ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-18 20:47:55 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
fa0f90cbec
heads/initrd/bin/seal-hotpkey

181 lines
6.1 KiB
Plaintext
Raw Normal View History

Add dual support for real bash and busybox's bash(ash) - modify bash to have it configured with -Os
2023-02-08 21:01:48 +00:00
#!/bin/bash
oem-factory-reset seal-hotpkey: unify prompts and vocabulary oem-factory-reset: bugfix, keytocard inverts prompts. First is keyring then smartcard. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-10-30 15:37:31 +00:00
# Retrieve the sealed TOTP secret and initialize a USB Security Dongle with it
Add Librem Key support to Heads The Librem Key is a custom device USB-based security token Nitrokey is producing for Purism and among other things it has custom firmware created for use with Heads. In particular, when a board is configured with CONFIG_LIBREMKEY, this custom firmware allows Heads to use the sealed TOTP secret to also send an HOTP authentication to the Librem Key. If the HOTP code is successful, the Librem Key will blink a green LED, if unsuccessful it will blink red, thereby informing the user that Heads has been tampered with without requiring them to use a phone to validate the TOTP secret. Heads will still use and show the TOTP secret, in case the user wants to validate both codes (in case the Librem Key was lost or is no longer trusted). It will also show the result of the HOTP verification (but not the code itself), even though the user should trust only what the Librem Key displays, so the user can confirm that both the device and Heads are in sync. If HOTP is enabled, Heads will maintain a new TPM counter separate from the Heads TPM counter that will increment each time HOTP codes are checked. This change also modifies the routines that update TOTP so that if the Librem Key executables are present it will also update HOTP codes and synchronize them with a Librem Key.
2018-06-19 19:27:27 +00:00
. /etc/functions
Add functions to handle normal, warning, and error for whiptail and fbwhiptail. Signed-off-by: Matthew Drobnak <matthew@drobnak.com>
2024-06-06 22:59:13 +00:00
. /etc/gui_functions
Add Librem Key support to Heads The Librem Key is a custom device USB-based security token Nitrokey is producing for Purism and among other things it has custom firmware created for use with Heads. In particular, when a board is configured with CONFIG_LIBREMKEY, this custom firmware allows Heads to use the sealed TOTP secret to also send an HOTP authentication to the Librem Key. If the HOTP code is successful, the Librem Key will blink a green LED, if unsuccessful it will blink red, thereby informing the user that Heads has been tampered with without requiring them to use a phone to validate the TOTP secret. Heads will still use and show the TOTP secret, in case the user wants to validate both codes (in case the Librem Key was lost or is no longer trusted). It will also show the result of the HOTP verification (but not the code itself), even though the user should trust only what the Librem Key displays, so the user can confirm that both the device and Heads are in sync. If HOTP is enabled, Heads will maintain a new TPM counter separate from the Heads TPM counter that will increment each time HOTP codes are checked. This change also modifies the routines that update TOTP so that if the Librem Key executables are present it will also update HOTP codes and synchronize them with a Librem Key.
2018-06-19 19:27:27 +00:00
HOTP_SECRET="/tmp/secret/hotp.key"
HOTP_COUNTER="/boot/kexec_hotp_counter"
Prepare usage of /boot/kexec_hotp_key as branding
2020-06-24 14:11:41 +00:00
HOTP_KEY="/boot/kexec_hotp_key"
Add Librem Key support to Heads The Librem Key is a custom device USB-based security token Nitrokey is producing for Purism and among other things it has custom firmware created for use with Heads. In particular, when a board is configured with CONFIG_LIBREMKEY, this custom firmware allows Heads to use the sealed TOTP secret to also send an HOTP authentication to the Librem Key. If the HOTP code is successful, the Librem Key will blink a green LED, if unsuccessful it will blink red, thereby informing the user that Heads has been tampered with without requiring them to use a phone to validate the TOTP secret. Heads will still use and show the TOTP secret, in case the user wants to validate both codes (in case the Librem Key was lost or is no longer trusted). It will also show the result of the HOTP verification (but not the code itself), even though the user should trust only what the Librem Key displays, so the user can confirm that both the device and Heads are in sync. If HOTP is enabled, Heads will maintain a new TPM counter separate from the Heads TPM counter that will increment each time HOTP codes are checked. This change also modifies the routines that update TOTP so that if the Librem Key executables are present it will also update HOTP codes and synchronize them with a Librem Key.
2018-06-19 19:27:27 +00:00
mount_boot()
{
all scripts: replace TRACE manual strings with dynamic tracing by bash debug Exception: scripts sourcing/calls within etc/ash_functions continues to use old TRACE functions until we switch to bash completely getting rid of ash. This would mean getting rid of legacy boards (flash + legacy boards which do not have enough space for bash in flash boards) once and for all. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-02-01 19:30:31 +00:00
TRACE_FUNC
Add Librem Key support to Heads The Librem Key is a custom device USB-based security token Nitrokey is producing for Purism and among other things it has custom firmware created for use with Heads. In particular, when a board is configured with CONFIG_LIBREMKEY, this custom firmware allows Heads to use the sealed TOTP secret to also send an HOTP authentication to the Librem Key. If the HOTP code is successful, the Librem Key will blink a green LED, if unsuccessful it will blink red, thereby informing the user that Heads has been tampered with without requiring them to use a phone to validate the TOTP secret. Heads will still use and show the TOTP secret, in case the user wants to validate both codes (in case the Librem Key was lost or is no longer trusted). It will also show the result of the HOTP verification (but not the code itself), even though the user should trust only what the Librem Key displays, so the user can confirm that both the device and Heads are in sync. If HOTP is enabled, Heads will maintain a new TPM counter separate from the Heads TPM counter that will increment each time HOTP codes are checked. This change also modifies the routines that update TOTP so that if the Librem Key executables are present it will also update HOTP codes and synchronize them with a Librem Key.
