Merge pull request #761 from Nitrokey/hotp-neutral

Fix branding issue with HOTP USB Security Dongles

.gitlab-ci.yml

@@ -8,13 +8,13 @@ stages:
 
 build:
   stage: build
-  retry: 2
+  retry: 1
   cache:
     paths:
       - packages
       - crossgcc
       - build
-    key: "heads-$GITLAB_USER_LOGIN"
+    key: "heads-$GITLAB_USER_LOGIN-2"
   script:
     - dnf install -y @development-tools gcc-c++ gcc-gnat zlib-devel perl-Digest-MD5 perl-Digest-SHA uuid-devel pcsc-tools ncurses-devel lbzip2 libuuid-devel lzma elfutils-libelf-devel bc bzip2 bison flex git gnupg iasl m4 nasm patch python wget libusb-devel cmake automake pv bsdiff autoconf libtool cpio texinfo
     - git fetch origin 
@@ -75,6 +75,8 @@ build:
     - cat ./build/qemu-coreboot/hashes.txt
     - echo "Archiving qemu-coreboot logs..."
     - tar zcvf ./build/qemu-coreboot/logs.tar.gz ./build/log/*
+    - echo "Calculate used space for cache"
+    - du -shc packages crossgcc build
   artifacts:
     paths:
       - ./build/qemu-coreboot

Makefile

@@ -428,7 +428,7 @@ bin_modules-$(CONFIG_FLASHTOOLS) += flashtools
 bin_modules-$(CONFIG_NEWT) += newt
 bin_modules-$(CONFIG_CAIRO) += cairo
 bin_modules-$(CONFIG_FBWHIPTAIL) += fbwhiptail
-bin_modules-$(CONFIG_LIBREMKEY) += libremkey-hotp-verification
+bin_modules-$(CONFIG_HOTPKEY) += hotp-verification
 bin_modules-$(CONFIG_MSRTOOLS) += msrtools
 
 $(foreach m, $(bin_modules-y), \

boards/librem13v2/librem13v2.config

@@ -22,7 +22,7 @@ CONFIG_TPMTOTP=y
 #CONFIG_NEWT=y
 CONFIG_CAIRO=y
 CONFIG_FBWHIPTAIL=y
-CONFIG_LIBREMKEY=y
+CONFIG_HOTPKEY=y
 
 CONFIG_LINUX_USB=y
 

boards/librem13v4/librem13v4.config

@@ -22,7 +22,7 @@ CONFIG_TPMTOTP=y
 #CONFIG_NEWT=y
 CONFIG_CAIRO=y
 CONFIG_FBWHIPTAIL=y
-CONFIG_LIBREMKEY=y
+CONFIG_HOTPKEY=y
 
 CONFIG_LINUX_USB=y
 

boards/librem15v3/librem15v3.config

@@ -24,7 +24,7 @@ CONFIG_TPMTOTP=y
 #CONFIG_NEWT=y
 CONFIG_CAIRO=y
 CONFIG_FBWHIPTAIL=y
-CONFIG_LIBREMKEY=y
+CONFIG_HOTPKEY=y
 
 CONFIG_LINUX_USB=y
 

boards/librem15v4/librem15v4.config

@@ -24,7 +24,7 @@ CONFIG_TPMTOTP=y
 #CONFIG_NEWT=y
 CONFIG_CAIRO=y
 CONFIG_FBWHIPTAIL=y
-CONFIG_LIBREMKEY=y
+CONFIG_HOTPKEY=y
 
 CONFIG_LINUX_USB=y
 

boards/x230-hotp-verification/x230-hotp-verification.config

@@ -24,7 +24,7 @@ CONFIG_DROPBEAR=y
 #CONFIG_NEWT=y
 CONFIG_CAIRO=y
 CONFIG_FBWHIPTAIL=y
-CONFIG_LIBREMKEY=y
+CONFIG_HOTPKEY=y
 
