ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-18 20:47:55 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #1515 from tlaurion/inmemory_keygen-gpg_backup_usable_for_RSA_only-copy_to_card_working_for_RSA_only-gpg_auth_for_recovery_and_sub_boot

Browse Source 
GPG User Authentication: In-memory gpg keygen + keytocard and GPG key material backup enabling  (plus a lot of code cleanup and UX improvements)
This commit is contained in:
tlaurion 2023-11-13 16:05:26 -05:00 committed by GitHub
commit 133da0e48e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
40 changed files with 4885 additions and 1046 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
boards/librem_13v2/librem_13v2.config
View File

@ -30,7 +30,6 @@ CONFIG_LINUX_USB=y
export CONFIG_TPM=y
export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y
export CONFIG_TOTP_SKIP_QRCODE=y
export CONFIG_OEMRESET_OFFER_DEFAULTS=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

1
boards/librem_13v4/librem_13v4.config
View File

@ -30,7 +30,6 @@ CONFIG_LINUX_USB=y
export CONFIG_TPM=y
export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y
export CONFIG_TOTP_SKIP_QRCODE=y
export CONFIG_OEMRESET_OFFER_DEFAULTS=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

1
boards/librem_14/librem_14.config
View File

@ -28,7 +28,6 @@ CONFIG_LINUX_USB=y
export CONFIG_TPM=y
export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y
export CONFIG_TOTP_SKIP_QRCODE=y
export CONFIG_OEMRESET_OFFER_DEFAULTS=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n

1
boards/librem_15v3/librem_15v3.config
View File

@ -30,7 +30,6 @@ CONFIG_LINUX_USB=y
export CONFIG_TPM=y
export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y
export CONFIG_TOTP_SKIP_QRCODE=y
export CONFIG_OEMRESET_OFFER_DEFAULTS=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

1
boards/librem_15v4/librem_15v4.config
View File

@ -31,7 +31,6 @@ CONFIG_LINUX_USB=y
export CONFIG_TPM=y
export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y
export CONFIG_TOTP_SKIP_QRCODE=y
export CONFIG_OEMRESET_OFFER_DEFAULTS=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

1
boards/librem_l1um/librem_l1um.config
View File

@ -29,7 +29,6 @@ CONFIG_LINUX_USB=y
export CONFIG_TPM=y
export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y
export CONFIG_TOTP_SKIP_QRCODE=y
export CONFIG_OEMRESET_OFFER_DEFAULTS=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n

1
boards/librem_l1um_v2/librem_l1um_v2.config
View File

@ -32,7 +32,6 @@ CONFIG_OPENSSL=y
CONFIG_PRIMARY_KEY_TYPE=ecc
export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y
export CONFIG_TOTP_SKIP_QRCODE=y
export CONFIG_OEMRESET_OFFER_DEFAULTS=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n

1
boards/librem_mini/librem_mini.config
View File

@ -30,7 +30,6 @@ CONFIG_LINUX_USB=y
export CONFIG_TPM=n
export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y
export CONFIG_TOTP_SKIP_QRCODE=y
export CONFIG_OEMRESET_OFFER_DEFAULTS=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n

1
boards/librem_mini_v2/librem_mini_v2.config
View File

@ -30,7 +30,6 @@ CONFIG_LINUX_USB=y
export CONFIG_TPM=n
export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y
export CONFIG_TOTP_SKIP_QRCODE=y
export CONFIG_OEMRESET_OFFER_DEFAULTS=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n

4
boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.md
View File

@ -41,9 +41,11 @@ Bootstrapping a working system
* Then Heads will indicate that there is no TOTP code yet, at this point shut down (Continue to main menu -> Power off)
5. Get the public key that was saved to the virtual USB flash drive
* `sudo mkdir /media/fd_heads_gpg`
* `sudo mount ./build/x86/qemu-coreboot-fbwhiptail-tpm1-hotp/usb_fd.raw /media/fd_heads_gpg`
* `sudo losetup --find --partscan ./build/x86/qemu-coreboot-fbwhiptail-tpm1-hotp/usb_fd.raw`
* `sudo mount /dev/loop0p2 /media/fd_heads_gpg` to mount the second partition (public) or if only one partition, /dev/loop0p1
* Look in `/media/fd_heads_gpg` and copy the most recent public key
* `sudo umount /media/fd_heads_gpg`
* `sudo losetup --detach /dev/loop0`
6. Inject the GPG key into the Heads image and run again
* `make BOARD=qemu-coreboot-fbwhiptail-tpm1-hotp PUBKEY_ASC=<path_to_key.asc> inject_gpg`
* `make BOARD=qemu-coreboot-fbwhiptail-tpm1-hotp USB_TOKEN=LibremKey PUBKEY_ASC=<path_to_key.asc> run`

3
boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config
View File

@ -10,6 +10,9 @@ export CONFIG_LINUX_VERSION=5.10.5
#export CONFIG_RESTRICTED_BOOT=y
#export CONFIG_BASIC=y
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y

3
boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.config
View File

@ -10,6 +10,9 @@ export CONFIG_LINUX_VERSION=5.10.5
#export CONFIG_RESTRICTED_BOOT=y
#export CONFIG_BASIC=y
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y

5
boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config
View File

@ -6,10 +6,13 @@ export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.19
export CONFIG_LINUX_VERSION=5.10.5
#Enable only one RESTRICTED/BASIC boot modes below to test them manually (we cannot inject config under QEMU (no internal flashing)
#Enable only one RESTRICTED/BASIC boot modes below to test them manually (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_RESTRICTED_BOOT=y
#export CONFIG_BASIC=y
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y

3
boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config
View File

@ -10,6 +10,9 @@ export CONFIG_LINUX_VERSION=5.10.5
#export CONFIG_RESTRICTED_BOOT=y
#export CONFIG_BASIC=y
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y

2940
config/linux-librem_common-6.1.8.config
View File

File diff suppressed because it is too large Load Diff

5
config/linux-nitropad-x.config
View File

@ -1548,7 +1548,7 @@ CONFIG_DEVPORT=y
# CONFIG_HPET is not set
# CONFIG_HANGCHECK_TIMER is not set
CONFIG_TCG_TPM=y
CONFIG_HW_RANDOM_TPM=n
# CONFIG_HW_RANDOM_TPM is not set
CONFIG_TCG_TIS_CORE=y
CONFIG_TCG_TIS=y
# CONFIG_TCG_TIS_I2C is not set
@ -2768,7 +2768,8 @@ CONFIG_VFAT_FS=y
CONFIG_FAT_DEFAULT_CODEPAGE=437
CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1"
# CONFIG_FAT_DEFAULT_UTF8 is not set
# CONFIG_EXFAT_FS is not set
CONFIG_EXFAT_FS=y
CONFIG_EXFAT_DEFAULT_IOCHARSET="utf8"
# CONFIG_NTFS_FS is not set
# CONFIG_NTFS3_FS is not set
# end of DOS/FAT/EXFAT/NT Filesystems

4
initrd/.ash_history
View File

@ -1,3 +1,7 @@
#mount /boot in read-only by default
mount /boot
#verify detached signature of /boot content
find /boot/kexec*.txt | gpg --verify /boot/kexec.sig -
#remove invalid kexec_* signed files
mount /dev/sda1 /boot && mount -o remount,rw /boot && rm /boot/kexec* && mount -o remount,ro /boot
#Generate keys from GPG smartcard:

1
initrd/bin/cbfs-init
View File

@ -24,6 +24,7 @@ for cbfsname in `echo $cbfsfiles`; do
TMPFILE=/tmp/cbfs.$$
echo "$filename" > $TMPFILE
cat $filename >> $TMPFILE
DEBUG "Extending TPM PCR $CONFIG_PCR with $filename"
tpmr extend -ix "$CONFIG_PCR" -if $TMPFILE \
|| die "$filename: tpm extend failed"
fi

29
initrd/bin/gui-init
View File

@ -151,12 +151,12 @@ prompt_update_checksums()
generate_totp_hotp()
{
tpm_password="$1" # May be empty, will prompt if needed and empty
TRACE "Under /bin/gui-init:generate_totp_hotp"
TRACE "Under /bin/gui-init:generate_totp_hotp"
tpm_owner_password="$1" # May be empty, will prompt if needed and empty
if [ "$CONFIG_TPM" != "y" ] && [ -x /bin/hotp_verification ]; then
echo "Generating new HOTP secret"
/bin/seal-hotpkey
elif echo -e "Generating new TOTP secret...\n\n" && /bin/seal-totp "$BOARD_NAME" "$tpm_password"; then
elif echo -e "Generating new TOTP secret...\n\n" && /bin/seal-totp "$BOARD_NAME" "$tpm_owner_password"; then
echo
if [ -x /bin/hotp_verification ]; then
if [ "$CONFIG_TOTP_SKIP_QRCODE" != y ]; then
@ -229,8 +229,7 @@ update_totp()
g )
if (whiptail $BG_COLOR_WARNING --title 'Generate new TOTP/HOTP secret' \
--yesno "This will erase your old secret and replace it with a new one!\n\nDo you want to proceed?" 0 80) then
generate_totp_hotp && update_totp && BG_COLOR_MAIN_MENU=""
reseal_tpm_disk_decryption_key
generate_totp_hotp && update_totp && BG_COLOR_MAIN_MENU="" && reseal_tpm_disk_decryption_key
fi
;;
i )
@ -238,8 +237,7 @@ update_totp()
return 1
;;
p )
reset_tpm && update_totp && BG_COLOR_MAIN_MENU=""
reseal_tpm_disk_decryption_key
reset_tpm && update_totp && BG_COLOR_MAIN_MENU="" && reseal_tpm_disk_decryption_key
;;
x )
recovery "User requested recovery shell"
@ -300,8 +298,7 @@ update_hotp()
g )
if (whiptail $BG_COLOR_WARNING --title 'Generate new TOTP/HOTP secret' \
--yesno "This will erase your old secret and replace it with a new one!\n\nDo you want to proceed?" 0 80) then
generate_totp_hotp && BG_COLOR_MAIN_MENU=""
reseal_tpm_disk_decryption_key
generate_totp_hotp && BG_COLOR_MAIN_MENU="" && reseal_tpm_disk_decryption_key
fi
;;
i )
@ -316,7 +313,7 @@ update_hotp()
clean_boot_check()
{
TRACE "Under /bin/gui-init:mount_boot"
TRACE "Under /bin/gui-init:clean_boot_check"
# assume /boot mounted
if ! grep -q /boot /proc/mounts ; then
return
@ -526,12 +523,10 @@ show_tpm_totp_hotp_options_menu()
option=$(cat /tmp/whiptail)
case "$option" in
g )
generate_totp_hotp
reseal_tpm_disk_decryption_key
generate_totp_hotp && reseal_tpm_disk_decryption_key
;;
r )
reset_tpm
reseal_tpm_disk_decryption_key
reset_tpm && reseal_tpm_disk_decryption_key
;;
t )
prompt_totp_mismatch
@ -572,7 +567,7 @@ reset_tpm()
return 1
fi
tpmr reset "$key_password"
tpmr reset "$tpm_owner_password"
# now that the TPM is reset, remove invalid TPM counter files
mount_boot
@ -582,7 +577,7 @@ reset_tpm()
rm -f /boot/kexec_primhdl_hash.txt
# create Heads TPM counter before any others
check_tpm_counter /boot/kexec_rollback.txt "" "$key_password" \
check_tpm_counter /boot/kexec_rollback.txt "" "$tpm_owner_password" \
|| die "Unable to find/create tpm counter"
counter="$TPM_COUNTER"
@ -593,7 +588,7 @@ reset_tpm()
|| die "Unable to create rollback file"
mount -o ro,remount /boot
generate_totp_hotp "$key_password"
generate_totp_hotp "$tpm_owner_password"
else
echo "Returning to the main menu"
fi

2
initrd/bin/kexec-insert-key
View File

@ -49,6 +49,7 @@ if ! kexec-unseal-key "$INITRD_DIR/secret.key"; then
fi
# Override PCR 4 so that user can't read the key
DEBUG "Extending TPM PCR 4 to prevent further secret unsealing"
tpmr extend -ix 4 -ic generic ||
die 'Unable to scramble PCR'
@ -92,7 +93,6 @@ if [ "$unseal_failed" = "n" ]; then
done
else
# No crypttab files were found under selected default boot option's initrd file
# TODO: cpio -t is unfit here :( it just extracts early cpio header and not the whole file. Replace with something else
# Meanwhile, force crypttab to be created from scratch on both possible locations: /etc/crypttab and /cryptroot/crypttab
crypttab_files="etc/crypttab cryptroot/crypttab"
for crypttab_file in $crypttab_files; do

3
initrd/bin/kexec-save-default
View File

@ -276,8 +276,9 @@ if [ ! -d $paramsdir ]; then
fi
if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
sha256sum /tmp/primary.handle >"$PRIMHASH_FILE" ||
sha256sum /tmp/secret/primary.handle >"$PRIMHASH_FILE" ||
die "ERROR: Failed to Hash TPM2 primary key handle!"
DEBUG "TPM2 primary key handle hash saved to $PRIMHASH_FILE"
fi
rm $paramsdir/kexec_default.*.txt 2>/dev/null || true

1
initrd/bin/kexec-save-key
View File

@ -42,7 +42,6 @@ DEBUG "kexec-save-key prior of last override: paramsdir: $paramsdir, paramsdev:
if [ -n "$lvm_volume_group" ]; then
lvm vgchange -a y $lvm_volume_group ||
die "Failed to activate the LVM group"
#TODO: why reuse key_devices for lvm devices?
for dev in /dev/$lvm_volume_group/*; do
key_devices="$key_devices $dev"
done

