remove older qubes-specific files, no longer required in generic boot env
This commit is contained in:
parent
22282da905
commit
831dca5124
@ -1,27 +0,0 @@
|
||||
# Configuration for a x230 running Qubes OS
|
||||
BOARD=x230
|
||||
|
||||
CONFIG_CRYPTSETUP=y
|
||||
CONFIG_FLASHROM=y
|
||||
CONFIG_GPG=y
|
||||
CONFIG_KEXEC=y
|
||||
CONFIG_UTIL_LINUX=y
|
||||
CONFIG_LVM2=y
|
||||
CONFIG_MBEDTLS=y
|
||||
CONFIG_PCIUTILS=y
|
||||
CONFIG_POPT=y
|
||||
CONFIG_QRENCODE=y
|
||||
CONFIG_TPMTOTP=y
|
||||
CONFIG_XEN=y
|
||||
CONFIG_DROPBEAR=y
|
||||
|
||||
CONFIG_LINUX_USB=y
|
||||
CONFIG_LINUX_E1000E=y
|
||||
|
||||
CONFIG_BOOTSCRIPT=/bin/qubes-init
|
||||
|
||||
CONFIG_USB_BOOT_DEV="/dev/sdb1"
|
||||
|
||||
# Disks encrypted by the TPM LUKS key
|
||||
CONFIG_QUBES_BOOT_DEV="/dev/sda1"
|
||||
CONFIG_QUBES_VG="qubes_dom0"
|
@ -1,11 +0,0 @@
|
||||
#!/bin/sh
|
||||
# Generate a crypttab file for all the devices that are
|
||||
# present on the system. This is a total hack since the
|
||||
# rd.luks.key=/secret.key should be sufficient.
|
||||
|
||||
keyfile=/secret.key
|
||||
|
||||
for dev in /dev/sd*; do
|
||||
uuid=`cryptsetup luksUUID "$dev" 2>/dev/null` || continue
|
||||
echo "luks-$uuid /dev/disk/by-uuid/$uuid $keyfile luks"
|
||||
done
|
@ -1,38 +0,0 @@
|
||||
#!/bin/sh
|
||||
# Final stage to start qubes given a Xen, dom0 kernel and initrd
|
||||
# get the UUID of the root file system
|
||||
# busybox blkid doesn't have a "just the UUID" option
|
||||
. /etc/functions
|
||||
. /etc/config
|
||||
|
||||
XEN="$1"
|
||||
KERNEL="$2"
|
||||
INITRD="$3"
|
||||
|
||||
if [ -z "$XEN" -o -z "$KERNEL" -o -z "$INITRD" ]; then
|
||||
die "Usage: $0 /boot/xen... /boot/vmlinuz... /boot/initramfs..."
|
||||
fi
|
||||
|
||||
# Activate the dom0 group, if it isn't already active
|
||||
lvm vgchange -a y "$CONFIG_QUBES_VG" \
|
||||
|| die "$CONFIG_QUBES_VG: LVM volume group activate failed"
|
||||
|
||||
ROOT_UUID=`blkid /dev/$CONFIG_QUBES_VG/00 | cut -d\" -f2`
|
||||
if [ -z "$ROOT_UUID" ]; then
|
||||
die "$CONFIG_QUBES_VG/00: No UUID for /"
|
||||
fi
|
||||
|
||||
echo "$CONFIG_QUBES_VG/00: UUID=$ROOT_UUID"
|
||||
|
||||
# command line arguments are include in the signature on this script,
|
||||
echo '+++ Loading kernel and initrd'
|
||||
kexec \
|
||||
-l \
|
||||
--module "$KERNEL root=/dev/mapper/luks-$ROOT_UUID ro rd.qubes.hide_all_usb" \
|
||||
--module "$INITRD" \
|
||||
--command-line "no-real-mode reboot=no" \
|
||||
"${XEN}" \
|
||||
|| die "kexec load failed"
|
||||
|
||||
echo "+++ Starting Qubes..."