 CONFIG_LINUX_USB=y
 CONFIG_LINUX_E1000E=y

initrd/bin/gui-init

@@ -92,10 +92,10 @@ update_totp()
 {
   echo "Scan the QR code to add the new TOTP secret"
   /bin/seal-totp
-  if [ -x /bin/libremkey_hotp_verification ]; then
-    echo "Once you have scanned the QR code, hit Enter to configure your Librem Key"
+  if [ -x /bin/hotp_verification ]; then
+    echo "Once you have scanned the QR code, hit Enter to configure your HOTP USB Security Dongle (e.g. Librem Key or Nitrokey)"
     read
-    /bin/seal-libremkey
+    /bin/seal-hotpkey
   else
     echo "Once you have scanned the QR code, hit Enter to continue"
     read
@@ -118,7 +118,7 @@ clean_boot_check()
   [ $GPG_KEY_COUNT -ne 0 ] && return
 
    # check for USB security token
-  if [ "$CONFIG_LIBREMKEY" = "y" ]; then
+  if [ "$CONFIG_HOTPKEY" = "y" ]; then
     enable_usb
     if ! gpg --card-status > /dev/null ; then
       return
@@ -140,6 +140,13 @@ else
   mount_boot
 fi
 
+# Use stored HOTP key branding
+if [ -r /boot/kexec_hotp_key ]; then
+	HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)"
+else
+	HOTPKEY_BRANDING="HOTP USB Security Dongle"
+fi
+
 last_half=X
 while true; do
   MAIN_MENU_OPTIONS=""
@@ -188,14 +195,16 @@ while true; do
   fi
 
   if [ "$totp_confirm" = "i" -o -z "$totp_confirm" ]; then 
-    if [ -x /bin/libremkey_hotp_verification ]; then
+    if [ -x /bin/hotp_verification ]; then
       HOTP=`unseal-hotp`
       enable_usb
-      if ! libremkey_hotp_verification info ; then
-        whiptail $CONFIG_WARNING_BG_COLOR --clear --title 'WARNING: Please Insert Your Librem Key' --msgbox "Your Librem Key was not detected.\n\nPlease insert your Librem Key" 30 90
+      if ! hotp_verification info ; then
+        whiptail $CONFIG_WARNING_BG_COLOR --clear \
+	--title "WARNING: Please Insert Your $HOTPKEY_BRANDING" \
+	--msgbox "Your $HOTPKEY_BRANDING was not detected.\n\nPlease insert your $HOTPKEY_BRANDING" 30 90
         fi
       # Don't output HOTP codes to screen, so as to make replay attacks harder
-      libremkey_hotp_verification check $HOTP
+      hotp_verification check $HOTP
       case "$?" in
         0 )
           HOTP="Success"
@@ -205,7 +214,7 @@ while true; do
           MAIN_MENU_BG_COLOR=$CONFIG_ERROR_BG_COLOR
         ;;
         * )
-          HOTP="Error checking code, Insert Librem Key and retry"
+          HOTP="Error checking code, Insert $HOTPKEY_BRANDING and retry"
           MAIN_MENU_BG_COLOR=$CONFIG_WARNING_BG_COLOR
         ;;
       esac

initrd/bin/kexec-seal-key

@@ -84,9 +84,9 @@ cat "$KEY_DEVICES" | cut -d\  -f1 | xargs /bin/qubes-measure-luks \
 	|| die "Unable to measure the LUKS headers"
 luks_pcr=`tpm calcfuturepcr -ix 16 -if /tmp/luksDump.txt`
 
-# Librem Key loads USB modules which changes PCR5.
-# In the event Librem Key is enabled, skip verification of PCR5
-if [ -x /bin/libremkey_hotp_verification ]; then
+# HOTP USB Secrity Dongle loads USB modules which changes PCR5.
+# In the event HOTP USB Security Dongle is enabled, skip verification of PCR5
+if [ -x /bin/hotp_verification ]; then
   pcr_5="X"
 else
   pcr_5="0000000000000000000000000000000000000000"

initrd/bin/seal-hotpkey

@@ -1,11 +1,12 @@
 #!/bin/sh
-# Retrieve the sealed TOTP secret and initialize a Librem Key with it
+# Retrieve the sealed TOTP secret and initialize a USB Security dongle with it
 
