ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-20 05:28:08 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #593 from MrChromebox/ux_tweaks

Browse Source 
UX Tweaks [1/2]
This commit is contained in:
Kyle Rankin 2019-08-02 10:53:18 -07:00 committed by GitHub
commit c1232239e9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 133 additions and 70 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
boards/librem15v3/librem15v3.config
View File

@ -35,3 +35,5 @@ export CONFIG_BOOT_KERNEL_REMOVE=""
export CONFIG_BOOT_DEV="/dev/sda1" export CONFIG_BOOT_DEV="/dev/sda1"
export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 15v3 Heads Boot Menu" export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 15v3 Heads Boot Menu"
export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_USB_BOOT_DEV="/dev/sdb1"
export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0"
export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0"

2
boards/librem15v4/librem15v4.config
View File

@ -35,3 +35,5 @@ export CONFIG_BOOT_KERNEL_REMOVE=""
export CONFIG_BOOT_DEV="/dev/sda1" export CONFIG_BOOT_DEV="/dev/sda1"
export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 15v4 Heads Boot Menu" export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 15v4 Heads Boot Menu"
export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_USB_BOOT_DEV="/dev/sdb1"
export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0"
export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0"

89
initrd/bin/gpg-gui.sh
View File

@ -68,6 +68,14 @@ file_selector() {
fi fi
} }
gpg_flash_rom() { gpg_flash_rom() {
if [ "$1" = "replace" ]; then
# clear local keyring
[ -e /.gnupg/pubring.gpg ] && rm /.gnupg/pubring.gpg
[ -e /.gnupg/pubring.kbx ] && rm /.gnupg/pubring.kbx
[ -e /.gnupg/trustdb.gpg ] && rm /.gnupg/trustdb.gpg
fi
cat "$PUBKEY" | gpg --import cat "$PUBKEY" | gpg --import
#update /.gnupg/trustdb.gpg to ultimately trust all user provided public keys #update /.gnupg/trustdb.gpg to ultimately trust all user provided public keys
gpg --list-keys --fingerprint --with-colons |sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --import-ownertrust gpg --list-keys --fingerprint --with-colons |sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --import-ownertrust
@ -104,10 +112,25 @@ gpg_flash_rom() {
cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/otrust.txt" cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/otrust.txt"
fi fi
# persist user config changes
if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/etc/config.user") then
cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/etc/config.user"
fi
cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/etc/config.user" -f /etc/config.user
/bin/flash.sh /tmp/gpg-gui.rom /bin/flash.sh /tmp/gpg-gui.rom
whiptail --title 'BIOS Flashed Successfully' \
--msgbox "BIOS flashed successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 16 60 if (whiptail --title 'BIOS Flashed Successfully' \
--yesno "Would you like to update the checksums and sign all of the files in /boot?\n\nYou will need your GPG key to continue and this will modify your disk.\n\nOtherwise the system will reboot immediately." 16 90) then
update_checksums
else
/bin/reboot /bin/reboot
fi
whiptail --title 'Files in /boot Updated Successfully'\
--msgbox "Checksums have been updated and /boot files signed.\n\nPress Enter to reboot" 16 60
