mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-24 07:06:42 +00:00
Merge branch 'usb-boot' of https://github.com/flammit/heads into flammit-usb-boot
This commit is contained in:
commit
ba98d5dda6
@ -19,6 +19,8 @@ CONFIG_LINUX_USB=y
|
|||||||
|
|
||||||
CONFIG_BOOTSCRIPT=/bin/qubes-init
|
CONFIG_BOOTSCRIPT=/bin/qubes-init
|
||||||
|
|
||||||
|
CONFIG_USB_BOOT_DEV="/dev/sdb1"
|
||||||
|
|
||||||
# Disks encrypted by the TPM LUKS key
|
# Disks encrypted by the TPM LUKS key
|
||||||
CONFIG_QUBES_BOOT_DEV="/dev/sda1"
|
CONFIG_QUBES_BOOT_DEV="/dev/sda1"
|
||||||
CONFIG_QUBES_VG="qubes_dom0"
|
CONFIG_QUBES_VG="qubes_dom0"
|
||||||
|
26
config/x230-generic.config
Normal file
26
config/x230-generic.config
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
# Configuration for a x230 running non-Qubes
|
||||||
|
BOARD=x230
|
||||||
|
|
||||||
|
CONFIG_CRYPTSETUP=y
|
||||||
|
CONFIG_FLASHROM=y
|
||||||
|
CONFIG_GPG=y
|
||||||
|
CONFIG_KEXEC=y
|
||||||
|
CONFIG_UTIL_LINUX=y
|
||||||
|
CONFIG_LVM2=y
|
||||||
|
CONFIG_MBEDTLS=y
|
||||||
|
CONFIG_PCIUTILS=y
|
||||||
|
CONFIG_POPT=y
|
||||||
|
CONFIG_QRENCODE=y
|
||||||
|
CONFIG_TPMTOTP=y
|
||||||
|
CONFIG_XEN=y
|
||||||
|
CONFIG_DROPBEAR=y
|
||||||
|
|
||||||
|
CONFIG_LINUX_USB=y
|
||||||
|
CONFIG_LINUX_E1000E=y
|
||||||
|
|
||||||
|
CONFIG_BOOTSCRIPT=/bin/generic-init
|
||||||
|
|
||||||
|
CONFIG_BOOT_REQ_HASH=n
|
||||||
|
CONFIG_BOOT_REQ_ROLLBACK=n
|
||||||
|
CONFIG_BOOT_DEV="/dev/sda1"
|
||||||
|
CONFIG_USB_BOOT_DEV="/dev/sdb1"
|
@ -20,6 +20,8 @@ CONFIG_LINUX_E1000E=y
|
|||||||
|
|
||||||
CONFIG_BOOTSCRIPT=/bin/qubes-init
|
CONFIG_BOOTSCRIPT=/bin/qubes-init
|
||||||
|
|
||||||
|
CONFIG_USB_BOOT_DEV="/dev/sdb1"
|
||||||
|
|
||||||
# Disks encrypted by the TPM LUKS key
|
# Disks encrypted by the TPM LUKS key
|
||||||
CONFIG_QUBES_BOOT_DEV="/dev/sda1"
|
CONFIG_QUBES_BOOT_DEV="/dev/sda1"
|
||||||
CONFIG_QUBES_VG="qubes_dom0"
|
CONFIG_QUBES_VG="qubes_dom0"
|
||||||
|
25
initrd/bin/generic-init
Executable file
25
initrd/bin/generic-init
Executable file
@ -0,0 +1,25 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
# Boot from a local disk installation
|
||||||
|
|
||||||
|
. /etc/functions
|
||||||
|
. /etc/config
|
||||||
|
|
||||||
|
# Confirm we have a good TOTP unseal
|
||||||
|
if ! confirm_totp ; then
|
||||||
|
recovery 'Failed to unseal TOTP'
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! "$totp_confirm" = "y" ]; then
|
||||||
|
recovery "Failed to confirm validity of TOTP"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Mount local disk
|
||||||
|
if ! grep -q /boot /proc/mounts ; then
|
||||||
|
mount -o ro "$CONFIG_BOOT_DEV" /boot \
|
||||||
|
|| recovery "$CONFIG_BOOT_DEV: Unable to mount /boot"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Attempt to pull verified config from device
|
||||||
|
kexec-select-boot -b /boot/ -c "grub.cfg"
|
||||||
|
|
||||||
|
recovery "Something failed during boot"
|
137
initrd/bin/kexec-boot
Executable file
137
initrd/bin/kexec-boot
Executable file
@ -0,0 +1,137 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
# Launches kexec from saved configuration entries
|
||||||
|
set -e -o pipefail
|
||||||
|
. /etc/functions
|
||||||
|
|
||||||
|
dryrun="n"
|
||||||
|
printfiles="n"
|
||||||
|
printinitrd="n"
|
||||||
|
while getopts "b:e:r:a:o:fi" arg; do
|
||||||
|
case $arg in
|
||||||
|
b) bootdir="$OPTARG" ;;
|
||||||
|
e) entry="$OPTARG" ;;
|
||||||
|
r) cmdremove="$OPTARG" ;;
|
||||||
|
a) cmdadd="$OPTARG" ;;
|
||||||
|
o) override_initrd="$OPTARG" ;;
|
||||||
|
f) dryrun="y"; printfiles="y" ;;
|
||||||
|
i) dryrun="y"; printinitrd="y" ;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ -z "$bootdir" -o -z "$entry" ]; then
|
||||||
|
die "Usage: $0 -b /boot/ -e 'kexec params|...|...'"
|
||||||
|
fi
|
||||||
|
|
||||||
|
bootdir=${bootdir%%"/"}
|
||||||
|
|
||||||
|
kexectype=`echo $entry | cut -d\| -f2`
|
||||||
|
kexecparams=`echo $entry | cut -d\| -f3- | tr '|' '\n'`
|
||||||
|
kexeccmd="kexec"
|
||||||
|
|
||||||
|
# TODO: make this configurable
|
||||||
|
cmdadd="intel_iommu=on $cmdadd"
|
||||||
|
cmdremove="quiet $cmdremove"
|
||||||
|
|
||||||
|
fix_file_path() {
|
||||||
|
if [ "$printfiles" = "y" ]; then
|
||||||
|
# output file relative to local boot directory
|
||||||
|
echo ".$firstval"
|
||||||
|
fi
|
||||||
|
|
||||||
|
filepath="$bootdir$firstval"
|
||||||
|
|
||||||
|
if ! [ -r $filepath ]; then
|
||||||
|
die "Failed to find file $firstval"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
adjusted_cmd_line="n"
|
||||||
|
adjust_cmd_line() {
|
||||||
|
if [ -n "$cmdremove" ]; then
|
||||||
|
for i in $cmdremove; do
|
||||||
|
cmdline="${cmdline//$i/}"
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -n "$cmdadd" ]; then
|
||||||
|
cmdline="$cmdline $cmdadd"
|
||||||
|
fi
|
||||||
|
adjusted_cmd_line="y"
|
||||||
|
}
|
||||||
|
|
||||||
|
module_number="1"
|
||||||
|
while read line
|
||||||
|
do
|
||||||
|
key=`echo $line | cut -d\ -f1`
|
||||||
|
firstval=`echo $line | cut -d\ -f2`
|
||||||
|
restval=`echo $line | cut -d\ -f3-`
|
||||||
|
if [ "$key" = "kernel" ]; then
|
||||||
|
if [ "$kexectype" = "xen" ]; then
|
||||||
|
# always overload xen and with custom arguments
|
||||||
|
kexeccmd="$kexeccmd -l /bin/xen.gz"
|
||||||
|
kexeccmd="$kexeccmd --command-line \"no-real-mode reboot=no\""
|
||||||
|
elif [ "$kexectype" = "multiboot" ]; then
|
||||||
|
fix_file_path
|
||||||
|
kexeccmd="$kexeccmd -l $filepath"
|
||||||
|
kexeccmd="$kexeccmd --command-line \"$restval\""
|
||||||
|
else
|
||||||
|
fix_file_path
|
||||||
|
kexeccmd="$kexeccmd -l $filepath"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
if [ "$key" = "module" ]; then
|
||||||
|
fix_file_path
|
||||||
|
cmdline="$restval"
|
||||||
|
if [ "$kexectype" = "xen" ]; then
|
||||||
|
if [ "$module_number" -eq 1 ]; then
|
||||||
|
adjust_cmd_line
|
||||||
|
elif [ "$module_number" -eq 2 ]; then
|
||||||
|
if [ "$printinitrd" = "y" ]; then
|
||||||
|
# output the current path to initrd
|
||||||
|
echo $filepath
|
||||||
|
fi
|
||||||
|
if [ -n "$override_initrd" ]; then
|
||||||
|
filepath="$override_initrd"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
module_number=`expr $module_number + 1`
|
||||||
|
kexeccmd="$kexeccmd --module \"$filepath $cmdline\""
|
||||||
|
fi
|
||||||
|
if [ "$key" = "initrd" ]; then
|
||||||
|
fix_file_path
|
||||||
|
if [ "$printinitrd" = "y" ]; then
|
||||||
|
# output the current path to initrd
|
||||||
|