 . /etc/functions
 
 HOTP_SEALED="/tmp/secret/hotp.sealed"
 HOTP_SECRET="/tmp/secret/hotp.key"
 HOTP_COUNTER="/boot/kexec_hotp_counter"
+HOTP_KEY="/boot/kexec_hotp_key"
 
 mount_boot()
 {
@@ -16,6 +17,13 @@ mount_boot()
   fi
 }
 
+# Use stored HOTP key branding (this might be useful after OEM reset)
+if [ -r /boot/kexec_hotp_key ]; then
+	HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)"
+else
+	HOTPKEY_BRANDING="HOTP USB Security Dongle"
+fi
+
 tpm nv_readvalue \
 	-in 4d47 \
 	-sz 312 \
@@ -49,26 +57,35 @@ mount_boot
 counter_value=1
 
 enable_usb
-if ! libremkey_hotp_verification info ; then
-  echo "Insert your Librem Key and press Enter to configure it"
+if ! hotp_verification info ; then
+  echo "Insert your $HOTPKEY_BRANDING and press Enter to configure it"
   read
-  if ! libremkey_hotp_verification info ; then
+  if ! hotp_verification info ; then
     # don't leak key on failure
     shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
-    die "Unable to find Librem Key"
+    die "Unable to find $HOTPKEY_BRANDING"
   fi
 fi
 
+# Set HOTP USB Security Dongle branding based on VID
+if [ ! $(lsusb | grep -q "20a0:") ]; then
+	HOTPKEY_BRANDING="Nitrokey"
+elif [ ! $(lsusb | grep -q "316d:") ]; then
+	HOTPKEY_BRANDING="Librem Key"
+else
+	HOTPKEY_BRANDING="HOTP USB Security Dongle"
+fi
+
 echo -e ""
-read -s -p "Enter your Librem Key Admin PIN: " admin_pin
+read -s -p "Enter your $HOTPKEY_BRANDING Admin PIN: " admin_pin
 echo -e "\n"
 
-libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value 
+hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING"
 if [ $? -ne 0 ]; then
   echo -e "\n"
   read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again: " admin_pin
   echo -e "\n"
-  if ! libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value ; then
+  if ! hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" ; then
     # don't leak key on failure
     shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
     die "Setting HOTP secret failed"
@@ -90,11 +107,15 @@ counter_value=`expr $counter_value + 1`
 echo $counter_value > $HOTP_COUNTER \
 || die "Unable to create hotp counter file"
 
+# Store/overwrite HOTP USB Security Dongle branding found out beforehand
+echo $HOTPKEY_BRANDING > $HOTP_KEY \
+|| die "Unable to store hotp key file"
+
 #sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
 #|| die "Unable to create hotp counter file"
 mount -o remount,ro /boot
 
-echo -e "\nLibrem Key initialized successfully. Press Enter to continue."
+echo -e "\n$HOTPKEY_BRANDING initialized successfully. Press Enter to continue."
 read
 
 exit 0

modules/hidapi

@@ -1,2 +1,2 @@
 # empty placeholder file
-# This submodule is defined in modules/libremkey-hotp-verification
+# This submodule is defined in modules/hotp-verification