|
||||
exec kexec -e
|
@ -1,83 +0,0 @@
|
||||
#!/bin/sh
|
||||
# Boot a Qubes installation that has already been setup.
|
||||
# This depends on the PCR 4 being "normal-boot":
|
||||
# f8fa3b6e32e7c6fe04c366e74636e505b28f3b0d
|
||||
# which is only set if the top level /init script has started
|
||||
# without user intervention or dropping into a recovery shell.
|
||||
|
||||
. /etc/functions
|
||||
. /etc/config
|
||||
|
||||
if [ "$1" = "recovery" ]; then
|
||||
warn "Recovery mode boot; ignoring key failures"
|
||||
RECOVERY=1
|
||||
fi
|
||||
|
||||
# TODO: Allow /boot to be encrypted?
|
||||
# This would require a different TPM key, a user passphrase to decrypt it,
|
||||
# or loading the USB modules to talk to a Yubikey to get the thing.
|
||||
if ! grep -q /boot /proc/mounts ; then
|
||||
mount -o ro "$CONFIG_QUBES_BOOT_DEV" /boot \
|
||||
|| recovery '$CONFIG_BOOT_DEV: Unable to mount /boot'
|
||||
fi
|
||||
|
||||
BOOT_HASHES=/boot/boot.hashes
|
||||
if [ ! -r "$BOOT_HASHES" ]; then
|
||||
recovery "$BOOT_HASHES does not exist; re-run qubes-update"
|
||||
fi
|
||||
|
||||
# Verify the signature on the hashes
|
||||
gpgv "$BOOT_HASHES.asc" "$BOOT_HASHES" \
|
||||
|| recovery 'boot hashes signature failed'
|
||||
|
||||
# Retrieve the TPM counter ID and generate its current value
|
||||
TPM_COUNTER=`grep counter $BOOT_HASHES | cut -d- -f2`
|
||||
if [ -z "$TPM_COUNTER" ]; then
|
||||
recovery "$BOOT_HASHES: TPM counter not found?"
|
||||
fi
|
||||
|
||||
read_tpm_counter $TPM_COUNTER
|
||||
|
||||
# Check the hashes of all the files
|
||||
sha256sum -c "$BOOT_HASHES" \
|
||||
|| recovery "$BOOT_HASHES: hash mismatch"
|
||||
|
||||
XEN=`grep /boot/xen $BOOT_HASHES | cut -d\ -f3 | tail -1`
|
||||
KERNEL=`grep /boot/vmlin $BOOT_HASHES | cut -d\ -f3 | tail -1`
|
||||
INITRD=`grep /boot/initram $BOOT_HASHES | cut -d\ -f3 | tail -1`
|
||||
|
||||
# Activate the dom0 group
|
||||
lvm vgchange -a y "$CONFIG_QUBES_VG" \
|
||||
|| recovery "$CONFIG_QUBES_VG: LVM volume group activate failed"
|
||||
|
||||
# Measure the LUKS headers before we unseal the disk key
|
||||
qubes-measure-luks /dev/$CONFIG_QUBES_VG/* \
|
||||
|| recovery "LUKS measure failed"
|
||||
|
||||
# Unpack the initrd and fixup the /etc/crypttab
|
||||
# this is a hack to split it into two parts since
|
||||
# we know that the first 0x3400 bytes are the microcode
|
||||
INITRD_DIR=/tmp/secret/initrd
|
||||
SECRET_CPIO=/tmp/secret/initrd.cpio
|
||||
mkdir -p "$INITRD_DIR/etc"
|
||||
|
||||
# Attempt to unseal the disk key from the TPM
|
||||
# should we give this some number of tries?
|
||||
if ! unseal-key "$INITRD_DIR/secret.key" ; then
|
||||
warn 'Unseal disk key failed'
|
||||
if [ -z "$RECOVERY" ]; then
|
||||
recovery 'Starting recovery shell'
|
||||
fi
|
||||
fi
|
||||
|
||||
# Override PCR 4 so that user can't read the key
|
||||
tpm extend -ix 4 -ic qubes \
|
||||
|| recovery 'Unable to scramble PCR'
|
||||
|
||||
echo '+++ Building initrd'
|
||||
( cd "$INITRD_DIR" ; find . | cpio -H newc -o ) > "$SECRET_CPIO"
|
||||
cat "$INITRD" >> "$SECRET_CPIO"
|
||||
|
||||
/bin/qubes-boot "$XEN" "$KERNEL" "$SECRET_CPIO"
|
||||
|
||||
recovery "Something failed..."
|
@ -1,29 +0,0 @@
|
||||
#!/bin/sh
|
||||
# Attempt to install qubes using the recovery shell and the pre-built
|
||||
# version of Xen
|
||||
|
||||
. /etc/functions
|
||||
|
||||
DEV="$1"
|
||||
if [ -z "$DEV" ]; then
|
||||
DEV="/dev/sdb2"
|
||||
fi
|
||||
|
||||
mount-usb "$DEV" \
|
||||
|| die "$DEV: Unable to mount?"
|
||||
|
||||
cd /media/efi/boot \
|
||||
|| die "$DEV: cd to /media/efi/boot failed?"
