From 0a823cb491be440570726269960ea9e1a56009f6 Mon Sep 17 00:00:00 2001
From: Jonathon Hall
Date: Tue, 9 Jan 2024 09:43:28 -0500
Subject: [PATCH 1/2] Allow laptops to include optional USB keyboard support

Laptops can include optional USB keyboard support (default off unless the board also sets the default to 'y'). The setting is in the configuration GUI.

CONFIG_USER_USB_KEYBOARD is now the user-controlled setting on those boards. 'CONFIG_USB_KEYBOARD' is no longer used to avoid any conflict with prior releases that expect this to be a compile-time setting only (conflicts risk total lock out requiring hardware flash, so some caution is justified IMO).

Boards previously exporting CONFIG_USB_KEYBOARD now export CONFIG_USB_KEYBOARD_REQUIRED. Those boards don't have built-in keyboards, USB keyboard is always enabled. (librem_mini, librem_mini_v2, librem_11, librem_l1um, librem_l1um_v2, talos-2, kgpe-d16_workstation-usb_keyboard, x230-hotp-maximized_usb-kb).

Librem laptops now export CONFIG_SUPPORT_USB_KEYBOARD to enable optional support. The default is still 'off'.

Signed-off-by: Jonathon Hall
---
 Makefile | 12 ++++++
 ...D_kgpe-d16_workstation-usb_keyboard.config | 2 +-
 boards/librem_11/librem_11.config | 2 +-
 boards/librem_13v2/librem_13v2.config | 1 +
 boards/librem_13v4/librem_13v4.config | 1 +
 boards/librem_14/librem_14.config | 1 +
 boards/librem_15v3/librem_15v3.config | 1 +
 boards/librem_15v4/librem_15v4.config | 1 +
 boards/librem_l1um/librem_l1um.config | 2 +-
 boards/librem_l1um_v2/librem_l1um_v2.config | 2 +-
 boards/librem_mini/librem_mini.config | 2 +-
 boards/librem_mini_v2/librem_mini_v2.config | 2 +-
 boards/talos-2/talos-2.config | 2 +-
 .../x230-hotp-maximized_usb-kb.config | 2 +-
 initrd/bin/config-gui.sh | 38 +++++++++++++++++++
 initrd/bin/kexec-seal-key | 2 +-
 initrd/etc/ash_functions | 8 +++-
 initrd/init | 2 +-
 modules/linux | 2 +-
 19 files changed, 73 insertions(+), 12 deletions(-)

diff --git a/Makefile b/Makefile
index de0d3e4f..0e2de85f 100644
--- a/Makefile
+++ b/Makefile
@@ -72,6 +72,18 @@ CONFIG_HEADS ?= y
 # Unless otherwise specified, we are building bash to have non-interactive shell for scripts (arrays and bashisms)
 CONFIG_BASH ?= y
 
+# USB keyboards can be ignored, optionally supported, or required.
+#
+# To optionally support USB keyboards, export CONFIG_SUPPORT_USB_KEYBOARD=y. To
+# default the setting to 'on', also export CONFIG_USER_USB_KEYBOARD=y.
+#
+# To require USB keyboard support (not user-configurable, for boards with no
+# built-in keyboard), export CONFIG_USB_KEYBOARD_REQUIRED=y.
+ifeq "$(CONFIG_USB_KEYBOARD_REQUIRED)" "y"
+# CONFIG_USB_KEYBOARD_REQUIRED implies CONFIG_SUPPORT_USB_KEYBOARD.
+export CONFIG_SUPPORT_USB_KEYBOARD=y
+endif
+
 # Determine arch part for a host triplet
 ifeq "$(CONFIG_TARGET_ARCH)" "x86"
 MUSL_ARCH := x86_64
diff --git a/boards/UNTESTED_kgpe-d16_workstation-usb_keyboard/UNTESTED_kgpe-d16_workstation-usb_keyboard.config b/boards/UNTESTED_kgpe-d16_workstation-usb_keyboard/UNTESTED_kgpe-d16_workstation-usb_keyboard.config
index 78b56ff4..519c7810 100644
--- a/boards/UNTESTED_kgpe-d16_workstation-usb_keyboard/UNTESTED_kgpe-d16_workstation-usb_keyboard.config
+++ b/boards/UNTESTED_kgpe-d16_workstation-usb_keyboard/UNTESTED_kgpe-d16_workstation-usb_keyboard.config
@@ -44,7 +44,7 @@ CONFIG_LINUX_E1000E=y
 export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y
 
 #Enable USB Keyboard support
-export CONFIG_USB_KEYBOARD=y
+export CONFIG_USB_KEYBOARD_REQUIRED=y
 export CONFIG_TPM=y
 
 #BOOT SCRIPT SELECTION
diff --git a/boards/librem_11/librem_11.config b/boards/librem_11/librem_11.config
index 07c8b8e4..75de0ed5 100644
--- a/boards/librem_11/librem_11.config
+++ b/boards/librem_11/librem_11.config
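Review bot: The new `ifeq "$(CONFIG_USB_KEYBOARD_REQUIRED)" "y"` block only works if the board config (the only place in this series that sets CONFIG_USB_KEYBOARD_REQUIRED) has already been included by line 72; that include is outside the hunk and nothing here records the dependency. If it ever ends up below this block, the implication silently never fires, CONFIG_SUPPORT_USB_KEYBOARD stays unset, modules/linux (same series) no longer packages usbhid.ko, and the boards with no built-in keyboard boot without any keyboard at all, which is exactly the lock-out the commit message is trying to avoid. I would pin the assumption in the comment above the `ifeq`: `# Must be evaluated after the board config is included, since that is what sets CONFIG_USB_KEYBOARD_REQUIRED.` I infer the current ordering from the fact that the author's builds work; I cannot confirm it from the diff.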
@@ -37,7 +37,7 @@ export CONFIG_BOOT_KERNEL_REMOVE=""
 export CONFIG_BOOT_DEV="/dev/nvme0n1p1"
 export CONFIG_BOARD_NAME="Librem 11"
 export CONFIG_FLASHROM_OPTIONS="-p internal"
-export CONFIG_USB_KEYBOARD=y
+export CONFIG_USB_KEYBOARD_REQUIRED=y
 export CONFIG_AUTO_BOOT_TIMEOUT=5
 export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
 export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
diff --git a/boards/librem_13v2/librem_13v2.config b/boards/librem_13v2/librem_13v2.config
index ad5365ed..f6d44990 100644
--- a/boards/librem_13v2/librem_13v2.config
+++ b/boards/librem_13v2/librem_13v2.config
@@ -26,6 +26,7 @@ CONFIG_FBWHIPTAIL=y
 
 CONFIG_HOTPKEY=y
 CONFIG_LINUX_USB=y
+export CONFIG_SUPPORT_USB_KEYBOARD=y
 export CONFIG_TPM=y
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 
diff --git a/boards/librem_13v4/librem_13v4.config b/boards/librem_13v4/librem_13v4.config
index ea7cff2c..f92c249a 100644
--- a/boards/librem_13v4/librem_13v4.config
+++ b/boards/librem_13v4/librem_13v4.config
@@ -26,6 +26,7 @@ CONFIG_FBWHIPTAIL=y
 
 CONFIG_HOTPKEY=y
 CONFIG_LINUX_USB=y
+export CONFIG_SUPPORT_USB_KEYBOARD=y
 export CONFIG_TPM=y
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 
diff --git a/boards/librem_14/librem_14.config b/boards/librem_14/librem_14.config
index 609f6c09..c04f95ac 100644
--- a/boards/librem_14/librem_14.config
+++ b/boards/librem_14/librem_14.config
@@ -26,6 +26,7 @@ CONFIG_HOTPKEY=y
 
 CONFIG_LINUX_USB=y
 export CONFIG_TPM=y
+export CONFIG_SUPPORT_USB_KEYBOARD=y
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 
 export CONFIG_BOOT_REQ_HASH=n
diff --git a/boards/librem_15v3/librem_15v3.config b/boards/librem_15v3/librem_15v3.config
index 5897323a..14049aba 100644
--- a/boards/librem_15v3/librem_15v3.config
+++ b/boards/librem_15v3/librem_15v3.config
@@ -26,6 +26,7 @@ CONFIG_FBWHIPTAIL=y
 
 CONFIG_HOTPKEY=y
 CONFIG_LINUX_USB=y
+export CONFIG_SUPPORT_USB_KEYBOARD=y
 export CONFIG_TPM=y
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 
diff --git a/boards/librem_15v4/librem_15v4.config b/boards/librem_15v4/librem_15v4.config
index 6b5889dc..c95e6101 100644
--- a/boards/librem_15v4/librem_15v4.config
+++ b/boards/librem_15v4/librem_15v4.config
@@ -27,6 +27,7 @@ CONFIG_FBWHIPTAIL=y
 
 CONFIG_HOTPKEY=y
 CONFIG_LINUX_USB=y
+export CONFIG_SUPPORT_USB_KEYBOARD=y
 export CONFIG_TPM=y
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 
diff --git a/boards/librem_l1um/librem_l1um.config b/boards/librem_l1um/librem_l1um.config
index 0a670fef..c5d960b1 100644
--- a/boards/librem_l1um/librem_l1um.config
+++ b/boards/librem_l1um/librem_l1um.config
@@ -37,7 +37,7 @@ export CONFIG_BOOT_DEV="/dev/nvme0n1p1"
 export CONFIG_BOARD_NAME="Librem Server L1UM"
 export CONFIG_AUTO_BOOT_TIMEOUT=5
 export CONFIG_FLASHROM_OPTIONS="-p internal"
-export CONFIG_USB_KEYBOARD=y
+export CONFIG_USB_KEYBOARD_REQUIRED=y
 export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
 export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
 export CONFIG_ROOT_CHECK_AT_BOOT="n"
diff --git a/boards/librem_l1um_v2/librem_l1um_v2.config b/boards/librem_l1um_v2/librem_l1um_v2.config
index a02c69b5..32bdfa1e 100644
--- a/boards/librem_l1um_v2/librem_l1um_v2.config
+++ b/boards/librem_l1um_v2/librem_l1um_v2.config
@@ -41,7 +41,7 @@ export CONFIG_BOOT_DEV="/dev/nvme0n1p1"
 export CONFIG_BOARD_NAME="Librem Server L1UM v2"
 export CONFIG_AUTO_BOOT_TIMEOUT=5
 export CONFIG_FLASHROM_OPTIONS="-p internal"
-export CONFIG_USB_KEYBOARD=y
+export CONFIG_USB_KEYBOARD_REQUIRED=y
 export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
 export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
 export CONFIG_ROOT_CHECK_AT_BOOT="n"
diff --git a/boards/librem_mini/librem_mini.config b/boards/librem_mini/librem_mini.config
index 11f1b145..a460a21a 100644
--- a/boards/librem_mini/librem_mini.config
+++ b/boards/librem_mini/librem_mini.config
@@ -37,7 +37,7 @@ export CONFIG_BOOT_KERNEL_REMOVE=""
 export CONFIG_BOOT_DEV="/dev/nvme0n1p1"
 export CONFIG_BOARD_NAME="Librem Mini"
 export CONFIG_FLASHROM_OPTIONS="-p internal"
-export CONFIG_USB_KEYBOARD=y
+export CONFIG_USB_KEYBOARD_REQUIRED=y
 export CONFIG_AUTO_BOOT_TIMEOUT=5
 export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
 export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
diff --git a/boards/librem_mini_v2/librem_mini_v2.config b/boards/librem_mini_v2/librem_mini_v2.config
index 39fa1ff3..ed1be16f 100644
--- a/boards/librem_mini_v2/librem_mini_v2.config
+++ b/boards/librem_mini_v2/librem_mini_v2.config
@@ -37,7 +37,7 @@ export CONFIG_BOOT_KERNEL_REMOVE=""
 export CONFIG_BOOT_DEV="/dev/nvme0n1p1"
 export CONFIG_BOARD_NAME="Librem Mini v2"
 export CONFIG_FLASHROM_OPTIONS="-p internal"
-export CONFIG_USB_KEYBOARD=y
+export CONFIG_USB_KEYBOARD_REQUIRED=y
 export CONFIG_AUTO_BOOT_TIMEOUT=5
 export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
 export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
diff --git a/boards/talos-2/talos-2.config b/boards/talos-2/talos-2.config
index d4e98a25..cc92b694 100644
--- a/boards/talos-2/talos-2.config
+++ b/boards/talos-2/talos-2.config
@@ -37,7 +37,7 @@ CONFIG_DROPBEAR=y
 
 # for OpenBMC VGA console
 export CONFIG_USE_AGETTY=y
-export CONFIG_USB_KEYBOARD=y
+export CONFIG_USB_KEYBOARD_REQUIRED=y
 export CONFIG_BOOT_EXTRA_TTYS="tty0"
 export CONFIG_TPM=y
 
diff --git a/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config b/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config
index 167fb431..a2e61660 100644
--- a/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config
+++ b/boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config
@@ -18,7 +18,7 @@ CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
 #Additional hardware support
 CONFIG_LINUX_USB=y
 CONFIG_LINUX_E1000E=y
-export CONFIG_USB_KEYBOARD=y
+export CONFIG_USB_KEYBOARD_REQUIRED=y
 CONFIG_CRYPTSETUP2=y
 CONFIG_FLASHROM=y
 
diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh
index 24a940ba..3e61a7da 100755
--- a/initrd/bin/config-gui.sh
+++ b/initrd/bin/config-gui.sh
@@ -70,6 +70,16 @@ while true; do
 'N' " $(get_config_display_action "$CONFIG_AUTOMATIC_POWERON") automatic power-on"
 )
 
+# Boards with built-in keyboards can support optional USB keyboards as well.
+# Export CONFIG_SUPPORT_USB_KEYBOARD=y to enable optional support.
+# Boards that do not have a built-in keyboard export
+# CONFIG_USB_KEYBOARD_REQUIRED=y; this hides the config option and ensures
+# USB keyboard support always loads.
+[ "$CONFIG_SUPPORT_USB_KEYBOARD" = y ] && [ "$CONFIG_USB_KEYBOARD_REQUIRED" != y ] \
+&& dynamic_config_options+=(
+'K' " $(get_config_display_action "$CONFIG_USER_USB_KEYBOARD") USB keyboard"
+)
+
 # Debugging option always available
 dynamic_config_options+=(
 'Z' " $(get_config_display_action "$CONFIG_DEBUG_OUTPUT") $CONFIG_BRAND_NAME debug and function tracing output"
@@ -514,6 +524,34 @@ while true; do
 fi
 fi
 ;;
+"K" )
+if [ "$CONFIG_USER_USB_KEYBOARD" != "y" ]; then
+if (whiptail --title 'Enable USB Keyboard?' \
+--yesno "USB keyboards will be usable in $CONFIG_BRAND_NAME.
+\n\nIgnoring USB keyboards prevents a compromised USB device from controlling
+\n$CONFIG_BRAND_NAME.
+\n\nDo you want to proceed?" 0 80) then
+
+set_user_config "CONFIG_USER_USB_KEYBOARD" "y"
+
+whiptail --title 'Config change successful' \
+--msgbox "USB Keyboard support has been enabled;\nsave the config change and reboot for it to go into effect." 0 80
+
+fi
+else
+if (whiptail --title 'Disable USB Keyboard?' \
+--yesno "Only the built-in keyboard will be usable in $CONFIG_BRAND_NAME.
+\n\nIgnoring USB keyboards prevents a compromised USB device from controlling
+\n$CONFIG_BRAND_NAME.
+\n\nDo you want to proceed?" 0 80) then
+
+set_user_config "CONFIG_USER_USB_KEYBOARD" "n"
+
+whiptail --title 'Config change successful' \
+--msgbox "USB Keyboard support has been disabled;\nsave the config change and reboot for it to go into effect." 0 80
+fi
+fi
+;;
 "Z" )
 if [ "$CONFIG_DEBUG_OUTPUT" != "y" ]; then
 if (whiptail --title 'Enable Debugging and Tracing output?' \
diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key
index 03b64ab8..398e30fb 100755
--- a/initrd/bin/kexec-seal-key
+++ b/initrd/bin/kexec-seal-key
@@ -120,7 +120,7 @@ tpmr pcrread -a 2 "$pcrf"
 tpmr pcrread -a 3 "$pcrf"
 # Note that PCR 4 needs to be set with the "normal-boot" path value, read it from event log.
 tpmr calcfuturepcr 4 >>"$pcrf"
-if [ "$CONFIG_USB_KEYBOARD" = "y" -o -r /lib/modules/libata.ko -o -x /bin/hotp_verification ]; then
+if [ "$CONFIG_USER_USB_KEYBOARD" = "y" -o -r /lib/modules/libata.ko -o -x /bin/hotp_verification ]; then
 DEBUG "Sealing TPM Disk Unlock key with PCR5 involvement (additional kernel modules are loaded per board config)..."
 # Here, we take pcr 5 into consideration if modules are expected to be measured+loaded
 tpmr pcrread -a 5 "$pcrf"
diff --git a/initrd/etc/ash_functions b/initrd/etc/ash_functions
index 078c3bdd..58634307 100644
--- a/initrd/etc/ash_functions
+++ b/initrd/etc/ash_functions
@@ -350,7 +350,13 @@ enable_usb()
 sleep 2
 fi
 
-if [ "$CONFIG_USB_KEYBOARD" = y ]; then
+# For resiliency, test CONFIG_USB_KEYBOARD_REQUIRED explicitly rather
+# than having it imply CONFIG_USER_USB_KEYBOARD at build time.
+# Otherwise, if a user got CONFIG_USER_USB_KEYBOARD=n in their
+# config.user by mistake (say, by copying config.user from a laptop to a
+# desktop/server), they could lock themselves out, only recoverable by
+# hardware flash.
+if [ "$CONFIG_USB_KEYBOARD_REQUIRED" = y ] || [ "$CONFIG_USER_USB_KEYBOARD" = y ]; then
 if ! lsmod | grep -q usbhid; then
 insmod /lib/modules/usbhid.ko \
 || die "usbhid: module load failed"
diff --git a/initrd/init b/initrd/init
index 1b0d13ae..dee9256a 100755
--- a/initrd/init
+++ b/initrd/init
@@ -150,7 +150,7 @@ if [ ! -z "$CONFIG_BOOT_RECOVERY_SERIAL" ]; then
 fi
 
 # load USB modules for boards using a USB keyboard
-if [ "$CONFIG_USB_KEYBOARD" = "y" ]; then
+if [ "$CONFIG_USB_KEYBOARD_REQUIRED" = y ] || [ "$CONFIG_USER_USB_KEYBOARD" = "y" ]; then
 enable_usb
 fi
 
diff --git a/modules/linux b/modules/linux
index afcabf4e..07b592a1 100644
--- a/modules/linux
+++ b/modules/linux
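Review bot: The PCR5 sealing condition now keys only on CONFIG_USER_USB_KEYBOARD, while enable_usb in initrd/etc/ash_functions (same series) loads usbhid.ko when CONFIG_USB_KEYBOARD_REQUIRED=y as well, and nothing in the series sets CONFIG_USER_USB_KEYBOARD on the required-keyboard boards. On such a board where neither /lib/modules/libata.ko nor /bin/hotp_verification happens to be present, a kernel module is still loaded at boot but the disk unlock key is sealed without PCR5, which is weaker than the old CONFIG_USB_KEYBOARD check; whether any shipped board hits that combination I cannot tell from the diff. The seal condition should mirror the runtime test: `if [ "$CONFIG_USB_KEYBOARD_REQUIRED" = "y" -o "$CONFIG_USER_USB_KEYBOARD" = "y" -o -r /lib/modules/libata.ko -o -x /bin/hotp_verification ]; then`. The body of this `if` continues past the hunk.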
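Review bot: The new comment handles a stray CONFIG_USER_USB_KEYBOARD=n on a required board, but the opposite stray value is not handled: CONFIG_USER_USB_KEYBOARD=y in a config.user carried over to a board that does not export CONFIG_SUPPORT_USB_KEYBOARD makes the new condition true, yet modules/linux in this series only packages usbhid.ko when CONFIG_SUPPORT_USB_KEYBOARD=y, so the `insmod /lib/modules/usbhid.ko` two lines below fails and lands in `die "usbhid: module load failed"`. What `die` does at this point of boot is outside the hunk, but at minimum the normal boot path does not complete, on a laptop that was working before the copy. Gating the user flag on the build-time switch keeps it inert where it cannot work, and since initrd/init (same series) calls enable_usb after testing the same pair, one gate here covers both paths: `if [ "$CONFIG_USB_KEYBOARD_REQUIRED" = y ] || { [ "$CONFIG_SUPPORT_USB_KEYBOARD" = y ] && [ "$CONFIG_USER_USB_KEYBOARD" = y ]; }; then`. enable_usb starts before this hunk.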
@@ -123,7 +123,7 @@ linux_modules-$(CONFIG_LINUX_USB) += drivers/usb/host/xhci-pci.ko
 linux_modules-$(CONFIG_LINUX_USB) += drivers/usb/storage/usb-storage.ko
 
 #USB modules when a USB keyboard is defined in board config
-linux_modules-$(CONFIG_USB_KEYBOARD) += drivers/hid/usbhid/usbhid.ko
+linux_modules-$(CONFIG_SUPPORT_USB_KEYBOARD) += drivers/hid/usbhid/usbhid.ko
 
 # NVMe driver for winterfell and other servers
 linux_modules-$(CONFIG_LINUX_NVME) += drivers/nvme/host/nvme.ko

From 9b4eb8df716e91a904b0a1ac8b33c33fb4dd191e Mon Sep 17 00:00:00 2001
From: Jonathon Hall
Date: Wed, 31 Jan 2024 09:58:35 -0500
Subject: [PATCH 2/2] config-gui.sh: Reword USB keyboard notice, show on enable only

Reword the notice shown when enabling USB keyboards based on feedback.

Remove the notice when disabling USB keyboard support, show it only when enabling.

Signed-off-by: Jonathon Hall
---
 initrd/bin/config-gui.sh | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh
index 3e61a7da..df8bc923 100755
--- a/initrd/bin/config-gui.sh
+++ b/initrd/bin/config-gui.sh
@@ -528,7 +528,7 @@ while true; do
 if [ "$CONFIG_USER_USB_KEYBOARD" != "y" ]; then
 if (whiptail --title 'Enable USB Keyboard?' \
 --yesno "USB keyboards will be usable in $CONFIG_BRAND_NAME.
-\n\nIgnoring USB keyboards prevents a compromised USB device from controlling
+\n\nEnabling USB keyboards could allow a compromised USB device to control
 \n$CONFIG_BRAND_NAME.
 \n\nDo you want to proceed?" 0 80) then
 
@@ -541,8 +541,6 @@ while true; do
 else
 if (whiptail --title 'Disable USB Keyboard?' \
 --yesno "Only the built-in keyboard will be usable in $CONFIG_BRAND_NAME.
-\n\nIgnoring USB keyboards prevents a compromised USB device from controlling
-\n$CONFIG_BRAND_NAME.
 \n\nDo you want to proceed?" 0 80) then
 
 set_user_config "CONFIG_USER_USB_KEYBOARD" "n"