ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2025-01-30 16:14:01 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Make TPM dependency optional and controlled by flag CONFIG_TPM

Browse Source 
if "CONFIG_TPM=y" is not present in the config file, functionalities
needing TPM could be disabled, while leaving other functionalities intact.

This will make Heads a more general-usage bootloader payload atop coreboot.
This commit is contained in:
persmule 2017-12-05 16:29:07 +08:00
parent 55c4864d3d
commit 9bf131b601
6 changed files with 95 additions and 78 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
boards/librem13v2.config
View File

@ -15,6 +15,7 @@ CONFIG_QRENCODE=y
CONFIG_TPMTOTP=y CONFIG_TPMTOTP=y
CONFIG_LINUX_USB=y CONFIG_LINUX_USB=y
CONFIG_TPM=y
CONFIG_BOOTSCRIPT=/bin/generic-init CONFIG_BOOTSCRIPT=/bin/generic-init

1
boards/x230.config
View File

@ -17,6 +17,7 @@ CONFIG_TPMTOTP=y
CONFIG_XEN=y CONFIG_XEN=y
CONFIG_XEN_VERSION=4.8 CONFIG_XEN_VERSION=4.8
CONFIG_DROPBEAR=y CONFIG_DROPBEAR=y
CONFIG_TPM=y
CONFIG_LINUX_USB=y CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000E=y CONFIG_LINUX_E1000E=y

24
initrd/bin/kexec-save-default
View File

@ -1,6 +1,7 @@
#!/bin/sh #!/bin/sh
# Save these options to be the persistent default # Save these options to be the persistent default
set -e -o pipefail set -e -o pipefail
. /etc/config
. /etc/functions . /etc/functions
while getopts "b:d:p:i:" arg; do while getopts "b:d:p:i:" arg; do
@ -44,6 +45,7 @@ fi
KEY_DEVICES="$paramsdir/kexec_key_devices.txt" KEY_DEVICES="$paramsdir/kexec_key_devices.txt"
KEY_LVM="$paramsdir/kexec_key_lvm.txt" KEY_LVM="$paramsdir/kexec_key_lvm.txt"
save_key="n" save_key="n"
if [ "$CONFIG_TPM" = "y" ]; then
if [ ! -r "$KEY_DEVICES" ]; then if [ ! -r "$KEY_DEVICES" ]; then
read \ read \
-n 1 \ -n 1 \
@ -52,8 +54,7 @@ if [ ! -r "$KEY_DEVICES" ]; then
echo echo
if [ "$add_key_confirm" = "y" \ if [ "$add_key_confirm" = "y" \
-o "$add_key_confirm" = "Y" ] \ -o "$add_key_confirm" = "Y" ]; then
; then
lvm_suggest="e.g. qubes_dom0 or blank" lvm_suggest="e.g. qubes_dom0 or blank"
devices_suggest="e.g. /dev/sda2 or blank" devices_suggest="e.g. /dev/sda2 or blank"
save_key="y" save_key="y"
@ -66,15 +67,17 @@ else
echo echo
if [ "$change_key_confirm" = "y" \ if [ "$change_key_confirm" = "y" \
-o "$change_key_confirm" = "Y" ] \ -o "$change_key_confirm" = "Y" ]; then
; then
old_lvm_volume_group="" old_lvm_volume_group=""
if [ -r "$KEY_LVM" ]; then if [ -r "$KEY_LVM" ]; then
old_lvm_volume_group=`cat $KEY_LVM` || true old_lvm_volume_group=`cat $KEY_LVM` || true
old_key_devices=`cat $KEY_DEVICES | cut -d\ -f1 \ old_key_devices=`cat $KEY_DEVICES \
| grep -v "$old_lvm_volume_group" | xargs` || true | cut -d\ -f1 \
| grep -v "$old_lvm_volume_group" \
| xargs` || true
else else
old_key_devices=`cat $KEY_DEVICES | cut -d\ -f1 | xargs` || true old_key_devices=`cat $KEY_DEVICES \
| cut -d\ -f1 | xargs` || true
fi fi
lvm_suggest="was '$old_lvm_volume_group'" lvm_suggest="was '$old_lvm_volume_group'"
@ -108,6 +111,7 @@ if [ "$save_key" = "y" ]; then
kexec-save-key $save_key_params \ kexec-save-key $save_key_params \
|| die "Failed to save the disk key" || die "Failed to save the disk key"
fi fi
fi
# try to switch to rw mode # try to switch to rw mode
mount -o rw,remount $paramsdev mount -o rw,remount $paramsdev
@ -126,7 +130,11 @@ if [ ! -r $ENTRY_FILE -o ! -r $HASH_FILE ]; then
fi fi
# sign and auto-roll config counter # sign and auto-roll config counter
kexec-sign-config -p $paramsdir -u \ extparam=
if [ "$CONFIG_TPM" = "y" ]; then
extparam=-u
fi
kexec-sign-config -p $paramsdir $extparam \
|| die "Failed to sign default config" || die "Failed to sign default config"
# switch back to ro mode # switch back to ro mode