|
||||
|
||||
kexec -l \
|
||||
--module "./vmlinuz inst.stage2=hd:LABEL=Qubes-R3.2-x86_64" \
|
||||
--module "./initrd.img" \
|
||||
--command-line "no-real-mode reboot=no" \
|
||||
/bin/xen.gz \
|
||||
|| die "$DEV: kexec -l failed?"
|
||||
|
||||
warn "Starting installer..."
|
||||
sleep 1
|
||||
kexec -e
|
||||
|
||||
die "$DEV: kexec -e failed?"
|
@ -1,45 +0,0 @@
|
||||
#!/bin/sh
|
||||
# Update the /boot partition signatures
|
||||
set -o pipefail
|
||||
. /etc/functions
|
||||
|
||||
XEN="$1"
|
||||
KERNEL="$2"
|
||||
INITRD="$3"
|
||||
BOOT_HASHES="/boot/boot.hashes"
|
||||
|
||||
if [ -z "$XEN" -o -z "$KERNEL" -o -z "$INITRD" ]; then
|
||||
die "Usage: $0 /boot/xen... /boot/vmlinuz... /boot/initramfs..."
|
||||
fi
|
||||
|
||||
confirm_gpg_card
|
||||
|
||||
check_tpm_counter $BOOT_HASHES
|
||||
|
||||
mount -o rw,remount /boot \
|
||||
|| die "Could not remount /boot"
|
||||
|
||||
increment_tpm_counter $TPM_COUNTER
|
||||
|
||||
sha256sum \
|
||||
"$XEN" \
|
||||
"$KERNEL" \
|
||||
"$INITRD" \
|
||||
"/tmp/counter-$TPM_COUNTER" \
|
||||
| tee "$BOOT_HASHES"
|
||||
|
||||
for tries in 1 2 3; do
|
||||
if gpg \
|
||||
--digest-algo SHA256 \
|
||||
--detach-sign \
|
||||
-a \
|
||||
"$BOOT_HASHES" \
|
||||
; then
|
||||
mount -o ro,remount /boot
|
||||
exit 0
|
||||
fi
|
||||
done
|
||||
|
||||
warn "$BOOT_HASHES: Unable to sign boot hashes"
|
||||
mount -o ro,remount /boot
|
||||
exit 1
|
@ -1,126 +0,0 @@
|
||||
#!/bin/sh
|
||||
# This will generate a disk encryption key and seal / ecncrypt
|
||||
# with the current PCRs and then store it in the TPM NVRAM.
|
||||
# It will then need to be bundled into initrd that is booted with Qubes.
|
||||
|
||||
TPM_INDEX=3
|
||||
TPM_SIZE=312
|
||||
KEY_FILE="/tmp/secret/secret.key"
|
||||
TPM_SEALED="/tmp/secret/secret.sealed"
|
||||
RECOVERY_KEY="/tmp/secret/recovery.key"
|
||||
|
||||
. /etc/functions
|
||||
. /etc/config
|
||||
|
||||
# Activate the LVM volume group
|
||||
VOLUME_GROUP=qubes_dom0
|
||||
lvm vgchange -a y $VOLUME_GROUP \
|
||||
|| die "$VOLUME_GROUP: unable to activate volume group"
|
||||
|
||||
# Key slot 0 is the manual recovery pass phrase
|
||||
# that they user entered when they installed Qubes,
|
||||
# key slot 1 is the one that we've generated.
|
||||
read -s -p "Enter disk recovery key: " disk_password
|
||||
echo -n "$disk_password" > "$RECOVERY_KEY"
|
||||
echo
|
||||
|
||||
# Remove all the old keys from slot 1
|
||||
for dev in /dev/$VOLUME_GROUP/*; do
|
||||
echo "++++++ $dev: Removing old key slot"
|
||||
cryptsetup luksKillSlot \
|
||||
--key-file "$RECOVERY_KEY" \
|
||||
$dev 1 \
|
||||
|| warn "$dev: ignoring problem"
|
||||
done
|
||||
|
||||
read -s -p "New disk unlock password for booting: " key_password
|
||||
echo
|
||||
read -s -p "Repeat unlock code: " key_password2
|
||||
echo
|
||||
|
||||
if [ "$key_password" != "$key_password2" ]; then
|
||||
die "Key passwords do not match"
|
||||
fi
|
||||
|
||||
dd \
|
||||
if=/dev/urandom \
|
||||
of="$KEY_FILE" \
|
||||
bs=1 \
|
||||
count=128 \
|
||||
2>/dev/null \
|
||||
|| die "Unable to generate 128 random bytes"
|
||||
|
||||
for dev in /dev/$VOLUME_GROUP/*; do
|
||||
echo "+++++ $dev: Adding key"
|
||||
cryptsetup luksAddKey \
|
||||
--key-file "$RECOVERY_KEY" \
|
||||
--key-slot 1 \
|
||||
$dev "$KEY_FILE" \
|
||||
|| die "$dev: Unable to add key"
|
||||
done
|
||||
|
||||
# Now that we have setup the new keys, measure the PCRs
|
||||
# We don't care what ends up in PCR 6; we just want
|
||||
# to get the /tmp/luksDump.txt file. We use PCR16
|
||||
# since it should still be zero
|
||||
/bin/qubes-measure-luks /dev/$VOLUME_GROUP/* \
|
||||
|| die "Unable to measure the LUKS headers"
