Commit Graph

166 Commits

Author SHA1 Message Date
Kyle Rankin
eaaa1dad39
Fix tab alignment to conform with rest of script 2018-03-14 10:24:14 -07:00
Kyle Rankin
665754122d
Allow insecure boot mode to bypass kexec sig checks
There was a bug in the "force" boot mode where it would still fail if
signatures didn't match. This was because the check_config function
validates the signatures for kexec files. I've added a few conditionals
here so that in the case of a forced boot mode, we can bypass those
signature checks that would prevent boot and error out to a recovery
console.
2018-03-14 10:18:52 -07:00
Kyle Rankin
769f6a7a24
Create nested menus and add option to rehash/sign /boot
The number of options we want in the menu is starting to get large
enough that it's worth slimming things down in the main menu and move
options to nested menus. Along with this nested menu change is the
option to re-sign and re-hash files in /boot directly from the menu.
2018-03-14 10:14:22 -07:00
Francis Lam
e86123769b
Moved network init to a separate bootscript
Enabled recovery serial console (tested on kgpe-d16)
Minor fix to kexec-boot to correct xen boot
Remove busybox power utils
2018-03-10 15:40:07 -08:00
Kyle Rankin
dee52415fa
Add a menu option to reset TPM for bootstrapping. Widen menus.
One of the other core functions a user needs when bootstrapping is
taking over the TPM. I've added a new option in the menu for this and it
revealed that some of the menus needed more space so I've widened all
the menus and also made the main menu longer so the options don't
scroll.
2018-03-08 16:36:56 -08:00
Trammell hudson
9c9b5bcd2b
Merge branch 'add_gui_hash_alert' of https://github.com/kylerankin/heads 2018-03-08 14:41:44 -05:00
Trammell hudson
1043da2860
Merge branch 'add_force_boot_mode' of https://github.com/kylerankin/heads 2018-03-08 11:53:56 -05:00
Trammell hudson
6443442912
restore /etc/motd 2018-03-08 01:14:41 -05:00
Trammell hudson
091ae92b6f
Merge branch 'KGPE-D16_port_NoTPM' of https://github.com/tlaurion/heads 2018-03-08 01:13:16 -05:00
Thierry Laurion
31dd1f4b62
kexec-boot patch so that xen can be booted from bootdir and referred xen.gz and not internal flash xen.gz 2018-03-08 00:58:50 -05:00
Kyle Rankin
8152e8c796
Add a "force" option to kexec-select-boot to bypass hash checks
The point of this change is to provide a failsafe (failunsafe?) mode for
less technically-savvy users who will ultimately be using Heads by
default on Librem laptops.

There are some scenarios where an end user might forget to update hashes
in /boot after an initrd change or might have some other hash mismatch.
Currently that user would then be stuck in a recovery console in Heads
not knowing what to do within that limited shell environment to fix the
situation.

This change adds a 'force' mode to kexec-select-boot that goes straight
into a boot menu and bypasses the hash checks so the user could more
easily get back into their system to attempt to repair it. It adds
appropriate warnings about why this is a risky option and moves it down
toward the bottom of the menu. The goal would be to just have this be an
emergency option our support could guide a user to if they ended up in
this situation.
2018-03-05 14:46:15 -08:00
Thierry Laurion
1c1a1a215d
reverting changes that were not merged from other branches 2018-03-01 01:53:37 -05:00
Thierry Laurion
9eadb07280
Merging to osresearch master 2018-03-01 01:37:36 -05:00
Thierry Laurion
23ae788c6f
Board, linux and coreboot configs 2018-03-01 00:40:46 -05:00
Trammell hudson
f9a12a270a
Merge branch 'add_gui_init' of https://github.com/kylerankin/heads into kylerankin-add_gui_init 2018-02-28 15:06:06 -05:00
Trammell hudson
a84ea7b9de
Merge branch 'tpm-optional' of https://github.com/persmule/heads 2018-02-28 13:33:01 -05:00
Trammell hudson
e4106c6969
Merge branch 'clean_up_init' of https://github.com/kylerankin/heads 2018-02-26 13:15:34 -05:00
Francis Lam
e9312e19bf
Cleanup of init to support server and desktop
Guarded linuxboot specific init entries
Removed Makefile entries into separate file (conflicts with srcing /etc/config)
Added CONFIG_BOOT_LOCAL/_REMOTE to control interface setup
Fixed CONFIG_TPM usage
2018-02-25 11:51:19 -08:00
persmule
b5072390ee
Make TPM dependency optional and controlled by flag CONFIG_TPM
if "CONFIG_TPM=y" is not present in the config file, functionalities
needing TPM could be disabled, while leaving other functionalities intact.

