Refactored boot parsing code and applied that in local-init to
scan /boot for grub options and allow the user to unsafely boot
anything. This goes a long way to addressing #196.
Optionally the user can customize those boot parameters or enforce
arbitrary hashes on the boot device by creating and signing config
files in /boot/ or /media/ or /media/kexec_iso/ISO_FILENAME/.
usb-boot automatically uses internal xen binary / command line
when multiboot is detected.
also tweaked to evaluate/remove variable refs in kexec arguments
Supports booting from USB media using either the root device or
a signed ISO as the boot device. Boot options are parsed with
quick/dirty shell scripts to infer kexec params.
Closes#195 and begins to address #196
This adds support for seamless booting of Qubes with a TPM disk key,
as well as signing of qubes files in /boot with a Yubikey.
The signed hashes also includes a TPM counter, which is incremented
when new hashes are signed. This prevents rollback attacks against
the /boot filesystem.
The TPMTOTP value is presented to the user at the time of entering
the disk encryption keys. Hitting enter will generate a new code.
The LUKS headers are included in the TPM sealing of the disk
encryption keys.
Issue #123: This streamline Qubes startup experience by
making it possible to have a single-password decryption.
Issue #29: The disk keys in `/secret.key` are passed to the systemd
in initramfs through `/etc/crypttab`, which is generated on each boot.
This is slow; need to look at alternate ways.
Issue #110: By using LVM instead of partitions it is now
possible to find the root filesystem in a consistent way.
Issue #80: LVM is now included in the ROM.
This also adds a set of files in the qubes/ directory that
are meant to be copied to the /boot partition.
Issue #154: for ease of upgrading Qubes, the script should
live on /boot instead of in the ROM. This requires a GPG
signature on the startup script to avoid attacks by modifying
the boot script.
Issue #123: this streamlines the boot process for Qubes, although
the disk password is still not passed in correctly to the initrd
(issue #29).
This does not address issues #110 of how to find the root device.
The best approach is probably disk labels, which will require
special installation instructions.
This addresses multiple issues:
* Issue #63: initrd is build fresh each time, so tracked files do not matter.
* Issue #144: build time configuration
* Issue #123: allows us to customize the startup experience
* Issue #122: manual start-xen will go away
* Issue #25: tpmtotp PCRs are updated after reading the secret
* Issue #16: insmod now meaures modules
Reduce the size of flashrom by commenting out most flash chips,
boards and programmers.
Wrapper script to make it easier to rewrite the ROM on the x230
using the flashrom layout.
Keep the entire 12 MB ROM for flashing.
This is a step towards unifying the server and laptop config (issue #139)
and also makes it possible to later remove the USB modules from the
normal boot path.
Replace the expired key with my updated key, although users
should add their own keys to sign their own firmware images.
Todo: document how to add/replace public keys.
Longer term todo: remove trusted key from the initrd image
so that there is nothing variable between different users'
builds.