ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-18 20:47:55 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master' into storage-factoryreset

Browse Source
This commit is contained in:
alex-nitrokey 2020-08-05 11:49:18 +02:00
commit 872a4b0488
37 changed files with 252 additions and 268 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
boards/kgpe-d16/kgpe-d16.config
View File

@ -1,5 +1,7 @@
# Configuration for a kgpe-d16 running non-Qubes
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
CONFIG_COREBOOT_CONFIG=config/coreboot-kgpe-d16.config
CONFIG_LINUX_CONFIG=config/linux-kgpe-d16.config

2
boards/librem13v2/librem13v2.config
View File

@ -3,6 +3,8 @@ CONFIG_LINUX_CONFIG=config/linux-librem13v2.config
CONFIG_COREBOOT_CONFIG=config/coreboot-librem13v2.config
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
CONFIG_CRYPTSETUP=y
CONFIG_FLASHROM=y
CONFIG_FLASHTOOLS=y

2
boards/librem13v4/librem13v4.config
View File

@ -3,6 +3,8 @@ CONFIG_LINUX_CONFIG=config/linux-librem13v2.config
CONFIG_COREBOOT_CONFIG=config/coreboot-librem13v4.config
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
CONFIG_CRYPTSETUP=y
CONFIG_FLASHROM=y
CONFIG_FLASHTOOLS=y

2
boards/librem15v3/librem15v3.config
View File

@ -5,6 +5,8 @@ CONFIG_LINUX_CONFIG=config/linux-librem13v2.config
CONFIG_COREBOOT_CONFIG=config/coreboot-librem15v3.config
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
CONFIG_CRYPTSETUP=y
CONFIG_FLASHROM=y
CONFIG_FLASHTOOLS=y

2
boards/librem15v4/librem15v4.config
View File

@ -5,6 +5,8 @@ CONFIG_LINUX_CONFIG=config/linux-librem13v2.config
CONFIG_COREBOOT_CONFIG=config/coreboot-librem15v4.config
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
CONFIG_CRYPTSETUP=y
CONFIG_FLASHROM=y
CONFIG_FLASHTOOLS=y

2
boards/qemu-coreboot-fbwhiptail/qemu-coreboot-fbwhiptail.config
View File

@ -2,6 +2,8 @@
# the qemu emulator in GUI mode thanks to FBWhiptail
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-fbwhiptail.config
CONFIG_LINUX_CONFIG=config/linux-qemu.config

2
boards/qemu-coreboot/qemu-coreboot.config
View File

@ -2,6 +2,8 @@
# the qemu emulator. Note that the TPM does not work, so this
# will just drop into the recovery shell.
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
CONFIG_COREBOOT_CONFIG=config/coreboot-qemu.config
CONFIG_LINUX_CONFIG=config/linux-qemu.config

2
boards/t420/t420.config
View File

@ -1,5 +1,7 @@
# Configuration for a T420 running Qubes and other OS, T420 is identical to X230 on the Linux Side of things.
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
CONFIG_COREBOOT_CONFIG=config/coreboot-t420.config
CONFIG_LINUX_CONFIG=config/linux-x230.config

2
boards/t430-flash/t430-flash.config
View File

@ -2,6 +2,8 @@
BOARD=t430.flash
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
CONFIG_FLASHROM=y
CONFIG_FLASHTOOLS=y
CONFIG_PCIUTILS=y

2
boards/t430/t430.config
View File

@ -1,5 +1,7 @@
# Configuration for a t430 running Qubes and other OSes
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
CONFIG_COREBOOT_CONFIG=config/coreboot-t430.config
CONFIG_LINUX_CONFIG=config/linux-x230.config

2
boards/x220/x220.config
View File

@ -1,5 +1,7 @@
# Configuration for a x220 running Qubes and other OS, X220 is identical to X230 on the Linux Side of things.
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
CONFIG_COREBOOT_CONFIG=config/coreboot-x220.config
CONFIG_LINUX_CONFIG=config/linux-x230.config

2
boards/x230-flash/x230-flash.config
View File

@ -2,6 +2,8 @@
BOARD=x230.flash
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
CONFIG_FLASHROM=y
#CONFIG_GPG=y
CONFIG_FLASHTOOLS=y

2
boards/x230-hotp-verification/x230-hotp-verification.config
View File

@ -1,6 +1,8 @@
# Configuration for a x230-hotp-verification (Nitrokey/Purism USB Security dongle enabled HOTP support)
# running Qubes and other OSes
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
CONFIG_COREBOOT_CONFIG=config/coreboot-x230-hotp-verification.config
CONFIG_LINUX_CONFIG=config/linux-x230.config

2
boards/x230/x230.config
View File

@ -1,5 +1,7 @@
# Configuration for a x230 running Qubes and other OSes
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
CONFIG_COREBOOT_CONFIG=config/coreboot-x230.config
CONFIG_LINUX_CONFIG=config/linux-x230.config

2
config/busybox.config
View File

@ -227,7 +227,7 @@ CONFIG_EXPR=y
CONFIG_EXPR_MATH_SUPPORT_64=y
CONFIG_FACTOR=y
CONFIG_FALSE=y
# CONFIG_FOLD is not set
CONFIG_FOLD=y
# CONFIG_FSYNC is not set
CONFIG_HEAD=y
CONFIG_FEATURE_FANCY_HEAD=y

