mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-19 04:57:55 +00:00
3eb62eed1a
As part of the config gui we want to be able to have the system define
new config options without them being lost if the user makes their own
changes in CBFS. To allow that this change creates a function initiated
in init that combines all /etc/config* files into /tmp/config. All
existing scripts have been changed to source /tmp/config instead of
/etc/config. The config-gui.sh script now uses /etc/config.user to hold
user configuration options but the combine_configs function will allow
that to expand as others want to split configuration out further.
As it stands here are the current config files:
/etc/config -- Compiled-in configuration options
/etc/config.user -- User preferences that override /etc/config
/tmp/config -- Running config referenced by the BIOS, combination
of existing configs
142 lines
3.3 KiB
Bash
Executable File
142 lines
3.3 KiB
Bash
Executable File
#!/bin/sh
|
|
# Save these options to be the persistent default
|
|
set -e -o pipefail
|
|
. /tmp/config
|
|
. /etc/functions
|
|
|
|
while getopts "b:d:p:i:" arg; do
|
|
case $arg in
|
|
b) bootdir="$OPTARG" ;;
|
|
d) paramsdev="$OPTARG" ;;
|
|
p) paramsdir="$OPTARG" ;;
|
|
i) index="$OPTARG" ;;
|
|
esac
|
|
done
|
|
|
|
if [ -z "$bootdir" -o -z "$index" ]; then
|
|
die "Usage: $0 -b /boot -i menu_option "
|
|
fi
|
|
|
|
if [ -z "$paramsdev" ]; then
|
|
paramsdev="$bootdir"
|
|
fi
|
|
|
|
if [ -z "$paramsdir" ]; then
|
|
paramsdir="$bootdir"
|
|
fi
|
|
|
|
bootdir="${bootdir%%/}"
|
|
paramsdev="${paramsdev%%/}"
|
|
paramsdir="${paramsdir%%/}"
|
|
|
|
TMP_MENU_FILE="/tmp/kexec/kexec_menu.txt"
|
|
ENTRY_FILE="$paramsdir/kexec_default.$index.txt"
|
|
HASH_FILE="$paramsdir/kexec_default_hashes.txt"
|
|
|
|
if [ ! -r "$TMP_MENU_FILE" ]; then
|
|
die "No menu options available, please run kexec-select-boot"
|
|
fi
|
|
|
|
entry=`head -n $index $TMP_MENU_FILE | tail -1`
|
|
if [ -z "$entry" ]; then
|
|
die "Invalid menu index $index"
|
|
fi
|
|
|
|
KEY_DEVICES="$paramsdir/kexec_key_devices.txt"
|
|
KEY_LVM="$paramsdir/kexec_key_lvm.txt"
|
|
save_key="n"
|
|
if [ "$CONFIG_TPM" = "y" ]; then
|
|
if [ ! -r "$KEY_DEVICES" ]; then
|
|
read \
|
|
-n 1 \
|
|
-p "Do you wish to add a disk encryption to the TPM [y/N]: " \
|
|
add_key_confirm
|
|
echo
|
|
|
|
if [ "$add_key_confirm" = "y" \
|
|
-o "$add_key_confirm" = "Y" ]; then
|
|
lvm_suggest="e.g. qubes_dom0 or blank"
|
|
devices_suggest="e.g. /dev/sda2 or blank"
|
|
save_key="y"
|
|
fi
|
|
else
|
|
read \
|
|
-n 1 \
|
|
-p "Do you want to reseal a disk key to the TPM [y/N]: " \
|
|
change_key_confirm
|
|
echo
|
|
|
|
if [ "$change_key_confirm" = "y" \
|
|
-o "$change_key_confirm" = "Y" ]; then
|
|
old_lvm_volume_group=""
|
|
if [ -r "$KEY_LVM" ]; then
|
|
old_lvm_volume_group=`cat $KEY_LVM` || true
|
|
old_key_devices=`cat $KEY_DEVICES \
|
|
| cut -d\ -f1 \
|
|
| grep -v "$old_lvm_volume_group" \
|
|
| xargs` || true
|
|
else
|
|
old_key_devices=`cat $KEY_DEVICES \
|
|
| cut -d\ -f1 | xargs` || true
|
|
fi
|
|
|
|
lvm_suggest="was '$old_lvm_volume_group'"
|
|
devices_suggest="was '$old_key_devices'"
|
|
save_key="y"
|
|
fi
|
|
fi
|
|
|
|
if [ "$save_key" = "y" ]; then
|
|
echo "+++ LVM volume groups (lvm vgscan): "
|
|
lvm vgscan || true
|
|
|
|
read \
|
|
-p "Encrypted LVM group? ($lvm_suggest): " \
|
|
lvm_volume_group
|
|
|
|
echo "+++ Block devices (blkid): "
|
|
blkid || true
|
|
|
|
read \
|
|
-p "Encrypted devices? ($devices_suggest): " \
|
|
key_devices
|
|
|
|
save_key_params="-s -p $paramsdev"
|
|
if [ -n "$lvm_volume_group" ]; then
|
|
save_key_params="$save_key_params -l $lvm_volume_group $key_devices"
|
|
else
|
|
save_key_params="$save_key_params $key_devices"
|
|
fi
|
|
echo "Running kexec-save-key with params: $save_key_params"
|
|
kexec-save-key $save_key_params \
|
|
|| die "Failed to save the disk key"
|
|
fi
|
|
fi
|
|
|
|
# try to switch to rw mode
|
|
mount -o rw,remount $paramsdev
|
|
|
|
if [ ! -d $paramsdir ]; then
|
|
mkdir -p $paramsdir \
|
|
|| die "Failed to create params directory"
|
|
fi
|
|
rm "$paramsdir/kexec_default.*.txt" 2>/dev/null || true
|
|
echo "$entry" > $ENTRY_FILE
|
|
cd $bootdir && kexec-boot -b "$bootdir" -e "$entry" -f | \
|
|
xargs sha256sum > $HASH_FILE \
|
|
|| die "Failed to create hashes of boot files"
|
|
if [ ! -r $ENTRY_FILE -o ! -r $HASH_FILE ]; then
|
|
die "Failed to write default config"
|
|
fi
|
|
|
|
# sign and auto-roll config counter
|
|
extparam=
|
|
if [ "$CONFIG_TPM" = "y" ]; then
|
|
extparam=-u
|
|
fi
|
|
kexec-sign-config -p $paramsdir $extparam \
|
|
|| die "Failed to sign default config"
|
|
|
|
# switch back to ro mode
|
|
mount -o ro,remount $paramsdev
|