From 0e349c565e871fe49cd9b94799af82566f13e79c Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Tue, 9 Jun 2020 18:42:55 +0200 Subject: [PATCH 01/18] Update hotp-verification --- modules/libremkey-hotp-verification | 4 +- ...36a7a1950226d0ef94e2eeed0ffb510eba89.patch | 73 ------------------- 2 files changed, 2 insertions(+), 75 deletions(-) delete mode 100644 patches/libremkey-hotp-verification-e5fa36a7a1950226d0ef94e2eeed0ffb510eba89.patch diff --git a/modules/libremkey-hotp-verification b/modules/libremkey-hotp-verification index 5ebb713b..c01c07cd 100644 --- a/modules/libremkey-hotp-verification +++ b/modules/libremkey-hotp-verification @@ -2,11 +2,11 @@ modules-$(CONFIG_LIBREMKEY) += libremkey-hotp-verification libremkey-hotp-verification_depends := libusb $(musl_dep) -libremkey-hotp-verification_version := 809953b9b4bef97a4cffaa20d675bd7fe9d8da53 +libremkey-hotp-verification_version := 1cf1e1f3601b79692b81d409597136b8ff7c723a libremkey-hotp-verification_dir := libremkey-hotp-verification-$(libremkey-hotp-verification_version) libremkey-hotp-verification_tar := nitrokey-hotp-verification-$(libremkey-hotp-verification_version).tar.gz libremkey-hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(libremkey-hotp-verification_version).tar.gz -libremkey-hotp-verification_hash := 251e5cef74e4e45eeddc49e4a1da1e22d1de774cd32cb0451a9030579ae958ba +libremkey-hotp-verification_hash := 21152cfb272f8edeff1220065940d5d6dfc12dbb2a48b84e64b24f8fc89c2567 libremkey-hotp-verification_target := \ $(MAKE_JOBS) \ diff --git a/patches/libremkey-hotp-verification-e5fa36a7a1950226d0ef94e2eeed0ffb510eba89.patch b/patches/libremkey-hotp-verification-e5fa36a7a1950226d0ef94e2eeed0ffb510eba89.patch deleted file mode 100644 index 5f058f22..00000000 --- a/patches/libremkey-hotp-verification-e5fa36a7a1950226d0ef94e2eeed0ffb510eba89.patch +++ /dev/null 
@@ -1,73 +0,0 @@ ---- nitrokey-hotp-verification-a/Toolchain-heads.cmake 2018-05-22 09:55:46.907209235 -0700 -+++ nitrokey-hotp-verification-b/Toolchain-heads.cmake 2018-05-22 09:55:26.659371966 -0700 -@@ -0,0 +1,27 @@ -+SET(CMAKE_SYSTEM_NAME Linux) -+SET(CMAKE_SYSTEM_VERSION 1) -+ -+# Specify the cross compiler -+SET(CMAKE_C_COMPILER $ENV{CROSS}gcc) -+SET(CMAKE_CXX_COMPILER $ENV{CROSS}gcc) -+ -+#sysroot location -+set(MYSYSROOT $ENV{INSTALL}) -+ -+# compiler/linker flags -+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE) -+set(CMAKE_C_LINK_FLAGS "${CMAKE_C_LINK_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE) -+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE) -+set(CMAKE_CXX_LINK_FLAGS "${CMAKE_CXX_LINK_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE) -+ -+# Where is the target environment -+SET(CMAKE_FIND_ROOT_PATH "${MYSYSROOT}") -+ -+# Search for programs only in the build host directories -+SET(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER) -+ -+# Search for libraries and headers only in the target directories -+SET(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY) -+SET(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY) -+ -+INCLUDE_DIRECTORIES(hidapi) ---- libremkey-hotp-verification/device.c 2018-06-20 16:13:36.417804210 -0700 -+++ libremkey-hotp-verification-b/device.c 2018-06-20 16:14:34.532367723 -0700 -@@ -34,7 +34,7 @@ - const unsigned short m_vid = 0x20a0; - const unsigned short m_pid = 0x4108; - --static const int CONNECTION_ATTEMPTS_COUNT = 80; -+static const int CONNECTION_ATTEMPTS_COUNT = 2; - - static const int CONNECTION_ATTEMPT_DELAY_MICRO_SECONDS = 1000*1000/2; - ---- libremkey-hotp-verification/libremkey_hotp_initialize -+++ libremkey-hotp-verification-b/libremkey_hotp_initialize -@@ -14,9 +14,9 @@ fi - PIN=$1 - SECRET=$2 - COUNTER=$3 --SECRET_B32=$(echo -n $SECRET | base32) -+SECRET_B32=$(cat $SECRET | base32) - --libremkey_hotp_verification set $SECRET_B32 $PIN 
-+libremkey_hotp_verification set $SECRET_B32 "$PIN" - if [ $? -ne 0 ]; then - echo "ERROR: Setting HOTP secret on Librem Key failed!" - exit 1 -@@ -25,7 +25,7 @@ fi - i=9 - while [ "$i" -lt "$COUNTER" ]; do - echo "Updating counter to $i" -- HOTP_CODE=$(echo $SECRET | hotp $i) -+ HOTP_CODE=$(hotp $i < $SECRET) - libremkey_hotp_verification check $HOTP_CODE > /dev/null - if [ $? -ne 0 ]; then - echo "HOTP check failed for counter=$i, code=$HOTP_CODE" -@@ -34,7 +34,7 @@ while [ "$i" -lt "$COUNTER" ]; do - let "i += 10" - done - --HOTP_CODE=$(echo $SECRET | hotp $COUNTER) -+HOTP_CODE=$(hotp $COUNTER < $SECRET) - libremkey_hotp_verification check $HOTP_CODE > /dev/null - if [ $? -ne 0 ]; then - echo "HOTP check failed for counter=$COUNTER, code=$HOTP_CODE" From 1ba73ac1d5c1317fadcda9d086225b0544deaa67 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Thu, 11 Jun 2020 15:29:51 +0200 Subject: [PATCH 02/18] Rename CONFIG_LIBREMKEY to CONFIG_HOTPKEY --- Makefile | 2 +- boards/librem13v2/librem13v2.config | 2 +- boards/librem13v4/librem13v4.config | 2 +- boards/librem15v3/librem15v3.config | 2 +- boards/librem15v4/librem15v4.config | 2 +- boards/x230-hotp-verification/x230-hotp-verification.config | 2 +- initrd/bin/gui-init | 2 +- modules/libremkey-hotp-verification | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/Makefile b/Makefile index a0bda55b..a3f73118 100644 --- a/Makefile +++ b/Makefile @@ -428,7 +428,7 @@ bin_modules-$(CONFIG_FLASHTOOLS) += flashtools bin_modules-$(CONFIG_NEWT) += newt bin_modules-$(CONFIG_CAIRO) += cairo bin_modules-$(CONFIG_FBWHIPTAIL) += fbwhiptail -bin_modules-$(CONFIG_LIBREMKEY) += libremkey-hotp-verification +bin_modules-$(CONFIG_HOTPKEY) += libremkey-hotp-verification bin_modules-$(CONFIG_MSRTOOLS) += msrtools $(foreach m, $(bin_modules-y), \ diff --git a/boards/librem13v2/librem13v2.config b/boards/librem13v2/librem13v2.config index 776256be..0ceaea82 100644 --- a/boards/librem13v2/librem13v2.config 
+++ b/boards/librem13v2/librem13v2.config @@ -20,7 +20,7 @@ CONFIG_TPMTOTP=y #CONFIG_NEWT=y CONFIG_CAIRO=y CONFIG_FBWHIPTAIL=y -CONFIG_LIBREMKEY=y +CONFIG_HOTPKEY=y CONFIG_LINUX_USB=y diff --git a/boards/librem13v4/librem13v4.config b/boards/librem13v4/librem13v4.config index 1b0a83ab..4b146723 100644 --- a/boards/librem13v4/librem13v4.config +++ b/boards/librem13v4/librem13v4.config @@ -20,7 +20,7 @@ CONFIG_TPMTOTP=y #CONFIG_NEWT=y CONFIG_CAIRO=y CONFIG_FBWHIPTAIL=y -CONFIG_LIBREMKEY=y +CONFIG_HOTPKEY=y CONFIG_LINUX_USB=y diff --git a/boards/librem15v3/librem15v3.config b/boards/librem15v3/librem15v3.config index c73f5b8f..75c5fc92 100644 --- a/boards/librem15v3/librem15v3.config +++ b/boards/librem15v3/librem15v3.config @@ -22,7 +22,7 @@ CONFIG_TPMTOTP=y #CONFIG_NEWT=y CONFIG_CAIRO=y CONFIG_FBWHIPTAIL=y -CONFIG_LIBREMKEY=y +CONFIG_HOTPKEY=y CONFIG_LINUX_USB=y diff --git a/boards/librem15v4/librem15v4.config b/boards/librem15v4/librem15v4.config index b2349799..8f1c8824 100644 --- a/boards/librem15v4/librem15v4.config +++ b/boards/librem15v4/librem15v4.config @@ -22,7 +22,7 @@ CONFIG_TPMTOTP=y #CONFIG_NEWT=y CONFIG_CAIRO=y CONFIG_FBWHIPTAIL=y -CONFIG_LIBREMKEY=y +CONFIG_HOTPKEY=y CONFIG_LINUX_USB=y diff --git a/boards/x230-hotp-verification/x230-hotp-verification.config b/boards/x230-hotp-verification/x230-hotp-verification.config index 1c9ef31b..93ce9831 100644 --- a/boards/x230-hotp-verification/x230-hotp-verification.config +++ b/boards/x230-hotp-verification/x230-hotp-verification.config @@ -22,7 +22,7 @@ CONFIG_DROPBEAR=y #CONFIG_NEWT=y CONFIG_CAIRO=y CONFIG_FBWHIPTAIL=y -CONFIG_LIBREMKEY=y +CONFIG_HOTPKEY=y CONFIG_LINUX_USB=y CONFIG_LINUX_E1000E=y diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 1ac0273f..323700ba 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init 
@@ -118,7 +118,7 @@ clean_boot_check() [ $GPG_KEY_COUNT -ne 0 ] && return # check for USB security token - if [ "$CONFIG_LIBREMKEY" = "y" ]; then + if [ "$CONFIG_HOTPKEY" = "y" ]; then enable_usb if ! gpg --card-status > /dev/null ; then return diff --git a/modules/libremkey-hotp-verification b/modules/libremkey-hotp-verification index 5ebb713b..94397e1a 100644 --- a/modules/libremkey-hotp-verification +++ b/modules/libremkey-hotp-verification @@ -1,4 +1,4 @@ -modules-$(CONFIG_LIBREMKEY) += libremkey-hotp-verification +modules-$(CONFIG_HOTPKEY) += libremkey-hotp-verification libremkey-hotp-verification_depends := libusb $(musl_dep) From 342431746dda12db84c0306a45e84dc85448b4e1 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Thu, 11 Jun 2020 15:39:12 +0200 Subject: [PATCH 03/18] Quick fix to build --- config/coreboot-x230-hotp-verification.config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/coreboot-x230-hotp-verification.config b/config/coreboot-x230-hotp-verification.config index db20e18c..150c7333 100644 --- a/config/coreboot-x230-hotp-verification.config +++ b/config/coreboot-x230-hotp-verification.config @@ -2,7 +2,7 @@ CONFIG_LOCALVERSION="heads" CONFIG_ANY_TOOLCHAIN=y CONFIG_MEASURED_BOOT=y CONFIG_VENDOR_LENOVO=y -CONFIG_CBFS_SIZE=0x800000 +CONFIG_CBFS_SIZE=0x710000 CONFIG_BOARD_LENOVO_X230=y CONFIG_NO_POST=y CONFIG_UART_PCI_ADDR=0 From 4069619ead133aee352a17e696f4f46b7c135f83 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Thu, 11 Jun 2020 15:54:10 +0200 Subject: [PATCH 04/18] Rename libremkey-hotp-verification module --- Makefile | 2 +- modules/hidapi | 2 +- modules/hotp-verification | 37 +++++++++++++++++++++++++++++ modules/libremkey-hotp-verification | 37 ----------------------------- 4 files changed, 39 insertions(+), 39 deletions(-) create mode 100644 modules/hotp-verification delete mode 100644 modules/libremkey-hotp-verification diff --git a/Makefile b/Makefile index a3f73118..084ad033 100644 --- a/Makefile 
+++ b/Makefile @@ -428,7 +428,7 @@ bin_modules-$(CONFIG_FLASHTOOLS) += flashtools bin_modules-$(CONFIG_NEWT) += newt bin_modules-$(CONFIG_CAIRO) += cairo bin_modules-$(CONFIG_FBWHIPTAIL) += fbwhiptail -bin_modules-$(CONFIG_HOTPKEY) += libremkey-hotp-verification +bin_modules-$(CONFIG_HOTPKEY) += hotp-verification bin_modules-$(CONFIG_MSRTOOLS) += msrtools $(foreach m, $(bin_modules-y), \ diff --git a/modules/hidapi b/modules/hidapi index 0a0ab5b1..d62b4224 100644 --- a/modules/hidapi +++ b/modules/hidapi @@ -1,2 +1,2 @@ # empty placeholder file -# This submodule is defined in modules/libremkey-hotp-verification +# This submodule is defined in modules/hotp-verification diff --git a/modules/hotp-verification b/modules/hotp-verification new file mode 100644 index 00000000..164f2735 --- /dev/null +++ b/modules/hotp-verification 
@@ -0,0 +1,37 @@ +modules-$(CONFIG_HOTPKEY) += hotp-verification + +hotp-verification_depends := libusb $(musl_dep) + +hotp-verification_version := 1cf1e1f3601b79692b81d409597136b8ff7c723a +hotp-verification_dir := hotp-verification-$(hotp-verification_version) +hotp-verification_tar := nitrokey-hotp-verification-$(hotp-verification_version).tar.gz +hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(hotp-verification_version).tar.gz +hotp-verification_hash := 21152cfb272f8edeff1220065940d5d6dfc12dbb2a48b84e64b24f8fc89c2567 + +hotp-verification_target := \ + $(MAKE_JOBS) \ + $(CROSS_TOOLS) \ + +hotp-verification_output := \ + libremkey_hotp_verification \ + libremkey_hotp_initialize + +hotp-verification_configure := \ + INSTALL="$(INSTALL)" \ + CROSS="$(CROSS)" \ + $(CROSS_TOOLS) $(MAKE) LDFLAGS="$(INSTALL)/lib/libusb-1.0.so" && $(MAKE) install INSTALL="$(INSTALL)" + +hotp-verification_depends += hidapi +modules-y += hidapi + +hidapi_version := e5ae0d30a523c565595bdfba3d5f2e9e1faf0bd0 +hidapi_dir := hotp-verification-$(hotp-verification_version)/hidapi +hidapi_tar := hidapi-$(hidapi_version).tar.xz +hidapi_url := https://github.com/Nitrokey/hidapi/archive/$(hidapi_version).tar.gz +hidapi_hash := acc2a5089a8917085c2b3ebe9446065a21c760ba7e13cb54917043c4122188e0 + + +## hidapi will be built as part of hotp-verification +## so nothing to do here (but need make to be happy) +hidapi_output := .built +hidapi_configure := echo -e 'all:\n\ttouch .built' > Makefile diff --git a/modules/libremkey-hotp-verification b/modules/libremkey-hotp-verification deleted file mode 100644 index 81d0db75..00000000 --- a/modules/libremkey-hotp-verification +++ /dev/null 
@@ -1,37 +0,0 @@ -modules-$(CONFIG_HOTPKEY) += libremkey-hotp-verification - -libremkey-hotp-verification_depends := libusb $(musl_dep) - -libremkey-hotp-verification_version := 1cf1e1f3601b79692b81d409597136b8ff7c723a -libremkey-hotp-verification_dir := libremkey-hotp-verification-$(libremkey-hotp-verification_version) -libremkey-hotp-verification_tar := nitrokey-hotp-verification-$(libremkey-hotp-verification_version).tar.gz -libremkey-hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(libremkey-hotp-verification_version).tar.gz -libremkey-hotp-verification_hash := 21152cfb272f8edeff1220065940d5d6dfc12dbb2a48b84e64b24f8fc89c2567 - -libremkey-hotp-verification_target := \ - $(MAKE_JOBS) \ - $(CROSS_TOOLS) \ - -libremkey-hotp-verification_output := \ - libremkey_hotp_verification \ - libremkey_hotp_initialize - -libremkey-hotp-verification_configure := \ - INSTALL="$(INSTALL)" \ - CROSS="$(CROSS)" \ - $(CROSS_TOOLS) $(MAKE) LDFLAGS="$(INSTALL)/lib/libusb-1.0.so" && $(MAKE) install INSTALL="$(INSTALL)" - -libremkey-hotp-verification_depends += hidapi -modules-y += hidapi - -hidapi_version := e5ae0d30a523c565595bdfba3d5f2e9e1faf0bd0 -hidapi_dir := libremkey-hotp-verification-$(libremkey-hotp-verification_version)/hidapi -hidapi_tar := hidapi-$(hidapi_version).tar.xz -hidapi_url := https://github.com/Nitrokey/hidapi/archive/$(hidapi_version).tar.gz -hidapi_hash := acc2a5089a8917085c2b3ebe9446065a21c760ba7e13cb54917043c4122188e0 - - -## hidapi will be built as part of libremkey-hotp-verification -## so nothing to do here (but need make to be happy) -hidapi_output := .built -hidapi_configure := echo -e 'all:\n\ttouch .built' > Makefile From 28735a8c849b55e6dc647591e9540af9b9c4a820 Mon Sep 17 00:00:00 2001 
From: alex-nitrokey Date: Thu, 11 Jun 2020 17:04:03 +0200 Subject: [PATCH 05/18] Add CONFIG_HOTP_BRANDING --- Makefile | 3 +++ initrd/bin/gui-init | 7 ++++--- initrd/bin/kexec-seal-key | 4 ++-- initrd/bin/seal-libremkey | 10 +++++----- 4 files changed, 14 insertions(+), 10 deletions(-) diff --git a/Makefile b/Makefile index 084ad033..6a8bf3ef 100644 --- a/Makefile +++ b/Makefile @@ -48,6 +48,9 @@ include $(CONFIG) # Unless otherwise specified, we are building for heads CONFIG_HEADS ?= y +# HOTP USB Security naming if not specified in boards config +CONFIG_HOTPKEY_BRANDING ?= "HOTP USB Security dongle" + # Some things want usernames, we use the current checkout # so that they are reproducible GIT_HASH := $(shell git rev-parse HEAD) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 323700ba..2ec6c659 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -93,7 +93,7 @@ update_totp() echo "Scan the QR code to add the new TOTP secret" /bin/seal-totp if [ -x /bin/libremkey_hotp_verification ]; then - echo "Once you have scanned the QR code, hit Enter to configure your Librem Key" + echo "Once you have scanned the QR code, hit Enter to configure your $(CONFIG_HOTPKEY_BRANDING)" read /bin/seal-libremkey else @@ -192,7 +192,8 @@ while true; do HOTP=`unseal-hotp` enable_usb if ! libremkey_hotp_verification info ; then - whiptail $CONFIG_WARNING_BG_COLOR --clear --title 'WARNING: Please Insert Your Librem Key' --msgbox "Your Librem Key was not detected.\n\nPlease insert your Librem Key" 30 90 + whiptail $CONFIG_WARNING_BG_COLOR --clear --title 'WARNING: Please Insert Your + $(CONFIG_HOTPKEY_BRANDING)' --msgbox "Your $(CONFIG_HOTPKEY_BRANDING) was not detected.\n\nPlease insert your $(CONFIG_HOTPKEY_BRANDING)" 30 90 fi # Don't output HOTP codes to screen, so as to make replay attacks harder libremkey_hotp_verification check $HOTP 
@@ -205,7 +206,7 @@ while true; do MAIN_MENU_BG_COLOR=$CONFIG_ERROR_BG_COLOR ;; * ) - HOTP="Error checking code, Insert Librem Key and retry" + HOTP="Error checking code, Insert $(CONFIG_HOTPKEY_BRANDING) and retry" MAIN_MENU_BG_COLOR=$CONFIG_WARNING_BG_COLOR ;; esac diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key index 46980af8..2da427cd 100755 --- a/initrd/bin/kexec-seal-key +++ b/initrd/bin/kexec-seal-key @@ -84,8 +84,8 @@ cat "$KEY_DEVICES" | cut -d\ -f1 | xargs /bin/qubes-measure-luks \ || die "Unable to measure the LUKS headers" luks_pcr=`tpm calcfuturepcr -ix 16 -if /tmp/luksDump.txt` -# Librem Key loads USB modules which changes PCR5. -# In the event Librem Key is enabled, skip verification of PCR5 +# HOTP USB Secrity dongle loads USB modules which changes PCR5. +# In the event HOTP USB Security dongle is enabled, skip verification of PCR5 if [ -x /bin/libremkey_hotp_verification ]; then pcr_5="X" else diff --git a/initrd/bin/seal-libremkey b/initrd/bin/seal-libremkey index c1dab8e6..87885eb2 100755 --- a/initrd/bin/seal-libremkey +++ b/initrd/bin/seal-libremkey @@ -1,5 +1,5 @@ #!/bin/sh -# Retrieve the sealed TOTP secret and initialize a Librem Key with it +# Retrieve the sealed TOTP secret and initialize a USB Security dongle with it . /etc/functions @@ -50,17 +50,17 @@ counter_value=1 enable_usb if ! libremkey_hotp_verification info ; then - echo "Insert your Librem Key and press Enter to configure it" + echo "Insert your $(CONFIG_HOTPKEY_BRANDING) and press Enter to configure it" read if ! libremkey_hotp_verification info ; then # don't leak key on failure shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null - die "Unable to find Librem Key" + die "Unable to find $(CONFIG_HOTPKEY_BRANDING)" fi fi echo -e "" -read -s -p "Enter your Librem Key Admin PIN: " admin_pin +read -s -p "Enter your $(CONFIG_HOTPKEY_BRANDING) Admin PIN: " admin_pin echo -e "\n" libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value 
@@ -94,7 +94,7 @@ echo $counter_value > $HOTP_COUNTER \ #|| die "Unable to create hotp counter file" mount -o remount,ro /boot -echo -e "\nLibrem Key initialized successfully. Press Enter to continue." +echo -e "\n$(CONFIG_HOTPKEY_BRANDING) initialized successfully. Press Enter to continue." read exit 0 From 53b67d27a430edcdcc63f971acf6fbb43304a028 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Wed, 24 Jun 2020 16:11:41 +0200 Subject: [PATCH 06/18] Prepare usage of /boot/kexec_hotp_key as branding --- Makefile | 3 --- initrd/bin/gui-init | 8 +++++++- initrd/bin/seal-libremkey | 8 ++++++++ 3 files changed, 15 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index 6a8bf3ef..084ad033 100644 --- a/Makefile +++ b/Makefile @@ -48,9 +48,6 @@ include $(CONFIG) # Unless otherwise specified, we are building for heads CONFIG_HEADS ?= y -# HOTP USB Security naming if not specified in boards config -CONFIG_HOTPKEY_BRANDING ?= "HOTP USB Security dongle" - # Some things want usernames, we use the current checkout # so that they are reproducible GIT_HASH := $(shell git rev-parse HEAD) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 2ec6c659..8b0197ce 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -3,6 +3,12 @@ CONFIG_BOOT_GUI_MENU_NAME='Heads Boot Menu' +if [ -r /boot/kexec_hotp_key ]; then + CONFIG_HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)" +else + CONFIG_HOTPKEY_BRANDING="HOTP USB security dongle" +fi + . /etc/functions . /tmp/config @@ -93,7 +99,7 @@ update_totp() echo "Scan the QR code to add the new TOTP secret" /bin/seal-totp if [ -x /bin/libremkey_hotp_verification ]; then - echo "Once you have scanned the QR code, hit Enter to configure your $(CONFIG_HOTPKEY_BRANDING)" + echo "Once you have scanned the QR code, hit Enter to configure your HOTP USB security dongle (e.g. Librem Key or Nitrokey)" read /bin/seal-libremkey else diff --git a/initrd/bin/seal-libremkey b/initrd/bin/seal-libremkey index 87885eb2..e82f6794 100755 
--- a/initrd/bin/seal-libremkey +++ b/initrd/bin/seal-libremkey @@ -6,6 +6,10 @@ HOTP_SEALED="/tmp/secret/hotp.sealed" HOTP_SECRET="/tmp/secret/hotp.key" HOTP_COUNTER="/boot/kexec_hotp_counter" +HOTP_KEY="/boot/kexec_hotp_key" + +CONFIG_HOTPKEY_BRANDING="HOTP USB security dongle" + mount_boot() { @@ -59,6 +63,8 @@ if ! libremkey_hotp_verification info ; then fi fi +# TODO find out branding now and set variable + echo -e "" read -s -p "Enter your $(CONFIG_HOTPKEY_BRANDING) Admin PIN: " admin_pin echo -e "\n" @@ -75,6 +81,8 @@ if [ $? -ne 0 ]; then fi fi +# TODO store key branding in HOTP_KEY + # HOTP key no longer needed shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null From 407778eb9a22ec9cb6b5e2d3e2865434681fcbd0 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Wed, 24 Jun 2020 16:16:03 +0200 Subject: [PATCH 07/18] Remove unintented paranthesis --- initrd/bin/gui-init | 4 ++-- initrd/bin/seal-libremkey | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 8b0197ce..26813b3e 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -199,7 +199,7 @@ while true; do enable_usb if ! libremkey_hotp_verification info ; then whiptail $CONFIG_WARNING_BG_COLOR --clear --title 'WARNING: Please Insert Your - $(CONFIG_HOTPKEY_BRANDING)' --msgbox "Your $(CONFIG_HOTPKEY_BRANDING) was not detected.\n\nPlease insert your $(CONFIG_HOTPKEY_BRANDING)" 30 90 + $CONFIG_HOTPKEY_BRANDING' --msgbox "Your $CONFIG_HOTPKEY_BRANDING was not detected.\n\nPlease insert your $CONFIG_HOTPKEY_BRANDING" 30 90 fi # Don't output HOTP codes to screen, so as to make replay attacks harder libremkey_hotp_verification check $HOTP @@ -212,7 +212,7 @@ while true; do MAIN_MENU_BG_COLOR=$CONFIG_ERROR_BG_COLOR ;; * ) - HOTP="Error checking code, Insert $(CONFIG_HOTPKEY_BRANDING) and retry" + HOTP="Error checking code, Insert $CONFIG_HOTPKEY_BRANDING and retry" MAIN_MENU_BG_COLOR=$CONFIG_WARNING_BG_COLOR ;; esac 
diff --git a/initrd/bin/seal-libremkey b/initrd/bin/seal-libremkey index e82f6794..2e5e0749 100755 --- a/initrd/bin/seal-libremkey +++ b/initrd/bin/seal-libremkey @@ -54,19 +54,19 @@ counter_value=1 enable_usb if ! libremkey_hotp_verification info ; then - echo "Insert your $(CONFIG_HOTPKEY_BRANDING) and press Enter to configure it" + echo "Insert your $CONFIG_HOTPKEY_BRANDING and press Enter to configure it" read if ! libremkey_hotp_verification info ; then # don't leak key on failure shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null - die "Unable to find $(CONFIG_HOTPKEY_BRANDING)" + die "Unable to find $CONFIG_HOTPKEY_BRANDING" fi fi # TODO find out branding now and set variable echo -e "" -read -s -p "Enter your $(CONFIG_HOTPKEY_BRANDING) Admin PIN: " admin_pin +read -s -p "Enter your $CONFIG_HOTPKEY_BRANDING Admin PIN: " admin_pin echo -e "\n" libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value @@ -102,7 +102,7 @@ echo $counter_value > $HOTP_COUNTER \ #|| die "Unable to create hotp counter file" mount -o remount,ro /boot -echo -e "\n$(CONFIG_HOTPKEY_BRANDING) initialized successfully. Press Enter to continue." +echo -e "\n$CONFIG_HOTPKEY_BRANDING initialized successfully. Press Enter to continue." read exit 0 From 38ba25706372d22bf1f033c5543b71496e4d7d61 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Wed, 24 Jun 2020 16:31:22 +0200 Subject: [PATCH 08/18] Include upstream updates of hotp_verification --- modules/libremkey-hotp-verification | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/libremkey-hotp-verification b/modules/libremkey-hotp-verification index c01c07cd..53a0f146 100644 --- a/modules/libremkey-hotp-verification +++ b/modules/libremkey-hotp-verification 
@@ -2,11 +2,11 @@ modules-$(CONFIG_LIBREMKEY) += libremkey-hotp-verification libremkey-hotp-verification_depends := libusb $(musl_dep) -libremkey-hotp-verification_version := 1cf1e1f3601b79692b81d409597136b8ff7c723a +libremkey-hotp-verification_version := 29094d8ff0f1c9321886079860f3747aa04c44b4 libremkey-hotp-verification_dir := libremkey-hotp-verification-$(libremkey-hotp-verification_version) libremkey-hotp-verification_tar := nitrokey-hotp-verification-$(libremkey-hotp-verification_version).tar.gz libremkey-hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(libremkey-hotp-verification_version).tar.gz -libremkey-hotp-verification_hash := 21152cfb272f8edeff1220065940d5d6dfc12dbb2a48b84e64b24f8fc89c2567 +libremkey-hotp-verification_hash := b8591a6abafaefd769e7e58d121d4ba6af1c54587b4b7f3438d65b37632fa2b0 libremkey-hotp-verification_target := \ $(MAKE_JOBS) \ From aab2c327e38901876e8d904fb788ddc49b99be11 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Wed, 24 Jun 2020 17:25:39 +0200 Subject: [PATCH 09/18] Fix warning box title --- initrd/bin/gui-init | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 26813b3e..71cdb79c 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -198,8 +198,9 @@ while true; do HOTP=`unseal-hotp` enable_usb if ! libremkey_hotp_verification info ; then - whiptail $CONFIG_WARNING_BG_COLOR --clear --title 'WARNING: Please Insert Your - $CONFIG_HOTPKEY_BRANDING' --msgbox "Your $CONFIG_HOTPKEY_BRANDING was not detected.\n\nPlease insert your $CONFIG_HOTPKEY_BRANDING" 30 90 + whiptail $CONFIG_WARNING_BG_COLOR --clear \ + --title "WARNING: Please Insert Your $CONFIG_HOTPKEY_BRANDING" \ + --msgbox "Your $CONFIG_HOTPKEY_BRANDING was not detected.\n\nPlease insert your $CONFIG_HOTPKEY_BRANDING" 30 90 fi # Don't output HOTP codes to screen, so as to make replay attacks harder libremkey_hotp_verification check $HOTP 
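Review bot: This hunk patches modules/libremkey-hotp-verification with `modules-$(CONFIG_LIBREMKEY)` still in its context, but patch 02 renamed that option to CONFIG_HOTPKEY and patch 04 deleted the file in favour of modules/hotp-verification, so the series cannot apply in order (the index lines 5ebb713b..94397e1a in patch 02 versus c01c07cd produced by patch 01 also suggest the patches were taken from different bases). The version and hash bump belongs in modules/hotp-verification as `hotp-verification_version := 29094d8ff0f1c9321886079860f3747aa04c44b4` and `hotp-verification_hash := b8591a6abafaefd769e7e58d121d4ba6af1c54587b4b7f3438d65b37632fa2b0`. Pinning the source hash is the right thing for supply-chain integrity; the commit message could also say which upstream change is being pulled in so the bump is reviewable.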
From 92b18265377c8797914cadc20663beae90ccc667 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Wed, 24 Jun 2020 17:36:53 +0200 Subject: [PATCH 10/18] /boot needs to get mounted first --- initrd/bin/gui-init | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 71cdb79c..7e3be63d 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -3,12 +3,6 @@ CONFIG_BOOT_GUI_MENU_NAME='Heads Boot Menu' -if [ -r /boot/kexec_hotp_key ]; then - CONFIG_HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)" -else - CONFIG_HOTPKEY_BRANDING="HOTP USB security dongle" -fi - . /etc/functions . /tmp/config @@ -146,6 +140,13 @@ else mount_boot fi +# Use stored HOTP key branding +if [ -r /boot/kexec_hotp_key ]; then + CONFIG_HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)" +else + CONFIG_HOTPKEY_BRANDING="HOTP USB Security Dongle" +fi + last_half=X while true; do MAIN_MENU_OPTIONS="" From 5867fc516cce80ec751196902f895c9237647bac Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Wed, 24 Jun 2020 17:40:49 +0200 Subject: [PATCH 11/18] Store HOTP USB Security Key branding in /boot --- initrd/bin/seal-libremkey | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/initrd/bin/seal-libremkey b/initrd/bin/seal-libremkey index 2e5e0749..914a5188 100755 --- a/initrd/bin/seal-libremkey +++ b/initrd/bin/seal-libremkey @@ -8,9 +8,6 @@ HOTP_SECRET="/tmp/secret/hotp.key" HOTP_COUNTER="/boot/kexec_hotp_counter" HOTP_KEY="/boot/kexec_hotp_key" -CONFIG_HOTPKEY_BRANDING="HOTP USB security dongle" - - mount_boot() { # Mount local disk if it is not already mounted @@ -20,6 +17,13 @@ mount_boot() fi } +# Use stored HOTP key branding (this might be useful after OEM reset) +if [ -r /boot/kexec_hotp_key ]; then + CONFIG_HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)" +else + CONFIG_HOTPKEY_BRANDING="HOTP USB Security Dongle" +fi + tpm nv_readvalue \ -in 4d47 \ -sz 312 \ 
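Review bot: The second gui-init hunk reads /boot/kexec_hotp_key straight into CONFIG_HOTPKEY_BRANDING and the value is later shown in whiptail titles and messages, but nothing in this series adds that file to the signed kexec configuration, so as far as the diff shows anyone who can write /boot can put arbitrary text into the boot prompts. Since the only values the series ever stores are "Nitrokey", "Librem Key" and the default (patch 11), the read can be restricted to those and anything else collapsed to the default; the matching block patch 11 adds to seal-libremkey (on this same line) could use the same guard. It would also help to state in the comment that the file is display-only and carries no security meaning.
```shell
# Use stored HOTP key branding (display only; unknown contents fall back to the default)
CONFIG_HOTPKEY_BRANDING="HOTP USB Security Dongle"
if [ -r /boot/kexec_hotp_key ]; then
	stored_branding="$(cat /boot/kexec_hotp_key)"
	case "$stored_branding" in
		"Nitrokey"|"Librem Key") CONFIG_HOTPKEY_BRANDING="$stored_branding" ;;
	esac
fi
```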
@@ -63,7 +67,14 @@ if ! libremkey_hotp_verification info ; then fi fi -# TODO find out branding now and set variable +# Set HOTP USB security key branding based on VID +if [ ! $(lsusb | grep -q "20a0:") ]; then + CONFIG_HOTPKEY_BRANDING="Nitrokey" +elif [ ! $(lsusb | grep -q "316d:") ]; then + CONFIG_HOTPKEY_BRANDING="Librem Key" +else + CONFIG_HOTPKEY_BRANDING="HOTP USB security key" +fi echo -e "" read -s -p "Enter your $CONFIG_HOTPKEY_BRANDING Admin PIN: " admin_pin @@ -81,8 +92,6 @@ if [ $? -ne 0 ]; then fi fi -# TODO store key branding in HOTP_KEY - # HOTP key no longer needed shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null @@ -98,6 +107,10 @@ counter_value=`expr $counter_value + 1` echo $counter_value > $HOTP_COUNTER \ || die "Unable to create hotp counter file" +# Store/overwrite HOTP USB security key branding found out beforehand +echo $CONFIG_HOTPKEY_BRANDING > $HOTP_KEY \ +|| die "Unable to store hotp key file" + #sha256sum /tmp/counter-$counter > $HOTP_COUNTER \ #|| die "Unable to create hotp counter file" mount -o remount,ro /boot From 3236f0e1707481f418dfa065073a7eaac72605ce Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Wed, 24 Jun 2020 17:44:29 +0200 Subject: [PATCH 12/18] Change name seal-libremkey -> seal-hotpkey --- initrd/bin/gui-init | 2 +- initrd/bin/{seal-libremkey => seal-hotpkey} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename initrd/bin/{seal-libremkey => seal-hotpkey} (100%) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 7e3be63d..f0085432 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -95,7 +95,7 @@ update_totp() if [ -x /bin/libremkey_hotp_verification ]; then echo "Once you have scanned the QR code, hit Enter to configure your HOTP USB security dongle (e.g. Librem Key or Nitrokey)" read - /bin/seal-libremkey + /bin/seal-hotpkey else echo "Once you have scanned the QR code, hit Enter to continue" read 
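Review bot: The VID detection added in the first hunk never works: `grep -q` prints nothing, so `$(lsusb | grep -q "20a0:")` expands to an empty string and `[ ! ]` is a one-argument test that is always true, which makes the branding always "Nitrokey" and leaves the elif unreachable. Test the pipeline's exit status instead: `if lsusb | grep -q "20a0:"; then` and `elif lsusb | grep -q "316d:"; then`. The same broken tests are carried forward unchanged by the seal-hotpkey hunks of patch 13 and patch 14, so fix it here and let those rebase on top. The wrong value only affects display text, so the impact is cosmetic, but the comment above the block claims it is "based on VID" and currently it is not.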
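Review bot: In the last hunk, `echo $CONFIG_HOTPKEY_BRANDING > $HOTP_KEY` expands both variables unquoted, so a branding value containing glob or whitespace characters is altered before it reaches the file; write `echo "$CONFIG_HOTPKEY_BRANDING" > "$HOTP_KEY" \` and keep the `|| die` continuation that follows. The other file writes in this script (`echo $counter_value > $HOTP_COUNTER`, visible as context) have the same shape, though that line is not part of this change.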
diff --git a/initrd/bin/seal-libremkey b/initrd/bin/seal-hotpkey similarity index 100% rename from initrd/bin/seal-libremkey rename to initrd/bin/seal-hotpkey From 2fe946ccbe8eede9c07d84c4cb3b6bf94873e862 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Wed, 24 Jun 2020 17:54:39 +0200 Subject: [PATCH 13/18] Fix termonology --- initrd/bin/gui-init | 2 +- initrd/bin/kexec-seal-key | 4 ++-- initrd/bin/seal-hotpkey | 6 +++--- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index f0085432..02fca80d 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -93,7 +93,7 @@ update_totp() echo "Scan the QR code to add the new TOTP secret" /bin/seal-totp if [ -x /bin/libremkey_hotp_verification ]; then - echo "Once you have scanned the QR code, hit Enter to configure your HOTP USB security dongle (e.g. Librem Key or Nitrokey)" + echo "Once you have scanned the QR code, hit Enter to configure your HOTP USB Security Dongle (e.g. Librem Key or Nitrokey)" read /bin/seal-hotpkey else diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key index 2da427cd..6219fb75 100755 --- a/initrd/bin/kexec-seal-key +++ b/initrd/bin/kexec-seal-key @@ -84,8 +84,8 @@ cat "$KEY_DEVICES" | cut -d\ -f1 | xargs /bin/qubes-measure-luks \ || die "Unable to measure the LUKS headers" luks_pcr=`tpm calcfuturepcr -ix 16 -if /tmp/luksDump.txt` -# HOTP USB Secrity dongle loads USB modules which changes PCR5. -# In the event HOTP USB Security dongle is enabled, skip verification of PCR5 +# HOTP USB Secrity Dongle loads USB modules which changes PCR5. +# In the event HOTP USB Security Dongle is enabled, skip verification of PCR5 if [ -x /bin/libremkey_hotp_verification ]; then pcr_5="X" else diff --git a/initrd/bin/seal-hotpkey b/initrd/bin/seal-hotpkey index 914a5188..98020db6 100755 --- a/initrd/bin/seal-hotpkey +++ b/initrd/bin/seal-hotpkey 
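Review bot: The comment rewritten in the kexec-seal-key hunk still carries the typo "Secrity" on its first line even though this commit is the terminology fix; make it `# HOTP USB Security Dongle loads USB modules which changes PCR5.`. The commit subject "Fix termonology" has the same kind of slip and is worth correcting before the series lands.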
@@ -67,13 +67,13 @@ if ! libremkey_hotp_verification info ; then fi fi -# Set HOTP USB security key branding based on VID +# Set HOTP USB Security Dongle branding based on VID if [ ! $(lsusb | grep -q "20a0:") ]; then CONFIG_HOTPKEY_BRANDING="Nitrokey" elif [ ! $(lsusb | grep -q "316d:") ]; then CONFIG_HOTPKEY_BRANDING="Librem Key" else - CONFIG_HOTPKEY_BRANDING="HOTP USB security key" + CONFIG_HOTPKEY_BRANDING="HOTP USB Security Dongle" fi echo -e "" @@ -107,7 +107,7 @@ counter_value=`expr $counter_value + 1` echo $counter_value > $HOTP_COUNTER \ || die "Unable to create hotp counter file" -# Store/overwrite HOTP USB security key branding found out beforehand +# Store/overwrite HOTP USB Security Dongle branding found out beforehand echo $CONFIG_HOTPKEY_BRANDING > $HOTP_KEY \ || die "Unable to store hotp key file" From fecb9cfd80dc1115017147777ab4a1a81214f40f Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Wed, 24 Jun 2020 18:12:56 +0200 Subject: [PATCH 14/18] Rename CONFIG_HOTP_BRANDING to HOTP_BRANDING reason: it not a config option anymore --- initrd/bin/gui-init | 10 +++++----- initrd/bin/seal-hotpkey | 20 ++++++++++---------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 02fca80d..b674356c 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -142,9 +142,9 @@ fi # Use stored HOTP key branding if [ -r /boot/kexec_hotp_key ]; then - CONFIG_HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)" + HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)" else - CONFIG_HOTPKEY_BRANDING="HOTP USB Security Dongle" + HOTPKEY_BRANDING="HOTP USB Security Dongle" fi last_half=X 
@@ -200,8 +200,8 @@ while true; do
 enable_usb
 if ! libremkey_hotp_verification info ; then
 whiptail $CONFIG_WARNING_BG_COLOR --clear \
- --title "WARNING: Please Insert Your $CONFIG_HOTPKEY_BRANDING" \
- --msgbox "Your $CONFIG_HOTPKEY_BRANDING was not detected.\n\nPlease insert your $CONFIG_HOTPKEY_BRANDING" 30 90
+ --title "WARNING: Please Insert Your $HOTPKEY_BRANDING" \
+ --msgbox "Your $HOTPKEY_BRANDING was not detected.\n\nPlease insert your $HOTPKEY_BRANDING" 30 90
 fi
 # Don't output HOTP codes to screen, so as to make replay attacks harder
 libremkey_hotp_verification check $HOTP
@@ -214,7 +214,7 @@ while true; do
 MAIN_MENU_BG_COLOR=$CONFIG_ERROR_BG_COLOR
 ;;
 * )
- HOTP="Error checking code, Insert $CONFIG_HOTPKEY_BRANDING and retry"
+ HOTP="Error checking code, Insert $HOTPKEY_BRANDING and retry"
 MAIN_MENU_BG_COLOR=$CONFIG_WARNING_BG_COLOR
 ;;
 esac
diff --git a/initrd/bin/seal-hotpkey b/initrd/bin/seal-hotpkey
index 98020db6..d66ce0c1 100755
--- a/initrd/bin/seal-hotpkey
+++ b/initrd/bin/seal-hotpkey
@@ -19,9 +19,9 @@ mount_boot()
 # Use stored HOTP key branding (this might be useful after OEM reset)
 if [ -r /boot/kexec_hotp_key ]; then
- CONFIG_HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)"
+ HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)"
 else
- CONFIG_HOTPKEY_BRANDING="HOTP USB Security Dongle"
+ HOTPKEY_BRANDING="HOTP USB Security Dongle"
 fi
 tpm nv_readvalue \
@@ -58,26 +58,26 @@ counter_value=1
 enable_usb
 if ! libremkey_hotp_verification info ; then
- echo "Insert your $CONFIG_HOTPKEY_BRANDING and press Enter to configure it"
+ echo "Insert your $HOTPKEY_BRANDING and press Enter to configure it"
 read
 if ! libremkey_hotp_verification info ; then
 # don't leak key on failure
 shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
- die "Unable to find $CONFIG_HOTPKEY_BRANDING"
+ die "Unable to find $HOTPKEY_BRANDING"
 fi
 fi
 # Set HOTP USB Security Dongle branding based on VID
 if [ ! $(lsusb | grep -q "20a0:") ]; then
- CONFIG_HOTPKEY_BRANDING="Nitrokey"
+ HOTPKEY_BRANDING="Nitrokey"
 elif [ ! $(lsusb | grep -q "316d:") ]; then
- CONFIG_HOTPKEY_BRANDING="Librem Key"
+ HOTPKEY_BRANDING="Librem Key"
 else
- CONFIG_HOTPKEY_BRANDING="HOTP USB Security Dongle"
+ HOTPKEY_BRANDING="HOTP USB Security Dongle"
 fi
 echo -e ""
-read -s -p "Enter your $CONFIG_HOTPKEY_BRANDING Admin PIN: " admin_pin
+read -s -p "Enter your $HOTPKEY_BRANDING Admin PIN: " admin_pin
 echo -e "\n"
 libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value
@@ -108,14 +108,14 @@ echo $counter_value > $HOTP_COUNTER \
 || die "Unable to create hotp counter file"
 # Store/overwrite HOTP USB Security Dongle branding found out beforehand
-echo $CONFIG_HOTPKEY_BRANDING > $HOTP_KEY \
+echo $HOTPKEY_BRANDING > $HOTP_KEY \
 || die "Unable to store hotp key file"
 #sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
 #|| die "Unable to create hotp counter file"
 mount -o remount,ro /boot
-echo -e "\n$CONFIG_HOTPKEY_BRANDING initialized successfully. Press Enter to continue."
+echo -e "\n$HOTPKEY_BRANDING initialized successfully. Press Enter to continue."
 read
 exit 0
From 53dc659c014ce63c3dcd7d40140cb062121df6f4 Mon Sep 17 00:00:00 2001
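Review bot: The Admin PIN read into `admin_pin` on the renamed `read -s -p` line is handed to `libremkey_hotp_initialize` as a positional argument on the last context line, so it is visible in that process's argument list for the duration of the call; in a single-user initramfs that exposure is small, but it deserves a comment so a later change does not move the script to a multi-process context unaware. Something like `# admin_pin is passed on argv and is therefore readable from the process list while the helper runs` above the call would record the trade-off; if the helper can take the PIN on stdin or from the environment, that would be the better long-term fix (not verifiable from this hunk). The `#sha256sum` lines in the second hunk of this file are commented-out code and could simply be deleted.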
From: alex-nitrokey
Date: Thu, 25 Jun 2020 15:35:47 +0200
Subject: [PATCH 15/18] Replace libremkey_htop_* by hotp_*

---
 initrd/bin/gui-init | 8 ++++----
 initrd/bin/kexec-seal-key | 2 +-
 initrd/bin/seal-hotpkey | 8 ++++----
 modules/hotp-verification | 8 ++++----
 4 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init
index b674356c..2b53130d 100755
--- a/initrd/bin/gui-init
+++ b/initrd/bin/gui-init
@@ -92,7 +92,7 @@ update_totp()
 {
 echo "Scan the QR code to add the new TOTP secret"
 /bin/seal-totp
- if [ -x /bin/libremkey_hotp_verification ]; then
+ if [ -x /bin/hotp_verification ]; then
 echo "Once you have scanned the QR code, hit Enter to configure your HOTP USB Security Dongle (e.g. Librem Key or Nitrokey)"
 read
 /bin/seal-hotpkey
@@ -195,16 +195,16 @@ while true; do
 fi
 if [ "$totp_confirm" = "i" -o -z "$totp_confirm" ]; then
- if [ -x /bin/libremkey_hotp_verification ]; then
+ if [ -x /bin/hotp_verification ]; then
 HOTP=`unseal-hotp`
 enable_usb
- if ! libremkey_hotp_verification info ; then
+ if ! hotp_verification info ; then
 whiptail $CONFIG_WARNING_BG_COLOR --clear \
 --title "WARNING: Please Insert Your $HOTPKEY_BRANDING" \
 --msgbox "Your $HOTPKEY_BRANDING was not detected.\n\nPlease insert your $HOTPKEY_BRANDING" 30 90
 fi
 # Don't output HOTP codes to screen, so as to make replay attacks harder
- libremkey_hotp_verification check $HOTP
+ hotp_verification check $HOTP
 case "$?" in
 0 )
 HOTP="Success"
diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key
index 6219fb75..7000070b 100755
--- a/initrd/bin/kexec-seal-key
+++ b/initrd/bin/kexec-seal-key
@@ -86,7 +86,7 @@ luks_pcr=`tpm calcfuturepcr -ix 16 -if /tmp/luksDump.txt`
 # HOTP USB Secrity Dongle loads USB modules which changes PCR5.
 # In the event HOTP USB Security Dongle is enabled, skip verification of PCR5
-if [ -x /bin/libremkey_hotp_verification ]; then
+if [ -x /bin/hotp_verification ]; then
 pcr_5="X"
 else
 pcr_5="0000000000000000000000000000000000000000"
diff --git a/initrd/bin/seal-hotpkey b/initrd/bin/seal-hotpkey
index d66ce0c1..8dc37bb2 100755
--- a/initrd/bin/seal-hotpkey
+++ b/initrd/bin/seal-hotpkey
@@ -57,10 +57,10 @@ mount_boot
 counter_value=1
 enable_usb
-if ! libremkey_hotp_verification info ; then
+if ! hotp_verification info ; then
 echo "Insert your $HOTPKEY_BRANDING and press Enter to configure it"
 read
- if ! libremkey_hotp_verification info ; then
+ if ! hotp_verification info ; then
 # don't leak key on failure
 shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
 die "Unable to find $HOTPKEY_BRANDING"
@@ -80,12 +80,12 @@ echo -e ""
 read -s -p "Enter your $HOTPKEY_BRANDING Admin PIN: " admin_pin
 echo -e "\n"
-libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value
+hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value $HOTPKEY_BRANDING
 if [ $? -ne 0 ]; then
 echo -e "\n"
 read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again: " admin_pin
 echo -e "\n"
- if ! libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value ; then
+ if ! hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value $HOTPKEY_BRANDING ; then
 # don't leak key on failure
 shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
 die "Setting HOTP secret failed"
diff --git a/modules/hotp-verification b/modules/hotp-verification
index 5df7b556..15eff604 100644
--- a/modules/hotp-verification
+++ b/modules/hotp-verification
@@ -2,19 +2,19 @@ modules-$(CONFIG_HOTPKEY) += hotp-verification
 hotp-verification_depends := libusb $(musl_dep)
-hotp-verification_version := 29094d8ff0f1c9321886079860f3747aa04c44b4
+hotp-verification_version := 5fb260e631b237a298b6dcca47bbd728f2c5ac3a
 hotp-verification_dir := hotp-verification-$(hotp-verification_version)
 hotp-verification_tar := nitrokey-hotp-verification-$(hotp-verification_version).tar.gz
 hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(hotp-verification_version).tar.gz
-hotp-verification_hash := b8591a6abafaefd769e7e58d121d4ba6af1c54587b4b7f3438d65b37632fa2b0
+hotp-verification_hash := 5d98d158ba97fb970061d68e2c6f41582395e687b7752efb1a8038762b0e7b79
 hotp-verification_target := \
 $(MAKE_JOBS) \
 $(CROSS_TOOLS) \
 hotp-verification_output := \
- libremkey_hotp_verification \
- libremkey_hotp_initialize
+ hotp_verification \
+ hotp_initialize
 hotp-verification_configure := \
 INSTALL="$(INSTALL)" \
From d3d4529545848f5ee3a2b96eb89324582b61f69a Mon Sep 17 00:00:00 2001
From: Szczepan Zalega
Date: Tue, 30 Jun 2020 13:45:21 +0200
Subject: [PATCH 16/18] GitlabCI: reset cache, and investigate

Calculate the uncompressed used cache space
Decrease retry count
---
 .gitlab-ci.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index beec06a4..545d8b59 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -8,13 +8,13 @@ stages:
 build:
 stage: build
- retry: 2
+ retry: 1
 cache:
 paths:
 - packages
 - crossgcc
 - build
- key: "heads-$GITLAB_USER_LOGIN"
+ key: "heads-$GITLAB_USER_LOGIN-2"
 script:
 - dnf install -y @development-tools gcc-c++ gcc-gnat zlib-devel perl-Digest-MD5 perl-Digest-SHA uuid-devel pcsc-tools ncurses-devel lbzip2 libuuid-devel lzma elfutils-libelf-devel bc bzip2 bison flex git gnupg iasl m4 nasm patch python wget libusb-devel cmake automake pv bsdiff autoconf libtool cpio texinfo
 - git fetch origin
@@ -75,6 +75,8 @@ build:
 - cat ./build/qemu-coreboot/hashes.txt
 - echo "Archiving qemu-coreboot logs..."
 - tar zcvf ./build/qemu-coreboot/logs.tar.gz ./build/log/*
+ - echo "Calculate used space for cache"
+ - du -shc packages crossgcc build
 artifacts:
 paths:
 - ./build/qemu-coreboot
From 9c9edb0cfc10b626c7fb5b9bd0a3a5348e0da756 Mon Sep 17 00:00:00 2001
From: Szczepan Zalega
Date: Tue, 30 Jun 2020 16:00:04 +0200
Subject: [PATCH 17/18] Remove pkg-config and git version use

---
 modules/hotp-verification | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/hotp-verification b/modules/hotp-verification
index 15eff604..ebc63a58 100644
--- a/modules/hotp-verification
+++ b/modules/hotp-verification
@@ -19,7 +19,7 @@ hotp-verification_output := \
 hotp-verification_configure := \
 INSTALL="$(INSTALL)" \
 CROSS="$(CROSS)" \
- $(CROSS_TOOLS) $(MAKE) LDFLAGS="$(INSTALL)/lib/libusb-1.0.so" && $(MAKE) install INSTALL="$(INSTALL)"
+ $(CROSS_TOOLS) $(MAKE) LDFLAGS="$(INSTALL)/lib/libusb-1.0.so" GITVERSION="" LIBUSB_FLAGS="-I/usr/include/libusb-1.0" PKGCONFIG="" && $(MAKE) install INSTALL="$(INSTALL)"
 hotp-verification_depends += hidapi
 modules-y += hidapi
From d472c43c7916e318407e028d54a6087f04508dcc Mon Sep 17 00:00:00 2001
From: Alexander Paetzelt
Date: Wed, 15 Jul 2020 09:35:47 +0200
Subject: [PATCH 18/18] Fix quoting of variable

---
 initrd/bin/seal-hotpkey | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/initrd/bin/seal-hotpkey b/initrd/bin/seal-hotpkey
index 8dc37bb2..3d116ad2 100755
--- a/initrd/bin/seal-hotpkey
+++ b/initrd/bin/seal-hotpkey
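Review bot: `LIBUSB_FLAGS="-I/usr/include/libusb-1.0"` on the `+` line of the modules/hotp-verification hunk points the cross build at the build host's libusb headers while the same line links the module's own `$(INSTALL)/lib/libusb-1.0.so` via `LDFLAGS`, so headers and library may come from different libusb versions and the build now silently depends on a host libusb development package. Because `PKGCONFIG=""` disables the lookup that would otherwise have located the right path, the include flag should name the sysroot copy instead, presumably `LIBUSB_FLAGS="-I$(INSTALL)/include/libusb-1.0"` (verify where the libusb module installs its headers before changing it). A short comment on the line, `# libusb headers and library must both come from $(INSTALL), not the host`, would keep the intent visible.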
@@ -80,12 +80,12 @@ echo -e ""
 read -s -p "Enter your $HOTPKEY_BRANDING Admin PIN: " admin_pin
 echo -e "\n"
-hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value $HOTPKEY_BRANDING
+hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING"
 if [ $? -ne 0 ]; then
 echo -e "\n"
 read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again: " admin_pin
 echo -e "\n"
- if ! hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value $HOTPKEY_BRANDING ; then
+ if ! hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" ; then
 # don't leak key on failure
 shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
 die "Setting HOTP secret failed"
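Review bot: Only `$HOTPKEY_BRANDING` is quoted on the two `+` lines; `$HOTP_SECRET` and `$counter_value` in the same calls remain unquoted, so the fix is applied inconsistently and a `HOTP_SECRET` path containing whitespace would still be split into several arguments. Quote every argument the same way: `hotp_initialize "$admin_pin" "$HOTP_SECRET" "$counter_value" "$HOTPKEY_BRANDING"` on the first call and the same four quoted arguments in the retry `if !` line. As a point of style, the `if [ $? -ne 0 ]; then` on the following context line could become `if ! hotp_initialize ...; then`, matching the form already used for the retry; the retry branch ends outside the hunk.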