whiptail: fixate width to 80 characters and have height dynamic to all whiptail/fbwhiptail prompts

Thierry Laurion 2022-11-09 11:51:27 -05:00
parent 1cb0324a12
commit 9bb6be8874
No known key found for this signature in database
GPG Key ID: E7B4A71658E36A93
10 changed files with 52 additions and 52 deletions


@ -15,7 +15,7 @@ while true; do
else else
unset menu_choice unset menu_choice
whiptail $BG_COLOR_MAIN_MENU --clear --title "Config Management Menu" \ whiptail $BG_COLOR_MAIN_MENU --clear --title "Config Management Menu" \
--menu "This menu lets you change settings for the current BIOS session.\n\nAll changes will revert after a reboot,\n\nunless you also save them to the running BIOS." 20 90 10 \ --menu "This menu lets you change settings for the current BIOS session.\n\nAll changes will revert after a reboot,\n\nunless you also save them to the running BIOS." 0 80 10 \
'b' ' Change the /boot device' \ 'b' ' Change the /boot device' \
's' ' Save the current configuration to the running BIOS' \ 's' ' Save the current configuration to the running BIOS' \
'r' ' Clear GPG key(s) and reset all user settings' \ 'r' ' Clear GPG key(s) and reset all user settings' \
@ -88,7 +88,7 @@ while true; do
cbfs -o /tmp/config-gui.rom -a "heads/initrd/etc/config.user" -f /etc/config.user cbfs -o /tmp/config-gui.rom -a "heads/initrd/etc/config.user" -f /etc/config.user
if (whiptail --title 'Update ROM?' \ if (whiptail --title 'Update ROM?' \
--yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 16 90) then --yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 0 80) then
/bin/flash.sh /tmp/config-gui.rom /bin/flash.sh /tmp/config-gui.rom
whiptail --title 'BIOS Updated Successfully' \ whiptail --title 'BIOS Updated Successfully' \
--msgbox "BIOS updated successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 16 60 --msgbox "BIOS updated successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 16 60
@ -103,7 +103,7 @@ while true; do
--yesno "This will clear all GPG keys, clear boot signatures and checksums, --yesno "This will clear all GPG keys, clear boot signatures and checksums,
\nreset the /boot device, clear/reset the TPM (if present), \nreset the /boot device, clear/reset the TPM (if present),
\nand reflash your BIOS with the cleaned configuration. \nand reflash your BIOS with the cleaned configuration.
\n\nDo you want to proceed?" 16 90) then \n\nDo you want to proceed?" 0 80) then
# read current firmware # read current firmware
/bin/flash.sh -r /tmp/config-gui.rom /bin/flash.sh -r /tmp/config-gui.rom
if [ ! -s /tmp/config-gui.rom ]; then if [ ! -s /tmp/config-gui.rom ]; then
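Review bot: The 'BIOS Updated Successfully' `--msgbox` in the second hunk still ends in `16 60`, although the commit message says every whiptail/fbwhiptail prompt moves to width 80 with dynamic height. Its text carries the reminder to re-sign all files in /boot on a line longer than 60 columns, so this box will keep wrapping differently from the others in the file. Ending the call with `0 80` brings it in line with the rest of the change. The surrounding `while true` loop starts and ends outside the visible hunks.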


@ -8,7 +8,7 @@ set -e -o pipefail
while true; do while true; do
unset menu_choice unset menu_choice
whiptail $BG_COLOR_MAIN_MENU --clear --title "Firmware Management Menu" \ whiptail $BG_COLOR_MAIN_MENU --clear --title "Firmware Management Menu" \
--menu "Select the firmware function to perform\n\nRetaining settings copies existing settings to the new firmware:\n* Keeps your GPG keyring\n* Keeps changes to the default /boot device\n\nErasing settings uses the new firmware as-is:\n* Erases any existing GPG keyring\n* Restores firmware to default factory settings\n* Clears out /boot signatures\n\nIf you are just updating your firmware, you probably want to retain\nyour settings." 20 90 10 \ --menu "Select the firmware function to perform\n\nRetaining settings copies existing settings to the new firmware:\n* Keeps your GPG keyring\n* Keeps changes to the default /boot device\n\nErasing settings uses the new firmware as-is:\n* Erases any existing GPG keyring\n* Restores firmware to default factory settings\n* Clears out /boot signatures\n\nIf you are just updating your firmware, you probably want to retain\nyour settings." 0 80 10 \
'f' ' Flash the firmware with a new ROM, retain settings' \ 'f' ' Flash the firmware with a new ROM, retain settings' \
'c' ' Flash the firmware with a new ROM, erase settings' \ 'c' ' Flash the firmware with a new ROM, erase settings' \
'x' ' Exit' \ 'x' ' Exit' \
@ -22,7 +22,7 @@ while true; do
;; ;;
f|c ) f|c )
if (whiptail $BG_COLOR_WARNING --title 'Flash the BIOS with a new ROM' \ if (whiptail $BG_COLOR_WARNING --title 'Flash the BIOS with a new ROM' \
--yesno "You will need to insert a USB drive containing your BIOS image (*.rom).\n\nAfter you select this file, this program will reflash your BIOS.\n\nDo you want to proceed?" 16 90) then --yesno "You will need to insert a USB drive containing your BIOS image (*.rom).\n\nAfter you select this file, this program will reflash your BIOS.\n\nDo you want to proceed?" 0 80) then
mount_usb mount_usb
if grep -q /media /proc/mounts ; then if grep -q /media /proc/mounts ; then
find /media ! -path '*/\.*' -type f -name '*.rom' | sort > /tmp/filelist.txt find /media ! -path '*/\.*' -type f -name '*.rom' | sort > /tmp/filelist.txt
@ -34,7 +34,7 @@ while true; do
fi fi
if (whiptail $BG_COLOR_WARNING --title 'Flash ROM?' \ if (whiptail $BG_COLOR_WARNING --title 'Flash ROM?' \
--yesno "This will replace your current ROM with:\n\n${ROM#"/media/"}\n\nDo you want to proceed?" 16 90) then --yesno "This will replace your current ROM with:\n\n${ROM#"/media/"}\n\nDo you want to proceed?" 0 80) then
if [ "$menu_choice" == "c" ]; then if [ "$menu_choice" == "c" ]; then
/bin/flash.sh -c "$ROM" /bin/flash.sh -c "$ROM"
# after flash, /boot signatures are now invalid so go ahead and clear them # after flash, /boot signatures are now invalid so go ahead and clear them
@ -49,7 +49,7 @@ while true; do
/bin/flash.sh "$ROM" /bin/flash.sh "$ROM"
fi fi
whiptail --title 'ROM Flashed Successfully' \ whiptail --title 'ROM Flashed Successfully' \
--msgbox "${ROM#"/media/"}\n\nhas been flashed successfully.\n\nPress Enter to reboot\n" 16 90 --msgbox "${ROM#"/media/"}\n\nhas been flashed successfully.\n\nPress Enter to reboot\n" 0 80
umount /media umount /media
/bin/reboot /bin/reboot
else else


@ -62,10 +62,10 @@ gpg_flash_rom() {
/bin/flash.sh /tmp/gpg-gui.rom /bin/flash.sh /tmp/gpg-gui.rom
if (whiptail --title 'BIOS Flashed Successfully' \ if (whiptail --title 'BIOS Flashed Successfully' \
--yesno "Would you like to update the checksums and sign all of the files in /boot?\n\nYou will need your GPG key to continue and this will modify your disk.\n\nOtherwise the system will reboot immediately." 16 90) then --yesno "Would you like to update the checksums and sign all of the files in /boot?\n\nYou will need your GPG key to continue and this will modify your disk.\n\nOtherwise the system will reboot immediately." 0 80) then
if ! update_checksums ; then if ! update_checksums ; then
whiptail $BG_COLOR_ERROR --title 'ERROR' \ whiptail $BG_COLOR_ERROR --title 'ERROR' \
--msgbox "Failed to update checksums / sign default config" 16 90 --msgbox "Failed to update checksums / sign default config" 0 80
fi fi
else else
/bin/reboot /bin/reboot
@ -80,21 +80,21 @@ gpg_post_gen_mgmt() {
GPG_GEN_KEY=`grep -A1 pub /tmp/gpg_card_edit_output | tail -n1 | sed -nr 's/^([ ])*//p'` GPG_GEN_KEY=`grep -A1 pub /tmp/gpg_card_edit_output | tail -n1 | sed -nr 's/^([ ])*//p'`
gpg --export --armor $GPG_GEN_KEY > "/tmp/${GPG_GEN_KEY}.asc" gpg --export --armor $GPG_GEN_KEY > "/tmp/${GPG_GEN_KEY}.asc"
if (whiptail --title 'Add Public Key to USB disk?' \ if (whiptail --title 'Add Public Key to USB disk?' \
--yesno "Would you like to copy the GPG public key you generated to a USB disk?\n\nYou may need it, if you want to use it outside of Heads later.\n\nThe file will show up as ${GPG_GEN_KEY}.asc" 16 90) then --yesno "Would you like to copy the GPG public key you generated to a USB disk?\n\nYou may need it, if you want to use it outside of Heads later.\n\nThe file will show up as ${GPG_GEN_KEY}.asc" 0 80) then
mount_usb mount_usb
mount -o remount,rw /media mount -o remount,rw /media
cp "/tmp/${GPG_GEN_KEY}.asc" "/media/${GPG_GEN_KEY}.asc" cp "/tmp/${GPG_GEN_KEY}.asc" "/media/${GPG_GEN_KEY}.asc"
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
whiptail --title "The GPG Key Copied Successfully" \ whiptail --title "The GPG Key Copied Successfully" \
--msgbox "${GPG_GEN_KEY}.asc copied successfully." 16 90 --msgbox "${GPG_GEN_KEY}.asc copied successfully." 0 80
else else
whiptail $BG_COLOR_ERROR --title 'ERROR: Copy Failed' \ whiptail $BG_COLOR_ERROR --title 'ERROR: Copy Failed' \
--msgbox "Unable to copy ${GPG_GEN_KEY}.asc to /media" 16 90 --msgbox "Unable to copy ${GPG_GEN_KEY}.asc to /media" 0 80
fi fi
umount /media umount /media
fi fi
if (whiptail --title 'Add Public Key to Running BIOS?' \ if (whiptail --title 'Add Public Key to Running BIOS?' \
--yesno "Would you like to add the GPG public key you generated to the BIOS?\n\nThis makes it a trusted key used to sign files in /boot\n\n" 16 90) then --yesno "Would you like to add the GPG public key you generated to the BIOS?\n\nThis makes it a trusted key used to sign files in /boot\n\n" 0 80) then
/bin/flash.sh -r /tmp/gpg-gui.rom /bin/flash.sh -r /tmp/gpg-gui.rom
if [ ! -s /tmp/gpg-gui.rom ]; then if [ ! -s /tmp/gpg-gui.rom ]; then
whiptail $BG_COLOR_ERROR --title 'ERROR: BIOS Read Failed!' \ whiptail $BG_COLOR_ERROR --title 'ERROR: BIOS Read Failed!' \
@ -108,7 +108,7 @@ gpg_post_gen_mgmt() {
gpg_add_key_reflash() { gpg_add_key_reflash() {
if (whiptail --title 'GPG public key required' \ if (whiptail --title 'GPG public key required' \
--yesno "This requires you insert a USB drive containing:\n* Your GPG public key (*.key or *.asc)\n\nAfter you select this file, this program will copy and reflash your BIOS\n\nDo you want to proceed?" 16 90) then --yesno "This requires you insert a USB drive containing:\n* Your GPG public key (*.key or *.asc)\n\nAfter you select this file, this program will copy and reflash your BIOS\n\nDo you want to proceed?" 0 80) then
mount_usb mount_usb
if grep -q /media /proc/mounts ; then if grep -q /media /proc/mounts ; then
find /media -name '*.key' > /tmp/filelist.txt find /media -name '*.key' > /tmp/filelist.txt
@ -129,7 +129,7 @@ gpg_add_key_reflash() {
fi fi
if (whiptail --title 'Update ROM?' \ if (whiptail --title 'Update ROM?' \
--yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 16 90) then --yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 0 80) then
gpg_flash_rom gpg_flash_rom
else else
exit 0 exit 0
@ -141,7 +141,7 @@ gpg_add_key_reflash() {
while true; do while true; do
unset menu_choice unset menu_choice
whiptail $BG_COLOR_MAIN_MENU --clear --title "GPG Management Menu" \ whiptail $BG_COLOR_MAIN_MENU --clear --title "GPG Management Menu" \
--menu 'Select the GPG function to perform' 20 90 10 \ --menu 'Select the GPG function to perform' 0 80 10 \
'r' ' Add GPG key to running BIOS and reflash' \ 'r' ' Add GPG key to running BIOS and reflash' \
'a' ' Add GPG key to standalone BIOS image and flash' \ 'a' ' Add GPG key to standalone BIOS image and flash' \
'e' ' Replace GPG key(s) in the current ROM and reflash' \ 'e' ' Replace GPG key(s) in the current ROM and reflash' \
@ -159,7 +159,7 @@ while true; do
;; ;;
"a" ) "a" )
if (whiptail --title 'ROM and GPG public key required' \ if (whiptail --title 'ROM and GPG public key required' \
--yesno "This requires you insert a USB drive containing:\n* Your GPG public key (*.key or *.asc)\n* Your BIOS image (*.rom)\n\nAfter you select these files, this program will reflash your BIOS\n\nDo you want to proceed?" 16 90) then --yesno "This requires you insert a USB drive containing:\n* Your GPG public key (*.key or *.asc)\n* Your BIOS image (*.rom)\n\nAfter you select these files, this program will reflash your BIOS\n\nDo you want to proceed?" 0 80) then
mount_usb mount_usb
if grep -q /media /proc/mounts ; then if grep -q /media /proc/mounts ; then
find /media -name '*.key' > /tmp/filelist.txt find /media -name '*.key' > /tmp/filelist.txt
@ -181,7 +181,7 @@ while true; do
cp "$ROM" /tmp/gpg-gui.rom cp "$ROM" /tmp/gpg-gui.rom
if (whiptail $BG_COLOR_WARNING --title 'Flash ROM?' \ if (whiptail $BG_COLOR_WARNING --title 'Flash ROM?' \
--yesno "This will replace your old ROM with $ROM\n\nDo you want to proceed?" 16 90) then --yesno "This will replace your old ROM with $ROM\n\nDo you want to proceed?" 0 80) then
gpg_flash_rom gpg_flash_rom
else else
exit 0 exit 0
@ -204,11 +204,11 @@ while true; do
"l" ) "l" )
GPG_KEYRING=`gpg -k` GPG_KEYRING=`gpg -k`
whiptail --title 'GPG Keyring' \ whiptail --title 'GPG Keyring' \
--msgbox "${GPG_KEYRING}" 16 90 --msgbox "${GPG_KEYRING}" 0 80
;; ;;
"p" ) "p" )
if (whiptail --title 'Export Public Key(s) to USB drive?' \ if (whiptail --title 'Export Public Key(s) to USB drive?' \
--yesno "Would you like to copy GPG public key(s) to a USB drive?\n\nThe file will show up as public-key.asc" 16 90) then --yesno "Would you like to copy GPG public key(s) to a USB drive?\n\nThe file will show up as public-key.asc" 0 80) then
mount_usb mount_usb
mount -o remount,rw /media mount -o remount,rw /media
gpg --export --armor > "/tmp/public-key.asc" gpg --export --armor > "/tmp/public-key.asc"
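Review bot: The 'GPG Keyring' box in the `"l"` branch now passes the whole `gpg -k` output to `--msgbox` with height 0, so the dialog grows with the number of keys, and what happens once the listing is taller than the screen depends on how whiptail and fbwhiptail clamp an auto-sized box. This screen is how the owner checks which keys the firmware trusts, so it should be tested with a keyring longer than the display; adding `--scrolltext` where the build supports it, or capping the height, would keep every key and the OK button reachable. The same concern applies to the other prompts whose text is generated at run time: the 'Boot Hash Mismatch' prompts fed from `$TEXT` and `${CHANGED_FILES}` in verify_global_hashes and default_select, and the 'System Info' box built from `fdisk -l` and /tmp/devices_usb_pci. The enclosing `while true` loop continues outside this hunk.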


@ -24,7 +24,7 @@ mount_boot()
BG_COLOR_MAIN_MENU=$BG_COLOR_ERROR BG_COLOR_MAIN_MENU=$BG_COLOR_ERROR
whiptail $BG_COLOR_ERROR --clear --title "ERROR: No Bootable OS Found!" \ whiptail $BG_COLOR_ERROR --clear --title "ERROR: No Bootable OS Found!" \
--menu " No bootable OS was found on the default boot device $CONFIG_BOOT_DEV. --menu " No bootable OS was found on the default boot device $CONFIG_BOOT_DEV.
How would you like to proceed?" 30 90 4 \ How would you like to proceed?" 0 80 4 \
'b' ' Select a new boot device' \ 'b' ' Select a new boot device' \
'u' ' Boot from USB' \ 'u' ' Boot from USB' \
'm' ' Continue to the main menu' \ 'm' ' Continue to the main menu' \
@ -67,13 +67,13 @@ verify_global_hashes()
return 0 return 0
elif [ ! -f $TMP_HASH_FILE ]; then elif [ ! -f $TMP_HASH_FILE ]; then
if (whiptail $BG_COLOR_ERROR --clear --title 'ERROR: Missing Hash File!' \ if (whiptail $BG_COLOR_ERROR --clear --title 'ERROR: Missing Hash File!' \
--yesno "The file containing hashes for /boot is missing!\n\nIf you are setting this system up for the first time, select Yes to update\nyour list of checksums.\n\nOtherwise this could indicate a compromise and you should select No to\nreturn to the main menu.\n\nWould you like to update your checksums now?" 30 90) then --yesno "The file containing hashes for /boot is missing!\n\nIf you are setting this system up for the first time, select Yes to update\nyour list of checksums.\n\nOtherwise this could indicate a compromise and you should select No to\nreturn to the main menu.\n\nWould you like to update your checksums now?" 0 80) then
if update_checksums ; then if update_checksums ; then
BG_COLOR_MAIN_MENU="" BG_COLOR_MAIN_MENU=""
return 0; return 0;
else else
whiptail $BG_COLOR_ERROR --title 'ERROR' \ whiptail $BG_COLOR_ERROR --title 'ERROR' \
--msgbox "Failed to update checksums / sign default config" 16 90 --msgbox "Failed to update checksums / sign default config" 0 80
fi fi
fi fi
BG_COLOR_MAIN_MENU=$BG_COLOR_ERROR BG_COLOR_MAIN_MENU=$BG_COLOR_ERROR
@ -114,13 +114,13 @@ verify_global_hashes()
fi fi
fi fi
if (whiptail $BG_COLOR_ERROR --clear --title 'ERROR: Boot Hash Mismatch' --yesno "$TEXT" 30 90) then if (whiptail $BG_COLOR_ERROR --clear --title 'ERROR: Boot Hash Mismatch' --yesno "$TEXT" 0 80) then
if update_checksums ; then if update_checksums ; then
BG_COLOR_MAIN_MENU="" BG_COLOR_MAIN_MENU=""
return 0; return 0;
else else
whiptail $BG_COLOR_ERROR --title 'ERROR' \ whiptail $BG_COLOR_ERROR --title 'ERROR' \
--msgbox "Failed to update checksums / sign default config" 16 90 --msgbox "Failed to update checksums / sign default config" 0 80
fi fi
fi fi
BG_COLOR_MAIN_MENU=$BG_COLOR_ERROR BG_COLOR_MAIN_MENU=$BG_COLOR_ERROR
@ -131,10 +131,10 @@ verify_global_hashes()
prompt_update_checksums() prompt_update_checksums()
{ {
if (whiptail $BG_COLOR_WARNING --title 'Update Checksums and sign all files in /boot' \ if (whiptail $BG_COLOR_WARNING --title 'Update Checksums and sign all files in /boot' \
--yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that these files have not been tampered with.\n\nYou will need your GPG key available, and this change will modify your disk.\n\nDo you want to continue?" 16 90) then --yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that these files have not been tampered with.\n\nYou will need your GPG key available, and this change will modify your disk.\n\nDo you want to continue?" 0 80) then
if ! update_checksums ; then if ! update_checksums ; then
whiptail $BG_COLOR_ERROR --title 'ERROR' \ whiptail $BG_COLOR_ERROR --title 'ERROR' \
--msgbox "Failed to update checksums / sign default config" 16 90 --msgbox "Failed to update checksums / sign default config" 0 80
fi fi
fi fi
} }
@ -170,7 +170,7 @@ update_totp()
If this is the first time the system has booted, you should If this is the first time the system has booted, you should
reset the TPM and set your own password.\n reset the TPM and set your own password.\n
If you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n If you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n
How would you like to proceed?" 30 90 4 \ How would you like to proceed?" 0 80 4 \
'g' ' Generate new HOTP/TOTP secret' \ 'g' ' Generate new HOTP/TOTP secret' \
'i' ' Ignore error and continue to main menu' \ 'i' ' Ignore error and continue to main menu' \
'p' ' Reset the TPM' \ 'p' ' Reset the TPM' \
@ -181,7 +181,7 @@ update_totp()
case "$option" in case "$option" in
g ) g )
if (whiptail $BG_COLOR_WARNING --title 'Generate new TOTP/HOTP secret' \ if (whiptail $BG_COLOR_WARNING --title 'Generate new TOTP/HOTP secret' \
--yesno "This will erase your old secret and replace it with a new one!\n\nDo you want to proceed?" 16 90) then --yesno "This will erase your old secret and replace it with a new one!\n\nDo you want to proceed?" 0 80) then
generate_totp_htop && update_totp && BG_COLOR_MAIN_MENU="" generate_totp_htop && update_totp && BG_COLOR_MAIN_MENU=""
fi fi
;; ;;
@ -207,7 +207,7 @@ update_hotp()
if ! whiptail $BG_COLOR_WARNING --clear \ if ! whiptail $BG_COLOR_WARNING --clear \
--title "WARNING: Please Insert Your $HOTPKEY_BRANDING" \ --title "WARNING: Please Insert Your $HOTPKEY_BRANDING" \
--yes-button "Retry" --no-button "Skip" \ --yes-button "Retry" --no-button "Skip" \
--yesno "Your $HOTPKEY_BRANDING was not detected.\n\nPlease insert your $HOTPKEY_BRANDING" 30 90 ; then --yesno "Your $HOTPKEY_BRANDING was not detected.\n\nPlease insert your $HOTPKEY_BRANDING" 0 80 ; then
HOTP="Error checking code, Insert $HOTPKEY_BRANDING and retry" HOTP="Error checking code, Insert $HOTPKEY_BRANDING and retry"
BG_COLOR_MAIN_MENU=$BG_COLOR_WARNING BG_COLOR_MAIN_MENU=$BG_COLOR_WARNING
return return
@ -268,7 +268,7 @@ check_gpg_key()
if [ $GPG_KEY_COUNT -eq 0 ]; then if [ $GPG_KEY_COUNT -eq 0 ]; then
BG_COLOR_MAIN_MENU=$BG_COLOR_ERROR BG_COLOR_MAIN_MENU=$BG_COLOR_ERROR
whiptail $BG_COLOR_ERROR --clear --title "ERROR: GPG keyring empty!" \ whiptail $BG_COLOR_ERROR --clear --title "ERROR: GPG keyring empty!" \
--menu "ERROR: Heads couldn't find any GPG keys in your keyring.\n\nIf this is the first time the system has booted,\nyou should add a public GPG key to the BIOS now.\n\nIf you just reflashed a new BIOS, you'll need to add at least one\npublic key to the keyring.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 30 90 4 \ --menu "ERROR: Heads couldn't find any GPG keys in your keyring.\n\nIf this is the first time the system has booted,\nyou should add a public GPG key to the BIOS now.\n\nIf you just reflashed a new BIOS, you'll need to add at least one\npublic key to the keyring.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 0 80 4 \
'g' ' Add a GPG key to the running BIOS' \ 'g' ' Add a GPG key to the running BIOS' \
'F' ' OEM Factory Reset / Re-Ownership' \ 'F' ' OEM Factory Reset / Re-Ownership' \
'i' ' Ignore error and continue to main menu' \ 'i' ' Ignore error and continue to main menu' \
@ -314,7 +314,7 @@ show_main_menu()
{ {
date=`date "+%Y-%m-%d %H:%M:%S %Z"` date=`date "+%Y-%m-%d %H:%M:%S %Z"`
whiptail $BG_COLOR_MAIN_MENU --clear --title "$MAIN_MENU_TITLE" \ whiptail $BG_COLOR_MAIN_MENU --clear --title "$MAIN_MENU_TITLE" \
--menu "$date\nTOTP: $TOTP | HOTP: $HOTP" 20 90 10 \ --menu "$date\nTOTP: $TOTP | HOTP: $HOTP" 0 80 10 \
'd' ' Default boot' \ 'd' ' Default boot' \
'r' ' Refresh TOTP/HOTP' \ 'r' ' Refresh TOTP/HOTP' \
'o' ' Options -->' \ 'o' ' Options -->' \
@ -345,7 +345,7 @@ show_main_menu()
show_options_menu() show_options_menu()
{ {
whiptail $BG_COLOR_MAIN_MENU --clear --title "HEADS Options" \ whiptail $BG_COLOR_MAIN_MENU --clear --title "HEADS Options" \
--menu "" 20 90 10 \ --menu "" 0 80 10 \
'b' ' Boot Options -->' \ 'b' ' Boot Options -->' \
't' ' TPM/TOTP/HOTP Options -->' \ 't' ' TPM/TOTP/HOTP Options -->' \
'u' ' Update checksums and sign all files in /boot' \ 'u' ' Update checksums and sign all files in /boot' \
@ -401,7 +401,7 @@ show_options_menu()
show_boot_options_menu() show_boot_options_menu()
{ {
whiptail $BG_COLOR_MAIN_MENU --clear --title "Boot Options" \ whiptail $BG_COLOR_MAIN_MENU --clear --title "Boot Options" \
--menu "Select A Boot Option" 20 90 10 \ --menu "Select A Boot Option" 0 80 10 \
'm' ' Show OS boot menu' \ 'm' ' Show OS boot menu' \
'u' ' USB boot' \ 'u' ' USB boot' \
'i' ' Ignore tampering and force a boot (Unsafe!)' \ 'i' ' Ignore tampering and force a boot (Unsafe!)' \
@ -428,7 +428,7 @@ show_boot_options_menu()
show_tpm_totp_hotp_options_menu() show_tpm_totp_hotp_options_menu()
{ {
whiptail $BG_COLOR_MAIN_MENU --clear --title "TPM/TOTP/HOTP Options" \ whiptail $BG_COLOR_MAIN_MENU --clear --title "TPM/TOTP/HOTP Options" \
--menu "Select An Option" 20 90 10 \ --menu "Select An Option" 0 80 10 \
'g' ' Generate new TOTP/HOTP secret' \ 'g' ' Generate new TOTP/HOTP secret' \
'r' ' Reset the TPM' \ 'r' ' Reset the TPM' \
't' ' TOTP/HOTP does not match after refresh, troubleshoot' \ 't' ' TOTP/HOTP does not match after refresh, troubleshoot' \
@ -454,7 +454,7 @@ show_tpm_totp_hotp_options_menu()
prompt_totp_mismatch() prompt_totp_mismatch()
{ {
if (whiptail $BG_COLOR_WARNING --title "TOTP/HOTP code mismatched" \ if (whiptail $BG_COLOR_WARNING --title "TOTP/HOTP code mismatched" \
--yesno "TOTP/HOTP code mismatches could indicate either TPM tampering or clock drift:\n\nTo correct clock drift: 'date -s HH:MM:SS'\nand save it to the RTC: 'hwclock -w'\nthen reboot and try again.\n\nWould you like to exit to a recovery console?" 30 90) then --yesno "TOTP/HOTP code mismatches could indicate either TPM tampering or clock drift:\n\nTo correct clock drift: 'date -s HH:MM:SS'\nand save it to the RTC: 'hwclock -w'\nthen reboot and try again.\n\nWould you like to exit to a recovery console?" 0 80) then
echo "" echo ""
echo "To correct clock drift: 'date -s HH:MM:SS'" echo "To correct clock drift: 'date -s HH:MM:SS'"
echo "and save it to the RTC: 'hwclock -w'" echo "and save it to the RTC: 'hwclock -w'"
@ -468,7 +468,7 @@ reset_tpm()
{ {
if [ "$CONFIG_TPM" = "y" ]; then if [ "$CONFIG_TPM" = "y" ]; then
if (whiptail $BG_COLOR_WARNING --title 'Reset the TPM' \ if (whiptail $BG_COLOR_WARNING --title 'Reset the TPM' \
--yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 16 90) then --yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 0 80) then
/bin/tpm-reset /bin/tpm-reset
# now that the TPM is reset, remove invalid TPM counter files # now that the TPM is reset, remove invalid TPM counter files
@ -493,7 +493,7 @@ reset_tpm()
echo "Returning to the main menu" echo "Returning to the main menu"
fi fi
else else
whiptail $BG_COLOR_ERROR --clear --title 'ERROR: No TPM Detected' --msgbox "This device does not have a TPM.\n\nPress OK to return to the Main Menu" 30 90 whiptail $BG_COLOR_ERROR --clear --title 'ERROR: No TPM Detected' --msgbox "This device does not have a TPM.\n\nPress OK to return to the Main Menu" 0 80
fi fi
} }
@ -534,7 +534,7 @@ attempt_default_boot()
kexec-select-boot -b /boot -c "grub.cfg" -g \ kexec-select-boot -b /boot -c "grub.cfg" -g \
|| recovery "Failed default boot" || recovery "Failed default boot"
elif (whiptail $BG_COLOR_WARNING --title 'No Default Boot Option Configured' \ elif (whiptail $BG_COLOR_WARNING --title 'No Default Boot Option Configured' \
--yesno "There is no default boot option configured yet.\nWould you like to load a menu of boot options?\nOtherwise you will return to the main menu." 16 90) then --yesno "There is no default boot option configured yet.\nWould you like to load a menu of boot options?\nOtherwise you will return to the main menu." 0 80) then
kexec-select-boot -m -b /boot -c "grub.cfg" -g kexec-select-boot -m -b /boot -c "grub.cfg" -g
fi fi
} }
@ -543,7 +543,7 @@ force_unsafe_boot()
{ {
# Run the menu selection in "force" mode, bypassing hash checks # Run the menu selection in "force" mode, bypassing hash checks
if (whiptail $BG_COLOR_WARNING --title 'Unsafe Forced Boot Selected!' \ if (whiptail $BG_COLOR_WARNING --title 'Unsafe Forced Boot Selected!' \
--yesno "WARNING: You have chosen to skip all tamper checks and boot anyway.\n\nThis is an unsafe option!\n\nDo you want to proceed?" 16 90) then --yesno "WARNING: You have chosen to skip all tamper checks and boot anyway.\n\nThis is an unsafe option!\n\nDo you want to proceed?" 0 80) then
mount_boot && kexec-select-boot -m -b /boot -c "grub.cfg" -g -f mount_boot && kexec-select-boot -m -b /boot -c "grub.cfg" -g -f
fi fi
} }


@ -60,7 +60,7 @@ verify_global_hashes()
if [ "$gui_menu" = "y" ]; then if [ "$gui_menu" = "y" ]; then
CHANGED_FILES=$(grep -v 'OK$' /tmp/hash_output | cut -f1 -d ':') CHANGED_FILES=$(grep -v 'OK$' /tmp/hash_output | cut -f1 -d ':')
whiptail $BG_COLOR_ERROR --title 'ERROR: Boot Hash Mismatch' \ whiptail $BG_COLOR_ERROR --title 'ERROR: Boot Hash Mismatch' \
--msgbox "The following files failed the verification process:\n${CHANGED_FILES}\nExiting to a recovery shell" 16 90 --msgbox "The following files failed the verification process:\n${CHANGED_FILES}\nExiting to a recovery shell" 0 80
fi fi
die "$TMP_HASH_FILE: boot hash mismatch" die "$TMP_HASH_FILE: boot hash mismatch"
fi fi
@ -103,7 +103,7 @@ get_menu_option() {
done < $TMP_MENU_FILE done < $TMP_MENU_FILE
whiptail --clear --title "Select your boot option" \ whiptail --clear --title "Select your boot option" \
--menu "Choose the boot option [1-$n, a to abort]:" 20 120 8 \ --menu "Choose the boot option [1-$n, a to abort]:" 0 80 8 \
-- $MENU_OPTIONS \ -- $MENU_OPTIONS \
2>/tmp/whiptail || die "Aborting boot attempt" 2>/tmp/whiptail || die "Aborting boot attempt"
@ -137,7 +137,7 @@ confirm_menu_option() {
default_text="Make default" default_text="Make default"
[[ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" = "y" ]] && default_text="${default_text} and boot" [[ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" = "y" ]] && default_text="${default_text} and boot"
whiptail $BG_COLOR_WARNING --clear --title "Confirm boot details" \ whiptail $BG_COLOR_WARNING --clear --title "Confirm boot details" \
--menu "Confirm the boot details for $name:\n\n$(echo $kernel| fold -s -w 80) \n\n" 20 120 8 \ --menu "Confirm the boot details for $name:\n\n$(echo $kernel| fold -s -w 80) \n\n" 0 80 8 \
-- 'd' "${default_text}" 'y' "Boot one time" \ -- 'd' "${default_text}" 'y' "Boot one time" \
2>/tmp/whiptail || die "Aborting boot attempt" 2>/tmp/whiptail || die "Aborting boot attempt"
@ -243,7 +243,7 @@ default_select() {
if [ "$gui_menu" = "y" ]; then if [ "$gui_menu" = "y" ]; then
CHANGED_FILES=$(grep -v 'OK$' /tmp/hash_output | cut -f1 -d ':') CHANGED_FILES=$(grep -v 'OK$' /tmp/hash_output | cut -f1 -d ':')
whiptail $BG_COLOR_ERROR --title 'ERROR: Default Boot Hash Mismatch' \ whiptail $BG_COLOR_ERROR --title 'ERROR: Default Boot Hash Mismatch' \
--msgbox "The following files failed the verification process:\n${CHANGED_FILES}\nExiting to a recovery shell" 16 90 --msgbox "The following files failed the verification process:\n${CHANGED_FILES}\nExiting to a recovery shell" 0 80
fi fi
die "!!! $TMP_DEFAULT_HASH_FILE: default boot hash mismatch" die "!!! $TMP_DEFAULT_HASH_FILE: default boot hash mismatch"
fi fi
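Review bot: In confirm_menu_option the kernel line is still wrapped with `fold -s -w 80`, which suited a 120-column dialog but is now as wide as the whole box, so once borders and padding are subtracted each folded line is likely to be wrapped a second time by whiptail. This is the text the user reads before accepting a boot entry as the default, so it should be folded to a width below the box, for example `$(echo $kernel| fold -s -w 76)`; the exact inner width needs checking on both whiptail and fbwhiptail. The same 120-to-80 narrowing applies to the `$MENU_OPTIONS` menus in get_menu_option here and to the USB disk and ISO boot menus, where entries with long names should be checked for truncation. These functions start outside the visible hunks.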


@ -66,7 +66,7 @@ if [ -z ${USB_MOUNT_DEVICE} ]; then
MENU_OPTIONS="$MENU_OPTIONS a Abort" MENU_OPTIONS="$MENU_OPTIONS a Abort"
whiptail $BG_COLOR --clear --title "Select your USB disk" \ whiptail $BG_COLOR --clear --title "Select your USB disk" \
--menu "Choose your USB disk [1-$n, a to abort]:" 20 120 8 \ --menu "Choose your USB disk [1-$n, a to abort]:" 0 80 8 \
-- $MENU_OPTIONS \ -- $MENU_OPTIONS \
2>/tmp/whiptail 2>/tmp/whiptail


@ -12,8 +12,8 @@ export TOP_PID=$$
CLEAR="--clear" CLEAR="--clear"
CONTINUE="--yes-button Continue" CONTINUE="--yes-button Continue"
CANCEL="--no-button Cancel" CANCEL="--no-button Cancel"
HEIGHT="30" HEIGHT="0"
WIDTH="90" WIDTH="80"
USER_PIN_DEF=123456 USER_PIN_DEF=123456
ADMIN_PIN_DEF=12345678 ADMIN_PIN_DEF=12345678
@ -298,7 +298,7 @@ report_integrity_measurements()
HOTP=`unseal-hotp` > /dev/null 2>&1 HOTP=`unseal-hotp` > /dev/null 2>&1
enable_usb enable_usb
if ! hotp_verification info > /dev/null 2>&1 ; then if ! hotp_verification info > /dev/null 2>&1 ; then
whiptail $CONFIG_WARNING_BG_COLOR --clear --title 'WARNING: Please insert your HOTP enabled USB Security dongle' --msgbox "Your HOTP enabled USB Security dongle was not detected.\n\nPlease remove it and insert it again." 30 90 whiptail $CONFIG_WARNING_BG_COLOR --clear --title 'WARNING: Please insert your HOTP enabled USB Security dongle' --msgbox "Your HOTP enabled USB Security dongle was not detected.\n\nPlease remove it and insert it again." 0 80
fi fi
# Don't output HOTP codes to screen, so as to make replay attacks harder # Don't output HOTP codes to screen, so as to make replay attacks harder
hotp_verification check $HOTP hotp_verification check $HOTP
@ -330,7 +330,7 @@ report_integrity_measurements()
fi fi
#Show results #Show results
whiptail $MAIN_MENU_BG_COLOR --clear --title "Measured Integrity Report" --msgbox "$date\nTOTP: $TOTP | HOTP: $HOTP\n/BOOT INTEGRITY: $HASH\n\nPress OK to continue or Ctrl+Alt+Delete to reboot" 30 90 whiptail $MAIN_MENU_BG_COLOR --clear --title "Measured Integrity Report" --msgbox "$date\nTOTP: $TOTP | HOTP: $HOTP\n/BOOT INTEGRITY: $HASH\n\nPress OK to continue or Ctrl+Alt+Delete to reboot" 0 80
fi fi
} }
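Review bot: `HEIGHT` and `WIDTH` are updated to `0` and `80` at the top of this script, but the two whiptail calls changed in report_integrity_measurements hard-code `0 80` instead of using them. Ending both calls with `$HEIGHT $WIDTH` keeps a single place to adjust the geometry, which matters here because the 'Measured Integrity Report' box is where the user reads the TOTP/HOTP and /boot integrity result. More generally, the literal `0 80` is now repeated across all ten files, and a shared pair of variables would make the next geometry change a one-line edit. report_integrity_measurements starts outside these hunks.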


@ -53,4 +53,4 @@ export BG_COLOR_MAIN_MENU=""
FB_OPTIONS="" FB_OPTIONS=""
if whiptail --version |grep "fbwhiptail"; then FB_OPTIONS="--text-size 12"; fi if whiptail --version |grep "fbwhiptail"; then FB_OPTIONS="--text-size 12"; fi
whiptail $BG_COLOR_MAIN_MENU $FB_OPTIONS --title 'System Info' \ whiptail $BG_COLOR_MAIN_MENU $FB_OPTIONS --title 'System Info' \
--msgbox "${BOARD_NAME}\nFW_VER: ${FW_VER}\nKernel: ${kernel}\nCPU: ${cpustr} RAM: ${memtotal} GB $battery_status\n$(fdisk -l | grep -e '/dev/sd.:' -e '/dev/nvme.*:' | sed 's/B,.*/B/')\n\n$(cat /tmp/devices_usb_pci)" 40 90 --msgbox "${BOARD_NAME}\nFW_VER: ${FW_VER}\nKernel: ${kernel}\nCPU: ${cpustr} RAM: ${memtotal} GB $battery_status\n$(fdisk -l | grep -e '/dev/sd.:' -e '/dev/nvme.*:' | sed 's/B,.*/B/')\n\n$(cat /tmp/devices_usb_pci)" 0 80


@ -30,7 +30,7 @@ get_menu_option() {
done < /tmp/iso_menu.txt done < /tmp/iso_menu.txt
whiptail $BG_COLOR_MAIN_MENU --clear --title "Select your ISO boot option" \ whiptail $BG_COLOR_MAIN_MENU --clear --title "Select your ISO boot option" \
--menu "Choose the ISO boot option [1-$n, s for standard boot, a to abort]:" 20 120 8 \ --menu "Choose the ISO boot option [1-$n, s for standard boot, a to abort]:" 0 80 8 \
-- $MENU_OPTIONS \ -- $MENU_OPTIONS \
2>/tmp/whiptail || die "Aborting boot attempt" 2>/tmp/whiptail || die "Aborting boot attempt"


@ -78,7 +78,7 @@ while : ; do
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
#if no external provisioning provides current Disk Recovery Key passphrase #if no external provisioning provides current Disk Recovery Key passphrase
whiptail --title 'Reencrypt LUKS disk encrypted container ?' \ whiptail --title 'Reencrypt LUKS disk encrypted container ?' \
--msgbox "This will replace the encrypted container content and its Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user in the\nfollowing conditions:\n 1-Every boot if no Disk unlock key was added to the TPM\n 2-If the TPM fails (Hardware failure)\n 3-If the firmware has been tampered with/upgraded/modified by the user\n\nThis process requires you to type the current Disk Recovery Key passphrase\nand will delete TPM Disk unlock key slot if setuped by setting a default boot\n LUKS header (slot 1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to\nthe LUKS device container.\n\nHit Enter to continue." 30 90 --msgbox "This will replace the encrypted container content and its Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user in the\nfollowing conditions:\n 1-Every boot if no Disk unlock key was added to the TPM\n 2-If the TPM fails (Hardware failure)\n 3-If the firmware has been tampered with/upgraded/modified by the user\n\nThis process requires you to type the current Disk Recovery Key passphrase\nand will delete TPM Disk unlock key slot if setuped by setting a default boot\n LUKS header (slot 1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to\nthe LUKS device container.\n\nHit Enter to continue." 0 80
echo -e "\nEnter current Disk Recovery Key passphrase (Provisioned at OS installation or by OEM):" echo -e "\nEnter current Disk Recovery Key passphrase (Provisioned at OS installation or by OEM):"
read -r luks_current_Disk_Recovery_Key_passphrase read -r luks_current_Disk_Recovery_Key_passphrase
echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase
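Review bot: Right after the resized prompt the Disk Recovery Key passphrase is read with plain `read -r`, so it is echoed to the screen as typed, and it is then written in clear to /tmp/luks_current_Disk_Recovery_Key_passphrase. If the shell used in the initrd supports it, `read -r -s luks_current_Disk_Recovery_Key_passphrase` avoids the echo. The temporary file should be created with restrictive permissions and removed once the re-encryption step has consumed it; whether such cleanup already exists cannot be seen from this hunk. The `while :` loop continues outside the hunk.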