2023-02-08 21:01:48 +00:00
|
|
|
#!/bin/bash
|
2020-06-11 15:04:03 +00:00
|
|
|
# Retrieve the sealed TOTP secret and initialize a USB Security dongle with it
|
2018-06-19 19:27:27 +00:00
|
|
|
|
|
|
|
. /etc/functions
|
|
|
|
|
|
|
|
HOTP_SECRET="/tmp/secret/hotp.key"
|
|
|
|
HOTP_COUNTER="/boot/kexec_hotp_counter"
|
2020-06-24 14:11:41 +00:00
|
|
|
HOTP_KEY="/boot/kexec_hotp_key"
|
|
|
|
|
2018-06-19 19:27:27 +00:00
|
|
|
mount_boot()
|
|
|
|
{
|
2023-02-20 16:01:17 +00:00
|
|
|
TRACE "Under /bin/seal-htopkey:mount_boot"
|
2018-06-19 19:27:27 +00:00
|
|
|
# Mount local disk if it is not already mounted
|
|
|
|
if ! grep -q /boot /proc/mounts ; then
|
|
|
|
mount -o ro /boot \
|
|
|
|
|| recovery "Unable to mount /boot"
|
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
2023-02-20 16:01:17 +00:00
|
|
|
TRACE "Under /bin/seal-hotpkey"
|
2023-02-18 17:58:43 +00:00
|
|
|
|
2020-06-24 15:40:49 +00:00
|
|
|
# Use stored HOTP key branding (this might be useful after OEM reset)
|
|
|
|
if [ -r /boot/kexec_hotp_key ]; then
|
2020-06-24 16:12:56 +00:00
|
|
|
HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)"
|
2020-06-24 15:40:49 +00:00
|
|
|
else
|
2020-06-24 16:12:56 +00:00
|
|
|
HOTPKEY_BRANDING="HOTP USB Security Dongle"
|
2020-06-24 15:40:49 +00:00
|
|
|
fi
|
|
|
|
|
2023-02-28 18:36:11 +00:00
|
|
|
if [ "$CONFIG_TPM" = "y" ]; then
|
|
|
|
tpmr unseal 4d47 sha256:0,1,2,3,4,7 312 "$HOTP_SECRET" \
|
2022-08-25 18:43:31 +00:00
|
|
|
|| die "Unable to unseal HOTP secret"
|
|
|
|
fi
|
|
|
|
|
2018-06-20 16:20:39 +00:00
|
|
|
# Store counter in file instead of TPM for now, as it conflicts with Heads
|
|
|
|
# config TPM counter as TPM 1.2 can only increment one counter between reboots
|
2018-06-19 19:27:27 +00:00
|
|
|
# get current value of HOTP counter in TPM, create if absent
|
|
|
|
mount_boot
|
|
|
|
|
2018-06-20 16:20:39 +00:00
|
|
|
#check_tpm_counter $HOTP_COUNTER hotp \
|
|
|
|
#|| die "Unable to find/create TPM counter"
|
|
|
|
#counter="$TPM_COUNTER"
|
|
|
|
#
|
|
|
|
#counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")')
|
|
|
|
#if [ "$counter_value" == "" ]; then
|
|
|
|
# die "Unable to read HOTP counter"
|
|
|
|
#fi
|
2018-06-19 19:27:27 +00:00
|
|
|
|
2018-06-20 16:20:39 +00:00
|
|
|
#counter_value=$(printf "%d" 0x${counter_value})
|
2018-06-19 19:27:27 +00:00
|
|
|
|
2018-06-20 16:20:39 +00:00
|
|
|
counter_value=1
|
2018-06-19 19:27:27 +00:00
|
|
|
|
|
|
|
enable_usb
|
2020-06-25 13:35:47 +00:00
|
|
|
if ! hotp_verification info ; then
|
2020-06-24 16:12:56 +00:00
|
|
|
echo "Insert your $HOTPKEY_BRANDING and press Enter to configure it"
|
2018-06-19 19:27:27 +00:00
|
|
|
read
|
2020-06-25 13:35:47 +00:00
|
|
|
if ! hotp_verification info ; then
|
2019-05-24 16:50:27 +00:00
|
|
|
# don't leak key on failure
|
|
|
|
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
|
2020-06-24 16:12:56 +00:00
|
|
|
die "Unable to find $HOTPKEY_BRANDING"