48
initrd/bin/config-gui.sh
View File

@ -2,55 +2,9 @@
#
set -e -o pipefail
. /etc/functions
. /etc/gui_functions
. /tmp/config
file_selector() {
FILE=""
FILE_LIST=$1
MENU_MSG=${2:-"Choose the file"}
MENU_TITLE=${3:-"Select your File"}
# create file menu options
if [ `cat "$FILE_LIST" | wc -l` -gt 0 ]; then
option=""
while [ -z "$option" ]
do
MENU_OPTIONS=""
n=0
while read option
do
n=`expr $n + 1`
option=$(echo $option | tr " " "_")
MENU_OPTIONS="$MENU_OPTIONS $n ${option}"
done < $FILE_LIST
MENU_OPTIONS="$MENU_OPTIONS a Abort"
whiptail --clear --title "${MENU_TITLE}" \
--menu "${MENU_MSG} [1-$n, a to abort]:" 20 120 8 \
-- $MENU_OPTIONS \
2>/tmp/whiptail || die "Aborting"
option_index=$(cat /tmp/whiptail)
if [ "$option_index" = "a" ]; then
option="a"
return
fi
option=`head -n $option_index $FILE_LIST | tail -1`
if [ "$option" == "a" ]; then
return
fi
done
if [ -n "$option" ]; then
FILE=$option
fi
else
whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: No Files Found' \
--msgbox "No Files found matching the pattern. Aborting." 16 60
exit 1
fi
}
param=$1
while true; do

69
initrd/bin/flash-gui.sh
View File

@ -2,70 +2,9 @@
#
set -e -o pipefail
. /etc/functions
. /etc/gui_functions
. /tmp/config
mount_usb(){
# Mount the USB boot device
if ! grep -q /media /proc/mounts ; then
mount-usb && USB_FAILED=0 || USB_FAILED=1
if [ $USB_FAILED -ne 0 ]; then
whiptail --title 'USB Drive Missing' \
--msgbox "Insert your USB drive and press Enter to continue." 16 60
mount-usb && USB_FAILED=0 || USB_FAILED=1
if [ $USB_FAILED -ne 0 ]; then
whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Mounting /media Failed' \
--msgbox "Unable to mount USB device" 16 60
fi
fi
fi
}
file_selector() {
FILE=""
FILE_LIST=$1
MENU_MSG=${2:-"Choose the file"}
# create file menu options
if [ `cat "$FILE_LIST" | wc -l` -gt 0 ]; then
option=""
while [ -z "$option" ]
do
MENU_OPTIONS=""
n=0
while read option
do
n=`expr $n + 1`
option=$(echo $option | tr " " "_")
MENU_OPTIONS="$MENU_OPTIONS $n ${option}"
done < $FILE_LIST
MENU_OPTIONS="$MENU_OPTIONS a Abort"
whiptail --clear --title "Select your File" \
--menu "${MENU_MSG} [1-$n, a to abort]:" 20 120 8 \
-- $MENU_OPTIONS \
2>/tmp/whiptail || die "Aborting"
option_index=$(cat /tmp/whiptail)
if [ "$option_index" = "a" ]; then
option="a"
return
fi
option=`head -n $option_index $FILE_LIST | tail -1`
if [ "$option" == "a" ]; then
return
fi
done
if [ -n "$option" ]; then
FILE=$option
fi
else
whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: No Files Found' \
--msgbox "No Files found matching the pattern. Aborting." 16 60
exit 1
fi
}
while true; do
unset menu_choice
whiptail --clear --title "Firmware Management Menu" \
@ -83,7 +22,7 @@ while true; do
;;
f|c )
if (whiptail --title 'Flash the BIOS with a new ROM' \
--yesno "This requires you insert a USB drive containing:\n* Your BIOS image (*.rom)\n\nAfter you select this file, this program will reflash your BIOS\n\nDo you want to proceed?" 16 90) then
--yesno "You will need to insert a USB drive containing your BIOS image (*.rom).\n\nAfter you select this file, this program will reflash your BIOS.\n\nDo you want to proceed?" 16 90) then
mount_usb
if grep -q /media /proc/mounts ; then
find /media ! -path '*/\.*' -type f -name '*.rom' | sort > /tmp/filelist.txt
@ -95,7 +34,7 @@ while true; do
fi
if (whiptail --title 'Flash ROM?' \
--yesno "This will replace your old ROM with $ROM\n\nDo you want to proceed?" 16 90) then
--yesno "This will replace your current ROM with:\n\n$ROM\n\nDo you want to proceed?" 16 60) then
if [ "$menu_choice" == "c" ]; then
/bin/flash.sh -c "$ROM"
# after flash, /boot signatures are now invalid so go ahead and clear them
@ -110,7 +49,7 @@ while true; do
/bin/flash.sh "$ROM"
fi
whiptail --title 'ROM Flashed Successfully' \
--msgbox "$ROM flashed successfully.\nPress Enter to reboot" 16 60
--msgbox "$ROM flashed successfully.\n\nPress Enter to reboot\n" 16 60
umount /media
/bin/reboot
else

