remove older qubes-specific files, no longer required in generic boot env

2024-12-20 05:28:08 +00:00 · 2017-07-17 12:31:58 -04:00 · 2017-07-17 12:31:58 -04:00 · 831dca5124
commit 831dca5124
parent 22282da905
10 changed files with 0 additions and 502 deletions
--- a/config/x230-qubes.config
+++ b/config/x230-qubes.config
@ -1,27 +0,0 @@
-# Configuration for a x230 running Qubes OS
-BOARD=x230
-
-CONFIG_CRYPTSETUP=y
-CONFIG_FLASHROM=y
-CONFIG_GPG=y
-CONFIG_KEXEC=y
-CONFIG_UTIL_LINUX=y
-CONFIG_LVM2=y
-CONFIG_MBEDTLS=y
-CONFIG_PCIUTILS=y
-CONFIG_POPT=y
-CONFIG_QRENCODE=y
-CONFIG_TPMTOTP=y
-CONFIG_XEN=y
-CONFIG_DROPBEAR=y
-
-CONFIG_LINUX_USB=y
-CONFIG_LINUX_E1000E=y
-
-CONFIG_BOOTSCRIPT=/bin/qubes-init
-
-CONFIG_USB_BOOT_DEV="/dev/sdb1"
-
-# Disks encrypted by the TPM LUKS key
-CONFIG_QUBES_BOOT_DEV="/dev/sda1"
-CONFIG_QUBES_VG="qubes_dom0"
--- a/initrd/bin/generate-crypttab
+++ b/initrd/bin/generate-crypttab
@ -1,11 +0,0 @@
-#!/bin/sh
-# Generate a crypttab file for all the devices that are
-# present on the system.  This is a total hack since the
-# rd.luks.key=/secret.key should be sufficient.
-
-keyfile=/secret.key
-
-for dev in /dev/sd*; do
-	uuid=`cryptsetup luksUUID "$dev" 2>/dev/null` || continue
-	echo "luks-$uuid /dev/disk/by-uuid/$uuid $keyfile luks"
-done
--- a/initrd/bin/qubes-boot
+++ b/initrd/bin/qubes-boot
@ -1,38 +0,0 @@
-#!/bin/sh
-# Final stage to start qubes given a Xen, dom0 kernel and initrd
-# get the UUID of the root file system
-# busybox blkid doesn't have a "just the UUID" option
-. /etc/functions
-. /etc/config
-
-XEN="$1"
-KERNEL="$2"
-INITRD="$3"
-
-if [ -z "$XEN" -o -z "$KERNEL" -o -z "$INITRD" ]; then
-	die "Usage: $0 /boot/xen... /boot/vmlinuz... /boot/initramfs..."
-fi
-
-# Activate the dom0 group, if it isn't already active
-lvm vgchange -a y "$CONFIG_QUBES_VG" \
-	|| die "$CONFIG_QUBES_VG: LVM volume group activate failed"
-
-ROOT_UUID=`blkid /dev/$CONFIG_QUBES_VG/00 | cut -d\" -f2`
-if [ -z "$ROOT_UUID" ]; then
-	die "$CONFIG_QUBES_VG/00: No UUID for /"
-fi
-
-echo "$CONFIG_QUBES_VG/00: UUID=$ROOT_UUID"
-
-# command line arguments are include in the signature on this script,
-echo '+++ Loading kernel and initrd'
-kexec \
-	-l \
-	--module "$KERNEL root=/dev/mapper/luks-$ROOT_UUID ro rd.qubes.hide_all_usb" \
-	--module "$INITRD" \
-	--command-line "no-real-mode reboot=no" \
-	"${XEN}" \
-|| die "kexec load failed"
-
-echo "+++ Starting Qubes..."
-exec kexec -e
--- a/initrd/bin/qubes-init
+++ b/initrd/bin/qubes-init
@ -1,83 +0,0 @@
-#!/bin/sh
-# Boot a Qubes installation that has already been setup.
