oem-factory-reset: Only badger user to record passphrases if generated

There are many flows through oem-factory-reset that use passwords
provided by the user, or basic defaults that are meant to be changed
later.  We don't need to badger the user to record those passwords.

Still do this if we generated diceware passwords though, as the user
does not know them yet.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Jonathon Hall 2025-01-16 09:55:16 -05:00 committed by Thierry Laurion
parent 2872f44621
commit 22a86e6d48
No known key found for this signature in database
GPG Key ID: 9A53E1BB3FF00461


@ -42,6 +42,10 @@ GPG_ALGO="RSA"
# Default RSA key length is 3072 bits for OEM key gen. 4096 are way longer to generate in smartcard
RSA_KEY_LENGTH=3072
# If we use complex generated passphrases, we will really try hard to make the
# user record them
MAKE_USER_RECORD_PASSPHRASES=
# Function to handle --mode parameter
handle_mode() {
local mode=$1
@ -52,6 +56,8 @@ handle_mode() {
USER_PIN=$CUSTOM_SINGLE_PASS
ADMIN_PIN=$CUSTOM_SINGLE_PASS
TPM_PASS=$CUSTOM_SINGLE_PASS
# User doesn't know this password, really badger them to record it
MAKE_USER_RECORD_PASSPHRASES=y
title_text="OEM Factory Reset Mode"
;;
@ -60,6 +66,8 @@ handle_mode() {
USER_PIN=$(generate_passphrase --number_words 2 --max_length $MAX_HOTP_GPG_PIN_LENGTH)
ADMIN_PIN=$(generate_passphrase --number_words 2 --max_length $MAX_HOTP_GPG_PIN_LENGTH)
TPM_PASS=$ADMIN_PIN
# User doesn't know this password, really badger them to record it
MAKE_USER_RECORD_PASSPHRASES=y
title_text="User Re-Ownership Mode"
;;
@ -1078,6 +1086,10 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
if [ -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
luks_new_Disk_Recovery_Key_passphrase=${CUSTOM_SINGLE_PASS}
fi
# The user knows this password, we don't need to badger them to
# record it
MAKE_USER_RECORD_PASSPHRASES=
else
echo -e -n "Would you like to set distinct PINs/passwords to configure previously stated security components? [y/N]: "
read -n 1 prompt_output
@ -1108,6 +1120,9 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
done
fi
echo
# The user knows these passwords, we don't need to
# badger them to record them
MAKE_USER_RECORD_PASSPHRASES=
fi
fi
@ -1429,6 +1444,11 @@ fi
while true; do
whiptail --msgbox "$(echo -e "$passphrases" | fold -w $((WIDTH - 5)))" \
$HEIGHT $WIDTH --title "Configured secrets"
if [ "$MAKE_USER_RECORD_PASSPHRASES" != y ]; then
# Passwords were user-supplied or not complex, we do not need to
# badger the user to record them
break
fi
#Tell user to scan the QR code containing all configured secrets
echo -e "\nScan the QR code below to save the secrets to a secure location"
qrenc "$(echo -e "$passphrases")"
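Review bot: The flag is tied to where the secret is generated only in the re-ownership case; in the OEM Factory Reset case (`USER_PIN=$CUSTOM_SINGLE_PASS` followed by `MAKE_USER_RECORD_PASSPHRASES=y`) the comment asserts the user does not know the password, yet `CUSTOM_SINGLE_PASS` is also the variable the user-supplied path copies into `luks_new_Disk_Recovery_Key_passphrase`, so whether it was generated or typed depends on code outside these hunks. Setting the flag at the `generate_passphrase` call that presumably fills `CUSTOM_SINGLE_PASS`, rather than in the mode dispatch, would keep the badger decision bound to how the secret was actually produced and would make the two later resets to empty unnecessary. At minimum, document the contract at the declaration: `# y = at least one configured secret was generated by this script and has not yet been shown to the user; empty = every secret was user-supplied or a default`. The `while true` loop in the last hunk continues past the hunk, so the new `break` also skips whatever confirmation follows the QR code; if that is intended, say so in the comment above it, e.g. `# also skips the record-confirmation prompt below`.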