Commit Graph

58 Commits

Author SHA1 Message Date
Thierry Laurion
40c34453df
all scripts: replace TRACE manual strings with dynamic tracing by bash debug
Exception: scripts sourcing/calls within etc/ash_functions continues to use old TRACE functions until we switch to bash completely getting rid of ash.
This would mean getting rid of legacy boards (flash + legacy boards which do not have enough space for bash in flash boards) once and for all.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-02-01 15:48:27 -05:00
tlaurion
5a75e6bffa
Merge pull request #1586 from JonathonHall-Purism/root-file-hash-qubes
Root file hashing: support Qubes default partition layout (+ tracing helpers)
2024-02-01 14:25:48 -05:00
Jonathon Hall
9b4eb8df71
config-gui.sh: Reword USB keyboard notice, show on enable only
Reword the notice shown when enabling USB keyboards based on feedback.
Remove the notice when disabling USB keyboard support, show it only
when enabling.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-31 09:58:35 -05:00
Jonathon Hall
70d249ae46
intird/bin/config-gui.sh: Clarify root hash menu item, minor cleanup
Say the action to take in the menu (enable or disable) instead of just
"Check root hashes at boot".

Clean up some use of load_config_value, set_config, combine_configs.
Get config values from the environment directly.  set_user_config does
set_config and combine_configs.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-17 16:34:47 -05:00
Jonathon Hall
0a823cb491
Allow laptops to include optional USB keyboard support
Laptops can include optional USB keyboard support (default off unless
the board also sets the default to 'y').  The setting is in the
configuration GUI.

CONFIG_USER_USB_KEYBOARD is now the user-controlled setting on those
boards.  'CONFIG_USB_KEYBOARD' is no longer used to avoid any conflict
with prior releases that expect this to be a compile-time setting only
(conflicts risk total lock out requiring hardware flash, so some
caution is justified IMO).

Boards previously exporting CONFIG_USB_KEYBOARD now export
CONFIG_USB_KEYBOARD_REQUIRED.  Those boards don't have built-in
keyboards, USB keyboard is always enabled. (librem_mini,
librem_mini_v2, librem_11, librem_l1um, librem_l1um_v2, talos-2,
kgpe-d16_workstation-usb_keyboard, x230-hotp-maximized_usb-kb).

Librem laptops now export CONFIG_SUPPORT_USB_KEYBOARD to enable
optional support.  The default is still 'off'.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-10 15:38:06 -05:00
Jonathon Hall
25b977d1e5
initrd/bin/config-gui.sh: Allow configuring automatic boot
Automatic boot can be configured in the configuration GUI.  Options are
disable, 1 second, 5 seconds, or 10 seconds.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-09 10:12:22 -05:00
Thierry Laurion
0b154aaee1
config-gui.sh: Add option to toggle DEBUG and TRACE output from Configuration Settings menu 2023-08-25 14:27:51 -04:00
Jonathon Hall
718be739eb
config-gui.sh: Reword Restricted Boot prompts
Simplify "enable" prompt a bit, clarify that firmware updating is
blocked, and remove mention of "failsafe boot mode".  Reword "disable"
prompt similarly.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-11 16:42:43 -04:00
Jonathon Hall
19610748d3
config-gui.sh: Fix truncated restricted boot prompt
The "disable restricted boot" prompt got slightly too long when fixing
the TPM wording.  Re-wrap that line to match the others.  Wrapping
could use some general cleanup but this is sufficient so the text isn't
truncated.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-07 16:39:55 -04:00
Jonathon Hall
6618dd652c
Restricted boot: Fix wording of 'disable' prompt, does not reset TPM
This was changed to just erase the TOTP/HOTP secret, not reset the TPM.
Update the prompt.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-30 14:31:53 -04:00
Jonathon Hall
e0c03be341
Change '16 60'-sized whiptail prompts to '0 80'
Some prompts were missed when changing to 0 80 the first time around,
and some new ones were added thinking that size was intentional.

Replace '16 60' with '0 80' globally.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-30 14:21:11 -04:00
Jonathon Hall
23a086dbf7
config-gui.sh: Simplify root hash device prompt
If we're removing leading slashes anyway, don't complicate the prompt
with more requirements.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-30 12:45:06 -04:00
Jonathon Hall
33c2cfb9b1
Root hash: Allow configuring from unset defaults
Allow configuring the root hash feature when the variables are not set
initially.  This worked on Librem boards because the boards all have
defaults for these variables, but didn't work when those defaults were
not present.

Fix set_config function to put quotes around an added variable's value.

