Commit Graph

52 Commits

Author SHA1 Message Date
Thierry Laurion
0b154aaee1
config-gui.sh: Add option to toggle DEBUG and TRACE output from Configuration Settings menu
2023-08-25 14:27:51 -04:00
Jonathon Hall
718be739eb
config-gui.sh: Reword Restricted Boot prompts
Simplify "enable" prompt a bit, clarify that firmware updating is
blocked, and remove mention of "failsafe boot mode".  Reword "disable"
prompt similarly.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-11 16:42:43 -04:00
Jonathon Hall
19610748d3
config-gui.sh: Fix truncated restricted boot prompt
The "disable restricted boot" prompt got slightly too long when fixing
the TPM wording.  Re-wrap that line to match the others.  Wrapping
could use some general cleanup but this is sufficient so the text isn't
truncated.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-07 16:39:55 -04:00
Jonathon Hall
6618dd652c
Restricted boot: Fix wording of 'disable' prompt, does not reset TPM
This was changed to just erase the TOTP/HOTP secret, not reset the TPM.
Update the prompt.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-30 14:31:53 -04:00
Jonathon Hall
e0c03be341
Change '16 60'-sized whiptail prompts to '0 80'
Some prompts were missed when changing to 0 80 the first time around,
and some new ones were added thinking that size was intentional.

Replace '16 60' with '0 80' globally.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-30 14:21:11 -04:00
Jonathon Hall
23a086dbf7
config-gui.sh: Simplify root hash device prompt
If we're removing leading slashes anyway, don't complicate the prompt
with more requirements.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-30 12:45:06 -04:00
Jonathon Hall
33c2cfb9b1
Root hash: Allow configuring from unset defaults
Allow configuring the root hash feature when the variables are not set
initially.  This worked on Librem boards because the boards all have
defaults for these variables, but didn't work when those defaults were
not present.

Fix set_config function to put quotes around an added variable's value.

Change load_config_value function to default to empty, so it can be
used with non-boolean variables.  None of the existing callers cared
about the 'n' default (boolean variables should always be tested ="y"
or !="y" anyway).

Use load_config_value in config-gui.sh for boot device and the root
hash parameters, so unset defaults do not cause a failure.  Improve the
prompts so the "current value" text only appears if there is a current
value.  Use set_config instead of replace_config so the variables will
be added if needed.

Prevent enabling the root hash feature if it hasn't been configured
yet.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-30 10:01:59 -04:00
Jonathon Hall
71243c1a13
config-gui.sh,gui-init: Fix whiptail message box sizes to 16 60
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 15:36:04 -04:00
Jonathon Hall
89858f52a9
Merge remote-tracking branch 'github-heads/master' into pureboot-27-heads-upstream
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 15:15:23 -04:00
Jonathon Hall
c5183253a6
Add CONFIG_BRAND_NAME and allow overriding in Makefile with BRAND_NAME
Use CONFIG_BRAND_NAME to control the brand name displayed in the UI.
Override by setting BRAND_NAME when building, either in the Makefile or
on the command line.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 14:47:59 -04:00
Jonathon Hall
3c4a9fcf0d
Rename CONFIG_PUREBOOT_BASIC to CONFIG_BASIC
Remove brand name from this configuration variable.  For backward
compatibility, update config.user in init if the branded variable is
present.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 14:42:46 -04:00
Jonathon Hall
e9a5b27e6c
librem_mini,librem_mini_v2: Don't use three values for auto poweron
PureBoot doesn't have any other three-valued settings and this doesn't
present very well in the config UI.

Instead make this a two-valued setting; drop the mode that forces the
EC setting to "stay off" at every boot because this is the default.

When disabling automatic power-on, disable the EC BRAM setting too.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:49 -04:00
Jonathon Hall
5e555359a4
config-gui.sh: Fix refactors, simplify implementation more
Stop manually loading config values, just update config in environment.

Never test values against "n", since many default to empty.  Always
test ="y" or !="y", any other value is off.

Add set_user_config() function to set a value in config.user,
combine configs, and update config in environment.  Use it in setting
implementations.

Remove toggle_config, it wasn't very useful because the settings still
test y/n in order to show specific confirmation and success messages.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:48 -04:00
Jonathon Hall
01594a823b
config-gui.sh: Update sizes of whiptail prompts
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:48 -04:00
Matt DeVillier
87eff7b775
gui-init: Implement blob jail feature
Blob jail provides device firmware blobs to the OS, so the OS does not
have to ship them.  The firmware is passed through the initrd to
/run/firmware, so it works with both installed and live OSes, and there
are no race conditions between firmware load and firmware availability.

