WiP: staging changes, warn loud and clear of weak security posture by using weak OEM defaults provisioned secrets

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Thierry Laurion 2024-12-13 15:50:05 -05:00
parent d768e80de6
commit 0d3964274e
No known key found for this signature in database
GPG Key ID: 9A53E1BB3FF00461
4 changed files with 13 additions and 6 deletions


@ -557,7 +557,7 @@ reset_tpm()
TRACE_FUNC
if [ "$CONFIG_TPM" = "y" ]; then
if (whiptail_warning --title 'Reset the TPM' \
--yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 0 80) then
--yesno "This will clear the TPM and replace its Owner password with a new one!\n\nDo you want to proceed?" 0 80) then
if ! prompt_new_owner_password; then
echo "Press Enter to return to the menu..."


@ -129,7 +129,8 @@ else
echo "Trying $prompt_message PIN ($admin_pin) to seal HOTP secret on $HOTPKEY_BRANDING..."
#if we deal with the nk3, say to the user that touch will be required
if lsusb | grep -q "20a0:42b2"; then
warn "Touching the Nitrokey 3 to confirm presence operation is required"
warn "Nitrokey 3 requires physical presence : touch the dongle when prompted"
echo
fi
#TODO: silence the output of hotp_initialize once https://github.com/Nitrokey/nitrokey-hotp-verification/issues/41 is fixed
#hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" >/dev/null 2>&1
@ -161,7 +162,10 @@ if [ "$admin_pin_status" -ne 0 ]; then
fi
else
# remind user to change admin password
warn "Factory $prompt_message default PIN 12345678 detected: please change this PIN as soon as possible through OEM Factory Reset/User Re-Ownership"
warn "Weak OEM default PINs are under use to enforce remote attestation/encryption/signature operations"
warn "$CONFIG_BRAND_NAME security is compromised until the ownership of this device is re-established by changing secrets by non-default values"
warn "You must change current default secrets through 'Options -> OEM Factory Reset/Re-Ownership' menu and not accept the default options"
warn "You will be asked to answer a questionnaire to re-own your device and USB security dongles with new secrets"
fi
# HOTP key no longer needed
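Review bot: The two new warn strings beginning `warn "Weak OEM default PINs are under use` read awkwardly as user-facing text; suggest `warn "Weak OEM default PINs are in use to protect remote attestation/encryption/signature operations"` and `warn "$CONFIG_BRAND_NAME security is compromised until ownership of this device is re-established by replacing the default secrets with non-default values"`. The menu path quoted on the following line ('Options -> OEM Factory Reset/Re-Ownership') differs from the one the removed line named (OEM Factory Reset/User Re-Ownership); whichever matches the actual menu label should be used so the user can find it. These warnings are only emitted in the `else` branch that detected the default admin PIN, so if a user PIN with a comparable factory default is handled elsewhere it presumably needs the same warning; the enclosing if/else starts outside the hunk. Adjacent but not part of this change, the echo at the top of the hunk prints `$admin_pin` in clear on the console, which is worth dropping if that value can ever be a non-default PIN.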


@ -363,7 +363,6 @@ tpm2_startsession() {
tpm2 flushcontext -Q \
--saved-session ||
die "tpm2_flushcontext: unable to flush saved session"
#TODO: readpublic cannot be silenced even if redirected to /dev/null with both stderr and stdout redirected?
tpm2 readpublic -Q -c "$PRIMARY_HANDLE" -t "$PRIMARY_HANDLE_FILE" >/dev/null 2>&1
#TODO: do the right thing to not have to suppress "WARN: check public portion the tpmkey manually" see https://github.com/linuxboot/heads/pull/1630#issuecomment-2075120429
tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$ENC_SESSION_FILE" >/dev/null 2>&1
@ -622,7 +621,10 @@ tpm2_unseal() {
LOG "tpm2 stderr: $line"
done <"$TMP_ERR_FILE"
rm -f "$TMP_ERR_FILE"
die "Unable to unseal secret from TPM NVRAM"
LOG "Unable to unseal secret from TPM NVRAM"
# should succeed, exit if it doesn't
exit 1
fi
rm -f "$TMP_ERR_FILE"
}
@ -649,6 +651,7 @@ tpm1_unseal() {
-sz "$sealed_size" \
-of "$sealed_file" ||
die "Unable to read sealed file from TPM NVRAM"
# TODO: Cannot log + exit instead of dying!?!
PASS_ARGS=()
if [ "$pass" ]; then
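Review bot: The TODO added after `die "Unable to read sealed file from TPM NVRAM"` in tpm1_unseal can be resolved the same way tpm2_unseal now does it: replace the `die` in the `||` chain with a group, `|| { LOG "Unable to read sealed file from TPM NVRAM"; exit 1; }`, so both unseal paths log and return non-zero and the caller's `|| die` supplies the single user-visible message. As committed the two paths are inconsistent, with tpm2_unseal logging and exiting while tpm1_unseal still dies. `exit 1` only behaves as intended if tpmr is executed rather than sourced; if it can be sourced, `return 1` after the LOG is the safer form. The comment `# should succeed, exit if it doesn't` would be clearer as `# unseal failure is fatal: tpm2 stderr was logged above, the caller's die reports it`. Both tpm2_unseal and tpm1_unseal start outside their hunks.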


@ -9,7 +9,7 @@ TRACE_FUNC
if [ "$CONFIG_TPM" = "y" ]; then
tpmr unseal 4d47 0,1,2,3,4,7 312 "$TOTP_SECRET" ||
die "Unable to unseal TOTP secret"
die "Unable to unseal TOTP secret from TPM"
fi
if ! totp -q <"$TOTP_SECRET"; then