Add ability to enter custom password for OEM reset
Normally the OEM reset falls back to the default passwords; however, there is a use case where setting a custom password instead is more convenient. This patch adds a simple prompt (which keeps the defaults if you just press Enter) that lets someone running the OEM reset enter a single password that replaces all three defaults (TPM, GPG Admin, GPG User).
parent
c14c09b602
commit
018279b2bf
@ -18,6 +18,7 @@ WIDTH="220"
|
|||||||
USER_PIN_DEF=123456
|
USER_PIN_DEF=123456
|
||||||
ADMIN_PIN_DEF=12345678
|
ADMIN_PIN_DEF=12345678
|
||||||
TPM_PASS_DEF=12345678
|
TPM_PASS_DEF=12345678
|
||||||
|
CUSTOM_PASS=""
|
||||||
|
|
||||||
## External files sourced
|
## External files sourced
|
||||||
|
|
||||||
@ -85,6 +86,29 @@ gpg_key_reset()
|
|||||||
whiptail_error_die "GPG Key automatic keygen failed!\n\n$ERROR"
|
whiptail_error_die "GPG Key automatic keygen failed!\n\n$ERROR"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
gpg_key_change_pin()
|
||||||
|
{
|
||||||
|
# 1 = user PIN, 3 = admin PIN
|
||||||
|
PIN_TYPE=$1
|
||||||
|
PIN_ORIG=$2
|
||||||
|
PIN_NEW=$3
|
||||||
|
# Change PIN
|
||||||
|
{
|
||||||
|
echo admin
|
||||||
|
echo passwd
|
||||||
|
echo ${PIN_TYPE}
|
||||||
|
echo ${PIN_ORIG}
|
||||||
|
echo ${PIN_NEW}
|
||||||
|
echo ${PIN_NEW}
|
||||||
|
echo q
|
||||||
|
echo q
|
||||||
|
} | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \
|
||||||
|
> /tmp/gpg_card_edit_output 2>/dev/null
|
||||||
|
if [ $? -ne 0 ]; then
|
||||||
|
ERROR=`cat /tmp/gpg_card_edit_output`
|
||||||
|
whiptail_error_die "GPG Key PIN change failed!\n\n$ERROR"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
generate_checksums()
|
generate_checksums()
|
||||||
{
|
{
|
||||||
@ -130,7 +154,7 @@ generate_checksums()
|
|||||||
# sign kexec boot files
|
# sign kexec boot files
|
||||||
if sha256sum $param_files 2>/dev/null | gpg \
|
if sha256sum $param_files 2>/dev/null | gpg \
|
||||||
--pinentry-mode loopback \
|
--pinentry-mode loopback \
|
||||||
--passphrase $USER_PIN_DEF \
|
--passphrase "$USER_PIN_DEF" \
|
||||||
--digest-algo SHA256 \
|
--digest-algo SHA256 \
|
||||||
--detach-sign \
|
--detach-sign \
|
||||||
-a \
|
-a \
|
||||||
@ -217,6 +241,19 @@ if ! whiptail --yesno "
|
|||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Prompt to change default passwords
|
||||||
|
echo -e -n "Would you like to set a custom password? [y/N]:"
|
||||||
|
read -n 1 prompt_output
|
||||||
|
echo
|
||||||
|
if [ "$prompt_output" == "y" \
|
||||||
|
-o "$prompt_output" == "Y" ] \
|
||||||
|
; then
|
||||||
|
echo -e -n "Enter the custom password: "
|
||||||
|
read CUSTOM_PASS
|
||||||
|
echo
|
||||||
|
TPM_PASS_DEF=$CUSTOM_PASS
|
||||||
|
fi
|
||||||
|
|
||||||
## sanity check the USB, GPG key, and boot device before proceeding further
|
## sanity check the USB, GPG key, and boot device before proceeding further
|
||||||
|
|
||||||
# mount USB, then remount rw
|
# mount USB, then remount rw
|
||||||
@ -272,6 +309,15 @@ gpg --list-keys >/dev/null 2>&1
|
|||||||
echo -e "\nResetting GPG Key...\n(this will take a minute or two)\n"
|
echo -e "\nResetting GPG Key...\n(this will take a minute or two)\n"
|
||||||
gpg_key_reset
|
gpg_key_reset
|
||||||
|
|
||||||
|
if [ "$CUSTOM_PASS" != "" ]; then
|
||||||
|
echo -e "\nChanging default GPG Admin PIN\n"
|
||||||
|
gpg_key_change_pin "3" "$ADMIN_PIN_DEF" "$CUSTOM_PASS"
|
||||||
|
echo -e "\nChanging default GPG User PIN\n"
|
||||||
|
gpg_key_change_pin "1" "$USER_PIN_DEF" "$CUSTOM_PASS"
|
||||||
|
USER_PIN_DEF=$CUSTOM_PASS
|
||||||
|
ADMIN_PIN_DEF=$CUSTOM_PASS
|
||||||
|
fi
|
||||||
|
|
||||||
## export generated key to USB
|
## export generated key to USB
|
||||||
echo -e "\nExporting generated key to USB...\n"
|
echo -e "\nExporting generated key to USB...\n"
|
||||||
# parse name of generated key
|
# parse name of generated key
|
||||||
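Review bot: An empty answer at `read CUSTOM_PASS` still sets `TPM_PASS_DEF` to the empty string, because the assignment `TPM_PASS_DEF=$CUSTOM_PASS` on the following line is unconditional, whereas the later GPG PIN changes are skipped by the `[ "$CUSTOM_PASS" != "" ]` check — so answering `y` and then pressing Enter yields an empty TPM owner password with default GPG PINs instead of the documented fall-back to defaults; guard it the same way, `if [ -n "$CUSTOM_PASS" ]; then TPM_PASS_DEF=$CUSTOM_PASS; fi`. The password is also echoed to the console as it is typed and never confirmed, so `read -r -s CUSTOM_PASS` followed by a second entry compared against the first would avoid a mistyped value becoming the card PIN; OpenPGP cards normally reject user PINs shorter than 6 and admin PINs shorter than 8 characters, and a short value would make `gpg_key_change_pin` fail only after `gpg_key_reset` has already wiped the key, so a length check at the prompt is worth adding. Inside `gpg_key_change_pin` the `echo ${PIN_ORIG}` / `echo ${PIN_NEW}` lines are unquoted, so a password containing spaces or glob characters is word-split before it reaches gpg; quote them as `echo "${PIN_NEW}"`, matching the quoting this commit adds to `--passphrase "$USER_PIN_DEF"`.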
|