heads/initrd/init
Trammell Hudson c40748aa25
Build time configuration for startup scripts and modules.
This addresses multiple issues:

* Issue #63: initrd is build fresh each time, so tracked files do not matter.
* Issue #144: build time configuration
* Issue #123: allows us to customize the startup experience
* Issue #122: manual start-xen will go away
* Issue #25: tpmtotp PCRs are updated after reading the secret
* Issue #16: insmod now meaures modules
2017-03-31 11:18:46 -04:00

66 lines
1.4 KiB
Bash
Executable File

#!/bin/ash
# First thing it is vital to mount the /dev and other system directories
mkdir /proc /sys /dev /tmp /boot 2>&- 1>&-
mount -t devtmpfs none /dev
mount -t proc none /proc
mount -t sysfs none /sys
# Setup our path
export PATH=/sbin:/bin
# Now it is safe to print a banner
if [ -r /etc/motd ]; then
cat /etc/motd
fi
# Load the date from the hardware clock, setting it in local time
hwclock -l -s
# Read the system configuration parameters
. /config
if [ -z "$CONFIG_TIMEOUT" ]; then
CONFIG_TIMEOUT=10
fi
while true; do
# Verify the user's TPM secret
echo "TPM TOTP:"
if ! unsealtotp.sh ; then
echo '!!!!!'
echo '!!!!! TPM TOTP secret not found.'
echo '!!!!! This firmware can not be trusted.'
echo '!!!!! Entering recovery shell'
echo '!!!!!'
tpm extend -ix 4 -ic "tpm-failure"
exec /bin/ash
fi
# Secret decrypted ok, so prompt for a next step
read \
-t "$CONFIG_TIMEOUT" \
-p "Enter for normal boot or 'r' for recovery shell: " \
-n 1 \
boot_option
if [ "$boot_option" = "r" ]; then
# Start an interactive shell
echo '***** Starting recovery shell'
tpm extend -ix 4 -ic "recovery"
exec /bin/ash
fi
if [ "$boot_option" = "" ]; then
if [ ! -x "$CONFIG_BOOTSCRIPT" ]; then
echo '!!!!! Boot script missing? Entering recovery shell'
tpm extend -ix 4 -ic "boot-failure"
exec /bin/ash
fi
echo '***** Normal boot'
tpm extend -ix 4 -ic "normal-boot"
exec "$CONFIG_BOOTSCRIPT"
fi
done