mirror of
https://github.com/linuxboot/heads.git
synced 2025-01-21 20:08:03 +00:00
3c76bdc510
fix bugs introduced by #1698 Signed-off-by: Thierry Laurion <insurgo@riseup.net>
681 lines
21 KiB
Bash
Executable File
681 lines
21 KiB
Bash
Executable File
#!/bin/bash
|
|
# Boot from a local disk installation
|
|
|
|
BOARD_NAME=${CONFIG_BOARD_NAME:-${CONFIG_BOARD}}
|
|
MAIN_MENU_TITLE="${BOARD_NAME} | $CONFIG_BRAND_NAME Boot Menu"
|
|
export BG_COLOR_MAIN_MENU="normal"
|
|
|
|
. /etc/functions
|
|
. /etc/gui_functions
|
|
. /etc/luks-functions
|
|
. /tmp/config
|
|
|
|
# skip_to_menu is set if the user selects "continue to the main menu" from any
|
|
# error, so we will indeed go to the main menu even if other errors occur. It's
|
|
# reset when we reach the main menu so the user can retry from the main menu and
|
|
# # see errors again.
|
|
skip_to_menu="false"
|
|
|
|
|
|
|
|
mount_boot()
|
|
{
|
|
TRACE_FUNC
|
|
# Mount local disk if it is not already mounted
|
|
while ! grep -q /boot /proc/mounts ; do
|
|
# try to mount if CONFIG_BOOT_DEV exists
|
|
if [ -e "$CONFIG_BOOT_DEV" ]; then
|
|
mount -o ro $CONFIG_BOOT_DEV /boot
|
|
[[ $? -eq 0 ]] && continue
|
|
fi
|
|
|
|
# CONFIG_BOOT_DEV doesn't exist or couldn't be mounted, so give user options
|
|
BG_COLOR_MAIN_MENU="error"
|
|
whiptail_error --title "ERROR: No Bootable OS Found!" \
|
|
--menu " No bootable OS was found on the default boot device $CONFIG_BOOT_DEV.
|
|
How would you like to proceed?" 0 80 4 \
|
|
'b' ' Select a new boot device' \
|
|
'u' ' Boot from USB' \
|
|
'm' ' Continue to the main menu' \
|
|
'x' ' Exit to recovery shell' \
|
|
2>/tmp/whiptail || recovery "GUI menu failed"
|
|
|
|
option=$(cat /tmp/whiptail)
|
|
case "$option" in
|
|
b )
|
|
config-gui.sh boot_device_select
|
|
if [ $? -eq 0 ]; then
|
|
# update CONFIG_BOOT_DEV
|
|
. /tmp/config
|
|
BG_COLOR_MAIN_MENU="normal"
|
|
fi
|
|
;;
|
|
u )
|
|
exec /bin/usb-init
|
|
;;
|
|
m )
|
|
skip_to_menu="true"
|
|
break
|
|
;;
|
|
* )
|
|
recovery "User requested recovery shell"
|
|
;;
|
|
esac
|
|
done
|
|
}
|
|
|
|
verify_global_hashes()
|
|
{
|
|
TRACE_FUNC
|
|
# Check the hashes of all the files, ignoring signatures for now
|
|
check_config /boot force
|
|
TMP_HASH_FILE="/tmp/kexec/kexec_hashes.txt"
|
|
TMP_TREE_FILE="/tmp/kexec/kexec_tree.txt"
|
|
TMP_PACKAGE_TRIGGER_PRE="/tmp/kexec/kexec_package_trigger_pre.txt"
|
|
TMP_PACKAGE_TRIGGER_POST="/tmp/kexec/kexec_package_trigger_post.txt"
|
|
|
|
if verify_checksums /boot ; then
|
|
return 0
|
|
elif [[ ! -f "$TMP_HASH_FILE" || ! -f "$TMP_TREE_FILE" ]] ; then
|
|
if (whiptail_error --title 'ERROR: Missing File!' \
|
|
