diff --git a/initrd/bin/gpg-gui.sh b/initrd/bin/gpg-gui.sh index 4f00935a..0e93c538 100755 --- a/initrd/bin/gpg-gui.sh +++ b/initrd/bin/gpg-gui.sh 
@@ -109,6 +109,58 @@ gpg_flash_rom() { --msgbox "BIOS flashed successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 16 60 /bin/reboot } +gpg_post_gen_mgmt() { + GPG_GEN_KEY=`grep -A1 pub /tmp/gpg_card_edit_output | tail -n1 | sed -nr 's/^([ ])*//p'` + gpg --export --armor $GPG_GEN_KEY > "/tmp/${GPG_GEN_KEY}.asc" + if (whiptail --title 'Add Public Key to USB disk?' \ + --yesno "Would you like to copy the GPG public key you generated to a USB disk?\n\nOtherwise you will not be able to copy it outside of Heads later\n\nThe file will show up as ${GPG_GEN_KEY}.asc" 16 90) then + mount_usb + mount -o remount,rw /media + cp "/tmp/${GPG_GEN_KEY}.asc" "/media/${GPG_GEN_KEY}.asc" + if [ $? -eq 0 ]; then + whiptail --title "The GPG Key Copied Successfully" \ + --msgbox "${GPG_GEN_KEY}.asc copied successfully." 16 60 + else + whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Copy Failed' \ + --msgbox "Unable to copy ${GPG_GEN_KEY}.asc to /media" 16 60 + fi + umount /media + fi + if (whiptail --title 'Add Public Key to Running BIOS?' \ + --yesno "Would you like to add the GPG public key you generated to the BIOS?\n\nThis makes it a trusted key used to sign files in /boot\n\n" 16 90) then + /bin/flash.sh -r /tmp/gpg-gui.rom + if [ ! -s /tmp/gpg-gui.rom ]; then + whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: BIOS Read Failed!' 
\ + --msgbox "Unable to read BIOS" 16 60 + exit 1 + fi + PUBKEY="/tmp/${GPG_GEN_KEY}.asc" + gpg_flash_rom + fi +} +gpg_sc_oem_reset() { + GPG_KEY_NAME=`date +%Y%m%d%H%M%S` + # Factory reset GPG card + { + echo admin + echo factory-reset + echo y + echo yes + } | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit > /tmp/gpg_card_edit_output || return 1 + # Generate OEM GPG keys + { + echo admin + echo generate + echo n + echo 12345678 + echo 123456 + echo 0 + echo y + echo "OEM Key" + echo "oem-${GPG_KEY_NAME}@example.com" + echo "OEM-generated key" + } | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit > /tmp/gpg_card_edit_output || return 2 +} while true; do unset menu_choice @@ -117,7 +169,8 @@ while true; do 'r' ' Add GPG key to running BIOS + reflash' \ 'a' ' Add GPG key to standalone BIOS image + flash' \ 'l' ' List GPG keys in your keyring' \ - 'g' ' Generate GPG keys on a USB security token' \ + 'g' ' Generate GPG keys manually on a USB security token' \ + 'o' ' OEM Factory reset + auto keygen USB security token' \ 'x' ' Exit' \ 2>/tmp/whiptail || recovery "GUI menu failed" 
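Review bot: `gpg_sc_oem_reset` drives `generate` with the fixed values `12345678` and `123456` on stdin, which appear to be the admin and user PIN answers (the OpenPGP card factory defaults that `factory-reset` restores), and nothing in this hunk or in `gpg_post_gen_mgmt` changes them afterwards or tells the user, so a token provisioned this way keeps publicly known PINs until the user changes them by hand. Add a comment above the second brace block such as `# Answers use the card's factory-default admin/user PINs (restored by factory-reset); they are NOT changed here - the user must set new PINs afterwards`, and consider stating the same in the success dialog. The two `gpg --card-edit` calls also differ in `--status-fd=1` versus `--status-fd=2`; with `=1` the status lines land in /tmp/gpg_card_edit_output, which is later shown to the user in the error dialog, so if the difference is intentional a one-line comment would help. `gpg_post_gen_mgmt` is code moved from the menu handler and is not re-reviewed here.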
@@ -202,32 +255,24 @@ while true; do
 echo "********************************************************************************"
 gpg --card-edit > /tmp/gpg_card_edit_output
 if [ $? -eq 0 ]; then
- GPG_GEN_KEY=`grep -A1 pub /tmp/gpg_card_edit_output | tail -n1 | sed -nr 's/^([ ])*//p'`
- gpg --export --armor $GPG_GEN_KEY > "/tmp/${GPG_GEN_KEY}.asc"
- if (whiptail --title 'Add Public Key to USB disk?' \
- --yesno "Would you like to copy the GPG public key you generated to a USB disk?\n\nOtherwise you will not be able to copy it outside of Heads later\n\nThe file will show up as ${GPG_GEN_KEY}.asc" 16 90) then
- mount_usb
- mount -o remount,rw /media
- cp "/tmp/${GPG_GEN_KEY}.asc" "/media/${GPG_GEN_KEY}.asc"
- if [ $? -eq 0 ]; then
- whiptail --title "The GPG Key Copied Successfully" \
- --msgbox "${GPG_GEN_KEY}.asc copied successfully." 16 60
- else
- whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Copy Failed' \
- --msgbox "Unable to copy ${GPG_GEN_KEY}.asc to /media" 16 60
- fi
- umount /media
- fi
- if (whiptail --title 'Add Public Key to Running BIOS?' \
- --yesno "Would you like to add the GPG public key you generated to the BIOS?\n\nThis makes it a trusted key used to sign files in /boot\n\n" 16 90) then
- /bin/flash.sh -r /tmp/gpg-gui.rom
- if [ ! -s /tmp/gpg-gui.rom ]; then
- whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: BIOS Read Failed!' \
- --msgbox "Unable to read BIOS" 16 60
- exit 1
- fi
- PUBKEY="/tmp/${GPG_GEN_KEY}.asc"
- gpg_flash_rom
+ gpg_post_gen_mgmt
+ fi
+ ;;
+ "o" )
+ if (whiptail $CONFIG_WARNING_BG_COLOR --title 'WARNING: Factory Reset USB Security Token?' \
+ --yesno "This will perform a FACTORY RESET of the USB security token!\n\nThis will:\n* Reset all security token passwords to default\n* Erase any keys on the security token\n* Generate new automated GPG keys on the token\n\nAny data now on the USB security token will be LOST!\n\nDo you want to proceed?" 16 120) then
+ confirm_gpg_card
+ gpg_sc_oem_reset
+ if [ $? -eq 0 ]; then
+ gpg_post_gen_mgmt
+ elif [ $? -eq 1 ]; then
+ GPG_OUTPUT=`cat /tmp/gpg_card_edit_output`
+ whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Factory Reset Failed!' \
+ --msgbox "Factory Reset Failed!\n\n$GPG_OUTPUT" 16 120
+ elif [ $? -eq 2 ]; then
+ GPG_OUTPUT=`cat /tmp/gpg_card_edit_output`
+ whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Automatic Keygen Failed!' \
+ --msgbox "Automatic Keygen Failed!\n\n$GPG_OUTPUT" 16 120
 fi
 fi
 ;;
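Review bot: In the new `"o" )` arm the three status tests after `gpg_sc_oem_reset` all read `$?`, but once `[ $? -eq 0 ]` has failed, `$?` holds that test's own status (1), so the `-eq 1` branch catches every failure and the `-eq 2` "Automatic Keygen Failed" branch is unreachable: a keygen failure is reported as a factory-reset failure. Capture the status once - `gpg_sc_oem_reset; rc=$?` - and compare `$rc` in all three tests (`if [ $rc -eq 0 ]`, `elif [ $rc -eq 1 ]`, `elif [ $rc -eq 2 ]`). A trailing `else` reporting any other status would also avoid failing silently if gpg exits with a code the function does not map. The enclosing `while true` loop and `case` start outside the hunk.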