Merge pull request #593 from MrChromebox/ux_tweaks

UX Tweaks [1/2]
This commit is contained in:
Kyle Rankin 2019-08-02 10:53:18 -07:00 committed by GitHub
commit c1232239e9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 133 additions and 70 deletions

View File

@ -35,3 +35,5 @@ export CONFIG_BOOT_KERNEL_REMOVE=""
export CONFIG_BOOT_DEV="/dev/sda1"
export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 15v3 Heads Boot Menu"
export CONFIG_USB_BOOT_DEV="/dev/sdb1"
export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0"
export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0"

View File

@ -35,3 +35,5 @@ export CONFIG_BOOT_KERNEL_REMOVE=""
export CONFIG_BOOT_DEV="/dev/sda1"
export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 15v4 Heads Boot Menu"
export CONFIG_USB_BOOT_DEV="/dev/sdb1"
export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0"
export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0"

View File

@ -68,6 +68,14 @@ file_selector() {
fi
}
gpg_flash_rom() {
if [ "$1" = "replace" ]; then
# clear local keyring
[ -e /.gnupg/pubring.gpg ] && rm /.gnupg/pubring.gpg
[ -e /.gnupg/pubring.kbx ] && rm /.gnupg/pubring.kbx
[ -e /.gnupg/trustdb.gpg ] && rm /.gnupg/trustdb.gpg
fi
cat "$PUBKEY" | gpg --import
#update /.gnupg/trustdb.gpg to ultimately trust all user provided public keys
gpg --list-keys --fingerprint --with-colons |sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --import-ownertrust
@ -104,10 +112,25 @@ gpg_flash_rom() {
cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/otrust.txt"
fi
# persist user config changes
if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/etc/config.user") then
cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/etc/config.user"
fi
cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/etc/config.user" -f /etc/config.user
/bin/flash.sh /tmp/gpg-gui.rom
whiptail --title 'BIOS Flashed Successfully' \
--msgbox "BIOS flashed successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 16 60
if (whiptail --title 'BIOS Flashed Successfully' \
--yesno "Would you like to update the checksums and sign all of the files in /boot?\n\nYou will need your GPG key to continue and this will modify your disk.\n\nOtherwise the system will reboot immediately." 16 90) then
update_checksums
else
/bin/reboot
fi
whiptail --title 'Files in /boot Updated Successfully'\
--msgbox "Checksums have been updated and /boot files signed.\n\nPress Enter to reboot" 16 60
/bin/reboot
}
gpg_post_gen_mgmt() {
GPG_GEN_KEY=`grep -A1 pub /tmp/gpg_card_edit_output | tail -n1 | sed -nr 's/^([ ])*//p'`
@ -162,12 +185,40 @@ gpg_sc_oem_reset() {
} | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit > /tmp/gpg_card_edit_output || return 2
}
gpg_add_key_reflash() {
if (whiptail --title 'GPG public key required' \
--yesno "This requires you insert a USB drive containing:\n* Your GPG public key (*.key or *.asc)\n\nAfter you select this file, this program will copy and reflash your BIOS\n\nDo you want to proceed?" 16 90) then
mount_usb
if grep -q /media /proc/mounts ; then
find /media -name '*.key' > /tmp/filelist.txt
find /media -name '*.asc' >> /tmp/filelist.txt
file_selector "/tmp/filelist.txt" "Choose your GPG public key"
PUBKEY=$FILE
/bin/flash.sh -r /tmp/gpg-gui.rom
if [ ! -s /tmp/gpg-gui.rom ]; then
whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: BIOS Read Failed!' \
--msgbox "Unable to read BIOS" 16 60
exit 1
fi
if (whiptail --title 'Update ROM?' \
--yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 16 90) then
gpg_flash_rom
else
exit 0
fi
fi
fi
}
while true; do
unset menu_choice
whiptail --clear --title "GPG Management Menu" \
--menu 'Select the GPG function to perform' 20 90 10 \
'r' ' Add GPG key to running BIOS + reflash' \
'a' ' Add GPG key to standalone BIOS image + flash' \
'e' ' Replace GPG key(s) in the current ROM + reflash' \
'l' ' List GPG keys in your keyring' \
'g' ' Generate GPG keys manually on a USB security token' \
'o' ' OEM Factory reset + auto keygen USB security token' \
@ -213,30 +264,16 @@ while true; do
fi
;;
"r" )
if (whiptail --title 'GPG public key required' \
--yesno "This requires you insert a USB drive containing:\n* Your GPG public key (*.key or *.asc)\n\nAfter you select this file, this program will copy and reflash your BIOS\n\nDo you want to proceed?" 16 90) then
mount_usb
if grep -q /media /proc/mounts ; then
find /media -name '*.key' > /tmp/filelist.txt
find /media -name '*.asc' >> /tmp/filelist.txt
file_selector "/tmp/filelist.txt" "Choose your GPG public key"
PUBKEY=$FILE
/bin/flash.sh -r /tmp/gpg-gui.rom
if [ ! -s /tmp/gpg-gui.rom ]; then
whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: BIOS Read Failed!' \
--msgbox "Unable to read BIOS" 16 60
exit 1
fi
if (whiptail --title 'Update ROM?' \
--yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 16 90) then
gpg_flash_rom
else
exit 0
fi
fi
fi
gpg_add_key_reflash
exit 0;
;;
"e" )
# clear local keyring
[ -e /.gnupg/pubring.gpg ] && rm /.gnupg/pubring.gpg
[ -e /.gnupg/pubring.kbx ] && rm /.gnupg/pubring.kbx
[ -e /.gnupg/trustdb.gpg ] && rm /.gnupg/trustdb.gpg
# add key and reflash
gpg_add_key_reflash
;;
"l" )
GPG_KEYRING=`gpg -k`

