Commit Graph

329 Commits

Author SHA1 Message Date
Thierry Laurion
058b07110b
add reencrypt-luks
initrd/bin/reencrypt-luks: add functions for reencryption and passphrase change. Feeds itself from external provisioning or local provisioning
2022-03-23 15:47:33 -04:00
Thierry Laurion
9016ebccc2 OEM Factory Reset -> OEM Factory Reset / Re-Ownership (with customs passwords and provisioned info given)
oem-factory-reset: adapt code so that custom passphrases can be provided by user without changing oem factory reset workflow.
    oem-factory-reset: output provisioned secrets on screen at the end of of the process.
    oem-factory-reset: warn user of what security components will be provisioned with defaults/customs PINs prior of choosing not after
    gui-init and oem-factory-reset: change OEM Factory Reset -> OEM Factory Reset / Re-Ownership to cover actual use cases
2022-03-11 14:24:54 -05:00
Thierry Laurion
acf709184f bin/kexec-iso-init: Add support for Arch iso support requirements (found at https://mbusb.aguslr.com/howto.html) 2022-03-07 19:02:29 -05:00
tslil clingman
19a8f9c242 Tweak syslinux parsing code to be compatible with new Arch isos 2022-03-07 19:02:29 -05:00
Marek Marczykowski-Górecki
ab6425cc7e
Check for /bin/hotp_verification instead of CONFIG_HOTPKEY
CONFIG_HOTPKEY is not exported to the initrd, check for binary presence.
2022-03-04 00:49:37 +01:00
Marek Marczykowski-Górecki
13a12d157b Move enable_usb earlier
It is going to be enabled later anyway (if CONFIG_HOTPKEY=y), so it can
also be simplified by enabling it at the very beginning.

This enables USB keyboard consistently during all boot menus, including
the "No Bootable OS Found" prompt. It isn't a big deal for "normal"
laptop usage, but it is important for automatic tests and also
non-laptop systems.
2022-03-01 13:39:59 -05:00
HardenedVault
b4b0bc4a7a Use luksHeaderBackup rather than luksDump to measure luks headers. 2022-01-19 10:12:37 -05:00
Matt DeVillier
519bd445d6 flash.sh: Add progress bar
Show state of flashrom reads/writes by means of a progress bar,
as used in the Librem coreboot flashing scripts

v2: add adjustment for use with `--ifd`

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-12-17 16:48:34 -05:00
Thierry Laurion
415a08a732 board additions: w530, t530, t520 (hotp-maximized and maximized flavors only)
-CircleCI addition.
-Removal of t530-flash, w530-flash boards, flash scripts and associated coreboot configs (no more legacy boards additions)

This is a merger of #1071, #1072 and #1073 so that test builds are available over CircleCI until osresearch/master CircleCI gets unlocked.
2021-12-06 19:52:25 -05:00
eganonoa
ce435a4148 adding working w530 board, initrd and config files 2021-12-06 19:52:25 -05:00
eganonoa
66e5c23b13 adding working t530 board, initrd and config files 2021-12-06 19:52:25 -05:00
icequbes1
b35e1bcbb3 oem-factory-reset: fix whiptail height/width order 2021-11-24 17:00:25 -05:00
Matt DeVillier
fdbd9b2d48 gui-init: Handle overflow of list of files w/failed hashes
When files in /boot fail hash verification, the list of files
can sometimes overflow the whiptail msgbox, preventing the
prompt and buttons to update checksums from showing. To mitigate
this, if # of files is > 10, use less to show the file list and
present a separate prompt to update the checksums once the file
list has been viewed.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-29 16:11:28 -04:00
Thierry Laurion
59aafa5506 NEWT: fix whiptail line width for output that could wrap line content over multiple lines 2021-10-29 14:53:53 -04:00
Thierry Laurion
2fc8813fc6 oem-factory-reset: fix output when fbwhiptail is not used
- Fixed inversed HEIGHT and WIDTH usage
- Fixed height to 30 and width to 90 as everywhere else