echo $filepath
|
||||||
|
fi
|
||||||
|
if [ -n "$override_initrd" ]; then
|
||||||
|
filepath="$override_initrd"
|
||||||
|
fi
|
||||||
|
kexeccmd="$kexeccmd --initrd=$filepath"
|
||||||
|
fi
|
||||||
|
if [ "$key" = "append" ]; then
|
||||||
|
cmdline="$firstval $restval"
|
||||||
|
adjust_cmd_line
|
||||||
|
kexeccmd="$kexeccmd --append=\"$cmdline\""
|
||||||
|
fi
|
||||||
|
done << EOF
|
||||||
|
$kexecparams
|
||||||
|
EOF
|
||||||
|
|
||||||
|
if [ "$adjusted_cmd_line" = "n" ]; then
|
||||||
|
if [ "$kexectype" = "elf" ]; then
|
||||||
|
kexeccmd="$kexeccmd --append=\"$cmdadd\""
|
||||||
|
else
|
||||||
|
die "Failed to add required kernel commands: $cmdadd"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$dryrun" = "y" ]; then exit 0; fi
|
||||||
|
|
||||||
|
echo "Loading the new kernel:"
|
||||||
|
echo "$kexeccmd"
|
||||||
|
eval "$kexeccmd" \
|
||||||
|
|| die "Failed to load the new kernel"
|
||||||
|
|
||||||
|
echo "Starting the new kernel"
|
||||||
|
exec kexec -e
|
61
initrd/bin/kexec-insert-key
Executable file
61
initrd/bin/kexec-insert-key
Executable file
@ -0,0 +1,61 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
# Unseal a disk key from TPM and add to a new initramfs
|
||||||
|
set -e -o pipefail
|
||||||
|
. /etc/functions
|
||||||
|
|
||||||
|
TMP_KEY_DEVICES="/tmp/kexec/kexec_key_devices.txt"
|
||||||
|
TMP_KEY_LVM="/tmp/kexec/kexec_key_lvm.txt"
|
||||||
|
|
||||||
|
INITRD="$1"
|
||||||
|
|
||||||
|
if [ -z "$INITRD" ]; then
|
||||||
|
die "Usage: $0 /boot/initramfs... "
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! -r "$TMP_KEY_DEVICES" ]; then
|
||||||
|
die "No devices defined for disk encryption"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -r "$TMP_KEY_LVM" ]; then
|
||||||
|
# Activate the LVM volume group
|
||||||
|
VOLUME_GROUP=`cat $TMP_KEY_LVM`
|
||||||
|
if [ -z "$TMP_KEY_LVM" ]; then
|
||||||
|
die "No LVM volume group defined for activation"
|
||||||
|
fi
|
||||||
|
lvm vgchange -a y $VOLUME_GROUP \
|
||||||
|
|| die "$VOLUME_GROUP: unable to activate volume group"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Measure the LUKS headers before we unseal the disk key
|
||||||
|
cat "$TMP_KEY_DEVICES" | cut -d\ -f1 | xargs /bin/qubes-measure-luks \
|
||||||
|
|| die "LUKS measure failed"
|
||||||
|
|
||||||
|
# Unpack the initrd and fixup the /etc/crypttab
|
||||||
|
# this is a hack to split it into two parts since
|
||||||
|
# we know that the first 0x3400 bytes are the microcode
|
||||||
|
INITRD_DIR=/tmp/secret/initrd
|
||||||
|
SECRET_CPIO=/tmp/secret/initrd.cpio
|
||||||
|
mkdir -p "$INITRD_DIR/etc"
|
||||||
|
|
||||||
|
# Attempt to unseal the disk key from the TPM
|
||||||
|
# should we give this some number of tries?
|
||||||
|
if ! kexec-unseal-key "$INITRD_DIR/secret.key" ; then
|
||||||
|
die 'Unseal disk key failed'
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Override PCR 4 so that user can't read the key
|
||||||
|
tpm extend -ix 4 -ic generic \
|
||||||
|
|| die 'Unable to scramble PCR'
|
||||||
|
|
||||||
|
echo '+++ Building initrd'
|
||||||
|
# pad the initramfs (dracut doesn't pad the last gz blob)
|
||||||
|
# without this the kernel init/initramfs.c fails to read
|
||||||
|
# the subsequent uncompressed/compressed cpio
|
||||||
|
dd if="$INITRD" of="$SECRET_CPIO" bs=512 conv=sync \
|
||||||
|
|| die "Failed to copy initrd to /tmp"
|
||||||
|
|
||||||
|
# overwrite /etc/crypttab to mirror the behavior for in seal-key
|
||||||
|
for uuid in `cat "$TMP_KEY_DEVICES" | cut -d\ -f2`; do
|
||||||
|
echo "luks-$uuid UUID=$uuid /secret.key" >> "$INITRD_DIR/etc/crypttab"
|
||||||
|
done
|
||||||
|
( cd "$INITRD_DIR" ; find . -type f | cpio -H newc -o ) >> "$SECRET_CPIO"
|
49
initrd/bin/kexec-iso-init
Executable file
49
initrd/bin/kexec-iso-init
Executable file
@ -0,0 +1,49 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
# Boot from signed ISO
|
||||||
|
set -e -o pipefail
|
||||||
|
. /etc/functions
|
||||||
|
. /etc/config
|
||||||
|
|
||||||
|
MOUNTED_ISO_PATH="$1"
|
||||||
|
ISO_PATH="$2"
|
||||||
|
DEV="$3"
|
||||||
|
|
||||||
|
echo '+++ Verifying ISO'
|
||||||
|
# Verify the signature on the hashes
|
||||||
|
ISOSIG="$MOUNTED_ISO_PATH.sig"
|
||||||
|
if ! [ -r "$ISOSIG" ]; then
|
||||||
|
ISOSIG="$MOUNTED_ISO_PATH.asc"
|
||||||
|
fi
|
||||||
|
|
||||||
|
gpgv "$ISOSIG" "$MOUNTED_ISO_PATH" \
|
||||||
|
|| die 'ISO signature failed'
|
||||||
|
|
||||||
|
echo '+++ Mounting ISO and booting'
|
||||||
|
mount -t iso9660 -o loop $MOUNTED_ISO_PATH /boot \
|
||||||
|
|| die '$MOUNTED_ISO_PATH: Unable to mount /boot'
|
||||||
|
|
||||||
|
DEV_UUID=`blkid $DEV | tail -1 | tr " " "\n" | grep UUID | cut -d\" -f2`
|
||||||
|
ADD="fromiso=/dev/disk/by-uuid/$DEV_UUID/$ISO_PATH"
|
||||||
|
REMOVE=""
|
||||||
|
|
||||||
|
paramsdir="/media/kexec_iso/$ISO_PATH/"
|
||||||
|
check_config $paramsdir
|
||||||
|
|
||||||
|
ADD_FILE=/tmp/kexec/kexec_iso_add.txt
|
||||||
|
if [ -r $ADD_FILE ]; then
|
||||||
|
NEW_ADD=`cat $ADD_FILE`
|
||||||
|
ADD=$(eval "echo \"$NEW_ADD\"")
|
||||||
|
echo "+++ Overriding standard ISO kernel add arguments: $ADD"
|
||||||
|
fi
|
||||||
|
REMOVE_FILE=/tmp/kexec/kexec_iso_remove.txt
|
||||||
|
if [ -r $REMOVE_FILE ]; then
|
||||||
|
NEW_REMOVE=`cat $REMOVE_FILE`
|
||||||
|
REMOVE=$(eval "echo \"$NEW_REMOVE\"")
|
||||||
|
echo "+++ Overriding standard ISO kernel remove arguments: $REMOVE"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Call kexec and indicate that hashes have been verified
|
||||||
|
kexec-select-boot -b /boot/ -d /media/ -p "$paramsdir" \
|
||||||
|
-a "$ADD" -r "$REMOVE" -c "*.cfg" -u -i
|
||||||
|
|
||||||
|
die "Something failed in selecting boot"
|
208
initrd/bin/kexec-parse-boot
Executable file
208
initrd/bin/kexec-parse-boot
Executable file
@ -0,0 +1,208 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
set -e -o pipefail
|
||||||
|
bootdir="$1"
|
||||||
|
file="$2"
|
||||||
|
|
||||||
|
if [ -z "$bootdir" -o -z "$file" ]; then
|
||||||
|
die "Usage: $0 /boot/ /boot/grub/grub.cfg"
|
||||||
|
fi
|
||||||
|
|
||||||
|
reset_entry() {
|
||||||
|
name=""
|
||||||
|
kexectype="elf"
|
||||||
|
kernel=""
|
||||||
|
initrd=""
|
||||||
|
modules=""
|
||||||
|
append=""
|
||||||
|
}
|
||||||
|
|
||||||
|
filedir=`dirname $file`
|
||||||
|
bootdir=${bootdir%%"/"}
|
||||||
|
bootlen=${#bootdir}
|
||||||
|
appenddir=${filedir:$bootlen}
|
||||||
|
|
||||||
|
fix_path() {
|
||||||
|
path="$@"
|
||||||
|
if [ "${path:0:1}" != "/" ]; then
