WiP: add nk3 secret app reset function and call it following security dongle reset logic

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Thierry Laurion 2024-11-28 16:57:26 -05:00
parent 1e0df1f597
commit c4832eed0e
No known key found for this signature in database
GPG Key ID: 9A53E1BB3FF00461


@ -138,6 +138,17 @@ mount_boot() {
fi fi
} }
reset_nk3_secret_app() {
TRACE_FUNC
# Reset Nitrokey 3 secret app
if lsusb | grep -q "20a0:42b2"; then
echo
echo "Resetting Nitrokey 3 secret app"
# Reset Nitrokey 3 secret app
/bin/hotp_verification reset
fi
}
#Generate a gpg master key: no expiration date, ${RSA_KEY_LENGTH} bits #Generate a gpg master key: no expiration date, ${RSA_KEY_LENGTH} bits
#This key will be used to sign 3 subkeys: encryption, authentication and signing #This key will be used to sign 3 subkeys: encryption, authentication and signing
#The master key and subkeys will be copied to backup, and the subkeys moved from memory keyring to the smartcard #The master key and subkeys will be copied to backup, and the subkeys moved from memory keyring to the smartcard
@ -533,6 +544,11 @@ gpg_key_factory_reset() {
ERROR=$(cat /tmp/gpg_card_edit_output) ERROR=$(cat /tmp/gpg_card_edit_output)
whiptail_error_die "GPG Key factory reset failed!\n\n$ERROR" whiptail_error_die "GPG Key factory reset failed!\n\n$ERROR"
fi fi
#Reset Nitrokey 3 secret app
reset_nk3_secret_app
# Nk3 now ready to set secret app PIN on first use...
# If Nitrokey Storage is inserted, reset AES keys as well # If Nitrokey Storage is inserted, reset AES keys as well
if lsusb | grep -q "20a0:4109" && [ -x /bin/hotp_verification ]; then if lsusb | grep -q "20a0:4109" && [ -x /bin/hotp_verification ]; then
DEBUG "Nitrokey Storage detected, resetting AES keys..." DEBUG "Nitrokey Storage detected, resetting AES keys..."
@ -540,6 +556,7 @@ gpg_key_factory_reset() {
DEBUG "Restarting scdaemon to remove possible exclusive lock of dongle" DEBUG "Restarting scdaemon to remove possible exclusive lock of dongle"
killall -9 scdaemon killall -9 scdaemon
fi fi
# Toggle forced sig (good security practice, forcing PIN request for each signature request) # Toggle forced sig (good security practice, forcing PIN request for each signature request)
if gpg --card-status | grep "Signature PIN" | grep -q "not forced"; then if gpg --card-status | grep "Signature PIN" | grep -q "not forced"; then
DEBUG "GPG toggling forcesig on since off..." DEBUG "GPG toggling forcesig on since off..."
@ -554,6 +571,7 @@ gpg_key_factory_reset() {
whiptail_error_die "GPG Key forcesig toggle on failed!\n\n$ERROR" whiptail_error_die "GPG Key forcesig toggle on failed!\n\n$ERROR"
fi fi
fi fi
# use p256 for key generation if requested # use p256 for key generation if requested
if [ "$GPG_ALGO" = "p256" ]; then if [ "$GPG_ALGO" = "p256" ]; then
{ {
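Review bot: In `reset_nk3_secret_app` (first hunk), `/bin/hotp_verification reset` runs without the `[ -x /bin/hotp_verification ]` guard that the Nitrokey Storage branch of `gpg_key_factory_reset` uses, and its exit status is ignored, so a missing binary or a failed reset passes silently. The call site then continues under `# Nk3 now ready to set secret app PIN on first use...`, which presumably leaves the previous secrets-app state on a dongle the user believes was wiped. I would gate the function with `if lsusb | grep -q "20a0:42b2" && [ -x /bin/hotp_verification ]; then` and fail loudly with `/bin/hotp_verification reset || whiptail_error_die "Nitrokey 3 secret app reset failed!"`. The duplicated `# Reset Nitrokey 3 secret app` comment inside the function can be dropped. `gpg_key_factory_reset` starts and ends outside the visible hunks.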