remove older qubes-specific files, no longer required in generic boot env

2024-12-20 05:28:08 +00:00 · 2017-07-17 12:31:58 -04:00 · 2017-07-17 12:31:58 -04:00 · 831dca5124
commit 831dca5124
parent 22282da905
10 changed files with 0 additions and 502 deletions
--- a/config/x230-qubes.config
+++ b/config/x230-qubes.config
@ -1,27 +0,0 @@
 # Configuration for a x230 running Qubes OS
 BOARD=x230
 CONFIG_CRYPTSETUP=y
 CONFIG_FLASHROM=y
 CONFIG_GPG=y
 CONFIG_KEXEC=y
 CONFIG_UTIL_LINUX=y
 CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y
 CONFIG_POPT=y
 CONFIG_QRENCODE=y
 CONFIG_TPMTOTP=y
 CONFIG_XEN=y
 CONFIG_DROPBEAR=y
 CONFIG_LINUX_USB=y
 CONFIG_LINUX_E1000E=y
 CONFIG_BOOTSCRIPT=/bin/qubes-init
 CONFIG_USB_BOOT_DEV="/dev/sdb1"
 # Disks encrypted by the TPM LUKS key
 CONFIG_QUBES_BOOT_DEV="/dev/sda1"
 CONFIG_QUBES_VG="qubes_dom0"
--- a/initrd/bin/generate-crypttab
+++ b/initrd/bin/generate-crypttab
@ -1,11 +0,0 @@
 #!/bin/sh
 # Generate a crypttab file for all the devices that are
 # present on the system.  This is a total hack since the
 # rd.luks.key=/secret.key should be sufficient.
 keyfile=/secret.key
 for dev in /dev/sd*; do
 	uuid=`cryptsetup luksUUID "$dev" 2>/dev/null` || continue
 	echo "luks-$uuid /dev/disk/by-uuid/$uuid $keyfile luks"
 done
--- a/initrd/bin/qubes-boot
+++ b/initrd/bin/qubes-boot
@ -1,38 +0,0 @@
 #!/bin/sh
 # Final stage to start qubes given a Xen, dom0 kernel and initrd
 # get the UUID of the root file system
 # busybox blkid doesn't have a "just the UUID" option
 . /etc/functions
 . /etc/config
 XEN="$1"
 KERNEL="$2"
 INITRD="$3"
 if [ -z "$XEN" -o -z "$KERNEL" -o -z "$INITRD" ]; then
 	die "Usage: $0 /boot/xen... /boot/vmlinuz... /boot/initramfs..."
 fi
 # Activate the dom0 group, if it isn't already active
 lvm vgchange -a y "$CONFIG_QUBES_VG" \
 	|| die "$CONFIG_QUBES_VG: LVM volume group activate failed"
 ROOT_UUID=`blkid /dev/$CONFIG_QUBES_VG/00 | cut -d\" -f2`
 if [ -z "$ROOT_UUID" ]; then
 	die "$CONFIG_QUBES_VG/00: No UUID for /"
 fi
 echo "$CONFIG_QUBES_VG/00: UUID=$ROOT_UUID"
 # command line arguments are include in the signature on this script,
 echo '+++ Loading kernel and initrd'
 kexec \
 	-l \
 	--module "$KERNEL root=/dev/mapper/luks-$ROOT_UUID ro rd.qubes.hide_all_usb" \
 	--module "$INITRD" \
 	--command-line "no-real-mode reboot=no" \
 	"${XEN}" \
 || die "kexec load failed"
 echo "+++ Starting Qubes..."
 exec kexec -e
--- a/initrd/bin/qubes-init
+++ b/initrd/bin/qubes-init
@ -1,83 +0,0 @@
 #!/bin/sh
 # Boot a Qubes installation that has already been setup.
 # This depends on the PCR 4 being "normal-boot":
 # f8fa3b6e32e7c6fe04c366e74636e505b28f3b0d
 # which is only set if the top level /init script has started
 # without user intervention or dropping into a recovery shell.
 . /etc/functions
 . /etc/config
 if [ "$1" = "recovery" ]; then
 	warn "Recovery mode boot; ignoring key failures"
 	RECOVERY=1
 fi
 # TODO: Allow /boot to be encrypted?
 # This would require a different TPM key, a user passphrase to decrypt it,
 # or loading the USB modules to talk to a Yubikey to get the thing.
 if ! grep -q /boot /proc/mounts ; then
 	mount -o ro "$CONFIG_QUBES_BOOT_DEV" /boot \
 		|| recovery '$CONFIG_BOOT_DEV: Unable to mount /boot'
 fi
 BOOT_HASHES=/boot/boot.hashes
 if [ ! -r "$BOOT_HASHES" ]; then
 	recovery "$BOOT_HASHES does not exist; re-run qubes-update"
 fi
 # Verify the signature on the hashes
 gpgv "$BOOT_HASHES.asc" "$BOOT_HASHES" \
 	|| recovery 'boot hashes signature failed'
 # Retrieve the TPM counter ID and generate its current value
 TPM_COUNTER=`grep counter $BOOT_HASHES | cut -d- -f2`
 if [ -z "$TPM_COUNTER" ]; then
 	recovery "$BOOT_HASHES: TPM counter not found?"