This will make Heads a more general-usage bootloader payload atop coreboot.
2018-02-24 14:46:33 -08:00
persmule
43ba7a777d fix the broken if syntax 2018-02-24 14:49:10 +08:00
Kyle Rankin
fbbfc8e22f
Replace remaining text-only options in main workflow w/ gui menus
In particular I added a GUI menu to instruct the user if there is no
TOTP code registered (as is the case upon first flash) and also added
better handling of the case the user selects 'default boot' when there
is no default boot set yet. Apart from that where there were text-only
menus left in gui-init I've replaced them with GUI menus.
2018-02-23 12:13:21 -08:00
Kyle Rankin
6ab78ae236
Add gui option to kexec-select-boot, use in gui-init menu option
When selecting the boot menu option (m) in the gui-init you call out to
kexec-select-boot. To better maintain the graphical menu experience,
I've added a -g option to kexec-select-boot that, when set, will use a
graphical whiptail menu for the most common menu selection modes.
2018-02-22 13:18:16 -08:00
Kyle Rankin
57405b0d28
Add menu for TOTP updates, provide sample board config to use gui-init 2018-02-21 15:58:54 -08:00
Kyle Rankin
140064bbf8
Add graphical init menu that uses whiptail
This is a modified version of the generic-init script that uses whiptail
to generate a graphical menu. I changed two of the options so that the
user can refresh the menu to get an updated TOTP code if needed.
2018-02-20 15:35:37 -08:00
persmule
baa30a2026 Add OHCI and UHCI drivers to initrd.
USB smart card readers are most full speed devices, and there is no
"rate-matching hubs" beneath the root hub on older (e.g. GM45) plat-
forms, which has companion OHCI or UHCI controllers and needs cor-
responding drivers to communicate with card readers directly plugged
into the motherboard, otherwise a discrete USB hub should be inserted
between the motherboard and the reader.

This time I make inserting linux modules for OHCI and UHCI controllable
with option CONFIG_LINUX_USB_COMPANION_CONTROLLER.

A linux config for x200 is added as an example.

Tested on my x200s and elitebook revolve 810g1.
2018-02-15 22:59:22 +08:00
persmule
9bf131b601 Make TPM dependency optional and controlled by flag CONFIG_TPM
if "CONFIG_TPM=y" is not present in the config file, functionalities
needing TPM could be disabled, while leaving other functionalities intact.

This will make Heads a more general-usage bootloader payload atop coreboot.
2018-02-15 22:42:12 +08:00
Kyle Rankin
c35f385cf7
Make eth0 init condition on module, remove early bin/ash
To avoid unnecessary errors, only load the eth0 network if the e1000
module exists. Also remove /bin/ash so CONFIG_BOOTSCRIPT works.
2018-02-14 11:50:21 -08:00
Trammell hudson
073834e5c0
Move the ld-musl symlink into the blobs/dev.cpio file. #317
This makes it possible to use musl-libc compiled tools
without the Heads runtime.
2018-02-13 17:44:26 -05:00
Trammell hudson
15a07b3fce
enable qemu networking and ssh key login (#312) 2018-02-09 13:42:52 -05:00
Trammell hudson
23bd4107de
localhost should be defined 2018-02-09 12:05:49 -05:00
Trammell hudson
a3177acb38
fix typos in efivarfs 2018-02-08 17:25:32 -05:00
Trammell hudson
bac7576979
enable efivarfs if it is available 2018-02-08 16:49:49 -05:00
Trammell hudson
383f1f66a5
merge changes from master into nerf branch in preparation for closing nerf branch 2018-02-02 17:06:49 -05:00
Trammell hudson
4150454e1c
add normal directories to path for chroot calls 2018-02-02 15:50:17 -05:00
Trammell hudson
a4d7654b1e
Build the Heads/NERF firmware for the Dell R630 server.
This development branch builds a NERF firmware for the Dell R630
server.  It does not use coreboot; instead it branches directly
from the vendor's PEI core into Linux and the Heads runtime
that is setup to be run as an EFI executable.
2017-09-20 10:29:14 -04:00
Francis Lam
472ffd35c0
Moved kernel command line parameters to config 2017-09-02 14:13:29 -04:00
Francis Lam
7cec25542d
Allow boot without unseal of TPM LUKS key
Closes issue #226

