mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-19 21:17:55 +00:00
87eff7b775
Blob jail provides device firmware blobs to the OS, so the OS does not have to ship them. The firmware is passed through the initrd to /run/firmware, so it works with both installed and live OSes, and there are no race conditions between firmware load and firmware availability. The injection method in the initrd is specific to the style of init script used by PureOS, since it must add a copy command to copy the firmware from the initrd to /run. If the init script is not of this type, boot proceeds without device firmware. This feature can be enabled or disabled from the config GUI. Blob jail is enabled automatically if the Intel AX200 Wi-Fi module is installed and the feature hasn't been explicitly configured. Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
464 lines
18 KiB
Bash
Executable File
464 lines
18 KiB
Bash
Executable File
#!/bin/bash
|
|
#
|
|
set -e -o pipefail
|
|
. /etc/functions
|
|
. /etc/gui_functions
|
|
. /tmp/config
|
|
|
|
TRACE "Under /bin/config-gui.sh"
|
|
|
|
ROOT_HASH_FILE="/boot/kexec_root_hashes.txt"
|
|
|
|
param=$1
|
|
|
|
# Read the current ROM; if it fails display an error and exit.
|
|
read_rom() {
|
|
/bin/flash.sh -r "$1"
|
|
if [ ! -s "$1" ]; then
|
|
whiptail $BG_COLOR_ERROR --title 'ERROR: BIOS Read Failed!' \
|
|
--msgbox "Unable to read BIOS" 0 80
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
while true; do
|
|
if [ ! -z "$param" ]; then
|
|
# use first char from parameter
|
|
menu_choice=${param::1}
|
|
unset param
|
|
else
|
|
# check current PureBoot Mode
|
|
BASIC_MODE="$(load_config_value CONFIG_PUREBOOT_BASIC)"
|
|
# check current Restricted Boot Mode
|
|
RESTRICTED_BOOT="$(load_config_value CONFIG_RESTRICTED_BOOT)"
|
|
# check current state of blob jail
|
|
USE_JAIL="$(load_config_value CONFIG_USE_BLOB_JAIL)"
|
|
AUTOMATIC_POWERON="$(load_config_value CONFIG_AUTOMATIC_POWERON)"
|
|
BASIC_NO_AUTOMATIC_DEFAULT="$(load_config_value CONFIG_BASIC_NO_AUTOMATIC_DEFAULT)"
|
|
BASIC_USB_AUTOBOOT="$(load_config_value CONFIG_BASIC_USB_AUTOBOOT)"
|
|
|
|
dynamic_config_options=()
|
|
|
|
# Options that don't apply to basic mode
|
|
[ "$BASIC_MODE" != "y" ] && dynamic_config_options+=(
|
|
'r' ' Clear GPG key(s) and reset all user settings'
|
|
'R' ' Change the root device for hashing'
|
|
'D' ' Change the root directories to hash'
|
|
'B' ' Check root hashes at boot'
|
|
'L' " $(get_config_display_action "$RESTRICTED_BOOT") Restricted Boot"
|
|
)
|
|
|
|
# Basic itself is always available
|
|
dynamic_config_options+=(
|
|
'P' " $(get_config_display_action "$BASIC_MODE") PureBoot Basic Mode"
|
|
)
|
|
|
|
# Blob jail is only offered if this is a configuration with the blobs in
|
|
# firmware
|
|
[ "$CONFIG_SUPPORT_BLOB_JAIL" = "y" ] && dynamic_config_options+=(
|
|
'J' " $(get_config_display_action "$USE_JAIL") Firmware Blob Jail"
|
|
)
|
|
|
|
# Basic-only options for automatic boot
|
|
[ "$BASIC_MODE" = "y" ] && dynamic_config_options+=(
|
|
'A' " $(get_inverted_config_display_action "$BASIC_NO_AUTOMATIC_DEFAULT") automatic default boot"
|
|
'U' " $(get_config_display_action "$BASIC_USB_AUTOBOOT") USB automatic boot"
|
|
)