2018-06-19 19:27:27 +00:00
# Mount local disk if it is not already mounted
initrd/bin/seal-hotpkey: Show error if /boot can't be mounted If we can't mount /boot, show a meaningful error rather than dropping to a recovery shell. Dropping to a recovery shell should be a last resort. Users that know how to use the recovery shell know how to get there. Users that don't know how to use it can be completely stuck and may not know how to get back to the menu or even how to turn off the device. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-08 20:41:59 +00:00
if ! grep -q /boot /proc/mounts; then
if ! mount -o ro /boot; then
Add functions to handle normal, warning, and error for whiptail and fbwhiptail. Signed-off-by: Matthew Drobnak <matthew@drobnak.com>
2024-06-06 22:59:13 +00:00
whiptail_error --title 'ERROR' \
initrd/bin/seal-hotpkey: Show error if /boot can't be mounted If we can't mount /boot, show a meaningful error rather than dropping to a recovery shell. Dropping to a recovery shell should be a last resort. Users that know how to use the recovery shell know how to get there. Users that don't know how to use it can be completely stuck and may not know how to get back to the menu or even how to turn off the device. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-08 20:41:59 +00:00
--msgbox "Couldn't mount /boot.\n\nCheck the /boot device in configuration settings, or perform an OEM reset." 0 80
return 1
fi
Add Librem Key support to Heads The Librem Key is a custom device USB-based security token Nitrokey is producing for Purism and among other things it has custom firmware created for use with Heads. In particular, when a board is configured with CONFIG_LIBREMKEY, this custom firmware allows Heads to use the sealed TOTP secret to also send an HOTP authentication to the Librem Key. If the HOTP code is successful, the Librem Key will blink a green LED, if unsuccessful it will blink red, thereby informing the user that Heads has been tampered with without requiring them to use a phone to validate the TOTP secret. Heads will still use and show the TOTP secret, in case the user wants to validate both codes (in case the Librem Key was lost or is no longer trusted). It will also show the result of the HOTP verification (but not the code itself), even though the user should trust only what the Librem Key displays, so the user can confirm that both the device and Heads are in sync. If HOTP is enabled, Heads will maintain a new TPM counter separate from the Heads TPM counter that will increment each time HOTP codes are checked. This change also modifies the routines that update TOTP so that if the Librem Key executables are present it will also update HOTP codes and synchronize them with a Librem Key.
2018-06-19 19:27:27 +00:00
fi
}
all scripts: replace TRACE manual strings with dynamic tracing by bash debug Exception: scripts sourcing/calls within etc/ash_functions continues to use old TRACE functions until we switch to bash completely getting rid of ash. This would mean getting rid of legacy boards (flash + legacy boards which do not have enough space for bash in flash boards) once and for all. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-02-01 19:30:31 +00:00
TRACE_FUNC
All scripts and functions: Add DEBUG calling trace on console when CONFIG_DEBUG_OUTPUT is exported in board config -qemu-coreboot-*whiptail-tpm1(-hotp) boards have 'export CONFIG_DEBUG_OUTPUT=y' by default now
2023-02-18 17:58:43 +00:00
gui-init/seal-libremkey: reduce friction when generating new secret Reduce friction when generating a new TOTP/HOTP secret by eliminating an unnecessary 'press enter to continue' prompt following QR code generation, and by attempting to use the default admin PIN set by the OEM factory reset function. Fall back to prompting the user if the default PIN fails. Also, ensure error messages are visible to users before being returned back to the GUI menu from which they came by wrapping existing calls to die() Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-21 20:40:36 +00:00
fatal_error()
{
echo -e "\nERROR: ${1}; press Enter to continue."
read
oem-factory-reset + seal-hotpkey: Give debug output to underatand in what state is the USB Security dongle Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-19 18:30:55 +00:00
# get lsusb output for debugging
DEBUG "lsusb output: $(lsusb)"
gui-init/seal-libremkey: reduce friction when generating new secret Reduce friction when generating a new TOTP/HOTP secret by eliminating an unnecessary 'press enter to continue' prompt following QR code generation, and by attempting to use the default admin PIN set by the OEM factory reset function. Fall back to prompting the user if the default PIN fails. Also, ensure error messages are visible to users before being returned back to the GUI menu from which they came by wrapping existing calls to die() Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-21 20:40:36 +00:00
die "$1"
}
Store HOTP USB Security Key branding in /boot
2020-06-24 15:40:49 +00:00
# Use stored HOTP key branding (this might be useful after OEM reset)
if [ -r /boot/kexec_hotp_key ]; then
Rename CONFIG_HOTP_BRANDING to HOTP_BRANDING reason: it not a config option anymore
2020-06-24 16:12:56 +00:00
HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)"
Store HOTP USB Security Key branding in /boot
2020-06-24 15:40:49 +00:00
else
Rename CONFIG_HOTP_BRANDING to HOTP_BRANDING reason: it not a config option anymore
2020-06-24 16:12:56 +00:00
HOTPKEY_BRANDING="HOTP USB Security Dongle"
Store HOTP USB Security Key branding in /boot
2020-06-24 15:40:49 +00:00
fi
tpmr: Wrap TPM1 and TPM2 unseal actions so scripts can invoke either Provide tpmr unseal to unseal a file with TPM1 or TPM2. For TPM1, it wraps tpm nv_readvalue and tpm unsealfile. For TPM2, it wraps tpm2 unseal. kexec-unseal-key, seal-hotpkey, unseal-hotp, and unseal-totp no longer need to differentiate TPM1/TPM2. Fixes spurious shred errors on TPM2 that only apply to TPM1 (temporary sealed secret file and shred are now internal to tpmr). Fixes TPM1 disk unlock key unsealing due to logic errors relating to exit status of tpmr unseal or tpm unsealfile (now always uses status of tpmr unseal). Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-02-28 18:36:11 +00:00
if [ "$CONFIG_TPM" = "y" ]; then
Small cosmetic/typo related changes, ccache enablement for coreboot and reduction of unseal attempts gui-init: do not consume two unseal attempt to unseal both totp and hotp + cosmetic changes (slow down TPM DA lockout) kexec-seal-key: Add DEBUG statement for PCR precalc seal-totp: add DEBUG statements regarding skipping of PCR5 and PCR6 involvement into TOTP/HOTP sealing ops seal-hotpkey: Add DEBUG statements related to reuse of TOTP sealed secret tpmr: add DO_WITH_DEBUG calls to output pcrread and extend calls tpmr: typo correction stating TRACE calls for tpm2 where it was for tpm1 tpmr: add DO_WITH_DEBUG calls for calcfuturepcr functions: Cosmetic fix on pause_recovery asking user to press Enter to go to recovery shell on host console when board defines CONFIG_BOOT_RECOVERY_SERIAL Not so related but part of output review and corrections: kexec-insert-key: cosmetic changes prepending "+++" to disk related changes kexec-save-default: cosmetic changes prepending "+++" to disk related changes config/coreboot-qemu-tpm*.config: add ccache support for faster coreboot rebuild times
2023-03-09 18:28:04 +00:00
DEBUG "Sealing HOTP secret reuses TOTP sealed secret..."