21
initrd/bin/kexec-seal-key
View File

@ -72,20 +72,21 @@ dd \
# Count the number of slots used on each device
for dev in $(cat "$KEY_DEVICES" | cut -d\ -f1); do
DEBUG "Checking number of slots used on $dev"
DEBUG "Checking number of slots used on $dev LUKS header"
#check if the device is a LUKS device with luks[1,2]
slots_used=$(cryptsetup luksDump $dev | grep -c 'luks[0-9]*' || die "Unable to get number of slots used on $dev")
DEBUG "Number of slots used on $dev: $slots_used"
DEBUG "Number of slots used on $dev LUKS header: $slots_used"
# If slot1 is the only one used, warn and die with proper messages
if [ $slots_used -eq 1 ]; then
# Check if slot 1 is the only one existing
if cryptsetup luksDump $dev | grep -q "Slot 1: ENABLED"; then
warn "Slot 1 is the only one existing on $dev. Heads cannot use it to store TPM sealed LUKS Disk Unlock Key"
die "Slot 1 should not be the only slot existing on $dev. Fix your custom setup"
warn "Slot 1 is the only one existing on $dev LUKS header. Heads cannot use it to store TPM sealed LUKS Disk Unlock Key"
warn "Slot 1 should not be the only slot existing on $dev LUKS header. Slot 0 should be used to store Disk Recovery Key/passphrase"
die "You can safely fix this before continuing through Heads recovery shell: cryptsetup luksAddKey $dev"
fi
else
DEBUG "Slot 1 is not the only existing slot on $dev"
DEBUG "$dev Slot 1 will be used to store LUKS Disk Unlock Key that TPM will seal/unseal with TPM Disk Unlock Key passphrase"
DEBUG "Slot 1 is not the only existing slot on $dev LUKS header."
DEBUG "$dev LUKS header's slot 1 will store LUKS Disk Unlock Key that TPM will seal/unseal with TPM Disk Unlock Key passphrase"
fi
done
@ -136,7 +137,7 @@ tpmr pcrread -a 7 "$pcrf"
DO_WITH_DEBUG --mask-position 7 \
tpmr seal "$KEY_FILE" "$TPM_INDEX" 0,1,2,3,4,5,6,7 "$pcrf" \
"$TPM_SIZE" "$key_password"
"$TPM_SIZE" "$key_password" || die "Unable to write TPM Disk Unlock Key to NVRAM"
# should be okay if this fails
shred -n 10 -z -u "$pcrf" 2>/dev/null ||
@ -144,7 +145,7 @@ shred -n 10 -z -u "$pcrf" 2>/dev/null ||
shred -n 10 -z -u "$KEY_FILE" 2>/dev/null ||
warn "Failed to delete key file - continuing"
mount -o rw,remount $paramsdir || die "Failed to remount $paramsdir in RW - continuing"
mount -o rw,remount $paramsdir || warn "Failed to remount $paramsdir in RW - continuing"
cp -f /tmp/luksDump.txt "$paramsdir/kexec_lukshdr_hash.txt" ||
die "Failed to copy LUKS header hashes to /boot - continuing"
mount -o ro,remount $paramsdir || die "Failed to remount $paramsdir in RO - continuing"
warn "Failed to copy LUKS header hashes to /boot - continuing"
mount -o ro,remount $paramsdir || warn "Failed to remount $paramsdir in RO - continuing"

178
initrd/bin/kexec-select-boot
View File

@ -19,18 +19,25 @@ force_boot="n"
skip_confirm="n"
while getopts "b:d:p:a:r:c:uimgfs" arg; do
case $arg in
b) bootdir="$OPTARG" ;;
d) paramsdev="$OPTARG" ;;
p) paramsdir="$OPTARG" ;;
a) add="$OPTARG" ;;
r) remove="$OPTARG" ;;
c) config="$OPTARG" ;;
u) unique="y" ;;
m) force_menu="y" ;;
i) valid_hash="y"; valid_rollback="y" ;;
g) gui_menu="y" ;;
f) force_boot="y"; valid_hash="y"; valid_rollback="y" ;;
s) skip_confirm="y" ;;
b) bootdir="$OPTARG" ;;
d) paramsdev="$OPTARG" ;;
p) paramsdir="$OPTARG" ;;
a) add="$OPTARG" ;;
r) remove="$OPTARG" ;;
c) config="$OPTARG" ;;
u) unique="y" ;;
m) force_menu="y" ;;
i)
valid_hash="y"
valid_rollback="y"
;;
g) gui_menu="y" ;;
f)
force_boot="y"
valid_hash="y"
valid_rollback="y"
;;
s) skip_confirm="y" ;;
esac
done
@ -53,24 +60,25 @@ paramsdir="${paramsdir%%/}"
PRIMHASH_FILE="$paramsdir/kexec_primhdl_hash.txt"
if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
if [ -r "$PRIMHASH_FILE" ]; then
sha256sum -c "$PRIMHASH_FILE" \
|| {
echo "FATAL: Hash of TPM2 primary key handle mismatch!";
warn "If you have not intentionally regenerated TPM2 primary key,";
warn "your system may have been compromised";
}
sha256sum -c "$PRIMHASH_FILE" ||
{
echo "FATAL: Hash of TPM2 primary key handle mismatch!"
warn "If you have not intentionally regenerated TPM2 primary key,"
warn "your system may have been compromised"
DEBUG "Hash of TPM2 primary key handle mismatched for $PRIMHASH_FILE"
}
else
warn "Hash of TPM2 primary key handle does not exist"
warn "Please rebuild the boot hash tree"
default_failed="y"
DEBUG "Hash of TPM2 primary key handle does not exist under $PRIMHASH_FILE"
fi
fi
verify_global_hashes()
{
verify_global_hashes() {
echo "+++ Checking verified boot hash file "
# Check the hashes of all the files
if verify_checksums "$bootdir" "$gui_menu" ; then
if verify_checksums "$bootdir" "$gui_menu"; then
echo "+++ Verified boot hashes "
valid_hash='y'
valid_global_hash='y'
@ -82,44 +90,43 @@ verify_global_hashes()
fi
die "$TMP_HASH_FILE: boot hash mismatch"
fi
# If user enables it, check root hashes before boot as well
if [[ "$CONFIG_ROOT_CHECK_AT_BOOT" = "y" && "$force_menu" == "n" ]]; then
if root-hashes-gui.sh -c; then
echo "+++ Verified root hashes, continuing boot "
# if user re-signs, it wipes out saved options, so scan the boot directory and generate
if [ ! -r "$TMP_MENU_FILE" ]; then
scan_options
fi
else
# root-hashes-gui.sh handles the GUI error menu, just die here
if [ "$gui_menu" = "y" ]; then
whiptail $BG_COLOR_ERROR --title 'ERROR: Root Hash Mismatch' \
--msgbox "The root hash check failed!\nExiting to a recovery shell" 0 80
fi
die "root hash mismatch, see /tmp/hash_output_mismatches for details"
fi
fi
# If user enables it, check root hashes before boot as well
if [[ "$CONFIG_ROOT_CHECK_AT_BOOT" = "y" && "$force_menu" == "n" ]]; then
if root-hashes-gui.sh -c; then
echo "+++ Verified root hashes, continuing boot "
# if user re-signs, it wipes out saved options, so scan the boot directory and generate
if [ ! -r "$TMP_MENU_FILE" ]; then
scan_options
fi
else
# root-hashes-gui.sh handles the GUI error menu, just die here
if [ "$gui_menu" = "y" ]; then
whiptail $BG_COLOR_ERROR --title 'ERROR: Root Hash Mismatch' \
--msgbox "The root hash check failed!\nExiting to a recovery shell" 0 80
fi
die "root hash mismatch, see /tmp/hash_output_mismatches for details"
fi
fi
}
verify_rollback_counter()
{
TPM_COUNTER=`grep counter $TMP_ROLLBACK_FILE | cut -d- -f2`
verify_rollback_counter() {
TPM_COUNTER=$(grep counter $TMP_ROLLBACK_FILE | cut -d- -f2)
if [ -z "$TPM_COUNTER" ]; then
die "$TMP_ROLLBACK_FILE: TPM counter not found?"
fi
read_tpm_counter $TPM_COUNTER \
|| die "Failed to read TPM counter"
read_tpm_counter $TPM_COUNTER ||
die "Failed to read TPM counter"
sha256sum -c $TMP_ROLLBACK_FILE \
|| die "Invalid TPM counter state"
sha256sum -c $TMP_ROLLBACK_FILE ||
die "Invalid TPM counter state"
valid_rollback="y"
}
first_menu="y"
get_menu_option() {
num_options=`cat $TMP_MENU_FILE | wc -l`
num_options=$(cat $TMP_MENU_FILE | wc -l)
if [ $num_options -eq 0 ]; then
die "No boot options"
fi
@ -129,13 +136,12 @@ get_menu_option() {
elif [ "$gui_menu" = "y" ]; then
MENU_OPTIONS=""
n=0
while read option
do
while read option; do
parse_option
n=`expr $n + 1`
n=$(expr $n + 1)
name=$(echo $name | tr " " "_")
MENU_OPTIONS="$MENU_OPTIONS $n ${name} "
done < $TMP_MENU_FILE
done <$TMP_MENU_FILE
whiptail --title "Select your boot option" \
--menu "Choose the boot option [1-$n, a to abort]:" 0 80 8 \
@ -146,12 +152,11 @@ get_menu_option() {
else
echo "+++ Select your boot option:"
n=0
while read option
do
while read option; do
parse_option
n=`expr $n + 1`
n=$(expr $n + 1)
echo "$n. $name [$kernel]"
done < $TMP_MENU_FILE
done <$TMP_MENU_FILE
read \
-p "Choose the boot option [1-$n, a to abort]: " \
@ -163,7 +168,7 @@ get_menu_option() {
fi
first_menu="n"
option=`head -n $option_index $TMP_MENU_FILE | tail -1`
option=$(head -n $option_index $TMP_MENU_FILE | tail -1)
parse_option
}
@ -172,7 +177,7 @@ confirm_menu_option() {
default_text="Make default"
[[ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" = "y" ]] && default_text="${default_text} and boot"
whiptail $BG_COLOR_WARNING --title "Confirm boot details" \
--menu "Confirm the boot details for $name:\n\n$(echo $kernel| fold -s -w 80) \n\n" 0 80 8 \
--menu "Confirm the boot details for $name:\n\n$(echo $kernel | fold -s -w 80) \n\n" 0 80 8 \
-- 'd' "${default_text}" 'y' "Boot one time" \
2>/tmp/whiptail || die "Aborting boot attempt"
@ -190,8 +195,8 @@ confirm_menu_option() {
}
parse_option() {
name=`echo $option | cut -d\| -f1`
kernel=`echo $option | cut -d\| -f3`
name=$(echo $option | cut -d\| -f1)
kernel=$(echo $option | cut -d\| -f3)
}
scan_options() {
@ -202,7 +207,7 @@ scan_options() {
die "Failed to parse any boot options"
fi
if [ "$unique" = 'y' ]; then
sort -r $option_file | uniq > $TMP_MENU_FILE
sort -r $option_file | uniq >$TMP_MENU_FILE
else
cp $option_file $TMP_MENU_FILE
fi
@ -224,7 +229,7 @@ save_default_option() {
-d "$paramsdev" \
-p "$paramsdir" \
-i "$option_index" \
; then
; then
echo "+++ Saved defaults to device"
sleep 2
default_failed="n"
@ -242,11 +247,11 @@ default_select() {
# Attempt boot with expected parameters
# Check that entry matches that which is expected from menu
default_index=`basename "$TMP_DEFAULT_FILE" | cut -d. -f 2`
default_index=$(basename "$TMP_DEFAULT_FILE" | cut -d. -f 2)
# Check to see if entries have changed - useful for detecting grub update
expectedoption=`cat $TMP_DEFAULT_FILE`
option=`head -n $default_index $TMP_MENU_FILE | tail -1`
expectedoption=$(cat $TMP_DEFAULT_FILE)
option=$(head -n $default_index $TMP_MENU_FILE | tail -1)
if [ "$option" != "$expectedoption" ]; then
if [ "$gui_menu" = "y" ]; then
whiptail $BG_COLOR_ERROR --title 'ERROR: Boot Entry Has Changed' \
@ -261,7 +266,7 @@ default_select() {
# Enforce that default option hashes are valid
echo "+++ Checking verified default boot hash file "
# Check the hashes of all the files
if ( cd $bootdir && sha256sum -c "$TMP_DEFAULT_HASH_FILE" > /tmp/hash_output ); then
if (cd $bootdir && sha256sum -c "$TMP_DEFAULT_HASH_FILE" >/tmp/hash_output); then
echo "+++ Verified default boot hashes "
valid_hash='y'
else
@ -282,10 +287,9 @@ user_select() {
# No default expected boot parameters, ask user
option_confirm=""
while [ "$option_confirm" != "y" -a "$option_confirm" != "d" ]
do
while [ "$option_confirm" != "y" -a "$option_confirm" != "d" ]; do
get_menu_option
# In force boot mode, no need offer the option to set a default, just boot
# In force boot mode, no need offer the option to set a default, just boot
if [[ "$force_boot" = "y" || "$skip_confirm" = "y" ]]; then
do_boot
else
@ -305,8 +309,8 @@ user_select() {
echo "+++ Rebooting to start the new default option"
sleep 2
if [ "$CONFIG_DEBUG_OUTPUT" != "y" ]; then
reboot \
|| die "!!! Failed to reboot system"
reboot ||
die "!!! Failed to reboot system"
else
DEBUG "Rebooting is required prior of booting default boot entry"
# Instead of rebooting, drop to a recovery shell
@ -319,8 +323,7 @@ user_select() {
do_boot
}
do_boot()
{
do_boot() {
if [ "$CONFIG_BASIC" != y ] && [ "$CONFIG_BOOT_REQ_ROLLBACK" = "y" ] && [ "$valid_rollback" = "n" ]; then
die "!!! Missing required rollback counter state"
fi
@ -330,31 +333,31 @@ do_boot()
fi
if [ "$CONFIG_BASIC" != y ] && [ "$CONFIG_TPM" = "y" ] && [ -r "$TMP_KEY_DEVICES" ]; then
INITRD=`kexec-boot -b "$bootdir" -e "$option" -i` \
|| die "!!! Failed to extract the initrd from boot option"
INITRD=$(kexec-boot -b "$bootdir" -e "$option" -i) ||
die "!!! Failed to extract the initrd from boot option"
if [ -z "$INITRD" ]; then
die "!!! No initrd file found in boot option"
fi
kexec-insert-key $INITRD \
|| die "!!! Failed to insert disk key into a new initrd"
kexec-insert-key $INITRD ||
die "!!! Failed to insert disk key into a new initrd"
kexec-boot -b "$bootdir" -e "$option" \
-a "$add" -r "$remove" -o "/tmp/secret/initrd.cpio" \
|| die "!!! Failed to boot w/ options: $option"
-a "$add" -r "$remove" -o "/tmp/secret/initrd.cpio" ||
die "!!! Failed to boot w/ options: $option"
else
kexec-boot -b "$bootdir" -e "$option" -a "$add" -r "$remove" \
|| die "!!! Failed to boot w/ options: $option"
kexec-boot -b "$bootdir" -e "$option" -a "$add" -r "$remove" ||
die "!!! Failed to boot w/ options: $option"
fi
}
while true; do
if [ "$force_boot" = "y" -o "$CONFIG_BASIC" = "y" ]; then
check_config $paramsdir force
check_config $paramsdir force
else
check_config $paramsdir
check_config $paramsdir
fi
TMP_DEFAULT_FILE=`find /tmp/kexec/kexec_default.*.txt 2>/dev/null | head -1` || true
TMP_DEFAULT_FILE=$(find /tmp/kexec/kexec_default.*.txt 2>/dev/null | head -1) || true
TMP_MENU_FILE="/tmp/kexec/kexec_menu.txt"
TMP_HASH_FILE="/tmp/kexec/kexec_hashes.txt"
TMP_TREE_FILE="/tmp/kexec/kexec_tree.txt"
@ -363,8 +366,8 @@ while true; do
TMP_KEY_DEVICES="/tmp/kexec/kexec_key_devices.txt"
TMP_KEY_LVM="/tmp/kexec/kexec_key_lvm.txt"
# Allow a way for users to ignore warnings and boot into their systems
# even if hashes don't match
# Allow a way for users to ignore warnings and boot into their systems
# even if hashes don't match
if [ "$force_boot" = "y" ]; then
scan_options
if [ "$CONFIG_BASIC" != "y" ]; then
@ -378,8 +381,9 @@ while true; do
if [ "$CONFIG_TPM" = "y" ]; then
if [ ! -r "$TMP_KEY_DEVICES" ]; then
# Extend PCR4 as soon as possible
tpmr extend -ix 4 -ic generic \
|| die "Failed to extend PCR 4"
DEBUG "Extending TPM PCR 4 to prevent further secret unsealing"
tpmr extend -ix 4 -ic generic ||
die "Failed to extend PCR 4"
fi
fi
@ -412,7 +416,7 @@ while true; do
-a "$force_menu" = "n" \
-a -r "$TMP_DEFAULT_FILE" \
-a -r "$TMP_DEFAULT_HASH_FILE" ] \
; then
; then
default_select
default_failed="y"
else