62
initrd/bin/gpg-gui.sh
View File

@ -2,69 +2,9 @@
#
set -e -o pipefail
. /etc/functions
. /etc/gui_functions
. /tmp/config
mount_usb(){
# Mount the USB boot device
if ! grep -q /media /proc/mounts ; then
mount-usb && USB_FAILED=0 || USB_FAILED=1
if [ $USB_FAILED -ne 0 ]; then
whiptail --title 'USB Drive Missing' \
--msgbox "Insert your USB drive and press Enter to continue." 16 60
mount-usb && USB_FAILED=0 || USB_FAILED=1
if [ $USB_FAILED -ne 0 ]; then
whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Mounting /media Failed' \
--msgbox "Unable to mount USB device" 16 60
fi
fi
fi
}
file_selector() {
FILE=""
FILE_LIST=$1
MENU_MSG=${2:-"Choose the file"}
# create file menu options
if [ `cat "$FILE_LIST" | wc -l` -gt 0 ]; then
option=""
while [ -z "$option" ]
do
MENU_OPTIONS=""
n=0
while read option
do
n=`expr $n + 1`
option=$(echo $option | tr " " "_")
MENU_OPTIONS="$MENU_OPTIONS $n ${option}"
done < $FILE_LIST
MENU_OPTIONS="$MENU_OPTIONS a Abort"
whiptail --clear --title "Select your File" \
--menu "${MENU_MSG} [1-$n, a to abort]:" 20 120 8 \
-- $MENU_OPTIONS \
2>/tmp/whiptail || die "Aborting"
option_index=$(cat /tmp/whiptail)
if [ "$option_index" = "a" ]; then
option="a"
return
fi
option=`head -n $option_index $FILE_LIST | tail -1`
if [ "$option" == "a" ]; then
return
fi
done
if [ -n "$option" ]; then
FILE=$option
fi
else
whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: No Files Found' \
--msgbox "No Files found matching the pattern. Aborting." 16 60
exit 1
fi
}
gpg_flash_rom() {
if [ "$1" = "replace" ]; then

50
initrd/bin/gui-init
View File

@ -42,7 +42,7 @@ verify_global_hashes()
TMP_PACKAGE_TRIGGER_PRE="/tmp/kexec/kexec_package_trigger_pre.txt"
TMP_PACKAGE_TRIGGER_POST="/tmp/kexec/kexec_package_trigger_post.txt"
if cd /boot && sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output ; then
if ( cd /boot && sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output ) then
return 0
elif [ ! -f $TMP_HASH_FILE ]; then
if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Missing Hash File!' \
@ -70,7 +70,7 @@ verify_global_hashes()
fi
else
TEXT="The following files failed the verification process:\n${CHANGED_FILES}\n\nThis could indicate a compromise!\n\nWould you like to update your checksums now?"
TEXT="The following files failed the verification process:\n\n${CHANGED_FILES}\n\nThis could indicate a compromise!\n\nWould you like to update your checksums now?"
fi
if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Boot Hash Mismatch' --yesno "$TEXT" 30 90) then
@ -82,7 +82,7 @@ verify_global_hashes()
prompt_update_checksums()
{
if (whiptail --title 'Update Checksums and sign all files in /boot' \
--yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that the files in /boot have not been tampered with.\n\nYou will need your GPG key to continue and this change will modify your disk.\n\nDo you want to continue?" 16 90) then
--yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that these files have not been tampered with.\n\nYou will need your GPG key available, and this change will modify your disk.\n\nDo you want to continue?" 16 90) then
update_checksums
else
echo "Returning to the main menu"
@ -313,30 +313,34 @@ while true; do
fi
if [ "$totp_confirm" = "p" ]; then
if (whiptail --title 'Reset the TPM' \
--yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 16 90) then
/bin/tpm-reset
if [ "$CONFIG_TPM" = "y" ]; then
if (whiptail --title 'Reset the TPM' \
--yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 16 90) then
/bin/tpm-reset
# now that the TPM is reset, remove invalid TPM counter files
mount_boot
mount -o rw,remount /boot
rm -f /boot/kexec_rollback.txt
# now that the TPM is reset, remove invalid TPM counter files
mount_boot
mount -o rw,remount /boot
rm -f /boot/kexec_rollback.txt
# create Heads TPM counter before any others
check_tpm_counter /boot/kexec_rollback.txt \
|| die "Unable to find/create tpm counter"
counter="$TPM_COUNTER"
# create Heads TPM counter before any others
check_tpm_counter /boot/kexec_rollback.txt \
|| die "Unable to find/create tpm counter"
counter="$TPM_COUNTER"
increment_tpm_counter $counter \
|| die "Unable to increment tpm counter"
increment_tpm_counter $counter \
|| die "Unable to increment tpm counter"
sha256sum /tmp/counter-$counter > /boot/kexec_rollback.txt \
|| die "Unable to create rollback file"
mount -o ro,remount /boot
sha256sum /tmp/counter-$counter > /boot/kexec_rollback.txt \
|| die "Unable to create rollback file"
mount -o ro,remount /boot
update_totp
update_totp
else
echo "Returning to the main menu"
fi
else
echo "Returning to the main menu"
whiptail --clear --title 'ERROR: No TPM Detected' --msgbox "This device does not have a TPM.\n\nPress OK to return to the Main Menu" 30 90
fi
continue
fi
@ -386,10 +390,10 @@ while true; do
if [ "$totp_confirm" = "S" ]; then
memtotal=$(cat /proc/meminfo | grep 'MemTotal' | tr -s ' ' | cut -f2 -d ' ')
memtotal=$((${memtotal} / 1024 + 1))
memtotal=$((${memtotal} / 1024 / 1024 + 1))
cpustr=$(cat /proc/cpuinfo | grep 'model name' | uniq | sed -r 's/\(R\)//;s/\(TM\)//;s/CPU //;s/model name.*: //')
whiptail --title 'System Info' \
--msgbox "VER: ${FW_VER}\n\nCPU: ${cpustr}\nRAM: ${memtotal} MB\n\n$(fdisk -l | grep -e '/dev/sd.:' -e '/dev/nvme.*:' | sed 's/B,.*/B/')" 16 60
--msgbox "VER: ${FW_VER}\n\nCPU: ${cpustr}\nRAM: ${memtotal} GB\n\n$(fdisk -l | grep -e '/dev/sd.:' -e '/dev/nvme.*:' | sed 's/B,.*/B/')" 16 60
continue
fi