Also changed to procedure to show LVM volume groups and block
device ids to aid in choosing the right combination during the
TPM LUKS key sealing process.
2017-09-02 14:13:29 -04:00
Francis Lam
26b2d49897
Allow TPM LUKS key to be set during default selection
Closes #222
2017-09-02 14:13:29 -04:00
Francis Lam
0897a20b84
Ensure recovery for failed default boot
Should close #223

Added reboot and poweroff scripts using /proc/sysrq-trigger

Also cleaned up the boot loop in generic-init
2017-09-02 14:13:29 -04:00
Francis Lam
e8f3d206c5
Strip invalid leading/trailing '/' from script params 2017-09-02 14:13:29 -04:00
Trammell Hudson
b550a7f967
rework startup scripts to combine totp prompt with boot mode selection (issue #221) 2017-07-18 13:44:02 -04:00
Trammell Hudson
3c8adf2cf1
remove no longer required vga patch from xen (issue #227) 2017-07-18 13:31:08 -04:00
Trammell Hudson
af3170ebf7
remove trailing / on the /boot device parameter 2017-07-17 12:43:14 -04:00
Trammell Hudson
831dca5124
remove older qubes-specific files, no longer required in generic boot env 2017-07-17 12:31:58 -04:00
Trammell Hudson
22282da905
default to mounting USB device on /media 2017-07-17 12:24:15 -04:00
Trammell Hudson
86f3e9f5dc
add /boot and /media to /etc/fstab on startup (issue #220) 2017-07-17 12:22:48 -04:00
Trammell Hudson
ba98d5dda6
Merge branch 'usb-boot' of https://github.com/flammit/heads into flammit-usb-boot 2017-07-17 08:52:48 -04:00
Francis Lam
11aca354e9
Fixed edge case in kernel argument injection
Debian 9 installer doesn't have kernel arguments so the iommu fix
wasn't being applied properly.
2017-07-13 00:33:49 -04:00
Francis Lam
2a9ca6fdba
Fixed regression on kexec-save-key 2017-07-12 00:43:08 -04:00
Francis Lam
22a52ec4b8
Added TPM secret management to generic boot
Also cleaned up error handling and boot parsing edge cases
2017-07-12 00:17:45 -04:00
Francis Lam
d67360a24b
Added rollback protection to generic boot
Changed the checking of required hashes or required rollback state
to be right before boot, allowing the user to sign/set defaults
in interactive mode.

Also cleaned up usages of recovery and fixed iso parameter
regression.
2017-07-08 16:59:37 -04:00
Francis Lam
8004b5df2a
Added the ability to persist a default boot option
Similar to qubes-update, it will save then verify the hashes of
the kexec files. Once TOTP is verified, a normal boot will verify
that the file hashes and all the kexec params match and if
successful, boot directly to OS.

Also added a config option to require hash verification for
non-recovery boots, failing to recovery not met.
2017-07-04 19:49:14 -04:00
Francis Lam
ce4b91cad9
Minor tweaks to signing params and boot options
Also split out usb-scan to allow manual initiation of scan from
the recovery shell
2017-07-03 13:07:03 -04:00
Francis Lam
3614044fff
Added a generic boot config and persistent params
Refactored boot parsing code and applied that in local-init to
scan /boot for grub options and allow the user to unsafely boot
anything.  This goes a long way to addressing #196.

