Commit Graph

140 Commits

Author SHA1 Message Date
Matt DeVillier
2686c836c6
gui-init: ensure /boot is sane first thing
Before anything else, ensure that a default boot device
is set. If not, prompt the user to set one.  If set, ensure
that /boot can be mounted successfully; else prompt the
user to select a new boot device.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-06-25 10:06:30 -05:00
Martin Kepplinger
186895d414 gui-init: move Refresh TOTP/HOTP to the Main Boot Menu
also, rename the current menu entry to being smaller and simpler.

Closes #574
2019-05-27 11:12:50 +02:00
Martin Kepplinger
e203de9669 gui-init: rename Advanced Settings to Settings
Since there are no other settings to choose from, there don't have to
be "advanced" ones.
2019-05-25 10:40:50 +02:00
Martin Kepplinger
0dc8d9f82e gui-init: move Exit to Shell menu entry under Advanced Settings
Exiting the GUI to a shell is not expected to be part of our users'
everyday workflow, and thus this menu entry doesn't have to be on
the main page.
2019-05-25 10:30:18 +02:00
Martin Kepplinger
fbe39745b4 gui-init: add Power Off to the Main Boot Menu
Add a main boot menu entry to power off. This enables users to
only verify the firmware integrity using OTP, and do nothing more.

After having left the device out of sight, one might want to do
a quick sanity check only.

Since we already have a script to safely power down, we make use of
it now.
2019-05-24 11:36:49 +02:00
Kyle Rankin
cfddb4ed2e
Add GPG GUI
It makes more logical sense for GPG functions to be split out into their
own menu instead of being part of the "Flash" menu. This creates a
gpg-gui.sh script and moves GPG options there while adding a few
additional features (like listing keys and initial smartcard key
generation support).
2019-02-19 06:48:08 -08:00
tlaurion
564f3ee201
Merge pull request #490 from kylerankin/add_empty_keyring_detection
Add empty keyring detection, clean up main menu
2019-02-08 15:01:28 -05:00
Kyle Rankin
a809c72f7d
Fix column width for error output 2018-12-12 14:09:19 -08:00
Kyle Rankin
3eb62eed1a
Use global /tmp/config that combines multiple config files
As part of the config gui we want to be able to have the system define
new config options without them being lost if the user makes their own
changes in CBFS. To allow that this change creates a function initiated
in init that combines all /etc/config* files into /tmp/config. All
existing scripts have been changed to source /tmp/config instead of
/etc/config. The config-gui.sh script now uses /etc/config.user to hold
user configuration options but the combine_configs function will allow
that to expand as others want to split configuration out further.

As it stands here are the current config files:

/etc/config -- Compiled-in configuration options
/etc/config.user -- User preferences that override /etc/config
/tmp/config -- Running config referenced by the BIOS, combination
               of existing configs
2018-12-06 15:24:28 -08:00
Kyle Rankin
2f9c201f3e
Add a configuration GUI script
This change will add a new GUI script that will allow users to change
their running configuration (currently just /boot and USB boot options)
and optionally persist that modified configuration with reflashing the
BIOS with a modified cbfs.
2018-12-06 10:43:34 -08:00
Kyle Rankin
57b487c38c
Update version #s for Librem coreboot, add Librem Key detection dialog
The Librem coreboot is labeled with the current version and is visible
from dmidecode and is supposed to reflect the current version of
coreboot, however it was out of date and reflected 4.7 when Heads has
moved on to 4.8.1.

I've also added a simple change to further simplify onboarding by
warning users who have Librem Key configured when they boot without it
being inserted.
2018-12-05 14:51:53 -08:00
Kyle Rankin
2195977c23
Move GPG check outside TPM failure
We want to catch the missing GPG keyring error regardless of TPM failure
or even in the case of a system without a TPM at all so we need to move
that section up above the TPM check.
2018-12-03 16:09:55 -08:00
Kyle Rankin
7f8738d6d8
Add empty keyring detection, clean up main menu
To help with onboarding new users to Heads, this change will detect when
Heads does not have any keys in its keyring and will guide the user
through adding a key to the running BIOS. It's important that this
happen *before* guiding them through setting up an initial TOTP/HOTP
secret because adding a GPG key changes the BIOS, so the user would have
to generate TOTP/HOTP secrets 2x unless we handle the keyring case
first.

In addition to this change I've simplified the main menu so that the
majority of the options appear under an 'advanced' menu.
2018-11-30 15:32:29 -08:00
Kyle Rankin
fd99d160e8
Improve status messages for Librem Key HOTP output 2018-07-03 12:40:52 -07:00
Kyle Rankin
acb2b34873
Show warning bg color in main menu when HOTP key not found 2018-06-21 16:30:35 -07:00
Kyle Rankin
be665ac4f9
Show red background when HOTP code is invalid
Granted the user should really be using the Librem Key/phone to check
for tampering (since an attacker could control the Heads background
color) but this provides another visual queue for the user with
the GUI menu to catch less sophisticated tampering.
2018-06-21 16:04:46 -07:00
Kyle Rankin
fe34aba719
Store HOTP counter directly in /boot instead of TPM
The HOTP counter isn't a secret but is just used to prevent replay
attacks (the time-based counter in TOTP isn't a secret either) so it
doesn't need to be protected in the TPM and storing it as a TPM
monotonic counter was causing conflicts with the Heads configuration
counter as TPM 1.2 can only increment one counter per reboot.