--yesno "One of the files containing integrity information for /boot is missing!\n\nIf you are setting up heads for the first time or upgrading from an\nolder version, select Yes to create the missing files.\n\nOtherwise this could indicate a compromise and you should select No to\nreturn to the main menu.\n\nWould you like to create the missing files now?" 0 80) then
|
|
if update_checksums ; then
|
|
BG_COLOR_MAIN_MENU="normal"
|
|
return 0;
|
|
else
|
|
whiptail_error --title 'ERROR' \
|
|
--msgbox "Failed to update checksums / sign default config" 0 80
|
|
fi
|
|
fi
|
|
BG_COLOR_MAIN_MENU="error"
|
|
return 1
|
|
else
|
|
CHANGED_FILES=$(grep -v 'OK$' /tmp/hash_output | cut -f1 -d ':' | tee -a /tmp/hash_output_mismatches)
|
|
CHANGED_FILES_COUNT=$(wc -l /tmp/hash_output_mismatches | cut -f1 -d ' ')
|
|
|
|
# if files changed before package manager started, show stern warning
|
|
if [ -f "$TMP_PACKAGE_TRIGGER_PRE" ]; then
|
|
PRE_CHANGED_FILES=$(grep '^CHANGED_FILES' $TMP_PACKAGE_TRIGGER_POST | cut -f 2 -d '=' | tr -d '"')
|
|
TEXT="The following files failed the verification process BEFORE package updates ran:\n${PRE_CHANGED_FILES}\n\nCompare against the files $CONFIG_BRAND_NAME has detected have changed:\n${CHANGED_FILES}\n\nThis could indicate a compromise!\n\nWould you like to update your checksums anyway?"
|
|
|
|
# if files changed after package manager started, probably caused by package manager
|
|
elif [ -f "$TMP_PACKAGE_TRIGGER_POST" ]; then
|
|
LAST_PACKAGE_LIST=$(grep -E "^(Install|Remove|Upgrade|Reinstall):" $TMP_PACKAGE_TRIGGER_POST)
|
|
UPDATE_INITRAMFS_PACKAGE=$(grep '^UPDATE_INITRAMFS_PACKAGE' $TMP_PACKAGE_TRIGGER_POST | cut -f 2 -d '=' | tr -d '"')
|
|
|
|
if [ "$UPDATE_INITRAMFS_PACKAGE" != "" ]; then
|
|
TEXT="The following files failed the verification process AFTER package updates ran:\n${CHANGED_FILES}\n\nThis is likely due to package triggers in$UPDATE_INITRAMFS_PACKAGE.\n\nYou will need to update your checksums for all files in /boot.\n\nWould you like to update your checksums now?"
|
|
else
|
|
TEXT="The following files failed the verification process AFTER package updates ran:\n${CHANGED_FILES}\n\nThis might be due to the following package updates:\n$LAST_PACKAGE_LIST.\n\nYou will need to update your checksums for all files in /boot.\n\nWould you like to update your checksums now?"
|
|
fi
|
|
|
|
else
|
|
if [ $CHANGED_FILES_COUNT -gt 10 ]; then
|
|
# drop to console to show full file list
|
|
whiptail_error --title 'ERROR: Boot Hash Mismatch' \
|
|
--msgbox "${CHANGED_FILES_COUNT} files failed the verification process!\\n\nThis could indicate a compromise!\n\nHit OK to review the list of files.\n\nType \"q\" to exit the list and return." 0 80
|
|
|
|
echo "Type \"q\" to exit the list and return." >> /tmp/hash_output_mismatches
|
|
less /tmp/hash_output_mismatches
|
|
#move outdated hash mismatch list
|
|
mv /tmp/hash_output_mismatches /tmp/hash_output_mismatch_old
|
|
TEXT="Would you like to update your checksums now?"