This was causing a blank screen when whiptail without framebuffer (fbwhiptail) was used.
Actually, it seems like the width and height under whiptail calls are only taken into consideration under NEWT, not FBWHIPTAIL.
2021-10-29 13:45:22 -04:00
Thierry Laurion
661b3b0e81 flash-gui: fix width of flash confirmation from 60 -> 90 chars as everywhere else
- Fix the flash prompt that was spreading filename over 2 lines (width 60 -> 90 as everywhere else)
2021-10-29 13:45:22 -04:00
Thierry Laurion
c6a36948c5 Whiptail: move BG_COLOR default definitions from gui-init to init
- Set them only when FBWHIPTAIL is used.
- If NEWT is used (console mode without framebuffer): set default to none.
2021-10-29 13:45:22 -04:00
Matt DeVillier
61124979ec
oem-factory-reset: fix custom comment entry
copy/paste error resulted in user-entered comment never
being set/checked/used, and email address being overwritten.
Fix variable usage so comment and email are set correctly.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-21 18:34:48 -05:00
Thierry Laurion
4dee35ae40 System Info: Add full charge Battery capacity (actual full charge capacity/design full charge capacity) 2021-10-19 20:21:55 -04:00
Matt DeVillier
de0ce98da3 etc/functions, gpg-gui: Filter boot device options with '/dev/'
Grepping on just 'Disk' can lead to disk UUID identifier strings
being added to /tmp/disklist, which then fail to parse later on.
Avoid this by grepping on 'Disk /dev' instead.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-15 14:42:15 -04:00
Matt DeVillier
1c6f623c25 gui-init: update $TOTP after generating new secret or resetting TPM
After updating/flashing a new ROM, a new TOTP secret must be generated,
but the $TOTP variable needs to be updated afterwards, otherwise it
will show the previous failure which led to the new secret being
created.

Fix this by re-calling update_totp() after generating a new secret
or resetting the TPM.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-15 14:42:15 -04:00
Matt DeVillier
5746b8c970 gui-init: Drop elapsed time check for update_totp()
If user selects to manually update the TOTP via the menu,
we should do it regardless of elapsed time from previous
check. Otherwise, HOTP will be checked regardless of validity
of TOTP.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-15 14:42:15 -04:00
Matt DeVillier
feca95a0c1 gui-init: improve handling when HOTPKEY not present
Allow user to cancel HOTPKEY check, set BG color appropriately

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-15 14:42:15 -04:00
Matt DeVillier
a0308b808f etc/functions: push result handling of update_checksums() to callers
Modify update_checksums() to return 0/1 on success/failure, and modify
callers to notify the user on error with a GUI msg.

Set background color as appropriate in gui-init.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-15 14:42:15 -04:00
Matt DeVillier
a87c54220c gui-init: skip initial checks if user selects option from mount_boot
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-15 14:42:15 -04:00
Matt DeVillier
43b50788c6 config-gui: Show error if no disks found
Currently, if no disks on system, selection of a new /boot
device will silently fail and simply return the user to the
previous screen. Add an error dialog if no disks found.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-15 14:42:15 -04:00
Matt DeVillier
32716c8ce6 gui*: Improve consistency of background color use
Persist the background color (and error state) through
the main menu and all submenus. Use warning
background color for destructive operations, error color
for errors.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-15 14:42:15 -04:00
Matt DeVillier
a86debb257 gui-init: chain initial checks outside of main loop
Checking the keyring for a GPG and updating the TOTP/HTOP
status need only happen once at initial boot; the latter
can be updated at any later time from the main menu itself.
Having them repeated each loop of the main menu is unnecessary
(and often annoying). Likewise, the default auto boot can be
moved and the first_pass (and unused MAIN_MENU_OPTIONS)
variable dropped.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-15 14:42:15 -04:00
Matt DeVillier
463ec15522 gui-init: Handle menu processing internally
Now that all menu options are encapsulated in shell
functions, move menu handling from the main loop to
inside the menu/submenu function itself.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-15 14:42:15 -04:00
Matt DeVillier
1f27dea220 gui-init: refactor into functions
Break menus and menu items into functions where possible.
Improves readability of code / functional flow, and
makes future refactoring easier.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-15 14:42:15 -04:00
Matt DeVillier
e6d6594e67 gui-init: Add line breaks between functions for readability
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-15 14:42:15 -04:00
Matt DeVillier
5a52606ad5 gui-init: rename 'update_totp' to 'generate_totp_hotp'
Name better reflects function purpose, allows 'update_totp'
to be used to actually update the TOTP code.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-15 14:42:15 -04:00
Matt DeVillier
1def8f95b4
kexec-boot: Streamline cmdline remove filtering
Use sed one-liner vs 3 bash inline commands

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-15 13:40:24 -05:00
chri2
1245701694
fix bug with e.g. nosplash parameter in kernel command line
strings from $cmdremove should only be removed from $cmdline if they are enclosed by spaces of if they are at the beginning of $cmdline followed by a space or if they are at the end of $cmdline prepended by a space
2021-09-29 06:57:18 +00:00
elliotvirzi
0ed8a886ee
Display TOTP secret as text
Enable use of TOTP devices without a camera
2021-08-07 17:40:13 +00:00
Thierry Laurion
64b1712e78
oem-factory-reset: set default KEY_LENGTH to 3072 and change expectation management message to console (Fixes #919) 2020-12-10 10:33:02 -05:00
alex-nitrokey
e31d6dcb8e Default to 4096 bit for OEM factory reset 2020-11-24 12:48:41 +01:00
Matt DeVillier
055165d61a gui-init: add support for auto-booting default target
if CONFIG_AUTO_BOOT_TIMEOUT exists and is set, and if HOTP
validation was successful, then attempt to boot the default
target after CONFIG_AUTO_BOOT_TIMEOUT seconds if not interrupted
by key press

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-11-09 22:26:50 -05:00
Matt DeVillier
f445b29dbe kexec-sign-config: fix args to getopts
The -u arg does not take a parameter, so remove the trailing colon.