|
|
|
|
# Automatic power on - requires board support
|
|
[ "$CONFIG_SUPPORT_AUTOMATIC_POWERON" = "y" ] && dynamic_config_options+=(
|
|
'N' " $(get_config_display_action "$AUTOMATIC_POWERON") Automatic Power-On"
|
|
)
|
|
|
|
unset menu_choice
|
|
whiptail $BG_COLOR_MAIN_MENU --title "Config Management Menu" \
|
|
--menu "This menu lets you change settings for the current BIOS session.\n\nAll changes will revert after a reboot,\n\nunless you also save them to the running BIOS." 0 80 10 \
|
|
'b' ' Change the /boot device' \
|
|
"${dynamic_config_options[@]}" \
|
|
's' ' Save the current configuration to the running BIOS' \
|
|
'x' ' Return to Main Menu' \
|
|
2>/tmp/whiptail || recovery "GUI menu failed"
|
|
|
|
menu_choice=$(cat /tmp/whiptail)
|
|
fi
|
|
|
|
case "$menu_choice" in
|
|
"x" )
|
|
exit 0
|
|
;;
|
|
"b" )
|
|
CURRENT_OPTION=`grep 'CONFIG_BOOT_DEV=' /tmp/config | tail -n1 | cut -f2 -d '=' | tr -d '"'`
|
|
if ! fdisk -l | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" > /tmp/disklist.txt ; then
|
|
whiptail $BG_COLOR_ERROR --title 'ERROR: No bootable devices found' \
|
|
--msgbox " $ERROR\n\n" 16 60
|
|
exit 1
|
|
fi
|
|
# filter out extraneous options
|
|
> /tmp/boot_device_list.txt
|
|
for i in `cat /tmp/disklist.txt`; do
|
|
# remove block device from list if numeric partitions exist, since not bootable
|
|
DEV_NUM_PARTITIONS=$((`ls -1 $i* | wc -l`-1))
|
|
if [ ${DEV_NUM_PARTITIONS} -eq 0 ]; then
|
|
echo $i >> /tmp/boot_device_list.txt
|
|
else
|
|
ls $i* | tail -${DEV_NUM_PARTITIONS} >> /tmp/boot_device_list.txt
|
|
fi
|
|
done
|
|
file_selector "/tmp/boot_device_list.txt" \
|
|
"Choose the default /boot device.\n\nCurrently set to $CURRENT_OPTION." \
|
|
"Boot Device Selection"
|
|
if [ "$FILE" == "" ]; then
|
|
return
|
|
else
|
|
SELECTED_FILE=$FILE
|
|
fi
|
|
|
|
# unmount /boot if needed
|
|
if grep -q /boot /proc/mounts ; then
|
|
umount /boot 2>/dev/null
|
|
fi
|
|
# mount newly selected /boot device
|
|
if ! mount -o ro $SELECTED_FILE /boot 2>/tmp/error ; then
|
|
ERROR=`cat /tmp/error`
|
|
whiptail $BG_COLOR_ERROR --title 'ERROR: unable to mount /boot' \
|
|
--msgbox " $ERROR\n\n" 16 60
|
|
exit 1
|
|
fi
|
|
|
|
replace_config /etc/config.user "CONFIG_BOOT_DEV" "$SELECTED_FILE"
|
|
combine_configs
|
|
|
|
whiptail --title 'Config change successful' \
|
|
--msgbox "The /boot device was successfully changed to $SELECTED_FILE" 16 60
|
|
;;
|
|
"s" )
|
|
read_rom /tmp/config-gui.rom
|
|
|
|
replace_rom_file /tmp/config-gui.rom "heads/initrd/etc/config.user" /etc/config.user
|
|
|
|
if (whiptail --title 'Update ROM?' \
|
|
--yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 0 80) then
|
|
/bin/flash.sh /tmp/config-gui.rom
|
|
whiptail --title 'BIOS Updated Successfully' \
|
|
--msgbox "BIOS updated successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 16 60
|
|
/bin/reboot
|
|
else
|
|
exit 0
|
|
fi
|
|
;;
|
|
"r" )
|
|
# prompt for confirmation
|
|
if (whiptail $BG_COLOR_WARNING --title 'Reset Configuration?' \
|
|
--yesno "This will clear all GPG keys, clear boot signatures and checksums,
|
|
\nreset the /boot device, clear/reset the TPM (if present),
|
|
\nand reflash your BIOS with the cleaned configuration.
