ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2025-01-18 10:46:44 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge branch 'add_librem_key_support' of https://github.com/kylerankin/heads

Browse Source
This commit is contained in:
Trammell Hudson 2018-11-07 16:37:01 -05:00
commit 3f53cfe05b
Failed to extract signature
10 changed files with 294 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Makefile
View File

@ -399,7 +399,7 @@ bin_modules-$(CONFIG_FLASHTOOLS) += flashtools
bin_modules-$(CONFIG_NEWT) += newt bin_modules-$(CONFIG_NEWT) += newt
bin_modules-$(CONFIG_CAIRO) += cairo bin_modules-$(CONFIG_CAIRO) += cairo
bin_modules-$(CONFIG_FBWHIPTAIL) += fbwhiptail bin_modules-$(CONFIG_FBWHIPTAIL) += fbwhiptail
bin_modules-$(CONFIG_NITROKEY) += nitrokey-hotp-verification bin_modules-$(CONFIG_LIBREMKEY) += libremkey-hotp-verification
$(foreach m, $(bin_modules-y), \ $(foreach m, $(bin_modules-y), \
$(call map,initrd_bin_add,$(call bins,$m)) \ $(call map,initrd_bin_add,$(call bins,$m)) \

1
boards/librem13v2/librem13v2.config
View File

@ -20,6 +20,7 @@ CONFIG_TPMTOTP=y
#CONFIG_NEWT=y #CONFIG_NEWT=y
CONFIG_CAIRO=y CONFIG_CAIRO=y
CONFIG_FBWHIPTAIL=y CONFIG_FBWHIPTAIL=y
CONFIG_LIBREMKEY=y
CONFIG_LINUX_USB=y CONFIG_LINUX_USB=y

1
boards/librem15v3/librem15v3.config
View File

@ -22,6 +22,7 @@ CONFIG_TPMTOTP=y
#CONFIG_NEWT=y #CONFIG_NEWT=y
CONFIG_CAIRO=y CONFIG_CAIRO=y
CONFIG_FBWHIPTAIL=y CONFIG_FBWHIPTAIL=y
CONFIG_LIBREMKEY=y
CONFIG_LINUX_USB=y CONFIG_LINUX_USB=y

