Improve startup user experience #123

Closed
mfc opened this issue Mar 2, 2017 · 4 comments

@mfc

mfc commented Mar 2, 2017

currently, to boot your operating system (Qubes) with Heads:

  1. turn on machine
  2. read & confirm OTP code
  3. type start-xen (not ./start-xen)
  4. type kexec -e

instead, the process should be:

  1. turn on machine
  2. read & confirm OTP code
  3. press Enter

with dropping into the prompt requiring pressing ESC or similar.

@osresearch
Collaborator

Possible reasons to drop to the shell:

  • No /boot partition
  • No /boot/boot.sh script
  • Failed signatures
  • kexec failure

Things that we need to streamline:

  • TPM counter based version checking
  • TPM keys and dom0 initrd
  • PCR values for known good builds
  • PCR updates after reading the TOTP and before starting Xen

@osresearch osresearch changed the title [UX] Improve user experience Improve startup user experience Mar 2, 2017
osresearch pushed a commit that referenced this issue Mar 31, 2017
This addresses multiple issues:

* Issue #63: initrd is built fresh each time, so tracked files do not matter.
* Issue #144: build time configuration
* Issue #123: allows us to customize the startup experience
* Issue #122: manual start-xen will go away
* Issue #25: tpmtotp PCRs are updated after reading the secret
* Issue #16: insmod now measures modules
@osresearch
Collaborator

Reopening since we haven't actually implemented the startup scripts for Qubes in the new configurable build. All the pieces are there, just need to make them happen.

@osresearch osresearch reopened this Mar 31, 2017
@osresearch osresearch added this to the usability milestone Apr 3, 2017
osresearch added a commit that referenced this issue Apr 3, 2017
This also adds a set of files in the qubes/ directory that
are meant to be copied to the /boot partition.

Issue #154: for ease of upgrading Qubes, the script should
live on /boot instead of in the ROM.  This requires a GPG
signature on the startup script to avoid attacks by modifying
the boot script.

Issue #123: this streamlines the boot process for Qubes, although
the disk password is still not passed in correctly to the initrd
(issue #29).

This does not address issues #110 of how to find the root device.
The best approach is probably disk labels, which will require
special installation instructions.
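
The fallback cases listed earlier in the thread (no /boot, no boot script, failed signature, kexec failure) combined with the signed /boot script from the commit message above, as an added shell example that is not code from the Heads repository. The function name `run_signed_boot`, the `boot.sh.asc` signature name, `VERIFY_CMD`, the keyring path, and the convention that `boot.sh` exits non-zero when loading the kernel fails are all assumptions.

```shell
#!/bin/sh
# Added example, not Heads' own code. File names, the keyring path and
# VERIFY_CMD are assumptions made for illustration.

# Detached-signature check, invoked as: $VERIFY_CMD <sigfile> <datafile>
# gpgv trusts only the keyring it is given; the path is a placeholder.
: "${VERIFY_CMD:=gpgv --keyring /etc/trusted-boot-keys.gpg}"

# Prints "ok" or "shell:<reason>"; returns non-zero whenever the caller
# should drop to the recovery shell instead of booting.
run_signed_boot() {
    boot_dir=$1
    [ -d "$boot_dir" ] || { echo "shell:no-boot-partition"; return 1; }
    [ -f "$boot_dir/boot.sh" ] || { echo "shell:no-boot-script"; return 1; }

    # Copy first so the bytes that are verified are the bytes that run.
    work=$(mktemp -d) || { echo "shell:no-tmpdir"; return 1; }
    cp "$boot_dir/boot.sh" "$work/boot.sh"
    # A missing signature is treated exactly like a bad one (fail closed).
    if ! cp "$boot_dir/boot.sh.asc" "$work/boot.sh.asc" 2>/dev/null ||
       ! $VERIFY_CMD "$work/boot.sh.asc" "$work/boot.sh" >/dev/null 2>&1; then
        rm -rf "$work"
        echo "shell:bad-signature"
        return 1
    fi

    # Assumption: boot.sh exits non-zero if loading the kernel fails.
    if ! sh "$work/boot.sh" >/dev/null 2>&1; then
        rm -rf "$work"
        echo "shell:kexec-failed"
        return 1
    fi
    rm -rf "$work"
    echo "ok"
}
```

Every path that does not print `ok` ends at the recovery shell, so a script that was edited on /boot without being re-signed is never executed.
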
@osresearch
Collaborator

The startup is almost seamless, although quite verbose. The last remaining issue is #29 which might need a systemd fix unless we figure out how to properly generate the /etc/crypttab file in the Qubes' initrd image. Currently it does not have all of the partitions listed.

osresearch added a commit that referenced this issue Apr 3, 2017
Issue #123: This streamlines the Qubes startup experience by
making it possible to have a single-password decryption.

Issue #29: The disk keys in `/secret.key` are passed to the systemd
in initramfs through `/etc/crypttab`, which is generated on each boot.
This is slow; need to look at alternate ways.

Issue #110: By using LVM instead of partitions it is now
possible to find the root filesystem in a consistent way.

Issue #80: LVM is now included in the ROM.
@osresearch
Collaborator

On a configured and sealed system the startup is greatly improved. It is possible to boot all the way into Qubes' login screen with just the disk unlock code.

tlaurion pushed a commit to tlaurion/heads that referenced this issue May 3, 2024
Catch PermissionError for /var/lock/