2
initrd/bin/kexec-select-boot
View File

@ -173,7 +173,7 @@ scan_options() {
kexec-parse-bls "$bootdir" "$i" "$bootdir/loader/entries" >> $option_file
done
fi
if [ ! -r $option_file ]; then
if [ ! -s $option_file ]; then
die "Failed to parse any boot options"
fi
if [ "$unique" = 'y' ]; then

10
initrd/bin/mount-usb
View File

@ -62,9 +62,11 @@ if [ -z ${USB_MOUNT_DEVICE} ]; then
# remove block device from list if numeric partitions exist, since not bootable
let USB_NUM_PARTITIONS=`ls -1 $i* | wc -l`-1
if [ ${USB_NUM_PARTITIONS} -eq 0 ]; then
echo $i >> /tmp/usb_disk_list
echo $i $(blkid | grep $i | grep -o 'LABEL=".*"' | cut -f2 -d '"') >> /tmp/usb_disk_list
else
ls $i* | tail -${USB_NUM_PARTITIONS} >> /tmp/usb_disk_list
for j in $(ls $i* | tail -${USB_NUM_PARTITIONS}); do
echo $j $(blkid | grep $j | grep -o 'LABEL=".*"' | cut -f2 -d '"') >> /tmp/usb_disk_list
done
fi
done
@ -100,9 +102,9 @@ if [ -z ${USB_MOUNT_DEVICE} ]; then
fi
if [ "$option_index" = "a" ]; then
exit 1
exit 5
fi
USB_MOUNT_DEVICE=`head -n $option_index /tmp/usb_disk_list | tail -1`
USB_MOUNT_DEVICE=`head -n $option_index /tmp/usb_disk_list | tail -1 | sed 's/\ .*$//'`
fi
if [ "$1" = "rw" ]; then