|
||||||
|
path="$appenddir/$path"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
echo_entry() {
|
||||||
|
if [ "$kexectype" = "elf" ]; then
|
||||||
|
if [ -z "$kernel" ]; then return; fi
|
||||||
|
|
||||||
|
fix_path $kernel
|
||||||
|
entry="$name|$kexectype|kernel $path"
|
||||||
|
if [ -n "$initrd" ]; then
|
||||||
|
fix_path $initrd
|
||||||
|
entry="$entry|initrd $path"
|
||||||
|
fi
|
||||||
|
if [ -n "$append" ]; then
|
||||||
|
entry="$entry|append $append"
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo $(eval "echo \"$entry\"")
|
||||||
|
fi
|
||||||
|
if [ "$kexectype" = "multiboot" -o "$kexectype" = "xen" ]; then
|
||||||
|
if [ -z "$kernel" ]; then return; fi
|
||||||
|
|
||||||
|
fix_path $kernel
|
||||||
|
echo $(eval "echo \"$name|$kexectype|kernel $path$modules\"")
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
search_entry() {
|
||||||
|
case $line in
|
||||||
|
menuentry* | MENUENTRY* )
|
||||||
|
state="grub"
|
||||||
|
reset_entry
|
||||||
|
name=`echo $line | tr "'" "\"" | cut -d\" -f 2`
|
||||||
|
;;
|
||||||
|
|
||||||
|
label* | LABEL* )
|
||||||
|
state="syslinux"
|
||||||
|
reset_entry
|
||||||
|
name=`echo $line | cut -c6- `
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
|
||||||
|
grub_entry() {
|
||||||
|
if [ "$line" = "}" ]; then
|
||||||
|
echo_entry
|
||||||
|
state="search"
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
|
||||||
|
# add info to menuentry
|
||||||
|
trimcmd=`echo $line | tr '\t ' ' ' | tr -s ' '`
|
||||||
|
cmd=`echo $trimcmd | cut -d\ -f1`
|
||||||
|
val=`echo $trimcmd | cut -d\ -f2-`
|
||||||
|
case $cmd in
|
||||||
|
multiboot*)
|
||||||
|
# TODO: differentiate between Xen and other multiboot kernels
|
||||||
|
kexectype="xen"
|
||||||
|
kernel="$val"
|
||||||
|
;;
|
||||||
|
module*)
|
||||||
|
case $val in
|
||||||
|
--nounzip*) val=`echo $val | cut -d\ -f2-` ;;
|
||||||
|
esac
|
||||||
|
fix_path $val
|
||||||
|
modules="$modules|module $path"
|
||||||
|
;;
|
||||||
|
linux*)
|
||||||
|
kernel=`echo $trimcmd | cut -d\ -f2`
|
||||||
|
append=`echo $trimcmd | cut -d\ -f3-`
|
||||||
|
;;
|
||||||
|
initrd*)
|
||||||
|
initrd="$val"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
|
||||||
|
syslinux_end() {
|
||||||
|
# finish menuentry
|
||||||
|
|
||||||
|
# attempt to parse out of append if missing initrd
|
||||||
|
if [ -z "$initrd" ]; then
|
||||||
|
newappend=""
|
||||||
|
for param in $append; do
|
||||||
|
case $param in
|
||||||
|
initrd=*)
|
||||||
|
initrd=`echo $param | cut -d\= -f2`
|
||||||
|
;;
|
||||||
|
*) newappend="$newappend $param" ;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
append="${newappend##' '}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo_entry
|
||||||
|
state="search"
|
||||||
|
}
|
||||||
|
|
||||||
|
syslinux_multiboot_append() {
|
||||||
|
splitval=`echo "${val// --- /|}" | tr '|' '\n'`
|
||||||
|
while read line
|
||||||
|
do
|
||||||
|
if [ -z "$kernel" ]; then
|
||||||
|
kernel="$line"
|
||||||
|
else
|
||||||
|
fix_path $line
|
||||||
|
modules="$modules|module $path"
|
||||||
|
fi
|
||||||
|
done << EOF
|
||||||
|
$splitval
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
|
||||||
|
syslinux_entry() {
|
||||||
|
case $line in
|
||||||
|
"")
|
||||||
|
syslinux_end
|
||||||
|
return
|
||||||
|
;;
|
||||||
|
label* | LABEL* )
|
||||||
|
syslinux_end
|
||||||
|
search_entry
|
||||||
|
return
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
# add info to menuentry
|
||||||
|
trimcmd=`echo $line | tr '\t ' ' ' | tr -s ' '`
|
||||||
|
cmd=`echo $trimcmd | cut -d\ -f1`
|
||||||
|
val=`echo $trimcmd | cut -d\ -f2-`
|
||||||
|
case $trimcmd in
|
||||||
|
menu* | MENU* )
|
||||||
|
cmd2=`echo $trimcmd | cut -d \ -f2`
|
||||||
|
if [ "$cmd2" = "label" -o "$cmd2" = "LABEL" ]; then
|
||||||
|
name=`echo $trimcmd | cut -c11- | tr -d '^'`
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
linux* | LINUX* | kernel* | KERNEL* )
|
||||||
|
case $val in
|
||||||
|
# TODO: differentiate between Xen and other multiboot kernels
|
||||||
|
*mboot.c32) kexectype="xen" ;;
|
||||||
|
*.c32)
|
||||||
|
# skip this entry
|
||||||
|
state="search"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
kernel="$val"
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
initrd* | INITRD* )
|
||||||
|
initrd="$val"
|
||||||
|
;;
|
||||||
|
append* | APPEND* )
|
||||||
|
if [ "$kexectype" = "multiboot" -o "$kexectype" = "xen" ]; then
|
||||||
|
syslinux_multiboot_append
|
||||||
|
else
|
||||||
|
append="$val"
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
|
||||||
|
state="search"
|
||||||
|
while read line
|
||||||
|
do
|
||||||
|
case $state in
|
||||||
|
search)
|
||||||
|
search_entry
|
||||||
|
;;
|
||||||
|
grub)
|
||||||
|
grub_entry
|
||||||
|
;;
|
||||||
|
syslinux)
|
||||||
|
syslinux_entry
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done < "$file"
|
||||||
|
|
||||||
|
# handle EOF case
|
||||||
|
if [ "$state" = "syslinux" ]; then
|
||||||
|
syslinux_end
|
||||||
|
fi
|
61
initrd/bin/kexec-save-default
Executable file
61
initrd/bin/kexec-save-default
Executable file
@ -0,0 +1,61 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
# Save these options to be the persistent default
|
||||||
|
set -e -o pipefail
|
||||||
|
. /etc/functions
|
||||||
|
|
||||||
|
while getopts "b:d:p:e:i:" arg; do
|
||||||
|
case $arg in
|
||||||
|
b) bootdir="$OPTARG" ;;
|
||||||
|
d) paramsdev="$OPTARG" ;;
|
||||||
|
p) paramsdir="$OPTARG" ;;
|
||||||
|
i) index="$OPTARG" ;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ -z "$bootdir" -o -z "$index" ]; then
|
||||||
|
die "Usage: $0 -b /boot/ -i menu_option "
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "$paramsdev" ]; then
|
||||||
|
paramsdev="$bootdir"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "$paramsdir" ]; then
|
||||||
|
paramsdir="$bootdir"
|
||||||
|
fi
|
||||||
|
|
||||||
|
TMP_MENU_FILE="/tmp/kexec/kexec_menu.txt"
|
||||||
|
ENTRY_FILE="$paramsdir/kexec_default.$index.txt"
|
||||||
|
HASH_FILE="$paramsdir/kexec_default_hashes.txt"
|
||||||
|
|
||||||
|
if [ ! -r "$TMP_MENU_FILE" ]; then
|
||||||
|
die "No menu options available, please run kexec-select-boot"
|
||||||
|
fi
|
||||||
|
|
||||||
|
entry=`head -n $index $TMP_MENU_FILE | tail -1`
|
||||||
|
if [ -z "$entry" ]; then
|
||||||
|
die "Invalid menu index $index"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# try to switch to rw mode
|
||||||
