Add GPG GUI
It makes more logical sense for GPG functions to be split out into their own menu instead of being part of the "Flash" menu. This creates a gpg-gui.sh script and moves GPG options there while adding a few additional features (like listing keys and initial smartcard key generation support).
This commit is contained in:
parent
f0067d4b5c
commit
c31421218a
@ -74,8 +74,6 @@ while true; do
|
|||||||
--menu 'Select the BIOS function to perform' 20 90 10 \
|
--menu 'Select the BIOS function to perform' 20 90 10 \
|
||||||
'f' ' Flash the BIOS with a new ROM' \
|
'f' ' Flash the BIOS with a new ROM' \
|
||||||
'c' ' Flash the BIOS with a new cleaned ROM' \
|
'c' ' Flash the BIOS with a new cleaned ROM' \
|
||||||
'a' ' Add GPG key to BIOS image' \
|
|
||||||
'r' ' Add GPG key to running BIOS' \
|
|
||||||
'x' ' Exit' \
|
'x' ' Exit' \
|
||||||
2>/tmp/whiptail || recovery "GUI menu failed"
|
2>/tmp/whiptail || recovery "GUI menu failed"
|
||||||
|
|
||||||
@ -115,154 +113,6 @@ while true; do
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
"a" )
|
|
||||||
if (whiptail --title 'ROM and GPG public key required' \
|
|
||||||
--yesno "This requires you insert a USB drive containing:\n* Your GPG public key (*.key or *.asc)\n* Your BIOS image (*.rom)\n\nAfter you select these files, this program will reflash your BIOS\n\nDo you want to proceed?" 16 90) then
|
|
||||||
mount_usb
|
|
||||||
if grep -q /media /proc/mounts ; then
|
|
||||||
find /media -name '*.key' > /tmp/filelist.txt
|
|
||||||
find /media -name '*.asc' >> /tmp/filelist.txt
|
|
||||||
file_selector "/tmp/filelist.txt" "Choose your GPG public key"
|
|
||||||
if [ "$FILE" == "" ]; then
|
|
||||||
return
|
|
||||||
else
|
|
||||||
PUBKEY=$FILE
|
|
||||||
fi
|
|
||||||
|
|
||||||
find /media -name '*.rom' > /tmp/filelist.txt
|
|
||||||
file_selector "/tmp/filelist.txt" "Choose the ROM to load your key onto"
|
|
||||||
if [ "$FILE" == "" ]; then
|
|
||||||
return
|
|
||||||
else
|
|
||||||
ROM=$FILE
|
|
||||||
fi
|
|
||||||
|
|
||||||
cat "$PUBKEY" | gpg --import
|
|
||||||
#update /.gnupg/trustdb.gpg to ultimately trust all user provided public keys
|
|
||||||
gpg --list-keys --fingerprint --with-colons |sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --import-ownertrust
|
|
||||||
gpg --update-trust
|
|
||||||
|
|
||||||
cp "$ROM" /tmp/gpg-gui.rom
|
|
||||||
if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.kbx"); then
|
|
||||||
cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.kbx"
|
|
||||||
if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.gpg"); then
|
|
||||||
cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.gpg"
|
|
||||||
if [ -e /.gnupg/pubring.gpg ];then
|
|
||||||
rm /.gnupg/pubring.gpg
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
#to be compatible with gpgv1
|
|
||||||
if [ -e /.gnupg/pubring.kbx ];then
|
|
||||||
cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx
|
|
||||||
if [ -e /.gnupg/pubring.gpg ];then
|
|
||||||
rm /.gnupg/pubring.gpg
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
if [ -e /.gnupg/pubring.gpg ];then
|
|
||||||
cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.gpg" -f /.gnupg/pubring.gpg
|
|
||||||
fi
|
|
||||||
|
|
||||||
if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/trustdb.gpg") then
|
|
||||||
cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/trustdb.gpg"
|
|
||||||
fi
|
|
||||||
cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/trustdb.gpg" -f /.gnupg/trustdb.gpg
|
|
||||||
|
|
||||||
#Remove old method owner trust exported file
|
|
||||||
if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/otrust.txt") then
|
|
||||||
cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/otrust.txt"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if (whiptail --title 'Flash ROM?' \
|
|
||||||
--yesno "This will replace your old ROM with $ROM\n\nDo you want to proceed?" 16 90) then
|
|
||||||
/bin/flash.sh /tmp/gpg-gui.rom
|
|
||||||
whiptail --title 'ROM Flashed Successfully' \
|
|
||||||
--msgbox "$ROM flashed successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 16 60
|
|
||||||
umount /media
|
|
||||||
/bin/reboot
|
|
||||||
else
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
"r" )
|
|
||||||
if (whiptail --title 'GPG public key required' \
|
|
||||||
--yesno "Flashing the running BIOS requires you insert a USB drive containing:\n* Your GPG public key (*.key or *.asc)\n\nAfter you select this file, this program will copy and reflash your BIOS\n\nDo you want to proceed?" 16 90) then
|
|
||||||
mount_usb
|
|
||||||
if grep -q /media /proc/mounts ; then
|
|
||||||
find /media -name '*.key' > /tmp/filelist.txt
|
|
||||||
find /media -name '*.asc' >> /tmp/filelist.txt
|
|
||||||
file_selector "/tmp/filelist.txt" "Choose your GPG public key"
|
|
||||||
PUBKEY=$FILE
|
|
||||||
|
|
||||||
/bin/flash.sh -r /tmp/gpg-gui.rom
|
|
||||||
if [ ! -s /tmp/gpg-gui.rom ]; then
|
|
||||||
whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: BIOS Read Failed!' \
|
|
||||||
--msgbox "Unable to read BIOS" 16 60
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
cat "$PUBKEY" | gpg --import
|
|
||||||
#update /.gnupg/trustdb.gpg to ultimately trust all user provided public keys
|
|
||||||
gpg --list-keys --fingerprint --with-colons |sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --import-ownertrust
|
|
||||||
gpg --update-trust
|
|
||||||
|
|
||||||
if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.kbx"); then
|
|
||||||
cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.kbx"
|
|
||||||
if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.gpg"); then
|
|
||||||
cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.gpg"
|
|
||||||
if [ -e /.gnupg/pubring.gpg ];then
|
|
||||||
rm /.gnupg/pubring.gpg
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
#to be compatible with gpgv1
|
|
||||||
if [ -e /.gnupg/pubring.kbx ];then
|
|
||||||
cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx
|
|
||||||
if [ -e /.gnupg/pubring.gpg ];then
|
|
||||||
rm /.gnupg/pubring.gpg
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
if [ -e /.gnupg/pubring.gpg ];then
|
|
||||||
cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.gpg" -f /.gnupg/pubring.gpg
|
|
||||||
fi
|
|
||||||
|
|
||||||
if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/trustdb.gpg") then
|
|
||||||
cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/trustdb.gpg"
|
|
||||||
fi
|
|
||||||
cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/trustdb.gpg" -f /.gnupg/trustdb.gpg
|
|
||||||
|
|
||||||
#Remove old method owner trust exported file
|
|
||||||
if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/otrust.txt") then
|
|
||||||
cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/otrust.txt"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if (whiptail --title 'Update ROM?' \
|
|
||||||
--yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 16 90) then
|
|
||||||
/bin/flash.sh /tmp/gpg-gui.rom
|
|
||||||
whiptail --title 'BIOS Updated Successfully' \
|
|
||||||
--msgbox "BIOS updated successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 16 60
|
|
||||||
umount /media
|
|
||||||
/bin/reboot
|
|
||||||
else
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
"g" )
|
|
||||||
confirm_gpg_card
|
|
||||||
echo "********************************************************************************"
|
|
||||||
echo "*"
|
|
||||||
echo "* INSTRUCTIONS:"
|
|
||||||
echo "* Type 'admin' and then 'generate' and follow the prompts to generate a GPG key."
|
|
||||||
echo "*"
|
|
||||||
echo "********************************************************************************"
|
|
||||||
gpg --card-edit
|
|
||||||
;;
|
|
||||||
esac
|
esac
|
||||||
|
|
||||||
done
|
done
|
||||||
|
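--- /dev/null
+++ b/initrd/bin/gpg-gui.sh
@@ -0,0 +1,244 @@
+#!/bin/sh
+#
+set -e -o pipefail
+. /etc/functions
+. /tmp/config
+
+mount_usb(){
+# Mount the USB boot device
+if ! grep -q /media /proc/mounts ; then
+mount-usb "$CONFIG_USB_BOOT_DEV" || USB_FAILED=1
+if [ $USB_FAILED -ne 0 ]; then
+if [ ! -e "$CONFIG_USB_BOOT_DEV" ]; then
+whiptail --title 'USB Drive Missing' \
+--msgbox "Insert your USB drive and press Enter to continue." 16 60 USB_FAILED=0
+mount-usb "$CONFIG_USB_BOOT_DEV" || USB_FAILED=1
+fi
+if [ $USB_FAILED -ne 0 ]; then
+whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Mounting /media Failed' \
+--msgbox "Unable to mount $CONFIG_USB_BOOT_DEV" 16 60
+fi
+fi
+fi
+}
+
+file_selector() {
+FILE=""
+FILE_LIST=$1
+MENU_MSG=${2:-"Choose the file"}
+# create file menu options
+if [ `cat "$FILE_LIST" | wc -l` -gt 0 ]; then
+option=""
+while [ -z "$option" ]
+do
+MENU_OPTIONS=""
+n=0
+while read option
+do
+n=`expr $n + 1`
+option=$(echo $option | tr " " "_")
+MENU_OPTIONS="$MENU_OPTIONS $n ${option}"
+done < $FILE_LIST
+
+MENU_OPTIONS="$MENU_OPTIONS a Abort"
+whiptail --clear --title "Select your File" \
+--menu "${MENU_MSG} [1-$n, a to abort]:" 20 120 8 \
+-- $MENU_OPTIONS \
+2>/tmp/whiptail || die "Aborting"
+
+option_index=$(cat /tmp/whiptail)
+
+if [ "$option_index" = "a" ]; then
+option="a"
+return
+fi
+
+option=`head -n $option_index $FILE_LIST | tail -1`
+if [ "$option" == "a" ]; then
+return
+fi
+done
+if [ -n "$option" ]; then
+FILE=$option
+fi
+else
+whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: No Files Found' \
+--msgbox "No Files found matching the pattern. Aborting." 16 60
+exit 1
+fi
+}
+
+while true; do
+unset menu_choice
+whiptail --clear --title "GPG Management Menu" \
+--menu 'Select the GPG function to perform' 20 90 10 \
+'r' ' Add GPG key to running BIOS + reflash' \
+'a' ' Add GPG key to standalone BIOS image + flash' \
+'l' ' List GPG keys in your keyring' \
+'g' ' Generate GPG keys on a USB security token' \
+'x' ' Exit' \
+2>/tmp/whiptail || recovery "GUI menu failed"
+
+menu_choice=$(cat /tmp/whiptail)
+
+case "$menu_choice" in
+"x" )
+exit 0
+;;
+"a" )
+if (whiptail --title 'ROM and GPG public key required' \
+--yesno "This requires you insert a USB drive containing:\n* Your GPG public key (*.key or *.asc)\n* Your BIOS image (*.rom)\n\nAfter you select these files, this program will reflash your BIOS\n\nDo you want to proceed?" 16 90) then
+mount_usb
+if grep -q /media /proc/mounts ; then
+find /media -name '*.key' > /tmp/filelist.txt
+find /media -name '*.asc' >> /tmp/filelist.txt
+file_selector "/tmp/filelist.txt" "Choose your GPG public key"
+if [ "$FILE" == "" ]; then
+return
+else
+PUBKEY=$FILE
+fi
+
+find /media -name '*.rom' > /tmp/filelist.txt
+file_selector "/tmp/filelist.txt" "Choose the ROM to load your key onto"
+if [ "$FILE" == "" ]; then
+return
+else
+ROM=$FILE
+fi
+
+cat "$PUBKEY" | gpg --import
+#update /.gnupg/trustdb.gpg to ultimately trust all user provided public keys
+gpg --list-keys --fingerprint --with-colons |sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --import-ownertrust
+gpg --update-trust
+
+cp "$ROM" /tmp/gpg-gui.rom
+if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.kbx"); then
+cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.kbx"
+if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.gpg"); then
+cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.gpg"
+if [ -e /.gnupg/pubring.gpg ];then
+rm /.gnupg/pubring.gpg
+fi
+fi
+fi
+
+#to be compatible with gpgv1
+if [ -e /.gnupg/pubring.kbx ];then
+cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx
+if [ -e /.gnupg/pubring.gpg ];then
+rm /.gnupg/pubring.gpg
+fi
+fi
+if [ -e /.gnupg/pubring.gpg ];then
+cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.gpg" -f /.gnupg/pubring.gpg
+fi
+
+if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/trustdb.gpg") then
+cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/trustdb.gpg"
+fi
+cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/trustdb.gpg" -f /.gnupg/trustdb.gpg
+
+#Remove old method owner trust exported file
+if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/otrust.txt") then
+cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/otrust.txt"
+fi
+
+if (whiptail --title 'Flash ROM?' \
+--yesno "This will replace your old ROM with $ROM\n\nDo you want to proceed?" 16 90) then
+/bin/flash.sh /tmp/gpg-gui.rom
+whiptail --title 'ROM Flashed Successfully' \
+--msgbox "$ROM flashed successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 16 60
+umount /media
+/bin/reboot
+else
+exit 0
+fi
+fi
+fi
+;;
+"r" )
+if (whiptail --title 'GPG public key required' \
+--yesno "This requires you insert a USB drive containing:\n* Your GPG public key (*.key or *.asc)\n\nAfter you select this file, this program will copy and reflash your BIOS\n\nDo you want to proceed?" 16 90) then
+mount_usb
+if grep -q /media /proc/mounts ; then
+find /media -name '*.key' > /tmp/filelist.txt
+find /media -name '*.asc' >> /tmp/filelist.txt
+file_selector "/tmp/filelist.txt" "Choose your GPG public key"
+PUBKEY=$FILE
+
+/bin/flash.sh -r /tmp/gpg-gui.rom
+if [ ! -s /tmp/gpg-gui.rom ]; then
+whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: BIOS Read Failed!' \
+--msgbox "Unable to read BIOS" 16 60
+exit 1
+fi
+
+cat "$PUBKEY" | gpg --import
+#update /.gnupg/trustdb.gpg to ultimately trust all user provided public keys
+gpg --list-keys --fingerprint --with-colons |sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --import-ownertrust
+gpg --update-trust
+
+if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.kbx"); then
+cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.kbx"
+if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.gpg"); then
+cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.gpg"
+if [ -e /.gnupg/pubring.gpg ];then
+rm /.gnupg/pubring.gpg
+fi
+fi
+fi
+
+#to be compatible with gpgv1
+if [ -e /.gnupg/pubring.kbx ];then
+cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx
+if [ -e /.gnupg/pubring.gpg ];then
+rm /.gnupg/pubring.gpg
+fi
+fi
+if [ -e /.gnupg/pubring.gpg ];then
+cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.gpg" -f /.gnupg/pubring.gpg
+fi
+
+if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/trustdb.gpg") then
+cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/trustdb.gpg"
+fi
+cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/trustdb.gpg" -f /.gnupg/trustdb.gpg
+
+#Remove old method owner trust exported file
+if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/otrust.txt") then
+cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/otrust.txt"
+fi
+
+if (whiptail --title 'Update ROM?' \
+--yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 16 90) then
+/bin/flash.sh /tmp/gpg-gui.rom
+whiptail --title 'BIOS Updated Successfully' \
+--msgbox "BIOS updated successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 16 60
+umount /media
+/bin/reboot
+else
+exit 0
+fi
+fi
+fi
+;;
+"l" )
+GPG_KEYRING=`gpg -k`
+whiptail --title 'GPG Keyring' \
+--msgbox "${GPG_KEYRING}" 16 60
+;;
+"g" )
+confirm_gpg_card
+echo "********************************************************************************"
+echo "*"
+echo "* INSTRUCTIONS:"
+echo "* Type 'admin' and then 'generate' and follow the prompts to generate a GPG key."
+echo "*"
+echo "********************************************************************************"
+gpg --card-edit
+;;
+esac
+
+done
+exit 0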
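Review bot: The two `if [ "$FILE" == "" ]; then return` checks in the "a" case of gpg-gui.sh run at script top level, not inside a function, so an aborted file selection does not go back to the GPG menu; `return` outside a function in an executed (not sourced) script is an error with status 1, and under `set -e` the script then terminates. Replace both with `continue` so control goes back to the `while true` menu loop, e.g. `if [ "$FILE" == "" ]; then continue; fi`, and add the same guard after the `file_selector` call in the "r" case, which currently has none and lets an empty `$PUBKEY` flow into `cat "$PUBKEY" | gpg --import` (with `-o pipefail` the failed cat most likely aborts the whole script rather than showing a dialog). Separately, in `mount_usb` the trailing `USB_FAILED=0` on the `--msgbox "Insert your USB drive ..." 16 60 USB_FAILED=0` line is an extra argument to whiptail rather than an assignment, and `$USB_FAILED` is tested in `[ $USB_FAILED -ne 0 ]` before it is ever set when the first `mount-usb` succeeds; initialise it with `USB_FAILED=0` before the first `mount-usb` call and move the reset onto its own line so a successful retry does not still report "Unable to mount".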
@ -114,7 +114,7 @@ while true; do
|
|||||||
if [ $GPG_KEY_COUNT -eq 0 ]; then
|
if [ $GPG_KEY_COUNT -eq 0 ]; then
|
||||||
whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: GPG keyring empty!" \
|
whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: GPG keyring empty!" \
|
||||||
--menu "ERROR: Heads couldn't find any GPG keys in your keyring.\n\nIf this is the first time the system has booted,\nyou should add a public GPG key to the BIOS now.\n\nIf you just reflashed a new BIOS, you'll need to add at least one\npublic key to the keyring.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 30 90 4 \
|
--menu "ERROR: Heads couldn't find any GPG keys in your keyring.\n\nIf this is the first time the system has booted,\nyou should add a public GPG key to the BIOS now.\n\nIf you just reflashed a new BIOS, you'll need to add at least one\npublic key to the keyring.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 30 90 4 \
|
||||||
'f' ' Add a GPG key to the running BIOS' \
|
'G' ' Add a GPG key to the running BIOS' \
|
||||||
'i' ' Ignore error and continue to default boot menu' \
|
'i' ' Ignore error and continue to default boot menu' \
|
||||||
'x' ' Exit to recovery shell' \
|
'x' ' Exit to recovery shell' \
|
||||||
2>/tmp/whiptail || recovery "GUI menu failed"
|
2>/tmp/whiptail || recovery "GUI menu failed"
|
||||||
@ -185,13 +185,11 @@ while true; do
|
|||||||
whiptail --clear --title "Advanced Settings" \
|
whiptail --clear --title "Advanced Settings" \
|
||||||
--menu "Configure Advanced Settings" 20 90 10 \
|
--menu "Configure Advanced Settings" 20 90 10 \
|
||||||
'o' ' Other Boot Options -->' \
|
'o' ' Other Boot Options -->' \
|
||||||
'r' ' TOTP/HOTP does not match, refresh code' \
|
't' ' TPM/TOTP/HOTP Options -->' \
|
||||||
'g' ' Generate new TOTP/HOTP secret' \
|
|
||||||
's' ' Update checksums and sign all files in /boot' \
|
's' ' Update checksums and sign all files in /boot' \
|
||||||
'c' ' Change configuration settings -->' \
|
'c' ' Change configuration settings -->' \
|
||||||
'f' ' Flash/Update the BIOS -->' \
|
'f' ' Flash/Update the BIOS -->' \
|
||||||
'p' ' Reset the TPM' \
|
'G' ' GPG Options -->' \
|
||||||
'n' ' TOTP/HOTP does not match after refresh, troubleshoot' \
|
|
||||||
'r' ' <-- Return to main menu' \
|
'r' ' <-- Return to main menu' \
|
||||||
2>/tmp/whiptail || recovery "GUI menu failed"
|
2>/tmp/whiptail || recovery "GUI menu failed"
|
||||||
|
|
||||||
@ -210,6 +208,19 @@ while true; do
|
|||||||
totp_confirm=$(cat /tmp/whiptail)
|
totp_confirm=$(cat /tmp/whiptail)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ "$totp_confirm" = "t" ]; then
|
||||||
|
whiptail --clear --title "TPM/TOTP/HOTP Options" \
|
||||||
|
--menu "Select An Option" 20 90 10 \
|
||||||
|
'g' ' Generate new TOTP/HOTP secret' \
|
||||||
|
'p' ' Reset the TPM' \
|
||||||
|
'r' ' TOTP/HOTP does not match, refresh code' \
|
||||||
|
'n' ' TOTP/HOTP does not match after refresh, troubleshoot' \
|
||||||
|
'r' ' <-- Return to main menu' \
|
||||||
|
2>/tmp/whiptail || recovery "GUI menu failed"
|
||||||
|
|
||||||
|
totp_confirm=$(cat /tmp/whiptail)
|
||||||
|
fi
|
||||||
|
|
||||||
if [ "$totp_confirm" = "x" ]; then
|
if [ "$totp_confirm" = "x" ]; then
|
||||||
recovery "User requested recovery shell"
|
recovery "User requested recovery shell"
|
||||||
fi
|
fi
|
||||||
@ -314,6 +325,11 @@ while true; do
|
|||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ "$totp_confirm" = "G" ]; then
|
||||||
|
gpg-gui.sh
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
|
||||||
if [ "$totp_confirm" = "y" -o -n "$totp_confirm" ]; then
|
if [ "$totp_confirm" = "y" -o -n "$totp_confirm" ]; then
|
||||||
# Try to boot the default
|
# Try to boot the default
|
||||||
mount_boot
|
mount_boot
|
||||||
|
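Review bot: The TPM/TOTP/HOTP submenu added in the `@ -210,6 +208,19 @@` hunk uses the tag `'r'` twice — once for `' TOTP/HOTP does not match, refresh code'` and once for `' <-- Return to main menu'` — and whiptail writes only the tag to /tmp/whiptail, so the `totp_confirm` value read back cannot tell the two entries apart and whichever `"r"` handler exists further down (outside these hunks) will serve both. Give the return entry a tag of its own, for example `'m' ' <-- Return to main menu' \` paired with `if [ "$totp_confirm" = "m" ]; then continue; fi`, or drop the entry since the enclosing loop redisplays the main menu anyway. As a point of style, the `"G"` handler in the last hunk invokes `gpg-gui.sh` by bare name whereas the new script itself calls `/bin/flash.sh` by absolute path; `/bin/gpg-gui.sh` would make the two consistent. The `while true` loop enclosing all four hunks starts and ends outside the visible diff.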