Don't spew the root hashes to the console when creating the hash file.
This speeds up hash creation significantly. A basic Qubes install on a
cheap (slow) SATA SSD reduced from about 1.5 minutes to just under 1
minute, and a PureOS install on a fast NVMe disk reduced from 2.5
minutes to 1 minute.
Support opening LVM volume groups to find the root disk. If an LVM PV
is found, its group is opened and the 'root' volume is used. There is
no way to set the volume name in this iteration; this is the default
name used by Qubes and probably common to many LVM OS installations.
LUKS and LVM can be mixed. Tested LUKS (PureOS) and LUKS+LVM (Qubes).
Always cd to "$ROOT_MOUNT" in a subshell, improves robustness of
scripts (previously some functions only worked if they were called
after another function had cd'd to "$ROOT_MOUNT").
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Say the action to take in the menu (enable or disable) instead of just
"Check root hashes at boot".
Clean up some use of load_config_value, set_config, combine_configs.
Get config values from the environment directly. set_user_config does
set_config and combine_configs.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Add TRACE_FUNC to trace the file, line, and name of the calling
function. File and function names don't have to be duplicated in a
TRACE statement with this (they tend to become inaccurate as functions
are renamed and the TRACE statement is forgotten).
Add DEBUG_STACK to dump the bash stack to debug output.
Configure bash with --enable-debugger. Bash doesn't actually include
the entire debugger, this is just some supporting variables for it.
Evidently, BASH_SOURCE[n] is only set within a function if this is
enabled. I couldn't find this indicated in any documentation, but it
happened in practice.
Compressed initrd size only increased by 2560 bytes for librem_mini_v2,
I think that is fine. This also gives us BASH_ARGC/BASH_ARGV which
might be useful for diagnostics.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Laptops can include optional USB keyboard support (default off unless
the board also sets the default to 'y'). The setting is in the
configuration GUI.
CONFIG_USER_USB_KEYBOARD is now the user-controlled setting on those
boards. 'CONFIG_USB_KEYBOARD' is no longer used to avoid any conflict
with prior releases that expect this to be a compile-time setting only
(conflicts risk total lock out requiring hardware flash, so some
caution is justified IMO).
Boards previously exporting CONFIG_USB_KEYBOARD now export
CONFIG_USB_KEYBOARD_REQUIRED. Those boards don't have built-in
keyboards, USB keyboard is always enabled. (librem_mini,
librem_mini_v2, librem_11, librem_l1um, librem_l1um_v2, talos-2,
kgpe-d16_workstation-usb_keyboard, x230-hotp-maximized_usb-kb).
Librem laptops now export CONFIG_SUPPORT_USB_KEYBOARD to enable
optional support. The default is still 'off'.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
'find' may fail if I/O errors occur (medium faulty or removed,
filesystem corruption, etc.) Show a message if this occurs rather than
just dying and returning to the main menu.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
If the user selects a plain ROM, but that file can't be read, show a
message and exit rather than dying. Copy the ROM to RAM before doing
anything with it in case the media fails later.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
If we can't mount /boot, show a meaningful error rather than dropping
to a recovery shell.
Dropping to a recovery shell should be a last resort. Users that know
how to use the recovery shell know how to get there. Users that don't
know how to use it can be completely stuck and may not know how to get
back to the menu or even how to turn off the device.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Automatic boot can be configured in the configuration GUI. Options are
disable, 1 second, 5 seconds, or 10 seconds.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Change order if user chooses both reencrypt and change passphrase, so that passphrase is changed first.
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
Removed all mentions of a "Recovery Disk Key" and replaced with "Disk Recovery Key".
Fixed some grammatical errors.
Added check for new passphrase in reencrypt function to accommodate switching of reencrypt and new passphrase setting order in oem-factory-reset.
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
Uses fold on the entire passphrase string now; tested in recovery shell of NK Heads 2.1.
Reverted change of WIDTH parameter (first commit of this PR).
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
This partially fixes#1537, but while the increased width wouldn't be a problem on the NV41 AFAICT, I don't know about other machines.
I don't know what @tlaurion means with "busybox's folding", which may be a better solution.
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
The call to `hotp_verification regenerate` seems to leave the
communication in a bad state, thus the following `gpg` calls fail. With
this workaround `scdaemon` will resart with the next `gpg` call.
Signed-off-by: Markus Meissner <coder@safemailbox.de>
talos-2 (only) uses .tgz instead of .rom for updates. Currently, both
are treated as alternatives to a ZIP-format update archive with
SHA-256 integrity check, extend that to the prompts to reduce clutter.
Reflow the "You will need ... your BIOS image" prompt to fit on
fbwhiptail.
