Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Qubes fwupd upstream #834

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Qubes fwupd upstream #834

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
72 changes: 42 additions & 30 deletions initrd/bin/flash-gui.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,41 +21,53 @@ while true; do
exit 0
;;
f|c )
if (whiptail $BG_COLOR_WARNING --title 'Flash the BIOS with a new ROM' \
--yesno "You will need to insert a USB drive containing your BIOS image (*.rom).\n\nAfter you select this file, this program will reflash your BIOS.\n\nDo you want to proceed?" 16 90) then
mount_usb
if grep -q /media /proc/mounts ; then
find /media ! -path '*/\.*' -type f -name '*.rom' | sort > /tmp/filelist.txt
# check if fwupd updates exist
if ls /boot/updates/*/*.rom > /dev/null 2>&1; then
if (whiptail --title 'Flash the BIOS with a new ROM' \
--yesno "A ROM detected in the /boot/updates directory.\n\nDo you want to proceed?" 16 90) then
find /boot/updates ! -path '*/\.*' -type f -name '*.rom' | sort > /tmp/filelist.txt
Comment on lines +24 to +28
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question from what will be dropped under /boot/updates//

  • Do we have a hashes.txt coming from the builds?
  • Is that hashes.txt detached signed with OEM key and provided as well?
  • Should we think of adding a OEM directory to add public keys under OEM directory?
    • Should we add validation prior of proposing the ROM to the user and only propose if valid?
    • The same logic then booting from ISO could easily be borrowed here, where ISO is validated against a seperate gpg --home= instance relative to known distro keys

Thoughts?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Otherwise, any rom being dropped under /boot/updates would be considered a valid firmware update.
@MrChromebox

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Otherwise, any rom being dropped under /boot/updates would be considered a valid firmware update.
@MrChromebox

that's really no different from what we do now from USB

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@MrChromebox well, right now upgrading from USB considered intentional. Now anything pushing updates to that directory would leave user thinking that firmware is authentic and valid and would prompt the user to flash without further validation from Heads.

file_selector "/tmp/filelist.txt" "Choose the ROM to flash"
if [ "$FILE" == "" ]; then
return
else
ROM=$FILE
fi
fi
if [ -z $ROM ]; then
if (whiptail $BG_COLOR_WARNING --title 'Flash the BIOS with a new ROM' \
--yesno "You will need to insert a USB drive containing your BIOS image (*.rom).\n\nAfter you select this file, this program will reflash your BIOS.\n\nDo you want to proceed?" 16 90) then
mount_usb
if grep -q /media /proc/mounts ; then
find /media ! -path '*/\.*' -type f -name '*.rom' | sort > /tmp/filelist.txt
file_selector "/tmp/filelist.txt" "Choose the ROM to flash"
ROM=$FILE
fi
else
exit
fi
fi
if [ -z $ROM ]; then
exit
fi

if (whiptail $BG_COLOR_WARNING --title 'Flash ROM?' \
--yesno "This will replace your current ROM with:\n\n${ROM#"/media/"}\n\nDo you want to proceed?" 16 90) then
if [ "$menu_choice" == "c" ]; then
/bin/flash.sh -c "$ROM"
# after flash, /boot signatures are now invalid so go ahead and clear them
if ls /boot/kexec* >/dev/null 2>&1 ; then
(
mount -o remount,rw /boot 2>/dev/null
rm /boot/kexec* 2>/dev/null
mount -o remount,ro /boot 2>/dev/null
)
fi
else
/bin/flash.sh "$ROM"
fi
whiptail --title 'ROM Flashed Successfully' \
--msgbox "${ROM#"/media/"}\n\nhas been flashed successfully.\n\nPress Enter to reboot\n" 16 90
umount /media
/bin/reboot
else
exit
fi
if (whiptail $BG_COLOR_WARNING --title 'Flash ROM?' \
--yesno "This will replace your current ROM with:\n\n${ROM#"/media/"}\n\nDo you want to proceed?" 16 90) then
if [ "$menu_choice" == "c" ]; then
/bin/flash.sh -c "$ROM"
# after flash, /boot signatures are now invalid so go ahead and clear them
if ls /boot/kexec* >/dev/null 2>&1 ; then
(
mount -o remount,rw /boot 2>/dev/null
rm /boot/kexec* 2>/dev/null
mount -o remount,ro /boot 2>/dev/null
)
fi
else
/bin/flash.sh "$ROM"
fi
whiptail --title 'ROM Flashed Successfully' \
--msgbox "${ROM#"/media/"}\n\nhas been flashed successfully.\n\nPress Enter to reboot\n" 16 90
umount /media
/bin/reboot
else
exit
fi
;;
esac
Expand Down