|
mount -o rw,remount $paramsdev
|
||||||
|
|
||||||
|
if [ ! -d $paramsdir ]; then
|
||||||
|
mkdir -p $paramsdir \
|
||||||
|
|| die "Failed to create params directory"
|
||||||
|
fi
|
||||||
|
rm "$paramsdir/kexec_default.*.txt" 2>/dev/null || true
|
||||||
|
echo "$entry" > $ENTRY_FILE
|
||||||
|
cd $bootdir && kexec-boot -b "$bootdir" -e "$entry" -f | \
|
||||||
|
xargs sha256sum > $HASH_FILE \
|
||||||
|
|| die "Failed to create hashes of boot files"
|
||||||
|
if [ ! -r $ENTRY_FILE -o ! -r $HASH_FILE ]; then
|
||||||
|
die "Failed to write default config"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# sign and auto-roll config counter
|
||||||
|
kexec-sign-config -p $paramsdir -u \
|
||||||
|
|| die "Failed to sign default config"
|
||||||
|
|
||||||
|
# switch back to ro mode
|
||||||
|
mount -o ro,remount $paramsdev
|
63
initrd/bin/kexec-save-key
Executable file
63
initrd/bin/kexec-save-key
Executable file
@ -0,0 +1,63 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
# Generate a TPM key used to unlock LUKS disks
|
||||||
|
set -e -o pipefail
|
||||||
|
. /etc/functions
|
||||||
|
|
||||||
|
lvm_volume_group=""
|
||||||
|
while getopts "p:d:l:" arg; do
|
||||||
|
case $arg in
|
||||||
|
p) paramsdir="$OPTARG" ;;
|
||||||
|
d) paramsdev="$OPTARG" ;;
|
||||||
|
l) lvm_volume_group="$OPTARG" ;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
shift `expr $OPTIND - 1`
|
||||||
|
key_devices="$@"
|
||||||
|
|
||||||
|
if [ -z "$paramsdir" ]; then
|
||||||
|
die "Usage: $0 -p /boot/ [-l qubes_dom0] [/dev/sda2 /dev/sda5 ...] "
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "$paramsdev" ]; then
|
||||||
|
paramsdev="$paramsdir"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -n "$lvm_volume_group" ]; then
|
||||||
|
lvm vgchange -a y $lvm_volume_group \
|
||||||
|
|| die "Failed to activate the LVM group"
|
||||||
|
|
||||||
|
for dev in /dev/$lvm_volume_group/*; do
|
||||||
|
key_devices="$key_devices $dev"
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "$key_devices" ]; then
|
||||||
|
die "No devices specified for TPM key insertion"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# try to switch to rw mode
|
||||||
|
mount -o rw,remount $paramsdev
|
||||||
|
|
||||||
|
rm -f $paramsdir/kexec_key_lvm.txt || true
|
||||||
|
if [ -n "$lvm_volume_group" ]; then
|
||||||
|
echo "$lvm_volume_group" > $paramsdir/kexec_key_lvm.txt \
|
||||||
|
|| die "Failed to write lvm group to key config "
|
||||||
|
fi
|
||||||
|
|
||||||
|
rm -f $paramsdir/kexec_key_devices.txt || true
|
||||||
|
for dev in $key_devices; do
|
||||||
|
uuid=`cryptsetup luksUUID "$dev" 2>/dev/null` \
|
||||||
|
|| die "Failed to get UUID for device $dev"
|
||||||
|
echo "$dev $uuid" >> $paramsdir/kexec_key_devices.txt \
|
||||||
|
|| die "Failed to add $dev:$uuid to key devices config"
|
||||||
|
done
|
||||||
|
|
||||||
|
kexec-seal-key $paramsdir \
|
||||||
|
|| die "Failed to save and generate key in TPM"
|
||||||
|
|
||||||
|
# sign and auto-roll config counter
|
||||||
|
kexec-sign-config -p $paramsdir -u \
|
||||||
|
|| die "Failed to sign updated config"
|
||||||
|
|
||||||
|
# switch back to ro mode
|
||||||
|
mount -o ro,remount $paramsdev
|
145
initrd/bin/kexec-seal-key
Executable file
145
initrd/bin/kexec-seal-key
Executable file
@ -0,0 +1,145 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
# This will generate a disk encryption key and seal / ecncrypt
|
||||||
|
# with the current PCRs and then store it in the TPM NVRAM.
|
||||||
|
# It will then need to be bundled into initrd that is booted.
|
||||||
|
set -e -o pipefail
|
||||||
|
|
||||||
|
TPM_INDEX=3
|
||||||
|
TPM_SIZE=312
|
||||||
|
KEY_FILE="/tmp/secret/secret.key"
|
||||||
|
TPM_SEALED="/tmp/secret/secret.sealed"
|
||||||
|
RECOVERY_KEY="/tmp/secret/recovery.key"
|
||||||
|
|
||||||
|
. /etc/functions
|
||||||
|
. /etc/config
|
||||||
|
|
||||||
|
paramsdir=$1
|
||||||
|
if [ -z "$paramsdir" ]; then
|
||||||
|
die "Usage $0 /boot/"
|
||||||
|
fi
|
||||||
|
|
||||||
|
KEY_DEVICES="$paramsdir/kexec_key_devices.txt"
|
||||||
|
KEY_LVM="$paramsdir/kexec_key_lvm.txt"
|
||||||
|
|
||||||
|
if [ ! -r "$KEY_DEVICES" ]; then
|
||||||
|
die "No devices defined for disk encryption"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -r "$KEY_LVM" ]; then
|
||||||
|
# Activate the LVM volume group
|
||||||
|
VOLUME_GROUP=`cat $KEY_LVM`
|
||||||
|
if [ -z "$VOLUME_GROUP" ]; then
|
||||||
|
die "No LVM volume group defined for activation"
|
||||||
|
fi
|
||||||
|
lvm vgchange -a y $VOLUME_GROUP \
|
||||||
|
|| die "$VOLUME_GROUP: unable to activate volume group"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Key slot 0 is the manual recovery pass phrase
|
||||||
|
# that they user entered when they installed Qubes,
|
||||||
|
# key slot 1 is the one that we've generated.
|
||||||
|
read -s -p "Enter disk recovery key: " disk_password
|
||||||
|
echo -n "$disk_password" > "$RECOVERY_KEY"
|
||||||
|
echo
|
||||||
|
|
||||||
|
read -s -p "New disk unlock password for booting: " key_password
|
||||||
|
echo
|
||||||
|
read -s -p "Repeat unlock code: " key_password2
|
||||||
|
echo
|
||||||
|
|
||||||
|
if [ "$key_password" != "$key_password2" ]; then
|
||||||
|
die "Key passwords do not match"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Generate key file
|
||||||
|
dd \
|
||||||
|
if=/dev/urandom \
|
||||||
|
of="$KEY_FILE" \
|
||||||
|
bs=1 \
|
||||||
|
count=128 \
|
||||||
|
2>/dev/null \
|
||||||
|
|| die "Unable to generate 128 random bytes"
|
||||||
|
|
||||||
|
# Remove all the old keys from slot 1
|
||||||
|
for dev in `cat "$KEY_DEVICES" | cut -d\ -f1`; do
|
||||||
|
echo "++++++ $dev: Removing old key slot"
|
||||||
|
cryptsetup luksKillSlot \
|
||||||
|
--key-file "$RECOVERY_KEY" \
|
||||||
|
$dev 1 \
|
||||||
|
|| warn "$dev: ignoring problem"
|
||||||
|
|
||||||
|
echo "++++++ $dev: Adding key"
|
||||||
|
cryptsetup luksAddKey \
|
||||||
|
--key-file "$RECOVERY_KEY" \
|
||||||
|
--key-slot 1 \
|
||||||
|
$dev "$KEY_FILE" \
|
||||||
|
|| die "$dev: Unable to add key"
|
||||||
|
done
|
||||||
|
|
||||||
|
# Now that we have setup the new keys, measure the PCRs
|
||||||
|
# We don't care what ends up in PCR 6; we just want
|
||||||
|
# to get the /tmp/luksDump.txt file. We use PCR16
|
||||||
|
# since it should still be zero
|
||||||
|
cat "$KEY_DEVICES" | cut -d\ -f1 | xargs /bin/qubes-measure-luks \
|
||||||
|
|| die "Unable to measure the LUKS headers"
