oem-factory-reset: make passphrase variables able to contain arbitrary strings and validate things more solidly

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Thierry Laurion 2023-10-26 16:50:10 -04:00
parent 56b602974b
commit 9e838ad615


@ -38,8 +38,7 @@ CUSTOM_PASS_AFFECTED_COMPONENTS=""
# Default GPG Algorithm is RSA
GPG_ALGO="RSA"
# Default RSA key length
#TODO change it back to 3076. Canokey cannot be tested easily and Nitrokey prov1 I have doesn't key-attr to 3076
RSA_KEY_LENGTH=2048
RSA_KEY_LENGTH=3072
GPG_USER_NAME="OEM Key"
GPG_KEY_NAME=$(date +%Y%m%d%H%M%S)
@ -74,7 +73,7 @@ whiptail_error_die() {
#Generate a gpg master key: no expiration date, RSA 4096 bits
#This key will be used to sign 3 subkeys: encryption, authentication and signing
#The master key will be stored on the disk, and the subkeys on the smartcard
#The master key and subkeys will be copied to backup, and the subkeys moved from memory keyring to the smartcard
generate_inmemory_RSA_master_and_subkeys() {
TRACE "Under oem-factory-reset:generate_inmemory_RSA_master_and_subkeys"
echo "Generating GPG key material in memory:"
@ -91,8 +90,7 @@ generate_inmemory_RSA_master_and_subkeys() {
echo "Expire-Date: 0"
echo "Passphrase: ${ADMIN_PIN}"
echo "%commit"
} | gpg --batch --gen-key \
>/tmp/gpg_card_edit_output 2>&1
} | gpg --command-fd=0 --status-fd=1 --batch --gen-key >/tmp/gpg_card_edit_output 2>&1
if [ $? -ne 0 ]; then
ERROR=$(cat /tmp/gpg_card_edit_output)
whiptail_error_die "GPG Key generation failed!\n\n$ERROR"
@ -173,55 +171,66 @@ generate_inmemory_RSA_master_and_subkeys() {
#Generate a gpg master key: no expiration date, p256 key (ECC)
#This key will be used to sign 3 subkeys: encryption, authentication and signing
#The master key will be stored on the disk, and the subkeys on the smartcard
#The master key and subkeys will be copied to backup, and the subkeys moved from memory keyring to the smartcard
generate_inmemory_p256_master_and_subkeys() {
DEBUG "Generating GPG key material in memory:"
gpg --expert --batch --pinentry-mode=loopback --passphrase ${ADMIN_PIN} --quick-generate-key "${GPG_USER_NAME} (${GPG_USER_COMMENT}) <${GPG_USER_MAIL}>" nistp256 cert 0
TRACE "Under oem-factory-reset:generate_inmemory_p256_master_and_subkeys"
DEBUG "Getting master key fingerprint..."
echo "Generating GPG p256 bits master key..."
{
echo "Key-Type: ECDSA"
echo "Key-Curve: nistp256"
echo "Key-Usage: cert"
echo "Name-Real: ${GPG_USER_NAME}"
echo "Name-Comment: ${GPG_USER_COMMENT}"
echo "Name-Email: ${GPG_USER_MAIL}"
echo "Expire-Date: 0"
echo "%commit"
} | gpg --expert --batch --pinentry-mode=loopback --passphrase=<(echo -n "${ADMIN_PIN}") --generate-key \
>/tmp/gpg_card_edit_output 2>&1
if [ $? -ne 0 ]; then
ERROR=$(cat /tmp/gpg_card_edit_output)
whiptail_error_die "GPG p256 Key generation failed!\n\n$ERROR"
fi
#Keep Master key fingerprint for add key calls
MASTER_KEY_FP=$(gpg --list-secret-keys --with-colons | grep fpr | cut -d: -f10)
DEBUG "MASTER_KEY_FP=${MASTER_KEY_FP}"
DEBUG "Adding GPG nistp256 signing subkey to master key..."
echo "Generating GPG nistp256 signing subkey..."
{
echo addkey
echo 11 # ECC own set capability
echo Q # sign already present
echo 3 # P-256
echo 0 # no expiration
echo save # save the key
} | gpg --command-fd=0 --passphrase ${ADMIN_PIN} --pinentry-mode=loopback --expert --edit-key ${MASTER_KEY_FP} >/tmp/gpg_card_edit_output 2>&1
echo 11 # ECC own set capability
echo Q # sign already present
echo 3 # P-256
echo 0 # no expiration
} | gpg --expert --command-fd=0 --status-fd=1 --passphrase=<(echo -n "${ADMIN_PIN}") --pinentry-mode=loopback --edit-key ${MASTER_KEY_FP} >/tmp/gpg_card_edit_output 2>&1
if [ $? -ne 0 ]; then
ERROR_MSG=$(cat /tmp/gpg_card_edit_output)
whiptail_error_die "Failed to add ECC nistp256 signing key to master key\n\n${ERROR_MSG}"
fi
DEBUG "Adding GPG nistp256 encryption subkey to master key..."
echo "Generating GPG nistp256 encryption subkey..."
{
echo addkey
echo 12# ECC encrypt only
echo E # encrypt already present
echo 3 # P-256
echo 0 # no expiration
echo save # save the key
} | gpg --command-fd=0 --passphrase ${ADMIN_PIN} --pinentry-mode=loopback --expert --edit-key ${MASTER_KEY_FP} >/tmp/gpg_card_edit_output 2>&1
echo E # encrypt already present
echo 3 # P-256
echo 0 # no expiration
} | gpg --expert --command-fd=0 --status-fd=1 --passphrase=<(echo -n "${ADMIN_PIN}") --pinentry-mode=loopback --edit-key ${MASTER_KEY_FP} >/tmp/gpg_card_edit_output 2>&1
if [ $? -ne 0 ]; then
ERROR_MSG=$(cat /tmp/gpg_card_edit_output)
whiptail_error_die "Failed to add ECC nistp256 encryption key to master key\n\n${ERROR_MSG}"
fi
DEBUG "Adding GPG nistp256 authentication subkey to master key..."
echo "Generating GPG nistp256 authentication subkey..."
{
echo addkey
echo 11 # ECC own set capability
echo S # deactivate sign
echo A # activate auth
echo Q # Quit
echo 3 # P-256
echo 0 # no expiration
echo save # save the key
} | gpg --command-fd=0 --passphrase ${ADMIN_PIN} --pinentry-mode=loopback --expert --edit-key ${MASTER_KEY_FP} >/tmp/gpg_card_edit_output 2>&1
echo 11 # ECC own set capability
echo S # deactivate sign
echo A # activate auth
echo Q # Quit
echo 3 # P-256
echo 0 # no expiration
} | gpg --expert --command-fd=0 --status-fd=1 --passphrase=<(echo -n "${ADMIN_PIN}") --pinentry-mode=loopback --edit-key ${MASTER_KEY_FP} >/tmp/gpg_card_edit_output 2>&1
if [ $? -ne 0 ]; then
ERROR_MSG=$(cat /tmp/gpg_card_edit_output)
whiptail_error_die "Failed to add ECC nistp256 authentication key to master key\n\n${ERROR_MSG}"
@ -242,31 +251,29 @@ keytocard_subkeys_to_smartcard() {
enable_usb_storage
gpg --card-status >/dev/null 2>&1 || die "Error getting GPG card status"
DEBUG "Factory resetting the smartcard..."
echo "Factory resetting the smartcard..."
gpg_key_factory_reset
DEBUG "Moving subkeys to smartcard..."
#keytocard all subkeys
echo "Moving subkeys to smartcard..."
{
echo "key 1" #Select Signature key
echo "keytocard"
echo "1" # Signature key
echo "$ADMIN_PIN" #Smartcard admin pin
echo "$ADMIN_PIN" #Subkey PIN
echo "0" #No expiration date
echo "1" # Signature key
echo "${ADMIN_PIN}" #Smartcard admin pin
echo "${ADMIN_PIN}" #Subkey PIN
echo "0" #No expiration date
echo "key 1"
echo "key 2"
echo "keytocard"
echo "2" # Encryption key
echo "$ADMIN_PIN"
echo "$ADMIN_PIN"
echo "${ADMIN_PIN}"
echo "${ADMIN_PIN}"
echo "key 2"
echo "key 3"
echo "keytocard"
echo "3" # Authentication key
echo "$ADMIN_PIN"
echo "$ADMIN_PIN"
echo "${ADMIN_PIN}"
echo "${ADMIN_PIN}"
echo "key 3"
echo "save"
} | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --expert --edit-key "${GPG_USER_MAIL}" \
@ -275,7 +282,7 @@ keytocard_subkeys_to_smartcard() {
ERROR=$(cat /tmp/gpg_card_edit_output)
whiptail_error_die "GPG Key moving subkeys to smartcard failed!\n\n$ERROR"
fi
DEBUG "Moving subkeys to smartcard done."
echo "Moving subkeys to smartcard done."
}
#Whiptail prompt to disconnect any external USB storage device
@ -326,7 +333,7 @@ export_master_key_subkeys_and_revocation_key_to_private_LUKS_container() {
shift
;;
--pass)
pass="$2"
pass="${2}"
shift
shift
;;
@ -340,14 +347,17 @@ export_master_key_subkeys_and_revocation_key_to_private_LUKS_container() {
#Export master key and subkeys to thumb drive
DEBUG "Exporting master key and subkeys to private LUKS container's partition..."
gpg --export-secret-key --armor --pinentry-mode loopback --passphrase-file <(echo -n "${pass}") "${GPG_USER_MAIL}" >"$mountpoint"/privkey.sec ||
DEBUG "TODO DELETE THIS pass= ${pass} here"
gpg --export-secret-key --armor --pinentry-mode loopback --passphrase=<(echo -n "${pass}") "${GPG_USER_MAIL}" >"$mountpoint"/privkey.sec ||
die "Error exporting master key to private LUKS container's partition"
gpg --export-secret-subkeys --armor --pinentry-mode loopback --passphrase-file <(echo -n "${pass}") "${GPG_USER_MAIL}" >"$mountpoint"/subkeys.sec ||
gpg --export-secret-subkeys --armor --pinentry-mode loopback --passphrase=<(echo -n "${pass}") "${GPG_USER_MAIL}" >"$mountpoint"/subkeys.sec ||
die "Error exporting subkeys to private LUKS container's partition"
#copy whole keyring to thumb drive, including revocation key and trust database
cp -af ~/.gnupg "$mountpoint"/.gnupg || die "Error copying whole keyring to private LUKS container's partition"
#Unmount private LUKS container's mount point
umount "$mountpoint" || die "Error unmounting private LUKS container's mount point"
TRACE "Under oem-factory-reset:export_master_key_subkeys_and_revocation_key_to_private_LUKS_container done"
}
#Export public key to thumb drive's public partition
@ -402,9 +412,9 @@ wipe_thumb_drive_and_copy_gpg_key_material() {
fi
select_luks_container_size_percent
#Wipe thumb drive with a LUKS container of size $(cat /tmp/luks_container_size_percent)
prepare_thumb_drive --device "$thumb_drive" --percentage "$(cat /tmp/luks_container_size_percent)" --pass "$ADMIN_PIN"
prepare_thumb_drive --device "$thumb_drive" --percentage "$(cat /tmp/luks_container_size_percent)" --pass "${ADMIN_PIN}"
#Export master key and subkeys to thumb drive first partition
export_master_key_subkeys_and_revocation_key_to_private_LUKS_container --mode rw --device "$thumb_drive"1 --mountpoint /media --pass "$ADMIN_PIN"
export_master_key_subkeys_and_revocation_key_to_private_LUKS_container --mode rw --device "$thumb_drive"1 --mountpoint /media --pass "${ADMIN_PIN}"
#Export public key to thumb drive's public partition
export_public_key_to_thumbdrive_public_partition --mode rw --device "$thumb_drive"2 --mountpoint /media
}
@ -416,7 +426,7 @@ gpg_key_factory_reset() {
enable_usb
# Factory reset GPG card
DEBUG "GPG factory reset..."
echo "GPG factory reset of smartcard..."
{
echo admin
echo factory-reset
@ -467,7 +477,7 @@ gpg_key_factory_reset() {
whiptail_error_die "Setting key to NIST-P256 in USB security dongle failed."
fi
# fallback to RSA key generation by default
else
elif [ "$GPG_ALGO" = "rsa" ]; then
DEBUG "GPG setting RSA key length to ${RSA_KEY_LENGTH} bits..."
# Set RSA key length
{
@ -488,33 +498,33 @@ gpg_key_factory_reset() {
ERROR=$(cat /tmp/gpg_card_edit_output)
whiptail_error_die "Setting key attributed to RSA ${RSA_KEY_LENGTH} bits in USB security dongle failed."
fi
else
#Unknown GPG_ALGO
whiptail_error_die "Unknown GPG_ALGO: $GPG_ALGO"
fi
}
generate_OEM_gpg_keys() {
# Generate OEM GPG keys
TRACE "Under oem-factory-reset:generate_OEM_gpg_keys"
#TODO: finish refactoring to adapt to GPG_ALGO != RSA
if [ "$GPG_ALGO" = "RSA" ]; then
DEBUG "Generating GPG keys to RSA ${RSA_KEY_LENGTH} bits in smartcard..."
{
echo admin
echo generate
echo n
echo ${ADMIN_PIN_DEF}
echo ${USER_PIN_DEF}
echo 0
echo ${GPG_USER_NAME}
echo ${GPG_USER_MAIL}
echo ${GPG_USER_COMMENT}
echo ${USER_PIN_DEF}
} | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \
>/tmp/gpg_card_edit_output 2>&1
if [ $? -ne 0 ]; then
ERROR=$(cat /tmp/gpg_card_edit_output)
whiptail_error_die "GPG Key automatic keygen failed!\n\n$ERROR"
fi
#This function simply generates subkeys in smartcard following smarcard config from gpg_key_factory_reset
echo "Generating GPG keys in smartcard..."
{
echo admin
echo generate
echo n
echo ${ADMIN_PIN_DEF}
echo ${USER_PIN_DEF}
echo 0
echo ${GPG_USER_NAME}
echo ${GPG_USER_MAIL}
echo ${GPG_USER_COMMENT}
echo ${USER_PIN_DEF}
} | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \
>/tmp/gpg_card_edit_output 2>&1
if [ $? -ne 0 ]; then
ERROR=$(cat /tmp/gpg_card_edit_output)
whiptail_error_die "GPG Key automatic keygen failed!\n\n$ERROR"
fi
}
@ -606,7 +616,7 @@ generate_checksums() {
# sign kexec boot files
if sha256sum $param_files 2>/dev/null | gpg \
--pinentry-mode loopback \
--passphrase "$USER_PIN" \
--passphrase "${USER_PIN}" \
--digest-algo SHA256 \
--detach-sign \
-a \
@ -784,7 +794,7 @@ $TPM_STR
fi
# We show current integrity measurements status and time
#TODO: Reactivate this prior of PR review
#TODO: readd prior of PR review request. Also make sure that check_config is called to check kexec.sig (detached signature validation)
#report_integrity_measurements
# Determine gpg algorithm to be used, based on available usb-token
@ -798,6 +808,7 @@ fi
if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
#Give general guidance to user on how to answer prompts
echo
echo "The following questionnaire will help you to configure the security components of your system."
echo "You will be prompted for each option to answer a single letter at prompts (Y/n/m)."
echo "If you don't know what to answer, just press Enter to use default value which is shown between [] brackets as the uppercase letter."
@ -830,8 +841,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
-o "$prompt_output" == "M" ] \
; then
GPG_GEN_KEY_IN_MEMORY=1
#TODO: present steps clearer for user
echo "Master key and subkeys will be generated in memory, backuped to dedicated LUKS container and then subkeys imported to factory resetted smartcard."
echo "Master key and subkeys will be generated in memory, backuped to dedicated LUKS container and then subkeys copied to smartcard."
else
GPG_GEN_KEY_IN_MEMORY=0
fi
@ -866,13 +876,13 @@ GPG User PIN"
read CUSTOM_SINGLE_PASS
done
echo
TPM_PASS=$CUSTOM_SINGLE_PASS
USER_PIN=$CUSTOM_SINGLE_PASS
ADMIN_PIN=$CUSTOM_SINGLE_PASS
TPM_PASS=${CUSTOM_SINGLE_PASS}
USER_PIN=${CUSTOM_SINGLE_PASS}
ADMIN_PIN=${CUSTOM_SINGLE_PASS}
# Only set if user said desired. Matches rest of logic
if [ -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
luks_new_Disk_Recovery_Key_passphrase=$CUSTOM_SINGLE_PASS
luks_new_Disk_Recovery_Key_passphrase=${CUSTOM_SINGLE_PASS}
fi
else
echo -e -n "Would you like to set distinct PINs/passwords to be provisioned to previously stated security components? [y/N]: "
@ -950,9 +960,9 @@ GPG User PIN"
fi
# If nothing is stored in custom variables, we set them to their defaults
if [ "$TPM_PASS" == "" ]; then TPM_PASS=$TPM_PASS_DEF; fi
if [ "$USER_PIN" == "" ]; then USER_PIN=$USER_PIN_DEF; fi
if [ "$ADMIN_PIN" == "" ]; then ADMIN_PIN=$ADMIN_PIN_DEF; fi
if [ "$TPM_PASS" == "" ]; then TPM_PASS=${TPM_PASS_DEF}; fi
if [ "$USER_PIN" == "" ]; then USER_PIN=${USER_PIN_DEF}; fi
if [ "$ADMIN_PIN" == "" ]; then ADMIN_PIN=${ADMIN_PIN_DEF}; fi
## sanity check the USB, GPG key, and boot device before proceeding further
@ -1003,12 +1013,10 @@ assert_signable
# Action time...
#TODO: Should we replace text from "Add a new GPG key" to "Replace current GPG key"? Should we wipe current keyring?
#Current logic is for factory reset, where re-ownership adds key to the keyring which is then copied over cbfs.
# In the all case, we should wipe the keyring since otherwise, USB security dongle is wiped but not the keyring which exposes past public keys
# this seems wrong
# clear local keyring
rm /.gnupg/* | true
rm -rf /.gnupg/* >/dev/null 2>&1 || true
# clear gpg-agent cache so that next gpg calls doesn't have past keyring in memory
killall gpg-agent >/dev/null 2>&1 || true
# detect and set /boot device
echo -e "\nDetecting and setting boot device...\n"
@ -1051,9 +1059,8 @@ rm /.gnupg/*.gpg 2>/dev/null
rm /.gnupg/*.kbx 2>/dev/null
gpg --list-keys >/dev/null 2>&1
#Generate key in memory and copy to smartcard
#Generate keys in memory and copy to smartcard
if [ "$GPG_GEN_KEY_IN_MEMORY" == "1" ]; then
# TODO: Refactoring in progress for RSA and p256 support. Now just GPG_ALGO RSA
if [ "$GPG_ALGO" == "RSA" ]; then
# Generate GPG master key
generate_inmemory_RSA_master_and_subkeys
@ -1061,7 +1068,6 @@ if [ "$GPG_GEN_KEY_IN_MEMORY" == "1" ]; then
wipe_thumb_drive_and_copy_gpg_key_material
#TODO seperate setting config
set_user_config CONFIG_HAVE_GPG_KEY_BACKUP y
gpg_key_factory_reset #TODO: do we currently double reset? I think so
keytocard_subkeys_to_smartcard
elif [ "$GPG_ALGO" == "p256" ]; then
generate_inmemory_p256_master_and_subkeys
@ -1069,14 +1075,12 @@ if [ "$GPG_GEN_KEY_IN_MEMORY" == "1" ]; then
wipe_thumb_drive_and_copy_gpg_key_material
#TODO seperate setting config
set_user_config CONFIG_HAVE_GPG_KEY_BACKUP y
gpg_key_factory_reset #TODO: do we currently double reset? I think so
keytocard_subkeys_to_smartcard
else
die "Unsupported GPG_ALGO: $GPG_ALGO"
fi
else
#Generate GPG key and subkeys on smartcard
## reset the GPG Key
#Generate GPG key and subkeys on smartcard only
echo -e "\nResetting GPG Key...\n(this will take around 3 minutes...)\n"
gpg_key_factory_reset
generate_OEM_gpg_keys
@ -1087,37 +1091,34 @@ GPG_GEN_KEY=$(gpg --list-keys --with-colons | grep "^fpr" | cut -d: -f10 | head
#Where to export the public key
PUBKEY="/tmp/${GPG_GEN_KEY}.asc"
DEBUG "GPG_GEN_KEY: $GPG_GEN_KEY"
DEBUG "PUBKEY: $PUBKEY"
# export pubkey to file
if ! gpg --export --armor "$GPG_GEN_KEY" >"${PUBKEY}" 2>/tmp/error; then
ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "GPG Key gpg export to file failed!\n\n$ERROR"
fi
#Applying custom GPG PINs if keys were not generated in memory
if [ "$GPG_GEN_KEY_IN_MEMORY" == "0" ]; then
if [ "$USER_PIN" != "" -o "$ADMIN_PIN" != "" ]; then
echo -e "\nChanging default GPG Admin PIN\n"
gpg_key_change_pin "3" "$ADMIN_PIN_DEF" "$ADMIN_PIN"
echo -e "\nChanging default GPG User PIN\n"
gpg_key_change_pin "1" "$USER_PIN_DEF" "$USER_PIN"
fi
#Applying custom GPG PINs to the smartcard if they were provided
if [ "$USER_PIN" != "" -o "$ADMIN_PIN" != "" ]; then
echo -e "\nChanging default GPG Admin PIN\n"
gpg_key_change_pin "3" "$ADMIN_PIN_DEF" "$ADMIN_PIN"
echo -e "\nChanging default GPG User PIN\n"
gpg_key_change_pin "1" "$USER_PIN_DEF" "$USER_PIN"
fi
## export pubkey to USB
if [ $GPG_EXPORT -ne 0 ]; then
echo -e "\nExporting generated key to USB...\n"
# copy to USB
if ! cp "${PUBKEY}" "/media/${GPG_GEN_KEY}.asc" 2>/tmp/error; then
ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "Key export error: unable to copy ${GPG_GEN_KEY}.asc to /media:\n\n$ERROR"
fi
mount -o remount,ro /media 2>/dev/null
## export pubkey to USB
if [ $GPG_EXPORT -ne 0 ]; then
echo -e "\nExporting generated key to USB...\n"
# copy to USB
if ! cp "${PUBKEY}" "/media/${GPG_GEN_KEY}.asc" 2>/tmp/error; then
ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "Key export error: unable to copy ${GPG_GEN_KEY}.asc to /media:\n\n$ERROR"
fi
mount -o remount,ro /media 2>/dev/null
fi
fi
## flash generated key to ROM
# TODO: would be nice if we warned users that qemu boards will fail here and tell them what to do
echo -e "\nReading current firmware...\n(this will take a minute or two)\n"
/bin/flash.sh -r /tmp/oem-setup.rom >/dev/null 2>/tmp/error
if [ ! -s /tmp/oem-setup.rom ]; then
@ -1142,34 +1143,34 @@ if ! gpg --update-trust >/dev/null 2>/tmp/error; then
whiptail_error_die "Error updating GPG ownertrust:\n\n$ERROR"
fi
# clear any existing heads/gpg files from current firmware
for i in $(cbfs.sh -o /tmp/oem-setup.rom -l | grep -e "heads/"); do
cbfs.sh -o /tmp/oem-setup.rom -d "$i"
done
# add heads/gpg files to current firmware
# clear any existing heads/gpg files from current firmware
for i in $(cbfs.sh -o /tmp/oem-setup.rom -l | grep -e "heads/"); do
cbfs.sh -o /tmp/oem-setup.rom -d "$i"
done
# add heads/gpg files to current firmware
if [ -e /.gnupg/pubring.kbx ]; then
cbfs.sh -o /tmp/oem-setup.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx
if [ -e /.gnupg/pubring.gpg ]; then
rm /.gnupg/pubring.gpg
fi
elif [ -e /.gnupg/pubring.gpg ]; then
cbfs.sh -o /tmp/oem-setup.rom -a "heads/initrd/.gnupg/pubring.gpg" -f /.gnupg/pubring.gpg
fi
if [ -e /.gnupg/trustdb.gpg ]; then
cbfs.sh -o /tmp/oem-setup.rom -a "heads/initrd/.gnupg/trustdb.gpg" -f /.gnupg/trustdb.gpg
fi
if [ -e /.gnupg/pubring.kbx ]; then
cbfs.sh -o /tmp/oem-setup.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx
if [ -e /.gnupg/pubring.gpg ]; then
rm /.gnupg/pubring.gpg
fi
elif [ -e /.gnupg/pubring.gpg ]; then
cbfs.sh -o /tmp/oem-setup.rom -a "heads/initrd/.gnupg/pubring.gpg" -f /.gnupg/pubring.gpg
fi
if [ -e /.gnupg/trustdb.gpg ]; then
cbfs.sh -o /tmp/oem-setup.rom -a "heads/initrd/.gnupg/trustdb.gpg" -f /.gnupg/trustdb.gpg
fi
# persist user config changes (boot device)
if [ -e /etc/config.user ]; then
cbfs.sh -o /tmp/oem-setup.rom -a "heads/initrd/etc/config.user" -f /etc/config.user
fi
# persist user config changes (boot device)
if [ -e /etc/config.user ]; then
cbfs.sh -o /tmp/oem-setup.rom -a "heads/initrd/etc/config.user" -f /etc/config.user
fi
# flash updated firmware image
echo -e "\nAdding generated key to current firmware and re-flashing...\n"
if ! /bin/flash.sh /tmp/oem-setup.rom 2>/tmp/error; then
ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "Error flashing updated firmware image:\n\n$ERROR"
# flash updated firmware image
echo -e "\nAdding generated key to current firmware and re-flashing...\n"
if ! /bin/flash.sh /tmp/oem-setup.rom 2>/tmp/error; then
ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "Error flashing updated firmware image:\n\n$ERROR"
fi
## sign files in /boot and generate checksums
@ -1188,7 +1189,7 @@ fi
if [ "$CONFIG_TPM" = "y" ]; then
tpm_owner_password_changed="
TPM Owner Password: $TPM_PASS\n"
TPM Owner Password: ${TPM_PASS}\n"
else
tpm_owner_password_changed=""
fi
@ -1197,8 +1198,8 @@ fi
whiptail --msgbox "
$luks_passphrase_changed
$tpm_owner_password_changed
GPG Admin PIN: $ADMIN_PIN\n
GPG User PIN: $USER_PIN\n\n" \
GPG Admin PIN: ${ADMIN_PIN}\n
GPG User PIN: ${USER_PIN}\n\n" \
$HEIGHT $WIDTH --title "Provisioned secrets"
## all done -- reboot
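Review bot: In export_master_key_subkeys_and_revocation_key_to_private_LUKS_container the new `--passphrase=<(echo -n "${pass}")` hands gpg the literal path of the process-substitution fd (something like `/dev/fd/63`) as the passphrase, because `--passphrase` takes the passphrase string itself and only `--passphrase-file`/`--passphrase-fd` read it from a file; the same pattern appears in generate_inmemory_p256_master_and_subkeys, so the in-memory p256 master key would be protected by an fd path rather than ADMIN_PIN and the later edit-key/export calls would likely succeed only while that fd number happens to repeat. Keep the file form that the old line used, e.g. `--passphrase-file <(printf '%s' "${pass}")`, in the export calls and in the p256 generate-key and edit-key calls. The added `DEBUG "TODO DELETE THIS pass= ${pass} here"` line writes the admin passphrase to the debug output and should be removed before merge. Both functions start and end outside their hunks.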