45
initrd/bin/oem-factory-reset
View File

@ -113,7 +113,7 @@ gpg_key_change_pin()
} | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \
> /tmp/gpg_card_edit_output 2>/dev/null
if [ $? -ne 0 ]; then
ERROR=`cat /tmp/gpg_card_edit_output`
ERROR=`cat /tmp/gpg_card_edit_output | fold -s`
whiptail_error_die "GPG Key PIN change failed!\n\n$ERROR"
fi
}
@ -188,7 +188,7 @@ generate_checksums()
mount -o ro,remount /boot
if [ $ret = 1 ] ; then
ERROR=$(tail -n 1 /tmp/error)
ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "Error signing kexec boot files:\n\n$ERROR"
fi
}
@ -205,7 +205,15 @@ set_default_boot_option()
for i in `find /boot -name "grub.cfg"`; do
kexec-parse-boot "/boot" "$i" >> $option_file
done
[ ! -r $option_file ] \
# FC29/30+ may use BLS format grub config files
# https://fedoraproject.org/wiki/Changes/BootLoaderSpecByDefault
# only parse these if $option_file is still empty
if [ ! -s $option_file ] && [ -d "/boot/loader/entries" ]; then
for i in `find /boot -name "grub.cfg"`; do
kexec-parse-bls "/boot" "$i" "/boot/loader/entries" >> $option_file
done
fi
[ ! -s $option_file ] \
&& whiptail_error_die "Failed to parse any boot options"
# sort boot options
@ -217,12 +225,15 @@ set_default_boot_option()
# clear existing default configs
rm "/boot/kexec_default.*.txt" 2>/dev/null
# get correct index for entry
index=$(grep -n "$entry" $option_file | cut -f1 -d ':')
# write new config
echo "$entry" > /boot/kexec_default.1.txt
echo "$entry" > /boot/kexec_default.$index.txt
# validate boot option
cd /boot && /bin/kexec-boot -b "/boot" -e "$entry" -f \
| xargs sha256sum > $hash_file 2>/dev/null \
( cd /boot && /bin/kexec-boot -b "/boot" -e "$entry" -f \
| xargs sha256sum > $hash_file 2>/dev/null ) \
|| whiptail_error_die "Failed to create hashes of boot files"
}
@ -323,7 +334,7 @@ echo -e "\nChecking for USB media...\n"
umount /media 2>/dev/null
# mount-usb will detect and prompt if no USB inserted
if ! mount-usb rw 2>/tmp/error; then
ERROR=$(tail -n 1 /tmp/error)
ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "Unable to mount USB on /media:\n\n${ERROR}"
fi
@ -333,7 +344,7 @@ echo -e "\nChecking for GPG Key...\n"
if ! gpg --card-status >/dev/null 2>&1 ; then
whiptail_error "Can't access GPG Key; remove and reinsert, then press Enter to retry."
if ! gpg --card-status >/dev/null 2>/tmp/error ; then
ERROR=$(tail -n 1 /tmp/error)
ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "Unable to detect GPG Key:\n\n${ERROR}"
fi
fi
@ -358,7 +369,7 @@ if [ "$CONFIG_TPM" = "y" ]; then
echo $TPM_PASS_DEF
} | /bin/tpm-reset >/dev/null 2>/tmp/error
if [ $? -ne 0 ]; then
ERROR=$(tail -n 1 /tmp/error)
ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "Error resetting TPM:\n\n${ERROR}"
fi
fi
@ -389,13 +400,13 @@ fi
echo -e "\nExporting generated key to USB...\n"
# export pubkey to file
if ! gpg --export --armor $GPG_GEN_KEY > "${PUBKEY}" 2>/tmp/error ; then
ERROR=$(tail -n 1 /tmp/error)
ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "GPG Key gpg export to file failed!\n\n$ERROR"
fi
# copy to USB
if ! cp "${PUBKEY}" "/media/${GPG_GEN_KEY}.asc" 2>/tmp/error ; then
ERROR=$(tail -n 1 /tmp/error)
whiptail_error_die "Key export error: unable to copy ${GPG_GEN_KEY}.asc to /media:\n\n$ERROR"
ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "Key export error: unable to copy exported pubkey to /media:\n\n$ERROR"
fi
umount /media 2>/dev/null
@ -403,24 +414,24 @@ umount /media 2>/dev/null
echo -e "\nReading current firmware...\n(this will take a minute or two)\n"
/bin/flash.sh -r /tmp/oem-setup.rom >/dev/null 2>/tmp/error
if [ ! -s /tmp/oem-setup.rom ]; then
ERROR=$(tail -n 1 /tmp/error)
ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "Error reading current firmware:\n\n$ERROR"
fi
# ensure key imported locally
if ! cat "$PUBKEY" | gpg --import >/dev/null 2>/tmp/error ; then
ERROR=$(tail -n 1 /tmp/error)
ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "Error importing GPG key:\n\n$ERROR"
fi
# update /.gnupg/trustdb.gpg to ultimately trust all user provided public keys
if ! gpg --list-keys --fingerprint --with-colons 2>/dev/null \
| sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' \
| gpg --import-ownertrust >/dev/null 2>/tmp/error ; then
ERROR=$(tail -n 1 /tmp/error)
ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "Error importing GPG ownertrust:\n\n$ERROR"
fi
if ! gpg --update-trust >/dev/null 2>/tmp/error ; then
ERROR=$(tail -n 1 /tmp/error)
ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "Error updating GPG ownertrust:\n\n$ERROR"
fi
# clear any existing heads/gpg files from current firmware
@ -446,7 +457,7 @@ fi
# flash updated firmware image
echo -e "\nAdding generated key to current firmware and re-flashing...\n"
if ! /bin/flash.sh /tmp/oem-setup.rom >/dev/null 2>/tmp/error ; then
ERROR=$(tail -n 1 /tmp/error)
ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "Error flashing updated firmware image:\n\n$ERROR"
fi

8
initrd/bin/seal-hotpkey
View File

@ -68,9 +68,9 @@ if ! hotp_verification info ; then
fi
# Set HOTP USB Security Dongle branding based on VID
if [ ! $(lsusb | grep -q "20a0:") ]; then
if lsusb | grep -q "20a0:" ; then
HOTPKEY_BRANDING="Nitrokey"
elif [ ! $(lsusb | grep -q "316d:") ]; then
elif lsusb | grep -q "316d:" ; then
HOTPKEY_BRANDING="Librem Key"
else
HOTPKEY_BRANDING="HOTP USB Security Dongle"
@ -80,12 +80,12 @@ echo -e ""
read -s -p "Enter your $HOTPKEY_BRANDING Admin PIN: " admin_pin
echo -e "\n"
hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value $HOTPKEY_BRANDING
hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING"
if [ $? -ne 0 ]; then
echo -e "\n"
read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again: " admin_pin
echo -e "\n"
if ! hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value $HOTPKEY_BRANDING ; then
if ! hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" ; then
# don't leak key on failure
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
die "Setting HOTP secret failed"

7
initrd/bin/usb-scan
View File

@ -2,6 +2,7 @@
# Scan for USB installation options
set -e -o pipefail
. /etc/functions
. /etc/gui_functions
. /tmp/config
# Unmount any previous boot device
@ -11,10 +12,8 @@ if grep -q /boot /proc/mounts ; then
fi
# Mount the USB boot device
if ! grep -q /media /proc/mounts ; then
mount-usb "$CONFIG_USB_BOOT_DEV" \
|| die "Unable to mount /media"
fi
mount_usb || die "Unable to mount /media"
# Get USB boot device
USB_BOOT_DEV=$(grep "/media" /etc/mtab | cut -f 1 -d' ')