|
|
else
|
|
TEXT="The following files failed the verification process:\n\n${CHANGED_FILES}\n\nThis could indicate a compromise!\n\nWould you like to update your checksums now?"
|
|
fi
|
|
fi
|
|
|
|
if (whiptail_error --title 'ERROR: Boot Hash Mismatch' --yesno "$TEXT" 0 80) then
|
|
if update_checksums ; then
|
|
BG_COLOR_MAIN_MENU="normal"
|
|
return 0;
|
|
else
|
|
whiptail_error --title 'ERROR' \
|
|
--msgbox "Failed to update checksums / sign default config" 0 80
|
|
fi
|
|
fi
|
|
BG_COLOR_MAIN_MENU="error"
|
|
return 1
|
|
fi
|
|
}
|
|
|
|
prompt_update_checksums()
|
|
{
|
|
TRACE_FUNC
|
|
if (whiptail_warning --title 'Update Checksums and sign all files in /boot' \
|
|
--yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that these files have not been tampered with.\n\nYou will need your GPG key available, and this change will modify your disk.\n\nDo you want to continue?" 0 80) then
|
|
if ! update_checksums ; then
|
|
whiptail_error --title 'ERROR' \
|
|
--msgbox "Failed to update checksums / sign default config" 0 80
|
|
fi
|
|
fi
|
|
}
|
|
|
|
generate_totp_hotp()
|
|
{
|
|
TRACE_FUNC
|
|
tpm_owner_password="$1" # May be empty, will prompt if needed and empty
|
|
if [ "$CONFIG_TPM" != "y" ] && [ -x /bin/hotp_verification ]; then
|
|
echo "Generating new HOTP secret"
|
|
/bin/seal-hotpkey
|
|
elif echo -e "Generating new TOTP secret...\n\n" && /bin/seal-totp "$BOARD_NAME" "$tpm_owner_password"; then
|
|
echo
|
|
if [ -x /bin/hotp_verification ]; then
|
|
if [ "$CONFIG_TOTP_SKIP_QRCODE" != y ]; then
|
|
echo "Once you have scanned the QR code, hit Enter to configure your HOTP USB Security Dongle (e.g. Librem Key or Nitrokey)"
|
|
read
|
|
fi
|
|
/bin/seal-hotpkey
|
|
else
|
|
if [ "$CONFIG_TOTP_SKIP_QRCODE" != y ]; then
|
|
echo "Once you have scanned the QR code, hit Enter to continue"
|
|
read
|
|
fi
|
|
fi
|
|
# clear screen
|
|
printf "\033c"
|
|
else
|
|
warn "Unsealing TOTP/HOTP secret from previous sealed measurements failed"
|
|
warn 'Try "Generate new HOTP/TOTP secret" option if you updated firmware content'
|
|
fi
|
|
}
|
|
|
|
update_totp()
|
|
{
|
|
TRACE_FUNC
|
|
# update the TOTP code
|
|
date=`date "+%Y-%m-%d %H:%M:%S %Z"`
|
|
tries=0
|
|
if [ "$CONFIG_TPM" != "y" ]; then
|
|
TOTP="NO TPM"
