diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init
index 252462f1..a9827050 100755
--- a/initrd/bin/gui-init
+++ b/initrd/bin/gui-init
@@ -50,6 +50,7 @@ while true; do
 'm' ' Show OS boot menu' \
 'u' ' USB boot' \
 'g' ' Generate new TOTP secret' \
+ 'i' ' Ignore tampering and force a boot (Unsafe!)' \
 'x' ' Exit to recovery shell' \
 2>/tmp/whiptail || recovery "GUI menu failed"
 
@@ -104,6 +105,18 @@ while true; do
 continue
 fi
 
+ if [ "$totp_confirm" = "i" ]; then
+ # Run the menu selection in "force" mode, bypassing hash checks
+ if (whiptail --title 'Unsafe Forced Boot Selected!' \
+ --yesno "WARNING: You have chosen to skip all tamper checks and boot anyway.\n\nThis is an unsafe option!\n\nDo you want to proceed?" 16 60) then
+ mount_boot
+ kexec-select-boot -m -b /boot -c "grub.cfg" -g -f
+ else
+ echo "Returning to the main menu"
+ fi
+ continue
+ fi
+
 if [ "$totp_confirm" = "y" -o -n "$totp_confirm" ]; then
 # Try to boot the default
 mount_boot
diff --git a/initrd/bin/kexec-select-boot b/initrd/bin/kexec-select-boot
index 8471ace5..ccdfc67d 100755
--- a/initrd/bin/kexec-select-boot
+++ b/initrd/bin/kexec-select-boot
@@ -13,7 +13,8 @@ valid_global_hash="n"
 valid_rollback="n"
 force_menu="n"
 gui_menu="n"
-while getopts "b:d:p:a:r:c:uimg" arg; do
+force_boot="n"
+while getopts "b:d:p:a:r:c:uimgf" arg; do
 case $arg in
 b) bootdir="$OPTARG" ;;
 d) paramsdev="$OPTARG" ;;
@@ -25,6 +26,7 @@ while getopts "b:d:p:a:r:c:uimg" arg; do
 m) force_menu="y" ;;
 i) valid_hash="y"; valid_rollback="y" ;;
 g) gui_menu="y" ;;
+ f) force_boot="y"; valid_hash="y"; valid_rollback="y" ;;
 esac
 done
 
@@ -291,6 +293,13 @@ while true; do
 TMP_KEY_DEVICES="/tmp/kexec/kexec_key_devices.txt"
 TMP_KEY_LVM="/tmp/kexec/kexec_key_lvm.txt"
 
+# Allow a way for users to ignore warnings and boot into their systems
+# even if hashes don't match
+ if [ "$force_boot" = "y" ]; then
+ scan_options
+ user_select
+ fi
+
 if [ "$CONFIG_TPM" = "y" \
 -a ! -r "$TMP_KEY_DEVICES" ]; then
 # Extend PCR4 as soon as possible
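Review bot: The confirmation dialog in the new `i` branch of gui-init accepts the forced boot on a bare Enter, because whiptail's `--yesno` defaults to Yes; for an option that skips every tamper check the refusing answer should be the default, e.g. `if (whiptail --defaultno --title 'Unsafe Forced Boot Selected!' \`. The exit status of `mount_boot` and of `kexec-select-boot ... -f` is also dropped, so if either returns, the loop goes back to the menu with no message; a short warning on that path would tell the user the forced boot did not happen. The enclosing `while true` loop starts and ends outside the hunk.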
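Review bot: The new `f)` arm in kexec-select-boot sets `valid_hash="y"` and `valid_rollback="y"`, so after option parsing a forced boot looks identical to a verified one to any later code that reads those flags. Whatever they gate further down (not visible in this hunk) will treat unverified /boot contents as verified; leaving them at "n" and testing `force_boot` only where the bypass is intended would keep the override narrow. At minimum the arm deserves a comment such as `# -f: user accepted unverified /boot in the GUI warning; hashes were NOT checked`. `valid_global_hash`, initialised just above the `getopts` loop, is not touched by `-f`, so it is worth confirming how that check behaves on the forced path.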
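Review bot: The forced-boot branch added at the top of the main loop in kexec-select-boot runs `scan_options` and `user_select` before the `CONFIG_TPM` block commented "Extend PCR4 as soon as possible", so on this path boot selection happens ahead of that extension. If `user_select` can go on to kexec by itself (its body is outside the hunk), an unverified boot would start with PCR4 not yet extended; placing the branch below the extend, or extending inside it as well, would close that gap, and this should be confirmed against the rest of the script. Nothing after `user_select` ends the iteration either, so if it returns, control falls into the normal flow with the validity flags already forced to "y". The two comment lines also sit at column 0 while the code they describe is indented; indent them to match.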