add integrity report in case some public key is already fused in firmware

- initrd/bin/oem-factory-reset: adds a measured integrity output prior of prompts. Goal is for stating TOTP/HOTP/boot detached signed measurements prior of initiating a Re-Ownership, validating provisioned OEM state.
2024-12-18 20:47:55 +00:00 · 2022-03-23 16:00:08 -04:00 · 2022-03-23 16:00:08 -04:00 · 8f390f97c2
commit 8f390f97c2
parent dacd99c629
1 changed files with 62 additions and 0 deletions
--- a/initrd/bin/oem-factory-reset
+++ b/initrd/bin/oem-factory-reset
@ -266,6 +266,65 @@ set_default_boot_option()
        || whiptail_error_die "Failed to create hashes of boot files"
 }

+report_integrity_measurements()
+{
+    #check for GPG key in keyring
+    GPG_KEY_COUNT=`gpg -k 2>/dev/null | wc -l`
+    if [ $GPG_KEY_COUNT -ne 0 ]; then
+        # Check and report TOTP
+        # update the TOTP code every thirty seconds
+        date=`date "+%Y-%m-%d %H:%M:%S"`
+        seconds=`date "+%s"`
+        half=`expr \( $seconds % 60 \) / 30`
+        if [ "$CONFIG_TPM" = n ]; then
+            TOTP="NO TPM"
+        elif [ "$half" != "$last_half" ]; then
+            last_half=$half;
+            TOTP=`unseal-totp` > /dev/null 2>&1
+        fi
+
+        # Check and report on HOTP status
+        if [ -x /bin/hotp_verification ]; then
+            HOTP=`unseal-hotp` > /dev/null 2>&1
+            enable_usb
+            if ! hotp_verification info > /dev/null 2>&1 ; then
+                whiptail $CONFIG_WARNING_BG_COLOR --clear --title 'WARNING: Please insert your HOTP enabled USB Security dongle' --msgbox "Your HOTP enabled USB Security dongle was not detected.\n\nPlease remove it and insert it again." 30 90
+            fi
+            # Don't output HOTP codes to screen, so as to make replay attacks harder
+            hotp_verification check $HOTP
+            case "$?" in
+                0 )
+                    HOTP="Success"
+                    ;;
+                4 )
+                    HOTP="Invalid code"
+                    MAIN_MENU_BG_COLOR=$CONFIG_ERROR_BG_COLOR
+                    ;;
+                * )
+                    HOTP="Error checking code, Insert USB Security dongle and retry"
+                    MAIN_MENU_BG_COLOR=$CONFIG_WARNING_BG_COLOR
+                    ;;
+                esac
+            else
+                HOTP='N/A'
+        fi
+        # Check for detached signed digest and report on /boot integrity status
+        check_config /boot force
+        TMP_HASH_FILE="/tmp/kexec/kexec_hashes.txt"
+
+        if cd /boot && sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output ; then
+            HASH="OK"
+            cd /
+            else
+                HASH="ALTERED"
+        fi
+
+	    #Show results
+	    whiptail $MAIN_MENU_BG_COLOR --clear --title "Measured Integrity Report" --msgbox "Time (GMT/UTC timezone): $date\nTOTP: $TOTP | HOTP: $HOTP\n/BOOT INTEGRITY: $HASH\n\nPress OK to continue or Ctrl+Alt+Delete to reboot" 30 90
+    fi
+}
+
+
 ## main script start

 # check for args
@ -300,6 +359,9 @@ $TPM_STR
    exit 1
 fi

+# We show current integrity measurements status and time
+report_integrity_measurements
+
 # Re-ownership of encrypted disk key, content and passphrase
 echo -e -n "Would you like to change the current LUKS Disk Recovery Key passphrase?\n (Highly recommended if you didn't install the Operating System yourself, so that past provisioned passphrase would not permit to access content.\n  Note that without re-encrypting disk, a backuped header could be restored to access encrypted content with old passphrase) [y/N]: "
 read -n 1 prompt_output