add locking to web install proof of concept

2021-01-05 08:57:15 -05:00 · 2021-01-05 08:57:15 -05:00 · ebfef1f23b
commit ebfef1f23b
parent b11fbbcf0f
2 changed files with 41 additions and 0 deletions
--- a/static/js/web-install.js
+++ b/static/js/web-install.js
@ -28,6 +28,20 @@ async function unlockBootloader() {
    await fastboot.receive();
 }

+async function lockBootloader() {
+    const webusb = await Adb.open("WebUSB");
+
+    if (!webusb.isFastboot()) {
+        console.log("error: not in fastboot mode");
+    }
+
+    console.log("connecting with fastboot");
+
+    const fastboot = await webusb.connectFastboot();
+    await fastboot.send("flashing lock");
+    await fastboot.receive();
+}
+
 if ("usb" in navigator) {
    console.log("WebUSB available");

@ -38,6 +52,10 @@ if ("usb" in navigator) {
    const unlockBootloaderButton = document.getElementById("unlock-bootloader");
    unlockBootloaderButton.disabled = false;
    unlockBootloaderButton.onclick = unlockBootloader;
+
+    const lockBootloaderButton = document.getElementById("lock-bootloader");
+    lockBootloaderButton.disabled = false;
+    lockBootloaderButton.onclick = lockBootloader;
 } else {
    console.log("WebUSB unavailable");
 }
--- a/static/web-install.html
+++ b/static/web-install.html
@ -138,6 +138,29 @@
                of the volume keys to switch the selection to accepting it and the power button to
                confirm.</p>
            </section>
+
+            <section>
+                <h2>Incomplete</h2>
+            </section>
+
+            <section id="locking-the-bootloader">
+                <h2><a href="#locking-the-bootloader">Locking the bootloader</a></h2>
+
+                <p>Locking the bootloader is important as it enables full verified boot. It also
+                prevents using fastboot to flash, format or erase partitions.  Verified boot will
+                detect modifications to any of the OS partitions and it will prevent reading any
+                modified / corrupted data. If changes are detected, error correction data is used
+                to attempt to obtain the original data at which point it's verified again which
+                makes verified boot robust to non-malicious corruption.</p>
+
+                <p>In the bootloader interface, set it to locked:</p>
+
+                <button id="lock-bootloader" disabled="disabled">Lock bootloader</button>
+
+                <p>The command needs to be confirmed on the device and will wipe all data. Use one
+                of the volume buttons to switch the selection to accepting it and the power button
+                to confirm.</p>
+            </section>
        </main>
        <footer>
            <a href="/"><img src="/logo.png" width="512" height="512" alt=""/>GrapheneOS</a>