Merge pull request #747 from MrChromebox/factory_reset_no_tpm
oem-factory-reset: Handle non-TPM case
This commit is contained in:
commit
94476bb470
@ -127,21 +127,26 @@ generate_checksums()
|
|||||||
rm /boot/kexec* 2>/dev/null
|
rm /boot/kexec* 2>/dev/null
|
||||||
|
|
||||||
# create Heads TPM counter
|
# create Heads TPM counter
|
||||||
tpm counter_create \
|
if [ "$CONFIG_TPM" = "y" ]; then
|
||||||
-pwdo "$TPM_PASS_DEF" \
|
tpm counter_create \
|
||||||
-pwdc '' \
|
-pwdo "$TPM_PASS_DEF" \
|
||||||
-la -3135106223 \
|
-pwdc '' \
|
||||||
| tee /tmp/counter \
|
-la -3135106223 \
|
||||||
|| whiptail_error_die "Unable to create TPM counter"
|
| tee /tmp/counter \
|
||||||
TPM_COUNTER=`cut -d: -f1 < /tmp/counter`
|
|| whiptail_error_die "Unable to create TPM counter"
|
||||||
|
TPM_COUNTER=`cut -d: -f1 < /tmp/counter`
|
||||||
|
|
||||||
# increment TPM counter
|
# increment TPM counter
|
||||||
increment_tpm_counter $TPM_COUNTER >/dev/null 2>&1 \
|
increment_tpm_counter $TPM_COUNTER >/dev/null 2>&1 \
|
||||||
|| whiptail_error_die "Unable to increment tpm counter"
|
|| whiptail_error_die "Unable to increment tpm counter"
|
||||||
|
|
||||||
# create rollback file
|
# create rollback file
|
||||||
sha256sum /tmp/counter-$TPM_COUNTER > /boot/kexec_rollback.txt 2>/dev/null \
|
sha256sum /tmp/counter-$TPM_COUNTER > /boot/kexec_rollback.txt 2>/dev/null \
|
||||||
|| whiptail_error_die "Unable to create rollback file"
|
|| whiptail_error_die "Unable to create rollback file"
|
||||||
|
else
|
||||||
|
## needs to exist for initial call to unseal-hotp
|
||||||
|
echo "0" > /boot/kexec_hotp_counter
|
||||||
|
fi
|
||||||
|
|
||||||
# set default boot option
|
# set default boot option
|
||||||
set_default_boot_option
|
set_default_boot_option
|
||||||
@ -232,15 +237,20 @@ else
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# show warning prompt
|
# show warning prompt
|
||||||
|
if [ "$CONFIG_TPM" = "y" ]; then
|
||||||
|
TPM_STR=" * ERASE the TPM and reset it with a default password\n"
|
||||||
|
else
|
||||||
|
TPM_STR=""
|
||||||
|
fi
|
||||||
if ! whiptail --yesno "
|
if ! whiptail --yesno "
|
||||||
This operation will automatically:\n\n
|
This operation will automatically:\n\n
|
||||||
* ERASE the TPM and reset it with a default password\n
|
$TPM_STR
|
||||||
* ERASE any keys or passwords on the GPG smart card,\n
|
* ERASE any keys or passwords on the GPG smart card,\n
|
||||||
reset it to a factory state, and generate new keys\n
|
reset it to a factory state, and generate new keys\n
|
||||||
* Add the new GPG key to the firmware and reflash it\n
|
* Add the new GPG key to the firmware and reflash it\n
|
||||||
* Sign all of the files in /boot with the new GPG key\n\n
|
* Sign all of the files in /boot with the new GPG key\n\n
|
||||||
It requires that you already have an OS installed on a\n
|
It requires that you already have an OS installed on a\n
|
||||||
dedicated /boot partition. Do you wish to continue?\n" \
|
dedicated /boot partition. Do you wish to continue?\n" \
|
||||||
$WIDTH $HEIGHT $CONTINUE $CANCEL $CLEAR $bg_color --title "$title_text" ; then
|
$WIDTH $HEIGHT $CONTINUE $CANCEL $CLEAR $bg_color --title "$title_text" ; then
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
@ -337,14 +347,16 @@ replace_config /etc/config.user "CONFIG_BOOT_DEV" "$CONFIG_BOOT_DEV"
|
|||||||
combine_configs
|
combine_configs
|
||||||
|
|
||||||
## reset TPM and set default password
|
## reset TPM and set default password
|
||||||
echo -e "\nResetting TPM...\n"
|
if [ "$CONFIG_TPM" = "y" ]; then
|
||||||
{
|
echo -e "\nResetting TPM...\n"
|
||||||
echo $TPM_PASS_DEF
|
{
|
||||||
echo $TPM_PASS_DEF
|
echo $TPM_PASS_DEF
|
||||||
} | /bin/tpm-reset >/dev/null 2>/tmp/error
|
echo $TPM_PASS_DEF
|
||||||
if [ $? -ne 0 ]; then
|
} | /bin/tpm-reset >/dev/null 2>/tmp/error
|
||||||
ERROR=$(tail -n 1 /tmp/error)
|
if [ $? -ne 0 ]; then
|
||||||
whiptail_error_die "Error resetting TPM:\n\n${ERROR}"
|
ERROR=$(tail -n 1 /tmp/error)
|
||||||
|
whiptail_error_die "Error resetting TPM:\n\n${ERROR}"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# clear local keyring
|
# clear local keyring
|
||||||
|