Fix HOTP verification logic (and counter increment) in gui-init and oem-factory-reset scripts

This commit is contained in:
Thierry Laurion 2024-04-22 17:09:36 -04:00
parent 16f1d07867
commit c9c4e6e2c4
No known key found for this signature in database
GPG Key ID: 9A53E1BB3FF00461
3 changed files with 38 additions and 27 deletions


@ -250,8 +250,8 @@ update_totp()
update_hotp() update_hotp()
{ {
TRACE_FUNC TRACE_FUNC
HOTP="Unverified"
if [ -x /bin/hotp_verification ]; then if [ -x /bin/hotp_verification ]; then
HOTP=`unseal-hotp`
if ! hotp_verification info ; then if ! hotp_verification info ; then
if [ "$skip_to_menu" = "true" ]; then if [ "$skip_to_menu" = "true" ]; then
return 1 # Already asked to skip to menu from a prior error return 1 # Already asked to skip to menu from a prior error
@ -265,6 +265,7 @@ update_hotp()
return return
fi fi
fi fi
HOTP=`unseal-hotp`
# Don't output HOTP codes to screen, so as to make replay attacks harder # Don't output HOTP codes to screen, so as to make replay attacks harder
hotp_verification check "$HOTP" hotp_verification check "$HOTP"
case "$?" in case "$?" in
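Review bot: The exit status of the moved `HOTP=\`unseal-hotp\`` assignment is not checked, so if unseal-hotp fails (the version in this commit calls `die` on several paths), `$HOTP` is empty and `hotp_verification check ""` runs with the resulting code-mismatch being reported instead of the real unseal error; consider `HOTP=$(unseal-hotp) || return 1`, or whichever error path the rest of update_hotp uses for a failed unseal. As a point of style, the backticks could become `$(unseal-hotp)`, matching the `$(...)` form the oem-factory-reset hunk in this same commit uses. The body of update_hotp continues past the end of the hunk.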


@ -783,12 +783,22 @@ report_integrity_measurements() {
# Check and report on HOTP status # Check and report on HOTP status
if [ -x /bin/hotp_verification ]; then if [ -x /bin/hotp_verification ]; then
HOTP=$(unseal-hotp) >/dev/null 2>&1 HOTP="Unverified"
enable_usb enable_usb
if ! hotp_verification info >/dev/null 2>&1; then for attempt in 1 2 3; do
whiptail $CONFIG_WARNING_BG_COLOR --title 'WARNING: Please insert your HOTP enabled USB Security Dongle' --msgbox "Your HOTP enabled USB Security Dongle was not detected.\n\nPlease remove it and insert it again." 0 80 if ! hotp_verification info >/dev/null 2>&1; then
whiptail $CONFIG_WARNING_BG_COLOR --title "WARNING: Please insert your HOTP enabled USB Security Dongle (Attempt $attempt/3)" --msgbox "Your HOTP enabled USB Security Dongle was not detected.\n\nPlease remove it and insert it again." 0 80
else
break
fi
done
if [ $attempt -eq 3 ]; then
die "No HOTP enabled USB Security Dongle detected. Please disable 'CONFIG_HOTPKEY' in the board config and rebuild."
fi fi
# Don't output HOTP codes to screen, so as to make replay attacks harder # Don't output HOTP codes to screen, so as to make replay attacks harder
HOTP=$(unseal-hotp) >/dev/null 2>&1
hotp_verification check $HOTP hotp_verification check $HOTP
case "$?" in case "$?" in
0) 0)
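Review bot: The post-loop test `if [ $attempt -eq 3 ]` cannot distinguish "dongle detected on the third attempt" from "all three attempts failed", because a successful `break` on the last iteration also leaves `attempt` at 3, so a user who inserts the dongle at the last prompt is still sent to `die`. Track the outcome explicitly instead: set `hotp_detected=n` before the loop, `hotp_detected=y` immediately before the `break`, and test `if [ "$hotp_detected" != "y" ]; then`. On the re-added `HOTP=$(unseal-hotp) >/dev/null 2>&1`, the trailing redirection appears to apply to the (empty) assignment command rather than to unseal-hotp inside the substitution, so its stderr still reaches the screen; `HOTP=$(unseal-hotp 2>/dev/null)` is the form that suppresses it, and the following `hotp_verification check $HOTP` would be safer quoted as `"$HOTP"`. report_integrity_measurements starts before and continues after this hunk.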


@ -6,13 +6,12 @@
HOTP_SECRET="/tmp/secret/hotp.key" HOTP_SECRET="/tmp/secret/hotp.key"
HOTP_COUNTER="/boot/kexec_hotp_counter" HOTP_COUNTER="/boot/kexec_hotp_counter"
mount_boot_or_die() mount_boot_or_die() {
{
TRACE_FUNC TRACE_FUNC
# Mount local disk if it is not already mounted # Mount local disk if it is not already mounted
if ! grep -q /boot /proc/mounts ; then if ! grep -q /boot /proc/mounts; then
mount -o ro /boot \ mount -o ro /boot ||
|| die "Unable to mount /boot" die "Unable to mount /boot"
fi fi
} }
@ -38,34 +37,35 @@ fi
#counter_value=$(printf "%d" 0x${counter_value}) #counter_value=$(printf "%d" 0x${counter_value})
if [ "$CONFIG_TPM" = "y" ]; then if [ "$CONFIG_TPM" = "y" ]; then
DEBUG "Unsealing HOTP secret reuses TOTP sealed secret..." DEBUG "Unsealing HOTP secret reuses TOTP sealed secret..."
tpmr unseal 4d47 0,1,2,3,4,7 312 "$HOTP_SECRET" || die "Unable to unseal HOTP secret" tpmr unseal 4d47 0,1,2,3,4,7 312 "$HOTP_SECRET" || die "Unable to unseal HOTP secret"
else else
# without a TPM, generate a secret based on the SHA-256 of the ROM # without a TPM, generate a secret based on the SHA-256 of the ROM
secret_from_rom_hash > "$HOTP_SECRET" || die "Reading ROM failed" secret_from_rom_hash >"$HOTP_SECRET" || die "Reading ROM failed"
fi fi
# Truncate the secret if it is longer than the maximum HOTP secret # Truncate the secret if it is longer than the maximum HOTP secret
truncate_max_bytes 20 "$HOTP_SECRET" truncate_max_bytes 20 "$HOTP_SECRET"
if ! hotp $counter_value < "$HOTP_SECRET"; then if ! hotp $counter_value <"$HOTP_SECRET"; then
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null shred -n 10 -z -u "$HOTP_SECRET" 2>/dev/null
die 'Unable to compute HOTP hash?' die 'Unable to compute HOTP hash?'
fi fi
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null shred -n 10 -z -u "$HOTP_SECRET" 2>/dev/null
#increment_tpm_counter $counter > /dev/null \
#|| die "Unable to increment tpm counter"
#Incrementing counter under $HOTP_COUNTER
#
# If for whatever reason, this counter is 5 counts different then on HOTP USB Security dongle, HOTP unseal fails.
#Note: HOTP_COUNTER="/boot/kexec_hotp_counter" is not detached signed under kexec.sig since it changes
#
# TODO: figure out a better alternative then a counter that can be modified on disk
# As of now, this counter isincreased only in the validated presence of the HOTP dongle being connected per callers
mount -o remount,rw /boot mount -o remount,rw /boot
DEBUG "Incrementing HOTP counter under $HOTP_COUNTER"
counter_value=`expr $counter_value + 1` counter_value=$(expr $counter_value + 1)
echo $counter_value > $HOTP_COUNTER \ echo $counter_value >$HOTP_COUNTER ||
|| die "Unable to create hotp counter file" die "Unable to create hotp counter file"
#sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
#|| die "Unable to create hotp counter file"
mount -o remount,ro /boot mount -o remount,ro /boot
exit 0 exit 0
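Review bot: The counter increment keeps `expr` and leaves both expansions unquoted on the write line; `counter_value=$((counter_value + 1))` and `echo "$counter_value" >"$HOTP_COUNTER" ||` are the idiomatic forms and avoid word-splitting on the path. The new comment block has a few typos worth fixing while it is fresh: "different then" → "different than", "alternative then" → "alternative than", and "isincreased" → "is increased". The security caveat the comment records — that `HOTP_COUNTER` lives on /boot outside kexec.sig coverage and is only advanced when a caller has already confirmed dongle presence — is useful; it may be worth adding one line noting that `counter_value` is read before this hunk and is not validated as a non-negative integer before reaching `hotp $counter_value`. If the `die` after the `echo` fires, /boot is left remounted read-write, which appears to be pre-existing behavior rather than something this change introduces.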