Merge branch 'colorized_warning_error' of https://github.com/kylerankin/heads

Trammell hudson 2018-04-30 16:31:45 -04:00
commit cd2325781c
3 changed files with 10 additions and 8 deletions


@ -32,3 +32,5 @@ export CONFIG_BOOT_KERNEL_REMOVE=""
export CONFIG_BOOT_DEV="/dev/sda1" export CONFIG_BOOT_DEV="/dev/sda1"
export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 13v2 Heads Boot Menu" export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 13v2 Heads Boot Menu"
export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_USB_BOOT_DEV="/dev/sdb1"
export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0"
export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0"
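Review bot: The two new exports carry no comment, yet their value format is a contract with every call site: each holds an option name plus six numeric arguments in one string, and the scripts changed in this commit expand it unquoted (`whiptail $CONFIG_ERROR_BG_COLOR --clear ...`) so that it splits into separate arguments. A comment above them would record that, for example `# Expanded unquoted by the whiptail callers: one option plus its arguments, space-separated, no glob characters`. The same unquoted expansion is used at all eight call sites in the other two files. If a config leaves the variables unset they expand to nothing and the dialogs keep the default background, which looks intended but is worth stating in the same comment.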


@ -25,7 +25,7 @@ verify_global_hashes()
if cd /boot && sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output ; then if cd /boot && sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output ; then
return 0 return 0
elif [ ! -f $TMP_HASH_FILE ]; then elif [ ! -f $TMP_HASH_FILE ]; then
if (whiptail --clear --title 'ERROR: Missing Hash File!' \ if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Missing Hash File!' \
--yesno "The file containing hashes for /boot is missing!\n\nIf you are setting this system up for the first time, select Yes to update your list of checksums.\n\nOtherwise this could indicate a compromise and you should select No to return to the main menu.\n\nWould you like to update your checksums now?" 30 80) then --yesno "The file containing hashes for /boot is missing!\n\nIf you are setting this system up for the first time, select Yes to update your list of checksums.\n\nOtherwise this could indicate a compromise and you should select No to return to the main menu.\n\nWould you like to update your checksums now?" 30 80) then
update_checksums update_checksums
fi fi
@ -53,7 +53,7 @@ verify_global_hashes()
TEXT="The following files failed the verification process:\n${CHANGED_FILES}\n\nThis could indicate a compromise!\n\nWould you like to update your checksums now?" TEXT="The following files failed the verification process:\n${CHANGED_FILES}\n\nThis could indicate a compromise!\n\nWould you like to update your checksums now?"
fi fi
if (whiptail --clear --title 'ERROR: Boot Hash Mismatch' --yesno "$TEXT" 30 80) then if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Boot Hash Mismatch' --yesno "$TEXT" 30 80) then
update_checksums update_checksums
fi fi
return 1 return 1
@ -104,7 +104,7 @@ while true; do
last_half=$half; last_half=$half;
TOTP=`unseal-totp` TOTP=`unseal-totp`
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
whiptail --clear --title "ERROR: TOTP Generation Failed!" \ whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: TOTP Generation Failed!" \
--menu "ERROR: Heads couldn't generate the TOTP code.\n\nIf you have just reflashed your BIOS, you will need to generate a new TOTP secret.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nIf this is the first time the system has booted, you should reset the TPM and set your own password\n\nHow would you like to proceed?" 30 80 4 \ --menu "ERROR: Heads couldn't generate the TOTP code.\n\nIf you have just reflashed your BIOS, you will need to generate a new TOTP secret.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nIf this is the first time the system has booted, you should reset the TPM and set your own password\n\nHow would you like to proceed?" 30 80 4 \
'g' ' Generate new TOTP secret' \ 'g' ' Generate new TOTP secret' \
'i' ' Ignore error and continue to default boot menu' \ 'i' ' Ignore error and continue to default boot menu' \
@ -163,7 +163,7 @@ while true; do
fi fi
if [ "$totp_confirm" = "n" ]; then if [ "$totp_confirm" = "n" ]; then
if (whiptail --title "TOTP code mismatched" \ if (whiptail $CONFIG_WARNING_BG_COLOR --title "TOTP code mismatched" \
--yesno "TOTP code mismatches could indicate either TPM tampering or clock drift:\n\nTo correct clock drift: 'date -s HH:MM:SS'\nand save it to the RTC: 'hwclock -w'\nthen reboot and try again.\n\nWould you like to exit to a recovery console?" 30 80) then --yesno "TOTP code mismatches could indicate either TPM tampering or clock drift:\n\nTo correct clock drift: 'date -s HH:MM:SS'\nand save it to the RTC: 'hwclock -w'\nthen reboot and try again.\n\nWould you like to exit to a recovery console?" 30 80) then
echo "" echo ""
echo "To correct clock drift: 'date -s HH:MM:SS'" echo "To correct clock drift: 'date -s HH:MM:SS'"
@ -230,7 +230,7 @@ while true; do
if [ "$totp_confirm" = "i" ]; then if [ "$totp_confirm" = "i" ]; then
# Run the menu selection in "force" mode, bypassing hash checks # Run the menu selection in "force" mode, bypassing hash checks
if (whiptail --title 'Unsafe Forced Boot Selected!' \ if (whiptail $CONFIG_WARNING_BG_COLOR --title 'Unsafe Forced Boot Selected!' \
--yesno "WARNING: You have chosen to skip all tamper checks and boot anyway.\n\nThis is an unsafe option!\n\nDo you want to proceed?" 16 80) then --yesno "WARNING: You have chosen to skip all tamper checks and boot anyway.\n\nThis is an unsafe option!\n\nDo you want to proceed?" 16 80) then
mount_boot mount_boot
kexec-select-boot -m -b /boot -c "grub.cfg" -g -f kexec-select-boot -m -b /boot -c "grub.cfg" -g -f
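Review bot: The 'Unsafe Forced Boot Selected!' prompt in the last hunk is given `$CONFIG_WARNING_BG_COLOR`, although its own text says the user is about to skip all tamper checks, while the hash-mismatch and TOTP-generation dialogs in the earlier hunks get the error colour. If the colours are meant to signal how serious a state is, this confirmation arguably belongs with the errors: `if (whiptail $CONFIG_ERROR_BG_COLOR --title 'Unsafe Forced Boot Selected!' \`. The 'TOTP code mismatched' dialog also names TPM tampering as a possible cause and is shown as a warning, so a one-line comment stating the rule that separates warning from error would help later call sites stay consistent. The enclosing `while true` loop and `verify_global_hashes` both extend beyond the hunks shown.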


@ -57,7 +57,7 @@ verify_global_hashes()
else else
if [ "$gui_menu" = "y" ]; then if [ "$gui_menu" = "y" ]; then
CHANGED_FILES=$(grep -v 'OK$' /tmp/hash_output | cut -f1 -d ':') CHANGED_FILES=$(grep -v 'OK$' /tmp/hash_output | cut -f1 -d ':')
whiptail --title 'ERROR: Boot Hash Mismatch' \ whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Boot Hash Mismatch' \
--msgbox "The following files failed the verification process:\n${CHANGED_FILES}\nExiting to a recovery shell" 16 60 --msgbox "The following files failed the verification process:\n${CHANGED_FILES}\nExiting to a recovery shell" 16 60
fi fi
die "$TMP_HASH_FILE: boot hash mismatch" die "$TMP_HASH_FILE: boot hash mismatch"
@ -211,7 +211,7 @@ default_select() {
option=`head -n $default_index $TMP_MENU_FILE | tail -1` option=`head -n $default_index $TMP_MENU_FILE | tail -1`
if [ "$option" != "$expectedoption" ]; then if [ "$option" != "$expectedoption" ]; then
if [ "$gui_menu" = "y" ]; then if [ "$gui_menu" = "y" ]; then
whiptail --title 'ERROR: Boot Entry Has Changed' \ whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Boot Entry Has Changed' \
--msgbox "The list of boot entries has changed\n\nPlease set a new default" 16 60 --msgbox "The list of boot entries has changed\n\nPlease set a new default" 16 60
fi fi
warn "!!! Boot entry has changed - please set a new default" warn "!!! Boot entry has changed - please set a new default"
@ -228,7 +228,7 @@ default_select() {
else else
if [ "$gui_menu" = "y" ]; then if [ "$gui_menu" = "y" ]; then
CHANGED_FILES=$(grep -v 'OK$' /tmp/hash_output | cut -f1 -d ':') CHANGED_FILES=$(grep -v 'OK$' /tmp/hash_output | cut -f1 -d ':')
whiptail --title 'ERROR: Default Boot Hash Mismatch' \ whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Default Boot Hash Mismatch' \
--msgbox "The following files failed the verification process:\n${CHANGED_FILES}\nExiting to a recovery shell" 16 60 --msgbox "The following files failed the verification process:\n${CHANGED_FILES}\nExiting to a recovery shell" 16 60
fi fi
die "!!! $TMP_DEFAULT_HASH_FILE: default boot hash mismatch" die "!!! $TMP_DEFAULT_HASH_FILE: default boot hash mismatch"