seal-totp, kexec-seal-key: Use common logic for TPM1 and TPM2 Provide tpmr commands pcrread, pcrsize, calcfuturepcr, and seal for both TPM1 and TPM2. Combine seal logic for TPM1/TPM2 in seal-totp, kexec-seal-key. This is essentially the TPM2 logic now that tpmr provides the same wrapped commands for both TPM1 and TPM2. Remove algorithm prefix from PCR list in tpmr unseal for consistency with tpmr seal. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 17:39:06 +00:00
tpmr unseal 4d47 0,1,2,3,4,7 312 "$HOTP_SECRET" \
gui-init/seal-libremkey: reduce friction when generating new secret Reduce friction when generating a new TOTP/HOTP secret by eliminating an unnecessary 'press enter to continue' prompt following QR code generation, and by attempting to use the default admin PIN set by the OEM factory reset function. Fall back to prompting the user if the default PIN fails. Also, ensure error messages are visible to users before being returned back to the GUI menu from which they came by wrapping existing calls to die() Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-21 20:40:36 +00:00
|| fatal_error "Unable to unseal HOTP secret"
Use the Librem Key as a TPM work-alike in the absence of a TPM On machines without a TPM, we'd still like some way for the BIOS to attest that it has not been modified. With a Librem Key, we can have the BIOS use its own ROM measurement converted to a SHA256sum and truncated so it fits within an HOTP secret. Like with a TPM, a malicious BIOS with access to the correct measurements can send pre-known good measurements to the Librem Key. This approach provides one big drawback in that we have to truncate the SHA256sum to 20 characters so that it fits within the limitations of HOTP secrets. This means the possibility of collisions is much higher but again, an attacker could also capture and spoof an existing ROM's measurements if they have prior access to it, either with this approach or with a TPM. Signed-off-by: Kyle Rankin <kyle.rankin@puri.sm>
2019-11-25 18:25:11 +00:00
else
Use 160 bits of ROM hash for TPM-less HOTP secret (up from 80) HOTP/TOTP secrets don't have to be printable. Use binary data to include 160 bits of entropy instead of just 80. The secret is still limited to 20 bytes. Most keys now support up to 40 bytes, but tpmtotp is still limited to 20 bytes. Move the truncation to 20 bytes a bit later, for future improvements to detect the key's actual limit. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-05 14:18:06 +00:00
# without a TPM, generate a secret based on the SHA-256 of the ROM
initrd/bin/flash.sh: Remove '-s' "SHA-256" mode flash.sh had a special mode to read (like -r) and then sha256sum the resulting file. This is no different from just a read followed by a sha256sum, and the only caller also had logic to sha256sum a cached file anyway. Just use flash.sh -r and sha256sum the result. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-03 20:59:23 +00:00
secret_from_rom_hash > "$HOTP_SECRET" || die "Reading ROM failed"
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards -coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations) -swtpm set to be launched under TPM v2.0 mode under board config -Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized) This is skeleton for TPM v2 integration under Heads ------------- WiP TODO: - libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built - Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing - init tries to bind fd and fails currently - Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output - When no OS' /boot can be mounted, do not try to TPM reset (will fail) - seal-hotpkey is not working properly - setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM) - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase. - primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup - would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only - tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help. - Implementing them would be better - REVIEW TODOS IN CODE - READD CIRCLECI CONFIG Current state: - TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid) - TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without. - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails. - Current tests are with fbwhiptail (no clear called so having traces on command line of what happens) - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
2022-08-25 18:43:31 +00:00
fi
Store HOTP counter directly in /boot instead of TPM The HOTP counter isn't a secret but is just used to prevent replay attacks (the time-based counter in TOTP isn't a secret either) so it doesn't need to be protected in the TPM and storing it as a TPM monotonic counter was causing conflicts with the Heads configuration counter as TPM 1.2 can only increment one counter per reboot. This change moves the HOTP counter into the file in /boot that was previously keeping track of the TPM counter id.
2018-06-20 16:20:39 +00:00
# Store counter in file instead of TPM for now, as it conflicts with Heads
# config TPM counter as TPM 1.2 can only increment one counter between reboots
Add Librem Key support to Heads The Librem Key is a custom device USB-based security token Nitrokey is producing for Purism and among other things it has custom firmware created for use with Heads. In particular, when a board is configured with CONFIG_LIBREMKEY, this custom firmware allows Heads to use the sealed TOTP secret to also send an HOTP authentication to the Librem Key. If the HOTP code is successful, the Librem Key will blink a green LED, if unsuccessful it will blink red, thereby informing the user that Heads has been tampered with without requiring them to use a phone to validate the TOTP secret. Heads will still use and show the TOTP secret, in case the user wants to validate both codes (in case the Librem Key was lost or is no longer trusted). It will also show the result of the HOTP verification (but not the code itself), even though the user should trust only what the Librem Key displays, so the user can confirm that both the device and Heads are in sync. If HOTP is enabled, Heads will maintain a new TPM counter separate from the Heads TPM counter that will increment each time HOTP codes are checked. This change also modifies the routines that update TOTP so that if the Librem Key executables are present it will also update HOTP codes and synchronize them with a Librem Key.
