heads/initrd/bin/qubes-update
Francis Lam 8004b5df2a
Added the ability to persist a default boot option
Similar to qubes-update, it will save then verify the hashes of
the kexec files. Once TOTP is verified, a normal boot will verify
that the file hashes and all the kexec params match and if
successful, boot directly to OS.

Also added a config option to require hash verification for
non-recovery boots, failing to recovery not met.
2017-07-04 19:49:14 -04:00

62 lines
1.3 KiB
Bash
Executable File

#!/bin/sh
# Update the /boot partition signatures
set -o pipefail
. /etc/functions
XEN="$1"
KERNEL="$2"
INITRD="$3"
BOOT_HASHES="/boot/boot.hashes"
if [ -z "$XEN" -o -z "$KERNEL" -o -z "$INITRD" ]; then
die "Usage: $0 /boot/xen... /boot/vmlinuz... /boot/initramfs..."
fi
confirm_gpg_card
# if the /boot.hashes file already exists, read the TPM counter ID
# from it.
if [ -r "$BOOT_HASHES" ]; then
TPM_COUNTER=`grep counter- "$BOOT_HASHES" | cut -d- -f2`
else
warn "$BOOT_HASHES does not exist; creating new TPM counter"
read -s -p "TPM Owner password: " tpm_password
echo
tpm counter_create \
-pwdo "$tpm_password" \
-pwdc '' \
-la 3135106223 \
| tee /tmp/counter \
|| die "Unable to create TPM counter"
TPM_COUNTER=`cut -d: -f1 < /tmp/counter`
fi
if [ -z "$TPM_COUNTER" ]; then
die "$BOOT_HASHES: TPM Counter not found?"
fi
mount -o rw,remount /boot \
|| die "Could not remount /boot"
tpm counter_increment -ix "$TPM_COUNTER" -pwdc '' \
| tee /tmp/counter-$TPM_COUNTER \
|| die "Counter increment failed"
sha256sum \
"$XEN" \
"$KERNEL" \
"$INITRD" \
"/tmp/counter-$TPM_COUNTER" \
| tee "$BOOT_HASHES"
for tries in 1 2 3; do
if gpg --detach-sign -a "$BOOT_HASHES"; then
mount -o ro,remount /boot
exit 0
fi
done
warn "$BOOT_HASHES: Unable to sign boot hashes"
mount -o ro,remount /boot
exit 1