88
initrd/bin/gui-init
View File

@ -89,10 +89,25 @@ update_checksums()
echo "Returning to the main menu" echo "Returning to the main menu"
fi fi
} }
update_totp()
{
echo "Scan the QR code to add the new TOTP secret"
/bin/seal-totp
if [ -x /bin/libremkey_hotp_verification ]; then
echo "Once you have scanned the QR code, hit Enter to configure your Librem Key"
read
/bin/seal-libremkey
else
echo "Once you have scanned the QR code, hit Enter to reboot"
read
fi
/bin/reboot
}
last_half=X last_half=X
while true; do while true; do
MAIN_MENU_OPTIONS="" MAIN_MENU_OPTIONS=""
MAIN_MENU_BG_COLOR=""
unset totp_confirm unset totp_confirm
# update the TOTP code every thirty seconds # update the TOTP code every thirty seconds
date=`date "+%Y-%m-%d %H:%M:%S"` date=`date "+%Y-%m-%d %H:%M:%S"`
@ -106,7 +121,7 @@ while true; do
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: TOTP Generation Failed!" \ whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: TOTP Generation Failed!" \
--menu "ERROR: Heads couldn't generate the TOTP code.\n\nIf you just reflashed your BIOS, you'll need to generate a new TOTP secret.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nIf this is the first time the system has booted, you should reset the TPM\nand set your own password\n\nHow would you like to proceed?" 30 90 4 \ --menu "ERROR: Heads couldn't generate the TOTP code.\n\nIf you just reflashed your BIOS, you'll need to generate a new TOTP secret.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nIf this is the first time the system has booted, you should reset the TPM\nand set your own password\n\nHow would you like to proceed?" 30 90 4 \
'g' ' Generate new TOTP secret' \ 'g' ' Generate new TOTP/HOTP secret' \
'i' ' Ignore error and continue to default boot menu' \ 'i' ' Ignore error and continue to default boot menu' \
'p' ' Reset the TPM' \ 'p' ' Reset the TPM' \
'x' ' Exit to recovery shell' \ 'x' ' Exit to recovery shell' \
@ -117,11 +132,32 @@ while true; do
fi fi
if [ "$totp_confirm" = "i" -o -z "$totp_confirm" ]; then if [ "$totp_confirm" = "i" -o -z "$totp_confirm" ]; then
whiptail --clear --title "$CONFIG_BOOT_GUI_MENU_NAME" \ if [ -x /bin/libremkey_hotp_verification ]; then
--menu "$date\nTOTP code: $TOTP" 20 90 10 \ HOTP=`unseal-hotp`
enable_usb
# Don't output HOTP codes to screen, so as to make replay attacks harder
libremkey_hotp_verification check $HOTP
case "$?" in
0 )
HOTP="Success"
;;
4 )
HOTP="Invalid code"
MAIN_MENU_BG_COLOR=$CONFIG_ERROR_BG_COLOR
;;
* )
HOTP="Error checking code, Insert Librem Key and retry"
MAIN_MENU_BG_COLOR=$CONFIG_WARNING_BG_COLOR
;;
esac
else
HOTP='N/A'
fi
whiptail $MAIN_MENU_BG_COLOR --clear --title "$CONFIG_BOOT_GUI_MENU_NAME" \
--menu "$date\nTOTP: $TOTP | HOTP: $HOTP" 20 90 10 \
'y' ' Default boot' \ 'y' ' Default boot' \
'r' ' TOTP does not match, refresh code' \ 'r' ' TOTP/HOTP does not match, refresh code' \
'n' ' TOTP does not match after refresh, troubleshoot' \
'o' ' Other Boot Options -->' \ 'o' ' Other Boot Options -->' \
'a' ' Advanced Settings -->' \ 'a' ' Advanced Settings -->' \
'x' ' Exit to recovery shell' \ 'x' ' Exit to recovery shell' \
@ -145,10 +181,11 @@ while true; do
if [ "$totp_confirm" = "a" ]; then if [ "$totp_confirm" = "a" ]; then
whiptail --clear --title "Advanced Settings" \ whiptail --clear --title "Advanced Settings" \
--menu "Configure Advanced Settings" 20 90 10 \ --menu "Configure Advanced Settings" 20 90 10 \
'g' ' Generate new TOTP secret' \ 'g' ' Generate new TOTP/HOTP secret' \
'p' ' Reset the TPM' \
's' ' Update checksums and sign all files in /boot' \ 's' ' Update checksums and sign all files in /boot' \
'f' ' Flash/Update the BIOS -->' \ 'f' ' Flash/Update the BIOS -->' \
'p' ' Reset the TPM' \
'n' ' TOTP/HOTP does not match after refresh, troubleshoot' \
'r' ' <-- Return to main menu' \ 'r' ' <-- Return to main menu' \
2>/tmp/whiptail || recovery "GUI menu failed" 2>/tmp/whiptail || recovery "GUI menu failed"
@ -164,14 +201,14 @@ while true; do
fi fi
if [ "$totp_confirm" = "n" ]; then if [ "$totp_confirm" = "n" ]; then
if (whiptail $CONFIG_WARNING_BG_COLOR --title "TOTP code mismatched" \ if (whiptail $CONFIG_WARNING_BG_COLOR --title "TOTP/HOTP code mismatched" \
--yesno "TOTP code mismatches could indicate either TPM tampering or clock drift:\n\nTo correct clock drift: 'date -s HH:MM:SS'\nand save it to the RTC: 'hwclock -w'\nthen reboot and try again.\n\nWould you like to exit to a recovery console?" 30 90) then --yesno "TOTP/HOTP code mismatches could indicate either TPM tampering or clock drift:\n\nTo correct clock drift: 'date -s HH:MM:SS'\nand save it to the RTC: 'hwclock -w'\nthen reboot and try again.\n\nWould you like to exit to a recovery console?" 30 90) then
echo "" echo ""
echo "To correct clock drift: 'date -s HH:MM:SS'" echo "To correct clock drift: 'date -s HH:MM:SS'"
echo "and save it to the RTC: 'hwclock -w'" echo "and save it to the RTC: 'hwclock -w'"
echo "then reboot and try again" echo "then reboot and try again"
echo "" echo ""
recovery "TOTP mismatch" recovery "TOTP/HOTP mismatch"
else else
continue continue
fi fi
@ -183,13 +220,9 @@ while true; do
fi fi
if [ "$totp_confirm" = "g" ]; then if [ "$totp_confirm" = "g" ]; then
if (whiptail --title 'Generate new TOTP secret' \ if (whiptail --title 'Generate new TOTP/HOTP secret' \
--yesno "This will erase your old secret and replace it with a new one!\n\nDo you want to proceed?" 16 90) then --yesno "This will erase your old secret and replace it with a new one!\n\nDo you want to proceed?" 16 90) then
echo "Scan the QR code to add the new TOTP secret" update_totp
/bin/seal-totp
echo "Once you have scanned the QR code, hit Enter to reboot"
read
/bin/reboot
else else
echo "Returning to the main menu" echo "Returning to the main menu"
fi fi
@ -198,20 +231,27 @@ while true; do
if [ "$totp_confirm" = "p" ]; then if [ "$totp_confirm" = "p" ]; then
if (whiptail --title 'Reset the TPM' \ if (whiptail --title 'Reset the TPM' \
--yesno "This will clear the TPM, erase the old TPM password and replace it with a new one!\n\nDo you want to proceed?" 16 90) then --yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 16 90) then
/bin/tpm-reset /bin/tpm-reset
# now that the TPM is reset, remove invalid kexec_rollback.txt file # now that the TPM is reset, remove invalid TPM counter files
mount_boot mount_boot
mount -o rw,remount /boot mount -o rw,remount /boot
rm -f /boot/kexec_rollback.txt rm -f /boot/kexec_rollback.txt
# create Heads TPM counter before any others
check_tpm_counter /boot/kexec_rollback.txt \
|| die "Unable to find/create tpm counter"
counter="$TPM_COUNTER"
increment_tpm_counter $counter \
|| die "Unable to increment tpm counter"
sha256sum /tmp/counter-$counter > /boot/kexec_rollback.txt \
|| die "Unable to create rollback file"
mount -o ro,remount /boot mount -o ro,remount /boot
echo "Scan the QR code to add the new TOTP secret" update_totp
/bin/seal-totp
echo "Once you have scanned the QR code, hit Enter to reboot"
read
/bin/reboot
else else
echo "Returning to the main menu" echo "Returning to the main menu"
fi fi

