kylerankin · tlaurion · Jan 5, 2018 · Sep 18, 2018 · Sep 18, 2018 · Sep 18, 2018
diff --git a/Makefile b/Makefile
@@ -393,6 +393,8 @@ bin_modules-$(CONFIG_PCIUTILS) += pciutils
 bin_modules-$(CONFIG_FLASHROM) += flashrom
 bin_modules-$(CONFIG_CRYPTSETUP) += cryptsetup
 bin_modules-$(CONFIG_GPG) += gpg
+bin_modules-$(CONFIG_GPG2) += gpg2
+bin_modules-$(CONFIG_PINENTRY) += pinentry
 bin_modules-$(CONFIG_LVM2) += lvm2
 bin_modules-$(CONFIG_DROPBEAR) += dropbear
 bin_modules-$(CONFIG_FLASHTOOLS) += flashtools

diff --git a/boards/librem13v2/librem13v2.config b/boards/librem13v2/librem13v2.config
@@ -6,7 +6,7 @@ export CONFIG_COREBOOT=y
 CONFIG_CRYPTSETUP=y
 CONFIG_FLASHROM=y
 CONFIG_FLASHTOOLS=y
-CONFIG_GPG=y
+CONFIG_GPG2=y
 CONFIG_KEXEC=y
 CONFIG_UTIL_LINUX=y
 CONFIG_LVM2=y

diff --git a/boards/librem15v3/librem15v3.config b/boards/librem15v3/librem15v3.config
@@ -8,7 +8,7 @@ export CONFIG_COREBOOT=y
 CONFIG_CRYPTSETUP=y
 CONFIG_FLASHROM=y
 CONFIG_FLASHTOOLS=y
-CONFIG_GPG=y
+CONFIG_GPG2=y
 CONFIG_KEXEC=y
 CONFIG_UTIL_LINUX=y
 CONFIG_LVM2=y

diff --git a/boards/qemu-coreboot/qemu-coreboot.config b/boards/qemu-coreboot/qemu-coreboot.config
@@ -17,7 +17,7 @@ CONFIG_FLASHROM=y
 CONFIG_PCIUTILS=y
 CONFIG_UTIL_LINUX=y
 CONFIG_CRYPTSETUP=y
-CONFIG_GPG=y
+CONFIG_GPG2=y
 CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
 CONFIG_DROPBEAR=y

diff --git a/boards/qemu-linuxboot/qemu-linuxboot.config b/boards/qemu-linuxboot/qemu-linuxboot.config
@@ -18,7 +18,7 @@ endif
 
 CONFIG_FLASHROM=y
 CONFIG_FLASHTOOLS=y
-CONFIG_GPG=y
+CONFIG_GPG2=y
 CONFIG_KEXEC=y
 CONFIG_UTIL_LINUX=y
 CONFIG_DROPBEAR=y

diff --git a/boards/x230/x230.config b/boards/x230/x230.config
@@ -6,7 +6,7 @@ CONFIG_LINUX_CONFIG=config/linux-x230.config
 CONFIG_CRYPTSETUP=y
 CONFIG_FLASHROM=y
 CONFIG_FLASHTOOLS=y
-CONFIG_GPG=y
+CONFIG_GPG2=y
 CONFIG_KEXEC=y
 CONFIG_UTIL_LINUX=y
 CONFIG_LVM2=y

diff --git a/config/linux-kgpe-d16.config b/config/linux-kgpe-d16.config
@@ -64,6 +64,7 @@ CONFIG_PCI_PRI=y
 # CONFIG_COREDUMP is not set
 CONFIG_NET=y
 CONFIG_PACKET=y
+CONFIG_UNIX=y
 CONFIG_INET=y
 CONFIG_SYN_COOKIES=y
 # CONFIG_INET_XFRM_MODE_TRANSPORT is not set

diff --git a/config/linux-librem13v2.config b/config/linux-librem13v2.config
@@ -63,6 +63,7 @@ CONFIG_PCI_PRI=y
 # CONFIG_COREDUMP is not set
 CONFIG_NET=y
 CONFIG_PACKET=y
+CONFIG_UNIX=y
 CONFIG_INET=y
 CONFIG_SYN_COOKIES=y
 # CONFIG_INET_XFRM_MODE_TRANSPORT is not set

diff --git a/config/linux-linuxboot.config b/config/linux-linuxboot.config
@@ -84,6 +84,7 @@ CONFIG_PCI_PRI=y
 CONFIG_IA32_EMULATION=y
 CONFIG_NET=y
 CONFIG_PACKET=y
+CONFIG_UNIX=y
 CONFIG_INET=y
 CONFIG_SYN_COOKIES=y
 # CONFIG_INET_XFRM_MODE_TRANSPORT is not set