2018-06-19 19:27:27 +00:00
# get current value of HOTP counter in TPM, create if absent
initrd/bin/seal-hotpkey: Show error if /boot can't be mounted If we can't mount /boot, show a meaningful error rather than dropping to a recovery shell. Dropping to a recovery shell should be a last resort. Users that know how to use the recovery shell know how to get there. Users that don't know how to use it can be completely stuck and may not know how to get back to the menu or even how to turn off the device. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-08 20:41:59 +00:00
mount_boot || exit 1
Add Librem Key support to Heads The Librem Key is a custom device USB-based security token Nitrokey is producing for Purism and among other things it has custom firmware created for use with Heads. In particular, when a board is configured with CONFIG_LIBREMKEY, this custom firmware allows Heads to use the sealed TOTP secret to also send an HOTP authentication to the Librem Key. If the HOTP code is successful, the Librem Key will blink a green LED, if unsuccessful it will blink red, thereby informing the user that Heads has been tampered with without requiring them to use a phone to validate the TOTP secret. Heads will still use and show the TOTP secret, in case the user wants to validate both codes (in case the Librem Key was lost or is no longer trusted). It will also show the result of the HOTP verification (but not the code itself), even though the user should trust only what the Librem Key displays, so the user can confirm that both the device and Heads are in sync. If HOTP is enabled, Heads will maintain a new TPM counter separate from the Heads TPM counter that will increment each time HOTP codes are checked. This change also modifies the routines that update TOTP so that if the Librem Key executables are present it will also update HOTP codes and synchronize them with a Librem Key.
2018-06-19 19:27:27 +00:00
Store HOTP counter directly in /boot instead of TPM The HOTP counter isn't a secret but is just used to prevent replay attacks (the time-based counter in TOTP isn't a secret either) so it doesn't need to be protected in the TPM and storing it as a TPM monotonic counter was causing conflicts with the Heads configuration counter as TPM 1.2 can only increment one counter per reboot. This change moves the HOTP counter into the file in /boot that was previously keeping track of the TPM counter id.
2018-06-20 16:20:39 +00:00
#check_tpm_counter $HOTP_COUNTER hotp \
#|| die "Unable to find/create TPM counter"
#counter="$TPM_COUNTER"
#
#counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")')
#if [ "$counter_value" == "" ]; then
# die "Unable to read HOTP counter"
#fi
Add Librem Key support to Heads The Librem Key is a custom device USB-based security token Nitrokey is producing for Purism and among other things it has custom firmware created for use with Heads. In particular, when a board is configured with CONFIG_LIBREMKEY, this custom firmware allows Heads to use the sealed TOTP secret to also send an HOTP authentication to the Librem Key. If the HOTP code is successful, the Librem Key will blink a green LED, if unsuccessful it will blink red, thereby informing the user that Heads has been tampered with without requiring them to use a phone to validate the TOTP secret. Heads will still use and show the TOTP secret, in case the user wants to validate both codes (in case the Librem Key was lost or is no longer trusted). It will also show the result of the HOTP verification (but not the code itself), even though the user should trust only what the Librem Key displays, so the user can confirm that both the device and Heads are in sync. If HOTP is enabled, Heads will maintain a new TPM counter separate from the Heads TPM counter that will increment each time HOTP codes are checked. This change also modifies the routines that update TOTP so that if the Librem Key executables are present it will also update HOTP codes and synchronize them with a Librem Key.
2018-06-19 19:27:27 +00:00
Store HOTP counter directly in /boot instead of TPM The HOTP counter isn't a secret but is just used to prevent replay attacks (the time-based counter in TOTP isn't a secret either) so it doesn't need to be protected in the TPM and storing it as a TPM monotonic counter was causing conflicts with the Heads configuration counter as TPM 1.2 can only increment one counter per reboot. This change moves the HOTP counter into the file in /boot that was previously keeping track of the TPM counter id.
2018-06-20 16:20:39 +00:00
#counter_value=$(printf "%d" 0x${counter_value})
Add Librem Key support to Heads The Librem Key is a custom device USB-based security token Nitrokey is producing for Purism and among other things it has custom firmware created for use with Heads. In particular, when a board is configured with CONFIG_LIBREMKEY, this custom firmware allows Heads to use the sealed TOTP secret to also send an HOTP authentication to the Librem Key. If the HOTP code is successful, the Librem Key will blink a green LED, if unsuccessful it will blink red, thereby informing the user that Heads has been tampered with without requiring them to use a phone to validate the TOTP secret. Heads will still use and show the TOTP secret, in case the user wants to validate both codes (in case the Librem Key was lost or is no longer trusted). It will also show the result of the HOTP verification (but not the code itself), even though the user should trust only what the Librem Key displays, so the user can confirm that both the device and Heads are in sync. If HOTP is enabled, Heads will maintain a new TPM counter separate from the Heads TPM counter that will increment each time HOTP codes are checked. This change also modifies the routines that update TOTP so that if the Librem Key executables are present it will also update HOTP codes and synchronize them with a Librem Key.
2018-06-19 19:27:27 +00:00
Store HOTP counter directly in /boot instead of TPM The HOTP counter isn't a secret but is just used to prevent replay attacks (the time-based counter in TOTP isn't a secret either) so it doesn't need to be protected in the TPM and storing it as a TPM monotonic counter was causing conflicts with the Heads configuration counter as TPM 1.2 can only increment one counter per reboot. This change moves the HOTP counter into the file in /boot that was previously keeping track of the TPM counter id.