/bin/reboot
} }
gpg_post_gen_mgmt() { gpg_post_gen_mgmt() {
GPG_GEN_KEY=`grep -A1 pub /tmp/gpg_card_edit_output | tail -n1 | sed -nr 's/^([ ])*//p'` GPG_GEN_KEY=`grep -A1 pub /tmp/gpg_card_edit_output | tail -n1 | sed -nr 's/^([ ])*//p'`
@ -162,12 +185,40 @@ gpg_sc_oem_reset() {
} | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit > /tmp/gpg_card_edit_output || return 2 } | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit > /tmp/gpg_card_edit_output || return 2
} }
gpg_add_key_reflash() {
if (whiptail --title 'GPG public key required' \
--yesno "This requires you insert a USB drive containing:\n* Your GPG public key (*.key or *.asc)\n\nAfter you select this file, this program will copy and reflash your BIOS\n\nDo you want to proceed?" 16 90) then
mount_usb
if grep -q /media /proc/mounts ; then
find /media -name '*.key' > /tmp/filelist.txt
find /media -name '*.asc' >> /tmp/filelist.txt
file_selector "/tmp/filelist.txt" "Choose your GPG public key"
PUBKEY=$FILE
/bin/flash.sh -r /tmp/gpg-gui.rom
if [ ! -s /tmp/gpg-gui.rom ]; then
whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: BIOS Read Failed!' \
--msgbox "Unable to read BIOS" 16 60
exit 1
fi
if (whiptail --title 'Update ROM?' \
--yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 16 90) then
gpg_flash_rom
else
exit 0
fi
fi
fi
}
while true; do while true; do
unset menu_choice unset menu_choice
whiptail --clear --title "GPG Management Menu" \ whiptail --clear --title "GPG Management Menu" \
--menu 'Select the GPG function to perform' 20 90 10 \ --menu 'Select the GPG function to perform' 20 90 10 \
'r' ' Add GPG key to running BIOS + reflash' \ 'r' ' Add GPG key to running BIOS + reflash' \
'a' ' Add GPG key to standalone BIOS image + flash' \ 'a' ' Add GPG key to standalone BIOS image + flash' \
'e' ' Replace GPG key(s) in the current ROM + reflash' \
'l' ' List GPG keys in your keyring' \ 'l' ' List GPG keys in your keyring' \
'g' ' Generate GPG keys manually on a USB security token' \ 'g' ' Generate GPG keys manually on a USB security token' \
'o' ' OEM Factory reset + auto keygen USB security token' \ 'o' ' OEM Factory reset + auto keygen USB security token' \
@ -213,30 +264,16 @@ while true; do
fi fi
;; ;;
"r" ) "r" )
if (whiptail --title 'GPG public key required' \ gpg_add_key_reflash
--yesno "This requires you insert a USB drive containing:\n* Your GPG public key (*.key or *.asc)\n\nAfter you select this file, this program will copy and reflash your BIOS\n\nDo you want to proceed?" 16 90) then exit 0;
mount_usb ;;
if grep -q /media /proc/mounts ; then "e" )
find /media -name '*.key' > /tmp/filelist.txt # clear local keyring
find /media -name '*.asc' >> /tmp/filelist.txt [ -e /.gnupg/pubring.gpg ] && rm /.gnupg/pubring.gpg
file_selector "/tmp/filelist.txt" "Choose your GPG public key" [ -e /.gnupg/pubring.kbx ] && rm /.gnupg/pubring.kbx
PUBKEY=$FILE [ -e /.gnupg/trustdb.gpg ] && rm /.gnupg/trustdb.gpg
# add key and reflash
/bin/flash.sh -r /tmp/gpg-gui.rom gpg_add_key_reflash
if [ ! -s /tmp/gpg-gui.rom ]; then
whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: BIOS Read Failed!' \
--msgbox "Unable to read BIOS" 16 60
exit 1
fi
if (whiptail --title 'Update ROM?' \
--yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 16 90) then
gpg_flash_rom
else
exit 0
fi
fi
fi
;; ;;
"l" ) "l" )
GPG_KEYRING=`gpg -k` GPG_KEYRING=`gpg -k`

