage() { if ! lsmod | grep -q usb_storage; then timeout=0 echo "Scanning for USB storage devices..." - insmod /lib/modules/usb-storage.ko >/dev/null 2>&1 \ - || die "usb_storage: module load failed" - while [[ $(list_usb_storage | wc -l) -eq 0 ]]; do + insmod /lib/modules/usb-storage.ko >/dev/null 2>&1 || + die "usb_storage: module load failed" + while [[ $(list_usb_storage | wc -l) -eq 0 ]]; do [[ $timeout -ge 8 ]] && break sleep 1 - timeout=$(($timeout+1)) + timeout=$(($timeout + 1)) done fi } -list_usb_storage() -{ +list_usb_storage() { TRACE "Under /etc/functions:list_usb_storage" # List all USB storage devices, including partitions unless we received argument stating we want drives only # The output is a list of device names, one per line.
@@ -187,8 +189,7 @@ list_usb_storage() done } -confirm_gpg_card() -{ +confirm_gpg_card() { TRACE "Under /etc/functions:confirm_gpg_card" read \ -n 1 \
@@ -199,7 +200,7 @@ confirm_gpg_card() if [ "$card_confirm" != "y" \ -a "$card_confirm" != "Y" \ -a -n "$card_confirm" ] \ - ; then + ; then die "gpg card not confirmed" fi 
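Review bot: The early return added at the top of reseal_tpm_disk_decryption_key (hunk `@@ -81`, which begins on the previous line) drops the removed comment `#Can be called only on resealing, not on tpm reset: otherwise primary handle and rollback would change.` without carrying that caveat anywhere, and it was the only statement of when this function is safe to call. Please keep it, placed above the `grep -q /boot /proc/mounts` check: `# Must only be called when resealing, never after a TPM reset: the primary handle and the rollback counter would change.` Separately, the bare `return` yields the status of the preceding `[ "$CONFIG_TPM_DISK_UNLOCK_KEY" != "y" ]` test, which is 0 here, so a caller cannot distinguish "skipped by board config" from "resealed"; if any caller checks the status, an explicit `return 0` would at least make the intent readable.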
@@ -210,23 +211,23 @@ confirm_gpg_card() # ensure we don't exit without retrying errexit=$(set -o | grep errexit | awk '{print $2}') set +e - gpg --card-status > /dev/null + gpg --card-status >/dev/null if [ $? -ne 0 ]; then - # prompt for reinsertion and try a second time - read -n1 -r -p \ - "Can't access GPG key; remove and reinsert, then press Enter to retry. " \ - ignored - # restore prev errexit state - if [ "$errexit" = "on" ]; then - set -e - fi - # retry card status - gpg --card-status > /dev/null \ - || die "gpg card read failed" + # prompt for reinsertion and try a second time + read -n1 -r -p \ + "Can't access GPG key; remove and reinsert, then press Enter to retry. " \ + ignored + # restore prev errexit state + if [ "$errexit" = "on" ]; then + set -e + fi + # retry card status + gpg --card-status >/dev/null || + die "gpg card read failed" fi # restore prev errexit state if [ "$errexit" = "on" ]; then - set -e + set -e fi }
@@ -235,7 +236,7 @@ confirm_gpg_card() # line, since some flows need it multiple times and only one prompt is ideal. prompt_tpm_password() { if [ -n "$tpm_password" ]; then - return 0; + return 0 fi read -s -p "TPM Owner password: " tpm_password 
@@ -263,25 +264,24 @@ prompt_new_owner_password() { done } -check_tpm_counter() -{ - TRACE "Under /etc/functions:check_tpm_counter" - LABEL=${2:-3135106223} - tpm_password="$3" +check_tpm_counter() { + TRACE "Under /etc/functions:check_tpm_counter" + LABEL=${2:-3135106223} + tpm_password="$3" # if the /boot.hashes file already exists, read the TPM counter ID # from it. if [ -r "$1" ]; then - TPM_COUNTER=`grep counter- "$1" | cut -d- -f2` + TPM_COUNTER=$(grep counter- "$1" | cut -d- -f2) else warn "$1 does not exist; creating new TPM counter" prompt_tpm_password tpmr counter_create \ -pwdo "$tpm_password" \ -pwdc '' \ - -la $LABEL \ - | tee /tmp/counter \ - || die "Unable to create TPM counter" - TPM_COUNTER=`cut -d: -f1 < /tmp/counter` + -la $LABEL | + tee /tmp/counter || + die "Unable to create TPM counter" + TPM_COUNTER=$(cut -d: -f1 ${CONFIG_FILE}.tmp - awk "gsub(\"^${CONFIG_OPTION}=.*\",\"${CONFIG_OPTION}=\\\"${NEW_SETTING}\\\"\")" /tmp/config >> ${CONFIG_FILE}.tmp + # first pull out the existing option from the global config and place in a tmp file + awk "gsub(\"^export ${CONFIG_OPTION}=.*\",\"export ${CONFIG_OPTION}=\\\"${NEW_SETTING}\\\"\")" /tmp/config >${CONFIG_FILE}.tmp + awk "gsub(\"^${CONFIG_OPTION}=.*\",\"${CONFIG_OPTION}=\\\"${NEW_SETTING}\\\"\")" /tmp/config >>${CONFIG_FILE}.tmp -# then copy any remaining settings from the existing config file, minus the option you changed - grep -v "^export ${CONFIG_OPTION}=" ${CONFIG_FILE} | grep -v "^${CONFIG_OPTION}=" >> ${CONFIG_FILE}.tmp || true - sort ${CONFIG_FILE}.tmp | uniq > ${CONFIG_FILE} + # then copy any remaining settings from the existing config file, minus the option you changed + grep -v "^export ${CONFIG_OPTION}=" ${CONFIG_FILE} | grep -v "^${CONFIG_OPTION}=" >>${CONFIG_FILE}.tmp || true + sort ${CONFIG_FILE}.tmp | uniq >${CONFIG_FILE} rm -f ${CONFIG_FILE}.tmp } 
@@ -368,7 +366,7 @@ set_config() { CONFIG_FILE="$1" CONFIG_OPTION="$2" NEW_SETTING="$3" - + if grep -q "$CONFIG_OPTION" "$CONFIG_FILE"; then replace_config "$CONFIG_FILE" "$CONFIG_OPTION" "$NEW_SETTING" else
@@ -389,12 +387,11 @@ set_user_config() { # Load a config value to a variable, defaulting to empty. Does not fail if the # config is not set (since it would expand to empty by default). -load_config_value() -{ - local config_name="$1" - if grep -q "$config_name=" /tmp/config; then - grep "$config_name=" /tmp/config | tail -n1 | cut -f2 -d '=' | tr -d '"' - fi +load_config_value() { + local config_name="$1" + if grep -q "$config_name=" /tmp/config; then + grep "$config_name=" /tmp/config | tail -n1 | cut -f2 -d '=' | tr -d '"' + fi } # Generate a secret for TPM-less HOTP by reading the ROM. Output is the
@@ -413,13 +410,12 @@ secret_from_rom_hash() { sha256sum "${ROM_IMAGE}" | cut -f1 -d ' ' | fromhex_plain } -update_checksums() -{ +update_checksums() { TRACE "Under /etc/functions:update_checksums" # ensure /boot mounted - if ! grep -q /boot /proc/mounts ; then - mount -o ro /boot \ - || recovery "Unable to mount /boot" + if ! grep -q /boot /proc/mounts; then + mount -o ro /boot || + recovery "Unable to mount /boot" fi # remount RW
@@ -427,12 +423,12 @@ update_checksums() # sign and auto-roll config counter extparam= - if [ "$CONFIG_TPM" = "y" ];then + if [ "$CONFIG_TPM" = "y" ]; then if [ "$CONFIG_IGNORE_ROLLBACK" != "y" ]; then extparam=-r fi fi - if ! kexec-sign-config -p /boot -u $extparam ; then + if ! kexec-sign-config -p /boot -u $extparam; then rv=1 else rv=0 
@@ -466,15 +462,15 @@ escape_zero() { echo -e -n "$prefix" xxd -p -c1 | tr -d '\n' | - { - while IFS= read -r -n2 -d '' ; do - if [ -n "$todo" ] ; then - #REPLY == " " is EOF - [[ "$REPLY" == " " ]] && echo '' || echo -e -n "$todo" - todo="" - fi + { + while IFS= read -r -n2 -d ''; do + if [ -n "$todo" ]; then + #REPLY == " " is EOF + [[ "$REPLY" == " " ]] && echo '' || echo -e -n "$todo" + todo="" + fi - case "$REPLY" in + case "$REPLY" in 00) todo="\n$prefix" ;;
@@ -497,16 +493,16 @@ escape_zero() { echo -n "$echar$echar" ;; #interpreted characters: - 2[0-9a-f]|3[0-9a-f]|4[0-9a-f]|5[0-9abd-f]|6[0-9a-f]|7[0-9a-e]) + 2[0-9a-f] | 3[0-9a-f] | 4[0-9a-f] | 5[0-9abd-f] | 6[0-9a-f] | 7[0-9a-e]) echo -e -n '\x'"$REPLY" ;; # All others are escaped *) echo -n "${echar}x$REPLY" ;; - esac - done - } + esac + done + } } # Currently heads doesn't support signing file names with certain characters
@@ -515,14 +511,14 @@ escape_zero() { assert_signable() { TRACE "Under /etc/functions:assert_signable" # ensure /boot mounted - if ! grep -q /boot /proc/mounts ; then + if ! grep -q /boot /proc/mounts; then mount -o ro /boot || die "Unable to mount /boot" fi - find /boot -print0 > /tmp/signable.ref + find /boot -print0 >/tmp/signable.ref local del='\001-\037\134\177-\377' - LC_ALL=C tr -d "$del" < /tmp/signable.ref > /tmp/signable.del || die "Failed to execute tr." - if ! cmp -s "/tmp/signable.ref" "/tmp/signable.del" &> /dev/null ; then + LC_ALL=C tr -d "$del" /tmp/signable.del || die "Failed to execute tr." + if ! cmp -s "/tmp/signable.ref" "/tmp/signable.del" &>/dev/null; then local user_out="/tmp/hash_output_mismatches" local add="Please investigate!" [ -f "$user_out" ] && add="Please investigate the following relative paths to /boot (where # are sanitized invalid characters):"$'\n'"$(cat "$user_out")" 
@@ -531,8 +527,7 @@ assert_signable() { rm -f /tmp/signable.* } -verify_checksums() -{ +verify_checksums() { TRACE "Under /etc/functions:verify_checksums" local boot_dir="$1" local gui="${2:-y}"
@@ -541,20 +536,20 @@ verify_checksums() set +e -o pipefail local ret=0 cd "$boot_dir" || ret=1 - sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output || ret=1 + sha256sum -c "$TMP_HASH_FILE" >/tmp/hash_output || ret=1 # also make sure that the file & directory structure didn't change # (sha256sum won't detect added files) - print_tree > /tmp/tree_output || ret=1 - if ! cmp -s "$TMP_TREE_FILE" /tmp/tree_output &> /dev/null ; then + print_tree >/tmp/tree_output || ret=1 + if ! cmp -s "$TMP_TREE_FILE" /tmp/tree_output &>/dev/null; then ret=1 [[ "$gui" != "y" ]] && exit "$ret" # produce a diff that can safely be presented to the user # this is relatively hard as file names may e.g. contain backslashes etc., # which are interpreted by whiptail, less, ... - escape_zero "(new) " < "$TMP_TREE_FILE" > "${TMP_TREE_FILE}.user" - escape_zero "(new) " < /tmp/tree_output > /tmp/tree_output.user - diff "${TMP_TREE_FILE}.user" /tmp/tree_output.user | grep -E '^\+\(new\).*$' | sed -r 's/^\+\(new\)/(new)/g' >> /tmp/hash_output + escape_zero "(new) " <"$TMP_TREE_FILE" >"${TMP_TREE_FILE}.user" + escape_zero "(new) " /tmp/tree_output.user + diff "${TMP_TREE_FILE}.user" /tmp/tree_output.user | grep -E '^\+\(new\).*$' | sed -r 's/^\+\(new\)/(new)/g' >>/tmp/hash_output rm -f "${TMP_TREE_FILE}.user" rm -f /tmp/tree_output.user fi
@@ -565,8 +560,7 @@ verify_checksums() # detect and set /boot device # mount /boot if successful -detect_boot_device() -{ +detect_boot_device() { TRACE "Under /etc/functions:detect_boot_device" # unmount /boot to be safe cd / && umount /boot 2>/dev/null 
@@ -582,22 +576,22 @@ detect_boot_device() fi # generate list of possible boot devices - fdisk -l | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" > /tmp/disklist + fdisk -l | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" >/tmp/disklist # filter out extraneous options - > /tmp/boot_device_list - for i in `cat /tmp/disklist`; do + >/tmp/boot_device_list + for i in $(cat /tmp/disklist); do # remove block device from list if numeric partitions exist, since not bootable - DEV_NUM_PARTITIONS=$((`ls -1 $i* | wc -l`-1)) + DEV_NUM_PARTITIONS=$(($(ls -1 $i* | wc -l) - 1)) if [ ${DEV_NUM_PARTITIONS} -eq 0 ]; then - echo $i >> /tmp/boot_device_list + echo $i >>/tmp/boot_device_list else - ls $i* | tail -${DEV_NUM_PARTITIONS} >> /tmp/boot_device_list + ls $i* | tail -${DEV_NUM_PARTITIONS} >>/tmp/boot_device_list fi done # iterate thru possible options and check for grub dir - for i in `cat /tmp/boot_device_list`; do + for i in $(cat /tmp/boot_device_list); do umount /boot 2>/dev/null if mount -o ro $i /boot >/dev/null 2>&1; then if ls -d /boot/grub* >/dev/null 2>&1; then 
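Review bot: `for i in $(cat /tmp/disklist)` and `for i in $(cat /tmp/boot_device_list)` still word-split their input and then parse `ls $i*` output to count partitions, so any device path containing whitespace or a glob character is mishandled; the same pattern reappears in the next hunk's `for i in $(find $bootdir -name "$config")` loops in scan_boot_options. Since the commit is already rewriting these lines from backticks to `$(...)`, read the files line by line instead, `while IFS= read -r i; do ...; done </tmp/disklist` (likewise for `/tmp/boot_device_list`), and for the `find` loops use `find "$bootdir" -name "$config" -print0 | while IFS= read -r -d '' i; do ...; done`. The loop bodies should also quote the variable, e.g. `mount -o ro "$i" /boot` and `echo "$i" >>/tmp/boot_device_list`. detect_boot_device continues outside the hunk.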
@@ -613,30 +607,28 @@ detect_boot_device() return 1 } -scan_boot_options() -{ +scan_boot_options() { local bootdir config option_file bootdir="$1" config="$2" option_file="$3" if [ -r $option_file ]; then rm $option_file; fi - for i in `find $bootdir -name "$config"`; do - DO_WITH_DEBUG kexec-parse-boot "$bootdir" "$i" >> $option_file + for i in $(find $bootdir -name "$config"); do + DO_WITH_DEBUG kexec-parse-boot "$bootdir" "$i" >>$option_file done # FC29/30+ may use BLS format grub config files # https://fedoraproject.org/wiki/Changes/BootLoaderSpecByDefault # only parse these if $option_file is still empty if [ ! -s $option_file ] && [ -d "$bootdir/loader/entries" ]; then - for i in `find $bootdir -name "$config"`; do - kexec-parse-bls "$bootdir" "$i" "$bootdir/loader/entries" >> $option_file + for i in $(find $bootdir -name "$config"); do + kexec-parse-bls "$bootdir" "$i" "$bootdir/loader/entries" >>$option_file done fi } -calc() -{ - awk "BEGIN { print "$*" }"; +calc() { + awk "BEGIN { print "$*" }" } # truncate a file to a size only if it is longer (busybox truncate lacks '<' and 
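Review bot: The reformatted `calc` still builds its awk program by splicing the unquoted `$*` into the source text (`awk "BEGIN { print "$*" }"`, where the expansion sits between two quoted fragments), so whatever is passed is executed as awk code; the callers visible in this commit, print_battery_health and print_battery_charge, pass only numbers read from sysfs, but nothing in the function states that contract. Add a header comment making it explicit, e.g. `# Evaluate "$*" as an awk arithmetic expression; pass numeric values only, never user-controlled text.` In the same hunk, `if [ -r $option_file ]; then rm $option_file; fi` leaves `$option_file` unquoted; `if [ -r "$option_file" ]; then rm -- "$option_file"; fi` matches the quoting used on the neighbouring `DO_WITH_DEBUG kexec-parse-boot "$bootdir" "$i"` line.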
@@ -665,24 +657,21 @@ fromhex_plain() { fold -w 60 | xxd -p -r } -print_battery_health() -{ +print_battery_health() { if [ -d /sys/class/power_supply/BAT* ]; then - battery_health=$(calc $(cat /sys/class/power_supply/BAT*/charge_full)/$(cat /sys/class/power_supply/BAT*/charge_full_design)*100 | awk -F "." {'print $1'}) + battery_health=$(calc $(cat /sys/class/power_supply/BAT*/charge_full)/$(cat /sys/class/power_supply/BAT*/charge_full_design)*100 | awk -F "." {'print $1'}) echo "$battery_health" fi } -print_battery_charge() -{ +print_battery_charge() { if [ -d /sys/class/power_supply/BAT* ]; then - battery_charge=$(calc $(cat /sys/class/power_supply/BAT*/charge_now)/$(cat /sys/class/power_supply/BAT*/charge_full)*100 | awk -F "." {'print $1'}) - echo "$battery_charge" - fi + battery_charge=$(calc $(cat /sys/class/power_supply/BAT*/charge_now)/$(cat /sys/class/power_supply/BAT*/charge_full)*100 | awk -F "." {'print $1'}) + echo "$battery_charge" + fi } -generate_random_mac_address() -{ +generate_random_mac_address() { #Borrowed from https://stackoverflow.com/questions/42660218/bash-generate-random-mac-address-unicast hexdump -n 6 -ve '1/1 "%.2x "' /dev/urandom | awk -v a="2,6,a,e" -v r="$RANDOM" 'BEGIN{srand(r);}NR==1{split(a,b,",");r=int(rand()*4+1);printf "%s%s:%s:%s:%s:%s:%s\n",substr($1,0,1),b[r],$2,$3,$4,$5,$6}' }
@@ -713,9 +702,9 @@ run_at_exit_handlers() { # Silence trace if there are no handlers, this is common and occurs a lot [ "$cmd_pos" -gt 0 ] && DEBUG "Running at_exit handlers" while [ "$cmd_pos" -gt 0 ]; do - cmd_pos="$((cmd_pos-1))" + cmd_pos="$((cmd_pos - 1))" cmd_len="${AT_EXIT_HANDLERS[$cmd_pos]}" - cmd_pos="$((cmd_pos-cmd_len))" + cmd_pos="$((cmd_pos - cmd_len))" "${AT_EXIT_HANDLERS[@]:$cmd_pos:$cmd_len}" done }
diff --git a/initrd/etc/luks-functions b/initrd/etc/luks-functions
index c64c00dc..67c937a9 100644
--- a/initrd/etc/luks-functions
+++ b/initrd/etc/luks-functions 
@@ -301,7 +301,7 @@ while : ; do if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then #if no external provisioning provides current Disk Recovery Key passphrase whiptail --title 'Reencrypt LUKS disk encrypted container ?' \ - --msgbox "This will replace the encrypted container content and its Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user in the\nfollowing conditions:\n 1-Every boot if no Disk unlock key was added to the TPM\n 2-If the TPM fails (Hardware failure)\n 3-If the firmware has been tampered with/upgraded/modified by the user\n\nThis process requires you to type the current Disk Recovery Key passphrase\nand will delete TPM Disk unlock key slot if setuped by setting a default boot\n LUKS header (slot 1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to\nthe LUKS device container.\n\nHit Enter to continue." 0 80 + --msgbox "This will replace the encrypted container content and its Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user in the\nfollowing conditions:\n 1-Every boot if no Disk unlock key was added to the TPM\n 2-If the TPM fails (Hardware failure)\n 3-If the firmware has been tampered with/upgraded/modified by the user\n\nThis process requires you to type the current Disk Recovery Key passphrase\nand will delete TPM Disk unlock key slot if set up by setting a default boot\n LUKS header (slot 1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to\nthe LUKS device container.\n\nHit Enter to continue." 0 80 echo -e "\nEnter current Disk Recovery Key passphrase (Provisioned at OS installation or by OEM):" read -r luks_current_Disk_Recovery_Key_passphrase echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase
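Review bot: In the context just below the reworded `--msgbox`, `read -r luks_current_Disk_Recovery_Key_passphrase` reads the Disk Recovery Key passphrase with terminal echo on, so it is displayed on screen while typed, whereas the TPM Disk Unlock Key passphrase in kexec-seal-key (touched by this same commit) is read with `read -s -p`. Consider `read -r -s luks_current_Disk_Recovery_Key_passphrase; echo` for consistency, the trailing `echo` restoring the newline that `-s` suppresses. The passphrase is then written in clear to `/tmp/luks_current_Disk_Recovery_Key_passphrase` on the next line; I assume /tmp in the initrd is RAM-backed, but a comment stating that and which step removes the file would help the next reader. The enclosing `while : ; do` loop starts outside the hunk.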