modules/hotp-verification

@@ -0,0 +1,37 @@
+modules-$(CONFIG_HOTPKEY) += hotp-verification
+
+hotp-verification_depends := libusb $(musl_dep)
+
+hotp-verification_version := 5fb260e631b237a298b6dcca47bbd728f2c5ac3a
+hotp-verification_dir := hotp-verification-$(hotp-verification_version)
+hotp-verification_tar := nitrokey-hotp-verification-$(hotp-verification_version).tar.gz
+hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(hotp-verification_version).tar.gz
+hotp-verification_hash := 5d98d158ba97fb970061d68e2c6f41582395e687b7752efb1a8038762b0e7b79
+
+hotp-verification_target := \
+	$(MAKE_JOBS) \
+	$(CROSS_TOOLS) \
+
+hotp-verification_output := \
+	hotp_verification \
+	hotp_initialize
+
+hotp-verification_configure := \
+  INSTALL="$(INSTALL)" \
+  CROSS="$(CROSS)" \
+  $(CROSS_TOOLS) $(MAKE) LDFLAGS="$(INSTALL)/lib/libusb-1.0.so" GITVERSION="" LIBUSB_FLAGS="-I/usr/include/libusb-1.0" PKGCONFIG="" && $(MAKE) install INSTALL="$(INSTALL)"
+
+hotp-verification_depends  += hidapi
+modules-y += hidapi
+
+hidapi_version := e5ae0d30a523c565595bdfba3d5f2e9e1faf0bd0
+hidapi_dir := hotp-verification-$(hotp-verification_version)/hidapi
+hidapi_tar := hidapi-$(hidapi_version).tar.xz
+hidapi_url := https://github.com/Nitrokey/hidapi/archive/$(hidapi_version).tar.gz
+hidapi_hash := acc2a5089a8917085c2b3ebe9446065a21c760ba7e13cb54917043c4122188e0
+
+
+## hidapi will be built as part of hotp-verification
+## so nothing to do here (but need make to be happy)
+hidapi_output := .built
+hidapi_configure := echo -e 'all:\n\ttouch .built' > Makefile

modules/libremkey-hotp-verification

@@ -1,37 +0,0 @@
-modules-$(CONFIG_LIBREMKEY) += libremkey-hotp-verification
-
-libremkey-hotp-verification_depends := libusb $(musl_dep)
-
-libremkey-hotp-verification_version := 809953b9b4bef97a4cffaa20d675bd7fe9d8da53
-libremkey-hotp-verification_dir := libremkey-hotp-verification-$(libremkey-hotp-verification_version)
-libremkey-hotp-verification_tar := nitrokey-hotp-verification-$(libremkey-hotp-verification_version).tar.gz
-libremkey-hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(libremkey-hotp-verification_version).tar.gz
-libremkey-hotp-verification_hash := 251e5cef74e4e45eeddc49e4a1da1e22d1de774cd32cb0451a9030579ae958ba
-
-libremkey-hotp-verification_target := \
-	$(MAKE_JOBS) \
-	$(CROSS_TOOLS) \
-
-libremkey-hotp-verification_output := \
-	libremkey_hotp_verification \
-	libremkey_hotp_initialize
-
-libremkey-hotp-verification_configure := \
-  INSTALL="$(INSTALL)" \
-  CROSS="$(CROSS)" \
-  $(CROSS_TOOLS) $(MAKE) LDFLAGS="$(INSTALL)/lib/libusb-1.0.so" && $(MAKE) install INSTALL="$(INSTALL)"
-
-libremkey-hotp-verification_depends  += hidapi
-modules-y += hidapi
-
-hidapi_version := e5ae0d30a523c565595bdfba3d5f2e9e1faf0bd0
-hidapi_dir := libremkey-hotp-verification-$(libremkey-hotp-verification_version)/hidapi
-hidapi_tar := hidapi-$(hidapi_version).tar.xz
-hidapi_url := https://github.com/Nitrokey/hidapi/archive/$(hidapi_version).tar.gz
-hidapi_hash := acc2a5089a8917085c2b3ebe9446065a21c760ba7e13cb54917043c4122188e0
-
-
-## hidapi will be built as part of libremkey-hotp-verification
-## so nothing to do here (but need make to be happy)
-hidapi_output := .built
-hidapi_configure := echo -e 'all:\n\ttouch .built' > Makefile

patches/libremkey-hotp-verification-e5fa36a7a1950226d0ef94e2eeed0ffb510eba89.patch