2018-06-20 16:20:39 +00:00
counter_value=1
Add Librem Key support to Heads The Librem Key is a custom device USB-based security token Nitrokey is producing for Purism and among other things it has custom firmware created for use with Heads. In particular, when a board is configured with CONFIG_LIBREMKEY, this custom firmware allows Heads to use the sealed TOTP secret to also send an HOTP authentication to the Librem Key. If the HOTP code is successful, the Librem Key will blink a green LED, if unsuccessful it will blink red, thereby informing the user that Heads has been tampered with without requiring them to use a phone to validate the TOTP secret. Heads will still use and show the TOTP secret, in case the user wants to validate both codes (in case the Librem Key was lost or is no longer trusted). It will also show the result of the HOTP verification (but not the code itself), even though the user should trust only what the Librem Key displays, so the user can confirm that both the device and Heads are in sync. If HOTP is enabled, Heads will maintain a new TPM counter separate from the Heads TPM counter that will increment each time HOTP codes are checked. This change also modifies the routines that update TOTP so that if the Librem Key executables are present it will also update HOTP codes and synchronize them with a Librem Key.
2018-06-19 19:27:27 +00:00
enable_usb
seal-hotpkey: Try default PIN only for 1 month and if >=3 attempts left Only try the default PIN automatically for 1 month after key creation. This simplifies initial ownership but still encourages changing the PIN. Never enter a PIN automatically if fewer than 3 attempts remain, to avoid causing lockout if the PIN has been changed. Remind what the default PIN was if it is not attempted for either reason. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-06 17:22:40 +00:00
# While making sure the key is inserted, capture the status so we can check how
# many PIN attempts remain
if ! hotp_token_info="$(hotp_verification info)" ; then
gui-init/seal-libremkey: reduce friction when generating new secret Reduce friction when generating a new TOTP/HOTP secret by eliminating an unnecessary 'press enter to continue' prompt following QR code generation, and by attempting to use the default admin PIN set by the OEM factory reset function. Fall back to prompting the user if the default PIN fails. Also, ensure error messages are visible to users before being returned back to the GUI menu from which they came by wrapping existing calls to die() Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-21 20:40:36 +00:00
echo -e "\nInsert your $HOTPKEY_BRANDING and press Enter to configure it"
Add Librem Key support to Heads The Librem Key is a custom device USB-based security token Nitrokey is producing for Purism and among other things it has custom firmware created for use with Heads. In particular, when a board is configured with CONFIG_LIBREMKEY, this custom firmware allows Heads to use the sealed TOTP secret to also send an HOTP authentication to the Librem Key. If the HOTP code is successful, the Librem Key will blink a green LED, if unsuccessful it will blink red, thereby informing the user that Heads has been tampered with without requiring them to use a phone to validate the TOTP secret. Heads will still use and show the TOTP secret, in case the user wants to validate both codes (in case the Librem Key was lost or is no longer trusted). It will also show the result of the HOTP verification (but not the code itself), even though the user should trust only what the Librem Key displays, so the user can confirm that both the device and Heads are in sync. If HOTP is enabled, Heads will maintain a new TPM counter separate from the Heads TPM counter that will increment each time HOTP codes are checked. This change also modifies the routines that update TOTP so that if the Librem Key executables are present it will also update HOTP codes and synchronize them with a Librem Key.
2018-06-19 19:27:27 +00:00
read
seal-hotpkey: Try default PIN only for 1 month and if >=3 attempts left Only try the default PIN automatically for 1 month after key creation. This simplifies initial ownership but still encourages changing the PIN. Never enter a PIN automatically if fewer than 3 attempts remain, to avoid causing lockout if the PIN has been changed. Remind what the default PIN was if it is not attempted for either reason. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-06 17:22:40 +00:00
if ! hotp_token_info="$(hotp_verification info)" ; then
libremkey-hotp-verification: pass in key file directly Reading the file into a variable and then redirecting to stdin via echo() can cause the binary data to be truncated, leading to an invalid base32 value and failure to properly generate and validate the HOTP code. To resolve this, pass the file directly to hotp(), and ensure it is removed properly regardless of success or failure to prevent leakage. Fixes "Invalid base32 string" error seen when attempting to generate a new TOTP secret. Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-05-24 16:50:27 +00:00
# don't leak key on failure
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
gui-init/seal-libremkey: reduce friction when generating new secret Reduce friction when generating a new TOTP/HOTP secret by eliminating an unnecessary 'press enter to continue' prompt following QR code generation, and by attempting to use the default admin PIN set by the OEM factory reset function. Fall back to prompting the user if the default PIN fails. Also, ensure error messages are visible to users before being returned back to the GUI menu from which they came by wrapping existing calls to die() Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-21 20:40:36 +00:00
fatal_error "Unable to find $HOTPKEY_BRANDING"
libremkey-hotp-verification: pass in key file directly Reading the file into a variable and then redirecting to stdin via echo() can cause the binary data to be truncated, leading to an invalid base32 value and failure to properly generate and validate the HOTP code. To resolve this, pass the file directly to hotp(), and ensure it is removed properly regardless of success or failure to prevent leakage. Fixes "Invalid base32 string" error seen when attempting to generate a new TOTP secret. Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-05-24 16:50:27 +00:00
fi
Add Librem Key support to Heads The Librem Key is a custom device USB-based security token Nitrokey is producing for Purism and among other things it has custom firmware created for use with Heads. In particular, when a board is configured with CONFIG_LIBREMKEY, this custom firmware allows Heads to use the sealed TOTP secret to also send an HOTP authentication to the Librem Key. If the HOTP code is successful, the Librem Key will blink a green LED, if unsuccessful it will blink red, thereby informing the user that Heads has been tampered with without requiring them to use a phone to validate the TOTP secret. Heads will still use and show the TOTP secret, in case the user wants to validate both codes (in case the Librem Key was lost or is no longer trusted). It will also show the result of the HOTP verification (but not the code itself), even though the user should trust only what the Librem Key displays, so the user can confirm that both the device and Heads are in sync. If HOTP is enabled, Heads will maintain a new TPM counter separate from the Heads TPM counter that will increment each time HOTP codes are checked. This change also modifies the routines that update TOTP so that if the Librem Key executables are present it will also update HOTP codes and synchronize them with a Librem Key.