8
initrd/bin/kexec-select-boot
View File

@ -232,7 +232,8 @@ do_boot()
die "!!! Missing required boot hashes" die "!!! Missing required boot hashes"
fi fi
if [ -r "$TMP_KEY_DEVICES" ]; then if [ "$CONFIG_TPM" = "y" \
-a -r "$TMP_KEY_DEVICES" ]; then
INITRD=`kexec-boot -b "$bootdir" -e "$option" -i` \ INITRD=`kexec-boot -b "$bootdir" -e "$option" -i` \
|| die "!!! Failed to extract the initrd from boot option" || die "!!! Failed to extract the initrd from boot option"
if [ -z "$INITRD" ]; then if [ -z "$INITRD" ]; then
@ -261,7 +262,8 @@ while true; do
TMP_KEY_DEVICES="/tmp/kexec/kexec_key_devices.txt" TMP_KEY_DEVICES="/tmp/kexec/kexec_key_devices.txt"
TMP_KEY_LVM="/tmp/kexec/kexec_key_lvm.txt" TMP_KEY_LVM="/tmp/kexec/kexec_key_lvm.txt"
if [ ! -r "$TMP_KEY_DEVICES" ]; then if [ "$CONFIG_TPM" = "y" \
-a ! -r "$TMP_KEY_DEVICES" ]; then
# Extend PCR4 as soon as possible # Extend PCR4 as soon as possible
tpm extend -ix 4 -ic generic \ tpm extend -ix 4 -ic generic \
|| die "Failed to extend PCR 4" || die "Failed to extend PCR 4"
@ -272,6 +274,7 @@ while true; do
scan_options scan_options
fi fi
if [ "$CONFIG_TPM" = "y" ]; then
# Optionally enforce device file hashes # Optionally enforce device file hashes
if [ -r "$TMP_HASH_FILE" ]; then if [ -r "$TMP_HASH_FILE" ]; then
valid_global_hash="n" valid_global_hash="n"
@ -289,6 +292,7 @@ while true; do
verify_rollback_counter verify_rollback_counter
fi fi
fi
if [ "$default_failed" != "y" \ if [ "$default_failed" != "y" \
-a "$force_menu" = "n" \ -a "$force_menu" = "n" \

2
initrd/bin/usb-init
View File

@ -4,8 +4,10 @@
. /etc/functions . /etc/functions
. /etc/config . /etc/config
if [ "$CONFIG_TPM" = "y" ]; then
# Extend PCR4 as soon as possible # Extend PCR4 as soon as possible
tpm extend -ix 4 -ic usb tpm extend -ix 4 -ic usb
fi
usb-scan usb-scan
recovery "Something failed during USB boot" recovery "Something failed during USB boot"

5
initrd/etc/functions
View File

@ -17,8 +17,9 @@ recovery() {
# but recreate the directory so that new tools can use it. # but recreate the directory so that new tools can use it.
rm -rf /tmp/secret rm -rf /tmp/secret
mkdir -p /tmp/secret mkdir -p /tmp/secret
if [ "$CONFIG_TPM" = y ]; then
tpm extend -ix 4 -ic recovery tpm extend -ix 4 -ic recovery
fi
echo >&2 "!!!!! Starting recovery shell" echo >&2 "!!!!! Starting recovery shell"
sleep 1 sleep 1
exec /bin/ash exec /bin/ash
@ -41,7 +42,7 @@ confirm_totp()
date=`date "+%Y-%m-%d %H:%M:%S"` date=`date "+%Y-%m-%d %H:%M:%S"`
seconds=`date "+%s"` seconds=`date "+%s"`
half=`expr \( $seconds % 60 \) / 30` half=`expr \( $seconds % 60 \) / 30`
if [ "$CONFIG_TPM" = n ]; then if [ "$CONFIG_TPM" != y ]; then
TOTP="NO TPM" TOTP="NO TPM"
elif [ "$half" != "$last_half" ]; then elif [ "$half" != "$last_half" ]; then
last_half=$half; last_half=$half;