56
initrd/bin/gui-init
View File

@ -8,15 +8,22 @@ CONFIG_BOOT_GUI_MENU_NAME='Heads Boot Menu'
mount_boot() mount_boot()
{ {
# Mount local disk if it is not already mounted
while ! grep -q /boot /proc/mounts ; do
# ensure default boot device is set # ensure default boot device is set
if [ ! -e "$CONFIG_BOOT_DEV" ]; then if [ ! -e "$CONFIG_BOOT_DEV" ]; then
if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: $CONFIG_BOOT_DEV missing!" \ if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: $CONFIG_BOOT_DEV missing!" \
--yesno "The /boot device $CONFIG_BOOT_DEV could not be found!\n\nYou will need to configure the correct device for /boot.\n\nWould you like to configure the /boot device now?" 30 90) then --yesno "The /boot device $CONFIG_BOOT_DEV could not be found!\n\nYou will need to configure the correct device for /boot.\n\nWould you like to configure the /boot device now?" 30 90) then
config-gui.sh config-gui.sh
else
# exit to main menu
break
fi fi
# Mount local disk if it is not already mounted fi
elif ! grep -q /boot /proc/mounts ; then # update CONFIG_BOOT_DEV
mount -o ro /boot . /tmp/config
mount -o ro $CONFIG_BOOT_DEV /boot
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Cannot mount /boot' \ if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Cannot mount /boot' \
--yesno "The /boot partition at $CONFIG_BOOT_DEV could not be mounted!\n\nWould you like to configure the /boot device now?" 30 90) then --yesno "The /boot partition at $CONFIG_BOOT_DEV could not be mounted!\n\nWould you like to configure the /boot device now?" 30 90) then
@ -25,7 +32,7 @@ mount_boot()
recovery "Unable to mount /boot" recovery "Unable to mount /boot"
fi fi
fi fi
fi done
} }
verify_global_hashes() verify_global_hashes()
{ {
@ -40,7 +47,7 @@ verify_global_hashes()
elif [ ! -f $TMP_HASH_FILE ]; then elif [ ! -f $TMP_HASH_FILE ]; then
if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Missing Hash File!' \ if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Missing Hash File!' \
--yesno "The file containing hashes for /boot is missing!\n\nIf you are setting this system up for the first time, select Yes to update\nyour list of checksums.\n\nOtherwise this could indicate a compromise and you should select No to\nreturn to the main menu.\n\nWould you like to update your checksums now?" 30 90) then --yesno "The file containing hashes for /boot is missing!\n\nIf you are setting this system up for the first time, select Yes to update\nyour list of checksums.\n\nOtherwise this could indicate a compromise and you should select No to\nreturn to the main menu.\n\nWould you like to update your checksums now?" 30 90) then
update_checksums prompt_update_checksums
fi fi
return 1 return 1
else else
@ -67,37 +74,16 @@ verify_global_hashes()
fi fi
if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Boot Hash Mismatch' --yesno "$TEXT" 30 90) then if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Boot Hash Mismatch' --yesno "$TEXT" 30 90) then
update_checksums prompt_update_checksums
fi fi
return 1 return 1
fi fi
} }
update_checksums() prompt_update_checksums()
{ {
if (whiptail --title 'Update Checksums and sign all files in /boot' \ if (whiptail --title 'Update Checksums and sign all files in /boot' \
--yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that the files in /boot have not been tampered with.\n\nYou will need your GPG key to continue and this change will modify your disk.\n\nDo you want to continue?" 16 90) then --yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that the files in /boot have not been tampered with.\n\nYou will need your GPG key to continue and this change will modify your disk.\n\nDo you want to continue?" 16 90) then
mount_boot update_checksums
mount -o rw,remount /boot
cd /boot
find ./ -type f ! -name '*kexec*' | xargs sha256sum > /boot/kexec_hashes.txt
DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ')
echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt
# Remove any package trigger log files
# We don't need them after the user decides to sign
rm -f /boot/kexec_package_trigger*
# sign and auto-roll config counter
extparam=
if [ "$CONFIG_TPM" = "y" ]; then
extparam=-u
fi
kexec-sign-config -p /boot $extparam \
|| die "Failed to sign default config"
# switch back to ro mode
mount -o ro,remount /boot
else else
echo "Returning to the main menu" echo "Returning to the main menu"
fi fi
@ -194,7 +180,7 @@ while true; do
--menu "$date\nTOTP: $TOTP | HOTP: $HOTP" 20 90 10 \ --menu "$date\nTOTP: $TOTP | HOTP: $HOTP" 20 90 10 \
'y' ' Default boot' \ 'y' ' Default boot' \
'r' ' Refresh TOTP/HOTP' \ 'r' ' Refresh TOTP/HOTP' \
'a' ' Settings -->' \ 'a' ' Options -->' \
'P' ' Power Off' \ 'P' ' Power Off' \
2>/tmp/whiptail || recovery "GUI menu failed" 2>/tmp/whiptail || recovery "GUI menu failed"
@ -202,9 +188,9 @@ while true; do
fi fi
if [ "$totp_confirm" = "a" ]; then if [ "$totp_confirm" = "a" ]; then
whiptail --clear --title "Settings" \ whiptail --clear --title "HEADS Options" \
--menu "Configure Settings" 20 90 10 \ --menu "" 20 90 10 \
'o' ' Other Boot Options -->' \ 'o' ' Boot Options -->' \
't' ' TPM/TOTP/HOTP Options -->' \ 't' ' TPM/TOTP/HOTP Options -->' \
's' ' Update checksums and sign all files in /boot' \ 's' ' Update checksums and sign all files in /boot' \
'c' ' Change configuration settings -->' \ 'c' ' Change configuration settings -->' \
@ -218,7 +204,7 @@ while true; do
fi fi
if [ "$totp_confirm" = "o" ]; then if [ "$totp_confirm" = "o" ]; then
whiptail --clear --title "Other Boot Options" \ whiptail --clear --title "Boot Options" \
--menu "Select A Boot Option" 20 90 10 \ --menu "Select A Boot Option" 20 90 10 \
'm' ' Show OS boot menu' \ 'm' ' Show OS boot menu' \
'u' ' USB boot' \ 'u' ' USB boot' \
@ -331,7 +317,7 @@ while true; do
fi fi
if [ "$totp_confirm" = "s" ]; then if [ "$totp_confirm" = "s" ]; then
update_checksums prompt_update_checksums
continue continue
fi fi