3
initrd/bin/media-scan
View File

@ -7,6 +7,9 @@ set -e -o pipefail
TRACE "Under /bin/media-scan"
#Booting from external media should be authenticated if supported
gpg_auth || die "GPG authentication failed"
# Unmount any previous boot device
if grep -q /boot /proc/mounts ; then
umount /boot \

2
initrd/bin/mount-usb
View File

@ -184,7 +184,7 @@ if cryptsetup isLuks "$USB_MOUNT_DEVICE"; then
|| die "ERROR: Failed to open ${USB_MOUNT_DEVICE} LUKS device"
fi
warn "Note that you cannot boot from a mounted encrypted device."
warn "Note that you cannot boot from a mounted encrypted device"
DEBUG "Setting USB_MOUNT_DEVICE=/dev/mapper/"usb_mount_$(basename "$USB_MOUNT_DEVICE")""
USB_MOUNT_DEVICE="/dev/mapper/"usb_mount_$(basename "$USB_MOUNT_DEVICE")""
else

1410
initrd/bin/oem-factory-reset
View File

File diff suppressed because it is too large Load Diff

6
initrd/bin/qubes-measure-luks
View File

@ -14,11 +14,11 @@ for dev in "$@"; do
die "$dev: Unable to read LUKS header"
done
DEBUG "Hashing luks headers into /tmp/luksDump.txt"
sha256sum /tmp/lukshdr-* >/tmp/luksDump.txt || die "Unable to hash luks headers"
DEBUG "Hashing LUKS headers into /tmp/luksDump.txt"
sha256sum /tmp/lukshdr-* >/tmp/luksDump.txt || die "Unable to hash LUKS headers"
DEBUG "Removing /tmp/lukshdr-*"
rm /tmp/lukshdr-*
DEBUG "Extending PCR 6 with /tmp/luksDump.txt"
DEBUG "Extending TPM PCR 6 with hash of LUKS headers from /tmp/luksDump.txt"
tpmr extend -ix 6 -if /tmp/luksDump.txt ||
die "Unable to extend PCR"

13
initrd/bin/reboot
View File

@ -3,14 +3,23 @@
TRACE "Under /bin/reboot"
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
#Generalize user prompt to continue reboot or go to recovery shell
read -r -n 1 -s -p "Press any key to continue reboot or 'r' to go to recovery shell: " REPLY
echo
if [ "$REPLY" = "r" ] || [ "$REPLY" = "R" ]; then
recovery "Reboot call bypassed to go into recovery shell to debug"
fi
fi
# Shut down TPM
if [ "$CONFIG_TPM" = "y" ]; then
tpmr shutdown
fi
# Run special EC-based poweroff for Nitropad-Nxx
if [ "${CONFIG_BOARD%_*}" = nitropad-nv41 || "${CONFIG_BOARD%_*}" = nitropad-ns51 ]; then
/bin/nitropad-shutdown.sh
if [ "${CONFIG_BOARD%_*}" = nitropad-nv41 ] || [ "${CONFIG_BOARD%_*}" = nitropad-ns51 ]; then
/bin/nitropad-shutdown.sh
fi
# Sync all mounted filesystems

2
initrd/bin/seal-hotpkey
View File

@ -1,5 +1,5 @@
#!/bin/bash
# Retrieve the sealed TOTP secret and initialize a USB Security dongle with it
# Retrieve the sealed TOTP secret and initialize a USB Security Dongle with it
. /etc/functions

20
initrd/bin/seal-totp
View File

@ -25,10 +25,10 @@ dd \
of="$TOTP_SECRET" \
count=1 \
bs=20 \
2>/dev/null \
|| die "Unable to generate 20 random bytes"
2>/dev/null ||
die "Unable to generate 20 random bytes"
secret="`base32 < $TOTP_SECRET`"
secret="$(base32 <$TOTP_SECRET)"
pcrf="/tmp/secret/pcrf.bin"
DEBUG "Sealing TOTP with actual state of PCR0-3"
tpmr pcrread 0 "$pcrf"
@ -36,20 +36,22 @@ tpmr pcrread -a 1 "$pcrf"
tpmr pcrread -a 2 "$pcrf"
tpmr pcrread -a 3 "$pcrf"
DEBUG "Sealing TOTP with boot state of PCR4 (Going to recovery shell extends PCR4)"
# pcr 4 is expected to either:
# pcr 4 is expected to either:
# zero on bare coreboot+linuxboot on x86 (boot mode: init)
# already extended on ppc64 per BOOTKERNEL (skiboot) which boots heads.
# Read from event log to catch both cases, even when called from recovery shell.
tpmr calcfuturepcr 4 >> "$pcrf"
tpmr calcfuturepcr 4 >>"$pcrf"
# pcr 5 (kernel modules loaded) is not measured at sealing/unsealing of totp
DEBUG "Sealing TOTP neglecting PCR5 involvement (Dynamically loaded kernel modules are not firmware integrity attestation related)"
# pcr 6 (drive luks header) is not measured at sealing/unsealing of totp
# pcr 6 (drive LUKS header) is not measured at sealing/unsealing of totp
DEBUG "Sealing TOTP without PCR6 involvement (LUKS header consistency is not firmware integrity attestation related)"
# pcr 7 is containing measurements of user injected stuff in cbfs
tpmr pcrread -a 7 "$pcrf"
tpmr seal "$TOTP_SECRET" "$TPM_NVRAM_SPACE" 0,1,2,3,4,7 "$pcrf" 312 "" "$TPM_PASSWORD" \
|| die "Unable to write sealed secret to NVRAM"
shred -n 10 -z -u "$TOTP_SEALED" 2> /dev/null
#Make sure we clear the TPM Owner Password from memory in case it failed to be used to seal TOTP
tpmr seal "$TOTP_SECRET" "$TPM_NVRAM_SPACE" 0,1,2,3,4,7 "$pcrf" 312 "" "$TPM_PASSWORD" ||
die "Unable to write sealed secret to NVRAM from seal-totp"
#Make sure we clear TPM TOTP sealed if we succeed to seal TOTP
shred -n 10 -z -u "$TOTP_SEALED" 2>/dev/null
url="otpauth://totp/$HOST?secret=$secret"
secret=""

2
initrd/bin/tpm-reset
View File

@ -7,4 +7,4 @@ echo '*****'
prompt_new_owner_password
tpmr reset "$key_password"
tpmr reset "$tpm_owner_password"

