diff --git a/initrd/bin/gpg-gui.sh b/initrd/bin/gpg-gui.sh
index f7566107..4f00935a 100755
--- a/initrd/bin/gpg-gui.sh
+++ b/initrd/bin/gpg-gui.sh
@@ -67,6 +67,48 @@ file_selector() {
 exit 1
 fi
 }
+gpg_flash_rom() {
+ cat "$PUBKEY" | gpg --import
+ #update /.gnupg/trustdb.gpg to ultimately trust all user provided public keys
+ gpg --list-keys --fingerprint --with-colons |sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --import-ownertrust
+ gpg --update-trust
+
+ if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.kbx"); then
+ cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.kbx"
+ if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.gpg"); then
+ cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.gpg"
+ if [ -e /.gnupg/pubring.gpg ];then
+ rm /.gnupg/pubring.gpg
+ fi
+ fi
+ fi
+
+ #to be compatible with gpgv1
+ if [ -e /.gnupg/pubring.kbx ];then
+ cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx
+ if [ -e /.gnupg/pubring.gpg ];then
+ rm /.gnupg/pubring.gpg
+ fi
+ fi
+ if [ -e /.gnupg/pubring.gpg ];then
+ cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.gpg" -f /.gnupg/pubring.gpg
+ fi
+
+ if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/trustdb.gpg") then
+ cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/trustdb.gpg"
+ fi
+ cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/trustdb.gpg" -f /.gnupg/trustdb.gpg
+
+ #Remove old method owner trust exported file
+ if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/otrust.txt") then
+ cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/otrust.txt"
+ fi
+
+ /bin/flash.sh /tmp/gpg-gui.rom
+ whiptail --title 'BIOS Flashed Successfully' \
+ --msgbox "BIOS flashed successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 16 60
+ /bin/reboot
+}
 
 while true; do
 unset menu_choice
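Review bot: `/bin/flash.sh /tmp/gpg-gui.rom` near the end of gpg_flash_rom is not checked, so a failed or partial flash still reaches the 'BIOS Flashed Successfully' dialog and `/bin/reboot`, which is the worst moment to reboot a machine whose firmware image may be inconsistent. Guard the call, e.g. `/bin/flash.sh /tmp/gpg-gui.rom || { whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Flash Failed' --msgbox "Flashing /tmp/gpg-gui.rom failed, not rebooting" 16 60; exit 1; }`; this relies on flash.sh returning non-zero on failure, which the hunk does not show. The `cat "$PUBKEY" | gpg --import` and the `cbfs ... -a` calls that put pubring and trustdb into the image are likewise unchecked, so an error there flashes an image without the expected keyring while reporting success. The function also reads two implicit inputs, `$PUBKEY` and an already-prepared `/tmp/gpg-gui.rom`, and never returns because it reboots; a header comment such as `# Expects: PUBKEY set to the key file to import and /tmp/gpg-gui.rom holding the ROM to modify. Flashes it and reboots.` would make that contract visible to the three menu branches that now call it.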
@@ -106,51 +148,11 @@ while true; do
 else
 ROM=$FILE
 fi
-
- cat "$PUBKEY" | gpg --import
- #update /.gnupg/trustdb.gpg to ultimately trust all user provided public keys
- gpg --list-keys --fingerprint --with-colons |sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --import-ownertrust
- gpg --update-trust
-
 cp "$ROM" /tmp/gpg-gui.rom
- if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.kbx"); then
- cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.kbx"
- if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.gpg"); then
- cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.gpg"
- if [ -e /.gnupg/pubring.gpg ];then
- rm /.gnupg/pubring.gpg
- fi
- fi
- fi
-
- #to be compatible with gpgv1
- if [ -e /.gnupg/pubring.kbx ];then
- cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx
- if [ -e /.gnupg/pubring.gpg ];then
- rm /.gnupg/pubring.gpg
- fi
- fi
- if [ -e /.gnupg/pubring.gpg ];then
- cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.gpg" -f /.gnupg/pubring.gpg
- fi
-
- if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/trustdb.gpg") then
- cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/trustdb.gpg"
- fi
- cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/trustdb.gpg" -f /.gnupg/trustdb.gpg
-
- #Remove old method owner trust exported file
- if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/otrust.txt") then
- cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/otrust.txt"
- fi
 
 if (whiptail --title 'Flash ROM?' \
 --yesno "This will replace your old ROM with $ROM\n\nDo you want to proceed?" 16 90) then
- /bin/flash.sh /tmp/gpg-gui.rom
- whiptail --title 'ROM Flashed Successfully' \
- --msgbox "$ROM flashed successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 16 60
- umount /media
- /bin/reboot
+ gpg_flash_rom
 else
 exit 0
 fi
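Review bot: The `umount /media` that preceded `/bin/reboot` in the removed block here, and likewise in the 'Update ROM?' branch of the next hunk, has no replacement: gpg_flash_rom does not unmount anything, so after `cp "$ROM" /tmp/gpg-gui.rom` the USB medium stays mounted through the flash and into the reboot. Moving the unmount up, `umount /media` directly after the `cp`, keeps the clean-unmount behaviour the old code had, since the copied image is all the flash step needs; if `$ROM` can also come from somewhere other than /media (the file_selector path is not visible in this hunk), make it conditional. The success dialog also changes from naming `$ROM` to a generic 'BIOS flashed successfully', which is reasonable for a shared function but is a visible message change worth a line in the commit description. The enclosing menu branch starts before this hunk.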
@@ -174,49 +176,9 @@ while true; do
 exit 1
 fi
 
- cat "$PUBKEY" | gpg --import
- #update /.gnupg/trustdb.gpg to ultimately trust all user provided public keys
- gpg --list-keys --fingerprint --with-colons |sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --import-ownertrust
- gpg --update-trust
-
- if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.kbx"); then
- cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.kbx"
- if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.gpg"); then
- cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.gpg"
- if [ -e /.gnupg/pubring.gpg ];then
- rm /.gnupg/pubring.gpg
- fi
- fi
- fi
-
- #to be compatible with gpgv1
- if [ -e /.gnupg/pubring.kbx ];then
- cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx
- if [ -e /.gnupg/pubring.gpg ];then
- rm /.gnupg/pubring.gpg
- fi
- fi
- if [ -e /.gnupg/pubring.gpg ];then
- cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.gpg" -f /.gnupg/pubring.gpg
- fi
-
- if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/trustdb.gpg") then
- cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/trustdb.gpg"
- fi
- cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/trustdb.gpg" -f /.gnupg/trustdb.gpg
-
- #Remove old method owner trust exported file
- if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/otrust.txt") then
- cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/otrust.txt"
- fi
-
 if (whiptail --title 'Update ROM?' \
 --yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 16 90) then
- /bin/flash.sh /tmp/gpg-gui.rom
- whiptail --title 'BIOS Updated Successfully' \
- --msgbox "BIOS updated successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 16 60
- umount /media
- /bin/reboot
+ gpg_flash_rom
 else
 exit 0
 fi
@@ -230,13 +192,44 @@ while true; do
 ;;
 "g" )
 confirm_gpg_card
+ echo -e "\n\n\n\n"
 echo "********************************************************************************"
 echo "*"
 echo "* INSTRUCTIONS:"
 echo "* Type 'admin' and then 'generate' and follow the prompts to generate a GPG key."
+ echo "* Type 'quit' once you have generated the key to exit GPG."
 echo "*"
 echo "********************************************************************************"
- gpg --card-edit
+ gpg --card-edit > /tmp/gpg_card_edit_output
+ if [ $? -eq 0 ]; then
+ GPG_GEN_KEY=`grep -A1 pub /tmp/gpg_card_edit_output | tail -n1 | sed -nr 's/^([ ])*//p'`
+ gpg --export --armor $GPG_GEN_KEY > "/tmp/${GPG_GEN_KEY}.asc"
+ if (whiptail --title 'Add Public Key to USB disk?' \
+ --yesno "Would you like to copy the GPG public key you generated to a USB disk?\n\nOtherwise you will not be able to copy it outside of Heads later\n\nThe file will show up as ${GPG_GEN_KEY}.asc" 16 90) then
+ mount_usb
+ mount -o remount,rw /media
+ cp "/tmp/${GPG_GEN_KEY}.asc" "/media/${GPG_GEN_KEY}.asc"
+ if [ $? -eq 0 ]; then
+ whiptail --title "The GPG Key Copied Successfully" \
+ --msgbox "${GPG_GEN_KEY}.asc copied successfully." 16 60
+ else
+ whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Copy Failed' \
+ --msgbox "Unable to copy ${GPG_GEN_KEY}.asc to /media" 16 60
+ fi
+ umount /media
+ fi
+ if (whiptail --title 'Add Public Key to Running BIOS?' \
+ --yesno "Would you like to add the GPG public key you generated to the BIOS?\n\nThis makes it a trusted key used to sign files in /boot\n\n" 16 90) then
+ /bin/flash.sh -r /tmp/gpg-gui.rom
+ if [ ! -s /tmp/gpg-gui.rom ]; then
+ whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: BIOS Read Failed!' \
+ --msgbox "Unable to read BIOS" 16 60
+ exit 1
+ fi
+ PUBKEY="/tmp/${GPG_GEN_KEY}.asc"
+ gpg_flash_rom
+ fi
+ fi
 ;;
 esac
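Review bot: `GPG_GEN_KEY` is scraped from `/tmp/gpg_card_edit_output` with `grep -A1 pub ... | tail -n1 | sed ...` and never checked for emptiness; if the scrape misses — a different gpg listing layout, or the user typing 'quit' without generating — `gpg --export --armor $GPG_GEN_KEY` runs with no key argument and exports every public key in the keyring, the branch then writes and copies a file literally named `.asc`, and the final `gpg_flash_rom` call bakes that whole export into the ROM as trusted keys. Add a guard directly after the assignment, `[ -n "$GPG_GEN_KEY" ] || { whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: No Key Found' --msgbox "Could not determine the fingerprint of the generated key" 16 60; exit 1; }`, and quote the expansion in the export, `gpg --export --armor "$GPG_GEN_KEY" > "/tmp/${GPG_GEN_KEY}.asc"`. Whether the line after `pub` is the fingerprint depends on the gpg version's human-readable listing, which this hunk does not pin down, so `gpg --list-keys --with-colons` is a sturdier source for it. `if gpg --card-edit > /tmp/gpg_card_edit_output; then` would also replace the `$?` test with the form this file already uses for its whiptail conditions.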