-# This depends on the PCR 4 being "normal-boot":
-# f8fa3b6e32e7c6fe04c366e74636e505b28f3b0d
-# which is only set if the top level /init script has started
-# without user intervention or dropping into a recovery shell.
-
-. /etc/functions
-. /etc/config
-
-if [ "$1" = "recovery" ]; then
-	warn "Recovery mode boot; ignoring key failures"
-	RECOVERY=1
-fi
-
-# TODO: Allow /boot to be encrypted?
-# This would require a different TPM key, a user passphrase to decrypt it,
-# or loading the USB modules to talk to a Yubikey to get the thing.
-if ! grep -q /boot /proc/mounts ; then
-	mount -o ro "$CONFIG_QUBES_BOOT_DEV" /boot \
-		|| recovery '$CONFIG_BOOT_DEV: Unable to mount /boot'
-fi
-
-BOOT_HASHES=/boot/boot.hashes
-if [ ! -r "$BOOT_HASHES" ]; then
-	recovery "$BOOT_HASHES does not exist; re-run qubes-update"
-fi
-
-# Verify the signature on the hashes
-gpgv "$BOOT_HASHES.asc" "$BOOT_HASHES" \
-	|| recovery 'boot hashes signature failed'
-
-# Retrieve the TPM counter ID and generate its current value
-TPM_COUNTER=`grep counter $BOOT_HASHES | cut -d- -f2`
-if [ -z "$TPM_COUNTER" ]; then
-	recovery "$BOOT_HASHES: TPM counter not found?"
-fi
-
-read_tpm_counter $TPM_COUNTER
-
-# Check the hashes of all the files
-sha256sum -c "$BOOT_HASHES" \
-|| recovery "$BOOT_HASHES: hash mismatch"
-
-XEN=`grep /boot/xen $BOOT_HASHES | cut -d\  -f3 | tail -1`
-KERNEL=`grep /boot/vmlin $BOOT_HASHES | cut -d\  -f3 | tail -1`
-INITRD=`grep /boot/initram $BOOT_HASHES | cut -d\  -f3 | tail -1`
-
-# Activate the dom0 group
-lvm vgchange -a y "$CONFIG_QUBES_VG" \
-	|| recovery "$CONFIG_QUBES_VG: LVM volume group activate failed"
-
-# Measure the LUKS headers before we unseal the disk key
-qubes-measure-luks /dev/$CONFIG_QUBES_VG/* \
-	|| recovery "LUKS measure failed"
-
-# Unpack the initrd and fixup the /etc/crypttab
-# this is a hack to split it into two parts since
-# we know that the first 0x3400 bytes are the microcode
-INITRD_DIR=/tmp/secret/initrd
-SECRET_CPIO=/tmp/secret/initrd.cpio
-mkdir -p "$INITRD_DIR/etc"
-
-# Attempt to unseal the disk key from the TPM
-# should we give this some number of tries?
-if ! unseal-key "$INITRD_DIR/secret.key" ; then
-	warn 'Unseal disk key failed'
-	if [ -z "$RECOVERY" ]; then
-		recovery 'Starting recovery shell'
-	fi
-fi
-
-# Override PCR 4 so that user can't read the key
-tpm extend -ix 4 -ic qubes \
-	|| recovery 'Unable to scramble PCR'
-
-echo '+++ Building initrd'
-( cd "$INITRD_DIR" ; find . | cpio -H newc -o ) > "$SECRET_CPIO"
-cat "$INITRD" >> "$SECRET_CPIO"
-
-/bin/qubes-boot "$XEN" "$KERNEL" "$SECRET_CPIO"
-
-recovery "Something failed..."
--- a/initrd/bin/qubes-install
+++ b/initrd/bin/qubes-install
@ -1,29 +0,0 @@
-#!/bin/sh
-# Attempt to install qubes using the recovery shell and the pre-built
-# version of Xen
-
-. /etc/functions
-
-DEV="$1"
-if [ -z "$DEV" ]; then
-	DEV="/dev/sdb2"
-fi
-
-mount-usb "$DEV" \
-	|| die "$DEV: Unable to mount?"
