From 22a86e6d48977e87344460dc3618768486e7fcba Mon Sep 17 00:00:00 2001
From: Jonathon Hall <jonathon.hall@puri.sm>
Date: Thu, 16 Jan 2025 09:55:16 -0500
Subject: [PATCH] oem-factory-reset: Only badger user to record passphrases if
 generated

There are many flows through oem-factory-reset that use passwords
provided by the user or basic defaults to be changed later.  We don't
need to badger the user to record those passwords.

Still do this if we generated diceware passwords though, as the user
does not know them yet.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
---
 initrd/bin/oem-factory-reset | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset
index b504ec95..db8b330e 100755
--- a/initrd/bin/oem-factory-reset
+++ b/initrd/bin/oem-factory-reset
@@ -42,6 +42,10 @@ GPG_ALGO="RSA"
 # Default RSA key length is 3072 bits for OEM key gen. 4096 are way longer to generate in smartcard
 RSA_KEY_LENGTH=3072
 
+# If we use complex generated passphrases, we will really try hard to make the
+# user record them
+MAKE_USER_RECORD_PASSPHRASES=
+
 # Function to handle --mode parameter
 handle_mode() {
 	local mode=$1
@@ -52,6 +56,8 @@ handle_mode() {
 		USER_PIN=$CUSTOM_SINGLE_PASS
 		ADMIN_PIN=$CUSTOM_SINGLE_PASS
 		TPM_PASS=$CUSTOM_SINGLE_PASS
+		# User doesn't know this password, really badger them to record it
+		MAKE_USER_RECORD_PASSPHRASES=y
 
 		title_text="OEM Factory Reset Mode"
 		;;
@@ -60,6 +66,8 @@ handle_mode() {
 		USER_PIN=$(generate_passphrase --number_words 2 --max_length $MAX_HOTP_GPG_PIN_LENGTH)
 		ADMIN_PIN=$(generate_passphrase --number_words 2 --max_length $MAX_HOTP_GPG_PIN_LENGTH)
 		TPM_PASS=$ADMIN_PIN
+		# User doesn't know this password, really badger them to record it
+		MAKE_USER_RECORD_PASSPHRASES=y
 
 		title_text="User Re-Ownership Mode"
 		;;
@@ -1078,6 +1086,10 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
 		if [ -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
 			luks_new_Disk_Recovery_Key_passphrase=${CUSTOM_SINGLE_PASS}
 		fi
+
+		# The user knows this password, we don't need to badger them to
+		# record it
+		MAKE_USER_RECORD_PASSPHRASES=
 	else
 		echo -e -n "Would you like to set distinct PINs/passwords to configure previously stated security components? [y/N]: "
 		read -n 1 prompt_output
@@ -1108,6 +1120,9 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
 				done
 			fi
 			echo
+			# The user knows these passwords, we don't need to
+			# badger them to record them
+			MAKE_USER_RECORD_PASSPHRASES=
 		fi
 	fi
 
@@ -1429,6 +1444,11 @@ fi
 while true; do
 	whiptail --msgbox "$(echo -e "$passphrases" | fold -w $((WIDTH - 5)))" \
 		$HEIGHT $WIDTH --title "Configured secrets"
+	if [ "$MAKE_USER_RECORD_PASSPHRASES" != y ]; then
+		# Passwords were user-supplied or not complex, we do not need to
+		# badger the user to record them
+		break
+	fi
 	#Tell user to scan the QR code containing all configured secrets
 	echo -e "\nScan the QR code below to save the secrets to a secure location"
 	qrenc "$(echo -e "$passphrases")"