443
initrd/bin/tpmr
View File

@ -5,9 +5,9 @@
SECRET_DIR="/tmp/secret"
PRIMARY_HANDLE="0x81000000"
ENC_SESSION_FILE="enc.ctx"
DEC_SESSION_FILE="dec.ctx"
PRIMARY_HANDLE_FILE="primary.handle"
ENC_SESSION_FILE="$SECRET_DIR/enc.ctx"
DEC_SESSION_FILE="$SECRET_DIR/dec.ctx"
PRIMARY_HANDLE_FILE="$SECRET_DIR/primary.handle"
# PCR size in bytes. Set when we determine what TPM version is in use.
# TPM1 PCRs are always 20 bytes. TPM2 is allowed to provide multiple PCR banks
@ -115,7 +115,7 @@ extend_pcr_state() {
shift
if is_hash "$alg" "$next"; then
extend="$next"
else
else
extend="$("${alg}sum" <"$next" | cut -d' ' -f1)"
fi
state="$(echo "$state$extend" | hex2bin | "${alg}sum" | cut -d' ' -f1)"
@ -127,7 +127,7 @@ extend_pcr_state() {
# different arguments for grep. Those formats are shown below as heredocs to
# keep all the data, including whitespaces:
# 1) TPM2 log, which can hold multiple hash algorithms at once:
: << 'EOF'
: <<'EOF'
TPM2 log:
Specification: 2.00
Platform class: PC Client
@ -140,7 +140,7 @@ TPM2 log entry 1:
Event data: FMAP: FMAP
EOF
# 2) TPM1.2 log (aka TCPA), digest is always SHA1:
: << 'EOF'
: <<'EOF'
TCPA log:
Specification: 1.21
Platform class: PC Client
@ -152,7 +152,7 @@ TCPA log entry 1:
EOF
# 3) coreboot-specific format:
# 3.5) older versions printed 'coreboot TCPA log', even though it isn't TCPA
: << 'EOF'
: <<'EOF'
coreboot TPM log:
PCR-2 27c4f1fa214480c8626397a15981ef3a9323717f SHA1 [FMAP: FMAP]
@ -194,25 +194,25 @@ $0 ~ pcr {
# is returned in binary form.
replay_pcr() {
TRACE "Under /bin/tpmr:replay_pcr"
if [ -z "$2" ] ; then
>&2 echo "No PCR number passed"
if [ -z "$2" ]; then
echo >&2 "No PCR number passed"
return
fi
if [ "$2" -ge 8 ] ; then
>&2 echo "Illegal PCR number ($2)"
if [ "$2" -ge 8 ]; then
echo >&2 "Illegal PCR number ($2)"
return
fi
local log=`cbmem -L`
local log=$(cbmem -L)
local alg="$1"
local pcr="$2"
local alg_digits=0
# SHA-1 hashes are 40 chars
if [ "$alg" = "sha1" ] ; then alg_digits=40; fi
if [ "$alg" = "sha1" ]; then alg_digits=40; fi
# SHA-256 hashes are 64 chars
if [ "$alg" = "sha256" ] ; then alg_digits=64; fi
if [ "$alg" = "sha256" ]; then alg_digits=64; fi
shift 2
replayed_pcr=$(extend_pcr_state $alg $(printf "%.${alg_digits}d" 0) \
$(echo "$log" | awk -v alg=$alg -v pcr=$pcr -f <(echo $AWK_PROG)) $@)
$(echo "$log" | awk -v alg=$alg -v pcr=$pcr -f <(echo $AWK_PROG)) $@)
echo $replayed_pcr | hex2bin
DEBUG "Replayed cbmem -L clean boot state of PCR=$pcr ALG=$alg : $replayed_pcr"
# To manually introspect current PCR values:
@ -225,24 +225,28 @@ replay_pcr() {
# PCR-5, depending on which modules are loaded for given board:
# tpmr calcfuturepcr 5 module0.ko module1.ko module2.ko | xxd -p
# PCR-6 and PCR-7: similar to 5, but with different files passed
# (6: luks header, 7: user related cbfs files loaded from cbfs-init)
# (6: LUKS header, 7: user related cbfs files loaded from cbfs-init)
}
tpm2_extend() {
TRACE "Under /bin/tpmr:tpm2_extend"
while true; do
case "$1" in
-ix)
index="$2"
shift 2;;
-ic)
hash="$(echo -n "$2"|sha256sum|cut -d' ' -f1)"
shift 2;;
-if)
hash="$(sha256sum "$2"|cut -d' ' -f1)"
shift 2;;
*)
break;;
-ix)
index="$2"
shift 2
;;
-ic)
hash="$(echo -n "$2" | sha256sum | cut -d' ' -f1)"
shift 2
;;
-if)
hash="$(sha256sum "$2" | cut -d' ' -f1)"
shift 2
;;
*)
break
;;
esac
done
tpm2 pcrextend "$index:sha256=$hash"
@ -253,57 +257,78 @@ tpm2_counter_read() {
TRACE "Under /bin/tpmr:tpm2_counter_read"
while true; do
case "$1" in
-ix)
index="$2"
shift 2;;
*)
break;;
-ix)
index="$2"
shift 2
;;
*)
break
;;
esac
done
echo "$index: `tpm2 nvread 0x$index | xxd -pc8`"
echo "$index: $(tpm2 nvread 0x$index | xxd -pc8)"
}
tpm2_counter_inc() {
TRACE "Under /bin/tpmr:tpm2_counter_inc"
while true; do
case "$1" in
-ix)
index="$2"
shift 2;;
-pwdc)
pwd="$2"
shift 2;;
*)
break;;
-ix)
index="$2"
shift 2
;;
-pwdc)
pwd="$2"
shift 2
;;
*)
break
;;
esac
done
tpm2 nvincrement "0x$index" > /dev/console
echo "$index: `tpm2 nvread 0x$index | xxd -pc8`"
tpm2 nvincrement "0x$index" >/dev/console
echo "$index: $(tpm2 nvread 0x$index | xxd -pc8)"
}
tpm2_counter_cre() {
TRACE "Under /bin/tpmr:tpm2_counter_cre"
tpm1_counter_create() {
TRACE "Under /bin/tpmr:tpm1_counter_create"
# tpmr handles the TPM owner password (from cache or prompt), but all
# other parameters for TPM1 are passed directly, and TPM2 mimics the
# TPM1 interface.
prompt_tpm_owner_password
if ! tpm counter_create -pwdo "$(cat "/tmp/secret/tpm_owner_password")" "$@"; then
DEBUG "Failed to create counter from tpm1_counter_create. Wiping /tmp/secret/tpm_owner_password"
shred -n 10 -z -u /tmp/secret/tpm_owner_password
die "Unable to create counter from tpm1_counter_create"
fi
}
tpm2_counter_create() {
TRACE "Under /bin/tpmr:tpm2_counter_create"
while true; do
case "$1" in
-pwdo)
pwdo="$2"
shift 2;;
-pwdof)
pwdo="file:$2"
shift 2;;
-pwdc)
pwd="$2"
shift 2;;
-la)
label="$2"
shift 2;;
*)
break;;
-pwdc)
pwd="$2"
shift 2
;;
-la)
label="$2"
shift 2
;;
*)
break
;;
esac
done
rand_index="1`dd if=/dev/urandom bs=1 count=3 | xxd -pc3`"
prompt_tpm_owner_password
rand_index="1$(dd if=/dev/urandom bs=1 count=3 | xxd -pc3)"
tpm2 nvdefine -C o -s 8 -a "ownerread|authread|authwrite|nt=1" \
-P "$(tpm2_password_hex "$pwdo")" "0x$rand_index" > /dev/console
-P "$(tpm2_password_hex "$(cat "/tmp/secret/tpm_owner_password")")" "0x$rand_index" >/dev/console ||
{
DEBUG "Failed to create counter from tpm2_counter_create. Wiping /tmp/secret/tpm_owner_password"
shred -n 10 -z -u /tmp/secret/tpm_owner_password
die "Unable to create counter from tpm2_counter_create"
}
echo "$rand_index: (valid after an increment)"
}
@ -311,20 +336,20 @@ tpm2_startsession() {
TRACE "Under /bin/tpmr:tpm2_startsession"
mkdir -p "$SECRET_DIR"
tpm2 flushcontext -Q \
--transient-object \
|| die "tpm2_flushcontext: unable to flush transient handles"
--transient-object ||
die "tpm2_flushcontext: unable to flush transient handles"
tpm2 flushcontext -Q \
--loaded-session \
|| die "tpm2_flushcontext: unable to flush sessions"
--loaded-session ||
die "tpm2_flushcontext: unable to flush sessions"
tpm2 flushcontext -Q \
--saved-session \
|| die "tpm2_flushcontext: unable to flush saved session"
tpm2 readpublic -Q -c "$PRIMARY_HANDLE" -t "/tmp/$PRIMARY_HANDLE_FILE"
tpm2 startauthsession -Q -c "/tmp/$PRIMARY_HANDLE_FILE" --hmac-session -S "/tmp/$ENC_SESSION_FILE"
tpm2 startauthsession -Q -c "/tmp/$PRIMARY_HANDLE_FILE" --hmac-session -S "/tmp/$DEC_SESSION_FILE"
tpm2 sessionconfig -Q --disable-encrypt "/tmp/$DEC_SESSION_FILE"
--saved-session ||
die "tpm2_flushcontext: unable to flush saved session"
tpm2 readpublic -Q -c "$PRIMARY_HANDLE" -t "$PRIMARY_HANDLE_FILE"
tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$ENC_SESSION_FILE"
tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$DEC_SESSION_FILE"
tpm2 sessionconfig -Q --disable-encrypt "$DEC_SESSION_FILE"
}
# Use cleanup_session() with at_exit to release a TPM2 session and delete the
@ -354,27 +379,27 @@ cleanup_shred() {
# tpm2_destroy: Destroy a sealed file in the TPM. The mechanism differs by
# TPM version - TPM2 evicts the file object, so it no longer exists.
tpm2_destroy() {
index="$1" # Index of the sealed file
size="$2" # Size of zeroes to overwrite for TPM1 (unused in TPM2)
index="$1" # Index of the sealed file
size="$2" # Size of zeroes to overwrite for TPM1 (unused in TPM2)
# Pad with up to 6 zeros, i.e. '0x81000001', '0x81001234', etc.
handle="$(printf "0x81%6s" "$index" | tr ' ' 0)"
# remove possible data occupying this handle
tpm2 evictcontrol -Q -C p -c "$handle" 2>/dev/null \
|| die "Unable to evict secret"
tpm2 evictcontrol -Q -C p -c "$handle" 2>/dev/null ||
die "Unable to evict secret from TPM NVRAM"
}
# tpm1_destroy: Destroy a sealed file in the TPM. The mechanism differs by
# TPM version - TPM1 overwrites the file with zeroes, since this can be done
# without authorization. (Deletion requires authorization.)
tpm1_destroy() {
index="$1" # Index of the sealed file
size="$2" # Size of zeroes to overwrite for TPM1
index="$1" # Index of the sealed file
size="$2" # Size of zeroes to overwrite for TPM1
dd if=/dev/zero bs="$size" count=1 of=/tmp/wipe-totp-zero
tpm nv_writevalue -in "$index" -if /tmp/wipe-totp-zero \
|| die "Unable to wipe sealed secret"
tpm nv_writevalue -in "$index" -if /tmp/wipe-totp-zero ||
die "Unable to wipe sealed secret from TPM NVRAM"
}
# tpm2_seal: Seal a file against PCR values and, optionally, a password.
@ -388,13 +413,13 @@ tpm2_seal() {
index="$2"
pcrl="$3" #0,1,2,3,4,5,6,7 (does not include algorithm prefix)
pcrf="$4"
sealed_size="$5" # Not used for TPM2
pass="$6" # May be empty to seal with no password
tpm_password="$7" # Owner password - will prompt if needed and not empty
# Owner password is always needed for TPM2.
sealed_size="$5" # Not used for TPM2
pass="$6" # May be empty to seal with no password
tpm_password="$7" # Owner password - will prompt if needed and not empty
# TPM Owner Password is always needed for TPM2.
mkdir -p "$SECRET_DIR"
bname="`basename $file`"
bname="$(basename $file)"
# Pad with up to 6 zeros, i.e. '0x81000001', '0x81001234', etc.
handle="$(printf "0x81%6s" "$index" | tr ' ' 0)"
@ -403,8 +428,8 @@ tpm2_seal() {
# Create a policy requiring both PCRs and the object's authentication
# value using a trial session.
TRIAL_SESSION=/tmp/sealfile_trial.session
AUTH_POLICY=/tmp/sealfile_auth.policy
TRIAL_SESSION="$SECRET_DIR/sealfile_trial.session"
AUTH_POLICY="$SECRET_DIR/sealfile_auth.policy"
rm -f "$TRIAL_SESSION" "$AUTH_POLICY"
tpm2 startauthsession -g sha256 -S "$TRIAL_SESSION"
# We have to clean up the session
@ -430,25 +455,30 @@ tpm2_seal() {
# (The default is to allow either policy auth _or_ password auth. In
# this case the policy includes the password, and we don't want to allow
# the password on its own.)
tpm2 create -Q -C "/tmp/$PRIMARY_HANDLE_FILE" \
tpm2 create -Q -C "$PRIMARY_HANDLE_FILE" \
-i "$file" \
-u "$SECRET_DIR/$bname.priv" \
-r "$SECRET_DIR/$bname.pub" \
-L "$AUTH_POLICY" \
-S "/tmp/$DEC_SESSION_FILE" \
-S "$DEC_SESSION_FILE" \
-a "fixedtpm|fixedparent|adminwithpolicy" \
"${CREATE_PASS_ARGS[@]}"
tpm2 load -Q -C "/tmp/$PRIMARY_HANDLE_FILE" \
tpm2 load -Q -C "$PRIMARY_HANDLE_FILE" \
-u "$SECRET_DIR/$bname.priv" -r "$SECRET_DIR/$bname.pub" \
-c "$SECRET_DIR/$bname.seal.ctx"
prompt_tpm_password
prompt_tpm_owner_password
# remove possible data occupying this handle
tpm2 evictcontrol -Q -C o -P "$(tpm2_password_hex "$tpm_password")" \
tpm2 evictcontrol -Q -C o -P "$(tpm2_password_hex "$tpm_owner_password")" \
-c "$handle" 2>/dev/null || true
DO_WITH_DEBUG --mask-position 6 \
tpm2 evictcontrol -Q -C o -P "$(tpm2_password_hex "$tpm_password")" \
-c "$SECRET_DIR/$bname.seal.ctx" "$handle"
tpm2 evictcontrol -Q -C o -P "$(tpm2_password_hex "$tpm_owner_password")" \
-c "$SECRET_DIR/$bname.seal.ctx" "$handle" ||
{
DEBUG "Failed to write sealed secret to NVRAM from tpm2_seal. Wiping /tmp/secret/tpm_owner_password"
shred -n 10 -z -u /tmp/secret/tpm_owner_password
die "Unable to write sealed secret to TPM NVRAM"
}
}
tpm1_seal() {
TRACE "Under /bin/tpmr:tpm1_seal"
@ -457,8 +487,8 @@ tpm1_seal() {
pcrl="$3" #0,1,2,3,4,5,6,7 (does not include algorithm prefix)
pcrf="$4"
sealed_size="$5"
pass="$6" # May be empty to seal with no password
tpm_password="$7" # Owner password - will prompt if needed and not empty
pass="$6" # May be empty to seal with no password
tpm_password="$7" # Owner password - will prompt if needed and not empty
sealed_file="$SECRET_DIR/tpm1_seal_sealed.bin"
at_exit cleanup_shred "$sealed_file"
@ -477,8 +507,8 @@ tpm1_seal() {
# Read each PCR_SIZE block from the file and pass as hex
POLICY_ARGS+=(-ix "$pcr"
"$(dd if="$pcrf" skip="$pcr_file_index" bs="$PCR_SIZE" count=1 status=none | xxd -p | tr -d ' ')"
)
pcr_file_index=$((pcr_file_index+1))
)
pcr_file_index=$((pcr_file_index + 1))
done
tpm sealfile2 \
@ -487,25 +517,28 @@ tpm1_seal() {
-hk 40000000 \
"${POLICY_ARGS[@]}"
# try it without the owner password first
# try it without the TPM Owner Password first
if ! tpm nv_writevalue -in "$index" -if "$sealed_file"; then
# to create an nvram space we need the TPM owner password
# to create an nvram space we need the TPM Owner Password
# and the TPM physical presence must be asserted.
#
# The permissions are 0 since there is nothing special
# about the sealed file
tpm physicalpresence -s \
|| warn "Unable to assert physical presence"
tpm physicalpresence -s ||
warn "Unable to assert physical presence"
prompt_tpm_password
prompt_tpm_owner_password
tpm nv_definespace -in "$index" -sz "$sealed_size" \
-pwdo "$tpm_password" -per 0 \
|| warn "Unable to define NVRAM space; trying anyway"
-pwdo "$tpm_password" -per 0 ||
warn "Unable to define TPM NVRAM space; trying anyway"
tpm nv_writevalue -in "$index" -if "$sealed_file" \
|| die "Unable to write sealed secret to NVRAM"
tpm nv_writevalue -in "$index" -if "$sealed_file" ||
{
DEBUG "Failed to write sealed secret to NVRAM from tpm1_seal. Wiping /tmp/secret/tpm_owner_password"
shred -n 10 -z -u /tmp/secret/tpm_owner_password
die "Unable to write sealed secret to TPM NVRAM"
}
fi
}
@ -531,12 +564,13 @@ tpm2_unseal() {
# If we don't have the primary handle (TPM hasn't been reset), tpm2 will
# print nonsense error messages about an unexpected handle value. We
# can't do anything without a primary handle.
if [ ! -f "/tmp/$PRIMARY_HANDLE_FILE" ]; then
if [ ! -f "$PRIMARY_HANDLE_FILE" ]; then
DEBUG "tpm2_unseal: No primary handle, cannot attempt to unseal"
warn "No TPM primary handle. You must reset TPM to seal secret to TPM NVRAM"
exit 1
fi
POLICY_SESSION=/tmp/unsealfile_policy.session
POLICY_SESSION="$SECRET_DIR/unsealfile_policy.session"
rm -f "$POLICY_SESSION"
tpm2 startauthsession -Q -g sha256 -S "$POLICY_SESSION" --policy-session
at_exit cleanup_session "$POLICY_SESSION"
@ -554,7 +588,7 @@ tpm2_unseal() {
fi
tpm2 unseal -Q -c "$handle" -p "session:$POLICY_SESSION$UNSEAL_PASS_SUFFIX" \
-S "/tmp/$ENC_SESSION_FILE" > "$file"
-S "$ENC_SESSION_FILE" >"$file"
}
tpm1_unseal() {
TRACE "Under /bin/tpmr:tpm1_unseal"
@ -576,8 +610,8 @@ tpm1_unseal() {
tpm nv_readvalue \
-in "$index" \
-sz "$sealed_size" \
-of "$sealed_file" \
|| die "Unable to read sealed file from TPM NVRAM"
-of "$sealed_file" ||
die "Unable to read sealed file from TPM NVRAM"
PASS_ARGS=()
if [ "$pass" ]; then
@ -593,15 +627,18 @@ tpm1_unseal() {
tpm2_reset() {
TRACE "Under /bin/tpmr:tpm2_reset"
key_password="$1"
tpm_owner_password="$1"
mkdir -p "$SECRET_DIR"
# output TPM Owner Password to a file to be reused in this boot session until recovery shell/reboot
DEBUG "Caching TPM Owner Password to $SECRET_DIR/tpm_owner_password"
echo -n "$tpm_owner_password" >"$SECRET_DIR/tpm_owner_password"
tpm2 clear -c platform || warn "Unable to clear TPM on platform hierarchy"
tpm2 changeauth -c owner "$(tpm2_password_hex "$key_password")"
tpm2 changeauth -c endorsement "$(tpm2_password_hex "$key_password")"
tpm2 changeauth -c owner "$(tpm2_password_hex "$tpm_owner_password")"
tpm2 changeauth -c endorsement "$(tpm2_password_hex "$tpm_owner_password")"
tpm2 createprimary -C owner -g sha256 -G "${CONFIG_PRIMARY_KEY_TYPE:-rsa}" \
-c "$SECRET_DIR/primary.ctx" -P "$(tpm2_password_hex "$key_password")"
-c "$SECRET_DIR/primary.ctx" -P "$(tpm2_password_hex "$tpm_owner_password")"
tpm2 evictcontrol -C owner -c "$SECRET_DIR/primary.ctx" "$PRIMARY_HANDLE" \
-P "$(tpm2_password_hex "$key_password")"
-P "$(tpm2_password_hex "$tpm_owner_password")"
shred -u "$SECRET_DIR/primary.ctx"
tpm2_startsession
@ -610,7 +647,7 @@ tpm2_reset() {
# * --max-tries=10: Allow 10 failures before lockout. This allows the
# user to quickly "burst" 10 failures without significantly impacting
# the rate allowed for a dictionary attacker.
# Most TPM2 flows ask for the owner password 2-4 times, so this allows
# Most TPM2 flows ask for the TPM Owner Password 2-4 times, so this allows
# a handful of mistypes and some headroom for an expected unseal
# failure if firmware is updated.
# Remember that an auth failure is also counted any time an unclean
@ -626,7 +663,7 @@ tpm2_reset() {
--max-tries=10 \
--recovery-time=3600 \
--lockout-recovery-time=0 \
--auth="session:/tmp/$ENC_SESSION_FILE"
--auth="session:$ENC_SESSION_FILE"
# Set a random DA lockout password, so the DA lockout can't be cleared
# with a password. Heads doesn't offer dictionary attach reset, instead
@ -639,15 +676,18 @@ tpm2_reset() {
}
tpm1_reset() {
TRACE "Under /bin/tpmr:tpm1_reset"
key_password="$1"
tpm_owner_password="$1"
mkdir -p "$SECRET_DIR"
# output tpm_owner_password to a file to be reused in this boot session until recovery shell/reboot
DEBUG "Caching TPM Owner Password to $SECRET_DIR/tpm_owner_password"
echo -n "$tpm_owner_password" >"$SECRET_DIR/tpm_owner_password"
# Make sure the TPM is ready to be reset
tpm physicalpresence -s
tpm physicalenable
tpm physicalsetdeactivated -c
tpm forceclear
tpm physicalenable
tpm takeown -pwdo "$key_password"
tpm takeown -pwdo "$tpm_owner_password"
# And now turn it all back on
tpm physicalpresence -s
@ -660,20 +700,20 @@ tpm2_kexec_finalize() {
TRACE "Under /bin/tpmr:tpm2_kexec_finalize"
# Flush sessions and transient objects
tpm2 flushcontext -Q --transient-object \
|| warn "tpm2_flushcontext: unable to flush transient handles"
tpm2 flushcontext -Q --loaded-session \
|| warn "tpm2_flushcontext: unable to flush sessions"
tpm2 flushcontext -Q --saved-session \
|| warn "tpm2_flushcontext: unable to flush saved session"
tpm2 flushcontext -Q --transient-object ||
warn "tpm2_flushcontext: unable to flush transient handles"
tpm2 flushcontext -Q --loaded-session ||
warn "tpm2_flushcontext: unable to flush sessions"
tpm2 flushcontext -Q --saved-session ||
warn "tpm2_flushcontext: unable to flush saved session"
# Add a random passphrase to platform hierarchy to prevent TPM2 from
# being cleared in the OS.
# This passphrase is only effective before the next boot.
echo "Locking TPM2 platform hierarchy..."
randpass=$(dd if=/dev/urandom bs=4 count=1 status=none | xxd -p)
tpm2 changeauth -c platform "$randpass" \
|| warn "Failed to lock platform hierarchy of TPM2"
tpm2 changeauth -c platform "$randpass" ||
warn "Failed to lock platform hierarchy of TPM2"
}
tpm2_shutdown() {
@ -693,72 +733,101 @@ fi
# TPM1 - most commands forward directly to tpm, but some are still wrapped for
# consistency with tpm2.
if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
PCR_SIZE=20 # TPM1 PCRs are always SHA-1
PCR_SIZE=20 # TPM1 PCRs are always SHA-1
subcmd="$1"
# Don't shift yet, for most commands we will just forward to tpm.
case "$subcmd" in
pcrread)
shift; tpm1_pcrread "$@";;
pcrsize)
echo "$PCR_SIZE";;
calcfuturepcr)
shift; replay_pcr "sha1" "$@";;
destroy)
shift; tpm1_destroy "$@";;
seal)
shift; tpm1_seal "$@";;
startsession)
;; # Nothing on TPM1.
unseal)
shift; tpm1_unseal "$@";;
reset)
shift; tpm1_reset "$@";;
kexec_finalize)
;; # Nothing on TPM1.
shutdown)
;; # Nothing on TPM1.
*)
DEBUG "Direct translation from tpmr to tpm1 call"
DO_WITH_DEBUG exec tpm "$@"
;;
pcrread)
shift
tpm1_pcrread "$@"
;;
pcrsize)
echo "$PCR_SIZE"
;;
calcfuturepcr)
shift
replay_pcr "sha1" "$@"
;;
counter_create)
shift
tpm1_counter_create "$@"
;;
destroy)
shift
tpm1_destroy "$@"
;;
seal)
shift
tpm1_seal "$@"
;;
startsession) ;; # Nothing on TPM1.
unseal)
shift
tpm1_unseal "$@"
;;
reset)
shift
tpm1_reset "$@"
;;
kexec_finalize) ;; # Nothing on TPM1.
shutdown) ;; # Nothing on TPM1.
*)
DEBUG "Direct translation from tpmr to tpm1 call"
DO_WITH_DEBUG exec tpm "$@"
;;
esac
exit 0
fi
# TPM2 - all commands implemented as wrappers around tpm2
PCR_SIZE=32 # We use the SHA-256 PCRs
PCR_SIZE=32 # We use the SHA-256 PCRs
subcmd="$1"
shift 1
case "$subcmd" in
pcrread)
tpm2_pcrread "$@";;
pcrsize)
echo "$PCR_SIZE";;
calcfuturepcr)
replay_pcr "sha256" "$@";;
extend)
tpm2_extend "$@";;
counter_read)
tpm2_counter_read "$@";;
counter_increment)
tpm2_counter_inc "$@";;
counter_create)
tpm2_counter_cre "$@";;
destroy)
tpm2_destroy "$@";;
seal)
tpm2_seal "$@";;
startsession)
tpm2_startsession "$@";;
unseal)
tpm2_unseal "$@";;
reset)
tpm2_reset "$@";;
kexec_finalize)
tpm2_kexec_finalize "$@";;
shutdown)
tpm2_shutdown "$@";;
*)
echo "Command $subcmd not wrapped!"
exit 1
pcrread)
tpm2_pcrread "$@"
;;
pcrsize)
echo "$PCR_SIZE"
;;
calcfuturepcr)
replay_pcr "sha256" "$@"
;;
extend)
tpm2_extend "$@"
;;
counter_read)
tpm2_counter_read "$@"
;;
counter_increment)
tpm2_counter_inc "$@"
;;
counter_create)
tpm2_counter_create "$@"
;;
destroy)
tpm2_destroy "$@"
;;
seal)
tpm2_seal "$@"
;;
startsession)
tpm2_startsession "$@"
;;
unseal)
tpm2_unseal "$@"
;;
reset)
tpm2_reset "$@"
;;
kexec_finalize)
tpm2_kexec_finalize "$@"
;;
shutdown)
tpm2_shutdown "$@"
;;
*)
echo "Command $subcmd not wrapped!"
exit 1
;;
esac