|
||||
luks_pcr=`tpm calcfuturepcr -ix 16 -if /tmp/luksDump.txt`
|
||||
|
||||
# Note that PCR 4 needs to be set with the "normal-boot"
|
||||
# path value, which we do not have right now since we are
|
||||
# in a recovery shell.
|
||||
# used to be -ix 4 f8fa3b6e32e7c6fe04c366e74636e505b28f3b0d \
|
||||
# now just all zeros in a normal boot
|
||||
# PCR 5 must be all zero since no kernel modules should have
|
||||
# been loaded during a normal boot, but might have been
|
||||
# loaded in the recovery shell.
|
||||
# Otherwise use the current values of the PCRs, which will be read
|
||||
# from the TPM as part of the sealing ("X").
|
||||
tpm sealfile2 \
|
||||
-if "$KEY_FILE" \
|
||||
-of "$TPM_SEALED" \
|
||||
-pwdd "$key_password" \
|
||||
-hk 40000000 \
|
||||
-ix 0 X \
|
||||
-ix 1 X \
|
||||
-ix 2 X \
|
||||
-ix 3 X \
|
||||
-ix 4 0000000000000000000000000000000000000000 \
|
||||
-ix 5 0000000000000000000000000000000000000000 \
|
||||
-ix 6 $luks_pcr \
|
||||
|| die "Unable to seal secret"
|
||||
|
||||
rm -f "$KEY_FILE"
|
||||
|
||||
# try it without the owner password first
|
||||
if ! tpm nv_writevalue \
|
||||
-in $TPM_INDEX \
|
||||
-if "$TPM_SEALED" \
|
||||
; then
|
||||
# to create an nvram space we need the TPM owner password
|
||||
# and the TPM physical presence must be asserted.
|
||||
#
|
||||
# The permissions are 0 since there is nothing special
|
||||
# about the sealed file
|
||||
tpm physicalpresence -s \
|
||||
|| warn "Warning: Unable to assert physical presence"
|
||||
|
||||
read -s -p "TPM Owner password: " tpm_password
|
||||
echo
|
||||
|
||||
tpm nv_definespace \
|
||||
-in $TPM_INDEX \
|
||||
-sz $TPM_SIZE \
|
||||
-pwdo "$tpm_password" \
|
||||
-per 0 \
|
||||
|| warn "Warning: Unable to define NVRAM space; trying anyway"
|
||||
|
||||
|
||||
tpm nv_writevalue \
|
||||
-in $TPM_INDEX \
|
||||
-if "$TPM_SEALED" \
|
||||
|| die "Unable to write sealed secret to NVRAM"
|
||||
fi
|
||||
|
||||
rm "$TPM_SEALED" \
|
@ -1,30 +0,0 @@
|
||||
#!/bin/sh
|
||||
mount -o ro -t ext4 /dev/sda1 /boot
|
||||
|
||||
die() { echo >&2 "$*"; exit 1; }
|
||||
|
||||
XEN=/boot/xen-4.6.3.gz
|
||||
INITRD=/boot/initramfs-4.4.14-11.pvops.qubes.x86_64.img
|
||||
KERNEL=/boot/vmlinuz-4.4.14-11.pvops.qubes.x86_64
|
||||
|
||||
echo "+++ Checking $XEN"
|
||||
gpgv "${XEN}.asc" "${XEN}" || die "Xen signature failed"
|
||||
|
||||
echo "+++ Checking $INITRD"
|
||||
gpgv "${INITRD}.asc" "${INITRD}" || die "Initrd signature failed"
|
||||
|
||||
echo "+++ Checking $KERNEL"
|
||||
gpgv "${KERNEL}.asc" "${KERNEL}" || die "Kernel signature failed"