|
|
\n\nDo you want to proceed?" 0 80) then
|
|
read_rom /tmp/config-gui.rom
|
|
# clear local keyring
|
|
rm /.gnupg/* | true
|
|
# clear /boot signatures/checksums
|
|
mount -o remount,rw /boot
|
|
rm /boot/kexec* | true
|
|
mount -o remount,ro /boot
|
|
# clear GPG keys and user settings
|
|
for i in `cbfs.sh -o /tmp/config-gui.rom -l | grep -e "heads/"`; do
|
|
cbfs.sh -o /tmp/config-gui.rom -d $i
|
|
done
|
|
# flash cleared ROM
|
|
/bin/flash.sh -c /tmp/config-gui.rom
|
|
# reset TPM if present
|
|
if [ "$CONFIG_TPM" = "y" ]; then
|
|
/bin/tpm-reset
|
|
fi
|
|
whiptail --title 'Configuration Reset Updated Successfully' \
|
|
--msgbox "Configuration reset and BIOS updated successfully.\n\nPress Enter to reboot" 16 60
|
|
/bin/reboot
|
|
else
|
|
exit 0
|
|
fi
|
|
;;
|
|
"R" )
|
|
CURRENT_OPTION=`grep 'CONFIG_ROOT_DEV=' /tmp/config | tail -n1 | cut -f2 -d '=' | tr -d '"'`
|
|
fdisk -l | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" > /tmp/disklist.txt
|
|
# filter out extraneous options
|
|
> /tmp/root_device_list.txt
|
|
for i in `cat /tmp/disklist.txt`; do
|
|
# remove block device from list if numeric partitions exist, since not bootable
|
|
DEV_NUM_PARTITIONS=$((`ls -1 $i* | wc -l`-1))
|
|
if [ ${DEV_NUM_PARTITIONS} -eq 0 ]; then
|
|
echo $i >> /tmp/root_device_list.txt
|
|
else
|
|
ls $i* | tail -${DEV_NUM_PARTITIONS} >> /tmp/root_device_list.txt
|
|
fi
|
|
done
|
|
file_selector "/tmp/root_device_list.txt" \
|
|
"Choose the default root device.\n\nCurrently set to $CURRENT_OPTION." \
|
|
"Root Device Selection"
|
|
if [ "$FILE" == "" ]; then
|
|
return
|
|
else
|
|
SELECTED_FILE=$FILE
|
|
fi
|
|
|
|
replace_config /etc/config.user "CONFIG_ROOT_DEV" "$SELECTED_FILE"
|
|
combine_configs
|
|
|
|
whiptail --title 'Config change successful' \
|
|
--msgbox "The root device was successfully changed to $SELECTED_FILE" 0 80
|
|
;;
|
|
"D" )
|
|
CURRENT_OPTION=`grep 'CONFIG_ROOT_DIRLIST=' /tmp/config | tail -n1 | cut -f2 -d '=' | tr -d '"'`
|
|
|
|
echo "The current list of directories to hash is $CURRENT_OPTION"
|
|
echo -e "\nEnter the new list of directories separated by spaces, without any beginning forward slashes:"
|
|
echo -e "(Press enter with the list empty to cancel)"
|
|
read -r NEW_CONFIG_ROOT_DIRLIST
|
|
|
|
# strip any leading forward slashes in case the user ignored us
|
|
NEW_CONFIG_ROOT_DIRLIST=$(echo $NEW_CONFIG_ROOT_DIRLIST | sed -e 's/^\///;s/ \// /g')
|
|
|
|
#check if list empty
|
|
if [ -s $NEW_CONFIG_ROOT_DIRLIST ] ; then
|
|
whiptail --title 'Config change canceled' \
|
|
--msgbox "Root device directory change canceled by user" 0 80
|
|
break
|
|
fi
|
|
|
|
replace_config /etc/config.user "CONFIG_ROOT_DIRLIST" "$NEW_CONFIG_ROOT_DIRLIST"
|
|
combine_configs
|
|
|
|
whiptail --title 'Config change successful' \
|
|
--msgbox "The root directories to hash was successfully changed to:\n$NEW_CONFIG_ROOT_DIRLIST" 0 80
|
|
;;
|
|
"B" )
|
|
CURRENT_OPTION=`grep 'CONFIG_ROOT_CHECK_AT_BOOT=' /tmp/config | tail -n1 | cut -f2 -d '=' | tr -d '"'`
|
|
if [ "$CURRENT_OPTION" = "n" ]; then
|
|
if (whiptail --title 'Enable Root Hash Check at Boot?' \
|
|
--yesno "This will enable checking root hashes each time you boot.