|
||||||
|
luks_pcr=`tpm calcfuturepcr -ix 16 -if /tmp/luksDump.txt`
|
||||||
|
|
||||||
|
# Note that PCR 4 needs to be set with the "normal-boot"
|
||||||
|
# path value, which we do not have right now since we are
|
||||||
|
# in a recovery shell.
|
||||||
|
# used to be -ix 4 f8fa3b6e32e7c6fe04c366e74636e505b28f3b0d \
|
||||||
|
# now just all zeros in a normal boot
|
||||||
|
# PCR 5 must be all zero since no kernel modules should have
|
||||||
|
# been loaded during a normal boot, but might have been
|
||||||
|
# loaded in the recovery shell.
|
||||||
|
# Otherwise use the current values of the PCRs, which will be read
|
||||||
|
# from the TPM as part of the sealing ("X").
|
||||||
|
tpm sealfile2 \
|
||||||
|
-if "$KEY_FILE" \
|
||||||
|
-of "$TPM_SEALED" \
|
||||||
|
-pwdd "$key_password" \
|
||||||
|
-hk 40000000 \
|
||||||
|
-ix 0 X \
|
||||||
|
-ix 1 X \
|
||||||
|
-ix 2 X \
|
||||||
|
-ix 3 X \
|
||||||
|
-ix 4 0000000000000000000000000000000000000000 \
|
||||||
|
-ix 5 0000000000000000000000000000000000000000 \
|
||||||
|
-ix 6 $luks_pcr \
|
||||||
|
|| die "Unable to seal secret"
|
||||||
|
|
||||||
|
rm -f "$KEY_FILE" \
|
||||||
|
|| die "Failed to delete key file"
|
||||||
|
|
||||||
|
# try it without the owner password first
|
||||||
|
if ! tpm nv_writevalue \
|
||||||
|
-in $TPM_INDEX \
|
||||||
|
-if "$TPM_SEALED" \
|
||||||
|
; then
|
||||||
|
# to create an nvram space we need the TPM owner password
|
||||||
|
# and the TPM physical presence must be asserted.
|
||||||
|
#
|
||||||
|
# The permissions are 0 since there is nothing special
|
||||||
|
# about the sealed file
|
||||||
|
tpm physicalpresence -s \
|
||||||
|
|| warn "Warning: Unable to assert physical presence"
|
||||||
|
|
||||||
|
read -s -p "TPM Owner password: " tpm_password
|
||||||
|
echo
|
||||||
|
|
||||||
|
tpm nv_definespace \
|
||||||
|
-in $TPM_INDEX \
|
||||||
|
-sz $TPM_SIZE \
|
||||||
|
-pwdo "$tpm_password" \
|
||||||
|
-per 0 \
|
||||||
|
|| warn "Warning: Unable to define NVRAM space; trying anyway"
|
||||||
|
|
||||||
|
|
||||||
|
tpm nv_writevalue \
|
||||||
|
-in $TPM_INDEX \
|
||||||
|
-if "$TPM_SEALED" \
|
||||||
|
|| die "Unable to write sealed secret to NVRAM"
|
||||||
|
fi
|
||||||
|
|
||||||
|
rm "$TPM_SEALED" \
|
||||||
|
|| warn "Failed to delete the sealed secret - continuing"
|
294
initrd/bin/kexec-select-boot
Executable file
294
initrd/bin/kexec-select-boot
Executable file
@ -0,0 +1,294 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
# Generic configurable boot script via kexec
|
||||||
|
set -e -o pipefail
|
||||||
|
. /etc/config
|
||||||
|
. /etc/functions
|
||||||
|
|
||||||
|
add=""
|
||||||
|
remove=""
|
||||||
|
config="*.cfg"
|
||||||
|
unique="n"
|
||||||
|
valid_hash="n"
|
||||||
|
valid_global_hash="n"
|
||||||
|
valid_rollback="n"
|
||||||
|
while getopts "b:d:p:a:r:c:ui" arg; do
|
||||||
|
case $arg in
|
||||||
|
b) bootdir="$OPTARG" ;;
|
||||||
|
d) paramsdev="$OPTARG" ;;
|
||||||
|
p) paramsdir="$OPTARG" ;;
|
||||||
|
a) add="$OPTARG" ;;
|
||||||
|
r) remove="$OPTARG" ;;
|
||||||
|
c) config="$OPTARG" ;;
|
||||||
|
u) unique="y" ;;
|
||||||
|
i) valid_hash="y"; valid_rollback="y" ;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ -z "$bootdir" ]; then
|
||||||
|
die "Usage: $0 -b /boot/"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "$paramsdev" ]; then
|
||||||
|
paramsdev="$bootdir"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "$paramsdir" ]; then
|
||||||
|
paramsdir="$bootdir"
|
||||||
|
fi
|
||||||
|
|
||||||
|
verify_global_hashes()
|
||||||
|
{
|
||||||
|
echo "+++ Checking verified boot hash file "
|
||||||
|
# Check the hashes of all the files
|
||||||
|
if cd $bootdir && sha256sum -c "$TMP_HASH_FILE" ; then
|
||||||
|
echo "+++ Verified boot hashes "
|
||||||
|
valid_hash='y'
|
||||||
|
valid_global_hash='y'
|
||||||
|
else
|
||||||
|
die "$TMP_HASH_FILE: boot hash mismatch"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
verify_rollback_counter()
|
||||||
|
{
|
||||||
|
TPM_COUNTER=`grep counter $TMP_ROLLBACK_FILE | cut -d- -f2`
|
||||||
|
if [ -z "$TPM_COUNTER" ]; then
|
||||||
|
die "$TMP_ROLLBACK_FILE: TPM counter not found?"
|
||||||
|
fi
|
||||||
|
|
||||||
|
read_tpm_counter $TPM_COUNTER \
|
||||||
|
|| die "Failed to read TPM counter"
|
||||||
|
|
||||||
|
sha256sum -c $TMP_ROLLBACK_FILE \
|
||||||
|
|| die "Invalid TPM counter state"
|
||||||
|
|
||||||
|
valid_rollback="y"
|
||||||
|
}
|
||||||
|
|
||||||
|
first_menu="y"
|
||||||
|
get_menu_option() {
|
||||||
|
num_options=`cat $TMP_MENU_FILE | wc -l`
|
||||||
|
if [ $num_options -eq 0 ]; then
|
||||||
|
die "No boot options"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ $num_options -eq 1 -a $first_menu = "y" ]; then
|
||||||
|
option_index=1
|
||||||
|
else
|
||||||
|
echo "+++ Select your boot option:"
|
||||||
|
n=0
|
||||||
|
while read option
|
||||||
|
do
|
||||||
|
parse_option
|
||||||
|
n=`expr $n + 1`
|
||||||
|
echo "$n. $name [$kernel]"
|
||||||
|
done < $TMP_MENU_FILE
|
||||||
|
|
||||||
|
read \
|
||||||
|
-p "Choose the boot option [1-$n, a to abort]: " \
|
||||||
|
option_index
|
||||||
|
|
||||||
|
if [ "$option_index" = "a" ]; then
|
||||||
|
die "Aborting boot attempt"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
first_menu="n"
|
||||||
|
|
||||||
|
option=`head -n $option_index $TMP_MENU_FILE | tail -1`
|
||||||
|
parse_option
|
||||||
|
}
|
||||||
|
|
||||||
|
confirm_menu_option() {
|
||||||
|
echo "+++ Please confirm the boot details for $name:"
|
||||||
|
echo $option
|
||||||
|
|
||||||
|
read \
|
||||||
|
-n 1 \
|
||||||
|
-p "Confirm selection by pressing 'y', make default with 'd': " \
|
||||||
|
option_confirm
|
||||||
|
echo
|
||||||
|
}
|
||||||
|
|
||||||
|
parse_option() {
|
||||||
|
name=`echo $option | cut -d\| -f1`
|
||||||
|
kernel=`echo $option | cut -d\| -f3`
|
||||||
|
}
|
||||||
|
|
||||||
|
scan_options() {
|
||||||
|
echo "+++ Scanning for unsigned boot options"
|
||||||
|
option_file="/tmp/kexec_options.txt"
|
||||||
|
if [ -r $option_file ]; then rm $option_file; fi
|
||||||
|
for i in `find $bootdir -name "$config"`; do
|
||||||
|
kexec-parse-boot "$bootdir" "$i" >> $option_file
|
||||||
|
done
|
||||||
|
if [ ! -r $option_file ]; then
|
||||||
|
die "Failed to parse any boot options"
|
||||||
|
fi
|
||||||
|
if [ "$unique" = 'y' ]; then
|
||||||
|
sort $option_file | uniq > $TMP_MENU_FILE
|
||||||
|
else
|
||||||
|
cp $option_file $TMP_MENU_FILE
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
save_default_option() {
|
||||||
|
read \
|
||||||
|
-n 1 \
|
||||||
|
-p "Saving a default will modify the disk. Proceed? (y/n): " \
|
||||||
|
default_confirm
|
||||||
|
echo
|
||||||
|
|
||||||
|
if [ "$default_confirm" = "y" ]; then
|
||||||
|
if kexec-save-default \
|
||||||
|
-b "$bootdir" \
|
||||||
|
-d "$paramsdev" \
|
||||||
|
-p "$paramsdir" \
|
||||||
|
-i "$option_index" \
|
||||||
|
; then
|
||||||
|
echo "+++ Saved defaults to device"
|
||||||
|
sleep 2
|
||||||
|