10
initrd/bin/unseal-totp
View File

@ -8,14 +8,14 @@ TOTP_SECRET="/tmp/secret/totp.key"
TRACE "Under /bin/unseal-totp"
if [ "$CONFIG_TPM" = "y" ]; then
tpmr unseal 4d47 0,1,2,3,4,7 312 "$TOTP_SECRET" \
|| die "Unable to unseal totp secret"
tpmr unseal 4d47 0,1,2,3,4,7 312 "$TOTP_SECRET" ||
die "Unable to unseal TOTP secret"
fi
if ! totp -q < "$TOTP_SECRET"; then
shred -n 10 -z -u "$TOTP_SECRET" 2> /dev/null
if ! totp -q <"$TOTP_SECRET"; then
shred -n 10 -z -u "$TOTP_SECRET" 2>/dev/null
die 'Unable to compute TOTP hash?'
fi
shred -n 10 -z -u "$TOTP_SECRET" 2> /dev/null
shred -n 10 -z -u "$TOTP_SECRET" 2>/dev/null
exit 0

214
initrd/etc/ash_functions
View File

@ -53,6 +53,163 @@ preserve_rom() {
done
}
confirm_gpg_card() {
TRACE "Under /etc/ash_functions:confirm_gpg_card"
#Skip prompts if we are currently using a known GPG key material Thumb drive backup and keys are unlocked pinentry
#TODO: probably export CONFIG_GPG_KEY_BACKUP_IN_USE but not under /etc/user.config?
#Toggle to come in next PR, but currently we don't have a way to toggle it back to n if config.user flashed back in rom
if [[ "$CONFIG_HAVE_GPG_KEY_BACKUP" == "y" && "$CONFIG_GPG_KEY_BACKUP_IN_USE" == "y" ]]; then
DEBUG "Using known GPG key material Thumb drive backup and keys are unlocked and useable through pinentry"
return
fi
if [ "$CONFIG_HAVE_GPG_KEY_BACKUP" == "y" ]; then
message="Please confirm that your GPG card is inserted(Y/n) or your GPG key material (b)backup thumbdrive is inserted [Y/n/b]: "
else
# Generic message if no known key material backup
message="Please confirm that your GPG card is inserted [Y/n]: "
fi
read \
-n 1 \
-p "$message" \
card_confirm
echo
if [ "$card_confirm" != "y" \
-a "$card_confirm" != "Y" \
-a "$card_confirm" != "b" \
-a -n "$card_confirm" ] \
; then
die "gpg card not confirmed"
fi
# If user has known GPG key material Thumb drive backup and asked to use it
if [[ "$CONFIG_HAVE_GPG_KEY_BACKUP" == "y" && "$card_confirm" == "b" ]]; then
#Only mount and import GPG key material thumb drive backup once
if [ ! "$CONFIG_GPG_KEY_BACKUP_IN_USE" == "y" ]; then
CR_NONCE="/tmp/secret/cr_nonce"
CR_SIG="$CR_NONCE.sig"
#Wipe any previous CR_NONCE and CR_SIG
shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" >/dev/null 2>&1 || true
#Prompt user for configured GPG Admin PIN that will be passed along to mount-usb and to import gpg subkeys
echo
gpg_admin_pin=""
while [ -z "$gpg_admin_pin" ]; do
#TODO: change all passphrase prompts in codebase to include -r to prevent backslash escapes
read -r -s -p "Please enter GPG Admin PIN needed to use the GPG backup thumb drive: " gpg_admin_pin
echo
done
#prompt user to select the proper encrypted partition, which should the first one on next prompt
warn "Please select encrypted LUKS on GPG key material backup thumb drive (not public labeled one)"
mount-usb --pass "$gpg_admin_pin" || die "Unable to mount USB with provided GPG Admin PIN"
echo "++++ Testing detach-sign operation and verifiying against fused public key in ROM"
gpg --pinentry-mode=loopback --passphrase-file <(echo -n "${gpg_admin_pin}") --import /media/subkeys.sec >/dev/null 2>&1 ||
die "Unable to import GPG private subkeys"
#Do a detach signature to ensure gpg material is usable and cache passphrase to sign /boot from caller functions
dd if=/dev/urandom of="$CR_NONCE" bs=20 count=1 >/dev/null 2>&1 ||
die "Unable to create $CR_NONCE to be detach-signed with GPG private signing subkey"
gpg --pinentry-mode=loopback --passphrase-file <(echo -n "${gpg_admin_pin}") --detach-sign "$CR_NONCE" >/dev/null 2>&1 ||
die "Unable to detach-sign $CR_NONCE with GPG private signing subkey using GPG Admin PIN"
#verify detached signature against public key in rom
gpg --verify "$CR_SIG" "$CR_NONCE" > /dev/null 2>&1 && \
echo "++++ Local GPG keyring can be used to sign/encrypt/authenticate in this boot session ++++" || \
die "Unable to verify $CR_SIG detached signature against public key in ROM"
#Wipe any previous CR_NONCE and CR_SIG
shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" >/dev/null 2>&1 || true
#TODO: maybe just an export instead of setting /etc/user.config otherwise could be flashed in weird corner case situation
set_user_config "CONFIG_GPG_KEY_BACKUP_IN_USE" "y"
umount /media || die "Unable to unmount USB"
return
fi
fi
# setup the USB so we can reach the USB Security Dongle's smartcard
enable_usb
echo -e "\nVerifying presence of GPG card...\n"
# ensure we don't exit without retrying
errexit=$(set -o | grep errexit | awk '{print $2}')
set +e
gpg --card-status >/dev/null
if [ $? -ne 0 ]; then
# prompt for reinsertion and try a second time
read -n1 -r -p \
"Can't access GPG key; remove and reinsert, then press Enter to retry. " \
ignored
# restore prev errexit state
if [ "$errexit" = "on" ]; then
set -e
fi
# retry card status
gpg --card-status >/dev/null ||
die "gpg card read failed"
fi
# restore prev errexit state
if [ "$errexit" = "on" ]; then
set -e
fi
}
gpg_auth() {
if [[ "$CONFIG_HAVE_GPG_KEY_BACKUP" == "y" ]]; then
TRACE "Under /etc/ash_functions:gpg_auth"
# If we have a GPG key backup, we can use it to authenticate even if the card is lost
echo >&2 "!!!!! Please authenticate with OpenPGP smartcard/backup media to prove you are the owner of this machine !!!!!"
# Wipe any existing nonce and signature
shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" 2>/dev/null || true
# In case of gpg_auth, we require confirmation of the card, so loop with confirm_gpg_card until we get it
false
while [ $? -ne 0 ]; do
# Call confirm_gpg_card in subshell to ensure GPG key material presence
( confirm_gpg_card )
done
# Perform a signing-based challenge-response,
# to authencate that the card plugged in holding
# the key to sign the list of boot files.
CR_NONCE="/tmp/secret/cr_nonce"
CR_SIG="$CR_NONCE.sig"
# Generate a random nonce
dd \
if=/dev/urandom \
of="$CR_NONCE" \
count=1 \
bs=20 \
2>/dev/null \
|| die "Unable to generate 20 random bytes"
# Sign the nonce
for tries in 1 2 3; do
if gpg --digest-algo SHA256 \
--detach-sign \
-o "$CR_SIG" \
"$CR_NONCE" > /dev/null 2>&1 \
&& gpg --verify "$CR_SIG" "$CR_NONCE" > /dev/null 2>&1 \
; then
shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" 2>/dev/null || true
DEBUG "Under /etc/ash_functions:gpg_auth: success"
return 0
else
shred -n 10 -z -u "$CR_SIG" 2>/dev/null || true
if [ "$tries" -lt 3 ]; then
echo >&2 "!!!!! GPG authentication failed, please try again !!!!!"
continue
else
die "GPG authentication failed, please reboot and try again"
fi
fi
done
return 1
fi
}
recovery() {
TRACE "Under /etc/ash_functions:recovery"
echo >&2 "!!!!! $*"
@ -70,6 +227,7 @@ recovery() {
. /tmp/config
if [ "$CONFIG_TPM" = "y" ]; then
DEBUG "Extending TPM PCR 4 for recovery shell access"
tpmr extend -ix 4 -ic recovery
fi
@ -80,9 +238,12 @@ recovery() {
fi
while [ true ]
do
#Going to recovery shell should be authenticated if supported
gpg_auth
echo >&2 "!!!!! Starting recovery shell"
sleep 1
if [ -x /bin/setsid ]; then
/bin/setsid -c /bin/sh
else
@ -102,6 +263,57 @@ combine_configs() {
cat /etc/config* > /tmp/config
}
replace_config() {
TRACE "Under /etc/functions:replace_config"
CONFIG_FILE=$1
CONFIG_OPTION=$2
NEW_SETTING=$3
touch $CONFIG_FILE
# first pull out the existing option from the global config and place in a tmp file
awk "gsub(\"^export ${CONFIG_OPTION}=.*\",\"export ${CONFIG_OPTION}=\\\"${NEW_SETTING}\\\"\")" /tmp/config >${CONFIG_FILE}.tmp
awk "gsub(\"^${CONFIG_OPTION}=.*\",\"${CONFIG_OPTION}=\\\"${NEW_SETTING}\\\"\")" /tmp/config >>${CONFIG_FILE}.tmp
# then copy any remaining settings from the existing config file, minus the option you changed
grep -v "^export ${CONFIG_OPTION}=" ${CONFIG_FILE} | grep -v "^${CONFIG_OPTION}=" >>${CONFIG_FILE}.tmp || true
sort ${CONFIG_FILE}.tmp | uniq >${CONFIG_FILE}
rm -f ${CONFIG_FILE}.tmp
}
# Set a config variable in a specific file to a given value - replace it if it
# exists, or add it. If added, the variable will be exported.
set_config() {
CONFIG_FILE="$1"
CONFIG_OPTION="$2"
NEW_SETTING="$3"
if grep -q "$CONFIG_OPTION" "$CONFIG_FILE"; then
replace_config "$CONFIG_FILE" "$CONFIG_OPTION" "$NEW_SETTING"
else
echo "export $CONFIG_OPTION=\"$NEW_SETTING\"" >>"$CONFIG_FILE"
fi
}
# Set a value in config.user, re-combine configs, and update configs in the
# environment.
set_user_config() {
CONFIG_OPTION="$1"
NEW_SETTING="$2"
set_config /etc/config.user "$CONFIG_OPTION" "$NEW_SETTING"
combine_configs
. /tmp/config
}
# Load a config value to a variable, defaulting to empty. Does not fail if the
# config is not set (since it would expand to empty by default).
load_config_value() {
local config_name="$1"
if grep -q "$config_name=" /tmp/config; then
grep "$config_name=" /tmp/config | tail -n1 | cut -f2 -d '=' | tr -d '"'
fi
}
enable_usb()
{
TRACE "Under /etc/ash_functions:enable_usb"

