ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2025-01-31 08:25:37 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

oem-factory-reset: Move format confirmation before resetting anything

Browse Source 
Move confirmation of formatting flash drive with LUKS percentage
selection before any reset actions have been taken, so aborting does
not result in a half-reset system.  Combine with the more basic
"confirm" prompt that existed after selecting the device (but did not
include the LUKS size information).

Split up prepare_flash_drive into interactive_prepare_flash_drive (both
prompts and formats as before), confirm_thumb_drive_format (just
confirms the selections), and prepare_thumb_drive (now noninteractive).

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
This commit is contained in:
Jonathon Hall 2023-11-13 14:37:19 -05:00
parent a925219efb
commit d39fc26dd9
No known key found for this signature in database
GPG Key ID: 1E9C3CA91AE25114
2 changed files with 67 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
initrd/bin/oem-factory-reset
View File

@ -434,11 +434,10 @@ select_thumb_drive_for_key_material() {
warn "If the next operation fails, try with a bigger thumb drive" warn "If the next operation fails, try with a bigger thumb drive"
fi fi
thumb_drive_size_message="$(display_size "$disk_size_bytes")" select_luks_container_size_percent
# confirm with user size of thumb drive to be wiped thumb_drive_luks_percent="$(cat /tmp/luks_container_size_percent)"
whiptail --title "Confirm thumb drive to be wiped" --yesno \
"Are you sure you want to wipe the following thumb drive?\n\n$FILE\n\nSize: $thumb_drive_size_message" 0 0 if ! confirm_thumb_drive_format "$FILE" "$thumb_drive_luks_percent"; then
if [ $? -ne 0 ]; then
warn "Thumb drive wipe aborted by user!" warn "Thumb drive wipe aborted by user!"
continue continue
fi fi
@ -452,8 +451,6 @@ select_thumb_drive_for_key_material() {
die "No USB storage device detected! User decided to not wipe any thumb drive" die "No USB storage device detected! User decided to not wipe any thumb drive"
fi fi
done done
select_luks_container_size_percent
thumb_drive_luks_percent="$(cat /tmp/luks_container_size_percent)" thumb_drive_luks_percent="$(cat /tmp/luks_container_size_percent)"
} }
@ -468,7 +465,7 @@ wipe_thumb_drive_and_copy_gpg_key_material() {
thumb_drive_luks_percent="$2" thumb_drive_luks_percent="$2"
#Wipe thumb drive with a LUKS container of size $(cat /tmp/luks_container_size_percent) #Wipe thumb drive with a LUKS container of size $(cat /tmp/luks_container_size_percent)
prepare_thumb_drive --device "$thumb_drive" --percentage "$thumb_drive_luks_percent" --pass "${ADMIN_PIN}" prepare_thumb_drive "$thumb_drive" "$thumb_drive_luks_percent" "${ADMIN_PIN}"
#Export master key and subkeys to thumb drive first partition #Export master key and subkeys to thumb drive first partition
export_master_key_subkeys_and_revocation_key_to_private_LUKS_container --mode rw --device "$thumb_drive"1 --mountpoint /media --pass "${ADMIN_PIN}" export_master_key_subkeys_and_revocation_key_to_private_LUKS_container --mode rw --device "$thumb_drive"1 --mountpoint /media --pass "${ADMIN_PIN}"
#Export public key to thumb drive's public partition #Export public key to thumb drive's public partition

