From 018279b2bf6d30c0bd591e58ca1998647a7e530e Mon Sep 17 00:00:00 2001
From: Kyle Rankin
Date: Thu, 7 Nov 2019 11:01:49 -0800
Subject: [PATCH] Add ability to enter custom password for OEM reset

Normally we resort to default passwords for OEM reset, however we have a use case where it would be convenient to set a custom password instead. This patch adds a simple prompt (that defaults to the defaults if you hit Enter) that enables someone using the OEM reset to enter a single password that will replace the defaults (TPM, GPG Admin, GPG User).
---
 initrd/bin/oem-factory-reset | 48 +++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 47 insertions(+), 1 deletion(-)

diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset
index e5138387..1b40bcd2 100755
--- a/initrd/bin/oem-factory-reset
+++ b/initrd/bin/oem-factory-reset
@@ -18,6 +18,7 @@ WIDTH="220"
 USER_PIN_DEF=123456
 ADMIN_PIN_DEF=12345678
 TPM_PASS_DEF=12345678
+CUSTOM_PASS=""
 
 ## External files sourced
 
@@ -85,6 +86,29 @@ gpg_key_reset()
 		whiptail_error_die "GPG Key automatic keygen failed!\n\n$ERROR"
 	fi
 }
+gpg_key_change_pin()
+{
+	# 1 = user PIN, 3 = admin PIN
+	PIN_TYPE=$1
+	PIN_ORIG=$2
+	PIN_NEW=$3
+	# Change PIN
+	{
+		echo admin
+		echo passwd
+		echo ${PIN_TYPE}
+		echo ${PIN_ORIG}
+		echo ${PIN_NEW}
+		echo ${PIN_NEW}
+		echo q
+		echo q
+	} | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \
+		> /tmp/gpg_card_edit_output 2>/dev/null
+	if [ $? -ne 0 ]; then
+		ERROR=`cat /tmp/gpg_card_edit_output`
+		whiptail_error_die "GPG Key PIN change failed!\n\n$ERROR"
+	fi
+}
 
 generate_checksums()
 {
@@ -130,7 +154,7 @@ generate_checksums()
 	# sign kexec boot files
 	if sha256sum $param_files 2>/dev/null | gpg \
 		--pinentry-mode loopback \
-		--passphrase $USER_PIN_DEF \
+		--passphrase "$USER_PIN_DEF" \
 		--digest-algo SHA256 \
 		--detach-sign \
 		-a \
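Review bot: The PIN values in gpg_key_change_pin are fed to gpg with unquoted `echo ${PIN_ORIG}` / `echo ${PIN_NEW}`, so a custom password containing spaces, glob characters, or a leading `-n`/`-e` is word-split, globbed, or consumed as an echo option before gpg sees it, and the card ends up with a PIN other than the one the user typed. Writing each value as `printf '%s\n' "${PIN_NEW}"` (and likewise for PIN_TYPE and PIN_ORIG) passes the string through unchanged. Separately, `--status-fd=2` directs gpg's status lines to the same stderr that `2>/dev/null` discards, so the ERROR shown by whiptail_error_die on failure contains only gpg's stdout and may not say why the PIN change was rejected; `> /tmp/gpg_card_edit_output 2>&1` would keep that diagnostic. `ERROR=$(cat /tmp/gpg_card_edit_output)` is also the more readable form of the backtick capture.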
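Review bot: Quoting `--passphrase "$USER_PIN_DEF"` fixes word splitting, but the passphrase is still a command-line argument, readable from the process table by any process on the system; that was harmless for a published default, yet once the later hunk reassigns USER_PIN_DEF it is a user-chosen secret. On a single-user initrd the exposure is presumably small, though `--passphrase-fd 3 3<<<"$USER_PIN_DEF"` would keep it out of argv without changing the rest of the pipeline. generate_checksums starts and ends outside the hunk.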
@@ -217,6 +241,19 @@ if ! whiptail --yesno "
 	exit 1
 fi
 
+# Prompt to change default passwords
+echo -e -n "Would you like to set a custom password? [y/N]:"
+read -n 1 prompt_output
+echo
+if [ "$prompt_output" == "y" \
+	-o "$prompt_output" == "Y" ] \
+; then
+	echo -e -n "Enter the custom password: "
+	read CUSTOM_PASS
+	echo
+	TPM_PASS_DEF=$CUSTOM_PASS
+fi
+
 ## sanity check the USB, GPG key, and boot device before proceeding further
 
 # mount USB, then remount rw
@@ -272,6 +309,15 @@ gpg --list-keys >/dev/null 2>&1
 echo -e "\nResetting GPG Key...\n(this will take a minute or two)\n"
 gpg_key_reset
 
+if [ "$CUSTOM_PASS" != "" ]; then
+	echo -e "\nChanging default GPG Admin PIN\n"
+	gpg_key_change_pin "3" "$ADMIN_PIN_DEF" "$CUSTOM_PASS"
+	echo -e "\nChanging default GPG User PIN\n"
+	gpg_key_change_pin "1" "$USER_PIN_DEF" "$CUSTOM_PASS"
+	USER_PIN_DEF=$CUSTOM_PASS
+	ADMIN_PIN_DEF=$CUSTOM_PASS
+fi
+
 ## export generated key to USB
 echo -e "\nExporting generated key to USB...\n"
 # parse name of generated key
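Review bot: If the user answers `y` and then presses Enter at the password prompt, `TPM_PASS_DEF=$CUSTOM_PASS` sets the TPM password to the empty string while the `[ "$CUSTOM_PASS" != "" ]` guard in the later hunk leaves the GPG PINs at their defaults, so the "defaults if you hit Enter" behaviour from the commit message does not hold for this prompt. The prompt also echoes the password to the terminal (`read` without `-s`), strips backslashes (no `-r`), and asks only once, so a typo silently becomes both the TPM password and the card PINs. Reading it silently twice, aborting on a mismatch, and assigning TPM_PASS_DEF only when the value is non-empty closes all three; the rewritten inner block is below, with the y/N prompt above it unchanged.
```shell
	# … unchanged: y/N prompt and the `if [ "$prompt_output" ...` test …
	echo -e -n "Enter the custom password: "
	read -r -s CUSTOM_PASS
	echo
	echo -e -n "Confirm the custom password: "
	read -r -s CUSTOM_PASS_CONFIRM
	echo
	if [ "$CUSTOM_PASS" != "$CUSTOM_PASS_CONFIRM" ]; then
		whiptail_error_die "Custom passwords do not match"
	fi
	# Empty input means "keep the defaults", matching the GPG PIN guard later on
	if [ -n "$CUSTOM_PASS" ]; then
		TPM_PASS_DEF=$CUSTOM_PASS
	fi
```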
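Review bot: `gpg_key_change_pin "3" "$ADMIN_PIN_DEF" "$CUSTOM_PASS"` is the first point at which a too-short custom password is rejected (OpenPGP cards require at least 8 characters for the admin PIN and 6 for the user PIN), and because gpg_key_change_pin ends in whiptail_error_die the reset aborts there. If the TPM owner password has already been taken from TPM_PASS_DEF by this point — that step is not in the hunk — the machine is left with a TPM password that differs from the card's still-default PINs. Checking the length where the password is read, before any device is touched, avoids that half-applied state, e.g. `[ ${#CUSTOM_PASS} -ge 8 ] || whiptail_error_die "Custom password must be at least 8 characters"`. `[ "$CUSTOM_PASS" != "" ]` reads more clearly as `[ -n "$CUSTOM_PASS" ]`. Since one value now serves as both user and admin PIN, a comment such as `# The same value is used for the user and admin PIN by design` on this block would save the next reader from treating it as an oversight.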