mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-19 04:57:55 +00:00
219 lines
4.3 KiB
Bash
Executable File
219 lines
4.3 KiB
Bash
Executable File
#!/bin/sh
|
|
# Shell functions for most initialization scripts
|
|
|
|
die() {
|
|
echo >&2 "$*";
|
|
exit 1;
|
|
}
|
|
|
|
warn() {
|
|
echo >&2 "$*";
|
|
}
|
|
|
|
recovery() {
|
|
echo >&2 "!!!!! $*"
|
|
|
|
# Remove any temporary secret files that might be hanging around
|
|
# but recreate the directory so that new tools can use it.
|
|
rm -rf /tmp/secret
|
|
mkdir -p /tmp/secret
|
|
if [ "$CONFIG_TPM" = y ]; then
|
|
tpm extend -ix 4 -ic recovery
|
|
fi
|
|
echo >&2 "!!!!! Starting recovery shell"
|
|
sleep 1
|
|
|
|
if [ -x /bin/setsid ]; then
|
|
exec /bin/setsid -c /bin/ash
|
|
else
|
|
exec /bin/ash
|
|
fi
|
|
}
|
|
|
|
pause_recovery() {
|
|
read -p 'Hit enter to proceed to recovery shell:'
|
|
recovery $*
|
|
}
|
|
|
|
pcrs() {
|
|
head -8 /sys/class/tpm/tpm0/pcrs
|
|
}
|
|
|
|
confirm_totp()
|
|
{
|
|
prompt="$1"
|
|
last_half=X
|
|
unset totp_confirm
|
|
|
|
while true; do
|
|
|
|
# update the TOTP code every thirty seconds
|
|
date=`date "+%Y-%m-%d %H:%M:%S"`
|
|
seconds=`date "+%s"`
|
|
half=`expr \( $seconds % 60 \) / 30`
|
|
if [ "$CONFIG_TPM" != y ]; then
|
|
TOTP="NO TPM"
|
|
elif [ "$half" != "$last_half" ]; then
|
|
last_half=$half;
|
|
TOTP=`unseal-totp` \
|
|
|| recovery "TOTP code generation failed"
|
|
fi
|
|
|
|
echo -n "$date $TOTP: "
|
|
|
|
# read the first character, non-blocking
|
|
read \
|
|
-t 1 \
|
|
-n 1 \
|
|
-s \
|
|
-p "$prompt" \
|
|
totp_confirm \
|
|
&& break
|
|
|
|
# nothing typed, redraw the line
|
|
echo -ne '\r'
|
|
done
|
|
|
|
# clean up with a newline
|
|
echo
|
|
}
|
|
|
|
enable_usb()
|
|
{
|
|
if [ "$CONFIG_LINUX_USB_COMPANION_CONTROLLER" = y ]; then
|
|
if ! lsmod | grep -q uhci_hcd; then
|
|
insmod /lib/modules/uhci-hcd.ko \
|
|
|| die "uhci_hcd: module load failed"
|
|
fi
|
|
if ! lsmod | grep -q ohci_hcd; then
|
|
insmod /lib/modules/ohci-hcd.ko \
|
|
|| die "ohci_hcd: module load failed"
|
|
fi
|
|
if ! lsmod | grep -q ohci_pci; then
|
|
insmod /lib/modules/ohci-pci.ko \
|
|
|| die "ohci_pci: module load failed"
|
|
fi
|
|
fi
|
|
if ! lsmod | grep -q ehci_hcd; then
|
|
insmod /lib/modules/ehci-hcd.ko \
|
|
|| die "ehci_hcd: module load failed"
|
|
fi
|
|
if ! lsmod | grep -q ehci_pci; then
|
|
insmod /lib/modules/ehci-pci.ko \
|
|
|| die "ehci_pci: module load failed"
|
|
fi
|
|
if ! lsmod | grep -q xhci_hcd; then
|
|
insmod /lib/modules/xhci-hcd.ko \
|
|
|| die "xhci_hcd: module load failed"
|
|
fi
|
|
if ! lsmod | grep -q xhci_pci; then
|
|
insmod /lib/modules/xhci-pci.ko \
|
|
|| die "xhci_pci: module load failed"
|
|
sleep 2
|
|
fi
|
|
}
|
|
|
|
confirm_gpg_card()
|
|
{
|
|
read \
|
|
-n 1 \
|
|
-p "Please confirm that your GPG card is inserted [Y/n]: " \
|
|
card_confirm
|
|
echo
|
|
|
|
if [ "$card_confirm" != "y" \
|
|
-a "$card_confirm" != "Y" \
|
|
-a -n "$card_confirm" ] \
|
|
; then
|
|
die "gpg card not confirmed"
|
|
fi
|
|
|
|
# setup the USB so we can reach the GPG card
|
|
enable_usb
|
|
|
|
gpg --card-status \
|
|
|| die "gpg card read failed"
|
|
}
|
|
|
|
|
|
check_tpm_counter()
