Since /etc/luks-functions are currently exporting passphrases tested good per cryptsetup to be reused in the code,
the logic calling both luks_reencrypt and luks_change_passphrase testing for non-empty luks_current_Disk_Recovery_Key_passphrase
was bogus.
This commit includes a new variable luks_new_Disk_Recovery_Key_desired which is set when reencryption is desired.
The 3 use cases (reencrypt+passphrase change, reencrypt no passphrase change and passphrase change alone now only test
for luks_new_Disk_Recovery_Key_desired and luks_new_Disk_Recovery_Key_passphrase_desired, nothing else.
network-init-reovery can be used to automatically set RTC clock to obtained NTP clock.
The script would fail if other devices devices previously registered on the network with the same MAC.
Consequently, maximized boards are detected here, and a full random MAC is generated and used instead of using hardcoded DE:AD:C0:FF:EE.
This continues to generate checksums and sign them per new GPG User PIN, but does not set a default boot option.
The user hitting Default Boot on reboot will go through having to setup a new boot default, which will ask him to setup a Disk Unlock Key if desired.
Otherwise, hitting Default Boot goes into asking the user for its Disk Recovery Key passphrase, and requires to manually setup a default boot option.
Simplify the menu options by removing the duplication of the entry name
in the menu selections; instead, use clear verbiage to distinish
between booting one time and making the default. And as the majority of
the boot menu is shown is when the grub entires have changed and the
user is prompted to select a new default, so make that the first/default
menu option.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Drop the duplicated kernel info which hurts readability, runs off the
end of the menu window. This also makes it easier to identify which
menu option is the default, and more closely resembles the grub menu
shown in a traditional BIOS boot.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
- this boards is a duplicate of x230-hotp-maximized with USB Keyboard support
Testing points:
- x230-hotp-maximized does not accept input from USB keyboard
- x230-hotp-maximized_usb-kb accepts input from USB keyboard
Testing points:
- None here. Board who exported "CONFIG_USB_KEYBOARD=y" have it packed under their initrd, but there is no logic loading the module yet.
Testing point:
- All board configs not explicitely stating export CONFIG_USB_KEYBOARD=y should not have any impact
- librem_l1um, kgpe-d16_workstation-usb_keyboard, librem_mini_v2 and librem_mini will loose USB Keyboard input with this commit alone.
Heads buildstystem:
Makefile logic will download modules packages under ./packages, check itheir integrity, then extract it and patch extraction directory ONLY if no corresponding .*_verify files are found under ./packages directory. They are extracted under build/modulename-ver/ where patches are applied prior of building them.
build/module* .configured is written when packages are configured under build/modulename-ver/.configured
build/modules* .build is written when packages are built under build/modulename-ver/.build
CircleCI caching subsystem notes:
A cache name tag is calculated in the prep_env stage early at each beginning of a workflow, and consists of a cache name, appended by a calculated digest signature (which is the final hash of hashed files (the hash of a digest).
Look for the following under .circleci/config.yml:
"Creating .... digest statements" : they are basically files passed under sha256sum to create a digest.
restore_cache keys: they are basically a string concatenating: name + checksum of digest + CACHE_VERSION. Only the first cache is extracted following declared order.
save_cache keys: same as above, only saving non-existing caches. That is, skipping existing ones and creating missing ones.
A cache is extracted at the beginning of a workflow if an archive matches an archive name, which consists of a name tag + digest hash + CACHE_VERSION
A cache is created only at the end of a workflow ("Saving cache...").
Caches are specialized. Caches are linked to checkumming of some content. And the largest available cache is extracted on next workflow, only extracting the directories/files that were contained in that cache.
A workspace cache ("Attaching workspace..."), as opposed to a end workflow cache, is passed along steps that depends on prior workflow, as specified under CirclecI config. The current CircleCI config creates a workspace cache for:
make + gawk + musl-cross-make (passed along next)
the most massive board config for each coreboot version (passed along next)
which is finally leading to the workflow cache, specialized for different content that should not change across builds.
That is 3 caches
musl-cross-make and bootstrapping tools (builds make and gawk locally) as long as musl-cross module has same checksum
a coreboot cache, containing all coreboot building directories, as long as coreboot module and patches are having the same hashes
a global cache containing alla builds artifacts (build dir, install dir, musl-cross dir etc)
Consequently, a workspace cache contains all the files under a path that is specified. For heads running under CircleCI, this is ~/project, which is basically "heads" checked out GitHub project, and everything being built under it.
When a workflow is successful, save_cache is ran, constructing caches for digest hashes that are not yet saved (which corresponds to a hash matching muslc-cross module hash, coreboot+patches digest hash and another one for all modules and patches digest hash.
On next workspace iteration, pre_env step will include a "Restore cache" step, which will use the largest cache available and extract it prior of passing it as workspace caches. This is why there is no such different in build time when building on a clean build (the workspace caches layers are smaller, and passed along. This means saving it, passing it. next workspace downloads extracts and builds on top of those smaller layers), as opposed to a workspace reusing and repassing the bigger workspaces containing the whole cache (bigger initial cache extract, then compressing and saving it to be passed as a workspace layer that is then downloaded, extracted, building on top, compressing and saving which then passed as a workspace cache to the next layer depending on it).
And finally, the caching system (save_cache, restore_cache) is based on a CircleCI environment variable named CACHE_VERSION which is appended at the end of the checkum fingerprint of a named cache. It can at any moment be changed to wipe actually used cache, if for some reason it is broken.
Consequently:
CircleCI cache should include packages cache (so that packages are downloaded and verified only once.)
Heads Makefile only downloads, checks and extracts packages and then patch extracted directory content if packages/.module-version_verify doesn't exist. This was missing, causing coreboot tarballs to be redownloaded (not present under packages) and reextracted and repatched (since _verify file was not present under packages/*_verify)
- zlib 1.2.12 release is not respecting cross compiling. 1.2.11 disappeared from servers: taking another archive link, same hash.
- busybox 1.32.0 was not patched with 1.28.0 patch. Renaming patch so that its applied in fresh builds.
- initrd/bin/oem-factory-reset: adds a measured integrity output prior of prompts. Goal is for stating TOTP/HOTP/boot detached signed measurements prior of initiating a Re-Ownership, validating provisioned OEM state.
- initrd/bin/gui-init : Add two additional menu options to LUKS reencrypt and LUKS passphrase change, calling functions of initrd/bin/reencrypt-luks
- initrd/bin/gui-init : Add option F for EOM Factory Reset / Reownership when no public key is exported by key-init
oem-factory-reset: adapt code so that custom passphrases can be provided by user without changing oem factory reset workflow.
oem-factory-reset: output provisioned secrets on screen at the end of of the process.
oem-factory-reset: warn user of what security components will be provisioned with defaults/customs PINs prior of choosing not after
gui-init and oem-factory-reset: change OEM Factory Reset -> OEM Factory Reset / Re-Ownership to cover actual use cases
bin/kexec-parse-boot: test 2bb1f52bf5 that fix correctly comma seperated arguments.
Still TODO: when booting, Heads tries to find where the ISO with /dev/disk/by-label/ARCH_202202 wich is never brought up. uuids could, not sure why the label is not brought up correctly. Maybe an issue in the way Arch makes the ISO.
@tslilc : Any idea to continue #584 or modify #762?
It is going to be enabled later anyway (if CONFIG_HOTPKEY=y), so it can
also be simplified by enabling it at the very beginning.
This enables USB keyboard consistently during all boot menus, including
the "No Bootable OS Found" prompt. It isn't a big deal for "normal"
laptop usage, but it is important for automatic tests and also
non-laptop systems.