The .tgz format could be better integrated with the ZIP updates, but
this needs more work specific to talos-2.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Allow configuring the ZIP-format update file extension with
CONFIG_BRAND_UPDATE_PKG_EXT in board config. Default is 'zip'.
Create update package in the default Makefile target. Delete
create_npf.sh.
Do not require /tmp/verified_rom in the update file package's
sha256sum.txt (but allow it for backward compatibility).
Show the integrity error if unzip fails instead of dying (which returns
to main menu with no explanation, error is left on recovery console).
This is the most likely way corruption would be detected as ZIP has
CRCs. The sha256sum is still present for more robust detection.
Don't require the ROM to be the first file in sha256sum.txt since it
raises complexity of adding more files to the update archive in the
future. Instead require that the package contains exactly one file
matching '*.rom'.
Restore confirmation prompt for the update-package flow, at some point
this was lost.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Don't repeat this message if the user says "no" to the confirmation
prompt. Go directly to the menu.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Move confirmation of formatting flash drive with LUKS percentage
selection before any reset actions have been taken, so aborting does
not result in a half-reset system. Combine with the more basic
"confirm" prompt that existed after selecting the device (but did not
include the LUKS size information).
Split up prepare_flash_drive into interactive_prepare_flash_drive (both
prompts and formats as before), confirm_thumb_drive_format (just
confirms the selections), and prepare_thumb_drive (now noninteractive).
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Combine prompt to disconnect other devices with prompt to connect the
desired device.
Show block device sizes in MB/GB when selecting device so it is easier
to select. file_selector now supports --show-size to include block
device sizes in menu.
Rework file_selector so menu options can contain spaces (use bash
array) and to simplify logic.
Prompt to select flash drive and LUKS percentage in OEM reset before
actually taking any actions, so aborting doesn't half-reset the system.
Abort OEM reset if user aborts the flash drive selection instead of
looping forever. (Canceling the confirmation still loops to retry but
it is possible to exit by aborting the repeated menu.)
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Warn user if connected usb block device is less then 128mb, since creating LUKS container of less then 8mb might cause issues.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Prompt for TPM owner password internally within tpm2_counter_create.
Add tpm1_counter_create to prompt for password internally. Wipe the
cache in either if the operation fails, in case the password was
incorrect.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
- document why shred is still called under functions:check_tpm_counter for safety and add TODO there
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
gui-init: make sure that reseal_tpm_disk_decryption_key happens only on successful TOTP/HOTP sealing, reusing cached TPM Owner password
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Add comments after reboot/poweroff to clarify what they do. These
commands are here partly for discoverability by users who might not
know what to do in a recovery shell, so clarifying their purpose helps
those users figure out what to do.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Some device firmware, such as the graphics microcontroller, is needed
during the initrd - i915 is often loaded in the initrd, and this is the
only chance to load GuC firmware.
Device firmware must still be available after the real root is mounted
too, so update the custom firmware path in the kernel when the firmware
is moved to /run.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Add Librem 11 board.
Librem 11 uses coreboot graphics init, which is done with FSP GOP.
Set a custom keymap for the volume/power keys. Configure the volume
keys as up/down arrows (for navigation in fbwhiptail, and for shell
history in the Linux console). Configure the power key as Enter.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Allow boards to optionally include loadkeys to set a custom keymap.
showkey and dumpkeys (normally only needed for development) can also be
optionally included.
Remove *.map from .gitignore; this was probably intended for build
artifacts that are now excluded via the build/ directory.
Add reboot and poweroff to shell history, which is useful for devices
lacking full hardware keyboards to escape the recovery shell with just
"up" and "enter".
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Improve speed by pre-filtering only for lines containing any tokens of
interest to flashrom_progress_tokenize().
Improve reliability by avoiding dropping tokens that cross a stream
buffer boundary. Occasionally, a token could be missed if it crosses a
stream buffer boundary, due to read timing out too quickly before the
next buffer is flushed. If this was a state-changing token,
flashrom_progress() would hang forever.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
* use GPG_ALGO as gpg key generation algorithm
* determine GPG_ALGO during runtime like this:
* if CONFIG_GPG_ALGO is set, use as preference
* adapt based on usb-token capabilities (currently only Nitrokey 3)
Changes:
- As per master: when TOTP cannot unseal TOTP, user is prompted to either reset or regenerate TOTP
- Now, when either is done and a previous TPM Disk Unlock Key was setuped, the user is guided into:
- Regenerating checksums and signing them
- Regenerating TPM disk Unlock Key and resealing TPM disk Unlock Key with passphrase into TPM
- LUKS header being modified, user is asked to resign kexec.sig one last time prior of being able to default boot
- When no previous Disk Unlock Key was setuped, the user is guided into:
- The above, plus
- Detection of LUKS containers,suggesting only relevant partitions
- Addition of TRACE and DEBUG statements to troubleshoot actual vs expected behavior while coding
- Were missing under TPM Disk Unlock Key setup codepaths
- Fixes for #645 : We now check if only one slots exists and we do not use it if its slot1.
