Merge pull request #624 from MrChromebox/purism_resync

Resync with Purism tree

blobs/librem_kbl/get_blobs.sh

@@ -2,11 +2,11 @@
 # depends on : wget sha256sum gunzip
 
 # Purism source
-RELEASES_GIT_HASH="ced905accd065df3de6561ee7278400f320f14f7"
+RELEASES_GIT_HASH="631b4a4e9bf562768afc262647ef4ef4f4ffaebd"
 PURISM_SOURCE="https://source.puri.sm/coreboot/releases/raw/${RELEASES_GIT_HASH}"
 
 # Librem 13 v4 and Librem 15 v4 binary blob hashes
-KBL_UCODE_SHA="0e3a06d8949a1d7df2c75b414765b98181766e3bd5bc7c317fad65bfcf7c276b"
+KBL_UCODE_SHA="bb07f0f77abe08e553f85b99d18fa129f991bf3613cf73d77c4f0ece87dd251e"
 KBL_DESCRIPTOR_SHA="642ca36f52aabb5198b82e013bf64a73a5148693a58376fffce322a4d438b524"
 KBL_ME_SHA="0eec2e1135193941edd39d0ec0f463e353d0c6c9068867a2f32a72b64334fb34"
 KBL_FSPM_SHA="5da3ad7718eb3f6700fb9d97be988d9c8bdd2d8b5910273a80928c49122d5b2d"
@@ -27,7 +27,7 @@ IFDTOOL_BIN="./ifdtool"
 COREBOOT_IMAGE="coreboot-l13v4.rom"
 COREBOOT_IMAGE_FILE="$COREBOOT_IMAGE.gz"
 COREBOOT_IMAGE_URL="$PURISM_SOURCE/librem_13v4/$COREBOOT_IMAGE_FILE"
-COREBOOT_IMAGE_SHA="147b911aad362bc67084d1591950e22557ffaba056f42484b521aa48a617c5b0"
+COREBOOT_IMAGE_SHA="93c86230c618f9f19c29672f15f431f516db9247fac95bb2eacbc0fa33ea1e6a"
 
 die () {
     local msg=$1

blobs/librem_skl/get_blobs.sh

@@ -2,11 +2,11 @@
 # depends on : wget sha256sum gunzip
 
 # Purism source
-RELEASES_GIT_HASH="ced905accd065df3de6561ee7278400f320f14f7"
+RELEASES_GIT_HASH="631b4a4e9bf562768afc262647ef4ef4f4ffaebd"
 PURISM_SOURCE="https://source.puri.sm/coreboot/releases/raw/${RELEASES_GIT_HASH}"
 
 # Librem 13 v2/v3 and Librem 15 v3 binary blob hashes
-SKL_UCODE_SHA="6c6e420fe0490de51a504303d4c5d12ef8832ffb98a2d5327a9a07f05e62b01f"
+SKL_UCODE_SHA="e528d2ccc5d76cd04bfabb556a3fbb70b93d9aca43e291e0f0104fbaae5720fd"
 SKL_DESCRIPTOR_SHA="642ca36f52aabb5198b82e013bf64a73a5148693a58376fffce322a4d438b524"
 SKL_ME_SHA="cf06d3eb8b24490a1ab46fd988b6cef822e5347cd6a2e92bc332cb4a376eb8bc"
 SKL_FSPM_SHA="5da3ad7718eb3f6700fb9d97be988d9c8bdd2d8b5910273a80928c49122d5b2d"
@@ -27,7 +27,7 @@ IFDTOOL_BIN="./ifdtool"
 COREBOOT_IMAGE="coreboot-l13v3.rom"
 COREBOOT_IMAGE_FILE="$COREBOOT_IMAGE.gz"
 COREBOOT_IMAGE_URL="$PURISM_SOURCE/librem_13v3/$COREBOOT_IMAGE_FILE"
-COREBOOT_IMAGE_SHA="f20b999457205f033bf122a436f906172bc53ff718034a32f931d9e1712a1033"
+COREBOOT_IMAGE_SHA="784d8c9e9e3cf11e99b7f8a473d0ec18738193b2b57bb7a37386b536dab84be2"
 
 die () {
     local msg=$1

initrd/bin/config-gui.sh

@@ -101,6 +101,15 @@ while true; do
       replace_config /etc/config.user "CONFIG_BOOT_DEV" "$SELECTED_FILE"
       combine_configs
 
