LOG() is added to log to the log only (not kmsg, more verbose than
TRACE).
DO_WITH_DEBUG only captures stdout/stderr to the log with LOG().
kexec-boot silences stderr from kexec, we don't want it on the console.
No need to repeat the kexec command when asking in debug to continue
boot, it's no longer hidden behind verbose output from kexec.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
`eval "$kexeccmd"` should become `DO_WITH_DEBUG eval "$kexeccmd"` when
adding DO_WITH_DEBUG, command invocation is still the same, still needs
eval.
Restore DO_WITH_DEBUG in front of kexec-parse-boot that had been
removed.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
TODO:
- $(pcrs) call sometimes fail in DEBUG call, outputting too many chars to be inserted in kmesg. Call removed here since redundant (PCR6 already extended with LUKS header)
- Notes added for TPM2 simplification over TPM1 in code as TODO
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Fixes linuxboot#1092.
Supersedes linuxboot#1093
- Cherry-picks ed1c23a (credit to @hardened-vault) thank you!)
- Addresses and correct self-review under linuxboot#1093 (@hardened-vault: you don't answer often here!)
- kexec-unseal-key: Warn a user who attempts to default boot while his Disk Unlock Key passphrase fails to unseal because LUKS headers changed.
(linuxboot#1093 (comment))
- kexec-seal-key: Identical as in ed1c23a
- kexec-add-key: Tell the user that the Headers did not change when changing TPM released Disk Unlock Key
(Through changing default boot at Options->Boot Options -> Show OS boot options: select a new boot option
and set a Disk Unlock Key in TPM, accept to modify disk and sign /boot options)
- Here, we cancel the diff output shown on screen linuxboot#1093 (comment)
- And we change the warning given to the user to past tense "Headers of LUKS containers to be unlocked via TPM Disk Unlock Key passphrase did not change."
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Also remove output of attempted module loading since DEBUG will show if needed
Remove timeout after 30 seconds to unify UX and block
Change UX wording
Should address all PR review comments
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
- Add additional requirements to linux config
- Add additional CONFIG_MOBILE_TETHERING=y to all maximized board configs
- Fix issue under network-recovery-init to NTP sync against NTP server pool
- Extend network-recovery-init to first try NTP sync against DNS server returned by DHCP answer
- Remove network-recovery-init earlytty and tty0 redirection (console should be setuped properly by init in all cases)
- If CONFIG_MOBILE_TETHERING=y added to board config and network-recovery-init called, wait to user input on instructions and warning 30 secs before proceeding (non-blocking)
- Machines having STATIC_IP under board config won't benefit of autoatic NTP sync
Since network-recovery-init can only be called from recovery shell now, and recovery shell can be guarded by GPG auth, this is PoC code to be used to complement TOTP being out of sync
TODO(Future PR):
- Refactor into functions and reuse into TOTP/HOTP being out of sync automatically.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
When testing a possible boot device, detect its partition type and
skip grub, LUKS, and LVM partitions. These aren't mountable as /boot,
this silences spurious exFAT errors.
In detect_boot_device, skip testing CONFIG_BOOT_DEV a second time if it
is found as a block device. This avoids doubling any errors shown from
checking this device, no sense trying it twice.
Refactor some logic to avoid duplication - extract
device_has_partitions and use it in detect_boot_device, extract
mount_possible_boot_device and use it instead of duplicating the logic.
Move find_lvm_vg_name() to /etc/functions.
Avoid mixing up similarly-named devices like 'nvme0n1'/'nvme0n10' or
'sda'/'sdaa' - it's probably unlikely that many devices will appear,
but looking for partitions in '/sys/class/block/<device>/' instead of
'/dev/' would avoid any collisions.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Exception: scripts sourcing/calls within etc/ash_functions continues to use old TRACE functions until we switch to bash completely getting rid of ash.
This would mean getting rid of legacy boards (flash + legacy boards which do not have enough space for bash in flash boards) once and for all.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Reword the notice shown when enabling USB keyboards based on feedback.