default_failed="n"
|
||||||
|
return
|
||||||
|
else
|
||||||
|
echo "Failed to save defaults"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
option_confirm="n"
|
||||||
|
}
|
||||||
|
|
||||||
|
default_select() {
|
||||||
|
# Attempt boot with expected parameters
|
||||||
|
|
||||||
|
# Check that entry matches that which is expected from menu
|
||||||
|
default_index=`basename "$TMP_DEFAULT_FILE" | cut -d. -f 2`
|
||||||
|
|
||||||
|
# Check to see if entries have changed - useful for detecting grub update
|
||||||
|
expectedoption=`cat $TMP_DEFAULT_FILE`
|
||||||
|
option=`head -n $default_index $TMP_MENU_FILE | tail -1`
|
||||||
|
if [ "$option" != "$expectedoption" ]; then
|
||||||
|
warn "!!! Boot entry has changed - please set a new default"
|
||||||
|
sleep 5
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
parse_option
|
||||||
|
|
||||||
|
# Enforce that default option hashes are valid
|
||||||
|
echo "+++ Checking verified default boot hash file "
|
||||||
|
# Check the hashes of all the files
|
||||||
|
if cd $bootdir && sha256sum -c "$TMP_DEFAULT_HASH_FILE" ; then
|
||||||
|
echo "+++ Verified default boot hashes "
|
||||||
|
valid_hash='y'
|
||||||
|
else
|
||||||
|
die "$TMP_DEFAULT_HASH_FILE: default boot hash mismatch"
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "+++ Executing default boot for $name:"
|
||||||
|
do_boot
|
||||||
|
warn "Failed to boot default option"
|
||||||
|
}
|
||||||
|
|
||||||
|
user_select() {
|
||||||
|
# No default expected boot parameters, ask user
|
||||||
|
|
||||||
|
option_confirm=""
|
||||||
|
while [ "$option_confirm" != "y" -a "$option_confirm" != "d" ]
|
||||||
|
do
|
||||||
|
get_menu_option
|
||||||
|
confirm_menu_option
|
||||||
|
|
||||||
|
if [ "$option_confirm" = 'd' ]; then
|
||||||
|
save_default_option
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ "$option_confirm" = "d" ]; then
|
||||||
|
# reload settings to reflect new default
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
|
||||||
|
do_boot
|
||||||
|
}
|
||||||
|
|
||||||
|
do_boot()
|
||||||
|
{
|
||||||
|
if [ "$CONFIG_BOOT_REQ_ROLLBACK" = "y" -a "$valid_rollback" = "n" ]; then
|
||||||
|
warn "!!! Missing required rollback counter state"
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$CONFIG_BOOT_REQ_HASH" = "y" -a "$valid_hash" = "n" ]; then
|
||||||
|
warn "!!! Missing required boot hashes"
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -r "$TMP_KEY_DEVICES" ]; then
|
||||||
|
INITRD=`kexec-boot -b "$bootdir" -e "$option" -i` \
|
||||||
|
|| die "!!! Failed to extract the initrd from boot option"
|
||||||
|
if [ -z "$INITRD" ]; then
|
||||||
|
die "!!! No initrd file found in boot option"
|
||||||
|
fi
|
||||||
|
|
||||||
|
kexec-insert-key $INITRD \
|
||||||
|
|| die "!!! Failed to insert disk key into a new initrd"
|
||||||
|
|
||||||
|
kexec-boot -b "$bootdir" -e "$option" \
|
||||||
|
-a "$add" -r "$remove" -o "/tmp/secret/initrd.cpio" \
|
||||||
|
|| die "!!! Failed to boot w/ options: $option"
|
||||||
|
else
|
||||||
|
kexec-boot -b "$bootdir" -e "$option" -a "$add" -r "$remove" \
|
||||||
|
|| die "!!! Failed to boot w/ options: $option"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
while true; do
|
||||||
|
check_config $paramsdir
|
||||||
|
TMP_DEFAULT_FILE=`find /tmp/kexec/kexec_default.*.txt 2>/dev/null | head -1` || true
|
||||||
|
TMP_MENU_FILE="/tmp/kexec/kexec_menu.txt"
|
||||||
|
TMP_HASH_FILE="/tmp/kexec/kexec_hashes.txt"
|
||||||
|
TMP_DEFAULT_HASH_FILE="/tmp/kexec/kexec_default_hashes.txt"
|
||||||
|
TMP_ROLLBACK_FILE="/tmp/kexec/kexec_rollback.txt"
|
||||||
|
TMP_KEY_DEVICES="/tmp/kexec/kexec_key_devices.txt"
|
||||||
|
TMP_KEY_LVM="/tmp/kexec/kexec_key_lvm.txt"
|
||||||
|
|
||||||
|
if [ ! -r "$TMP_KEY_DEVICES" ]; then
|
||||||
|
# Extend PCR4 as soon as possible
|
||||||
|
tpm extend -ix 4 -ic generic \
|
||||||
|
|| die "Failed to extend PCR 4"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# if no saved options, scan the boot directory and generate
|
||||||
|
if [ ! -r "$TMP_MENU_FILE" ]; then
|
||||||
|
scan_options
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Optionally enforce device file hashes
|
||||||
|
if [ -r "$TMP_HASH_FILE" ]; then
|
||||||
|
valid_global_hash="n"
|
||||||
|
|
||||||
|
verify_global_hashes
|
||||||
|
|
||||||
|
if [ "$valid_global_hash" = "n" ]; then
|
||||||
|
die "Failed to verify global hashes"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -r "$TMP_ROLLBACK_FILE" ]; then
|
||||||
|
# in the case of iso boot with a rollback file, do not assume valid
|
||||||
|
valid_rollback="n"
|
||||||
|
|
||||||
|
verify_rollback_counter
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$default_failed" != "y" \
|
||||||
|
-a -r "$TMP_DEFAULT_FILE" \
|
||||||
|
-a -r "$TMP_DEFAULT_HASH_FILE" ] \
|
||||||
|
; then
|
||||||
|
default_select
|
||||||
|
default_failed="y"
|
||||||
|
else
|
||||||
|
user_select
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
die "!!! Shouldn't get here""
|
59
initrd/bin/kexec-sign-config
Executable file
59
initrd/bin/kexec-sign-config
Executable file
@ -0,0 +1,59 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
# Sign a valid directory of kexec params
|
||||||
|
set -e -o pipefail
|
||||||
|
. /etc/functions
|
||||||
|
|
||||||
|
rollback="n"
|
||||||
|
update_counter="n"
|
||||||
|
while getopts "p:c:u" arg; do
|
||||||
|
case $arg in
|
||||||
|
p) paramsdir="$OPTARG" ;;
|
||||||
|
c) counter="$OPTARG"; rollback="y" ;;
|
||||||
|
u) update_counter="y"; rollback="y" ;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ -z "$paramsdir" ]; then
|
||||||
|
die "Usage: $0 -p /boot/ [ -u | -c counter ]"
|
||||||
|
fi
|
||||||
|
|
||||||
|
confirm_gpg_card
|
||||||
|
|
||||||
|
if [ "$rollback" = "y" ]; then
|
||||||
|
rollback_file="$paramsdir/kexec_rollback.txt"
|
||||||
|
|
||||||
|
if [ -n "$counter" ]; then
|
||||||
|
# use existing counter
|
||||||
|
read_tpm_counter $counter \
|
||||||
|
|| die "$paramsdir: Unable to read tpm counter '$counter'"
|
||||||
|
else
|
||||||
|
# increment counter
|
||||||
|
check_tpm_counter $rollback_file \
|
||||||
|
|| die "$paramsdir: Unable to find/create tpm counter"
|
||||||
|
counter="$TPM_COUNTER"
|
||||||
|
|
||||||
|
increment_tpm_counter $counter \
|
||||||
|
|| die "$paramsdir: Unable to increment tpm counter"
|
||||||
|
fi
|
||||||
|
|
||||||
|
sha256sum /tmp/counter-$counter > $rollback_file \
|
||||||
|
|| die "$paramsdir: Unable to create rollback file"
|
||||||
|
fi
|
||||||
|
|
||||||
|
param_files=`find $paramsdir/kexec*.txt`
|
||||||
|
if [ -z "$param_files" ]; then
|
||||||
|
die "$paramsdir: No kexec parameter files to sign"
|
||||||
|
fi
|
||||||
|
|
||||||
|
for tries in 1 2 3; do
|
||||||
|
if sha256sum $param_files | gpg \
|
||||||
|
--digest-algo SHA256 \
|
||||||
|
--detach-sign \
|
||||||
|
-a \
|
||||||
|
> $paramsdir/kexec.sig \
|
||||||
|
; then
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
die "$paramsdir: Unable to sign kexec hashes"
