Merge pull request #624 from MrChromebox/purism_resync

Resync with Purism tree
Kyle Rankin 2019-11-25 09:20:48 -08:00 committed by GitHub
commit c55c36ba50
6 changed files with 97 additions and 18 deletions


@ -2,11 +2,11 @@
# depends on : wget sha256sum gunzip # depends on : wget sha256sum gunzip
# Purism source # Purism source
RELEASES_GIT_HASH="ced905accd065df3de6561ee7278400f320f14f7" RELEASES_GIT_HASH="631b4a4e9bf562768afc262647ef4ef4f4ffaebd"
PURISM_SOURCE="https://source.puri.sm/coreboot/releases/raw/${RELEASES_GIT_HASH}" PURISM_SOURCE="https://source.puri.sm/coreboot/releases/raw/${RELEASES_GIT_HASH}"
# Librem 13 v4 and Librem 15 v4 binary blob hashes # Librem 13 v4 and Librem 15 v4 binary blob hashes
KBL_UCODE_SHA="0e3a06d8949a1d7df2c75b414765b98181766e3bd5bc7c317fad65bfcf7c276b" KBL_UCODE_SHA="bb07f0f77abe08e553f85b99d18fa129f991bf3613cf73d77c4f0ece87dd251e"
KBL_DESCRIPTOR_SHA="642ca36f52aabb5198b82e013bf64a73a5148693a58376fffce322a4d438b524" KBL_DESCRIPTOR_SHA="642ca36f52aabb5198b82e013bf64a73a5148693a58376fffce322a4d438b524"
KBL_ME_SHA="0eec2e1135193941edd39d0ec0f463e353d0c6c9068867a2f32a72b64334fb34" KBL_ME_SHA="0eec2e1135193941edd39d0ec0f463e353d0c6c9068867a2f32a72b64334fb34"
KBL_FSPM_SHA="5da3ad7718eb3f6700fb9d97be988d9c8bdd2d8b5910273a80928c49122d5b2d" KBL_FSPM_SHA="5da3ad7718eb3f6700fb9d97be988d9c8bdd2d8b5910273a80928c49122d5b2d"
@ -27,7 +27,7 @@ IFDTOOL_BIN="./ifdtool"
COREBOOT_IMAGE="coreboot-l13v4.rom" COREBOOT_IMAGE="coreboot-l13v4.rom"
COREBOOT_IMAGE_FILE="$COREBOOT_IMAGE.gz" COREBOOT_IMAGE_FILE="$COREBOOT_IMAGE.gz"
COREBOOT_IMAGE_URL="$PURISM_SOURCE/librem_13v4/$COREBOOT_IMAGE_FILE" COREBOOT_IMAGE_URL="$PURISM_SOURCE/librem_13v4/$COREBOOT_IMAGE_FILE"
COREBOOT_IMAGE_SHA="147b911aad362bc67084d1591950e22557ffaba056f42484b521aa48a617c5b0" COREBOOT_IMAGE_SHA="93c86230c618f9f19c29672f15f431f516db9247fac95bb2eacbc0fa33ea1e6a"
die () { die () {
local msg=$1 local msg=$1


@ -2,11 +2,11 @@
# depends on : wget sha256sum gunzip # depends on : wget sha256sum gunzip
# Purism source # Purism source
RELEASES_GIT_HASH="ced905accd065df3de6561ee7278400f320f14f7" RELEASES_GIT_HASH="631b4a4e9bf562768afc262647ef4ef4f4ffaebd"
PURISM_SOURCE="https://source.puri.sm/coreboot/releases/raw/${RELEASES_GIT_HASH}" PURISM_SOURCE="https://source.puri.sm/coreboot/releases/raw/${RELEASES_GIT_HASH}"
# Librem 13 v2/v3 and Librem 15 v3 binary blob hashes # Librem 13 v2/v3 and Librem 15 v3 binary blob hashes
SKL_UCODE_SHA="6c6e420fe0490de51a504303d4c5d12ef8832ffb98a2d5327a9a07f05e62b01f" SKL_UCODE_SHA="e528d2ccc5d76cd04bfabb556a3fbb70b93d9aca43e291e0f0104fbaae5720fd"
SKL_DESCRIPTOR_SHA="642ca36f52aabb5198b82e013bf64a73a5148693a58376fffce322a4d438b524" SKL_DESCRIPTOR_SHA="642ca36f52aabb5198b82e013bf64a73a5148693a58376fffce322a4d438b524"
SKL_ME_SHA="cf06d3eb8b24490a1ab46fd988b6cef822e5347cd6a2e92bc332cb4a376eb8bc" SKL_ME_SHA="cf06d3eb8b24490a1ab46fd988b6cef822e5347cd6a2e92bc332cb4a376eb8bc"
SKL_FSPM_SHA="5da3ad7718eb3f6700fb9d97be988d9c8bdd2d8b5910273a80928c49122d5b2d" SKL_FSPM_SHA="5da3ad7718eb3f6700fb9d97be988d9c8bdd2d8b5910273a80928c49122d5b2d"
@ -27,7 +27,7 @@ IFDTOOL_BIN="./ifdtool"
COREBOOT_IMAGE="coreboot-l13v3.rom" COREBOOT_IMAGE="coreboot-l13v3.rom"
COREBOOT_IMAGE_FILE="$COREBOOT_IMAGE.gz" COREBOOT_IMAGE_FILE="$COREBOOT_IMAGE.gz"
COREBOOT_IMAGE_URL="$PURISM_SOURCE/librem_13v3/$COREBOOT_IMAGE_FILE" COREBOOT_IMAGE_URL="$PURISM_SOURCE/librem_13v3/$COREBOOT_IMAGE_FILE"
COREBOOT_IMAGE_SHA="f20b999457205f033bf122a436f906172bc53ff718034a32f931d9e1712a1033" COREBOOT_IMAGE_SHA="784d8c9e9e3cf11e99b7f8a473d0ec18738193b2b57bb7a37386b536dab84be2"
die () { die () {
local msg=$1 local msg=$1


@ -101,6 +101,15 @@ while true; do
replace_config /etc/config.user "CONFIG_BOOT_DEV" "$SELECTED_FILE" replace_config /etc/config.user "CONFIG_BOOT_DEV" "$SELECTED_FILE"
combine_configs combine_configs
# mount newly selected /boot device
if ! ( umount /boot 2>/tmp/error && \
mount -o ro $SELECTED_FILE /boot 2>/tmp/error ); then
ERROR=`cat /tmp/error`
whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: unable to mount /boot' \
--msgbox "Unable to un/re-mount /boot:\n\n$ERROR" 16 60
exit 1
fi
whiptail --title 'Config change successful' \ whiptail --title 'Config change successful' \
--msgbox "The /boot device was successfully changed to $SELECTED_FILE" 16 60 --msgbox "The /boot device was successfully changed to $SELECTED_FILE" 16 60
;; ;;
@ -116,6 +125,16 @@ while true; do
cbfs -o /tmp/config-gui.rom -d "heads/initrd/etc/config.user" cbfs -o /tmp/config-gui.rom -d "heads/initrd/etc/config.user"
fi fi
cbfs -o /tmp/config-gui.rom -a "heads/initrd/etc/config.user" -f /etc/config.user cbfs -o /tmp/config-gui.rom -a "heads/initrd/etc/config.user" -f /etc/config.user
if (whiptail --title 'Update ROM?' \
--yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 16 90) then
/bin/flash.sh /tmp/config-gui.rom
whiptail --title 'BIOS Updated Successfully' \
--msgbox "BIOS updated successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 16 60
/bin/reboot
else
exit 0
fi
;; ;;
"r" ) "r" )
# prompt for confirmation # prompt for confirmation
@ -150,6 +169,8 @@ while true; do
whiptail --title 'Configuration Reset Updated Successfully' \ whiptail --title 'Configuration Reset Updated Successfully' \
--msgbox "Configuration reset and BIOS updated successfully.\n\nPress Enter to reboot" 16 60 --msgbox "Configuration reset and BIOS updated successfully.\n\nPress Enter to reboot" 16 60
/bin/reboot /bin/reboot
else
exit 0
fi fi
;; ;;
esac esac
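Review bot: In the /boot remount hunk, config.user has already been rewritten by the `replace_config` and `combine_configs` lines just above before the umount/mount is attempted, so when the new check fails the script exits 1 with CONFIG_BOOT_DEV already changed and nothing telling the user the setting was kept. Either attempt the mount before calling `replace_config`, or say it in the error box: `--msgbox "Unable to un/re-mount /boot:\n\n$ERROR\n\nCONFIG_BOOT_DEV is already set to $SELECTED_FILE" 16 60`. `$SELECTED_FILE` is also unquoted in the mount line; `mount -o ro "$SELECTED_FILE" /boot 2>/tmp/error` keeps a device path with spaces intact. The enclosing `while true` loop and `case` start and end outside this hunk.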


@ -71,7 +71,7 @@ file_selector() {
while true; do while true; do
unset menu_choice unset menu_choice
whiptail --clear --title "Firmware Management Menu" \ whiptail --clear --title "Firmware Management Menu" \
--menu "Select the firmware function to perform\n\nRetaining settings copies existing settings to the new firmware:\n* Keeps your GPG keyring\n* Keeps changes to the default /boot device\n\nErasing settings uses the new firmware as-is:\n* Erases any existing GPG keyring\n* Restores firmware to default factory settings\n\nIf you are just updating your firmware, you probably want to retain\nyour settings." 20 90 10 \ --menu "Select the firmware function to perform\n\nRetaining settings copies existing settings to the new firmware:\n* Keeps your GPG keyring\n* Keeps changes to the default /boot device\n\nErasing settings uses the new firmware as-is:\n* Erases any existing GPG keyring\n* Restores firmware to default factory settings\n* Clears out /boot signatures\n\nIf you are just updating your firmware, you probably want to retain\nyour settings." 20 90 10 \
'f' ' Flash the firmware with a new ROM, retain settings' \ 'f' ' Flash the firmware with a new ROM, retain settings' \
'c' ' Flash the firmware with a new ROM, erase settings' \ 'c' ' Flash the firmware with a new ROM, erase settings' \
'x' ' Exit' \ 'x' ' Exit' \
@ -100,6 +100,14 @@ while true; do
--yesno "This will replace your old ROM with $ROM\n\nDo you want to proceed?" 16 90) then --yesno "This will replace your old ROM with $ROM\n\nDo you want to proceed?" 16 90) then
if [ "$menu_choice" == "c" ]; then if [ "$menu_choice" == "c" ]; then
/bin/flash.sh -c "$ROM" /bin/flash.sh -c "$ROM"
# after flash, /boot signatures are now invalid so go ahead and clear them
if ls /boot/kexec* >/dev/null 2>&1 ; then
(
mount -o remount,rw /boot 2>/dev/null
rm /boot/kexec* 2>/dev/null
mount -o remount,ro /boot 2>/dev/null
)
fi
else else
/bin/flash.sh "$ROM" /bin/flash.sh "$ROM"
fi fi
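Review bot: In the signature-clearing block after `/bin/flash.sh -c "$ROM"`, every command in the subshell has stderr sent to /dev/null and the subshell's status is discarded, so if the rw remount fails the `rm /boot/kexec*` fails too and the stale signatures remain with no indication to the user, although the menu text in the first hunk now promises they are cleared. Check the result and report it, e.g. `if ! ( mount -o remount,rw /boot && rm /boot/kexec* ) 2>/tmp/error; then` followed by a whiptail error box showing `$(cat /tmp/error)`, with the `remount,ro` kept after either outcome. The `while true` loop and the `if` around the flash confirmation both start before and end after this hunk.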


@ -18,6 +18,7 @@ WIDTH="220"
USER_PIN_DEF=123456 USER_PIN_DEF=123456
ADMIN_PIN_DEF=12345678 ADMIN_PIN_DEF=12345678
TPM_PASS_DEF=12345678 TPM_PASS_DEF=12345678
CUSTOM_PASS=""
## External files sourced ## External files sourced
@ -85,6 +86,29 @@ gpg_key_reset()
whiptail_error_die "GPG Key automatic keygen failed!\n\n$ERROR" whiptail_error_die "GPG Key automatic keygen failed!\n\n$ERROR"
fi fi
} }
gpg_key_change_pin()
{
# 1 = user PIN, 3 = admin PIN
PIN_TYPE=$1
PIN_ORIG=$2
PIN_NEW=$3
# Change PIN
{
echo admin
echo passwd
echo ${PIN_TYPE}
echo ${PIN_ORIG}
echo ${PIN_NEW}
echo ${PIN_NEW}
echo q
echo q
} | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \
> /tmp/gpg_card_edit_output 2>/dev/null
if [ $? -ne 0 ]; then
ERROR=`cat /tmp/gpg_card_edit_output`
whiptail_error_die "GPG Key PIN change failed!\n\n$ERROR"
fi
}
generate_checksums() generate_checksums()
{ {
@ -130,7 +154,7 @@ generate_checksums()
# sign kexec boot files # sign kexec boot files
if sha256sum $param_files 2>/dev/null | gpg \ if sha256sum $param_files 2>/dev/null | gpg \
--pinentry-mode loopback \ --pinentry-mode loopback \
--passphrase $USER_PIN_DEF \ --passphrase "$USER_PIN_DEF" \
--digest-algo SHA256 \ --digest-algo SHA256 \
--detach-sign \ --detach-sign \
-a \ -a \
@ -217,6 +241,19 @@ if ! whiptail --yesno "
exit 1 exit 1
fi fi
# Prompt to change default passwords
echo -e -n "Would you like to set a custom password? [y/N]:"
read -n 1 prompt_output
echo
if [ "$prompt_output" == "y" \
-o "$prompt_output" == "Y" ] \
; then
echo -e -n "Enter the custom password: "
read CUSTOM_PASS
echo
TPM_PASS_DEF=$CUSTOM_PASS
fi
## sanity check the USB, GPG key, and boot device before proceeding further ## sanity check the USB, GPG key, and boot device before proceeding further
# mount USB, then remount rw # mount USB, then remount rw
@ -272,6 +309,15 @@ gpg --list-keys >/dev/null 2>&1
echo -e "\nResetting GPG Key...\n(this will take a minute or two)\n" echo -e "\nResetting GPG Key...\n(this will take a minute or two)\n"
gpg_key_reset gpg_key_reset
if [ "$CUSTOM_PASS" != "" ]; then
echo -e "\nChanging default GPG Admin PIN\n"
gpg_key_change_pin "3" "$ADMIN_PIN_DEF" "$CUSTOM_PASS"
echo -e "\nChanging default GPG User PIN\n"
gpg_key_change_pin "1" "$USER_PIN_DEF" "$CUSTOM_PASS"
USER_PIN_DEF=$CUSTOM_PASS
ADMIN_PIN_DEF=$CUSTOM_PASS
fi
## export generated key to USB ## export generated key to USB
echo -e "\nExporting generated key to USB...\n" echo -e "\nExporting generated key to USB...\n"
# parse name of generated key # parse name of generated key
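Review bot: In the custom-password prompt, `read CUSTOM_PASS` reads with echo enabled, so the new secret is displayed on the console and left in scrollback, and there is no confirmation entry or empty check, so a mistyped value silently becomes both the TPM password and the GPG PINs. Use `read -r -s CUSTOM_PASS`, read it a second time and compare the two before assigning `TPM_PASS_DEF`. In `gpg_key_change_pin`, `echo ${PIN_ORIG}` and `echo ${PIN_NEW}` are unquoted, so a password containing spaces or glob characters is altered before it reaches gpg; quote them as `echo "${PIN_NEW}"`. Separately, `--passphrase "$USER_PIN_DEF"` in the generate_checksums hunk now passes a user-chosen secret on gpg's command line, where it is visible in the process list; `--passphrase-fd` with the value supplied on a separate descriptor avoids that.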


@ -287,8 +287,10 @@ update_checksums()
if [ "$CONFIG_TPM" = "y" ]; then if [ "$CONFIG_TPM" = "y" ]; then
extparam=-u extparam=-u
fi fi
kexec-sign-config -p /boot $extparam \ if ! kexec-sign-config -p /boot $extparam ; then
|| die "Failed to sign default config" echo "Failed to sign default config; press Enter to continue."
read
fi
# switch back to ro mode # switch back to ro mode
mount -o ro,remount /boot mount -o ro,remount /boot
@ -303,10 +305,11 @@ detect_boot_device()
# check $CONFIG_BOOT_DEV if set/valid # check $CONFIG_BOOT_DEV if set/valid
if [ -e "$CONFIG_BOOT_DEV" ]; then if [ -e "$CONFIG_BOOT_DEV" ]; then
mount -o ro $CONFIG_BOOT_DEV /boot >/dev/null 2>&1 if mount -o ro $CONFIG_BOOT_DEV /boot >/dev/null 2>&1; then
if [[ $? && -d /boot/grub ]]; then if ls -d /boot/grub* >/dev/null 2>&1; then
# CONFIG_BOOT_DEV is valid device and contains an installed OS # CONFIG_BOOT_DEV is valid device and contains an installed OS
return 0 return 0
fi
fi fi
fi fi
@ -328,10 +331,11 @@ detect_boot_device()
# iterate thru possible options and check for grub dir # iterate thru possible options and check for grub dir
for i in `cat /tmp/boot_device_list`; do for i in `cat /tmp/boot_device_list`; do
umount /boot 2>/dev/null umount /boot 2>/dev/null
mount -o ro $i /boot >/dev/null 2>&1 if mount -o ro $i /boot >/dev/null 2>&1; then
if [[ $? && -d /boot/grub ]]; then if ls -d /boot/grub* >/dev/null 2>&1; then
CONFIG_BOOT_DEV="$i" CONFIG_BOOT_DEV="$i"
return 0 return 0
fi
fi fi
done done
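Review bot: In the detect_boot_device hunks the replacement test `ls -d /boot/grub* >/dev/null 2>&1` succeeds for any entry whose name starts with `grub`, a regular file included, whereas the `-d /boot/grub` test it replaces required a directory; a trailing slash keeps the directory requirement while still matching the wider name: `if ls -d /boot/grub*/ >/dev/null 2>&1; then`. The same line appears in the second detect_boot_device hunk and should change there as well. `$CONFIG_BOOT_DEV` and `$i` are unquoted in the `mount -o ro ... /boot` lines, so a device path with spaces would be split; quote them. Both hunks are fragments of detect_boot_device, which starts and ends outside them.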