- Also shows in DEBUG traces now
Unrelated staged changes
- ash_functions: warn and die now contains proper spacing and eye attaction
- all warn and die calls modified if containing warnings and too much punctuation
- unify usage of term TPM Disk Unlock Key and Disk Recovery Key
prepare_thumb_drive: default to creating 10% LUKS container on usb drive, prompts for passphrase is not provided and scan drives if no --device specified
NOTE: qemu usb_thumb drive of 128 mb are not big enough so that 10% of it (12mb) can be used to create thumb drive.
Adds:
- e2fsprogs to support ext4 filesystem creation through mke2fs
- add /etc/mke2fs.conf so that mke2fs knows how to handle ext2/ext3/ext4
- removes mke2fs support from busybox
- bump busybox to latest version which adds cpu accelerated hash functions (not needed per se here)
- Adds exfatprogs to have mkfs.exfat and fsck.exfat
- Adds prepare_thumb_drive /etc/luks-functions to be able to prepare a thumb drive with percentage of drive assigned to LUKS, rest to exfat
- Modify most board configs to test space requirements failing
- Talos2 linux config: add staging Exfat support
- Make e2fsprogs and exfatprogs included by default unless explicitely deactivate in board configs
- Change cryptsetup calls : luksOpen to open and luksClose to close to addresss review
- etc/luks_functions: cleanup
GOAL here is to have secure thumb drive creation which Heads will be able to use to backup/restore/use generated GPG key material in the future (next PR)
Based on feedback, 1440p displays can benefit from 2x console as well.
Err toward a font too large rather than too small and lower the
threshold to 1350, which is the threshold fbwhiptail uses for 1.5x.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Build kbd and ship setfont if enabled with CONFIG_KBD.
When CONFIG_KBD is enabled, setconsolefont.sh will double the console
font size on large displays (>1600 lines tall as a heuristic).
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
On platforms using CONFIG_BOOT_EXTRA_TTYS multiple processes may try to
access TPM at the same time, failing with EBUSY. The order of execution
is unpredictable, so the error may appear on main console, secondary one,
or neither of them if the calls are sufficiently staggered. Try up to
three times (including previous one) with small delays in case of error,
instead of immediately scaring users with "you've been pwned" message.
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
Updated cbmem searches for CBMEM exposed by kernel in sysfs before
trying to read it from memory directly. As such, there is no need for
pointing to that file explicitly.
New coreboot revision also fixes output of 'cbmem -t' caused by wrong
endianness.
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
Simplify "enable" prompt a bit, clarify that firmware updating is
blocked, and remove mention of "failsafe boot mode". Reword "disable"
prompt similarly.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
The early recovery shell ("hold R") and serial recovery both could
bypass Restricted Boot since they occurred before config.user was
loaded. Load config.user earlier before these recovery methods.
Executing a shell directly (if recovery failed) also would bypass
Restricted Boot, additionally leaking /tmp/secret. Remove this from
the early recovery shell logic. Also remove the final failsafe exec
and move the "just in case" recovery from normal boot here instead, in
case the regular init script fails.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
The -s mode was removed, remove it from usage. Remove the test to skip
checking for board flashrom options with -s mode.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
The "disable restricted boot" prompt got slightly too long when fixing
the TPM wording. Re-wrap that line to match the others. Wrapping
could use some general cleanup but this is sufficient so the text isn't
truncated.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
The CONFIG_BASIC test was backwards, as a result it skipped the
LUKS disk unlock logic if basic mode was _not_ enabled. This wasn't
observed in the PureBoot distribution because we disable the LUKS disk
unlock feature.
CONFIG_BOOT_REQ_ROLLBACK and CONFIG_BOOT_REQ_HASH logic was also
skipped incorrectly, though neither of these are enabled on any board
so this had no effect in the PureBoot distribution either.
Test basic with each bit of logic to eliminate duplication of the
kexec-boot call and fix the LUKS disk unlock feature.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Only try the default PIN automatically for 1 month after key creation.
This simplifies initial ownership but still encourages changing the
PIN.
Never enter a PIN automatically if fewer than 3 attempts remain, to
avoid causing lockout if the PIN has been changed.
Remind what the default PIN was if it is not attempted for either
reason.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
HOTP/TOTP secrets don't have to be printable. Use binary data to
include 160 bits of entropy instead of just 80.
The secret is still limited to 20 bytes. Most keys now support up to
40 bytes, but tpmtotp is still limited to 20 bytes.
Move the truncation to 20 bytes a bit later, for future improvements to
detect the key's actual limit.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>