2018-06-19 19:27:27 +00:00
fi
Fix termonology
2020-06-24 15:54:39 +00:00
# Set HOTP USB Security Dongle branding based on VID
seal-hotp: Fix HOTP key identification With current implementation, Librem Keys with VID 0x316d are not identified properly; correct the if/else logic to resolve. Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-07-24 05:11:33 +00:00
if lsusb | grep -q "20a0:" ; then
Rename CONFIG_HOTP_BRANDING to HOTP_BRANDING reason: it not a config option anymore
2020-06-24 16:12:56 +00:00
HOTPKEY_BRANDING="Nitrokey"
seal-hotp: Fix HOTP key identification With current implementation, Librem Keys with VID 0x316d are not identified properly; correct the if/else logic to resolve. Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-07-24 05:11:33 +00:00
elif lsusb | grep -q "316d:" ; then
Rename CONFIG_HOTP_BRANDING to HOTP_BRANDING reason: it not a config option anymore
2020-06-24 16:12:56 +00:00
HOTPKEY_BRANDING="Librem Key"
Store HOTP USB Security Key branding in /boot
2020-06-24 15:40:49 +00:00
else
Rename CONFIG_HOTP_BRANDING to HOTP_BRANDING reason: it not a config option anymore
2020-06-24 16:12:56 +00:00
HOTPKEY_BRANDING="HOTP USB Security Dongle"
Store HOTP USB Security Key branding in /boot
2020-06-24 15:40:49 +00:00
fi
Prepare usage of /boot/kexec_hotp_key as branding
2020-06-24 14:11:41 +00:00
Use 160 bits of ROM hash for TPM-less HOTP secret (up from 80) HOTP/TOTP secrets don't have to be printable. Use binary data to include 160 bits of entropy instead of just 80. The secret is still limited to 20 bytes. Most keys now support up to 40 bytes, but tpmtotp is still limited to 20 bytes. Move the truncation to 20 bytes a bit later, for future improvements to detect the key's actual limit. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-05 14:18:06 +00:00
# Truncate the secret if it is longer than the maximum HOTP secret
truncate_max_bytes 20 "$HOTP_SECRET"
seal-hotpkey: Try default PIN only for 1 month and if >=3 attempts left Only try the default PIN automatically for 1 month after key creation. This simplifies initial ownership but still encourages changing the PIN. Never enter a PIN automatically if fewer than 3 attempts remain, to avoid causing lockout if the PIN has been changed. Remind what the default PIN was if it is not attempted for either reason. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-06 17:22:40 +00:00
# Check when the signing key was created to consider trying the default PIN
# (Note: we must avoid using gpg --card-status here as the Nitrokey firmware
# locks up, https://github.com/Nitrokey/nitrokey-pro-firmware/issues/54)
gpg_key_create_time="$(gpg --list-keys --with-colons | grep -m 1 '^pub:' | cut -d: -f6)"
gpg_key_create_time="${gpg_key_create_time:-0}"
DEBUG "Signature key was created at $(date -d "@$gpg_key_create_time")"
now_date="$(date '+%s')"
# Get the number of admin PIN retry attempts remaining
awk_admin_counter_regex='/^\s*Card counters: Admin (\d),.*$/'
awk_get_admin_counter="$awk_admin_counter_regex"' { print gensub('"$awk_admin_counter_regex"', "\\1", "") }'
admin_pin_retries="$(echo "$hotp_token_info" | awk "$awk_get_admin_counter")"
admin_pin_retries="${admin_pin_retries:-0}"
DEBUG "Admin PIN retry counter is $admin_pin_retries"
# Try using factory default admin PIN for 1 month following OEM reset to ease
# initial setup. But don't do it forever to encourage changing the PIN and
# so PIN attempts are not consumed by the default attempt.
gui-init/seal-libremkey: reduce friction when generating new secret Reduce friction when generating a new TOTP/HOTP secret by eliminating an unnecessary 'press enter to continue' prompt following QR code generation, and by attempting to use the default admin PIN set by the OEM factory reset function. Fall back to prompting the user if the default PIN fails. Also, ensure error messages are visible to users before being returned back to the GUI menu from which they came by wrapping existing calls to die() Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-21 20:40:36 +00:00
admin_pin="12345678"
seal-hotpkey: Try default PIN only for 1 month and if >=3 attempts left Only try the default PIN automatically for 1 month after key creation. This simplifies initial ownership but still encourages changing the PIN. Never enter a PIN automatically if fewer than 3 attempts remain, to avoid causing lockout if the PIN has been changed. Remind what the default PIN was if it is not attempted for either reason. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-06 17:22:40 +00:00
month_secs="$((30*24*60*60))"
admin_pin_status=1
if [ "$((now_date - gpg_key_create_time))" -gt "$month_secs" ]; then
# Remind what the default PIN was in case it still hasn't been changed
echo "Not trying default PIN ($admin_pin)"
# Never consume an attempt if there are less than 3 attempts left, otherwise
# attempting the default PIN could cause an unexpected lockout before getting a
# chance to enter the correct PIN
elif [ "$admin_pin_retries" -lt 3 ]; then
echo "Not trying default PIN ($admin_pin), only $admin_pin_retries attempt(s) left"
else
hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" >/dev/null 2>&1
admin_pin_status="$?"