+      # mount newly selected /boot device
+      if ! ( umount /boot 2>/tmp/error && \
+          mount -o ro $SELECTED_FILE /boot 2>/tmp/error ); then
+        ERROR=`cat /tmp/error`
+        whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: unable to mount /boot' \
+          --msgbox "Unable to un/re-mount /boot:\n\n$ERROR" 16 60
+        exit 1
+      fi
+
       whiptail --title 'Config change successful' \
         --msgbox "The /boot device was successfully changed to $SELECTED_FILE" 16 60
     ;;
@@ -116,6 +125,16 @@ while true; do
         cbfs -o /tmp/config-gui.rom -d "heads/initrd/etc/config.user"
       fi
       cbfs -o /tmp/config-gui.rom -a "heads/initrd/etc/config.user" -f /etc/config.user
+
+      if (whiptail --title 'Update ROM?' \
+          --yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 16 90) then
+        /bin/flash.sh /tmp/config-gui.rom
+        whiptail --title 'BIOS Updated Successfully' \
+          --msgbox "BIOS updated successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 16 60
+        /bin/reboot
+      else
+        exit 0
+      fi
     ;;
     "r" )
       # prompt for confirmation
@@ -150,6 +169,8 @@ while true; do
         whiptail --title 'Configuration Reset Updated Successfully' \
           --msgbox "Configuration reset and BIOS updated successfully.\n\nPress Enter to reboot" 16 60
         /bin/reboot
+      else
+        exit 0
       fi
     ;;
   esac

initrd/bin/flash-gui.sh

@@ -71,7 +71,7 @@ file_selector() {
 while true; do
   unset menu_choice
   whiptail --clear --title "Firmware Management Menu" \
-    --menu "Select the firmware function to perform\n\nRetaining settings copies existing settings to the new firmware:\n* Keeps your GPG keyring\n* Keeps changes to the default /boot device\n\nErasing settings uses the new firmware as-is:\n* Erases any existing GPG keyring\n* Restores firmware to default factory settings\n\nIf you are just updating your firmware, you probably want to retain\nyour settings." 20 90 10 \
+    --menu "Select the firmware function to perform\n\nRetaining settings copies existing settings to the new firmware:\n* Keeps your GPG keyring\n* Keeps changes to the default /boot device\n\nErasing settings uses the new firmware as-is:\n* Erases any existing GPG keyring\n* Restores firmware to default factory settings\n* Clears out /boot signatures\n\nIf you are just updating your firmware, you probably want to retain\nyour settings." 20 90 10 \
     'f' ' Flash the firmware with a new ROM, retain settings' \
     'c' ' Flash the firmware with a new ROM, erase settings' \
     'x' ' Exit' \
@@ -100,6 +100,14 @@ while true; do
               --yesno "This will replace your old ROM with $ROM\n\nDo you want to proceed?" 16 90) then
             if [ "$menu_choice" == "c" ]; then
               /bin/flash.sh -c "$ROM"
+              # after flash, /boot signatures are now invalid so go ahead and clear them
+              if ls /boot/kexec* >/dev/null 2>&1 ; then
+                (
+                  mount -o remount,rw /boot 2>/dev/null
+                  rm /boot/kexec* 2>/dev/null
+                  mount -o remount,ro /boot 2>/dev/null
+                )
+              fi
             else
               /bin/flash.sh "$ROM"
             fi

initrd/bin/oem-factory-reset

@@ -18,6 +18,7 @@ WIDTH="220"
 USER_PIN_DEF=123456
 ADMIN_PIN_DEF=12345678
 TPM_PASS_DEF=12345678
+CUSTOM_PASS=""
 