Change load_config_value function to default to empty, so it can be
used with non-boolean variables.  None of the existing callers cared
about the 'n' default (boolean variables should always be tested ="y"
or !="y" anyway).

Use load_config_value in config-gui.sh for boot device and the root
hash parameters, so unset defaults do not cause a failure.  Improve the
prompts so the "current value" text only appears if there is a current
value.  Use set_config instead of replace_config so the variables will
be added if needed.

Prevent enabling the root hash feature if it hasn't been configured
yet.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-30 10:01:59 -04:00
Jonathon Hall
71243c1a13
config-gui.sh,gui-init: Fix whiptail message box sizes to 16 60
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 15:36:04 -04:00
Jonathon Hall
89858f52a9
Merge remote-tracking branch 'github-heads/master' into pureboot-27-heads-upstream
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 15:15:23 -04:00
Jonathon Hall
c5183253a6
Add CONFIG_BRAND_NAME and allow overriding in Makefile with BRAND_NAME
Use CONFIG_BRAND_NAME to control the brand name displayed in the UI.
Override by setting BRAND_NAME when building, either in the Makefile or
on the command line.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 14:47:59 -04:00
Jonathon Hall
3c4a9fcf0d
Rename CONFIG_PUREBOOT_BASIC to CONFIG_BASIC
Remove brand name from this configuration variable.  For backward
compatibility, update config.user in init if the branded variable is
present.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 14:42:46 -04:00
Jonathon Hall
e9a5b27e6c
librem_mini,librem_mini_v2: Don't use three values for auto poweron
PureBoot doesn't have any other three-valued settings and this doesn't
present very well in the config UI.

Instead make this a two-valued setting; drop the mode that forces the
EC setting to "stay off" at every boot because this is the default.

When disabling automatic power-on, disable the EC BRAM setting too.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:49 -04:00
Jonathon Hall
5e555359a4
config-gui.sh: Fix refactors, simplify implementation more
Stop manually loading config values, just update config in environment.

Never test values against "n", since many default to empty.  Always
test ="y" or !="y", any other value is off.

Add set_user_config() function to set a value in config.user,
combine configs, and update config in environment.  Use it in setting
implementations.

Remove toggle_config, it wasn't very useful because the settings still
test y/n in order to show specific confirmation and success messages.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:48 -04:00
Jonathon Hall
01594a823b
config-gui.sh: Update sizes of whiptail prompts
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:48 -04:00
Matt DeVillier
87eff7b775
gui-init: Implement blob jail feature
Blob jail provides device firmware blobs to the OS, so the OS does not
have to ship them.  The firmware is passed through the initrd to
/run/firmware, so it works with both installed and live OSes, and there
are no race conditions between firmware load and firmware availability.

The injection method in the initrd is specific to the style of init
script used by PureOS, since it must add a copy command to copy the
firmware from the initrd to /run.  If the init script is not of this
type, boot proceeds without device firmware.

This feature can be enabled or disabled from the config GUI.

Blob jail is enabled automatically if the Intel AX200 Wi-Fi module is
installed and the feature hasn't been explicitly configured.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2023-06-21 13:26:47 -04:00
Jonathon Hall
2d3ecfa41e
librem_mini/librem_mini_v2: Add automatic power-on setting
Mini v1/v2's EC can automatically power on the system when power is
applied, based on a value in EC BRAM.  Add a configuration setting to
optionally set this value.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:47 -04:00
Jonathon Hall
206d59dc71
Add USB autoboot feature to PureBoot Basic
USB autoboot automatically boots to a USB flash drive if one is present
during boot.  This is intended for headless deployments as a method to
recover the installed operating system from USB without needing to
attach a display and keyboard.

USB autoboot can be controlled in config.user and the config GUI.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:46 -04:00
Kyle Rankin
79da79a5e4
Implement Restricted Boot Mode
Restricted Boot mode only allows booting from signed files, whether that
is signed kernels in /boot or signed ISOs on mounted USB disks. This
disables booting from abitrary USB disks as well as the forced "unsafe"
boot mode. This also disables the recovery console so you can't bypass
this mode simply by running kexec manually.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:45 -04:00
Matt DeVillier
4bc6159ab6
Add PureBoot Basic Mode
PureBoot Basic mode provides the full Linux userspace in firmware from
Heads without requiring verified boot or a Librem Key.  Basic and
verified boot can be switched freely without changing firmware, such as
if a Librem Key is lost.

PureBoot Basic can apply firmware updates from a USB flash drive, and
having a complete Linux userspace enables more sophisticated recovery
options.