|
|
else
|
|
TOTP=`unseal-totp`
|
|
# On platforms using CONFIG_BOOT_EXTRA_TTYS multiple processes may try to
|
|
# access TPM at the same time, failing with EBUSY. The order of execution
|
|
# is unpredictable, so the error may appear on main console, secondary one,
|
|
# or neither of them if the calls are sufficiently staggered. Try up to
|
|
# three times (including previous one) with small delays in case of error,
|
|
# instead of immediately scaring users with "you've been pwned" message.
|
|
while [ $? -ne 0 ] && [ $tries -lt 2 ]; do
|
|
sleep 0.5
|
|
((tries++))
|
|
TOTP=`unseal-totp`
|
|
done
|
|
if [ $? -ne 0 ]; then
|
|
BG_COLOR_MAIN_MENU="error"
|
|
if [ "$skip_to_menu" = "true" ]; then
|
|
return 1 # Already asked to skip to menu from a prior error
|
|
fi
|
|
|
|
DEBUG "CONFIG_TPM: $CONFIG_TPM"
|
|
DEBUG "CONFIG_TPM2_TOOLS: $CONFIG_TPM2_TOOLS"
|
|
DEBUG "Show PCRs"
|
|
DEBUG "$(pcrs)"
|
|
|
|
whiptail_error --title "ERROR: TOTP Generation Failed!" \
|
|
--menu " ERROR: $CONFIG_BRAND_NAME couldn't generate the TOTP code.\n
|
|
If you have just completed a Factory Reset, or just reflashed
|
|
your BIOS, you should generate a new HOTP/TOTP secret.\n
|
|
If this is the first time the system has booted, you should
|
|
reset the TPM and set your own password.\n
|
|
If you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n
|
|
How would you like to proceed?" 0 80 4 \
|
|
'g' ' Generate new HOTP/TOTP secret' \
|
|
'i' ' Ignore error and continue to main menu' \
|
|
'p' ' Reset the TPM' \
|
|
'x' ' Exit to recovery shell' \
|
|
2>/tmp/whiptail || recovery "GUI menu failed"
|
|
|
|
option=$(cat /tmp/whiptail)
|
|
case "$option" in
|
|
g )
|
|
if (whiptail_warning --title 'Generate new TOTP/HOTP secret' \
|
|
--yesno "This will erase your old secret and replace it with a new one!\n\nDo you want to proceed?" 0 80) then
|
|
generate_totp_hotp && update_totp && BG_COLOR_MAIN_MENU="normal" && reseal_tpm_disk_decryption_key
|
|
fi
|
|
;;
|
|
i )
|
|
skip_to_menu="true"
|
|
return 1
|
|
;;
|
|
p )
|
|
reset_tpm && update_totp && BG_COLOR_MAIN_MENU="normal" && reseal_tpm_disk_decryption_key
|
|
;;
|
|
x )
|
|
recovery "User requested recovery shell"
|
|
;;
|
|
esac
|
|
fi
|
|
fi
|
|
}
|
|
|
|
update_hotp()
|
|
{
|
|
TRACE_FUNC
|
|
HOTP="Unverified"
|
|
if [ -x /bin/hotp_verification ]; then
|
|
if ! hotp_verification info ; then
|
|
if [ "$skip_to_menu" = "true" ]; then
|
|
return 1 # Already asked to skip to menu from a prior error
|
|
fi
|
|
if ! whiptail_warning \
|
|
--title "WARNING: Please Insert Your $HOTPKEY_BRANDING" \
|
|
--yes-button "Retry" --no-button "Skip" \
|
|