 fi
 read_tpm_counter $TPM_COUNTER
 # Check the hashes of all the files
 sha256sum -c "$BOOT_HASHES" \
 || recovery "$BOOT_HASHES: hash mismatch"
 XEN=`grep /boot/xen $BOOT_HASHES | cut -d\  -f3 | tail -1`
 KERNEL=`grep /boot/vmlin $BOOT_HASHES | cut -d\  -f3 | tail -1`
 INITRD=`grep /boot/initram $BOOT_HASHES | cut -d\  -f3 | tail -1`
 # Activate the dom0 group
 lvm vgchange -a y "$CONFIG_QUBES_VG" \
 	|| recovery "$CONFIG_QUBES_VG: LVM volume group activate failed"
 # Measure the LUKS headers before we unseal the disk key
 qubes-measure-luks /dev/$CONFIG_QUBES_VG/* \
 	|| recovery "LUKS measure failed"
 # Unpack the initrd and fixup the /etc/crypttab
 # this is a hack to split it into two parts since
 # we know that the first 0x3400 bytes are the microcode
 INITRD_DIR=/tmp/secret/initrd
 SECRET_CPIO=/tmp/secret/initrd.cpio
 mkdir -p "$INITRD_DIR/etc"
 # Attempt to unseal the disk key from the TPM
 # should we give this some number of tries?
 if ! unseal-key "$INITRD_DIR/secret.key" ; then
 	warn 'Unseal disk key failed'
 	if [ -z "$RECOVERY" ]; then
 		recovery 'Starting recovery shell'
 	fi
 fi
 # Override PCR 4 so that user can't read the key
 tpm extend -ix 4 -ic qubes \
 	|| recovery 'Unable to scramble PCR'
 echo '+++ Building initrd'
 ( cd "$INITRD_DIR" ; find . | cpio -H newc -o ) > "$SECRET_CPIO"
 cat "$INITRD" >> "$SECRET_CPIO"
 /bin/qubes-boot "$XEN" "$KERNEL" "$SECRET_CPIO"
 recovery "Something failed..."
--- a/initrd/bin/qubes-install
+++ b/initrd/bin/qubes-install
@ -1,29 +0,0 @@
 #!/bin/sh
 # Attempt to install qubes using the recovery shell and the pre-built
 # version of Xen
 . /etc/functions
 DEV="$1"
 if [ -z "$DEV" ]; then
 	DEV="/dev/sdb2"
 fi
 mount-usb "$DEV" \
 	|| die "$DEV: Unable to mount?"
 cd /media/efi/boot \
 	|| die "$DEV: cd to /media/efi/boot failed?"
 kexec -l \
  --module "./vmlinuz inst.stage2=hd:LABEL=Qubes-R3.2-x86_64" \
  --module "./initrd.img" \
  --command-line "no-real-mode reboot=no" \
  /bin/xen.gz \
 || die "$DEV: kexec -l failed?"
 warn "Starting installer..."
 sleep 1
 kexec -e
 die "$DEV: kexec -e failed?"
--- a/initrd/bin/qubes-update
+++ b/initrd/bin/qubes-update
@ -1,45 +0,0 @@
 #!/bin/sh
 # Update the /boot partition signatures
 set -o pipefail
 . /etc/functions
 XEN="$1"
 KERNEL="$2"
 INITRD="$3"
 BOOT_HASHES="/boot/boot.hashes"
 if [ -z "$XEN" -o -z "$KERNEL" -o -z "$INITRD" ]; then
 	die "Usage: $0 /boot/xen... /boot/vmlinuz... /boot/initramfs..."