Basic mode boots to the first boot option by default, setting a default
is not required.  This can be configured in the config GUI.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:45 -04:00
Jonathon Hall
3a917bb90b
config-gui.sh: Extract utilities from config-gui.sh
Extract utilities from config-gui.sh for use in additional config
settings.  read_rom() reads the current ROM with a message for failure.
replace_rom_file() replaces a CBFS file in a ROM.  set_config() sets a
configuration variable in a file.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:43 -04:00
Kyle Rankin
efc49c7425
Add Root file hash feature
Currently Heads will check files in /boot for tampering before booting
into a system. It would be nice if you could use the trusted environment
within Heads and extend this to check files in / itself. This new script
adds that functionality, however due to the length of time it takes to
perform these kinds of checks, it doesn't run automatically (yet).

This feature can be configured from the config GUI - the root device/
directories to check can be set, and it can be configured to run during
boot.

To make this a bit easier to use, I added a feature to detect whether
the hash file exists and if not, to display a more limited menu to the
user guiding them to create the initial hash file. Otherwise it will
display the date the file was last modified, which can be useful to
determine how stale it is.
2023-06-21 13:26:37 -04:00
Thierry Laurion
995a6931f1
config-gui.sh: permit io386 platform locking to be dynamically disabled at runtime
ash_functions: make sure /tmp/config is sourced before going to recovery shell
TODO: revisit https://source.puri.sm/firmware/pureboot/-/blob/Release-27/initrd/bin/config-gui.sh#L33 to have proper config store later on
2023-06-20 12:42:12 -04:00
Jonathon Hall
b500505312
tpm2-tools: Change sense of CONFIG_TPM to mean any TPM, not just TPM1.
Most logic throughout Heads doesn't need to know TPM1 versus TPM2 (and
shouldn't, the differences should be localized).  Some checks were
incorrect and are fixed by this change.  Most checks are now unchanged
relative to master.

There are not that many places outside of tpmr that need to
differentiate TPM1 and TPM2.  Some of those are duplicate code that
should be consolidated (seal-hotpkey, unseal-totp, unseal-hotp), and
some more are probably good candidates for abstracting in tpmr so the
business logic doesn't have to know TPM1 vs. TPM2.

Previously, CONFIG_TPM could be variously 'y', 'n', or empty.  Now it
is always 'y' or 'n', and 'y' means "any TPM".  Board configs are
unchanged, setting CONFIG_TPM2_TOOLS=y implies CONFIG_TPM=y so this
doesn't have to be duplicated and can't be mistakenly mismatched.

There were a few checks for CONFIG_TPM = n that only coincidentally
worked for TPM2 because CONFIG_TPM was empty (not 'n').  This test is
now OK, but the checks were also cleaned up to '!= "y"' for robustness.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:46 -05:00
Jonathon Hall
d51993b6a9
tpm-reset: Reduce duplication with tpmr reset
Use common password prompt logic in tpm-reset rather than duplicating
in tpmr reset.

Use common logic in config-gui.sh to reset the TPM.

Use common logic in oem-factory-reset to reset TPM.  Fixes extra
prompts for TPM2 owner password even when choosing to use a common
password.  Fix sense of "NO TPM" check in TOTP generation (which only
happened to work because CONFIG_TPM is empty for TPM2).

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:46 -05:00
Thierry Laurion
8da5d5d723
Add dual support for real bash and busybox's bash(ash)
- modify bash to have it configured with -Os
2023-03-08 12:45:44 -05:00
Thierry Laurion
6923fb5e20
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards
-coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations)
-swtpm set to be launched under TPM v2.0 mode under board config
-Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized)
This is skeleton for TPM v2 integration under Heads

-------------
WiP

TODO:
- libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built
- Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing
- init tries to bind fd and fails currently
- Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output
- When no OS' /boot can be mounted, do not try to TPM reset (will fail)

- seal-hotpkey is not working properly
- setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM)
  - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase.
- primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup
- would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only
- tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help.
  - Implementing them would be better
- REVIEW TODOS IN CODE
- READD CIRCLECI CONFIG

Current state:
- TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid)
- TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without.
 - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails.

