351 Commits

Author SHA1 Message Date
Francis Lam
d67360a24b
Added rollback protection to generic boot
Changed the checking of required hashes or required rollback state
to be right before boot, allowing the user to sign/set defaults
in interactive mode.

Also cleaned up usages of recovery and fixed iso parameter
regression.
2017-07-08 16:59:37 -04:00
Francis Lam
8004b5df2a
Added the ability to persist a default boot option
Similar to qubes-update, it will save then verify the hashes of
the kexec files. Once TOTP is verified, a normal boot will verify
that the file hashes and all the kexec params match and if
successful, boot directly to OS.

Also added a config option to require hash verification for
non-recovery boots, failing to recovery not met.
2017-07-04 19:49:14 -04:00
Francis Lam
ce4b91cad9
Minor tweaks to signing params and boot options
Also split out usb-scan to allow manual initiation of scan from
the recovery shell
2017-07-03 13:07:03 -04:00
Francis Lam
3614044fff
Added a generic boot config and persistent params
Refactored boot parsing code and applied that in local-init to
scan /boot for grub options and allow the user to unsafely boot
anything.  This goes a long way to addressing #196.

Optionally the user can customize those boot parameters or enforce
arbitrary hashes on the boot device by creating and signing config
files in /boot/ or /media/ or /media/kexec_iso/ISO_FILENAME/.
2017-07-02 23:01:04 -04:00
Francis Lam
76a20288a3
Tweaks to allow qubes install w/o custom script
usb-boot automatically uses internal xen binary / command line
when multiboot is detected.

also tweaked to evaluate/remove variable refs in kexec arguments
2017-07-02 14:27:02 -04:00
Francis Lam
1f8eaa696e
minor tweaks to config parsing 2017-04-29 21:50:10 -04:00
Francis Lam
efd662c63a
adds a USB boot option with basic parsing to kexec
Supports booting from USB media using either the root device or
a signed ISO as the boot device.  Boot options are parsed with
quick/dirty shell scripts to infer kexec params.

Closes #195 and begins to address #196
2017-04-29 13:40:34 -04:00
Trammell Hudson
7f600072ad
pass -ic option to tpm extend (issue #198) 2017-04-23 16:12:08 -04:00
Trammell Hudson
448d0731a9
cherry pick Linux config from zfs branch with multi-user set 2017-04-17 16:10:48 -04:00
Trammell Hudson
964b967c9e
Use kernel headers from our Linux kernel tree (issue #188) 2017-04-17 16:09:06 -04:00
Francis Lam
ad732939c3
load usb-storage module in x230-flash.init 2017-04-16 17:37:14 -04:00
Trammell Hudson
a71f84c08f
cbmem was not being built v0.2.0 2017-04-12 11:54:11 -04:00
Trammell Hudson
8f4455bc57
hardware token key 2017-04-12 09:50:08 -04:00
Trammell Hudson
4310b59686
fix patch for -p1 2017-04-12 09:30:08 -04:00
Trammell Hudson
bf95aa1839
use 0.3.0 release of tpmtotp 2017-04-12 08:46:56 -04:00
Trammell Hudson
9d4b7a5b73
print and update the timestamp on the TOTP while waiting for disk unlock code 2017-04-12 08:28:31 -04:00
Trammell Hudson
87b6f1e489
supress mlock error 2017-04-12 08:27:57 -04:00
Trammell Hudson
3fc174b0f7
totp program outputs the date 2017-04-12 08:12:31 -04:00
Trammell Hudson
782d4cdc7b
signing of files is now possible on the laptop 2017-04-12 07:04:25 -04:00
Trammell Hudson
353a0efe6f
Rework /init and qubes setup scripts (issue #27, #155, #32, #29, #110)
This adds support for seamless booting of Qubes with a TPM disk key,
as well as signing of qubes files in /boot with a Yubikey.

The signed hashes also includes a TPM counter, which is incremented
when new hashes are signed.  This prevents rollback attacks against
the /boot filesystem.

The TPMTOTP value is presented to the user at the time of entering
the disk encryption keys.  Hitting enter will generate a new code.

