ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2025-02-20 17:22:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add Librem Key support to Heads

Browse Source 
The Librem Key is a custom device USB-based security token Nitrokey is
producing for Purism and among other things it has custom firmware
created for use with Heads. In particular, when a board is configured
with CONFIG_LIBREMKEY, this custom firmware allows Heads to use the
sealed TOTP secret to also send an HOTP authentication to the Librem
Key. If the HOTP code is successful, the Librem Key will blink a green
LED, if unsuccessful it will blink red, thereby informing the user that
Heads has been tampered with without requiring them to use a phone to
validate the TOTP secret.

Heads will still use and show the TOTP secret, in case the user wants to
validate both codes (in case the Librem Key was lost or is no longer
trusted). It will also show the result of the HOTP verification (but not
the code itself), even though the user should trust only what the Librem
Key displays, so the user can confirm that both the device and Heads are
in sync. If HOTP is enabled, Heads will maintain a new TPM counter
separate from the Heads TPM counter that will increment each time HOTP
codes are checked.

This change also modifies the routines that update TOTP so that if
the Librem Key executables are present it will also update HOTP codes
and synchronize them with a Librem Key.
This commit is contained in:
Kyle Rankin 2018-06-19 12:27:27 -07:00
parent 584c07042e
commit 31cf85b707
No known key found for this signature in database
GPG Key ID: 555577116BFA74B9
9 changed files with 253 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Makefile
View File

@ -395,7 +395,7 @@ bin_modules-$(CONFIG_FLASHTOOLS) += flashtools
bin_modules-$(CONFIG_NEWT) += newt
bin_modules-$(CONFIG_CAIRO) += cairo
bin_modules-$(CONFIG_FBWHIPTAIL) += fbwhiptail
bin_modules-$(CONFIG_NITROKEY) += nitrokey-hotp-verification
bin_modules-$(CONFIG_LIBREMKEY) += libremkey-hotp-verification
$(foreach m, $(bin_modules-y), \
$(call map,initrd_bin_add,$(call bins,$m)) \

1
boards/librem13v2/librem13v2.config
View File

@ -20,6 +20,7 @@ CONFIG_TPMTOTP=y
#CONFIG_NEWT=y
CONFIG_CAIRO=y
CONFIG_FBWHIPTAIL=y
CONFIG_LIBREMKEY=y
CONFIG_LINUX_USB=y

1
boards/librem15v3/librem15v3.config
View File

@ -22,6 +22,7 @@ CONFIG_TPMTOTP=y
#CONFIG_NEWT=y
CONFIG_CAIRO=y
CONFIG_FBWHIPTAIL=y
CONFIG_LIBREMKEY=y
CONFIG_LINUX_USB=y

