Add an OEM Factory Reset menu option, which performs an
unattended reset and configuration of the device's TPM,
GPG security token, and boot device / boot selection.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Add oem-factory-reset script which performs an unattended
reset and configuration of the device's TPM, GPG security token,
and boot device / boot selection.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Add function to detect boot device. Start by checking
CONFIG_BOOT_DEV, then iterate thru all bootable partitions.
Check if partition is mountable, contains grub directory.
Update CONFIG_BOOT_DEV and mount on /boot if successful.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Initial card detection can sometimes fail, so prompt the user
to remove/reinsert their GPG card before retrying. Since
errexit is likely set, disable it prior to calling --card-status so
we can handle the error ourself, then re-set if necessary when done.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Next prompt will be to ensure GPG key is attached, which defaults
to Y, so default here as well for consistency
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Check that any files added to cbfs exist before attempting to
add them, so flashing doesn't fail after a reset.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Add Full Reset option to clear all GPG keys and user settings,
both from the local filesystem and running firmware, and
clear/reset the TPM
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
If the boot device is invalid or unabled to be mounted
and the user opts to select a new boot device, jump
directly to that menu option and avoid the additional
step of showing the config main menu.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Updating TOTP/HOTP is mainly necessary after a user updates
their firmware, and no need to force another reboot.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
use similar filtering logic as with USB drives to provide
the user a more sane list of boot device options. Show user
only valid bootable partitions, not block devices.
There's no point in showing /dev/nvme0 and /dev/nvme0n1 (eg)
when /dev/nvme0n1p[1..n] (eg) exist, as the former are not
valid boot devices.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Add optional parameter to bypass menu selection and
immediately select a menu option. This allows us to call
the 'Set Boot Device' option directly, saving the user
an unnecessary step.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Introduce option to remove any existing key(s) from firmware
and add a user-suppled key, before reflashing.
Move existing code for adding a new key to a separate function
so it can be reused for new feature without duplication.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
If CONFIG_BOOT_DEV isn't set or otherwise fails to mount,
we prompt the user to change the /boot device, but never
attempt to mount it to ensure it's sane, leading to
potential failures later in the config/boot process.
Ensure that CONFIG_BOOT_DEV is updated after the /boot device
is changed, and attempt to re-mount /boot after the change.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
If the user has changed the /boot config but not yet flashed,
it's reasonable for them to expect that flashing to add/update
a GPG key won't revert those changes.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
The error/warning background gradient colors were defined
for the librem 13 boards, but not for the librem 15 ones.
Add the missing exports.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
In order to streamline the initial setup, prompt user to
update checksums/sign /boot files after adding a key and
updating the firmware, in order to avoid an extra reboot.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Move the non-GUI component of update_checksums() to
/etc/functions so it can be reused outside of gui-init.
Add check that /boot/kexec_default_hashes.txt exists before parsing
it, since doesn't exist if there's no default boot target set yet.
Eliminates spurious error text and/or premature exit depending on
state of errexit.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
'Options' makes more sense than 'Settings' given the submenu's contents.
Tidy up Boot Options as well
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Before anything else, ensure that a default boot device
is set. If not, prompt the user to set one. If set, ensure
that /boot can be mounted successfully; else prompt the
user to select a new boot device.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
If /boot isn't mounted, we can't read the HOTP secret, so no
point in reading from the TPM. This speeds up getting to the
main menu in the case of an inaccessible or non-existant /boot,
and maintains the warning condition from not being able to
validate the HOTP.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Since a USB boot target can't be the default (at least currently,
/boot must be on internal media), skip the extraneous prompt to
set it as such when booting from USB.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Exclude dot folders from ROM search path, so that files in
.Trash (eg) aren't shown. Sort the remaining options.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Using sort on USB boot options produces a reverse-ordered list,
leading users to often select the wrong option. Add the -r
parameter to sort to correct the list order and make the default
option the first in the list.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Because of the way unseal-hotp is called from gui-init,
dropping to a recovery shell when failing to mount /boot
causes it to hang, leaving the user stranded until they
kill it with CTRL+C. Instead, simply return and continue
to the main GUI menu where the user can address the problem.
Rename the function to clarify difference from other versions
of mount_boot() which do drop to the recovery shell.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Fix HOTP verfication failure if LK admin pin/passphrase contains
spaces by quoting the variables when passed to functions.
Test: set LK admin pin to passphrase with spaces, generate
new TOTP/HOTP, verification passes.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Reading the file into a variable and then redirecting to stdin
via echo() can cause the binary data to be truncated, leading
to an invalid base32 value and failure to properly generate
and validate the HOTP code.
To resolve this, pass the file directly to hotp(), and ensure
it is removed properly regardless of success or failure to
prevent leakage.
Fixes "Invalid base32 string" error seen when attempting to
generate a new TOTP secret.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Add a main boot menu entry to power off. This enables users to
only verify the firmware integrity using OTP, and do nothing more.
After having left the device out of sight, one might want to do
a quick sanity check only.
Since we already have a script to safely power down, we make use of
it now.