|
|
{
|
|
# if the /boot.hashes file already exists, read the TPM counter ID
|
|
# from it.
|
|
if [ -r "$1" ]; then
|
|
TPM_COUNTER=`grep counter- "$1" | cut -d- -f2`
|
|
else
|
|
warn "$BOOT_HASHES does not exist; creating new TPM counter"
|
|
read -s -p "TPM Owner password: " tpm_password
|
|
echo
|
|
tpm counter_create \
|
|
-pwdo "$tpm_password" \
|
|
-pwdc '' \
|
|
-la 3135106223 \
|
|
| tee /tmp/counter \
|
|
|| die "Unable to create TPM counter"
|
|
TPM_COUNTER=`cut -d: -f1 < /tmp/counter`
|
|
fi
|
|
|
|
if [ -z "$TPM_COUNTER" ]; then
|
|
die "$1: TPM Counter not found?"
|
|
fi
|
|
}
|
|
|
|
read_tpm_counter()
|
|
{
|
|
tpm counter_read -ix "$1" | tee "/tmp/counter-$1" \
|
|
|| die "Counter read failed"
|
|
}
|
|
|
|
increment_tpm_counter()
|
|
{
|
|
tpm counter_increment -ix "$1" -pwdc '' \
|
|
| tee /tmp/counter-$1 \
|
|
|| die "Counter increment failed"
|
|
}
|
|
|
|
check_config() {
|
|
if [ ! -d /tmp/kexec ]; then
|
|
mkdir /tmp/kexec \
|
|
|| die 'Failed to make kexec tmp dir'
|
|
else
|
|
rm -rf /tmp/kexec/* \
|
|
|| die 'Failed to empty kexec tmp dir'
|
|
fi
|
|
|
|
if [ ! -r $1/kexec.sig ]; then
|
|
return
|
|
fi
|
|
|
|
if [ `find $1/kexec*.txt | wc -l` -eq 0 ]; then
|
|
return
|
|
fi
|
|
|
|
if [ "$2" != "force" ]; then
|
|
if ! sha256sum `find $1/kexec*.txt` | gpgv $1/kexec.sig - ; then
|
|
die 'Invalid signature on kexec boot params'
|
|
fi
|
|
fi
|
|
|
|
echo "+++ Found verified kexec boot params"
|
|
cp $1/kexec*.txt /tmp/kexec \
|
|
|| die "Failed to copy kexec boot params to tmp"
|
|
}
|
|
|
|
preserve_rom() {
|
|
new_rom="$1"
|
|
old_files=`cbfs -t 50 -l 2>/dev/null | grep "^heads/"`
|
|
|
|
for old_file in `echo $old_files`; do
|
|
new_file=`cbfs -o $1 -l | grep -x $old_file`
|
|
if [ -z "$new_file" ]; then
|
|
echo "+++ Adding $old_file to $1"
|
|
cbfs -t 50 -r $old_file >/tmp/rom.$$ \
|
|
|| die "Failed to read cbfs file from ROM"
|
|
cbfs -o $1 -a $old_file -f /tmp/rom.$$ \
|
|
|| die "Failed to write cbfs file to new ROM file"
|
|
fi
|
|
done
|
|
}
|