Merge branch 'nested_menus' of https://github.com/kylerankin/heads

2025-04-11 13:20:06 +00:00 · 2018-03-29 17:32:08 -04:00 · 2018-03-29 17:32:08 -04:00 · 83df25c5ab
commit 83df25c5ab
parent c6ece3bea1 35916d942b
1 changed files with 53 additions and 2 deletions
--- a/initrd/bin/gui-init
+++ b/initrd/bin/gui-init
@ -48,12 +48,33 @@ while true; do
      'y' ' Default boot' \
      'r' ' TOTP does not match, refresh code' \
      'n' ' TOTP does not match after refresh, troubleshoot' \
+      'o' ' Other Boot Options -->' \
+      'a' ' Advanced Settings -->' \
+      'x' ' Exit to recovery shell' \
+      2>/tmp/whiptail || recovery "GUI menu failed"
+
+    totp_confirm=$(cat /tmp/whiptail)
+  fi
+
+  if [ "$totp_confirm" = "o" ]; then
+    whiptail --clear --title "Other Boot Options" \
+      --menu "Select A Boot Option" 20 80 10 \
      'm' ' Show OS boot menu' \
      'u' ' USB boot' \
-      'g' ' Generate new TOTP secret' \
      'i' ' Ignore tampering and force a boot (Unsafe!)' \
+      'r' ' <-- Return to main menu' \
+      2>/tmp/whiptail || recovery "GUI menu failed"
+
+    totp_confirm=$(cat /tmp/whiptail)
+  fi
+
+  if [ "$totp_confirm" = "a" ]; then
+    whiptail --clear --title "Advanced Settings" \
+      --menu "Configure Advanced Settings" 20 80 10 \
+      'g' ' Generate new TOTP secret' \
      'p' ' Reset the TPM' \
-      'x' ' Exit to recovery shell' \
+      's' ' Update checksums and sign all files in /boot' \
+      'r' ' <-- Return to main menu' \
      2>/tmp/whiptail || recovery "GUI menu failed"

    totp_confirm=$(cat /tmp/whiptail)
@ -134,6 +155,36 @@ while true; do
    continue
  fi

+  if [ "$totp_confirm" = "s" ]; then
+    if (whiptail --title 'Update Checksums and sign all files in /boot' \
+        --yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that the files in /boot have not been tampered with.\n\nYou will need your GPG key to continue and this change will modify your disk.\n\nDo you want to continue?" 16 80) then
+      mount_boot
+      mount -o rw,remount /boot
+
+      cd /boot
+      find ./ -type f ! -name '*kexec*' | xargs sha256sum > /boot/kexec_hashes.txt
+      DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ')
+      echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt
+
+      # sign and auto-roll config counter
+      extparam=
+      if [ "$CONFIG_TPM" = "y" ]; then
+        extparam=-u
+      fi
+
+      kexec-sign-config -p /boot $extparam 
+      if [ $? -ne 0 ]; then
+        mount -o ro,remount /boot
+        whiptail --title 'ERROR: Signing Failed' \
+          --msgbox "The signing process failed!\n\nReturning to main menu." 16 60
+      else
+        # switch back to ro mode
+        mount -o ro,remount /boot
+      fi
+    fi
+    continue
+  fi
+
  if [ "$totp_confirm" = "y" -o -n "$totp_confirm" ]; then
    # Try to boot the default
    mount_boot