-
-cd /media/efi/boot \
-	|| die "$DEV: cd to /media/efi/boot failed?"
-
-kexec -l \
-  --module "./vmlinuz inst.stage2=hd:LABEL=Qubes-R3.2-x86_64" \
-  --module "./initrd.img" \
-  --command-line "no-real-mode reboot=no" \
-  /bin/xen.gz \
-|| die "$DEV: kexec -l failed?"
-
-warn "Starting installer..."
-sleep 1
-kexec -e
-
-die "$DEV: kexec -e failed?"
--- a/initrd/bin/qubes-update
+++ b/initrd/bin/qubes-update
@ -1,45 +0,0 @@
-#!/bin/sh
-# Update the /boot partition signatures
-set -o pipefail
-. /etc/functions
-
-XEN="$1"
-KERNEL="$2"
-INITRD="$3"
-BOOT_HASHES="/boot/boot.hashes"
-
-if [ -z "$XEN" -o -z "$KERNEL" -o -z "$INITRD" ]; then
-	die "Usage: $0 /boot/xen... /boot/vmlinuz... /boot/initramfs..."
-fi
-
-confirm_gpg_card
-
-check_tpm_counter $BOOT_HASHES
-
-mount -o rw,remount /boot \
-|| die "Could not remount /boot"
-
-increment_tpm_counter $TPM_COUNTER
-
-sha256sum \
-	"$XEN" \
-	"$KERNEL" \
-	"$INITRD" \
-	"/tmp/counter-$TPM_COUNTER" \
-| tee "$BOOT_HASHES"
-
-for tries in 1 2 3; do
-	if gpg \
-		--digest-algo SHA256 \
-		--detach-sign \
-		-a \
-		"$BOOT_HASHES" \
-	; then
-		mount -o ro,remount /boot
-		exit 0
-	fi
-done
-
-warn "$BOOT_HASHES: Unable to sign boot hashes"
-mount -o ro,remount /boot
-exit 1
--- a/initrd/bin/seal-key
+++ b/initrd/bin/seal-key
@ -1,126 +0,0 @@
-#!/bin/sh
-# This will generate a disk encryption key and seal / ecncrypt
-# with the current PCRs and then store it in the TPM NVRAM.
-# It will then need to be bundled into initrd that is booted with Qubes.
-
-TPM_INDEX=3
-TPM_SIZE=312
-KEY_FILE="/tmp/secret/secret.key"
-TPM_SEALED="/tmp/secret/secret.sealed"
-RECOVERY_KEY="/tmp/secret/recovery.key"
-
-. /etc/functions
-. /etc/config
-
-# Activate the LVM volume group
-VOLUME_GROUP=qubes_dom0
-lvm vgchange -a y $VOLUME_GROUP \
-	|| die "$VOLUME_GROUP: unable to activate volume group"
-
-# Key slot 0 is the manual recovery pass phrase
-# that they user entered when they installed Qubes,
-# key slot 1 is the one that we've generated.