18
initrd/etc/functions
View File

@ -271,13 +271,15 @@ update_checksums()
|| recovery "Unable to mount /boot"
fi
# remount RW
mount -o rw,remount /boot
cd /boot
find ./ -type f ! -name '*kexec*' | xargs sha256sum > /boot/kexec_hashes.txt
if [ -e /boot/kexec_default_hashes.txt ]; then
DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ')
echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt
fi
mount -o rw,remount /boot
(
cd /boot
find ./ -type f ! -name '*kexec*' | xargs sha256sum > /boot/kexec_hashes.txt
if [ -e /boot/kexec_default_hashes.txt ]; then
DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ')
echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt
fi
)
# Remove any package trigger log files
# We don't need them after the user decides to sign
rm -f /boot/kexec_package_trigger*
@ -301,7 +303,7 @@ update_checksums()
detect_boot_device()
{
# unmount /boot to be safe
umount /boot 2>/dev/null
cd / && umount /boot 2>/dev/null
# check $CONFIG_BOOT_DEV if set/valid
if [ -e "$CONFIG_BOOT_DEV" ]; then

71
initrd/etc/gui_functions Executable file
View File

@ -0,0 +1,71 @@
#!/bin/sh
# Shell functions for common operations using fbwhiptail
mount_usb()
{
# Unmount any previous USB device
if grep -q /media /proc/mounts ; then
umount /media || die "Unable to unmount /media"
fi
# Mount the USB boot device
mount-usb && USB_FAILED=0 || ( [ $? -eq 5 ] && exit 1 || USB_FAILED=1 )
if [ $USB_FAILED -ne 0 ]; then
whiptail --title 'USB Drive Missing' \
--msgbox "Insert your USB drive and press Enter to continue." 16 60
mount-usb && USB_FAILED=0 || ( [ $? -eq 5 ] && exit 1 || USB_FAILED=1 )
if [ $USB_FAILED -ne 0 ]; then
whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Mounting /media Failed' \
--msgbox "Unable to mount USB device" 16 60
exit 1
fi
fi
}
file_selector()
{
FILE=""
FILE_LIST=$1
MENU_MSG=${2:-"Choose the file"}
MENU_TITLE=${3:-"Select your File"}
# create file menu options
if [ `cat "$FILE_LIST" | wc -l` -gt 0 ]; then
option=""
while [ -z "$option" ]
do
MENU_OPTIONS=""
n=0
while read option
do
n=`expr $n + 1`
option=$(echo $option | tr " " "_")
MENU_OPTIONS="$MENU_OPTIONS $n ${option}"
done < $FILE_LIST
MENU_OPTIONS="$MENU_OPTIONS a Abort"
whiptail --clear --title "${MENU_TITLE}" \
--menu "${MENU_MSG} [1-$n, a to abort]:" 20 120 8 \
-- $MENU_OPTIONS \
2>/tmp/whiptail || die "Aborting"
option_index=$(cat /tmp/whiptail)
if [ "$option_index" = "a" ]; then
option="a"
return
fi
option=`head -n $option_index $FILE_LIST | tail -1`
if [ "$option" == "a" ]; then
return
fi
done
if [ -n "$option" ]; then
FILE=$option
fi
else
whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: No Files Found' \
--msgbox "No Files found matching the pattern. Aborting." 16 60
exit 1
fi
}

4
initrd/init
View File

@ -93,7 +93,9 @@ combine_configs
. /tmp/config
# export firmware version
export FW_VER=$(dmesg | grep 'DMI' | grep -o 'BIOS.*' | cut -f2 -d ' ')
export FW_VER=$(dmesg | grep 'DMI' | grep -o 'BIOS.*' | cut -f2- -d ' ')
# chop off date, since will always be epoch w/timeless builds
FW_VER=${FW_VER::-10}
# Add our boot devices into the /etc/fstab, if they are defined
# in the configuration file.

9
modules/coreboot
View File

@ -1,13 +1,18 @@
modules-$(CONFIG_COREBOOT) += coreboot
ifeq "$(CONFIG_COREBOOT_VERSION)" "4.8.1"
coreboot_version := 4.8.1
coreboot_hash := f0ddf4db0628c1fe1e8348c40084d9cbeb5771400c963fd419cda3995b69ad23
else
$(error "$(BOARD): does not specify coreboot version under CONFIG_COREBOOT_VERSION")
endif
#coreboot_version := git
#coreboot_repo := https://github.com/osresearch/coreboot
coreboot_version := 4.8.1
coreboot_base_dir := coreboot-$(coreboot_version)
coreboot_dir := $(coreboot_base_dir)/$(BOARD)
coreboot_tar := coreboot-$(coreboot_version).tar.xz
coreboot_url := https://www.coreboot.org/releases/$(coreboot_tar)
coreboot_hash := f0ddf4db0628c1fe1e8348c40084d9cbeb5771400c963fd419cda3995b69ad23
# coreboot builds are specialized on a per-target basis.
# The builds are done in a per-target subdirectory

