key-init makes sure trustdb is updated at run time and user and distro keys are ultimately trusted. Each time a file is signed, the related public key is showed without error on it's trustability.
flash-gui deals with gpg1 to gpg2 migration. If pubring.kbx is found, pubring.gpg is deleted from running rom dump.
This changes Heads' bootscript for the x230 to gui-init and adds config
options needed for it. The config is very similar to the librem13v2 config.
My comparison of startup-time from a power-button press shows 2.5 seconds
more with these changes applied.
That said, the experience is smooth, the GUI is beautiful and easier to use
than the shell and text menu, especially during setup. That's what we
buy with startup time here.
.ash_history: add examples to generate keys and otrust in rom
flash-gui: export otrust and import it in rom
key-init: import otrust.txt if present to supress warning about user public key being untrusted
gpg2 needs GPG_TTY set to function properly. We set it in /init so it
is inherited by all children. The call to $(tty) must be after /dev and
(preferably) /dev/pts are mounted.
Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
Launchpad offers HTTPS downloads, whereas other more obvious mirrors
(like the one used originally, as well as rpm5.org) do not.
Note: it is unclear to whether Launchpad's tarballs will always match
the checksum from upstream tarballs. However, at least for 1.16, this
condition does indeed seem to hold true. Homebrew, FWIW, lists OpenBSD
as a mirror:
https://github.com/Homebrew/homebrew-core/blob/master/Formula/popt.rb
The new URL automatically redirects to a nearby, current GNU mirror.
Also, the fact that it's HTTPS helps with restrictive outbound
firewall policies that disallow plaintext traffic (for example,
using Qubes' firewall functionality).
There are cases when grepping for an option in the config file where
grep will not find it, which is fine in this case, but without adjusting
the exit code in that case it can make an entire script bail out.
We need to handle the case where the specific config file doesn't exist,
or else grep fails, so we touch the file ahead of time. Mounting the usb
storage caused problems when you re-enter the menu a second time, so we
will just load the storage module.
As part of the config gui we want to be able to have the system define
new config options without them being lost if the user makes their own
changes in CBFS. To allow that this change creates a function initiated
in init that combines all /etc/config* files into /tmp/config. All
existing scripts have been changed to source /tmp/config instead of
/etc/config. The config-gui.sh script now uses /etc/config.user to hold
user configuration options but the combine_configs function will allow
that to expand as others want to split configuration out further.
As it stands here are the current config files:
/etc/config -- Compiled-in configuration options
/etc/config.user -- User preferences that override /etc/config
/tmp/config -- Running config referenced by the BIOS, combination
of existing configs
This change will add a new GUI script that will allow users to change
their running configuration (currently just /boot and USB boot options)
and optionally persist that modified configuration with reflashing the
BIOS with a modified cbfs.
The Librem coreboot is labeled with the current version and is visible
from dmidecode and is supposed to reflect the current version of
coreboot, however it was out of date and reflected 4.7 when Heads has
moved on to 4.8.1.
I've also added a simple change to further simplify onboarding by
warning users who have Librem Key configured when they boot without it
being inserted.
We want to catch the missing GPG keyring error regardless of TPM failure
or even in the case of a system without a TPM at all so we need to move
that section up above the TPM check.
To help with onboarding new users to Heads, this change will detect when
Heads does not have any keys in its keyring and will guide the user
through adding a key to the running BIOS. It's important that this
happen *before* guiding them through setting up an initial TOTP/HOTP
secret because adding a GPG key changes the BIOS, so the user would have
to generate TOTP/HOTP secrets 2x unless we handle the keyring case
first.
In addition to this change I've simplified the main menu so that the
majority of the options appear under an 'advanced' menu.