 fi
 confirm_gpg_card
 check_tpm_counter $BOOT_HASHES
 mount -o rw,remount /boot \
 || die "Could not remount /boot"
 increment_tpm_counter $TPM_COUNTER
 sha256sum \
 	"$XEN" \
 	"$KERNEL" \
 	"$INITRD" \
 	"/tmp/counter-$TPM_COUNTER" \
 | tee "$BOOT_HASHES"
 for tries in 1 2 3; do
 	if gpg \
 		--digest-algo SHA256 \
 		--detach-sign \
 		-a \
 		"$BOOT_HASHES" \
 	; then
 		mount -o ro,remount /boot
 		exit 0
 	fi
 done
 warn "$BOOT_HASHES: Unable to sign boot hashes"
 mount -o ro,remount /boot
 exit 1
--- a/initrd/bin/seal-key
+++ b/initrd/bin/seal-key
@ -1,126 +0,0 @@
 #!/bin/sh
 # This will generate a disk encryption key and seal / ecncrypt
 # with the current PCRs and then store it in the TPM NVRAM.
 # It will then need to be bundled into initrd that is booted with Qubes.
 TPM_INDEX=3
 TPM_SIZE=312
 KEY_FILE="/tmp/secret/secret.key"
 TPM_SEALED="/tmp/secret/secret.sealed"
 RECOVERY_KEY="/tmp/secret/recovery.key"
 . /etc/functions
 . /etc/config
 # Activate the LVM volume group
 VOLUME_GROUP=qubes_dom0
 lvm vgchange -a y $VOLUME_GROUP \
 	|| die "$VOLUME_GROUP: unable to activate volume group"
 # Key slot 0 is the manual recovery pass phrase
 # that they user entered when they installed Qubes,
 # key slot 1 is the one that we've generated.
 read -s -p "Enter disk recovery key: " disk_password
 echo -n "$disk_password" > "$RECOVERY_KEY"
 echo
 # Remove all the old keys from slot 1
 for dev in /dev/$VOLUME_GROUP/*; do
 	echo "++++++ $dev: Removing old key slot"
 	cryptsetup luksKillSlot \
 		--key-file "$RECOVERY_KEY" \
 		$dev 1 \
 	|| warn "$dev: ignoring problem"
 done
 read -s -p "New disk unlock password for booting: " key_password
 echo
 read -s -p "Repeat unlock code: " key_password2
 echo
 if [ "$key_password" != "$key_password2" ]; then
 	die "Key passwords do not match"
 fi
 dd \
 	if=/dev/urandom \
 	of="$KEY_FILE" \
 	bs=1 \
 	count=128 \
 	2>/dev/null \
 || die "Unable to generate 128 random bytes"
 for dev in /dev/$VOLUME_GROUP/*; do
 	echo "+++++ $dev: Adding key"
 	cryptsetup luksAddKey \
 		--key-file "$RECOVERY_KEY" \
 		--key-slot 1 \
 		$dev "$KEY_FILE" \
 	|| die "$dev: Unable to add key"
 done
 # Now that we have setup the new keys, measure the PCRs
 # We don't care what ends up in PCR 6; we just want
 # to get the /tmp/luksDump.txt file.  We use PCR16
 # since it should still be zero
 /bin/qubes-measure-luks /dev/$VOLUME_GROUP/* \
 	|| die "Unable to measure the LUKS headers"
 luks_pcr=`tpm calcfuturepcr -ix 16 -if /tmp/luksDump.txt`
 # Note that PCR 4 needs to be set with the "normal-boot"
 # path value, which we do not have right now since we are
 # in a recovery shell.
 # used to be -ix 4 f8fa3b6e32e7c6fe04c366e74636e505b28f3b0d \
 # now just all zeros in a normal boot
 # PCR 5 must be all zero since no kernel modules should have
 # been loaded during a normal boot, but might have been
 # loaded in the recovery shell.
 # Otherwise use the current values of the PCRs, which will be read
 # from the TPM as part of the sealing ("X").
 tpm sealfile2 \
 	-if "$KEY_FILE" \
 	-of "$TPM_SEALED" \
 	-pwdd "$key_password" \
 	-hk 40000000 \
 	-ix 0 X \
 	-ix 1 X \
 	-ix 2 X \
 	-ix 3 X \
 	-ix 4 0000000000000000000000000000000000000000 \
 	-ix 5 0000000000000000000000000000000000000000 \
 	-ix 6 $luks_pcr \
 || die "Unable to seal secret"
 rm -f "$KEY_FILE"