139
initrd/etc/functions
View File

@ -96,16 +96,15 @@ reseal_tpm_disk_decryption_key() {
fi
if [ -s /boot/kexec_key_devices.txt ] || [ -s /boot/kexec_key_lvm.txt ]; then
warn "A TPM Disk Unlock Key previously sealed is now invalid since firmware measurements could not unseal TOTP"
echo "Renewing LUKS Disk Unlock Key to be unsealed by TPM Disk Unlock Key passphrase"
warn "TPM sealed Disk Unlock Key secret needs to be resealed alongside TOTP/HOTP secret"
echo "Resealing TPM LUKS Disk Unlock Key to be unsealed by TPM Disk Unlock Key passphrase"
while ! kexec-seal-key /boot; do
warn "Recovery Disk Encryption key passphrase invalid. Try again!"
warn "Recovery Disk Encryption key passphrase/TPM Owner Password may be invalid. Please try again"
done
warn "LUKS header hash changed under /boot/kexec_luks_hdr_hash.txt"
echo "Updating checksums and signing all files under /boot/kexec.sig"
while ! update_checksums; do
warn "Checksums were not signed. Bad GPG PIN provided?"
warn "Please update checksums and provide a valid GPG PIN"
warn "Checksums were not signed. Preceding errors should explain possible causes"
done
warn "Rebooting in 3 seconds to enable booting default boot option"
sleep 3
@ -119,6 +118,7 @@ reseal_tpm_disk_decryption_key() {
# be detected. If USB storage was already enabled, no wait occurs, this would
# have happened already when USB storage was enabled.
enable_usb_storage() {
TRACE "Under /etc/functions:enable_usb_storage"
if ! lsmod | grep -q usb_storage; then
timeout=0
echo "Scanning for USB storage devices..."
@ -189,83 +189,59 @@ list_usb_storage() {
done
}
confirm_gpg_card() {
TRACE "Under /etc/functions:confirm_gpg_card"
read \
-n 1 \
-p "Please confirm that your GPG card is inserted [Y/n]: " \
card_confirm
echo
# Prompt for a TPM Owner Password if it is not already cached in /tmp/secret/tpm_owner_password.
# Sets tpm_owner_password variable reused in flow, and cache file used until recovery shell is accessed.
# Tools should optionally accept a TPM password on the command line, since some flows need
# it multiple times and only one prompt is ideal.
prompt_tpm_owner_password() {
TRACE "Under /etc/functions:prompt_tpm_owner_password"
if [ "$card_confirm" != "y" \
-a "$card_confirm" != "Y" \
-a -n "$card_confirm" ] \
; then
die "gpg card not confirmed"
fi
# setup the USB so we can reach the GPG card
enable_usb
echo -e "\nVerifying presence of GPG card...\n"
# ensure we don't exit without retrying
errexit=$(set -o | grep errexit | awk '{print $2}')
set +e
gpg --card-status >/dev/null
if [ $? -ne 0 ]; then
# prompt for reinsertion and try a second time
read -n1 -r -p \
"Can't access GPG key; remove and reinsert, then press Enter to retry. " \
ignored
# restore prev errexit state
if [ "$errexit" = "on" ]; then
set -e
fi
# retry card status
gpg --card-status >/dev/null ||
die "gpg card read failed"
fi
# restore prev errexit state
if [ "$errexit" = "on" ]; then
set -e
fi
}
# Prompt for an owner password if it is not already set in tpm_password. Sets
# tpm_password. Tools should optionally accept a TPM password on the command
# line, since some flows need it multiple times and only one prompt is ideal.
prompt_tpm_password() {
if [ -n "$tpm_password" ]; then
if [ -s /tmp/secret/tpm_owner_password ]; then
DEBUG "/tmp/secret/tpm_owner_password already cached in file. Reusing"
tpm_owner_password=$(cat /tmp/secret/tpm_owner_password)
return 0
fi
read -s -p "TPM Owner password: " tpm_password
read -s -p "TPM Owner Password: " tpm_owner_password
echo # new line after password prompt
# Cache the password externally to be reused by who needs it
DEBUG "Caching TPM Owner Password to /tmp/secret/tpm_owner_password"
mkdir -p /tmp/secret || die "Unable to create /tmp/secret"
echo -n "$tpm_owner_password" >/tmp/secret/tpm_owner_password || die "Unable to cache TPM owner_password under /tmp/secret/tpm_owner_password"
}
# Prompt for a new owner password when resetting the TPM. Returned in
# key_password. The password must be 1-32 characters and must be entered twice,
# Prompt for a new TPM Owner Password when resetting the TPM.
# Returned in tpm_owner_passpword and cached under /tpm/secret/tpm_owner_password
# The password must be 1-32 characters and must be entered twice,
# the script will loop until this is met.
prompt_new_owner_password() {
local key_password2
key_password=1
key_password2=2
while [ "$key_password" != "$key_password2" ] || [ "${#key_password}" -gt 32 ] || [ -z "$key_password" ]; do
read -s -p "New TPM owner passphrase (2 words suggested, 1-32 characters max): " key_password
TRACE "Under /etc/functions:prompt_new_owner_password"
local tpm_owner_password2
tpm_owner_password=1
tpm_owner_password2=2
while [ "$tpm_owner_password" != "$tpm_owner_password2" ] || [ "${#tpm_owner_password}" -gt 32 ] || [ -z "$tpm_owner_password" ]; do
read -s -p "New TPM Owner Password (2 words suggested, 1-32 characters max): " tpm_owner_password
echo
read -s -p "Repeat chosen TPM owner passphrase: " key_password2
read -s -p "Repeat chosen TPM Owner Password: " tpm_owner_password2
echo
if [ "$key_password" != "$key_password2" ]; then
if [ "$tpm_owner_password" != "$tpm_owner_password2" ]; then
echo "Passphrases entered do not match. Try again!"
echo
fi
done
# Cache the password externally to be reused by who needs it
DEBUG "Caching TPM Owner Password to /tmp/secret/tpm_owner_password"
mkdir -p /tmp/secret || die "Unable to create /tmp/secret"
echo -n "$tpm_owner_password" >/tmp/secret/tpm_owner_password || die "Unable to cache TPM password under /tmp/secret"
}
check_tpm_counter() {
TRACE "Under /etc/functions:check_tpm_counter"
LABEL=${2:-3135106223}
tpm_password="$3"
# if the /boot.hashes file already exists, read the TPM counter ID
@ -274,13 +250,11 @@ check_tpm_counter() {
TPM_COUNTER=$(grep counter- "$1" | cut -d- -f2)
else
warn "$1 does not exist; creating new TPM counter"
prompt_tpm_password
tpmr counter_create \
-pwdo "$tpm_password" \
-pwdc '' \
-la $LABEL |
tee /tmp/counter ||
die "Unable to create TPM counter"
die "Unable to create TPM counter"
TPM_COUNTER=$(cut -d: -f1 </tmp/counter)
fi
@ -299,7 +273,7 @@ increment_tpm_counter() {
TRACE "Under /etc/functions:increment_tpm_counter"
tpmr counter_increment -ix "$1" -pwdc '' |
tee /tmp/counter-$1 ||
die "Counter increment failed"
die "TPM counter increment failed for rollback prevention. Please reset the TPM"
}
check_config() {
@ -360,40 +334,6 @@ replace_config() {
rm -f ${CONFIG_FILE}.tmp
}
# Set a config variable in a specific file to a given value - replace it if it
# exists, or add it. If added, the variable will be exported.
set_config() {
CONFIG_FILE="$1"
CONFIG_OPTION="$2"
NEW_SETTING="$3"
if grep -q "$CONFIG_OPTION" "$CONFIG_FILE"; then
replace_config "$CONFIG_FILE" "$CONFIG_OPTION" "$NEW_SETTING"
else
echo "export $CONFIG_OPTION=\"$NEW_SETTING\"" >>"$CONFIG_FILE"
fi
}
# Set a value in config.user, re-combine configs, and update configs in the
# environment.
set_user_config() {
CONFIG_OPTION="$1"
NEW_SETTING="$2"
set_config /etc/config.user "$CONFIG_OPTION" "$NEW_SETTING"
combine_configs
. /tmp/config
}
# Load a config value to a variable, defaulting to empty. Does not fail if the
# config is not set (since it would expand to empty by default).
load_config_value() {
local config_name="$1"
if grep -q "$config_name=" /tmp/config; then
grep "$config_name=" /tmp/config | tail -n1 | cut -f2 -d '=' | tr -d '"'
fi
}
# Generate a secret for TPM-less HOTP by reading the ROM. Output is the
# sha256sum of the ROM (binary, not printable), which can be truncated to the
# supported secret length.
@ -608,6 +548,7 @@ detect_boot_device() {
}
scan_boot_options() {
TRACE "Under /etc/functions:scan_boot_options"
local bootdir config option_file
bootdir="$1"
config="$2"