The injection method in the initrd is specific to the style of init
script used by PureOS, since it must add a copy command to copy the
firmware from the initrd to /run.  If the init script is not of this
type, boot proceeds without device firmware.

This feature can be enabled or disabled from the config GUI.

Blob jail is enabled automatically if the Intel AX200 Wi-Fi module is
installed and the feature hasn't been explicitly configured.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2023-06-21 13:26:47 -04:00
Jonathon Hall
2d3ecfa41e
librem_mini/librem_mini_v2: Add automatic power-on setting
Mini v1/v2's EC can automatically power on the system when power is
applied, based on a value in EC BRAM.  Add a configuration setting to
optionally set this value.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:47 -04:00
Jonathon Hall
206d59dc71
Add USB autoboot feature to PureBoot Basic
USB autoboot automatically boots to a USB flash drive if one is present
during boot.  This is intended for headless deployments as a method to
recover the installed operating system from USB without needing to
attach a display and keyboard.

USB autoboot can be controlled in config.user and the config GUI.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:46 -04:00
Kyle Rankin
79da79a5e4
Implement Restricted Boot Mode
Restricted Boot mode only allows booting from signed files, whether that
is signed kernels in /boot or signed ISOs on mounted USB disks. This
disables booting from arbitrary USB disks as well as the forced "unsafe"
boot mode. This also disables the recovery console so you can't bypass
this mode simply by running kexec manually.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:45 -04:00
Matt DeVillier
4bc6159ab6
Add PureBoot Basic Mode
PureBoot Basic mode provides the full Linux userspace in firmware from
Heads without requiring verified boot or a Librem Key.  Basic and
verified boot can be switched freely without changing firmware, such as
if a Librem Key is lost.

PureBoot Basic can apply firmware updates from a USB flash drive, and
having a complete Linux userspace enables more sophisticated recovery
options.

Basic mode boots to the first boot option by default, setting a default
is not required.  This can be configured in the config GUI.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:45 -04:00
Jonathon Hall
3a917bb90b
config-gui.sh: Extract utilities from config-gui.sh
Extract utilities from config-gui.sh for use in additional config
settings.  read_rom() reads the current ROM with a message for failure.
replace_rom_file() replaces a CBFS file in a ROM.  set_config() sets a
configuration variable in a file.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:43 -04:00
Kyle Rankin
efc49c7425
Add Root file hash feature
Currently Heads will check files in /boot for tampering before booting
into a system. It would be nice if you could use the trusted environment
within Heads and extend this to check files in / itself. This new script
adds that functionality, however due to the length of time it takes to
perform these kinds of checks, it doesn't run automatically (yet).

This feature can be configured from the config GUI - the root device/
directories to check can be set, and it can be configured to run during
boot.

To make this a bit easier to use, I added a feature to detect whether
the hash file exists and if not, to display a more limited menu to the
user guiding them to create the initial hash file. Otherwise it will
display the date the file was last modified, which can be useful to
determine how stale it is.
2023-06-21 13:26:37 -04:00
Thierry Laurion
995a6931f1
config-gui.sh: permit io386 platform locking to be dynamically disabled at runtime
ash_functions: make sure /tmp/config is sourced before going to recovery shell
TODO: revisit https://source.puri.sm/firmware/pureboot/-/blob/Release-27/initrd/bin/config-gui.sh#L33 to have proper config store later on
2023-06-20 12:42:12 -04:00
Jonathon Hall
b500505312
tpm2-tools: Change sense of CONFIG_TPM to mean any TPM, not just TPM1.
Most logic throughout Heads doesn't need to know TPM1 versus TPM2 (and
shouldn't, the differences should be localized).  Some checks were
incorrect and are fixed by this change.  Most checks are now unchanged
relative to master.

There are not that many places outside of tpmr that need to
differentiate TPM1 and TPM2.  Some of those are duplicate code that
should be consolidated (seal-hotpkey, unseal-totp, unseal-hotp), and
some more are probably good candidates for abstracting in tpmr so the
business logic doesn't have to know TPM1 vs. TPM2.

Previously, CONFIG_TPM could be variously 'y', 'n', or empty.  Now it
is always 'y' or 'n', and 'y' means "any TPM".  Board configs are
unchanged, setting CONFIG_TPM2_TOOLS=y implies CONFIG_TPM=y so this
doesn't have to be duplicated and can't be mistakenly mismatched.

