From 4e10740453c06c43dce8ec765a354c3ac0c876ed Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Fri, 3 Nov 2023 14:34:40 -0400
Subject: [PATCH] oem-factory-reset/ash_functions/luks-functions: replace provisioning with configuring keywords. Tweak oem-factory-reset flow and questionnaire. Now first prompt is to ask if user wants to go advanced or use defaults.
Signed-off-by: Thierry Laurion
---
 initrd/bin/oem-factory-reset | 35 +++++++++++++++++++++--------------
 initrd/etc/ash_functions | 2 +-
 initrd/etc/luks-functions | 6 +++---
 3 files changed, 25 insertions(+), 18 deletions(-)
diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset
index 44642b2d..a12eec73 100755
--- a/initrd/bin/oem-factory-reset
+++ b/initrd/bin/oem-factory-reset
@@ -831,21 +831,27 @@ report_integrity_measurements
 # Determine gpg algorithm to be used, based on available usb-token
 usb_security_token_capabilities_check
-use_defaults=n
-if [ "$CONFIG_OEMRESET_OFFER_DEFAULTS" = y ]; then
+# Clear the screen
+clear
+
+use_defaults=y
+if [ "$CONFIG_OEMRESET_OFFER_DEFAULTS" = y -o "$use_defaults" = y ]; then
 echo -e -n "Would you like to use default configuration options?\nIf N, you will be prompted for each option [Y/n]: "
 read -n 1 use_defaults
 fi
 if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
 #Give general guidance to user on how to answer prompts
- echo -e "\n **** Factory Reset / Re-Ownership Questionnaire ****\n\n"
- echo -e "The following questionnaire will help you configure the security components of your system.\n"
- echo -e "Each prompt requires a single letter answer: eg. (Y/n).\n"
+ echo
+ echo "****************************************************"
+ echo "**** Factory Reset / Re-Ownership Questionnaire ****"
+ echo "****************************************************"
+ echo "The following questionnaire will help you configure the security components of your system."
+ echo "Each prompt requires a single letter answer: eg. (Y/n)."
 echo -e "If you don't know what to answer, pressing Enter will select the default answer for that prompt: eg. 
Y, above.\n"
 # Re-ownership of encrypted disk key, content and passphrase
- echo -e -n "\n\nWould you like to change the current LUKS Disk Recovery Key passphrase?\n (Highly recommended if you didn't install the Operating System yourself, so that past provisioned passphrase would not permit to access content.\n Note that without re-encrypting disk, a backed up header could be restored to access encrypted content with old passphrase) [y/N]: "
+ echo -e -n "\n\nWould you like to change the current LUKS Disk Recovery Key passphrase?\n (Highly recommended if you didn't install the Operating System yourself, so that past configured passphrase would not permit to access content.\n Note that without re-encrypting disk, a backed up header could be restored to access encrypted content with old passphrase) [y/N]: "
 read -n 1 prompt_output
 echo
 if [ "$prompt_output" == "y" \
@@ -878,7 +884,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
 echo
 if [ "$prompt_output" == "n" \
 -o "$prompt_output" == "N" ]; then
- warn "Subkeys will NOT be copied to USB Security Dongle's smartcard."
+ warn "Subkeys will NOT be copied to USB Security Dongle's smartcard"
 warn "Your GPG key material backup thumb drive should be cloned to a second thumb drive for redundancy for production environements"
 GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD=0
 else
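Review bot: The `-o "$use_defaults" = y` added to the condition is always true because `use_defaults=y` is assigned on the line just before it, so `CONFIG_OEMRESET_OFFER_DEFAULTS` no longer gates anything and the "use default configuration options?" prompt is unconditional. If that is the intent, as the subject line suggests, drop the `if`/`fi` around the `echo -e -n ...` and `read -n 1 use_defaults` lines, or leave a comment such as `# Always offered; CONFIG_OEMRESET_OFFER_DEFAULTS is no longer consulted here` so the dead option is not mistaken for a working one. The new `clear` runs right after `report_integrity_measurements` and `usb_security_token_capabilities_check`; whatever those print to the console (presumably the integrity report the user is meant to read) is wiped before the prompt appears, so consider moving the `clear` ahead of those calls or dropping it. The `if [ "$use_defaults" == "n" ... ]` block continues past the hunk.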
@@ -913,11 +919,12 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
 # Inform user of security components affected for the following prompts
- echo -e "The following security components will be provisioned with defaults or chosen PINs/passwords:
+ echo
+ echo -e "The following Security Components will be configured with defaults or further chosen PINs/passwords:
 $CUSTOM_PASS_AFFECTED_COMPONENTS\n"
 # Prompt to change default passwords
- echo -e -n "Would you like to set a single custom password that will be provisioned to previously stated security components? [y/N]: "
+ echo -e -n "Would you like to set a single custom password to all previously stated security components? [y/N]: "
 read -n 1 prompt_output
 echo
 if [ "$prompt_output" == "y" \
@@ -938,7 +945,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
 luks_new_Disk_Recovery_Key_passphrase=${CUSTOM_SINGLE_PASS}
 fi
 else
- echo -e -n "Would you like to set distinct PINs/passwords to be provisioned to previously stated security components? [y/N]: "
+ echo -e -n "Would you like to set distinct PINs/passwords to configure previously stated security components? [y/N]: "
 read -n 1 prompt_output
 echo
 if [ "$prompt_output" == "y" \
@@ -1195,7 +1202,7 @@ fi
 if [[ "$CONFIG_BOARD_NAME" == qemu-* ]]; then
 warn "Skipping flash of GPG key to ROM because we are running in QEMU without internal flashing support."
 warn "Please review boards/qemu*/qemu*.md documentation to extract public key from raw disk and inject at build time"
- warn "Also review boards/qemu*/qemu*.config to tweak CONFIG_* options you might want to turn on/off manually at build time"
+ warn "Also review boards/qemu*/qemu*.config to tweak CONFIG_* options you might need to turn on/off manually at build time"
 else
 #We are not running in QEMU, so flash the key to ROM
@@ -1247,7 +1254,7 @@ fi
 # passphrases set to be empty first
 passphrases="\n"
-# Prepare whiptail output of provisioned secrets
+# Prepare whiptail output of configured secrets
 if [ -n "$luks_new_Disk_Recovery_Key_passphrase" -o -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
 passphrases+="LUKS Disk Recovery Key passphrase: ${luks_new_Disk_Recovery_Key_passphrase}\n"
 fi
@@ -1268,10 +1275,10 @@ if [ "$GPG_GEN_KEY_IN_MEMORY" == "1" ]; then
 passphrases+="GPG key material backup passphrase: ${ADMIN_PIN}\n"
 fi
-## Show to user current provisioned secrets prior of rebooting
+## Show to user current configured secrets prior of rebooting
 whiptail --msgbox " $passphrases" \
- $HEIGHT $WIDTH --title "Provisioned secrets"
+ $HEIGHT $WIDTH --title "Configured secrets"
 ## all done -- reboot
 whiptail --msgbox "
diff --git a/initrd/etc/ash_functions b/initrd/etc/ash_functions
index 4d247360..836e75ce 100644
--- a/initrd/etc/ash_functions
+++ b/initrd/etc/ash_functions
@@ -94,7 +94,7 @@ confirm_gpg_card() {
 #Wipe any previous CR_NONCE and CR_SIG
 shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" >/dev/null 2>&1 || true
- #Prompt user for provisioned GPG Admin PIN that will be passed along to mount-usb and to import gpg subkeys
+ #Prompt user for configured GPG Admin PIN that will be passed along to mount-usb and to import gpg subkeys
 echo
 #TODO: change all passphrase prompts in codebase to include -r to prevent backslash escapes
 read -r -s -p "Please enter GPG Admin PIN needed to use the GPG backup thumb drive: " gpg_admin_pin
diff --git a/initrd/etc/luks-functions b/initrd/etc/luks-functions
index 9f2943a4..ca75a36b 100644
--- a/initrd/etc/luks-functions
+++ b/initrd/etc/luks-functions
@@ -253,7 +253,7 @@ test_luks_current_disk_recovery_key_passphrase()
 select_luks_container || return 1
 if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
 #if no external provisioning provides current Disk Recovery Key passphrase
- echo -e "\nEnter current Disk Recovery Key passphrase (Provisioned at OS installation or by OEM):"
+ echo -e "\nEnter current Disk Recovery Key passphrase (Configured at OS installation or by OEM):"
 read -r luks_current_Disk_Recovery_Key_passphrase
 echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
 warn "Test opening "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..."
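Review bot: The reworded prompt on the `+` line is immediately followed by `read -r luks_current_Disk_Recovery_Key_passphrase` without `-s`, so the Disk Recovery Key passphrase is echoed to the console as it is typed, while the ash_functions hunk in this same commit reads the GPG Admin PIN with `read -r -s -p`. Since these prompt lines are being touched anyway, the consistent change is `read -r -s luks_current_Disk_Recovery_Key_passphrase` followed by an `echo` to restore the newline the terminal no longer prints. The same unmasked read sits under the identical prompt in the `luks_reencrypt` and `luks_change_passphrase` hunks below, so the fix applies there too. The next context line also writes the passphrase to `/tmp/luks_current_Disk_Recovery_Key_passphrase`; that is pre-existing, but a comment stating when that file is removed would help anyone auditing where this secret lives. The enclosing function `test_luks_current_disk_recovery_key_passphrase` starts and ends outside the hunk.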
@@ -296,7 +296,7 @@ luks_reencrypt() {
 #if no external provisioning provides current Disk Recovery Key passphrase
 whiptail --title 'Reencrypt LUKS disk encrypted container ?' \
 --msgbox "This will replace the encrypted container content and its Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user in the\nfollowing conditions:\n 1-Every boot if no Disk unlock key was added to the TPM\n 2-If the TPM fails (Hardware failure)\n 3-If the firmware has been tampered with/upgraded/modified by the user\n\nThis process requires you to type the current Disk Recovery Key passphrase\nand will delete TPM Disk unlock key slot if set up by setting a default boot\n LUKS header (slot 1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to\nthe LUKS device container.\n\nHit Enter to continue." 0 80
- echo -e "\nEnter current Disk Recovery Key passphrase (Provisioned at OS installation or by OEM):"
+ echo -e "\nEnter current Disk Recovery Key passphrase (Configured at OS installation or by OEM):"
 read -r luks_current_Disk_Recovery_Key_passphrase
 echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
 warn "Reencrypting "$LUKS" LUKS encrypted drive content with current Recovery Disk Key passphrase..."
@@ -345,7 +345,7 @@ luks_change_passphrase()
 };done
 fi
 if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
- echo -e "\nEnter current Disk Recovery Key passphrase (Provisioned at OS installation or by OEM):"
+ echo -e "\nEnter current Disk Recovery Key passphrase (Configured at OS installation or by OEM):"
 read -r luks_current_Disk_Recovery_Key_passphrase
 fi
 export luks_current_Disk_Recovery_Key_passphrase