mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-20 21:43:11 +00:00
353a0efe6f
This adds support for seamless booting of Qubes with a TPM disk key, as well as signing of qubes files in /boot with a Yubikey. The signed hashes also includes a TPM counter, which is incremented when new hashes are signed. This prevents rollback attacks against the /boot filesystem. The TPMTOTP value is presented to the user at the time of entering the disk encryption keys. Hitting enter will generate a new code. The LUKS headers are included in the TPM sealing of the disk encryption keys.
39 lines
1.0 KiB
Bash
Executable File
39 lines
1.0 KiB
Bash
Executable File
#!/bin/sh
|
|
# Final stage to start qubes given a Xen, dom0 kernel and initrd
|
|
# get the UUID of the root file system
|
|
# busybox blkid doesn't have a "just the UUID" option
|
|
. /etc/functions
|
|
. /etc/config
|
|
|
|
XEN="$1"
|
|
KERNEL="$2"
|
|
INITRD="$3"
|
|
|
|
if [ -z "$XEN" -o -z "$KERNEL" -o -z "$INITRD" ]; then
|
|
die "Usage: $0 /boot/xen... /boot/vmlinuz... /boot/initramfs..."
|
|
fi
|
|
|
|
# Activate the dom0 group, if it isn't already active
|
|
lvm vgchange -a y "$CONFIG_QUBES_VG" \
|
|
|| die "$CONFIG_QUBES_VG: LVM volume group activate failed"
|
|
|
|
ROOT_UUID=`blkid /dev/$CONFIG_QUBES_VG/00 | cut -d\" -f2`
|
|
if [ -z "$ROOT_UUID" ]; then
|
|
die "$CONFIG_QUBES_VG/00: No UUID for /"
|
|
fi
|
|
|
|
echo "$CONFIG_QUBES_VG/00: UUID=$ROOT_UUID"
|
|
|
|
# command line arguments are include in the signature on this script,
|
|
echo '+++ Loading kernel and initrd'
|
|
kexec \
|
|
-l \
|
|
--module "$KERNEL root=/dev/mapper/luks-$ROOT_UUID ro rd.qubes.hide_all_usb" \
|
|
--module "$INITRD" \
|
|
--command-line "no-real-mode reboot=no" \
|
|
"${XEN}" \
|
|
|| die "kexec load failed"
|
|
|
|
echo "+++ Starting Qubes..."
|
|
exec kexec -e
|