 ## External files sourced
 
@@ -85,6 +86,29 @@ gpg_key_reset()
         whiptail_error_die "GPG Key automatic keygen failed!\n\n$ERROR"
     fi
 }
+gpg_key_change_pin()
+{
+    # 1 = user PIN, 3 = admin PIN
+    PIN_TYPE=$1
+    PIN_ORIG=$2
+    PIN_NEW=$3
+    # Change PIN
+    {
+        echo admin
+        echo passwd
+        echo ${PIN_TYPE}
+        echo ${PIN_ORIG}
+        echo ${PIN_NEW}
+        echo ${PIN_NEW}
+        echo q
+        echo q
+    } | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \
+        > /tmp/gpg_card_edit_output 2>/dev/null 
+    if [ $? -ne 0 ]; then
+        ERROR=`cat /tmp/gpg_card_edit_output`
+        whiptail_error_die "GPG Key PIN change failed!\n\n$ERROR"
+    fi
+}
 
 generate_checksums()
 {
@@ -130,7 +154,7 @@ generate_checksums()
     # sign kexec boot files
     if sha256sum $param_files 2>/dev/null | gpg \
             --pinentry-mode loopback \
-            --passphrase $USER_PIN_DEF \
+            --passphrase "$USER_PIN_DEF" \
             --digest-algo SHA256 \
             --detach-sign \
             -a \
@@ -217,6 +241,19 @@ if ! whiptail --yesno "
     exit 1
 fi
 
+# Prompt to change default passwords
+echo -e -n "Would you like to set a custom password? [y/N]:"
+read -n 1 prompt_output
+echo
+if [ "$prompt_output" == "y" \
+  -o "$prompt_output" == "Y" ] \
+; then
+  echo -e -n "Enter the custom password: "
+  read CUSTOM_PASS
+  echo
+  TPM_PASS_DEF=$CUSTOM_PASS
+fi
+
 ## sanity check the USB, GPG key, and boot device before proceeding further
 
 # mount USB, then remount rw
@@ -272,6 +309,15 @@ gpg --list-keys >/dev/null 2>&1
 echo -e "\nResetting GPG Key...\n(this will take a minute or two)\n"
 gpg_key_reset
 
+if [ "$CUSTOM_PASS" != "" ]; then
+  echo -e "\nChanging default GPG Admin PIN\n"
+  gpg_key_change_pin "3" "$ADMIN_PIN_DEF" "$CUSTOM_PASS"
+  echo -e "\nChanging default GPG User PIN\n"
+  gpg_key_change_pin "1" "$USER_PIN_DEF" "$CUSTOM_PASS"
+  USER_PIN_DEF=$CUSTOM_PASS
+  ADMIN_PIN_DEF=$CUSTOM_PASS
+fi
+
 ## export generated key to USB
 echo -e "\nExporting generated key to USB...\n"
 # parse name of generated key

initrd/etc/functions

@@ -287,8 +287,10 @@ update_checksums()
 	if [ "$CONFIG_TPM" = "y" ]; then
 	extparam=-u
 	fi
-	kexec-sign-config -p /boot $extparam \
-	|| die "Failed to sign default config"
+	if ! kexec-sign-config -p /boot $extparam ; then
+	  echo "Failed to sign default config; press Enter to continue."
+	  read
+	fi
 
 	# switch back to ro mode
 	mount -o ro,remount /boot
@@ -303,10 +305,11 @@ detect_boot_device()
 
 	# check $CONFIG_BOOT_DEV if set/valid
 	if [ -e "$CONFIG_BOOT_DEV" ]; then
-		mount -o ro $CONFIG_BOOT_DEV /boot >/dev/null 2>&1
-		if [[ $? && -d /boot/grub ]]; then
-			# CONFIG_BOOT_DEV is valid device and contains an installed OS
-			return 0
+		if mount -o ro $CONFIG_BOOT_DEV /boot >/dev/null 2>&1; then
+			if ls -d /boot/grub* >/dev/null 2>&1; then
+				# CONFIG_BOOT_DEV is valid device and contains an installed OS
+				return 0
+			fi
 		fi
 	fi
 
@@ -328,10 +331,11 @@ detect_boot_device()
 	# iterate thru possible options and check for grub dir
 	for i in `cat /tmp/boot_device_list`; do
 		umount /boot 2>/dev/null
-		mount -o ro $i /boot >/dev/null 2>&1
-		if [[ $? && -d /boot/grub ]]; then
-			CONFIG_BOOT_DEV="$i"
-			return 0
+		if mount -o ro $i /boot >/dev/null 2>&1; then
+			if ls -d /boot/grub* >/dev/null 2>&1; then
+				CONFIG_BOOT_DEV="$i"
+				return 0
+			fi
 		fi
 	done