90
initrd/bin/gui-init
View File

@ -75,12 +75,7 @@ update_checksums()
# We don't need them after the user decides to sign
rm -f /boot/kexec_package_trigger*
# sign and auto-roll config counter
extparam=
if [ "$CONFIG_TPM" = "y" ]; then
extparam=-u
fi
kexec-sign-config -p /boot $extparam \
kexec-sign-config -p /boot \
|| die "Failed to sign default config"
# switch back to ro mode
@ -89,6 +84,20 @@ update_checksums()
echo "Returning to the main menu"
fi
}
update_totp()
{
echo "Scan the QR code to add the new TOTP secret"
/bin/seal-totp
if [ -x /bin/libremkey_hotp_verification ]; then
echo "Once you have scanned the QR code, hit Enter to configure your Librem Key"
read
/bin/seal-libremkey
else
echo "Once you have scanned the QR code, hit Enter to reboot"
read
fi
/bin/reboot
}
last_half=X
while true; do
@ -106,7 +115,7 @@ while true; do
if [ $? -ne 0 ]; then
whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: TOTP Generation Failed!" \
--menu "ERROR: Heads couldn't generate the TOTP code.\n\nIf you just reflashed your BIOS, you'll need to generate a new TOTP secret.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nIf this is the first time the system has booted, you should reset the TPM\nand set your own password\n\nHow would you like to proceed?" 30 90 4 \
'g' ' Generate new TOTP secret' \
'g' ' Generate new TOTP/HOTP secret' \
'i' ' Ignore error and continue to default boot menu' \
'p' ' Reset the TPM' \
'x' ' Exit to recovery shell' \
@ -117,11 +126,30 @@ while true; do
fi
if [ "$totp_confirm" = "i" -o -z "$totp_confirm" ]; then
if [ -x /bin/libremkey_hotp_verification ]; then
HOTP=`unseal-hotp`
enable_usb
# Don't output HOTP codes to screen, so as to make replay attacks harder
libremkey_hotp_verification check $HOTP
case "$?" in
0 )
HOTP="success"
;;
4 )
HOTP="invalid code"
;;
* )
HOTP="error checking code"
;;
esac
else
HOTP='N/A'
fi
whiptail --clear --title "$CONFIG_BOOT_GUI_MENU_NAME" \
--menu "$date\nTOTP code: $TOTP" 20 90 10 \
--menu "$date\nTOTP: $TOTP | HOTP: $HOTP" 20 90 10 \
'y' ' Default boot' \
'r' ' TOTP does not match, refresh code' \
'n' ' TOTP does not match after refresh, troubleshoot' \
'r' ' TOTP/HOTP does not match, refresh code' \
'o' ' Other Boot Options -->' \
'a' ' Advanced Settings -->' \
'x' ' Exit to recovery shell' \
@ -145,10 +173,11 @@ while true; do
if [ "$totp_confirm" = "a" ]; then
whiptail --clear --title "Advanced Settings" \
--menu "Configure Advanced Settings" 20 90 10 \
'g' ' Generate new TOTP secret' \
'p' ' Reset the TPM' \
'g' ' Generate new TOTP/HOTP secret' \
's' ' Update checksums and sign all files in /boot' \
'f' ' Flash/Update the BIOS -->' \
'p' ' Reset the TPM' \
'n' ' TOTP/HOTP does not match after refresh, troubleshoot' \
'r' ' <-- Return to main menu' \
2>/tmp/whiptail || recovery "GUI menu failed"
@ -164,14 +193,14 @@ while true; do
fi
if [ "$totp_confirm" = "n" ]; then
if (whiptail $CONFIG_WARNING_BG_COLOR --title "TOTP code mismatched" \
--yesno "TOTP code mismatches could indicate either TPM tampering or clock drift:\n\nTo correct clock drift: 'date -s HH:MM:SS'\nand save it to the RTC: 'hwclock -w'\nthen reboot and try again.\n\nWould you like to exit to a recovery console?" 30 90) then
if (whiptail $CONFIG_WARNING_BG_COLOR --title "TOTP/HOTP code mismatched" \
--yesno "TOTP/HOTP code mismatches could indicate either TPM tampering or clock drift:\n\nTo correct clock drift: 'date -s HH:MM:SS'\nand save it to the RTC: 'hwclock -w'\nthen reboot and try again.\n\nWould you like to exit to a recovery console?" 30 90) then
echo ""
echo "To correct clock drift: 'date -s HH:MM:SS'"
echo "and save it to the RTC: 'hwclock -w'"
echo "then reboot and try again"
echo ""
recovery "TOTP mismatch"
recovery "TOTP/HOTP mismatch"
else
continue
fi
@ -183,13 +212,9 @@ while true; do
fi
if [ "$totp_confirm" = "g" ]; then
if (whiptail --title 'Generate new TOTP secret' \
if (whiptail --title 'Generate new TOTP/HOTP secret' \
--yesno "This will erase your old secret and replace it with a new one!\n\nDo you want to proceed?" 16 90) then
echo "Scan the QR code to add the new TOTP secret"
/bin/seal-totp
echo "Once you have scanned the QR code, hit Enter to reboot"
read
/bin/reboot
update_totp
else
echo "Returning to the main menu"
fi
@ -198,20 +223,27 @@ while true; do
if [ "$totp_confirm" = "p" ]; then
if (whiptail --title 'Reset the TPM' \
--yesno "This will clear the TPM, erase the old TPM password and replace it with a new one!\n\nDo you want to proceed?" 16 90) then
--yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 16 90) then
/bin/tpm-reset
# now that the TPM is reset, remove invalid kexec_rollback.txt file
# now that the TPM is reset, remove invalid TPM counter files
mount_boot
mount -o rw,remount /boot
rm -f /boot/kexec_rollback.txt
rm -f /boot/kexec_rollback.txt /boot/kexec_hotp_counter
# create Heads TPM counter before any others
check_tpm_counter /boot/kexec_rollback.txt \
|| die "Unable to find/create tpm counter"
counter="$TPM_COUNTER"
increment_tpm_counter $counter \
|| die "Unable to increment tpm counter"
sha256sum /tmp/counter-$counter > /boot/kexec_rollback.txt \
|| die "Unable to create rollback file"
mount -o ro,remount /boot
echo "Scan the QR code to add the new TOTP secret"
/bin/seal-totp
echo "Once you have scanned the QR code, hit Enter to reboot"
read
/bin/reboot
update_totp
else
echo "Returning to the main menu"
fi

