talos-2 (only) uses .tgz instead of .rom for updates. Currently, both
are treated as alternatives to a ZIP-format update archive with
SHA-256 integrity check, extend that to the prompts to reduce clutter.
Reflow the "You will need ... your BIOS image" prompt to fit on
fbwhiptail.
The .tgz format could be better integrated with the ZIP updates, but
this needs more work specific to talos-2.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Allow configuring the ZIP-format update file extension with
CONFIG_BRAND_UPDATE_PKG_EXT in board config. Default is 'zip'.
Create update package in the default Makefile target. Delete
create_npf.sh.
Do not require /tmp/verified_rom in the update file package's
sha256sum.txt (but allow it for backward compatibility).
Show the integrity error if unzip fails instead of dying (which returns
to main menu with no explanation, error is left on recovery console).
This is the most likely way corruption would be detected as ZIP has
CRCs. The sha256sum is still present for more robust detection.
Don't require the ROM to be the first file in sha256sum.txt since it
raises complexity of adding more files to the update archive in the
future. Instead require that the package contains exactly one file
matching '*.rom'.
Restore confirmation prompt for the update-package flow, at some point
this was lost.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Don't repeat this message if the user says "no" to the confirmation
prompt. Go directly to the menu.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Move confirmation of formatting flash drive with LUKS percentage
selection before any reset actions have been taken, so aborting does
not result in a half-reset system. Combine with the more basic
"confirm" prompt that existed after selecting the device (but did not
include the LUKS size information).
Split up prepare_flash_drive into interactive_prepare_flash_drive (both
prompts and formats as before), confirm_thumb_drive_format (just
confirms the selections), and prepare_thumb_drive (now noninteractive).
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Combine prompt to disconnect other devices with prompt to connect the
desired device.
Show block device sizes in MB/GB when selecting device so it is easier
to select. file_selector now supports --show-size to include block
device sizes in menu.
Rework file_selector so menu options can contain spaces (use bash
array) and to simplify logic.
Prompt to select flash drive and LUKS percentage in OEM reset before
actually taking any actions, so aborting doesn't half-reset the system.
Abort OEM reset if user aborts the flash drive selection instead of
looping forever. (Canceling the confirmation still loops to retry but
it is possible to exit by aborting the repeated menu.)
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Warn user if connected usb block device is less then 128mb, since creating LUKS container of less then 8mb might cause issues.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Prompt for TPM owner password internally within tpm2_counter_create.
Add tpm1_counter_create to prompt for password internally. Wipe the
cache in either if the operation fails, in case the password was
incorrect.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
- document why shred is still called under functions:check_tpm_counter for safety and add TODO there
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
gui-init: make sure that reseal_tpm_disk_decryption_key happens only on successful TOTP/HOTP sealing, reusing cached TPM Owner password
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Add comments after reboot/poweroff to clarify what they do. These
commands are here partly for discoverability by users who might not
know what to do in a recovery shell, so clarifying their purpose helps
those users figure out what to do.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Some device firmware, such as the graphics microcontroller, is needed
during the initrd - i915 is often loaded in the initrd, and this is the
only chance to load GuC firmware.
Device firmware must still be available after the real root is mounted
too, so update the custom firmware path in the kernel when the firmware
is moved to /run.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Add Librem 11 board.
Librem 11 uses coreboot graphics init, which is done with FSP GOP.
Set a custom keymap for the volume/power keys. Configure the volume
keys as up/down arrows (for navigation in fbwhiptail, and for shell
history in the Linux console). Configure the power key as Enter.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Allow boards to optionally include loadkeys to set a custom keymap.
showkey and dumpkeys (normally only needed for development) can also be
optionally included.
Remove *.map from .gitignore; this was probably intended for build
artifacts that are now excluded via the build/ directory.
Add reboot and poweroff to shell history, which is useful for devices
lacking full hardware keyboards to escape the recovery shell with just
"up" and "enter".
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Improve speed by pre-filtering only for lines containing any tokens of
interest to flashrom_progress_tokenize().
Improve reliability by avoiding dropping tokens that cross a stream
buffer boundary. Occasionally, a token could be missed if it crosses a
stream buffer boundary, due to read timing out too quickly before the
next buffer is flushed. If this was a state-changing token,
flashrom_progress() would hang forever.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
* use GPG_ALGO as gpg key generation algorithm
* determine GPG_ALGO during runtime like this:
* if CONFIG_GPG_ALGO is set, use as preference
* adapt based on usb-token capabilities (currently only Nitrokey 3)
Changes:
- As per master: when TOTP cannot unseal TOTP, user is prompted to either reset or regenerate TOTP
- Now, when either is done and a previous TPM Disk Unlock Key was setuped, the user is guided into:
- Regenerating checksums and signing them
- Regenerating TPM disk Unlock Key and resealing TPM disk Unlock Key with passphrase into TPM
- LUKS header being modified, user is asked to resign kexec.sig one last time prior of being able to default boot
- When no previous Disk Unlock Key was setuped, the user is guided into:
- The above, plus
- Detection of LUKS containers,suggesting only relevant partitions
- Addition of TRACE and DEBUG statements to troubleshoot actual vs expected behavior while coding
- Were missing under TPM Disk Unlock Key setup codepaths
- Fixes for #645 : We now check if only one slots exists and we do not use it if its slot1.