9
initrd/bin/seal-libremkey
View File

@ -59,12 +59,15 @@ if ! libremkey_hotp_verification info ; then
fi fi
fi fi
read -s -p "Enter your Librem Key Admin PIN" admin_pin echo -e ""
echo read -s -p "Enter your Librem Key Admin PIN: " admin_pin
echo -e "\n"
libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo -e "\n"
read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again: " admin_pin read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again: " admin_pin
echo -e "\n"
if ! libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value ; then if ! libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value ; then
# don't leak key on failure # don't leak key on failure
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
@ -91,7 +94,7 @@ echo $counter_value > $HOTP_COUNTER \
#|| die "Unable to create hotp counter file" #|| die "Unable to create hotp counter file"
mount -o remount,ro /boot mount -o remount,ro /boot
echo "Librem Key initialized successfully. Press Enter to continue." echo -e "\nLibrem Key initialized successfully. Press Enter to continue."
read read
exit 0 exit 0

33
initrd/etc/functions
View File

@ -240,3 +240,36 @@ replace_config() {
combine_configs() { combine_configs() {
cat /etc/config* > /tmp/config cat /etc/config* > /tmp/config
} }
update_checksums()
{
# clear screen
printf "\033c"
# ensure /boot mounted
if ! grep -q /boot /proc/mounts ; then
mount -o ro /boot \
|| recovery "Unable to mount /boot"
fi
# remount RW
mount -o rw,remount /boot
cd /boot
find ./ -type f ! -name '*kexec*' | xargs sha256sum > /boot/kexec_hashes.txt
if [ -e /boot/kexec_default_hashes.txt ]; then
DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ')
echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt
fi
# Remove any package trigger log files
# We don't need them after the user decides to sign
rm -f /boot/kexec_package_trigger*
# sign and auto-roll config counter
extparam=
if [ "$CONFIG_TPM" = "y" ]; then
extparam=-u
fi
kexec-sign-config -p /boot $extparam \
|| die "Failed to sign default config"
# switch back to ro mode
mount -o ro,remount /boot
}