fi
if [ "$admin_pin_status" -ne 0 ]; then
gui-init/seal-libremkey: reduce friction when generating new secret Reduce friction when generating a new TOTP/HOTP secret by eliminating an unnecessary 'press enter to continue' prompt following QR code generation, and by attempting to use the default admin PIN set by the OEM factory reset function. Fall back to prompting the user if the default PIN fails. Also, ensure error messages are visible to users before being returned back to the GUI menu from which they came by wrapping existing calls to die() Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-21 20:40:36 +00:00
# prompt user for PIN and retry
echo ""
read -s -p "Enter your $HOTPKEY_BRANDING Admin PIN: " admin_pin
seal-libremkey: add newlines for readability improve readability of console output by adding newlines as needed Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-06-29 04:26:20 +00:00
echo -e "\n"
gui-init/seal-libremkey: reduce friction when generating new secret Reduce friction when generating a new TOTP/HOTP secret by eliminating an unnecessary 'press enter to continue' prompt following QR code generation, and by attempting to use the default admin PIN set by the OEM factory reset function. Fall back to prompting the user if the default PIN fails. Also, ensure error messages are visible to users before being returned back to the GUI menu from which they came by wrapping existing calls to die() Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-21 20:40:36 +00:00
hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING"
if [ $? -ne 0 ]; then
echo -e "\n"
read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again: " admin_pin
echo -e "\n"
if ! hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" ; then
# don't leak key on failure
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
extent hotp error message for nitrokeys Signed-off-by: nestire <hannes@nitrokey.com>
2024-05-21 11:34:00 +00:00
if [ "$HOTPKEY_BRANDING" == "Nitrokey" ]; then
fatal_error "Setting HOTP secret failed, to reset nitrokey pin use: nitropy nk3 secrets reset or the Nitrokey App 2"
else
fatal_error "Setting HOTP secret failed"
fi
gui-init/seal-libremkey: reduce friction when generating new secret Reduce friction when generating a new TOTP/HOTP secret by eliminating an unnecessary 'press enter to continue' prompt following QR code generation, and by attempting to use the default admin PIN set by the OEM factory reset function. Fall back to prompting the user if the default PIN fails. Also, ensure error messages are visible to users before being returned back to the GUI menu from which they came by wrapping existing calls to die() Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-21 20:40:36 +00:00
fi
libremkey-hotp-verification: pass in key file directly Reading the file into a variable and then redirecting to stdin via echo() can cause the binary data to be truncated, leading to an invalid base32 value and failure to properly generate and validate the HOTP code. To resolve this, pass the file directly to hotp(), and ensure it is removed properly regardless of success or failure to prevent leakage. Fixes "Invalid base32 string" error seen when attempting to generate a new TOTP secret. Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-05-24 16:50:27 +00:00
fi
gui-init/seal-libremkey: reduce friction when generating new secret Reduce friction when generating a new TOTP/HOTP secret by eliminating an unnecessary 'press enter to continue' prompt following QR code generation, and by attempting to use the default admin PIN set by the OEM factory reset function. Fall back to prompting the user if the default PIN fails. Also, ensure error messages are visible to users before being returned back to the GUI menu from which they came by wrapping existing calls to die() Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-21 20:40:36 +00:00
else
# remind user to change admin password
extent hotp error message for nitrokeys Signed-off-by: nestire <hannes@nitrokey.com>
2024-05-21 11:34:00 +00:00
echo -e "\nWARNING: default admin PIN detected: please change this as soon as possible."
Add Librem Key support to Heads The Librem Key is a custom device USB-based security token Nitrokey is producing for Purism and among other things it has custom firmware created for use with Heads. In particular, when a board is configured with CONFIG_LIBREMKEY, this custom firmware allows Heads to use the sealed TOTP secret to also send an HOTP authentication to the Librem Key. If the HOTP code is successful, the Librem Key will blink a green LED, if unsuccessful it will blink red, thereby informing the user that Heads has been tampered with without requiring them to use a phone to validate the TOTP secret. Heads will still use and show the TOTP secret, in case the user wants to validate both codes (in case the Librem Key was lost or is no longer trusted). It will also show the result of the HOTP verification (but not the code itself), even though the user should trust only what the Librem Key displays, so the user can confirm that both the device and Heads are in sync. If HOTP is enabled, Heads will maintain a new TPM counter separate from the Heads TPM counter that will increment each time HOTP codes are checked. This change also modifies the routines that update TOTP so that if the Librem Key executables are present it will also update HOTP codes and synchronize them with a Librem Key.
2018-06-19 19:27:27 +00:00
fi
libremkey-hotp-verification: pass in key file directly Reading the file into a variable and then redirecting to stdin via echo() can cause the binary data to be truncated, leading to an invalid base32 value and failure to properly generate and validate the HOTP code. To resolve this, pass the file directly to hotp(), and ensure it is removed properly regardless of success or failure to prevent leakage. Fixes "Invalid base32 string" error seen when attempting to generate a new TOTP secret. Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-05-24 16:50:27 +00:00
# HOTP key no longer needed
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
Add Librem Key support to Heads The Librem Key is a custom device USB-based security token Nitrokey is producing for Purism and among other things it has custom firmware created for use with Heads. In particular, when a board is configured with CONFIG_LIBREMKEY, this custom firmware allows Heads to use the sealed TOTP secret to also send an HOTP authentication to the Librem Key. If the HOTP code is successful, the Librem Key will blink a green LED, if unsuccessful it will blink red, thereby informing the user that Heads has been tampered with without requiring them to use a phone to validate the TOTP secret. Heads will still use and show the TOTP secret, in case the user wants to validate both codes (in case the Librem Key was lost or is no longer trusted). It will also show the result of the HOTP verification (but not the code itself), even though the user should trust only what the Librem Key displays, so the user can confirm that both the device and Heads are in sync. If HOTP is enabled, Heads will maintain a new TPM counter separate from the Heads TPM counter that will increment each time HOTP codes are checked. This change also modifies the routines that update TOTP so that if the Librem Key executables are present it will also update HOTP codes and synchronize them with a Librem Key.
2018-06-19 19:27:27 +00:00
# Make sure our counter is incremented ahead of the next check
Store HOTP counter directly in /boot instead of TPM The HOTP counter isn't a secret but is just used to prevent replay attacks (the time-based counter in TOTP isn't a secret either) so it doesn't need to be protected in the TPM and storing it as a TPM monotonic counter was causing conflicts with the Heads configuration counter as TPM 1.2 can only increment one counter per reboot. This change moves the HOTP counter into the file in /boot that was previously keeping track of the TPM counter id.