Optionally the user can customize those boot parameters or enforce
arbitrary hashes on the boot device by creating and signing config
files in /boot/ or /media/ or /media/kexec_iso/ISO_FILENAME/.
2017-07-02 23:01:04 -04:00
Francis Lam
76a20288a3
Tweaks to allow qubes install w/o custom script
usb-boot automatically uses internal xen binary / command line
when multiboot is detected.

also tweaked to evaluate/remove variable refs in kexec arguments
2017-07-02 14:27:02 -04:00
Trammell Hudson
a5d4c65533
use SHA256 digest on signatures to avoid SHA1 collision attacks (issue #120) 2017-05-04 11:19:50 -04:00
Francis Lam
1f8eaa696e
minor tweaks to config parsing 2017-04-29 21:50:10 -04:00
Francis Lam
efd662c63a
adds a USB boot option with basic parsing to kexec
Supports booting from USB media using either the root device or
a signed ISO as the boot device.  Boot options are parsed with
quick/dirty shell scripts to infer kexec params.

Closes #195 and begins to address #196
2017-04-29 13:40:34 -04:00
Trammell Hudson
7f600072ad
pass -ic option to tpm extend (issue #198) 2017-04-23 16:12:08 -04:00
Francis Lam
ad732939c3
load usb-storage module in x230-flash.init 2017-04-16 17:37:14 -04:00
Trammell Hudson
8f4455bc57
hardware token key 2017-04-12 09:50:08 -04:00
Trammell Hudson
9d4b7a5b73
print and update the timestamp on the TOTP while waiting for disk unlock code 2017-04-12 08:28:31 -04:00
Trammell Hudson
3fc174b0f7
totp program outputs the date 2017-04-12 08:12:31 -04:00
Trammell Hudson
353a0efe6f
Rework /init and qubes setup scripts (issue #27, #155, #32, #29, #110)
This adds support for seamless booting of Qubes with a TPM disk key,
as well as signing of qubes files in /boot with a Yubikey.

The signed hashes also includes a TPM counter, which is incremented
when new hashes are signed.  This prevents rollback attacks against
the /boot filesystem.

The TPMTOTP value is presented to the user at the time of entering
the disk encryption keys.  Hitting enter will generate a new code.

The LUKS headers are included in the TPM sealing of the disk
encryption keys.
2017-04-12 06:57:58 -04:00
Trammell Hudson
8464227aa1
use the external functions (issue #161) 2017-04-12 06:57:26 -04:00
Trammell Hudson
8d2d6ad6c3
helper to install qubes from the recovery shell (issue #27) 2017-04-12 06:55:22 -04:00
Trammell Hudson
6a734208b0
try creating NVRAM entry before prompting for owner password (issue #151) 2017-04-12 06:53:54 -04:00
Trammell Hudson
84f1d0af39
copy file and compute sha256 before flashing 2017-04-12 06:50:18 -04:00
Trammell Hudson
7a9ab72144
import the seal/unseal totp scripts since they are very specialized to the heads install, skip owner password if not required (issue #151) 2017-04-12 06:49:39 -04:00
Trammell Hudson
c5c47c6b1c
common recovery shell functions (issue #161) 2017-04-12 06:48:38 -04:00
Trammell Hudson
da9bde721c
add some color 2017-04-12 06:46:24 -04:00
Trammell Hudson
ea9b2c0da0
helper to do a forcible TPM reset (issue #27) 2017-04-12 06:45:15 -04:00
Trammell Hudson
8c57ac59e7
x230-flash configuration and initialization 2017-04-11 07:16:20 -04:00
Trammell Hudson
51ecbdc8cb
"$@" does not expand correctly in test expressions, use "$*" instead (issue #181) 2017-04-11 06:31:25 -04:00
Trammell Hudson
c19193d7c6
check for TPM program and device before loading modules (issue #181) 2017-04-10 17:48:52 -04:00
Trammell Hudson
b6eaa5c295
remember to add /dev to /etc/fstab 2017-04-10 17:48:20 -04:00
Trammell Hudson
1744612df6
mount only takes one filesystem 2017-04-10 13:11:19 -04:00
Trammell Hudson
4c982856a3
add /etc/fstab and /etc/mtab to initrd image 2017-04-10 12:59:24 -04:00
Trammell Hudson
350a3564b1
move usb-storage into a kernel module (issue #160) 2017-04-05 19:20:53 -04:00
Trammell Hudson
362785b81c
gpg uses pubring.gpg instead of trustedkeys.gpg 2017-04-05 18:43:58 -04:00
Trammell Hudson
0da184fe01
Enable gpg with card support (issue #32) 2017-04-05 17:59:49 -04:00
Trammell Hudson
39cb4031f4
TPM disk encryption keys for Qubes.
Issue #123: This streamline Qubes startup experience by
making it possible to have a single-password decryption.