Fixes /boot hashes not being updated when update_checksums() is called.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-11-06 15:16:29 -05:00
Matt DeVillier
e7faac20db oem-factory-reset: Allow use without an installed OS
If an installed OS is not detected, then skip setting the
default boot device or generating /boot checksums.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-10-27 18:01:42 -04:00
Matt DeVillier
1fc123df4a gui-init: improve handling of blank/missing disk
Check for presence of CONFIG_BOOT_DEV, and if missing or
unable to be mounted, present the user with a menu offering the
option to select another disk, boot from USB, continue to
main menu, or drop to a recovery shell.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-10-27 18:01:42 -04:00
Matt DeVillier
6a3bb5897a Drop duplicate board-specific background color configs
Set and export currently-used defaults in gui-init, but still
allow for inidividual boards to override via config if desired.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-10-27 16:19:46 -04:00
Matt DeVillier
95442dccd4 flash-gui: improve readability of ROM filename
Strip the path prefix from the ROM filename, and place on own
line to prevent truncation with long filenames / narrow screens.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-10-27 16:19:46 -04:00
Matt DeVillier
755e9787a7 gui-init: add board name, kernel version to System Info
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-10-27 16:19:46 -04:00
Matt DeVillier
6df281813f Specify 'friendly' board name vs overriding CONFIG_BOOT_GUI_MENU_NAME
This will allow it to be used elsewhere within the UI.
Rename CONFIG_BOOT_GUI_MENU_NAME to better indicate use/function.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-10-27 16:19:46 -04:00
Matt DeVillier
8b3b8cedb5 gui_init: use consistent notation for main menu
sed -i 's/default boot menu/main menu/g'

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-10-27 16:19:46 -04:00
Matt DeVillier
998dc684f1 gpg_gui: use 'and' vs '+' in menu listings
Using words is more explicit and clear here rather than symbols.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-10-27 16:19:46 -04:00
MrChromebox
85d7e29d18
Add new board: Purism Librem Server L1UM (#858)
* modules/coreboot: add option to use coreboot 4.11

Port patches from coreboot 4.8.1 to 4.11:
* 0000-measure-boot -> 0001
* 0010-cross-compiler-support

All other patches for coreboot 4.8.1 have either already been
integrated, or are for platforms which do not need to be migrated
to coreboot 4.11 (they will move to 4.12 or newer).

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

* patches/coreboot-4.11: Add Broadwell-DE platform patch

Add a patch for FSP Broadwell-DE to make use of Heads' measured boot.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

* patches/coreboot-4.11: Add patch to read serial # from CBFS

Will be used by multiple Librem boards.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

* patches/coreboot-4.11: add board support for Librem Server L1UM

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

* Librem Server L1UM: add new board

Add board config, coreboot config, kernel config files.
Add conditional purism-blobs dependency to coreboot-4.11 module.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

* flash.sh: add special handling for librem_l1um board

Add support for persisting PCIe config via PCHSTRP9 in flash descriptor.
This is needed to support multiple variants of the L1UM server which
use the same firmware but differ in PCIe lane configuration via the
PCH straps configuration in the flash descriptor.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

* patches/coreboot-4.11: Add 'Use PRIxPTR to print uintptr_t' patch

Cherry-picked from upstream coreboot (post-4.11), fixes compilation issue.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

* CircleCI: add target to build board librem_l1um

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-10-18 14:48:25 -04:00
Tom Hiller
636e40456e
fix: update chesksums of filenames with spaces (#847)
Signed-off-by: Tom Hiller <thrilleratplay@gmail.com>
2020-10-18 14:46:57 -04:00
alex-nitrokey
7baeebe9bf Change hash files only if gpg card is present
Update_checksum was already changing files in /boot, befor checking for
gpg card. If no card is present, the user will end up in the recovery
next time instead of getting the same dialog again. Therefore, the
confirm_gpg_card should be checked before altering files.

The dead -u flag/$update_counter is used to mark the necessisty to
update the hash files now.
2020-10-15 17:05:12 +02:00