config-gui.sh: Reword Restricted Boot prompts

Simplify "enable" prompt a bit, clarify that firmware updating is blocked, and remove mention of "failsafe boot mode". Reword "disable" prompt similarly. Signed-off-by: Jonathon Hall <[email protected]>
linuxboot · Jul 11, 2023 · 718be73 · 718be73
1 parent 61609ff
commit 718be73
Showing 1 changed file with 13 additions and 11 deletions.
diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh
@@ -318,12 +318,15 @@ while true; do
     "L" )
       if [ "$CONFIG_RESTRICTED_BOOT" != "y" ]; then
         if (whiptail --title 'Enable Restricted Boot Mode?' \
-             --yesno "This will disable booting from any unsigned files,
-                    \nincluding kernels that have not yet been signed,
-                    \n.isos without signatures, raw USB disks,
-                    \nand will disable failsafe boot mode.
-                    \n\nThis will also disable the recovery console.
-                    \n\nDo you want to proceed?" 0 80) then
+             --yesno "Restricted Boot allows booting:
+                    \n* Signed installed OS
+                    \n* Signed ISOs from USB
+                    \nAll other boot methods are blocked.  Recovery console and firmware updates
+                    \nwill be blocked.
+                    \nRestricted boot can be disabled at any time.  This resets TOTP/HOTP so it
+                    \nis evident that Restricted Boot was disabled.
+                    \n
+                    \nDo you want to proceed?" 0 80) then
 
           set_user_config "CONFIG_RESTRICTED_BOOT" "y"
 
@@ -333,11 +336,10 @@ while true; do
         fi
       else
         if (whiptail --title 'Disable Restricted Boot Mode?' \
-             --yesno "This will allow booting from unsigned devices,
-                    \nand will re-enable failsafe boot mode.
-                    \n\nThis will also erase the TOTP/HOTP secret and
-                    \nre-enable the recovery console.
-                    \n\nProceeding will automatically update the boot firmware and reboot!
+             --yesno "This will re-enable all boot methods, the recovery console, and firmware
+                    \nupdates.
+                    \nThis will also erase the TOTP/HOTP secret.
+                    \nProceeding will automatically update the boot firmware and reboot!
                     \n\nDo you want to proceed?" 0 80) then
 
           # Wipe the TPM TOTP/HOTP secret before flashing.  Otherwise, enabling