10
initrd/bin/kexec-seal-key
View File

@ -84,6 +84,14 @@ cat "$KEY_DEVICES" | cut -d\ -f1 | xargs /bin/qubes-measure-luks \
|| die "Unable to measure the LUKS headers" || die "Unable to measure the LUKS headers"
luks_pcr=`tpm calcfuturepcr -ix 16 -if /tmp/luksDump.txt` luks_pcr=`tpm calcfuturepcr -ix 16 -if /tmp/luksDump.txt`
# Librem Key loads USB modules which changes PCR5.
# In the event Librem Key is enabled, skip verification of PCR5
if [ -x /bin/libremkey_hotp_verification ]; then
pcr_5="X"
else
pcr_5="0000000000000000000000000000000000000000"
fi
# Note that PCR 4 needs to be set with the "normal-boot" # Note that PCR 4 needs to be set with the "normal-boot"
# path value, which we do not have right now since we are # path value, which we do not have right now since we are
# in a recovery shell. # in a recovery shell.
@ -104,7 +112,7 @@ tpm sealfile2 \
-ix 2 X \ -ix 2 X \
-ix 3 X \ -ix 3 X \
-ix 4 0000000000000000000000000000000000000000 \ -ix 4 0000000000000000000000000000000000000000 \
-ix 5 0000000000000000000000000000000000000000 \ -ix 5 $pcr_5 \
-ix 6 $luks_pcr \ -ix 6 $luks_pcr \
-ix 7 X \ -ix 7 X \
|| die "Unable to seal secret" || die "Unable to seal secret"

