WiP initrd/bin/oem-factory-reset: add qrcode+secet output loop until user press y (end of reownership wizard secret output)
Signed-off-by: Thierry Laurion <insurgo@riseup.net> works: - oem and user mode passphrase generation - qrcode missing: - unattended - luks reencryption + passphrase change for OEM mode (only input to be provided) with SINGLE passphrase when in unattended mode - same for user reownership when previously OEM reset unattended Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This commit is contained in:
parent
40df08ecbc
commit
a6df16ec3c
@ -23,12 +23,10 @@ CANCEL="--no-button Cancel"
|
|||||||
HEIGHT="0"
|
HEIGHT="0"
|
||||||
WIDTH="80"
|
WIDTH="80"
|
||||||
|
|
||||||
|
# Default values
|
||||||
USER_PIN_DEF=123456
|
USER_PIN_DEF=123456
|
||||||
ADMIN_PIN_DEF=12345678
|
ADMIN_PIN_DEF=12345678
|
||||||
TPM_PASS_DEF=12345678
|
TPM_PASS_DEF=12345678
|
||||||
USER_PIN=""
|
|
||||||
ADMIN_PIN=""
|
|
||||||
TPM_PASS=""
|
|
||||||
GPG_GEN_KEY_IN_MEMORY="n"
|
GPG_GEN_KEY_IN_MEMORY="n"
|
||||||
GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD="n"
|
GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD="n"
|
||||||
|
|
||||||
@ -50,11 +48,16 @@ handle_mode() {
|
|||||||
case $mode in
|
case $mode in
|
||||||
oem)
|
oem)
|
||||||
DEBUG "OEM mode selected"
|
DEBUG "OEM mode selected"
|
||||||
# Add OEM mode specific logic here
|
CUSTOM_SINGLE_PASS=$(generate_passphrase --number_words 2 --max_length $MAX_HOTP_GPG_PIN_LENGTH)
|
||||||
|
USER_PIN=$CUSTOM_SINGLE_PASS
|
||||||
|
ADMIN_PIN=$CUSTOM_SINGLE_PASS
|
||||||
|
TPM_PASS=$CUSTOM_SINGLE_PASS
|
||||||
;;
|
;;
|
||||||
user)
|
user)
|
||||||
DEBUG "User mode selected"
|
DEBUG "User mode selected"
|
||||||
# Add User mode specific logic here
|
USER_PIN=$(generate_passphrase --number_words 2 --max_length $MAX_HOTP_GPG_PIN_LENGTH)
|
||||||
|
ADMIN_PIN=$(generate_passphrase --number_words 2 --max_length $MAX_HOTP_GPG_PIN_LENGTH)
|
||||||
|
TPM_PASS=$ADMIN_PIN
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
warn "Unknown mode: $mode"
|
warn "Unknown mode: $mode"
|
||||||
@ -81,6 +84,9 @@ done
|
|||||||
# Handle the --mode parameter if provided
|
# Handle the --mode parameter if provided
|
||||||
if [[ -n "$MODE" ]]; then
|
if [[ -n "$MODE" ]]; then
|
||||||
handle_mode "$MODE"
|
handle_mode "$MODE"
|
||||||
|
else
|
||||||
|
# Default to User Re-Ownership mode
|
||||||
|
handle_mode "user"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#Override RSA_KEY_LENGTH to 2048 bits for Canokey under qemu testing boards until canokey fixes
|
#Override RSA_KEY_LENGTH to 2048 bits for Canokey under qemu testing boards until canokey fixes
|
||||||
@ -719,9 +725,10 @@ generate_checksums() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
DEBUG "Detach-signing boot files under kexec.sig: ${param_files}"
|
DEBUG "Detach-signing boot files under kexec.sig: ${param_files}"
|
||||||
if sha256sum $param_files 2>/dev/null | DO_WITH_DEBUG gpg \
|
|
||||||
|
if sha256sum $param_files 2>/dev/null | gpg \
|
||||||
--pinentry-mode loopback \
|
--pinentry-mode loopback \
|
||||||
--passphrase "${USER_PIN}" \
|
--passphrase-file <(echo -n "$USER_PIN") \
|
||||||
--digest-algo SHA256 \
|
--digest-algo SHA256 \
|
||||||
--detach-sign \
|
--detach-sign \
|
||||||
-a \
|
-a \
|
||||||
@ -1371,14 +1378,18 @@ if [ "$GPG_GEN_KEY_IN_MEMORY" = "y" ]; then
|
|||||||
passphrases+="GPG key material backup passphrase: ${ADMIN_PIN}\n"
|
passphrases+="GPG key material backup passphrase: ${ADMIN_PIN}\n"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Show qrcode of configured secrets and ask user to confirm scanning of and loop until confirmed with qrenc $passphrases
|
# Show configured secrets in whiptail and loop until user confirms qr code was scanned
|
||||||
while true; do
|
while true; do
|
||||||
whiptail --msgbox "
|
whiptail --msgbox "
|
||||||
$(echo -e "$passphrases" | fold -w $((WIDTH - 5)))" \
|
$(echo -e "$passphrases" | fold -w $((WIDTH - 5)))" \
|
||||||
$HEIGHT $WIDTH --title "Configured secrets"
|
$HEIGHT $WIDTH --title "Configured secrets"
|
||||||
qrencode "$passphrases"
|
# strip the initial newline of passphrases
|
||||||
|
qr_code=$(echo -e "$passphrases" | sed '1s/^\n//')
|
||||||
|
#Tell user to scan the QR code containing all configured secrets
|
||||||
|
echo -e "\nScan the QR code below to save the secrets to a secure location"
|
||||||
|
qrenc "$qr_code"
|
||||||
# Prompt user to confirm scanning of qrcode on console prompt not whiptail: y/n
|
# Prompt user to confirm scanning of qrcode on console prompt not whiptail: y/n
|
||||||
echo -e -n "Please confirm you have scanned the QR code above [y/N]: "
|
echo -e -n "Please confirm you have scanned the QR code above and/or written down the secrets? [y/N]: "
|
||||||
read -n 1 prompt_output
|
read -n 1 prompt_output
|
||||||
echo
|
echo
|
||||||
if [ "$prompt_output" == "y" -o "$prompt_output" == "Y" ]; then
|
if [ "$prompt_output" == "y" -o "$prompt_output" == "Y" ]; then
|
||||||
|
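Review bot: The `sed '1s/^\n//'` on the `qr_code=` line cannot strip the leading blank line it is meant to remove, because sed processes one line at a time and the newline terminator is never part of the pattern space; when `$passphrases` starts with `\n`, the QR payload still begins with an empty line. `qr_code=$(echo -e "$passphrases" | sed '1{/^$/d}')` deletes that first empty line and is otherwise a no-op. The console prompt should also use `read -r -n 1 prompt_output` so a backslash keystroke is not interpreted. The `while true` loop that holds this display-and-confirm logic continues past the end of the hunk.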
@ -887,7 +887,7 @@ generate_passphrase() {
|
|||||||
local dictionary_file="$2"
|
local dictionary_file="$2"
|
||||||
local word=""
|
local word=""
|
||||||
|
|
||||||
word=$(grep "^$rolls" "$dictionary_file" | awk '{print $2}')
|
word=$(grep "^$rolls" "$dictionary_file" | awk -F ' ' '{print $2}')
|
||||||
echo "$word"
|
echo "$word"
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -898,17 +898,14 @@ generate_passphrase() {
|
|||||||
local rolls=""
|
local rolls=""
|
||||||
local random_bytes
|
local random_bytes
|
||||||
|
|
||||||
# Read num_rolls bytes from /dev/urandom in one go
|
# Read num_rolls bytes from /dev/random, fed by CPU RRAND in one go
|
||||||
random_bytes=$(dd if=/dev/urandom bs=1 count="$num_rolls" 2>/dev/null | hexdump -e '1/1 "%u\n"')
|
random_bytes=$(dd if=/dev/random bs=1 count="$num_rolls" 2>/dev/null | hexdump -e '1/1 "%u\n"')
|
||||||
|
|
||||||
# Process each byte to generate a dice roll
|
# Process each byte to generate a dice roll
|
||||||
while read -r byte; do
|
while read -r byte; do
|
||||||
roll=$((byte % 6 + 1))
|
roll=$((byte % 6 + 1))
|
||||||
DEBUG "Randomized dice roll: $roll"
|
|
||||||
rolls+=$roll
|
rolls+=$roll
|
||||||
done <<<"$random_bytes"
|
done <<<"$random_bytes"
|
||||||
|
|
||||||
DEBUG "Generated dice rolls: $rolls"
|
|
||||||
echo "$rolls"
|
echo "$rolls"
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -978,15 +975,12 @@ generate_passphrase() {
|
|||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
digits=${#key}
|
digits=${#key} #Number of digits in dice rolls
|
||||||
DEBUG "Number of digits in dice rolls: $digits"
|
|
||||||
|
|
||||||
for ((i = 0; i < num_words; ++i)); do
|
for ((i = 0; i < num_words; ++i)); do
|
||||||
key=$(generate_dice_rolls "$digits")
|
key=$(generate_dice_rolls "$digits")
|
||||||
word=$(get_word_from_dictionary "$key" "$dictionary_file")
|
word=$(get_word_from_dictionary "$key" "$dictionary_file")
|
||||||
DEBUG "Retrieved word: $word"
|
|
||||||
if [[ "$lowercase" == "false" ]]; then
|
if [[ "$lowercase" == "false" ]]; then
|
||||||
DEBUG "Capitalizing the first letter of the word"
|
|
||||||
word=${word^} # Capitalize the first letter
|
word=${word^} # Capitalize the first letter
|
||||||
fi
|
fi
|
||||||
passphrase+="$word "
|
passphrase+="$word "
|
||||||
@ -997,6 +991,8 @@ generate_passphrase() {
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
#Remove passphrase trailing space from passphrase+="$word"
|
||||||
|
passphrase=${passphrase% }
|
||||||
echo "$passphrase"
|
echo "$passphrase"
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
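Review bot: `roll=$((byte % 6 + 1))` in the loop body is biased because 256 is not a multiple of 6: rolls 1–4 each occur with probability 43/256 and rolls 5–6 with 42/256, and switching the `dd` source to /dev/random does not change that. The bias is small for a diceware key, but rejection sampling removes it at no real cost: discard bytes ≥ 252 and keep drawing until `num_rolls` rolls have been collected, as sketched below. The new comment on the `dd` line also misspells the instruction (`RDRAND`, not `RRAND`), and on Linux ≥ 5.6 /dev/random and /dev/urandom yield the same stream once the pool is seeded — /dev/random only adds blocking until then, which is presumably the intent in an early-boot initrd and is worth saying in the comment. The enclosing function starts before the hunk; only its `local` declarations onward are visible.
```shell
# … unchanged: local rolls="" / local random_bytes …
local byte
# Rejection-sample: 256 % 6 != 0, so a bare `byte % 6` favours rolls 1-4
# (43/256 vs 42/256). Discard bytes >= 252 and redraw until enough rolls.
while (( ${#rolls} < num_rolls )); do
  byte=$(dd if=/dev/random bs=1 count=1 2>/dev/null | hexdump -e '1/1 "%u\n"')
  [[ "$byte" =~ ^[0-9]+$ ]] || return 1   # short/failed read: fail closed, never pad
  (( byte >= 252 )) && continue
  rolls+=$((byte % 6 + 1))
done
echo "$rolls"
```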