|
45
initrd/bin/kexec-unseal-key
Executable file
45
initrd/bin/kexec-unseal-key
Executable file
@ -0,0 +1,45 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
# This will unseal and unecncrypt the drive encryption key from the TPM
|
||||||
|
# The TOTP secret will be shown to the user on each encryption attempt.
|
||||||
|
# It will then need to be bundled into initrd that is booted with Qubes.
|
||||||
|
set -e -o pipefail
|
||||||
|
|
||||||
|
TPM_INDEX=3
|
||||||
|
TPM_SIZE=312
|
||||||
|
|
||||||
|
. /etc/functions
|
||||||
|
mkdir -p /tmp/secret
|
||||||
|
|
||||||
|
sealed_file="/tmp/secret/sealed.key"
|
||||||
|
key_file="$1"
|
||||||
|
|
||||||
|
if [ -z "$key_file" ]; then
|
||||||
|
key_file="/tmp/secret/secret.key"
|
||||||
|
fi
|
||||||
|
|
||||||
|
tpm nv_readvalue \
|
||||||
|
-in "$TPM_INDEX" \
|
||||||
|
-sz "$TPM_SIZE" \
|
||||||
|
-of "$sealed_file" \
|
||||||
|
|| die "Unable to read key from TPM NVRAM"
|
||||||
|
|
||||||
|
for tries in 1 2 3; do
|
||||||
|
read -s -p "Enter unlock password: " tpm_password
|
||||||
|
echo
|
||||||
|
|
||||||
|
if tpm unsealfile \
|
||||||
|
-if "$sealed_file" \
|
||||||
|
-of "$key_file" \
|
||||||
|
-pwdd "$tpm_password" \
|
||||||
|
-hk 40000000 \
|
||||||
|
; then
|
||||||
|
# should be okay if this fails
|
||||||
|
rm -f /tmp/secret/sealed || true
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
pcrs
|
||||||
|
warn "Unable to unseal disk encryption key"
|
||||||
|
done
|
||||||
|
|
||||||
|
die "Retry count exceeded..."
|
@ -36,7 +36,7 @@ if [ -z "$TPM_COUNTER" ]; then
|
|||||||
recovery "$BOOT_HASHES: TPM counter not found?"
|
recovery "$BOOT_HASHES: TPM counter not found?"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
tpm counter_read -ix "$TPM_COUNTER" | tee "/tmp/counter-$TPM_COUNTER"
|
read_tpm_counter $TPM_COUNTER
|
||||||
|
|
||||||
# Check the hashes of all the files
|
# Check the hashes of all the files
|
||||||
sha256sum -c "$BOOT_HASHES" \
|
sha256sum -c "$BOOT_HASHES" \
|
||||||
|
@ -12,55 +12,14 @@ if [ -z "$XEN" -o -z "$KERNEL" -o -z "$INITRD" ]; then
|
|||||||
die "Usage: $0 /boot/xen... /boot/vmlinuz... /boot/initramfs..."
|
die "Usage: $0 /boot/xen... /boot/vmlinuz... /boot/initramfs..."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# setup the USB so we can reach the GPG card
|
confirm_gpg_card
|
||||||
if ! lsmod | grep -q ehci_hcd; then
|
|
||||||
insmod /lib/modules/ehci-hcd.ko \
|
|
||||||
|| die "ehci_hcd: module load failed"
|
|
||||||
fi
|
|
||||||
if ! lsmod | grep -q ehci_pci; then
|
|
||||||
insmod /lib/modules/ehci-pci.ko \
|
|
||||||
|| die "ehci_pci: module load failed"
|
|
||||||
fi
|
|
||||||
if ! lsmod | grep -q xhci_hcd; then
|
|
||||||
insmod /lib/modules/xhci-hcd.ko \
|
|
||||||
|| die "ehci_hcd: module load failed"
|
|
||||||
fi
|
|
||||||
if ! lsmod | grep -q xhci_pci; then
|
|
||||||
insmod /lib/modules/xhci-pci.ko \
|
|
||||||
|| die "ehci_pci: module load failed"
|
|
||||||
sleep 2
|
|
||||||
fi
|
|
||||||
|
|
||||||
gpg --card-status \
|
check_tpm_counter $BOOT_HASHES
|
||||||
|| die "gpg card read failed"
|
|
||||||
|
|
||||||
# if the /boot.hashes file already exists, read the TPM counter ID
|
|
||||||
# from it.
|
|
||||||
if [ -r "$BOOT_HASHES" ]; then
|
|
||||||
TPM_COUNTER=`grep counter- "$BOOT_HASHES" | cut -d- -f2`
|
|
||||||
else
|
|
||||||
warn "$BOOT_HASHES does not exist; creating new TPM counter"
|
|
||||||
read -s -p "TPM Owner password: " tpm_password
|
|
||||||
echo
|
|
||||||
tpm counter_create \
|
|
||||||
-pwdo "$tpm_password" \
|
|
||||||
-pwdc '' \
|
|
||||||
-la 3135106223 \
|
|
||||||
| tee /tmp/counter \
|
|
||||||
|| die "Unable to create TPM counter"
|
|
||||||
TPM_COUNTER=`cut -d: -f1 < /tmp/counter`
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -z "$TPM_COUNTER" ]; then
|
|
||||||
die "$BOOT_HASHES: TPM Counter not found?"
