mirror of
https://github.com/linuxboot/heads.git
synced 2025-01-22 12:28:04 +00:00
79da79a5e4
Restricted Boot mode only allows booting from signed files, whether that is signed kernels in /boot or signed ISOs on mounted USB disks. This disables booting from abitrary USB disks as well as the forced "unsafe" boot mode. This also disables the recovery console so you can't bypass this mode simply by running kexec manually. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
137 lines
3.2 KiB
Bash
137 lines
3.2 KiB
Bash
#!/bin/sh
|
|
#
|
|
# Core shell functions that do not require bash. These functions are used with
|
|
# busybox ash on legacy-flash boards, and with bash on all other boards.
|
|
|
|
die() {
|
|
echo >&2 "$*";
|
|
sleep 2;
|
|
exit 1;
|
|
}
|
|
|
|
warn() {
|
|
echo >&2 "$*";
|
|
sleep 1;
|
|
}
|
|
|
|
DEBUG() {
|
|
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ];then
|
|
echo "DEBUG: $*" | tee -a /tmp/debug.log >&2;
|
|
fi
|
|
}
|
|
|
|
TRACE() {
|
|
if [ "$CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" = "y" ];then
|
|
echo "TRACE: $*" | tee -a /tmp/debug.log >&2;
|
|
fi
|
|
}
|
|
|
|
preserve_rom() {
|
|
TRACE "Under /etc/ash_functions:preserve_rom"
|
|
new_rom="$1"
|
|
old_files=`cbfs -t 50 -l 2>/dev/null | grep "^heads/"`
|
|
|
|
for old_file in `echo $old_files`; do
|
|
new_file=`cbfs.sh -o $1 -l | grep -x $old_file`
|
|
if [ -z "$new_file" ]; then
|
|
echo "+++ Adding $old_file to $1"
|
|
cbfs -t 50 -r $old_file >/tmp/rom.$$ \
|
|
|| die "Failed to read cbfs file from ROM"
|
|
cbfs.sh -o $1 -a $old_file -f /tmp/rom.$$ \
|
|
|| die "Failed to write cbfs file to new ROM file"
|
|
fi
|
|
done
|
|
}
|
|
|
|
recovery() {
|
|
TRACE "Under /etc/ash_functions:recovery"
|
|
echo >&2 "!!!!! $*"
|
|
|
|
# Remove any temporary secret files that might be hanging around
|
|
# but recreate the directory so that new tools can use it.
|
|
|
|
#safe to always be true. Otherwise "set -e" would make it exit here
|
|
shred -n 10 -z -u /tmp/secret/* 2> /dev/null || true
|
|
rm -rf /tmp/secret
|
|
mkdir -p /tmp/secret
|
|
|
|
# ensure /tmp/config exists for recovery scripts that depend on it
|
|
touch /tmp/config
|
|
|
|
if [ "$CONFIG_TPM" = "y" ]; then
|
|
tpmr extend -ix 4 -ic recovery
|
|
fi
|
|
|
|
if [ "$CONFIG_RESTRICTED_BOOT" = y ]; then
|
|
echo >&2 "Restricted Boot enabled, recovery console disabled, rebooting in 5 seconds"
|
|
sleep 5
|
|
/bin/reboot
|
|
fi
|
|
while [ true ]
|
|
do
|
|
echo >&2 "!!!!! Starting recovery shell"
|
|
sleep 1
|
|
|
|
if [ -x /bin/setsid ]; then
|
|
/bin/setsid -c /bin/sh
|
|
else
|
|
/bin/sh
|
|
fi
|
|
done
|
|
}
|
|
|
|
pause_recovery() {
|
|
TRACE "Under /etc/ash_functions:pause_recovery"
|
|
read -p $'!!! Hit enter to proceed to recovery shell !!!\n'
|
|
recovery $*
|
|
}
|
|
|
|
combine_configs() {
|
|
TRACE "Under /etc/ash_functions:combine_configs"
|
|
cat /etc/config* > /tmp/config
|
|
}
|
|
|
|
enable_usb()
|
|
{
|
|
TRACE "Under /etc/ash_functions:enable_usb"
|
|
#insmod ehci_hcd prior of uhdc_hcd and ohci_hcd to suppress dmesg warning
|
|
if ! lsmod | grep -q ehci_hcd; then
|
|
insmod /lib/modules/ehci-hcd.ko \
|
|
|| die "ehci_hcd: module load failed"
|
|
fi
|
|
if [ "$CONFIG_LINUX_USB_COMPANION_CONTROLLER" = y ]; then
|
|
if ! lsmod | grep -q uhci_hcd; then
|
|
insmod /lib/modules/uhci-hcd.ko \
|
|
|| die "uhci_hcd: module load failed"
|
|
fi
|
|
if ! lsmod | grep -q ohci_hcd; then
|
|
insmod /lib/modules/ohci-hcd.ko \
|
|
|| die "ohci_hcd: module load failed"
|
|
fi
|
|
if ! lsmod | grep -q ohci_pci; then
|
|
insmod /lib/modules/ohci-pci.ko \
|
|
|| die "ohci_pci: module load failed"
|
|
fi
|
|
fi
|
|
if ! lsmod | grep -q ehci_pci; then
|
|
insmod /lib/modules/ehci-pci.ko \
|
|
|| die "ehci_pci: module load failed"
|
|
fi
|
|
if ! lsmod | grep -q xhci_hcd; then
|
|
insmod /lib/modules/xhci-hcd.ko \
|
|
|| die "xhci_hcd: module load failed"
|
|
fi
|
|
if ! lsmod | grep -q xhci_pci; then
|
|
insmod /lib/modules/xhci-pci.ko \
|
|
|| die "xhci_pci: module load failed"
|
|
sleep 2
|
|
fi
|
|
|
|
if [ "$CONFIG_USB_KEYBOARD" = y ]; then
|
|
if ! lsmod | grep -q usbhid; then
|
|
insmod /lib/modules/usbhid.ko \
|
|
|| die "usbhid: module load failed"
|
|
fi
|
|
fi
|
|
}
|