|
|
\nDepending on the directories you are checking, this might add
|
|
\na minute or more to the boot time.
|
|
\n\nDo you want to proceed?" 0 80) then
|
|
|
|
replace_config /etc/config.user "CONFIG_ROOT_CHECK_AT_BOOT" "y"
|
|
combine_configs
|
|
|
|
# check that root hash file exists
|
|
if [ ! -f ${ROOT_HASH_FILE} ]; then
|
|
if (whiptail --title 'Generate Root Hash File' \
|
|
--yesno "\nNo root hash file exists.
|
|
\nWould you like to create the initial hash file now?" 0 80) then
|
|
root-hashes-gui.sh -n
|
|
fi
|
|
fi
|
|
|
|
whiptail --title 'Config change successful' \
|
|
--msgbox "The root device will be checked at each boot." 0 80
|
|
|
|
fi
|
|
else
|
|
if (whiptail --title 'Disable Root Hash Check at Boot?' \
|
|
--yesno "This will disable checking root hashes each time you boot.
|
|
\n\nDo you want to proceed?" 0 80) then
|
|
|
|
replace_config /etc/config.user "CONFIG_ROOT_CHECK_AT_BOOT" "n"
|
|
combine_configs
|
|
|
|
whiptail --title 'Config change successful' \
|
|
--msgbox "The root device will not be checked at each boot." 0 80
|
|
fi
|
|
fi
|
|
;;
|
|
"P" )
|
|
if ! [ "$RESTRICTED_BOOT" = n ]; then
|
|
whiptail $BG_COLOR_ERROR --title 'Restricted Boot Active' \
|
|
--msgbox "Disable Restricted Boot to enable Basic Mode." 0 80
|
|
elif [ "$BASIC_MODE" = "n" ]; then
|
|
if (whiptail --title 'Enable PureBoot Basic Mode?' \
|
|
--yesno "This will remove all signature checking on the firmware
|
|
\nand boot files, and disable use of the Librem Key.
|
|
\n\nDo you want to proceed?" 0 80) then
|
|
|
|
set_config /etc/config.user "CONFIG_PUREBOOT_BASIC" "y"
|
|
combine_configs
|
|
|
|
whiptail --title 'Config change successful' \
|
|
--msgbox "PureBoot Basic mode enabled;\nsave the config change and reboot for it to go into effect." 0 80
|
|
|
|
fi
|
|
else
|
|
if (whiptail --title 'Disable PureBoot Basic Mode?' \
|
|
--yesno "This will enable all signature checking on the firmware
|
|
\nand boot files, and enable use of the Librem Key.
|
|
\n\nDo you want to proceed?" 0 80) then
|
|
|
|
set_config /etc/config.user "CONFIG_PUREBOOT_BASIC" "n"
|
|
combine_configs
|
|
|
|
whiptail --title 'Config change successful' \
|
|
--msgbox "PureBoot Basic mode has been disabled;\nsave the config change and reboot for it to go into effect." 0 80
|
|
fi
|
|
fi
|
|
;;
|
|
"L" )
|
|
if [ "$RESTRICTED_BOOT" = "n" ]; then
|
|
if (whiptail --title 'Enable Restricted Boot Mode?' \
|
|
--yesno "This will disable booting from any unsigned files,
|
|
\nincluding kernels that have not yet been signed,
|
|
\n.isos without signatures, raw USB disks,
|
|
\nand will disable failsafe boot mode.
