Verified Commit 140420e1 authored by Jonathon Hall's avatar Jonathon Hall

config-gui.sh: Integrate PureBoot Basic changes



config-gui-basic.sh is just config-gui.sh with the options relating to
verified boot removed.  Re-integrate by omitting the relevant options
from the whiptail menu in basic mode.

ash lacks arrays, so write a script that invokes whiptail in order to
build the menu items dynamically.  The only alternative is building the
parameters in a single variable that the shell would word-split, but
the quoting for this would be even worse since many of the parameters
contain spaces.

Signed-off-by: Jonathon Hall's avatarJonathon Hall <jonathon.hall@puri.sm>
parent 1b3a28ab
#!/bin/sh
#
set -e -o pipefail
. /etc/functions
. /etc/gui_functions
. /tmp/config
ROOT_HASH_FILE="/boot/kexec_root_hashes.txt"
param=$1
# Read the current ROM; if it fails display an error and exit.
read_rom() {
/bin/flash.sh -r "$1"
if [ ! -s "$1" ]; then
whiptail $BG_COLOR_ERROR --title 'ERROR: BIOS Read Failed!' \
--msgbox "Unable to read BIOS" 16 60
exit 1
fi
}
while true; do
if [ ! -z "$param" ]; then
# use first char from parameter
menu_choice=${param::1}
unset param
else
# check current PureBoot Mode
BASIC_MODE=`grep 'CONFIG_PUREBOOT_BASIC=' /tmp/config | tail -n1 | cut -f2 -d '=' | tr -d '"'`
[ "$BASIC_MODE" == "y" ] && MODE_ACTION="Disable" || MODE_ACTION="Enable"
unset menu_choice
whiptail $BG_COLOR_MAIN_MENU --clear --title "Config Management Menu" \
--menu "This menu lets you change settings for the current BIOS session.\n\nAll changes will revert after a reboot,\n\nunless you also save them to the running BIOS." 20 90 10 \
'b' ' Change the /boot device' \
'P' " $MODE_ACTION PureBoot Basic Mode" \
's' ' Save the current configuration to the running BIOS' \
'x' ' Return to Main Menu' \
2>/tmp/whiptail || recovery "GUI menu failed"
menu_choice=$(cat /tmp/whiptail)
fi
case "$menu_choice" in
"x" )
exit 0
;;
"b" )
CURRENT_OPTION=`grep 'CONFIG_BOOT_DEV=' /tmp/config | tail -n1 | cut -f2 -d '=' | tr -d '"'`
if ! fdisk -l | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" > /tmp/disklist.txt ; then
whiptail $BG_COLOR_ERROR --title 'ERROR: No bootable devices found' \
--msgbox " $ERROR\n\n" 16 60
exit 1
fi
# filter out extraneous options
> /tmp/boot_device_list.txt
for i in `cat /tmp/disklist.txt`; do
# remove block device from list if numeric partitions exist, since not bootable
DEV_NUM_PARTITIONS=$((`ls -1 $i* | wc -l`-1))
if [ ${DEV_NUM_PARTITIONS} -eq 0 ]; then
echo $i >> /tmp/boot_device_list.txt
else
ls $i* | tail -${DEV_NUM_PARTITIONS} >> /tmp/boot_device_list.txt
fi
done
file_selector "/tmp/boot_device_list.txt" \
"Choose the default /boot device.\n\nCurrently set to $CURRENT_OPTION." \
"Boot Device Selection"
if [ "$FILE" == "" ]; then
return
else
SELECTED_FILE=$FILE
fi
# unmount /boot if needed
if grep -q /boot /proc/mounts ; then
umount /boot 2>/dev/null
fi
# mount newly selected /boot device
if ! mount -o ro $SELECTED_FILE /boot 2>/tmp/error ; then
ERROR=`cat /tmp/error`
whiptail $BG_COLOR_ERROR --title 'ERROR: unable to mount /boot' \
--msgbox " $ERROR\n\n" 16 60
exit 1
fi
replace_config /etc/config.user "CONFIG_BOOT_DEV" "$SELECTED_FILE"
combine_configs
whiptail --title 'Config change successful' \
--msgbox "The /boot device was successfully changed to $SELECTED_FILE" 16 60
;;
"s" )
read_rom /tmp/config-gui.rom
replace_rom_file /tmp/config-gui.rom "heads/initrd/etc/config.user" /etc/config.user
if (whiptail --title 'Update ROM?' \
--yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 16 90) then
/bin/flash.sh /tmp/config-gui.rom
whiptail --title 'BIOS Updated Successfully' \
--msgbox "BIOS updated successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 16 60
/bin/reboot
else
exit 0
fi
;;
"P" )
if [ "$BASIC_MODE" = "n" ]; then
if (whiptail --title 'Enable PureBoot Basic Mode?' \
--yesno "This will remove all signature checking on the firmware
\nand boot files, and disable use of the Librem Key.
\n\nDo you want to proceed?" 16 90) then
set_config /etc/config.user "CONFIG_PUREBOOT_BASIC" "y"
combine_configs
whiptail --title 'Config change successful' \
--msgbox "PureBoot Basic mode enabled;\nsave the config change and reboot for it to go into effect." 16 60
fi
else
if (whiptail --title 'Disable PureBoot Basic Mode?' \
--yesno "This will enable all signature checking on the firmware
\nand boot files, and enable use of the Librem Key.
\n\nDo you want to proceed?" 16 90) then
set_config /etc/config.user "CONFIG_PUREBOOT_BASIC" "n"
combine_configs
whiptail --title 'Config change successful' \
--msgbox "PureBoot Basic mode has been disabled;\nsave the config change and reboot for it to go into effect." 16 60
fi
fi
;;
esac
done
exit 0
......@@ -28,33 +28,47 @@ while true; do
# check current PureBoot Mode
if grep -q 'CONFIG_PUREBOOT_BASIC' /tmp/config; then
BASIC_MODE=`grep 'CONFIG_PUREBOOT_BASIC=' /tmp/config | tail -n1 | cut -f2 -d '=' | tr -d '"'`
[ "$BASIC_MODE" == "y" ] && MODE_ACTION="Disable" || MODE_ACTION="Enable"
else
BASIC_MODE=n
MODE_ACTION="Enable"
fi
# check current Restricted Boot Mode
if grep -q 'CONFIG_RESTRICTED_BOOT' /tmp/config; then
RESTRICTED_BOOT=`grep 'CONFIG_RESTRICTED_BOOT' /tmp/config | tail -n1 | cut -f2 -d '=' | tr -d '"'`
[ "$RESTRICTED_BOOT" == "y" ] && RB_MODE_ACTION="Disable" || RB_MODE_ACTION="Enable"
else
RESTRICTED_BOOT=n
RB_MODE_ACTION="Enable"
fi
# ash lacks arrays - to build the arguments for whiptail dynamically,
# generate a script
{
echo '#! /bin/sh'
echo 'whiptail '"$BG_COLOR_MAIN_MENU"' --clear --title "Config Management Menu" \'
echo ' --menu "This menu lets you change settings for the current BIOS session.\n\nAll changes will revert after a reboot,\n\nunless you also save them to the running BIOS." 20 90 10 \'
echo ' "b" " Change the /boot device" \'
if [ "$BASIC_MODE" = "y" ]; then
# In basic mode, offer to disable basic, and skip verified boot options
echo ' "P" " Disable PureBoot Basic Mode" \'
else
echo ' "r" " Clear GPG key(s) and reset all user settings" \'
echo ' "R" " Change the root device for hashing" \'
echo ' "D" " Change the root directories to hash" \'
echo ' "B" " Check root hashes at boot" \'
echo ' "P" " Enable PureBoot Basic Mode" \'
if [ "$RESTRICTED_BOOT" = "y" ]; then
echo ' "L" " Disable Restricted Boot" \'
else
echo ' "L" " Enable Restricted Boot" \'
fi
fi
echo ' "s" " Save the current configuration to the running BIOS" \'
echo ' "x" " Return to Main Menu"'
} >/tmp/config-gui-menu.sh
chmod a+x /tmp/config-gui-menu.sh
unset menu_choice
whiptail $BG_COLOR_MAIN_MENU --clear --title "Config Management Menu" \
--menu "This menu lets you change settings for the current BIOS session.\n\nAll changes will revert after a reboot,\n\nunless you also save them to the running BIOS." 20 90 10 \
'b' ' Change the /boot device' \
'r' ' Clear GPG key(s) and reset all user settings' \
'R' ' Change the root device for hashing' \
'D' ' Change the root directories to hash' \
'B' ' Check root hashes at boot' \
'P' " $MODE_ACTION PureBoot Basic Mode" \
'L' " $RB_MODE_ACTION Restricted Boot" \
's' ' Save the current configuration to the running BIOS' \
'x' ' Return to Main Menu' \
2>/tmp/whiptail || recovery "GUI menu failed"
/tmp/config-gui-menu.sh 2>/tmp/whiptail || recovery "GUI menu failed"
menu_choice=$(cat /tmp/whiptail)
fi
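Review bot: The generated `/tmp/config-gui-menu.sh` pastes `$BG_COLOR_MAIN_MENU` into shell source that is parsed a second time and then run from a fixed path made executable for everyone (`chmod a+x`), which is more moving parts than a menu needs in firmware whose job is boot integrity. POSIX sh does have one array, the positional parameters, so the items can be appended with `set -- "$@" ...` and passed to whiptail as `"$@"`, with no generated file, no second parse and no extra quoting layer. Doing this inside a function leaves the script's own `$1` untouched; the removed basic script copied it into `param` before the loop, and config-gui.sh presumably does the same, though that part is outside the hunk. Also outside the hunk and worth checking: if the `case` still accepts `r`/`R`/`D`/`B`/`L` when the choice comes from the script parameter rather than the menu, hiding those entries does not disable them in basic mode.

```shell
# Defined once, above the `while true` loop. ash has no arrays, but the
# positional parameters of a function keep each item as one word, spaces
# included, and are restored when the function returns.
config_menu() {
  set -- 'b' ' Change the /boot device'
  if [ "$BASIC_MODE" = "y" ]; then
    # In basic mode, offer to disable basic, and skip verified boot options
    set -- "$@" 'P' ' Disable PureBoot Basic Mode'
  else
    set -- "$@" \
      'r' ' Clear GPG key(s) and reset all user settings' \
      'R' ' Change the root device for hashing' \
      'D' ' Change the root directories to hash' \
      'B' ' Check root hashes at boot' \
      'P' ' Enable PureBoot Basic Mode' \
      'L' " $RB_MODE_ACTION Restricted Boot"
  fi
  set -- "$@" \
    's' ' Save the current configuration to the running BIOS' \
    'x' ' Return to Main Menu'
  # $BG_COLOR_MAIN_MENU stays unquoted as in the old call; it presumably
  # carries several whiptail options that must be word-split.
  whiptail $BG_COLOR_MAIN_MENU --clear --title "Config Management Menu" \
    --menu "This menu lets you change settings for the current BIOS session.\n\nAll changes will revert after a reboot,\n\nunless you also save them to the running BIOS." 20 90 10 \
    "$@"
}

# … unchanged: BASIC_MODE / RESTRICTED_BOOT detection …
unset menu_choice
config_menu 2>/tmp/whiptail || recovery "GUI menu failed"
```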
......@@ -116,7 +116,7 @@ show_options_menu()
show_boot_options_menu
;;
c )
config-gui-basic.sh
config-gui.sh
;;
f )
flash-gui.sh