--yesno "Your $HOTPKEY_BRANDING was not detected.\n\nPlease insert your $HOTPKEY_BRANDING" 0 80 ; then
|
|
HOTP="Error checking code, Insert $HOTPKEY_BRANDING and retry"
|
|
BG_COLOR_MAIN_MENU="warning"
|
|
return
|
|
fi
|
|
fi
|
|
HOTP=`unseal-hotp`
|
|
# Don't output HOTP codes to screen, so as to make replay attacks harder
|
|
hotp_verification check "$HOTP"
|
|
case "$?" in
|
|
0 )
|
|
HOTP="Success"
|
|
BG_COLOR_MAIN_MENU="normal"
|
|
;;
|
|
4|7 ) # 4: code was incorrect, 7: code was not a valid HOTP code at all
|
|
HOTP="Invalid code"
|
|
BG_COLOR_MAIN_MENU="error"
|
|
;;
|
|
* )
|
|
HOTP="Error checking code, Insert $HOTPKEY_BRANDING and retry"
|
|
BG_COLOR_MAIN_MENU="warning"
|
|
;;
|
|
esac
|
|
else
|
|
HOTP='N/A'
|
|
fi
|
|
|
|
if [[ "$CONFIG_TPM" = n && "$HOTP" = "Invalid code" ]]; then
|
|
whiptail_error --title "ERROR: HOTP Validation Failed!" \
|
|
--menu "ERROR: $CONFIG_BRAND_NAME couldn't validate the HOTP code.\n\nIf you just reflashed your BIOS, you should generate a new TOTP/HOTP secret.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 0 80 4 \
|
|
'g' ' Generate new TOTP/HOTP secret' \
|
|
'i' ' Ignore error and continue to main menu' \
|
|
'x' ' Exit to recovery shell' \
|
|
2>/tmp/whiptail || recovery "GUI menu failed"
|
|
|
|
option=$(cat /tmp/whiptail)
|
|
case "$option" in
|
|
g )
|
|
if (whiptail_warning --title 'Generate new TOTP/HOTP secret' \
|
|
--yesno "This will erase your old secret and replace it with a new one!\n\nDo you want to proceed?" 0 80) then
|
|
generate_totp_hotp && BG_COLOR_MAIN_MENU="normal" && reseal_tpm_disk_decryption_key
|
|
fi
|
|
;;
|
|
i )
|
|
return 1
|
|
;;
|
|
x )
|
|
recovery "User requested recovery shell"
|
|
;;
|
|
esac
|
|
fi
|
|
}
|
|
|
|
clean_boot_check()
|
|
{
|
|
TRACE_FUNC
|
|
# assume /boot mounted
|
|
if ! grep -q /boot /proc/mounts ; then
|
|
return
|
|
fi
|
|
|
|
# check for any kexec files in /boot
|
|
kexec_files=`find /boot -name kexec*.txt`
|
|
[ ! -z "$kexec_files" ] && return
|
|
|
|
#check for GPG key in keyring
|
|
GPG_KEY_COUNT=`gpg -k 2>/dev/null | wc -l`
|
|
[ $GPG_KEY_COUNT -ne 0 ] && return
|
|
|
|
# check for USB security token
|
|
if [ -x /bin/hotp_verification ]; then
|
|
if ! gpg --card-status > /dev/null ; then
|
|
return
|
|
fi
|
|
fi
|
|
|
|
# OS is installed, no kexec files present, no GPG keys in keyring, security token present
|
|
# prompt user to run OEM factory reset
|
|
oem-factory-reset \
|
|
"Clean Boot Detected - Perform OEM Factory Reset / Re-Ownership?"
|
|
}
|
|
|
|
check_gpg_key()
|
|
{
|
|
TRACE_FUNC
|
|
GPG_KEY_COUNT=`gpg -k 2>/dev/null | wc -l`
|
|
if [ $GPG_KEY_COUNT -eq 0 ]; then
|