|
2019-05-24 16:50:27 +00:00
|
|
|
fi
|
2018-06-19 19:27:27 +00:00
|
|
|
fi
|
|
|
|
|
2020-06-24 15:54:39 +00:00
|
|
|
# Set HOTP USB Security Dongle branding based on VID
|
2020-07-24 05:11:33 +00:00
|
|
|
if lsusb | grep -q "20a0:" ; then
|
2020-06-24 16:12:56 +00:00
|
|
|
HOTPKEY_BRANDING="Nitrokey"
|
2020-07-24 05:11:33 +00:00
|
|
|
elif lsusb | grep -q "316d:" ; then
|
2020-06-24 16:12:56 +00:00
|
|
|
HOTPKEY_BRANDING="Librem Key"
|
2020-06-24 15:40:49 +00:00
|
|
|
else
|
2020-06-24 16:12:56 +00:00
|
|
|
HOTPKEY_BRANDING="HOTP USB Security Dongle"
|
2020-06-24 15:40:49 +00:00
|
|
|
fi
|
2020-06-24 14:11:41 +00:00
|
|
|
|
2019-06-29 04:26:20 +00:00
|
|
|
echo -e ""
|
2020-06-24 16:12:56 +00:00
|
|
|
read -s -p "Enter your $HOTPKEY_BRANDING Admin PIN: " admin_pin
|
2019-06-29 04:26:20 +00:00
|
|
|
echo -e "\n"
|
2018-06-19 19:27:27 +00:00
|
|
|
|
2020-07-15 07:35:47 +00:00
|
|
|
hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING"
|
2018-06-19 19:27:27 +00:00
|
|
|
if [ $? -ne 0 ]; then
|
2019-06-29 04:26:20 +00:00
|
|
|
echo -e "\n"
|
|
|
|
read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again: " admin_pin
|
|
|
|
echo -e "\n"
|
2020-07-15 07:35:47 +00:00
|
|
|
if ! hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" ; then
|
2019-05-24 16:50:27 +00:00
|
|
|
# don't leak key on failure
|
|
|
|
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
|
|
|
|
die "Setting HOTP secret failed"
|
|
|
|
fi
|
2018-06-19 19:27:27 +00:00
|
|
|
fi
|
|
|
|
|
2019-05-24 16:50:27 +00:00
|
|
|
# HOTP key no longer needed
|
|
|
|
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
|
2018-06-19 19:27:27 +00:00
|
|
|
|
|
|
|
# Make sure our counter is incremented ahead of the next check
|
2018-06-20 16:20:39 +00:00
|
|
|
#increment_tpm_counter $counter > /dev/null \
|
|
|
|
#|| die "Unable to increment tpm counter"
|
|
|
|
#increment_tpm_counter $counter > /dev/null \
|
|
|
|
#|| die "Unable to increment tpm counter"
|
2018-06-19 19:27:27 +00:00
|
|
|
|
|
|
|
mount -o remount,rw /boot
|
2018-06-20 16:20:39 +00:00
|
|
|
|
|
|
|
counter_value=`expr $counter_value + 1`
|
|
|
|
echo $counter_value > $HOTP_COUNTER \
|
2018-06-19 19:27:27 +00:00
|
|
|
|| die "Unable to create hotp counter file"
|
2018-06-20 16:20:39 +00:00
|
|
|
|
2020-06-24 15:54:39 +00:00
|
|
|
# Store/overwrite HOTP USB Security Dongle branding found out beforehand
|
2020-06-24 16:12:56 +00:00
|
|
|
echo $HOTPKEY_BRANDING > $HOTP_KEY \
|
2020-06-24 15:40:49 +00:00
|
|
|
|| die "Unable to store hotp key file"
|
|
|
|
|
2018-06-20 16:20:39 +00:00
|
|
|
#sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
|
|
|
|
#|| die "Unable to create hotp counter file"
|
2018-06-19 19:27:27 +00:00
|
|
|
mount -o remount,ro /boot
|
|
|
|
|
2020-06-24 16:12:56 +00:00
|
|
|
echo -e "\n$HOTPKEY_BRANDING initialized successfully. Press Enter to continue."
|
2018-06-19 19:27:27 +00:00
|
|
|
read
|
|
|
|
|
|
|
|
exit 0
|