-read -s -p "Enter disk recovery key: " disk_password
-echo -n "$disk_password" > "$RECOVERY_KEY"
-echo
-
-# Remove all the old keys from slot 1
-for dev in /dev/$VOLUME_GROUP/*; do
-	echo "++++++ $dev: Removing old key slot"
-	cryptsetup luksKillSlot \
-		--key-file "$RECOVERY_KEY" \
-		$dev 1 \
-	|| warn "$dev: ignoring problem"
-done
-
-read -s -p "New disk unlock password for booting: " key_password
-echo
-read -s -p "Repeat unlock code: " key_password2
-echo
-
-if [ "$key_password" != "$key_password2" ]; then
-	die "Key passwords do not match"
-fi
-
-dd \
-	if=/dev/urandom \
-	of="$KEY_FILE" \
-	bs=1 \
-	count=128 \
-	2>/dev/null \
-|| die "Unable to generate 128 random bytes"
-
-for dev in /dev/$VOLUME_GROUP/*; do
-	echo "+++++ $dev: Adding key"
-	cryptsetup luksAddKey \
-		--key-file "$RECOVERY_KEY" \
-		--key-slot 1 \
-		$dev "$KEY_FILE" \
-	|| die "$dev: Unable to add key"
-done
-
-# Now that we have setup the new keys, measure the PCRs
-# We don't care what ends up in PCR 6; we just want
-# to get the /tmp/luksDump.txt file.  We use PCR16
-# since it should still be zero
-/bin/qubes-measure-luks /dev/$VOLUME_GROUP/* \
-	|| die "Unable to measure the LUKS headers"
-luks_pcr=`tpm calcfuturepcr -ix 16 -if /tmp/luksDump.txt`
-
-# Note that PCR 4 needs to be set with the "normal-boot"
-# path value, which we do not have right now since we are
-# in a recovery shell.
-# used to be -ix 4 f8fa3b6e32e7c6fe04c366e74636e505b28f3b0d \
-# now just all zeros in a normal boot
-# PCR 5 must be all zero since no kernel modules should have
-# been loaded during a normal boot, but might have been
-# loaded in the recovery shell.
-# Otherwise use the current values of the PCRs, which will be read
-# from the TPM as part of the sealing ("X").
-tpm sealfile2 \
-	-if "$KEY_FILE" \
-	-of "$TPM_SEALED" \
-	-pwdd "$key_password" \
-	-hk 40000000 \
-	-ix 0 X \
-	-ix 1 X \
-	-ix 2 X \
-	-ix 3 X \
-	-ix 4 0000000000000000000000000000000000000000 \
-	-ix 5 0000000000000000000000000000000000000000 \
-	-ix 6 $luks_pcr \
-|| die "Unable to seal secret"
-
-rm -f "$KEY_FILE"
-
-# try it without the owner password first
-if ! tpm nv_writevalue \
-	-in $TPM_INDEX \
-	-if "$TPM_SEALED" \
-; then
-	# to create an nvram space we need the TPM owner password
-	# and the TPM physical presence must be asserted.
-	#
-	# The permissions are 0 since there is nothing special
-	# about the sealed file
-	tpm physicalpresence -s \
-	|| warn "Warning: Unable to assert physical presence"
-
-	read -s -p "TPM Owner password: " tpm_password
-	echo
-
-	tpm nv_definespace \
-		-in $TPM_INDEX \
-		-sz $TPM_SIZE \
-		-pwdo "$tpm_password" \
-		-per 0 \
-	|| warn "Warning: Unable to define NVRAM space; trying anyway"
-
-
-	tpm nv_writevalue \
-		-in $TPM_INDEX \
-		-if "$TPM_SEALED" \
-	|| die "Unable to write sealed secret to NVRAM"
-fi
-
-rm "$TPM_SEALED" \
--- a/initrd/bin/start-xen
+++ b/initrd/bin/start-xen
@ -1,30 +0,0 @@
-#!/bin/sh
-mount -o ro -t ext4 /dev/sda1 /boot
-
-die() { echo >&2 "$*"; exit 1; }
-
-XEN=/boot/xen-4.6.3.gz
-INITRD=/boot/initramfs-4.4.14-11.pvops.qubes.x86_64.img
-KERNEL=/boot/vmlinuz-4.4.14-11.pvops.qubes.x86_64
-
-echo "+++ Checking $XEN"
-gpgv "${XEN}.asc" "${XEN}" || die "Xen signature failed"
-
-echo "+++ Checking $INITRD"
-gpgv "${INITRD}.asc" "${INITRD}" || die "Initrd signature failed"
-
-echo "+++ Checking $KERNEL"
-gpgv "${KERNEL}.asc" "${KERNEL}" || die "Kernel signature failed"
-
-# should also check xen command line arguments!