|
BG_COLOR_MAIN_MENU="error"
|
|
if [ "$skip_to_menu" = "true" ]; then
|
|
return 1 # Already asked to skip to menu from a prior error
|
|
fi
|
|
whiptail_error --title "ERROR: GPG keyring empty!" \
|
|
--menu "ERROR: $CONFIG_BRAND_NAME couldn't find any GPG keys in your keyring.\n\nIf this is the first time the system has booted,\nyou should add a public GPG key to the BIOS now.\n\nIf you just reflashed a new BIOS, you'll need to add at least one\npublic key to the keyring.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 0 80 4 \
|
|
'g' ' Add a GPG key to the running BIOS' \
|
|
'F' ' OEM Factory Reset / Re-Ownership' \
|
|
'i' ' Ignore error and continue to main menu' \
|
|
'x' ' Exit to recovery shell' \
|
|
2>/tmp/whiptail || recovery "GUI menu failed"
|
|
|
|
option=$(cat /tmp/whiptail)
|
|
case "$option" in
|
|
g )
|
|
gpg-gui.sh && BG_COLOR_MAIN_MENU="normal"
|
|
;;
|
|
i )
|
|
skip_to_menu="true"
|
|
return 1
|
|
;;
|
|
F )
|
|
oem-factory-reset
|
|
;;
|
|
|
|
x )
|
|
recovery "User requested recovery shell"
|
|
;;
|
|
esac
|
|
fi
|
|
}
|
|
|
|
prompt_auto_default_boot()
|
|
{
|
|
TRACE_FUNC
|
|
echo -e "\nHOTP verification success\n\n"
|
|
if pause_automatic_boot; then
|
|
echo -e "\n\nAttempting default boot...\n\n"
|
|
attempt_default_boot
|
|
fi
|
|
}
|
|
|
|
show_main_menu()
|
|
{
|
|
TRACE_FUNC
|
|
date=`date "+%Y-%m-%d %H:%M:%S %Z"`
|
|
whiptail_type $BG_COLOR_MAIN_MENU --title "$MAIN_MENU_TITLE" \
|
|
--menu "$date\nTOTP: $TOTP | HOTP: $HOTP" 0 80 10 \
|
|
'd' ' Default boot' \
|
|
'r' ' Refresh TOTP/HOTP' \
|
|
'o' ' Options -->' \
|
|
's' ' System Info' \
|
|
'p' ' Power Off' \
|
|
2>/tmp/whiptail || recovery "GUI menu failed"
|
|
|
|
option=$(cat /tmp/whiptail)
|
|
case "$option" in
|
|
d )
|
|
attempt_default_boot
|
|
;;
|
|
r )
|
|
update_totp && update_hotp
|
|
;;
|
|
o )
|
|
show_options_menu
|
|
;;
|
|
s )
|
|
show_system_info
|
|
;;
|
|
p )
|
|
poweroff
|
|
;;
|
|
esac
|
|
}
|
|
|
|
show_options_menu()
|
|
{
|
|
TRACE_FUNC
|
|
whiptail_type $BG_COLOR_MAIN_MENU --title "$CONFIG_BRAND_NAME Options" \
|
|
--menu "" 0 80 10 \
|
|
'b' ' Boot Options -->' \
|
|
't' ' TPM/TOTP/HOTP Options -->' \
|
|
'h' ' Change system time' \
|
|
'u' ' Update checksums and sign all files in /boot' \
|
|
'c' ' Change configuration settings -->' \
|
|
'f' ' Flash/Update the BIOS -->' \
|
|
'g' ' GPG Options -->' \
|
|
'F' ' OEM Factory Reset / Re-Ownership -->' \
|
|
'C' ' Reencrypt LUKS container -->' \
|
|
'P' ' Change LUKS Disk Recovery Key passphrase ->' \
|
|
'R' ' Check/Update file hashes on root disk -->' \
|
|
'x' ' Exit to recovery shell' \
|
|
'r' ' <-- Return to main menu' \