- Current tests are with fbwhiptail (no clear called so having traces on command line of what happens)
 - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
2023-03-08 12:45:43 -05:00
Thierry Laurion
8259d3ca1e
Add TRACE function tracing function to output on console when enabled
- Add TRACE function tracing output under etc/functions, depending on CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT enabled in board configs
- Replace current DEBUG to TRACE calls in code, reserving DEBUG calls for more verbose debugging later on (output of variables etc)
- add 'export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y' in qemu-coreboot(fb)whiptail-tpm1(-hotp) boards to see it in action
2023-02-20 11:44:52 -05:00
Thierry Laurion
5bc2bc88e4
All scripts and functions: Add DEBUG calling trace on console when CONFIG_DEBUG_OUTPUT is exported in board config
-qemu-coreboot-*whiptail-tpm1(-hotp) boards have 'export CONFIG_DEBUG_OUTPUT=y' by default now
2023-02-18 21:52:44 -05:00
Thierry Laurion
81b4bb77de
whiptail: no more whiptail reseting console on call (--clear)
So we have console logs to troubleshoot errors and catch them correctly
2022-11-15 15:11:58 -05:00
Sergii Dmytruk
5ee3219322
Add cbfs wrapper script to handle PNOR
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-11-11 00:59:12 +02:00
Thierry Laurion
9bb6be8874
whiptail: fixate width to 80 characters and have height dynamic to all whiptail/fbwhiptail prompts 2022-11-09 11:51:27 -05:00
Matt DeVillier
de0ce98da3 etc/functions, gpg-gui: Filter boot device options with '/dev/'
Grepping on just 'Disk' can lead to disk UUID identifier strings
being added to /tmp/disklist, which then fail to parse later on.
Avoid this by grepping on 'Disk /dev' instead.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-15 14:42:15 -04:00
Matt DeVillier
43b50788c6 config-gui: Show error if no disks found
Currently, if no disks on system, selection of a new /boot
device will silently fail and simply return the user to the
previous screen. Add an error dialog if no disks found.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-15 14:42:15 -04:00
Matt DeVillier
32716c8ce6 gui*: Improve consistency of background color use
Persist the background color (and error state) through
the main menu and all submenus. Use warning
background color for destructive operations, error color
for errors.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-15 14:42:15 -04:00
Matt DeVillier
6a3bb5897a Drop duplicate board-specific background color configs
Set and export currently-used defaults in gui-init, but still
allow for inidividual boards to override via config if desired.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-10-27 16:19:46 -04:00
Matt DeVillier
0b970b745e
config-gui: clean up boot device selection
When a new /boot device is selected, wait until after
successfully mounting the newly-selected device before
updating CONFIG_BOOT_DEV.

Also, don't assume /boot already mounted, as this can cause
a false failure and prevent mounting of the newly-selected device.

Lastly, tidy up the error output in case mounting /boot fails.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-08-03 18:49:26 -05:00
Matt DeVillier
0afa599491
Fix eval of DEV_NUM_PARTITIONS
Using 'let' in these scripts fails when evaluating to zero
for some reason, so replace with '$(())' which works as intended.

Test: Boot device selection menu shown properly when
new/unpartitioned drive installed.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-08-03 18:48:58 -05:00
Matt DeVillier
f7c4cae903
*gui.sh: move common ops to gui_functions
Move code duplicated across several GUI scripts into a common
gui_functions file and include/use that.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-07-10 17:37:07 -05:00
Matt DeVillier
5dc9b0b457
config-gui: mount new /boot after selection
Users may wish to temporarily boot an OS from a drive other than
their primary boot drive, without changing the default and saving
to ROM. Mounting /boot after changing the device selection
facilitates this by allowing the user to then choose an unsafe boot
from the newly-selected boot drive.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-11-18 11:16:53 -06:00
Matt DeVillier
0599ce97af
config-gui: fix Save Config option
when commit [928f003] config-gui: add 'Full Reset' option
was added, the bottom end of the save config option was
accidentally truncated; restore it to fix save config option

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-11-18 11:16:49 -06:00
Matt DeVillier
928f003550
config-gui: add 'Full Reset' option
Add Full Reset option to clear all GPG keys and user settings,
both from the local filesystem and running firmware, and
clear/reset the TPM

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-05 11:03:45 -05:00
Matt DeVillier
c982be5bd4
config-gui: filter out invalid boot device options
use similar filtering logic as with USB drives to provide
the user a more sane list of boot device options. Show user
only valid bootable partitions, not block devices.

There's no point in showing /dev/nvme0 and /dev/nvme0n1 (eg)
when /dev/nvme0n1p[1..n] (eg) exist, as the former are not
valid boot devices.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-05 11:03:44 -05:00
Matt DeVillier
34394032de
config-gui: add optional param to bypass menu
Add optional parameter to bypass menu selection and
immediately select a menu option. This allows us to call
the 'Set Boot Device' option directly, saving the user
an unnecessary step.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-05 11:03:44 -05:00
Matt DeVillier
5ca3069b23
config-gui: add optional param to set file_selector title
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-05 11:03:43 -05:00