2018-06-20 16:20:39 +00:00
#increment_tpm_counter $counter > /dev/null \
#|| die "Unable to increment tpm counter"
#increment_tpm_counter $counter > /dev/null \
#|| die "Unable to increment tpm counter"
Add Librem Key support to Heads The Librem Key is a custom device USB-based security token Nitrokey is producing for Purism and among other things it has custom firmware created for use with Heads. In particular, when a board is configured with CONFIG_LIBREMKEY, this custom firmware allows Heads to use the sealed TOTP secret to also send an HOTP authentication to the Librem Key. If the HOTP code is successful, the Librem Key will blink a green LED, if unsuccessful it will blink red, thereby informing the user that Heads has been tampered with without requiring them to use a phone to validate the TOTP secret. Heads will still use and show the TOTP secret, in case the user wants to validate both codes (in case the Librem Key was lost or is no longer trusted). It will also show the result of the HOTP verification (but not the code itself), even though the user should trust only what the Librem Key displays, so the user can confirm that both the device and Heads are in sync. If HOTP is enabled, Heads will maintain a new TPM counter separate from the Heads TPM counter that will increment each time HOTP codes are checked. This change also modifies the routines that update TOTP so that if the Librem Key executables are present it will also update HOTP codes and synchronize them with a Librem Key.
2018-06-19 19:27:27 +00:00
mount -o remount,rw /boot
Store HOTP counter directly in /boot instead of TPM The HOTP counter isn't a secret but is just used to prevent replay attacks (the time-based counter in TOTP isn't a secret either) so it doesn't need to be protected in the TPM and storing it as a TPM monotonic counter was causing conflicts with the Heads configuration counter as TPM 1.2 can only increment one counter per reboot. This change moves the HOTP counter into the file in /boot that was previously keeping track of the TPM counter id.
2018-06-20 16:20:39 +00:00
counter_value=`expr $counter_value + 1`
echo $counter_value > $HOTP_COUNTER \
gui-init/seal-libremkey: reduce friction when generating new secret Reduce friction when generating a new TOTP/HOTP secret by eliminating an unnecessary 'press enter to continue' prompt following QR code generation, and by attempting to use the default admin PIN set by the OEM factory reset function. Fall back to prompting the user if the default PIN fails. Also, ensure error messages are visible to users before being returned back to the GUI menu from which they came by wrapping existing calls to die() Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-21 20:40:36 +00:00
|| fatal_error "Unable to create hotp counter file"
Store HOTP counter directly in /boot instead of TPM The HOTP counter isn't a secret but is just used to prevent replay attacks (the time-based counter in TOTP isn't a secret either) so it doesn't need to be protected in the TPM and storing it as a TPM monotonic counter was causing conflicts with the Heads configuration counter as TPM 1.2 can only increment one counter per reboot. This change moves the HOTP counter into the file in /boot that was previously keeping track of the TPM counter id.
2018-06-20 16:20:39 +00:00
Fix termonology
2020-06-24 15:54:39 +00:00
# Store/overwrite HOTP USB Security Dongle branding found out beforehand
Rename CONFIG_HOTP_BRANDING to HOTP_BRANDING reason: it not a config option anymore
2020-06-24 16:12:56 +00:00
echo $HOTPKEY_BRANDING > $HOTP_KEY \
Store HOTP USB Security Key branding in /boot
2020-06-24 15:40:49 +00:00
|| die "Unable to store hotp key file"
Store HOTP counter directly in /boot instead of TPM The HOTP counter isn't a secret but is just used to prevent replay attacks (the time-based counter in TOTP isn't a secret either) so it doesn't need to be protected in the TPM and storing it as a TPM monotonic counter was causing conflicts with the Heads configuration counter as TPM 1.2 can only increment one counter per reboot. This change moves the HOTP counter into the file in /boot that was previously keeping track of the TPM counter id.
2018-06-20 16:20:39 +00:00
#sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
#|| die "Unable to create hotp counter file"
Add Librem Key support to Heads The Librem Key is a custom device USB-based security token Nitrokey is producing for Purism and among other things it has custom firmware created for use with Heads. In particular, when a board is configured with CONFIG_LIBREMKEY, this custom firmware allows Heads to use the sealed TOTP secret to also send an HOTP authentication to the Librem Key. If the HOTP code is successful, the Librem Key will blink a green LED, if unsuccessful it will blink red, thereby informing the user that Heads has been tampered with without requiring them to use a phone to validate the TOTP secret. Heads will still use and show the TOTP secret, in case the user wants to validate both codes (in case the Librem Key was lost or is no longer trusted). It will also show the result of the HOTP verification (but not the code itself), even though the user should trust only what the Librem Key displays, so the user can confirm that both the device and Heads are in sync. If HOTP is enabled, Heads will maintain a new TPM counter separate from the Heads TPM counter that will increment each time HOTP codes are checked. This change also modifies the routines that update TOTP so that if the Librem Key executables are present it will also update HOTP codes and synchronize them with a Librem Key.
2018-06-19 19:27:27 +00:00
mount -o remount,ro /boot
Rename CONFIG_HOTP_BRANDING to HOTP_BRANDING reason: it not a config option anymore
2020-06-24 16:12:56 +00:00
echo -e "\n$HOTPKEY_BRANDING initialized successfully. Press Enter to continue."
Add Librem Key support to Heads The Librem Key is a custom device USB-based security token Nitrokey is producing for Purism and among other things it has custom firmware created for use with Heads. In particular, when a board is configured with CONFIG_LIBREMKEY, this custom firmware allows Heads to use the sealed TOTP secret to also send an HOTP authentication to the Librem Key. If the HOTP code is successful, the Librem Key will blink a green LED, if unsuccessful it will blink red, thereby informing the user that Heads has been tampered with without requiring them to use a phone to validate the TOTP secret. Heads will still use and show the TOTP secret, in case the user wants to validate both codes (in case the Librem Key was lost or is no longer trusted). It will also show the result of the HOTP verification (but not the code itself), even though the user should trust only what the Librem Key displays, so the user can confirm that both the device and Heads are in sync. If HOTP is enabled, Heads will maintain a new TPM counter separate from the Heads TPM counter that will increment each time HOTP codes are checked. This change also modifies the routines that update TOTP so that if the Librem Key executables are present it will also update HOTP codes and synchronize them with a Librem Key.
2018-06-19 19:27:27 +00:00
read
exit 0
Reference in New Issue Copy Permalink