92
initrd/bin/seal-libremkey Executable file
View File

@ -0,0 +1,92 @@
#!/bin/sh
# Retrieve the sealed TOTP secret and initialize a Librem Key with it
. /etc/functions
HOTP_SEALED="/tmp/secret/hotp.sealed"
HOTP_SECRET="/tmp/secret/hotp.key"
HOTP_COUNTER="/boot/kexec_hotp_counter"
mount_boot()
{
# Mount local disk if it is not already mounted
if ! grep -q /boot /proc/mounts ; then
mount -o ro /boot \
|| recovery "Unable to mount /boot"
fi
}
tpm nv_readvalue \
-in 4d47 \
-sz 312 \
-of "$HOTP_SEALED" \
|| die "Unable to retrieve sealed file from TPM NV"
tpm unsealfile \
-hk 40000000 \
-if "$HOTP_SEALED" \
-of "$HOTP_SECRET" \
|| die "Unable to unseal HOTP secret"
rm -f "$HOTP_SEALED"
secret="`cat $HOTP_SECRET`"
rm -f "$HOTP_SECRET"
# Store counter in file instead of TPM for now, as it conflicts with Heads
# config TPM counter as TPM 1.2 can only increment one counter between reboots
# get current value of HOTP counter in TPM, create if absent
mount_boot
#check_tpm_counter $HOTP_COUNTER hotp \
#|| die "Unable to find/create TPM counter"
#counter="$TPM_COUNTER"
#
#counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")')
#if [ "$counter_value" == "" ]; then
# die "Unable to read HOTP counter"
#fi
#counter_value=$(printf "%d" 0x${counter_value})
counter_value=1
enable_usb
if ! libremkey_hotp_verification info ; then
echo "Insert your Librem Key and press Enter to configure it"
read
libremkey_hotp_verification info \
|| die "Unable to find Librem Key"
fi
read -s -p "Enter your Librem Key Admin PIN" admin_pin
echo
libremkey_hotp_initialize $admin_pin $secret $counter_value
if [ $? -ne 0 ]; then
read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again:" admin_pin
libremkey_hotp_initialize $admin_pin $secret $counter_value \
|| die "Setting HOTP secret failed"
fi
secret=""
# Make sure our counter is incremented ahead of the next check
#increment_tpm_counter $counter > /dev/null \
#|| die "Unable to increment tpm counter"
#increment_tpm_counter $counter > /dev/null \
#|| die "Unable to increment tpm counter"
mount -o remount,rw /boot
counter_value=`expr $counter_value + 1`
echo $counter_value > $HOTP_COUNTER \
|| die "Unable to create hotp counter file"
#sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
#|| die "Unable to create hotp counter file"
mount -o remount,ro /boot
echo "Librem Key initialized successfully. Press Enter to continue."
read
exit 0

73
initrd/bin/unseal-hotp Executable file
View File

@ -0,0 +1,73 @@
#!/bin/sh
# Retrieve the sealed file and counter from the NVRAM, unseal it and compute the hotp
. /etc/functions
HOTP_SEALED="/tmp/secret/hotp.sealed"
HOTP_SECRET="/tmp/secret/hotp.key"
HOTP_COUNTER="/boot/kexec_hotp_counter"
mount_boot()
{
# Mount local disk if it is not already mounted
if ! grep -q /boot /proc/mounts ; then
mount -o ro /boot \
|| recovery "Unable to mount /boot"
fi
}
tpm nv_readvalue \
-in 4d47 \
-sz 312 \
-of "$HOTP_SEALED" \
|| die "Unable to retrieve sealed file from TPM NV"
tpm unsealfile \
-hk 40000000 \
-if "$HOTP_SEALED" \
-of "$HOTP_SECRET" \
|| die "Unable to unseal HOTP secret"
rm -f "$HOTP_SEALED"
# Store counter in file instead of TPM for now, as it conflicts with Heads
# config TPM counter as TPM 1.2 can only increment one counter between reboots
# get current value of HOTP counter in TPM, create if absent
mount_boot
#check_tpm_counter $HOTP_COUNTER hotp \
#|| die "Unable to find/create TPM counter"
#counter="$TPM_COUNTER"
#
#counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")')
#
counter_value=$(cat $HOTP_COUNTER)
if [ "$counter_value" == "" ]; then
die "Unable to read HOTP counter"
fi
#counter_value=$(printf "%d" 0x${counter_value})
if ! hotp $counter_value < "$HOTP_SECRET"; then
rm -f "$HOTP_SECRET"
die 'Unable to compute HOTP hash?'
fi
rm -f "$HOTP_SECRET"
#increment_tpm_counter $counter > /dev/null \
#|| die "Unable to increment tpm counter"
mount -o remount,rw /boot
counter_value=`expr $counter_value + 1`
echo $counter_value > $HOTP_COUNTER \
|| die "Unable to create hotp counter file"
#sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
#|| die "Unable to create hotp counter file"
mount -o remount,ro /boot
exit 0