|
|
2>/tmp/whiptail || recovery "GUI menu failed"
|
|
|
|
option=$(cat /tmp/whiptail)
|
|
case "$option" in
|
|
b )
|
|
show_boot_options_menu
|
|
;;
|
|
t )
|
|
show_tpm_totp_hotp_options_menu
|
|
;;
|
|
h )
|
|
change-time.sh
|
|
;;
|
|
u )
|
|
prompt_update_checksums
|
|
;;
|
|
c )
|
|
config-gui.sh
|
|
;;
|
|
f )
|
|
flash-gui.sh
|
|
;;
|
|
g )
|
|
gpg-gui.sh
|
|
;;
|
|
F )
|
|
oem-factory-reset
|
|
;;
|
|
C )
|
|
luks_reencrypt
|
|
luks_secrets_cleanup
|
|
;;
|
|
P )
|
|
luks_change_passphrase
|
|
luks_secrets_cleanup
|
|
;;
|
|
R )
|
|
root-hashes-gui.sh
|
|
;;
|
|
x )
|
|
recovery "User requested recovery shell"
|
|
;;
|
|
r )
|
|
;;
|
|
esac
|
|
}
|
|
|
|
show_boot_options_menu()
|
|
{
|
|
TRACE_FUNC
|
|
whiptail_type $BG_COLOR_MAIN_MENU --title "Boot Options" \
|
|
--menu "Select A Boot Option" 0 80 10 \
|
|
'm' ' Show OS boot menu' \
|
|
'u' ' USB boot' \
|
|
'i' ' Ignore tampering and force a boot (Unsafe!)' \
|
|
'r' ' <-- Return to main menu' \
|
|
2>/tmp/whiptail || recovery "GUI menu failed"
|
|
|
|
option=$(cat /tmp/whiptail)
|
|
case "$option" in
|
|
m )
|
|
# select a kernel from the menu
|
|
select_os_boot_option
|
|
;;
|
|
u )
|
|
exec /bin/usb-init
|
|
;;
|
|
i )
|
|
force_unsafe_boot
|
|
;;
|
|
r )
|
|
;;
|
|
esac
|
|
}
|
|
|
|
show_tpm_totp_hotp_options_menu()
|
|
{
|
|
TRACE_FUNC
|
|
whiptail_type $BG_COLOR_MAIN_MENU --title "TPM/TOTP/HOTP Options" \
|
|
--menu "Select An Option" 0 80 10 \
|
|
'g' ' Generate new TOTP/HOTP secret' \
|
|
'r' ' Reset the TPM' \
|
|
't' ' TOTP/HOTP does not match after refresh, troubleshoot' \
|
|
'm' ' <-- Return to main menu' \
|
|
2>/tmp/whiptail || recovery "GUI menu failed"
|
|
|
|
option=$(cat /tmp/whiptail)
|
|
case "$option" in
|
|
g )
|
|
generate_totp_hotp && reseal_tpm_disk_decryption_key
|
|
;;
|
|
r )
|
|
reset_tpm && reseal_tpm_disk_decryption_key
|
|
;;
|
|
t )
|
|
prompt_totp_mismatch
|
|
;;
|
|
m )
|
|
;;
|
|
esac
|
|
}
|
|
|
|
prompt_totp_mismatch()
|
|
{
|
|
TRACE_FUNC
|
|
if (whiptail_warning --title "TOTP/HOTP code mismatched" \
|
|
--yesno "TOTP/HOTP code mismatches could indicate TPM tampering or clock drift.\n\nThe current UTC time is: $(date "+%Y-%m-%d %H:%M:%S")\nIf this is incorrect, set the correct time and check TOTP/HOTP again.\n\nDo you want to change the time?" 0 80) then
|
|
change-time.sh
|
|
fi
|
|
}
|
|
|
|
reset_tpm()
|
|
{
|
|
TRACE_FUNC
|
|
if [ "$CONFIG_TPM" = "y" ]; then
|
|
if (whiptail_warning --title 'Reset the TPM' \
|
|
--yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 0 80) then
|
|
|
|
if ! prompt_new_owner_password; then
|
|
echo "Press Enter to return to the menu..."
