mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-24 07:06:42 +00:00
Add ability to enter custom password for OEM reset
Normally we resort to default passwords for OEM reset, however we have a use case where it would be convenient to set a custom password instead. This patch adds a simple prompt (that defaults to the defaults if you hit Enter) that enables someone using the OEM reset to enter a single password that will replace the defaults (TPM, GPG Admin, GPG User).
This commit is contained in:
parent
c14c09b602
commit
018279b2bf
@ -18,6 +18,7 @@ WIDTH="220"
|
||||
USER_PIN_DEF=123456
|
||||
ADMIN_PIN_DEF=12345678
|
||||
TPM_PASS_DEF=12345678
|
||||
CUSTOM_PASS=""
|
||||
|
||||
## External files sourced
|
||||
|
||||
@ -85,6 +86,29 @@ gpg_key_reset()
|
||||
whiptail_error_die "GPG Key automatic keygen failed!\n\n$ERROR"
|
||||
fi
|
||||
}
|
||||
gpg_key_change_pin()
|
||||
{
|
||||
# 1 = user PIN, 3 = admin PIN
|
||||
PIN_TYPE=$1
|
||||
PIN_ORIG=$2
|
||||
PIN_NEW=$3
|
||||
# Change PIN
|
||||
{
|
||||
echo admin
|
||||
echo passwd
|
||||
echo ${PIN_TYPE}
|
||||
echo ${PIN_ORIG}
|
||||
echo ${PIN_NEW}
|
||||
echo ${PIN_NEW}
|
||||
echo q
|
||||
echo q
|
||||
} | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \
|
||||
> /tmp/gpg_card_edit_output 2>/dev/null
|
||||
if [ $? -ne 0 ]; then
|
||||
ERROR=`cat /tmp/gpg_card_edit_output`
|
||||
whiptail_error_die "GPG Key PIN change failed!\n\n$ERROR"
|
||||
fi
|
||||
}
|
||||
|
||||
generate_checksums()
|
||||
{
|
||||
@ -130,7 +154,7 @@ generate_checksums()
|
||||
# sign kexec boot files
|
||||
if sha256sum $param_files 2>/dev/null | gpg \
|
||||
--pinentry-mode loopback \
|
||||
--passphrase $USER_PIN_DEF \
|
||||
--passphrase "$USER_PIN_DEF" \
|
||||
--digest-algo SHA256 \
|
||||
--detach-sign \
|
||||
-a \
|
||||
@ -217,6 +241,19 @@ if ! whiptail --yesno "
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Prompt to change default passwords
|
||||
echo -e -n "Would you like to set a custom password? [y/N]:"
|
||||
read -n 1 prompt_output
|
||||
echo
|
||||
if [ "$prompt_output" == "y" \
|
||||
-o "$prompt_output" == "Y" ] \
|
||||
; then
|
||||
echo -e -n "Enter the custom password: "
|
||||
read CUSTOM_PASS
|
||||
echo
|
||||
TPM_PASS_DEF=$CUSTOM_PASS
|
||||
fi
|
||||
|
||||
## sanity check the USB, GPG key, and boot device before proceeding further
|
||||
|
||||
# mount USB, then remount rw
|
||||
@ -272,6 +309,15 @@ gpg --list-keys >/dev/null 2>&1
|
||||
echo -e "\nResetting GPG Key...\n(this will take a minute or two)\n"
|
||||
gpg_key_reset
|
||||
|
||||
if [ "$CUSTOM_PASS" != "" ]; then
|
||||
echo -e "\nChanging default GPG Admin PIN\n"
|
||||
gpg_key_change_pin "3" "$ADMIN_PIN_DEF" "$CUSTOM_PASS"
|
||||
echo -e "\nChanging default GPG User PIN\n"
|
||||
gpg_key_change_pin "1" "$USER_PIN_DEF" "$CUSTOM_PASS"
|
||||
USER_PIN_DEF=$CUSTOM_PASS
|
||||
ADMIN_PIN_DEF=$CUSTOM_PASS
|
||||
fi
|
||||
|
||||
## export generated key to USB
|
||||
echo -e "\nExporting generated key to USB...\n"
|
||||
# parse name of generated key
|
||||
|
Loading…
Reference in New Issue
Block a user