Add ability to enter custom password for OEM reset

Normally we resort to default passwords for OEM reset, however we have a
use case where it would be convenient to set a custom password instead.
This patch adds a simple prompt (that defaults to the defaults if you
hit Enter) that enables someone using the OEM reset to enter a single
password that will replace the defaults (TPM, GPG Admin, GPG User).
This commit is contained in:
Kyle Rankin 2019-11-07 11:01:49 -08:00 committed by Matt DeVillier
parent c14c09b602
commit 018279b2bf
No known key found for this signature in database
GPG Key ID: 2BBB776A35B978FD

View File

@ -18,6 +18,7 @@ WIDTH="220"
USER_PIN_DEF=123456 USER_PIN_DEF=123456
ADMIN_PIN_DEF=12345678 ADMIN_PIN_DEF=12345678
TPM_PASS_DEF=12345678 TPM_PASS_DEF=12345678
CUSTOM_PASS=""
## External files sourced ## External files sourced
@ -85,6 +86,29 @@ gpg_key_reset()
whiptail_error_die "GPG Key automatic keygen failed!\n\n$ERROR" whiptail_error_die "GPG Key automatic keygen failed!\n\n$ERROR"
fi fi
} }
gpg_key_change_pin()
{
# 1 = user PIN, 3 = admin PIN
PIN_TYPE=$1
PIN_ORIG=$2
PIN_NEW=$3
# Change PIN
{
echo admin
echo passwd
echo ${PIN_TYPE}
echo ${PIN_ORIG}
echo ${PIN_NEW}
echo ${PIN_NEW}
echo q
echo q
} | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \
> /tmp/gpg_card_edit_output 2>/dev/null
if [ $? -ne 0 ]; then
ERROR=`cat /tmp/gpg_card_edit_output`
whiptail_error_die "GPG Key PIN change failed!\n\n$ERROR"
fi
}
generate_checksums() generate_checksums()
{ {
@ -130,7 +154,7 @@ generate_checksums()
# sign kexec boot files # sign kexec boot files
if sha256sum $param_files 2>/dev/null | gpg \ if sha256sum $param_files 2>/dev/null | gpg \
--pinentry-mode loopback \ --pinentry-mode loopback \
--passphrase $USER_PIN_DEF \ --passphrase "$USER_PIN_DEF" \
--digest-algo SHA256 \ --digest-algo SHA256 \
--detach-sign \ --detach-sign \
-a \ -a \
@ -217,6 +241,19 @@ if ! whiptail --yesno "
exit 1 exit 1
fi fi
# Prompt to change default passwords
echo -e -n "Would you like to set a custom password? [y/N]:"
read -n 1 prompt_output
echo
if [ "$prompt_output" == "y" \
-o "$prompt_output" == "Y" ] \
; then
echo -e -n "Enter the custom password: "
read CUSTOM_PASS
echo
TPM_PASS_DEF=$CUSTOM_PASS
fi
## sanity check the USB, GPG key, and boot device before proceeding further ## sanity check the USB, GPG key, and boot device before proceeding further
# mount USB, then remount rw # mount USB, then remount rw
@ -272,6 +309,15 @@ gpg --list-keys >/dev/null 2>&1
echo -e "\nResetting GPG Key...\n(this will take a minute or two)\n" echo -e "\nResetting GPG Key...\n(this will take a minute or two)\n"
gpg_key_reset gpg_key_reset
if [ "$CUSTOM_PASS" != "" ]; then
echo -e "\nChanging default GPG Admin PIN\n"
gpg_key_change_pin "3" "$ADMIN_PIN_DEF" "$CUSTOM_PASS"
echo -e "\nChanging default GPG User PIN\n"
gpg_key_change_pin "1" "$USER_PIN_DEF" "$CUSTOM_PASS"
USER_PIN_DEF=$CUSTOM_PASS
ADMIN_PIN_DEF=$CUSTOM_PASS
fi
## export generated key to USB ## export generated key to USB
echo -e "\nExporting generated key to USB...\n" echo -e "\nExporting generated key to USB...\n"
# parse name of generated key # parse name of generated key