There were a few checks for CONFIG_TPM = n that only coincidentally
worked for TPM2 because CONFIG_TPM was empty (not 'n').  This test is
now OK, but the checks were also cleaned up to '!= "y"' for robustness.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:46 -05:00
Jonathon Hall
d51993b6a9
tpm-reset: Reduce duplication with tpmr reset
Use common password prompt logic in tpm-reset rather than duplicating
in tpmr reset.

Use common logic in config-gui.sh to reset the TPM.

Use common logic in oem-factory-reset to reset TPM.  Fixes extra
prompts for TPM2 owner password even when choosing to use a common
password.  Fix sense of "NO TPM" check in TOTP generation (which only
happened to work because CONFIG_TPM is empty for TPM2).

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:46 -05:00
Thierry Laurion
8da5d5d723
Add dual support for real bash and busybox's bash(ash)
- modify bash to have it configured with -Os
2023-03-08 12:45:44 -05:00
Thierry Laurion
6923fb5e20
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards
-coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations)
-swtpm set to be launched under TPM v2.0 mode under board config
-Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized)
This is skeleton for TPM v2 integration under Heads

-------------
WiP

TODO:
- libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built
- Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing
- init tries to bind fd and fails currently
- Note: Check if whiptail is different from fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output
- When no OS' /boot can be mounted, do not try to TPM reset (will fail)

- seal-hotpkey is not working properly
- setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM)
  - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock key passphrase.
- primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is set up correctly at disk unlock key setup
- would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only
- tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help.
  - Implementing them would be better
- REVIEW TODOS IN CODE
- READD CIRCLECI CONFIG

Current state:
- TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid)
- TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without.
 - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails.

- Current tests are with fbwhiptail (no clear called so having traces on command line of what happens)
 - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
2023-03-08 12:45:43 -05:00
Thierry Laurion
8259d3ca1e
Add TRACE function tracing function to output on console when enabled
- Add TRACE function tracing output under etc/functions, depending on CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT enabled in board configs
- Replace current DEBUG to TRACE calls in code, reserving DEBUG calls for more verbose debugging later on (output of variables etc)
- add 'export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y' in qemu-coreboot(fb)whiptail-tpm1(-hotp) boards to see it in action
2023-02-20 11:44:52 -05:00
Thierry Laurion
5bc2bc88e4
All scripts and functions: Add DEBUG calling trace on console when CONFIG_DEBUG_OUTPUT is exported in board config
-qemu-coreboot-*whiptail-tpm1(-hotp) boards have 'export CONFIG_DEBUG_OUTPUT=y' by default now
2023-02-18 21:52:44 -05:00
Thierry Laurion
81b4bb77de
whiptail: no more whiptail resetting console on call (--clear)
So we have console logs to troubleshoot errors and catch them correctly
2022-11-15 15:11:58 -05:00
Sergii Dmytruk
5ee3219322
Add cbfs wrapper script to handle PNOR
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-11-11 00:59:12 +02:00
Thierry Laurion
9bb6be8874
whiptail: fixate width to 80 characters and have height dynamic to all whiptail/fbwhiptail prompts
2022-11-09 11:51:27 -05:00
Matt DeVillier
de0ce98da3
etc/functions, gpg-gui: Filter boot device options with '/dev/'
Grepping on just 'Disk' can lead to disk UUID identifier strings
being added to /tmp/disklist, which then fail to parse later on.
Avoid this by grepping on 'Disk /dev' instead.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-15 14:42:15 -04:00
Matt DeVillier
43b50788c6
config-gui: Show error if no disks found
Currently, if no disks on system, selection of a new /boot
device will silently fail and simply return the user to the
previous screen. Add an error dialog if no disks found.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-15 14:42:15 -04:00
Matt DeVillier
32716c8ce6
gui*: Improve consistency of background color use
Persist the background color (and error state) through
the main menu and all submenus. Use warning
background color for destructive operations, error color
for errors.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-15 14:42:15 -04:00
Matt DeVillier
6a3bb5897a
Drop duplicate board-specific background color configs
Set and export currently-used defaults in gui-init, but still
allow for individual boards to override via config if desired.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-10-27 16:19:46 -04:00
Matt DeVillier
0b970b745e
config-gui: clean up boot device selection
When a new /boot device is selected, wait until after
successfully mounting the newly-selected device before
updating CONFIG_BOOT_DEV.

