diff --git a/Makefile b/Makefile index 840a186f4e..9572ebed74 100644 --- a/Makefile +++ b/Makefile @@ -328,6 +328,7 @@ bin_modules-$(CONFIG_LVM2) += lvm2 bin_modules-$(CONFIG_DROPBEAR) += dropbear bin_modules-$(CONFIG_FLASHTOOLS) += flashtools bin_modules-$(CONFIG_NEWT) += newt +bin_modules-$(CONFIG_IO386) += io386 $(foreach m, $(bin_modules-y), \ $(call map,initrd_bin_add,$(call bins,$m)) \ diff --git a/initrd/bin/flashmode b/initrd/bin/flashmode new file mode 100755 index 0000000000..988f5ce1ea --- /dev/null +++ b/initrd/bin/flashmode @@ -0,0 +1,46 @@ +#!/bin/sh +. /etc/config +. /etc/functions + + +echo >&2 "!!!!! Please authenticate with OpenPGP card to prove you own this box..." + +confirm_gpg_card + +# Perform a signing-based challenge-response, +# to authencate that the card plugged in holding +# the key to sign the list of boot files. +CR_NONCE="/tmp/secret/cr_nonce" +CR_SIG="/tmp/secret/cr_nonce.sig" + +dd \ + if=/dev/urandom \ + of="$CR_NONCE" \ + count=1 \ + bs=20 \ + 2>/dev/null \ +|| die "Unable to generate 20 random bytes" + +for tries in 1 2 3; do + if gpg --digest-algo SHA256 \ + --detach-sign \ + -o "$CR_SIG" \ + "$CR_NONCE" \ + && gpgv "$CR_SIG" "$CR_NONCE" \ + ; then + # Remove any temporary secret files that might be hanging around + # but recreate the directory so that new tools can use it. + rm -rf /tmp/secret + mkdir -p /tmp/secret + if [ "$CONFIG_TPM" = y ]; then + tpm extend -ix 4 -ic flashing + fi + echo >&2 "!!!!! Starting shell for ROM flashing" + sleep 1 + exec /bin/ash + else + rm "$CR_SIG" + fi +done + +die "Authentication failed! You are not allowed to program the flash." diff --git a/initrd/bin/generic-init b/initrd/bin/generic-init index c0808e48e3..00ea1df041 100755 --- a/initrd/bin/generic-init +++ b/initrd/bin/generic-init @@ -21,6 +21,7 @@ while true; do echo "r) Recovery boot" echo "u) USB boot" echo "m) Boot menu" + echo "f) ROM flashing" if ! confirm_totp "Boot mode"; then recovery 'Failed to unseal TOTP' @@ -40,12 +41,23 @@ while true; do fi if [ "$totp_confirm" = "u" ]; then + if [ "$CONFIG_IO386" = y ]; then + lock_chip + fi exec /bin/usb-init continue fi + if [ "$totp_confirm" = "f" ]; then + flashmode \ + || recovery "Failed to enter flash mode" + fi + if [ "$totp_confirm" = "m" ]; then # Try to select a kernel from the menu + if [ "$CONFIG_IO386" = y ]; then + lock_chip + fi mount_boot kexec-select-boot -m -b /boot -c "grub.cfg" continue @@ -53,11 +65,16 @@ while true; do if [ "$totp_confirm" = "y" -o -n "$totp_confirm" ]; then # Try to boot the default + if [ "$CONFIG_IO386" = y ]; then + lock_chip + fi mount_boot kexec-select-boot -b /boot -c "grub.cfg" \ || recovery "Failed default boot" fi + + done recovery "Something failed during boot" diff --git a/initrd/etc/functions b/initrd/etc/functions index 5301c99a90..c8d59cf24f 100755 --- a/initrd/etc/functions +++ b/initrd/etc/functions @@ -10,6 +10,13 @@ warn() { echo >&2 "$*"; } +lock_chip() { + APM_CNT=0xb2 + FIN_CODE=0xcb + echo "Finalizing chipset" + io386 -o b -b x $APM_CNT $FIN_CODE +} + recovery() { echo >&2 "!!!!! $*" @@ -20,12 +27,16 @@ recovery() { if [ "$CONFIG_TPM" = y ]; then tpm extend -ix 4 -ic recovery fi + + if [ "$CONFIG_IO386" = y ]; then + lock_chip + fi + echo >&2 "!!!!! Starting recovery shell" sleep 1 exec /bin/ash } - pcrs() { head -7 /sys/class/tpm/tpm0/pcrs } @@ -126,7 +137,6 @@ confirm_gpg_card() || die "gpg card read failed" } - check_tpm_counter() { # if the /boot.hashes file already exists, read the TPM counter ID diff --git a/modules/io386 b/modules/io386 new file mode 100644 index 0000000000..6829c7ea9a --- /dev/null +++ b/modules/io386 @@ -0,0 +1,28 @@ +modules-$(CONFIG_IO386) += io386 + +io386_depends := $(musl_dep) + +io386_version := git +io386_repo := https://github.com/hardenedlinux/io386 +io386_dir := io386-$(io386_version) + +io386_target := \ + $(MAKE_JOBS) \ + $(CROSS_TOOLS) \ + SHARED=yes \ + PREFIX="/" \ + && \ + $(MAKE) \ + -C $(build)/$(io386_dir) \ + $(CROSS_TOOLS) \ + SHARED=yes \ + PREFIX="/" \ + DESTDIR="$(INSTALL)" \ + install \ + +io386_output := \ + io386 + +io386_libraries := + +io386_configure :=