|
||||
|
||||
# should also check xen command line arguments!
|
||||
# should also check kernel command line arguments!
|
||||
|
||||
kexec \
|
||||
-l \
|
||||
--module "${KERNEL} root=LABEL=root rhgb" \
|
||||
--module "${INITRD}" \
|
||||
--command-line "no-real-mode reboot=no console=vga dom0_mem=min:1024M dom0_mem=max:4096M" \
|
||||
"${XEN}"
|
||||
|
||||
|
||||
echo "Ready to start Xen: run 'kexec -e' to execute it"
|
@ -1,92 +0,0 @@
|
||||
#!/bin/sh
|
||||
# This will unseal and unecncrypt the drive encryption key from the TPM
|
||||
# The TOTP secret will be shown to the user on each encryption attempt.
|
||||
# It will then need to be bundled into initrd that is booted with Qubes.
|
||||
|
||||
TPM_INDEX=3
|
||||
TPM_SIZE=312
|
||||
|
||||
. /etc/functions
|
||||
mkdir -p /tmp/secret
|
||||
|
||||
sealed_file="/tmp/secret/sealed.key"
|
||||
key_file="$1"
|
||||
|
||||
if [ -z "$key_file" ]; then
|
||||
key_file="/tmp/secret/secret.key"
|
||||
fi
|
||||
|
||||
tpm nv_readvalue \
|
||||
-in "$TPM_INDEX" \
|
||||
-sz "$TPM_SIZE" \
|
||||
-of "$sealed_file" \
|
||||
|| die "Unable to read key from TPM NVRAM"
|
||||
|
||||
|
||||
get_password()
|
||||
{
|
||||
last_half=X
|
||||
|
||||
while true; do
|
||||
|
||||
# update the TOTP code every thirty seconds
|
||||
date=`date "+%Y-%m-%d %H:%M:%S"`
|
||||
seconds=`date "+%s"`
|
||||
half=`expr \( $seconds % 60 \) / 30`
|
||||
if [ "$half" != "$last_half" ]; then
|
||||
last_half=$half;
|
||||
TOTP=`unseal-totp` \
|
||||
|| die "TOTP code generation failed"
|
||||
fi
|
||||
|
||||
echo -n "$date $TOTP: "
|
||||
|
||||
# read the first character, non-blocking
|
||||
read \
|
||||
-t 1 \
|
||||
-n 1 \
|
||||
-s \
|
||||
-p "Enter unlock password: " \
|
||||
tpm_password_1 \
|
||||
&& break
|
||||
|
||||
# nothing typed, redraw the line
|
||||
echo -ne '\r'
|
||||
done
|
||||
|
||||
# they have started typing, read the rest, blocking
|
||||
if [ -z "$tpm_password_1" ]; then
|
||||
# they hit enter; we should exit gracefully
|
||||
tpm_password=""
|
||||
else
|
||||
# they hit something else, read the rest of the line
|
||||
read \
|
||||
-s \
|
||||
-p '' \
|
||||
tpm_password_2
|
||||
tpm_password="$tpm_password_1$tpm_password_2"
|
||||
fi
|
||||
|
||||
# clean up with a newline
|
||||
echo
|
||||
|
||||
}
|
||||
|
||||
for tries in 1 2 3; do
|
||||
get_password
|
||||
|
||||
if tpm unsealfile \
|
||||
-if "$sealed_file" \
|
||||
-of "$key_file" \
|
||||
-pwdd "$tpm_password" \
|
||||
-hk 40000000 \
|
||||
; then
|
||||
rm -f /tmp/secret/sealed
|
||||
exit 0
|
||||
fi
|
||||
|
||||
pcrs
|
||||
warn "Unable to unseal disk encryption key"
|
||||
done
|
||||
|
||||
die "Retry count exceeded..."
|
@ -1,21 +0,0 @@
|
||||
#!/bin/sh
|
||||
# Add additional files to the initrd cpio so that we can pass
|
||||
# new keys to the Qubes startup routines.
|
||||
# Usage:
|
||||
# wrap-cpio /boot/initrd.blah /tmp/root/ > /tmp/new.cpio
|
||||
|
||||
die() { echo >&2 "$@"; exit 1; }
|
||||
warn() { echo >&2 "$@"; }
|
||||
|
||||
cpio_file="$1"
|
||||
if [ -z "$cpio_file" ]; then
|
||||
die "Initial cpio must be specified"
|
||||
fi
|
||||
|
||||
new_dir="$2"
|
||||
if [ -z "$new_dir" ]; then
|
||||
die "Additional directory must be specified"
|
||||
fi
|
||||
|
||||
( cd "$new_dir" ; find . | cpio -H newc -ov )
|
||||
cat "$cpio_file"
|