Add empty keyring detection, clean up main menu

To help with onboarding new users to Heads, this change will detect when
Heads does not have any keys in its keyring and will guide the user
through adding a key to the running BIOS. It's important that this
happen *before* guiding them through setting up an initial TOTP/HOTP
secret because adding a GPG key changes the BIOS, so the user would have
to generate TOTP/HOTP secrets twice unless we handle the keyring case
first.

In addition to this change I've simplified the main menu so that the
majority of the options appear under an 'advanced' menu.
Kyle Rankin 2018-11-30 15:32:29 -08:00
parent 760429601a
commit 7f8738d6d8
No known key found for this signature in database
GPG Key ID: 555577116BFA74B9


@ -119,14 +119,24 @@ while true; do
last_half=$half; last_half=$half;
TOTP=`unseal-totp` TOTP=`unseal-totp`
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: TOTP Generation Failed!" \ # detect whether any GPG keys exist in the keyring, if not, initialize that first
--menu "ERROR: Heads couldn't generate the TOTP code.\n\nIf you just reflashed your BIOS, you'll need to generate a new TOTP secret.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nIf this is the first time the system has booted, you should reset the TPM\nand set your own password\n\nHow would you like to proceed?" 30 90 4 \ GPG_KEY_COUNT=`gpg -k 2>/dev/null | wc -l`
'g' ' Generate new TOTP/HOTP secret' \ if [ $GPG_KEY_COUNT -eq 0 ]; then
'i' ' Ignore error and continue to default boot menu' \ whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: GPG keyring empty!" \
'p' ' Reset the TPM' \ --menu "ERROR: Heads couldn't find any GPG keys in your keyring.\n\nIf this is the first time the system has booted, you should add a public GPG key to the BIOS now.\n\nIf you just reflashed a new BIOS, you'll need to add at least one public key to the keyring.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 30 90 4 \
'x' ' Exit to recovery shell' \ 'f' ' Add a GPG key to the running BIOS' \
2>/tmp/whiptail || recovery "GUI menu failed" 'i' ' Ignore error and continue to default boot menu' \
'x' ' Exit to recovery shell' \
2>/tmp/whiptail || recovery "GUI menu failed"
else
whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: TOTP Generation Failed!" \
--menu "ERROR: Heads couldn't generate the TOTP code.\n\nIf this is the first time the system has booted, you should reset the TPM\nand set your own password\n\nIf you just reflashed your BIOS, you'll need to generate a new TOTP secret.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 30 90 4 \
'g' ' Generate new TOTP/HOTP secret' \
'i' ' Ignore error and continue to default boot menu' \
'p' ' Reset the TPM' \
'x' ' Exit to recovery shell' \
2>/tmp/whiptail || recovery "GUI menu failed"
fi
totp_confirm=$(cat /tmp/whiptail) totp_confirm=$(cat /tmp/whiptail)
fi fi
fi fi
@ -157,8 +167,6 @@ while true; do
whiptail $MAIN_MENU_BG_COLOR --clear --title "$CONFIG_BOOT_GUI_MENU_NAME" \ whiptail $MAIN_MENU_BG_COLOR --clear --title "$CONFIG_BOOT_GUI_MENU_NAME" \
--menu "$date\nTOTP: $TOTP | HOTP: $HOTP" 20 90 10 \ --menu "$date\nTOTP: $TOTP | HOTP: $HOTP" 20 90 10 \
'y' ' Default boot' \ 'y' ' Default boot' \
'r' ' TOTP/HOTP does not match, refresh code' \
'o' ' Other Boot Options -->' \
'a' ' Advanced Settings -->' \ 'a' ' Advanced Settings -->' \
'x' ' Exit to recovery shell' \ 'x' ' Exit to recovery shell' \
2>/tmp/whiptail || recovery "GUI menu failed" 2>/tmp/whiptail || recovery "GUI menu failed"
@ -166,6 +174,22 @@ while true; do
totp_confirm=$(cat /tmp/whiptail) totp_confirm=$(cat /tmp/whiptail)
fi fi
if [ "$totp_confirm" = "a" ]; then
whiptail --clear --title "Advanced Settings" \
--menu "Configure Advanced Settings" 20 90 10 \
'o' ' Other Boot Options -->' \
'r' ' TOTP/HOTP does not match, refresh code' \
'g' ' Generate new TOTP/HOTP secret' \
's' ' Update checksums and sign all files in /boot' \
'f' ' Flash/Update the BIOS -->' \
'p' ' Reset the TPM' \
'n' ' TOTP/HOTP does not match after refresh, troubleshoot' \
'r' ' <-- Return to main menu' \
2>/tmp/whiptail || recovery "GUI menu failed"
totp_confirm=$(cat /tmp/whiptail)
fi
if [ "$totp_confirm" = "o" ]; then if [ "$totp_confirm" = "o" ]; then
whiptail --clear --title "Other Boot Options" \ whiptail --clear --title "Other Boot Options" \
--menu "Select A Boot Option" 20 90 10 \ --menu "Select A Boot Option" 20 90 10 \
@ -178,20 +202,6 @@ while true; do
totp_confirm=$(cat /tmp/whiptail) totp_confirm=$(cat /tmp/whiptail)
fi fi
if [ "$totp_confirm" = "a" ]; then
whiptail --clear --title "Advanced Settings" \
--menu "Configure Advanced Settings" 20 90 10 \
'g' ' Generate new TOTP/HOTP secret' \
's' ' Update checksums and sign all files in /boot' \
'f' ' Flash/Update the BIOS -->' \
'p' ' Reset the TPM' \
'n' ' TOTP/HOTP does not match after refresh, troubleshoot' \
'r' ' <-- Return to main menu' \
2>/tmp/whiptail || recovery "GUI menu failed"
totp_confirm=$(cat /tmp/whiptail)
fi
if [ "$totp_confirm" = "x" ]; then if [ "$totp_confirm" = "x" ]; then
recovery "User requested recovery shell" recovery "User requested recovery shell"
fi fi