oem-factory-reset/ash_functions/luks-functions: replace provisioning with configuring keywords. Tweak oem-factory-reset flow and questionnaire. Now first prompt is to ask if user wants to go advanced or use defaults.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Thierry Laurion 2023-11-03 14:34:40 -04:00
parent cd3ce6999c
commit 4e10740453
No known key found for this signature in database
GPG Key ID: E7B4A71658E36A93
3 changed files with 25 additions and 18 deletions


@ -831,21 +831,27 @@ report_integrity_measurements
# Determine gpg algorithm to be used, based on available usb-token
usb_security_token_capabilities_check
use_defaults=n
if [ "$CONFIG_OEMRESET_OFFER_DEFAULTS" = y ]; then
# Clear the screen
clear
use_defaults=y
if [ "$CONFIG_OEMRESET_OFFER_DEFAULTS" = y -o "$use_defaults" = y ]; then
echo -e -n "Would you like to use default configuration options?\nIf N, you will be prompted for each option [Y/n]: "
read -n 1 use_defaults
fi
if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
#Give general guidance to user on how to answer prompts
echo -e "\n **** Factory Reset / Re-Ownership Questionnaire ****\n\n"
echo -e "The following questionnaire will help you configure the security components of your system.\n"
echo -e "Each prompt requires a single letter answer: eg. (Y/n).\n"
echo
echo "****************************************************"
echo "**** Factory Reset / Re-Ownership Questionnaire ****"
echo "****************************************************"
echo "The following questionnaire will help you configure the security components of your system."
echo "Each prompt requires a single letter answer: eg. (Y/n)."
echo -e "If you don't know what to answer, pressing Enter will select the default answer for that prompt: eg. Y, above.\n"
# Re-ownership of encrypted disk key, content and passphrase
echo -e -n "\n\nWould you like to change the current LUKS Disk Recovery Key passphrase?\n (Highly recommended if you didn't install the Operating System yourself, so that past provisioned passphrase would not permit to access content.\n Note that without re-encrypting disk, a backed up header could be restored to access encrypted content with old passphrase) [y/N]: "
echo -e -n "\n\nWould you like to change the current LUKS Disk Recovery Key passphrase?\n (Highly recommended if you didn't install the Operating System yourself, so that past configured passphrase would not permit to access content.\n Note that without re-encrypting disk, a backed up header could be restored to access encrypted content with old passphrase) [y/N]: "
read -n 1 prompt_output
echo
if [ "$prompt_output" == "y" \
@ -878,7 +884,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
echo
if [ "$prompt_output" == "n" \
-o "$prompt_output" == "N" ]; then
warn "Subkeys will NOT be copied to USB Security Dongle's smartcard."
warn "Subkeys will NOT be copied to USB Security Dongle's smartcard"
warn "Your GPG key material backup thumb drive should be cloned to a second thumb drive for redundancy for production environements"
GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD=0
else
@ -913,11 +919,12 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
# Inform user of security components affected for the following prompts
echo -e "The following security components will be provisioned with defaults or chosen PINs/passwords:
echo
echo -e "The following Security Components will be configured with defaults or further chosen PINs/passwords:
$CUSTOM_PASS_AFFECTED_COMPONENTS\n"
# Prompt to change default passwords
echo -e -n "Would you like to set a single custom password that will be provisioned to previously stated security components? [y/N]: "
echo -e -n "Would you like to set a single custom password to all previously stated security components? [y/N]: "
read -n 1 prompt_output
echo
if [ "$prompt_output" == "y" \
@ -938,7 +945,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
luks_new_Disk_Recovery_Key_passphrase=${CUSTOM_SINGLE_PASS}
fi
else
echo -e -n "Would you like to set distinct PINs/passwords to be provisioned to previously stated security components? [y/N]: "
echo -e -n "Would you like to set distinct PINs/passwords to configure previously stated security components? [y/N]: "
read -n 1 prompt_output
echo
if [ "$prompt_output" == "y" \
@ -1195,7 +1202,7 @@ fi
if [[ "$CONFIG_BOARD_NAME" == qemu-* ]]; then
warn "Skipping flash of GPG key to ROM because we are running in QEMU without internal flashing support."
warn "Please review boards/qemu*/qemu*.md documentation to extract public key from raw disk and inject at build time"
warn "Also review boards/qemu*/qemu*.config to tweak CONFIG_* options you might want to turn on/off manually at build time"
warn "Also review boards/qemu*/qemu*.config to tweak CONFIG_* options you might need to turn on/off manually at build time"
else
#We are not running in QEMU, so flash the key to ROM
@ -1247,7 +1254,7 @@ fi
# passphrases set to be empty first
passphrases="\n"
# Prepare whiptail output of provisioned secrets
# Prepare whiptail output of configured secrets
if [ -n "$luks_new_Disk_Recovery_Key_passphrase" -o -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
passphrases+="LUKS Disk Recovery Key passphrase: ${luks_new_Disk_Recovery_Key_passphrase}\n"
fi
@ -1268,10 +1275,10 @@ if [ "$GPG_GEN_KEY_IN_MEMORY" == "1" ]; then
passphrases+="GPG key material backup passphrase: ${ADMIN_PIN}\n"
fi
## Show to user current provisioned secrets prior of rebooting
## Show to user current configured secrets prior of rebooting
whiptail --msgbox "
$passphrases" \
$HEIGHT $WIDTH --title "Provisioned secrets"
$HEIGHT $WIDTH --title "Configured secrets"
## all done -- reboot
whiptail --msgbox "
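Review bot: In the first hunk (@ -831) the new `use_defaults=y` is assigned unconditionally right before `if [ "$CONFIG_OEMRESET_OFFER_DEFAULTS" = y -o "$use_defaults" = y ]`, so the second operand is always true and `CONFIG_OEMRESET_OFFER_DEFAULTS` no longer gates the prompt. If the intent is that the board config still decides whether defaults are offered, the test should go back to `if [ "$CONFIG_OEMRESET_OFFER_DEFAULTS" = y ]; then` with `use_defaults=y` kept as the fallback when the prompt is skipped; if the prompt is now meant to be unconditional, as the commit message suggests, the `if` should be dropped and the config option retired rather than left as a no-op. Note that `read -n 1 use_defaults` leaves the variable empty when the user just presses Enter, which falls through to the defaults branch and so matches the advertised `[Y/n]` default. The enclosing flow of this top-level script continues outside the hunk.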


@ -94,7 +94,7 @@ confirm_gpg_card() {
#Wipe any previous CR_NONCE and CR_SIG
shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" >/dev/null 2>&1 || true
#Prompt user for provisioned GPG Admin PIN that will be passed along to mount-usb and to import gpg subkeys
#Prompt user for configured GPG Admin PIN that will be passed along to mount-usb and to import gpg subkeys
echo
#TODO: change all passphrase prompts in codebase to include -r to prevent backslash escapes
read -r -s -p "Please enter GPG Admin PIN needed to use the GPG backup thumb drive: " gpg_admin_pin


@ -253,7 +253,7 @@ test_luks_current_disk_recovery_key_passphrase()
select_luks_container || return 1
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
#if no external provisioning provides current Disk Recovery Key passphrase
echo -e "\nEnter current Disk Recovery Key passphrase (Provisioned at OS installation or by OEM):"
echo -e "\nEnter current Disk Recovery Key passphrase (Configured at OS installation or by OEM):"
read -r luks_current_Disk_Recovery_Key_passphrase
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Test opening "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..."
@ -296,7 +296,7 @@ luks_reencrypt() {
#if no external provisioning provides current Disk Recovery Key passphrase
whiptail --title 'Reencrypt LUKS disk encrypted container ?' \
--msgbox "This will replace the encrypted container content and its Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user in the\nfollowing conditions:\n 1-Every boot if no Disk unlock key was added to the TPM\n 2-If the TPM fails (Hardware failure)\n 3-If the firmware has been tampered with/upgraded/modified by the user\n\nThis process requires you to type the current Disk Recovery Key passphrase\nand will delete TPM Disk unlock key slot if set up by setting a default boot\n LUKS header (slot 1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to\nthe LUKS device container.\n\nHit Enter to continue." 0 80
echo -e "\nEnter current Disk Recovery Key passphrase (Provisioned at OS installation or by OEM):"
echo -e "\nEnter current Disk Recovery Key passphrase (Configured at OS installation or by OEM):"
read -r luks_current_Disk_Recovery_Key_passphrase
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Reencrypting "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..."
@ -345,7 +345,7 @@ luks_change_passphrase()
};done
fi
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
echo -e "\nEnter current Disk Recovery Key passphrase (Provisioned at OS installation or by OEM):"
echo -e "\nEnter current Disk Recovery Key passphrase (Configured at OS installation or by OEM):"
read -r luks_current_Disk_Recovery_Key_passphrase
fi
export luks_current_Disk_Recovery_Key_passphrase
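Review bot: Each of the three reworded prompts in this file (test_luks_current_disk_recovery_key_passphrase, luks_reencrypt and luks_change_passphrase) is immediately followed by `read -r luks_current_Disk_Recovery_Key_passphrase`, which echoes the typed Disk Recovery Key passphrase to the console, whereas the ash_functions hunk in this same commit reads the GPG Admin PIN with `read -r -s -p`. Unless echoing is deliberate, the prompt wording change is a good moment to make the three reads consistent: `read -r -s luks_current_Disk_Recovery_Key_passphrase` followed by `echo` to restore the newline that `-s` suppresses. The bodies of luks_reencrypt and luks_change_passphrase begin outside their hunks, so any earlier reads of the same variable there are not visible here.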