128
initrd/etc/gui_functions
View File

@ -34,54 +34,100 @@ mount_usb()
fi
}
# Create display text for a size in bytes in either MB or GB, unit selected
# automatically, rounded to nearest
display_size() {
local size_bytes unit_divisor unit_symbol
size_bytes="$1"
# If it's less than 1 GB, display MB
if [ "$((size_bytes))" -lt "$((1024*1024*1024))" ]; then
unit_divisor=$((1024*1024))
unit_symbol="MB"
else
unit_divisor=$((1024*1024*1024))
unit_symbol="GB"
fi
# Divide by the unit divisor and round to nearest
echo "$(( (size_bytes + unit_divisor/2) / unit_divisor )) $unit_symbol"
}
# Create display text for the size of a block device using MB or GB, rounded to
# nearest
display_block_device_size() {
local block_dev disk_size_bytes
block_dev="$1"
# Obtain size of thumb drive to be wiped with fdisk
if ! disk_size_bytes="$(blockdev --getsize64 "$block_dev")"; then
exit 1
fi
display_size "$disk_size_bytes"
}
# Display a menu to select a file from a list. Pass the name of a file
# containing the list.
# --show-size: Append sizes of files listed. Currently only supports block
# devices.
# $1: Name of file listing files that can be chosen (one per line)
# $2: Optional prompt message
# $3: Optional prompt title
#
# Success: Sets FILE with the selected file
# User aborted: Exits successfully with FILE empty
# No entries in list: Displays error and exits unsuccessfully
file_selector()
{
TRACE "under gui_functions:file_selector"
FILE=""
FILE_LIST=$1
MENU_MSG=${2:-"Choose the file"}
MENU_TITLE=${3:-"Select your File"}
TRACE "under gui_functions:file_selector"
# create file menu options
if [ `cat "$FILE_LIST" | wc -l` -gt 0 ]; then
option=""
while [ -z "$option" ]
do
MENU_OPTIONS=""
n=0
while read option
do
n=`expr $n + 1`
option=$(echo $option | tr " " "_")
MENU_OPTIONS="$MENU_OPTIONS $n ${option}"
done < $FILE_LIST
local FILE_LIST MENU_MSG MENU_TITLE CHOICE_ARGS SHOW_SIZE OPTION_SIZE option_index
MENU_OPTIONS="$MENU_OPTIONS a Abort"
whiptail --title "${MENU_TITLE}" \
--menu "${MENU_MSG} [1-$n, a to abort]:" 20 120 8 \
-- $MENU_OPTIONS \
2>/tmp/whiptail || die "Aborting"
FILE=""
option_index=$(cat /tmp/whiptail)
if [ "$1" = "--show-size" ]; then
SHOW_SIZE=y
shift
fi
if [ "$option_index" = "a" ]; then
option="a"
return
fi
FILE_LIST=$1
MENU_MSG=${2:-"Choose the file"}
MENU_TITLE=${3:-"Select your File"}
option=`head -n $option_index $FILE_LIST | tail -1`
if [ "$option" == "a" ]; then
return
fi
done
if [ -n "$option" ]; then
FILE=$option
fi
else
whiptail $BG_COLOR_ERROR --title 'ERROR: No Files Found' \
--msgbox "No Files found matching the pattern. Aborting." 0 80
exit 1
fi
CHOICE_ARGS=()
n=0
while read option; do
n="$((++n))"
if [ "$SHOW_SIZE" = "y" ] && OPTION_SIZE="$(display_block_device_size "$option")"; then
option="$option - $OPTION_SIZE"
fi
CHOICE_ARGS+=("$n" "$option")
done < "$FILE_LIST"
if [ "${#CHOICE_ARGS[@]}" -eq 0 ]; then
whiptail $BG_COLOR_ERROR --title 'ERROR: No Files Found' \
--msgbox "No Files found matching the pattern. Aborting." 0 80
exit 1
fi
CHOICE_ARGS+=(a Abort)
# create file menu options
option_index=""
while [ -z "$option_index" ]; do
whiptail --title "${MENU_TITLE}" \
--menu "${MENU_MSG} [1-$n, a to abort]:" 20 120 8 \
-- "${CHOICE_ARGS[@]}" \
2>/tmp/whiptail || die "Aborting"
option_index=$(cat /tmp/whiptail)
if [ "$option_index" != "a" ]; then
FILE="$(head -n "$option_index" "$FILE_LIST" | tail -1)"
fi
done
}
show_system_info()