|
|
read
|
|
echo
|
|
return 1
|
|
fi
|
|
|
|
tpmr reset "$tpm_owner_password"
|
|
|
|
# now that the TPM is reset, remove invalid TPM counter files
|
|
mount_boot
|
|
mount -o rw,remount /boot
|
|
warn "Removing rollback and primary handle hash under /boot"
|
|
rm -f /boot/kexec_rollback.txt
|
|
rm -f /boot/kexec_primhdl_hash.txt
|
|
|
|
# create Heads TPM counter before any others
|
|
check_tpm_counter /boot/kexec_rollback.txt "" "$tpm_owner_password" \
|
|
|| die "Unable to find/create tpm counter"
|
|
counter="$TPM_COUNTER"
|
|
|
|
increment_tpm_counter $counter \
|
|
|| die "Unable to increment tpm counter"
|
|
|
|
sha256sum /tmp/counter-$counter > /boot/kexec_rollback.txt \
|
|
|| die "Unable to create rollback file"
|
|
mount -o ro,remount /boot
|
|
|
|
generate_totp_hotp "$tpm_owner_password"
|
|
else
|
|
echo "Returning to the main menu"
|
|
fi
|
|
else
|
|
whiptail_error --title 'ERROR: No TPM Detected' --msgbox "This device does not have a TPM.\n\nPress OK to return to the Main Menu" 0 80
|
|
fi
|
|
}
|
|
|
|
select_os_boot_option()
|
|
{
|
|
TRACE_FUNC
|
|
mount_boot
|
|
if verify_global_hashes ; then
|
|
kexec-select-boot -m -b /boot -c "grub.cfg" -g
|
|
fi
|
|
}
|
|
|
|
attempt_default_boot()
|
|
{
|
|
TRACE_FUNC
|
|
mount_boot
|
|
|
|
if ! verify_global_hashes; then
|
|
return
|
|
fi
|
|
DEFAULT_FILE=`find /boot/kexec_default.*.txt 2>/dev/null | head -1`
|
|
if [ -r "$DEFAULT_FILE" ]; then
|
|
kexec-select-boot -b /boot -c "grub.cfg" -g \
|
|
|| recovery "Failed default boot"
|
|
elif (whiptail_warning --title 'No Default Boot Option Configured' \
|
|
--yesno "There is no default boot option configured yet.\nWould you like to load a menu of boot options?\nOtherwise you will return to the main menu." 0 80) then
|
|
kexec-select-boot -m -b /boot -c "grub.cfg" -g
|
|
fi
|
|
}
|
|
|
|
force_unsafe_boot()
|
|
{
|
|
TRACE_FUNC
|
|
if [ "$CONFIG_RESTRICTED_BOOT" = y ]; then
|
|
whiptail_error --title 'ERROR: Restricted Boot Enabled' --msgbox "Restricted Boot is Enabled, forced boot not allowed.\n\nPress OK to return to the Main Menu" 0 80
|
|
return
|
|
fi
|
|
# Run the menu selection in "force" mode, bypassing hash checks
|
|
if (whiptail_warning --title 'Unsafe Forced Boot Selected!' \
|
|
--yesno "WARNING: You have chosen to skip all tamper checks and boot anyway.\n\nThis is an unsafe option!\n\nDo you want to proceed?" 0 80) then
|
|
mount_boot && kexec-select-boot -m -b /boot -c "grub.cfg" -g -f
|
|
fi
|
|
}
|
|
|
|
# gui-init start
|
|
TRACE_FUNC
|
|
|
|
# Use stored HOTP key branding
|
|
if [ -r /boot/kexec_hotp_key ]; then
|
|
HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)"
|
|
else
|
|
HOTPKEY_BRANDING="HOTP USB Security Dongle"
|
|
fi
|
|
|
|
if [ -x /bin/hotp_verification ]; then
|
|
enable_usb
|
|
fi
|
|
|
|
if detect_boot_device ; then
|
|
# /boot device with installed OS found
|
|
clean_boot_check
|
|
else
|
|
# can't determine /boot device or no OS installed,
|
|
# so fall back to interactive selection
|
|
mount_boot
|
|
fi
|
|
|
|
# detect whether any GPG keys exist in the keyring, if not, initialize that first
|
|
check_gpg_key
|
|
# Even if GPG init fails, still try to update TOTP/HOTP so the main menu can
|
|
# show the correct status.
|
|
update_totp
|
|
update_hotp
|
|
|
|
if [ "$HOTP" = "Success" -a -n "$CONFIG_AUTO_BOOT_TIMEOUT" ]; then
|
|
prompt_auto_default_boot
|
|
fi
|
|
|
|
while true; do
|
|
TRACE_FUNC
|
|
skip_to_menu="false"
|
|
show_main_menu
|
|
done
|
|
|
|
recovery "Something failed during boot"
|