The LUKS headers are included in the TPM sealing of the disk
encryption keys.
2017-04-12 06:57:58 -04:00
Trammell Hudson
8464227aa1
use the external functions (issue #161) 2017-04-12 06:57:26 -04:00
Trammell Hudson
8d2d6ad6c3
helper to install qubes from the recovery shell (issue #27) 2017-04-12 06:55:22 -04:00
Trammell Hudson
6a734208b0
try creating NVRAM entry before prompting for owner password (issue #151) 2017-04-12 06:53:54 -04:00
Trammell Hudson
fa8c3abe98
put board configuration file into /etc/config 2017-04-12 06:52:35 -04:00
Trammell Hudson
122bacab37
use xen.gz since we have zlib support in kexec again (issue #170) 2017-04-12 06:50:57 -04:00
Trammell Hudson
84f1d0af39
copy file and compute sha256 before flashing 2017-04-12 06:50:18 -04:00
Trammell Hudson
7a9ab72144
import the seal/unseal totp scripts since they are very specialized to the heads install, skip owner password if not required (issue #151) 2017-04-12 06:49:39 -04:00
Trammell Hudson
c5c47c6b1c
common recovery shell functions (issue #161) 2017-04-12 06:48:38 -04:00
Trammell Hudson
d73c92e63f
quiet down the boot process 2017-04-12 06:46:55 -04:00
Trammell Hudson
da9bde721c
add some color 2017-04-12 06:46:24 -04:00
Trammell Hudson
ea9b2c0da0
helper to do a forcible TPM reset (issue #27) 2017-04-12 06:45:15 -04:00
Trammell Hudson
8c57ac59e7
x230-flash configuration and initialization 2017-04-11 07:16:20 -04:00
Trammell Hudson
51ecbdc8cb
"$@" does not expand correctly in test expressions, use "$*" instead (issue #181) 2017-04-11 06:31:25 -04:00
Trammell Hudson
c19193d7c6
check for TPM program and device before loading modules (issue #181) 2017-04-10 17:48:52 -04:00
Trammell Hudson
b6eaa5c295
remember to add /dev to /etc/fstab 2017-04-10 17:48:20 -04:00
Trammell Hudson
1744612df6
mount only takes one filesystem 2017-04-10 13:11:19 -04:00
Trammell Hudson
4c982856a3
add /etc/fstab and /etc/mtab to initrd image 2017-04-10 12:59:24 -04:00
Trammell Hudson
85f0586615
build xen for the qemu image so that we can test kexec 2017-04-10 12:59:07 -04:00
Trammell Hudson
4eab928339
Merge branch 'flammit-master' 2017-04-09 17:50:43 -04:00
Trammell Hudson
ca06e7598d Merge branch 'master' of https://github.com/flammit/heads into flammit-master 2017-04-09 17:49:36 -04:00
Francis Lam
a39a24665c
Fix coreboot build where gcc defaults to pie (issue #177)
See 8bbd596de6
2017-04-09 17:39:23 -04:00
Trammell Hudson
1043517371
typo in $(CROSS_TOOLS_NOCC), building xen with system ld (issue #173) 2017-04-09 16:09:17 -04:00
Trammell Hudson
132d26de05
do two make passes to avoid concurrency errors in lvm2 (issue #175) 2017-04-09 02:49:42 -04:00
Trammell Hudson
740f197487
Linux does not need the musl-libc, just the cross compiler (issue #175) 2017-04-09 02:11:18 -04:00
Trammell Hudson
4e88d5d59c
typo in gnupg, remove the install directory on a real.clean 2017-04-09 01:38:22 -04:00
Trammell Hudson
a2b0ef878e
add real.clean target and fix DAG for parallel top-level makes (issue #175) 2017-04-08 17:46:54 -04:00
Trammell Hudson
a42aaa37c6
xen depends on musl-cross (issue #175) 2017-04-08 17:46:21 -04:00
Trammell Hudson
8c3b5877a3
add bootstrap target to build cross compilers (issue #162) 2017-04-08 15:19:26 -04:00
Trammell Hudson
46a2ae8c2b
disable more unnecessary LVM components 2017-04-08 14:30:50 -04:00
Trammell Hudson
07eb5e9717
Define $(CROSS_TOOLS) to ensure reproducible builds (issue #173)
Each of the submodule configuration files defined a subset of the
cross compiler tools that it used and many were picking up the
system `ar`, `nm`, `strip, `ld`, etc.  They all now use a `Makefile`
macro that defines the path to the proper cross compiler tools.

For ones that need the tools, but not the musl-libc gcc,
there is $(CROSS_TOOLS_NOCC) that is all of them without gcc.
This is for musl-libc itself, as well as xen and the Linux kernel.
2017-04-08 13:23:34 -04:00