|
|
\n\nThis will also disable the recovery console.
|
|
\n\nDo you want to proceed?" 0 80) then
|
|
|
|
set_config /etc/config.user "CONFIG_RESTRICTED_BOOT" "y"
|
|
combine_configs
|
|
|
|
whiptail --title 'Config change successful' \
|
|
--msgbox "Restricted Boot mode enabled;\nsave the config change and reboot for it to go into effect." 0 80
|
|
|
|
fi
|
|
else
|
|
if (whiptail --title 'Disable Restricted Boot Mode?' \
|
|
--yesno "This will allow booting from unsigned devices,
|
|
\nand will re-enable failsafe boot mode.
|
|
\n\nThis will also RESET the TPM and re-enable the recovery console.
|
|
\n\nProceeding will automatically update the boot firmware, reset TPM and reboot!
|
|
\n\nDo you want to proceed?" 0 80) then
|
|
|
|
# Wipe the TPM TOTP/HOTP secret before flashing. Otherwise, enabling
|
|
# Restricted Boot again might restore the firmware to an identical
|
|
# state, and there would be no evidence that it had been temporarily
|
|
# disabled.
|
|
if ! wipe-totp >/dev/null 2>/tmp/error; then
|
|
ERROR=$(tail -n 1 /tmp/error | fold -s)
|
|
whiptail $BG_COLOR_ERROR --title 'ERROR: erasing TOTP secret' \
|
|
--msgbox "Erasing TOTP Secret Failed\n\n${ERROR}" 0 80
|
|
exit 1
|
|
fi
|
|
|
|
# We can't allow Restricted Boot to be disabled without flashing the
|
|
# firmware - this would allow the use of unrestricted mode without
|
|
# leaving evidence in the firmware. Disable it by flashing the new
|
|
# config directly.
|
|
FLASH_USER_CONFIG=/tmp/config-gui-config-user
|
|
cp /etc/config.user "$FLASH_USER_CONFIG"
|
|
set_config "$FLASH_USER_CONFIG" "CONFIG_RESTRICTED_BOOT" "n"
|
|
|
|
read_rom /tmp/config-gui.rom
|
|
|
|
replace_rom_file /tmp/config-gui.rom "heads/initrd/etc/config.user" "$FLASH_USER_CONFIG"
|
|
|
|
/bin/flash.sh /tmp/config-gui.rom
|
|
whiptail --title 'BIOS Updated Successfully' \
|
|
--msgbox "BIOS updated successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 0 80
|
|
/bin/reboot
|
|
fi
|
|
fi
|
|
;;
|
|
"J" )
|
|
if [ "$USE_JAIL" = "n" ]; then
|
|
if (whiptail --title 'Enable Firmware Blob Jail?' \
|
|
--yesno "This will enable loading of firmware from flash on each boot
|
|
\n\nDo you want to proceed?" 0 80) then
|
|
|
|
toggle_config /etc/config.user "CONFIG_USE_BLOB_JAIL"
|
|
combine_configs
|
|
|
|
whiptail --title 'Config change successful' \
|
|
--msgbox "Firmware Blob Jail use has been enabled;\nsave the config change and reboot for it to go into effect." 16 60
|
|
|
|
fi
|
|
else
|
|
if (whiptail --title 'Disable Firmware Blob Jail?' \
|
|
--yesno "This will disable loading of firmware from flash on each boot.