13
modules/gpg2
View File

@ -1,10 +1,10 @@
modules-$(CONFIG_GPG2) += gpg2
gpg2_version := 2.2.20
gpg2_version := 2.2.10
gpg2_dir := gnupg-$(gpg2_version)
gpg2_tar := gnupg-$(gpg2_version).tar.bz2
gpg2_url := https://www.gnupg.org/ftp/gcrypt/gnupg/$(gpg2_tar)
gpg2_hash := 04a7c9d48b74c399168ee8270e548588ddbe52218c337703d7f06373d326ca30
gpg2_hash := 799dd37a86a1448732e339bd20440f4f5ee6e69755f6fd7a73ee8af30840c915
# For reproducibility reasons we have to override the exec_prefix
# and datarootdir on the configure line so that the Makefiles will
@ -16,7 +16,7 @@ gpg2_configure := ./configure \
CPPFLAGS="-I$(INSTALL)/include/libusb-1.0" \
--host x86_64-linux-musl \
--with-libusb="$(INSTALL)" \
--with-gpg-error-prefix="$(INSTALL)" \
--with-libgpg-error-prefix="$(INSTALL)" \
--with-libgcrypt-prefix="$(INSTALL)" \
--with-libassuan-prefix="$(INSTALL)" \
--with-ksba-prefix="$(INSTALL)" \
@ -30,12 +30,19 @@ gpg2_configure := ./configure \
--disable-regex \
--disable-doc \
--disable-bzip2 \
--disable-asm \
--disable-exec \
--disable-photo-viewers \
--disable-keyserver-helpers \
--disable-ldap \
--disable-hkp \
--disable-finger \
--disable-dns-srv \
--disable-dns-cert \
--disable-regex \
--disable-nls \
--disable-all-tests \
--disable-wks-server \
--disable-wks-tools \
--disable-gnutls \
--disable-dirmngr \

6
modules/hotp-verification
View File

@ -2,11 +2,11 @@ modules-$(CONFIG_HOTPKEY) += hotp-verification
hotp-verification_depends := libusb $(musl_dep)
hotp-verification_version := 5fb260e631b237a298b6dcca47bbd728f2c5ac3a
hotp-verification_version := c0956cfa085bcfc2500c1085dad350a440ccbe40
hotp-verification_dir := hotp-verification-$(hotp-verification_version)
hotp-verification_tar := nitrokey-hotp-verification-$(hotp-verification_version).tar.gz
hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(hotp-verification_version).tar.gz
hotp-verification_hash := 5d98d158ba97fb970061d68e2c6f41582395e687b7752efb1a8038762b0e7b79
hotp-verification_hash := c06e9751bc45bf8e57ddb39f15352442eda07530f6fe0e8e1ed3e54274fc165f
hotp-verification_target := \
$(MAKE_JOBS) \
@ -19,7 +19,7 @@ hotp-verification_output := \
hotp-verification_configure := \
INSTALL="$(INSTALL)" \
CROSS="$(CROSS)" \
$(CROSS_TOOLS) $(MAKE) LDFLAGS="$(INSTALL)/lib/libusb-1.0.so" && $(MAKE) install INSTALL="$(INSTALL)"
$(CROSS_TOOLS) $(MAKE) LDFLAGS="$(INSTALL)/lib/libusb-1.0.so" GITVERSION="" LIBUSB_FLAGS="-I/usr/include/libusb-1.0" PKGCONFIG="" && $(MAKE) install INSTALL="$(INSTALL)"
hotp-verification_depends += hidapi
modules-y += hidapi

8
modules/libassuan
View File

@ -1,16 +1,18 @@
modules-$(CONFIG_GPG2) += libassuan
libassuan_version := 2.5.3
libassuan_version := 2.5.1
libassuan_dir := libassuan-$(libassuan_version)
libassuan_tar := libassuan-$(libassuan_version).tar.bz2
libassuan_url := https://gnupg.org/ftp/gcrypt/libassuan/$(libassuan_tar)
libassuan_hash := 91bcb0403866b4e7c4bc1cc52ed4c364a9b5414b3994f718c70303f7f765e702
libassuan_hash := 47f96c37b4f2aac289f0bc1bacfa8bd8b4b209a488d3d15e2229cb6cc9b26449
libassuan_configure := ./configure \
$(CROSS_TOOLS) \
--host x86_64-linux-musl \
--prefix "/" \
--disable-static \
--with-gpg-error-prefix="$(INSTALL)" \
--disable-nls \
--with-libgpg-error-prefix="$(INSTALL)" \
--disable-asm \
libassuan_target := $(MAKE_JOBS) \
DESTDIR="$(INSTALL)" \

6
modules/libgcrypt
View File

@ -1,16 +1,16 @@
modules-$(CONFIG_GPG2) += libgcrypt
libgcrypt_version := 1.8.5
libgcrypt_version := 1.8.3
libgcrypt_dir := libgcrypt-$(libgcrypt_version)
libgcrypt_tar := libgcrypt-$(libgcrypt_version).tar.bz2
libgcrypt_url := https://gnupg.org/ftp/gcrypt/libgcrypt/$(libgcrypt_tar)
libgcrypt_hash := 3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3
libgcrypt_hash := 66ec90be036747602f2b48f98312361a9180c97c68a690a5f376fa0f67d0af7c
libgcrypt_configure := ./configure \
$(CROSS_TOOLS) \
--host=x86_64-linux-musl \
--prefix "/" \
--disable-static \
--with-gpg-error-prefix="$(INSTALL)" \
--with-libgpg-error-prefix="$(INSTALL)" \
--disable-asm \
libgcrypt_target := $(MAKE_JOBS) \