View File

@ -8,15 +8,22 @@ CONFIG_BOOT_GUI_MENU_NAME='Heads Boot Menu'
mount_boot()
{
# Mount local disk if it is not already mounted
while ! grep -q /boot /proc/mounts ; do
# ensure default boot device is set
if [ ! -e "$CONFIG_BOOT_DEV" ]; then
if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: $CONFIG_BOOT_DEV missing!" \
--yesno "The /boot device $CONFIG_BOOT_DEV could not be found!\n\nYou will need to configure the correct device for /boot.\n\nWould you like to configure the /boot device now?" 30 90) then
config-gui.sh
else
# exit to main menu
break
fi
# Mount local disk if it is not already mounted
elif ! grep -q /boot /proc/mounts ; then
mount -o ro /boot
fi
# update CONFIG_BOOT_DEV
. /tmp/config
mount -o ro $CONFIG_BOOT_DEV /boot
if [ $? -ne 0 ]; then
if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Cannot mount /boot' \
--yesno "The /boot partition at $CONFIG_BOOT_DEV could not be mounted!\n\nWould you like to configure the /boot device now?" 30 90) then
@ -25,7 +32,7 @@ mount_boot()
recovery "Unable to mount /boot"
fi
fi
fi
done
}
verify_global_hashes()
{
@ -40,7 +47,7 @@ verify_global_hashes()
elif [ ! -f $TMP_HASH_FILE ]; then
if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Missing Hash File!' \
--yesno "The file containing hashes for /boot is missing!\n\nIf you are setting this system up for the first time, select Yes to update\nyour list of checksums.\n\nOtherwise this could indicate a compromise and you should select No to\nreturn to the main menu.\n\nWould you like to update your checksums now?" 30 90) then
update_checksums
prompt_update_checksums
fi
return 1
else
@ -67,37 +74,16 @@ verify_global_hashes()
fi
if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Boot Hash Mismatch' --yesno "$TEXT" 30 90) then
update_checksums
prompt_update_checksums
fi
return 1
fi
}
update_checksums()
prompt_update_checksums()
{
if (whiptail --title 'Update Checksums and sign all files in /boot' \
--yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that the files in /boot have not been tampered with.\n\nYou will need your GPG key to continue and this change will modify your disk.\n\nDo you want to continue?" 16 90) then
mount_boot
mount -o rw,remount /boot
cd /boot
find ./ -type f ! -name '*kexec*' | xargs sha256sum > /boot/kexec_hashes.txt
DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ')
echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt
# Remove any package trigger log files
# We don't need them after the user decides to sign
rm -f /boot/kexec_package_trigger*
# sign and auto-roll config counter
extparam=
if [ "$CONFIG_TPM" = "y" ]; then
extparam=-u
fi
kexec-sign-config -p /boot $extparam \
|| die "Failed to sign default config"
# switch back to ro mode
mount -o ro,remount /boot
update_checksums
else
