Add optional parameter to bypass menu selection and
immediately select a menu option. This allows us to call
the 'Set Boot Device' option directly, saving the user
an unnecessary step.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Introduce option to remove any existing key(s) from firmware
and add a user-suppled key, before reflashing.
Move existing code for adding a new key to a separate function
so it can be reused for new feature without duplication.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
If CONFIG_BOOT_DEV isn't set or otherwise fails to mount,
we prompt the user to change the /boot device, but never
attempt to mount it to ensure it's sane, leading to
potential failures later in the config/boot process.
Ensure that CONFIG_BOOT_DEV is updated after the /boot device
is changed, and attempt to re-mount /boot after the change.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
If the user has changed the /boot config but not yet flashed,
it's reasonable for them to expect that flashing to add/update
a GPG key won't revert those changes.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
In order to streamline the initial setup, prompt user to
update checksums/sign /boot files after adding a key and
updating the firmware, in order to avoid an extra reboot.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Move the non-GUI component of update_checksums() to
/etc/functions so it can be reused outside of gui-init.
Add check that /boot/kexec_default_hashes.txt exists before parsing
it, since doesn't exist if there's no default boot target set yet.
Eliminates spurious error text and/or premature exit depending on
state of errexit.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
'Options' makes more sense than 'Settings' given the submenu's contents.
Tidy up Boot Options as well
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Before anything else, ensure that a default boot device
is set. If not, prompt the user to set one. If set, ensure
that /boot can be mounted successfully; else prompt the
user to select a new boot device.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
If /boot isn't mounted, we can't read the HOTP secret, so no
point in reading from the TPM. This speeds up getting to the
main menu in the case of an inaccessible or non-existant /boot,
and maintains the warning condition from not being able to
validate the HOTP.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Since a USB boot target can't be the default (at least currently,
/boot must be on internal media), skip the extraneous prompt to
set it as such when booting from USB.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Exclude dot folders from ROM search path, so that files in
.Trash (eg) aren't shown. Sort the remaining options.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Using sort on USB boot options produces a reverse-ordered list,
leading users to often select the wrong option. Add the -r
parameter to sort to correct the list order and make the default
option the first in the list.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Because of the way unseal-hotp is called from gui-init,
dropping to a recovery shell when failing to mount /boot
causes it to hang, leaving the user stranded until they
kill it with CTRL+C. Instead, simply return and continue
to the main GUI menu where the user can address the problem.
Rename the function to clarify difference from other versions
of mount_boot() which do drop to the recovery shell.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Fix HOTP verfication failure if LK admin pin/passphrase contains
spaces by quoting the variables when passed to functions.
Test: set LK admin pin to passphrase with spaces, generate
new TOTP/HOTP, verification passes.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Reading the file into a variable and then redirecting to stdin
via echo() can cause the binary data to be truncated, leading
to an invalid base32 value and failure to properly generate
and validate the HOTP code.
To resolve this, pass the file directly to hotp(), and ensure
it is removed properly regardless of success or failure to
prevent leakage.
Fixes "Invalid base32 string" error seen when attempting to
generate a new TOTP secret.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Add a main boot menu entry to power off. This enables users to
only verify the firmware integrity using OTP, and do nothing more.
After having left the device out of sight, one might want to do
a quick sanity check only.
Since we already have a script to safely power down, we make use of
it now.
Instead of relying on a hard-coded USB disk, it would be better if the
mount script attempted to dynamically detect available USB disks. This
modification to the USB mount script attempts to handle the common case
of a single USB disk but can also handle the case of multiple disks
where it will present the user with all available USB disks
This mimics tlauion's OEM work in the sense that a user (or OEM) could
choose this option and it will reset an OpenPGP smart card and
automatically generate a random key on it. The idea is to allow an OEM
to set up a Librem Key and Heads on a machine before shipping with a
random key, so the user can test for tampering when they receive the
machine, and then the user can choose to reset all of the keys with
their chosen keys after that fact.
Currently Heads relies on a hard-coded config value to determine which
USB disk to mount. This can be problematic when trying to distribute a
pre-built version of Heads that can work on multiple disk
configurations. I've modified the USB mounting script so that it
attempts to detect all USB boot disks present on the system, pick sane
defaults, and prompt the user when there are multiple choices.
I've also removed the USB configuration option from config-gui.sh as
this config option is no longer used.
This change updates the very basic GPG smartcard feature in the GPG GUI
so that it can properly support generating a key from within Heads. It
offers the user the option to copy the generated GPG public key to a USB
thumb drive so it's not lost as well as the option to reflash the
current Heads BIOS with this new public key added to the keyring.
I've moved the common functions required to flash a new ROM with GPG
changes into a shared function at the top of the script.
It makes more logical sense for GPG functions to be split out into their
own menu instead of being part of the "Flash" menu. This creates a
gpg-gui.sh script and moves GPG options there while adding a few
additional features (like listing keys and initial smartcard key
generation support).
key-init makes sure trustdb is updated at run time and user and distro keys are ultimately trusted. Each time a file is signed, the related public key is showed without error on it's trustability.
flash-gui deals with gpg1 to gpg2 migration. If pubring.kbx is found, pubring.gpg is deleted from running rom dump.
.ash_history: add examples to generate keys and otrust in rom
flash-gui: export otrust and import it in rom
key-init: import otrust.txt if present to supress warning about user public key being untrusted