309
initrd/etc/luks-functions
View File

@ -6,25 +6,19 @@
. /tmp/config
#List all LUKS devices on the system
list_luks_devices()
{
list_luks_devices() {
#generate a list of devices to choose from that contain a LUKS header
lvm vgscan||true
blkid | cut -d ':' -f 1 | while read device
do cryptsetup isLuks $device
if [ $? -eq 0 ]; then
echo "$device"
fi
done | sort
lvm vgscan || true
blkid | cut -d ':' -f 1 | while read device; do
if cryptsetup isLuks $device; then echo $device; fi
done | sort
}
#Whiptail prompt asking user to select ratio of device to use for LUKS container between: 10, 25, 50, 75
select_luks_container_size_percent()
{
#Whiptail prompt asking user to select ratio of device to use for LUKS container between: 25, 50, 75
select_luks_container_size_percent() {
TRACE "Under /etc/luks-functions:select_luks_container_size_percent()"
if [ -x /bin/whiptail ]; then
#whiptail prompt asking user to select ratio of device to use for LUKS container between: 10, 25, 50, 75
#whiptail prompt asking user to select ratio of device to use for LUKS container between: 25, 50, 75
#whiptail returns the percentage of the device to use for LUKS container
whiptail --title "Select LUKS container size percentage of device" --menu \
"Select LUKS container size percentage of device:" 0 80 10 \
@ -57,11 +51,12 @@ select_luks_container_size_percent()
fi
}
#Partition a device with two partitions: a first one being a LUKS container containing private ext4 partition and second public exfat partition
# Partition a device interactively with two partitions: a LUKS container
# containing private ext4 partition and second public exFAT partition
# Size provisioning is done by percentage of the device
prepare_thumb_drive()
interactive_prepare_thumb_drive()
{
TRACE "Under /etc/luks-functions:prepare_thumb_drive()"
TRACE "Under /etc/luks-functions:interactive_prepare_thumb_drive()"
#Refactoring: only one parameter needed to be prompted for: the passphrase for LUKS container if not coming from oem-provisioning
#If no passphrase was provided, ask user to select passphrase for LUKS container
# if no device provided as parameter, we will ask user to select device to partition
@ -84,12 +79,13 @@ prepare_thumb_drive()
PERCENTAGE=$2
shift 2
;;
--passphrase)
--pass)
PASSPHRASE=$2
shift 2
;;
*)
echo "usage: prepare_thumb_drive [--device device] [--percentage percentage] [--passphrase passphrase]"
echo "usage: prepare_thumb_drive [--device device] [--percentage percentage] [--pass passphrase]"
return 1
;;
esac
done
@ -177,37 +173,82 @@ prepare_thumb_drive()
PERCENTAGE=$(cat /tmp/luks_container_size_percent)
fi
confirm_thumb_drive_format "$DEVICE" "$PERCENTAGE" ||
die "User cancelled wiping and repartitioning of $DEVICE"
#Get disk size in bytes from fdisk
prepare_thumb_drive "$DEVICE" "$PERCENTAGE" "$PASSPHRASE"
}
# Show a prompt to confirm formatting a flash drive with a percentage allocated
# to LUKS. interactive_prepare_thumb_drive() uses this; during OEM reset it is
# used separately before performing any reset actions
#
# parameters:
# $1 - block device of flash drive
# $2 - percent of device allocated to LUKS [1-99]
confirm_thumb_drive_format()
{
TRACE "Under /etc/luks-functions:confirm_thumb_drive_format()"
local DEVICE LUKS_PERCENTAGE DISK_SIZE_BYTES DISK_SIZE_DISPLAY LUKS_PERCENTAGE LUKS_SIZE_MB MSG
DEVICE="$1"
LUKS_PERCENTAGE="$2"
LUKS_SIZE_MB=
#Get disk size in bytes
DISK_SIZE_BYTES="$(blockdev --getsize64 "$DEVICE")"
DISK_SIZE_DISPLAY="$(display_size "$DISK_SIZE_BYTES")"
#Convert disk size to MB
DISK_SIZE_MB=$((DISK_SIZE_BYTES/1024/1024))
#Get size in bytes from percentage and apply percentage to DISK_SIZE_MB
PERCENTAGE_MB="$((DISK_SIZE_MB*PERCENTAGE/100))"
#Console and whiptail $BG_COLOR_WARNING prompt (Y/n) validate one last time wiping and repartitioning of $device of total size $DISK_SIZE_MB with $PERCENTAGE_MB assigned to LUKS encrypted private partition
#Calculate percentage of device in MB
LUKS_SIZE_MB="$((DISK_SIZE_BYTES*LUKS_PERCENTAGE/100/1024/1024))"
MSG="WARNING: Wiping and repartitioning $DEVICE ($DISK_SIZE_DISPLAY) with $LUKS_SIZE_MB MB\n assigned to private LUKS ext4 partition,\n rest assigned to exFAT public partition.\n\nAre you sure you want to continue?"
if [ -x /bin/whiptail ]; then
whiptail $BG_COLOR_WARNING --title "WARNING: Wiping and repartitioning $DEVICE of $DISK_SIZE_MB MB" --yesno \
"WARNING: Wiping and repartitioning $DEVICE with $PERCENTAGE_MB MB assigned to private LUKS contained private ext4 partition, rest assigned to extfat public partition.\n\nAre you sure you want to continue?" 0 80 \
|| die "User cancelled wiping and repartitioning of $DEVICE"
whiptail $BG_COLOR_WARNING --title "WARNING: Wiping and repartitioning $DEVICE ($DISK_SIZE_DISPLAY)" --yesno \
"$MSG" 0 80
else
echo -e -n "Warning: Wiping and repartitioning $DEVICE with $PERCENTAGE_MB MB assigned to private LUKS contained private ext4 partition, rest assigned to extfat public partition.\n\nAre you sure you want to continue?"
echo -e -n "$MSG"
read -r -p " [Y/n] " response
#transform response to uppercase with bash parameter expansion
response=${response^^}
#continue if response different then uppercase N
if [[ $response =~ ^(N)$ ]]; then
die "User cancelled wiping and repartitioning of $DEVICE"
#continue if response is Y, y, or empty, abort for anything else
if [ -n "$response" ] && [ "${response^^}" != Y ]; then
return 1
fi
fi
}
echo -e "Preparing $DEVICE with $PERCENTAGE_MB MB for private LUKS container and rest of disk with exfat\
\n for public partition (This may take a while)..." | fold -s
# Prepare a flash drive with a private LUKS-encrypted ext4 partition and a
# public exFAT partition. This is not interactive - during OEM reset, any
# selections/confirmations must occur before OEM reset starts resetting the
# system.
#
# $1 - block device of flash drive
# $2 - percentage of flash drive to allocate to LUKS [1-99]
# $3 - passphrase for LUKS container
prepare_thumb_drive()
{
TRACE "Under /etc/luks-functions:prepare_thumb_drive()"
local DEVICE PERCENTAGE PASSPHRASE DISK_SIZE_BYTES PERCENTAGE_MB
DEVICE="$1"
PERCENTAGE="$2"
PASSPHRASE="$3"
#Get disk size in bytes
DISK_SIZE_BYTES="$(blockdev --getsize64 "$DEVICE")"
#Calculate percentage of device in MB
PERCENTAGE_MB="$((DISK_SIZE_BYTES*PERCENTAGE/100/1024/1024))"
echo -e "Preparing $DEVICE with $PERCENTAGE_MB MB for private LUKS container while rest of device will be assigned to exFAT public partition...\n"
echo "Please wait..."
DEBUG "Creating empty DOS partition table on device through fdisk to start clean"
echo -e "o\nw\n" | fdisk $DEVICE > /dev/null 2>&1 || die "Error creating partition table"
echo -e "o\nw\n" | fdisk $DEVICE >/dev/null 2>&1 || die "Error creating partition table"
DEBUG "partition device with two partitions: first one being the percent applied and rest for second partition through fdisk"
echo -e "n\np\n1\n\n+"$PERCENTAGE_MB"M\nn\np\n2\n\n\nw\n" | fdisk $DEVICE > /dev/null 2>&1 || die "Error partitioning device"
DEBUG "cryptsetup luksFormat first partition with LUKS container aes-xts-plain64 cipher with sha256 hash and 512 bit key"
echo -e "n\np\n1\n\n+"$PERCENTAGE_MB"M\nn\np\n2\n\n\nw\n" | fdisk $DEVICE >/dev/null 2>&1 || die "Error partitioning device"
DEBUG "cryptsetup luksFormat first partition with LUKS container aes-xts-plain64 cipher with sha256 hash and 512 bit key"
DEBUG "Creating ${PERCENTAGE_MB}MB LUKS container on ${DEVICE}1..."
DO_WITH_DEBUG cryptsetup --batch-mode -c aes-xts-plain64 -h sha256 -s 512 -y luksFormat ${DEVICE}1 \
--key-file <(echo -n "${PASSPHRASE}") > /dev/null 2>&1 \
@ -216,11 +257,11 @@ prepare_thumb_drive()
DO_WITH_DEBUG cryptsetup open ${DEVICE}1 private --key-file <(echo -n "${PASSPHRASE}") > /dev/null 2>&1 \
|| die "Error opening LUKS container"
DEBUG "Formatting LUKS container mapped under /dev/mapper/private as an ext4 partition..."
mke2fs -t ext4 -L private /dev/mapper/private > /dev/null 2>&1 || die "Error formatting LUKS container's ext4 filesystem"
mke2fs -t ext4 -L private /dev/mapper/private >/dev/null 2>&1 || die "Error formatting LUKS container's ext4 filesystem"
DEBUG "Closing LUKS device /dev/mapper/private..."
cryptsetup close private > /dev/null 2>&1 || die "Error closing LUKS container"
DEBUG "Formatting second partition ${DEVICE}2 with exfat filesystem..."
mkfs.exfat -L public ${DEVICE}2 > /dev/null 2>&1 || die "Error formatting second partition with exfat filesystem"
mkfs.exfat -L public ${DEVICE}2 >/dev/null 2>&1 || die "Error formatting second partition with exfat filesystem"
echo "Done."
}
@ -242,11 +283,11 @@ select_luks_container()
LUKS=$FILE
detect_boot_device
mount -o remount,rw /boot
echo "$LUKS $(cryptsetup luksUUID $LUKS)" > /boot/kexec_key_devices.txt
echo "$LUKS $(cryptsetup luksUUID $LUKS)" >/boot/kexec_key_devices.txt
mount -o remount,ro /boot
fi
else
warn "No encrypted device found."
warn "No encrypted device found"
return 1
fi
fi
@ -255,17 +296,17 @@ select_luks_container()
test_luks_current_disk_recovery_key_passphrase()
{
TRACE "Under /etc/luks-functions:test_luks_current_disk_recovery_key_passphrase()"
while : ; do
while :; do
select_luks_container || return 1
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
#if no external provisioning provides current Disk Recovery Key passphrase
echo -e "\nEnter current Disk Recovery Key passphrase (Provisioned at OS installation or by OEM):"
echo -e "\nEnter current Disk Recovery Key passphrase (Configured at OS installation or by OEM):"
read -r luks_current_Disk_Recovery_Key_passphrase
echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Test opening "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..."
cryptsetup open $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
else
echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Test opening "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..."
cryptsetup open $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
fi
@ -273,10 +314,10 @@ test_luks_current_disk_recovery_key_passphrase()
if [ $? -eq 0 ]; then
whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \
"If you previously changed it and do not remember it, you will have to\n reinstall OS from a an external drive.\n\nTo do so, place ISO file and its signature file on root of external drive,\n and select Options-> Boot from USB \n\nHit Enter to retry." 30 60
shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2> /dev/null
shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null
#unsetting luks_current_Disk_Recovery_Key_passphrase so we prompt for it again Disk Recovery Key passphrase prompt on next round
unset luks_current_Disk_Recovery_Key_passphrase
#remove "known good" selected luks container so that next pass asks again user to select luks container.
#remove "known good" selected LUKS container so that next pass asks again user to select LUKS container.
#maybe the container was not the right one
detect_boot_device
mount -o remount,rw /boot
@ -285,7 +326,7 @@ test_luks_current_disk_recovery_key_passphrase()
else
#LuksOpen test was successful. Cleanup should be called only when done
#Exporting successfully used passphrase possibly reused by oem-factory-reset
#We close the volume
cryptsetup close test
export luks_current_Disk_Recovery_Key_passphrase
@ -294,108 +335,108 @@ test_luks_current_disk_recovery_key_passphrase()
done
}
luks_reencrypt(){
TRACE "Under /etc/luks-functions:luks_reencrypt()"
while : ; do
select_luks_container || return 1
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
#if no external provisioning provides current Disk Recovery Key passphrase
whiptail --title 'Reencrypt LUKS disk encrypted container ?' \
luks_reencrypt() {
TRACE "Under /etc/luks-functions:luks_reencrypt()"
while :; do
select_luks_container || return 1
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
#if no external provisioning provides current Disk Recovery Key passphrase
whiptail --title 'Reencrypt LUKS disk encrypted container ?' \
--msgbox "This will replace the encrypted container content and its Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user in the\nfollowing conditions:\n 1-Every boot if no Disk unlock key was added to the TPM\n 2-If the TPM fails (Hardware failure)\n 3-If the firmware has been tampered with/upgraded/modified by the user\n\nThis process requires you to type the current Disk Recovery Key passphrase\nand will delete TPM Disk unlock key slot if set up by setting a default boot\n LUKS header (slot 1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to\nthe LUKS device container.\n\nHit Enter to continue." 0 80
echo -e "\nEnter current Disk Recovery Key passphrase (Provisioned at OS installation or by OEM):"
read -r luks_current_Disk_Recovery_Key_passphrase
echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Reencrypting "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..."
cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
else
echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Reencrypting "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..."
cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
fi
#Validate past cryptsetup-reencrypt attempts
if [ $(echo $?) -ne 0 ]; then
whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \
"If you previously changed it and do not remember it, you will have to\n reinstall OS from a an external drive.\n\nTo do so, place ISO file and its signature file on root of external drive,\n and select Options-> Boot from USB \n\nHit Enter to retry." 30 60
shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2> /dev/null
#unsetting luks_current_Disk_Recovery_Key_passphrase so we prompt for it again Disk Recovery Key passphrase prompt on next round
unset luks_current_Disk_Recovery_Key_passphrase
#remove "known good" selected luks container so that next pass asks again user to select luks container.
#maybe the container was not the right one
detect_boot_device
mount -o remount,rw /boot
rm -f /boot/kexec_key_devices.txt
mount -o remount,ro /boot
else
#Reencryption was successful. Cleanup should be called only when done
#Exporting successfully used passphrase possibly reused by oem-factory-reset
export luks_current_Disk_Recovery_Key_passphrase
echo -e "\nEnter current Disk Recovery Key passphrase (Configured at OS installation or by OEM):"
read -r luks_current_Disk_Recovery_Key_passphrase
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Reencrypting "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..."
cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
else
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Reencrypting "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..."
cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
fi
#Validate past cryptsetup-reencrypt attempts
if [ $(echo $?) -ne 0 ]; then
whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \
"If you previously changed it and do not remember it, you will have to\n reinstall OS from a an external drive.\n\nTo do so, place ISO file and its signature file on root of external drive,\n and select Options-> Boot from USB \n\nHit Enter to retry." 30 60
shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null
#unsetting luks_current_Disk_Recovery_Key_passphrase so we prompt for it again Disk Recovery Key passphrase prompt on next round
unset luks_current_Disk_Recovery_Key_passphrase
#remove "known good" selected LUKS container so that next pass asks again user to select LUKS container.
#maybe the container was not the right one
detect_boot_device
mount -o remount,rw /boot
rm -f /boot/kexec_key_devices.txt
mount -o remount,ro /boot
else
#Reencryption was successful. Cleanup should be called only when done
#Exporting successfully used passphrase possibly reused by oem-factory-reset
export luks_current_Disk_Recovery_Key_passphrase
break;
fi
done
fi
done
}
luks_change_passphrase()
{
TRACE "Under /etc/luks-functions:luks_change_passphrase()"
while : ; do
select_luks_container || return 1
#if actual or new Disk Recovery Key is not provisioned by oem-provisioning file
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ] || [ -z "$luks_new_Disk_Recovery_Key_passphrase" ] ; then
whiptail --title 'Changing LUKS Disk Recovery Key passphrase' --msgbox \
"Please enter current Disk Recovery Key passphrase (slot 0).\nThen choose a strong passphrase of your own.\n\n**DICEWARE passphrase methodology is STRONGLY ADVISED.**\n\nHit Enter to continue" 30 60
if [ -z "$luks_new_Disk_Recovery_Key_passphrase" ] ; then
echo -e "\nEnter desired replacement for actual Disk Recovery Key passphrase (At least 8 characters long):"
while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do
{
read -r luks_new_Disk_Recovery_Key_passphrase
while :; do
select_luks_container || return 1
#if actual or new Disk Recovery Key is not provisioned by oem-provisioning file
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ] || [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then
whiptail --title 'Changing LUKS Disk Recovery Key passphrase' --msgbox \
"Please enter current Disk Recovery Key passphrase (slot 0).\nThen choose a strong passphrase of your own.\n\n**DICEWARE passphrase methodology is STRONGLY ADVISED.**\n\nHit Enter to continue" 30 60
if [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then
echo -e "\nEnter desired replacement for actual Disk Recovery Key passphrase (At least 8 characters long):"
while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do
{
read -r luks_new_Disk_Recovery_Key_passphrase
};done
fi
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
echo -e "\nEnter current Disk Recovery Key passphrase (Configured at OS installation or by OEM):"
read -r luks_current_Disk_Recovery_Key_passphrase
fi
export luks_current_Disk_Recovery_Key_passphrase
export luks_new_Disk_Recovery_Key_passphrase
echo -n "$luks_new_Disk_Recovery_Key_passphrase" >/tmp/luks_new_Disk_Recovery_Key_passphrase
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Changing "$LUKS" LUKS encrypted disk passphrase to new Disk Recovery Key passphrase..."
cryptsetup luksChangeKey "$LUKS" --key-slot 0 --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase
else
#If current and new Disk Recovery Key were exported
echo -n "$luks_new_Disk_Recovery_Key_passphrase" >/tmp/luks_new_Disk_Recovery_Key_passphrase
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Changing "$LUKS" LUKS encrypted disk passphrase to new Disk Recovery Key passphrase..."
cryptsetup luksChangeKey "$LUKS" --key-slot 0 --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase
fi
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ];then
echo -e "\nEnter current Disk Recovery Key passphrase (Provisioned at OS installation or by OEM):"
read -r luks_current_Disk_Recovery_Key_passphrase
fi
export luks_current_Disk_Recovery_Key_passphrase
export luks_new_Disk_Recovery_Key_passphrase
echo -n "$luks_new_Disk_Recovery_Key_passphrase" > /tmp/luks_new_Disk_Recovery_Key_passphrase
echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Changing "$LUKS" LUKS encrypted disk passphrase to new Disk Recovery Key passphrase..."
cryptsetup luksChangeKey "$LUKS" --key-slot 0 --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase
else
#If current and new Disk Recovery Key were exported
echo -n "$luks_new_Disk_Recovery_Key_passphrase" > /tmp/luks_new_Disk_Recovery_Key_passphrase
echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Changing "$LUKS" LUKS encrypted disk passphrase to new Disk Recovery Key passphrase..."
cryptsetup luksChangeKey "$LUKS" --key-slot 0 --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase
fi
#Validate past cryptsetup attempts
if [ $(echo $?) -ne 0 ]; then
#Cryptsetup luksChangeKey was unsuccessful
whiptail --title 'Invalid LUKS passphrase?' --msgbox \
"The LUKS Disk Recovery Key passphrase was provided to you by the OEM over\n secure communication channel.\n\nIf you previously changed it and do not remember it,\n you will have to reinstall OS from a USB drive.\nTo do so, put OS ISO file and it's signature file on root of USB drive,\n And select Boot from USB\n\nHit Enter to continue." 30 60
unset luks_current_Disk_Recovery_Key_passphrase
unset luks_new_Disk_Recovery_Key_passphrase
#remove "known good" selected luks container so that next pass asks again user to select LUKS container.
#maybe the container was not the right one
detect_boot_device
mount -o remount,rw /boot
rm -f /boot/kexec_key_devices.txt
mount -o remount,ro /boot
else
#Cryptsetup was successful.
#Cleanup should be called seperately.
#Exporting successfully used passphrase possibly reused by oem-factory-reset
export luks_new_Disk_Recovery_Key_passphrase
#Validate past cryptsetup attempts
if [ $(echo $?) -ne 0 ]; then
#Cryptsetup luksChangeKey was unsuccessful
whiptail --title 'Invalid LUKS passphrase?' --msgbox \
"The LUKS Disk Recovery Key passphrase was provided to you by the OEM over\n secure communication channel.\n\nIf you previously changed it and do not remember it,\n you will have to reinstall OS from a USB drive.\nTo do so, put OS ISO file and it's signature file on root of USB drive,\n And select Boot from USB\n\nHit Enter to continue." 30 60
unset luks_current_Disk_Recovery_Key_passphrase
unset luks_new_Disk_Recovery_Key_passphrase
#remove "known good" selected LUKS container so that next pass asks again user to select LUKS container.
#maybe the container was not the right one
detect_boot_device
mount -o remount,rw /boot
rm -f /boot/kexec_key_devices.txt
mount -o remount,ro /boot
else
#Cryptsetup was successful.
#Cleanup should be called seperately.
#Exporting successfully used passphrase possibly reused by oem-factory-reset
export luks_new_Disk_Recovery_Key_passphrase
break;
fi
done
fi
done
}
luks_secrets_cleanup()
{
#Cleanup
shred -n 10 -z -u /tmp/luks_new_Disk_Recovery_Key_passphrase 2> /dev/null || true
shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2> /dev/null || true
shred -n 10 -z -u /tmp/luks_new_Disk_Recovery_Key_passphrase 2>/dev/null || true
shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null || true
unset luks_current_Disk_Recovery_Key_passphrase
unset luks_new_Disk_Recovery_Key_passphrase
}

13
initrd/init
View File

@ -60,6 +60,14 @@ if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
#DEBUG and TRACE calls will output to /dev/kmsg, outputting both on dmesg and on console
dmesg -n 8 || true
DEBUG "Debug output enabled from board CONFIG_DEBUG_OUTPUT=y option (/etc/config)"
else
# Board config did't have CONFIG_DEBUG_OUTPUT=y defined
# config.user extracted and combined from CBFS had CONFIG_DEBUG_OUTPUT=y
# Output only print messages with a priority of 4 (warnings) or lower (errors and critical) kernel messages to console
# This way, "debug" kernel command line option will have all kernel messages output on console prior of this point
# This is useful to debug boot issues but permits qemu board to boot without flooding console with kernel messages by disabling CONFIG_DEBUG_OUTPUT=y in qemu board config
dmesg -n 4 || true
DEBUG "Debug output enabled from /etc/config.user's CONFIG_DEBUG_OUTPUT=y after combine_configs (Config menu enabled Debug)"
fi
TRACE "Under init"
@ -160,6 +168,11 @@ if [ "$boot_option" = "r" ]; then
recovery 'User requested recovery shell'
# just in case...
exit
elif [ "$boot_option" = "o" ]; then
# Launch OEM Factory Reset/Re-Ownership
oem-factory-reset
# just in case...
exit
fi
if [ "$CONFIG_BASIC" = "y" ]; then

6
initrd/sbin/insmod
View File

@ -30,16 +30,16 @@ if [ ! -r /sys/class/tpm/tpm0/pcrs -o ! -x /bin/tpm ]; then
fi
if [ -z "$tpm_missing" ]; then
DEBUG "Extending PCR $MODULE_PCR with $MODULE"
DEBUG "Extending TPM PCR $MODULE_PCR with $MODULE prior of usage"
tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \
|| die "$MODULE: tpm extend failed"
fi
if [ ! -z "$*" -a -z "$tpm_missing" ]; then
DEBUG "Extending PCR $MODULE_PCR with $*"
DEBUG "Extending TPM PCR $MODULE_PCR with $*"
TMPFILE=/tmp/insmod.$$
echo "$@" > $TMPFILE
DEBUG "Extending PCR $MODULE_PCR with $TMPFILE"
DEBUG "Extending TPM PCR $MODULE_PCR with $MODULE prior of usage"
tpmr extend -ix "$MODULE_PCR" -if $TMPFILE \
|| die "$MODULE: tpm extend on arguments failed"
fi