echo "Returning to the main menu"
fi
@ -194,7 +180,7 @@ while true; do
--menu "$date\nTOTP: $TOTP | HOTP: $HOTP" 20 90 10 \
'y' ' Default boot' \
'r' ' Refresh TOTP/HOTP' \
'a' ' Settings -->' \
'a' ' Options -->' \
'P' ' Power Off' \
2>/tmp/whiptail || recovery "GUI menu failed"
@ -202,9 +188,9 @@ while true; do
fi
if [ "$totp_confirm" = "a" ]; then
whiptail --clear --title "Settings" \
--menu "Configure Settings" 20 90 10 \
'o' ' Other Boot Options -->' \
whiptail --clear --title "HEADS Options" \
--menu "" 20 90 10 \
'o' ' Boot Options -->' \
't' ' TPM/TOTP/HOTP Options -->' \
's' ' Update checksums and sign all files in /boot' \
'c' ' Change configuration settings -->' \
@ -218,7 +204,7 @@ while true; do
fi
if [ "$totp_confirm" = "o" ]; then
whiptail --clear --title "Other Boot Options" \
whiptail --clear --title "Boot Options" \
--menu "Select A Boot Option" 20 90 10 \
'm' ' Show OS boot menu' \
'u' ' USB boot' \
@ -331,7 +317,7 @@ while true; do
fi
if [ "$totp_confirm" = "s" ]; then
update_checksums
prompt_update_checksums
continue
fi

View File

@ -59,12 +59,15 @@ if ! libremkey_hotp_verification info ; then
fi
fi
read -s -p "Enter your Librem Key Admin PIN" admin_pin
echo
echo -e ""
read -s -p "Enter your Librem Key Admin PIN: " admin_pin
echo -e "\n"
libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value
if [ $? -ne 0 ]; then
echo -e "\n"
read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again: " admin_pin
echo -e "\n"
if ! libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value ; then
# don't leak key on failure
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
@ -91,7 +94,7 @@ echo $counter_value > $HOTP_COUNTER \
#|| die "Unable to create hotp counter file"
mount -o remount,ro /boot
echo "Librem Key initialized successfully. Press Enter to continue."
echo -e "\nLibrem Key initialized successfully. Press Enter to continue."
read
exit 0

View File

@ -240,3 +240,36 @@ replace_config() {
combine_configs() {
cat /etc/config* > /tmp/config
}
update_checksums()
{
# clear screen
printf "\033c"
# ensure /boot mounted
if ! grep -q /boot /proc/mounts ; then
mount -o ro /boot \
|| recovery "Unable to mount /boot"
fi
# remount RW
mount -o rw,remount /boot
cd /boot
find ./ -type f ! -name '*kexec*' | xargs sha256sum > /boot/kexec_hashes.txt
if [ -e /boot/kexec_default_hashes.txt ]; then
DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ')
echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt
fi
# Remove any package trigger log files
# We don't need them after the user decides to sign
rm -f /boot/kexec_package_trigger*
# sign and auto-roll config counter
extparam=
if [ "$CONFIG_TPM" = "y" ]; then
extparam=-u
fi
kexec-sign-config -p /boot $extparam \
|| die "Failed to sign default config"
# switch back to ro mode
mount -o ro,remount /boot
}