heads/initrd/bin
Thierry Laurion f43fe1a836 initrd/bin/kexec-seal-key initrd/etc/luks-functions: last fixups
- fi misplaced
- rework reencryption loop
- added verbose output on TPM DUK key addition when LUKS container can be unlocked with DRK

Current state, left todo for future work:

TPM DUK:
- TPM DUK setup on default boot reuses /boot/kexec_key_devices.txt if present
- If not, lists all LUKS partitions, asks the user for a selection and makes sure the LUKS passphrase can unlock all of them
- Works on both LUKSv1 and LUKSv2 containers, reusing OS installer settings (Heads doesn't enforce better LUKS parameters than the OS installer's)

LUKS passphrase change/LUKS reencryption:
- Reuses /boot/kexec_key_devices.txt if existing
- If not, prompts for the LUKS passphrase, lists all LUKS containers that are not USB based and attempts to unlock all of them, listing only the ones successfully unlocked
- Prompts the user to reuse the found unlockable LUKS partitions with the LUKS passphrase, caches them and reuses them in other LUKS operations (passphrase change as well, from OEM factory reset/re-ownership)
- Deals properly with LUKSv1/LUKSv2/multiple LUKS containers and reencrypts/changes passphrases on them all if accepted, otherwise asks the user to select an individual LUKS container

Tested on LUKSv1, LUKSv2, btrfs under LUKS (2 containers) and TPM DUK setup up to booting the OS. All good.

TODO:
- LUKS passphrase check is done multiple times across TPM DUK, reencryption and LUKS passphrase change. Could refactor to change this, but since this op is done only once (reencrypt+passphrase change) upon hardware reception from OEM, I stopped caring here.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-10-30 14:18:20 -04:00
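The selection-and-verification flow the commit message describes (reuse the cached device list if present, otherwise probe non-USB LUKS containers, keep only those a single passphrase unlocks, then apply one operation to all of them) written out as an added bash example. This is not Heads' own kexec-seal-key or luks-functions code. It assumes the cached /boot/kexec_key_devices.txt holds one `<device> <uuid>` pair per line, a `cryptsetup` binary, and sysfs for the USB check; the `CRYPTSETUP` and `USB_CHECK` hooks, and every `/dev/fake*` path, are mine, added so the logic can be exercised without real LUKS devices.

```bash
#!/bin/bash
# Added example, not Heads code. Multi-container LUKS selection with a
# single passphrase, mirroring the flow in the commit message above.
set -u

CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"                      # hook: test doubles override this
USB_CHECK="${USB_CHECK:-sysfs_is_usb}"                      # hook: function name, "<dev>" -> 0 if USB
KEY_DEVICES="${KEY_DEVICES:-/boot/kexec_key_devices.txt}"   # assumed format: "<device> <uuid>" per line

# A USB-attached disk, or any partition on it, resolves to a sysfs path that
# passes through a usbN node. Partition paths resolve under their parent disk.
sysfs_is_usb() {
    readlink -f "/sys/class/block/$(basename "$1")" 2>/dev/null | grep -q '/usb'
}

# Print the arguments that are LUKS containers and not USB-backed.
luks_candidates() {
    local dev
    for dev in "$@"; do
        "$USB_CHECK" "$dev" && continue
        "$CRYPTSETUP" isLuks "$dev" 2>/dev/null && echo "$dev"
    done
    return 0
}

# Print the subset of devices that the passphrase in file $1 unlocks.
# `open --test-passphrase` checks a key slot without creating a mapping, so
# this is safe to run against containers that are not meant to be activated.
unlockable_with() {
    local passfile="$1"; shift
    local dev
    for dev in "$@"; do
        if "$CRYPTSETUP" open --test-passphrase --key-file="$passfile" "$dev" >/dev/null 2>&1; then
            echo "$dev"
        fi
    done
    return 0
}

# Decide which containers to operate on. A cached list is only trusted if the
# passphrase still unlocks every device it names; a stale or tampered list
# would otherwise silently narrow or widen the set of disks that get touched.
# Without a cache, probe the candidate devices given as arguments.
# (Device paths carry no whitespace, so unquoted expansion is intentional.)
select_devices() {
    local passfile="$1"; shift
    local listed unlockable
    if [ -s "$KEY_DEVICES" ]; then
        listed=$(awk '{print $1}' "$KEY_DEVICES")
        unlockable=$(unlockable_with "$passfile" $listed)
        if [ "$unlockable" != "$listed" ]; then
            echo "cached device list does not match what the passphrase unlocks; refusing" >&2
            return 1
        fi
        echo "$listed"
    else
        unlockable_with "$passfile" $(luks_candidates "$@")
    fi
}

# Apply the same passphrase change to every selected container. Each failure is
# reported and the loop continues, so a half-converted multi-container system
# is visible to the user instead of hidden behind the first error.
change_passphrase_all() {
    local oldfile="$1" newfile="$2"; shift 2
    local dev rc=0
    for dev in "$@"; do
        if "$CRYPTSETUP" luksChangeKey -q --key-file="$oldfile" "$dev" "$newfile" >/dev/null 2>&1; then
            echo "changed: $dev"
        else
            echo "FAILED: $dev" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: main <current-passphrase-file> <new-passphrase-file> <candidate devices...>
main() {
    local oldfile="$1" newfile="$2"; shift 2
    local devs
    devs=$(select_devices "$oldfile" "$@") || return 1
    [ -n "$devs" ] || { echo "no LUKS container unlocks with that passphrase" >&2; return 1; }
    change_passphrase_all "$oldfile" "$newfile" $devs
}
```

On a real system the passphrase files should live on a tmpfs and be removed afterwards; the functions take file paths rather than strings so the passphrase never appears in the process list.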
Name | Last commit message | Last commit date
basic-autoboot.sh | Add PureBoot Basic Mode | 2023-06-21 13:26:45 -04:00
cbfs-init | TPM extend ops: Augment output of TPM1/TPM2 for filename and file content hash ops | 2024-09-06 17:15:53 -04:00
cbfs.sh | all scripts: replace TRACE manual strings with dynamic tracing by bash debug | 2024-02-01 15:48:27 -05:00
change-time.sh | change-time.sh: Remind of the system time when beginning | 2024-08-06 14:01:49 -04:00
config-gui.sh | config-gui.sh: fix bug happening when clearing all user config settings/calling config-gui.sh from recovery shell | 2024-10-29 15:21:51 -04:00
flash-gui.sh | Add functions to handle normal, warning, and error for whiptail and fbwhiptail. | 2024-06-25 17:26:14 +00:00
flash.sh | flash.sh: remove last references in code to flashrom, use more generic FLASH_OPTIONS instead, might change in the future. | 2024-10-29 08:58:09 -04:00
flashprog-kgpe-d16-openbmc.sh | kgpe-d16 server: TODO AST1100 patch still missing @i-c-o-n https://github.com/linuxboot/heads/blob/master/patches/flashrom-b1f858f65b2abd276542650d8cb9e382da258967/0100-enable-kgpe-d16.patch | 2024-10-29 08:58:09 -04:00
generic-init | all scripts: replace TRACE manual strings with dynamic tracing by bash debug | 2024-02-01 15:48:27 -05:00
gpg-gui.sh | Add functions to handle normal, warning, and error for whiptail and fbwhiptail. | 2024-06-25 17:26:14 +00:00
gpgv | all scripts: replace TRACE manual strings with dynamic tracing by bash debug | 2024-02-01 15:48:27 -05:00
gui-init | oem-factory-reset gui-init: fix whiptail_error segfaulting because it was calling itself, fix typo in gui-init | 2024-09-04 14:26:57 -04:00
gui-init-basic | Add functions to handle normal, warning, and error for whiptail and fbwhiptail. | 2024-06-25 17:26:14 +00:00
inject_firmware.sh | initrd/bin/inject_firmware.sh: Fix warning command | 2024-01-19 09:53:53 -05:00
kexec-boot | kexec-boot: Only capture kexec -d output to log, not console/kmsg | 2024-04-19 14:14:54 -04:00
kexec-insert-key | TPM extend ops: Augment output of TPM1/TPM2 for filename and file content hash ops | 2024-09-06 17:15:53 -04:00
kexec-iso-init | kexec-iso-init: Always show kernel arguments suppressions/additions overrides | 2024-10-16 18:33:02 -04:00
kexec-parse-bls | all scripts: replace TRACE manual strings with dynamic tracing by bash debug | 2024-02-01 15:48:27 -05:00
kexec-parse-boot | all scripts: replace TRACE manual strings with dynamic tracing by bash debug | 2024-02-01 15:48:27 -05:00
kexec-save-default | cryptsetup2 toolstack version bump and script fixes to support multi-LUKS containers (BTRFS QubesOS 4.2) | 2024-10-30 14:18:20 -04:00
kexec-save-key | all scripts: replace TRACE manual strings with dynamic tracing by bash debug | 2024-02-01 15:48:27 -05:00
kexec-seal-key | initrd/bin/kexec-seal-key initrd/etc/luks-functions: last fixups | 2024-10-30 14:18:20 -04:00
kexec-select-boot | TPM extend ops: Augment output of TPM1/TPM2 for filename and file content hash ops | 2024-09-06 17:15:53 -04:00
kexec-sign-config | all scripts: replace TRACE manual strings with dynamic tracing by bash debug | 2024-02-01 15:48:27 -05:00
kexec-unseal-key | kexec-insert-key: refactor tampering check for encrypted disk keys prior to TPM unsealing ops | 2024-04-11 14:50:40 -04:00
key-init | key-init: If time resets, tell user to set it, but allow skipping | 2024-09-06 09:27:37 -04:00
lock_chip | all scripts: replace TRACE manual strings with dynamic tracing by bash debug | 2024-02-01 15:48:27 -05:00
media-scan | Add functions to handle normal, warning, and error for whiptail and fbwhiptail. | 2024-06-25 17:26:14 +00:00
mount-usb | Add functions to handle normal, warning, and error for whiptail and fbwhiptail. | 2024-06-25 17:26:14 +00:00
network-init-recovery | initrd/bin/network-init-recovery: kill dropbear unconditionally prior to starting it | 2024-02-23 12:17:47 -05:00
oem-factory-reset | cryptsetup2 toolstack version bump and script fixes to support multi-LUKS containers (BTRFS QubesOS 4.2) | 2024-10-30 14:18:20 -04:00
oem-system-info-xx30 | Add functions to handle normal, warning, and error for whiptail and fbwhiptail. | 2024-06-25 17:26:14 +00:00
poweroff | nitropad-nx: use standard shutdown/reboot commands | 2024-06-20 18:27:05 +02:00
qubes-measure-luks | TPM extend ops: Augment output of TPM1/TPM2 for filename and file content hash ops | 2024-09-06 17:15:53 -04:00
reboot | nitropad-nx: use standard shutdown/reboot commands | 2024-06-20 18:27:05 +02:00
root-hashes-gui.sh | Add functions to handle normal, warning, and error for whiptail and fbwhiptail. | 2024-06-25 17:26:14 +00:00
seal-hotpkey | Add functions to handle normal, warning, and error for whiptail and fbwhiptail. | 2024-06-25 17:26:14 +00:00
seal-totp | seal-totp: add missing PCR7 DEBUG call for CBFS measured content, add DEBUG for TOTP secret/qrcode output to console | 2024-10-30 14:18:20 -04:00
setconsolefont.sh | all scripts: replace TRACE manual strings with dynamic tracing by bash debug | 2024-02-01 15:48:27 -05:00
talos-init | initrd/bin/talos-init: remove alias for cbmem and bump coreboot revision | 2023-07-12 14:50:54 +02:00
tpm-reset | TPM2 DUK and TOTP/HOTP reseal fix, refactoring and differentiating tpm_password into tpm_owner_password and reusing correctly | 2023-11-01 10:07:27 -04:00
tpmr | TPM extend ops: Augment output of TPM1/TPM2 for filename and file content hash ops | 2024-09-06 17:15:53 -04:00
uefi-init | tpm2-tools: Change sense of CONFIG_TPM to mean any TPM, not just TPM1. | 2023-03-08 12:45:46 -05:00
unpack_initramfs.sh | all scripts: replace TRACE manual strings with dynamic tracing by bash debug | 2024-02-01 15:48:27 -05:00
unseal-hotp | Fix HOTP verification logic (and counter increment) in gui-init and oem-factory-reset scripts | 2024-04-22 17:24:21 -04:00
unseal-totp | all scripts: replace TRACE manual strings with dynamic tracing by bash debug | 2024-02-01 15:48:27 -05:00
usb-autoboot.sh | Add USB autoboot feature to PureBoot Basic | 2023-06-21 13:26:46 -04:00
usb-init | all scripts: replace TRACE manual strings with dynamic tracing by bash debug | 2024-02-01 15:48:27 -05:00
wget-measure.sh | all scripts: replace TRACE manual strings with dynamic tracing by bash debug | 2024-02-01 15:48:27 -05:00
wipe-totp | Implement Restricted Boot Mode | 2023-06-21 13:26:45 -04:00
xx30-flash.init | Combine t430-flash.init, x23-flash.init, fix insmod | 2023-03-13 13:23:29 -04:00