- Also shows in DEBUG traces now
Unrelated staged changes
- ash_functions: warn and die now contains proper spacing and eye attaction
- all warn and die calls modified if containing warnings and too much punctuation
- unify usage of term TPM Disk Unlock Key and Disk Recovery Key
prepare_thumb_drive: default to creating 10% LUKS container on usb drive, prompts for passphrase is not provided and scan drives if no --device specified
NOTE: qemu usb_thumb drive of 128 mb are not big enough so that 10% of it (12mb) can be used to create thumb drive.
Adds:
- e2fsprogs to support ext4 filesystem creation through mke2fs
- add /etc/mke2fs.conf so that mke2fs knows how to handle ext2/ext3/ext4
- removes mke2fs support from busybox
- bump busybox to latest version which adds cpu accelerated hash functions (not needed per se here)
- Adds exfatprogs to have mkfs.exfat and fsck.exfat
- Adds prepare_thumb_drive /etc/luks-functions to be able to prepare a thumb drive with percentage of drive assigned to LUKS, rest to exfat
- Modify most board configs to test space requirements failing
- Talos2 linux config: add staging Exfat support
- Make e2fsprogs and exfatprogs included by default unless explicitely deactivate in board configs
- Change cryptsetup calls : luksOpen to open and luksClose to close to addresss review
- etc/luks_functions: cleanup
GOAL here is to have secure thumb drive creation which Heads will be able to use to backup/restore/use generated GPG key material in the future (next PR)
Based on feedback, 1440p displays can benefit from 2x console as well.
Err toward a font too large rather than too small and lower the
threshold to 1350, which is the threshold fbwhiptail uses for 1.5x.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Build kbd and ship setfont if enabled with CONFIG_KBD.
When CONFIG_KBD is enabled, setconsolefont.sh will double the console
font size on large displays (>1600 lines tall as a heuristic).
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
On platforms using CONFIG_BOOT_EXTRA_TTYS multiple processes may try to
access TPM at the same time, failing with EBUSY. The order of execution
is unpredictable, so the error may appear on main console, secondary one,
or neither of them if the calls are sufficiently staggered. Try up to
three times (including previous one) with small delays in case of error,
instead of immediately scaring users with "you've been pwned" message.
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
Updated cbmem searches for CBMEM exposed by kernel in sysfs before
trying to read it from memory directly. As such, there is no need for
pointing to that file explicitly.
New coreboot revision also fixes output of 'cbmem -t' caused by wrong
endianness.
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
Simplify "enable" prompt a bit, clarify that firmware updating is
blocked, and remove mention of "failsafe boot mode". Reword "disable"
prompt similarly.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
The early recovery shell ("hold R") and serial recovery both could
bypass Restricted Boot since they occurred before config.user was
loaded. Load config.user earlier before these recovery methods.
Executing a shell directly (if recovery failed) also would bypass
Restricted Boot, additionally leaking /tmp/secret. Remove this from
the early recovery shell logic. Also remove the final failsafe exec
and move the "just in case" recovery from normal boot here instead, in
case the regular init script fails.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
The -s mode was removed, remove it from usage. Remove the test to skip
checking for board flashrom options with -s mode.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
The "disable restricted boot" prompt got slightly too long when fixing
the TPM wording. Re-wrap that line to match the others. Wrapping
could use some general cleanup but this is sufficient so the text isn't
truncated.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
The CONFIG_BASIC test was backwards, as a result it skipped the
LUKS disk unlock logic if basic mode was _not_ enabled. This wasn't
observed in the PureBoot distribution because we disable the LUKS disk
unlock feature.
CONFIG_BOOT_REQ_ROLLBACK and CONFIG_BOOT_REQ_HASH logic was also
skipped incorrectly, though neither of these are enabled on any board
so this had no effect in the PureBoot distribution either.
Test basic with each bit of logic to eliminate duplication of the
kexec-boot call and fix the LUKS disk unlock feature.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Only try the default PIN automatically for 1 month after key creation.
This simplifies initial ownership but still encourages changing the
PIN.
Never enter a PIN automatically if fewer than 3 attempts remain, to
avoid causing lockout if the PIN has been changed.
Remind what the default PIN was if it is not attempted for either
reason.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
HOTP/TOTP secrets don't have to be printable. Use binary data to
include 160 bits of entropy instead of just 80.