5
modules/libgpg-error
View File

@ -1,9 +1,9 @@
modules-$(CONFIG_GPG2) += libgpg-error
libgpg-error_version := 1.37
libgpg-error_version := 1.32
libgpg-error_dir := libgpg-error-$(libgpg-error_version)
libgpg-error_tar := libgpg-error-$(libgpg-error_version).tar.bz2
libgpg-error_url := https://gnupg.org/ftp/gcrypt/libgpg-error/$(libgpg-error_tar)
libgpg-error_hash := b32d6ff72a73cf79797f7f2d039e95e9c6f92f0c1450215410840ab62aea9763
libgpg-error_hash := c345c5e73cc2332f8d50db84a2280abfb1d8f6d4f1858b9daa30404db44540ca
libgpg-error_configure := ./configure \
$(CROSS_TOOLS) \
@ -14,6 +14,7 @@ libgpg-error_configure := ./configure \
--disable-languages \
--disable-doc \
--disable-tests \
--disable-asm \
libgpg-error_target := $(MAKE_JOBS) \
DESTDIR="$(INSTALL)" \

4
modules/libksba
View File

@ -10,7 +10,9 @@ libksba_configure := ./configure \
--host x86_64-linux-musl \
--prefix "/" \
--disable-static \
--with-gpg-error-prefix="$(INSTALL)" \
--disable-nls \
--with-libgpg-error-prefix="$(INSTALL)" \
--disable-asm \
libksba_target := $(MAKE_JOBS) \
DESTDIR="$(INSTALL)" \

4
modules/npth
View File

@ -10,7 +10,9 @@ npth_configure := ./configure \
--host x86_64-linux-musl \
--prefix "/" \
--disable-static \
--with-gpg-error-prefix="$(INSTALL)" \
--disable-nls \
--with-libgpg-error-prefix="$(INSTALL)" \
--disable-asm \
npth_target := $(MAKE_JOBS) \
DESTDIR="$(INSTALL)" \

3
modules/pinentry
View File

@ -27,8 +27,7 @@ pinentry_configure := ./configure \
--disable-pinentry-fltk \
--disable-pinentry-emacs \
--disable-fallback-curses \
--disable-pinentry-qt5 \
--with-gpg-error-prefix="$(INSTALL)" \
--with-libgpg-error-prefix="$(INSTALL)" \
--with-libassuan-prefix="$(INSTALL)" \
# Run one build to generate the executables with the pre-defined

38
patches/kexec-2.0.20.patch
View File

@ -1,7 +1,7 @@
diff --git ./Makefile.in ./Makefile.in
diff --git a/Makefile.in b/Makefile.in
index fb01134..bf1973e 100644
--- ./Makefile.in
+++ ./Makefile.in
--- a/Makefile.in
+++ b/Makefile.in
@@ -157,12 +157,12 @@ include $(srcdir)/kexec/Makefile
# vmcore-dmesg (read dmesg from a vmcore)
@ -17,10 +17,24 @@ index fb01134..bf1973e 100644
SPEC=$(PACKAGE_NAME).spec
GENERATED_SRCS:= $(SPEC)
diff --git ./kexec/kexec.c ./kexec/kexec.c
diff --git a/kexec/arch/i386/x86-linux-setup.c b/kexec/arch/i386/x86-linux-setup.c
index 057ee14..43e017a 100644
--- a/kexec/arch/i386/x86-linux-setup.c
+++ b/kexec/arch/i386/x86-linux-setup.c
@@ -137,7 +137,8 @@ static int setup_linux_vesafb(struct x86_linux_param_header *real_mode)
goto out;
if (-1 == ioctl(fd, FBIOGET_VSCREENINFO, &var))
goto out;
- if (0 == strcmp(fix.id, "VESA VGA")) {
+ if (0 == strcmp(fix.id, "VESA VGA")
+ || 0 == strcmp(fix.id, "inteldrmfb")) {
/* VIDEO_TYPE_VLFB */
real_mode->orig_video_isVGA = 0x23;
} else if (0 == strcmp(fix.id, "EFI VGA")) {
diff --git a/kexec/kexec.c b/kexec/kexec.c
index bc6ab3d..b82725b 100644
--- ./kexec/kexec.c
+++ ./kexec/kexec.c
--- a/kexec/kexec.c
+++ b/kexec/kexec.c
@@ -805,6 +805,27 @@ static int my_load(const char *type, int fileind, int argc, char **argv,
if (sort_segments(&info) < 0) {
return -1;
@ -49,10 +63,10 @@ index bc6ab3d..b82725b 100644
/* if purgatory is loaded update it */
update_purgatory(&info);
if (entry)
diff --git ./purgatory/Makefile ./purgatory/Makefile
diff --git a/purgatory/Makefile b/purgatory/Makefile
index 2dd6c47..2de8f07 100644
--- ./purgatory/Makefile
+++ ./purgatory/Makefile
--- a/purgatory/Makefile
+++ b/purgatory/Makefile
@@ -44,7 +44,6 @@ purgatory/sha256.o: $(srcdir)/util_lib/sha256.c
mkdir -p $(@D)
$(COMPILE.c) -o $@ $^
@ -61,10 +75,10 @@ index 2dd6c47..2de8f07 100644
$(PURGATORY): CFLAGS=$(PURGATORY_EXTRA_CFLAGS) \
$($(ARCH)_PURGATORY_EXTRA_CFLAGS) \
-Os -fno-builtin -ffreestanding \
diff --git ./util/Makefile ./util/Makefile
diff --git a/util/Makefile b/util/Makefile
index 948ee63..833a897 100644
--- ./util/Makefile
+++ ./util/Makefile
--- a/util/Makefile
+++ b/util/Makefile
@@ -2,7 +2,7 @@ BIN_TO_HEX:= bin/bin-to-hex
$(BIN_TO_HEX): $(srcdir)/util/bin-to-hex.c