This change moves the HOTP counter into the file in /boot that was
previously keeping track of the TPM counter id.
2018-06-20 09:20:39 -07:00
Kyle Rankin
7dde5c2aca
Revert "Use HOTP TPM counter instead of Heads when signing, if present"
This reverts commit c42084406d.
2018-06-19 16:28:37 -07:00
Kyle Rankin
c42084406d
Use HOTP TPM counter instead of Heads when signing, if present
TPM v1.2 has a limitation in that only a single monotonic counter can be
incremented between reboots [1]. So in the event we are using HOTP
monotonic counters, we need to reference those for the Heads rollback
counter when we update file signatures in /boot, otherwise the increment
stage at kexec-sign-config will fail since at each boot, the HOTP
monotonic counter has already been incremented.

[1] https://projects.csail.mit.edu/tc/tpmj/UsersGuide.html#inccounter
2018-06-19 16:18:10 -07:00
Kyle Rankin
2cacb15729
Add back TPM config counter section to gui-init
The section in gui-init that modifies the Heads TPM counter when signing
config was accidentally removed. This change adds that section back.
2018-06-19 13:03:01 -07:00
Kyle Rankin
31cf85b707
Add Librem Key support to Heads
The Librem Key is a custom device USB-based security token Nitrokey is
producing for Purism and among other things it has custom firmware
created for use with Heads. In particular, when a board is configured
with CONFIG_LIBREMKEY, this custom firmware allows Heads to use the
sealed TOTP secret to also send an HOTP authentication to the Librem
Key. If the HOTP code is successful, the Librem Key will blink a green
LED, if unsuccessful it will blink red, thereby informing the user that
Heads has been tampered with without requiring them to use a phone to
validate the TOTP secret.

Heads will still use and show the TOTP secret, in case the user wants to
validate both codes (in case the Librem Key was lost or is no longer
trusted). It will also show the result of the HOTP verification (but not
the code itself), even though the user should trust only what the Librem
Key displays, so the user can confirm that both the device and Heads are
in sync. If HOTP is enabled, Heads will maintain a new TPM counter
separate from the Heads TPM counter that will increment each time HOTP
codes are checked.

This change also modifies the routines that update TOTP so that if
the Librem Key executables are present it will also update HOTP codes
and synchronize them with a Librem Key.
2018-06-19 12:27:27 -07:00
Kyle Rankin
258420d75d
Add BIOS ROM editing features to flash GUI
In addition to being able to flash a ROM from the GUI, it would also be
useful for a user to be able to add a GPG key to their keyring using the
flashing tool. This change adds the ability for a user to edit both a
ROM located on a USB key and also edit the running BIOS by using
flashrom to make a local copy of the running BIOS, edit it, then reflash
it. This also supports the upcoming delete feature in CBFS for
circumstances where keyring files already exist within CBFS.
2018-05-17 15:31:23 -07:00
Kyle Rankin
3c88bc5d86
Split flash GUI into separate script
To keep the flash logic simpler the GUI logic has been split into a
flash-gui.sh program so flash.sh behaves closer to the original flashrom
scripts it was based from. I've also removed the previous flashrom
scripts and incorporated their options into flash.sh. Finally I set
CONFIG_BOARD via the Makefile instead of setting a duplicate option in
each board's config.
2018-05-11 14:08:31 -07:00
Kyle Rankin
89b008a042
Use explicit path for flash.sh 2018-05-11 12:32:04 -07:00
Kyle Rankin
45ae20fc12
Add generic flash script
Based on the conversation for PR #406, we decided to go with a more
generic script for general-purpose flashing instead of having individual
(and therefore very similar) flash scripts for each board type. This
script currently handles flashrom on Librem and X230 board types and
introduces a new CONFIG_BOARD option that sets specific flashrom
arguments based on the board.

It also adds support to gui-init to call this flash script.
2018-05-11 12:27:50 -07:00
Kyle Rankin
4fdbe88560
Allow lines to be wrapped closer to the edge 2018-05-03 10:45:45 -07:00
Kyle Rankin
745d843f0d
Extend whiptail window to 90 columns wide
Wrapping text to 80 characters works but due to font size and padding
the maximum 80 character lines start to get truncated. Extending the
window to 90 characters will resolve this.
2018-05-01 15:20:35 -07:00
Kyle Rankin
480b01c278
Wrap an additional line that was missed in the first pass 2018-05-01 15:10:14 -07:00
Kyle Rankin
f26a14c20d
Wrap whiptail text that's over 80 characters
While the whiptail program wraps text appropriately based on column
size, the fbwhiptail program doesn't, leading to text that scrolls off
the window where it can no longer be read. This change wraps the longer
text output so it all fits.
2018-05-01 14:23:56 -07:00
Kyle Rankin
22a8d6f603
Colorize warning and error messages in fbwhiptail
Since fbwhiptail allows us to customize the background colors, we should
colorize warnings and error messages to provide a user with an
additional subtle cue that there might be a problem. I have added two
additional configuration options:

CONFIG_WARNING_BG_COLOR
CONFIG_ERROR_BG_COLOR

and in the librem13v2.config file you can see an example for how to set
them to be yellow and red gradients, respectively. I've also updated the
main two scripts that use whiptail to include those background colors.