@@ -1,73 +0,0 @@
---- nitrokey-hotp-verification-a/Toolchain-heads.cmake	2018-05-22 09:55:46.907209235 -0700
-+++ nitrokey-hotp-verification-b/Toolchain-heads.cmake	2018-05-22 09:55:26.659371966 -0700
-@@ -0,0 +1,27 @@
-+SET(CMAKE_SYSTEM_NAME Linux)
-+SET(CMAKE_SYSTEM_VERSION 1)
-+
-+# Specify the cross compiler
-+SET(CMAKE_C_COMPILER $ENV{CROSS}gcc)
-+SET(CMAKE_CXX_COMPILER $ENV{CROSS}gcc)
-+
-+#sysroot location
-+set(MYSYSROOT $ENV{INSTALL})
-+
-+# compiler/linker flags
-+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE)
-+set(CMAKE_C_LINK_FLAGS "${CMAKE_C_LINK_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE)
-+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE)
-+set(CMAKE_CXX_LINK_FLAGS "${CMAKE_CXX_LINK_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE)
-+
-+# Where is the target environment
-+SET(CMAKE_FIND_ROOT_PATH "${MYSYSROOT}")
-+
-+# Search for programs only in the build host directories
-+SET(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER)
-+
-+# Search for libraries and headers only in the target directories
-+SET(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY)
-+SET(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY)
-+
-+INCLUDE_DIRECTORIES(hidapi)
---- libremkey-hotp-verification/device.c	2018-06-20 16:13:36.417804210 -0700
-+++ libremkey-hotp-verification-b/device.c	2018-06-20 16:14:34.532367723 -0700
-@@ -34,7 +34,7 @@
- const unsigned short m_vid = 0x20a0;
- const unsigned short m_pid = 0x4108;
- 
--static const int CONNECTION_ATTEMPTS_COUNT = 80;
-+static const int CONNECTION_ATTEMPTS_COUNT = 2;
- 
- static const int CONNECTION_ATTEMPT_DELAY_MICRO_SECONDS = 1000*1000/2;
-
---- libremkey-hotp-verification/libremkey_hotp_initialize
-+++ libremkey-hotp-verification-b/libremkey_hotp_initialize
-@@ -14,9 +14,9 @@ fi
- PIN=$1
- SECRET=$2
- COUNTER=$3
--SECRET_B32=$(echo -n $SECRET | base32)
-+SECRET_B32=$(cat $SECRET | base32)
- 
--libremkey_hotp_verification set $SECRET_B32 $PIN 
-+libremkey_hotp_verification set $SECRET_B32 "$PIN"
- if [ $? -ne 0 ]; then
-   echo "ERROR: Setting HOTP secret on Librem Key failed!"
-   exit 1
-@@ -25,7 +25,7 @@ fi
- i=9
- while [ "$i" -lt "$COUNTER" ]; do
-   echo "Updating counter to $i"
--  HOTP_CODE=$(echo $SECRET | hotp $i)
-+  HOTP_CODE=$(hotp $i < $SECRET)
-   libremkey_hotp_verification check $HOTP_CODE > /dev/null
-   if [ $? -ne 0 ]; then
-     echo "HOTP check failed for counter=$i, code=$HOTP_CODE"
-@@ -34,7 +34,7 @@ while [ "$i" -lt "$COUNTER" ]; do
-   let "i += 10"
- done
- 
--HOTP_CODE=$(echo $SECRET | hotp $COUNTER)
-+HOTP_CODE=$(hotp $COUNTER < $SECRET)
- libremkey_hotp_verification check $HOTP_CODE > /dev/null
- if [ $? -ne 0 ]; then
-   echo "HOTP check failed for counter=$COUNTER, code=$HOTP_CODE"