Fix HOTP verification logic (and counter increment) in gui-init and oem-factory-reset scripts

2024-12-19 21:17:55 +00:00 · 2024-04-22 17:09:36 -04:00 · 2024-04-22 17:09:36 -04:00 · c9c4e6e2c4
commit c9c4e6e2c4
parent 16f1d07867
3 changed files with 38 additions and 27 deletions
--- a/initrd/bin/gui-init
+++ b/initrd/bin/gui-init
@ -250,8 +250,8 @@ update_totp()
 update_hotp()
 {
  TRACE_FUNC
+  HOTP="Unverified"
  if [ -x /bin/hotp_verification ]; then
-    HOTP=`unseal-hotp`
    if ! hotp_verification info ; then
      if [ "$skip_to_menu" = "true" ]; then
        return 1  # Already asked to skip to menu from a prior error
@ -265,6 +265,7 @@ update_hotp()
        return
      fi
    fi
+    HOTP=`unseal-hotp`
    # Don't output HOTP codes to screen, so as to make replay attacks harder
    hotp_verification check "$HOTP"
    case "$?" in
--- a/initrd/bin/oem-factory-reset
+++ b/initrd/bin/oem-factory-reset
@ -783,12 +783,22 @@ report_integrity_measurements() {

        # Check and report on HOTP status
        if [ -x /bin/hotp_verification ]; then
-            HOTP=$(unseal-hotp) >/dev/null 2>&1
+            HOTP="Unverified"
            enable_usb
+            for attempt in 1 2 3; do
                if ! hotp_verification info >/dev/null 2>&1; then
-                whiptail $CONFIG_WARNING_BG_COLOR --title 'WARNING: Please insert your HOTP enabled USB Security Dongle' --msgbox "Your HOTP enabled USB Security Dongle was not detected.\n\nPlease remove it and insert it again." 0 80
+                    whiptail $CONFIG_WARNING_BG_COLOR --title "WARNING: Please insert your HOTP enabled USB Security Dongle (Attempt $attempt/3)" --msgbox "Your HOTP enabled USB Security Dongle was not detected.\n\nPlease remove it and insert it again." 0 80
+                else
+                    break
                fi
+            done
+
+            if [ $attempt -eq 3 ]; then
+                die "No HOTP enabled USB Security Dongle detected. Please disable 'CONFIG_HOTPKEY' in the board config and rebuild."
+            fi
+
            # Don't output HOTP codes to screen, so as to make replay attacks harder
+            HOTP=$(unseal-hotp) >/dev/null 2>&1
            hotp_verification check $HOTP
            case "$?" in
            0)
--- a/initrd/bin/unseal-hotp
+++ b/initrd/bin/unseal-hotp
@ -6,13 +6,12 @@
 HOTP_SECRET="/tmp/secret/hotp.key"
 HOTP_COUNTER="/boot/kexec_hotp_counter"

-mount_boot_or_die()
-{
+mount_boot_or_die() {
  TRACE_FUNC
  # Mount local disk if it is not already mounted
  if ! grep -q /boot /proc/mounts; then
-    mount -o ro /boot \
-      || die "Unable to mount /boot"
+    mount -o ro /boot ||
+      die "Unable to mount /boot"
  fi
 }

@ -55,17 +54,18 @@ fi

 shred -n 10 -z -u "$HOTP_SECRET" 2>/dev/null

-#increment_tpm_counter $counter > /dev/null \
-#|| die "Unable to increment tpm counter"
-
+#Incrementing counter under $HOTP_COUNTER
+#
+# If for whatever reason, this counter is 5 counts different then on HOTP USB Security dongle, HOTP unseal fails.
+#Note: HOTP_COUNTER="/boot/kexec_hotp_counter" is not detached signed under kexec.sig since it changes
+#
+# TODO: figure out a better alternative then a counter that can be modified on disk
+#   As of now, this counter isincreased only in the validated presence of the HOTP dongle being connected per callers
 mount -o remount,rw /boot
-
-counter_value=`expr $counter_value + 1`
-echo $counter_value > $HOTP_COUNTER \
-|| die "Unable to create hotp counter file"
-
-#sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
-#|| die "Unable to create hotp counter file"
+DEBUG "Incrementing HOTP counter under $HOTP_COUNTER"
+counter_value=$(expr $counter_value + 1)
+echo $counter_value >$HOTP_COUNTER ||
+  die "Unable to create hotp counter file"
 mount -o remount,ro /boot

 exit 0