Also, don't assume /boot already mounted, as this can cause
a false failure and prevent mounting of the newly-selected device.

Lastly, tidy up the error output in case mounting /boot fails.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-08-03 18:49:26 -05:00
Matt DeVillier
0afa599491
Fix eval of DEV_NUM_PARTITIONS
Using 'let' in these scripts fails when evaluating to zero
for some reason, so replace with '$(())' which works as intended.

Test: Boot device selection menu shown properly when
new/unpartitioned drive installed.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-08-03 18:48:58 -05:00
Matt DeVillier
f7c4cae903
*gui.sh: move common ops to gui_functions
Move code duplicated across several GUI scripts into a common
gui_functions file and include/use that.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-07-10 17:37:07 -05:00
Matt DeVillier
5dc9b0b457
config-gui: mount new /boot after selection
Users may wish to temporarily boot an OS from a drive other than
their primary boot drive, without changing the default and saving
to ROM. Mounting /boot after changing the device selection
facilitates this by allowing the user to then choose an unsafe boot
from the newly-selected boot drive.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-11-18 11:16:53 -06:00
Matt DeVillier
0599ce97af
config-gui: fix Save Config option
when commit [928f003] config-gui: add 'Full Reset' option
was added, the bottom end of the save config option was
accidentally truncated; restore it to fix save config option

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-11-18 11:16:49 -06:00
Matt DeVillier
928f003550
config-gui: add 'Full Reset' option
Add Full Reset option to clear all GPG keys and user settings,
both from the local filesystem and running firmware, and
clear/reset the TPM

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-05 11:03:45 -05:00
Matt DeVillier
c982be5bd4
config-gui: filter out invalid boot device options
use similar filtering logic as with USB drives to provide
the user a more sane list of boot device options. Show user
only valid bootable partitions, not block devices.

There's no point in showing /dev/nvme0 and /dev/nvme0n1 (eg)
when /dev/nvme0n1p[1..n] (eg) exist, as the former are not
valid boot devices.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-05 11:03:44 -05:00
Matt DeVillier
34394032de
config-gui: add optional param to bypass menu
Add optional parameter to bypass menu selection and
immediately select a menu option. This allows us to call
the 'Set Boot Device' option directly, saving the user
an unnecessary step.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-05 11:03:44 -05:00
Matt DeVillier
5ca3069b23
config-gui: add optional param to set file_selector title
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-05 11:03:43 -05:00
Kyle Rankin
152689d5d5
Detect USB disk dynamically
Currently Heads relies on a hard-coded config value to determine which
USB disk to mount. This can be problematic when trying to distribute a
pre-built version of Heads that can work on multiple disk
configurations. I've modified the USB mounting script so that it
attempts to detect all USB boot disks present on the system, pick sane
defaults, and prompt the user when there are multiple choices.

I've also removed the USB configuration option from config-gui.sh as
this config option is no longer used.
2019-04-15 15:05:03 -07:00
Kyle Rankin
43a858e25c
Show the last setting for a config option if more than one exist
2018-12-06 16:45:40 -08:00
Kyle Rankin
dd3f650b81
Just load usb-storage module, not mount, bugfix in replace_config
We need to handle the case where the specific config file doesn't exist,
or else grep fails, so we touch the file ahead of time. Mounting the usb
storage caused problems when you re-enter the menu a second time, so we
will just load the storage module.
2018-12-06 15:41:20 -08:00
Kyle Rankin
3eb62eed1a
Use global /tmp/config that combines multiple config files
As part of the config gui we want to be able to have the system define
new config options without them being lost if the user makes their own
changes in CBFS. To allow that this change creates a function initiated
in init that combines all /etc/config* files into /tmp/config. All
existing scripts have been changed to source /tmp/config instead of
/etc/config. The config-gui.sh script now uses /etc/config.user to hold
user configuration options but the combine_configs function will allow
that to expand as others want to split configuration out further.

As it stands here are the current config files:

/etc/config -- Compiled-in configuration options
/etc/config.user -- User preferences that override /etc/config
/tmp/config -- Running config referenced by the BIOS, combination
               of existing configs
2018-12-06 15:24:28 -08:00
Kyle Rankin
49a131fa4b
Fix formatting on the default config GUI menu text
2018-12-06 13:51:46 -08:00
Kyle Rankin
f47df1edd6
Use mount-usb instead of enable_usb to find USB drives
2018-12-06 13:10:45 -08:00