diff --git a/boards/EOL_UNTESTED_t530-hotp-maximized/EOL_UNTESTED_t530-hotp-maximized.config b/boards/EOL_UNTESTED_t530-hotp-maximized/EOL_UNTESTED_t530-hotp-maximized.config
index 6d181b14f..c75590d23 100644
--- a/boards/EOL_UNTESTED_t530-hotp-maximized/EOL_UNTESTED_t530-hotp-maximized.config
+++ b/boards/EOL_UNTESTED_t530-hotp-maximized/EOL_UNTESTED_t530-hotp-maximized.config
@@ -68,7 +68,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
diff --git a/boards/EOL_UNTESTED_t530-maximized/EOL_UNTESTED_t530-maximized.config b/boards/EOL_UNTESTED_t530-maximized/EOL_UNTESTED_t530-maximized.config
index ee1ee88f9..6a9e06d61 100644
--- a/boards/EOL_UNTESTED_t530-maximized/EOL_UNTESTED_t530-maximized.config
+++ b/boards/EOL_UNTESTED_t530-maximized/EOL_UNTESTED_t530-maximized.config
@@ -67,7 +67,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
diff --git a/boards/EOL_librem_13v2/EOL_librem_13v2.config b/boards/EOL_librem_13v2/EOL_librem_13v2.config
index 186b7c571..e42adf1b7 100644
--- a/boards/EOL_librem_13v2/EOL_librem_13v2.config
+++ b/boards/EOL_librem_13v2/EOL_librem_13v2.config
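Review bot: Nothing in this hunk guarantees that `/bin/gui-init.sh` exists in the initrd; the new `CONFIG_BOOTSCRIPT` value is only correct if the script itself is renamed in the same change, and that rename is not visible in the hunks shown here. Because this variable names the script that leads into the verified-boot flow, a stale name would presumably leave the board without its normal boot path, so it is worth confirming that any code comparing against the literal `/bin/gui-init`, and any previously persisted override of this variable, is handled. A one-line comment above the setting, such as `# must match the script name installed under initrd/bin`, would make the coupling explicit. The same point applies to every board `.config` hunk in this patch, including the `/bin/talos-init.sh` value for talos-2 and the commented-out `/bin/generic-init.sh` lines in the qemu boards.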
@@ -37,7 +37,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
diff --git a/boards/EOL_librem_13v4/EOL_librem_13v4.config b/boards/EOL_librem_13v4/EOL_librem_13v4.config
index 6aa6ff11c..4230ef63f 100644
--- a/boards/EOL_librem_13v4/EOL_librem_13v4.config
+++ b/boards/EOL_librem_13v4/EOL_librem_13v4.config
@@ -37,7 +37,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
diff --git a/boards/EOL_librem_15v3/EOL_librem_15v3.config b/boards/EOL_librem_15v3/EOL_librem_15v3.config
index b85672e57..a11627c95 100644
--- a/boards/EOL_librem_15v3/EOL_librem_15v3.config
+++ b/boards/EOL_librem_15v3/EOL_librem_15v3.config
@@ -37,7 +37,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
diff --git a/boards/EOL_librem_15v4/EOL_librem_15v4.config b/boards/EOL_librem_15v4/EOL_librem_15v4.config
index f5416a0a7..7b960b082 100644
--- a/boards/EOL_librem_15v4/EOL_librem_15v4.config
+++ b/boards/EOL_librem_15v4/EOL_librem_15v4.config
@@ -38,7 +38,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
diff --git a/boards/EOL_librem_l1um/EOL_librem_l1um.config b/boards/EOL_librem_l1um/EOL_librem_l1um.config
index d34202f6e..6d91d6a7b 100644
--- a/boards/EOL_librem_l1um/EOL_librem_l1um.config
+++ b/boards/EOL_librem_l1um/EOL_librem_l1um.config
@@ -37,7 +37,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on"
diff --git a/boards/EOL_optiplex-7010_9010-hotp-maximized/EOL_optiplex-7010_9010-hotp-maximized.config b/boards/EOL_optiplex-7010_9010-hotp-maximized/EOL_optiplex-7010_9010-hotp-maximized.config
index 144cf8d1f..2a22740a0 100644
--- a/boards/EOL_optiplex-7010_9010-hotp-maximized/EOL_optiplex-7010_9010-hotp-maximized.config
+++ b/boards/EOL_optiplex-7010_9010-hotp-maximized/EOL_optiplex-7010_9010-hotp-maximized.config
@@ -78,7 +78,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
diff --git a/boards/EOL_optiplex-7010_9010-maximized/EOL_optiplex-7010_9010-maximized.config b/boards/EOL_optiplex-7010_9010-maximized/EOL_optiplex-7010_9010-maximized.config
index c79999e02..c4966eebe 100644
--- a/boards/EOL_optiplex-7010_9010-maximized/EOL_optiplex-7010_9010-maximized.config
+++ b/boards/EOL_optiplex-7010_9010-maximized/EOL_optiplex-7010_9010-maximized.config
@@ -78,7 +78,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
diff --git a/boards/EOL_optiplex-7010_9010_TXT-hotp-maximized/EOL_optiplex-7010_9010_TXT-hotp-maximized.config b/boards/EOL_optiplex-7010_9010_TXT-hotp-maximized/EOL_optiplex-7010_9010_TXT-hotp-maximized.config
index 1cd717725..78b704af6 100644
--- a/boards/EOL_optiplex-7010_9010_TXT-hotp-maximized/EOL_optiplex-7010_9010_TXT-hotp-maximized.config
+++ b/boards/EOL_optiplex-7010_9010_TXT-hotp-maximized/EOL_optiplex-7010_9010_TXT-hotp-maximized.config
@@ -78,7 +78,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
diff --git a/boards/EOL_optiplex-7010_9010_TXT-maximized/EOL_optiplex-7010_9010_TXT-maximized.config b/boards/EOL_optiplex-7010_9010_TXT-maximized/EOL_optiplex-7010_9010_TXT-maximized.config
index 1d7f08878..7031242af 100644
--- a/boards/EOL_optiplex-7010_9010_TXT-maximized/EOL_optiplex-7010_9010_TXT-maximized.config
+++ b/boards/EOL_optiplex-7010_9010_TXT-maximized/EOL_optiplex-7010_9010_TXT-maximized.config
@@ -78,7 +78,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
diff --git a/boards/EOL_t420-hotp-maximized/EOL_t420-hotp-maximized.config b/boards/EOL_t420-hotp-maximized/EOL_t420-hotp-maximized.config
index d7b7bd827..1d1bb30c1 100644
--- a/boards/EOL_t420-hotp-maximized/EOL_t420-hotp-maximized.config
+++ b/boards/EOL_t420-hotp-maximized/EOL_t420-hotp-maximized.config
@@ -71,7 +71,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
diff --git a/boards/EOL_t420-maximized/EOL_t420-maximized.config b/boards/EOL_t420-maximized/EOL_t420-maximized.config
index 267d0ebe0..a456e8dce 100644
--- a/boards/EOL_t420-maximized/EOL_t420-maximized.config
+++ b/boards/EOL_t420-maximized/EOL_t420-maximized.config
@@ -69,7 +69,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
diff --git a/boards/EOL_t430-hotp-maximized/EOL_t430-hotp-maximized.config b/boards/EOL_t430-hotp-maximized/EOL_t430-hotp-maximized.config
index 96b64d526..1df20cfdc 100644
--- a/boards/EOL_t430-hotp-maximized/EOL_t430-hotp-maximized.config
+++ b/boards/EOL_t430-hotp-maximized/EOL_t430-hotp-maximized.config
@@ -66,7 +66,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
diff --git a/boards/EOL_t430-maximized/EOL_t430-maximized.config b/boards/EOL_t430-maximized/EOL_t430-maximized.config
index 3cb5d5707..0cafd4595 100644
--- a/boards/EOL_t430-maximized/EOL_t430-maximized.config
+++ b/boards/EOL_t430-maximized/EOL_t430-maximized.config
@@ -66,7 +66,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
diff --git a/boards/EOL_t440p-hotp-maximized/EOL_t440p-hotp-maximized.config b/boards/EOL_t440p-hotp-maximized/EOL_t440p-hotp-maximized.config
index d176e98ad..37b6860e9 100644
--- a/boards/EOL_t440p-hotp-maximized/EOL_t440p-hotp-maximized.config
+++ b/boards/EOL_t440p-hotp-maximized/EOL_t440p-hotp-maximized.config
@@ -42,7 +42,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOARD_NAME="ThinkPad T440p-hotp-maximized"
diff --git a/boards/EOL_t440p-maximized/EOL_t440p-maximized.config b/boards/EOL_t440p-maximized/EOL_t440p-maximized.config
index 44c7f0cea..f4306e313 100644
--- a/boards/EOL_t440p-maximized/EOL_t440p-maximized.config
+++ b/boards/EOL_t440p-maximized/EOL_t440p-maximized.config
@@ -42,7 +42,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOARD_NAME="ThinkPad T440p-maximized"
diff --git a/boards/EOL_t480-hotp-maximized/EOL_t480-hotp-maximized.config b/boards/EOL_t480-hotp-maximized/EOL_t480-hotp-maximized.config
index c7cc76787..d397fb113 100644
--- a/boards/EOL_t480-hotp-maximized/EOL_t480-hotp-maximized.config
+++ b/boards/EOL_t480-hotp-maximized/EOL_t480-hotp-maximized.config
@@ -89,7 +89,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
diff --git a/boards/EOL_t480-maximized/EOL_t480-maximized.config b/boards/EOL_t480-maximized/EOL_t480-maximized.config
index 1a1ff3fc3..f4fb46dba 100644
--- a/boards/EOL_t480-maximized/EOL_t480-maximized.config
+++ b/boards/EOL_t480-maximized/EOL_t480-maximized.config
@@ -89,7 +89,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
diff --git a/boards/EOL_t480s-hotp-maximized/EOL_t480s-hotp-maximized.config b/boards/EOL_t480s-hotp-maximized/EOL_t480s-hotp-maximized.config
index c740d5f4a..11ad294da 100644
--- a/boards/EOL_t480s-hotp-maximized/EOL_t480s-hotp-maximized.config
+++ b/boards/EOL_t480s-hotp-maximized/EOL_t480s-hotp-maximized.config
@@ -89,7 +89,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
diff --git a/boards/EOL_t480s-maximized/EOL_t480s-maximized.config b/boards/EOL_t480s-maximized/EOL_t480s-maximized.config
index eeba196f8..7f82888b1 100644
--- a/boards/EOL_t480s-maximized/EOL_t480s-maximized.config
+++ b/boards/EOL_t480s-maximized/EOL_t480s-maximized.config
@@ -89,7 +89,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
diff --git a/boards/EOL_w530-hotp-maximized/EOL_w530-hotp-maximized.config b/boards/EOL_w530-hotp-maximized/EOL_w530-hotp-maximized.config
index 984e1176d..e632284d6 100644
--- a/boards/EOL_w530-hotp-maximized/EOL_w530-hotp-maximized.config
+++ b/boards/EOL_w530-hotp-maximized/EOL_w530-hotp-maximized.config
@@ -68,7 +68,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
diff --git a/boards/EOL_w530-maximized/EOL_w530-maximized.config b/boards/EOL_w530-maximized/EOL_w530-maximized.config
index 15fcd4d18..dadffc25d 100644
--- a/boards/EOL_w530-maximized/EOL_w530-maximized.config
+++ b/boards/EOL_w530-maximized/EOL_w530-maximized.config
@@ -67,7 +67,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
diff --git a/boards/EOL_w541-hotp-maximized/EOL_w541-hotp-maximized.config b/boards/EOL_w541-hotp-maximized/EOL_w541-hotp-maximized.config
index 1f85ddf95..5adde417b 100644
--- a/boards/EOL_w541-hotp-maximized/EOL_w541-hotp-maximized.config
+++ b/boards/EOL_w541-hotp-maximized/EOL_w541-hotp-maximized.config
@@ -43,7 +43,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOARD_NAME="ThinkPad W541-hotp-maximized"
diff --git a/boards/EOL_w541-maximized/EOL_w541-maximized.config b/boards/EOL_w541-maximized/EOL_w541-maximized.config
index 3fb2cb5bd..13038f086 100644
--- a/boards/EOL_w541-maximized/EOL_w541-maximized.config
+++ b/boards/EOL_w541-maximized/EOL_w541-maximized.config
@@ -43,7 +43,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOARD_NAME="ThinkPad W541-maximized"
diff --git a/boards/EOL_x220-hotp-maximized/EOL_x220-hotp-maximized.config b/boards/EOL_x220-hotp-maximized/EOL_x220-hotp-maximized.config
index 78c4e7935..17d098cb1 100644
--- a/boards/EOL_x220-hotp-maximized/EOL_x220-hotp-maximized.config
+++ b/boards/EOL_x220-hotp-maximized/EOL_x220-hotp-maximized.config
@@ -71,7 +71,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
diff --git a/boards/EOL_x220-maximized/EOL_x220-maximized.config b/boards/EOL_x220-maximized/EOL_x220-maximized.config
index f156f70e5..5abbb4a75 100644
--- a/boards/EOL_x220-maximized/EOL_x220-maximized.config
+++ b/boards/EOL_x220-maximized/EOL_x220-maximized.config
@@ -70,7 +70,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
diff --git a/boards/EOL_x230-hotp-maximized-fhd_edp/EOL_x230-hotp-maximized-fhd_edp.config b/boards/EOL_x230-hotp-maximized-fhd_edp/EOL_x230-hotp-maximized-fhd_edp.config
index af21cb0d2..ccf1feaa0 100644
--- a/boards/EOL_x230-hotp-maximized-fhd_edp/EOL_x230-hotp-maximized-fhd_edp.config
+++ b/boards/EOL_x230-hotp-maximized-fhd_edp/EOL_x230-hotp-maximized-fhd_edp.config
@@ -80,7 +80,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
diff --git a/boards/EOL_x230-hotp-maximized/EOL_x230-hotp-maximized.config b/boards/EOL_x230-hotp-maximized/EOL_x230-hotp-maximized.config
index 4dbb958b2..d0d3a5e50 100644
--- a/boards/EOL_x230-hotp-maximized/EOL_x230-hotp-maximized.config
+++ b/boards/EOL_x230-hotp-maximized/EOL_x230-hotp-maximized.config
@@ -78,7 +78,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
diff --git a/boards/EOL_x230-hotp-maximized_usb-kb/EOL_x230-hotp-maximized_usb-kb.config b/boards/EOL_x230-hotp-maximized_usb-kb/EOL_x230-hotp-maximized_usb-kb.config
index f4e3fa5de..712878115 100644
--- a/boards/EOL_x230-hotp-maximized_usb-kb/EOL_x230-hotp-maximized_usb-kb.config
+++ b/boards/EOL_x230-hotp-maximized_usb-kb/EOL_x230-hotp-maximized_usb-kb.config
@@ -72,7 +72,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
diff --git a/boards/EOL_x230-maximized-fhd_edp/EOL_x230-maximized-fhd_edp.config b/boards/EOL_x230-maximized-fhd_edp/EOL_x230-maximized-fhd_edp.config
index df4f45a8a..72b6b4663 100644
--- a/boards/EOL_x230-maximized-fhd_edp/EOL_x230-maximized-fhd_edp.config
+++ b/boards/EOL_x230-maximized-fhd_edp/EOL_x230-maximized-fhd_edp.config
@@ -79,7 +79,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
diff --git a/boards/EOL_x230-maximized/EOL_x230-maximized.config b/boards/EOL_x230-maximized/EOL_x230-maximized.config
index b64af87ce..d26e1dcb8 100644
--- a/boards/EOL_x230-maximized/EOL_x230-maximized.config
+++ b/boards/EOL_x230-maximized/EOL_x230-maximized.config
@@ -66,7 +66,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
diff --git a/boards/EOL_z220-cmt-hotp-maximized/EOL_z220-cmt-hotp-maximized.config b/boards/EOL_z220-cmt-hotp-maximized/EOL_z220-cmt-hotp-maximized.config
index 533c51148..15baae491 100644
--- a/boards/EOL_z220-cmt-hotp-maximized/EOL_z220-cmt-hotp-maximized.config +++ b/boards/EOL_z220-cmt-hotp-maximized/EOL_z220-cmt-hotp-maximized.config @@ -62,7 +62,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n export CONFIG_TPM2_CAPTURE_PCAP=n #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=y -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="" diff --git a/boards/EOL_z220-cmt-maximized/EOL_z220-cmt-maximized.config b/boards/EOL_z220-cmt-maximized/EOL_z220-cmt-maximized.config index 8d24062e2..b9ada89a5 100644 --- a/boards/EOL_z220-cmt-maximized/EOL_z220-cmt-maximized.config +++ b/boards/EOL_z220-cmt-maximized/EOL_z220-cmt-maximized.config @@ -62,7 +62,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n export CONFIG_TPM2_CAPTURE_PCAP=n #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=y -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="" diff --git a/boards/UNTESTED_msi_z690a_ddr4/UNTESTED_msi_z690a_ddr4.config b/boards/UNTESTED_msi_z690a_ddr4/UNTESTED_msi_z690a_ddr4.config index 893bafe46..7c7a832b7 100644 --- a/boards/UNTESTED_msi_z690a_ddr4/UNTESTED_msi_z690a_ddr4.config +++ b/boards/UNTESTED_msi_z690a_ddr4/UNTESTED_msi_z690a_ddr4.config @@ -32,7 +32,7 @@ CONFIG_LINUX_IGC=y export CONFIG_REQUIRE_USB_KEYBOARD=n -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_KERNEL_ADD="" export CONFIG_BOOT_KERNEL_REMOVE="" diff --git a/boards/UNTESTED_msi_z690a_ddr5/UNTESTED_msi_z690a_ddr5.config b/boards/UNTESTED_msi_z690a_ddr5/UNTESTED_msi_z690a_ddr5.config index 7fb97e23d..5152084df 100644 --- a/boards/UNTESTED_msi_z690a_ddr5/UNTESTED_msi_z690a_ddr5.config 
+++ b/boards/UNTESTED_msi_z690a_ddr5/UNTESTED_msi_z690a_ddr5.config @@ -32,7 +32,7 @@ CONFIG_LINUX_IGC=y export CONFIG_REQUIRE_USB_KEYBOARD=n -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_KERNEL_ADD="" export CONFIG_BOOT_KERNEL_REMOVE="" diff --git a/boards/UNTESTED_msi_z790p_ddr4/UNTESTED_msi_z790p_ddr4.config b/boards/UNTESTED_msi_z790p_ddr4/UNTESTED_msi_z790p_ddr4.config index a95719090..f3a6e445d 100644 --- a/boards/UNTESTED_msi_z790p_ddr4/UNTESTED_msi_z790p_ddr4.config +++ b/boards/UNTESTED_msi_z790p_ddr4/UNTESTED_msi_z790p_ddr4.config @@ -32,7 +32,7 @@ CONFIG_LINUX_IGC=y export CONFIG_REQUIRE_USB_KEYBOARD=n -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_KERNEL_ADD="" export CONFIG_BOOT_KERNEL_REMOVE="" diff --git a/boards/UNTESTED_nitropad-ns50/UNTESTED_nitropad-ns50.config b/boards/UNTESTED_nitropad-ns50/UNTESTED_nitropad-ns50.config index c8c2e4a57..029f42f41 100644 --- a/boards/UNTESTED_nitropad-ns50/UNTESTED_nitropad-ns50.config +++ b/boards/UNTESTED_nitropad-ns50/UNTESTED_nitropad-ns50.config @@ -72,7 +72,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n export CONFIG_TPM2_CAPTURE_PCAP=n #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=y -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="" diff --git a/boards/UNTESTED_talos-2/UNTESTED_talos-2.config b/boards/UNTESTED_talos-2/UNTESTED_talos-2.config index 8433881ca..795c916e3 100644 --- a/boards/UNTESTED_talos-2/UNTESTED_talos-2.config +++ b/boards/UNTESTED_talos-2/UNTESTED_talos-2.config 
@@ -51,7 +51,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/talos-init
+export CONFIG_BOOTSCRIPT="/bin/talos-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_REMOVE="quiet"
diff --git a/boards/librem_11/librem_11.config b/boards/librem_11/librem_11.config
index 79cca98cf..ac5249c9a 100644
--- a/boards/librem_11/librem_11.config
+++ b/boards/librem_11/librem_11.config
@@ -37,7 +37,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
diff --git a/boards/librem_14/librem_14.config b/boards/librem_14/librem_14.config
index 4d9189059..afd59ff98 100644
--- a/boards/librem_14/librem_14.config
+++ b/boards/librem_14/librem_14.config
@@ -35,7 +35,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
 export CONFIG_TPM2_CAPTURE_PCAP=n
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=y
-export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOTSCRIPT="/bin/gui-init.sh"
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
diff --git a/boards/librem_l1um_v2/librem_l1um_v2.config b/boards/librem_l1um_v2/librem_l1um_v2.config
index fde0be749..bf3ec7c9d 100644
--- a/boards/librem_l1um_v2/librem_l1um_v2.config
+++ b/boards/librem_l1um_v2/librem_l1um_v2.config
@@ -39,7 +39,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n export CONFIG_TPM2_CAPTURE_PCAP=n #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=y -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="" diff --git a/boards/librem_mini/initrd/bin/board-init.sh b/boards/librem_mini/initrd/bin/board-init.sh index 4299016c7..4a835c0a6 100755 --- a/boards/librem_mini/initrd/bin/board-init.sh +++ b/boards/librem_mini/initrd/bin/board-init.sh @@ -1,6 +1,7 @@ #!/bin/bash set -o pipefail +# shellcheck disable=SC1091 . /tmp/config # If CONFIG_AUTOMATIC_POWERON is set, always set the EC BRAM setting during diff --git a/boards/librem_mini/librem_mini.config b/boards/librem_mini/librem_mini.config index 3ca17433d..651cd64dc 100644 --- a/boards/librem_mini/librem_mini.config +++ b/boards/librem_mini/librem_mini.config @@ -37,7 +37,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n export CONFIG_TPM2_CAPTURE_PCAP=n #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=y -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="" diff --git a/boards/librem_mini_v2/initrd/bin/board-init.sh b/boards/librem_mini_v2/initrd/bin/board-init.sh index 4299016c7..4a835c0a6 100755 --- a/boards/librem_mini_v2/initrd/bin/board-init.sh +++ b/boards/librem_mini_v2/initrd/bin/board-init.sh @@ -1,6 +1,7 @@ #!/bin/bash set -o pipefail +# shellcheck disable=SC1091 . /tmp/config # If CONFIG_AUTOMATIC_POWERON is set, always set the EC BRAM setting during diff --git a/boards/librem_mini_v2/librem_mini_v2.config b/boards/librem_mini_v2/librem_mini_v2.config index dba61447f..b7a67f9a4 100644 --- a/boards/librem_mini_v2/librem_mini_v2.config 
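Review bot: The added `# shellcheck disable=SC1091` ahead of `. /tmp/config` silences the "cannot follow sourced file" warning without recording why, in both `board-init.sh` hunks (librem_mini and librem_mini_v2). Since the script executes whatever `/tmp/config` contains and the linter will not look into it, a short reason on the line above would help the next reader, for example `# /tmp/config is presumably generated at boot and does not exist at lint time`. If that is the case, `# shellcheck source=/dev/null` states the same intent more narrowly than a blanket disable. The body of `board-init.sh` continues beyond these hunks, so how the sourced values are used is not visible here.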
+++ b/boards/librem_mini_v2/librem_mini_v2.config @@ -37,7 +37,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n export CONFIG_TPM2_CAPTURE_PCAP=n #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=y -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="" diff --git a/boards/msi_z790p_ddr5/msi_z790p_ddr5.config b/boards/msi_z790p_ddr5/msi_z790p_ddr5.config index 0b2e9671c..83123e875 100644 --- a/boards/msi_z790p_ddr5/msi_z790p_ddr5.config +++ b/boards/msi_z790p_ddr5/msi_z790p_ddr5.config @@ -32,7 +32,7 @@ CONFIG_LINUX_IGC=y export CONFIG_REQUIRE_USB_KEYBOARD=n -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_KERNEL_ADD="" export CONFIG_BOOT_KERNEL_REMOVE="" diff --git a/boards/novacustom-nv4x_adl/novacustom-nv4x_adl.config b/boards/novacustom-nv4x_adl/novacustom-nv4x_adl.config index 8fb8f0194..bb360610b 100644 --- a/boards/novacustom-nv4x_adl/novacustom-nv4x_adl.config +++ b/boards/novacustom-nv4x_adl/novacustom-nv4x_adl.config @@ -71,7 +71,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n export CONFIG_TPM2_CAPTURE_PCAP=n #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=y -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="" diff --git a/boards/novacustom-v540tu/novacustom-v540tu.config b/boards/novacustom-v540tu/novacustom-v540tu.config index 7076b2c66..0ff9cc83b 100644 --- a/boards/novacustom-v540tu/novacustom-v540tu.config +++ b/boards/novacustom-v540tu/novacustom-v540tu.config 
@@ -80,7 +80,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n export CONFIG_TPM2_CAPTURE_PCAP=n #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=y -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="" diff --git a/boards/novacustom-v560tu/novacustom-v560tu.config b/boards/novacustom-v560tu/novacustom-v560tu.config index 2451b1bda..c94aaa40b 100644 --- a/boards/novacustom-v560tu/novacustom-v560tu.config +++ b/boards/novacustom-v560tu/novacustom-v560tu.config @@ -80,7 +80,7 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n export CONFIG_TPM2_CAPTURE_PCAP=n #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=y -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="" diff --git a/boards/qemu-coreboot-fbwhiptail-tpm1-hotp-prod/qemu-coreboot-fbwhiptail-tpm1-hotp-prod.config b/boards/qemu-coreboot-fbwhiptail-tpm1-hotp-prod/qemu-coreboot-fbwhiptail-tpm1-hotp-prod.config index 01873d98e..71f64d86f 100644 --- a/boards/qemu-coreboot-fbwhiptail-tpm1-hotp-prod/qemu-coreboot-fbwhiptail-tpm1-hotp-prod.config +++ b/boards/qemu-coreboot-fbwhiptail-tpm1-hotp-prod/qemu-coreboot-fbwhiptail-tpm1-hotp-prod.config @@ -83,9 +83,9 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n export CONFIG_TPM2_CAPTURE_PCAP=n #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=n -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" #text-based original init: -#export CONFIG_BOOTSCRIPT=/bin/generic-init +#export CONFIG_BOOTSCRIPT="/bin/generic-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" 
diff --git a/boards/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet.config b/boards/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet.config index 28e96d0d3..5dbff8207 100644 --- a/boards/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet.config +++ b/boards/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet.config @@ -83,9 +83,9 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n export CONFIG_TPM2_CAPTURE_PCAP=n #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=y -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" #text-based original init: -#export CONFIG_BOOTSCRIPT=/bin/generic-init +#export CONFIG_BOOTSCRIPT="/bin/generic-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" diff --git a/boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.config b/boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.config index 29e360895..59f9a02bf 100644 --- a/boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.config +++ b/boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.config @@ -83,9 +83,9 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y #export CONFIG_TPM2_CAPTURE_PCAP=n #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=n -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" #text-based original init: -#export CONFIG_BOOTSCRIPT=/bin/generic-init +#export CONFIG_BOOTSCRIPT="/bin/generic-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" 
diff --git a/boards/qemu-coreboot-fbwhiptail-tpm1-prod/qemu-coreboot-fbwhiptail-tpm1-prod.config b/boards/qemu-coreboot-fbwhiptail-tpm1-prod/qemu-coreboot-fbwhiptail-tpm1-prod.config index 99748401f..38a6b940c 100644 --- a/boards/qemu-coreboot-fbwhiptail-tpm1-prod/qemu-coreboot-fbwhiptail-tpm1-prod.config +++ b/boards/qemu-coreboot-fbwhiptail-tpm1-prod/qemu-coreboot-fbwhiptail-tpm1-prod.config @@ -81,9 +81,9 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n export CONFIG_TPM2_CAPTURE_PCAP=n #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=n -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" #text-based original init: -#export CONFIG_BOOTSCRIPT=/bin/generic-init +#export CONFIG_BOOTSCRIPT="/bin/generic-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" diff --git a/boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config b/boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config index a74402033..16de7708c 100644 --- a/boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config +++ b/boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config @@ -81,9 +81,9 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y #export CONFIG_TPM2_CAPTURE_PCAP=n #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=n -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" #text-based original init: -#export CONFIG_BOOTSCRIPT=/bin/generic-init +#export CONFIG_BOOTSCRIPT="/bin/generic-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" 
diff --git a/boards/qemu-coreboot-fbwhiptail-tpm2-hotp-prod/qemu-coreboot-fbwhiptail-tpm2-hotp-prod.config b/boards/qemu-coreboot-fbwhiptail-tpm2-hotp-prod/qemu-coreboot-fbwhiptail-tpm2-hotp-prod.config index 2880edef0..96311fa48 100644 --- a/boards/qemu-coreboot-fbwhiptail-tpm2-hotp-prod/qemu-coreboot-fbwhiptail-tpm2-hotp-prod.config +++ b/boards/qemu-coreboot-fbwhiptail-tpm2-hotp-prod/qemu-coreboot-fbwhiptail-tpm2-hotp-prod.config @@ -82,9 +82,9 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n export CONFIG_TPM2_CAPTURE_PCAP=n #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=n -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" #text-based original init: -#export CONFIG_BOOTSCRIPT=/bin/generic-init +#export CONFIG_BOOTSCRIPT="/bin/generic-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" diff --git a/boards/qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet/qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet.config b/boards/qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet/qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet.config index 08026e5dd..b1f3a9ee9 100644 --- a/boards/qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet/qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet.config +++ b/boards/qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet/qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet.config @@ -82,9 +82,9 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n export CONFIG_TPM2_CAPTURE_PCAP=n #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=y -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" #text-based original init: -#export CONFIG_BOOTSCRIPT=/bin/generic-init +#export CONFIG_BOOTSCRIPT="/bin/generic-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" 
diff --git a/boards/qemu-coreboot-fbwhiptail-tpm2-hotp/qemu-coreboot-fbwhiptail-tpm2-hotp.config b/boards/qemu-coreboot-fbwhiptail-tpm2-hotp/qemu-coreboot-fbwhiptail-tpm2-hotp.config index f53968267..eb3edaa7c 100644 --- a/boards/qemu-coreboot-fbwhiptail-tpm2-hotp/qemu-coreboot-fbwhiptail-tpm2-hotp.config +++ b/boards/qemu-coreboot-fbwhiptail-tpm2-hotp/qemu-coreboot-fbwhiptail-tpm2-hotp.config @@ -83,9 +83,9 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y export CONFIG_TPM2_CAPTURE_PCAP=y #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=n -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" #text-based original init: -#export CONFIG_BOOTSCRIPT=/bin/generic-init +#export CONFIG_BOOTSCRIPT="/bin/generic-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" diff --git a/boards/qemu-coreboot-fbwhiptail-tpm2-prod/qemu-coreboot-fbwhiptail-tpm2-prod.config b/boards/qemu-coreboot-fbwhiptail-tpm2-prod/qemu-coreboot-fbwhiptail-tpm2-prod.config index 225816b94..ca6a38714 100644 --- a/boards/qemu-coreboot-fbwhiptail-tpm2-prod/qemu-coreboot-fbwhiptail-tpm2-prod.config +++ b/boards/qemu-coreboot-fbwhiptail-tpm2-prod/qemu-coreboot-fbwhiptail-tpm2-prod.config @@ -81,9 +81,9 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n export CONFIG_TPM2_CAPTURE_PCAP=n #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=n -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" #text-based original init: -#export CONFIG_BOOTSCRIPT=/bin/generic-init +#export CONFIG_BOOTSCRIPT="/bin/generic-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" 
diff --git a/boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.config b/boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.config index c4839b6b1..40c4dbc75 100644 --- a/boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.config +++ b/boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.config @@ -82,9 +82,9 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y export CONFIG_TPM2_CAPTURE_PCAP=y #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=n -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" #text-based original init: -#export CONFIG_BOOTSCRIPT=/bin/generic-init +#export CONFIG_BOOTSCRIPT="/bin/generic-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" diff --git a/boards/qemu-coreboot-whiptail-tpm1-hotp-prod/qemu-coreboot-whiptail-tpm1-hotp-prod.config b/boards/qemu-coreboot-whiptail-tpm1-hotp-prod/qemu-coreboot-whiptail-tpm1-hotp-prod.config index fe1723d42..1d67f3acd 100644 --- a/boards/qemu-coreboot-whiptail-tpm1-hotp-prod/qemu-coreboot-whiptail-tpm1-hotp-prod.config +++ b/boards/qemu-coreboot-whiptail-tpm1-hotp-prod/qemu-coreboot-whiptail-tpm1-hotp-prod.config @@ -83,9 +83,9 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n export CONFIG_TPM2_CAPTURE_PCAP=n #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=n -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" #text-based original init: -#export CONFIG_BOOTSCRIPT=/bin/generic-init +#export CONFIG_BOOTSCRIPT="/bin/generic-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" 
diff --git a/boards/qemu-coreboot-whiptail-tpm1-hotp/qemu-coreboot-whiptail-tpm1-hotp.config b/boards/qemu-coreboot-whiptail-tpm1-hotp/qemu-coreboot-whiptail-tpm1-hotp.config index f0282194e..7a0ced33f 100644 --- a/boards/qemu-coreboot-whiptail-tpm1-hotp/qemu-coreboot-whiptail-tpm1-hotp.config +++ b/boards/qemu-coreboot-whiptail-tpm1-hotp/qemu-coreboot-whiptail-tpm1-hotp.config @@ -83,9 +83,9 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y #export CONFIG_TPM2_CAPTURE_PCAP=n #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=n -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" #text-based original init: -#export CONFIG_BOOTSCRIPT=/bin/generic-init +#export CONFIG_BOOTSCRIPT="/bin/generic-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" diff --git a/boards/qemu-coreboot-whiptail-tpm1-prod/qemu-coreboot-whiptail-tpm1-prod.config b/boards/qemu-coreboot-whiptail-tpm1-prod/qemu-coreboot-whiptail-tpm1-prod.config index 8e9684eaa..a61a2433d 100644 --- a/boards/qemu-coreboot-whiptail-tpm1-prod/qemu-coreboot-whiptail-tpm1-prod.config +++ b/boards/qemu-coreboot-whiptail-tpm1-prod/qemu-coreboot-whiptail-tpm1-prod.config @@ -81,9 +81,9 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n export CONFIG_TPM2_CAPTURE_PCAP=n #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=n -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" #text-based original init: -#export CONFIG_BOOTSCRIPT=/bin/generic-init +#export CONFIG_BOOTSCRIPT="/bin/generic-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" diff --git a/boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config b/boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config index edf85f21c..02835911f 100644 
--- a/boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config +++ b/boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config @@ -81,9 +81,9 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y #export CONFIG_TPM2_CAPTURE_PCAP=n #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=n -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" #text-based original init: -#export CONFIG_BOOTSCRIPT=/bin/generic-init +#export CONFIG_BOOTSCRIPT="/bin/generic-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" diff --git a/boards/qemu-coreboot-whiptail-tpm2-hotp-prod/qemu-coreboot-whiptail-tpm2-hotp-prod.config b/boards/qemu-coreboot-whiptail-tpm2-hotp-prod/qemu-coreboot-whiptail-tpm2-hotp-prod.config index 48ee05d86..9b176bc0a 100644 --- a/boards/qemu-coreboot-whiptail-tpm2-hotp-prod/qemu-coreboot-whiptail-tpm2-hotp-prod.config +++ b/boards/qemu-coreboot-whiptail-tpm2-hotp-prod/qemu-coreboot-whiptail-tpm2-hotp-prod.config @@ -82,9 +82,9 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n export CONFIG_TPM2_CAPTURE_PCAP=n #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=n -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" #text-based original init: -#export CONFIG_BOOTSCRIPT=/bin/generic-init +#export CONFIG_BOOTSCRIPT="/bin/generic-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" diff --git a/boards/qemu-coreboot-whiptail-tpm2-hotp/qemu-coreboot-whiptail-tpm2-hotp.config b/boards/qemu-coreboot-whiptail-tpm2-hotp/qemu-coreboot-whiptail-tpm2-hotp.config index 465b9decc..5a7f71d9c 100644 --- a/boards/qemu-coreboot-whiptail-tpm2-hotp/qemu-coreboot-whiptail-tpm2-hotp.config +++ b/boards/qemu-coreboot-whiptail-tpm2-hotp/qemu-coreboot-whiptail-tpm2-hotp.config 
@@ -83,9 +83,9 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y export CONFIG_TPM2_CAPTURE_PCAP=y #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=n -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" #text-based original init: -#export CONFIG_BOOTSCRIPT=/bin/generic-init +#export CONFIG_BOOTSCRIPT="/bin/generic-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" diff --git a/boards/qemu-coreboot-whiptail-tpm2-prod/qemu-coreboot-whiptail-tpm2-prod.config b/boards/qemu-coreboot-whiptail-tpm2-prod/qemu-coreboot-whiptail-tpm2-prod.config index 1ab354e45..a9ca5b6d4 100644 --- a/boards/qemu-coreboot-whiptail-tpm2-prod/qemu-coreboot-whiptail-tpm2-prod.config +++ b/boards/qemu-coreboot-whiptail-tpm2-prod/qemu-coreboot-whiptail-tpm2-prod.config @@ -81,9 +81,9 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n export CONFIG_TPM2_CAPTURE_PCAP=n #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=n -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" #text-based original init: -#export CONFIG_BOOTSCRIPT=/bin/generic-init +#export CONFIG_BOOTSCRIPT="/bin/generic-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" diff --git a/boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config b/boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config index 37be676db..e66cb5932 100644 --- a/boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config +++ b/boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config 
@@ -82,9 +82,9 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y export CONFIG_TPM2_CAPTURE_PCAP=y #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=n -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" #text-based original init: -#export CONFIG_BOOTSCRIPT=/bin/generic-init +#export CONFIG_BOOTSCRIPT="/bin/generic-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" diff --git a/initrd/.bash_history b/initrd/.bash_history index 44fd60529..67c09379e 100644 --- a/initrd/.bash_history +++ b/initrd/.bash_history @@ -5,7 +5,7 @@ find /boot/kexec*.txt | gpg --verify /boot/kexec.sig - #remove invalid kexec_* signed files mount /dev/sda1 /boot && mount -o remount,rw /boot && rm /boot/kexec* && mount -o remount,ro /boot #Generate keys on OpenPGP smartcard: -mount-usb --mode rw && gpg --home=/.gnupg/ --card-edit +mount-usb.sh --mode rw && gpg --home=/.gnupg/ --card-edit #Copy generated public key, private_subkey, trustdb and artifacts to external media for backup: mkdir -p /media/gpg_keys; gpg --export-secret-keys --armor email@address.com > /media/gpg_keys/private.key && gpg --export --armor email@address.com > /media/gpg_keys/public.key && gpg --export-ownertrust > /media/gpg_keys/otrust.txt && cp -r ./.gnupg/* /media/gpg_keys/ 2> /dev/null #Insert public key and trustdb export into reproducible rom: @@ -20,5 +20,5 @@ seal-totp cbmem --console | grep '^ME' cbmem --console | less # Reboot/power off (important for devices with no keyboard to escape recovery shell) -reboot # Press Enter with this command to reboot -poweroff # Press Enter with this command to power off +reboot.sh # Press Enter with this command to reboot +poweroff.sh # Press Enter with this command to power off diff --git a/initrd/bin/basic-autoboot.sh b/initrd/bin/basic-autoboot.sh index d924affd6..62efd35e5 100755 --- a/initrd/bin/basic-autoboot.sh 
+++ b/initrd/bin/basic-autoboot.sh @@ -1,11 +1,12 @@ #!/bin/bash set -o pipefail -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh BOOT_MENU_OPTIONS=/tmp/basic-autoboot-options scan_boot_options /boot "grub.cfg" "$BOOT_MENU_OPTIONS" if [ -s "$BOOT_MENU_OPTIONS" ]; then - kexec-boot -b /boot -e "$(head -1 "$BOOT_MENU_OPTIONS")" + kexec-boot.sh -b /boot -e "$(head -1 "$BOOT_MENU_OPTIONS")" fi diff --git a/initrd/bin/cbfs-init b/initrd/bin/cbfs-init.sh similarity index 70% rename from initrd/bin/cbfs-init rename to initrd/bin/cbfs-init.sh index c4c310c08..6acf98030 100755 --- a/initrd/bin/cbfs-init +++ b/initrd/bin/cbfs-init.sh @@ -1,6 +1,7 @@ #!/bin/bash set -e -o pipefail -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh # CBFS extraction and measurement # This extraction and measurement cannot be suppressed by quiet mode, since @@ -16,6 +17,8 @@ if [ -z "$CONFIG_PCR" ]; then CONFIG_PCR=7 fi +DEBUG "CONFIG_CBFS_VIA_FLASHPROG='$CONFIG_CBFS_VIA_FLASHPROG'" + if [ "$CONFIG_CBFS_VIA_FLASHPROG" = "y" ]; then # Use flashrom directly, because we don't have /tmp/config with params for flash.sh yet /bin/flashprog -p internal --fmap -i COREBOOT -i FMAP -r /tmp/cbfs-init.rom \ 
@@ -23,25 +26,31 @@ if [ "$CONFIG_CBFS_VIA_FLASHPROG" = "y" ]; then || echo "Failed reading Heads configuration from flash! Some features may not be available." fi +DEBUG "CBFS_ARG='$CBFS_ARG'" + # Load individual files -cbfsfiles=`cbfs -t 50 -l $CBFS_ARG 2>/dev/null | grep "^heads/initrd/"` +# shellcheck disable=SC2086 +cbfsfiles=$(cbfs -t 50 $CBFS_ARG -l 2>/dev/null | grep "^heads/initrd/") +DEBUG "cbfsfiles='$cbfsfiles'" -for cbfsname in `echo $cbfsfiles`; do +for cbfsname in $cbfsfiles; do filename=${cbfsname:12} - if [ ! -z "$filename" ]; then - mkdir -p `dirname $filename` \ + if [ -n "$filename" ]; then + mkdir -p "$(dirname "$filename")" \ || die "$filename: mkdir failed" INFO "Extracting CBFS file $cbfsname into $filename" - cbfs -t 50 $CBFS_ARG -r $cbfsname > "$filename" \ + # shellcheck disable=SC2086 + cbfs -t 50 $CBFS_ARG -r "$cbfsname" > "$filename" \ || die "$filename: cbfs file read failed" + DEBUG "Extracted $cbfsname to $filename" if [ "$CONFIG_TPM" = "y" ]; then TRACE_FUNC INFO "TPM: Extending PCR[$CONFIG_PCR] with filename $filename and then its content" # Measure both the filename and its content. This # ensures that renaming files or pivoting file content # will still affect the resulting PCR measurement. - tpmr extend -ix "$CONFIG_PCR" -ic "$filename" - tpmr extend -ix "$CONFIG_PCR" -if "$filename" \ + tpmr.sh extend -ix "$CONFIG_PCR" -ic "$filename" + tpmr.sh extend -ix "$CONFIG_PCR" -if "$filename" \ || die "$filename: tpm extend failed" fi fi diff --git a/initrd/bin/cbfs.sh b/initrd/bin/cbfs.sh index a6230cb3f..9fc8eae5a 100755 --- a/initrd/bin/cbfs.sh +++ b/initrd/bin/cbfs.sh @@ -1,6 +1,9 @@ #!/bin/bash set -e -o pipefail -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh +# /tmp/config is generated at runtime and cannot be followed by shellcheck +# shellcheck disable=SC1091 . /tmp/config TRACE_FUNC diff --git a/initrd/bin/change-time.sh b/initrd/bin/change-time.sh index b5d2a4ffe..a99b3b009 100755 
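Review bot: In the cbfs-init.sh extraction loop, the filename measurement `tpmr.sh extend -ix "$CONFIG_PCR" -ic "$filename"` has no failure handler, while the content measurement right after it ends in `|| die "$filename: tpm extend failed"`. The script runs under `set -e`, so a failed first extend still stops it, but without the message naming the file that was not measured. Give both calls the same handler: `tpmr.sh extend -ix "$CONFIG_PCR" -ic "$filename" || die "$filename: tpm extend failed"`. This hunk also moves `-l` after `$CBFS_ARG` in the listing call, an argument reorder inside an otherwise mechanical cleanup that is worth confirming against the cbfs option parser. The `for` loop closes outside the hunk.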
--- a/initrd/bin/change-time.sh +++ b/initrd/bin/change-time.sh @@ -70,4 +70,4 @@ echo echo "Press Enter to return to the menu" echo -read -r nothing +read -r diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh index b741bf71d..c11b9a0cf 100755 --- a/initrd/bin/config-gui.sh +++ b/initrd/bin/config-gui.sh @@ -1,8 +1,12 @@ #!/bin/bash # set -e -o pipefail -. /etc/functions -. /etc/gui_functions + +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh +# shellcheck source=initrd/etc/gui_functions.sh +. /etc/gui_functions.sh +# shellcheck disable=SC1091 . /tmp/config TRACE_FUNC @@ -22,12 +26,13 @@ read_rom() { } while true; do - if [ ! -z "$param" ]; then + if [ -n "$param" ]; then # use first char from parameter menu_choice=${param::1} unset param else # Re-source config because we change it when an option is toggled + # shellcheck disable=SC1091 . /tmp/config dynamic_config_options=( @@ -100,6 +105,7 @@ while true; do ) unset menu_choice + # shellcheck disable=SC2086 whiptail_type $BG_COLOR_MAIN_MENU --title "Config Management Menu" \ --menu "This menu lets you change settings for the current BIOS session.\n\nAll changes will revert after a reboot,\n\nunless you also save them to the running BIOS." 0 80 10 \ "${dynamic_config_options[@]}" \ @@ -113,6 +119,7 @@ while true; do unset CONFIG_FINALIZE_PLATFORM_LOCKING replace_config /etc/config.user "CONFIG_FINALIZE_PLATFORM_LOCKING" "n" combine_configs + # shellcheck disable=SC1091 . /tmp/config ;; "x") 
@@ -126,16 +133,16 @@ while true; do exit 1 fi # filter out extraneous options - >/tmp/boot_device_list.txt - for i in $(cat /tmp/disklist.txt); do + : >/tmp/boot_device_list.txt + while read -r i; do # remove block device from list if numeric partitions exist, since not bootable - DEV_NUM_PARTITIONS=$(($(ls -1 $i* | wc -l) - 1)) + DEV_NUM_PARTITIONS=$(($(find "$i"* | wc -l) - 1)) if [ ${DEV_NUM_PARTITIONS} -eq 0 ]; then - echo $i >>/tmp/boot_device_list.txt + echo "$i" >>/tmp/boot_device_list.txt else - ls $i* | tail -${DEV_NUM_PARTITIONS} >>/tmp/boot_device_list.txt + find "$i"* | tail -${DEV_NUM_PARTITIONS} >>/tmp/boot_device_list.txt fi - done + done < /tmp/disklist.txt file_selector "/tmp/boot_device_list.txt" \ "Choose the default /boot device.\n\n${CURRENT_OPTION:+\n\nCurrently set to }$CURRENT_OPTION." \ "Boot Device Selection" @@ -150,7 +157,7 @@ while true; do umount /boot 2>/dev/null fi # mount newly selected /boot device - if ! mount -o ro $SELECTED_FILE /boot 2>/tmp/error; then + if ! mount -o ro "$SELECTED_FILE" /boot 2>/tmp/error; then ERROR=$(cat /tmp/error) whiptail_error --title 'ERROR: unable to mount /boot' \ --msgbox " $ERROR\n\n" 0 80 @@ -173,7 +180,7 @@ while true; do /bin/flash.sh /tmp/config-gui.rom whiptail --title 'BIOS Updated Successfully' \ --msgbox "BIOS updated successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 0 80 - /bin/reboot + reboot.sh else exit 0 fi 
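Review bot: In the `@@ -173,7 +180,7 @@` hunk of config-gui.sh the reboot call changes from the absolute `/bin/reboot` to a bare `reboot.sh`, so it now depends on `PATH`, while the `/bin/flash.sh` call a few lines above keeps its absolute path. This script has `set -e` commented out, so if the lookup fails it would presumably fall back into the menu loop right after telling the user the BIOS was updated and the machine will reboot. Assuming the renamed script is installed alongside the others, `/bin/reboot.sh` keeps the previous behaviour. The same substitution appears in the later config-gui.sh hunks and in flash-gui.sh and gpg-gui.sh. The enclosing `case` arm starts outside this hunk.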
@@ -197,18 +204,18 @@ while true; do # clear GPG keys and user settings for i in $(cbfs.sh -o /tmp/config-gui.rom -l | grep -e "heads/"); do - cbfs.sh -o /tmp/config-gui.rom -d $i + cbfs.sh -o /tmp/config-gui.rom -d "$i" done # flash cleared ROM /bin/flash.sh -c /tmp/config-gui.rom # reset TPM if present if [ "$CONFIG_TPM" = "y" ]; then - /bin/tpm-reset + /bin/tpm-reset.sh fi whiptail --title 'Configuration Reset Updated Successfully' \ --msgbox "Configuration reset and BIOS updated successfully.\n\nPress Enter to reboot" 0 80 - /bin/reboot + reboot.sh else exit 0 fi @@ -216,17 +223,19 @@ while true; do "R") CURRENT_OPTION="$(load_config_value CONFIG_ROOT_DEV)" fdisk -l 2>/dev/null | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" >/tmp/disklist.txt + INFO "DEBUG disklist: $(cat /tmp/disklist.txt)" # filter out extraneous options - >/tmp/root_device_list.txt - for i in $(cat /tmp/disklist.txt); do + true > /tmp/root_device_list.txt + while read -r i; do # remove block device from list if numeric partitions exist, since not bootable - DEV_NUM_PARTITIONS=$(($(ls -1 $i* | wc -l) - 1)) + DEV_NUM_PARTITIONS=$(($(find "$i"* | wc -l) - 1)) if [ ${DEV_NUM_PARTITIONS} -eq 0 ]; then - echo $i >>/tmp/root_device_list.txt + echo "$i" >>/tmp/root_device_list.txt else - ls $i* | tail -${DEV_NUM_PARTITIONS} >>/tmp/root_device_list.txt + find "$i"* | tail -${DEV_NUM_PARTITIONS} >>/tmp/root_device_list.txt fi - done + done < /tmp/disklist.txt + INFO "DEBUG root_device_list: $(cat /tmp/root_device_list.txt)" file_selector "/tmp/root_device_list.txt" \ "Choose the default root device.${CURRENT_OPTION:+\n\nCurrently set to }$CURRENT_OPTION." \ "Root Device Selection" 
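Review bot: The two trace lines added in the root-device hunk (`@@ -216,17 +223,19 @@`) go through `INFO` with a literal "DEBUG" prefix, e.g. `INFO "DEBUG disklist: $(cat /tmp/disklist.txt)"`, whereas cbfs-init.sh in this same commit uses the `DEBUG` helper for this kind of output. Written as `INFO` they presumably follow the informational output level rather than the debug one, which is unlikely to be intended for a dump of the disk list. Use `DEBUG "disklist: $(cat /tmp/disklist.txt)"` and `DEBUG "root_device_list: $(cat /tmp/root_device_list.txt)"`. The truncation is also spelled `true > /tmp/root_device_list.txt` here but `: >/tmp/boot_device_list.txt` in the boot-device hunk, so pick one form.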
@@ -256,7 +265,7 @@ while true; do read -r NEW_CONFIG_ROOT_DIRLIST # strip any leading forward slashes - NEW_CONFIG_ROOT_DIRLIST=$(echo $NEW_CONFIG_ROOT_DIRLIST | sed -e 's/^\///;s/ \// /g') + NEW_CONFIG_ROOT_DIRLIST=$(echo "$NEW_CONFIG_ROOT_DIRLIST" | sed -e 's/^\///;s/ \// /g') #check if list empty if [ -z "$NEW_CONFIG_ROOT_DIRLIST" ]; then @@ -392,7 +401,7 @@ while true; do /bin/flash.sh /tmp/config-gui.rom whiptail --title 'BIOS Updated Successfully' \ --msgbox "BIOS updated successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 0 80 - /bin/reboot + reboot.sh fi fi ;; @@ -618,7 +627,7 @@ while true; do echo "You can now test your keyboard layout in this shell." echo "Press Enter when done testing to continue..." echo "------------------------------------------------------------" - read -p $'\nTest your keymap now. Press Enter to continue:\n' dummy + read -r -p $'\nTest your keymap now. Press Enter to continue:\n' _ if whiptail --title "Keep this keymap?" \ --yesno "Do you want to use this keymap?\n\n$SELECTED_KEYMAP" 0 70; then set_user_config "CONFIG_KEYBOARD_KEYMAP" "$SELECTED_KEYMAP" @@ -632,6 +641,7 @@ while true; do ;; "Z") unset output_choice + # shellcheck disable=SC2086 whiptail_type $BG_COLOR_MAIN_MENU --title "Informational / Debug Output" \ --menu "$CONFIG_BRAND_NAME can display informational or debug output.\n\nChoose the output level:" 0 80 10 \ 0 'None - Show no extra output' \ diff --git a/initrd/bin/flash-gui.sh b/initrd/bin/flash-gui.sh index 03deeec9f..2d13a47cf 100755 --- a/initrd/bin/flash-gui.sh +++ b/initrd/bin/flash-gui.sh @@ -1,8 +1,11 @@ #!/bin/bash # set -e -o pipefail -. /etc/functions -. /etc/gui_functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh +# shellcheck source=initrd/etc/gui_functions.sh +. /etc/gui_functions.sh +# shellcheck disable=SC1091 . /tmp/config TRACE_FUNC 
@@ -42,6 +45,7 @@ single_glob() { while true; do unset menu_choice + # shellcheck disable=SC2086 whiptail_type $BG_COLOR_MAIN_MENU --title "Firmware Management Menu" \ --menu "Select the firmware function to perform\n\nRetaining settings copies existing settings to the new firmware:\n* Keeps your GPG keyring\n* Keeps changes to the default /boot device\n\nErasing settings uses the new firmware as-is:\n* Erases any existing GPG keyring\n* Restores firmware to default factory settings\n* Clears out /boot signatures\n\nIf you are just updating your firmware, you probably want to retain\nyour settings." 0 80 10 \ 'f' ' Flash the firmware with a new ROM, retain settings' \ @@ -162,7 +166,7 @@ while true; do whiptail --title 'ROM Flashed Successfully' \ --msgbox "$PKG_FILE_DISPLAY\n\nhas been flashed successfully.\n\nPress Enter to reboot\n" 0 80 umount /media - /bin/reboot + reboot.sh fi fi ;; diff --git a/initrd/bin/flash.sh b/initrd/bin/flash.sh index c5389a11a..959e9fcb8 100755 --- a/initrd/bin/flash.sh +++ b/initrd/bin/flash.sh @@ -3,7 +3,9 @@ # NOTE: This script is used on legacy-flash boards and runs with busybox ash, # not bash set -e -o pipefail -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh +# shellcheck disable=SC1091 . /tmp/config echo 
@@ -26,17 +28,17 @@ flash_rom() { $CONFIG_FLASH_OPTIONS -r "${ROM}" \ || recovery "Backup to $ROM failed" else - cp "$ROM" /tmp/${CONFIG_BOARD}.rom - sha256sum /tmp/${CONFIG_BOARD}.rom + cp "$ROM" /tmp/"${CONFIG_BOARD}".rom + sha256sum /tmp/"${CONFIG_BOARD}".rom if [ "$CLEAN" -eq 0 ]; then - preserve_rom /tmp/${CONFIG_BOARD}.rom \ + preserve_rom /tmp/"${CONFIG_BOARD}".rom \ || recovery "$ROM: Config preservation failed" fi # persist serial number from CBFS if cbfs.sh -r serial_number > /tmp/serial 2>/dev/null; then echo "Persisting system serial" - cbfs.sh -o /tmp/${CONFIG_BOARD}.rom -d serial_number 2>/dev/null || true - cbfs.sh -o /tmp/${CONFIG_BOARD}.rom -a serial_number -f /tmp/serial + cbfs.sh -o /tmp/"${CONFIG_BOARD}".rom -d serial_number 2>/dev/null || true + cbfs.sh -o /tmp/"${CONFIG_BOARD}".rom -a serial_number -f /tmp/serial fi # persist PCHSTRP9 from flash descriptor if [ "$CONFIG_BOARD" = "librem_l1um" ]; then @@ -44,11 +46,11 @@ flash_rom() { $CONFIG_FLASH_OPTIONS -r /tmp/ifd.bin --ifd -i fd >/dev/null 2>&1 \ || die "Failed to read flash descriptor" dd if=/tmp/ifd.bin bs=1 count=4 skip=292 of=/tmp/pchstrp9.bin >/dev/null 2>&1 - dd if=/tmp/pchstrp9.bin bs=1 count=4 seek=292 of=/tmp/${CONFIG_BOARD}.rom conv=notrunc >/dev/null 2>&1 + dd if=/tmp/pchstrp9.bin bs=1 count=4 seek=292 of=/tmp/"${CONFIG_BOARD}".rom conv=notrunc >/dev/null 2>&1 fi warn "Do not power off computer. Updating firmware, this will take a few minutes" - $CONFIG_FLASH_OPTIONS -w /tmp/${CONFIG_BOARD}.rom 2>&1 \ + $CONFIG_FLASH_OPTIONS -w /tmp/"${CONFIG_BOARD}".rom 2>&1 \ || recovery "$ROM: Flash failed" fi } @@ -61,7 +63,7 @@ elif [ "$1" == "-r" ]; then CLEAN=0 READ=1 ROM="$2" - touch $ROM + touch "$ROM" else CLEAN=0 READ=0 
@@ -77,7 +79,7 @@ if [ "$READ" -eq 0 ] && [ "${ROM##*.}" = tgz ]; then rm -rf /tmp/verified_rom mkdir /tmp/verified_rom - tar -C /tmp/verified_rom -xf $ROM || die "Rom archive $ROM could not be extracted" + tar -C /tmp/verified_rom -xf "$ROM" || die "Rom archive $ROM could not be extracted" if ! (cd /tmp/verified_rom/ && sha256sum -cs sha256sum.txt); then die "Provided tgz image did not pass hash verification" fi @@ -90,9 +92,9 @@ if [ "$READ" -eq 0 ] && [ "${ROM##*.}" = tgz ]; then bootblock=$(echo /tmp/verified_rom/*.bootblock) rom=$(echo /tmp/verified_rom/*.rom) kernel=$(echo /tmp/verified_rom/*-zImage.bundled) - pnor /tmp/flash.sh.bak -aw HBB < $bootblock - pnor /tmp/flash.sh.bak -aw HBI < $rom - pnor /tmp/flash.sh.bak -aw BOOTKERNEL < $kernel + pnor /tmp/flash.sh.bak -aw HBB < "$bootblock" + pnor /tmp/flash.sh.bak -aw HBI < "$rom" + pnor /tmp/flash.sh.bak -aw BOOTKERNEL < "$kernel" rm -rf /tmp/verified_rom ROM=/tmp/flash.sh.bak @@ -101,7 +103,7 @@ if [ "$READ" -eq 0 ] && [ "${ROM##*.}" = tgz ]; then fi fi -flash_rom $ROM +flash_rom "$ROM" # don't leave temporary files lying around rm -f /tmp/flash.sh.bak diff --git a/initrd/bin/flashprog-kgpe-d16-openbmc.sh b/initrd/bin/flashprog-kgpe-d16-openbmc.sh index adf356d86..65ec53b93 100755 --- a/initrd/bin/flashprog-kgpe-d16-openbmc.sh +++ b/initrd/bin/flashprog-kgpe-d16-openbmc.sh @@ -1,5 +1,6 @@ #!/bin/bash -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh TRACE_FUNC diff --git a/initrd/bin/generic-init b/initrd/bin/generic-init.sh similarity index 78% rename from initrd/bin/generic-init rename to initrd/bin/generic-init.sh index a3b9f34e6..e9c9c5bb7 100755 --- a/initrd/bin/generic-init +++ b/initrd/bin/generic-init.sh @@ -1,7 +1,9 @@ #!/bin/bash # Boot from a local disk installation -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh +# shellcheck disable=SC1091 . /tmp/config mount_boot() 
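Review bot: The tgz path in flash.sh extracts the archive and then checks it with `sha256sum -cs sha256sum.txt`, where `sha256sum.txt` is read from the directory that was just extracted. That check detects a corrupted archive but says nothing about who produced it. The directory name `verified_rom` and the "did not pass hash verification" message read stronger than that. The quoting fix on `tar -xf "$ROM"` is fine; I would add a comment above the check such as `# sha256sum.txt comes from the archive itself: integrity check only, not authentication`, and confirm that a signature or measurement step elsewhere covers authenticity. The surrounding `if` block continues past this hunk.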
@@ -14,7 +16,6 @@ mount_boot() fi } - # Confirm we have a good TOTP unseal and ask the user for next choice while true; do echo "y) Default boot" @@ -41,6 +42,7 @@ while true; do fi if [ "$totp_confirm" = "u" ]; then + # shellcheck disable=SC2093 exec /bin/usb-init continue fi @@ -48,14 +50,14 @@ while true; do if [ "$totp_confirm" = "m" ]; then # Try to select a kernel from the menu mount_boot - DO_WITH_DEBUG kexec-select-boot -m -b /boot -c "grub.cfg" + DO_WITH_DEBUG kexec-select-boot.sh -m -b /boot -c "grub.cfg" continue fi - if [ "$totp_confirm" = "y" -o -n "$totp_confirm" ]; then + if [ "$totp_confirm" = "y" ] || [ -n "$totp_confirm" ]; then # Try to boot the default mount_boot - DO_WITH_DEBUG kexec-select-boot -b /boot -c "grub.cfg" \ + DO_WITH_DEBUG kexec-select-boot.sh -b /boot -c "grub.cfg" \ || recovery "Failed default boot" fi diff --git a/initrd/bin/gpg-gui.sh b/initrd/bin/gpg-gui.sh index 738de34ab..b31604b14 100755 --- a/initrd/bin/gpg-gui.sh +++ b/initrd/bin/gpg-gui.sh @@ -1,21 +1,25 @@ #!/bin/bash # set -e -o pipefail -. /etc/functions -. /etc/gui_functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh +# shellcheck source=initrd/etc/gui_functions.sh +. /etc/gui_functions.sh +# shellcheck disable=SC1091 . /tmp/config TRACE_FUNC +# shellcheck disable=SC2120,SC2119 gpg_flash_rom() { - - if [ "$1" = "replace" ]; then + local arg="$1" + if [ "$arg" = "replace" ]; then # clear local keyring [ -e /.gnupg/pubring.gpg ] && rm /.gnupg/pubring.gpg [ -e /.gnupg/pubring.kbx ] && rm /.gnupg/pubring.kbx [ -e /.gnupg/trustdb.gpg ] && rm /.gnupg/trustdb.gpg fi - cat "$PUBKEY" | gpg --import + gpg --import < "$PUBKEY" #update /.gnupg/trustdb.gpg to ultimately trust all user provided public keys gpg --list-keys --fingerprint --with-colons |sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --import-ownertrust gpg --update-trust 
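Review bot: The `u` branch of generic-init.sh still runs `exec /bin/usb-init`, while the other init scripts in this commit were switched to `exec /bin/usb-init.sh`. The added `# shellcheck disable=SC2093` only silences the warning about the `continue` after it. The rename of usb-init itself is not in view, but if it was renamed like its callers suggest, this exec fails and a non-interactive bash exits at that point rather than returning to the prompt. The line should probably read `exec /bin/usb-init.sh`. The `while true` loop continues outside this hunk.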
@@ -69,23 +73,22 @@ gpg_flash_rom() { --msgbox "Failed to update checksums / sign default config" 0 80 fi else - /bin/reboot + reboot.sh fi whiptail --title 'Files in /boot Updated Successfully'\ --msgbox "Checksums have been updated and /boot files signed.\n\nPress Enter to reboot" 0 80 - /bin/reboot + reboot.sh } gpg_post_gen_mgmt() { - GPG_GEN_KEY=`grep -A1 pub /tmp/gpg_card_edit_output | tail -n1 | sed -nr 's/^([ ])*//p'` - gpg --export --armor $GPG_GEN_KEY > "/tmp/${GPG_GEN_KEY}.asc" + GPG_GEN_KEY=$(grep -A1 pub /tmp/gpg_card_edit_output | tail -n1 | sed -nr 's/^([ ])*//p') + gpg --export --armor "$GPG_GEN_KEY" > "/tmp/${GPG_GEN_KEY}.asc" if (whiptail --title 'Add Public Key to USB disk?' \ --yesno "Would you like to copy the GPG public key you generated to a USB disk?\n\nYou may need it, if you want to use it outside of Heads later.\n\nThe file will show up as ${GPG_GEN_KEY}.asc" 0 80) then mount_usb mount -o remount,rw /media - cp "/tmp/${GPG_GEN_KEY}.asc" "/media/${GPG_GEN_KEY}.asc" - if [ $? -eq 0 ]; then + if cp "/tmp/${GPG_GEN_KEY}.asc" "/media/${GPG_GEN_KEY}.asc"; then whiptail --title "The GPG Key Copied Successfully" \ --msgbox "${GPG_GEN_KEY}.asc copied successfully." 0 80 else @@ -103,6 +106,7 @@ gpg_post_gen_mgmt() { exit 1 fi PUBKEY="/tmp/${GPG_GEN_KEY}.asc" + # shellcheck disable=SC2119 gpg_flash_rom fi } @@ -131,6 +135,7 @@ gpg_add_key_reflash() { if (whiptail --title 'Update ROM?' \ --yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 0 80) then + # shellcheck disable=SC2119 gpg_flash_rom else exit 0 @@ -141,6 +146,7 @@ gpg_add_key_reflash() { while true; do unset menu_choice + # shellcheck disable=SC2086 whiptail_type $BG_COLOR_MAIN_MENU --title "GPG Management Menu" \ --menu 'Select the GPG function to perform' 0 80 10 \ 'r' ' Add GPG key to running BIOS and reflash' \ 
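Review bot: gpg_post_gen_mgmt uses `GPG_GEN_KEY` straight from the grep/tail/sed pipeline without checking that anything was parsed. Now that the argument is quoted, an empty value reaches `gpg --export --armor` as an explicit empty key id and the output lands in `/tmp/.asc`, which a later hunk assigns to PUBKEY and hands to gpg_flash_rom. I would add `[ -n "$GPG_GEN_KEY" ] || die "Could not determine generated GPG key ID"` right after the assignment, or the whiptail error plus `exit 1` that the rest of the function uses.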
@@ -183,6 +189,7 @@ while true; do if (whiptail_warning --title 'Flash ROM?' \ --yesno "This will replace your old ROM with $ROM\n\nDo you want to proceed?" 0 80) then + # shellcheck disable=SC2119 gpg_flash_rom else exit 0 @@ -203,7 +210,7 @@ while true; do gpg_add_key_reflash ;; "l" ) - GPG_KEYRING=`gpg -k` + GPG_KEYRING=$(gpg -k) whiptail --title 'GPG Keyring' \ --msgbox "${GPG_KEYRING}" 0 80 ;; @@ -213,8 +220,7 @@ while true; do mount_usb mount -o remount,rw /media gpg --export --armor > "/tmp/public-key.asc" - cp "/tmp/public-key.asc" "/media/public-key.asc" - if [ $? -eq 0 ]; then + if cp "/tmp/public-key.asc" "/media/public-key.asc"; then whiptail --title "The GPG Key Copied Successfully" \ --msgbox "public-key.asc copied successfully." 0 80 else @@ -234,8 +240,7 @@ while true; do echo "* Type 'quit' once you have generated the key to exit GPG." echo "*" echo "********************************************************************************" - gpg --card-edit > /tmp/gpg_card_edit_output - if [ $? -eq 0 ]; then + if gpg --card-edit > /tmp/gpg_card_edit_output; then gpg_post_gen_mgmt fi ;; diff --git a/initrd/bin/gpgv b/initrd/bin/gpgv.sh similarity index 65% rename from initrd/bin/gpgv rename to initrd/bin/gpgv.sh index e77197684..4d1212291 100755 --- a/initrd/bin/gpgv +++ b/initrd/bin/gpgv.sh @@ -1,6 +1,7 @@ #!/bin/bash # if we are using the full GPG we need a wrapper for the gpgv executable -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh TRACE_FUNC exec gpg --verify "$@" diff --git a/initrd/bin/gui-init-basic b/initrd/bin/gui-init-basic.sh similarity index 83% rename from initrd/bin/gui-init-basic rename to initrd/bin/gui-init-basic.sh index af9da581e..97c9396ec 100755 --- a/initrd/bin/gui-init-basic +++ b/initrd/bin/gui-init-basic.sh 
@@ -5,8 +5,11 @@ BOARD_NAME=${CONFIG_BOARD_NAME:-${CONFIG_BOARD}} MAIN_MENU_TITLE="${BOARD_NAME} | $CONFIG_BRAND_NAME Basic Boot Menu" export BG_COLOR_MAIN_MENU="normal" -. /etc/functions -. /etc/gui_functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh +# shellcheck source=initrd/etc/gui_functions.sh +. /etc/gui_functions.sh +# shellcheck disable=SC1091 . /tmp/config # skip_to_menu is set if the user selects "continue to the main menu" from any @@ -22,8 +25,9 @@ mount_boot() while ! grep -q /boot /proc/mounts ; do # try to mount if CONFIG_BOOT_DEV exists if [ -e "$CONFIG_BOOT_DEV" ]; then - mount -o ro $CONFIG_BOOT_DEV /boot - [[ $? -eq 0 ]] && continue + if mount -o ro "$CONFIG_BOOT_DEV" /boot; then + continue + fi fi # CONFIG_BOOT_DEV doesn't exist or couldn't be mounted, so give user options @@ -40,15 +44,15 @@ mount_boot() option=$(cat /tmp/whiptail) case "$option" in b ) - config-gui.sh boot_device_select - if [ $? -eq 0 ]; then + if config-gui.sh boot_device_select; then # update CONFIG_BOOT_DEV + # shellcheck disable=SC1091 . /tmp/config BG_COLOR_MAIN_MENU="normal" fi ;; u ) - exec /bin/usb-init + exec /bin/usb-init.sh ;; m ) skip_to_menu="true" @@ -74,7 +78,8 @@ prompt_auto_default_boot() show_main_menu() { TRACE_FUNC - date=`date "+%Y-%m-%d %H:%M:%S %Z"` + date=$(date "+%Y-%m-%d %H:%M:%S %Z") + # shellcheck disable=SC2086 whiptail_type $BG_COLOR_MAIN_MENU --title "$MAIN_MENU_TITLE" \ --menu "$date" 0 80 10 \ 'd' ' Default boot' \ @@ -95,7 +100,7 @@ show_main_menu() show_system_info ;; p ) - poweroff + poweroff.sh ;; esac } @@ -103,6 +108,7 @@ show_main_menu() show_options_menu() { TRACE_FUNC + # shellcheck disable=SC2086 whiptail_type $BG_COLOR_MAIN_MENU --title "$CONFIG_BRAND_NAME Basic Options" \ --menu "" 0 80 10 \ 'b' ' Boot Options -->' \ 
@@ -134,6 +140,7 @@ show_options_menu() show_boot_options_menu() { TRACE_FUNC + # shellcheck disable=SC2086 whiptail_type $BG_COLOR_MAIN_MENU --title "Boot Options" \ --menu "Select A Boot Option" 0 80 10 \ 'm' ' Show OS boot menu' \ @@ -148,7 +155,7 @@ show_boot_options_menu() select_os_boot_option ;; u ) - exec /bin/usb-init + exec /bin/usb-init.sh ;; r ) ;; @@ -159,7 +166,7 @@ select_os_boot_option() { TRACE_FUNC mount_boot - DO_WITH_DEBUG kexec-select-boot -m -b /boot -c "grub.cfg" -g -i + DO_WITH_DEBUG kexec-select-boot.sh -m -b /boot -c "grub.cfg" -g -i } attempt_default_boot() @@ -167,18 +174,18 @@ attempt_default_boot() TRACE_FUNC mount_boot - DEFAULT_FILE=`find /boot/kexec_default.*.txt 2>/dev/null | head -1` + DEFAULT_FILE=$(find /boot/kexec_default.*.txt 2>/dev/null | head -1) # Basic by default boots automatically to the first menu option. This allows # kernel updates to work in Basic by default without prompting to select a # new default boot option. if [ "$CONFIG_BASIC_NO_AUTOMATIC_DEFAULT" != "y" ]; then basic-autoboot.sh elif [ -r "$DEFAULT_FILE" ]; then - DO_WITH_DEBUG kexec-select-boot -b /boot -c "grub.cfg" -g -i -s \ + DO_WITH_DEBUG kexec-select-boot.sh -b /boot -c "grub.cfg" -g -i -s \ || recovery "Failed default boot" elif (whiptail_warning --title 'No Default Boot Option Configured' \ --yesno "There is no default boot option configured yet.\nWould you like to load a menu of boot options?\nOtherwise you will return to the main menu." 0 80) then - DO_WITH_DEBUG kexec-select-boot -m -b /boot -c "grub.cfg" -g -i + DO_WITH_DEBUG kexec-select-boot.sh -m -b /boot -c "grub.cfg" -g -i fi } @@ -199,7 +206,7 @@ if ! detect_boot_device ; then mount_boot fi -if [ "$skip_to_menu" != "true" -a -n "$CONFIG_AUTO_BOOT_TIMEOUT" ]; then +if [ "$skip_to_menu" != "true" ] && [ -n "$CONFIG_AUTO_BOOT_TIMEOUT" ]; then prompt_auto_default_boot fi 
diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init.sh similarity index 81% rename from initrd/bin/gui-init rename to initrd/bin/gui-init.sh index ed32a6143..062766672 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init.sh @@ -5,9 +5,13 @@ BOARD_NAME=${CONFIG_BOARD_NAME:-${CONFIG_BOARD}} MAIN_MENU_TITLE="${BOARD_NAME} | $CONFIG_BRAND_NAME Boot Menu" export BG_COLOR_MAIN_MENU="normal" -. /etc/functions -. /etc/gui_functions -. /etc/luks-functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh +# shellcheck source=initrd/etc/gui_functions.sh +. /etc/gui_functions.sh +# shellcheck source=initrd/etc/luks-functions.sh +. /etc/luks-functions.sh +# shellcheck disable=SC1091 . /tmp/config # skip_to_menu is set if the user selects "continue to the main menu" from any @@ -22,8 +26,9 @@ mount_boot() { while ! grep -q /boot /proc/mounts; do # try to mount if CONFIG_BOOT_DEV exists if [ -e "$CONFIG_BOOT_DEV" ]; then - mount -o ro $CONFIG_BOOT_DEV /boot - [[ $? -eq 0 ]] && continue + if mount -o ro "$CONFIG_BOOT_DEV" /boot; then + continue + fi fi # CONFIG_BOOT_DEV doesn't exist or couldn't be mounted, so give user options @@ -40,15 +45,15 @@ mount_boot() { option=$(cat /tmp/whiptail) case "$option" in b) - config-gui.sh boot_device_select - if [ $? -eq 0 ]; then + if config-gui.sh boot_device_select; then # update CONFIG_BOOT_DEV - . /tmp/config + # shellcheck disable=SC1091 + . /tmp/config BG_COLOR_MAIN_MENU="normal" fi ;; u) - exec /bin/usb-init + exec /bin/usb-init.sh ;; m) skip_to_menu="true" 
@@ -100,13 +105,13 @@ verify_global_hashes() { UPDATE_INITRAMFS_PACKAGE=$(grep '^UPDATE_INITRAMFS_PACKAGE' $TMP_PACKAGE_TRIGGER_POST | cut -f 2 -d '=' | tr -d '"') if [ "$UPDATE_INITRAMFS_PACKAGE" != "" ]; then - TEXT="The following files failed the verification process AFTER package updates ran:\n${CHANGED_FILES}\n\nThis is likely due to package triggers in$UPDATE_INITRAMFS_PACKAGE.\n\nYou will need to update your checksums for all files in /boot.\n\nWould you like to update your checksums now?" + TEXT="The following files failed the verification process AFTER package updates ran:\n${CHANGED_FILES}\n\nThis is likely due to package triggers in $UPDATE_INITRAMFS_PACKAGE.\n\nYou will need to update your checksums for all files in /boot.\n\nWould you like to update your checksums now?" else TEXT="The following files failed the verification process AFTER package updates ran:\n${CHANGED_FILES}\n\nThis might be due to the following package updates:\n$LAST_PACKAGE_LIST.\n\nYou will need to update your checksums for all files in /boot.\n\nWould you like to update your checksums now?" fi else - if [ $CHANGED_FILES_COUNT -gt 10 ]; then + if [ "$CHANGED_FILES_COUNT" -gt 10 ]; then # drop to console to show full file list whiptail_error --title 'ERROR: Boot Hash Mismatch' \ --msgbox "${CHANGED_FILES_COUNT} files failed the verification process!\\n\nThis could indicate a compromise!\n\nHit OK to review the list of files.\n\nType \"q\" to exit the list and return." 0 80 
@@ -153,22 +158,22 @@ generate_totp_hotp() { # If we don't have a TPM, but we have a HOTP USB Security dongle TRACE_FUNC echo "Generating new HOTP secret" - /bin/seal-hotpkey || + /bin/seal-hotpkey.sh || die "Failed to generate HOTP secret" - elif echo -e "Generating new TOTP secret...\n\n" && /bin/seal-totp "$BOARD_NAME" "$tpm_owner_password"; then + elif echo -e "Generating new TOTP secret...\n\n" && /bin/seal-totp.sh "$BOARD_NAME" "$tpm_owner_password"; then echo if [ -x /bin/hotp_verification ]; then # If we have a TPM and a HOTP USB Security dongle if [ "$CONFIG_TOTP_SKIP_QRCODE" != y ]; then echo "Once you have scanned the QR code, hit Enter to configure your HOTP USB Security dongle (e.g. Librem Key or Nitrokey)" - read + read -r fi TRACE_FUNC - /bin/seal-hotpkey || die "Failed to generate HOTP secret" + /bin/seal-hotpkey.sh || die "Failed to generate HOTP secret" else if [ "$CONFIG_TOTP_SKIP_QRCODE" != y ]; then echo "Once you have scanned the QR code, hit Enter to continue" - read + read -r fi fi # clear screen 
@@ -183,57 +188,76 @@ update_totp() { TRACE_FUNC # update the TOTP code date=$(date "+%Y-%m-%d %H:%M:%S %Z") - tries=0 if [ "$CONFIG_TPM" != "y" ]; then TOTP="NO TPM" else - TOTP=$(unseal-totp) - if [ $? -ne 0 ]; then - BG_COLOR_MAIN_MENU="error" - if [ "$skip_to_menu" = "true" ]; then - return 1 # Already asked to skip to menu from a prior error + # Pre-check primary handle so we can show a clearer tamper prompt + if ! tpmr.sh verify-primary >/dev/null 2>&1; then + rc=$? + case "$rc" in + 2) + BG_COLOR_MAIN_MENU="error" + whiptail_error --title 'ERROR: TPM Primary Missing' --msgbox "TPM primary handle not present — secrets cannot be unsealed. Choose Reset TPM from Options to proceed." 0 80 + return 1 + ;; + 3) + BG_COLOR_MAIN_MENU="error" + whiptail_error --title 'ERROR: TPM Primary Mismatch' --msgbox "TPM primary handle hash mismatch detected — possible tampering. Do not proceed without investigation." 0 80 + return 1 + ;; + *) + # Fall through to the standard unseal path + ;; + esac fi - DEBUG "CONFIG_TPM: $CONFIG_TPM" - DEBUG "CONFIG_TPM2_TOOLS: $CONFIG_TPM2_TOOLS" - DEBUG "Show PCRs" - DEBUG "$(pcrs)" + if ! TOTP=$(unseal-totp.sh); then + BG_COLOR_MAIN_MENU="error" + if [ "$skip_to_menu" = "true" ]; then + return 1 # Already asked to skip to menu from a prior error + fi + + DEBUG "CONFIG_TPM: $CONFIG_TPM" + DEBUG "CONFIG_TPM2_TOOLS: $CONFIG_TPM2_TOOLS" + DEBUG "Show PCRs" + DEBUG "$(pcrs)" - whiptail_error --title "ERROR: TOTP Generation Failed!" \ - --menu " ERROR: $CONFIG_BRAND_NAME couldn't generate the TOTP code.\n + whiptail_error --title "ERROR: TOTP Generation Failed!" 
\ + --menu " ERROR: $CONFIG_BRAND_NAME couldn't generate the TOTP code.\n If you have just completed a Factory Reset, or just reflashed your BIOS, you should generate a new HOTP/TOTP secret.\n If this is the first time the system has booted, you should reset the TPM and set your own password.\n If you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n How would you like to proceed?" 0 80 4 \ - 'g' ' Generate new HOTP/TOTP secret' \ - 'i' ' Ignore error and continue to main menu' \ - 'p' ' Reset the TPM' \ - 'x' ' Exit to recovery shell' \ - 2>/tmp/whiptail || recovery "GUI menu failed" - - option=$(cat /tmp/whiptail) - case "$option" in - g) - if (whiptail_warning --title 'Generate new TOTP/HOTP secret' \ - --yesno "This will erase your old secret and replace it with a new one!\n\nDo you want to proceed?" 0 80); then - generate_totp_hotp && update_totp && BG_COLOR_MAIN_MENU="normal" && reseal_tpm_disk_decryption_key - fi - ;; - i) - skip_to_menu="true" - return 1 - ;; - p) - reset_tpm && update_totp && BG_COLOR_MAIN_MENU="normal" && reseal_tpm_disk_decryption_key - ;; - x) - recovery "User requested recovery shell" - ;; - esac + 'g' ' Generate new HOTP/TOTP secret' \ + 'i' ' Ignore error and continue to main menu' \ + 'p' ' Reset the TPM' \ + 'x' ' Exit to recovery shell' \ + 2>/tmp/whiptail || recovery "GUI menu failed" + + option=$(cat /tmp/whiptail) + case "$option" in + g) + if (whiptail_warning --title 'Generate new TOTP/HOTP secret' \ + --yesno "This will erase your old secret and replace it with a new one!\n\nDo you want to proceed?" 0 80); then + generate_totp_hotp && update_totp && BG_COLOR_MAIN_MENU="normal" && reseal_tpm_disk_decryption_key + fi + ;; + i) + skip_to_menu="true" + return 1 + ;; + p) + reset_tpm && update_totp && BG_COLOR_MAIN_MENU="normal" && reseal_tpm_disk_decryption_key + ;; + x) + recovery "User requested recovery shell" + ;; + esac + fi fi - fi + } update_hotp() { 
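Review bot: In update_totp, `rc=$?` sits inside `if ! tpmr.sh verify-primary >/dev/null 2>&1; then`, where `$?` holds the status of the negated command and is therefore always 0. The `2)` and `3)` arms can never match, so the "TPM Primary Missing" and "TPM Primary Mismatch" prompts are never shown and a mismatching primary handle falls through to the generic unseal path. Capture the status before testing it, for example `rc=0; tpmr.sh verify-primary >/dev/null 2>&1 || rc=$?`, and then run the `case "$rc" in` block unconditionally. `rc` should also be declared `local`.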
@@ -253,7 +277,7 @@ update_hotp() { return fi fi - HOTP=$(unseal-hotp) + HOTP=$(unseal-hotp.sh) # Don't output HOTP codes to screen, so as to make replay attacks harder hotp_verification check "$HOTP" case "$?" in @@ -290,7 +314,8 @@ update_hotp() { g) if (whiptail_warning --title 'Generate new TOTP/HOTP secret' \ --yesno "This will erase your old secret and replace it with a new one!\n\nDo you want to proceed?" 0 80); then - generate_totp_hotp && BG_COLOR_MAIN_MENU="normal" && reseal_tpm_disk_decryption_key + generate_totp_hotp && update_totp && update_hotp \ + && BG_COLOR_MAIN_MENU="normal" && reseal_tpm_disk_decryption_key fi ;; i) @@ -311,12 +336,12 @@ clean_boot_check() { fi # check for any kexec files in /boot - kexec_files=$(find /boot -name kexec*.txt) - [ ! -z "$kexec_files" ] && return + kexec_files=$(find /boot -name "kexec*.txt") + [ -n "$kexec_files" ] && return #check for GPG key in keyring GPG_KEY_COUNT=$(gpg -k 2>/dev/null | wc -l) - [ $GPG_KEY_COUNT -ne 0 ] && return + [ "$GPG_KEY_COUNT" -ne 0 ] && return # check for USB security token if [ -x /bin/hotp_verification ]; then @@ -327,14 +352,15 @@ clean_boot_check() { # OS is installed, no kexec files present, no GPG keys in keyring, security token present # prompt user to run OEM factory reset - oem-factory-reset \ + oem-factory-reset.sh \ "Clean Boot Detected - Perform OEM Factory Reset / Re-Ownership?" } check_gpg_key() { TRACE_FUNC GPG_KEY_COUNT=$(gpg -k 2>/dev/null | wc -l) - if [ $GPG_KEY_COUNT -eq 0 ]; then + DEBUG "GPG_KEY_COUNT: $GPG_KEY_COUNT" + if [ "$GPG_KEY_COUNT" -eq 0 ]; then BG_COLOR_MAIN_MENU="error" if [ "$skip_to_menu" = "true" ]; then return 1 # Already asked to skip to menu from a prior error @@ -357,7 +383,7 @@ check_gpg_key() { return 1 ;; F) - oem-factory-reset + oem-factory-reset.sh ;; x) 
@@ -379,6 +405,7 @@ prompt_auto_default_boot() { show_main_menu() { TRACE_FUNC date=$(date "+%Y-%m-%d %H:%M:%S %Z") + # shellcheck disable=SC2086 whiptail_type $BG_COLOR_MAIN_MENU --title "$MAIN_MENU_TITLE" \ --menu "$date\nTOTP: $TOTP | HOTP: $HOTP" 0 80 10 \ 'd' ' Default boot' \ @@ -403,13 +430,14 @@ show_main_menu() { show_system_info ;; p) - poweroff + poweroff.sh ;; esac } show_options_menu() { TRACE_FUNC + # shellcheck disable=SC2086 whiptail_type $BG_COLOR_MAIN_MENU --title "$CONFIG_BRAND_NAME Options" \ --menu "" 0 80 10 \ 'b' ' Boot Options -->' \ @@ -451,7 +479,7 @@ show_options_menu() { gpg-gui.sh ;; F) - oem-factory-reset + oem-factory-reset.sh ;; C) luks_reencrypt @@ -473,6 +501,7 @@ show_options_menu() { show_boot_options_menu() { TRACE_FUNC + # shellcheck disable=SC2086 whiptail_type $BG_COLOR_MAIN_MENU --title "Boot Options" \ --menu "Select A Boot Option" 0 80 10 \ 'm' ' Show OS boot menu' \ @@ -488,7 +517,7 @@ show_boot_options_menu() { select_os_boot_option ;; u) - exec /bin/usb-init + exec /bin/usb-init.sh ;; i) force_unsafe_boot @@ -499,6 +528,7 @@ show_boot_options_menu() { show_tpm_totp_hotp_options_menu() { TRACE_FUNC + # shellcheck disable=SC2086 whiptail_type $BG_COLOR_MAIN_MENU --title "TPM/TOTP/HOTP Options" \ --menu "Select An Option" 0 80 10 \ 'g' ' Generate new TOTP/HOTP secret' \ @@ -510,10 +540,10 @@ show_tpm_totp_hotp_options_menu() { option=$(cat /tmp/whiptail) case "$option" in g) - generate_totp_hotp && reseal_tpm_disk_decryption_key + generate_totp_hotp && update_totp && update_hotp && reseal_tpm_disk_decryption_key ;; r) - reset_tpm && reseal_tpm_disk_decryption_key + reset_tpm && update_totp && update_hotp && reseal_tpm_disk_decryption_key ;; t) prompt_totp_mismatch 
@@ -538,12 +568,12 @@ reset_tpm() { if ! prompt_new_owner_password; then echo "Press Enter to return to the menu..." - read + read -r echo return 1 fi - tpmr reset "$tpm_owner_password" + tpmr.sh reset "$tpm_owner_password" # now that the TPM is reset, remove invalid TPM counter files mount_boot @@ -566,10 +596,10 @@ reset_tpm() { DEBUG "TPM_COUNTER: $TPM_COUNTER" #TPM_COUNTER can be empty - increment_tpm_counter $TPM_COUNTER>/dev/null 2>&1 || + increment_tpm_counter "$TPM_COUNTER" >/dev/null 2>&1 || die "Unable to increment tpm counter" - DO_WITH_DEBUG sha256sum /tmp/counter-$TPM_COUNTER >/boot/kexec_rollback.txt || + DO_WITH_DEBUG sha256sum /tmp/counter-"$TPM_COUNTER" >/boot/kexec_rollback.txt || die "Unable to create rollback file" TRACE_FUNC @@ -582,11 +612,11 @@ reset_tpm() { fi else warn "TPM reset successful, but user chose not to update+sign /boot checksums. Rebooting" - reboot + reboot.sh fi mount -o ro,remount /boot - generate_totp_hotp "$tpm_owner_password" + generate_totp_hotp "$tpm_owner_password" && update_totp && update_hotp else echo "Returning to the main menu" fi @@ -599,7 +629,7 @@ select_os_boot_option() { TRACE_FUNC mount_boot if verify_global_hashes; then - DO_WITH_DEBUG kexec-select-boot -m -b /boot -c "grub.cfg" -g + DO_WITH_DEBUG kexec-select-boot.sh -m -b /boot -c "grub.cfg" -g fi } 
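Review bot: In reset_tpm, the result of `tpmr.sh reset "$tpm_owner_password"` is not checked, yet the following lines remove the TPM counter files on the assumption stated in the comment ("now that the TPM is reset"). Unless the script runs under `set -e`, which is not visible here, a failed reset still leads to the counter and rollback files being rewritten. I would make it `tpmr.sh reset "$tpm_owner_password" || die "TPM reset failed"`, or return 1 after an error dialog. Separately, the comment says TPM_COUNTER can be empty, and the new quoting turns that case from no argument into an explicit empty argument for `increment_tpm_counter`; worth confirming the function treats both the same. reset_tpm starts and ends outside these hunks.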
@@ -613,12 +643,12 @@ attempt_default_boot() { DEFAULT_FILE=$(find /boot/kexec_default.*.txt 2>/dev/null | head -1) if [ -r "$DEFAULT_FILE" ]; then TRACE_FUNC - DO_WITH_DEBUG kexec-select-boot -b /boot -c "grub.cfg" -g || + DO_WITH_DEBUG kexec-select-boot.sh -b /boot -c "grub.cfg" -g || recovery "Failed default boot" elif (whiptail_warning --title 'No Default Boot Option Configured' \ --yesno "There is no default boot option configured yet.\nWould you like to load a menu of boot options?\nOtherwise you will return to the main menu." 0 80); then TRACE_FUNC - DO_WITH_DEBUG kexec-select-boot -m -b /boot -c "grub.cfg" -g + DO_WITH_DEBUG kexec-select-boot.sh -m -b /boot -c "grub.cfg" -g fi } @@ -631,7 +661,7 @@ force_unsafe_boot() { # Run the menu selection in "force" mode, bypassing hash checks if (whiptail_warning --title 'Unsafe Forced Boot Selected!' \ --yesno "WARNING: You have chosen to skip all tamper checks and boot anyway.\n\nThis is an unsafe option!\n\nDo you want to proceed?" 0 80); then - mount_boot && kexec-select-boot -m -b /boot -c "grub.cfg" -g -f + mount_boot && kexec-select-boot.sh -m -b /boot -c "grub.cfg" -g -f fi } @@ -665,7 +695,7 @@ check_gpg_key update_totp update_hotp -if [ "$HOTP" = "Success" -a -n "$CONFIG_AUTO_BOOT_TIMEOUT" ]; then + if [ "$HOTP" = "Success" ] && [ -n "$CONFIG_AUTO_BOOT_TIMEOUT" ]; then prompt_auto_default_boot fi diff --git a/initrd/bin/inject_firmware.sh b/initrd/bin/inject_firmware.sh index f9e6556e6..7dee33a11 100755 --- a/initrd/bin/inject_firmware.sh +++ b/initrd/bin/inject_firmware.sh @@ -22,8 +22,10 @@ set -e -o pipefail +# shellcheck disable=SC1091 . /tmp/config -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh if [ "$(load_config_value CONFIG_USE_BLOB_JAIL)" != "y" ]; then # Blob jail not active, nothing to do 
@@ -78,6 +80,7 @@ fi # # The root path is in ${rootmnt}, which should appear in the run-init command. # If it doesn't, then we don't understand the init script. +# shellcheck disable=SC2016 AWK_INSERT_CP=' BEGIN{inserted=0} /^exec run-init .*\$\{rootmnt\}/ && inserted==0 { diff --git a/initrd/bin/kexec-boot b/initrd/bin/kexec-boot.sh similarity index 77% rename from initrd/bin/kexec-boot rename to initrd/bin/kexec-boot.sh index fa37ebf99..ca73eb84b 100755 --- a/initrd/bin/kexec-boot +++ b/initrd/bin/kexec-boot.sh @@ -1,8 +1,10 @@ #!/bin/bash # Launches kexec from saved configuration entries set -e -o pipefail +# shellcheck disable=SC1091 . /tmp/config -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh TRACE_FUNC @@ -18,17 +20,22 @@ while getopts "b:e:r:a:o:fi" arg; do o) override_initrd="$OPTARG" ;; f) dryrun="y"; printfiles="y" ;; i) dryrun="y"; printinitrd="y" ;; + *) die "Invalid option $arg" ;; esac done -if [ -z "$bootdir" -o -z "$entry" ]; then +if [ -z "$bootdir" ] || [ -z "$entry" ]; then die "Usage: $0 -b /boot -e 'kexec params|...|...'" fi bootdir="${bootdir%%/}" -kexectype=`echo $entry | cut -d\| -f2` -kexecparams=`echo $entry | cut -d\| -f3- | tr '|' '\n'` +kexectype=$(echo "$entry" | cut -d\| -f2) +kexecparams=$(echo "$entry" | cut -d\| -f3- | tr '|' '\n') +if [ "$printinitrd" = "y" ]; then + DEBUG "kexec-boot: print initrd requested" + DEBUG "kexec-boot: entry='$entry'" +fi kexeccmd="kexec" cmdadd="$CONFIG_BOOT_KERNEL_ADD $cmdadd" @@ -46,7 +53,7 @@ fix_file_path() { filepath="$bootdir$firstval" - if ! [ -r $filepath ]; then + if ! [ -r "$filepath" ]; then die "Failed to find file $firstval" fi } @@ -55,7 +62,8 @@ adjusted_cmd_line="n" adjust_cmd_line() { if [ -n "$cmdremove" ]; then for i in $cmdremove; do - cmdline=$(echo $cmdline | sed "s/\b$i\b//g") + # shellcheck disable=SC2001 + cmdline=$(echo "$cmdline" | sed "s/\b$i\b//g") done fi 
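Review bot: In kexec-boot.sh's adjust_cmd_line, each `$i` from `cmdremove` is interpolated into the sed program `s/\b$i\b//g`, so a token containing `/`, `.`, `*` or `[` is read as sed syntax or as a regex rather than as a literal kernel argument. The new `# shellcheck disable=SC2001` keeps that form in place. Escaping the token first would make the removal literal: `esc=$(printf '%s' "$i" | sed 's/[][\/.^$*]/\\&/g')`, then use `$esc` in the substitution. If regex matching is intended, a comment saying so above the loop would help, e.g. `# cmdremove tokens are used as sed regexes and must not contain '/'`. The function body continues outside the hunk.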
@@ -71,11 +79,11 @@ if [ "$CONFIG_DEBUG_OUTPUT" = "y" ];then fi module_number="1" -while read line +while read -r line do - key=`echo $line | cut -d\ -f1` - firstval=`echo $line | cut -d\ -f2` - restval=`echo $line | cut -d\ -f3-` + key=$(echo "$line" | cut -d\ -f1) + firstval=$(echo "$line" | cut -d\ -f2) + restval=$(echo "$line" | cut -d\ -f3-) if [ "$key" = "kernel" ]; then fix_file_path if [ "$kexectype" = "xen" ]; then @@ -105,21 +113,22 @@ do elif [ "$module_number" -eq 2 ]; then if [ "$printinitrd" = "y" ]; then # output the current path to initrd - echo $filepath + echo "$filepath" fi if [ -n "$override_initrd" ]; then filepath="$override_initrd" fi fi fi - module_number=`expr $module_number + 1` + module_number=$((module_number + 1)) kexeccmd="$kexeccmd --module \"$filepath $cmdline\"" fi if [ "$key" = "initrd" ]; then fix_file_path if [ "$printinitrd" = "y" ]; then # output the current path to initrd - echo $filepath + DEBUG "kexec-boot: initrd path resolved to '$filepath'" + echo "$filepath" fi if [ -n "$override_initrd" ]; then filepath="$override_initrd" @@ -147,7 +156,9 @@ if [ "$adjusted_cmd_line" = "n" ]; then fi fi -if [ "$dryrun" = "y" ]; then exit 0; fi + if [ "$dryrun" = "y" ]; then + exit 0 +fi echo "Loading the new kernel:" echo "$kexeccmd" @@ -158,7 +169,7 @@ DO_WITH_DEBUG eval "$kexeccmd" 2>/dev/null \ if [ "$CONFIG_DEBUG_OUTPUT" = "y" ];then #Ask user if they want to continue booting without echoing back the input (-s) - read -s -n 1 -p "[DEBUG] Continue booting? [Y/n]: " debug_boot_confirm + read -r -s -n 1 -p "[DEBUG] Continue booting? [Y/n]: " debug_boot_confirm echo if [ "${debug_boot_confirm^^}" = N ]; then # abort 
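Review bot: The module and initrd branches of this loop still assemble `kexeccmd` by string concatenation with embedded quotes (`kexeccmd="$kexeccmd --module \"$filepath $cmdline\""`), and the result is later run through `eval "$kexeccmd"`, visible in the header of the last hunk on this line. Any `"`, backtick or `$(` in a path or command-line value taken from the boot entry is then interpreted by the shell, and the quoting fixes on `$filepath` elsewhere in the loop do not change that. Building `kexeccmd` as a bash array and running it as `"${kexeccmd[@]}"` would remove the eval, but that change reaches beyond these hunks. At minimum I would add a comment above the eval such as `# eval: kexeccmd is built from boot entries; they must come from verified /boot config`.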
@@ -167,12 +178,14 @@ if [ "$CONFIG_DEBUG_OUTPUT" = "y" ];then fi if [ "$CONFIG_TPM" = "y" ]; then - tpmr kexec_finalize + tpmr.sh kexec_finalize fi -if [ -x /bin/io386 -a "$CONFIG_FINALIZE_PLATFORM_LOCKING" = "y" ]; then +if [ -x /bin/io386 ] && [ "$CONFIG_FINALIZE_PLATFORM_LOCKING" = "y" ]; then lock_chip fi +TRACE_FUNC echo "Starting the new kernel" +DEBUG "About to exec kexec -e" exec kexec -e diff --git a/initrd/bin/kexec-insert-key b/initrd/bin/kexec-insert-key.sh similarity index 85% rename from initrd/bin/kexec-insert-key rename to initrd/bin/kexec-insert-key.sh index ff95c1943..f7ae31aab 100755 --- a/initrd/bin/kexec-insert-key +++ b/initrd/bin/kexec-insert-key.sh @@ -1,7 +1,8 @@ #!/bin/bash # Unseal a LUKS Disk Unlock Key from TPM and add to a new initramfs set -e -o pipefail -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh TRACE_FUNC @@ -24,12 +25,12 @@ if [ -r "$TMP_KEY_LVM" ]; then if [ -z "$TMP_KEY_LVM" ]; then die "No LVM volume group defined for activation" fi - lvm vgchange -a y $VOLUME_GROUP || + lvm vgchange -a y "$VOLUME_GROUP" || die "$VOLUME_GROUP: unable to activate volume group" fi # Measure the LUKS headers before we unseal the LUKS Disk Unlock Key from TPM -cat "$TMP_KEY_DEVICES" | cut -d\ -f1 | xargs /bin/qubes-measure-luks || + cut -d\ -f1 "$TMP_KEY_DEVICES" | xargs /bin/qubes-measure-luks.sh || die "LUKS measure failed" # Unpack the initrd and fixup the crypttab @@ -58,7 +59,7 @@ fi # Attempt to unseal the Disk Unlock Key from the TPM # should we give this some number of tries? unseal_failed="n" -if ! kexec-unseal-key "$INITRD_DIR/secret.key"; then +if ! kexec-unseal-key.sh "$INITRD_DIR/secret.key"; then unseal_failed="y" echo echo "!!! Failed to unseal the TPM LUKS Disk Unlock Key" 
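Review bot: In kexec-insert-key.sh, the guard before `lvm vgchange` tests `"$TMP_KEY_LVM"`, which the enclosing `if [ -r "$TMP_KEY_LVM" ]` already requires to be a readable path, so it cannot catch an empty `VOLUME_GROUP`. With the new quoting, an empty value now reaches lvm as an explicit empty argument instead of being dropped. If the intent is to validate the group name, the test should be `if [ -z "$VOLUME_GROUP" ]; then`. The assignment of VOLUME_GROUP is outside this hunk, so confirm against it.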
@@ -67,22 +68,19 @@ fi # Override PCR 4 so that user can't read the key TRACE_FUNC INFO "TPM: Extending PCR[4] to prevent any future secret unsealing" -tpmr extend -ix 4 -ic generic || +tpmr.sh extend -ix 4 -ic generic || die 'Unable to scramble PCR' # Check to continue if [ "$unseal_failed" = "y" ]; then confirm_boot="n" - read \ + read -r \ -n 1 \ -p "Do you wish to boot and use the LUKS Disk Recovery Key? [Y/n] " \ confirm_boot echo - if [ "$confirm_boot" != 'y' \ - -a "$confirm_boot" != 'Y' \ - -a -n "$confirm_boot" ] \ - ; then + if [[ "$confirm_boot" != 'y' && "$confirm_boot" != 'Y' && -n "$confirm_boot" ]]; then die "!!! Aborting boot due to failure to unseal TPM Disk Unlock Key" fi fi 
@@ -101,26 +99,26 @@ if [ "$unseal_failed" = "n" ]; then echo "+++ $bootdir/kexec_initrd_crypttab_overrides.txt found..." echo "+++ Preparing initramfs crypttab overrides as defined under $bootdir/kexec_initrd_crypttab_overrides.txt to be injected through cpio at next kexec call..." # kexec-save-default has found crypttab files under initrd and saved them - cat "$bootdir/kexec_initrd_crypttab_overrides.txt" | while read line; do - crypttab_file=$(echo "$line" | awk -F ':' {'print $1'}) - crypttab_entry=$(echo "$line" | awk -F ':' {'print $NF'}) + while read -r line; do + crypttab_file=$(echo "$line" | awk -F ':' '{print $1}') + crypttab_entry=$(echo "$line" | awk -F ':' '{print $NF}') # Replace each initrd crypttab file with modified entry containing /secret.key path - mkdir -p "$INITRD_DIR/$(dirname $crypttab_file)" + mkdir -p "$INITRD_DIR/$(dirname "$crypttab_file")" echo "$crypttab_entry" | tee -a "$INITRD_DIR/$crypttab_file" >/dev/null echo "+++ initramfs's $crypttab_file will be overriden with: $crypttab_entry" - done + done < "$bootdir/kexec_initrd_crypttab_overrides.txt" else # No crypttab files were found under selected default boot option's initrd file # Meanwhile, force crypttab to be created from scratch on both possible locations: /etc/crypttab and /cryptroot/crypttab crypttab_files="etc/crypttab cryptroot/crypttab" for crypttab_file in $crypttab_files; do - mkdir -p "$INITRD_DIR/$(dirname $crypttab_file)" + mkdir -p "$INITRD_DIR/$(dirname "$crypttab_file")" # overwrite crypttab to mirror behavior of seal-key echo "+++ The following $crypttab_file overrides will be passed through concatenated secret/initrd.cpio at kexec call:" - for uuid in $(cat "$TMP_KEY_DEVICES" | cut -d\ -f2); do + while read -r uuid; do # NOTE: discard operation (TRIM) is activated by default if no crypptab found in initrd echo "luks-$uuid UUID=$uuid /secret.key luks,discard" | tee -a "$INITRD_DIR/$crypttab_file" - done + done < <(cut -d\ -f2 "$TMP_KEY_DEVICES") done fi ( 
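Review bot: In the crypttab override loop, `crypttab_file` comes from the first `:`-separated field of each line in kexec_initrd_crypttab_overrides.txt and is used directly in `mkdir -p "$INITRD_DIR/$(dirname "$crypttab_file")"` and `tee -a "$INITRD_DIR/$crypttab_file"`. Nothing checks that the resulting path stays under `$INITRD_DIR`, and whether the overrides file is covered by the /boot hash verification is not visible here. I would add a guard before the mkdir: `case "$crypttab_file" in *..*) die "Invalid crypttab path in overrides: $crypttab_file" ;; esac`. The `read -r line` loop would also keep leading whitespace intact if written as `while IFS= read -r line`.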
diff --git a/initrd/bin/kexec-iso-init b/initrd/bin/kexec-iso-init.sh similarity index 74% rename from initrd/bin/kexec-iso-init rename to initrd/bin/kexec-iso-init.sh index 53856fec8..2d805baad 100755 --- a/initrd/bin/kexec-iso-init +++ b/initrd/bin/kexec-iso-init.sh @@ -1,9 +1,12 @@ #!/bin/bash # Boot from signed ISO set -e -o pipefail -. /etc/functions -. /etc/gui_functions -. /tmp/config +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh +# shellcheck source=initrd/etc/gui_functions.sh +. /etc/gui_functions.sh + # shellcheck disable=SC1091 + . /tmp/config TRACE_FUNC @@ -22,7 +25,7 @@ ISO_PATH="${ISO_PATH##/}" if [ -r "$ISOSIG" ]; then # Signature found, verify it - gpgv --homedir=/etc/distro/ "$ISOSIG" "$MOUNTED_ISO_PATH" \ + gpgv.sh --homedir=/etc/distro/ "$ISOSIG" "$MOUNTED_ISO_PATH" \ || die 'ISO signature failed' echo '+++ ISO signature verified' else @@ -38,7 +41,7 @@ else echo "WARNING: The selected ISO file does not have a detached signature" echo "This means the integrity and authenticity cannot be verified" echo "Booting unsigned ISOs is potentially unsafe" - read -n1 -p "Do you want to proceed anyway? (y/N): " response + read -r -n1 -p "Do you want to proceed anyway? (y/N): " response echo if [ "$response" != "y" ] && [ "$response" != "Y" ]; then die "Unsigned ISO boot cancelled by user" 
@@ -48,32 +51,32 @@ else fi echo '+++ Mounting ISO and booting' -mount -t iso9660 -o loop $MOUNTED_ISO_PATH /boot \ - || die '$MOUNTED_ISO_PATH: Unable to mount /boot' +mount -t iso9660 -o loop "$MOUNTED_ISO_PATH" /boot \ + || die "$MOUNTED_ISO_PATH: Unable to mount /boot" -DEV_UUID=`blkid $DEV | tail -1 | tr " " "\n" | grep UUID | cut -d\" -f2` +DEV_UUID=$(blkid "$DEV" | tail -1 | tr " " "\n" | grep UUID | cut -d\" -f2) ADD="fromiso=/dev/disk/by-uuid/$DEV_UUID/$ISO_PATH img_dev=/dev/disk/by-uuid/$DEV_UUID iso-scan/filename=/${ISO_PATH} img_loop=$ISO_PATH iso=$DEV_UUID/$ISO_PATH" REMOVE="" paramsdir="/media/kexec_iso/$ISO_PATH" -check_config $paramsdir +check_config "$paramsdir" ADD_FILE=/tmp/kexec/kexec_iso_add.txt -if [ -r $ADD_FILE ]; then - NEW_ADD=`cat $ADD_FILE` +if [ -r "$ADD_FILE" ]; then + NEW_ADD=$(cat "$ADD_FILE") ADD=$(eval "echo \"$NEW_ADD\"") fi echo "+++ Overriding standard ISO kernel arguments with additions: $ADD" REMOVE_FILE=/tmp/kexec/kexec_iso_remove.txt -if [ -r $REMOVE_FILE ]; then - NEW_REMOVE=`cat $REMOVE_FILE` +if [ -r "$REMOVE_FILE" ]; then + NEW_REMOVE=$(cat "$REMOVE_FILE") REMOVE=$(eval "echo \"$NEW_REMOVE\"") fi echo "+++ Overriding standard ISO kernel arguments with suppressions: $REMOVE" # Call kexec and indicate that hashes have been verified -DO_WITH_DEBUG kexec-select-boot -b /boot -d /media -p "$paramsdir" \ +DO_WITH_DEBUG /bin/kexec-select-boot.sh -b /boot -d /media -p "$paramsdir" \ -a "$ADD" -r "$REMOVE" -c "*.cfg" -u -i die "Something failed in selecting boot" diff --git a/initrd/bin/kexec-parse-bls b/initrd/bin/kexec-parse-bls.sh similarity index 60% rename from initrd/bin/kexec-parse-bls rename to initrd/bin/kexec-parse-bls.sh index 92bc5f6c8..1bb3ab97d 100755 --- a/initrd/bin/kexec-parse-bls +++ b/initrd/bin/kexec-parse-bls.sh @@ -1,6 +1,7 @@ #!/bin/bash set -e -o pipefail -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh TRACE_FUNC bootdir="$1" 
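Review bot: `ADD=$(eval "echo \"$NEW_ADD\"")` and the matching `REMOVE` line pass the contents of `/tmp/kexec/kexec_iso_add.txt` and `kexec_iso_remove.txt` through `eval`, so besides the variable references the templates are meant to expand, any command substitution in those files also runs in the boot environment. The hunk tidies the quoting around these lines but leaves that trust assumption unstated; a comment above each `eval`, such as `# eval expands variables in the template; the file must only come from a verified params directory`, would record it, assuming `check_config` (defined elsewhere) is what places and vets these files. The same double expansion, `eval "echo \"$entry\""`, stays in `echo_entry` of kexec-parse-bls.sh and kexec-parse-boot.sh later in this diff, where the text is assembled from parsed boot menu entries. The existing comment there says why expansion is wanted, and it should also say that the parsed config is expected to be trusted by then.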
@@ -8,7 +9,7 @@ file="$2" blsdir="$3" kernelopts="" -if [ -z "$bootdir" -o -z "$file" ]; then +if [ -z "$bootdir" ] || [ -z "$file" ]; then die "Usage: $0 /boot /boot/grub/grub.cfg blsdir" fi @@ -21,7 +22,7 @@ reset_entry() { append="$kernelopts" } -filedir=`dirname $file` +filedir=$(dirname "$file") bootdir="${bootdir%%/}" bootlen="${#bootdir}" appenddir="${filedir:$bootlen}" @@ -30,41 +31,42 @@ appenddir="${filedir:$bootlen}" grubenv="$filedir/grubenv" fix_path() { - path="$@" + path="$*" if [ "${path:0:1}" != "/" ]; then path="$appenddir/$path" fi } echo_entry() { + DEBUG "kexec-parse-bls: entry name='$name' kernel='$kernel' initrd='$initrd'" if [ "$kexectype" = "elf" ]; then if [ -z "$kernel" ]; then return; fi - fix_path $kernel + fix_path "$kernel" entry="$name|$kexectype|kernel $path" if [ -n "$initrd" ]; then - fix_path $initrd + fix_path "$initrd" entry="$entry|initrd $path" fi if [ -n "$append" ]; then entry="$entry|append $append" fi - echo $(eval "echo \"$entry\"") + eval "echo \"$entry\"" fi - if [ "$kexectype" = "multiboot" -o "$kexectype" = "xen" ]; then + if [ "$kexectype" = "multiboot" ] || [ "$kexectype" = "xen" ]; then if [ -z "$kernel" ]; then return; fi - fix_path $kernel - echo $(eval "echo \"$name|$kexectype|kernel $path$modules\"") + fix_path "$kernel" + eval "echo \"$name|$kexectype|kernel $path$modules\"" fi } bls_entry() { # add info to menuentry - trimcmd=`echo $line | tr '\t ' ' ' | tr -s ' '` - cmd=`echo $trimcmd | cut -d\ -f1` - val=`echo $trimcmd | cut -d\ -f2-` + trimcmd=$(echo "$line" | tr '\t ' ' ' | tr -s ' ') + cmd=$(echo "$trimcmd" | cut -d\ -f1) + val=$(echo "$trimcmd" | cut -d\ -f2-) case $cmd in title) name=$val 
@@ -78,22 +80,23 @@ bls_entry() { options) # default is "options $kernelopts" # need to substitute that variable if set in .cfg/grubenv - append=`echo "$val" | sed "s@\\$kernelopts@$kernelopts@"` + append=${val//\$kernelopts/$kernelopts} ;; esac } # This is the default append value if no options field in bls entry grep -q "set default_kernelopts" "$file" && - kernelopts=`grep "set default_kernelopts" "$file" | - tr "'" "\"" | cut -d\" -f 2` + kernelopts=$(grep "set default_kernelopts" "$file" | + tr "'" "\"" | cut -d\" -f 2) [ -f "$grubenv" ] && grep -q "^kernelopts" "$grubenv" && - kernelopts=`grep "^kernelopts" "$grubenv" | tr '@' '_' | cut -d= -f 2-` + kernelopts=$(grep "^kernelopts" "$grubenv" | tr '@' '_' | cut -d= -f 2-) reset_entry -find $blsdir -type f -name \*.conf | -while read f +find "$blsdir" -type f -name \*.conf | +while read -r f do - while read line + DEBUG "kexec-parse-bls: reading '$f'" + while read -r line do bls_entry done < "$f" diff --git a/initrd/bin/kexec-parse-boot b/initrd/bin/kexec-parse-boot.sh similarity index 75% rename from initrd/bin/kexec-parse-boot rename to initrd/bin/kexec-parse-boot.sh index 07e38e3d6..5d5eb6ebf 100755 --- a/initrd/bin/kexec-parse-boot +++ b/initrd/bin/kexec-parse-boot.sh @@ -1,13 +1,14 @@ #!/bin/bash set -e -o pipefail -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh TRACE_FUNC bootdir="$1" file="$2" -if [ -z "$bootdir" -o -z "$file" ]; then +if [ -z "$bootdir" ] || [ -z "$file" ]; then die "Usage: $0 /boot /boot/grub/grub.cfg" fi @@ -20,7 +21,7 @@ reset_entry() { append="" } -filedir=`dirname $file` +filedir=$(dirname "$file") DEBUG "filedir= $filedir" bootdir="${bootdir%%/}" DEBUG "bootdir= $bootdir" @@ -30,8 +31,9 @@ appenddir="${filedir:$bootlen}" DEBUG "appenddir= $appenddir" fix_path() { - path="$@" + path="$*" if [ "${path:0:1}" != "/" ]; then + # shellcheck disable=SC2145 DEBUG "fix_path: path was $@" path="$appenddir/$path" DEBUG "fix_path: path is now $path" 
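Review bot: With `append=${val//\$kernelopts/$kernelopts}` replacing the `sed "s@…@…@"` call, the `tr '@' '_'` kept on the grubenv line below looks like a leftover workaround for sed's `@` delimiter (inferred; no comment says so). It rewrites every `@` in `kernelopts`, so a value such as a btrfs `subvol=@` option reaches the kernel command line altered. If nothing else depends on it, the line can become `kernelopts=$(grep "^kernelopts" "$grubenv" | cut -d= -f 2-)`. Note also that the new expansion replaces every occurrence of `$kernelopts`, where the sed expression replaced only the first.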
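Review bot: In `fix_path` of kexec-parse-boot.sh, the new `# shellcheck disable=SC2145` silences the warning on `DEBUG "fix_path: path was $@"` instead of fixing it. The function already switched to `path="$*"` one line above, so the log line can do the same and the directive can go: `DEBUG "fix_path: path was $*"`. The rest of `fix_path` continues outside the hunk.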
@@ -54,7 +56,7 @@ check_path() { echo_entry() { if [ -z "$kernel" ]; then return; fi - fix_path $kernel + fix_path "$kernel" # The kernel must exist - if it doesn't, ignore this entry, it # wouldn't work anyway. This could happen if there was a # GRUB variable in the kernel path, etc. @@ -64,8 +66,8 @@ echo_entry() { case "$kexectype" in elf) if [ -n "$initrd" ]; then - for init in $(echo $initrd | tr ',' ' '); do - fix_path $init + for init in $(echo "$initrd" | tr ',' ' '); do + fix_path "$init" # The initrd must also exist if ! check_path "$path"; then return; fi entry="$entry|initrd $path" @@ -83,10 +85,11 @@ echo_entry() { ;; esac + DEBUG "kexec-parse-boot: entry name='$name' kernel='$kernel' initrd='$initrd'" # Double-expand here in case there are variables in the kernel # parameters - some configs do this and can boot with empty # expansions (Debian Live ISOs use this for loopback boots) - echo $(eval "echo \"$entry\"") + eval "echo \"$entry\"" } search_entry() { @@ -94,13 +97,13 @@ search_entry() { menuentry* | MENUENTRY* ) state="grub" reset_entry - name=`echo $line | tr "'" "\"" | cut -d\" -f 2` + name=$(echo "$line" | tr "'" "\"" | cut -d\" -f 2) ;; label* | LABEL* ) state="syslinux" reset_entry - name=`echo $line | cut -c6- ` + name=$(echo "$line" | cut -c6- ) esac } @@ -112,9 +115,9 @@ grub_entry() { fi # add info to menuentry - trimcmd=`echo $line | tr '\t ' ' ' | tr -s ' '` - cmd=`echo $trimcmd | cut -d\ -f1` - val=`echo $trimcmd | cut -d\ -f2-` + trimcmd=$(echo "$line" | tr '\t ' ' ' | tr -s ' ') + cmd=$(echo "$trimcmd" | cut -d\ -f1) + val=$(echo "$trimcmd" | cut -d\ -f2-) case $cmd in multiboot*) # TODO: differentiate between Xen and other multiboot kernels @@ -124,9 +127,9 @@ grub_entry() { ;; module*) case $val in - --nounzip*) val=`echo $val | cut -d\ -f2-` ;; + --nounzip*) val=$(echo "$val" | cut -d\ -f2-) ;; esac - fix_path $val + fix_path "$val" modules="$modules|module $path" DEBUG " grub_entry linux modules= $modules" ;; 
@@ -137,11 +140,12 @@ grub_entry() { # path is relative to the device root, not the config # location. DEBUG " grub_entry : linux trimcmd prior of kernel/append parsing: $trimcmd" - kernel=`echo $trimcmd | sed "s/([^)]*)//g" | cut -d\ -f2` - append=`echo $trimcmd | cut -d\ -f3-` + kernel=$(echo "$trimcmd" | sed "s/([^)]*)//g" | cut -d\ -f2) + append=$(echo "$trimcmd" | cut -d\ -f3-) ;; initrd*) # Trim off device specification as above + # shellcheck disable=SC2001 initrd="$(echo "$val" | sed "s/([^)]*)//g")" DEBUG " grub_entry: linux initrd= $initrd" ;; @@ -157,7 +161,7 @@ syslinux_end() { for param in $append; do case $param in initrd=*) - initrd=`echo $param | cut -d\= -f2` + initrd=$(echo "$param" | cut -d= -f2) ;; *) newappend="$newappend $param" ;; esac @@ -165,19 +169,19 @@ syslinux_end() { append="${newappend##' '}" fi - appenddir="$(echo $appenddir | cut -d\/ -f -2)" + appenddir="$(echo "$appenddir" | cut -d/ -f -2)" echo_entry state="search" } syslinux_multiboot_append() { - splitval=`echo "${val// --- /|}" | tr '|' '\n'` - while read line + splitval=$(echo "${val// --- /|}" | tr '|' '\n') + while read -r line do if [ -z "$kernel" ]; then kernel="$line" else - fix_path $line + fix_path "$line" modules="$modules|module $path" fi done << EOF @@ -199,14 +203,14 @@ syslinux_entry() { esac # add info to menuentry - trimcmd=`echo $line | tr '\t ' ' ' | tr -s ' '` - cmd=`echo $trimcmd | cut -d\ -f1` - val=`echo $trimcmd | cut -d\ -f2-` + trimcmd=$(echo "$line" | tr '\t ' ' ' | tr -s ' ') + cmd=$(echo "$trimcmd" | cut -d\ -f1) + val=$(echo "$trimcmd" | cut -d\ -f2-) case $trimcmd in menu* | MENU* ) - cmd2=`echo $trimcmd | cut -d \ -f2` - if [ "$cmd2" = "label" -o "$cmd2" = "LABEL" ]; then - name=`echo $trimcmd | cut -c11- | tr -d '^'` + cmd2=$(echo "$trimcmd" | cut -d \ -f2) + if [ "$cmd2" = "label" ] || [ "$cmd2" = "LABEL" ]; then + name=$(echo "$trimcmd" | cut -c11- | tr -d '^') fi ;; linux* | LINUX* | kernel* | KERNEL* ) 
@@ -227,7 +231,7 @@ syslinux_entry() { DEBUG "initrd= $initrd" ;; append* | APPEND* ) - if [ "$kexectype" = "multiboot" -o "$kexectype" = "xen" ]; then + if [ "$kexectype" = "multiboot" ] || [ "$kexectype" = "xen" ]; then syslinux_multiboot_append else append="$val" @@ -238,7 +242,7 @@ syslinux_entry() { } state="search" -while read line +while read -r line do case $state in search) diff --git a/initrd/bin/kexec-save-default b/initrd/bin/kexec-save-default.sh similarity index 64% rename from initrd/bin/kexec-save-default rename to initrd/bin/kexec-save-default.sh index 32ac305ab..23a6c2fc8 100755 --- a/initrd/bin/kexec-save-default +++ b/initrd/bin/kexec-save-default.sh @@ -1,8 +1,10 @@ #!/bin/bash # Save these options to be the persistent default set -e -o pipefail +# shellcheck disable=SC1091 . /tmp/config -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh TRACE_FUNC @@ -12,10 +14,11 @@ while getopts "b:d:p:i:" arg; do d) paramsdev="$OPTARG" ;; p) paramsdir="$OPTARG" ;; i) index="$OPTARG" ;; + *) die "Invalid option: $arg" ;; esac done -if [ -z "$bootdir" -o -z "$index" ]; then +if [ -z "$bootdir" ] || [ -z "$index" ]; then die "Usage: $0 -b /boot -i menu_option " fi @@ -31,6 +34,8 @@ bootdir="${bootdir%%/}" paramsdev="${paramsdev%%/}" paramsdir="${paramsdir%%/}" +DEBUG "kexec-save-default: bootdir='$bootdir' paramsdev='$paramsdev' paramsdir='$paramsdir' index='$index'" + TMP_MENU_FILE="/tmp/kexec/kexec_menu.txt" ENTRY_FILE="$paramsdir/kexec_default.$index.txt" HASH_FILE="$paramsdir/kexec_default_hashes.txt" 
@@ -38,7 +43,7 @@ PRIMHASH_FILE="$paramsdir/kexec_primhdl_hash.txt" KEY_DEVICES="$paramsdir/kexec_key_devices.txt" KEY_LVM="$paramsdir/kexec_key_lvm.txt" -lvm_suggest=$(lvm vgscan 2>/dev/null | awk -F '"' {'print $1'} | tail -n +2) +lvm_suggest=$(lvm vgscan 2>/dev/null | awk -F '"' '{print $1}' | tail -n +2) num_lvm=$(echo "$lvm_suggest" | wc -l) if [ "$num_lvm" -eq 1 ] && [ -n "$lvm_suggest" ]; then lvm_volume_group="$lvm_suggest" @@ -46,11 +51,11 @@ elif [ -z "$lvm_suggest" ]; then num_lvm=0 fi # $lvm_suggest is a multiline string, we need to convert it to a space separated string -lvm_suggest=$(echo $lvm_suggest | tr '\n' ' ') +lvm_suggest=$(echo "$lvm_suggest" | tr '\n' ' ') DEBUG "LVM num_lvm: $num_lvm, lvm_suggest: $lvm_suggest" # get all LUKS container devices -devices_suggest=$(blkid | cut -d ':' -f 1 | while read device; do +devices_suggest=$(blkid | cut -d ':' -f 1 | while read -r device; do if cryptsetup isLuks "$device"; then echo "$device"; fi done | sort) num_devices=$(echo "$devices_suggest" | wc -l) @@ -61,12 +66,12 @@ elif [ -z "$devices_suggest" ]; then num_devices=0 fi # $devices_suggest is a multiline string, we need to convert it to a space separated string -devices_suggest=$(echo $devices_suggest | tr '\n' ' ') +devices_suggest=$(echo "$devices_suggest" | tr '\n' ' ') DEBUG "LUKS num_devices: $num_devices, devices_suggest: $devices_suggest" if [ "$num_lvm" -eq 0 ] && [ "$num_devices" -eq 0 ]; then #No encrypted partition found. - no_encrypted_partition=1 + : fi #Reusable function when user wants to define new TPM DUK for lvms/disks 
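Review bot: Replacing `no_encrypted_partition=1` with `:` leaves an `if [ "$num_lvm" -eq 0 ] && [ "$num_devices" -eq 0 ]` block whose only content is its comment. Either drop the conditional or make the case visible in the log, for example `DEBUG "No encrypted LVM volume group or LUKS device found"`, so a later reader does not assume the condition is handled somewhere.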
@@ -89,13 +94,16 @@ prompt_for_existing_encrypted_lvms_or_disks() { selected_lvms_not_existing=1 # Create an array to store the selected LVMs declare -a key_lvms_array + attempts=0 - while [ $selected_lvms_not_existing -ne 0 ]; do + while [ $selected_lvms_not_existing -ne 0 ] && [ $attempts -lt 3 ]; do + DEBUG "In LVM selection loop, selected_lvms_not_existing=$selected_lvms_not_existing, attempts=$attempts" { # Read the user input and store it in a variable - read \ + read -r \ -p "Encrypted LVMs? (choose between/all: $lvm_suggest): " \ key_lvms + DEBUG "key_lvms='$key_lvms'" # Split the user input by spaces and add each element to the array IFS=' ' read -r -a key_lvms_array <<<"$key_lvms" @@ -113,7 +121,14 @@ prompt_for_existing_encrypted_lvms_or_disks() { # If valid, set the flag to indicate valid input if [[ $valid -eq 1 ]]; then selected_lvms_not_existing=0 + else + attempts=$((attempts + 1)) + if [ $attempts -eq 3 ]; then + die "Failed to select valid LVMs after 3 attempts" + fi + warn "Invalid LVM selection, please try again" fi + DEBUG "valid=$valid, selected_lvms_not_existing=$selected_lvms_not_existing" } done elif [ "$num_lvms" -eq 1 ]; then @@ -138,13 +153,16 @@ prompt_for_existing_encrypted_lvms_or_disks() { selected_luksdevs_not_existing=1 # Create an array to store the selected devices declare -a key_devices_array + attempts=0 - while [ $selected_luksdevs_not_existing -ne 0 ]; do + while [ $selected_luksdevs_not_existing -ne 0 ] && [ $attempts -lt 3 ]; do + DEBUG "In devices selection loop, selected_luksdevs_not_existing=$selected_luksdevs_not_existing, attempts=$attempts" { # Read the user input and store it in a variable - read \ + read -r \ -p "Encrypted devices? (choose between/all: $devices_suggest): " \ key_devices + DEBUG "key_devices='$key_devices'" # Split the user input by spaces and add each element to the array IFS=' ' read -r -a key_devices_array <<<"$key_devices" 
@@ -162,7 +180,14 @@ prompt_for_existing_encrypted_lvms_or_disks() { # If valid, set the flag to indicate valid input if [[ $valid -eq 1 ]]; then selected_luksdevs_not_existing=0 + else + attempts=$((attempts + 1)) + if [ $attempts -eq 3 ]; then + die "Failed to select valid devices after 3 attempts" + fi + warn "Invalid device selection, please try again" fi + DEBUG "valid=$valid, selected_luksdevs_not_existing=$selected_luksdevs_not_existing" } done elif [ "$num_devices" -eq 1 ]; then @@ -177,14 +202,16 @@ prompt_for_existing_encrypted_lvms_or_disks() { } if [ ! -r "$TMP_MENU_FILE" ]; then - die "No menu options available, please run kexec-select-boot" + die "No menu options available, please run kexec-select-boot.sh" fi -entry=$(head -n $index $TMP_MENU_FILE | tail -1) +entry=$(head -n "$index" "$TMP_MENU_FILE" | tail -1) if [ -z "$entry" ]; then die "Invalid menu index $index" fi +DEBUG "kexec-save-default: entry length=${#entry} entry_file='$ENTRY_FILE' hash_file='$HASH_FILE'" + save_key="n" if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [ "$CONFIG_BASIC" != y ]; then 
@@ -193,24 +220,22 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [ #check if $KEY_DEVICES file exists and is not empty if [ -r "$KEY_DEVICES" ] && [ -s "$KEY_DEVICES" ]; then DEBUG "LUKS TPM Disk Unlock Key was previously set up from $KEY_DEVICES" - read \ + read -r \ -n 1 \ - -p "Do you want to reseal a Disk Unlock Key in the TPM [y/N]: " \ + -p "Do you want to reseal a Disk Unlock Key (DUK) in the TPM or change its passphrase [y/N]: " \ change_key_confirm echo + DEBUG "change_key_confirm='$change_key_confirm'" - if [ "$change_key_confirm" = "y" \ - -o "$change_key_confirm" = "Y" ]; then + if [ "$change_key_confirm" = "y" ] || [ "$change_key_confirm" = "Y" ]; then old_lvm_volume_group="" if [ -r "$KEY_LVM" ]; then - old_lvm_volume_group=$(cat $KEY_LVM) || true - old_key_devices=$(cat $KEY_DEVICES | - cut -d\ -f1 | + old_lvm_volume_group=$(cat "$KEY_LVM") || true + old_key_devices=$(cut -d\ -f1 < "$KEY_DEVICES" | grep -v "$old_lvm_volume_group" | xargs) || true else - old_key_devices=$(cat $KEY_DEVICES | - cut -d\ -f1 | xargs) || true + old_key_devices=$(cut -d\ -f1 < "$KEY_DEVICES" | xargs) || true fi lvm_suggest="$old_lvm_volume_group" 
@@ -219,26 +244,26 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [ fi else DEBUG "No previous LUKS TPM Disk Unlock Key was set up, confirming to add a Disk Unlock Key (DUK) to the TPM" - read \ + read -r \ -n 1 \ - -p "Do you wish to add a disk encryption key to the TPM [y/N]: " \ + -p "Do you wish to seal a Disk Unlock Key (DUK) in the TPM with a passphrase that will be asked prior of every default boot [y/N]: " \ add_key_confirm - #TODO: still not convinced: disk encryption key? decryption key? everywhere TPM Disk Unlock Key. Confusing even more? echo + DEBUG "add_key_confirm='$add_key_confirm'" - if [ "$add_key_confirm" = "y" \ - -o "$add_key_confirm" = "Y" ]; then + if [ "$add_key_confirm" = "y" ] || [ "$add_key_confirm" = "Y" ]; then DEBUG "User confirmed desire to add a Disk Unlock Key (DUK) to the TPM" save_key="y" fi fi if [ "$save_key" = "y" ]; then + DEBUG "save_key requested; lvm_volume_group='$lvm_volume_group' key_devices='$key_devices'" if [ -n "$old_key_devices" ] || [ -n "$old_lvm_volume_group" ]; then - DEBUG "Previous LUKS TPM Disk Unlock Key was set up for $old_key_devices $old_lvm_volume_group" - read \ + DEBUG "Previous LUKS TPM Disk Unlock Key (DUK) was set up for $old_key_devices $old_lvm_volume_group" + read -r \ -n 1 \ - -p "Do you want to reuse configured Encrypted LVM groups/Block devices? (Y/n):" \ + -p "Do you want to reuse configured Encrypted LVM groups/Block devices $old_key_devices [Y/n]:" \ reuse_past_devices echo if [ "$reuse_past_devices" = "y" ] || [ "$reuse_past_devices" = "Y" ] || [ -z "$reuse_past_devices" ]; then 
@@ -263,16 +288,19 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [ else save_key_params="$save_key_params $key_devices" fi - kexec-save-key $save_key_params || - die "Failed to save the LUKS TPM Disk Unlock Key" + DEBUG "kexec-save-default: running kexec-save-key.sh $save_key_params" + # shellcheck disable=SC2086 + kexec-save-key.sh $save_key_params || + die "Failed to save the LUKS TPM Disk Unlock Key (DUK)" fi fi # try to switch to rw mode -mount -o rw,remount $paramsdev +mount -o rw,remount "$paramsdev" || + die "Failed to remount $paramsdev as read-write" -if [ ! -d $paramsdir ]; then - mkdir -p $paramsdir || +if [ ! -d "$paramsdir" ]; then + mkdir -p "$paramsdir" || die "Failed to create params directory" fi @@ -287,13 +315,17 @@ if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then fi fi -rm $paramsdir/kexec_default.*.txt 2>/dev/null || true -echo "$entry" >$ENTRY_FILE +rm "$paramsdir"/kexec_default.*.txt 2>/dev/null || true +echo "$entry" >"$ENTRY_FILE" + +DEBUG "kexec-save-default: generating hashes for entry $ENTRY_FILE" ( - cd $bootdir && kexec-boot -b "$bootdir" -e "$entry" -f | - xargs sha256sum >$HASH_FILE + cd "$bootdir" && kexec-boot.sh -b "$bootdir" -e "$entry" -f | + xargs sha256sum >"$HASH_FILE" ) || die "Failed to create hashes of boot files" -if [ ! -r $ENTRY_FILE -o ! -r $HASH_FILE ]; then + +DEBUG "kexec-save-default: hash generation complete" +if [ ! -r "$ENTRY_FILE" ] || [ ! -r "$HASH_FILE" ]; then die "Failed to write default config" fi 
@@ -302,35 +334,51 @@ if [ "$save_key" = "y" ]; then initrd_decompressed="/tmp/initrd_extract" mkdir -p "$initrd_decompressed" # Get initrd filename selected to be default initrd that OS could be using to configure LUKS on boot by deploying crypttab files - current_default_initrd=$(cat /boot/kexec_default_hashes.txt | grep initr | awk -F " " {'print $NF'} | sed 's/\.\//\/boot\//g') + DEBUG "kexec-save-default: locating initrd for entry via kexec-boot.sh -i" + DEBUG "kexec-save-default: entry='$entry'" + current_default_initrd=$(kexec-boot.sh -b "$bootdir" -e "$entry" -i | head -n 1) || + die "Failed to locate initrd via kexec-boot.sh" + DEBUG "kexec-save-default: initrd from kexec-boot.sh: '$current_default_initrd'" + + if [ -z "$current_default_initrd" ]; then + DEBUG "kexec-save-default: falling back to /boot/kexec_default_hashes.txt lookup" + current_default_initrd=$(grep -E 'initrd|initramfs' /boot/kexec_default_hashes.txt | awk '{print $NF}' | sed 's/\.\//\/boot\//g' | head -n 1) || + die "Failed to find initrd in /boot/kexec_default_hashes.txt" + DEBUG "kexec-save-default: initrd from hashes: '$current_default_initrd'" + fi + + if [ -z "$current_default_initrd" ]; then + die "Extracted initrd path is empty from /boot/kexec_default_hashes.txt" + fi echo "+++ Extracting current selected default boot's $current_default_initrd to find crypttab files..." - unpack_initramfs.sh "$current_default_initrd" "$initrd_decompressed" + unpack_initramfs.sh "$current_default_initrd" "$initrd_decompressed" || + die "Failed to extract initramfs from $current_default_initrd" crypttab_files=$(find "$initrd_decompressed" | grep crypttab 2>/dev/null) || true - if [ ! 
-z "$crypttab_files" ]; then + if [ -n "$crypttab_files" ]; then DEBUG "Found crypttab files in $current_default_initrd" - rm -f $bootdir/kexec_initrd_crypttab_overrides.txt || true + rm -f "$bootdir"/kexec_initrd_crypttab_overrides.txt || true #Parsing each crypttab file found - echo "$crypttab_files" | while read crypttab_file; do + echo "$crypttab_files" | while read -r crypttab_file; do # Change crypttab file path to be relative to initrd for string manipulation final_initrd_filepath=${crypttab_file#/tmp/initrd_extract} DEBUG "Final initramfs crypttab path:$final_initrd_filepath" # Keep only non-commented lines for crypttab entries - current_crypttab_entries=$(cat "$crypttab_file" | grep -v "^#") + current_crypttab_entries=$(grep -v "^#" "$crypttab_file") DEBUG "Found initrd crypttab entries $final_initrd_filepath:$current_crypttab_entries" # Modify each retained crypttab line for /secret.key under intramfs to be considered as a keyfile modified_crypttab_entries=$(echo "$current_crypttab_entries" | sed 's/none/\/secret.key/g') DEBUG "Modified crypttab entries $final_initrd_filepath:$modified_crypttab_entries" - echo "$modified_crypttab_entries" | while read modified_crypttab_entry; do - echo "$final_initrd_filepath:$modified_crypttab_entry" >>$bootdir/kexec_initrd_crypttab_overrides.txt + echo "$modified_crypttab_entries" | while read -r modified_crypttab_entry; do + echo "$final_initrd_filepath:$modified_crypttab_entry" >>"$bootdir"/kexec_initrd_crypttab_overrides.txt done done #insert current default boot's initrd crypttab locations into tracking file to be overwritten into initramfs at kexec-inject-key echo "+++ The following OS crypttab file:entry were modified from default boot's initrd:" - cat $bootdir/kexec_initrd_crypttab_overrides.txt + cat "$bootdir"/kexec_initrd_crypttab_overrides.txt echo "+++ Heads added /secret.key in those entries and saved them under $bootdir/kexec_initrd_crypttab_overrides.txt" echo "+++ Those overrides will be part of detached 
signed digests and used to prepare cpio injected at kexec of selected default boot entry." else @@ -353,9 +401,19 @@ if [ "$CONFIG_TPM" = "y" ]; then extparam=-r fi fi +# Save the hash of the TPM2 primary key handle if TPM2 is enabled +if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then + if [ -f /tmp/secret/primary.handle ]; then + sha256sum /tmp/secret/primary.handle > "$paramsdir/kexec_primhdl_hash.txt" || + warn "Failed to save TPM2 primary key handle hash" + fi +fi + if [ "$CONFIG_BASIC" != "y" ]; then - DO_WITH_DEBUG kexec-sign-config -p $paramsdir $extparam || + DO_WITH_DEBUG kexec-sign-config.sh -p "$paramsdir" $extparam || die "Failed to sign default config" fi + # switch back to ro mode -mount -o ro,remount $paramsdev +mount -o ro,remount "$paramsdev" || + die "Failed to remount $paramsdev as read-only" diff --git a/initrd/bin/kexec-save-key b/initrd/bin/kexec-save-key.sh similarity index 66% rename from initrd/bin/kexec-save-key rename to initrd/bin/kexec-save-key.sh index 0fe2373dc..e99277bb9 100755 --- a/initrd/bin/kexec-save-key +++ b/initrd/bin/kexec-save-key.sh @@ -1,11 +1,11 @@ #!/bin/bash # Generate a TPM key used to unlock LUKS disks -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh TRACE_FUNC set -e -o pipefail -. /etc/functions lvm_volume_group="" skip_sign="n" @@ -15,15 +15,16 @@ while getopts "sp:d:l:" arg; do p) paramsdir="$OPTARG" ;; d) paramsdev="$OPTARG" ;; l) lvm_volume_group="$OPTARG" ;; + *) die "Invalid flag: $arg" ;; esac done DEBUG "kexec-save-key prior of parsing: paramsdir: $paramsdir, paramsdev: $paramsdev, lvm_volume_group: $lvm_volume_group" -shift $(expr $OPTIND - 1) -key_devices="$@" +shift "$((OPTIND - 1))" +key_devices=("$@") -DEBUG "kexec-save-key: key_devices: $key_devices" +DEBUG "kexec-save-key: key_devices: ${key_devices[*]}" if [ -z "$paramsdir" ]; then die "Usage: $0 [-s] -p /boot [-l qubes_dom0] [/dev/sda2 /dev/sda5 ...] " 
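Review bot: The fallback initrd lookup reads the literal `/boot/kexec_default_hashes.txt`, although the hashes for this entry were written to `$HASH_FILE` under `$paramsdir` a few lines earlier. When the params directory is not `/boot`, the fallback consults a different and possibly stale file, and the initrd that gets unpacked to look for crypttab files may not belong to the entry being saved. `grep -E 'initrd|initramfs' "$HASH_FILE"` keeps the two in step; the `sed` that prefixes `/boot/` carries the same assumption and would need `$bootdir` instead.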
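Review bot: The new TPM2 block writes the primary-handle hash to a spelled-out `"$paramsdir/kexec_primhdl_hash.txt"` and only calls `warn` on failure, right before `kexec-sign-config.sh -p "$paramsdir"` runs. A failed redirection can leave an empty or stale hash file in the directory that is then signed, so this write should stop the run like the others do: `sha256sum /tmp/secret/primary.handle >"$PRIMHASH_FILE" || die "Failed to save TPM2 primary key handle hash"`, using the `PRIMHASH_FILE` variable the script already defines. An earlier `if [ "$CONFIG_TPM2_TOOLS" = "y" ]` block is visible in the context of a previous hunk; if it already records this hash, the new block is a duplicate and can be dropped.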
@@ -40,40 +41,42 @@ paramsdir="${paramsdir%%/}" DEBUG "kexec-save-key prior of last override: paramsdir: $paramsdir, paramsdev: $paramsdev, lvm_volume_group: $lvm_volume_group" if [ -n "$lvm_volume_group" ]; then - lvm vgchange -a y $lvm_volume_group || + lvm vgchange -a y "$lvm_volume_group" || die "Failed to activate the LVM group" - for dev in /dev/$lvm_volume_group/*; do - key_devices="$key_devices $dev" + for dev in /dev/"$lvm_volume_group"/*; do + key_devices+=("$dev") done fi -if [ -z "$key_devices" ]; then +if [ "${#key_devices[@]}" -eq 0 ]; then die "No devices specified for TPM key insertion" fi # try to switch to rw mode -mount -o rw,remount $paramsdev +mount -o rw,remount "$paramsdev" -rm -f $paramsdir/kexec_key_lvm.txt || true +rm -f "$paramsdir"/kexec_key_lvm.txt || true if [ -n "$lvm_volume_group" ]; then DEBUG "kexec-save-key saving under $paramsdir/kexec_key_lvm.txt : lvm_volume_group: $lvm_volume_group" - echo "$lvm_volume_group" >$paramsdir/kexec_key_lvm.txt || + echo "$lvm_volume_group" >"$paramsdir"/kexec_key_lvm.txt || die "Failed to write lvm group to key config " fi -rm -f $paramsdir/kexec_key_devices.txt || true -for dev in $key_devices; do +rm -f "$paramsdir"/kexec_key_devices.txt || true +for dev in "${key_devices[@]}"; do DEBUG "Getting UUID for $dev" uuid=$(cryptsetup luksUUID "$dev" 2>/dev/null) || die "Failed to get UUID for device $dev" DEBUG "Saving under $paramsdir/kexec_key_devices.txt : dev: $dev, uuid: $uuid" - echo "$dev $uuid" >>$paramsdir/kexec_key_devices.txt || + echo "$dev $uuid" >>"$paramsdir"/kexec_key_devices.txt || die "Failed to add $dev:$uuid to key devices config" done -kexec-seal-key $paramsdir || +kexec-seal-key.sh "$paramsdir" || die "Failed to save and generate LUKS TPM Disk Unlock Key" +DEBUG "kexec-save-key: kexec-seal-key.sh completed" + if [ "$skip_sign" != "y" ]; then extparam= if [ "$CONFIG_IGNORE_ROLLBACK" != "y" ]; then 
@@ -81,9 +84,11 @@ if [ "$skip_sign" != "y" ]; then extparam=-r fi # sign and auto-roll config counter - DO_WITH_DEBUG kexec-sign-config -p $paramsdir $extparam || + DEBUG "kexec-save-key: signing updated config" + kexec-sign-config.sh -p "$paramsdir" "$extparam" || die "Failed to sign updated config" + DEBUG "kexec-save-key: kexec-sign-config.sh completed" fi # switch back to ro mode -mount -o ro,remount $paramsdev +mount -o ro,remount "$paramsdev" diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key.sh similarity index 79% rename from initrd/bin/kexec-seal-key rename to initrd/bin/kexec-seal-key.sh index 39b8c9e85..6ce5557db 100755 --- a/initrd/bin/kexec-seal-key +++ b/initrd/bin/kexec-seal-key.sh @@ -3,7 +3,10 @@ # with the current PCRs and then store it in the TPM NVRAM. # It will then need to be bundled into initrd that is booted. set -e -o pipefail -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +# Note: For shellcheck and runtime, sourced files are under initrd/etc. +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh find_drk_key_slot() { local temp_drk_key_slot="" @@ -26,10 +29,11 @@ find_drk_key_slot() { TPM_INDEX=3 TPM_SIZE=312 DUK_KEY_FILE="/tmp/secret/secret.key" -TPM_SEALED="/tmp/secret/secret.sealed" DISK_RECOVERY_KEY_FILE="/tmp/secret/recovery.key" -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh +# shellcheck disable=SC1091 . /tmp/config TRACE_FUNC @@ -41,7 +45,7 @@ fi KEY_DEVICES="$paramsdir/kexec_key_devices.txt" KEY_LVM="$paramsdir/kexec_key_lvm.txt" -key_devices=$(cat "$KEY_DEVICES" | cut -d\ -f1 | tr '\n' ' ') +key_devices=$(cut -d\ -f1 "$KEY_DEVICES" | tr '\n' ' ') if [ ! -r "$KEY_DEVICES" ]; then die "No devices defined for disk encryption" 
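Review bot: `kexec-sign-config.sh -p "$paramsdir" "$extparam"` now always passes a third argument, and `extparam` is initialised empty and set to `-r` only in some configurations, so otherwise the signer receives an empty-string argument. kexec-save-default.sh in this same diff keeps `$extparam` unquoted for that reason; here `${extparam:+"$extparam"}` satisfies ShellCheck without the stray argument. The call also lost its `DO_WITH_DEBUG` wrapper while the sibling script kept it, which may be unintentional.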
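Review bot: In kexec-seal-key.sh, `key_devices=$(cut -d\ -f1 "$KEY_DEVICES" | tr '\n' ' ')` reads the file before the `[ ! -r "$KEY_DEVICES" ]` test that follows it. Under the script's `set -e -o pipefail` a missing or unreadable file makes the assignment fail and the script exit on cut's error, so the intended `die "No devices defined for disk encryption"` message is never shown. Moving the readability test above the assignment fixes the ordering; the test's closing `fi` lies outside the hunk.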
@@ -51,12 +55,12 @@ fi if [ -r "$KEY_LVM" ]; then # Activate the LVM volume group - VOLUME_GROUP=$(cat $KEY_LVM) + VOLUME_GROUP=$(cat "$KEY_LVM") if [ -z "$VOLUME_GROUP" ]; then die "No LVM volume group defined for activation" fi - lvm vgchange -a y $VOLUME_GROUP || - die "$VOLUME_GROUP: unable to activate volume group" + lvm vgchange -a y "$VOLUME_GROUP" || + die "$VOLUME_GROUP: unable to activate volume group" else DEBUG "No LVM volume group defined for activation" fi @@ -69,6 +73,7 @@ attempts=0 # Ask for the DRK passphrase first, before testing any devices while [ $attempts -lt 3 ] && [ $luks_drk_passphrase_valid -eq 0 ]; do + TRACE_FUNC read -r -s -p $'\nEnter LUKS Disk Recovery Key (DRK) passphrase that can unlock '"$key_devices"': ' disk_recovery_key_passphrase echo echo -n "$disk_recovery_key_passphrase" >"$DISK_RECOVERY_KEY_FILE" @@ -78,7 +83,7 @@ while [ $attempts -lt 3 ] && [ $luks_drk_passphrase_valid -eq 0 ]; do for dev in $key_devices; do DEBUG "Testing $DISK_RECOVERY_KEY_FILE keyfile against $dev" - if ! cryptsetup open $dev --test-passphrase --key-file "$DISK_RECOVERY_KEY_FILE" >/dev/null 2>&1; then + if ! cryptsetup open "$dev" --test-passphrase --key-file "$DISK_RECOVERY_KEY_FILE" >/dev/null 2>&1; then warn "Failed to unlock LUKS device $dev with the provided passphrase." all_devices_unlocked=0 break @@ -103,6 +108,7 @@ done MIN_PASSPHRASE_LENGTH=12 attempts=0 while [ $attempts -lt 3 ]; do + TRACE_FUNC read -r -s -p $'\nNew LUKS TPM Disk Unlock Key (DUK) passphrase for booting (minimum '"$MIN_PASSPHRASE_LENGTH"' characters): ' key_password echo if [ ${#key_password} -lt $MIN_PASSPHRASE_LENGTH ]; then 
@@ -170,7 +176,7 @@ for dev in $key_devices; do drk_key_slot="-1" # Get all the key slots that are used on $dev - luks_used_keyslots=($(cryptsetup luksDump "$dev" | grep -E "$regex" | sed "$sed_command")) + read -r -a luks_used_keyslots <<< "$(cryptsetup luksDump "$dev" | grep -E "$regex" | sed "$sed_command")" DEBUG "$dev LUKS key slots: ${luks_used_keyslots[*]}" #Find the key slot that can be unlocked with the provided passphrase 
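Review bot: `read -r -a luks_used_keyslots <<< "$(…)"` stops at the first newline, so if the `grep | sed` pipeline prints one key slot per line the array now holds only the first slot, where the old `luks_used_keyslots=($(…))` collected all of them. One slot per line is likely for filtered `luksDump` output, but `$regex` and `$sed_command` are defined outside the hunk, so confirm. The wipe loop in the next hunk iterates over this array, so it would skip the remaining slots and leave old key slots enabled on the device. `mapfile -t luks_used_keyslots < <(cryptsetup luksDump "$dev" | grep -E "$regex" | sed "$sed_command")` keeps the ShellCheck fix and reads every line.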
@@ -210,51 +216,65 @@ for dev in $key_devices; do echo "++++++ $dev: Wiping LUKS key slot $keyslot" DO_WITH_DEBUG cryptsetup luksKillSlot \ --key-file "$DISK_RECOVERY_KEY_FILE" \ - $dev $keyslot || + "$dev" "$keyslot" || warn "$dev: removal of LUKS slot $keyslot failed: Continuing" fi fi done + # Wipe the DUK slot if it's not the DRK slot + if [ "$duk_keyslot" != "$drk_key_slot" ]; then + if [[ " ${luks_used_keyslots[*]} " =~ $duk_keyslot ]]; then + # Slot is ENABLED, should be wiped by the loop above + : + else + DEBUG "$dev: DUK slot $duk_keyslot is not ENABLED, attempting to wipe anyway" + fi + DO_WITH_DEBUG cryptsetup luksKillSlot \ + --key-file "$DISK_RECOVERY_KEY_FILE" \ + "$dev" "$duk_keyslot" || + true # Ignore failure, as slot may not exist + fi + echo "++++++ $dev: Adding LUKS TPM Disk Unlock Key to LUKS key slot $duk_keyslot" - DO_WITH_DEBUG cryptsetup luksAddKey \ - --key-file "$DISK_RECOVERY_KEY_FILE" \ - --new-key-slot $duk_keyslot \ - $dev "$DUK_KEY_FILE" || - die "$dev: Unable to add LUKS TPM Disk Unlock Key to LUKS key slot $duk_keyslot" + DO_WITH_DEBUG cryptsetup luksAddKey \ + --key-file "$DISK_RECOVERY_KEY_FILE" \ + --new-key-slot "$duk_keyslot" \ + "$dev" "$DUK_KEY_FILE" || + die "$dev: Unable to add LUKS TPM Disk Unlock Key to LUKS key slot $duk_keyslot" done # Now that we have setup the new keys, measure the PCRs # We don't care what ends up in PCR 6; we just want # to get the /tmp/luksDump.txt file. We use PCR16 # since it should still be zero -echo "$key_devices" | xargs /bin/qubes-measure-luks || +echo "$key_devices" | xargs /bin/qubes-measure-luks.sh || die "Unable to measure the LUKS headers" pcrf="/tmp/secret/pcrf.bin" -tpmr pcrread 0 "$pcrf" -tpmr pcrread -a 1 "$pcrf" -tpmr pcrread -a 2 "$pcrf" -tpmr pcrread -a 3 "$pcrf" +tpmr.sh pcrread 0 "$pcrf" +tpmr.sh pcrread -a 1 "$pcrf" +tpmr.sh pcrread -a 2 "$pcrf" +tpmr.sh pcrread -a 3 "$pcrf" # Note that PCR 4 needs to be set with the "normal-boot" path value, read it from event log. 
-tpmr calcfuturepcr 4 >>"$pcrf" -if [ "$CONFIG_USER_USB_KEYBOARD" = "y" -o -r /lib/modules/libata.ko -o -x /bin/hotp_verification ]; then +tpmr.sh calcfuturepcr 4 >>"$pcrf" +if [ "$CONFIG_USER_USB_KEYBOARD" = "y" ] || [ -r /lib/modules/libata.ko ] || [ -x /bin/hotp_verification ]; then DEBUG "Sealing LUKS TPM Disk Unlock Key with PCR5 involvement (additional kernel modules are loaded per board config)..." # Here, we take pcr 5 into consideration if modules are expected to be measured+loaded - tpmr pcrread -a 5 "$pcrf" + tpmr.sh pcrread -a 5 "$pcrf" else DEBUG "Sealing LUKS TPM Disk Unlock Key with PCR5=0 (NO additional kernel modules are loaded per board config)..." #no kernel modules are expected to be measured+loaded - tpmr calcfuturepcr 5 >>"$pcrf" + tpmr.sh calcfuturepcr 5 >>"$pcrf" fi # Precompute the value for pcr 6 DEBUG "Precomputing TPM future value for PCR6 sealing/unsealing of LUKS TPM Disk Unlock Key..." -tpmr calcfuturepcr 6 "/tmp/luksDump.txt" >>"$pcrf" +tpmr.sh calcfuturepcr 6 "/tmp/luksDump.txt" >>"$pcrf" # We take into consideration user files in cbfs -tpmr pcrread -a 7 "$pcrf" +tpmr.sh pcrread -a 7 "$pcrf" DO_WITH_DEBUG --mask-position 7 \ - tpmr seal "$DUK_KEY_FILE" "$TPM_INDEX" 0,1,2,3,4,5,6,7 "$pcrf" \ + tpmr.sh seal "$DUK_KEY_FILE" "$TPM_INDEX" 0,1,2,3,4,5,6,7 "$pcrf" \ "$TPM_SIZE" "$key_password" || die "Unable to write LUKS TPM Disk Unlock Key to NVRAM" # should be okay if this fails 
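Review bot: In the new DUK-slot block, `[[ " ${luks_used_keyslots[*]} " =~ $duk_keyslot ]]` is an unanchored regex match, so slot `1` also matches a list that only contains `10` or `11`. `[[ " ${luks_used_keyslots[*]} " == *" $duk_keyslot "* ]]` tests for the exact slot. The test only selects a DEBUG message, though: `luksKillSlot` on `"$duk_keyslot"` runs in both branches and `|| true` discards every failure, not only "slot does not exist". A comment such as `# Always try to free the DUK slot; luksAddKey below dies if the slot is still occupied` would state that intent. The enclosing `for dev in $key_devices` loop starts outside the hunk.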
@@ -263,7 +283,7 @@ shred -n 10 -z -u "$pcrf" 2>/dev/null || shred -n 10 -z -u "$DUK_KEY_FILE" 2>/dev/null || warn "Failed to delete key file - continuing" -mount -o rw,remount $paramsdir || warn "Failed to remount $paramsdir in RW - continuing" +mount -o rw,remount "$paramsdir" || warn "Failed to remount $paramsdir in RW - continuing" cp -f /tmp/luksDump.txt "$paramsdir/kexec_lukshdr_hash.txt" || warn "Failed to copy LUKS header hashes to /boot - continuing" -mount -o ro,remount $paramsdir || warn "Failed to remount $paramsdir in RO - continuing" +mount -o ro,remount "$paramsdir" || warn "Failed to remount $paramsdir in RO - continuing" diff --git a/initrd/bin/kexec-select-boot b/initrd/bin/kexec-select-boot.sh similarity index 75% rename from initrd/bin/kexec-select-boot rename to initrd/bin/kexec-select-boot.sh index 405713934..f4e9ae6ee 100755 --- a/initrd/bin/kexec-select-boot +++ b/initrd/bin/kexec-select-boot.sh @@ -1,9 +1,12 @@ #!/bin/bash # Generic configurable boot script via kexec set -e -o pipefail -. /tmp/config -. /etc/functions -. /etc/gui_functions + # shellcheck disable=SC1091 + . /tmp/config +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh +# shellcheck source=initrd/etc/gui_functions.sh +. /etc/gui_functions.sh TRACE_FUNC @@ -39,6 +42,7 @@ while getopts "b:d:p:a:r:c:uimgfs" arg; do valid_rollback="y" ;; s) skip_confirm="y" ;; + *) die "Invalid option: $arg" ;; esac done @@ -69,7 +73,7 @@ if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then warn "your system may have been compromised" DEBUG "Hash of TPM2 primary key handle mismatched for $PRIMHASH_FILE" DEBUG "Contents of $PRIMHASH_FILE:" - DEBUG "$(cat $PRIMHASH_FILE)" + DEBUG "$(cat "$PRIMHASH_FILE")" } else warn "Hash of TPM2 primary key handle does not exist" @@ -82,6 +86,7 @@ if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then fi verify_global_hashes() { + TRACE_FUNC INFO "+++ Checking verified boot hash file " # Check the hashes of all the files if verify_checksums "$bootdir" "$gui_menu"; then 
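Review bot: The new `*) die "Invalid option: $arg" ;;` arm in kexec-select-boot.sh always prints `Invalid option: ?`. The option string `"b:d:p:a:r:c:uimgfs"` has no leading colon, so getopts sets `arg` to `?` for any unknown flag or missing argument. Either reword it as `*) die "Invalid or incomplete option (see getopts message above)" ;;`, or switch getopts to silent mode with a leading `:` and report `-$OPTARG`. The `case` statement starts outside the hunk.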
@@ -123,10 +128,10 @@ verify_rollback_counter() { die "$TMP_ROLLBACK_FILE: TPM counter not found. Please reset TPM through the Heads menu: Options -> TPM/TOTP/HOTP Options -> Reset the TPM" fi - read_tpm_counter $TPM_COUNTER >/dev/null 2>&1 || + read_tpm_counter "$TPM_COUNTER" >/dev/null 2>&1 || die "Failed to read TPM counter. Please reset TPM through the Heads menu: Options -> TPM/TOTP/HOTP Options -> Reset the TPM" - sha256sum -c $TMP_ROLLBACK_FILE >/dev/null 2>&1 || + sha256sum -c "$TMP_ROLLBACK_FILE" >/dev/null 2>&1 || die "Invalid TPM counter state. Please reset TPM through the Heads menu: Options -> TPM/TOTP/HOTP Options -> Reset the TPM" valid_rollback="y" @@ -134,39 +139,41 @@ verify_rollback_counter() { first_menu="y" get_menu_option() { - num_options=$(cat $TMP_MENU_FILE | wc -l) - if [ $num_options -eq 0 ]; then + TRACE_FUNC + num_options=$(wc -l < "$TMP_MENU_FILE") + if [ "$num_options" -eq 0 ]; then die "No boot options" fi - if [ $num_options -eq 1 -a $first_menu = "y" ]; then + if [ "$num_options" -eq 1 ] && [ "$first_menu" = "y" ]; then option_index=1 elif [ "$gui_menu" = "y" ]; then MENU_OPTIONS="" n=0 - while read option; do + while read -r option; do parse_option - n=$(expr $n + 1) - name=$(echo $name | tr " " "_") + n=$((n + 1)) + name=$(echo "$name" | tr " " "_") MENU_OPTIONS="$MENU_OPTIONS $n ${name} " done <$TMP_MENU_FILE + # shellcheck disable=SC2086 whiptail --title "Select your boot option" \ --menu "Choose the boot option [1-$n, a to abort]:" 0 80 8 \ - -- $MENU_OPTIONS \ + $MENU_OPTIONS \ 2>/tmp/whiptail || die "Aborting boot attempt" option_index=$(cat /tmp/whiptail) else echo "+++ Select your boot option:" n=0 - while read option; do + while read -r option; do parse_option - n=$(expr $n + 1) + n=$((n + 1)) echo "$n. $name [$kernel]" done <$TMP_MENU_FILE - read \ + read -r \ -p "Choose the boot option [1-$n, a to abort]: " \ option_index 
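Review bot: The rewritten whiptail call in get_menu_option drops the `--` that used to precede `$MENU_OPTIONS`, so an entry whose name begins with `-` is now parsed as a whiptail option instead of a menu item. The names are read from `$TMP_MENU_FILE` through parse_option and presumably come from the boot configuration on disk. The other whiptail menus touched by this commit keep the separator. Restore the line as `-- $MENU_OPTIONS \` under the new `# shellcheck disable=SC2086`. The two `done <$TMP_MENU_FILE` redirects in this hunk are also still unquoted, unlike the rest of the function.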
@@ -176,25 +183,26 @@ get_menu_option() { fi first_menu="n" - option=$(head -n $option_index $TMP_MENU_FILE | tail -1) + option=$(head -n "$option_index" "$TMP_MENU_FILE" | tail -1) parse_option } confirm_menu_option() { + TRACE_FUNC if [ "$gui_menu" = "y" ]; then default_text="Make default" [[ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" = "y" ]] && default_text="${default_text} and boot" whiptail_warning --title "Confirm boot details" \ - --menu "Confirm the boot details for $name:\n\n$(echo $kernel | fold -s -w 80) \n\n" 0 80 8 \ + --menu "Confirm the boot details for $name:\n\n$(echo "$kernel" | fold -s -w 80) \n\n" 0 80 8 \ -- 'd' "${default_text}" 'y' "Boot one time" \ 2>/tmp/whiptail || die "Aborting boot attempt" option_confirm=$(cat /tmp/whiptail) else echo "+++ Please confirm the boot details for $name:" - echo $option + echo "$option" - read \ + read -r \ -n 1 \ -p "Confirm selection by pressing 'y', make default with 'd': " \ option_confirm @@ -203,11 +211,13 @@ confirm_menu_option() { } parse_option() { - name=$(echo $option | cut -d\| -f1) - kernel=$(echo $option | cut -d\| -f3) + TRACE_FUNC + name=$(echo "$option" | cut -d\| -f1) + kernel=$(echo "$option" | cut -d\| -f3) } scan_options() { + TRACE_FUNC INFO "+++ Scanning for unsigned boot options" option_file="/tmp/kexec_options.txt" scan_boot_options "$bootdir" "$config" "$option_file" @@ -222,8 +232,10 @@ scan_options() { } save_default_option() { + TRACE_FUNC + option_confirm="n" if [ "$gui_menu" != "y" ]; then - read \ + read -r \ -n 1 \ -p "Saving a default will modify the disk. Proceed? (Y/n): " \ default_confirm 
@@ -231,8 +243,10 @@ save_default_option() { fi [ "$default_confirm" = "" ] && default_confirm="y" + DEBUG "save_default_option: default_confirm='$default_confirm'" if [[ "$default_confirm" = "y" || "$default_confirm" = "Y" ]]; then - if kexec-save-default \ + DEBUG "save_default_option: invoking kexec-save-default.sh" + if kexec-save-default.sh \ -b "$bootdir" \ -d "$paramsdev" \ -p "$paramsdir" \ @@ -242,24 +256,25 @@ save_default_option() { default_failed="n" force_menu="n" + option_confirm="d" return else + DEBUG "save_default_option: kexec-save-default.sh failed with status $?" echo "Failed to save defaults" fi fi - - option_confirm="n" } default_select() { + TRACE_FUNC # Attempt boot with expected parameters # Check that entry matches that which is expected from menu default_index=$(basename "$TMP_DEFAULT_FILE" | cut -d. -f 2) # Check to see if entries have changed - useful for detecting grub update - expectedoption=$(cat $TMP_DEFAULT_FILE) - option=$(head -n $default_index $TMP_MENU_FILE | tail -1) + expectedoption=$(cat "$TMP_DEFAULT_FILE") + option=$(head -n "$default_index" "$TMP_MENU_FILE" | tail -1) if [ "$option" != "$expectedoption" ]; then if [ "$gui_menu" = "y" ]; then whiptail_error --title 'ERROR: Boot Entry Has Changed' \ @@ -274,7 +289,7 @@ default_select() { # Enforce that default option hashes are valid INFO "+++ Checking verified default boot hash file " # Check the hashes of all the files - if (cd $bootdir && sha256sum -c "$TMP_DEFAULT_HASH_FILE" >/tmp/hash_output); then + if (cd "$bootdir" && sha256sum -c "$TMP_DEFAULT_HASH_FILE" >/tmp/hash_output); then echo "+++ Verified default boot hashes " valid_hash='y' else 
@@ -291,70 +306,83 @@ default_select() { warn "Failed to boot default option" } +do_boot() { + TRACE_FUNC + # Boot validation checks + DEBUG "do_boot: option_index='$option_index' name='$name'" + if [ "$CONFIG_BASIC" != y ] && [ "$CONFIG_BOOT_REQ_HASH" = "y" ] && [ "$valid_hash" = "n" ]; then + die "!!! Missing required boot hashes" + fi + + if [ "$CONFIG_BASIC" != y ] && [ "$CONFIG_TPM" = "y" ] && [ -r "$TMP_KEY_DEVICES" ]; then + INITRD=$(kexec-boot.sh -b "$bootdir" -e "$option" -i) || + die "!!! Failed to extract the initrd from boot option" + if [ -z "$INITRD" ]; then + die "!!! No initrd file found in boot option" + fi + + kexec-insert-key.sh "$INITRD" || + die "!!! Failed to prepare TPM Disk Unlock Key for boot" + + DEBUG "do_boot: kexec with injected initrd" + kexec-boot.sh -b "$bootdir" -e "$option" \ + -a "$add" -r "$remove" -o "/tmp/secret/initrd.cpio" || + die "!!! Failed to boot w/ options: $option" + else + DEBUG "do_boot: kexec without injected initrd" + kexec-boot.sh -b "$bootdir" -e "$option" -a "$add" -r "$remove" || + die "!!! 
Failed to boot w/ options: $option" + fi +} + user_select() { + TRACE_FUNC # No default expected boot parameters, ask user option_confirm="" - while [ "$option_confirm" != "y" -a "$option_confirm" != "d" ]; do + while [ "$option_confirm" != "y" ] && [ "$option_confirm" != "d" ]; do + DEBUG "user_select: option_confirm='$option_confirm' force_boot='$force_boot' skip_confirm='$skip_confirm'" get_menu_option + DEBUG "user_select: selected option_index='$option_index' name='$name'" # In force boot mode, no need offer the option to set a default, just boot if [[ "$force_boot" = "y" || "$skip_confirm" = "y" ]]; then + DEBUG "user_select: booting without confirmation" do_boot else confirm_menu_option + DEBUG "user_select: option_confirm after confirm='$option_confirm'" fi - if [ "$option_confirm" = 'd' ]; then + if [ "$option_confirm" = "d" ]; then + DEBUG "user_select: saving default for option_index='$option_index'" save_default_option + DEBUG "user_select: option_confirm after save='$option_confirm'" fi done + # After loop, check if we saved a default and decide whether to reboot or boot if [ "$option_confirm" = "d" ]; then + DEBUG "user_select: default saved; TMP_KEY_DEVICES exists=$(test -r "$TMP_KEY_DEVICES" && echo y || echo n)" if [ ! -r "$TMP_KEY_DEVICES" ]; then # continue below to boot the new default option true else NOTE "Rebooting to start the new default option" - reboot + reboot.sh + exit 0 fi fi + DEBUG "user_select: proceeding to do_boot with option_confirm='$option_confirm'" do_boot } -do_boot() { - if [ "$CONFIG_BASIC" != y ] && [ "$CONFIG_BOOT_REQ_ROLLBACK" = "y" ] && [ "$valid_rollback" = "n" ]; then - die "!!! Missing required rollback counter state" - fi - - if [ "$CONFIG_BASIC" != y ] && [ "$CONFIG_BOOT_REQ_HASH" = "y" ] && [ "$valid_hash" = "n" ]; then - die "!!! 
Missing required boot hashes" - fi - - if [ "$CONFIG_BASIC" != y ] && [ "$CONFIG_TPM" = "y" ] && [ -r "$TMP_KEY_DEVICES" ]; then - INITRD=$(kexec-boot -b "$bootdir" -e "$option" -i) || - die "!!! Failed to extract the initrd from boot option" - if [ -z "$INITRD" ]; then - die "!!! No initrd file found in boot option" - fi - - kexec-insert-key $INITRD || - die "!!! Failed to prepare TPM Disk Unlock Key for boot" - - kexec-boot -b "$bootdir" -e "$option" \ - -a "$add" -r "$remove" -o "/tmp/secret/initrd.cpio" || - die "!!! Failed to boot w/ options: $option" - else - kexec-boot -b "$bootdir" -e "$option" -a "$add" -r "$remove" || - die "!!! Failed to boot w/ options: $option" - fi -} - while true; do - if [ "$force_boot" = "y" -o "$CONFIG_BASIC" = "y" ]; then - DO_WITH_DEBUG check_config $paramsdir force + TRACE_FUNC + if [ "$force_boot" = "y" ] || [ "$CONFIG_BASIC" = "y" ]; then + DO_WITH_DEBUG check_config "$paramsdir" force else - DO_WITH_DEBUG check_config $paramsdir + DO_WITH_DEBUG check_config "$paramsdir" fi TMP_DEFAULT_FILE=$(find /tmp/kexec/kexec_default.*.txt 2>/dev/null | head -1) || true TMP_MENU_FILE="/tmp/kexec/kexec_menu.txt" @@ -363,7 +391,6 @@ while true; do TMP_DEFAULT_HASH_FILE="/tmp/kexec/kexec_default_hashes.txt" TMP_ROLLBACK_FILE="/tmp/kexec/kexec_rollback.txt" TMP_KEY_DEVICES="/tmp/kexec/kexec_key_devices.txt" - TMP_KEY_LVM="/tmp/kexec/kexec_key_lvm.txt" # Allow a way for users to ignore warnings and boot into their systems # even if hashes don't match @@ -382,7 +409,7 @@ while true; do # Extend PCR4 as soon as possible TRACE_FUNC INFO "TPM: Extending PCR[4] to prevent further secret unsealing" - tpmr extend -ix 4 -ic generic || + tpmr.sh extend -ix 4 -ic generic || die "Failed to extend TPM PCR[4]" fi fi 
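Review bot: The relocated do_boot no longer contains the `CONFIG_BOOT_REQ_ROLLBACK` guard. The removed body died with `!!! Missing required rollback counter state` when `valid_rollback` was `n`, while the added body goes straight to the `CONFIG_BOOT_REQ_HASH` check. Nothing else visible in this diff reads `valid_rollback`, and the later hunk adds `# shellcheck disable=SC2034` to its assignment, so with `CONFIG_BOOT_REQ_ROLLBACK=y` a boot without a verified TPM counter would no longer be refused unless that is enforced elsewhere. If the removal is not intentional, put the guard back at the top of do_boot: `if [ "$CONFIG_BASIC" != y ] && [ "$CONFIG_BOOT_REQ_ROLLBACK" = "y" ] && [ "$valid_rollback" = "n" ]; then die "!!! Missing required rollback counter state"; fi`, and drop the SC2034 suppression.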
@@ -404,24 +431,28 @@ while true; do fi fi - if [ "$CONFIG_IGNORE_ROLLBACK" != "y" -a -r "$TMP_ROLLBACK_FILE" ]; then + if [ "$CONFIG_IGNORE_ROLLBACK" != "y" ] && [ -r "$TMP_ROLLBACK_FILE" ]; then # in the case of iso boot with a rollback file, do not assume valid + # shellcheck disable=SC2034 valid_rollback="n" verify_rollback_counter fi fi - if [ "$default_failed" != "y" \ - -a "$force_menu" = "n" \ - -a -r "$TMP_DEFAULT_FILE" \ - -a -r "$TMP_DEFAULT_HASH_FILE" ] \ - ; then + if [ "$default_failed" != "y" ] && \ + [ "$force_menu" = "n" ] && \ + [ -r "$TMP_DEFAULT_FILE" ] && \ + [ -r "$TMP_DEFAULT_HASH_FILE" ]; then default_select default_failed="y" else + TRACE_FUNC + DEBUG "About to call user_select" user_select fi + TRACE_FUNC + DEBUG "Loop iteration ended, looping back" done die "!!! Shouldn't get here" diff --git a/initrd/bin/kexec-sign-config b/initrd/bin/kexec-sign-config.sh similarity index 75% rename from initrd/bin/kexec-sign-config rename to initrd/bin/kexec-sign-config.sh index b994a8b51..434f08b83 100755 --- a/initrd/bin/kexec-sign-config +++ b/initrd/bin/kexec-sign-config.sh @@ -1,14 +1,18 @@ #!/bin/bash # Sign a valid directory of kexec params set -e -o pipefail +# shellcheck disable=SC1091 . /tmp/config -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh TRACE_FUNC rollback="n" update="n" while getopts "p:c:ur" arg; do + # SC2220: No default case needed; only valid flags are handled for strict input. + # shellcheck disable=SC2220 case $arg in p) paramsdir="$OPTARG" ;; c) 
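Review bot: The `# shellcheck disable=SC2220` added above `case $arg in` in kexec-sign-config.sh leaves the script ignoring unknown flags. Its comment ("only valid flags are handled for strict input") describes the opposite of what happens: an invalid flag falls through the `case` and signing continues with the default `rollback`/`update` values. kexec-select-boot.sh gets a default arm in this same commit; the same arm here, `*) die "Invalid option" ;;`, makes the suppression unnecessary. The `case` continues outside the hunk.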
@@ -43,15 +47,16 @@ if [ "$update" = "y" ]; then find ./ -type f ! -path './kexec*' -print0 | xargs -0 sha256sum >/boot/kexec_hashes.txt if [ -e /boot/kexec_default_hashes.txt ]; then DEBUG "/boot/kexec_default_hashes.txt exists, updating /boot/kexec_default_hashes.txt" - DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ') + DEFAULT_FILES=$(cut -f3 -d ' ' /boot/kexec_default_hashes.txt) + # SC2086: DEFAULT_FILES is intentionally unquoted to allow for option expansion. + # shellcheck disable=SC2086 echo $DEFAULT_FILES | xargs sha256sum >/boot/kexec_default_hashes.txt fi #also save the file & directory structure to detect added files print_tree >/boot/kexec_tree.txt TRACE_FUNC - ) - [ $? -eq 0 ] || die "$paramsdir: Failed to update hashes." + ) || die "$paramsdir: Failed to update hashes." # Remove any package trigger log files # We don't need them after the user decides to sign @@ -81,7 +86,7 @@ if [ "$rollback" = "y" ]; then DEBUG "rollback=y: Found TPM counter $TPM_COUNTER in rollback file $rollback_file" else DEBUG "Rollback file $rollback_file does not exist. Creating new TPM counter." - DO_WITH_DEBUG check_tpm_counter $rollback_file || + DO_WITH_DEBUG check_tpm_counter "$rollback_file" || die "$paramsdir: Unable to find/create tpm counter" TRACE_FUNC @@ -94,7 +99,7 @@ if [ "$rollback" = "y" ]; then # Increment the TPM counter DEBUG "rollback=y: Incrementing counter $TPM_COUNTER." - increment_tpm_counter $TPM_COUNTER >/dev/null 2>&1 || + increment_tpm_counter "$TPM_COUNTER" >/dev/null 2>&1 || die "$paramsdir: Unable to increment tpm counter" # Ensure the incremented counter file exists 
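Review bot: Replacing `)` plus `[ $? -eq 0 ] || die` with `) || die "$paramsdir: Failed to update hashes."` puts the whole subshell on the left of `||`, where bash ignores `set -e` for every command inside it. A failing `find ... | xargs -0 sha256sum >/boot/kexec_hashes.txt` or `xargs sha256sum >/boot/kexec_default_hashes.txt` therefore no longer stops the update. Only the status of the last command, `TRACE_FUNC`, reaches `|| die`, so the script can go on to sign incomplete hash files. Add explicit handling on the steps that matter, e.g. `... | xargs -0 sha256sum >/boot/kexec_hashes.txt || exit 1` and `print_tree >/boot/kexec_tree.txt || exit 1`. The subshell opens outside the hunk.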
@@ -108,23 +113,29 @@ if [ "$rollback" = "y" ]; then DEBUG "TPM counter file '$incremented_counter_file' found." # Create the rollback file - sha256sum "$incremented_counter_file" >$rollback_file || + sha256sum "$incremented_counter_file" >"$rollback_file" || die "$paramsdir: Unable to create rollback file" fi TRACE_FUNC -param_files=$(find $paramsdir/kexec*.txt) +param_files=$(find "$paramsdir"/kexec*.txt) +DEBUG "Param files to sign: $param_files" if [ -z "$param_files" ]; then die "$paramsdir: No kexec parameter files to sign" fi -for tries in 1 2 3; do + # SC2034: tries is intentionally unused for compatibility with legacy scripts. + # shellcheck disable=SC2034 + for tries in 1 2 3; do confirm_gpg_card TRACE_FUNC - if DO_WITH_DEBUG sha256sum $param_files | gpg --detach-sign -a >$paramsdir/kexec.sig; then + # SC2046: Command substitution intentionally unquoted for argument expansion. + # SC2086: param_files is intentionally unquoted to allow for option expansion. + # shellcheck disable=SC2046,SC2086 + if DO_WITH_DEBUG sha256sum $param_files | gpg --detach-sign >"$paramsdir"/kexec.sig; then # successful - update the validated params - check_config $paramsdir + check_config "$paramsdir" # remount /boot as ro mount -o remount,ro /boot diff --git a/initrd/bin/kexec-unseal-key b/initrd/bin/kexec-unseal-key.sh similarity index 65% rename from initrd/bin/kexec-unseal-key rename to initrd/bin/kexec-unseal-key.sh index 12b22c266..868659d4d 100755 --- a/initrd/bin/kexec-unseal-key +++ b/initrd/bin/kexec-unseal-key.sh 
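Review bot: The signing line changes `gpg --detach-sign -a` to `gpg --detach-sign`, so `kexec.sig` switches from an ASCII-armored to a binary signature in a commit that is otherwise quoting and ShellCheck cleanup. If that is not intended, keep the flag: `if DO_WITH_DEBUG sha256sum $param_files | gpg --detach-sign -a >"$paramsdir"/kexec.sig; then`. If it is intended, state it in the commit message and confirm the verification path accepts the new format. The suppression comments also misdescribe the code: `$param_files` is left unquoted so it splits into one argument per file, not for "option expansion". If the loop body outside the hunk does not use `tries`, `for _ in 1 2 3; do` (as done in kexec-unseal-key.sh) removes the need for the SC2034 suppression.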
@@ -3,15 +3,32 @@ # The TOTP secret will be shown to the user on each encryption attempt. # It will then need to be bundled into initrd that is booted with Qubes. set -e -o pipefail -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh TPM_INDEX=3 TPM_SIZE=312 -. /etc/functions - TRACE_FUNC +# Verify TPM primary handle early to provide clear errors for disk-unseal flows +if [ "$CONFIG_TPM" = "y" ]; then + if ! tpmr.sh verify-primary >/dev/null 2>&1; then + rc=$? + case "$rc" in + 2) + die "No TPM primary handle. Unseal aborted" + ;; + 3) + die "TPM primary handle hash mismatch. Unseal aborted" + ;; + *) + die "TPM primary handle verification failed (code $rc)" + ;; + esac + fi +fi + mkdir -p /tmp/secret key_file="$1" @@ -25,7 +42,7 @@ DEBUG "CONFIG_TPM2_TOOLS: $CONFIG_TPM2_TOOLS" DEBUG "Show PCRs" DEBUG "$(pcrs)" -for tries in 1 2 3; do +for _ in 1 2 3; do # Show updating timestamp/TOTP until user presses Esc to continue to the # passphrase prompt. This gives the user context while they prepare to # type the LUKS passphrase. @@ -38,7 +55,7 @@ for tries in 1 2 3; do fi if DO_WITH_DEBUG --mask-position 6 \ - tpmr unseal "$TPM_INDEX" "0,1,2,3,4,5,6,7" "$TPM_SIZE" \ + tpmr.sh unseal "$TPM_INDEX" "0,1,2,3,4,5,6,7" "$TPM_SIZE" \ "$key_file" "$tpm_password"; then exit 0 fi diff --git a/initrd/bin/key-init b/initrd/bin/key-init.sh similarity index 70% rename from initrd/bin/key-init rename to initrd/bin/key-init.sh index 3213a9d43..d3c9aa622 100755 --- a/initrd/bin/key-init +++ b/initrd/bin/key-init.sh @@ -1,7 +1,9 @@ #!/bin/bash set -e -o pipefail -. /etc/functions -. /etc/gui_functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh +# shellcheck source=initrd/etc/gui_functions.sh +. /etc/gui_functions.sh TRACE_FUNC 
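Review bot: `rc=$?` inside `if ! tpmr.sh verify-primary >/dev/null 2>&1; then` captures the status of the negated command, which is always 0 in that branch. The `2)` and `3)` arms are therefore unreachable, and every failure reports `TPM primary handle verification failed (code 0)`. Capture the status before testing it: `rc=0; tpmr.sh verify-primary >/dev/null 2>&1 || rc=$?` followed by `if [ "$rc" -ne 0 ]; then`. That form also keeps `set -e` from aborting on the failing call before the message is printed.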
@@ -19,17 +21,22 @@ fi # Import user's keys if they exist if [ -d /.gnupg/keys ]; then - # This is legacy location for user's keys. cbfs-init takes for granted that keyring and trustdb are in /.gnupg - # oem-factory-reset generates keyring and trustdb which cbfs-init dumps to /.gnupg + # This is legacy location for user's keys. cbfs-init.sh takes for granted that keyring and trustdb are in /.gnupg + # oem-factory-reset.sh generates keyring and trustdb which cbfs-init.sh dumps to /.gnupg # TODO: Remove individual key imports. This is still valid for distro keys only below. + DEBUG "Importing user's keys from /.gnupg/keys/*.key under /.gnupg user's keyring" gpg --import /.gnupg/keys/*.key /.gnupg/keys/*.asc 2>/dev/null || warn "Importing user's keys failed" +else + DEBUG "No /.gnupg/keys directory found" fi # Import trusted distro keys allowed for ISO signing +DEBUG "Importing distro keys from /etc/distro/keys/ under /etc/distro/ keyring" gpg --homedir=/etc/distro/ --import /etc/distro/keys/* 2>/dev/null || warn "Importing distro keys failed" #Set distro keys trust level to ultimate (trust anything that was signed with these keys) gpg --homedir=/etc/distro/ --list-keys --fingerprint --with-colons|sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --homedir=/etc/distro/ --import-ownertrust 2>/dev/null || warn "Setting distro keys ultimate trust failed" gpg --homedir=/etc/distro/ --update-trust 2>/dev/null || warn "Updating distro keys trust failed" # Add user's keys to the list of trusted keys for ISO signing +DEBUG "Running gpg --export | gpg --homedir=/etc/distro/ --import" gpg --export | gpg --homedir=/etc/distro/ --import 2>/dev/null || warn "Adding user's keys to distro keys failed" diff --git a/initrd/bin/lock_chip b/initrd/bin/lock_chip.sh similarity index 73% rename from initrd/bin/lock_chip rename to initrd/bin/lock_chip.sh index 26c9c1c78..22d53bbf1 100755 --- a/initrd/bin/lock_chip +++ b/initrd/bin/lock_chip.sh 
@@ -5,7 +5,8 @@ # - >=Skylake: same as above and CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM=y, CONFIG_SPI_FLASH_SMM=y and mode (eg: CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y) # - Heads is actually doing the CONFIG_INTEL_CHIPSET_LOCKDOWN equivalent here. -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh TRACE_FUNC if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING" = "y" ]; then @@ -13,15 +14,16 @@ if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING" = "y" ]; then FIN_CODE=0xcb fi -if [ -n "$APM_CNT" -a -n "$FIN_CODE" ]; then +if [ -n "$APM_CNT" ] && [ -n "$FIN_CODE" ]; then # PR0 lockdown is enabled by setting a lock bit (FLOCKDN) in the SPI controller, # which prevents further changes to the SPI controller configuration. The flash # will become write protected in the range specified in the PR0 register. Once # the protection is set and locked, it cannot be disabled # until the next system reset. - echo "Finalizing chipset Write Protection through SMI PR0 lockdown call" - io386 -o b -b x $APM_CNT $FIN_CODE + echo + echo "Finalizing chipset's Write Protection through SMI PR0 lockdown call" + io386 -o b -b x "$APM_CNT" "$FIN_CODE" else echo "NOT Finalizing chipset" - echo "lock_chip called without valid APM_CNT and FIN_CODE defined under bin/lock_chip." + echo "lock_chip.sh called without valid APM_CNT and FIN_CODE defined under bin/lock_chip.sh." fi diff --git a/initrd/bin/media-scan b/initrd/bin/media-scan.sh similarity index 71% rename from initrd/bin/media-scan rename to initrd/bin/media-scan.sh index 068fa88a5..4b512fd2c 100755 --- a/initrd/bin/media-scan +++ b/initrd/bin/media-scan.sh @@ -1,9 +1,12 @@ #!/bin/bash # Scan for USB installation options set -e -o pipefail -. /etc/functions -. /etc/gui_functions -. /tmp/config +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh +# shellcheck source=initrd/etc/gui_functions.sh +. /etc/gui_functions.sh + # shellcheck disable=SC1091 + . /tmp/config TRACE_FUNC 
@@ -16,12 +19,12 @@ if grep -q /boot /proc/mounts ; then || die "Unable to unmount /boot" fi -available_partitions="$(blkid | while read line; do echo $line | awk -F ":" {'print $1'}; done )" +available_partitions="$(blkid | while read -r line; do echo "$line" | awk -F ":" '{print $1}'; done )" if [ "$1" == "usb" ]; then # Mount the USB boot device mount_usb || die "Unable to mount /media" -elif $(echo $available_partitions | grep -q "$1"); then +elif echo "$available_partitions" | grep -q "$1"; then if grep -q /media /proc/mounts; then umount /media \ || die "Unable to unmount /media" @@ -38,15 +41,16 @@ get_menu_option() { if [ -x /bin/whiptail ]; then MENU_OPTIONS="" n=0 - while read option + while read -r option do - n=`expr $n + 1` - option=$(echo $option | tr " " "_") + n=$((n + 1)) + option=$(echo "$option" | tr " " "_") MENU_OPTIONS="$MENU_OPTIONS $n ${option}" done < /tmp/iso_menu.txt MENU_OPTIONS="$MENU_OPTIONS a Abort" + # shellcheck disable=SC2086 whiptail_type $BG_COLOR_MAIN_MENU --title "Select your ISO boot option" \ --menu "Choose the ISO boot option [1-$n]:" 0 80 8 \ -- $MENU_OPTIONS \ @@ -56,13 +60,13 @@ get_menu_option() { else echo "+++ Select your ISO boot option:" n=0 - while read option + while read -r option do - n=`expr $n + 1` + n=$((n + 1)) echo "$n. $option" done < /tmp/iso_menu.txt - read \ + read -r \ -p "Choose the ISO boot option [1-$n, a to abort]: " \ option_index fi @@ -72,7 +76,7 @@ get_menu_option() { die "Aborting boot attempt" fi - option=`head -n $option_index /tmp/iso_menu.txt | tail -1` + option=$(head -n "$option_index" /tmp/iso_menu.txt | tail -1) if [ -z "$option" ]; then die "Failed to find menu option $option_index" 
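Review bot: `elif echo "$available_partitions" | grep -q "$1"; then` still treats `$1` as an unanchored regular expression, so `/dev/sda1` is accepted when only `/dev/sda10` exists. An argument starting with `-` is also read as a grep option. Now that the quoted expansion keeps one device per line, an exact match is possible: `elif printf '%s\n' "$available_partitions" | grep -qxF -- "$1"; then`. The partition list itself needs no loop; `available_partitions="$(blkid | awk -F: '{print $1}')"` produces the same output.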
@@ -81,16 +85,15 @@ get_menu_option() { # create ISO menu options - search recursively for ISO files find /media -name "*.iso" -type f 2>/dev/null | sort -r > /tmp/iso_menu.txt || true -if [ `cat /tmp/iso_menu.txt | wc -l` -gt 0 ]; then - option_confirm="" - while [ -z "$option" -a "$option_index" != "s" ] +if [ "$(wc -l < /tmp/iso_menu.txt)" -gt 0 ]; then + while [ -z "$option" ] && [ "$option_index" != "s" ] do get_menu_option done MOUNTED_ISO="$option" ISO="${option:7}" # remove /media/ to get device relative path - DO_WITH_DEBUG kexec-iso-init "$MOUNTED_ISO" "$ISO" "$USB_BOOT_DEV" + DO_WITH_DEBUG kexec-iso-init.sh "$MOUNTED_ISO" "$ISO" "$USB_BOOT_DEV" die "Something failed in iso init" fi @@ -104,9 +107,9 @@ fi echo "!!! Could not find any ISO, trying bootable USB" # Attempt to pull verified config from device if [ -x /bin/whiptail ]; then - DO_WITH_DEBUG kexec-select-boot -b /media -c "*.cfg" -u -g -s + DO_WITH_DEBUG kexec-select-boot.sh -b /media -c "*.cfg" -u -g -s else - DO_WITH_DEBUG kexec-select-boot -b /media -c "*.cfg" -u -s + DO_WITH_DEBUG kexec-select-boot.sh -b /media -c "*.cfg" -u -s fi die "Something failed in selecting boot" diff --git a/initrd/bin/mount-usb b/initrd/bin/mount-usb.sh similarity index 76% rename from initrd/bin/mount-usb rename to initrd/bin/mount-usb.sh index 8acad1357..70953f48d 100755 --- a/initrd/bin/mount-usb +++ b/initrd/bin/mount-usb.sh @@ -1,8 +1,11 @@ #!/bin/bash # Mount a USB device -. /etc/functions -. /etc/gui_functions -. /etc/luks-functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh +# shellcheck source=initrd/etc/gui_functions.sh +. /etc/gui_functions.sh +# shellcheck source=initrd/etc/luks-functions.sh +. /etc/luks-functions.sh TRACE_FUNC 
@@ -87,7 +90,7 @@ if [ -z "$(cat /tmp/usb_block_devices)" ]; then --msgbox "Insert your USB drive and press Enter to continue." 0 80 else echo "+++ USB Drive Missing! Insert your USB drive and press Enter to continue." - read + read -r fi sleep 1 list_usb_storage > /tmp/usb_block_devices @@ -105,7 +108,7 @@ fi USB_MOUNT_DEVICE="" # Check if the user has specified a USB device if [ -n "$DEVICE" ]; then - DEBUG "Checking if "$DEVICE" is a USB detected block device" + DEBUG "Checking if $DEVICE is a USB detected block device" if grep -q "$DEVICE" /tmp/usb_block_devices; then DEBUG "Selected device is a USB block device" USB_MOUNT_DEVICE="$DEVICE" 
@@ -114,46 +117,46 @@ if [ -n "$DEVICE" ]; then fi else # Check for the common case: a single USB disk with one partition - if [ $(cat /tmp/usb_block_devices | wc -l) -eq 1 ]; then + if [ "$(wc -l < /tmp/usb_block_devices)" -eq 1 ]; then USB_MOUNT_DEVICE="$(cat /tmp/usb_block_devices)" fi # otherwise, let the user pick - if [ -z ${USB_MOUNT_DEVICE} ]; then - > /tmp/usb_disk_list - for i in $(cat /tmp/usb_block_devices); do + if [ -z "${USB_MOUNT_DEVICE}" ]; then + : > /tmp/usb_disk_list + while read -r i; do #appends label to the device name - echo $i $(blkid | grep $i | grep -o 'LABEL=".*"' | cut -f2 -d '"') >> /tmp/usb_disk_list - done + echo "$i" "$(blkid | grep "$i" | grep -o 'LABEL=".*"' | cut -f2 -d '"')" >> /tmp/usb_disk_list + done < /tmp/usb_block_devices if [ -x /bin/whiptail ]; then MENU_OPTIONS="" n=0 - while read option + while read -r option do - n=$(expr $n + 1) - option=$(echo $option | tr " " "_") + n=$((n + 1)) + option=$(echo "$option" | tr " " "_") MENU_OPTIONS="$MENU_OPTIONS $n ${option}" done < /tmp/usb_disk_list MENU_OPTIONS="$MENU_OPTIONS a Abort" - whiptail --title "Select your USB disk" \ + # shellcheck disable=SC2086 + if ! whiptail --title "Select your USB disk" \ --menu "Choose your USB disk [1-$n, a to abort]:" 0 80 8 \ -- $MENU_OPTIONS \ - 2>/tmp/whiptail - if [ $? -ne 0 ]; then + 2>/tmp/whiptail; then die "ERROR: Selecting USB disk/partition aborted." fi option_index=$(cat /tmp/whiptail) else echo "+++ Select your USB disk:" n=0 - while read option + while read -r option do - n=$(expr $n + 1) + n=$((n + 1)) echo "$n. $option" done < /tmp/usb_disk_list - read \ + read -r \ -p "Choose your USB disk [1-$n, a to abort]: " \ option_index fi @@ -161,7 +164,7 @@ else if [ "$option_index" = "a" ]; then exit 5 fi - USB_MOUNT_DEVICE=$(head -n $option_index /tmp/usb_disk_list | tail -1 | sed 's/\ .*$//') + USB_MOUNT_DEVICE=$(head -n "$option_index" /tmp/usb_disk_list | tail -1 | sed 's/\ .*$//') fi fi 
@@ -169,25 +172,26 @@ DEBUG "Checking if $USB_MOUNT_DEVICE is a LUKS device/partition" if cryptsetup isLuks "$USB_MOUNT_DEVICE"; then DEBUG "Selected USB partition is a LUKS device" #Selected USB partition is a LUKS device - if [ -e /dev/mapper/"usb_mount_$(basename "$USB_MOUNT_DEVICE")" ]; then + usb_mapper_name="usb_mount_$(basename "$USB_MOUNT_DEVICE")" + if [ -e /dev/mapper/"$usb_mapper_name" ]; then DEBUG "Closing currently mapped LUKS device" - cryptsetup close "usb_mount_$(basename "$USB_MOUNT_DEVICE")" + cryptsetup close "$usb_mapper_name" fi DEBUG "Opening LUKS device $USB_MOUNT_DEVICE" #Pass LUKS passphrase to cryptsetup only if we received one if [ -z "$PASS" ]; then #We haven't received a passphrase - cryptsetup open "$USB_MOUNT_DEVICE" "usb_mount_$(basename "$USB_MOUNT_DEVICE")" \ + cryptsetup open "$USB_MOUNT_DEVICE" "$usb_mapper_name" \ || die "ERROR: Failed to open ${USB_MOUNT_DEVICE} LUKS device" else #We received a pasphrase - cryptsetup open "$USB_MOUNT_DEVICE" "usb_mount_$(basename "$USB_MOUNT_DEVICE")" --key-file <(echo -n "${PASS}") \ + cryptsetup open "$USB_MOUNT_DEVICE" "$usb_mapper_name" --key-file <(echo -n "${PASS}") \ || die "ERROR: Failed to open ${USB_MOUNT_DEVICE} LUKS device" fi - warn "Note that you cannot boot from a mounted encrypted device" - DEBUG "Setting USB_MOUNT_DEVICE=/dev/mapper/"usb_mount_$(basename "$USB_MOUNT_DEVICE")"" - USB_MOUNT_DEVICE="/dev/mapper/"usb_mount_$(basename "$USB_MOUNT_DEVICE")"" + usb_mapper_name="usb_mount_$(basename "$USB_MOUNT_DEVICE")" + DEBUG "Setting USB_MOUNT_DEVICE=/dev/mapper/$usb_mapper_name" + USB_MOUNT_DEVICE="/dev/mapper/$usb_mapper_name" else # Selected USB partition is not a LUKS device DEBUG "Selected USB partition is not a LUKS device, continuing..." diff --git a/initrd/bin/network-init-recovery b/initrd/bin/network-init-recovery.sh similarity index 86% rename from initrd/bin/network-init-recovery rename to initrd/bin/network-init-recovery.sh index 638d2b3b0..52382f95b 100755 
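Review bot: The rewritten tail of the LUKS branch no longer emits `warn "Note that you cannot boot from a mounted encrypted device"`; in its place the new side repeats the `usb_mapper_name=` assignment already made at the top of the branch. That looks like an accidental swap in what is otherwise a lint cleanup. Restoring the `warn` line and dropping the repeated assignment keeps the operator notice. Separately, `--key-file <(echo -n "${PASS}")` relies on `echo` not interpreting the passphrase; `<(printf '%s' "$PASS")` passes it through unchanged.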
--- a/initrd/bin/network-init-recovery +++ b/initrd/bin/network-init-recovery.sh @@ -1,6 +1,7 @@ #!/bin/bash -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh TRACE_FUNC @@ -31,9 +32,9 @@ mobile_tethering() read -p "Press Enter to continue..." -r network_modules="mii usbnet cdc_ether cdc_ncm cdc_eem" - for module in $(echo $network_modules); do - if [ -f /lib/modules/$module.ko ]; then - insmod /lib/modules/$module.ko + for module in $network_modules; do + if [ -f /lib/modules/"$module".ko ]; then + insmod.sh /lib/modules/"$module".ko fi done @@ -62,9 +63,9 @@ ethernet_activation() echo "Loading Ethernet network modules..." network_modules="e1000 e1000e igb sfc mdio mlx4_core mlx4_en" - for module in $(echo $network_modules); do - if [ -f /lib/modules/$module.ko ]; then - insmod /lib/modules/$module.ko + for module in $network_modules; do + if [ -f /lib/modules/"$module".ko ]; then + insmod.sh /lib/modules/"$module".ko fi done } 
@@ -94,24 +95,24 @@ if [ -n "$dev" ]; then echo "Generating random MAC address..." mac=$(generate_random_mac_address) echo "Assigning randomly generated MAC: $mac to $dev..." - ifconfig $dev hw ether $mac - ifconfig $dev up + ifconfig "$dev" hw ether "$mac" + ifconfig "$dev" up fi # Set up static IP if configured in board config - if [ ! -z "$CONFIG_BOOT_STATIC_IP" ]; then + if [ -n "$CONFIG_BOOT_STATIC_IP" ]; then echo "Setting static IP: $CONFIG_BOOT_STATIC_IP" - ifconfig $dev $CONFIG_BOOT_STATIC_IP + ifconfig "$dev" "$CONFIG_BOOT_STATIC_IP" echo "No NTP sync with static IP: no DNS server nor gateway defined, set time manually" # Set up DHCP if no static IP elif [ -e /sbin/udhcpc ]; then echo "Getting IP from first DHCP server answering. This may take a while..." - if udhcpc -T 1 -i $dev -q; then + if udhcpc -T 1 -i "$dev" -q; then if [ -e /sbin/ntpd ]; then - DNS_SERVER=$(grep nameserver /etc/resolv.conf | awk -F " " {'print $2'}) - killall ntpd 2 &>1 >/dev/null + DNS_SERVER=$(grep nameserver /etc/resolv.conf | awk '{print $2}') + killall ntpd 2>/dev/null echo "Attempting to sync time with NTP server: $DNS_SERVER..." - if ! ntpd -d -N -n -q -p $DNS_SERVER; then + if ! ntpd -d -N -n -q -p "$DNS_SERVER"; then echo "NTP sync unsuccessful with DNS server" echo "Attempting NTP time sync with pool.ntp.org..." if ! ntpd -d -d -N -n -q -p pool.ntp.org; then diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset.sh similarity index 83% rename from initrd/bin/oem-factory-reset rename to initrd/bin/oem-factory-reset.sh index d637dcd8a..5b7c00349 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset.sh 
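Review bot: Quoting `"$DNS_SERVER"` in `ntpd -d -N -n -q -p "$DNS_SERVER"` changes behaviour when /etc/resolv.conf holds more than one `nameserver` line, because the grep/awk pipeline then returns several addresses separated by newlines and they now arrive as one argument. Selecting a single entry keeps the quoting correct: `DNS_SERVER=$(awk '/^nameserver/ {print $2; exit}' /etc/resolv.conf)`. That address presumably comes from the DHCP lease, so a short comment that the clock set here is only as trustworthy as the network would help readers of the time-based checks.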
@@ -4,13 +4,19 @@ set -o pipefail ## External files sourced -. /etc/functions -. /etc/gui_functions -. /etc/luks-functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh +# shellcheck source=initrd/etc/gui_functions.sh +. /etc/gui_functions.sh +# shellcheck source=initrd/etc/luks-functions.sh +. /etc/luks-functions.sh +# shellcheck disable=SC1091 . /tmp/config TRACE_FUNC +DEBUG "Starting OEM factory reset" + # use TERM to exit on error trap "exit 1" TERM export TOP_PID=$$ @@ -124,19 +130,6 @@ die() { exit 1 } -local_whiptail_error() { - local msg=$1 - if [ "$msg" = "" ]; then - die "whiptail error: An error msg is required" - fi - whiptail_error --msgbox "${msg}\n\n" $HEIGHT $WIDTH --title "Error" -} - -whiptail_error_die() { - local_whiptail_error "$@" - die -} - mount_boot() { TRACE_FUNC # Mount local disk if it is not already mounted. @@ -144,7 +137,7 @@ mount_boot() { if ! grep -q /boot /proc/mounts; then # try to mount if CONFIG_BOOT_DEV exists if [ -e "$CONFIG_BOOT_DEV" ]; then - mount -o ro $CONFIG_BOOT_DEV /boot || die "Failed to mount $CONFIG_BOOT_DEV. Please change boot device under Configuration > Boot Device" + mount -o ro "$CONFIG_BOOT_DEV" /boot || die "Failed to mount $CONFIG_BOOT_DEV. Please change boot device under Configuration > Boot Device" fi fi } @@ -165,8 +158,8 @@ reset_nk3_secret_app() { return 0 else error_code=$? - if [ $error_code -eq 3 ] && [ $attempt -lt 3 ]; then - whiptail --msgbox "Nitrokey 3 requires physical presence: touch the dongle when requested" $HEIGHT $WIDTH --title "Nk3 secrets app reset attempt: $attempt/3" + if [ "$error_code" -eq 3 ] && [ "$attempt" -lt 3 ]; then + whiptail --msgbox "Nitrokey 3 requires physical presence: touch the dongle when requested" "$HEIGHT" "$WIDTH" --title "Nk3 secrets app reset attempt: $attempt/3" else whiptail_error_die "Nitrokey 3's Secrets app reset failed with error:$error_code. Contact Nitrokey support" fi 
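Review bot: Removing `local_whiptail_error` and `whiptail_error_die` from this file leaves the many remaining `whiptail_error_die` calls dependent on a definition in one of the sourced files, which this diff does not show. If the name were missing, each failure path would report "command not found" and carry on (unless errexit is enabled outside these hunks), so a failed key generation or signing step would no longer stop the reset. It is worth confirming that `/etc/gui_functions.sh` provides the function and that it still ends in this script's own `die`.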
@@ -194,6 +187,7 @@ generate_inmemory_RSA_master_and_subkeys() { echo "Passphrase: ${ADMIN_PIN}" # Admin PIN echo "%commit" # Commit changes } | DO_WITH_DEBUG gpg --expert --batch --command-fd=0 --status-fd=1 --pinentry-mode=loopback --generate-key >/tmp/gpg_card_edit_output 2>&1 + # shellcheck disable=SC2181 if [ $? -ne 0 ]; then ERROR=$(cat /tmp/gpg_card_edit_output) whiptail_error_die "GPG Key generation failed!\n\n$ERROR" @@ -206,11 +200,12 @@ generate_inmemory_RSA_master_and_subkeys() { echo 4 # RSA (sign only) echo ${RSA_KEY_LENGTH} # Signing key size set to RSA_KEY_LENGTH echo 0 # No expiration date - echo ${ADMIN_PIN} # Local keyring admin pin + echo "${ADMIN_PIN}" # Local keyring admin pin echo y # confirm echo save # save changes and commit to keyring } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key "${GPG_USER_MAIL}" \ >/tmp/gpg_card_edit_output 2>&1 + # shellcheck disable=SC2181 if [ $? -ne 0 ]; then ERROR=$(cat /tmp/gpg_card_edit_output) whiptail_error_die "GPG Key signing subkey generation failed!\n\n$ERROR" @@ -223,11 +218,12 @@ generate_inmemory_RSA_master_and_subkeys() { echo 6 # RSA (encrypt only) echo ${RSA_KEY_LENGTH} # Encryption key size set to RSA_KEY_LENGTH echo 0 # No expiration date - echo ${ADMIN_PIN} # Local keyring admin pin + echo "${ADMIN_PIN}" # Local keyring admin pin echo y # confirm echo save # save changes and commit to keyring } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key "${GPG_USER_MAIL}" \ >/tmp/gpg_card_edit_output 2>&1 + # shellcheck disable=SC2181 if [ $? -ne 0 ]; then ERROR=$(cat /tmp/gpg_card_edit_output) whiptail_error_die "GPG Key encryption subkey generation failed!\n\n$ERROR" 
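Review bot: `echo "${ADMIN_PIN}"` is now quoted, but bash's `echo` still consumes a value made up only of its own option letters (a PIN of the form `-nnnnn`, say), so gpg would receive nothing where the PIN is expected. `printf '%s\n' "${ADMIN_PIN}"` has no such case. The same applies to the `echo "${ADMIN_PIN}"`, `echo "${PIN_ORIG}"` and `echo "${PIN_NEW}"` lines in the later key-generation and PIN-change hunks, while `${ADMIN_PIN_DEF}` and `${USER_PIN_DEF}` remain unquoted. The added `# shellcheck disable=SC2181` lines could be avoided by testing the pipeline directly, `if ! { …; } | DO_WITH_DEBUG gpg … >/tmp/gpg_card_edit_output 2>&1; then`, which also removes the risk of a statement slipping in between the pipeline and `$?`.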
@@ -247,11 +243,12 @@ generate_inmemory_RSA_master_and_subkeys() { echo Q # Quit echo ${RSA_KEY_LENGTH} # Authentication key size set to RSA_KEY_LENGTH echo 0 # No expiration date - echo ${ADMIN_PIN} # Local keyring admin pin + echo "${ADMIN_PIN}" # Local keyring admin pin echo y # confirm echo save # save changes and commit to keyring } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --expert --edit-key "${GPG_USER_MAIL}" \ >/tmp/gpg_card_edit_output 2>&1 + # shellcheck disable=SC2181 if [ $? -ne 0 ]; then ERROR=$(cat /tmp/gpg_card_edit_output) whiptail_error_die "GPG Key authentication subkey generation failed!\n\n$ERROR" @@ -277,6 +274,7 @@ generate_inmemory_p256_master_and_subkeys() { echo "%commit" # Commit changes } | DO_WITH_DEBUG gpg --expert --batch --command-fd=0 --status-fd=1 --pinentry-mode=loopback --generate-key \ >/tmp/gpg_card_edit_output 2>&1 + # shellcheck disable=SC2181 if [ $? -ne 0 ]; then ERROR=$(cat /tmp/gpg_card_edit_output) whiptail_error_die "GPG p256 Key generation failed!\n\n$ERROR" 
@@ -287,14 +285,15 @@ generate_inmemory_p256_master_and_subkeys() { echo "Generating GPG nistp256 signing subkey..." { - echo addkey # add key in --edit-key mode - echo 11 # ECC own set capability - echo Q # sign already present, do not modify - echo 3 # P-256 - echo 0 # No validity/expiration date - echo ${ADMIN_PIN} # Local keyring admin pin - echo save # save changes and commit to keyring - } | DO_WITH_DEBUG gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key ${MASTER_KEY_FP} >/tmp/gpg_card_edit_output 2>&1 + echo addkey # add key in --edit-key mode + echo 11 # ECC own set capability + echo Q # sign already present, do not modify + echo 3 # P-256 + echo 0 # No validity/expiration date + echo "${ADMIN_PIN}" # Local keyring admin pin + echo save # save changes and commit to keyring + } | DO_WITH_DEBUG gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key "${MASTER_KEY_FP}" >/tmp/gpg_card_edit_output 2>&1 + # shellcheck disable=SC2181 if [ $? -ne 0 ]; then ERROR_MSG=$(cat /tmp/gpg_card_edit_output) whiptail_error_die "Failed to add ECC nistp256 signing key to master key\n\n${ERROR_MSG}" 
@@ -303,13 +302,14 @@ generate_inmemory_p256_master_and_subkeys() { echo "Generating GPG nistp256 encryption subkey..." { echo addkey - echo 12 # ECC own set capability - echo Q # Quit - echo 3 # P-256 - echo 0 # No validity/expiration date - echo ${ADMIN_PIN} # Local keyring admin pin - echo save # save changes and commit to keyring - } | DO_WITH_DEBUG gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key ${MASTER_KEY_FP} >/tmp/gpg_card_edit_output 2>&1 + echo 12 # ECC own set capability + echo Q # Quit + echo 3 # P-256 + echo 0 # No validity/expiration date + echo "${ADMIN_PIN}" # Local keyring admin pin + echo save # save changes and commit to keyring + } | DO_WITH_DEBUG gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key "${MASTER_KEY_FP}" >/tmp/gpg_card_edit_output 2>&1 + # shellcheck disable=SC2181 if [ $? -ne 0 ]; then ERROR_MSG=$(cat /tmp/gpg_card_edit_output) whiptail_error_die "Failed to add ECC nistp256 encryption key to master key\n\n${ERROR_MSG}" @@ -324,9 +324,10 @@ generate_inmemory_p256_master_and_subkeys() { echo Q # Quit echo 3 # P-256 echo 0 # no expiration - echo ${ADMIN_PIN} # Local keyring admin pin + echo "${ADMIN_PIN}" # Local keyring admin pin echo save # save changes and commit to keyring - } | DO_WITH_DEBUG gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key ${MASTER_KEY_FP} >/tmp/gpg_card_edit_output 2>&1 + } | DO_WITH_DEBUG gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key "${MASTER_KEY_FP}" >/tmp/gpg_card_edit_output 2>&1 + # shellcheck disable=SC2181 if [ $? -ne 0 ]; then ERROR_MSG=$(cat /tmp/gpg_card_edit_output) whiptail_error_die "Failed to add ECC nistp256 authentication key to master key\n\n${ERROR_MSG}" 
@@ -374,6 +375,7 @@ keytocard_subkeys_to_smartcard() { echo "save" #Save changes and commit to keyring } | DO_WITH_DEBUG gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key "${GPG_USER_MAIL}" \ >/tmp/gpg_card_edit_output 2>&1 + # shellcheck disable=SC2181 if [ $? -ne 0 ]; then ERROR=$(cat /tmp/gpg_card_edit_output) whiptail_error_die "GPG Key moving subkeys to smartcard failed!\n\n$ERROR" @@ -424,7 +426,7 @@ export_master_key_subkeys_and_revocation_key_to_private_LUKS_container() { esac done - mount-usb --mode "$mode" --device "$device" --mountpoint "$mountpoint" --pass "$pass" || die "Error mounting thumb drive's private partition" + mount-usb.sh --mode "$mode" --device "$device" --mountpoint "$mountpoint" --pass "$pass" || die "Error mounting thumb drive's private partition" #Export master key and subkeys to thumb drive DEBUG "Exporting master key and subkeys to private LUKS container's partition..." @@ -470,7 +472,7 @@ export_public_key_to_thumbdrive_public_partition() { done #pass non-empty arguments to --pass, --mountpoint, --device, --mode - mount-usb --device "$device" --mode "$mode" --mountpoint "$mountpoint" || die "Error mounting thumb drive's public partition" + mount-usb.sh --device "$device" --mode "$mode" --mountpoint "$mountpoint" || die "Error mounting thumb drive's public partition" #TODO: reuse "Obtain GPG key ID" so that pubkey on public thumb drive partition is named after key ID gpg --export --armor "${GPG_USER_MAIL}" >"$mountpoint"/pubkey.asc || die "Error exporting public key to thumb drive's public partition" umount "$mountpoint" || die "Error unmounting thumb drive's public partition" 
@@ -500,7 +502,7 @@ select_thumb_drive_for_key_material() { # - no disks found (prevent file_selector's nonsense prompt) # - file_selector fails for any reason # - user aborts (file_selector succeeds but FILE is empty) - if [ $(cat /tmp/usb_disk_list | wc -l) -gt 0 ] && + if [ "$(wc -l < /tmp/usb_disk_list)" -gt 0 ] && file_selector --show-size "/tmp/usb_disk_list" "Select USB device to partition" && [ -n "$FILE" ]; then # Obtain size of thumb drive to be wiped with fdisk @@ -566,6 +568,7 @@ gpg_key_factory_reset() { echo yes # confirm } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \ >/tmp/gpg_card_edit_output 2>&1 + # shellcheck disable=SC2181 if [ $? -ne 0 ]; then ERROR=$(cat /tmp/gpg_card_edit_output) whiptail_error_die "GPG Key factory reset failed!\n\n$ERROR" @@ -588,6 +591,7 @@ gpg_key_factory_reset() { echo ${ADMIN_PIN_DEF} # local keyring PIN } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \ >/tmp/gpg_card_edit_output 2>&1 + # shellcheck disable=SC2181 if [ $? -ne 0 ]; then ERROR=$(cat /tmp/gpg_card_edit_output) whiptail_error_die "GPG Key forcesig toggle on failed!\n\n$ERROR" @@ -610,6 +614,7 @@ gpg_key_factory_reset() { echo ${ADMIN_PIN_DEF} # local keyring PIN } | DO_WITH_DEBUG gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \ >/tmp/gpg_card_edit_output 2>&1 + # shellcheck disable=SC2181 if [ $? -ne 0 ]; then ERROR=$(cat /tmp/gpg_card_edit_output) whiptail_error_die "Setting key to NIST-P256 in USB Security dongle failed." @@ -632,6 +637,7 @@ gpg_key_factory_reset() { echo ${ADMIN_PIN_DEF} #Local keyring PIN } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \ >/tmp/gpg_card_edit_output 2>&1 + # shellcheck disable=SC2181 if [ $? -ne 0 ]; then ERROR=$(cat /tmp/gpg_card_edit_output) whiptail_error_die "Setting key attributed to RSA ${RSA_KEY_LENGTH} bits in USB Security dongle failed." 
@@ -650,15 +656,15 @@ generate_OEM_gpg_keys() { #This function simply generates subkeys in smartcard following smarcard config from gpg_key_factory_reset echo "Generating GPG keys in USB Security dongle's OpenPGP smartcard..." { - echo admin # admin menu - echo generate # generate keys - echo n # Do not export keys - echo ${ADMIN_PIN_DEF} # Default admin PIN since we just factory reset - echo ${USER_PIN_DEF} # Default user PIN since we just factory reset - echo 0 # No key expiration - echo ${GPG_USER_NAME} # User name - echo ${GPG_USER_MAIL} # User email - echo ${GPG_USER_COMMENT} # User comment + echo admin # admin menu + echo generate # generate keys + echo n # Do not export keys + echo ${ADMIN_PIN_DEF} # Default admin PIN since we just factory reset + echo ${USER_PIN_DEF} # Default user PIN since we just factory reset + echo 0 # No key expiration + echo "${GPG_USER_NAME}" # User name + echo "${GPG_USER_MAIL}" # User email + echo "${GPG_USER_COMMENT}" # User comment echo ${USER_PIN_DEF} # Default user PIN since we just factory reset } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \ >/tmp/gpg_card_edit_output 2>&1 @@ -667,6 +673,7 @@ generate_OEM_gpg_keys() { # "gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model" # "gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u" #TODO: Suppress this output to console (stdout shown in DEBUG mode)? + # shellcheck disable=SC2181 if [ $? -ne 0 ]; then ERROR=$(cat /tmp/gpg_card_edit_output) whiptail_error_die "GPG Key automatic keygen failed!\n\n$ERROR" 
@@ -687,16 +694,17 @@ gpg_key_change_pin() { { echo admin # admin menu echo passwd # change PIN - echo ${PIN_TYPE} # 1 = user PIN, 3 = admin PIN - echo ${PIN_ORIG} # old PIN - echo ${PIN_NEW} # new PIN - echo ${PIN_NEW} # confirm new PIN + echo "${PIN_TYPE}" # 1 = user PIN, 3 = admin PIN + echo "${PIN_ORIG}" # old PIN + echo "${PIN_NEW}" # new PIN + echo "${PIN_NEW}" # confirm new PIN echo q # quit echo q } | DO_WITH_DEBUG gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \ >/tmp/gpg_card_edit_output 2>&1 + # shellcheck disable=SC2181 if [ $? -ne 0 ]; then - ERROR=$(cat /tmp/gpg_card_edit_output | fold -s) + ERROR=$(fold -s < /tmp/gpg_card_edit_output) whiptail_error_die "GPG Key PIN change failed!\n\n$ERROR" fi @@ -724,28 +732,28 @@ generate_checksums() { # create Heads TPM counter if [ "$CONFIG_TPM" = "y" ]; then if [ "$CONFIG_IGNORE_ROLLBACK" != "y" ]; then - tpmr counter_create \ + tpmr.sh counter_create \ -pwdc '' \ -la -3135106223 | tee /tmp/counter >/dev/null 2>&1 || whiptail_error_die "Unable to create TPM counter" TPM_COUNTER=$(cut -d: -f1 /dev/null 2>&1 || + increment_tpm_counter "$TPM_COUNTER" >/dev/null 2>&1 || whiptail_error_die "Unable to increment tpm counter" # create rollback file - sha256sum /tmp/counter-$TPM_COUNTER >/boot/kexec_rollback.txt 2>/dev/null || + sha256sum /tmp/counter-"$TPM_COUNTER" >/boot/kexec_rollback.txt 2>/dev/null || whiptail_error_die "Unable to create rollback file" fi fi # If HOTP is enabled from board config, create HOTP counter - if [ -x /bin/hotp_verification]; then - ## needs to exist for initial call to unseal-hotp + if [ -x /bin/hotp_verification ]; then + ## needs to exist for initial call to unseal-hotp.sh echo "0" >/boot/kexec_hotp_counter fi fi 
@@ -763,22 +771,24 @@ generate_checksums() { xargs -0 sha256sum >/boot/kexec_hashes.txt 2>/dev/null print_tree >/boot/kexec_tree.txt ) + # shellcheck disable=SC2181 [ $? -eq 0 ] || whiptail_error_die "Error generating kexec hashes" - param_files=$(find /boot/kexec*.txt) - [ -z "$param_files" ] && + mapfile -t param_files < <(find /boot -maxdepth 1 -name "kexec*.txt" -print) + if [ "${#param_files[@]}" -eq 0 ]; then whiptail_error_die "No kexec parameter files to sign" + fi - if [ "$GPG_GEN_KEY_IN_MEMORY" = "y" -a "$GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD" = "n" ]; then + if [ "$GPG_GEN_KEY_IN_MEMORY" = "y" ] && [ "$GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD" = "n" ]; then #The local keyring used to generate in memory subkeys is still valid since no key has been moved to smartcard #Local keyring passwd is ADMIN_PIN. We need to set USER_PIN to ADMIN_PIN to be able to sign next in this boot session DEBUG "Setting GPG User PIN to GPG Admin PIN so local keyring can be used to detach-sign kexec files next" USER_PIN=$ADMIN_PIN fi - DEBUG "Detach-signing boot files under kexec.sig: ${param_files}" + DEBUG "Detach-signing boot files under kexec.sig: ${param_files[*]}" - if sha256sum $param_files 2>/dev/null | gpg --detach-sign \ + if sha256sum "${param_files[@]}" 2>/dev/null | gpg --detach-sign \ --pinentry-mode loopback \ --passphrase-file <(echo -n "$USER_PIN") \ --digest-algo SHA256 \ @@ -799,7 +809,7 @@ generate_checksums() { # done writing to /boot, switch back to RO mount -o ro,remount /boot - if [ $ret = 1 ]; then + if [ "$ret" = 1 ]; then ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Error signing kexec boot files:\n\n$ERROR" fi 
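Review bot: Replacing the glob form `find /boot/kexec*.txt` with `find /boot -maxdepth 1 -name "kexec*.txt" -print` drops the sorted order the shell glob provided, and the file order determines the `sha256sum` output that is detach-signed into kexec.sig. If the verifying side (not shown here) still hashes the files in glob order, a signature produced here may fail to verify depending on directory order. Sorting keeps the list deterministic: `mapfile -t param_files < <(find /boot -maxdepth 1 -name "kexec*.txt" -print | sort)`.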
@@ -816,16 +826,17 @@ set_default_boot_option() { mkdir -p /tmp/kexec/ rm $option_file 2>/dev/null + #TODO: do not be grub centric. syslinux is also supposed to be supported # parse boot options from grub.cfg - for i in $(find /boot -name "grub.cfg"); do - kexec-parse-boot "/boot" "$i" >>$option_file + find /boot -name "grub.cfg" | while IFS= read -r i; do + kexec-parse-boot.sh "/boot" "$i" >>$option_file done # FC29/30+ may use BLS format grub config files # https://fedoraproject.org/wiki/Changes/BootLoaderSpecByDefault # only parse these if $option_file is still empty if [ ! -s $option_file ] && [ -d "/boot/loader/entries" ]; then - for i in $(find /boot -name "grub.cfg"); do - kexec-parse-bls "/boot" "$i" "/boot/loader/entries" >>$option_file + find /boot -name "grub.cfg" | while IFS= read -r i; do + kexec-parse-bls.sh "/boot" "$i" "/boot/loader/entries" >>$option_file done fi [ ! -s $option_file ] && @@ -844,10 +855,10 @@ set_default_boot_option() { index=$(grep -n "$entry" $option_file | cut -f1 -d ':') # write new config - echo "$entry" >/boot/kexec_default.$index.txt + echo "$entry" >/boot/kexec_default."$index".txt # validate boot option - (cd /boot && /bin/kexec-boot -b "/boot" -e "$entry" -f | + (cd /boot && /bin/kexec-boot.sh -b "/boot" -e "$entry" -f | xargs sha256sum >$hash_file 2>/dev/null) || whiptail_error_die "Failed to create hashes of boot files" @@ -864,12 +875,12 @@ report_integrity_measurements() { # update the TOTP code every thirty seconds date=$(date "+%Y-%m-%d %H:%M:%S %Z") seconds=$(date "+%s") - half=$(expr \( "$seconds" % 60 \) / 30) + half=$(( (seconds % 60) / 30 )) if [ "$CONFIG_TPM" != "y" ]; then TOTP="NO TPM" elif [ "$half" != "$last_half" ]; then last_half=$half - TOTP=$(unseal-totp) >/dev/null 2>&1 + TOTP=$(unseal-totp.sh) >/dev/null 2>&1 fi # Check and report on HOTP status 
@@ -884,13 +895,13 @@ report_integrity_measurements() { fi done - if [ $attempt -eq 3 ]; then + if [ "$attempt" -eq 3 ]; then die "No HOTP enabled USB Security dongle detected. Please disable 'CONFIG_HOTPKEY' in the board config and rebuild." fi # Don't output HOTP codes to screen, so as to make replay attacks harder - HOTP=$(unseal-hotp) >/dev/null 2>&1 - hotp_verification check $HOTP + HOTP=$(unseal-hotp.sh) >/dev/null 2>&1 + hotp_verification check "$HOTP" case "$?" in 0) HOTP="Success" @@ -918,6 +929,7 @@ report_integrity_measurements() { fi #Show results + # shellcheck disable=SC2086 whiptail_type $BG_COLOR_MAIN_MENU --title "Measured Integrity Report" --msgbox "$date\nTOTP: $TOTP | HOTP: $HOTP\n/BOOT INTEGRITY: $HASH\n\nPress OK to continue or Ctrl+Alt+Delete to reboot" 0 80 fi @@ -953,6 +965,7 @@ fi if [ "$2" != "" ]; then bg_color=$2 else + # shellcheck disable=SC2034 bg_color="" fi @@ -962,6 +975,14 @@ if [ "$CONFIG_TPM" = "y" ]; then else TPM_STR="" fi + +# TODO: This line needs refactoring. Variables like $CONTINUE contain spaces (e.g., "--yes-button Continue") +# and rely on word splitting to pass multiple arguments to whiptail. Quoting them breaks whiptail. +# Refactor to separate options and labels, e.g., use --yes-button "$CONTINUE_LABEL" instead. +# shellcheck disable=SC2086 +# FIXME: The '!' inverts the exit code, which with 'set -e' (errexit) can cause errors to be ignored. +# Refactor to use proper error handling, e.g., check $? explicitly or use '&& exit 1'. +# shellcheck disable=SC2251 if ! whiptail_warning --yesno " This operation will automatically:\n $TPM_STR 
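Review bot: The added FIXME says the `!` in `if ! whiptail_warning …` can cause errors to be ignored under errexit, but a command used as an `if` condition is exempt from errexit with or without the `!`, and SC2251 concerns a bare `! cmd` statement. As written, the comment and the `# shellcheck disable=SC2251` directive describe a problem this construct does not have. I would drop both and keep a single annotated suppression, `# shellcheck disable=SC2086 # $CONTINUE/$CANCEL/$CLEAR rely on word splitting`. The `if` statement continues in the next hunk.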
@@ -973,9 +994,12 @@ $TPM_STR It requires that you already have an OS installed on a\n dedicated /boot partition. Do you wish to continue?" \ $HEIGHT $WIDTH $CONTINUE $CANCEL $CLEAR --title "$title_text"; then - exit 1 + # exit 1 + warn "User canceled OEM factory reset, but proceeding for testing" fi +DEBUG "OEM factory reset confirmed, proceeding" + #Make sure /boot is mounted if board config defines default mount_boot # We show current integrity measurements status and time @@ -987,9 +1011,11 @@ clear #Prompt user for use of default configuration options TRACE_FUNC echo -e -n "Would you like to use default configuration options?\nIf N, you will be prompted for each option [Y/n]: " -read -n 1 use_defaults +read -r -n 1 use_defaults -if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then +DEBUG "use_defaults: '$use_defaults'" + +if [ "$use_defaults" == "n" ] || [ "$use_defaults" == "N" ]; then #Give general guidance to user on how to answer prompts echo echo "****************************************************" 
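Review bot: Commenting out `exit 1` and substituting `warn "User canceled OEM factory reset, but proceeding for testing"` means that declining the confirmation dialog no longer stops the script, and the following `DEBUG "OEM factory reset confirmed, proceeding"` is logged either way. Everything after this point would then run against the operator's explicit refusal; the later hunks show keyring removal, LUKS re-encryption and passphrase change, and a TPM reset. This reads as test scaffolding and should not be merged: restore `exit 1` in the cancel branch, and if a bypass is needed for testing, gate it behind an explicit, default-off setting.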
@@ -1001,19 +1027,17 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then # Re-ownership of LUKS encrypted Disk: key, content and passphrase echo -e -n "\n\nWould you like to change the current LUKS Disk Recovery Key passphrase?\n (Highly recommended if you didn't install the Operating System yourself, so that past configured passphrase would not permit to access content.\n Note that without re-encrypting disk, a backed up header could be restored to access encrypted content with old passphrase) [y/N]: " - read -n 1 prompt_output + read -r -n 1 prompt_output echo - if [ "$prompt_output" == "y" \ - -o "$prompt_output" == "Y" ]; then + if [ "$prompt_output" == "y" ] || [ "$prompt_output" == "Y" ]; then luks_new_Disk_Recovery_Key_passphrase_desired=1 echo -e "\n" fi echo -e -n "Would you like to re-encrypt LUKS encrypted container and generate new LUKS Disk Recovery Key?\n (Highly recommended if you didn't install the operating system yourself: this would prevent any LUKS backed up header to be restored to access encrypted data) [y/N]: " - read -n 1 prompt_output + read -r -n 1 prompt_output echo - if [ "$prompt_output" == "y" \ - -o "$prompt_output" == "Y" ]; then + if [ "$prompt_output" == "y" ] || [ "$prompt_output" == "Y" ]; then TRACE_FUNC test_luks_current_disk_recovery_key_passphrase luks_new_Disk_Recovery_Key_desired=1 
@@ -1022,18 +1046,15 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then #Prompt to ask if user wants to generate GPG key material in memory or on smartcard echo -e -n "Would you like to format an encrypted USB Thumb drive to store GPG key material?\n (Required to enable GPG authentication) [y/N]: " - read -n 1 prompt_output + read -r -n 1 prompt_output echo - if [ "$prompt_output" == "y" \ - -o "$prompt_output" == "Y" ] \ - ; then + if [ "$prompt_output" == "y" ] || [ "$prompt_output" == "Y" ]; then GPG_GEN_KEY_IN_MEMORY="y" echo " ++++ Master key and subkeys will be generated in memory, backed up to dedicated LUKS container +++" echo -e -n "Would you like in-memory generated subkeys to be copied to USB Security dongle's OpenPGP smartcard?\n (Highly recommended so the smartcard is used on daily basis and backup is kept safe, but not required) [Y/n]: " - read -n 1 prompt_output + read -r -n 1 prompt_output echo - if [ "$prompt_output" == "n" \ - -o "$prompt_output" == "N" ]; then + if [ "$prompt_output" == "n" ] || [ "$prompt_output" == "N" ]; then warn "Subkeys will NOT be copied to USB Security dongle's OpenPGP smartcard" warn "Your GPG key material backup thumb drive should be cloned to a second thumb drive for redundancy for production environements" GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD="n" @@ -1052,7 +1073,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then # based on previous answers CUSTOM_PASS_AFFECTED_COMPONENTS="\n" # Adapt message to be given to user in terms of security components that will be applied. - if [ -n "$luks_new_Disk_Recovery_Key_passphrase_desired" -o -n "$luks_new_Disk_Recovery_Key_passphrase" ]; then + if [ -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ] || [ -n "$luks_new_Disk_Recovery_Key_passphrase" ]; then CUSTOM_PASS_AFFECTED_COMPONENTS+="LUKS Disk Recovery Key passphrase\n" fi if [ "$CONFIG_TPM" = "y" ]; then 
@@ -1063,7 +1084,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then fi CUSTOM_PASS_AFFECTED_COMPONENTS+="GPG Admin PIN\n" # Only show GPG User PIN as affected component if GPG_GEN_KEY_IN_MEMORY not requested or GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD is - if [ "$GPG_GEN_KEY_IN_MEMORY" = "n" -o "$GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD" = "y" ]; then + if [ "$GPG_GEN_KEY_IN_MEMORY" = "n" ] || [ "$GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD" = "y" ]; then CUSTOM_PASS_AFFECTED_COMPONENTS+="GPG User PIN\n" fi @@ -1074,14 +1095,13 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then # Prompt to change default passwords echo -e -n "Would you like to set a single custom password to all previously stated security components? [y/N]: " - read -n 1 prompt_output + read -r -n 1 prompt_output echo - if [ "$prompt_output" == "y" \ - -o "$prompt_output" == "Y" ]; then + if [ "$prompt_output" == "y" ] || [ "$prompt_output" == "Y" ]; then echo -e "\nThe chosen custom password must be between 8 and $MAX_HOTP_GPG_PIN_LENGTH characters in length." while [[ ${#CUSTOM_SINGLE_PASS} -lt 8 ]] || [[ ${#CUSTOM_SINGLE_PASS} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do echo -e -n "Enter the custom password: " - read CUSTOM_SINGLE_PASS + read -r CUSTOM_SINGLE_PASS done echo TPM_PASS=${CUSTOM_SINGLE_PASS} 
@@ -1098,31 +1118,30 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then MAKE_USER_RECORD_PASSPHRASES= else echo -e -n "Would you like to set distinct PINs/passwords to configure previously stated security components? [y/N]: " - read -n 1 prompt_output + read -r -n 1 prompt_output echo - if [ "$prompt_output" == "y" \ - -o "$prompt_output" == "Y" ]; then + if [ "$prompt_output" == "y" ] || [ "$prompt_output" == "Y" ]; then echo -e "\nThe TPM Owner Password and Admin PIN must be at least 8, the User PIN at least 6 characters in length.\n" echo if [ "$CONFIG_TPM" = "y" ]; then while [[ ${#TPM_PASS} -lt 8 ]]; do echo -e -n "Enter desired TPM Owner Password: " - read TPM_PASS + read -r TPM_PASS done fi while [[ ${#ADMIN_PIN} -lt 6 ]] || [[ ${#ADMIN_PIN} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do echo -e -n "\nThis PIN should be between 6 to $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n" echo -e -n "Enter desired GPG Admin PIN: " - read ADMIN_PIN + read -r ADMIN_PIN done #USER PIN not required in case of GPG_GEN_KEY_IN_MEMORY not requested of if GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD is # That is, if keys were NOT generated in memory (on smartcard only) or # if keys were generated in memory but are to be moved from local keyring to smartcard - if [ "$GPG_GEN_KEY_IN_MEMORY" = "n" -o "$GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD" = "y" ]; then + if [ "$GPG_GEN_KEY_IN_MEMORY" = "n" ] || [ "$GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD" = "y" ]; then while [[ ${#USER_PIN} -lt 6 ]] || [[ ${#USER_PIN} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do echo -e -n "\nThis PIN should be between 6 to $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n" echo -e -n "Enter desired GPG User PIN: " - read USER_PIN + read -r USER_PIN done fi echo 
@@ -1132,7 +1151,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then fi fi - if [ -n "$luks_new_Disk_Recovery_Key_passphrase_desired" -a -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then + if [ -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ] && [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then # We catch here if changing LUKS Disk Recovery Key passphrase was desired # but yet undone. This is if not being covered by the single password echo -e "\nEnter desired replacement for current LUKS Disk Recovery Key passphrase (At least 8 characters long):" @@ -1149,10 +1168,9 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then # Prompt to change default GnuPG key information echo -e -n "Would you like to set custom user information for the GnuPG key? [y/N]: " - read -n 1 prompt_output + read -r -n 1 prompt_output echo - if [ "$prompt_output" == "y" \ - -o "$prompt_output" == "Y" ]; then + if [ "$prompt_output" == "y" ] || [ "$prompt_output" == "Y" ]; then echo -e "\n\n" echo -e "We will generate a GnuPG (PGP) keypair identifiable with the following text form:" echo -e "Real Name (Comment) email@address.org" @@ -1162,7 +1180,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then echo -e "\nEnter your email@adress.org:" read -r GPG_USER_MAIL - while ! $(expr "$GPG_USER_MAIL" : '.*@' >/dev/null); do + while ! expr "$GPG_USER_MAIL" : '.*@' >/dev/null; do { echo -e "\nEnter your email@address.org:" read -r GPG_USER_MAIL 
@@ -1194,16 +1212,14 @@ if [ "$ADMIN_PIN" == "" ]; then ADMIN_PIN=${ADMIN_PIN_DEF}; fi if [ "$GPG_GEN_KEY_IN_MEMORY" = "n" ]; then # Prompt to insert USB drive if desired echo -e -n "\nWould you like to export your public key to an USB drive? [y/N]: " - read -n 1 prompt_output + read -r -n 1 prompt_output echo - if [ "$prompt_output" == "y" \ - -o "$prompt_output" == "Y" ] \ - ; then + if [ "$prompt_output" == "y" ] || [ "$prompt_output" == "Y" ]; then GPG_EXPORT=1 # mount USB over /media only if not already mounted if ! grep -q /media /proc/mounts; then # mount USB in rw - if ! mount-usb --mode rw 2>/tmp/error; then + if ! mount-usb.sh --mode rw 2>/tmp/error; then ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Unable to mount USB on /media:\n\n${ERROR}" fi @@ -1216,16 +1232,16 @@ if [ "$GPG_GEN_KEY_IN_MEMORY" = "n" ]; then fi else GPG_EXPORT=0 - # needed for USB Security dongle below and is ensured via mount-usb in case of GPG_EXPORT=1 + # needed for USB Security dongle below and is ensured via mount-usb.sh in case of GPG_EXPORT=1 enable_usb fi fi # ensure USB Security dongle connected if GPG_GEN_KEY_IN_MEMORY=n or if GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD=y -if [ "$GPG_GEN_KEY_IN_MEMORY" = "n" -o "$GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD" = "y" ]; then +if [ "$GPG_GEN_KEY_IN_MEMORY" = "n" ] || [ "$GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD" = "y" ]; then enable_usb if ! gpg --card-status >/dev/null 2>&1; then - local_whiptail_error "Can't access USB Security dongle; \nPlease remove and reinsert, then press Enter." + whiptail_error --msgbox "Can't access USB Security dongle; \nPlease remove and reinsert, then press Enter." $HEIGHT $WIDTH --title "Error" if ! gpg --card-status >/dev/null 2>/tmp/error; then ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Unable to detect USB Security dongle:\n\n${ERROR}" 
@@ -1240,54 +1256,67 @@ assert_signable # Action time... +DEBUG "Starting action time" + # clear gpg-agent cache so that next gpg calls doesn't have past keyring in memory +DEBUG "Clearing gpg-agent cache" killall gpg-agent >/dev/null 2>&1 || true # clear local keyring +DEBUG "Clearing local keyring" rm -rf /.gnupg/*.kbx /.gnupg/*.gpg >/dev/null 2>&1 || true # detect and set /boot device +DEBUG "Detecting and setting boot device" echo -e "\nDetecting and setting boot device...\n" if ! detect_boot_device; then SKIP_BOOT="y" + DEBUG "Boot device detection failed, skipping boot operations" else echo -e "Boot device set to $CONFIG_BOOT_DEV\n" fi # update configs +DEBUG "Updating configs" if [[ "$SKIP_BOOT" == "n" ]]; then replace_config /etc/config.user "CONFIG_BOOT_DEV" "$CONFIG_BOOT_DEV" combine_configs fi -if [ -n "$luks_new_Disk_Recovery_Key_desired" -a -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then +DEBUG "Handling LUKS operations" +if [ -n "$luks_new_Disk_Recovery_Key_desired" ] && [ -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then #Reencryption of disk, LUKS Disk Recovery Key and LUKS Disk Recovery Key passphrase change is requested luks_reencrypt luks_change_passphrase -elif [ -n "$luks_new_Disk_Recovery_Key_desired" -a -z "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then +elif [ -n "$luks_new_Disk_Recovery_Key_desired" ] && [ -z "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then #Reencryption of disk was requested but not passphrase change luks_reencrypt -elif [ -z "$luks_new_Disk_Recovery_Key_desired" -a -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then +elif [ -z "$luks_new_Disk_Recovery_Key_desired" ] && [ -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then #Passphrase change is requested without disk reencryption luks_change_passphrase fi ## reset TPM and set password +DEBUG "Resetting TPM" if [ "$CONFIG_TPM" = "y" ]; then echo -e "\nResetting TPM...\n" - tpmr reset "$TPM_PASS" >/dev/null 2>/tmp/error 
+ tpmr.sh reset "$TPM_PASS" >/dev/null 2>/tmp/error fi +# shellcheck disable=SC2181 if [ $? -ne 0 ]; then ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Error resetting TPM:\n\n${ERROR}" fi # clear local keyring +DEBUG "Clearing local keyring again" rm /.gnupg/*.gpg 2>/dev/null rm /.gnupg/*.kbx 2>/dev/null # initialize gpg wth empty keyring +DEBUG "Initializing empty keyring" gpg --list-keys >/dev/null 2>&1 #Generate keys in memory and copy to smartcard +DEBUG "Generating GPG keys" if [ "$GPG_GEN_KEY_IN_MEMORY" = "y" ]; then # Reset Nitrokey 3 Secrets app before generating keys in memory reset_nk3_secret_app @@ -1316,20 +1345,23 @@ else fi # Obtain GPG key ID +DEBUG "Obtaining GPG key ID" GPG_GEN_KEY=$(gpg --list-keys --with-colons | grep "^fpr" | cut -d: -f10 | head -n1) #Where to export the public key PUBKEY="/tmp/${GPG_GEN_KEY}.asc" # export pubkey to file +DEBUG "Exporting public key to file" if ! gpg --export --armor "$GPG_GEN_KEY" >"${PUBKEY}" 2>/tmp/error; then ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "GPG Key gpg export to file failed!\n\n$ERROR" fi #Applying custom GPG PINs to the smartcard if they were provided -if [ "$GPG_GEN_KEY_IN_MEMORY" = "n" -o "$GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD" = "y" ]; then +DEBUG "Applying custom GPG PINs" +if [ "$GPG_GEN_KEY_IN_MEMORY" = "n" ] || [ "$GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD" = "y" ]; then #Only apply smartcard PIN change if smartcard only or if keytocard op is expected next - if [ "${USER_PIN}" != "${USER_PIN_DEF}" -o "${ADMIN_PIN}" != "${ADMIN_PIN_DEF}" ]; then + if [ "${USER_PIN}" != "${USER_PIN_DEF}" ] || [ "${ADMIN_PIN}" != "${ADMIN_PIN_DEF}" ]; then echo -e "\nChanging default GPG Admin PIN\n" gpg_key_change_pin "3" "${ADMIN_PIN_DEF}" "${ADMIN_PIN}" echo -e "\nChanging default GPG User PIN\n" 
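Review bot: The `$?` test placed after the `fi` that closes the `CONFIG_TPM` block only sees the status of `tpmr.sh reset` while nothing is ever inserted between the two, and the new `# shellcheck disable=SC2181` hides that coupling instead of removing it. Testing the command directly inside the block, `if ! tpmr.sh reset "$TPM_PASS" >/dev/null 2>/tmp/error; then`, with the `whiptail_error_die` call moved under it, keeps a failed TPM reset from going unnoticed once more `DEBUG` lines are added here. `DEBUG "Resetting TPM"` is also logged on boards where `CONFIG_TPM` is not `y`, so it belongs inside the `if`.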
@@ -1338,6 +1370,7 @@ if [ "$GPG_GEN_KEY_IN_MEMORY" = "n" -o "$GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD fi ## export pubkey to USB +DEBUG "Exporting public key to USB" if [ "$GPG_EXPORT" != "0" ]; then echo -e "\nExporting generated key to USB...\n" # copy to USB @@ -1349,11 +1382,13 @@ if [ "$GPG_EXPORT" != "0" ]; then fi # ensure key imported locally -if ! cat "$PUBKEY" | DO_WITH_DEBUG gpg --import >/dev/null 2>/tmp/error; then +DEBUG "Importing GPG key locally" +if ! DO_WITH_DEBUG gpg --import < "$PUBKEY" >/dev/null 2>/tmp/error; then ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Error importing GPG key:\n\n$ERROR" fi # update /.gnupg/trustdb.gpg to ultimately trust all user provided public keys +DEBUG "Updating GPG trust database" if ! gpg --list-keys --fingerprint --with-colons 2>/dev/null | sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' | gpg --import-ownertrust >/dev/null 2>/tmp/error; then @@ -1367,6 +1402,7 @@ fi # Do not attempt to flash the key to ROM if we are running in QEMU based on CONFIG_BOARD_NAME matching glob pattern containing qemu-* # We check for qemu-* instead of ^qemu- because CONFIG_BOARD_NAME could be renamed to UNTESTED-qemu-* in a probable future +DEBUG "Checking if running in QEMU" if [[ "$CONFIG_BOARD_NAME" == qemu-* ]]; then warn "Skipping flash of GPG key to ROM because we are running in QEMU without internal flashing support." warn "Please review boards/qemu*/qemu*.md documentation to extract public key from raw disk and inject at build time" 
@@ -1383,26 +1419,26 @@ else fi # clear any existing heads/gpg files from current firmware - for i in $(cbfs.sh -o /tmp/oem-setup.rom -l | grep -e "heads/"); do - cbfs.sh -o /tmp/oem-setup.rom -d "$i" + for i in $(cbfs.sh || /tmp/oem-setup.rom -l | grep -e "heads/"); do + cbfs.sh || /tmp/oem-setup.rom -d "$i" done # add heads/gpg files to current firmware if [ -e /.gnupg/pubring.kbx ]; then - cbfs.sh -o /tmp/oem-setup.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx + cbfs.sh || /tmp/oem-setup.rom && "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx if [ -e /.gnupg/pubring.gpg ]; then rm /.gnupg/pubring.gpg fi elif [ -e /.gnupg/pubring.gpg ]; then - cbfs.sh -o /tmp/oem-setup.rom -a "heads/initrd/.gnupg/pubring.gpg" -f /.gnupg/pubring.gpg + cbfs.sh || /tmp/oem-setup.rom && "heads/initrd/.gnupg/pubring.gpg" -f /.gnupg/pubring.gpg fi if [ -e /.gnupg/trustdb.gpg ]; then - cbfs.sh -o /tmp/oem-setup.rom -a "heads/initrd/.gnupg/trustdb.gpg" -f /.gnupg/trustdb.gpg + cbfs.sh || /tmp/oem-setup.rom && "heads/initrd/.gnupg/trustdb.gpg" -f /.gnupg/trustdb.gpg fi # persist user config changes (boot device) if [ -e /etc/config.user ]; then - cbfs.sh -o /tmp/oem-setup.rom -a "heads/initrd/etc/config.user" -f /etc/config.user + cbfs.sh || /tmp/oem-setup.rom && "heads/initrd/etc/config.user" -f /etc/config.user fi # flash updated firmware image 
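Review bot: Every `cbfs.sh` call in this hunk lost its options: `-o /tmp/oem-setup.rom` became `|| /tmp/oem-setup.rom` and `-a` became `&&`, which looks like the `[ ... -o ... ]` cleanup applied to command arguments. As written, `cbfs.sh` runs with no arguments, and when it fails the shell goes on to execute the ROM path (and, on the add lines, the `heads/initrd/...` name) as a command. The old `heads/` entries are therefore not removed, and the new keyring, trustdb and `config.user` are not added to the image that is flashed next. All six lines should return to the form `cbfs.sh -o /tmp/oem-setup.rom -d "$i"` and `cbfs.sh -o /tmp/oem-setup.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx`. The enclosing `else` branch starts and ends outside the hunk.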
@@ -1414,16 +1450,18 @@ else fi ## sign files in /boot and generate checksums +DEBUG "Signing files in /boot and generating checksums" if [[ "$SKIP_BOOT" == "n" ]]; then echo -e "\nUpdating checksums and signing all files in /boot...\n" generate_checksums fi # passphrases set to be empty first +DEBUG "Preparing passphrase output" passphrases="" # Prepare whiptail output of configured secrets -if [ -n "$luks_new_Disk_Recovery_Key_passphrase" -o -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then +if [ -n "$luks_new_Disk_Recovery_Key_passphrase" ] || [ -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then passphrases+="LUKS Disk Recovery Key passphrase: ${luks_new_Disk_Recovery_Key_passphrase}\n" fi @@ -1439,7 +1477,7 @@ fi #GPG PINs output passphrases+="GPG Admin PIN: ${ADMIN_PIN}\n" #USER PIN was configured if GPG_GEN_KEY_IN_MEMORY is not active or if GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD is active -if [ "$GPG_GEN_KEY_IN_MEMORY" = "n" -o "$GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD" = "y" ]; then +if [ "$GPG_GEN_KEY_IN_MEMORY" = "n" ] || [ "$GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD" = "y" ]; then passphrases+="GPG User PIN: ${USER_PIN}\n" fi @@ -1449,6 +1487,7 @@ if [ "$GPG_GEN_KEY_IN_MEMORY" = "y" ]; then fi # Show configured secrets in whiptail and loop until user confirms qr code was scanned +DEBUG "Showing configured secrets" while true; do whiptail --msgbox "$(echo -e "$passphrases" | fold -w $((WIDTH - 5)))" \ $HEIGHT $WIDTH --title "Configured secrets" 
@@ -1462,14 +1501,15 @@ while true; do qrenc "$(echo -e "$passphrases")" # Prompt user to confirm scanning of qrcode on console prompt not whiptail: y/n echo -e -n "Please confirm you have scanned the QR code above and/or written down the secrets? [y/N]: " - read -n 1 prompt_output + read -r -n 1 prompt_output echo - if [ "$prompt_output" == "y" -o "$prompt_output" == "Y" ]; then + if [ "$prompt_output" == "y" ] || [ "$prompt_output" == "Y" ]; then break fi done -## all done -- reboot +## all done -- reboot.sh +DEBUG "OEM factory reset completed" whiptail --msgbox " OEM Factory Reset / Re-Ownership has completed successfully\n\n After rebooting, you will need to generate new TOTP/HOTP secrets\n @@ -1482,4 +1522,4 @@ luks_secrets_cleanup unset luks_passphrase_changed unset tpm_owner_password_changed -reboot +reboot.sh diff --git a/initrd/bin/oem-system-info-xx30 b/initrd/bin/oem-system-info-xx30.sh similarity index 67% rename from initrd/bin/oem-system-info-xx30 rename to initrd/bin/oem-system-info-xx30.sh index 41f57d278..1d8b7f8ae 100755 --- a/initrd/bin/oem-system-info-xx30 +++ b/initrd/bin/oem-system-info-xx30.sh @@ -2,12 +2,15 @@ # System Info BOARD_NAME=${CONFIG_BOARD_NAME:-${CONFIG_BOARD}} -MAIN_MENU_TITLE="${BOARD_NAME} | Extended System Information" export BG_COLOR_MAIN_MENU="normal" -. /etc/functions -. /etc/gui_functions -. /etc/luks-functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh +# shellcheck source=initrd/etc/gui_functions.sh +. /etc/gui_functions.sh +# shellcheck source=initrd/etc/luks-functions.sh +. /etc/luks-functions.sh +# shellcheck disable=SC1091 . /tmp/config TRACE_FUNC 
@@ -37,18 +40,19 @@ known_devices="$(echo -e "Camera: ${camera}\nBluetooth: ${bluetooth}\nWifi: ${wi echo -e "PCI USB" >/tmp/devices_usb_pci for l in $(seq 16); do - row1="$(echo "$pci" | sed -n ${l}p | cut -d " " -f 5)" - row2="$(echo "$usb" | sed -n ${l}p | cut -d " " -f 6)" - row3="$(echo "$known_devices" | sed -n ${l}p)" + row1="$(echo "$pci" | sed -n "${l}"p | cut -d " " -f 5)" + row2="$(echo "$usb" | sed -n "${l}"p | cut -d " " -f 6)" + row3="$(echo "$known_devices" | sed -n "${l}"p)" echo "${row1} | ${row2} ${row3}" >>/tmp/devices_usb_pci done -memtotal=$(cat /proc/meminfo | grep 'MemTotal' | tr -s ' ' | cut -f2 -d ' ') -memtotal=$((${memtotal} / 1024 / 1024 + 1)) -cpustr=$(cat /proc/cpuinfo | grep 'model name' | uniq | sed -r 's/\(R\)//;s/\(TM\)//;s/CPU //;s/model name.*: //') +memtotal=$(grep 'MemTotal' /proc/meminfo | tr -s ' ' | cut -f2 -d ' ') +memtotal=$((memtotal / 1024 / 1024 + 1)) +cpustr=$(grep 'model name' /proc/cpuinfo | uniq | sed -r 's/\(R\)//;s/\(TM\)//;s/CPU //;s/model name.*: //') kernel=$(uname -s -r) FB_OPTIONS="" if whiptail --version | grep "fbwhiptail"; then FB_OPTIONS="--text-size 12"; fi -whiptail_type $BG_COLOR_MAIN_MENU $FB_OPTIONS --title 'System Info' \ +# shellcheck disable=SC2086 +whiptail_type $BG_COLOR_MAIN_MENU "$FB_OPTIONS" --title 'System Info' \ --msgbox "${BOARD_NAME}\nFW_VER: ${FW_VER}\nKernel: ${kernel}\nCPU: ${cpustr} RAM: ${memtotal} GB $battery_status\n$(fdisk -l | grep -e '/dev/sd.:' -e '/dev/nvme.*:' | sed 's/B,.*/B/')\n\n$(cat /tmp/devices_usb_pci)" 0 80 diff --git a/initrd/bin/poweroff b/initrd/bin/poweroff.sh similarity index 76% rename from initrd/bin/poweroff rename to initrd/bin/poweroff.sh index bbf0a7496..812ce2497 100755 --- a/initrd/bin/poweroff +++ b/initrd/bin/poweroff.sh 
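Review bot: Quoting `"$FB_OPTIONS"` on the `whiptail_type` line changes the argument list: with fbwhiptail it passes `--text-size 12` as a single word, and otherwise it passes an empty-string argument. The `# shellcheck disable=SC2086` added just above suggests the word splitting was meant to stay. Either keep `$FB_OPTIONS` unquoted under that directive, or turn it into an array with `FB_OPTIONS=()`, `FB_OPTIONS=(--text-size 12)` and `"${FB_OPTIONS[@]}"`.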
@@ -1,11 +1,12 @@ #!/bin/bash -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh TRACE_FUNC # Shut down TPM if [ "$CONFIG_TPM" = "y" ]; then - tpmr shutdown + tpmr.sh shutdown fi # Sync all mounted filesystems diff --git a/initrd/bin/qubes-measure-luks b/initrd/bin/qubes-measure-luks.sh similarity index 69% rename from initrd/bin/qubes-measure-luks rename to initrd/bin/qubes-measure-luks.sh index fc6ef2227..bf7330f8e 100755 --- a/initrd/bin/qubes-measure-luks +++ b/initrd/bin/qubes-measure-luks.sh @@ -1,16 +1,17 @@ #!/bin/bash # Measure all of the LUKS Disk Encryption headers into # a PCR so that we can detect disk swap attacks. -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh TRACE_FUNC -DEBUG "Arguments passed to qubes-measure-luks: $@" +DEBUG "Arguments passed to qubes-measure-luks.sh: $*" # Measure the LUKS headers into PCR 6 for dev in "$@"; do DEBUG "Storing LUKS header for $dev into /tmp/lukshdr-$(echo "$dev" | sed 's/\//_/g')" - cryptsetup luksHeaderBackup $dev \ - --header-backup-file /tmp/lukshdr-$(echo "$dev" | sed 's/\//_/g') || + cryptsetup luksHeaderBackup "$dev" \ + --header-backup-file "/tmp/lukshdr-$(echo "$dev" | sed 's/\//_/g')" || die "$dev: Unable to read LUKS header" done @@ -21,5 +22,5 @@ rm /tmp/lukshdr-* TRACE_FUNC INFO "TPM: Extending PCR[6] with hash of LUKS headers from /tmp/luksDump.txt" -tpmr extend -ix 6 -if /tmp/luksDump.txt || +tpmr.sh extend -ix 6 -if /tmp/luksDump.txt || die "Unable to extend PCR" diff --git a/initrd/bin/reboot b/initrd/bin/reboot.sh similarity index 85% rename from initrd/bin/reboot rename to initrd/bin/reboot.sh index 490003d03..c821f3192 100755 --- a/initrd/bin/reboot +++ b/initrd/bin/reboot.sh @@ -1,10 +1,11 @@ #!/bin/bash -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh TRACE_FUNC # Shut down TPM if [ "$CONFIG_TPM" = "y" ]; then - tpmr shutdown + tpmr.sh shutdown fi # Sync all mounted filesystems 
@@ -29,9 +30,13 @@ fi # Use busybox reboot explicitly (symlinks removed to avoid conflicts) if busybox --help 2>&1 | grep -q reboot; then DEBUG "Using busybox reboot syscall for orderly shutdown" + INFO "Rebooting with busybox reboot..." + sleep 1 busybox reboot -f else # Fallback to sysrq if busybox doesn't have reboot support DEBUG "Busybox reboot not available, falling back to sysrq" + INFO "Rebooting through 'echo b > /proc/sysrq-trigger'..." + sleep 1 echo b > /proc/sysrq-trigger fi diff --git a/initrd/bin/root-hashes-gui.sh b/initrd/bin/root-hashes-gui.sh index 67881f554..ae58082b7 100755 --- a/initrd/bin/root-hashes-gui.sh +++ b/initrd/bin/root-hashes-gui.sh @@ -6,11 +6,18 @@ CONFIG_ROOT_DIRLIST="bin boot lib sbin usr" HASH_FILE="/boot/kexec_root_hashes.txt" ROOT_MOUNT="/root" -. /etc/functions -. /etc/gui_functions +# shellcheck source=initrd/etc/functions.sh +# Note: For shellcheck and runtime, sourced files are under initrd/etc. +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh +# shellcheck source=initrd/etc/gui_functions.sh +. /etc/gui_functions.sh +# shellcheck disable=SC1091 +# /tmp/config is generated at runtime and cannot be followed by shellcheck . /tmp/config -export CONFIG_ROOT_DIRLIST_PRETTY=$(echo $CONFIG_ROOT_DIRLIST | sed -e 's/^/\//;s/ / \//g') +CONFIG_ROOT_DIRLIST_PRETTY=$(echo "$CONFIG_ROOT_DIRLIST" | sed -e 's/^/\//;s/ / \//g') +export CONFIG_ROOT_DIRLIST_PRETTY update_root_checksums() { if ! detect_root_device; then @@ -34,6 +41,7 @@ update_root_checksums() { echo "+++ Calculating hashes for all files in $CONFIG_ROOT_DIRLIST_PRETTY " # Intentional wordsplit # shellcheck disable=SC2086 + # SC2086: CONFIG_ROOT_DIRLIST is intentionally unquoted to allow for option expansion. (cd "$ROOT_MOUNT" && find ${CONFIG_ROOT_DIRLIST} -type f ! -name '*kexec*' -print0 | xargs -0 sha256sum) >"${HASH_FILE}" # switch back to ro mode 
@@ -79,8 +87,11 @@ check_root_checksums() { fi echo "+++ Checking root hash file signature " - if ! sha256sum `find /boot/kexec*.txt` | gpgv /boot/kexec.sig - > /tmp/hash_output; then - ERROR=`cat /tmp/hash_output` + read -r -a files <<< "$(find /boot/kexec*.txt)" + if ! sha256sum "${files[@]}" | gpgv.sh /boot/kexec.sig - > /tmp/hash_output; then + # shellcheck disable=SC2034 + # SC2034: ERROR is intentionally unused for compatibility with legacy scripts. + ERROR=$(cat /tmp/hash_output) whiptail_error --title 'ERROR: Signature Failure' \ --msgbox "The signature check on hash files failed:\n${CHANGED_FILES}\nExiting to a recovery shell" 0 80 unmount_root_device @@ -88,7 +99,7 @@ check_root_checksums() { fi echo "+++ Checking for new files in $CONFIG_ROOT_DIRLIST_PRETTY " - (cd "$ROOT_MOUNT" && find ${CONFIG_ROOT_DIRLIST} -type f ! -name '*kexec*') | sort > /tmp/new_file_list + (cd "$ROOT_MOUNT" && find "${CONFIG_ROOT_DIRLIST}" -type f ! -name '*kexec*') | sort > /tmp/new_file_list cut -d' ' -f3- ${HASH_FILE} | sort | diff -U0 - /tmp/new_file_list > /tmp/new_file_diff || new_files_found=y if [ "$new_files_found" == "y" ]; then grep -E -v '^[+-]{3}|[@]{2} ' /tmp/new_file_diff > /tmp/new_file_diff2 # strip any output that's not a file @@ -106,6 +117,8 @@ check_root_checksums() { echo "+++ Checking hashes for all files in $CONFIG_ROOT_DIRLIST_PRETTY (this might take a while) " if (cd $ROOT_MOUNT && sha256sum -c ${HASH_FILE} > /tmp/hash_output 2>/dev/null); then echo "+++ Verified root hashes " + # shellcheck disable=SC2034 + # SC2034: valid_hash is intentionally unused for compatibility with legacy scripts. valid_hash='y' unmount_root_device 
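Review bot: `read -r -a files <<< "$(find /boot/kexec*.txt)"` reads only the first line of the `find` output, so `sha256sum` now hashes a single file where the backtick form hashed every `/boot/kexec*.txt`. When more than one file matches, the digest list piped to `gpgv.sh` no longer matches what was signed, so the signature check fails every time instead of verifying anything. `mapfile -t files < <(find /boot/kexec*.txt)` keeps one array element per file. Separately, `ERROR` is captured but the dialog prints `${CHANGED_FILES}`; printing `${ERROR}` there looks like the intent, rather than suppressing SC2034. check_root_checksums starts and ends outside the hunk.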
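Review bot: `find "${CONFIG_ROOT_DIRLIST}"` passes the whole list (`bin boot lib sbin usr` by default) as one path, so `find` fails and `/tmp/new_file_list` comes out empty. The new-file comparison against `${HASH_FILE}` then no longer reflects what is on the root filesystem. update_root_checksums keeps the list unquoted under `# shellcheck disable=SC2086`; this line should do the same, or the list should be split once into an array and used as `"${dirs[@]}"` in both places.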
@@ -256,6 +269,7 @@ open_root_device_no_clean_up() { # The filesystem must have all of the directories configured. (Intentional # word-split) # shellcheck disable=SC2086 + # SC2086: CONFIG_ROOT_DIRLIST is intentionally unquoted to allow for option expansion. if ! (cd "$ROOT_MOUNT" && ls -d $CONFIG_ROOT_DIRLIST &>/dev/null); then DEBUG "Root filesystem on $DEVICE lacks one of the configured directories: $CONFIG_ROOT_DIRLIST" return 1 @@ -370,14 +384,14 @@ detect_root_device() fdisk -l 2>/dev/null | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" > /tmp/disklist # filter out extraneous options - > /tmp_root_device_list + true > /tmp_root_device_list while IFS= read -r -u 10 i; do # remove block device from list if numeric partitions exist - DEV_NUM_PARTITIONS=$((`ls -1 $i* | wc -l`-1)) + DEV_NUM_PARTITIONS=$(($(find "$i"* -maxdepth 0 -type b | wc -l)-1)) if [ ${DEV_NUM_PARTITIONS} -eq 0 ]; then - echo $i >> /tmp_root_device_list + echo "$i" >> /tmp_root_device_list else - ls $i* | tail -${DEV_NUM_PARTITIONS} >> /tmp_root_device_list + find "$i"* | tail -${DEV_NUM_PARTITIONS} >> /tmp_root_device_list fi done 10"$HOTP_SECRET" || die "Reading ROM failed" fi +DEBUG "Initializing HOTP on USB Security dongle (no TPM sealing for HOTP)" + # Store counter in file instead of TPM for now, as it conflicts with Heads # config TPM counter as TPM 1.2 can only increment one counter between reboots # get current value of HOTP counter in TPM, create if absent @@ -67,7 +73,7 @@ DO_WITH_DEBUG killall gpg-agent scdaemon >/dev/null 2>&1 || true # many PIN attempts remain if ! hotp_token_info="$(hotp_verification info)"; then echo -e "\nInsert your $HOTPKEY_BRANDING and press Enter to configure it" - read + read -r if ! hotp_token_info="$(hotp_verification info)"; then # don't leak key on failure shred -n 10 -z -u "$HOTP_SECRET" 2>/dev/null 
@@ -146,18 +152,13 @@ if [ "$admin_pin_status" -ne 0 ]; then # prompt user for PIN and retry read -r -s -p $'\nEnter your '"$HOTPKEY_BRANDING $prompt_message"' PIN: ' admin_pin echo - hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" - if [ $? -ne 0 ]; then - read -r -s -p $'\nError setting HOTP secret, re-enter '"$prompt_message"' PIN and try again: ' admin_pin - echo - if ! hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING"; then - # don't leak key on failure - shred -n 10 -z -u "$HOTP_SECRET" 2>/dev/null - if [ "$HOTPKEY_BRANDING" == "Nitrokey" ]; then - die "Setting HOTP secret failed, to reset $prompt_message PIN, redo Re-Ownership procedure, use the Nitrokey App 2 or contact Nitrokey support" - else - die "Setting HOTP secret failed" - fi + if ! hotp_initialize "$admin_pin" "$HOTP_SECRET" "$counter_value" "$HOTPKEY_BRANDING"; then + # don't leak key on failure + shred -n 10 -z -u "$HOTP_SECRET" 2>/dev/null + if [ "$HOTPKEY_BRANDING" == "Nitrokey" ]; then + die "Setting HOTP secret failed, to reset $prompt_message PIN, redo Re-Ownership procedure, use the Nitrokey App 2 or contact Nitrokey support" + else + die "Setting HOTP secret failed" fi fi else @@ -176,12 +177,12 @@ shred -n 10 -z -u "$HOTP_SECRET" 2>/dev/null mount -o remount,rw /boot -counter_value=$(expr $counter_value + 1) -echo $counter_value >$HOTP_COUNTER || +counter_value=$((counter_value + 1)) +echo "$counter_value" >"$HOTP_COUNTER" || die "Unable to create hotp counter file" # Store/overwrite HOTP USB Security dongle branding found out beforehand -echo $HOTPKEY_BRANDING >$HOTP_KEY || +echo "$HOTPKEY_BRANDING" >"$HOTP_KEY" || die "Unable to store hotp key file" #sha256sum /tmp/counter-$counter > $HOTP_COUNTER \ @@ -189,6 +190,6 @@ echo $HOTPKEY_BRANDING >$HOTP_KEY || mount -o remount,ro /boot echo -e "\n$HOTPKEY_BRANDING initialized successfully. Press Enter to continue." -read +read -r exit 0 
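Review bot: This rewrite removes the second PIN prompt: a single failed `hotp_initialize` now shreds `$HOTP_SECRET` and calls `die`, where the old code asked for the PIN once more before giving up. That is a behavior change folded into a quoting cleanup. If it is deliberate, a comment such as `# single attempt only: do not re-prompt after a failed hotp_initialize` would record the decision. Otherwise the retry should be kept in the `if ! hotp_initialize ...; then read ...; if ! hotp_initialize ...; then` shape. The enclosing `if [ "$admin_pin_status" -ne 0 ]` continues outside the hunk.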
diff --git a/initrd/bin/seal-totp b/initrd/bin/seal-totp.sh similarity index 79% rename from initrd/bin/seal-totp rename to initrd/bin/seal-totp.sh index 3c593d697..06396c965 100755 --- a/initrd/bin/seal-totp +++ b/initrd/bin/seal-totp.sh @@ -5,7 +5,8 @@ # Pass in a hostname if you want to change it from the default string # -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh TRACE_FUNC 
@@ -28,29 +29,31 @@ dd \ 2>/dev/null || die "Unable to generate 20 random bytes" +DEBUG "Generated random TOTP secret" secret="$(base32 <$TOTP_SECRET)" pcrf="/tmp/secret/pcrf.bin" DEBUG "Sealing TOTP with actual state of PCR0-3" -tpmr pcrread 0 "$pcrf" -tpmr pcrread -a 1 "$pcrf" -tpmr pcrread -a 2 "$pcrf" -tpmr pcrread -a 3 "$pcrf" +tpmr.sh pcrread 0 "$pcrf" +tpmr.sh pcrread -a 1 "$pcrf" +tpmr.sh pcrread -a 2 "$pcrf" +tpmr.sh pcrread -a 3 "$pcrf" DEBUG "Sealing TOTP with boot state of PCR4 (Going to recovery shell extends PCR4)" # pcr 4 is expected to either: # zero on bare coreboot+linuxboot on x86 (boot mode: init) # already extended on ppc64 per BOOTKERNEL (skiboot) which boots heads. # Read from event log to catch both cases, even when called from recovery shell. -tpmr calcfuturepcr 4 >>"$pcrf" +tpmr.sh calcfuturepcr 4 >>"$pcrf" # pcr 5 (kernel modules loaded) is not measured at sealing/unsealing of totp DEBUG "Sealing TOTP neglecting PCR5 involvement (Dynamically loaded kernel modules are not firmware integrity attestation related)" # pcr 6 (drive LUKS header) is not measured at sealing/unsealing of totp DEBUG "Sealing TOTP without PCR6 involvement (LUKS header consistency is not firmware integrity attestation related)" # pcr 7 is containing measurements of user injected stuff in cbfs DEBUG "Sealing TOTP with actual state of PCR7 (User injected stuff in cbfs)" -tpmr pcrread -a 7 "$pcrf" +tpmr.sh pcrread -a 7 "$pcrf" #Make sure we clear the TPM Owner Password from memory in case it failed to be used to seal TOTP -tpmr seal "$TOTP_SECRET" "$TPM_NVRAM_SPACE" 0,1,2,3,4,7 "$pcrf" 312 "" "$TPM_PASSWORD" || - die "Unable to write sealed secret to NVRAM from seal-totp" +tpmr.sh seal "$TOTP_SECRET" "$TPM_NVRAM_SPACE" 0,1,2,3,4,7 "$pcrf" 312 "" "$TPM_PASSWORD" || + die "Unable to write sealed secret to NVRAM from seal-totp.sh" +DEBUG "TOTP secret successfully sealed to TPM NVRAM" #Make sure we clear TPM TOTP sealed if we succeed to seal TOTP shred -n 10 -z -u 
"$TOTP_SEALED" 2>/dev/null diff --git a/initrd/bin/setconsolefont.sh b/initrd/bin/setconsolefont.sh index 63aacc782..7668eea5b 100755 --- a/initrd/bin/setconsolefont.sh +++ b/initrd/bin/setconsolefont.sh @@ -1,7 +1,8 @@ #!/bin/bash set -eo pipefail -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh TRACE_FUNC diff --git a/initrd/bin/talos-init b/initrd/bin/talos-init.sh similarity index 100% rename from initrd/bin/talos-init rename to initrd/bin/talos-init.sh diff --git a/initrd/bin/tpm-reset b/initrd/bin/tpm-reset deleted file mode 100755 index 5049bea02..000000000 --- a/initrd/bin/tpm-reset +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash -. /etc/functions - -echo '*****' -echo '***** WARNING: This will erase all keys and secrets from the TPM' -echo '*****' - -prompt_new_owner_password - -tpmr reset "$tpm_owner_password" diff --git a/initrd/bin/tpm-reset.sh b/initrd/bin/tpm-reset.sh new file mode 100755 index 000000000..8a806fc16 --- /dev/null +++ b/initrd/bin/tpm-reset.sh @@ -0,0 +1,12 @@ +#!/bin/bash +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh + +echo '*****' +echo '***** WARNING: This will erase all keys and secrets from the TPM' +echo '*****' + +prompt_new_owner_password + +tpm_owner_password="${tpm_owner_password:-}" # Ensure variable is assigned +tpmr.sh reset "$tpm_owner_password" diff --git a/initrd/bin/tpmr b/initrd/bin/tpmr.sh similarity index 87% rename from initrd/bin/tpmr rename to initrd/bin/tpmr.sh index 9877419e1..59f44cdf9 100755 --- a/initrd/bin/tpmr +++ b/initrd/bin/tpmr.sh @@ -1,7 +1,8 @@ #!/bin/bash # TPM Wrapper - to unify tpm and tpm2 subcommands -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh SECRET_DIR="/tmp/secret" PRIMARY_HANDLE="0x81000000" @@ -24,8 +25,10 @@ fi set -e -o pipefail if [ -r "/tmp/config" ]; then + # shellcheck disable=SC1091 . /tmp/config else + # shellcheck disable=SC1091 . /etc/config fi 
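Review bot: In the new `tpm-reset.sh`, `tpm_owner_password="${tpm_owner_password:-}"` quiets the unassigned-variable warning by defaulting to an empty string, so if `prompt_new_owner_password` ever returns without setting it, `tpmr.sh reset` is called with an empty owner password. Failing closed is safer for a step that re-owns the TPM: `[ -n "$tpm_owner_password" ] || die "TPM Owner Password was not set"`. This assumes `die` is provided by `/etc/functions.sh`, as the other scripts in this diff use it.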
@@ -46,7 +49,7 @@ tpm2_password_hex() { echo "hex:$(echo -n "$1" | xxd -p | tr -d ' \n')" } -# usage: tpmr pcrread [-a] +# usage: tpmr.sh pcrread [-a] # Reads PCR binary data and writes to file. # -a: Append to file. Default is to overwrite. tpm2_pcrread() { @@ -161,6 +164,7 @@ EOF # awk script to handle all of the above. Note this gets squashed to one line so # semicolons are required. +# shellcheck disable=SC2089,SC2016 AWK_PROG=' BEGIN { getline; @@ -203,7 +207,8 @@ replay_pcr() { echo >&2 "Illegal PCR number ($2)" return fi - local log=$(cbmem -L) + local log + log=$(cbmem -L) local alg="$1" local pcr="$2" local alg_digits=0 
@@ -212,19 +217,21 @@ replay_pcr() { # SHA-256 hashes are 64 chars if [ "$alg" = "sha256" ]; then alg_digits=64; fi shift 2 - replayed_pcr=$(extend_pcr_state $alg $(printf "%.${alg_digits}d" 0) \ - $(echo "$log" | awk -v alg=$alg -v pcr=$pcr -f <(echo $AWK_PROG)) $@) + # shellcheck disable=SC2046,SC2068,SC2086,SC2090 + replayed_pcr=$(extend_pcr_state "$alg" "$(printf "%.${alg_digits}d" 0)" \ + $(echo "$log" | awk -v alg="$alg" -v pcr="$pcr" -f <(echo "$AWK_PROG")) "$@") + # shellcheck disable=SC2086 echo $replayed_pcr | hex2bin DEBUG "Replayed cbmem -L clean boot state of PCR=$pcr ALG=$alg : $replayed_pcr" # To manually introspect current PCR values: # PCR-2: - # tpmr calcfuturepcr 2 | xxd -p + # tpmr.sh calcfuturepcr 2 | xxd -p # PCR-4, in case of recovery shell (bash used for process substitution): - # bash -c "tpmr calcfuturepcr 4 <(echo -n recovery)" | xxd -p - # PCR-4, in case of normal boot passing through kexec-select-boot: - # bash -c "tpmr calcfuturepcr 4 <(echo -n generic)" | xxd -p + # bash -c "tpmr.sh calcfuturepcr 4 <(echo -n recovery)" | xxd -p + # PCR-4, in case of normal boot passing through kexec-select-boot.sh: + # bash -c "tpmr.sh calcfuturepcr 4 <(echo -n generic)" | xxd -p # PCR-5, depending on which modules are loaded for given board: - # tpmr calcfuturepcr 5 module0.ko module1.ko module2.ko | xxd -p + # tpmr.sh calcfuturepcr 5 module0.ko module1.ko module2.ko | xxd -p # PCR-6 and PCR-7: similar to 5, but with different files passed # (6: LUKS header, 7: user related cbfs files loaded from cbfs-init) } @@ -257,7 +264,7 @@ tpm2_extend() { esac done tpm2 pcrextend "$index:sha256=$hash" - INFO $(tpm2 pcrread "sha256:$index" 2>&1) + INFO "$(tpm2 pcrread "sha256:$index" 2>&1)" TRACE_FUNC DEBUG "TPM: Extended PCR[$index] with hash $hash" @@ -276,7 +283,7 @@ tpm2_counter_read() { ;; esac done - echo "$index: $(tpm2 nvread 0x$index | xxd -pc8)" + echo "$index: $(tpm2 nvread 0x"$index" | xxd -pc8)" } tpm2_counter_inc() { 
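Review bot: `-f <(echo "$AWK_PROG")` now hands awk the program with its newlines intact, while the comment above `AWK_PROG` still says it gets squashed to one line, which was only true of the unquoted `echo $AWK_PROG`. The output feeds `calcfuturepcr` and therefore the PCR values that secrets are sealed against, so the replayed value should be compared before and after this change on a real `cbmem -L` log. The comment should be updated to something like `# passed to awk verbatim via -f; semicolons kept so it also works on one line`. The `SC2068,SC2086,SC2090` entries in the directive appear unnecessary now that `"$alg"`, `"$pcr"`, `"$AWK_PROG"` and `"$@"` are quoted. replay_pcr starts outside the hunk.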
@@ -297,12 +304,12 @@ tpm2_counter_inc() { esac done tpm2 nvincrement "0x$index" >/dev/console - echo "$index: $(tpm2 nvread 0x$index | xxd -pc8)" + echo "$index: $(tpm2 nvread 0x"$index" | xxd -pc8)" } tpm1_counter_create() { TRACE_FUNC - # tpmr handles the TPM Owner Password (from cache or prompt), but all + # tpmr.sh handles the TPM Owner Password (from cache or prompt), but all # other parameters for TPM1 are passed directly, and TPM2 mimics the # TPM1 interface. prompt_tpm_owner_password @@ -325,10 +332,12 @@ tpm2_counter_create() { while true; do case "$1" in -pwdc) + # shellcheck disable=SC2034 pwd="$2" shift 2 ;; -la) + # shellcheck disable=SC2034 label="$2" shift 2 ;; @@ -440,7 +449,7 @@ tpm2_seal() { # TPM Owner Password is always needed for TPM2. mkdir -p "$SECRET_DIR" - bname="$(basename $file)" + bname="$(basename "$file")" # Pad with up to 6 zeros, i.e. '0x81000001', '0x81001234', etc. handle="$(printf "0x81%6s" "$index" | tr ' ' 0)" @@ -528,12 +537,14 @@ tpm1_seal() { pcr_file_index=0 for pcr in "${PCR_LIST[@]}"; do # Read each PCR_SIZE block from the file and pass as hex + # shellcheck disable=SC2206,SC2207 POLICY_ARGS+=(-ix "$pcr" "$(dd if="$pcrf" skip="$pcr_file_index" bs="$PCR_SIZE" count=1 status=none | xxd -p | tr -d ' ')" ) pcr_file_index=$((pcr_file_index + 1)) done + DEBUG "Sealing file with TPM using PCR policy" tpm sealfile2 \ -if "$file" \ -of "$sealed_file" \ @@ -541,6 +552,7 @@ tpm1_seal() { "${POLICY_ARGS[@]}" # try it without the TPM Owner Password first + DEBUG "Attempting to write sealed data to TPM NVRAM index $index" if ! tpm nv_writevalue -in "$index" -if "$sealed_file"; then # to create an nvram space we need the TPM Owner Password # and the TPM physical presence must be asserted. 
@@ -552,10 +564,12 @@ tpm1_seal() { prompt_tpm_owner_password + DEBUG "Defining TPM NVRAM space for index $index" tpm nv_definespace -in "$index" -sz "$sealed_size" \ -pwdo "$tpm_owner_password" -per 0 || warn "Unable to define TPM NVRAM space; trying anyway" + DEBUG "Writing sealed data to TPM NVRAM after defining space" tpm nv_writevalue -in "$index" -if "$sealed_file" || { DEBUG "Failed to write sealed secret to NVRAM from tpm1_seal. Wiping /tmp/secret/tpm_owner_password" @@ -590,7 +604,8 @@ tpm2_unseal() { if [ ! -f "$PRIMARY_HANDLE_FILE" ]; then DEBUG "tpm2_unseal: No primary handle, cannot attempt to unseal" warn "No TPM primary handle. You must reset the TPM to seal secret to TPM NVRAM" - exit 1 + # return a distinct non-zero code so callers can present a recovery UI + return 2 fi POLICY_SESSION="$SECRET_DIR/unsealfile_policy.session" 
@@ -616,12 +631,57 @@ tpm2_unseal() { -S "$ENC_SESSION_FILE" >"$file" 2> >(SINK_LOG "tpm2 stderr"); then INFO "Unable to unseal secret from TPM NVRAM" - # should succeed, exit if it doesn't - exit 1 + # should succeed — return non-zero so caller can handle UI/diagnostics + return 1 fi rm -f "$TMP_ERR_FILE" } +# Verify the TPM2 primary handle and (optionally) compare against the saved +# primary-handle hash under /boot/kexec_primhdl_hash.txt. +# Return codes: +# 0 = OK (primary handle present; matches saved hash if present) +# 2 = primary handle missing +# 3 = primary handle hash mismatch +# 4 = other verification error +tpm2_verify_primary() { + TRACE_FUNC + PRIMHASH_FILE="${PRIMHASH_FILE:-/boot/kexec_primhdl_hash.txt}" + + # Try to ensure we have a primary.handle file available. If it doesn't + # exist, attempt to read it from the persistent primary handle. + if [ ! -f "$PRIMARY_HANDLE_FILE" ]; then + if ! tpm2 readpublic -Q -c "$PRIMARY_HANDLE" -t "$PRIMARY_HANDLE_FILE" >/dev/null 2>&1; then + DEBUG "tpm2_verify_primary: primary handle not present in TPM" + # Invalidate cached owner password when the primary handle is missing + if [ -s "$SECRET_DIR/tpm_owner_password" ]; then + DEBUG "tpm2_verify_primary: invalidating cached TPM Owner Password because primary handle is missing" + shred -n 3 -z -u "$SECRET_DIR/tpm_owner_password" 2>/dev/null || rm -f "$SECRET_DIR/tpm_owner_password" >/dev/null 2>&1 || true + fi + return 2 + fi + DEBUG "tpm2_verify_primary: recovered primary.handle from TPM" + fi + + # If a primhdl hash exists under /boot, compare it to the current primary + # handle so we can detect unexpected changes (possible tampering). 
+ if [ -s "$PRIMHASH_FILE" ]; then + expected_hash=$(cut -d' ' -f1 "$PRIMHASH_FILE" 2>/dev/null || true) + t_actual=$(sha256sum "$PRIMARY_HANDLE_FILE" 2>/dev/null | cut -d' ' -f1 || true) + if [ -n "$expected_hash" ] && [ "${t_actual:-}" != "$expected_hash" ]; then + DEBUG "tpm2_verify_primary: primary handle hash mismatch - expected $expected_hash actual ${t_actual:-}" + # Invalidate any cached TPM Owner Password so stale credentials aren't reused + if [ -s "$SECRET_DIR/tpm_owner_password" ]; then + DEBUG "tpm2_verify_primary: invalidating cached TPM Owner Password" + shred -n 3 -z -u "$SECRET_DIR/tpm_owner_password" 2>/dev/null || rm -f "$SECRET_DIR/tpm_owner_password" >/dev/null 2>&1 || true + fi + return 3 + fi + fi + + return 0 +} + tpm1_unseal() { TRACE_FUNC index="$1" @@ -639,6 +699,7 @@ tpm1_unseal() { rm -f "$sealed_file" + DEBUG "Reading sealed data from TPM NVRAM index $index" DO_WITH_DEBUG tpm nv_readvalue \ -in "$index" \ -sz "$sealed_size" \ @@ -650,11 +711,17 @@ tpm1_unseal() { PASS_ARGS=(-pwdd "$pass") fi + DEBUG "Unsealing data with TPM" tpm unsealfile \ -if "$sealed_file" \ -of "$file" \ "${PASS_ARGS[@]}" \ -hk 40000000 + + # shellcheck disable=SC2181 + if [ $? -eq 0 ]; then + DEBUG "Successfully unsealed data to $file" + fi } tpm2_reset() { @@ -822,7 +889,7 @@ if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then kexec_finalize) ;; # Nothing on TPM1. shutdown) ;; # Nothing on TPM1. *) - DEBUG "Direct translation from tpmr to tpm1 call" + DEBUG "Direct translation from tpmr.sh to tpm1 call" DO_WITH_DEBUG exec tpm "$@" ;; esac @@ -869,6 +936,9 @@ startsession) unseal) tpm2_unseal "$@" ;; +verify-primary) + tpm2_verify_primary "$@" + ;; reset) tpm2_reset "$@" ;; diff --git a/initrd/bin/uefi-init b/initrd/bin/uefi-init.sh similarity index 56% rename from initrd/bin/uefi-init rename to initrd/bin/uefi-init.sh index 8f9de1b34..d8b5ed6bd 100755 --- a/initrd/bin/uefi-init +++ b/initrd/bin/uefi-init.sh 
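Review bot: tpm2_verify_primary documents return code 4 for "other verification error", but no path in the added function returns it, and the one case that would deserve it falls through to `return 0`. When `$PRIMHASH_FILE` is non-empty but `cut` yields an empty `expected_hash` (an unreadable file, or a first line that starts with a space), the `[ -n "$expected_hash" ] && …` test skips the comparison and the handle is reported as verified. Fail closed there with `[ -n "$expected_hash" ] || return 4` right after the `cut`. `expected_hash` and `t_actual` are also assigned without `local`, so they leak into the rest of the script.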
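Review bot: In tpm1_unseal the added `if [ $? -eq 0 ]; then … fi` is now the last command of the function, and an `if` with a false condition and no `else` exits 0, so a failed `tpm unsealfile` is reported to the caller as success (unless the script runs under `set -e`, which this hunk does not show). Before the change the function returned the status of `tpm unsealfile` itself. Capture the status once with `rc=$?` directly after the call, log only when `[ "$rc" -eq 0 ]`, and end the function with `return "$rc"`; that also makes the SC2181 suppression unnecessary. The start of tpm1_unseal is outside this hunk.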
@@ -1,6 +1,7 @@ #!/bin/bash set -e -o pipefail -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh # Update initrd with CBFS files if [ -z "$CONFIG_PCR" ]; then @@ -10,19 +11,19 @@ fi CONFIG_GUID="74696e69-6472-632e-7069-6f2f75736572" # copy EFI file named $CONFIG_GUID to /tmp, measure and extract -GUID=`uefi -l | grep "^$CONFIG_GUID"` +GUID=$(uefi -l | grep "^$CONFIG_GUID") -if [ -n "GUID" ]; then +if [ -n "$GUID" ]; then echo "Loading $GUID from ROM" TMPFILE=/tmp/uefi.$$ - uefi -r $GUID | gunzip -c > $TMPFILE \ + uefi -r "$GUID" | gunzip -c > "$TMPFILE" \ || die "Failed to read config GUID from ROM" if [ "$CONFIG_TPM" = "y" ]; then - tpmr extend -ix "$CONFIG_PCR" -if $TMPFILE \ - || die "$filename: tpm extend failed" + tpmr.sh extend -ix "$CONFIG_PCR" -if "$TMPFILE" \ + || die "$TMPFILE: tpm extend failed" fi - ( cd / ; cpio -iud < $TMPFILE 2>/dev/null ) \ + ( cd / ; cpio -iud < "$TMPFILE" 2>/dev/null ) \ || die "Failed to extract config GUID" fi diff --git a/initrd/bin/unpack_initramfs.sh b/initrd/bin/unpack_initramfs.sh index 4fff52f60..0e0fbd706 100755 --- a/initrd/bin/unpack_initramfs.sh +++ b/initrd/bin/unpack_initramfs.sh @@ -1,7 +1,8 @@ #! /bin/bash set -e -o pipefail -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh TRACE_FUNC # Unpack a Linux initramfs archive. diff --git a/initrd/bin/unseal-hotp b/initrd/bin/unseal-hotp.sh similarity index 76% rename from initrd/bin/unseal-hotp rename to initrd/bin/unseal-hotp.sh index 5fae80da9..a0e10188f 100755 --- a/initrd/bin/unseal-hotp +++ b/initrd/bin/unseal-hotp.sh @@ -1,7 +1,8 @@ #!/bin/bash # Retrieve the sealed file and counter from the NVRAM, unseal it and compute the hotp -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh HOTP_SECRET="/tmp/secret/hotp.key" HOTP_COUNTER="/boot/kexec_hotp_counter" 
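Review bot: With `set -e -o pipefail` at the top of uefi-init.sh, `GUID=$(uefi -l | grep "^$CONFIG_GUID")` aborts the script as soon as grep finds no match, so the corrected `if [ -n "$GUID" ]` can never see an empty value and the script exits non-zero without a message instead of skipping the block. If a ROM without that GUID is meant to be tolerated, write `GUID=$(uefi -l | grep "^$CONFIG_GUID") || true`; if it is meant to be fatal, put an explicit `|| die "…"` on the assignment so the failure is logged before anything is measured or extracted. Quoting `"$GUID"` also changes what `uefi -r` receives when the matched line holds more than the GUID; the output format of `uefi -l` is not visible here, so that should be checked.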
@@ -44,7 +45,22 @@ fi #counter_value=$(printf "%d" 0x${counter_value}) if [ "$CONFIG_TPM" = "y" ]; then DEBUG "Unsealing HOTP secret reuses TOTP sealed secret..." - tpmr unseal 4d47 0,1,2,3,4,7 312 "$HOTP_SECRET" || die "Unable to unseal HOTP secret" + # Verify primary handle before attempting to unseal + if ! tpmr.sh verify-primary >/dev/null 2>&1; then + rc=$? + case "$rc" in + 2) + die "No TPM primary handle. You must reset the TPM to seal secret to TPM NVRAM" + ;; + 3) + die "TPM primary handle hash mismatch. Possible tampering; aborting unseal" + ;; + *) + die "TPM primary handle verification failed (code $rc)" + ;; + esac + fi + tpmr.sh unseal 4d47 0,1,2,3,4,7 312 "$HOTP_SECRET" || die "Unable to unseal HOTP secret" else # without a TPM, generate a secret based on the SHA-256 of the ROM secret_from_rom_hash >"$HOTP_SECRET" || die "Reading ROM failed" @@ -53,7 +69,7 @@ fi # Truncate the secret if it is longer than the maximum HOTP secret truncate_max_bytes 20 "$HOTP_SECRET" -if ! hotp $counter_value <"$HOTP_SECRET"; then +if ! hotp "$counter_value" <"$HOTP_SECRET"; then shred -n 10 -z -u "$HOTP_SECRET" 2>/dev/null die 'Unable to compute HOTP hash?' fi @@ -69,8 +85,8 @@ shred -n 10 -z -u "$HOTP_SECRET" 2>/dev/null # As of now, this counter isincreased only in the validated presence of the HOTP dongle being connected per callers mount -o remount,rw /boot DEBUG "Incrementing HOTP counter under $HOTP_COUNTER" -counter_value=$(expr $counter_value + 1) -echo $counter_value >$HOTP_COUNTER || +counter_value=$((counter_value + 1)) +echo "$counter_value" >"$HOTP_COUNTER" || die "Unable to create hotp counter file" mount -o remount,ro /boot diff --git a/initrd/bin/unseal-totp b/initrd/bin/unseal-totp deleted file mode 100755 index da61deeea..000000000 --- a/initrd/bin/unseal-totp +++ /dev/null 
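Review bot: `rc=$?` inside `if ! tpmr.sh verify-primary >/dev/null 2>&1; then` always reads 0, because `$?` at that point is the status of the negated pipeline, not of tpmr.sh. The `2)` and `3)` arms are therefore unreachable and the tamper message is never shown. In unseal-hotp.sh the `*)` arm still dies, but the identical block in the new unseal-totp.sh ends in `exit "$rc"`, i.e. exit 0 with empty output, which callers such as `TOTP=$(unseal-totp.sh) || recovery …` treat as success. Capture the status without negation in both files: `rc=0; tpmr.sh verify-primary >/dev/null 2>&1 || rc=$?` followed by `if [ "$rc" -ne 0 ]; then`.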
@@ -1,22 +0,0 @@ -#!/bin/bash -# Retrieve the sealed file from the NVRAM, unseal it and compute the totp - -. /etc/functions - -TOTP_SECRET="/tmp/secret/totp.key" - -TRACE_FUNC - -if [ "$CONFIG_TPM" = "y" ]; then - DO_WITH_DEBUG --mask-position 5 \ - tpmr unseal 4d47 0,1,2,3,4,7 312 "$TOTP_SECRET" || - die "Unable to unseal TOTP secret from TPM" -fi - -if ! DO_WITH_DEBUG totp -q <"$TOTP_SECRET"; then - shred -n 10 -z -u "$TOTP_SECRET" 2>/dev/null - die 'Unable to compute TOTP hash?' -fi - -shred -n 10 -z -u "$TOTP_SECRET" 2>/dev/null -exit 0 diff --git a/initrd/bin/unseal-totp.sh b/initrd/bin/unseal-totp.sh new file mode 100755 index 000000000..827fbde73 --- /dev/null +++ b/initrd/bin/unseal-totp.sh @@ -0,0 +1,44 @@ +#!/bin/bash +# Retrieve the sealed file from the NVRAM, unseal it and compute the totp + +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh + +TOTP_SECRET="/tmp/secret/totp.key" + +TRACE_FUNC + +if [ "$CONFIG_TPM" = "y" ]; then + # Verify primary handle first so callers can present a clear tamper UI + if ! tpmr.sh verify-primary >/dev/null 2>&1; then + rc=$? + case "$rc" in + 2) + echo "No TPM primary handle. You must reset the TPM to seal secret to TPM NVRAM" >&2 + exit 2 + ;; + 3) + echo "TPM primary handle hash mismatch. Possible tampering; aborting unseal" >&2 + exit 3 + ;; + *) + echo "TPM primary handle verification failed (code $rc)" >&2 + exit "$rc" + ;; + esac + fi + + if ! DO_WITH_DEBUG --mask-position 5 tpmr.sh unseal 4d47 0,1,2,3,4,7 312 "$TOTP_SECRET"; then + echo "Unable to unseal TOTP secret from TPM" >&2 + exit 1 + fi +fi + +if ! DO_WITH_DEBUG totp -q <"$TOTP_SECRET"; then + shred -n 10 -z -u "$TOTP_SECRET" 2>/dev/null + echo 'Unable to compute TOTP hash?' >&2 + exit 4 +fi + +shred -n 10 -z -u "$TOTP_SECRET" 2>/dev/null +exit 0 diff --git a/initrd/bin/usb-autoboot.sh b/initrd/bin/usb-autoboot.sh index af7a0ac06..540c6f710 100755 --- a/initrd/bin/usb-autoboot.sh +++ b/initrd/bin/usb-autoboot.sh 
@@ -1,8 +1,10 @@ #!/bin/bash set -o pipefail -. /etc/functions -. /etc/gui_functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh +# shellcheck source=initrd/etc/gui_functions.sh +. /etc/gui_functions.sh # Automatically boot to a bootable USB medium if present. This is for # unattended boot; there is no UI. @@ -22,9 +24,9 @@ mkdir -p /media parse_boot_options() { BOOTDIR="$1" - for i in $(find "$BOOTDIR" -name '*.cfg'); do - kexec-parse-boot "$BOOTDIR" "$i" - done + while IFS= read -r -d '' i; do + kexec-parse-boot.sh "$BOOTDIR" "$i" + done < <(find "$BOOTDIR" -name '*.cfg' -print0) } # Look for any bootable USB medium. @@ -42,7 +44,7 @@ while read -u 4 -r USB_BLOCK_DEVICE; do exit 0 fi echo -e "\n\nBooting from USB...\n\n" - kexec-boot -b /media -e "$USB_DEFAULT_BOOT" + kexec-boot.sh -b /media -e "$USB_DEFAULT_BOOT" # If kexec-boot returned, the boot obviously did not occur, # return nonzero below so the normal OS boot will continue. fi diff --git a/initrd/bin/usb-init b/initrd/bin/usb-init.sh similarity index 54% rename from initrd/bin/usb-init rename to initrd/bin/usb-init.sh index 06fbc1075..a33278d9b 100755 --- a/initrd/bin/usb-init +++ b/initrd/bin/usb-init.sh @@ -1,15 +1,17 @@ #!/bin/bash # Boot a USB installation -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh +# shellcheck disable=SC1091 . /tmp/config TRACE_FUNC if [ "$CONFIG_TPM" = "y" ]; then # Extend PCR4 as soon as possible - tpmr extend -ix 4 -ic usb + tpmr.sh extend -ix 4 -ic usb fi -DO_WITH_DEBUG media-scan usb +DO_WITH_DEBUG media-scan.sh usb recovery "Something failed during USB boot" diff --git a/initrd/bin/wget-measure.sh b/initrd/bin/wget-measure.sh index 8e7e9e7bd..7dff35e0b 100755 --- a/initrd/bin/wget-measure.sh +++ b/initrd/bin/wget-measure.sh @@ -1,6 +1,7 @@ #!/bin/bash # get a file and extend a TPM PCR -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh die() { TRACE_FUNC 
@@ -11,14 +12,12 @@ die() { INDEX="$1" URL="$2" -if [ -z "$INDEX" -o -z "$URL" ]; then +if [ -z "$INDEX" ] || [ -z "$URL" ]; then die "Usage: $0 pcr-index url" fi - wget "$URL" || die "$URL: failed" -FILE="`basename "$URL"`" -tpmr extend -ix "$INDEX" -if "$FILE" || die "$FILE: tpm extend failed" - +FILE="$(basename "$URL")" +tpmr.sh extend -ix "$INDEX" -if "$FILE" || die "$FILE: tpm extend failed" diff --git a/initrd/bin/wipe-totp b/initrd/bin/wipe-totp.sh similarity index 75% rename from initrd/bin/wipe-totp rename to initrd/bin/wipe-totp.sh index 1a70cefa0..17dc65d1c 100755 --- a/initrd/bin/wipe-totp +++ b/initrd/bin/wipe-totp.sh @@ -3,12 +3,13 @@ # rather than deleted, because deletion requires authorization. Wiping the # secret will cause the next boot to prompt to regenerate the secret. -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh TPM_NVRAM_SPACE=4d47 TPM_SIZE=312 if [ "$CONFIG_TPM" = "y" ]; then - tpmr destroy "$TPM_NVRAM_SPACE" "$TPM_SIZE" \ + tpmr.sh destroy "$TPM_NVRAM_SPACE" "$TPM_SIZE" \ || die "Unable to wipe sealed secret" fi diff --git a/initrd/etc/DEBUG_LOG_COPY_INSTRUCTIONS b/initrd/etc/DEBUG_LOG_COPY_INSTRUCTIONS index cd523f64d..346ccb74d 100644 --- a/initrd/etc/DEBUG_LOG_COPY_INSTRUCTIONS +++ b/initrd/etc/DEBUG_LOG_COPY_INSTRUCTIONS @@ -4,7 +4,7 @@ Welcome to the Recovery Shell! - Read them locally through: 'less /tmp/debug/log' - If you faced a bug: - Preformat/connect a ext3/ext4/fat32/exfat USB thumb drive, and then: - - 'mount-usb --mode rw' # Mounts a connected USB drive in Read+Write mode + - 'mount-usb.sh --mode rw' # Mounts a connected USB drive in Read+Write mode - 'cp /tmp/debug.log /media' # copy the log to mounted Read+Write partition under /media - 'umount /media' # Makes sure buffered write operations are done and "ejects" the USB drive - Share the debug.log with the developers. 
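Review bot: The file handed to `tpmr.sh extend` is named by `basename "$URL"`, while the file wget actually writes is chosen by wget, so the two can differ (for example when a file of that name already exists in the working directory and the wget build saves under a new name), and the PCR is then extended with data that was not just downloaded. Tie them together by computing the name first and telling wget where to write: `FILE="$(basename "$URL")"` then `wget -O "$FILE" "$URL" || die "$URL: failed"`. Which behaviour applies today depends on the wget implementation in the initrd, which is not visible here.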
diff --git a/initrd/etc/functions b/initrd/etc/functions.sh similarity index 89% rename from initrd/etc/functions rename to initrd/etc/functions.sh index e1b5acfdf..0c07d842c 100644 --- a/initrd/etc/functions +++ b/initrd/etc/functions.sh @@ -38,7 +38,7 @@ warn() { DEBUG() { if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then # fold -s -w 960 will wrap lines at 960 characters on the last space before the limit - echo "DEBUG: $*" | fold -s -w 960 | while read line; do + echo "DEBUG: $*" | fold -s -w 960 | while read -r line; do echo "$line" | tee -a /tmp/debug.log /dev/kmsg >/dev/null done fi @@ -97,24 +97,22 @@ LOG() { } fw_version() { - local FW_VER=$(dmesg | grep 'DMI' | grep -o 'BIOS.*' | cut -f2- -d ' ') + local FW_VER + FW_VER="$(dmesg | grep 'DMI' | grep -o 'BIOS.*' | cut -f2- -d ' ')" # chop off date, since will always be epoch w/timeless builds echo "${FW_VER::-10}" } preserve_rom() { TRACE_FUNC - new_rom="$1" old_files=$(cbfs -t 50 -l 2>/dev/null | grep "^heads/") - for old_file in $(echo $old_files); do - new_file=$(cbfs.sh -o $1 -l | grep -x $old_file) + for old_file in $old_files; do + new_file=$(cbfs.sh -o "$1" -l | grep -x "$old_file") if [ -z "$new_file" ]; then echo "+++ Adding $old_file to $1" - cbfs -t 50 -r $old_file >/tmp/rom.$$ || - die "Failed to read cbfs file from ROM" - cbfs.sh -o $1 -a $old_file -f /tmp/rom.$$ || - die "Failed to write cbfs file to new ROM file" + cbfs -t 50 -r "$old_file" >/tmp/rom.$$ || die "Failed to read cbfs file from ROM" + cbfs.sh -o "$1" -a "$old_file" -f /tmp/rom.$$ || die "Failed to write cbfs file to new ROM file" fi done } 
@@ -145,13 +143,11 @@ confirm_gpg_card() { read -r -n 1 -p $'\n'"$message" card_confirm echo - if [ "$card_confirm" != "y" \ - -a "$card_confirm" != "Y" \ - -a "$card_confirm" != "b" \ - -a -n "$card_confirm" ] \ - ; then - die "gpg card not confirmed" - fi + # shellcheck disable=SC2166 + # SC2166: -a is intentionally used for legacy compatibility; fixing would break input parsing. + if [ "$card_confirm" != "y" -a "$card_confirm" != "Y" -a "$card_confirm" != "b" -a -n "$card_confirm" ]; then + die "gpg card not confirmed" + fi # If user has known GPG key material Thumb drive backup and asked to use it if [[ "$CONFIG_HAVE_GPG_KEY_BACKUP" == "y" && "$card_confirm" == "b" ]]; then @@ -171,7 +167,7 @@ confirm_gpg_card() { done #prompt user to select the proper encrypted partition, which should the first one on next prompt warn "Please select encrypted LUKS on GPG key material backup thumb drive (not public labeled one)" - mount-usb --pass "$gpg_admin_pin" || die "Unable to mount USB with provided GPG Admin PIN" + mount-usb.sh --pass "$gpg_admin_pin" || die "Unable to mount USB with provided GPG Admin PIN" echo "++++ Testing detach-sign operation and verifiying against fused public key in ROM" gpg --pinentry-mode=loopback --passphrase-file <(echo -n "${gpg_admin_pin}") --import /media/subkeys.sec >/dev/null 2>&1 || die "Unable to import GPG private subkeys" 
@@ -181,9 +177,11 @@ confirm_gpg_card() { gpg --pinentry-mode=loopback --passphrase-file <(echo -n "${gpg_admin_pin}") --detach-sign "$CR_NONCE" >/dev/null 2>&1 || die "Unable to detach-sign $CR_NONCE with GPG private signing subkey using GPG Admin PIN" #verify detached signature against public key in rom - gpg --verify "$CR_SIG" "$CR_NONCE" >/dev/null 2>&1 && - echo "++++ Local GPG keyring can be used to sign/encrypt/authenticate in this boot session ++++" || + if gpg --verify "$CR_SIG" "$CR_NONCE" >/dev/null 2>&1; then + echo "++++ Local GPG keyring can be used to sign/encrypt/authenticate in this boot session ++++" + else die "Unable to verify $CR_SIG detached signature against public key in ROM" + fi #Wipe any previous CR_NONCE and CR_SIG shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" >/dev/null 2>&1 || true #TODO: maybe just an export instead of setting /etc/user.config otherwise could be flashed in weird corner case situation @@ -206,9 +204,8 @@ confirm_gpg_card() { if ! wait_for_gpg_card; then DEBUG "GPG card access failed with output: $gpg_output" # prompt for reinsertion and try a second time - read -n1 -r -p \ - "Can't access GPG key; remove and reinsert, then press Enter to retry. " \ - ignored + # shellcheck disable=SC2034 + read -n1 -r -p "Can't access GPG key; remove and reinsert, then press Enter to retry. " ignored # restore prev errexit state if [ "$errexit" = "on" ]; then set -e @@ -250,10 +247,9 @@ gpg_auth() { shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" 2>/dev/null || true # In case of gpg_auth, we require confirmation of the card, so loop with confirm_gpg_card until we get it - false - while [ $? -ne 0 ]; do + while ! (confirm_gpg_card); do # Call confirm_gpg_card in subshell to ensure GPG key material presence - (confirm_gpg_card) + : done # Perform a signing-based challenge-response, 
@@ -281,7 +277,7 @@ gpg_auth() { gpg --verify "$CR_SIG" "$CR_NONCE" >/dev/null 2>&1 \ ; then shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" 2>/dev/null || true - DEBUG "Under /etc/ash_functions:gpg_auth: success" + TRACE_FUNC return 0 else shred -n 10 -z -u "$CR_SIG" 2>/dev/null || true @@ -311,21 +307,22 @@ recovery() { # ensure /tmp/config exists for recovery scripts that depend on it touch /tmp/config + # shellcheck disable=SC1091 + # /tmp/config is generated at runtime and cannot be followed by shellcheck . /tmp/config - DEBUG "Board $CONFIG_BOARD - version $(fw_version)" if [ "$CONFIG_TPM" = "y" ]; then INFO "TPM: Extending PCR[4] to prevent any further secret unsealing" - tpmr extend -ix 4 -ic recovery + tpmr.sh extend -ix 4 -ic recovery fi if [ "$CONFIG_RESTRICTED_BOOT" = y ]; then echo >&2 "Restricted Boot enabled, recovery console disabled, rebooting in 5 seconds" sleep 5 - /bin/reboot + reboot.sh fi - while [ true ]; do + while true; do #Going to recovery shell should be authenticated if supported gpg_auth @@ -351,7 +348,8 @@ recovery() { pause_recovery() { TRACE_FUNC - read -p $'!!! Hit enter to proceed to recovery shell !!!\n' + read -r -p $'!!! Hit enter to proceed to recovery shell !!!\n' + # shellcheck disable=SC2048,SC2086 recovery $* } 
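Review bot: In the Restricted Boot branch of recovery(), nothing stops execution if `reboot.sh` returns or cannot be found: control leaves the `if` and enters the `while true` loop that runs `gpg_auth` and goes on towards the recovery shell, which the message printed just above says is disabled. The old line used the absolute `/bin/reboot`; the new one depends on a PATH lookup, so a missing or failing script matters more than before. Make the branch fail closed by following the call with a line that never returns, e.g. `while :; do sleep 1; done`. Whether reboot.sh can return is not visible in this hunk, and recovery() continues past the hunk's end.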
@@ -360,21 +358,33 @@ combine_configs() { cat /etc/config* >/tmp/config } +# shellcheck disable=SC2317 replace_config() { + # shellcheck disable=SC2317 TRACE_FUNC + # shellcheck disable=SC2317 CONFIG_FILE=$1 CONFIG_OPTION=$2 NEW_SETTING=$3 - touch $CONFIG_FILE + # shellcheck disable=SC2317 + DEBUG "replace_config: CONFIG_FILE=$CONFIG_FILE CONFIG_OPTION=$CONFIG_OPTION NEW_SETTING=$NEW_SETTING" + + # shellcheck disable=SC2317 + touch "$CONFIG_FILE" # first pull out the existing option from the global config and place in a tmp file - awk "gsub(\"^export ${CONFIG_OPTION}=.*\",\"export ${CONFIG_OPTION}=\\\"${NEW_SETTING}\\\"\")" /tmp/config >${CONFIG_FILE}.tmp - awk "gsub(\"^${CONFIG_OPTION}=.*\",\"${CONFIG_OPTION}=\\\"${NEW_SETTING}\\\"\")" /tmp/config >>${CONFIG_FILE}.tmp + # shellcheck disable=SC2317 + awk "gsub(\"^export ${CONFIG_OPTION}=.*\",\"export ${CONFIG_OPTION}=\\\"${NEW_SETTING}\\\"\")" /tmp/config >"${CONFIG_FILE}".tmp + # shellcheck disable=SC2317 + awk "gsub(\"^${CONFIG_OPTION}=.*\",\"${CONFIG_OPTION}=\\\"${NEW_SETTING}\\\"\")" /tmp/config >>"${CONFIG_FILE}".tmp # then copy any remaining settings from the existing config file, minus the option you changed - grep -v "^export ${CONFIG_OPTION}=" ${CONFIG_FILE} | grep -v "^${CONFIG_OPTION}=" >>${CONFIG_FILE}.tmp || true - sort ${CONFIG_FILE}.tmp | uniq >${CONFIG_FILE} - rm -f ${CONFIG_FILE}.tmp + # shellcheck disable=SC2317 + grep -v "^export ${CONFIG_OPTION}=" "${CONFIG_FILE}" | grep -v "^${CONFIG_OPTION}=" >>"${CONFIG_FILE}".tmp || true + # shellcheck disable=SC2317 + sort "${CONFIG_FILE}".tmp | uniq >"${CONFIG_FILE}" + # shellcheck disable=SC2317 + rm -f "${CONFIG_FILE}".tmp } # Set a config variable in a specific file to a given value - replace it if it @@ -399,6 +409,8 @@ set_user_config() { set_config /etc/config.user "$CONFIG_OPTION" "$NEW_SETTING" combine_configs + # shellcheck disable=SC1091 + # /tmp/config is generated at runtime and cannot be followed by shellcheck . /tmp/config } 
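Review bot: replace_config builds both awk programs by pasting `${CONFIG_OPTION}` and `${NEW_SETTING}` into the program text, so a value containing `"`, `\` or `&` changes the awk code or the gsub replacement instead of being written literally; the commit quotes the redirect targets but leaves this as it was. If any caller can pass a value that is not a fixed literal, reject those characters (and newlines) at the top of the function before the awk calls, or hand the values over through the environment and read them with `ENVIRON[...]`. On style, the `# shellcheck disable=SC2317` placed directly before `replace_config() {` already covers the whole function, so the per-line copies inside the body can go.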
@@ -413,17 +425,17 @@ load_config_value() { enable_usb() { TRACE_FUNC - #insmod ehci_hcd prior of uhdc_hcd and ohci_hcd to suppress dmesg warning - insmod /lib/modules/ehci-hcd.ko || die "ehci_hcd: module load failed" + #insmod.sh ehci_hcd prior of uhdc_hcd and ohci_hcd to suppress dmesg warning + insmod.sh /lib/modules/ehci-hcd.ko || die "ehci_hcd: module load failed" if [ "$CONFIG_LINUX_USB_COMPANION_CONTROLLER" = y ]; then - insmod /lib/modules/uhci-hcd.ko || die "uhci_hcd: module load failed" - insmod /lib/modules/ohci-hcd.ko || die "ohci_hcd: module load failed" - insmod /lib/modules/ohci-pci.ko || die "ohci_pci: module load failed" + insmod.sh /lib/modules/uhci-hcd.ko || die "uhci_hcd: module load failed" + insmod.sh /lib/modules/ohci-hcd.ko || die "ohci_hcd: module load failed" + insmod.sh /lib/modules/ohci-pci.ko || die "ohci_pci: module load failed" fi - insmod /lib/modules/ehci-pci.ko || die "ehci_pci: module load failed" - insmod /lib/modules/xhci-hcd.ko || die "xhci_hcd: module load failed" - insmod /lib/modules/xhci-pci.ko || die "xhci_pci: module load failed" + insmod.sh /lib/modules/ehci-pci.ko || die "ehci_pci: module load failed" + insmod.sh /lib/modules/xhci-hcd.ko || die "xhci_hcd: module load failed" + insmod.sh /lib/modules/xhci-pci.ko || die "xhci_pci: module load failed" } # Wait for USB bus enumeration to complete after enable_usb() loads modules. @@ -444,7 +456,7 @@ wait_for_usb_devices() { local iteration=0 while :; do iteration=$((iteration + 1)) - + # Check for actual USB peripheral devices (format: bus-port like 1-1, 5-3) # Root hubs are named usb1, usb2, etc. - we want devices downstream from them # Pattern: /sys/bus/usb/devices/[0-9]*-[0-9]*/idVendor (e.g., 1-1, 5-3.2) 
@@ -457,15 +469,15 @@ wait_for_usb_devices() { fi done fi - + now=$(awk '{print $1}' /proc/uptime) elapsed=$(awk -v s="$start" -v n="$now" 'BEGIN{printf "%.3f", n - s}') - - if [ $peripheral_count -gt 0 ]; then + + if [ "$peripheral_count" -gt 0 ]; then DEBUG "USB peripheral devices ready after ${elapsed}s (iteration $iteration): found $peripheral_count device(s)" return fi - + # Timeout after 2 seconds if awk -v s="$start" -v n="$now" 'BEGIN{exit (n - s > 2.0) ? 0 : 1}'; then DEBUG "USB wait timeout at ${elapsed}s (iter $iteration): only found $peripheral_count peripheral device(s)" @@ -488,8 +500,7 @@ wait_for_gpg_card() { local attempt=0 while :; do attempt=$((attempt + 1)) - gpg_output=$(gpg --card-status 2>&1) - if [ $? -eq 0 ]; then + if gpg_output=$(gpg --card-status 2>&1); then now=$(awk '{print $1}' /proc/uptime) elapsed=$(awk -v s="$start" -v n="$now" 'BEGIN{printf "%.3f", n - s}') DEBUG "gpg --card-status succeeded after ${elapsed}s (attempt $attempt)" @@ -514,7 +525,7 @@ enable_usb_keyboard() { # desktop/server), they could lock themselves out, only recoverable by # hardware flash. if [ "$CONFIG_USB_KEYBOARD_REQUIRED" = y ] || [ "$CONFIG_USER_USB_KEYBOARD" = y ]; then - insmod /lib/modules/usbhid.ko || die "usbhid: module load failed" + insmod.sh /lib/modules/usbhid.ko || die "usbhid: module load failed" fi } @@ -587,7 +598,7 @@ SINK_LOG() { # ^-- adding DO_WITH_DEBUG will show the block device, mountpoint, and whether # the mount fails # -# [DO_WITH_DEBUG --mask-position 7] tpmr seal "$KEY" "$IDX" "$pcrs" "$pcrf" "$size" "$PASSWORD" +# [DO_WITH_DEBUG --mask-position 7] tpmr.sh seal "$KEY" "$IDX" "$pcrs" "$pcrf" "$size" "$PASSWORD" # ^-- trace the resulting invocation, but mask the password in the log # # if ! [DO_WITH_DEBUG] umount "$MOUNTPOINT"; then [...] 
@@ -602,12 +613,13 @@ SINK_LOG() { # same way with DO_WITH_DEBUG DO_WITH_DEBUG() { local exit_status=0 + # shellcheck disable=SC2034 local cmd_output if [[ "$1" == "--mask-position" ]]; then local mask_position="$2" - shift - shift + shift 2 local show_args=("$@") + # shellcheck disable=SC2004 show_args[$mask_position]="$(mask_param "${show_args[$mask_position]}")" DEBUG "${show_args[@]}" else @@ -704,25 +716,20 @@ confirm_totp() { # update the TOTP code every thirty seconds date=$(date "+%Y-%m-%d %H:%M:%S") seconds=$(date "+%s") - half=$(expr \( $seconds % 60 \) / 30) + half=$(( (seconds % 60) / 30 )) if [ "$CONFIG_TPM" != "y" ]; then TOTP="NO TPM" elif [ "$half" != "$last_half" ]; then last_half=$half - TOTP=$(unseal-totp) || + TOTP=$(unseal-totp.sh) || recovery "TOTP code generation failed" fi echo -n "$date $TOTP: " # read the first character, non-blocking - read \ - -t 1 \ - -n 1 \ - -s \ - -p "$prompt" \ - totp_confirm && - break + # shellcheck disable=SC2034 + read -r -t 1 -n 1 -s -p "$prompt" totp_confirm && break # nothing typed, redraw the line echo -ne '\r' @@ -750,7 +757,7 @@ reseal_tpm_disk_decryption_key() { if [ -s /boot/kexec_key_devices.txt ] || [ -s /boot/kexec_key_lvm.txt ]; then NOTE "LUKS TPM sealed Disk Unlock Key secret needs to be resealed alongside TOTP/HOTP secret" echo "Resealing LUKS TPM Disk Unlock Key to be unsealed by LUKS TPM Disk Unlock Key passphrase" - while ! kexec-seal-key /boot; do + while ! kexec-seal-key.sh /boot; do warn "Recovery Disk Encryption key passphrase/TPM Owner Password may be invalid. Please try again" done NOTE "LUKS header hash changed under /boot/kexec_luks_hdr_hash.txt" @@ -765,7 +772,7 @@ reseal_tpm_disk_decryption_key() { done NOTE "Rebooting in 3 seconds to enable booting default boot option" sleep 3 - reboot + reboot.sh else DEBUG "No TPM disk decryption key to reseal" fi 
@@ -779,12 +786,12 @@ enable_usb_storage() { if ! lsmod | grep -q usb_storage; then timeout=0 echo "Scanning for USB storage devices..." - insmod /lib/modules/usb-storage.ko >/dev/null 2>&1 || + insmod.sh /lib/modules/usb-storage.ko >/dev/null 2>&1 || die "usb_storage: module load failed" while [[ $(list_usb_storage | wc -l) -eq 0 ]]; do - [[ $timeout -ge 8 ]] && break + [[ "$timeout" -ge 8 ]] && break sleep 1 - timeout=$(($timeout + 1)) + timeout=$((timeout + 1)) done fi } @@ -801,7 +808,8 @@ device_has_partitions() { # This check covers that: [ $(fdisk -l "$b" | wc -l) -eq 5 ] # In both cases the output is 5 lines: 3 about device info, 1 empty line # and the 5th will be the table header or the invalid message. - local DISK_DATA=$(fdisk -l "$DEVICE" 2>/dev/null) + local DISK_DATA + DISK_DATA=$(fdisk -l "$DEVICE" 2>/dev/null) if echo "$DISK_DATA" | grep -q "doesn't contain a valid partition table" || [ "$(echo "$DISK_DATA" | wc -l)" -eq 5 ]; then # No partition table @@ -811,6 +819,7 @@ device_has_partitions() { return 0 } +# shellcheck disable=SC2120 list_usb_storage() { TRACE_FUNC # List all USB storage devices, including partitions unless we received argument stating we want drives only @@ -825,7 +834,7 @@ list_usb_storage() { stat -c %N /sys/block/sd* 2>/dev/null | grep usb | cut -f1 -d ' ' | sed "s/[']//g" | - while read b; do + while read -r b; do # Ignore devices of size 0, such as empty SD card # readers on laptops attached via USB. if [ "$(cat "$b/size")" -gt 0 ]; then @@ -834,7 +843,7 @@ list_usb_storage() { fi done | sed "s|/sys/block|/dev|" | - while read b; do + while read -r b; do # If the device has a partition table, ignore it and # include the partitions instead - even if the kernel # hasn't detected the partitions yet. Such a device is 
@@ -854,7 +863,8 @@ list_usb_storage() { else # Has a partition table, include partitions DEBUG "USB storage device with partition table: $b" - ls -1 "$b"* | awk 'NR!=1 {print $0}' + # shellcheck disable=SC2012 + ls -1 "$b"* | tail -n +2 fi done } @@ -912,6 +922,7 @@ check_tpm_counter() { TRACE_FUNC LABEL=${2:-3135106223} + # shellcheck disable=SC2034 tpm_password="$3" # if the /boot.hashes file already exists, read the TPM counter ID # from it. @@ -926,9 +937,9 @@ check_tpm_counter() { warn "TPM Owner Password is required to create a new TPM counter for /boot content rollback prevention" fi - tpmr counter_create \ + tpmr.sh counter_create \ -pwdc '' \ - -la $LABEL | + -la "$LABEL" | tee /tmp/counter >/dev/null 2>&1 || die "Unable to create TPM counter" TPM_COUNTER=$(cut -d: -f1 /dev/null 2>&1 || + tpmr.sh counter_read -ix "$counter_id" | tee /tmp/counter-"$counter_id" >/dev/null 2>&1 || die "Counter read failed for index $counter_id" fi DEBUG "Counter file /tmp/counter-$counter_id read successfully." @@ -957,9 +968,9 @@ increment_tpm_counter() { TRACE_FUNC local counter_id counter_id="$(echo "$1" | tr -d '\n')" - + # Check if counter exists by reading it first - if ! DO_WITH_DEBUG tpmr counter_read -ix "$counter_id" >/tmp/counter-check 2>/dev/null; then + if ! DO_WITH_DEBUG tpmr.sh counter_read -ix "$counter_id" >/tmp/counter-check 2>/dev/null; then DEBUG "TPM counter $counter_id could not be read before incrementing" # Continue with increment attempt anyway to get detailed error messages else 
@@ -967,20 +978,25 @@ increment_tpm_counter() { fi # Try to increment the counter - if ! DO_WITH_DEBUG tpmr counter_increment -ix "$counter_id" -pwdc '' | + if ! tpmr.sh counter_increment -ix "$counter_id" -pwdc '' | tee /tmp/counter-"$counter_id" >/dev/null 2>&1; then - + # Check if we need to create a new counter DEBUG "TPM counter increment failed. Attempting to create a new counter..." - - if DO_WITH_DEBUG tpmr counter_create -pwdc '' -la 3135106223 >/tmp/new-counter 2>/dev/null; then + + # Before the tpmr.sh call, check if password is needed and prompt + if [ "$CONFIG_TPM" = "y" ] && ! [ -s /tmp/secret/tpm_owner_password ]; then + prompt_tpm_owner_password + fi + + if tpmr.sh counter_create -pwdc "$(cat /tmp/secret/tpm_owner_password 2>/dev/null || echo '')" -la 3135106223 >/tmp/new-counter 2>/dev/null; then NEW_COUNTER=$(cut -d: -f1 ${CONFIG_FILE}.tmp - awk "gsub(\"^${CONFIG_OPTION}=.*\",\"${CONFIG_OPTION}=\\\"${NEW_SETTING}\\\"\")" /tmp/config >>${CONFIG_FILE}.tmp + awk "gsub(\"^export ${CONFIG_OPTION}=.*\",\"export ${CONFIG_OPTION}=\\\"${NEW_SETTING}\\\"\")" /tmp/config >"${CONFIG_FILE}.tmp" + awk "gsub(\"^${CONFIG_OPTION}=.*\",\"${CONFIG_OPTION}=\\\"${NEW_SETTING}\\\"\")" /tmp/config >>"${CONFIG_FILE}.tmp" # then copy any remaining settings from the existing config file, minus the option you changed - grep -v "^export ${CONFIG_OPTION}=" ${CONFIG_FILE} | grep -v "^${CONFIG_OPTION}=" >>${CONFIG_FILE}.tmp || true - sort ${CONFIG_FILE}.tmp | uniq >${CONFIG_FILE} - rm -f ${CONFIG_FILE}.tmp + grep -v "^export ${CONFIG_OPTION}=" "$CONFIG_FILE" | grep -v "^${CONFIG_OPTION}=" >>"${CONFIG_FILE}.tmp" || true + sort "${CONFIG_FILE}.tmp" | uniq >"${CONFIG_FILE}" + rm -f "${CONFIG_FILE}.tmp" } # Generate a secret for TPM-less HOTP by reading the ROM. Output is the @@ -1084,7 +1109,7 @@ update_checksums() { extparam=-r fi fi - if ! DO_WITH_DEBUG kexec-sign-config -p /boot -u $extparam; then + if ! kexec-sign-config.sh -p /boot -u $extparam; then rv=1 else rv=0 
@@ -1114,7 +1139,8 @@ escape_zero() { local prefix="$1" local echar="${2:-#}" local todo="" - local echar_hex="$(echo -n "$echar" | xxd -p -c1)" + local echar_hex + echar_hex="$(echo -n "$echar" | xxd -p -c1)" [ ${#echar_hex} -eq 2 ] || die "Invalid escape character $echar passed to escape_zero(). Programming error?!" echo -e -n "$prefix" @@ -1172,7 +1198,7 @@ assert_signable() { find /boot -print0 >/tmp/signable.ref local del='\001-\037\134\177-\377' - LC_ALL=C tr -d "$del" /tmp/signable.del || die "Failed to execute tr." + LC_ALL=C tr -d "$del" /tmp/signable.del || die "Failed to execute tr." if ! cmp -s "/tmp/signable.ref" "/tmp/signable.del" &>/dev/null; then local user_out="/tmp/hash_output_mismatches" local add="Please investigate!" @@ -1269,7 +1295,7 @@ is_gpt_bios_grub() { # Now we know the device and partition number, get the type. This is # specific to GPT disks, MBR disks are shown differently by fdisk. - TRACE "$PART_DEV is partition $NUMBER of $DEVICE" + DEBUG "$PART_DEV is partition $NUMBER of $DEVICE" if [ "$(fdisk -l "/dev/$DEVICE" 2>/dev/null | awk '$1 == '"$NUMBER"' {print $5}')" == grub ]; then return 0 fi @@ -1290,6 +1316,7 @@ mount_possible_boot_device() { TRACE_FUNC local BOOT_DEV="$1" + # shellcheck disable=SC2034 local PARTITION_TYPE # Unmount anything on /boot. Ignore failure since there might not be @@ -1301,12 +1328,12 @@ mount_possible_boot_device() { # we can't mount these as /boot. if is_gpt_bios_grub "$BOOT_DEV" || cryptsetup isLuks "$BOOT_DEV" || find_lvm_vg_name "$BOOT_DEV" >/dev/null; then - TRACE "$BOOT_DEV is not a mountable partition for /boot" + DEBUG "$BOOT_DEV is not a mountable partition for /boot" return 1 fi # Get the size of BOOT_DEV in 512-byte sectors - sectors=$(blockdev --getsz "$BOOT_DEV") + sectors="$(blockdev --getsz "$BOOT_DEV")" # Check if the partition is small (less than 2MB, which is 4096 sectors) if [ "$sectors" -lt 4096 ]; then 
@@ -1346,7 +1373,7 @@ detect_boot_device() { fdisk -l 2>/dev/null | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" >/tmp/disklist # Check each possible boot device - for i in $(cat /tmp/disklist); do + while IFS= read -r i; do # If the device has partitions, check the partitions instead if device_has_partitions "$i"; then devname="$(basename "$i")" @@ -1366,7 +1393,7 @@ detect_boot_device() { return 0 fi done - done + done < /tmp/disklist # no valid boot device found echo "Unable to locate /boot files on any mounted disk" @@ -1380,17 +1407,23 @@ scan_boot_options() { config="$2" option_file="$3" - if [ -r $option_file ]; then rm $option_file; fi - for i in $(find $bootdir -name "$config"); do - DO_WITH_DEBUG kexec-parse-boot "$bootdir" "$i" >>$option_file + DEBUG "scan_boot_options: bootdir='$bootdir' config='$config' option_file='$option_file'" + + if [ -r "$option_file" ]; then rm "$option_file"; fi + find "$bootdir" -name "$config" | while read -r i; do + DEBUG "scan_boot_options: parsing grub config '$i'" + DO_WITH_DEBUG kexec-parse-boot.sh "$bootdir" "$i" >>"$option_file" done # FC29/30+ may use BLS format grub config files # https://fedoraproject.org/wiki/Changes/BootLoaderSpecByDefault # only parse these if $option_file is still empty - if [ ! -s $option_file ] && [ -d "$bootdir/loader/entries" ]; then - for i in $(find $bootdir -name "$config"); do - kexec-parse-bls "$bootdir" "$i" "$bootdir/loader/entries" >>$option_file + if [ ! -s "$option_file" ] && [ -d "$bootdir/loader/entries" ]; then + find "$bootdir" -name "$config" | while read -r i; do + DEBUG "scan_boot_options: parsing BLS entries from '$bootdir/loader/entries' with config '$i'" + kexec-parse-bls.sh "$bootdir" "$i" "$bootdir/loader/entries" >>"$option_file" done + else + DEBUG "scan_boot_options: using grub parser output (BLS not needed or entries missing)" fi } 
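Review bot: The two new `find "$bootdir" -name "$config" | while read -r i` loops in scan_boot_options read without `IFS=`, so leading or trailing whitespace in a path under /boot is trimmed, whereas the detect_boot_device hunk on the same line uses `while IFS= read -r i`. The loop body also inherits the pipe as stdin, so if kexec-parse-boot.sh or kexec-parse-bls.sh ever reads stdin it will consume the remaining paths. I would write `while IFS= read -r i; do … done < <(find "$bootdir" -name "$config")` and run the parsers with `</dev/null`. The BLS branch also calls kexec-parse-bls.sh without DO_WITH_DEBUG, unlike the grub branch.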
@@ -1660,7 +1693,7 @@ show_totp_until_esc() { # Refresh TOTP at most once every 1 second if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TOTP_SKIP_QRCODE" != "y" ]; then if [ $((now_epoch - last_totp_time)) -ge 1 ] || [ -z "$last_totp" ]; then - if current_totp=$(unseal-totp 2>/dev/null); then + if current_totp=$(unseal-totp.sh 2>/dev/null); then last_totp="$current_totp" last_totp_time=$now_epoch else diff --git a/initrd/etc/gui_functions b/initrd/etc/gui_functions.sh old mode 100755 new mode 100644 similarity index 57% rename from initrd/etc/gui_functions rename to initrd/etc/gui_functions.sh index b321352fe..36b44145a --- a/initrd/etc/gui_functions +++ b/initrd/etc/gui_functions.sh @@ -1,6 +1,7 @@ #!/bin/bash # Shell functions for common operations using fbwhiptail -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh # Pause for the configured timeout before booting automatically. Returns 0 to # continue with automatic boot, nonzero if user interrupted. @@ -19,15 +20,26 @@ mount_usb() { umount /media || die "Unable to unmount /media" fi # Mount the USB boot device - mount-usb && USB_FAILED=0 || ([ $? -eq 5 ] && exit 1 || USB_FAILED=1) - if [ $USB_FAILED -ne 0 ]; then + if mount-usb.sh; then + USB_FAILED=0 + elif [ $? -eq 5 ]; then + exit 1 + else + USB_FAILED=1 + fi + if [ "$USB_FAILED" -ne 0 ]; then whiptail_error --title 'USB Drive Missing' \ --msgbox "Insert your USB drive and press Enter to continue." 0 80 - mount-usb && USB_FAILED=0 || ([ $? -eq 5 ] && exit 1 || USB_FAILED=1) - if [ $USB_FAILED -ne 0 ]; then + if mount-usb.sh; then + USB_FAILED=0 + elif [ $? -eq 5 ]; then + exit 1 + else + USB_FAILED=1 + fi + if [ "$USB_FAILED" -ne 0 ]; then whiptail_error --title 'ERROR: Mounting /media Failed' \ --msgbox "Unable to mount USB device" 0 80 - exit 1 fi fi } 
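Review bot: mount_usb no longer stops when the second `mount-usb.sh` attempt fails: the `exit 1` after the 'Unable to mount USB device' message box was removed and nothing replaces it, so the function returns whatever whiptail_error returned and callers continue with /media unmounted. If exiting is no longer wanted, `return 1` after the msgbox keeps the failure visible to callers. The `exit 1` on status 5 now runs in the calling shell instead of the old `( … )` subshell, so it really terminates the script; a comment saying what status 5 means would help. The two identical if/elif/else blocks could be one small helper.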
@@ -35,42 +47,110 @@ mount_usb() { # -- Display related functions -- # Produce a whiptail prompt with 'warning' background, works for fbwhiptail and newt whiptail_warning() { + # shellcheck disable=SC2086,SC2145 + # SC2086: BG_COLOR_WARNING is intentionally unquoted to allow for option expansion. + # SC2145: "$@" is used to pass all arguments as intended. if [ -x /bin/fbwhiptail ]; then + TRACE_FUNC + DEBUG "whiptail_warning: fbwhiptail mode" + DEBUG "whiptail_warning: BG_COLOR_WARNING=$BG_COLOR_WARNING" + DEBUG "whiptail_warning: arguments count=$#" + local i=1 + for arg in "$@"; do + DEBUG "whiptail_warning: arg[$i]=$arg" + i=$((i + 1)) + done whiptail $BG_COLOR_WARNING "$@" else + TRACE_FUNC + DEBUG "whiptail_warning: newt mode with NEWT_COLORS" + DEBUG "whiptail_warning: TEXT_BG_COLOR_WARNING=$TEXT_BG_COLOR_WARNING" + DEBUG "whiptail_warning: arguments count=$#" + local i=1 + for arg in "$@"; do + DEBUG "whiptail_warning: arg[$i]=$arg" + i=$((i + 1)) + done env NEWT_COLORS="root=,$TEXT_BG_COLOR_WARNING" whiptail "$@" fi } # Produce a whiptail prompt with 'error' background, works for fbwhiptail and newt whiptail_error() { + # shellcheck disable=SC2086,SC2145 + # SC2086: BG_COLOR_ERROR is intentionally unquoted to allow for option expansion. + # SC2145: "$@" is used to pass all arguments as intended. 
if [ -x /bin/fbwhiptail ]; then + TRACE_FUNC + DEBUG "whiptail_error: fbwhiptail mode" + DEBUG "whiptail_error: BG_COLOR_ERROR=$BG_COLOR_ERROR" + DEBUG "whiptail_error: arguments count=$#" + local i=1 + for arg in "$@"; do + DEBUG "whiptail_error: arg[$i]=$arg" + i=$((i + 1)) + done whiptail $BG_COLOR_ERROR "$@" else + TRACE_FUNC + DEBUG "whiptail_error: newt mode with NEWT_COLORS" + DEBUG "whiptail_error: TEXT_BG_COLOR_ERROR=$TEXT_BG_COLOR_ERROR" + DEBUG "whiptail_error: arguments count=$#" + local i=1 + for arg in "$@"; do + DEBUG "whiptail_error: arg[$i]=$arg" + i=$((i + 1)) + done env NEWT_COLORS="root=,$TEXT_BG_COLOR_ERROR" whiptail "$@" fi } +# Produce a whiptail error prompt and exit +whiptail_error_die() { + TRACE_FUNC + local msg=$1 + DEBUG "whiptail_error_die called with msg: $msg" + whiptail_error --title "Error" --msgbox "$msg" 0 80 + exit 1 +} + # Produce a whiptail prompt of the given type - 'error', 'warning', or 'normal' whiptail_type() { + # shellcheck disable=SC2086,SC2145 + # SC2086: BG_COLOR_MAIN_MENU is intentionally unquoted to allow for option expansion. + # SC2145: "$@" is used to pass all arguments as intended. + TRACE_FUNC local TYPE="$1" shift + # Provide DEBUG output for troubleshooting whiptail rendering (mirrors other whiptail helpers) + DEBUG "whiptail_type: TYPE=$TYPE" + DEBUG "whiptail_type: BG_COLOR_MAIN_MENU=$BG_COLOR_MAIN_MENU" + DEBUG "whiptail_type: arguments count=$#" + local i=1 + for arg in "$@"; do + DEBUG "whiptail_type: arg[$i]=$arg" + i=$((i + 1)) + done case "$TYPE" in - error) - whiptail_error "$@" - ;; - warning) - whiptail_warning "$@" - ;; - normal) - whiptail "$@" - ;; + error) + whiptail_error "$@" + ;; + warning) + whiptail_warning "$@" + ;; + normal) + whiptail "$@" + ;; + *) + whiptail "$@" + ;; esac } # Create display text for a size in bytes in either MB or GB, unit selected # automatically, rounded to nearest display_size() { + TRACE_FUNC local size_bytes unit_divisor unit_symbol size_bytes="$1" 
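Review bot: The argument-dump loop is pasted five times across whiptail_warning, whiptail_error and whiptail_type, and its loop variable `arg` is not declared `local`, so it leaks into the caller's scope each time. A single helper keeps the wrappers short and gives one place to decide what is logged; every title and message passed to these wrappers now ends up wherever DEBUG writes, which matters if a caller ever puts sensitive text in a prompt. Each wrapper would then call `whiptail_debug_args whiptail_warning "$@"` in place of the loop. In whiptail_type the new `*)` arm duplicates `normal)`; a DEBUG line naming the unexpected type would make that fallback visible.

```shell
# Log each argument of a whiptail wrapper on its own DEBUG line.
# $1 is the wrapper's name, the rest are the arguments it received.
whiptail_debug_args() {
	local name="$1" i=1 arg
	shift
	DEBUG "$name: arguments count=$#"
	for arg in "$@"; do
		DEBUG "$name: arg[$i]=$arg"
		i=$((i + 1))
	done
}
```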
@@ -90,6 +170,7 @@ display_size() { # Create display text for the size of a block device using MB or GB, rounded to # nearest display_block_device_size() { + TRACE_FUNC local block_dev disk_size_bytes block_dev="$1" @@ -113,6 +194,9 @@ display_block_device_size() { # User aborted: Exits successfully with FILE empty # No entries in list: Displays error and exits unsuccessfully file_selector() { + # shellcheck disable=SC2086,SC2145 + # SC2086: Option variables intentionally unquoted for menu argument expansion. + # SC2145: "$@" is used to pass all arguments as intended. TRACE_FUNC local FILE_LIST MENU_MSG MENU_TITLE CHOICE_ARGS SHOW_SIZE OPTION_SIZE option_index @@ -130,7 +214,7 @@ file_selector() { CHOICE_ARGS=() n=0 - while read option; do + while read -r option; do n="$((++n))" if [ "$SHOW_SIZE" = "y" ] && OPTION_SIZE="$(display_block_device_size "$option")"; then @@ -150,15 +234,17 @@ file_selector() { # create file menu options option_index="" while [ -z "$option_index" ]; do + DEBUG "CHOICE_ARGS: ${CHOICE_ARGS[*]}" whiptail --title "${MENU_TITLE}" \ --menu "${MENU_MSG} [1-$n, a to abort]:" 20 120 8 \ -- "${CHOICE_ARGS[@]}" \ 2>/tmp/whiptail || die "Aborting" - option_index=$(cat /tmp/whiptail) + option_index="$(cat /tmp/whiptail)" if [ "$option_index" != "a" ]; then - FILE="$(head -n "$option_index" "$FILE_LIST" | tail -1)" + FILE="$(head -n "$option_index" "$FILE_LIST" | tail -1)" + export FILE fi done } 
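Review bot: The `# shellcheck disable=SC2086,SC2145` directive added at the top of file_selector's body sits directly before `TRACE_FUNC`, and a directive inside a function applies only to the next command, so it suppresses nothing in the menu code; the same holds for the one before `TRACE_FUNC` in whiptail_type in the previous hunk. The accompanying comments also describe unquoted option variables that the visible lines do not contain. I would drop the blanket directive and, where an unquoted expansion is really intended, put `# shellcheck disable=SC2086` on that single line with the reason. `export FILE` is new as well and deserves a comment naming the child process that needs it, since the header comment mentions FILE only as a result.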
@@ -167,26 +253,28 @@ show_system_info() { TRACE_FUNC battery_status="$(print_battery_state)" - memtotal=$(cat /proc/meminfo | grep 'MemTotal' | tr -s ' ' | cut -f2 -d ' ') - memtotal=$((${memtotal} / 1024 / 1024 + 1)) - cpustr=$(cat /proc/cpuinfo | grep 'model name' | uniq | sed -r 's/\(R\)//;s/\(TM\)//;s/CPU //;s/model name.*: //') - kernel=$(uname -s -r) + memtotal="$(grep 'MemTotal' /proc/meminfo | tr -s ' ' | cut -f2 -d ' ')" + memtotal=$((memtotal / 1024 / 1024 + 1)) + cpustr="$(grep 'model name' /proc/cpuinfo | uniq | sed -r 's/\(R\)//;s/\(TM\)//;s/CPU //;s/model name.*: //')" + kernel="$(uname -s -r)" - local msgbox="${BOARD_NAME} + local msgbox + msgbox="${BOARD_NAME} FW_VER: ${FW_VER} Kernel: ${kernel} CPU: ${cpustr} - Microcode: $(cat /proc/cpuinfo | grep microcode | uniq | cut -d':' -f2 | tr -d ' ') + Microcode: $(grep microcode /proc/cpuinfo | uniq | cut -d':' -f2 | tr -d ' ') RAM: ${memtotal} GB $battery_status $(fdisk -l 2>/dev/null | grep -e '/dev/sd.:' -e '/dev/nvme.*:' | sed 's/B,.*/B/') " - local msgbox_rm_tabs=$(echo "$msgbox" | tr -d "\t") + local msgbox_rm_tabs + msgbox_rm_tabs=$(echo "$msgbox" | tr -d "\t") - whiptail_type $BG_COLOR_MAIN_MENU --title 'System Info' \ + whiptail_type "$BG_COLOR_MAIN_MENU" --title 'System Info' \ --msgbox "$msgbox_rm_tabs" 0 80 } diff --git a/initrd/etc/luks-functions b/initrd/etc/luks-functions.sh similarity index 90% rename from initrd/etc/luks-functions rename to initrd/etc/luks-functions.sh index 43fc09aac..83f787a31 100644 --- a/initrd/etc/luks-functions +++ b/initrd/etc/luks-functions.sh 
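Review bot: `whiptail_type "$BG_COLOR_MAIN_MENU" --title 'System Info'` passes a colour option string where whiptail_type expects 'error', 'warning' or 'normal'. With the new quotes the whole string becomes TYPE and is shifted away, and the dialog is drawn only because of the `*)` fallback added to whiptail_type in this commit, so the main-menu background is presumably never applied. `whiptail_type normal --title 'System Info' \` says what actually happens; if the gradient is wanted, call `whiptail $BG_COLOR_MAIN_MENU …` with a one-line SC2086 exemption as whiptail_warning does. In the visible lines battery_status, memtotal, cpustr and kernel are still assigned without `local`.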
@@ -1,8 +1,13 @@ #!/bin/bash # This script contains various functions related to LUKS (Linux Unified Key Setup) encryption management. -. /etc/functions -. /etc/gui_functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh +# shellcheck source=initrd/etc/gui_functions.sh +. /etc/gui_functions.sh +# shellcheck source=/dev/null +# shellcheck disable=SC1091 +# /tmp/config is generated at runtime and cannot be followed by shellcheck . /tmp/config # List all LUKS devices on the system that are not USB @@ -15,7 +20,7 @@ list_local_luks_devices() { DEBUG "Device $device is a LUKS device" dev_name=$(basename "$device") # Dynamically determine parent device name - parent_dev_name=$(echo "$dev_name" | sed -E 's/(p?[0-9]+)$//') # Handles both NVMe (pX) and non-NVMe (X) + parent_dev_name=$(sed -E 's/(p?[0-9]+)$//' <<< "$dev_name") # Handles both NVMe (pX) and non-NVMe (X) DEBUG "Derived parent device name: $parent_dev_name" if [ -e "/sys/block/$parent_dev_name" ]; then DEBUG "Device $device exists in /sys/block" @@ -91,7 +96,7 @@ confirm_luks_partitions() { fi else echo -e "$MSG" - read -p "Do you want to use all of these partitions? (y/n): " confirm + read -r -p "Do you want to use all of these partitions? (y/n): " confirm if [ "$confirm" != "y" ]; then die "User aborted the operation" fi @@ -132,7 +137,7 @@ select_luks_container_size_percent() { echo "2. 25%" echo "3. 50%" echo "4. 75%" - read -p "Choose your LUKS container size percentage of device [1-3]: " option_index + read -r -p "Choose your LUKS container size percentage of device [1-3]: " option_index if [ "$option_index" = "1" ]; then echo "10" >/tmp/luks_container_size_percent elif [ "$option_index" = "2" ]; then 
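Review bot: The prompt touched in select_luks_container_size_percent still reads `[1-3]` although the menu above it lists a fourth choice (`4. 75%`). Whether option 4 is handled lies outside the hunk, but the text should match the list: `read -r -p "Choose your LUKS container size percentage of device [1-4]: " option_index`. In the header hunk, `# shellcheck source=/dev/null` already stops ShellCheck from following /tmp/config, so the extra `disable=SC1091` line is redundant.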
@@ -246,7 +251,7 @@ interactive_prepare_thumb_drive() { #list all usb storage devices list_usb_storage disks >/tmp/devices.txt - if [ $(cat /tmp/devices.txt | wc -l) -gt 0 ]; then + if [ "$(wc -l < /tmp/devices.txt)" -gt 0 ]; then file_selector "/tmp/devices.txt" "Select device to partition" if [ "$FILE" == "" ]; then die "Error: No device selected" @@ -259,7 +264,7 @@ interactive_prepare_thumb_drive() { fi #Check if device is a block device - if [ ! -b $DEVICE ]; then + if [ ! -b "$DEVICE" ]; then die "Error: $DEVICE is not a block device" fi @@ -295,7 +300,6 @@ confirm_thumb_drive_format() { DISK_SIZE_BYTES="$(blockdev --getsize64 "$DEVICE")" DISK_SIZE_DISPLAY="$(display_size "$DISK_SIZE_BYTES")" #Convert disk size to MB - DISK_SIZE_MB=$((DISK_SIZE_BYTES/1024/1024)) #Calculate percentage of device in MB LUKS_SIZE_MB="$((DISK_SIZE_BYTES*LUKS_PERCENTAGE/100/1024/1024))" 
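Review bot: Removing `DISK_SIZE_MB` in confirm_thumb_drive_format leaves the comment `#Convert disk size to MB` with nothing under it. Delete it together with the assignment, or fold it into the next comment, e.g. `#Calculate LUKS container size in MB from the device size and percentage`.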
@@ -339,23 +343,23 @@ prepare_thumb_drive() { echo -e "Preparing $DEVICE with $PERCENTAGE_MB MB for private LUKS container while rest of device will be assigned to exFAT public partition...\n" echo "Please wait..." DEBUG "Creating empty DOS partition table on device through fdisk to start clean" - echo -e "o\nw\n" | fdisk $DEVICE >/dev/null 2>&1 || die "Error creating partition table" + echo -e "o\nw\n" | fdisk "$DEVICE" >/dev/null 2>&1 || die "Error creating partition table" DEBUG "partition device with two partitions: first one being the percent applied and rest for second partition through fdisk" - echo -e "n\np\n1\n\n+"$PERCENTAGE_MB"M\nn\np\n2\n\n\nw\n" | fdisk $DEVICE >/dev/null 2>&1 || die "Error partitioning device" + echo -e "n\np\n1\n\n+${PERCENTAGE_MB}M\nn\np\n2\n\n\nw\n" | fdisk "$DEVICE" >/dev/null 2>&1 || die "Error partitioning device" DEBUG "cryptsetup luksFormat first partition with LUKS container aes-xts-plain64 cipher with sha256 hash and 512 bit key" DEBUG "Creating ${PERCENTAGE_MB}MB LUKS container on ${DEVICE}1..." - DO_WITH_DEBUG cryptsetup --batch-mode -c aes-xts-plain64 -h sha256 -s 512 -y luksFormat ${DEVICE}1 \ + DO_WITH_DEBUG cryptsetup --batch-mode -c aes-xts-plain64 -h sha256 -s 512 -y luksFormat "${DEVICE}1" \ --key-file <(echo -n "${PASSPHRASE}") > /dev/null 2>&1 \ || die "Error formatting LUKS container" DEBUG "Opening LUKS device and mapping under /dev/mapper/private..." - DO_WITH_DEBUG cryptsetup open ${DEVICE}1 private --key-file <(echo -n "${PASSPHRASE}") > /dev/null 2>&1 \ + DO_WITH_DEBUG cryptsetup open "${DEVICE}1" private --key-file <(echo -n "${PASSPHRASE}") > /dev/null 2>&1 \ || die "Error opening LUKS container" DEBUG "Formatting LUKS container mapped under /dev/mapper/private as an ext4 partition..." mke2fs -t ext4 -L private /dev/mapper/private >/dev/null 2>&1 || die "Error formatting LUKS container's ext4 filesystem" DEBUG "Closing LUKS device /dev/mapper/private..." 
cryptsetup close private > /dev/null 2>&1 || die "Error closing LUKS container" DEBUG "Formatting second partition ${DEVICE}2 with exfat filesystem..." - mkfs.exfat -L public ${DEVICE}2 >/dev/null 2>&1 || die "Error formatting second partition with exfat filesystem" + mkfs.exfat -L public "${DEVICE}2" >/dev/null 2>&1 || die "Error formatting second partition with exfat filesystem" echo "Done." } @@ -365,7 +369,7 @@ select_luks_container() { if [ -s /boot/kexec_key_devices.txt ]; then DEBUG "Reusing known good LUKS container device from /boot/kexec_key_devices.txt" LUKS=$(cut -d ' ' -f1 /boot/kexec_key_devices.txt) - DEBUG "LUKS container device: $(echo $LUKS)" + DEBUG "LUKS container device: $LUKS" elif [ -z "$LUKS" ]; then main_luks_selection fi @@ -377,7 +381,7 @@ test_luks_current_disk_recovery_key_passphrase() { while :; do select_luks_container || return 1 - PRINTABLE_LUKS=$(echo $LUKS) + PRINTABLE_LUKS="$LUKS" if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then echo -e "\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):" 
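Review bot: Both cryptsetup calls in prepare_thumb_drive still build the key file with `<(echo -n "${PASSPHRASE}")`; bash's builtin echo treats a leading argument such as `-e`, `-E` or `-n` as an option, so a passphrase consisting of exactly such a string yields an empty key rather than what the user typed. `--key-file <(printf '%s' "${PASSPHRASE}")` on the luksFormat and open lines writes the bytes verbatim. The hard-coded `"${DEVICE}1"` and `"${DEVICE}2"` names also assume sdX-style partition naming, which may be fine for USB sticks but is worth a comment. The function starts before the hunk.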
@@ -420,15 +424,15 @@ luks_reencrypt() { TRACE_FUNC test_luks_current_disk_recovery_key_passphrase || return 1 - luks_containers=($LUKS) + luks_containers=("$LUKS") TRACE_FUNC - DEBUG "luks_containers: ${luks_containers[@]}" + DEBUG "luks_containers: ${luks_containers[*]}" if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then if [ -f /tmp/secret/luks_current_Disk_Recovery_Key_passphrase ]; then - luks_current_Disk_Recovery_Key_passphrase=$(cat /tmp/secret/luks_current_Disk_Recovery_Key_passphrase) + luks_current_Disk_Recovery_Key_passphrase="$(cat /tmp/secret/luks_current_Disk_Recovery_Key_passphrase)" else - msg=$(echo -e "This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue." 
| fold -w 70 -s) + msg=$(fold -w 70 -s <<< $'This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue.') whiptail --title 'Reencrypt LUKS encrypted container ?' --msgbox "$msg" 0 80 echo -e "\nEnter the current LUKS Disk Recovery Key passphrase:" read -r -s luks_current_Disk_Recovery_Key_passphrase @@ -458,7 +462,7 @@ luks_reencrypt() { DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..." for i in $(seq 0 31); do DEBUG "Testing key slot $i on $luks_container" - if DO_WITH_DEBUG cryptsetup open --test-passphrase $luks_container --key-slot $i --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase >/dev/null 2>&1; then + if DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-slot "$i" --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase >/dev/null 2>&1; then DRK_KEYSLOT=$i DEBUG "$luks_container: Found key-slot $DRK_KEYSLOT that can be unlocked with the current passphrase. breaking loop" break 
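Review bot: `luks_containers=("$LUKS")` in luks_reencrypt changes behaviour rather than just quoting: the old unquoted form split LUKS into one element per device, the new one always yields a single element. LUKS can come from `cut -d ' ' -f1 /boot/kexec_key_devices.txt` (select_luks_container, earlier in this diff), which prints one device per line, so with more than one container cryptsetup would be handed a multi-line string as the device path. If splitting is intended, keep it explicit with `read -r -d '' -a luks_containers <<<"$LUKS" || true`, or keep `luks_containers=($LUKS)` under `# shellcheck disable=SC2206` with a comment. The same change is made in luks_change_passphrase in the `@@ -516,9 +520,9 @@` hunk, and `PRINTABLE_LUKS="$LUKS"` likewise no longer flattens newlines to spaces.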
@@ -467,7 +471,7 @@ luks_reencrypt() { fi done - if [ $DRK_KEYSLOT -eq -1 ]; then + if [ "$DRK_KEYSLOT" -eq -1 ]; then whiptail_error --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \ "If you previously changed it and do not remember it, you will have to reinstall the OS from an external drive.\n\nTo do so, place the ISO file and its signature file on root of an external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80 TRACE_FUNC @@ -516,9 +520,9 @@ luks_change_passphrase() { TRACE_FUNC test_luks_current_disk_recovery_key_passphrase || return 1 - luks_containers=($LUKS) + luks_containers=("$LUKS") TRACE_FUNC - DEBUG "luks_containers: ${luks_containers[@]}" + DEBUG "luks_containers: ${luks_containers[*]}" # unset new passphrase to make sure the user enters it and knows what they are setting as the new passphrase! unset luks_new_Disk_Recovery_Key_passphrase diff --git a/initrd/init b/initrd/init index 44f2abecd..4af899360 100755 --- a/initrd/init +++ b/initrd/init @@ -53,19 +53,21 @@ hwclock -l -s # filesystem after exFAT is iso9660, move exFAT last. (grep -v '^\texfat$' /proc/filesystems && echo -e '\texfat') >/etc/filesystems + # shellcheck disable=SC1091 # Read the system configuration parameters from build time board configuration . /etc/config # import global functions -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh # export user related content from cbfs if [ "$CONFIG_COREBOOT" = "y" ]; then - /bin/cbfs-init + /bin/cbfs-init.sh fi # Override CONFIG_USE_BLOB_JAIL if needed and persist via user config if lspci -n | grep -E -q "8086:(2723|4df0)"; then - if ! cat /etc/config.user 2>/dev/null | grep -q "USE_BLOB_JAIL"; then + if ! grep -q "USE_BLOB_JAIL" /etc/config.user 2>/dev/null; then echo "CONFIG_USE_BLOB_JAIL=y" >>/etc/config.user fi fi 
@@ -90,6 +92,7 @@ sed -i -e 's/^export CONFIG_PUREBOOT_BASIC=/export CONFIG_BASIC=/g' /etc/config. # Combine user configuration overrides from CBFS's /etc/config.user combine_configs + # shellcheck disable=SC1091 # Load the user configuration parameters from combined config . /tmp/config @@ -122,7 +125,7 @@ elif [ "$CONFIG_QUIET_MODE" = "n" ]; then # both needs to be checked to determine if early boot measurements traces were suppressed if grep -q 'CONFIG_QUIET_MODE="y"' /etc/config 2>/dev/null && grep -q 'CONFIG_QUIET_MODE="n"' /etc/config.user 2>/dev/null; then echo "Early boot measurements traces were suppressed per CONFIG_QUIET_MODE=y in your board configuration at build time (/etc/config)" >/dev/tty0 - echo "Runtime applied Quiet mode disabled: refer to '/tmp/debug.log' for cbfs-init related traces prior of this point" >/dev/tty0 + echo "Runtime applied Quiet mode disabled: refer to '/tmp/debug.log' for cbfs-init.sh related traces prior of this point" >/dev/tty0 fi fi @@ -151,6 +154,7 @@ if [ ! -e /dev/tpm0 ]; then fi #Specify whiptail background colors cues under FBWhiptail only + # shellcheck disable=SC2086,SC2145 if [ -x /bin/fbwhiptail ]; then export BG_COLOR_WARNING="${CONFIG_WARNING_BG_COLOR:-"--background-gradient 0 0 0 150 125 0"}" export BG_COLOR_ERROR="${CONFIG_ERROR_BG_COLOR:-"--background-gradient 0 0 0 150 0 0"}" @@ -163,12 +167,12 @@ fi if [ "$CONFIG_TPM" = "y" ]; then # Initialize tpm2 encrypted sessions here - tpmr startsession + tpmr.sh startsession fi if [ "$CONFIG_LINUXBOOT" = "y" ]; then # Initialize the UEFI environment for linuxboot boards - /bin/uefi-init + /bin/uefi-init.sh fi # Set GPG_TTY before calling gpg in key-init 
@@ -176,11 +180,12 @@ fi export GPG_TTY=/dev/console # Initialize gpnupg with distro/user keys and setup the keyrings -/bin/key-init +/bin/key-init.sh # Setup recovery serial shell -if [ ! -z "$CONFIG_BOOT_RECOVERY_SERIAL" ]; then +if [ -n "$CONFIG_BOOT_RECOVERY_SERIAL" ]; then stty -F "$CONFIG_BOOT_RECOVERY_SERIAL" 115200 + # shellcheck disable=SC2094 pause_recovery 'Serial console recovery shell' \ <"$CONFIG_BOOT_RECOVERY_SERIAL" \ >"$CONFIG_BOOT_RECOVERY_SERIAL" 2>&1 & @@ -197,7 +202,7 @@ load_keymap "$CONFIG_KEYBOARD_KEYMAP" # If the user has been holding down r, enter a recovery shell # otherwise immediately start the configured boot script. # We don't print a prompt, since this is a near instant timeout. -read \ +read -r \ -t 0.1 \ -n 1 \ boot_option @@ -211,7 +216,7 @@ if [ "$boot_option" = "r" ]; then elif [ "$boot_option" = "o" ]; then # Launch OEM Factory Reset mode echo -e "***** Entering OEM Factory Reset mode\n" >/dev/tty0 - oem-factory-reset --mode oem + oem-factory-reset.sh --mode oem # just in case... exit fi @@ -221,11 +226,12 @@ if [ "$CONFIG_BASIC" = "y" ]; then fi # export firmware version -export FW_VER=$(fw_version) +FW_VER=$(fw_version) +export FW_VER # Add our boot devices into the /etc/fstab, if they are defined # in the configuration file. -if [ ! -z "$CONFIG_BOOT_DEV" ]; then +if [ -n "$CONFIG_BOOT_DEV" ]; then echo >>/etc/fstab "$CONFIG_BOOT_DEV /boot auto defaults,ro 0 0" fi @@ -233,7 +239,7 @@ fi setconsolefont.sh if [ "$CONFIG_BASIC" = "y" ]; then - CONFIG_BOOTSCRIPT=/bin/gui-init-basic + CONFIG_BOOTSCRIPT=/bin/gui-init-basic.sh export CONFIG_HOTPKEY=n fi 
@@ -242,18 +248,18 @@ if [ -x /bin/board-init.sh ]; then /bin/board-init.sh fi -if [ ! -x "$CONFIG_BOOTSCRIPT" -a ! -x "$CONFIG_BOOTSCRIPT_NETWORK" ]; then +if [ ! -x "$CONFIG_BOOTSCRIPT" ] && [ ! -x "$CONFIG_BOOTSCRIPT_NETWORK" ]; then recovery 'Boot script missing? Entering recovery shell' else if [ -x "$CONFIG_BOOTSCRIPT_NETWORK" ]; then - echo '***** Network Boot:' $CONFIG_BOOTSCRIPT_NETWORK + echo '***** Network Boot:' "$CONFIG_BOOTSCRIPT_NETWORK" $CONFIG_BOOTSCRIPT_NETWORK - echo '***** Network Boot Completed:' $CONFIG_BOOTSCRIPT_NETWORK + echo '***** Network Boot Completed:' "$CONFIG_BOOTSCRIPT_NETWORK" # not blocking fi if [ -x "$CONFIG_BOOTSCRIPT" ]; then - echo '***** Normal boot:' $CONFIG_BOOTSCRIPT + echo '***** Normal boot:' "$CONFIG_BOOTSCRIPT" if [ -x /bin/setsid ] && [ -x /bin/agetty ]; then for console in $CONFIG_BOOT_EXTRA_TTYS; do diff --git a/initrd/mount-boot b/initrd/mount-boot.sh similarity index 72% rename from initrd/mount-boot rename to initrd/mount-boot.sh index be02e08d8..70ad2fea5 100755 --- a/initrd/mount-boot +++ b/initrd/mount-boot.sh 
@@ -22,42 +22,43 @@ fi # Find the size of the device # Is there a better way? # -dev_size_file="/sys/class/block/`basename $dev`/size" +dev_size_file="/sys/class/block/$(basename "$dev")/size" +DEBUG "dev_size_file='$dev_size_file'" if [ ! -r "$dev_size_file" ]; then echo >&2 '!!!!!' - echo >&2 '!!!!! $dev file $dev_size_file not found' + echo >&2 "!!!!! $dev file $dev_size_file not found" echo >&2 '!!!!! Dropping to recovery shell' echo >&2 '!!!!!' - exit -1 + exit 1 fi -dev_blocks=`cat "$dev_size_file"` +dev_blocks=$(cat "$dev_size_file") # # Extract the signed file from the hard disk image # -if ! dd if="$dev" of="$cmd_sig" bs=512 skip="`expr $dev_blocks - 1`" > /dev/null 2>&1; then +if ! dd if="$dev" of="$cmd_sig" bs=512 skip="$((dev_blocks - 1))" > /dev/null 2>&1; then echo >&2 '!!!!!' echo >&2 '!!!!! Boot block extraction failed' echo >&2 '!!!!! Dropping to recovery shell' echo >&2 '!!!!!' - exit -1 + exit 1 fi # # Validate the file # -if ! gpgv --keyring /trustedkeys.gpg "$cmd_sig"; then +if ! gpgv.sh --keyring /trustedkeys.gpg "$cmd_sig"; then echo >&2 '!!!!!' echo >&2 '!!!!! GPG signature on block failed' echo >&2 '!!!!! Dropping to recovery shell' echo >&2 '!!!!!' - exit -1 + exit 1 fi # # Strip the PGP signature off the file -# (too bad gpgv doesn't do this) +# (too bad gpgv.sh doesn't do this) # awk < "$cmd_sig" > "$cmd" ' /BEGIN PGP SIGNATURE/ { exit }; diff --git a/initrd/sbin/config-dhcp.sh b/initrd/sbin/config-dhcp.sh index 6dcb8297b..879d786ae 100755 --- a/initrd/sbin/config-dhcp.sh +++ b/initrd/sbin/config-dhcp.sh 
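Review bot: The signature check now calls `gpgv.sh --keyring /trustedkeys.gpg "$cmd_sig"`, and the comment edit to '(too bad gpgv.sh doesn't do this)' suggests the rename was applied by search-and-replace. If no gpgv.sh wrapper is installed in the initrd, the `if !` branch still fails closed, but it reports 'GPG signature on block failed' for what is really a missing command. Please confirm the wrapper exists under that name and restore the comment to refer to gpgv. The added `DEBUG "dev_size_file=…"` line likewise needs /etc/functions.sh to be sourced earlier in the script, which is outside this hunk.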
@@ -8,37 +8,41 @@ RESOLV_CONF="/etc/resolv.conf" [ -n "$broadcast" ] && BROADCAST="broadcast $broadcast" [ -n "$subnet" ] && NETMASK="netmask $subnet" + case "$1" in deconfig) grep -q -v ip= /proc/cmdline - if [ $? -eq 0 ]; then - /sbin/ifconfig $interface up + interface="${interface:-eth0}" + ip="${ip:-127.0.0.1}" + dns="${dns:-8.8.8.8}" + if ifconfig "$interface" up; then + true fi grep -q -v nfsroot= /proc/cmdline - if [ $? -eq 0 ]; then - /sbin/ifconfig $interface 0.0.0.0 + if ifconfig "$interface" 0.0.0.0; then + true fi ;; renew|bound) - /sbin/ifconfig $interface $ip $BROADCAST $NETMASK + /sbin/ifconfig "$interface" "$ip" "$BROADCAST" "$NETMASK" if [ -n "$router" ] ; then echo "deleting routers" - while route del default gw 0.0.0.0 dev $interface ; do + while route del default gw 0.0.0.0 dev "$interface" ; do : done for i in $router ; do - route add default gw $i dev $interface + route add default gw "$i" dev "$interface" done fi echo -n > $RESOLV_CONF - [ -n "$domain" ] && echo search $domain >> $RESOLV_CONF - for i in $dns ; do - echo adding dns $i - echo nameserver $i >> $RESOLV_CONF + [ -n "$domain" ] && echo search "$domain" >> "$RESOLV_CONF" + for i in $dns ; do + echo adding dns "$i" + echo nameserver "$i" >> "$RESOLV_CONF" done ;; esac diff --git a/initrd/sbin/insmod b/initrd/sbin/insmod.sh similarity index 81% rename from initrd/sbin/insmod rename to initrd/sbin/insmod.sh index 7ca6a28fe..fa3e64008 100755 --- a/initrd/sbin/insmod +++ b/initrd/sbin/insmod.sh @@ -4,7 +4,8 @@ # The default PCR to be extended is 5, but can be # overridden with the MODULE_PCR environment variable -. /etc/functions +# shellcheck source=initrd/etc/functions.sh +. /etc/functions.sh TRACE_FUNC @@ -14,7 +15,6 @@ if [ -z "$MODULE_PCR" ]; then MODULE_PCR=5 fi - if [ -z "$MODULE" ]; then die "Usage: $0 module [args...]" fi 
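Review bot: Quoting `"$BROADCAST"` and `"$NETMASK"` in the `renew|bound` arm breaks the ifconfig call: each variable holds two words (`broadcast $broadcast`, `netmask $subnet`) or is unset, so ifconfig now receives a single argument such as `broadcast 192.0.2.255` (constructed example) or an empty string. The `deconfig` arm also changed meaning: the results of both `grep -q -v … /proc/cmdline` tests are now ignored, so the interface is brought up and reset to 0.0.0.0 unconditionally, including when `nfsroot=` is on the kernel command line. The new defaults for `ip` and `dns` are never used in that arm, and a silent fallback to a fixed public resolver is not something firmware should carry. A version that keeps the original conditions and the intended word splitting is below.

```shell
	deconfig)
		# Only touch the interface when the kernel command line did not configure it.
		if grep -q -v ip= /proc/cmdline; then
			/sbin/ifconfig "$interface" up
		fi
		if grep -q -v nfsroot= /proc/cmdline; then
			/sbin/ifconfig "$interface" 0.0.0.0
		fi
		;;
	renew|bound)
		# BROADCAST and NETMASK each hold "keyword value" or are empty, so they must word-split.
		# shellcheck disable=SC2086
		/sbin/ifconfig "$interface" "$ip" $BROADCAST $NETMASK
		# … unchanged: default route and resolv.conf handling …
```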
@@ -32,12 +32,14 @@ if lsmod | sed 's/_/-/g' | grep -q "^$module_name\\b"; then exit 0 fi -if [ ! -r /sys/class/tpm/tpm0/pcrs -o ! -x /bin/tpm ]; then - if [ ! -c /dev/tpmrm0 -o ! -x /bin/tpm2 ]; then +if [ ! -r /sys/class/tpm/tpm0/pcrs ] || [ ! -x /bin/tpm ]; then + if [ ! -c /dev/tpmrm0 ] || [ ! -x /bin/tpm2 ]; then tpm_missing=1 fi fi +DEBUG "tpm_missing='$tpm_missing'" + if [ -z "$tpm_missing" ]; then INFO "TPM: Extending PCR[$MODULE_PCR] with $MODULE and parameters '$*' before loading" # Extend with the module parameters (even if they are empty) and the @@ -46,13 +48,13 @@ if [ -z "$tpm_missing" ]; then if [ -n "$*" ]; then TRACE_FUNC INFO "Extending with module parameters and the module's content" - tpmr extend -ix "$MODULE_PCR" -ic "$*" - tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \ + tpmr.sh extend -ix "$MODULE_PCR" -ic "$*" + tpmr.sh extend -ix "$MODULE_PCR" -if "$MODULE" \ || die "$MODULE: tpm extend failed" else TRACE_FUNC INFO "No module parameters, extending only with the module's content" - tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \ + tpmr.sh extend -ix "$MODULE_PCR" -if "$MODULE" \ || die "$MODULE: tpm extend failed" fi fi diff --git a/unmaintained_boards/UNMAINTAINED_kgpe-d16_server-whiptail/UNMAINTAINED_kgpe-d16_server-whiptail.config b/unmaintained_boards/UNMAINTAINED_kgpe-d16_server-whiptail/UNMAINTAINED_kgpe-d16_server-whiptail.config index 27dccb6bf..fc677756d 100644 --- a/unmaintained_boards/UNMAINTAINED_kgpe-d16_server-whiptail/UNMAINTAINED_kgpe-d16_server-whiptail.config +++ b/unmaintained_boards/UNMAINTAINED_kgpe-d16_server-whiptail/UNMAINTAINED_kgpe-d16_server-whiptail.config 
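Review bot: In the branch that measures module parameters, `tpmr.sh extend -ix "$MODULE_PCR" -ic "$*"` has no error check, while the following extend of the module file ends in `|| die`. If the first extend fails, the module is still loaded with the PCR missing its parameters; `tpmr.sh extend -ix "$MODULE_PCR" -ic "$*" || die "$MODULE: tpm extend of parameters failed"` closes that gap. Since this wrapper is renamed from insmod to insmod.sh, it is also worth checking that no caller still invokes plain `insmod`, which would presumably skip the measurement altogether. `tpm_missing` is only ever set to 1 in the visible lines, so the new DEBUG line prints an empty value on the normal path.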
@@ -58,9 +58,9 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n export CONFIG_TPM2_CAPTURE_PCAP=n #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=y -#export CONFIG_BOOTSCRIPT=/bin/generic-init -export CONFIG_BOOTSCRIPT=/bin/gui-init -#export CONFIG_BOOTSCRIPT_NETWORK=/bin/network-init-recovery +#export CONFIG_BOOTSCRIPT="/bin/generic-init.sh" +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" +#export CONFIG_BOOTSCRIPT_NETWORK="/bin/network-init-recovery.sh" #CONSOLE SELECTION #Single output to OpenBMC diff --git a/unmaintained_boards/UNMAINTAINED_kgpe-d16_server/UNMAINTAINED_kgpe-d16_server.config b/unmaintained_boards/UNMAINTAINED_kgpe-d16_server/UNMAINTAINED_kgpe-d16_server.config index 8ed475d76..cef9ec130 100644 --- a/unmaintained_boards/UNMAINTAINED_kgpe-d16_server/UNMAINTAINED_kgpe-d16_server.config +++ b/unmaintained_boards/UNMAINTAINED_kgpe-d16_server/UNMAINTAINED_kgpe-d16_server.config @@ -51,8 +51,8 @@ export CONFIG_TPM2_CAPTURE_PCAP=n #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=y #BOOT SCRIPT SELECTION -export CONFIG_BOOTSCRIPT=/bin/generic-init -#export CONFIG_BOOTSCRIPT_NETWORK=/bin/network-init-recovery +export CONFIG_BOOTSCRIPT="/bin/generic-init.sh" +#export CONFIG_BOOTSCRIPT_NETWORK="/bin/network-init-recovery.sh" #CONSOLE SELECTION #Single output to OpenBMC diff --git a/unmaintained_boards/UNMAINTAINED_kgpe-d16_workstation-usb_keyboard/UNMAINTAINED_kgpe-d16_workstation-usb_keyboard.config b/unmaintained_boards/UNMAINTAINED_kgpe-d16_workstation-usb_keyboard/UNMAINTAINED_kgpe-d16_workstation-usb_keyboard.config index f5c4bfb85..5afa8f917 100644 --- a/unmaintained_boards/UNMAINTAINED_kgpe-d16_workstation-usb_keyboard/UNMAINTAINED_kgpe-d16_workstation-usb_keyboard.config +++ b/unmaintained_boards/UNMAINTAINED_kgpe-d16_workstation-usb_keyboard/UNMAINTAINED_kgpe-d16_workstation-usb_keyboard.config 
@@ -48,7 +48,6 @@ export CONFIG_USB_KEYBOARD_REQUIRED=y export CONFIG_TPM=y #BOOT SCRIPT SELECTION -#export CONFIG_BOOTSCRIPT=/bin/generic-init #Enable DEBUG output export CONFIG_DEBUG_OUTPUT=n export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n @@ -56,8 +55,9 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n export CONFIG_TPM2_CAPTURE_PCAP=n #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=y -export CONFIG_BOOTSCRIPT=/bin/gui-init -#export CONFIG_BOOTSCRIPT_NETWORK=/bin/network-init-recovery +#export CONFIG_BOOTSCRIPT="/bin/generic-init.sh" +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" +#export CONFIG_BOOTSCRIPT_NETWORK="/bin/network-init-recovery.sh" #CONSOLE SELECTION #Single output to OpenBMC diff --git a/unmaintained_boards/UNMAINTAINED_kgpe-d16_workstation/UNMAINTAINED_kgpe-d16_workstation.config b/unmaintained_boards/UNMAINTAINED_kgpe-d16_workstation/UNMAINTAINED_kgpe-d16_workstation.config index 0615434b7..c8eb365dc 100644 --- a/unmaintained_boards/UNMAINTAINED_kgpe-d16_workstation/UNMAINTAINED_kgpe-d16_workstation.config +++ b/unmaintained_boards/UNMAINTAINED_kgpe-d16_workstation/UNMAINTAINED_kgpe-d16_workstation.config @@ -49,7 +49,6 @@ export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y export CONFIG_TPM=y #BOOT SCRIPT SELECTION -#export CONFIG_BOOTSCRIPT=/bin/generic-init #Enable DEBUG output export CONFIG_DEBUG_OUTPUT=n export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n @@ -57,8 +56,9 @@ export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n export CONFIG_TPM2_CAPTURE_PCAP=n #Enable quiet mode: technical information logged under /tmp/debug.log export CONFIG_QUIET_MODE=y -export CONFIG_BOOTSCRIPT=/bin/gui-init -#export CONFIG_BOOTSCRIPT_NETWORK=/bin/network-init-recovery +#export CONFIG_BOOTSCRIPT="/bin/generic-init.sh" +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" +#export CONFIG_BOOTSCRIPT_NETWORK="/bin/network-init-recovery.sh" #CONSOLE SELECTION #Single output to OpenBMC 
diff --git a/unmaintained_boards/UNMAINTAINED_p8z77-m_pro-tpm1-maximized/UNMAINTAINED_p8z77-m_pro-tpm1-maximized.config b/unmaintained_boards/UNMAINTAINED_p8z77-m_pro-tpm1-maximized/UNMAINTAINED_p8z77-m_pro-tpm1-maximized.config index 458e978a0..75ce78579 100644 --- a/unmaintained_boards/UNMAINTAINED_p8z77-m_pro-tpm1-maximized/UNMAINTAINED_p8z77-m_pro-tpm1-maximized.config +++ b/unmaintained_boards/UNMAINTAINED_p8z77-m_pro-tpm1-maximized/UNMAINTAINED_p8z77-m_pro-tpm1-maximized.config @@ -68,7 +68,7 @@ CONFIG_LINUX_USB=y CONFIG_MOBILE_TETHERING=y export CONFIG_TPM=y -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="" diff --git a/unmaintained_boards/UNMAINTAINED_qemu-linuxboot/UNMAINTAINED_qemu-linuxboot.config b/unmaintained_boards/UNMAINTAINED_qemu-linuxboot/UNMAINTAINED_qemu-linuxboot.config index 32beb6741..a48127794 100644 --- a/unmaintained_boards/UNMAINTAINED_qemu-linuxboot/UNMAINTAINED_qemu-linuxboot.config +++ b/unmaintained_boards/UNMAINTAINED_qemu-linuxboot/UNMAINTAINED_qemu-linuxboot.config @@ -32,8 +32,8 @@ CONFIG_LINUX_SCSI_GDTH=y CONFIG_LINUX_ATA=y CONFIG_LINUX_AHCI=y -export CONFIG_BOOTSCRIPT=/bin/generic-init -export CONFIG_BOOTSCRIPT_NETWORK=/bin/network-init-recovery +export CONFIG_BOOTSCRIPT="/bin/generic-init.sh" +export CONFIG_BOOTSCRIPT_NETWORK="/bin/network-recovery-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n diff --git a/unmaintained_boards/UNMAINTAINED_t420/UNMAINTAINED_t420.config b/unmaintained_boards/UNMAINTAINED_t420/UNMAINTAINED_t420.config index a4d2c6fd4..5437c9bea 100644 --- a/unmaintained_boards/UNMAINTAINED_t420/UNMAINTAINED_t420.config +++ b/unmaintained_boards/UNMAINTAINED_t420/UNMAINTAINED_t420.config 
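Review bot: In `UNMAINTAINED_qemu-linuxboot.config`, `CONFIG_BOOTSCRIPT_NETWORK` becomes `/bin/network-recovery-init.sh`, but the line it replaces was `/bin/network-init-recovery`, and the commented kgpe-d16 entries in this same commit use `/bin/network-init-recovery.sh`. The words look transposed. If no script is shipped under the transposed name, this board's network recovery boot script would not be found. Suggest `export CONFIG_BOOTSCRIPT_NETWORK="/bin/network-init-recovery.sh"`, after confirming the renamed file's actual name in the initrd.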
@@ -27,7 +27,7 @@ CONFIG_LINUX_USB=y CONFIG_LINUX_E1000E=y export CONFIG_TPM=y -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="" diff --git a/unmaintained_boards/UNMAINTAINED_t430-hotp-legacy/UNMAINTAINED_t430-hotp-legacy.config b/unmaintained_boards/UNMAINTAINED_t430-hotp-legacy/UNMAINTAINED_t430-hotp-legacy.config index 93001f92e..a2d01c9d2 100644 --- a/unmaintained_boards/UNMAINTAINED_t430-hotp-legacy/UNMAINTAINED_t430-hotp-legacy.config +++ b/unmaintained_boards/UNMAINTAINED_t430-hotp-legacy/UNMAINTAINED_t430-hotp-legacy.config @@ -56,7 +56,7 @@ CONFIG_DROPBEAR=n #Ethernet driver (Heads only) CONFIG_LINUX_E1000E=n -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="" diff --git a/unmaintained_boards/UNMAINTAINED_t430-legacy-flash/UNMAINTAINED_t430-legacy-flash.config b/unmaintained_boards/UNMAINTAINED_t430-legacy-flash/UNMAINTAINED_t430-legacy-flash.config deleted file mode 100644 index d0f6fbfee..000000000 --- a/unmaintained_boards/UNMAINTAINED_t430-legacy-flash/UNMAINTAINED_t430-legacy-flash.config +++ /dev/null 
@@ -1,35 +0,0 @@ -# Minimal configuration for a t430 to support flashrom and USB -# This top SPI flash image needed to flash legacy board counterpart internally -# This image can be flashed through 1vyrain and skulls -# IDEALLY you should flash maximized top and bottom rom images exteranlly once instead. - -export CONFIG_COREBOOT=y -export CONFIG_COREBOOT_VERSION=4.22.01 -export CONFIG_LINUX_VERSION=6.1.8 - -CONFIG_COREBOOT_CONFIG=config/coreboot-x230-legacy-flash.config -CONFIG_LINUX_CONFIG=config/linux-x230-flash.config - -#Add bare minimal tools for flashing boards -CONFIG_BASH=n -CONFIG_FLASHPROG=y -CONFIG_ZSTD=n -#CONFIG_GPG=y -#CONFIG_FLASHTOOLS=y -CONFIG_PCIUTILS=y -#CONFIG_MBEDTLS=y -#CONFIG_QRENCODE=y -#CONFIG_TPMTOTP=y -#CONFIG_DROPBEAR=y - -#Additional hardware support -CONFIG_LINUX_USB=y -#CONFIG_LINUX_E1000E=y - -export CONFIG_BOOTSCRIPT=/bin/xx30-flash.init -export CONFIG_BOARD_NAME="ThinkPad T430-legacy-flash" -export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal --ifd --image bios" - -CONFIG_LEGACY_FLASH=y - -BOARD_TARGETS := legacy_flash diff --git a/unmaintained_boards/UNMAINTAINED_t430-legacy/UNMAINTAINED_t430-legacy.config b/unmaintained_boards/UNMAINTAINED_t430-legacy/UNMAINTAINED_t430-legacy.config index 09a254988..10dace2ab 100644 --- a/unmaintained_boards/UNMAINTAINED_t430-legacy/UNMAINTAINED_t430-legacy.config +++ b/unmaintained_boards/UNMAINTAINED_t430-legacy/UNMAINTAINED_t430-legacy.config @@ -50,7 +50,7 @@ CONFIG_NEWT=y #SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) CONFIG_DROPBEAR=n -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="" diff --git a/unmaintained_boards/UNMAINTAINED_t520-hotp-maximized/UNMAINTAINED_t520-hotp-maximized.config b/unmaintained_boards/UNMAINTAINED_t520-hotp-maximized/UNMAINTAINED_t520-hotp-maximized.config index 8d6dd05be..8d6364e04 100644 
--- a/unmaintained_boards/UNMAINTAINED_t520-hotp-maximized/UNMAINTAINED_t520-hotp-maximized.config +++ b/unmaintained_boards/UNMAINTAINED_t520-hotp-maximized/UNMAINTAINED_t520-hotp-maximized.config @@ -56,7 +56,7 @@ CONFIG_FBWHIPTAIL=y #SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) CONFIG_DROPBEAR=y -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="" diff --git a/unmaintained_boards/UNMAINTAINED_t520-maximized/UNMAINTAINED_t520-maximized.config b/unmaintained_boards/UNMAINTAINED_t520-maximized/UNMAINTAINED_t520-maximized.config index 7346163f8..de0b7f076 100644 --- a/unmaintained_boards/UNMAINTAINED_t520-maximized/UNMAINTAINED_t520-maximized.config +++ b/unmaintained_boards/UNMAINTAINED_t520-maximized/UNMAINTAINED_t520-maximized.config @@ -55,7 +55,7 @@ CONFIG_FBWHIPTAIL=y #SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) CONFIG_DROPBEAR=y -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="" diff --git a/unmaintained_boards/UNMAINTAINED_t530-dgpu-hotp-maximized/UNMAINTAINED_t530-dgpu-hotp-maximized.config b/unmaintained_boards/UNMAINTAINED_t530-dgpu-hotp-maximized/UNMAINTAINED_t530-dgpu-hotp-maximized.config index 61084c020..a80705984 100644 --- a/unmaintained_boards/UNMAINTAINED_t530-dgpu-hotp-maximized/UNMAINTAINED_t530-dgpu-hotp-maximized.config +++ b/unmaintained_boards/UNMAINTAINED_t530-dgpu-hotp-maximized/UNMAINTAINED_t530-dgpu-hotp-maximized.config @@ -60,7 +60,7 @@ CONFIG_FBWHIPTAIL=y #SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) CONFIG_DROPBEAR=y -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="" 
diff --git a/unmaintained_boards/UNMAINTAINED_t530-dgpu-maximized/UNMAINTAINED_t530-dgpu-maximized.config b/unmaintained_boards/UNMAINTAINED_t530-dgpu-maximized/UNMAINTAINED_t530-dgpu-maximized.config index 94d2780f1..8d002f602 100644 --- a/unmaintained_boards/UNMAINTAINED_t530-dgpu-maximized/UNMAINTAINED_t530-dgpu-maximized.config +++ b/unmaintained_boards/UNMAINTAINED_t530-dgpu-maximized/UNMAINTAINED_t530-dgpu-maximized.config @@ -59,7 +59,7 @@ CONFIG_FBWHIPTAIL=y #SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) CONFIG_DROPBEAR=y -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="" diff --git a/unmaintained_boards/UNMAINTAINED_w530-dgpu-K1000m-hotp-maximized/UNMAINTAINED_w530-dgpu-K1000m-hotp-maximized.config b/unmaintained_boards/UNMAINTAINED_w530-dgpu-K1000m-hotp-maximized/UNMAINTAINED_w530-dgpu-K1000m-hotp-maximized.config index e35937fd6..abd07107b 100644 --- a/unmaintained_boards/UNMAINTAINED_w530-dgpu-K1000m-hotp-maximized/UNMAINTAINED_w530-dgpu-K1000m-hotp-maximized.config +++ b/unmaintained_boards/UNMAINTAINED_w530-dgpu-K1000m-hotp-maximized/UNMAINTAINED_w530-dgpu-K1000m-hotp-maximized.config @@ -60,7 +60,7 @@ CONFIG_FBWHIPTAIL=y #SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) CONFIG_DROPBEAR=y -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="" diff --git a/unmaintained_boards/UNMAINTAINED_w530-dgpu-K1000m-maximized/UNMAINTAINED_w530-dgpu-K1000m-maximized.config b/unmaintained_boards/UNMAINTAINED_w530-dgpu-K1000m-maximized/UNMAINTAINED_w530-dgpu-K1000m-maximized.config index f091f80d2..ac90bf909 100644 --- a/unmaintained_boards/UNMAINTAINED_w530-dgpu-K1000m-maximized/UNMAINTAINED_w530-dgpu-K1000m-maximized.config 
+++ b/unmaintained_boards/UNMAINTAINED_w530-dgpu-K1000m-maximized/UNMAINTAINED_w530-dgpu-K1000m-maximized.config @@ -59,7 +59,7 @@ CONFIG_FBWHIPTAIL=y #SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) CONFIG_DROPBEAR=y -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="" diff --git a/unmaintained_boards/UNMAINTAINED_w530-dgpu-K2000m-hotp-maximized/UNMAINTAINED_w530-dgpu-K2000m-hotp-maximized.config b/unmaintained_boards/UNMAINTAINED_w530-dgpu-K2000m-hotp-maximized/UNMAINTAINED_w530-dgpu-K2000m-hotp-maximized.config index 18d207e25..39b63e823 100644 --- a/unmaintained_boards/UNMAINTAINED_w530-dgpu-K2000m-hotp-maximized/UNMAINTAINED_w530-dgpu-K2000m-hotp-maximized.config +++ b/unmaintained_boards/UNMAINTAINED_w530-dgpu-K2000m-hotp-maximized/UNMAINTAINED_w530-dgpu-K2000m-hotp-maximized.config @@ -60,7 +60,7 @@ CONFIG_FBWHIPTAIL=y #SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) CONFIG_DROPBEAR=y -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="" diff --git a/unmaintained_boards/UNMAINTAINED_w530-dgpu-K2000m-maximized/UNMAINTAINED_w530-dgpu-K2000m-maximized.config b/unmaintained_boards/UNMAINTAINED_w530-dgpu-K2000m-maximized/UNMAINTAINED_w530-dgpu-K2000m-maximized.config index a05be9046..44dc1757f 100644 --- a/unmaintained_boards/UNMAINTAINED_w530-dgpu-K2000m-maximized/UNMAINTAINED_w530-dgpu-K2000m-maximized.config +++ b/unmaintained_boards/UNMAINTAINED_w530-dgpu-K2000m-maximized/UNMAINTAINED_w530-dgpu-K2000m-maximized.config 
@@ -59,7 +59,7 @@ CONFIG_FBWHIPTAIL=y #SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) CONFIG_DROPBEAR=y -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="" diff --git a/unmaintained_boards/UNMAINTAINED_x220/UNMAINTAINED_x220.config b/unmaintained_boards/UNMAINTAINED_x220/UNMAINTAINED_x220.config index 494648e29..32f4cc73c 100644 --- a/unmaintained_boards/UNMAINTAINED_x220/UNMAINTAINED_x220.config +++ b/unmaintained_boards/UNMAINTAINED_x220/UNMAINTAINED_x220.config @@ -50,7 +50,7 @@ CONFIG_FBWHIPTAIL=y #SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) CONFIG_DROPBEAR=n -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="" diff --git a/unmaintained_boards/UNMAINTAINED_x230-hotp-legacy/UNMAINTAINED_x230-hotp-legacy.config b/unmaintained_boards/UNMAINTAINED_x230-hotp-legacy/UNMAINTAINED_x230-hotp-legacy.config index 9cfbc4d6b..f2e6a2719 100644 --- a/unmaintained_boards/UNMAINTAINED_x230-hotp-legacy/UNMAINTAINED_x230-hotp-legacy.config +++ b/unmaintained_boards/UNMAINTAINED_x230-hotp-legacy/UNMAINTAINED_x230-hotp-legacy.config @@ -56,7 +56,7 @@ CONFIG_DROPBEAR=n #Ethernet driver (Heads only) CONFIG_LINUX_E1000E=n -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="" diff --git a/unmaintained_boards/UNMAINTAINED_x230-legacy-flash/UNMAINTAINED_x230-legacy-flash.config b/unmaintained_boards/UNMAINTAINED_x230-legacy-flash/UNMAINTAINED_x230-legacy-flash.config deleted file mode 100644 index eb5fd3ad0..000000000 --- a/unmaintained_boards/UNMAINTAINED_x230-legacy-flash/UNMAINTAINED_x230-legacy-flash.config +++ /dev/null 
@@ -1,36 +0,0 @@ -# Minimal configuration for a x230 to support flashrom and USB -# This top SPI flash image needed to flash legacy board counterpart internally -# This image can be flashed through 1vyrain and skulls -# IDEALLY you should flash maximized top and bottom rom images exteranlly once instead. - -export CONFIG_COREBOOT=y -export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=6.1.8 - -CONFIG_COREBOOT_CONFIG=config/coreboot-UNMAINTAINED_x230-legacy-flash.config -CONFIG_LINUX_CONFIG=config/linux-x230-flash.config - -#Add bare minimal tools for flashing boards -CONFIG_BASH=n -CONFIG_FLASHPROG=y -CONFIG_ZSTD=n -#CONFIG_GPG=y -#CONFIG_FLASHTOOLS=y -CONFIG_PCIUTILS=y -#CONFIG_MBEDTLS=y -#CONFIG_QRENCODE=y -#CONFIG_TPMTOTP=y -#CONFIG_DROPBEAR=y - - -#Additional hardware support -CONFIG_LINUX_USB=y -#CONFIG_LINUX_E1000E=y - -export CONFIG_BOOTSCRIPT=/bin/xx30-flash.init -export CONFIG_BOARD_NAME="ThinkPad X230-legacy-flash" -export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal --ifd --image bios" - -CONFIG_LEGACY_FLASH=y - -BOARD_TARGETS := legacy_flash diff --git a/unmaintained_boards/UNMAINTAINED_x230-legacy/UNMAINTAINED_x230-legacy.config b/unmaintained_boards/UNMAINTAINED_x230-legacy/UNMAINTAINED_x230-legacy.config index d093dcdbf..6fc8fe5e7 100644 --- a/unmaintained_boards/UNMAINTAINED_x230-legacy/UNMAINTAINED_x230-legacy.config +++ b/unmaintained_boards/UNMAINTAINED_x230-legacy/UNMAINTAINED_x230-legacy.config @@ -49,7 +49,7 @@ CONFIG_NEWT=y #SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) CONFIG_DROPBEAR=n -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="" diff --git a/unmaintained_boards/UNTESTED_leopard/UNTESTED_leopard.config b/unmaintained_boards/UNTESTED_leopard/UNTESTED_leopard.config index 8d874d736..4ba71d44a 100644 
--- a/unmaintained_boards/UNTESTED_leopard/UNTESTED_leopard.config +++ b/unmaintained_boards/UNTESTED_leopard/UNTESTED_leopard.config @@ -37,7 +37,7 @@ CONFIG_LINUX_USB=y #CONFIG_LINUX_E1000E=y #CONFIG_LINUX_NVME=y -export CONFIG_BOOTSCRIPT=/bin/generic-init +export CONFIG_BOOTSCRIPT="/bin/generic-init.sh" export CONFIG_TPM=n export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n diff --git a/unmaintained_boards/UNTESTED_r630/UNTESTED_r630.config b/unmaintained_boards/UNTESTED_r630/UNTESTED_r630.config index 14d6abb67..6672dc241 100644 --- a/unmaintained_boards/UNTESTED_r630/UNTESTED_r630.config +++ b/unmaintained_boards/UNTESTED_r630/UNTESTED_r630.config @@ -25,7 +25,7 @@ CONFIG_LINUX_IGB=y CONFIG_LINUX_MEGARAID=y CONFIG_LINUX_E1000E=y -export CONFIG_BOOTSCRIPT=/bin/generic-init +export CONFIG_BOOTSCRIPT="/bin/generic-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n diff --git a/unmaintained_boards/UNTESTED_s2600wf/UNTESTED_s2600wf.config b/unmaintained_boards/UNTESTED_s2600wf/UNTESTED_s2600wf.config index 2a0148d73..6f27366ba 100644 --- a/unmaintained_boards/UNTESTED_s2600wf/UNTESTED_s2600wf.config +++ b/unmaintained_boards/UNTESTED_s2600wf/UNTESTED_s2600wf.config @@ -38,6 +38,6 @@ CONFIG_LINUX_ATA=y CONFIG_LINUX_AHCI=y export CONFIG_TPM=n -export CONFIG_BOOTSCRIPT=/bin/generic-init +export CONFIG_BOOTSCRIPT="/bin/generic-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n diff --git a/unmaintained_boards/UNTESTED_tioga/UNTESTED_tioga.config b/unmaintained_boards/UNTESTED_tioga/UNTESTED_tioga.config index 109c02fc5..5e8fac89f 100644 --- a/unmaintained_boards/UNTESTED_tioga/UNTESTED_tioga.config +++ b/unmaintained_boards/UNTESTED_tioga/UNTESTED_tioga.config @@ -40,7 +40,7 @@ CONFIG_LINUX_USB=y CONFIG_LINUX_NVME=y CONFIG_LINUX_BCM=y -export CONFIG_BOOTSCRIPT=/bin/generic-init +export CONFIG_BOOTSCRIPT="/bin/generic-init.sh" export CONFIG_TPM=n export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n 
diff --git a/unmaintained_boards/UNTESTED_winterfell/UNTESTED_winterfell.config b/unmaintained_boards/UNTESTED_winterfell/UNTESTED_winterfell.config index d9cae6534..26125eee4 100644 --- a/unmaintained_boards/UNTESTED_winterfell/UNTESTED_winterfell.config +++ b/unmaintained_boards/UNTESTED_winterfell/UNTESTED_winterfell.config @@ -39,7 +39,7 @@ CONFIG_LINUX_AHCI=y CONFIG_LINUX_E1000E=y CONFIG_LINUX_NVME=y -export CONFIG_BOOTSCRIPT=/bin/generic-init +export CONFIG_BOOTSCRIPT="/bin/generic-init.sh" export CONFIG_TPM=n export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n diff --git a/unmaintained_boards/x230-hotp-legacy/x230-hotp-legacy.config b/unmaintained_boards/x230-hotp-legacy/x230-hotp-legacy.config index 1d6233d72..b862c573e 100644 --- a/unmaintained_boards/x230-hotp-legacy/x230-hotp-legacy.config +++ b/unmaintained_boards/x230-hotp-legacy/x230-hotp-legacy.config @@ -56,7 +56,7 @@ CONFIG_DROPBEAR=n #Ethernet driver (Heads only) CONFIG_LINUX_E1000E=n -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="" diff --git a/unmaintained_boards/x230-legacy-flash/x230-legacy-flash.config b/unmaintained_boards/x230-legacy-flash/x230-legacy-flash.config deleted file mode 100644 index ed0e79908..000000000 --- a/unmaintained_boards/x230-legacy-flash/x230-legacy-flash.config +++ /dev/null 
@@ -1,36 +0,0 @@ -# Minimal configuration for a x230 to support flashrom and USB -# This top SPI flash image needed to flash legacy board counterpart internally -# This image can be flashed through 1vyrain and skulls -# IDEALLY you should flash maximized top and bottom rom images exteranlly once instead. - -export CONFIG_COREBOOT=y -export CONFIG_COREBOOT_VERSION=24.02.01 -export CONFIG_LINUX_VERSION=5.10.5 - -CONFIG_COREBOOT_CONFIG=config/coreboot-UNMAINTAINED_x230-legacy-flash.config -CONFIG_LINUX_CONFIG=config/linux-x230-flash.config - -#Add bare minimal tools for flashing boards -CONFIG_BASH=n -CONFIG_FLASHPROG=y -CONFIG_ZSTD=n -#CONFIG_GPG=y -#CONFIG_FLASHTOOLS=y -CONFIG_PCIUTILS=y -#CONFIG_MBEDTLS=y -#CONFIG_QRENCODE=y -#CONFIG_TPMTOTP=y -#CONFIG_DROPBEAR=y - - -#Additional hardware support -CONFIG_LINUX_USB=y -#CONFIG_LINUX_E1000E=y - -export CONFIG_BOOTSCRIPT=/bin/xx30-flash.init -export CONFIG_BOARD_NAME="ThinkPad X230-legacy-flash" -export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal --ifd --image bios" - -CONFIG_LEGACY_FLASH=y - -BOARD_TARGETS := legacy_flash diff --git a/unmaintained_boards/x230-legacy/x230-legacy.config b/unmaintained_boards/x230-legacy/x230-legacy.config index bdd821218..f32a01214 100644 --- a/unmaintained_boards/x230-legacy/x230-legacy.config +++ b/unmaintained_boards/x230-legacy/x230-legacy.config @@ -49,7 +49,7 @@ CONFIG_NEWT=y #SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) CONFIG_DROPBEAR=n -export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOTSCRIPT="/bin/gui-init.sh" export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD=""