diff --git a/.circleci/config.yml b/.circleci/config.yml index c597797..1fbcccf 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -11,14 +11,29 @@ jobs: apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg iasl m4 nasm patch python wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev - checkout - - restore_cache: - key: heads-{{ .Environment.CIRCLE_USERNAME }}-{{ .Environment.CACHE_VERSION }} - - run: name: git reset command: | git reset --hard "$CIRCLE_SHA1" \ + - run: + name: Creating all modules and patches digest + command: | + find ./patches/ ./modules/ -type f | sort -h |xargs sha256sum > /tmp/all_modules_and_patches.sha256sums \ + + - run: + name: Creating musl-cross-make and musl-cross-make patches digest + command: | + find ./patches/musl-cross-* modules/musl-cross* -type f | sort -h | xargs sha256sum > /tmp/musl-cross_module_and_patches.sha256sums \ + + + - restore_cache: + keys: + #Restore existing cache for modules checksums validated to be exactly the same as in github current commit + - heads-modules-and-patches-{{ checksum "/tmp/all_modules_and_patches.sha256sums" }} + #If precedent fails. Restore cache for musl-cross module checksum validated to be exactly the same as in github current commit + - heads-cross-musl-{{ checksum "/tmp/musl-cross_module_and_patches.sha256sums" }} + # linuxboot steps need something to pass in the kernel header path # skipping for now # - run: @@ -46,8 +61,9 @@ jobs: - run: name: x230-flash + #We delete build/make-4.2.1/ directory until issue #799 is fixed. command: | - rm -rf build/x230-flash/* build/log/* && make --load 2 \ + rm -rf build/make-4.2.1/ build/x230-flash/* build/log/* && make --load 2 \ V=1 \ BOARD=x230-flash \ no_output_timeout: 3h 
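Review bot: The digest commands in the two new `run` steps (`find ./patches/ ./modules/ -type f | sort -h |xargs sha256sum > ...`) pass unquoted, newline-separated paths through `xargs`, and `sort` breaks ties using the current locale, so the cache key may differ between runners with different `LC_ALL` settings and breaks on any path containing whitespace. A NUL-delimited pipeline with a fixed locale gives a stable key: `find ./patches/ ./modules/ -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum > /tmp/all_modules_and_patches.sha256sums`. The musl-cross step needs the same treatment and additionally mixes `./patches/musl-cross-*` with `modules/musl-cross*` (no `./`); since the path prefix is part of the hashed text, keep both spellings consistent so the key is reproducible.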
@@ -137,7 +153,7 @@ jobs: - run: name: qemu-coreboot command: | - rm -rf build/make-4.2.1/ build/qemu-coreboot/* build/log/* && make --load 2 \ + rm -rf build/qemu-coreboot/* build/log/* && make --load 2 \ V=1 \ BOARD=qemu-coreboot \ no_output_timeout: 3h @@ -153,12 +169,19 @@ jobs: path: build/qemu-coreboot - save_cache: - key: heads-{{ .Environment.CIRCLE_USERNAME }}-{{ .Environment.CACHE_VERSION }} + #Generate cache for the same musl-cross module definition if hash is not previously existing + key: heads-cross-musl-{{ checksum "/tmp/musl-cross_module_and_patches.sha256sums" }} + paths: + - crossgcc + - build/musl-cross-* + + - save_cache: + #Generate cache for the exact same modules definitions if hash is not previously existing + key: heads-modules-and-patches-{{ checksum "/tmp/all_modules_and_patches.sha256sums" }} paths: - packages - crossgcc - build - workflows: version: 2 build_and_test: diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index beec06a..545d8b5 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -8,13 +8,13 @@ stages: build: stage: build - retry: 2 + retry: 1 cache: paths: - packages - crossgcc - build - key: "heads-$GITLAB_USER_LOGIN" + key: "heads-$GITLAB_USER_LOGIN-2" script: - dnf install -y @development-tools gcc-c++ gcc-gnat zlib-devel perl-Digest-MD5 perl-Digest-SHA uuid-devel pcsc-tools ncurses-devel lbzip2 libuuid-devel lzma elfutils-libelf-devel bc bzip2 bison flex git gnupg iasl m4 nasm patch python wget libusb-devel cmake automake pv bsdiff autoconf libtool cpio texinfo - git fetch origin @@ -75,6 +75,8 @@ build: - cat ./build/qemu-coreboot/hashes.txt - echo "Archiving qemu-coreboot logs..." - tar zcvf ./build/qemu-coreboot/logs.tar.gz ./build/log/* + - echo "Calculate used space for cache" + - du -shc packages crossgcc build artifacts: paths: - ./build/qemu-coreboot diff --git a/Makefile b/Makefile index a0bda55..084ad03 100644 --- a/Makefile +++ b/Makefile 
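Review bot: The new `heads-cross-musl` `save_cache` entry lists `build/musl-cross-*` under `paths:`; I do not believe CircleCI expands shell globs in `save_cache` paths, in which case this entry caches only `crossgcc` and the musl fallback restore is nearly empty — confirm against the CircleCI documentation or by checking the archive size printed in the job output. If globs are unsupported, resolve the concrete directory in a preceding `run` step and pass a literal path, or rely on the second entry that already caches `build`. The `#Generate cache ...` comment lines placed between `- save_cache:` and `key:` are valid YAML but read more naturally above the list item.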
@@ -428,7 +428,7 @@ bin_modules-$(CONFIG_FLASHTOOLS) += flashtools bin_modules-$(CONFIG_NEWT) += newt bin_modules-$(CONFIG_CAIRO) += cairo bin_modules-$(CONFIG_FBWHIPTAIL) += fbwhiptail -bin_modules-$(CONFIG_LIBREMKEY) += libremkey-hotp-verification +bin_modules-$(CONFIG_HOTPKEY) += hotp-verification bin_modules-$(CONFIG_MSRTOOLS) += msrtools $(foreach m, $(bin_modules-y), \ diff --git a/boards/librem13v2/librem13v2.config b/boards/librem13v2/librem13v2.config index 72d4554..46837ed 100644 --- a/boards/librem13v2/librem13v2.config +++ b/boards/librem13v2/librem13v2.config @@ -22,7 +22,7 @@ CONFIG_TPMTOTP=y #CONFIG_NEWT=y CONFIG_CAIRO=y CONFIG_FBWHIPTAIL=y -CONFIG_LIBREMKEY=y +CONFIG_HOTPKEY=y CONFIG_LINUX_USB=y diff --git a/boards/librem13v4/librem13v4.config b/boards/librem13v4/librem13v4.config index c9200f8..5c5de68 100644 --- a/boards/librem13v4/librem13v4.config +++ b/boards/librem13v4/librem13v4.config @@ -22,7 +22,7 @@ CONFIG_TPMTOTP=y #CONFIG_NEWT=y CONFIG_CAIRO=y CONFIG_FBWHIPTAIL=y -CONFIG_LIBREMKEY=y +CONFIG_HOTPKEY=y CONFIG_LINUX_USB=y diff --git a/boards/librem15v3/librem15v3.config b/boards/librem15v3/librem15v3.config index 609afc3..5177be0 100644 --- a/boards/librem15v3/librem15v3.config +++ b/boards/librem15v3/librem15v3.config @@ -24,7 +24,7 @@ CONFIG_TPMTOTP=y #CONFIG_NEWT=y CONFIG_CAIRO=y CONFIG_FBWHIPTAIL=y -CONFIG_LIBREMKEY=y +CONFIG_HOTPKEY=y CONFIG_LINUX_USB=y diff --git a/boards/librem15v4/librem15v4.config b/boards/librem15v4/librem15v4.config index c58e146..9adf6ef 100644 --- a/boards/librem15v4/librem15v4.config +++ b/boards/librem15v4/librem15v4.config @@ -24,7 +24,7 @@ CONFIG_TPMTOTP=y #CONFIG_NEWT=y CONFIG_CAIRO=y CONFIG_FBWHIPTAIL=y -CONFIG_LIBREMKEY=y +CONFIG_HOTPKEY=y CONFIG_LINUX_USB=y diff --git a/boards/qemu-coreboot-fbwhiptail/qemu-coreboot-fbwhiptail.config b/boards/qemu-coreboot-fbwhiptail/qemu-coreboot-fbwhiptail.config index 73ced6b..a08b9e1 100644 --- a/boards/qemu-coreboot-fbwhiptail/qemu-coreboot-fbwhiptail.config 
+++ b/boards/qemu-coreboot-fbwhiptail/qemu-coreboot-fbwhiptail.config @@ -2,7 +2,7 @@ # the qemu emulator in GUI mode thanks to FBWhiptail export CONFIG_COREBOOT=y -export CONFIG_COREBOOT_VERSION=4.8.1 +export CONFIG_COREBOOT_VERSION=4.12 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-fbwhiptail.config CONFIG_LINUX_CONFIG=config/linux-qemu.config diff --git a/boards/qemu-coreboot/qemu-coreboot.config b/boards/qemu-coreboot/qemu-coreboot.config index ce2a2fa..fe58b94 100644 --- a/boards/qemu-coreboot/qemu-coreboot.config +++ b/boards/qemu-coreboot/qemu-coreboot.config @@ -2,7 +2,7 @@ # the qemu emulator. Note that the TPM does not work, so this # will just drop into the recovery shell. export CONFIG_COREBOOT=y -export CONFIG_COREBOOT_VERSION=4.8.1 +export CONFIG_COREBOOT_VERSION=4.12 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu.config CONFIG_LINUX_CONFIG=config/linux-qemu.config diff --git a/boards/t430-flash/t430-flash.config b/boards/t430-flash/t430-flash.config index 626fde1..df69603 100644 --- a/boards/t430-flash/t430-flash.config +++ b/boards/t430-flash/t430-flash.config @@ -2,7 +2,7 @@ BOARD=t430.flash export CONFIG_COREBOOT=y -export CONFIG_COREBOOT_VERSION=4.8.1 +export CONFIG_COREBOOT_VERSION=4.12 CONFIG_FLASHROM=y CONFIG_FLASHTOOLS=y diff --git a/boards/t430/t430.config b/boards/t430/t430.config index 3eaaba7..d4d7834 100644 --- a/boards/t430/t430.config +++ b/boards/t430/t430.config @@ -1,6 +1,6 @@ # Configuration for a t430 running Qubes and other OSes export CONFIG_COREBOOT=y -export CONFIG_COREBOOT_VERSION=4.8.1 +export CONFIG_COREBOOT_VERSION=4.12 CONFIG_COREBOOT_CONFIG=config/coreboot-t430.config CONFIG_LINUX_CONFIG=config/linux-x230.config diff --git a/boards/x230-flash/x230-flash.config b/boards/x230-flash/x230-flash.config index c878012..6328b82 100644 --- a/boards/x230-flash/x230-flash.config +++ b/boards/x230-flash/x230-flash.config 
@@ -2,7 +2,7 @@ BOARD=x230.flash export CONFIG_COREBOOT=y -export CONFIG_COREBOOT_VERSION=4.8.1 +export CONFIG_COREBOOT_VERSION=4.12 CONFIG_FLASHROM=y #CONFIG_GPG=y diff --git a/boards/x230-hotp-verification/x230-hotp-verification.config b/boards/x230-hotp-verification/x230-hotp-verification.config index c5d83ee..aa41b31 100644 --- a/boards/x230-hotp-verification/x230-hotp-verification.config +++ b/boards/x230-hotp-verification/x230-hotp-verification.config @@ -1,7 +1,7 @@ # Configuration for a x230-hotp-verification (Nitrokey/Purism USB Security dongle enabled HOTP support) # running Qubes and other OSes export CONFIG_COREBOOT=y -export CONFIG_COREBOOT_VERSION=4.8.1 +export CONFIG_COREBOOT_VERSION=4.12 CONFIG_COREBOOT_CONFIG=config/coreboot-x230-hotp-verification.config CONFIG_LINUX_CONFIG=config/linux-x230.config @@ -24,7 +24,7 @@ CONFIG_DROPBEAR=y #CONFIG_NEWT=y CONFIG_CAIRO=y CONFIG_FBWHIPTAIL=y -CONFIG_LIBREMKEY=y +CONFIG_HOTPKEY=y CONFIG_LINUX_USB=y CONFIG_LINUX_E1000E=y diff --git a/boards/x230/x230.config b/boards/x230/x230.config index 8a04bc5..2b76220 100644 --- a/boards/x230/x230.config +++ b/boards/x230/x230.config @@ -1,6 +1,6 @@ # Configuration for a x230 running Qubes and other OSes export CONFIG_COREBOOT=y -export CONFIG_COREBOOT_VERSION=4.8.1 +export CONFIG_COREBOOT_VERSION=4.12 CONFIG_COREBOOT_CONFIG=config/coreboot-x230.config CONFIG_LINUX_CONFIG=config/linux-x230.config diff --git a/config/busybox.config b/config/busybox.config index e7ef9aa..23b895e 100644 --- a/config/busybox.config +++ b/config/busybox.config @@ -227,7 +227,7 @@ CONFIG_EXPR=y CONFIG_EXPR_MATH_SUPPORT_64=y CONFIG_FACTOR=y CONFIG_FALSE=y -# CONFIG_FOLD is not set +CONFIG_FOLD=y # CONFIG_FSYNC is not set CONFIG_HEAD=y CONFIG_FEATURE_FANCY_HEAD=y diff --git a/config/coreboot-x230.config b/config/coreboot-x230.config index cdab5d8..68ef480 100644 --- a/config/coreboot-x230.config +++ b/config/coreboot-x230.config 
@@ -5,7 +5,7 @@ CONFIG_ANY_TOOLCHAIN=y CONFIG_USE_BLOBS=y CONFIG_MEASURED_BOOT=y CONFIG_VENDOR_LENOVO=y -CONFIG_CBFS_SIZE=0x700000 +CONFIG_CBFS_SIZE=0x710000 # CONFIG_POST_IO is not set # CONFIG_POST_DEVICE is not set CONFIG_DRIVERS_UART_8250IO=y diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh index 74e8e7f..f1fce23 100755 --- a/initrd/bin/config-gui.sh +++ b/initrd/bin/config-gui.sh @@ -2,55 +2,9 @@ # set -e -o pipefail . /etc/functions +. /etc/gui_functions . /tmp/config -file_selector() { - FILE="" - FILE_LIST=$1 - MENU_MSG=${2:-"Choose the file"} - MENU_TITLE=${3:-"Select your File"} -# create file menu options - if [ `cat "$FILE_LIST" | wc -l` -gt 0 ]; then - option="" - while [ -z "$option" ] - do - MENU_OPTIONS="" - n=0 - while read option - do - n=`expr $n + 1` - option=$(echo $option | tr " " "_") - MENU_OPTIONS="$MENU_OPTIONS $n ${option}" - done < $FILE_LIST - - MENU_OPTIONS="$MENU_OPTIONS a Abort" - whiptail --clear --title "${MENU_TITLE}" \ - --menu "${MENU_MSG} [1-$n, a to abort]:" 20 120 8 \ - -- $MENU_OPTIONS \ - 2>/tmp/whiptail || die "Aborting" - - option_index=$(cat /tmp/whiptail) - - if [ "$option_index" = "a" ]; then - option="a" - return - fi - - option=`head -n $option_index $FILE_LIST | tail -1` - if [ "$option" == "a" ]; then - return - fi - done - if [ -n "$option" ]; then - FILE=$option - fi - else - whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: No Files Found' \ - --msgbox "No Files found matching the pattern. Aborting." 16 60 - exit 1 - fi -} - param=$1 while true; do @@ -82,7 +36,7 @@ while true; do > /tmp/boot_device_list.txt for i in `cat /tmp/disklist.txt`; do # remove block device from list if numeric partitions exist, since not bootable - let DEV_NUM_PARTITIONS=`ls -1 $i* | wc -l`-1 + DEV_NUM_PARTITIONS=$((`ls -1 $i* | wc -l`-1)) if [ ${DEV_NUM_PARTITIONS} -eq 0 ]; then echo $i >> /tmp/boot_device_list.txt else 
@@ -98,18 +52,21 @@ while true; do SELECTED_FILE=$FILE fi - replace_config /etc/config.user "CONFIG_BOOT_DEV" "$SELECTED_FILE" - combine_configs - + # unmount /boot if needed + if grep -q /boot /proc/mounts ; then + umount /boot 2>/dev/null + fi # mount newly selected /boot device - if ! ( umount /boot 2>/tmp/error && \ - mount -o ro $SELECTED_FILE /boot 2>/tmp/error ); then + if ! mount -o ro $SELECTED_FILE /boot 2>/tmp/error ; then ERROR=`cat /tmp/error` whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: unable to mount /boot' \ - --msgbox "Unable to un/re-mount /boot:\n\n$ERROR" 16 60 + --msgbox " $ERROR\n\n" 16 60 exit 1 fi + replace_config /etc/config.user "CONFIG_BOOT_DEV" "$SELECTED_FILE" + combine_configs + whiptail --title 'Config change successful' \ --msgbox "The /boot device was successfully changed to $SELECTED_FILE" 16 60 ;; diff --git a/initrd/bin/flash-gui.sh b/initrd/bin/flash-gui.sh index c8cbd36..6e2a084 100755 --- a/initrd/bin/flash-gui.sh +++ b/initrd/bin/flash-gui.sh 
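Review bot: The new guard `if grep -q /boot /proc/mounts ; then` matches `/boot` as a substring anywhere in the mounts table, so an unrelated entry such as a mountpoint `/media/boot` or a device path containing `boot` also triggers `umount /boot`, whose failure (stderr discarded) is then ignored before the `mount` that follows. Anchor the pattern to the mountpoint field, `if grep -q " /boot " /proc/mounts ; then`, and keep the unmount's stderr in `/tmp/error` so a busy `/boot` is explained by the dialog instead of surfacing as a mount failure. Moving `replace_config`/`combine_configs` after a successful mount is the right order; the hunk sits inside the `while true` loop, whose start and end are outside it.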
@@ -2,70 +2,9 @@ # set -e -o pipefail . /etc/functions +. /etc/gui_functions . /tmp/config -mount_usb(){ -# Mount the USB boot device - if ! grep -q /media /proc/mounts ; then - mount-usb && USB_FAILED=0 || USB_FAILED=1 - if [ $USB_FAILED -ne 0 ]; then - whiptail --title 'USB Drive Missing' \ - --msgbox "Insert your USB drive and press Enter to continue." 16 60 - mount-usb && USB_FAILED=0 || USB_FAILED=1 - if [ $USB_FAILED -ne 0 ]; then - whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Mounting /media Failed' \ - --msgbox "Unable to mount USB device" 16 60 - fi - fi - fi -} - -file_selector() { - FILE="" - FILE_LIST=$1 - MENU_MSG=${2:-"Choose the file"} -# create file menu options - if [ `cat "$FILE_LIST" | wc -l` -gt 0 ]; then - option="" - while [ -z "$option" ] - do - MENU_OPTIONS="" - n=0 - while read option - do - n=`expr $n + 1` - option=$(echo $option | tr " " "_") - MENU_OPTIONS="$MENU_OPTIONS $n ${option}" - done < $FILE_LIST - - MENU_OPTIONS="$MENU_OPTIONS a Abort" - whiptail --clear --title "Select your File" \ - --menu "${MENU_MSG} [1-$n, a to abort]:" 20 120 8 \ - -- $MENU_OPTIONS \ - 2>/tmp/whiptail || die "Aborting" - - option_index=$(cat /tmp/whiptail) - - if [ "$option_index" = "a" ]; then - option="a" - return - fi - - option=`head -n $option_index $FILE_LIST | tail -1` - if [ "$option" == "a" ]; then - return - fi - done - if [ -n "$option" ]; then - FILE=$option - fi - else - whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: No Files Found' \ - --msgbox "No Files found matching the pattern. Aborting." 16 60 - exit 1 - fi -} - while true; do unset menu_choice whiptail --clear --title "Firmware Management Menu" \ 
@@ -83,7 +22,7 @@ while true; do ;; f|c ) if (whiptail --title 'Flash the BIOS with a new ROM' \ - --yesno "This requires you insert a USB drive containing:\n* Your BIOS image (*.rom)\n\nAfter you select this file, this program will reflash your BIOS\n\nDo you want to proceed?" 16 90) then + --yesno "You will need to insert a USB drive containing your BIOS image (*.rom).\n\nAfter you select this file, this program will reflash your BIOS.\n\nDo you want to proceed?" 16 90) then mount_usb if grep -q /media /proc/mounts ; then find /media ! -path '*/\.*' -type f -name '*.rom' | sort > /tmp/filelist.txt @@ -95,7 +34,7 @@ while true; do fi if (whiptail --title 'Flash ROM?' \ - --yesno "This will replace your old ROM with $ROM\n\nDo you want to proceed?" 16 90) then + --yesno "This will replace your current ROM with:\n\n$ROM\n\nDo you want to proceed?" 16 60) then if [ "$menu_choice" == "c" ]; then /bin/flash.sh -c "$ROM" # after flash, /boot signatures are now invalid so go ahead and clear them @@ -110,7 +49,7 @@ while true; do /bin/flash.sh "$ROM" fi whiptail --title 'ROM Flashed Successfully' \ - --msgbox "$ROM flashed successfully.\nPress Enter to reboot" 16 60 + --msgbox "$ROM flashed successfully.\n\nPress Enter to reboot\n" 16 60 umount /media /bin/reboot else diff --git a/initrd/bin/gpg-gui.sh b/initrd/bin/gpg-gui.sh index 132cf6b..cb63a66 100755 --- a/initrd/bin/gpg-gui.sh +++ b/initrd/bin/gpg-gui.sh 
@@ -2,69 +2,9 @@ # set -e -o pipefail . /etc/functions +. /etc/gui_functions . /tmp/config -mount_usb(){ -# Mount the USB boot device - if ! grep -q /media /proc/mounts ; then - mount-usb && USB_FAILED=0 || USB_FAILED=1 - if [ $USB_FAILED -ne 0 ]; then - whiptail --title 'USB Drive Missing' \ - --msgbox "Insert your USB drive and press Enter to continue." 16 60 - mount-usb && USB_FAILED=0 || USB_FAILED=1 - if [ $USB_FAILED -ne 0 ]; then - whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Mounting /media Failed' \ - --msgbox "Unable to mount USB device" 16 60 - fi - fi - fi -} - -file_selector() { - FILE="" - FILE_LIST=$1 - MENU_MSG=${2:-"Choose the file"} -# create file menu options - if [ `cat "$FILE_LIST" | wc -l` -gt 0 ]; then - option="" - while [ -z "$option" ] - do - MENU_OPTIONS="" - n=0 - while read option - do - n=`expr $n + 1` - option=$(echo $option | tr " " "_") - MENU_OPTIONS="$MENU_OPTIONS $n ${option}" - done < $FILE_LIST - - MENU_OPTIONS="$MENU_OPTIONS a Abort" - whiptail --clear --title "Select your File" \ - --menu "${MENU_MSG} [1-$n, a to abort]:" 20 120 8 \ - -- $MENU_OPTIONS \ - 2>/tmp/whiptail || die "Aborting" - - option_index=$(cat /tmp/whiptail) - - if [ "$option_index" = "a" ]; then - option="a" - return - fi - - option=`head -n $option_index $FILE_LIST | tail -1` - if [ "$option" == "a" ]; then - return - fi - done - if [ -n "$option" ]; then - FILE=$option - fi - else - whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: No Files Found' \ - --msgbox "No Files found matching the pattern. Aborting." 16 60 - exit 1 - fi -} gpg_flash_rom() { if [ "$1" = "replace" ]; then diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index a3bf444..5cbca8c 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init 
@@ -42,12 +42,12 @@ verify_global_hashes() TMP_PACKAGE_TRIGGER_PRE="/tmp/kexec/kexec_package_trigger_pre.txt" TMP_PACKAGE_TRIGGER_POST="/tmp/kexec/kexec_package_trigger_post.txt" - if cd /boot && sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output ; then + if ( cd /boot && sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output ) then return 0 elif [ ! -f $TMP_HASH_FILE ]; then if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Missing Hash File!' \ --yesno "The file containing hashes for /boot is missing!\n\nIf you are setting this system up for the first time, select Yes to update\nyour list of checksums.\n\nOtherwise this could indicate a compromise and you should select No to\nreturn to the main menu.\n\nWould you like to update your checksums now?" 30 90) then - prompt_update_checksums + update_checksums fi return 1 else @@ -70,11 +70,11 @@ verify_global_hashes() fi else - TEXT="The following files failed the verification process:\n${CHANGED_FILES}\n\nThis could indicate a compromise!\n\nWould you like to update your checksums now?" + TEXT="The following files failed the verification process:\n\n${CHANGED_FILES}\n\nThis could indicate a compromise!\n\nWould you like to update your checksums now?" fi if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Boot Hash Mismatch' --yesno "$TEXT" 30 90) then - prompt_update_checksums + update_checksums fi return 1 fi 
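Review bot: Replacing `prompt_update_checksums` with `update_checksums` in both branches removes the second confirmation, so the 'ERROR: Missing Hash File!' and 'ERROR: Boot Hash Mismatch' `--yesno` texts are now the only place the user is told what happens next, and neither mentions that the action signs every file in /boot with the GPG key and writes to the disk, which the removed prompt did. Append that consequence to both strings, e.g. `\n\nThis will sign all files in /boot with your GPG key and modify your disk.` before the closing question. The `( cd /boot && sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output )` subshell correctly stops the `cd` from leaking into the caller. `verify_global_hashes` starts before the hunk.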
@@ -82,7 +82,7 @@ verify_global_hashes() prompt_update_checksums() { if (whiptail --title 'Update Checksums and sign all files in /boot' \ - --yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that the files in /boot have not been tampered with.\n\nYou will need your GPG key to continue and this change will modify your disk.\n\nDo you want to continue?" 16 90) then + --yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that these files have not been tampered with.\n\nYou will need your GPG key available, and this change will modify your disk.\n\nDo you want to continue?" 16 90) then update_checksums else echo "Returning to the main menu" @@ -92,10 +92,10 @@ update_totp() { echo "Scan the QR code to add the new TOTP secret" /bin/seal-totp - if [ -x /bin/libremkey_hotp_verification ]; then - echo "Once you have scanned the QR code, hit Enter to configure your Librem Key" + if [ -x /bin/hotp_verification ]; then + echo "Once you have scanned the QR code, hit Enter to configure your HOTP USB Security Dongle (e.g. Librem Key or Nitrokey)" read - /bin/seal-libremkey + /bin/seal-hotpkey else echo "Once you have scanned the QR code, hit Enter to continue" read @@ -118,7 +118,7 @@ clean_boot_check() [ $GPG_KEY_COUNT -ne 0 ] && return # check for USB security token - if [ "$CONFIG_LIBREMKEY" = "y" ]; then + if [ "$CONFIG_HOTPKEY" = "y" ]; then enable_usb if ! gpg --card-status > /dev/null ; then return @@ -140,6 +140,13 @@ else mount_boot fi +# Use stored HOTP key branding +if [ -r /boot/kexec_hotp_key ]; then + HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)" +else + HOTPKEY_BRANDING="HOTP USB Security Dongle" +fi + last_half=X while true; do MAIN_MENU_OPTIONS="" 
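Review bot: `HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)"` takes arbitrary text from the boot partition and later interpolates it into dialog titles and messages; this block appears to run at startup, before `verify_global_hashes` is reached in the main loop, so at that point the file is unverified disk content. The writer (`seal-hotpkey`) only ever stores one of three fixed strings, so restrict the reader to that set: `case "$HOTPKEY_BRANDING" in Nitrokey|"Librem Key"|"HOTP USB Security Dongle") ;; *) HOTPKEY_BRANDING="HOTP USB Security Dongle" ;; esac`. The same read block is duplicated verbatim in `seal-hotpkey` (hunk `@@ -16,6 +17,13 @@`); a shared helper in /etc/functions would keep both readers in sync. Whether `/boot/kexec_hotp_key` is covered by the signed hash list is not visible in this diff — confirm.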
@@ -188,14 +195,16 @@ while true; do fi if [ "$totp_confirm" = "i" -o -z "$totp_confirm" ]; then - if [ -x /bin/libremkey_hotp_verification ]; then + if [ -x /bin/hotp_verification ]; then HOTP=`unseal-hotp` enable_usb - if ! libremkey_hotp_verification info ; then - whiptail $CONFIG_WARNING_BG_COLOR --clear --title 'WARNING: Please Insert Your Librem Key' --msgbox "Your Librem Key was not detected.\n\nPlease insert your Librem Key" 30 90 + if ! hotp_verification info ; then + whiptail $CONFIG_WARNING_BG_COLOR --clear \ + --title "WARNING: Please Insert Your $HOTPKEY_BRANDING" \ + --msgbox "Your $HOTPKEY_BRANDING was not detected.\n\nPlease insert your $HOTPKEY_BRANDING" 30 90 fi # Don't output HOTP codes to screen, so as to make replay attacks harder - libremkey_hotp_verification check $HOTP + hotp_verification check $HOTP case "$?" in 0 ) HOTP="Success" @@ -205,7 +214,7 @@ while true; do MAIN_MENU_BG_COLOR=$CONFIG_ERROR_BG_COLOR ;; * ) - HOTP="Error checking code, Insert Librem Key and retry" + HOTP="Error checking code, Insert $HOTPKEY_BRANDING and retry" MAIN_MENU_BG_COLOR=$CONFIG_WARNING_BG_COLOR ;; esac 
@@ -304,30 +313,34 @@ while true; do fi if [ "$totp_confirm" = "p" ]; then - if (whiptail --title 'Reset the TPM' \ - --yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 16 90) then - /bin/tpm-reset + if [ "$CONFIG_TPM" = "y" ]; then + if (whiptail --title 'Reset the TPM' \ + --yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 16 90) then + /bin/tpm-reset - # now that the TPM is reset, remove invalid TPM counter files - mount_boot - mount -o rw,remount /boot - rm -f /boot/kexec_rollback.txt + # now that the TPM is reset, remove invalid TPM counter files + mount_boot + mount -o rw,remount /boot + rm -f /boot/kexec_rollback.txt - # create Heads TPM counter before any others - check_tpm_counter /boot/kexec_rollback.txt \ - || die "Unable to find/create tpm counter" - counter="$TPM_COUNTER" + # create Heads TPM counter before any others + check_tpm_counter /boot/kexec_rollback.txt \ + || die "Unable to find/create tpm counter" + counter="$TPM_COUNTER" - increment_tpm_counter $counter \ - || die "Unable to increment tpm counter" + increment_tpm_counter $counter \ + || die "Unable to increment tpm counter" - sha256sum /tmp/counter-$counter > /boot/kexec_rollback.txt \ - || die "Unable to create rollback file" - mount -o ro,remount /boot + sha256sum /tmp/counter-$counter > /boot/kexec_rollback.txt \ + || die "Unable to create rollback file" + mount -o ro,remount /boot - update_totp + update_totp + else + echo "Returning to the main menu" + fi else - echo "Returning to the main menu" + whiptail --clear --title 'ERROR: No TPM Detected' --msgbox "This device does not have a TPM.\n\nPress OK to return to the Main Menu" 30 90 fi continue fi diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key index 46980af..7000070 100755 --- a/initrd/bin/kexec-seal-key +++ b/initrd/bin/kexec-seal-key 
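Review bot: The new 'ERROR: No TPM Detected' `--msgbox` omits `$CONFIG_ERROR_BG_COLOR`, while every other error dialog in this file (the 'ERROR: Missing Hash File!' and 'ERROR: Boot Hash Mismatch' boxes, for instance) passes it immediately after `whiptail`. Use `whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: No TPM Detected' --msgbox "This device does not have a TPM.\n\nPress OK to return to the Main Menu" 30 90` for consistent presentation. Gating the whole reset sequence on `CONFIG_TPM` is sound; the enclosing `while true` loop starts and ends outside the hunk.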
@@ -84,9 +84,9 @@ cat "$KEY_DEVICES" | cut -d\ -f1 | xargs /bin/qubes-measure-luks \ || die "Unable to measure the LUKS headers" luks_pcr=`tpm calcfuturepcr -ix 16 -if /tmp/luksDump.txt` -# Librem Key loads USB modules which changes PCR5. -# In the event Librem Key is enabled, skip verification of PCR5 -if [ -x /bin/libremkey_hotp_verification ]; then +# HOTP USB Secrity Dongle loads USB modules which changes PCR5. +# In the event HOTP USB Security Dongle is enabled, skip verification of PCR5 +if [ -x /bin/hotp_verification ]; then pcr_5="X" else pcr_5="0000000000000000000000000000000000000000" diff --git a/initrd/bin/kexec-select-boot b/initrd/bin/kexec-select-boot index 793d6a7..ef155be 100755 --- a/initrd/bin/kexec-select-boot +++ b/initrd/bin/kexec-select-boot @@ -173,7 +173,7 @@ scan_options() { kexec-parse-bls "$bootdir" "$i" "$bootdir/loader/entries" >> $option_file done fi - if [ ! -r $option_file ]; then + if [ ! -s $option_file ]; then die "Failed to parse any boot options" fi if [ "$unique" = 'y' ]; then diff --git a/initrd/bin/mount-usb b/initrd/bin/mount-usb index fcf4264..501171a 100755 --- a/initrd/bin/mount-usb +++ b/initrd/bin/mount-usb @@ -102,7 +102,7 @@ if [ -z ${USB_MOUNT_DEVICE} ]; then fi if [ "$option_index" = "a" ]; then - exit 1 + exit 5 fi USB_MOUNT_DEVICE=`head -n $option_index /tmp/usb_disk_list | tail -1 | sed 's/\ .*$//'` fi diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index f0707a0..17b3dce 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -24,6 +24,7 @@ GPG_USER_NAME="OEM Key" GPG_KEY_NAME=`date +%Y%m%d%H%M%S` GPG_USER_MAIL="oem-${GPG_KEY_NAME}@example.com" GPG_USER_COMMENT="OEM-generated key" + ## External files sourced . /etc/functions 
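Review bot: The new comment line `# HOTP USB Secrity Dongle loads USB modules which changes PCR5.` misspells "Security", and it would be more useful if it named the consequence the code below implements: `# HOTP USB Security Dongle support loads USB modules, which changes PCR5; when /bin/hotp_verification is present, pcr_5 is set to "X" instead of the expected value so PCR5 is not verified.` That trade-off (a weaker seal whenever the HOTP binary is built in) is pre-existing and unchanged by the rename, but the comment is the only place a reader learns of it.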
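Review bot: The change from `exit 1` to `exit 5` on the abort path of `mount-usb` introduces a distinct exit status without documenting it, and the only callers visible in this diff (the removed `mount_usb` copies, `mount-usb && USB_FAILED=0 || USB_FAILED=1`) treat every non-zero status alike. Add a comment above the branch, `# exit 5: user aborted device selection (distinct from mount failures)`, so the value is not changed by accident later. Presumably the new /etc/gui_functions distinguishes 5 — that file is not in this diff; confirm.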
@@ -70,6 +71,10 @@ gpg_key_reset() ERROR=`cat /tmp/gpg_card_edit_output` whiptail_error_die "GPG Key factory reset failed!\n\n$ERROR" fi + # If Nitrokey Storage is inserted, reset AES keys as well + if lsusb | grep -q "20a0:4109" && [ -x /bin/hotp_verification ] ; then + /bin/hotp_verification regenerate ${ADMIN_PIN_DEF} + fi # Generate OEM GPG keys { echo admin @@ -109,7 +114,7 @@ gpg_key_change_pin() } | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \ > /tmp/gpg_card_edit_output 2>/dev/null if [ $? -ne 0 ]; then - ERROR=`cat /tmp/gpg_card_edit_output` + ERROR=`cat /tmp/gpg_card_edit_output | fold -s` whiptail_error_die "GPG Key PIN change failed!\n\n$ERROR" fi } @@ -184,7 +189,7 @@ generate_checksums() mount -o ro,remount /boot if [ $ret = 1 ] ; then - ERROR=$(tail -n 1 /tmp/error) + ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Error signing kexec boot files:\n\n$ERROR" fi } @@ -201,7 +206,15 @@ set_default_boot_option() for i in `find /boot -name "grub.cfg"`; do kexec-parse-boot "/boot" "$i" >> $option_file done - [ ! -r $option_file ] \ + # FC29/30+ may use BLS format grub config files + # https://fedoraproject.org/wiki/Changes/BootLoaderSpecByDefault + # only parse these if $option_file is still empty + if [ ! -s $option_file ] && [ -d "/boot/loader/entries" ]; then + for i in `find /boot -name "grub.cfg"`; do + kexec-parse-bls "/boot" "$i" "/boot/loader/entries" >> $option_file + done + fi + [ ! -s $option_file ] \ && whiptail_error_die "Failed to parse any boot options" # sort boot options 
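Review bot: The new Nitrokey Storage branch runs `/bin/hotp_verification regenerate ${ADMIN_PIN_DEF}` without checking its result, whereas the surrounding `gpg_key_reset` fails with `whiptail_error_die` on every other error; a failed AES-key regeneration would go unnoticed, and the PIN is passed unquoted. Quote it and fail loudly: `/bin/hotp_verification regenerate "${ADMIN_PIN_DEF}" >/dev/null 2>/tmp/error || whiptail_error_die "Nitrokey Storage AES key regeneration failed!\n\n$(tail -n 1 /tmp/error | fold -s)"`. Passing the Admin PIN as a command-line argument makes it visible in the process list; that matches how `hotp_initialize` is already invoked in `seal-hotpkey`, so it is not a regression, but a stdin-based option would be preferable if the tool offers one (not visible here). `gpg_key_reset` starts before the hunk.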
@@ -213,12 +226,15 @@ set_default_boot_option() # clear existing default configs rm "/boot/kexec_default.*.txt" 2>/dev/null + # get correct index for entry + index=$(grep -n "$entry" $option_file | cut -f1 -d ':') + # write new config - echo "$entry" > /boot/kexec_default.1.txt + echo "$entry" > /boot/kexec_default.$index.txt # validate boot option - cd /boot && /bin/kexec-boot -b "/boot" -e "$entry" -f \ - | xargs sha256sum > $hash_file 2>/dev/null \ + ( cd /boot && /bin/kexec-boot -b "/boot" -e "$entry" -f \ + | xargs sha256sum > $hash_file 2>/dev/null ) \ || whiptail_error_die "Failed to create hashes of boot files" } 
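Review bot: `index=$(grep -n "$entry" $option_file | cut -f1 -d ':')` treats `$entry` as a basic regular expression and can match more than one line, so `index` may hold several newline-separated numbers and the following `echo "$entry" > /boot/kexec_default.$index.txt` then writes a filename containing a newline (or, if the entry contains metacharacters such as `+` or `[`, the wrong line is matched). Assuming `$entry` is a line copied from `$option_file`, use a fixed-string whole-line match and keep the first hit: `index=$(grep -n -F -x -- "$entry" "$option_file" | head -n 1 | cut -f1 -d ':')`. The unchanged `rm "/boot/kexec_default.*.txt"` just above quotes the glob and so removes nothing; with an index-based filename, stale defaults now accumulate, so it is worth fixing in the same pass. `set_default_boot_option` starts before the hunk.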
@@ -313,24 +329,39 @@ fi ## sanity check the USB, GPG key, and boot device before proceeding further -# mount USB, then remount rw -echo -e "\nChecking for USB media...\n" -# ensure /media not mounted -umount /media 2>/dev/null -# mount-usb will detect and prompt if no USB inserted -if ! mount-usb rw 2>/tmp/error; then - ERROR=$(tail -n 1 /tmp/error) - whiptail_error_die "Unable to mount USB on /media:\n\n${ERROR}" +# Prompt to insert USB drive if desired +echo -e -n "Would you like to export your public key to an USB drive? [y/N]: " +read -n 1 prompt_output +echo +if [ "$prompt_output" == "y" \ + -o "$prompt_output" == "Y" ] \ +; then + GPG_EXPORT=1 + # mount USB, then remount rw + echo -e "\nPlease insert an USB drive and hit enter.\n" + read + echo -e "\nChecking for USB media...\n" + # ensure /media not mounted + umount /media 2>/dev/null + # mount-usb will detect and prompt if no USB inserted + if ! mount-usb rw 2>/tmp/error; then + ERROR=$(tail -n 1 /tmp/error | fold -s) + whiptail_error_die "Unable to mount USB on /media:\n\n${ERROR}" + fi +else + GPG_EXPORT=0 + # needed for USB Security dongle below and is ensured via mount-usb in case of GPG_EXPORT=1 + enable_usb fi -# ensure GPG key connected -echo -e "\nChecking for GPG Key...\n" +# ensure USB Security Dongle connected +echo -e "\nChecking for USB Security Dongle...\n" # USB kernel modules already loaded via mount-usb if ! gpg --card-status >/dev/null 2>&1 ; then - whiptail_error "Can't access GPG Key; remove and reinsert, then press Enter to retry." + whiptail_error "Can't access USB Security Dongle; \nPlease remove and reinsert, then press Enter." if ! gpg --card-status >/dev/null 2>/tmp/error ; then - ERROR=$(tail -n 1 /tmp/error) - whiptail_error_die "Unable to detect GPG Key:\n\n${ERROR}" + ERROR=$(tail -n 1 /tmp/error | fold -s) + whiptail_error_die "Unable to detect USB Security Dongle:\n\n${ERROR}" fi fi 
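Review bot: The unchanged comment `# USB kernel modules already loaded via mount-usb` is now only true on the export path; on the `N` path the new `enable_usb` call is what loads them, so update it to `# USB kernel modules loaded above via mount-usb (export) or enable_usb (no export)`. `read -n 1 prompt_output` relies on a shell extension; the shebang is outside the hunk, so if this runs under a plain POSIX `sh` that lacks `-n`, a plain `read prompt_output` with the same `y|Y` test is the portable form. Making the USB export opt-in while still requiring the security dongle is consistent with the rest of the flow.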
@@ -354,7 +385,7 @@ if [ "$CONFIG_TPM" = "y" ]; then echo $TPM_PASS_DEF } | /bin/tpm-reset >/dev/null 2>/tmp/error if [ $? -ne 0 ]; then - ERROR=$(tail -n 1 /tmp/error) + ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Error resetting TPM:\n\n${ERROR}" fi fi 
@@ -381,42 +412,45 @@ if [ "$CUSTOM_PASS" != "" ]; then ADMIN_PIN_DEF=$CUSTOM_PASS fi -## export generated key to USB -echo -e "\nExporting generated key to USB...\n" # export pubkey to file if ! gpg --export --armor $GPG_GEN_KEY > "${PUBKEY}" 2>/tmp/error ; then - ERROR=$(tail -n 1 /tmp/error) + ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "GPG Key gpg export to file failed!\n\n$ERROR" fi -# copy to USB -if ! cp "${PUBKEY}" "/media/${GPG_GEN_KEY}.asc" 2>/tmp/error ; then - ERROR=$(tail -n 1 /tmp/error) - whiptail_error_die "Key export error: unable to copy ${GPG_GEN_KEY}.asc to /media:\n\n$ERROR" + +## export pubkey to USB +if [ $GPG_EXPORT -ne 0 ]; then + echo -e "\nExporting generated key to USB...\n" + # copy to USB + if ! cp "${PUBKEY}" "/media/${GPG_GEN_KEY}.asc" 2>/tmp/error ; then + ERROR=$(tail -n 1 /tmp/error | fold -s) + whiptail_error_die "Key export error: unable to copy ${GPG_GEN_KEY}.asc to /media:\n\n$ERROR" + fi + umount /media 2>/dev/null fi -umount /media 2>/dev/null ## flash generated key to ROM echo -e "\nReading current firmware...\n(this will take a minute or two)\n" /bin/flash.sh -r /tmp/oem-setup.rom >/dev/null 2>/tmp/error if [ ! -s /tmp/oem-setup.rom ]; then - ERROR=$(tail -n 1 /tmp/error) + ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Error reading current firmware:\n\n$ERROR" fi # ensure key imported locally if ! cat "$PUBKEY" | gpg --import >/dev/null 2>/tmp/error ; then - ERROR=$(tail -n 1 /tmp/error) + ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Error importing GPG key:\n\n$ERROR" fi # update /.gnupg/trustdb.gpg to ultimately trust all user provided public keys if ! gpg --list-keys --fingerprint --with-colons 2>/dev/null \ | sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' \ | gpg --import-ownertrust >/dev/null 2>/tmp/error ; then - ERROR=$(tail -n 1 /tmp/error) + ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Error importing GPG ownertrust:\n\n$ERROR" fi if ! 
gpg --update-trust >/dev/null 2>/tmp/error ; then - ERROR=$(tail -n 1 /tmp/error) + ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Error updating GPG ownertrust:\n\n$ERROR" fi # clear any existing heads/gpg files from current firmware @@ -442,7 +476,7 @@ fi # flash updated firmware image echo -e "\nAdding generated key to current firmware and re-flashing...\n" if ! /bin/flash.sh /tmp/oem-setup.rom >/dev/null 2>/tmp/error ; then - ERROR=$(tail -n 1 /tmp/error) + ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Error flashing updated firmware image:\n\n$ERROR" fi diff --git a/initrd/bin/seal-libremkey b/initrd/bin/seal-hotpkey similarity index 64% rename from initrd/bin/seal-libremkey rename to initrd/bin/seal-hotpkey index c1dab8e..70b0e93 100755 --- a/initrd/bin/seal-libremkey +++ b/initrd/bin/seal-hotpkey @@ -1,11 +1,12 @@ #!/bin/sh -# Retrieve the sealed TOTP secret and initialize a Librem Key with it +# Retrieve the sealed TOTP secret and initialize a USB Security dongle with it . /etc/functions HOTP_SEALED="/tmp/secret/hotp.sealed" HOTP_SECRET="/tmp/secret/hotp.key" HOTP_COUNTER="/boot/kexec_hotp_counter" +HOTP_KEY="/boot/kexec_hotp_key" mount_boot() { @@ -16,6 +17,13 @@ mount_boot() fi } +# Use stored HOTP key branding (this might be useful after OEM reset) +if [ -r /boot/kexec_hotp_key ]; then + HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)" +else + HOTPKEY_BRANDING="HOTP USB Security Dongle" +fi + tpm nv_readvalue \ -in 4d47 \ -sz 312 \ 
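Review bot: `HOTP_KEY="/boot/kexec_hotp_key"` is added in the first `seal-hotpkey` hunk, yet the new branding block in the second hunk reads the literal path twice (`if [ -r /boot/kexec_hotp_key ]` and `$(cat /boot/kexec_hotp_key)`); use `"$HOTP_KEY"` in both places so the path is defined once. The comment `# Use stored HOTP key branding (this might be useful after OEM reset)` would read better as `# Use stored HOTP key branding as the default prompt wording (e.g. after an OEM reset); the value is re-detected from the attached device below`, since the detected value overrides it later in the script.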
@@ -49,26 +57,35 @@ mount_boot counter_value=1 enable_usb -if ! libremkey_hotp_verification info ; then - echo "Insert your Librem Key and press Enter to configure it" +if ! hotp_verification info ; then + echo "Insert your $HOTPKEY_BRANDING and press Enter to configure it" read - if ! libremkey_hotp_verification info ; then + if ! hotp_verification info ; then # don't leak key on failure shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null - die "Unable to find Librem Key" + die "Unable to find $HOTPKEY_BRANDING" fi fi +# Set HOTP USB Security Dongle branding based on VID +if lsusb | grep -q "20a0:" ; then + HOTPKEY_BRANDING="Nitrokey" +elif lsusb | grep -q "316d:" ; then + HOTPKEY_BRANDING="Librem Key" +else + HOTPKEY_BRANDING="HOTP USB Security Dongle" +fi + echo -e "" -read -s -p "Enter your Librem Key Admin PIN: " admin_pin +read -s -p "Enter your $HOTPKEY_BRANDING Admin PIN: " admin_pin echo -e "\n" -libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value +hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" if [ $? -ne 0 ]; then echo -e "\n" read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again: " admin_pin echo -e "\n" - if ! libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value ; then + if ! hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" ; then # don't leak key on failure shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null die "Setting HOTP secret failed" 
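Review bot: The branding probe `if lsusb | grep -q "20a0:" ; then` runs after `hotp_verification info` has already found the dongle, but it labels the device from any attached USB device with that vendor id rather than from the one that answered; with a Nitrokey and a Librem Key both plugged in the label is always "Nitrokey", and an unrelated device sharing a vendor id gets the same label. Since the branding only feeds prompts and the stored key file, the consequence is a misleading message rather than a wrong secret, but the heuristic should be stated and the match anchored to the id column, e.g. `grep -q "ID 20a0:"`. A comment above the block such as `# Best effort: branding is derived from the first matching vendor id, not from the device hotp_verification talked to` would record the limitation. The enclosing script continues outside the hunk.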
@@ -90,11 +107,15 @@ counter_value=`expr $counter_value + 1` echo $counter_value > $HOTP_COUNTER \ || die "Unable to create hotp counter file" +# Store/overwrite HOTP USB Security Dongle branding found out beforehand +echo $HOTPKEY_BRANDING > $HOTP_KEY \ +|| die "Unable to store hotp key file" + #sha256sum /tmp/counter-$counter > $HOTP_COUNTER \ #|| die "Unable to create hotp counter file" mount -o remount,ro /boot -echo -e "\nLibrem Key initialized successfully. Press Enter to continue." +echo -e "\n$HOTPKEY_BRANDING initialized successfully. Press Enter to continue." read exit 0 diff --git a/initrd/bin/usb-scan b/initrd/bin/usb-scan index a9debdf..d9f26b0 100755 --- a/initrd/bin/usb-scan +++ b/initrd/bin/usb-scan @@ -2,6 +2,7 @@ # Scan for USB installation options set -e -o pipefail . /etc/functions +. /etc/gui_functions . /tmp/config # Unmount any previous boot device @@ -11,10 +12,8 @@ if grep -q /boot /proc/mounts ; then fi # Mount the USB boot device -if ! grep -q /media /proc/mounts ; then - mount-usb "$CONFIG_USB_BOOT_DEV" \ - || die "Unable to mount /media" -fi +mount_usb || die "Unable to mount /media" + # Get USB boot device USB_BOOT_DEV=$(grep "/media" /etc/mtab | cut -f 1 -d' ') diff --git a/initrd/etc/functions b/initrd/etc/functions index 2e8bd6a..a5935f6 100755 --- a/initrd/etc/functions +++ b/initrd/etc/functions 
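Review bot: `echo $HOTPKEY_BRANDING > $HOTP_KEY \` writes the branding unquoted, so the value is word-split and glob-expanded before it is stored; the known labels contain spaces ("Librem Key", "HOTP USB Security Dongle") and only survive because echo re-joins the words with single spaces. Quote both the value and the path, `echo "$HOTPKEY_BRANDING" > "$HOTP_KEY" \`, so the file holds exactly the string that was selected. The counter write just above uses the same unquoted pattern, but that line is pre-existing context.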
@@ -271,13 +271,15 @@ update_checksums() || recovery "Unable to mount /boot" fi # remount RW - mount -o rw,remount /boot - cd /boot - find ./ -type f ! -name '*kexec*' | xargs sha256sum > /boot/kexec_hashes.txt - if [ -e /boot/kexec_default_hashes.txt ]; then - DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ') - echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt - fi + mount -o rw,remount /boot + ( + cd /boot + find ./ -type f ! -name '*kexec*' | xargs sha256sum > /boot/kexec_hashes.txt + if [ -e /boot/kexec_default_hashes.txt ]; then + DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ') + echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt + fi + ) # Remove any package trigger log files # We don't need them after the user decides to sign rm -f /boot/kexec_package_trigger* @@ -301,7 +303,7 @@ update_checksums() detect_boot_device() { # unmount /boot to be safe - umount /boot 2>/dev/null + cd / && umount /boot 2>/dev/null # check $CONFIG_BOOT_DEV if set/valid if [ -e "$CONFIG_BOOT_DEV" ]; then @@ -320,7 +322,7 @@ detect_boot_device() > /tmp/boot_device_list for i in `cat /tmp/disklist`; do # remove block device from list if numeric partitions exist, since not bootable - let DEV_NUM_PARTITIONS=`ls -1 $i* | wc -l`-1 + DEV_NUM_PARTITIONS=$((`ls -1 $i* | wc -l`-1)) if [ ${DEV_NUM_PARTITIONS} -eq 0 ]; then echo $i >> /tmp/boot_device_list else diff --git a/initrd/etc/gui_functions b/initrd/etc/gui_functions new file mode 100755 index 0000000..efdc138 --- /dev/null +++ b/initrd/etc/gui_functions 
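Review bot: Inside the new subshell `cd /boot` is still unchecked; if it fails, `find ./ -type f ! -name '*kexec*'` on the next line hashes whatever the current directory holds and writes that list to `/boot/kexec_hashes.txt`, turning a transient error into a wrong manifest. Make the subshell stop on that failure and report it the way the mount failure above already does: `cd /boot || exit 1` inside the parentheses and `) || recovery "Unable to hash /boot"` on the closing line. While the lines are being re-indented, `find ./ -type f ! -name '*kexec*' -print0 | xargs -0 sha256sum > /boot/kexec_hashes.txt` would also stop file names containing whitespace from being split into non-existent entries; the same applies to the `@@ -301` and `@@ -320` hunks only insofar as they leave the original `ls`/`xargs` parsing in place.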
@@ -0,0 +1,71 @@
+#!/bin/sh
+# Shell functions for common operations using fbwhiptail
+
+mount_usb()
+{
+ # Unmount any previous USB device
+ if grep -q /media /proc/mounts ; then
+ umount /media || die "Unable to unmount /media"
+ fi
+ # Mount the USB boot device
+ mount-usb && USB_FAILED=0 || ( [ $? -eq 5 ] && exit 1 || USB_FAILED=1 )
+ if [ $USB_FAILED -ne 0 ]; then
+ whiptail --title 'USB Drive Missing' \
+ --msgbox "Insert your USB drive and press Enter to continue." 16 60
+ mount-usb && USB_FAILED=0 || ( [ $? -eq 5 ] && exit 1 || USB_FAILED=1 )
+ if [ $USB_FAILED -ne 0 ]; then
+ whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Mounting /media Failed' \
+ --msgbox "Unable to mount USB device" 16 60
+ exit 1
+ fi
+ fi
+}
+
+file_selector()
+{
+ FILE=""
+ FILE_LIST=$1
+ MENU_MSG=${2:-"Choose the file"}
+ MENU_TITLE=${3:-"Select your File"}
+
+ # create file menu options
+ if [ `cat "$FILE_LIST" | wc -l` -gt 0 ]; then
+ option=""
+ while [ -z "$option" ]
+ do
+ MENU_OPTIONS=""
+ n=0
+ while read option
+ do
+ n=`expr $n + 1`
+ option=$(echo $option | tr " " "_")
+ MENU_OPTIONS="$MENU_OPTIONS $n ${option}"
+ done < $FILE_LIST
+
+ MENU_OPTIONS="$MENU_OPTIONS a Abort"
+ whiptail --clear --title "${MENU_TITLE}" \
+ --menu "${MENU_MSG} [1-$n, a to abort]:" 20 120 8 \
+ -- $MENU_OPTIONS \
+ 2>/tmp/whiptail || die "Aborting"
+
+ option_index=$(cat /tmp/whiptail)
+
+ if [ "$option_index" = "a" ]; then
+ option="a"
+ return
+ fi
+
+ option=`head -n $option_index $FILE_LIST | tail -1`
+ if [ "$option" == "a" ]; then
+ return
+ fi
+ done
+ if [ -n "$option" ]; then
+ FILE=$option
+ fi
+ else
+ whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: No Files Found' \
+ --msgbox "No Files found matching the pattern. Aborting." 16 60
+ exit 1
+ fi
+}
diff --git a/modules/hidapi b/modules/hidapi
index 0a0ab5b..d62b422 100644
--- a/modules/hidapi
+++ b/modules/hidapi
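Review bot: In `mount-usb && USB_FAILED=0 || ( [ $? -eq 5 ] && exit 1 || USB_FAILED=1 )` the parentheses start a subshell, so `USB_FAILED=1` never reaches the function and `exit 1` only ends the subshell; after a failed mount-usb `$USB_FAILED` is unset (or stale from an earlier call), `[ $USB_FAILED -ne 0 ]` becomes a malformed test, and the retry dialog and the status-5 stop are both skipped. The same line appears again for the retry inside the `if`. Replace both with an `if`/`else` that keeps the assignment in the function's own scope; whatever exit status 5 from mount-usb signifies is not visible in this diff and is worth a comment at the first check.
```shell
mount_usb()
{
  # … unchanged: unmount of a previously mounted /media …
  # Mount the USB boot device; mount-usb status 5 is a hard stop (meaning not shown here)
  if mount-usb; then
    USB_FAILED=0
  else
    [ $? -eq 5 ] && exit 1
    USB_FAILED=1
  fi
  if [ "$USB_FAILED" -ne 0 ]; then
    whiptail --title 'USB Drive Missing' \
      --msgbox "Insert your USB drive and press Enter to continue." 16 60
    if mount-usb; then
      USB_FAILED=0
    else
      [ $? -eq 5 ] && exit 1
      USB_FAILED=1
    fi
    # … unchanged: error dialog and exit …
  fi
}
```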
@@ -1,2 +1,2 @@
 # empty placeholder file
-# This submodule is defined in modules/libremkey-hotp-verification
+# This submodule is defined in modules/hotp-verification
diff --git a/modules/hotp-verification b/modules/hotp-verification
new file mode 100644
index 0000000..d424f1b
--- /dev/null
+++ b/modules/hotp-verification
@@ -0,0 +1,37 @@
+modules-$(CONFIG_HOTPKEY) += hotp-verification
+
+hotp-verification_depends := libusb $(musl_dep)
+
+hotp-verification_version := c0956cfa085bcfc2500c1085dad350a440ccbe40
+hotp-verification_dir := hotp-verification-$(hotp-verification_version)
+hotp-verification_tar := nitrokey-hotp-verification-$(hotp-verification_version).tar.gz
+hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(hotp-verification_version).tar.gz
+hotp-verification_hash := c06e9751bc45bf8e57ddb39f15352442eda07530f6fe0e8e1ed3e54274fc165f
+
+hotp-verification_target := \
+ $(MAKE_JOBS) \
+ $(CROSS_TOOLS) \
+
+hotp-verification_output := \
+ hotp_verification \
+ hotp_initialize
+
+hotp-verification_configure := \
+ INSTALL="$(INSTALL)" \
+ CROSS="$(CROSS)" \
+ $(CROSS_TOOLS) $(MAKE) LDFLAGS="$(INSTALL)/lib/libusb-1.0.so" GITVERSION="" LIBUSB_FLAGS="-I/usr/include/libusb-1.0" PKGCONFIG="" && $(MAKE) install INSTALL="$(INSTALL)"
+
+hotp-verification_depends += hidapi
+modules-y += hidapi
+
+hidapi_version := e5ae0d30a523c565595bdfba3d5f2e9e1faf0bd0
+hidapi_dir := hotp-verification-$(hotp-verification_version)/hidapi
+hidapi_tar := hidapi-$(hidapi_version).tar.xz
+hidapi_url := https://github.com/Nitrokey/hidapi/archive/$(hidapi_version).tar.gz
+hidapi_hash := acc2a5089a8917085c2b3ebe9446065a21c760ba7e13cb54917043c4122188e0
+
+
+## hidapi will be built as part of hotp-verification
+## so nothing to do here (but need make to be happy)
+hidapi_output := .built
+hidapi_configure := echo -e 'all:\n\ttouch .built' > Makefile
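Review bot: `LIBUSB_FLAGS="-I/usr/include/libusb-1.0"` points the cross build at the build host's libusb headers while the same line links `$(INSTALL)/lib/libusb-1.0.so` from the Heads-built libusb module, so headers and library can come from different libusb versions and the result depends on what happens to be installed on the host instead of on the pinned module that `hotp-verification_depends` already names. Taking the include from the same tree, `LIBUSB_FLAGS="-I$(INSTALL)/include/libusb-1.0"`, keeps the build self-contained (assuming the libusb module installs its headers under `$(INSTALL)/include`, which this diff does not show). Separately, `hidapi_tar := hidapi-$(hidapi_version).tar.xz` names a `.tar.xz` while `hidapi_url` fetches a `.tar.gz`; this is carried over from the deleted module and the pinned `hidapi_hash` is what actually protects the download, but the mismatched extension is worth correcting while the file is being rewritten.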
diff --git a/modules/libremkey-hotp-verification b/modules/libremkey-hotp-verification
deleted file mode 100644
index 5ebb713..0000000
--- a/modules/libremkey-hotp-verification
+++ /dev/null
@@ -1,37 +0,0 @@
-modules-$(CONFIG_LIBREMKEY) += libremkey-hotp-verification
-
-libremkey-hotp-verification_depends := libusb $(musl_dep)
-
-libremkey-hotp-verification_version := 809953b9b4bef97a4cffaa20d675bd7fe9d8da53
-libremkey-hotp-verification_dir := libremkey-hotp-verification-$(libremkey-hotp-verification_version)
-libremkey-hotp-verification_tar := nitrokey-hotp-verification-$(libremkey-hotp-verification_version).tar.gz
-libremkey-hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(libremkey-hotp-verification_version).tar.gz
-libremkey-hotp-verification_hash := 251e5cef74e4e45eeddc49e4a1da1e22d1de774cd32cb0451a9030579ae958ba
-
-libremkey-hotp-verification_target := \
- $(MAKE_JOBS) \
- $(CROSS_TOOLS) \
-
-libremkey-hotp-verification_output := \
- libremkey_hotp_verification \
- libremkey_hotp_initialize
-
-libremkey-hotp-verification_configure := \
- INSTALL="$(INSTALL)" \
- CROSS="$(CROSS)" \
- $(CROSS_TOOLS) $(MAKE) LDFLAGS="$(INSTALL)/lib/libusb-1.0.so" && $(MAKE) install INSTALL="$(INSTALL)"
-
-libremkey-hotp-verification_depends += hidapi
-modules-y += hidapi
-
-hidapi_version := e5ae0d30a523c565595bdfba3d5f2e9e1faf0bd0
-hidapi_dir := libremkey-hotp-verification-$(libremkey-hotp-verification_version)/hidapi
-hidapi_tar := hidapi-$(hidapi_version).tar.xz
-hidapi_url := https://github.com/Nitrokey/hidapi/archive/$(hidapi_version).tar.gz
-hidapi_hash := acc2a5089a8917085c2b3ebe9446065a21c760ba7e13cb54917043c4122188e0
-
-
-## hidapi will be built as part of libremkey-hotp-verification
-## so nothing to do here (but need make to be happy)
-hidapi_output := .built
-hidapi_configure := echo -e 'all:\n\ttouch .built' > Makefile
diff --git a/patches/coreboot-4.8.1/0000-measuredboot.patch b/patches/coreboot-4.8.1/0000-measuredboot.patch index 7731a5a..7e3cce9 100644 --- a/patches/coreboot-4.8.1/0000-measuredboot.patch +++ b/patches/coreboot-4.8.1/0000-measuredboot.patch @@ -167,7 +167,7 @@ index 6fd55d7..b5b7d91 100644 +{ + if (IS_ENABLED(CONFIG_MEASURED_BOOT) && !(flags & SEG_NO_MEASURE)) + { -+ tlcl_measure(3, (const void*) start, size); ++ tlcl_measure(2, (const void*) start, size); + } +} + diff --git a/patches/coreboot-4.8.1/0009-Add-heads-TPM-measurements-to-Skylake-Kabylake.patch b/patches/coreboot-4.8.1/0009-Add-heads-TPM-measurements-to-Skylake-Kabylake.patch index 9b3898e..1d53f90 100644 --- a/patches/coreboot-4.8.1/0009-Add-heads-TPM-measurements-to-Skylake-Kabylake.patch +++ b/patches/coreboot-4.8.1/0009-Add-heads-TPM-measurements-to-Skylake-Kabylake.patch @@ -51,9 +51,9 @@ index 30987ce..4957bc0 100644 + tlcl_lib_init(); + const void * const bootblock = (const void*) 0xFFFFF800; + const unsigned bootblock_size = 0x800; -+ tlcl_measure(0, bootblock, bootblock_size); ++ tlcl_measure(2, bootblock, bootblock_size); + -+ tlcl_measure(1, _romstage, _eromstage - _romstage); ++ tlcl_measure(2, _romstage, _eromstage - _romstage); + } + /* Signal that FSP component has been loaded. */ @@ -66,7 +66,7 @@ index 30987ce..4957bc0 100644 +void platform_segment_loaded(uintptr_t start, size_t size, int flags) +{ + if (IS_ENABLED(CONFIG_MEASURED_BOOT) && !(flags & SEG_NO_MEASURE)) { -+ tlcl_measure(1, (const void*) start, size); ++ tlcl_measure(2, (const void*) start, size); + } +} + @@ -87,7 +87,7 @@ index bda88d1..49568f6 100644 die("Failed to read FSPS!\n"); + if (IS_ENABLED(CONFIG_MEASURED_BOOT)) { -+ tlcl_measure(1, (const void*) dest, size); ++ tlcl_measure(2, (const void*) dest, size); + } + if (fsp_component_relocate((uintptr_t)dest, dest, size) < 0) diff --git a/patches/coreboot-4.8.1/0030-sandybridge.patch b/patches/coreboot-4.8.1/0030-sandybridge.patch index 8559b40..b6083f0 100644 
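Review bot: Every `tlcl_measure` call touched here is redirected to PCR 2 — `tlcl_measure(3, (const void*) start, size)` becomes `tlcl_measure(2, …)` in this hunk, and the 0009 and 0030 hunks move the bootblock (index 0), romstage (index 1) and loaded-segment (index 1) measurements to the same index. Folding the per-stage PCRs into one is a change to the measured-boot layout that the diff does not explain: anything sealed against the previous PCR 0/1/3 values will no longer unseal until it is re-sealed, and a verifier can no longer tell bootblock, romstage and later segments apart by PCR. A short header comment in `0000-measuredboot.patch` stating which coreboot stages are extended into which PCR and why the index changed would let a reader reproduce the layout; whether the sealing side was updated to match is outside this diff and should be confirmed.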
--- a/patches/coreboot-4.8.1/0030-sandybridge.patch +++ b/patches/coreboot-4.8.1/0030-sandybridge.patch @@ -22,10 +22,10 @@ index 0426b83..d348b9e 100644 + tlcl_lib_init(); + const void * const bootblock = (const void*) 0xFFFFF800; + const unsigned bootblock_size = 0x800; -+ tlcl_measure(0, bootblock, bootblock_size); ++ tlcl_measure(2, bootblock, bootblock_size); + + extern char _romstage, _eromstage; -+ tlcl_measure(1, &_romstage, &_eromstage - &_romstage); ++ tlcl_measure(2, &_romstage, &_eromstage - &_romstage); + } + /* USB is initialized in MRC if MRC is used. */ diff --git a/patches/kexec-2.0.20.patch b/patches/kexec-2.0.20.patch index 9e94049..c16cda1 100644 --- a/patches/kexec-2.0.20.patch +++ b/patches/kexec-2.0.20.patch @@ -1,7 +1,7 @@ -diff --git ./Makefile.in ./Makefile.in +diff --git a/Makefile.in b/Makefile.in index fb01134..bf1973e 100644 ---- ./Makefile.in -+++ ./Makefile.in +--- a/Makefile.in ++++ b/Makefile.in @@ -157,12 +157,12 @@ include $(srcdir)/kexec/Makefile # vmcore-dmesg (read dmesg from a vmcore) @@ -17,10 +17,24 @@ index fb01134..bf1973e 100644 SPEC=$(PACKAGE_NAME).spec GENERATED_SRCS:= $(SPEC) -diff --git ./kexec/kexec.c ./kexec/kexec.c +diff --git a/kexec/arch/i386/x86-linux-setup.c b/kexec/arch/i386/x86-linux-setup.c +index 057ee14..43e017a 100644 +--- a/kexec/arch/i386/x86-linux-setup.c ++++ b/kexec/arch/i386/x86-linux-setup.c +@@ -137,7 +137,8 @@ static int setup_linux_vesafb(struct x86_linux_param_header *real_mode) + goto out; + if (-1 == ioctl(fd, FBIOGET_VSCREENINFO, &var)) + goto out; +- if (0 == strcmp(fix.id, "VESA VGA")) { ++ if (0 == strcmp(fix.id, "VESA VGA") ++ || 0 == strcmp(fix.id, "inteldrmfb")) { + /* VIDEO_TYPE_VLFB */ + real_mode->orig_video_isVGA = 0x23; + } else if (0 == strcmp(fix.id, "EFI VGA")) { +diff --git a/kexec/kexec.c b/kexec/kexec.c index bc6ab3d..b82725b 100644 ---- ./kexec/kexec.c -+++ ./kexec/kexec.c +--- a/kexec/kexec.c ++++ b/kexec/kexec.c 
@@ -805,6 +805,27 @@ static int my_load(const char *type, int fileind, int argc, char **argv, if (sort_segments(&info) < 0) { return -1; @@ -49,10 +63,10 @@ index bc6ab3d..b82725b 100644 /* if purgatory is loaded update it */ update_purgatory(&info); if (entry) -diff --git ./purgatory/Makefile ./purgatory/Makefile +diff --git a/purgatory/Makefile b/purgatory/Makefile index 2dd6c47..2de8f07 100644 ---- ./purgatory/Makefile -+++ ./purgatory/Makefile +--- a/purgatory/Makefile ++++ b/purgatory/Makefile @@ -44,7 +44,6 @@ purgatory/sha256.o: $(srcdir)/util_lib/sha256.c mkdir -p $(@D) $(COMPILE.c) -o $@ $^ @@ -61,10 +75,10 @@ index 2dd6c47..2de8f07 100644 $(PURGATORY): CFLAGS=$(PURGATORY_EXTRA_CFLAGS) \ $($(ARCH)_PURGATORY_EXTRA_CFLAGS) \ -Os -fno-builtin -ffreestanding \ -diff --git ./util/Makefile ./util/Makefile +diff --git a/util/Makefile b/util/Makefile index 948ee63..833a897 100644 ---- ./util/Makefile -+++ ./util/Makefile +--- a/util/Makefile ++++ b/util/Makefile @@ -2,7 +2,7 @@ BIN_TO_HEX:= bin/bin-to-hex $(BIN_TO_HEX): $(srcdir)/util/bin-to-hex.c diff --git a/patches/libremkey-hotp-verification-e5fa36a7a1950226d0ef94e2eeed0ffb510eba89.patch b/patches/libremkey-hotp-verification-e5fa36a7a1950226d0ef94e2eeed0ffb510eba89.patch deleted file mode 100644 index 5f058f2..0000000 --- a/patches/libremkey-hotp-verification-e5fa36a7a1950226d0ef94e2eeed0ffb510eba89.patch +++ /dev/null 
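Review bot: The nested hunk added for `kexec/arch/i386/x86-linux-setup.c` makes `setup_linux_vesafb` treat a framebuffer whose id is `inteldrmfb` exactly like `VESA VGA`, setting `orig_video_isVGA = 0x23` under the existing `/* VIDEO_TYPE_VLFB */` comment; a one-line comment above the new condition, such as `/* inteldrmfb exposes a linear framebuffer usable as VLFB by the next kernel */`, would record why the two ids are treated as equivalent, as nothing in the patch says so. The same patch file also rewrites its paths from `./Makefile.in` to `a/Makefile.in` / `b/Makefile.in`, which applies cleanly only when one path component is stripped (`-p1`); the module definition that applies the patch is outside this diff, so the strip level should be checked against it. The outer hunk begins on the previous line of this listing.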
@@ -1,73 +0,0 @@ ---- nitrokey-hotp-verification-a/Toolchain-heads.cmake 2018-05-22 09:55:46.907209235 -0700 -+++ nitrokey-hotp-verification-b/Toolchain-heads.cmake 2018-05-22 09:55:26.659371966 -0700 -@@ -0,0 +1,27 @@ -+SET(CMAKE_SYSTEM_NAME Linux) -+SET(CMAKE_SYSTEM_VERSION 1) -+ -+# Specify the cross compiler -+SET(CMAKE_C_COMPILER $ENV{CROSS}gcc) -+SET(CMAKE_CXX_COMPILER $ENV{CROSS}gcc) -+ -+#sysroot location -+set(MYSYSROOT $ENV{INSTALL}) -+ -+# compiler/linker flags -+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE) -+set(CMAKE_C_LINK_FLAGS "${CMAKE_C_LINK_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE) -+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE) -+set(CMAKE_CXX_LINK_FLAGS "${CMAKE_CXX_LINK_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE) -+ -+# Where is the target environment -+SET(CMAKE_FIND_ROOT_PATH "${MYSYSROOT}") -+ -+# Search for programs only in the build host directories -+SET(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER) -+ -+# Search for libraries and headers only in the target directories -+SET(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY) -+SET(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY) -+ -+INCLUDE_DIRECTORIES(hidapi) ---- libremkey-hotp-verification/device.c 2018-06-20 16:13:36.417804210 -0700 -+++ libremkey-hotp-verification-b/device.c 2018-06-20 16:14:34.532367723 -0700 -@@ -34,7 +34,7 @@ - const unsigned short m_vid = 0x20a0; - const unsigned short m_pid = 0x4108; - --static const int CONNECTION_ATTEMPTS_COUNT = 80; -+static const int CONNECTION_ATTEMPTS_COUNT = 2; - - static const int CONNECTION_ATTEMPT_DELAY_MICRO_SECONDS = 1000*1000/2; - ---- libremkey-hotp-verification/libremkey_hotp_initialize -+++ libremkey-hotp-verification-b/libremkey_hotp_initialize -@@ -14,9 +14,9 @@ fi - PIN=$1 - SECRET=$2 - COUNTER=$3 --SECRET_B32=$(echo -n $SECRET | base32) -+SECRET_B32=$(cat $SECRET | base32) - --libremkey_hotp_verification set $SECRET_B32 $PIN 
-+libremkey_hotp_verification set $SECRET_B32 "$PIN" - if [ $? -ne 0 ]; then - echo "ERROR: Setting HOTP secret on Librem Key failed!" - exit 1 -@@ -25,7 +25,7 @@ fi - i=9 - while [ "$i" -lt "$COUNTER" ]; do - echo "Updating counter to $i" -- HOTP_CODE=$(echo $SECRET | hotp $i) -+ HOTP_CODE=$(hotp $i < $SECRET) - libremkey_hotp_verification check $HOTP_CODE > /dev/null - if [ $? -ne 0 ]; then - echo "HOTP check failed for counter=$i, code=$HOTP_CODE" -@@ -34,7 +34,7 @@ while [ "$i" -lt "$COUNTER" ]; do - let "i += 10" - done - --HOTP_CODE=$(echo $SECRET | hotp $COUNTER) -+HOTP_CODE=$(hotp $COUNTER < $SECRET) - libremkey_hotp_verification check $HOTP_CODE > /dev/null - if [ $? -ne 0 ]; then - echo "HOTP check failed for counter=$COUNTER, code=$HOTP_CODE"