9
initrd/etc/functions
View File

@ -138,18 +138,13 @@ confirm_gpg_card()
check_tpm_counter() check_tpm_counter()
{ {
LABEL=${2:-3135106223}
# if the /boot.hashes file already exists, read the TPM counter ID # if the /boot.hashes file already exists, read the TPM counter ID
# from it. # from it.
if [ -r "$1" ]; then if [ -r "$1" ]; then
TPM_COUNTER=`grep counter- "$1" | cut -d- -f2` TPM_COUNTER=`grep counter- "$1" | cut -d- -f2`
else else
# Initialize label to default if not set warn "$1 does not exist; creating new TPM counter"
if [ "$2" != "" ]; then
LABEL=$2
else
LABEL=3135106223
fi
warn "$BOOT_HASHES does not exist; creating new TPM counter"
read -s -p "TPM Owner password: " tpm_password read -s -p "TPM Owner password: " tpm_password
echo echo
tpm counter_create \ tpm counter_create \

19
modules/libremkey-hotp-verification Normal file
View File

@ -0,0 +1,19 @@
modules-$(CONFIG_LIBREMKEY) += libremkey-hotp-verification
libremkey-hotp-verification_depends := libusb $(musl_dep)
libremkey-hotp-verification_version := git
libremkey-hotp-verification_dir := libremkey-hotp-verification
libremkey-hotp-verification_repo := --recursive https://github.com/Nitrokey/nitrokey-hotp-verification
libremkey-hotp-verification_target := \
$(MAKE_JOBS) \
$(CROSS_TOOLS) \
libremkey-hotp-verification_output := \
libremkey_hotp_verification \
libremkey_hotp_initialize
libremkey-hotp-verification_configure := \
INSTALL="$(INSTALL)" \
cmake -DCMAKE_TOOLCHAIN_FILE=./Toolchain-heads.cmake -DCMAKE_AR="$(CROSS)ar" .

32
patches/libremkey-hotp-verification.patch Normal file
View File

@ -0,0 +1,32 @@
--- nitrokey-hotp-verification-a/Toolchain-heads.cmake 2018-05-22 09:55:46.907209235 -0700
+++ nitrokey-hotp-verification-b/Toolchain-heads.cmake 2018-05-22 09:55:26.659371966 -0700
@@ -0,0 +1,18 @@
+SET(CMAKE_SYSTEM_NAME Linux)
+SET(CMAKE_SYSTEM_VERSION 1)
+
+# Specify the cross compiler
+SET(CMAKE_C_COMPILER $ENV{INSTALL}/bin/musl-gcc)
+SET(CMAKE_CXX_COMPILER $ENV{INSTALL}/bin/musl-gcc)
+
+# Where is the target environment
+SET(CMAKE_FIND_ROOT_PATH $ENV{INSTALL})
+
+# Search for programs only in the build host directories
+SET(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER)
+
+# Search for libraries and headers only in the target directories
+SET(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY)
+SET(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY)
+
+INCLUDE_DIRECTORIES(hidapi)
--- libremkey-hotp-verification/device.c 2018-06-20 16:13:36.417804210 -0700
+++ libremkey-hotp-verification-b/device.c 2018-06-20 16:14:34.532367723 -0700
@@ -34,7 +34,7 @@
const unsigned short m_vid = 0x20a0;
const unsigned short m_pid = 0x4108;
-static const int CONNECTION_ATTEMPTS_COUNT = 80;
+static const int CONNECTION_ATTEMPTS_COUNT = 2;
static const int CONNECTION_ATTEMPT_DELAY_MICRO_SECONDS = 1000*1000/2;