From 22a86e6d48977e87344460dc3618768486e7fcba Mon Sep 17 00:00:00 2001
From: Jonathon Hall
Date: Thu, 16 Jan 2025 09:55:16 -0500
Subject: [PATCH] oem-factory-reset: Only badger user to record passphrases if generated

There are many flows through oem-factory-reset that use passwords provided by the user or basic defaults to be changed later. We don't need to badger the user to record those passwords. Still do this if we generated diceware passwords though, as the user does not know them yet.

Signed-off-by: Jonathon Hall
---
 initrd/bin/oem-factory-reset | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset
index b504ec95..db8b330e 100755
--- a/initrd/bin/oem-factory-reset
+++ b/initrd/bin/oem-factory-reset
@@ -42,6 +42,10 @@ GPG_ALGO="RSA"
 # Default RSA key length is 3072 bits for OEM key gen. 4096 are way longer to generate in smartcard
 RSA_KEY_LENGTH=3072
 
+# If we use complex generated passphrases, we will really try hard to make the
+# user record them
+MAKE_USER_RECORD_PASSPHRASES=
+
 # Function to handle --mode parameter
 handle_mode() {
 local mode=$1
@@ -52,6 +56,8 @@ handle_mode() {
 USER_PIN=$CUSTOM_SINGLE_PASS
 ADMIN_PIN=$CUSTOM_SINGLE_PASS
 TPM_PASS=$CUSTOM_SINGLE_PASS
+ # User doesn't know this password, really badger them to record it
+ MAKE_USER_RECORD_PASSPHRASES=y
 title_text="OEM Factory Reset Mode"
 ;;
 
@@ -60,6 +66,8 @@ handle_mode() {
 USER_PIN=$(generate_passphrase --number_words 2 --max_length $MAX_HOTP_GPG_PIN_LENGTH)
 ADMIN_PIN=$(generate_passphrase --number_words 2 --max_length $MAX_HOTP_GPG_PIN_LENGTH)
 TPM_PASS=$ADMIN_PIN
+ # User doesn't know this password, really badger them to record it
+ MAKE_USER_RECORD_PASSPHRASES=y
 title_text="User Re-Ownership Mode"
 ;;
 
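Review bot: The new MAKE_USER_RECORD_PASSPHRASES declaration in the first hunk documents the intent but not the protocol: which values the flag takes, who sets it and where it is consumed, which matters because this patch assigns it in five separate places and tests it in a sixth. Suggest widening the comment to `# "y" when handle_mode generated passphrases the user has never seen; cleared again in the interactive path once the user supplies their own; checked before the record-secrets prompt.` so a later edit to one site does not silently break the others.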
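Review bot: In the "OEM Factory Reset Mode" arm the added comment says the user does not know this password, yet the three PINs it refers to are copies of CUSTOM_SINGLE_PASS, whose assignment lies above the hunk, and the defaults path around line 1086 describes the same variable as known to the user before clearing the flag. If CUSTOM_SINGLE_PASS is a generated diceware value in this arm (which the commit message implies), state that in the comment so the two readings do not look contradictory, e.g. `# CUSTOM_SINGLE_PASS was generated above and never shown to the user; insist they record it`. The re-ownership arm in the next hunk is unambiguous because it calls generate_passphrase directly. handle_mode's case statement begins and ends outside these hunks.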
@@ -1078,6 +1086,10 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
 if [ -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
 luks_new_Disk_Recovery_Key_passphrase=${CUSTOM_SINGLE_PASS}
 fi
+
+ # The user knows this password, we don't need to badger them to
+ # record it
+ MAKE_USER_RECORD_PASSPHRASES=
 else
 echo -e -n "Would you like to set distinct PINs/passwords to configure previously stated security components? [y/N]: "
 read -n 1 prompt_output
@@ -1108,6 +1120,9 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
 done
 fi
 echo
+ # The user knows these passwords, we don't need to
+ # badger them to record them
+ MAKE_USER_RECORD_PASSPHRASES=
 fi
 fi
 
@@ -1429,6 +1444,11 @@ fi
 while true; do
 whiptail --msgbox "$(echo -e "$passphrases" | fold -w $((WIDTH - 5)))" \
 $HEIGHT $WIDTH --title "Configured secrets"
+ if [ "$MAKE_USER_RECORD_PASSPHRASES" != y ]; then
+ # Passwords were user-supplied or not complex, we do not need to
+ # badger the user to record them
+ break
+ fi
 #Tell user to scan the QR code containing all configured secrets
 echo -e "\nScan the QR code below to save the secrets to a secure location"
 qrenc "$(echo -e "$passphrases")"
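Review bot: Both clears of MAKE_USER_RECORD_PASSPHRASES in the interactive branch (the hunk at 1086 and again at 1120) are unconditional, so they also discard a `y` set earlier by handle_mode; that is only correct if every secret generated there is overwritten by user input on this path. In the first of these hunks the LUKS recovery passphrase is replaced only when luks_new_Disk_Recovery_Key_passphrase_desired is set, so if any other generated value can likewise survive here, the user would no longer be prompted to record it; this should be confirmed against the prompts that precede the hunk, which are outside it. If that gap is real, clear the flag only at the point where the user-entered value actually replaces the generated ones, or leave it as `y` when any generated secret remains. The enclosing if/else block begins and ends outside both hunks.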
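Review bot: The guard `if [ "$MAKE_USER_RECORD_PASSPHRASES" != y ]; then` in the last hunk compares against a bare literal while the surrounding file quotes its literals (`"n"`, `"N"` in the use_defaults test); `!= "y"` reads consistently and makes the sentinel visible as a string. Because the break comes after the whiptail msgbox, the secrets are still displayed once even for user-supplied passwords; if that is deliberate (so the user can verify what they typed), a short addition to the comment such as `# still shown once above so the user can verify them` would keep the next reader from moving the check above the msgbox. The while loop's body continues past the hunk.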