|
|
||||||
fi
|
|
||||||
|
|
||||||
mount -o rw,remount /boot \
|
mount -o rw,remount /boot \
|
||||||
|| die "Could not remount /boot"
|
|| die "Could not remount /boot"
|
||||||
|
|
||||||
tpm counter_increment -ix "$TPM_COUNTER" -pwdc '' \
|
increment_tpm_counter $TPM_COUNTER
|
||||||
| tee /tmp/counter-$TPM_COUNTER \
|
|
||||||
|| die "Counter increment failed"
|
|
||||||
|
|
||||||
sha256sum \
|
sha256sum \
|
||||||
"$XEN" \
|
"$XEN" \
|
||||||
|
20
initrd/bin/usb-init
Executable file
20
initrd/bin/usb-init
Executable file
@ -0,0 +1,20 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
# Boot a USB installation
|
||||||
|
|
||||||
|
. /etc/functions
|
||||||
|
. /etc/config
|
||||||
|
|
||||||
|
# Confirm we have a good TOTP unseal
|
||||||
|
if ! confirm_totp ; then
|
||||||
|
recovery 'Failed to unseal TOTP'
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Extend PCR4 as soon as possible
|
||||||
|
tpm extend -ix 4 -ic usb
|
||||||
|
|
||||||
|
if [ ! "$totp_confirm" = "y" ]; then
|
||||||
|
recovery "Failed to confirm validity of TOTP"
|
||||||
|
fi
|
||||||
|
|
||||||
|
usb-scan
|
||||||
|
recovery "Something failed during USB boot"
|
67
initrd/bin/usb-scan
Executable file
67
initrd/bin/usb-scan
Executable file
@ -0,0 +1,67 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
# Scan for USB installation options
|
||||||
|
set -e -o pipefail
|
||||||
|
. /etc/functions
|
||||||
|
. /etc/config
|
||||||
|
|
||||||
|
# Unmount any previous boot device
|
||||||
|
if grep -q /boot /proc/mounts ; then
|
||||||
|
umount /boot \
|
||||||
|
|| die '$CONFIG_USB_BOOT_DEV: Unable to unmount /boot'
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Mount the USB boot device
|
||||||
|
if ! grep -q /media /proc/mounts ; then
|
||||||
|
mount-usb "$CONFIG_USB_BOOT_DEV" \
|
||||||
|
|| die '$CONFIG_USB_BOOT_DEV: Unable to mount /media'
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Check for ISO first
|
||||||
|
get_menu_option() {
|
||||||
|
echo "+++ Select your ISO boot option:"
|
||||||
|
n=0
|
||||||
|
while read option
|
||||||
|
do
|
||||||
|
n=`expr $n + 1`
|
||||||
|
echo "$n. $option"
|
||||||
|
done < /tmp/iso_menu.txt
|
||||||
|
|
||||||
|
read \
|
||||||
|
-p "Choose the ISO boot option [1-$n, s for standard boot, a to abort]: " \
|
||||||
|
option_index
|
||||||
|
|
||||||
|
if [ "$option_index" = "a" ]; then
|
||||||
|
die "Aborting boot attempt"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$option_index" = "s" ]; then
|
||||||
|
option=""
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
|
||||||
|
option=`head -n $option_index /tmp/iso_menu.txt | tail -1`
|
||||||
|
}
|
||||||
|
|
||||||
|
# create ISO menu options
|
||||||
|
ls -1r /media/*.iso 2>/dev/null > /tmp/iso_menu.txt || true
|
||||||
|
if [ `cat /tmp/iso_menu.txt | wc -l` -gt 0 ]; then
|
||||||
|
option_confirm=""
|
||||||
|
while [ -z "$option" -a "$option_index" != "s" ]
|
||||||
|
do
|
||||||
|
get_menu_option
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ -n "$option" ]; then
|
||||||
|
MOUNTED_ISO=$option
|
||||||
|
ISO=${option:7} # remove /media/ to get device relative path
|
||||||
|
kexec-iso-init $MOUNTED_ISO $ISO $CONFIG_USB_BOOT_DEV
|
||||||
|
|
||||||
|
die "Something failed in iso init"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "!!! Could not find any ISO, trying bootable USB"
|
||||||
|
# Attempt to pull verified config from device
|
||||||
|
kexec-select-boot -b /media/ -c "*.cfg" -u
|
||||||
|
|
||||||
|
die "Something failed in selecting boot"
|
@ -28,3 +28,127 @@ recovery() {
|
|||||||
pcrs() {
|
pcrs() {
|
||||||
head -7 /sys/class/tpm/tpm0/pcrs
|
head -7 /sys/class/tpm/tpm0/pcrs
|
||||||
}
|
}
|
||||||
|
|
||||||
|
confirm_totp()
|
||||||
|
{
|
||||||
|
last_half=X
|
||||||
|
|
||||||
|
while true; do
|
||||||
|
|
||||||
|
# update the TOTP code every thirty seconds
|
||||||
|
date=`date "+%Y-%m-%d %H:%M:%S"`
|
||||||
|
seconds=`date "+%s"`
|
||||||
|
half=`expr \( $seconds % 60 \) / 30`
|
||||||
|
if [ "$half" != "$last_half" ]; then
|
||||||
|
last_half=$half;
|
||||||
|
TOTP=`unseal-totp` \
|
||||||
|
|| recovery "TOTP code generation failed"
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo -n "$date $TOTP: "
|
||||||
|
|
||||||
|
# read the first character, non-blocking
|
||||||
|
read \
|
||||||
|
-t 1 \
|
||||||
|
-n 1 \
|
||||||
|
-s \
|
||||||
|
-p "Confirm TOTP with a 'y': " \
|
||||||
|
totp_confirm \
|
||||||
|
&& break
|
||||||
|
|
||||||
|
# nothing typed, redraw the line
|
||||||
|
echo -ne '\r'
|
||||||
|
done
|
||||||
|
|
||||||
|
# clean up with a newline
|
||||||
|
echo
|
||||||
|
}
|
||||||
|
|
||||||
|
confirm_gpg_card()
|
||||||
|
{
|
||||||
|
# setup the USB so we can reach the GPG card
|
||||||
|
if ! lsmod | grep -q ehci_hcd; then
|
||||||
|
insmod /lib/modules/ehci-hcd.ko \
|
||||||
|
|| die "ehci_hcd: module load failed"
|
||||||
|
fi
|
||||||
|
if ! lsmod | grep -q ehci_pci; then
|
||||||
|
insmod /lib/modules/ehci-pci.ko \
|
||||||
|
|| die "ehci_pci: module load failed"
|
||||||
|
fi
|
||||||
|
if ! lsmod | grep -q xhci_hcd; then
|
||||||
|
insmod /lib/modules/xhci-hcd.ko \
|
||||||
|
|| die "ehci_hcd: module load failed"
|
||||||
|
fi
|
||||||
|
if ! lsmod | grep -q xhci_pci; then
|
||||||
|
insmod /lib/modules/xhci-pci.ko \
|
||||||
|
|| die "ehci_pci: module load failed"
|
||||||
|
sleep 2
|
||||||
|
fi
|
||||||
|
|
||||||
|
gpg --card-status \
|
||||||
|
|| die "gpg card read failed"
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
check_tpm_counter()
|
||||||
|
{
|
||||||
|
# if the /boot.hashes file already exists, read the TPM counter ID
|
||||||
|
# from it.
|
||||||
|
if [ -r "$1" ]; then
|
||||||
|
TPM_COUNTER=`grep counter- "$1" | cut -d- -f2`
|
||||||
|
else
|
||||||
|
warn "$BOOT_HASHES does not exist; creating new TPM counter"
|
||||||
|
read -s -p "TPM Owner password: " tpm_password
|
||||||
|
echo
|
||||||
|
tpm counter_create \
|
||||||
|
-pwdo "$tpm_password" \
|
||||||
|
-pwdc '' \
|
||||||
|
-la 3135106223 \
|
||||||
|
| tee /tmp/counter \
|
||||||
|
|| die "Unable to create TPM counter"
|
||||||
|
TPM_COUNTER=`cut -d: -f1 < /tmp/counter`
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "$TPM_COUNTER" ]; then
|
||||||
|
die "$1: TPM Counter not found?"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
read_tpm_counter()
|
||||||
|
{
|
||||||
|
tpm counter_read -ix "$1" | tee "/tmp/counter-$1" \
|
||||||
|
|| die "Counter read failed"
|
||||||
|
}
|
||||||
|
|
||||||
|
increment_tpm_counter()
|
||||||
|
{
|
||||||
|
tpm counter_increment -ix "$1" -pwdc '' \
|
||||||
|
| tee /tmp/counter-$1 \
|
||||||
|
|| die "Counter increment failed"
|
||||||
|
}
|
||||||
|
|
||||||
|
check_config() {
|
||||||
|
if [ ! -d /tmp/kexec ]; then
|
||||||
|
mkdir /tmp/kexec \
|
||||||
|
|| die 'Failed to make kexec tmp dir'
|
||||||
|
else
|
||||||
|
rm -rf /tmp/kexec/* \
|
||||||
|
|| die 'Failed to empty kexec tmp dir'
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! -r $1/kexec.sig ]; then
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ `find $1/kexec*.txt | wc -l` -eq 0 ]; then
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
|
||||||
|
if ! sha256sum `find $1/kexec*.txt` | gpgv $1/kexec.sig - ; then
|
||||||
|
die 'Invalid signature on kexec boot params'
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "+++ Found verified kexec boot params"
|
||||||
|
cp $1/kexec*.txt /tmp/kexec \
|
||||||
|
|| die "Failed to copy kexec boot params to tmp"
|
||||||
|
}
|
||||||
|
10
initrd/init
10
initrd/init
@ -39,7 +39,7 @@ fi
|
|||||||
# Give the user a second to enter a recovery shell
|
# Give the user a second to enter a recovery shell
|
||||||
read \
|
read \
|
||||||
-t "1" \
|
-t "1" \
|
||||||
-p "Press 'r' for recovery shell: " \
|
-p "Press 'r' for recovery shell or 'u' for usb: " \
|
||||||
-n 1 \
|
-n 1 \
|
||||||
boot_option
|
boot_option
|
||||||
echo
|
echo
|
||||||
@ -52,6 +52,14 @@ if [ "$boot_option" = "r" ]; then
|
|||||||
exec /bin/ash
|
exec /bin/ash
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ "$boot_option" = "u" ]; then
|
||||||
|
echo '***** USB boot'
|
||||||
|
exec /bin/usb-init
|
||||||
|
# just in case...
|
||||||
|
tpm extend -ix 4 -ic recovery
|
||||||
|
exec /bin/ash
|
||||||
|
fi
|
||||||
|
|
||||||
echo '***** Normal boot'
|
echo '***** Normal boot'
|
||||||
exec "$CONFIG_BOOTSCRIPT"
|
exec "$CONFIG_BOOTSCRIPT"
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user