diff --git a/config/linux-x230.config b/config/linux-x230.config
@@ -64,6 +64,7 @@ CONFIG_PCI_PRI=y
 # CONFIG_COREDUMP is not set
 CONFIG_NET=y
 CONFIG_PACKET=y
+CONFIG_UNIX=y
 CONFIG_INET=y
 CONFIG_SYN_COOKIES=y
 # CONFIG_INET_XFRM_MODE_TRANSPORT is not set

diff --git a/initrd/.ash_history b/initrd/.ash_history
@@ -1,14 +1,17 @@
-mount /dev/sda1 /boot
-mount -o remount,rw /boot
-rm /boot/kexec_*
-mount-usb
-mkdir -p /media/gpg_keys
-gpg --home=/media/gpg_keys --card-edit
-gpg --home=/media/gpg_keys --export --armor e@mail.address > /media/gpg_keys/public.key
-gpg --home=/media/gpg_keys --export-secret-keys --armor e@mail.address > /media/gpg_keys/private.key
-cbfs -o /media/coreboot.rom -a "heads/initrd/.gnupg/keys/public.key" -f /media/gpg_keys/public.key
-cbfs -o /media/coreboot.rom -a "heads/initrd/.gnupg/keys/private.key" -f /media/gpg_keys/private.key
-mount -o remount,ro /media
-flash.sh /media/coreboot.com
+#remove invalid kexec_* signed files
+mount /dev/sda1 /boot && mount -o remount,rw /boot && rm /boot/kexec* && mount -o remount,ro /boot
+#Generate keys from GPG smartcard: 
+mount-usb && gpg --home=/.gnupg/ --card-edit
+#Copy generated public key, private_subkey, trustdb and artifacts to external media for backup: 
+mount -o remount,rw /media && mkdir -p /media/gpg_keys; gpg --export-secret-keys --armor email@address.com > /media/gpg_keys/private.key && gpg --export --armor email@address.com  > /media/gpg_keys/public.key && gpg --export-ownertrust > /media/gpg_keys/otrust.txt && cp -r ./.gnupg/* /media/gpg_keys/ 2> /dev/null
+#Insert public key and trustdb export into reproducible rom:
+cbfs -o /media/coreboot.rom -a "heads/initrd/.gnupg/keys/public.key" -f /media/gpg_keys/public.key && cbfs -o /media/coreboot.rom -a "heads/initrd/.gnupg/keys/otrust.txt" -f /media/gpg_keys/otrust.txt
+#Flush changes to external media: 
+mount -o,remount ro /media
+#Flash modified reproducible rom with inserted public key and trustdb export from precedent step. Flushes actual rom's keys (-c: clean):
+flash.sh -c /media/coreboot.rom
+#Attest integrity of firmware as it is
+seal-totp
+#Verify Intel ME state:
 cbmem --console | grep '^ME'
 cbmem --console | less
diff --git a/initrd/.gnupg/gpg-agent.conf b/initrd/.gnupg/gpg-agent.conf
@@ -0,0 +1,3 @@
+scdaemon-program /bin/scdaemon
+pinentry-program /bin/pinentry-tty
+daemon
diff --git a/initrd/.gnupg/gpg.conf b/initrd/.gnupg/gpg.conf
@@ -0,0 +1 @@
+use-agent
diff --git a/initrd/bin/flash-gui.sh b/initrd/bin/flash-gui.sh
@@ -139,16 +139,22 @@ while true; do
 
           cat $PUBKEY | gpg --import
           cp $ROM /tmp/gpg-gui.rom
-          if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.gpg") then
-            cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.gpg"
+          if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.kbx") then
+            cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.kbx"
           fi
-          cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.gpg" -f /.gnupg/pubring.gpg
-
+          cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx
+
+          #TODO: Remove this? Not useful in GPG2
           if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/trustdb.gpg") then
             cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/trustdb.gpg"
           fi
           cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/trustdb.gpg" -f /.gnupg/trustdb.gpg
 
+          if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/otrust.txt") then
+            cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/otrust.txt"
+          fi
+          cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/otrust.txt" -f /.gnupg/otrust.txt
+
           if (whiptail --title 'Flash ROM?' \
               --yesno "This will replace your old ROM with $ROM\n\nDo you want to proceed?" 16 90) then
             /bin/flash.sh /tmp/gpg-gui.rom
@@ -180,10 +186,10 @@ while true; do
           fi
 
           cat $PUBKEY | gpg --import
-          if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.gpg") then
-            cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.gpg"
+          if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.kbx") then
+            cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.kbx"
           fi
-          cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.gpg" -f /.gnupg/pubring.gpg
+          cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx
 
           if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/trustdb.gpg") then
             cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/trustdb.gpg"