If you decide to use regular whiptail, just don't set these config
options and it should behave as expected.
2018-04-25 13:21:56 -07:00
Kyle Rankin
887c79065e
Add GUI package update handler w/ checksum update function
Part of the Heads workflow involves handling legitimate changes to /boot
as part of the package manager. This is a challenging workflow to handle
as package managers on many systems work in a completely unattended way
(and some even reboot first, apply updates, and then reboot again).

We need to be able to detect changes that are potentially caused by a
package manager so to do that I've set up a trigger within the OS
(currently just for Debian) that runs both before and after package
updates. It verifies the signatures in /boot and if they fail before
package updates it creates a log file in
/boot/kexec_package_trigger_pre.txt. If they fail after package updates
run /boot/kexec_package_trigger_post.txt is created. These files contain
the following fields:

CHANGED_FILES: A list of files in /boot that failed the sha256sum check
UPDATE_INITRAMFS_PACKAGE: An (optional) list of packages known to
trigger initramfs changes

Following those fields is a list of log output from the last package
manager run which contains its own formatted fields (I'm pulling from
/var/lib/dpkg/info).

When a user selects a boot option, gui-init first verifies the
checksums just to catch errors before calling kexec-select-boot. If
there are any errors it looks for these package logs and if they exist,
it displays appropriate warnings. If the files are absent it displays a
more generic warning. The user is also given an opportunity to re-sign
the /boot hashes.
2018-04-03 15:20:34 -07:00
Kyle Rankin
35916d942b
Handle signing failures more gracefully with a dialog 2018-03-20 11:26:09 -07:00
Kyle Rankin
769f6a7a24
Create nested menus and add option to rehash/sign /boot
The number of options we want in the menu is starting to get large
enough that it's worth slimming things down in the main menu and move
options to nested menus. Along with this nested menu change is the
option to re-sign and re-hash files in /boot directly from the menu.
2018-03-14 10:14:22 -07:00
Kyle Rankin
dee52415fa
Add a menu option to reset TPM for bootstrapping. Widen menus.
One of the other core functions a user needs when bootstrapping is
taking over the TPM. I've added a new option in the menu for this and it
revealed that some of the menus needed more space so I've widened all
the menus and also made the main menu longer so the options don't
scroll.
2018-03-08 16:36:56 -08:00
Trammell hudson
9c9b5bcd2b
Merge branch 'add_gui_hash_alert' of https://github.com/kylerankin/heads 2018-03-08 14:41:44 -05:00
Kyle Rankin
8152e8c796
Add a "force" option to kexec-select-boot to bypass hash checks
The point of this change is to provide a failsafe (failunsafe?) mode for
less technically-savvy users who will ultimately be using Heads by
default on Librem laptops.

There are some scenarios where an end user might forget to update hashes
in /boot after an initrd change or might have some other hash mismatch.
Currently that user would then be stuck in a recovery console in Heads
not knowing what to do within that limited shell environment to fix the
situation.

This change adds a 'force' mode to kexec-select-boot that goes straight
into a boot menu and bypasses the hash checks so the user could more
easily get back into their system to attempt to repair it. It adds
appropriate warnings about why this is a risky option and moves it down
toward the bottom of the menu. The goal would be to just have this be an
emergency option our support could guide a user to if they ended up in
this situation.
2018-03-05 14:46:15 -08:00
Kyle Rankin
fbbfc8e22f
Replace remaining text-only options in main workflow w/ gui menus
In particular I added a GUI menu to instruct the user if there is no
TOTP code registered (as is the case upon first flash) and also added
better handling of the case the user selects 'default boot' when there
is no default boot set yet. Apart from that where there were text-only
menus left in gui-init I've replaced them with GUI menus.
2018-02-23 12:13:21 -08:00
Kyle Rankin
6ab78ae236
Add gui option to kexec-select-boot, use in gui-init menu option
When selecting the boot menu option (m) in the gui-init you call out to
kexec-select-boot. To better maintain the graphical menu experience,
I've added a -g option to kexec-select-boot that, when set, will use a
graphical whiptail menu for the most common menu selection modes.
2018-02-22 13:18:16 -08:00
Kyle Rankin
57405b0d28
Add menu for TOTP updates, provide sample board config to use gui-init 2018-02-21 15:58:54 -08:00
Kyle Rankin
140064bbf8
Add graphical init menu that uses whiptail
This is a modified version of the generic-init script that uses whiptail
to generate a graphical menu. I changed two of the options so that the
user can refresh the menu to get an updated TOTP code if needed.
2018-02-20 15:35:37 -08:00