84
initrd/bin/seal-libremkey Executable file
View File

@ -0,0 +1,84 @@
#!/bin/sh
# Retrieve the sealed TOTP secret and initialize a Librem Key with it
. /etc/functions
HOTP_SEALED="/tmp/secret/hotp.sealed"
HOTP_SECRET="/tmp/secret/hotp.key"
HOTP_COUNTER="/boot/kexec_hotp_counter"
mount_boot()
{
# Mount local disk if it is not already mounted
if ! grep -q /boot /proc/mounts ; then
mount -o ro /boot \
|| recovery "Unable to mount /boot"
fi
}
tpm nv_readvalue \
-in 4d47 \
-sz 312 \
-of "$HOTP_SEALED" \
|| die "Unable to retrieve sealed file from TPM NV"
tpm unsealfile \
-hk 40000000 \
-if "$HOTP_SEALED" \
-of "$HOTP_SECRET" \
|| die "Unable to unseal HOTP secret"
rm -f "$HOTP_SEALED"
secret="`cat $HOTP_SECRET`"
rm -f "$HOTP_SECRET"
# get current value of HOTP counter in TPM, create if absent
mount_boot
check_tpm_counter $HOTP_COUNTER hotp \
|| die "Unable to find/create TPM counter"
counter="$TPM_COUNTER"
counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")')
if [ "$counter_value" == "" ]; then
die "Unable to read HOTP TPM counter"
fi
counter_value=$(printf "%d" 0x${counter_value})
enable_usb
if ! libremkey_hotp_verification info ; then
echo "Insert your Librem Key and press Enter to configure it"
read
libremkey_hotp_verification info \
|| die "Unable to find Librem Key"
fi
read -s -p "Enter your Librem Key Admin PIN" admin_pin
echo
libremkey_hotp_initialize $admin_pin $secret $counter_value
if [ $? -ne 0 ]; then
read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again:" admin_pin
libremkey_hotp_initialize $admin_pin $secret $counter_value \
|| die "Setting HOTP secret failed"
fi
secret=""
# Make sure our counter is incremented ahead of the next check
increment_tpm_counter $counter > /dev/null \
|| die "Unable to increment tpm counter"
increment_tpm_counter $counter > /dev/null \
|| die "Unable to increment tpm counter"
mount -o remount,rw /boot
sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
|| die "Unable to create hotp counter file"
mount -o remount,ro /boot
echo "Librem Key initialized successfully. Press Enter to continue."
read
exit 0

