From 0d3964274ee2ba256eb571ce1291e0cdb8071eb8 Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Fri, 13 Dec 2024 15:50:05 -0500
Subject: [PATCH] WiP: staging changes, warn loud and clear of weak security posture by using weak OEM defaults provisioned secrets
Signed-off-by: Thierry Laurion
---
 initrd/bin/gui-init | 2 +-
 initrd/bin/seal-hotpkey | 8 ++++++--
 initrd/bin/tpmr | 7 +++++--
 initrd/bin/unseal-totp | 2 +-
 4 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init
index c3811987..f89f1e15 100755
--- a/initrd/bin/gui-init
+++ b/initrd/bin/gui-init
@@ -557,7 +557,7 @@ reset_tpm()
 TRACE_FUNC
 if [ "$CONFIG_TPM" = "y" ]; then
 if (whiptail_warning --title 'Reset the TPM' \
- --yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 0 80) then
+ --yesno "This will clear the TPM and replace its Owner password with a new one!\n\nDo you want to proceed?" 0 80) then
 if ! prompt_new_owner_password; then
 echo "Press Enter to return to the menu..."
diff --git a/initrd/bin/seal-hotpkey b/initrd/bin/seal-hotpkey
index 70d86e95..9c01d5d6 100755
--- a/initrd/bin/seal-hotpkey
+++ b/initrd/bin/seal-hotpkey
@@ -129,7 +129,8 @@ else
 echo "Trying $prompt_message PIN ($admin_pin) to seal HOTP secret on $HOTPKEY_BRANDING..."
 #if we deal with the nk3, say to the user that touch will be required
 if lsusb | grep -q "20a0:42b2"; then
- warn "Touching the Nitrokey 3 to confirm presence operation is required"
+ warn "Nitrokey 3 requires physical presence : touch the dongle when prompted"
+ echo
 fi
 #TODO: silence the output of hotp_initialize once https://github.com/Nitrokey/nitrokey-hotp-verification/issues/41 is fixed
 #hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" >/dev/null 2>&1
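Review bot: The new warning string `"Nitrokey 3 requires physical presence : touch the dongle when prompted"` carries a space before the colon, while the other user-facing strings in this patch use plain English punctuation, so `warn "Nitrokey 3 requires physical presence: touch the dongle when prompted"` reads more consistently. The bare `echo` added after it only emits a blank line; a trailing comment such as `echo # blank line so the touch prompt stands out` would make that intent visible to the next reader. The `if lsusb | grep -q "20a0:42b2"` branch is shown in full, but the enclosing `else` block starts outside the hunk.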
@@ -161,7 +162,10 @@ if [ "$admin_pin_status" -ne 0 ]; then
 fi
 else
 # remind user to change admin password
- warn "Factory $prompt_message default PIN 12345678 detected: please change this PIN as soon as possible through OEM Factory Reset/User Re-Ownership"
+ warn "Weak OEM default PINs are under use to enforce remote attestation/encryption/signature operations"
+ warn "$CONFIG_BRAND_NAME security is compromised until the ownership of this device is re-established by changing secrets by non-default values"
+ warn "You must change current default secrets through 'Options -> OEM Factory Reset/Re-Ownership' menu and not accept the default options"
+ warn "You will be asked to answer a questionnaire to re-own your device and USB security dongles with new secrets"
 fi
 # HOTP key no longer needed
diff --git a/initrd/bin/tpmr b/initrd/bin/tpmr
index 61d96678..7dbe5043 100755
--- a/initrd/bin/tpmr
+++ b/initrd/bin/tpmr
@@ -363,7 +363,6 @@ tpm2_startsession() {
 tpm2 flushcontext -Q \
 --saved-session || die "tpm2_flushcontext: unable to flush saved session"
- #TODO: readpublic cannot be silenced even if redirected to /dev/null with both stderr and stdout redirected?
 tpm2 readpublic -Q -c "$PRIMARY_HANDLE" -t "$PRIMARY_HANDLE_FILE" >/dev/null 2>&1
 #TODO: do the right thing to not have to suppress "WARN: check public portion the tpmkey manually" see https://github.com/linuxboot/heads/pull/1630#issuecomment-2075120429
 tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$ENC_SESSION_FILE" >/dev/null 2>&1
@@ -622,7 +621,10 @@ tpm2_unseal() {
 LOG "tpm2 stderr: $line"
 done <"$TMP_ERR_FILE"
 rm -f "$TMP_ERR_FILE"
- die "Unable to unseal secret from TPM NVRAM"
+ LOG "Unable to unseal secret from TPM NVRAM"
+
+ # should succeed, exit if it doesn't
+ exit 1
 fi
 rm -f "$TMP_ERR_FILE"
 }
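Review bot: The removed line told the user which PIN was found at its factory value (`Factory $prompt_message default PIN ... detected`), and the four `warn` lines that replace it no longer say which dongle or which PIN triggered the message, so the user has less to act on than before; keeping that detail as the first line, e.g. `warn "Factory default $prompt_message PIN detected on $HOTPKEY_BRANDING"`, preserves it (both variables are already used earlier in this file). Two phrases also read awkwardly for a message that makes a security claim: `are under use` should be `are in use`, and `changing secrets by non-default values` should be `changing secrets to non-default values`. The condition that reaches this `else` branch is outside the hunk, so whether the check covers every secret the text lists (attestation, encryption, signing) cannot be confirmed from here.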
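Review bot: With the `#TODO: readpublic cannot be silenced …` comment deleted, the `>/dev/null 2>&1` on `tpm2 readpublic` is left unexplained, and that command still has no `|| die` unlike the `tpm2 flushcontext` just above it, so a failure to refresh `$PRIMARY_HANDLE_FILE` goes unnoticed and the following `tpm2 startauthsession` runs against whatever file was there before. If readpublic's exit status is trustworthy (the deleted TODO only complains about its output), `tpm2 readpublic -Q -c "$PRIMARY_HANDLE" -t "$PRIMARY_HANDLE_FILE" >/dev/null 2>&1 || die "tpm2_readpublic: unable to read primary handle"` keeps the function's error handling uniform; otherwise a one-line comment stating why both streams are discarded should replace the removed TODO. The rest of tpm2_startsession lies outside the hunk.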
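Review bot: The comment `# should succeed, exit if it doesn't` sits inside the failure branch (the `if` body that has just finished logging tpm2's stderr), so it contradicts the code around it; something like `# unseal failed: tpm2 stderr is already in the log, return non-zero and let the caller report it` describes what the branch now does. Replacing `die` with `LOG` plus `exit 1` changes the contract of `tpmr unseal`: the reason no longer reaches the console, so a caller that ignores the exit status would proceed without the secret — unseal-totp in this patch does check it (`|| die "Unable to unseal TOTP secret from TPM"`), but other callers cannot be verified from here, and that contract change is worth stating in the function's header comment. The `rm -f "$TMP_ERR_FILE"` kept before `exit 1` preserves the temp-file cleanup on the failure path. The start of tpm2_unseal is outside the hunk.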
@@ -649,6 +651,7 @@ tpm1_unseal() {
 -sz "$sealed_size" \
 -of "$sealed_file" || die "Unable to read sealed file from TPM NVRAM"
+ # TODO: Cannot log + exit instead of dying!?!
 PASS_ARGS=()
 if [ "$pass" ]; then
diff --git a/initrd/bin/unseal-totp b/initrd/bin/unseal-totp
index b5ec1414..3ca7cf28 100755
--- a/initrd/bin/unseal-totp
+++ b/initrd/bin/unseal-totp
@@ -9,7 +9,7 @@ TRACE_FUNC
 if [ "$CONFIG_TPM" = "y" ]; then
 tpmr unseal 4d47 0,1,2,3,4,7 312 "$TOTP_SECRET" ||
- die "Unable to unseal TOTP secret"
+ die "Unable to unseal TOTP secret from TPM"
 fi
 if ! totp -q <"$TOTP_SECRET"; then
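Review bot: The added `# TODO: Cannot log + exit instead of dying!?!` records a problem without saying what was tried or what was observed, which leaves the next reader nothing to act on. If the intent is to mirror tpm2_unseal's LOG-then-exit handling, the `|| die` on the preceding `-of "$sealed_file"` line can become a brace group, `-of "$sealed_file" || { LOG "Unable to read sealed file from TPM NVRAM"; exit 1; }`, which is plain POSIX shell and works in an `||` chain. If that form was already tried and failed, the TODO should state the observed behaviour instead of the `!?!`. The command this attaches to starts before the hunk and tpm1_unseal continues past it.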