From 718be739eb65d5f5bf7ab0e93d3e1b327d28f02d Mon Sep 17 00:00:00 2001
From: Jonathon Hall
Date: Tue, 11 Jul 2023 15:58:57 -0400
Subject: [PATCH] config-gui.sh: Reword Restricted Boot prompts

Simplify "enable" prompt a bit, clarify that firmware updating is blocked, and remove mention of "failsafe boot mode". Reword "disable" prompt similarly.

Signed-off-by: Jonathon Hall
---
 initrd/bin/config-gui.sh | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh
index 034aeb29a..673629bc0 100755
--- a/initrd/bin/config-gui.sh
+++ b/initrd/bin/config-gui.sh
@@ -318,12 +318,15 @@ while true; do
 "L" )
 if [ "$CONFIG_RESTRICTED_BOOT" != "y" ]; then
 if (whiptail --title 'Enable Restricted Boot Mode?' \
- --yesno "This will disable booting from any unsigned files,
- \nincluding kernels that have not yet been signed,
- \n.isos without signatures, raw USB disks,
- \nand will disable failsafe boot mode.
- \n\nThis will also disable the recovery console.
- \n\nDo you want to proceed?" 0 80) then
+ --yesno "Restricted Boot allows booting:
+ \n* Signed installed OS
+ \n* Signed ISOs from USB
+ \nAll other boot methods are blocked. Recovery console and firmware updates
+ \nwill be blocked.
+ \nRestricted boot can be disabled at any time. This resets TOTP/HOTP so it
+ \nis evident that Restricted Boot was disabled.
+ \n
+ \nDo you want to proceed?" 0 80) then
 set_user_config "CONFIG_RESTRICTED_BOOT" "y"
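Review bot: In the enable prompt, `This resets TOTP/HOTP` has no clear antecedent, and the same sentence writes `Restricted boot` where the rest of the dialog uses `Restricted Boot`. The enable prompt also omits that disabling reflashes the firmware and reboots, which only the disable dialog states. Wording such as `\nRestricted Boot can be disabled at any time. Disabling it erases the TOTP/HOTP` / `\nsecret, reflashes the firmware and reboots, so it is evident that it was disabled.` would state the full cost before the user opts in. In the second hunk (disable prompt) the reflash-and-reboot warning lost the `\n\n` that used to set it apart; keeping `\n\nProceeding will automatically update the boot firmware and reboot!` makes the disruptive step stand out from the surrounding sentences. Both dialogs sit in a `"L" )` case arm whose body continues outside the hunks.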
@@ -333,11 +336,10 @@ while true; do
 fi
 else
 if (whiptail --title 'Disable Restricted Boot Mode?' \
- --yesno "This will allow booting from unsigned devices,
- \nand will re-enable failsafe boot mode.
- \n\nThis will also erase the TOTP/HOTP secret and
- \nre-enable the recovery console.
- \n\nProceeding will automatically update the boot firmware and reboot!
+ --yesno "This will re-enable all boot methods, the recovery console, and firmware
+ \nupdates.
+ \nThis will also erase the TOTP/HOTP secret.
+ \nProceeding will automatically update the boot firmware and reboot!
 \n\nDo you want to proceed?" 0 80) then
 # Wipe the TPM TOTP/HOTP secret before flashing. Otherwise, enabling