 # try it without the owner password first
 if ! tpm nv_writevalue \
 	-in $TPM_INDEX \
 	-if "$TPM_SEALED" \
 ; then
 	# to create an nvram space we need the TPM owner password
 	# and the TPM physical presence must be asserted.
 	#
 	# The permissions are 0 since there is nothing special
 	# about the sealed file
 	tpm physicalpresence -s \
 	|| warn "Warning: Unable to assert physical presence"
 	read -s -p "TPM Owner password: " tpm_password
 	echo
 	tpm nv_definespace \
 		-in $TPM_INDEX \
 		-sz $TPM_SIZE \
 		-pwdo "$tpm_password" \
 		-per 0 \
 	|| warn "Warning: Unable to define NVRAM space; trying anyway"
 	tpm nv_writevalue \
 		-in $TPM_INDEX \
 		-if "$TPM_SEALED" \
 	|| die "Unable to write sealed secret to NVRAM"
 fi
 rm "$TPM_SEALED" \
--- a/initrd/bin/start-xen
+++ b/initrd/bin/start-xen
@ -1,30 +0,0 @@
 #!/bin/sh
 mount -o ro -t ext4 /dev/sda1 /boot
 die() { echo >&2 "$*"; exit 1; }
 XEN=/boot/xen-4.6.3.gz
 INITRD=/boot/initramfs-4.4.14-11.pvops.qubes.x86_64.img
 KERNEL=/boot/vmlinuz-4.4.14-11.pvops.qubes.x86_64
 echo "+++ Checking $XEN"
 gpgv "${XEN}.asc" "${XEN}" || die "Xen signature failed"
 echo "+++ Checking $INITRD"
 gpgv "${INITRD}.asc" "${INITRD}" || die "Initrd signature failed"
 echo "+++ Checking $KERNEL"
 gpgv "${KERNEL}.asc" "${KERNEL}" || die "Kernel signature failed"
 # should also check xen command line arguments!
 # should also check kernel command line arguments!
 kexec \
 	-l \
 	--module "${KERNEL} root=LABEL=root rhgb" \
 	--module "${INITRD}" \
 	--command-line "no-real-mode reboot=no console=vga dom0_mem=min:1024M dom0_mem=max:4096M" \
 	"${XEN}"
 echo "Ready to start Xen: run 'kexec -e' to execute it"
--- a/initrd/bin/unseal-key
+++ b/initrd/bin/unseal-key
@ -1,92 +0,0 @@
 #!/bin/sh
 # This will unseal and unecncrypt the drive encryption key from the TPM
 # The TOTP secret will be shown to the user on each encryption attempt.
 # It will then need to be bundled into initrd that is booted with Qubes.
 TPM_INDEX=3
 TPM_SIZE=312
 . /etc/functions
 mkdir -p /tmp/secret
 sealed_file="/tmp/secret/sealed.key"
 key_file="$1"
 if [ -z "$key_file" ]; then
 	key_file="/tmp/secret/secret.key"
 fi
 tpm nv_readvalue \
 	-in "$TPM_INDEX" \
 	-sz "$TPM_SIZE" \
 	-of "$sealed_file" \
 || die "Unable to read key from TPM NVRAM"
 get_password()
 {
 	last_half=X
 	while true; do
 		# update the TOTP code every thirty seconds
 		date=`date "+%Y-%m-%d %H:%M:%S"`
 		seconds=`date "+%s"`
 		half=`expr \( $seconds % 60 \) / 30`
 		if [ "$half" != "$last_half" ]; then
 			last_half=$half;
 			TOTP=`unseal-totp` \
 			|| die "TOTP code generation failed"
 		fi
 		echo -n "$date $TOTP: "
 		# read the first character, non-blocking
 		read \
 			-t 1 \
 			-n 1 \
 			-s \
 			-p "Enter unlock password: " \
 			tpm_password_1 \
 		&& break
 		# nothing typed, redraw the line
 		echo -ne '\r'
 	done
 	# they have started typing, read the rest, blocking
 	if [ -z "$tpm_password_1" ]; then
 		# they hit enter; we should exit gracefully
 		tpm_password=""
 	else
 		# they hit something else, read the rest of the line
 		read \
 			-s \
 			-p '' \
 			tpm_password_2
 		tpm_password="$tpm_password_1$tpm_password_2"
 	fi
 	# clean up with a newline
 	echo
 }
 for tries in 1 2 3; do
 	get_password
 	if tpm unsealfile \
 		-if "$sealed_file" \
 		-of "$key_file" \
 		-pwdd "$tpm_password" \
 		-hk 40000000 \
 	; then
 		rm -f /tmp/secret/sealed
 		exit 0
 	fi
 	pcrs
 	warn "Unable to unseal disk encryption key"
 done
 die "Retry count exceeded..."
--- a/initrd/bin/wrap-cpio
+++ b/initrd/bin/wrap-cpio
@ -1,21 +0,0 @@
 #!/bin/sh
 # Add additional files to the initrd cpio so that we can pass
 # new keys to the Qubes startup routines.
 # Usage:
 #  wrap-cpio /boot/initrd.blah /tmp/root/ > /tmp/new.cpio
 die() { echo >&2 "$@"; exit 1; }
 warn() { echo >&2 "$@"; }
 cpio_file="$1"
 if [ -z "$cpio_file" ]; then
 	die "Initial cpio must be specified"
 fi
 new_dir="$2"
 if [ -z "$new_dir" ]; then
 	die "Additional directory must be specified"
 fi
 ( cd "$new_dir" ; find . | cpio -H newc -ov )
 cat "$cpio_file"