63
initrd/bin/unseal-hotp Executable file
View File

@ -0,0 +1,63 @@
#!/bin/sh
# Retrieve the sealed file and counter from the NVRAM, unseal it and compute the hotp
. /etc/functions
HOTP_SEALED="/tmp/secret/hotp.sealed"
HOTP_SECRET="/tmp/secret/hotp.key"
HOTP_COUNTER="/boot/kexec_hotp_counter"
mount_boot()
{
# Mount local disk if it is not already mounted
if ! grep -q /boot /proc/mounts ; then
mount -o ro /boot \
|| recovery "Unable to mount /boot"
fi
}
tpm nv_readvalue \
-in 4d47 \
-sz 312 \
-of "$HOTP_SEALED" \
|| die "Unable to retrieve sealed file from TPM NV"
tpm unsealfile \
-hk 40000000 \
-if "$HOTP_SEALED" \
-of "$HOTP_SECRET" \
|| die "Unable to unseal HOTP secret"
rm -f "$HOTP_SEALED"
# get current value of HOTP counter in TPM, create if absent
mount_boot
check_tpm_counter $HOTP_COUNTER hotp \
|| die "Unable to find/create TPM counter"
counter="$TPM_COUNTER"
counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")')
if [ "$counter_value" == "" ]; then
die "Unable to read HOTP TPM counter"
fi
counter_value=$(printf "%d" 0x${counter_value})
if ! hotp $counter_value < "$HOTP_SECRET"; then
rm -f "$HOTP_SECRET"
die 'Unable to compute HOTP hash?'
fi
rm -f "$HOTP_SECRET"
increment_tpm_counter $counter > /dev/null \
|| die "Unable to increment tpm counter"
mount -o remount,rw /boot
sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
|| die "Unable to create hotp counter file"
mount -o remount,ro /boot
exit 0

9
initrd/etc/functions
View File

@ -138,18 +138,13 @@ confirm_gpg_card()
check_tpm_counter()
{
LABEL=${2:-3135106223}
# if the /boot.hashes file already exists, read the TPM counter ID
# from it.
if [ -r "$1" ]; then
TPM_COUNTER=`grep counter- "$1" | cut -d- -f2`
else
# Initialize label to default if not set
if [ "$2" != "" ]; then
LABEL=$2
else
LABEL=3135106223
fi
warn "$BOOT_HASHES does not exist; creating new TPM counter"
warn "$1 does not exist; creating new TPM counter"
read -s -p "TPM Owner password: " tpm_password
echo
tpm counter_create \

19
modules/libremkey-hotp-verification Normal file
View File

@ -0,0 +1,19 @@
modules-$(CONFIG_LIBREMKEY) += libremkey-hotp-verification
libremkey-hotp-verification_depends := libusb $(musl_dep)
libremkey-hotp-verification_version := git
libremkey-hotp-verification_dir := libremkey-hotp-verification
libremkey-hotp-verification_repo := --recursive https://github.com/Nitrokey/nitrokey-hotp-verification
libremkey-hotp-verification_target := \
$(MAKE_JOBS) \
$(CROSS_TOOLS) \
libremkey-hotp-verification_output := \
libremkey_hotp_verification \
libremkey_hotp_initialize
libremkey-hotp-verification_configure := \
INSTALL="$(INSTALL)" \
cmake -DCMAKE_TOOLCHAIN_FILE=./Toolchain-heads.cmake -DCMAKE_AR="$(CROSS)ar" .

21
patches/libremkey-hotp-verification.patch Normal file
View File

@ -0,0 +1,21 @@
--- nitrokey-hotp-verification-a/Toolchain-heads.cmake 2018-05-22 09:55:46.907209235 -0700
+++ nitrokey-hotp-verification-b/Toolchain-heads.cmake 2018-05-22 09:55:26.659371966 -0700
@@ -0,0 +1,18 @@
+SET(CMAKE_SYSTEM_NAME Linux)
+SET(CMAKE_SYSTEM_VERSION 1)
+
+# Specify the cross compiler
+SET(CMAKE_C_COMPILER $ENV{INSTALL}/bin/musl-gcc)
+SET(CMAKE_CXX_COMPILER $ENV{INSTALL}/bin/musl-gcc)
+
+# Where is the target environment
+SET(CMAKE_FIND_ROOT_PATH $ENV{INSTALL})
+
+# Search for programs only in the build host directories
+SET(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER)
+
+# Search for libraries and headers only in the target directories
+SET(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY)
+SET(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY)
+
+INCLUDE_DIRECTORIES(hidapi)