-# should also check kernel command line arguments!
-
-kexec \
-	-l \
-	--module "${KERNEL} root=LABEL=root rhgb" \
-	--module "${INITRD}" \
-	--command-line "no-real-mode reboot=no console=vga dom0_mem=min:1024M dom0_mem=max:4096M" \
-	"${XEN}"
-
-
-echo "Ready to start Xen: run 'kexec -e' to execute it"
--- a/initrd/bin/unseal-key
+++ b/initrd/bin/unseal-key
@ -1,92 +0,0 @@
-#!/bin/sh
-# This will unseal and unecncrypt the drive encryption key from the TPM
-# The TOTP secret will be shown to the user on each encryption attempt.
-# It will then need to be bundled into initrd that is booted with Qubes.
-
-TPM_INDEX=3
-TPM_SIZE=312
-
-. /etc/functions
-mkdir -p /tmp/secret
-
-sealed_file="/tmp/secret/sealed.key"
-key_file="$1"
-
-if [ -z "$key_file" ]; then
-	key_file="/tmp/secret/secret.key"
-fi
-
-tpm nv_readvalue \
-	-in "$TPM_INDEX" \
-	-sz "$TPM_SIZE" \
-	-of "$sealed_file" \
-|| die "Unable to read key from TPM NVRAM"
-
-
-get_password()
-{
-	last_half=X
-
-	while true; do
-
-		# update the TOTP code every thirty seconds
-		date=`date "+%Y-%m-%d %H:%M:%S"`
-		seconds=`date "+%s"`
-		half=`expr \( $seconds % 60 \) / 30`
-		if [ "$half" != "$last_half" ]; then
-			last_half=$half;
-			TOTP=`unseal-totp` \
-			|| die "TOTP code generation failed"
-		fi
-
-		echo -n "$date $TOTP: "
-
-		# read the first character, non-blocking
-		read \
-			-t 1 \
-			-n 1 \
-			-s \
-			-p "Enter unlock password: " \
-			tpm_password_1 \
-		&& break
-
-		# nothing typed, redraw the line
-		echo -ne '\r'
-	done
-
-	# they have started typing, read the rest, blocking
-	if [ -z "$tpm_password_1" ]; then
-		# they hit enter; we should exit gracefully
-		tpm_password=""
-	else
-		# they hit something else, read the rest of the line
-		read \
-			-s \
-			-p '' \
-			tpm_password_2
-		tpm_password="$tpm_password_1$tpm_password_2"
-	fi
-
-	# clean up with a newline
-	echo
-
-}
-
-for tries in 1 2 3; do
-	get_password
-
-	if tpm unsealfile \
-		-if "$sealed_file" \
-		-of "$key_file" \
-		-pwdd "$tpm_password" \
-		-hk 40000000 \
-	; then
-		rm -f /tmp/secret/sealed
-		exit 0
-	fi
-
-	pcrs
-	warn "Unable to unseal disk encryption key"
-done
-
-die "Retry count exceeded..."
--- a/initrd/bin/wrap-cpio
+++ b/initrd/bin/wrap-cpio
@ -1,21 +0,0 @@
-#!/bin/sh
-# Add additional files to the initrd cpio so that we can pass
-# new keys to the Qubes startup routines.
-# Usage:
-#  wrap-cpio /boot/initrd.blah /tmp/root/ > /tmp/new.cpio
-
-die() { echo >&2 "$@"; exit 1; }
-warn() { echo >&2 "$@"; }
-
-cpio_file="$1"
-if [ -z "$cpio_file" ]; then
-	die "Initial cpio must be specified"
-fi
-
-new_dir="$2"
-if [ -z "$new_dir" ]; then
-	die "Additional directory must be specified"
-fi
-
-( cd "$new_dir" ; find . | cpio -H newc -ov )
-cat "$cpio_file"