Commit Graph

11 Commits

Author SHA1 Message Date
Thierry Laurion
40c34453df
all scripts: replace TRACE manual strings with dynamic tracing by bash debug
Exception: scripts sourcing/calls within etc/ash_functions continues to use old TRACE functions until we switch to bash completely getting rid of ash.
This would mean getting rid of legacy boards (flash + legacy boards which do not have enough space for bash in flash boards) once and for all.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-02-01 15:48:27 -05:00
Thierry Laurion
8d7efa021d
media-scan: die if gpg_auth fails (should loop and never exit anyway)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-06 10:04:51 -05:00
Thierry Laurion
b1e5c638cd
WiP
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:06:45 -04:00
Jonathon Hall
09d8bf9930
media-scan: Simplify implementation and improve RB message
Since 'standard boot' was removed, empty "$option" only occurs due to
error now.  Die with a specific error.

Now, we only proceed past ISO boot if no ISOs were present, meaning the
disk might be a plain bootable medium.  Present a specific error for
restricted boot in that case.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-30 13:41:07 -04:00
Jonathon Hall
0378d62d49
media-scan: Fix up whiptail prompt, remove errant "s for standard boot"
The whiptail prompt text was copied from the 'read' prompt but did not
actually have the Abort option.  Add it.

The "s for standard boot" option was missing from whiptail.  For plain
'read' it does not appear to revert to a normal boot, it actually went
on to try plain bootable USB on the same medium.  It's not realistic
for a disk to be both directly bootable and contain ISOs, and this
option does not appear to have been missed since it was missing from
the whiptail/fbwhiptail version, which almost all boards use.  Remove
it.

Handle canceling fbwhiptail with esc-esc the same as Abort.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-30 13:36:33 -04:00
Kyle Rankin
79da79a5e4
Implement Restricted Boot Mode
Restricted Boot mode only allows booting from signed files, whether that
is signed kernels in /boot or signed ISOs on mounted USB disks. This
disables booting from abitrary USB disks as well as the forced "unsafe"
boot mode. This also disables the recovery console so you can't bypass
this mode simply by running kexec manually.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:45 -04:00
Thierry Laurion
4a78225548
media-scan/usb-init: add debugging info 2023-04-17 16:17:55 -04:00
Thierry Laurion
8da5d5d723
Add dual support for real bash and busybox's bash(ash)
- modify bash to have it configured with -Os
2023-03-08 12:45:44 -05:00
Thierry Laurion
8259d3ca1e
Add TRACE function tracing function to output on console when enabled
- Add TRACE function tracing output under etc/functions, depending on CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT enabled in board configs
- Replace current DEBUG to TRACE calls in code, reserving DEBUG calls for more verbose debugging later on (output of variables etc)
- add 'export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y' in qemu-coreboot(fb)whiptail-tpm1(-hotp) boards to see it in action
2023-02-20 11:44:52 -05:00
Thierry Laurion
5bc2bc88e4
All scripts and functions: Add DEBUG calling trace on console when CONFIG_DEBUG_OUTPUT is exported in board config
-qemu-coreboot-*whiptail-tpm1(-hotp) boards have 'export CONFIG_DEBUG_OUTPUT=y' by default now
2023-02-18 21:52:44 -05:00
Thierry Laurion
299977926c
usb-scan->media-scan: usb-init calling media-scan usb
media-scan accepts direct input of existing blkid and mount that passed device to /media
2023-01-26 15:38:58 -05:00