|
|
\n\nDo you want to proceed?" 0 80) then
|
|
toggle_config /etc/config.user "CONFIG_USE_BLOB_JAIL"
|
|
combine_configs
|
|
|
|
whiptail --title 'Config change successful' \
|
|
--msgbox "Firmware Blob Jail use has been disabled;\nsave the config change and reboot for it to go into effect." 0 80
|
|
fi
|
|
fi
|
|
;;
|
|
"A" )
|
|
if [ "$BASIC_NO_AUTOMATIC_DEFAULT" = "n" ]; then
|
|
if (whiptail --title 'Disable automatic default boot?' \
|
|
--yesno "You will need to select a default boot option.
|
|
\nIf the boot options are changed, such as for an OS update,
|
|
\nyou will be prompted to select a new default.
|
|
\n\nDo you want to proceed?" 0 80) then
|
|
|
|
set_config /etc/config.user "CONFIG_BASIC_NO_AUTOMATIC_DEFAULT" "y"
|
|
combine_configs
|
|
|
|
whiptail --title 'Config change successful' \
|
|
--msgbox "Automatic default boot disabled;\nsave the config change and reboot for it to go into effect." 0 80
|
|
fi
|
|
else
|
|
if (whiptail --title 'Enable automatic default boot?' \
|
|
--yesno "The first boot option will be used automatically.
|
|
\n\nDo you want to proceed?" 0 80) then
|
|
|
|
set_config /etc/config.user "CONFIG_BASIC_NO_AUTOMATIC_DEFAULT" "n"
|
|
combine_configs
|
|
|
|
whiptail --title 'Config change successful' \
|
|
--msgbox "Automatic default boot enabled;\nsave the config change and reboot for it to go into effect." 0 80
|
|
fi
|
|
fi
|
|
;;
|
|
"U" )
|
|
if [ "$BASIC_USB_AUTOBOOT" = "n" ]; then
|
|
if (whiptail --title 'Enable USB automatic boot?' \
|
|
--yesno "During boot, an attached bootable USB disk will be booted
|
|
\nby default instead of the installed operating system.
|
|
\n\nDo you want to proceed?" 0 80) then
|
|
|
|
set_config /etc/config.user "CONFIG_BASIC_USB_AUTOBOOT" "y"
|
|
combine_configs
|
|
|
|
whiptail --title 'Config change successful' \
|
|
--msgbox "USB automatic boot enabled;\nsave the config change and reboot for it to go into effect." 0 80
|
|
fi
|
|
else
|
|
if (whiptail --title 'Disable USB automatic boot?' \
|
|
--yesno "USB disks will no longer be booted by default.
|
|
\n\nDo you want to proceed?" 0 80) then
|
|
|
|
set_config /etc/config.user "CONFIG_BASIC_USB_AUTOBOOT" "n"
|
|
combine_configs
|
|
|
|
whiptail --title 'Config change successful' \
|
|
--msgbox "USB automatic boot disabled;\nsave the config change and reboot for it to go into effect." 0 80
|
|
fi
|
|
fi
|
|
;;
|
|
"N" )
|
|
if [ "$AUTOMATIC_POWERON" = "n" ]; then
|
|
if (whiptail --title 'Enable automatic power-on?' \
|
|
--yesno "The system will boot automatically when power is applied.
|
|
\n\nDo you want to proceed?" 0 80) then
|
|
|
|
toggle_config /etc/config.user "CONFIG_AUTOMATIC_POWERON"
|
|
combine_configs
|
|
|
|
whiptail --title 'Config change successful' \
|
|
--msgbox "Automatic power-on enabled;\nsave the config change and reboot for it to go into effect." 0 80
|
|
fi
|
|
else
|
|
if (whiptail --title 'Disable automatic power-on?' \
|
|
--yesno "The system will stay off when power is applied.
|
|
\n\nDo you want to proceed?" 0 80) then
|
|
|
|
toggle_config /etc/config.user "CONFIG_AUTOMATIC_POWERON"
|
|
combine_configs
|
|
|
|
whiptail --title 'Config change successful' \
|
|
--msgbox "Automatic power-on disabled;\nsave the config change and reboot for it to go into effect." 0 80
|
|
fi
|
|
fi
|
|
;;
|
|
esac
|
|
|
|
done
|
|
exit 0
|