If we can't mount /boot, show a meaningful error rather than dropping
to a recovery shell.
Dropping to a recovery shell should be a last resort. Users that know
how to use the recovery shell know how to get there. Users that don't
know how to use it can be completely stuck and may not know how to get
back to the menu or even how to turn off the device.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Automatic boot can be configured in the configuration GUI. Options are
disable, 1 second, 5 seconds, or 10 seconds.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Change order if user chooses both reencrypt and change passphrase, so that passphrase is changed first.
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
Removed all mentions of a "Recovery Disk Key" and replaced with "Disk Recovery Key".
Fixed some grammatical errors.
Added check for new passphrase in reencrypt function to accommodate switching of reencrypt and new passphrase setting order in oem-factory-reset.
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
Uses fold on the entire passphrase string now; tested in recovery shell of NK Heads 2.1.
Reverted change of WIDTH parameter (first commit of this PR).
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
This partially fixes #1537, but while the increased width wouldn't be a problem on the NV41 AFAICT, I don't know about other machines.
I don't know what @tlaurion means with "busybox's folding", which may be a better solution.
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
The call to `hotp_verification regenerate` seems to leave the
communication in a bad state, thus the following `gpg` calls fail. With
this workaround `scdaemon` will restart with the next `gpg` call.
Signed-off-by: Markus Meissner <coder@safemailbox.de>
talos-2 (only) uses .tgz instead of .rom for updates. Currently, both
are treated as alternatives to a ZIP-format update archive with
SHA-256 integrity check, extend that to the prompts to reduce clutter.
Reflow the "You will need ... your BIOS image" prompt to fit on
fbwhiptail.
The .tgz format could be better integrated with the ZIP updates, but
this needs more work specific to talos-2.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Allow configuring the ZIP-format update file extension with
CONFIG_BRAND_UPDATE_PKG_EXT in board config. Default is 'zip'.
Create update package in the default Makefile target. Delete
create_npf.sh.
Do not require /tmp/verified_rom in the update file package's
sha256sum.txt (but allow it for backward compatibility).
Show the integrity error if unzip fails instead of dying (which returns
to main menu with no explanation, error is left on recovery console).
This is the most likely way corruption would be detected as ZIP has
CRCs. The sha256sum is still present for more robust detection.
Don't require the ROM to be the first file in sha256sum.txt since it
raises complexity of adding more files to the update archive in the
future. Instead require that the package contains exactly one file
matching '*.rom'.
Restore confirmation prompt for the update-package flow, at some point
this was lost.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
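
The package checks described in the commit message above (every listed hash verified, exactly one `*.rom`, the ROM's position in sha256sum.txt not significant, legacy `/tmp/verified_rom` entries still accepted), as an added shell example that is not code from Heads. The names `verify_update_dir` and `make_sample_pkg`, the reading of the legacy case as a `/tmp/verified_rom/` path prefix, and the extra requirement that the ROM itself be listed in sha256sum.txt are assumptions of this example.

```bash
#!/bin/bash
# Added example, not Heads code. Function names are hypothetical.
# Assumption: legacy sha256sum.txt entries carry this absolute path prefix.
LEGACY_PREFIX="/tmp/verified_rom/"

# Prints the ROM path on success; explains the failure and returns 1 otherwise.
verify_update_dir() {
    local dir="$1" sums="$1/sha256sum.txt" hash name actual f
    local listed="|" rom="" rom_count=0
    [ -f "$sums" ] || { echo "sha256sum.txt missing" >&2; return 1; }
    # Every listed file must be inside the package and match its hash.
    while read -r hash name; do
        [ -n "$hash" ] || continue
        name="${name#[*]}"                 # sha256sum binary-mode marker
        name="${name#"$LEGACY_PREFIX"}"    # backward compatibility
        case "$name" in
            /*|*..*) echo "unsafe path: $name" >&2; return 1 ;;
        esac
        [ -f "$dir/$name" ] || { echo "missing file: $name" >&2; return 1; }
        actual="$(sha256sum "$dir/$name" | cut -d ' ' -f 1)"
        [ "$actual" = "$hash" ] || { echo "hash mismatch: $name" >&2; return 1; }
        listed="$listed$name|"
    done < "$sums"

    # Exactly one *.rom, wherever it appears in sha256sum.txt.
    for f in "$dir"/*.rom; do
        [ -e "$f" ] || continue
        rom="$f"; rom_count=$((rom_count + 1))
    done
    [ "$rom_count" -eq 1 ] || { echo "need exactly one *.rom, found $rom_count" >&2; return 1; }
    # Extra check assumed by this example: the ROM itself must be hashed.
    case "$listed" in
        *"|${rom##*/}|"*) ;;
        *) echo "ROM not covered by sha256sum.txt" >&2; return 1 ;;
    esac
    echo "$rom"
}

# Constructed sample package: one ROM plus one extra file, ROM listed second.
make_sample_pkg() {
    local dir; dir="$(mktemp -d)"
    printf 'constructed rom bytes' > "$dir/board.rom"
    printf 'release notes' > "$dir/notes.txt"
    ( cd "$dir" && sha256sum notes.txt board.rom > sha256sum.txt )
    echo "$dir"
}

pkg="$(make_sample_pkg)" && verify_update_dir "$pkg" && rm -rf "$pkg"
```
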
Don't repeat this message if the user says "no" to the confirmation
prompt. Go directly to the menu.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Move confirmation of formatting flash drive with LUKS percentage
selection before any reset actions have been taken, so aborting does
not result in a half-reset system. Combine with the more basic
"confirm" prompt that existed after selecting the device (but did not
include the LUKS size information).
Split up prepare_flash_drive into interactive_prepare_flash_drive (both
prompts and formats as before), confirm_thumb_drive_format (just
confirms the selections), and prepare_thumb_drive (now noninteractive).
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Combine prompt to disconnect other devices with prompt to connect the
desired device.
Show block device sizes in MB/GB when selecting device so it is easier
to select. file_selector now supports --show-size to include block
device sizes in menu.
Rework file_selector so menu options can contain spaces (use bash
array) and to simplify logic.
Prompt to select flash drive and LUKS percentage in OEM reset before
actually taking any actions, so aborting doesn't half-reset the system.
Abort OEM reset if user aborts the flash drive selection instead of
looping forever. (Canceling the confirmation still loops to retry but
it is possible to exit by aborting the repeated menu.)
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Warn user if connected usb block device is less than 128mb, since creating LUKS container of less than 8mb might cause issues.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Prompt for TPM owner password internally within tpm2_counter_create.
Add tpm1_counter_create to prompt for password internally. Wipe the
cache in either if the operation fails, in case the password was
incorrect.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
- document why shred is still called under functions:check_tpm_counter for safety and add TODO there
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
gui-init: make sure that reseal_tpm_disk_decryption_key happens only on successful TOTP/HOTP sealing, reusing cached TPM Owner password
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Add comments after reboot/poweroff to clarify what they do. These
commands are here partly for discoverability by users who might not
know what to do in a recovery shell, so clarifying their purpose helps
those users figure out what to do.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Some device firmware, such as the graphics microcontroller, is needed
during the initrd - i915 is often loaded in the initrd, and this is the
only chance to load GuC firmware.
Device firmware must still be available after the real root is mounted
too, so update the custom firmware path in the kernel when the firmware
is moved to /run.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Add Librem 11 board.
Librem 11 uses coreboot graphics init, which is done with FSP GOP.
Set a custom keymap for the volume/power keys. Configure the volume
keys as up/down arrows (for navigation in fbwhiptail, and for shell
history in the Linux console). Configure the power key as Enter.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Allow boards to optionally include loadkeys to set a custom keymap.
showkey and dumpkeys (normally only needed for development) can also be
optionally included.
Remove *.map from .gitignore; this was probably intended for build
artifacts that are now excluded via the build/ directory.
Add reboot and poweroff to shell history, which is useful for devices
lacking full hardware keyboards to escape the recovery shell with just
"up" and "enter".
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Improve speed by pre-filtering only for lines containing any tokens of
interest to flashrom_progress_tokenize().
Improve reliability by avoiding dropping tokens that cross a stream
buffer boundary. Occasionally, a token could be missed if it crosses a
stream buffer boundary, due to read timing out too quickly before the
next buffer is flushed. If this was a state-changing token,
flashrom_progress() would hang forever.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
* use GPG_ALGO as gpg key generation algorithm
* determine GPG_ALGO during runtime like this:
  * if CONFIG_GPG_ALGO is set, use as preference
  * adapt based on usb-token capabilities (currently only Nitrokey 3)
Changes:
- As per master: when TOTP cannot unseal TOTP, user is prompted to either reset or regenerate TOTP
- Now, when either is done and a previous TPM Disk Unlock Key was set up, the user is guided into:
  - Regenerating checksums and signing them
  - Regenerating TPM disk Unlock Key and resealing TPM disk Unlock Key with passphrase into TPM
  - LUKS header being modified, user is asked to resign kexec.sig one last time prior to being able to default boot
- When no previous Disk Unlock Key was set up, the user is guided into:
  - The above, plus
  - Detection of LUKS containers, suggesting only relevant partitions
- Addition of TRACE and DEBUG statements to troubleshoot actual vs expected behavior while coding
  - Were missing under TPM Disk Unlock Key setup codepaths
- Fixes for #645: We now check if only one slot exists and we do not use it if it's slot1.
  - Also shows in DEBUG traces now
Unrelated staged changes
- ash_functions: warn and die now contains proper spacing and eye attraction
- all warn and die calls modified if containing warnings and too much punctuation
- unify usage of term TPM Disk Unlock Key and Disk Recovery Key
prepare_thumb_drive: default to creating 10% LUKS container on usb drive, prompts for passphrase if not provided and scan drives if no --device specified
NOTE: qemu usb_thumb drive of 128 mb are not big enough so that 10% of it (12mb) can be used to create thumb drive.
Adds:
- e2fsprogs to support ext4 filesystem creation through mke2fs
- add /etc/mke2fs.conf so that mke2fs knows how to handle ext2/ext3/ext4
- removes mke2fs support from busybox
- bump busybox to latest version which adds cpu accelerated hash functions (not needed per se here)
- Adds exfatprogs to have mkfs.exfat and fsck.exfat
- Adds prepare_thumb_drive /etc/luks-functions to be able to prepare a thumb drive with percentage of drive assigned to LUKS, rest to exfat
- Modify most board configs to test space requirements failing
- Talos2 linux config: add staging Exfat support
- Make e2fsprogs and exfatprogs included by default unless explicitly deactivated in board configs
- Change cryptsetup calls : luksOpen to open and luksClose to close to address review
- etc/luks_functions: cleanup
GOAL here is to have secure thumb drive creation which Heads will be able to use to backup/restore/use generated GPG key material in the future (next PR)
Based on feedback, 1440p displays can benefit from 2x console as well.
Err toward a font too large rather than too small and lower the
threshold to 1350, which is the threshold fbwhiptail uses for 1.5x.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Build kbd and ship setfont if enabled with CONFIG_KBD.
When CONFIG_KBD is enabled, setconsolefont.sh will double the console
font size on large displays (>1600 lines tall as a heuristic).
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
On platforms using CONFIG_BOOT_EXTRA_TTYS multiple processes may try to
access TPM at the same time, failing with EBUSY. The order of execution
is unpredictable, so the error may appear on main console, secondary one,
or neither of them if the calls are sufficiently staggered. Try up to
three times (including previous one) with small delays in case of error,
instead of immediately scaring users with "you've been pwned" message.
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
Updated cbmem searches for CBMEM exposed by kernel in sysfs before
trying to read it from memory directly. As such, there is no need for
pointing to that file explicitly.
New coreboot revision also fixes output of 'cbmem -t' caused by wrong
endianness.
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
Simplify "enable" prompt a bit, clarify that firmware updating is
blocked, and remove mention of "failsafe boot mode". Reword "disable"
prompt similarly.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
The early recovery shell ("hold R") and serial recovery both could
bypass Restricted Boot since they occurred before config.user was
loaded. Load config.user earlier before these recovery methods.
Executing a shell directly (if recovery failed) also would bypass
Restricted Boot, additionally leaking /tmp/secret. Remove this from
the early recovery shell logic. Also remove the final failsafe exec
and move the "just in case" recovery from normal boot here instead, in
case the regular init script fails.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
The -s mode was removed, remove it from usage. Remove the test to skip
checking for board flashrom options with -s mode.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
The "disable restricted boot" prompt got slightly too long when fixing
the TPM wording. Re-wrap that line to match the others. Wrapping
could use some general cleanup but this is sufficient so the text isn't
truncated.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
The CONFIG_BASIC test was backwards, as a result it skipped the
LUKS disk unlock logic if basic mode was _not_ enabled. This wasn't
observed in the PureBoot distribution because we disable the LUKS disk
unlock feature.
CONFIG_BOOT_REQ_ROLLBACK and CONFIG_BOOT_REQ_HASH logic was also
skipped incorrectly, though neither of these are enabled on any board
so this had no effect in the PureBoot distribution either.
Test basic with each bit of logic to eliminate duplication of the
kexec-boot call and fix the LUKS disk unlock feature.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Only try the default PIN automatically for 1 month after key creation.
This simplifies initial ownership but still encourages changing the
PIN.
Never enter a PIN automatically if fewer than 3 attempts remain, to
avoid causing lockout if the PIN has been changed.
Remind what the default PIN was if it is not attempted for either
reason.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
HOTP/TOTP secrets don't have to be printable. Use binary data to
include 160 bits of entropy instead of just 80.
The secret is still limited to 20 bytes. Most keys now support up to
40 bytes, but tpmtotp is still limited to 20 bytes.
Move the truncation to 20 bytes a bit later, for future improvements to
detect the key's actual limit.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
flash.sh had a special mode to read (like -r) and then sha256sum the
resulting file. This is no different from just a read followed by a
sha256sum, and the only caller also had logic to sha256sum a cached
file anyway.
Just use flash.sh -r and sha256sum the result.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Basic mode allows (but does not require) setting a default boot option.
Don't seal disk unlock keys in Basic mode.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Some prompts were missed when changing to 0 80 the first time around,
and some new ones were added thinking that size was intentional.
Replace '16 60' with '0 80' globally.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Since 'standard boot' was removed, empty "$option" only occurs due to
error now. Die with a specific error.
Now, we only proceed past ISO boot if no ISOs were present, meaning the
disk might be a plain bootable medium. Present a specific error for
restricted boot in that case.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
The whiptail prompt text was copied from the 'read' prompt but did not
actually have the Abort option. Add it.
The "s for standard boot" option was missing from whiptail. For plain
'read' it does not appear to revert to a normal boot, it actually went
on to try plain bootable USB on the same medium. It's not realistic
for a disk to be both directly bootable and contain ISOs, and this
option does not appear to have been missed since it was missing from
the whiptail/fbwhiptail version, which almost all boards use. Remove
it.
Handle canceling fbwhiptail with esc-esc the same as Abort.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
This feature doesn't require a TPM. The configuration GUI appears
either way, but the actual check was silently skipped on TPM-less
devices. Enable it even if there is no TPM.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Allow configuring the root hash feature when the variables are not set
initially. This worked on Librem boards because the boards all have
defaults for these variables, but didn't work when those defaults were
not present.
Fix set_config function to put quotes around an added variable's value.
Change load_config_value function to default to empty, so it can be
used with non-boolean variables. None of the existing callers cared
about the 'n' default (boolean variables should always be tested ="y"
or !="y" anyway).
Use load_config_value in config-gui.sh for boot device and the root
hash parameters, so unset defaults do not cause a failure. Improve the
prompts so the "current value" text only appears if there is a current
value. Use set_config instead of replace_config so the variables will
be added if needed.
Prevent enabling the root hash feature if it hasn't been configured
yet.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>