The secret is still limited to 20 bytes. Most keys now support up to
40 bytes, but tpmtotp is still limited to 20 bytes.
Move the truncation to 20 bytes a bit later, for future improvements to
detect the key's actual limit.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
flash.sh had a special mode to read (like -r) and then sha256sum the
resulting file. This is no different from just a read followed by a
sha256sum, and the only caller also had logic to sha256sum a cached
file anyway.
Just use flash.sh -r and sha256sum the result.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Basic mode allows (but does not require) setting a default boot option.
Don't seal disk unlock keys in Basic mode.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Some prompts were missed when changing to 0 80 the first time around,
and some new ones were added thinking that size was intentional.
Replace '16 60' with '0 80' globally.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Since 'standard boot' was removed, empty "$option" only occurs due to
error now. Die with a specific error.
Now, we only proceed past ISO boot if no ISOs were present, meaning the
disk might be a plain bootable medium. Present a specific error for
restricted boot in that case.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
The whiptail prompt text was copied from the 'read' prompt but did not
actually have the Abort option. Add it.
The "s for standard boot" option was missing from whiptail. For plain
'read' it does not appear to revert to a normal boot, it actually went
on to try plain bootable USB on the same medium. It's not realistic
for a disk to be both directly bootable and contain ISOs, and this
option does not appear to have been missed since it was missing from
the whiptail/fbwhiptail version, which almost all boards use. Remove
it.
Handle canceling fbwhiptail with esc-esc the same as Abort.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
This feature doesn't require a TPM. The configuration GUI appears
either way, but the actual check was silently skipped on TPM-less
devices. Enable it even if there is no TPM.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Allow configuring the root hash feature when the variables are not set
initially. This worked on Librem boards because the boards all have
defaults for these variables, but didn't work when those defaults were
not present.
Fix set_config function to put quotes around an added variable's value.
Change load_config_value function to default to empty, so it can be
used with non-boolean variables. None of the existing callers cared
about the 'n' default (boolean variables should always be tested ="y"
or !="y" anyway).
Use load_config_value in config-gui.sh for boot device and the root
hash parameters, so unset defaults do not cause a failure. Improve the
prompts so the "current value" text only appears if there is a current
value. Use set_config instead of replace_config so the variables will
be added if needed.
Prevent enabling the root hash feature if it hasn't been configured
yet.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Update flashrom - in particular, this includes support for new chipsets
like Jasper Lake.
CONFIG_INTERAL_X86 was created so CONFIG_INTERNAL could apply to other
platforms, enable it for x86.
The default build target now requires sphinx, just build flashrom
itself.
Update flashrom_progress - filter out noise in newer flashrom that
chokes the progress bar implementation, make size detection more
robust, improve progress bar implementation slightly.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Co-signed by: Thierry Laurion <insurgo@riseup.net.
Use CONFIG_BRAND_NAME to control the brand name displayed in the UI.
Override by setting BRAND_NAME when building, either in the Makefile or
on the command line.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Remove brand name from this configuration variable. For backward
compatibility, update config.user in init if the branded variable is
present.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Debian 12's initrd by default now consists of an uncompressed cpio
archive containing microcode, followed by a zstd-compressed cpio
archive. inject_firmware.sh only supported gzip-compressed cpio, so it
could not extract /init from this archive.
Add zstd-decompress to decompress zstd streams (uncompressed size is
about 180 KB).
Add unpack_initramfs.sh which is able to decompress uncompressed, gzip,
or zstd archives, with multiple segments, much like the Linux kernel
itself does.
Use unpack_initramfs.sh to extract /init for blob jail.
Don't compress the new archive segment containing firmware and the
updated /init.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
PureBoot doesn't have any other three-valued settings and this doesn't
present very well in the config UI.
Instead make this a two-valued setting; drop the mode that forces the
EC setting to "stay off" at every boot because this is the default.
When disabling automatic power-on, disable the EC BRAM setting too.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Stop manually loading config values, just update config in environment.
Never test values against "n", since many default to empty. Always
test ="y" or !="y", any other value is off.
Add set_user_config() function to set a value in config.user,
combine configs, and update config in environment. Use it in setting
implementations.
Remove toggle_config, it wasn't very useful because the settings still
test y/n in order to show specific confirmation and success messages.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Blob jail provides device firmware blobs to the OS, so the OS does not
have to ship them. The firmware is passed through the initrd to
/run/firmware, so it works with both installed and live OSes, and there
are no race conditions between firmware load and firmware availability.
The injection method in the initrd is specific to the style of init
script used by PureOS, since it must add a copy command to copy the
firmware from the initrd to /run. If the init script is not of this
type, boot proceeds without device firmware.
This feature can be enabled or disabled from the config GUI.
Blob jail is enabled automatically if the Intel AX200 Wi-Fi module is
installed and the feature hasn't been explicitly configured.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
