Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OEM factory reset #606

Merged
merged 5 commits into from
Aug 23, 2019
Merged

OEM factory reset #606

merged 5 commits into from
Aug 23, 2019

Conversation

MrChromebox
Copy link
Contributor

Add an improved OEM Factory reset function, which erases/resets the TPM and GPG security token, generates a new GPG key, signs the files in /boot and sets the default boot device / boot selection.

Add a new item in the main options menu for it, and remove the existing GPG reset function since it is superseded by this.

Add a function to detect a clean boot situation, and prompt the user to run the OEM factory reset.

@MrChromebox
etc/function: add detect_boot_device()
4f54a97 
Add function to detect boot device. Start by checking
CONFIG_BOOT_DEV, then iterate thru all bootable partitions.
Check if partition is mountable, contains grub directory.

Update CONFIG_BOOT_DEV and mount on /boot if successful.

Signed-off-by: Matt DeVillier <[email protected]>
@MrChromebox
initrd/bin: add OEM Factory Reset
f067d9a 
Add oem-factory-reset script which performs an unattended
reset and configuration of the device's TPM, GPG security token,
and boot device / boot selection.

Signed-off-by: Matt DeVillier <[email protected]>
@MrChromebox
gui-init: add OEM Factory Reset to options menu
d8bcc7b 
Add an OEM Factory Reset menu option, which performs an
unattended reset and configuration of the device's TPM,
GPG security token, and boot device / boot selection.

Signed-off-by: Matt DeVillier <[email protected]>
@MrChromebox
gpg-gui: remove OEM factory reset option
ba23fb7 
superseded by newer version in main options menu

Signed-off-by: Matt DeVillier <[email protected]>
@MrChromebox
gui-init: add clean boot check
aab9004 
Add a check to determine if first boot after flashing a cleaned
ROM, and prompt user to run the OEM Factory Reset if so

Signed-off-by: Matt DeVillier <[email protected]>
@tlaurion
Copy link
Collaborator

tlaurion commented Aug 23, 2019
edited
Loading

Are we redoing piece by piece what was already done in #551?

@kylerankin
Copy link
Collaborator

In this case the existing automated OEM reset wizard in the GPG menu still required a lot of intervention and prompts that weren't necessary so this PR removed the remaining prompts to make it completely non-interactive. Because it did more than just reset GPG (it also needed to re-sign files in /boot etc) it made more sense to move it up one menu as it impacted more than GPG. Other than that from my reading this is just a simplified and further automated form of what was already merged in a few months ago.

@kylerankin
Copy link
Collaborator

I've tested this and it's much improved over the previous automated GPG reset function I wrote and handles edge cases better while also not bothering the user w/ unnecessary prompts. Merging.

@kylerankin kylerankin merged commit b7f2249 into linuxboot:master Aug 23, 2019
@MrChromebox MrChromebox deleted the oem-factory-reset branch August 26, 2019 19:13
@alex-nitrokey alex-nitrokey mentioned this pull request Dec 19, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@MrChromebox @tlaurion @kylerankin