Issue #29: The disk keys in `/secret.key` are passed to the systemd
in initramfs through `/etc/crypttab`, which is generated on each boot.
This is slow; need to look at alternate ways.

Issue #110: By using LVM instead of partitions it is now
possible to find the root filesystem in a consistent way.

Issue #80: LVM is now included in the ROM.
2017-04-03 17:18:11 -04:00
Trammell Hudson
3dcc3d4b49
load the xhci USB3 modules as well 2017-04-03 17:09:54 -04:00
Trammell Hudson
d335f24292
split x230 config into 4MB bootstrap image and 7MB runtime image (issue #156) 2017-04-03 14:53:29 -04:00
Trammell Hudson
e41e21084a
extend PCR 4 in a recovery to prevent disk key decryption (issue #154) 2017-04-03 10:30:03 -04:00
Trammell Hudson
174bb64957
Move Qubes startup script to /boot/boot.sh
This also adds a set of files in the qubes/ directory that
are meant to be copied to the /boot partition.

Issue #154: for ease of upgrading Qubes, the script should
live on /boot instead of in the ROM.  This requires a GPG
signature on the startup script to avoid attacks by modifying
the boot script.

Issue #123: this streamlines the boot process for Qubes, although
the disk password is still not passed in correctly to the initrd
(issue #29).

This does not address issues #110 of how to find the root device.
The best approach is probably disk labels, which will require
special installation instructions.
2017-04-02 22:21:49 -04:00
Trammell Hudson
f99944abe5
qubes init script and improved TPM disk encryption with LUKS headers (issue #123 and #6) 2017-04-01 23:02:00 -04:00
Trammell Hudson
d06ba0a851
reset $boot_option between loops 2017-04-01 22:25:16 -04:00
Trammell Hudson
c40748aa25
Build time configuration for startup scripts and modules.
This addresses multiple issues:

* Issue #63: initrd is build fresh each time, so tracked files do not matter.
* Issue #144: build time configuration
* Issue #123: allows us to customize the startup experience
* Issue #122: manual start-xen will go away
* Issue #25: tpmtotp PCRs are updated after reading the secret
* Issue #16: insmod now meaures modules
2017-03-31 11:18:46 -04:00
Trammell Hudson
cfd549097f
disable dhcp, since there are no networking modules loaded 2017-03-30 17:21:22 -04:00
Trammell Hudson
8589370708
Flash writing from userspace works (issue #17).
Reduce the size of flashrom by commenting out most flash chips,
boards and programmers.

Wrapper script to make it easier to rewrite the ROM on the x230
using the flashrom layout.

Keep the entire 12 MB ROM for flashing.
2017-03-30 17:12:22 -04:00
Trammell Hudson
8384201e9c
Change ethernet drivers to be modules and measure them when they are loaded.
This is a step towards unifying the server and laptop config (issue #139)
and also makes it possible to later remove the USB modules from the
normal boot path.
2017-03-28 16:32:58 -04:00
Trammell Hudson
c3757650fd
wget and measure files into the PCR 2017-03-27 18:03:29 -04:00
Trammell Hudson
b0d2d4b5ba
run dhcp automatically on boot 2017-03-27 18:03:09 -04:00
Trammell Hudson
f39dfd321d
enable dhcp and add helper script for lease setup 2017-03-27 15:56:10 -04:00
Trammell Hudson
b387b27e82
Update expired key (issue #82)
Replace the expired key with my updated key, although users
should add their own keys to sign their own firmware images.

Todo: document how to add/replace public keys.

Longer term todo: remove trusted key from the initrd image
so that there is nothing variable between different users'
builds.
2017-02-01 10:28:35 -05:00
Trammell Hudson
84064debbe
musl-libc patches to build a successfull qemu image 2017-01-04 10:31:27 -05:00
Trammell Hudson
ccea67e8b4
shell scripts to help rewrite Qubes initrd /etc/crypttab (issue #29) 2016-12-13 15:10:47 -05:00
Trammell Hudson
3f444efe8c
formatting 2016-11-23 10:46:32 -05:00
Trammell Hudson
da2a6580ce
allow key file to be specified on command line 2016-11-23 10:45:39 -05:00