config-gui.sh: Reword Restricted Boot prompts

Simplify "enable" prompt a bit, clarify that firmware updating is blocked, and remove mention of "failsafe boot mode". Reword "disable" prompt similarly. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2025-04-12 21:53:03 +00:00 · 2023-07-11 15:58:57 -04:00 · 2023-07-11 15:58:57 -04:00 · 718be739eb
commit 718be739eb
parent 61609ff709
1 changed files with 13 additions and 11 deletions
--- a/initrd/bin/config-gui.sh
+++ b/initrd/bin/config-gui.sh
@ -318,12 +318,15 @@ while true; do
    "L" )
      if [ "$CONFIG_RESTRICTED_BOOT" != "y" ]; then
        if (whiptail --title 'Enable Restricted Boot Mode?' \
-             --yesno "This will disable booting from any unsigned files,
-                    \nincluding kernels that have not yet been signed,
-                    \n.isos without signatures, raw USB disks,
-                    \nand will disable failsafe boot mode.
-                    \n\nThis will also disable the recovery console.
-                    \n\nDo you want to proceed?" 0 80) then
+             --yesno "Restricted Boot allows booting:
+                    \n* Signed installed OS
+                    \n* Signed ISOs from USB
+                    \nAll other boot methods are blocked.  Recovery console and firmware updates
+                    \nwill be blocked.
+                    \nRestricted boot can be disabled at any time.  This resets TOTP/HOTP so it
+                    \nis evident that Restricted Boot was disabled.
+                    \n
+                    \nDo you want to proceed?" 0 80) then

          set_user_config "CONFIG_RESTRICTED_BOOT" "y"

@ -333,11 +336,10 @@ while true; do
        fi
      else
        if (whiptail --title 'Disable Restricted Boot Mode?' \
-             --yesno "This will allow booting from unsigned devices,
-                    \nand will re-enable failsafe boot mode.
-                    \n\nThis will also erase the TOTP/HOTP secret and
-                    \nre-enable the recovery console.
-                    \n\nProceeding will automatically update the boot firmware and reboot!
+             --yesno "This will re-enable all boot methods, the recovery console, and firmware
+                    \nupdates.
+                    \nThis will also erase the TOTP/HOTP secret.
+                    \nProceeding will automatically update the boot firmware and reboot!
                    \n\nDo you want to proceed?" 0 80) then

          # Wipe the TPM TOTP/HOTP secret before flashing.  Otherwise, enabling