Remove the notice when disabling USB keyboard support, show it only
when enabling.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Next steps on this is introspection and PCRs reconstruction helpers, which will output in DEBUG and be usable from recovery shell.
We have to keep in mind that providing those tools is useful in DEBUG mode and for users having access to Recovery Shell.
But currently, having access to cbmem -L output and final PCRs content is making it too easy for Evil Maid to know what needs to be hardcoded to pass measured boot.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
When playing with long fbwhiptail/whiptail messages, this commit played around the long string using fold.
'''
echo -e "This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue." | fold -w 70 -s
'''
Which gave the exact output of what will be inside of the fbwhiptail prompt, fixed to 70 chars width:
'''
This will replace the encrypted container content and its LUKS Disk
Recovery Key.
The passphrase associated with this key will be asked from the user
under the following conditions:
1-Every boot if no Disk Unlock Key was added to the TPM
2-If the TPM fails (hardware failure)
3-If the firmware has been tampered with/modified by the user
This process requires you to type the current LUKS Disk Recovery Key
passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set
up, by setting a default boot LUKS key slot (1) if present.
At the next prompt, you may be asked to select which file corresponds
to the LUKS device container.
Hit Enter to continue.
'''
Therefore, for long prompts in the future, one can just deal with "\n 1-" alignments to be respected in prompts and have fold deal with cutting the length of strings properly.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Don't spew the root hashes to the console when creating the hash file.
This speeds up hash creation significantly. A basic Qubes install on a
cheap (slow) SATA SSD reduced from about 1.5 minutes to just under 1
minute, and a PureOS install on a fast NVMe disk reduced from 2.5
minutes to 1 minute.
Support opening LVM volume groups to find the root disk. If an LVM PV
is found, its group is opened and the 'root' volume is used. There is
no way to set the volume name in this iteration; this is the default
name used by Qubes and probably common to many LVM OS installations.
LUKS and LVM can be mixed. Tested LUKS (PureOS) and LUKS+LVM (Qubes).
Always cd to "$ROOT_MOUNT" in a subshell, improves robustness of
scripts (previously some functions only worked if they were called
after another function had cd'd to "$ROOT_MOUNT").
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Say the action to take in the menu (enable or disable) instead of just
"Check root hashes at boot".
Clean up some use of load_config_value, set_config, combine_configs.
Get config values from the environment directly. set_user_config does
set_config and combine_configs.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Laptops can include optional USB keyboard support (default off unless
the board also sets the default to 'y'). The setting is in the
configuration GUI.
CONFIG_USER_USB_KEYBOARD is now the user-controlled setting on those
boards. 'CONFIG_USB_KEYBOARD' is no longer used to avoid any conflict
with prior releases that expect this to be a compile-time setting only
(conflicts risk total lock out requiring hardware flash, so some
caution is justified IMO).
Boards previously exporting CONFIG_USB_KEYBOARD now export
CONFIG_USB_KEYBOARD_REQUIRED. Those boards don't have built-in
keyboards, USB keyboard is always enabled. (librem_mini,
librem_mini_v2, librem_11, librem_l1um, librem_l1um_v2, talos-2,
kgpe-d16_workstation-usb_keyboard, x230-hotp-maximized_usb-kb).
Librem laptops now export CONFIG_SUPPORT_USB_KEYBOARD to enable
optional support. The default is still 'off'.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
'find' may fail if I/O errors occur (medium faulty or removed,
filesystem corruption, etc.) Show a message if this occurs rather than
just dying and returning to the main menu.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
If the user selects a plain ROM, but that file can't be read, show a
message and exit rather than dying. Copy the ROM to RAM before doing
anything with it in case the media fails later.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
If we can't mount /boot, show a meaningful error rather than dropping
to a recovery shell.
Dropping to a recovery shell should be a last resort. Users that know
how to use the recovery shell know how to get there. Users that don't
know how to use it can be completely stuck and may not know how to get
back to the menu or even how to turn off the device.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Automatic boot can be configured in the configuration GUI. Options are
disable, 1 second, 5 seconds, or 10 seconds.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Change order if user chooses both reencrypt and change passphrase, so that passphrase is changed first.
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>