77
initrd/etc/luks-functions
View File

@ -51,11 +51,12 @@ select_luks_container_size_percent() {
fi fi
} }
#Partition a device with two partitions: a first one being a LUKS container containing private ext4 partition and second public exfat partition # Partition a device interactively with two partitions: a LUKS container
# containing private ext4 partition and second public exFAT partition
# Size provisioning is done by percentage of the device # Size provisioning is done by percentage of the device
prepare_thumb_drive() interactive_prepare_thumb_drive()
{ {
TRACE "Under /etc/luks-functions:prepare_thumb_drive()" TRACE "Under /etc/luks-functions:interactive_prepare_thumb_drive()"
#Refactoring: only one parameter needed to be prompted for: the passphrase for LUKS container if not coming from oem-provisioning #Refactoring: only one parameter needed to be prompted for: the passphrase for LUKS container if not coming from oem-provisioning
#If no passphrase was provided, ask user to select passphrase for LUKS container #If no passphrase was provided, ask user to select passphrase for LUKS container
# if no device provided as parameter, we will ask user to select device to partition # if no device provided as parameter, we will ask user to select device to partition
@ -84,6 +85,7 @@ prepare_thumb_drive()
;; ;;
*) *)
echo "usage: prepare_thumb_drive [--device device] [--percentage percentage] [--pass passphrase]" echo "usage: prepare_thumb_drive [--device device] [--percentage percentage] [--pass passphrase]"
return 1
;; ;;
esac esac
done done
@ -171,31 +173,76 @@ prepare_thumb_drive()
PERCENTAGE=$(cat /tmp/luks_container_size_percent) PERCENTAGE=$(cat /tmp/luks_container_size_percent)
fi fi
confirm_thumb_drive_format "$DEVICE" "$PERCENTAGE" ||
die "User cancelled wiping and repartitioning of $DEVICE"
#Get disk size in bytes from fdisk prepare_thumb_drive "$DEVICE" "$PERCENTAGE" "$PASSPHRASE"
}
# Show a prompt to confirm formatting a flash drive with a percentage allocated
# to LUKS. interactive_prepare_thumb_drive() uses this; during OEM reset it is
# used separately before performing any reset actions
#
# parameters:
# $1 - block device of flash drive
# $2 - percent of device allocated to LUKS [1-99]
confirm_thumb_drive_format()
{
TRACE "Under /etc/luks-functions:confirm_thumb_drive_format()"
local DEVICE LUKS_PERCENTAGE DISK_SIZE_BYTES DISK_SIZE_DISPLAY LUKS_PERCENTAGE LUKS_SIZE_MB MSG
DEVICE="$1"
LUKS_PERCENTAGE="$2"
LUKS_SIZE_MB=
#Get disk size in bytes
DISK_SIZE_BYTES="$(blockdev --getsize64 "$DEVICE")" DISK_SIZE_BYTES="$(blockdev --getsize64 "$DEVICE")"
DISK_SIZE_DISPLAY="$(display_size "$DISK_SIZE_BYTES")"
#Convert disk size to MB #Convert disk size to MB
DISK_SIZE_MB=$((DISK_SIZE_BYTES/1024/1024)) DISK_SIZE_MB=$((DISK_SIZE_BYTES/1024/1024))
#Get size in bytes from percentage and apply percentage to DISK_SIZE_MB #Calculate percentage of device in MB
PERCENTAGE_MB="$((DISK_SIZE_MB*PERCENTAGE/100))" LUKS_SIZE_MB="$((DISK_SIZE_BYTES*LUKS_PERCENTAGE/100/1024/1024))"
#Console and whiptail $BG_COLOR_WARNING prompt (Y/n) validate one last time wiping and repartitioning of $device of total size $DISK_SIZE_MB with $PERCENTAGE_MB assigned to LUKS encrypted private partition MSG="WARNING: Wiping and repartitioning $DEVICE ($DISK_SIZE_DISPLAY) with $LUKS_SIZE_MB MB\n assigned to private LUKS ext4 partition,\n rest assigned to exFAT public partition.\n\nAre you sure you want to continue?"
if [ -x /bin/whiptail ]; then if [ -x /bin/whiptail ]; then
whiptail $BG_COLOR_WARNING --title "WARNING: Wiping and repartitioning $DEVICE of $DISK_SIZE_MB MB" --yesno \ whiptail $BG_COLOR_WARNING --title "WARNING: Wiping and repartitioning $DEVICE ($DISK_SIZE_DISPLAY)" --yesno \
"WARNING: Wiping and repartitioning $DEVICE with $PERCENTAGE_MB MB\n assigned to private LUKS contained private ext4 partition,\n rest assigned to extfat public partition.\n\nAre you sure you want to continue?" 0 80 \ "$MSG" 0 80
|| die "User cancelled wiping and repartitioning of $DEVICE"
else else
echo -e -n "Warning: Wiping and repartitioning $DEVICE with $PERCENTAGE_MB MB assigned to private LUKS contained private ext4 partition, rest assigned to extfat public partition.\n\nAre you sure you want to continue?" echo -e -n "$MSG"
read -r -p " [Y/n] " response read -r -p " [Y/n] " response
#transform response to uppercase with bash parameter expansion #transform response to uppercase with bash parameter expansion
response=${response^^} response=${response^^}
#continue if response different then uppercase N #continue if response is Y, y, or empty, abort for anything else
if [[ $response =~ ^(N)$ ]]; then if [ -n "$response" ] && [ "${response^^}" != Y ]; then
die "User cancelled wiping and repartitioning of $DEVICE" return 1
fi fi
fi fi
}
echo -e "Preparing $DEVICE with $PERCENTAGE_MB MB for private LUKS container while rest of device will be assigned to extfat public partition...\n" # Prepare a flash drive with a private LUKS-encrypted ext4 partition and a
# public exFAT partition. This is not interactive - during OEM reset, any
# selections/confirmations must occur before OEM reset starts resetting the
# system.
#
# $1 - block device of flash drive
# $2 - percentage of flash drive to allocate to LUKS [1-99]
# $3 - passphrase for LUKS container
prepare_thumb_drive()
{
TRACE "Under /etc/luks-functions:prepare_thumb_drive()"
local DEVICE PERCENTAGE PASSPHRASE DISK_SIZE_BYTES PERCENTAGE_MB
DEVICE="$1"
PERCENTAGE="$2"
PASSPHRASE="$3"
#Get disk size in bytes
DISK_SIZE_BYTES="$(blockdev --getsize64 "$DEVICE")"
#Calculate percentage of device in MB
PERCENTAGE_MB="$((DISK_SIZE_BYTES*PERCENTAGE/100/1024/1024))"
echo -e "Preparing $DEVICE with $PERCENTAGE_MB MB for private LUKS container while rest of device will be assigned to exFAT public partition...\n"
echo "Please wait..." echo "Please wait..."
DEBUG "Creating empty DOS partition table on device through fdisk to start clean" DEBUG "Creating empty DOS partition table on device through fdisk to start clean"
echo -e "o\nw\n" | fdisk $DEVICE >/dev/null 2>&1 || die "Error creating partition table" echo -e "o\nw\n" | fdisk $DEVICE >/dev/null 2>&1 || die "Error creating partition table"