mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-23 14:52:27 +00:00
79da79a5e4
Restricted Boot mode only allows booting from signed files, whether that is signed kernels in /boot or signed ISOs on mounted USB disks. This disables booting from abitrary USB disks as well as the forced "unsafe" boot mode. This also disables the recovery console so you can't bypass this mode simply by running kexec manually. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
108 lines
2.5 KiB
Bash
Executable File
108 lines
2.5 KiB
Bash
Executable File
#!/bin/bash
|
|
# Scan for USB installation options
|
|
set -e -o pipefail
|
|
. /etc/functions
|
|
. /etc/gui_functions
|
|
. /tmp/config
|
|
|
|
TRACE "Under /bin/media-scan"
|
|
|
|
# Unmount any previous boot device
|
|
if grep -q /boot /proc/mounts ; then
|
|
umount /boot \
|
|
|| die "Unable to unmount /boot"
|
|
fi
|
|
|
|
available_partitions="$(blkid | while read line; do echo $line | awk -F ":" {'print $1'}; done )"
|
|
|
|
if [ "$1" == "usb" ]; then
|
|
# Mount the USB boot device
|
|
mount_usb || die "Unable to mount /media"
|
|
elif $(echo $available_partitions | grep -q "$1"); then
|
|
if grep -q /media /proc/mounts; then
|
|
umount /media \
|
|
|| die "Unable to unmount /media"
|
|
fi
|
|
mount "$1" /media \
|
|
|| die "Unable to mount $1 to /media"
|
|
fi
|
|
|
|
# Get USB boot device
|
|
USB_BOOT_DEV=$(grep "/media" /etc/mtab | cut -f 1 -d' ')
|
|
|
|
# Check for ISO first
|
|
get_menu_option() {
|
|
if [ -x /bin/whiptail ]; then
|
|
MENU_OPTIONS=""
|
|
n=0
|
|
while read option
|
|
do
|
|
n=`expr $n + 1`
|
|
option=$(echo $option | tr " " "_")
|
|
MENU_OPTIONS="$MENU_OPTIONS $n ${option}"
|
|
done < /tmp/iso_menu.txt
|
|
|
|
whiptail $BG_COLOR_MAIN_MENU --title "Select your ISO boot option" \
|
|
--menu "Choose the ISO boot option [1-$n, s for standard boot, a to abort]:" 0 80 8 \
|
|
-- $MENU_OPTIONS \
|
|
2>/tmp/whiptail || die "Aborting boot attempt"
|
|
|
|
option_index=$(cat /tmp/whiptail)
|
|
else
|
|
echo "+++ Select your ISO boot option:"
|
|
n=0
|
|
while read option
|
|
do
|
|
n=`expr $n + 1`
|
|
echo "$n. $option"
|
|
done < /tmp/iso_menu.txt
|
|
|
|
read \
|
|
-p "Choose the ISO boot option [1-$n, s for standard boot, a to abort]: " \
|
|
option_index
|
|
fi
|
|
|
|
if [ "$option_index" = "a" ]; then
|
|
die "Aborting boot attempt"
|
|
fi
|
|
|
|
if [ "$option_index" = "s" ]; then
|
|
option=""
|
|
return
|
|
fi
|
|
|
|
option=`head -n $option_index /tmp/iso_menu.txt | tail -1`
|
|
}
|
|
|
|
# create ISO menu options
|
|
ls -1r /media/*.iso 2>/dev/null > /tmp/iso_menu.txt || true
|
|
if [ `cat /tmp/iso_menu.txt | wc -l` -gt 0 ]; then
|
|
option_confirm=""
|
|
while [ -z "$option" -a "$option_index" != "s" ]
|
|
do
|
|
get_menu_option
|
|
done
|
|
|
|
if [ -n "$option" ]; then
|
|
MOUNTED_ISO=$option
|
|
ISO=${option:7} # remove /media/ to get device relative path
|
|
DO_WITH_DEBUG kexec-iso-init $MOUNTED_ISO $ISO $USB_BOOT_DEV
|
|
|
|
die "Something failed in iso init"
|
|
fi
|
|
fi
|
|
|
|
if [ "$CONFIG_RESTRICTED_BOOT" = y ]; then
|
|
die "ISO boot failed in Restricted Boot mode."
|
|
fi
|
|
|
|
echo "!!! Could not find any ISO, trying bootable USB"
|
|
# Attempt to pull verified config from device
|
|
if [ -x /bin/whiptail ]; then
|
|
DO_WITH_DEBUG kexec-select-boot -b /media -c "*.cfg" -u -g -s
|
|
else
|
|
DO_WITH_DEBUG kexec-select-boot -b /media -c "*.cfg" -u -s
|
|
fi
|
|
|
|
die "Something failed in selecting boot"
|