ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-18 20:47:55 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'github-heads/master' into laptops-optional-usb-keyboard

Browse Source
This commit is contained in:
Jonathon Hall 2024-01-31 10:48:24 -05:00
commit d22cf5ec7b
No known key found for this signature in database
GPG Key ID: 1E9C3CA91AE25114
15 changed files with 101 additions and 70 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
FAQ.md
View File

@ -110,7 +110,7 @@ to deceive you and steal your login password? Maybe! It wouldn't get
your disk password, which is perhaps an improvement. your disk password, which is perhaps an improvement.
Disk key in TPM (TPM Disk Unlock Key) or user passphrase? Disk key in TPM (LUKS TPM Disk Unlock Key) or user passphrase?
--- ---
Depends on your threat model. With the disk key in the TPM an attacker Depends on your threat model. With the disk key in the TPM an attacker
would need to have the entire machine (or a backdoor in the TPM) would need to have the entire machine (or a backdoor in the TPM)

2
initrd/bin/inject_firmware.sh
View File

@ -51,7 +51,7 @@ done
# awk will happily pass through a binary file, so look for the match we want # awk will happily pass through a binary file, so look for the match we want
# before modifying init to ensure it's a shell script and not an ELF, etc. # before modifying init to ensure it's a shell script and not an ELF, etc.
if ! grep -E -q '^exec run-init .*\$\{rootmnt\}' "$INITRD_ROOT/init"; then if ! grep -E -q '^exec run-init .*\$\{rootmnt\}' "$INITRD_ROOT/init"; then
WARN "Can't apply firmware blob jail, unknown init script" warn "Can't apply firmware blob jail, unknown init script"
exit 0 exit 0
fi fi

3
initrd/bin/kexec-insert-key
View File

@ -45,6 +45,7 @@ mkdir -p "$INITRD_DIR/etc"
unseal_failed="n" unseal_failed="n"
if ! kexec-unseal-key "$INITRD_DIR/secret.key"; then if ! kexec-unseal-key "$INITRD_DIR/secret.key"; then
unseal_failed="y" unseal_failed="y"
echo
echo "!!! Failed to unseal the TPM LUKS disk key" echo "!!! Failed to unseal the TPM LUKS disk key"
fi fi
@ -58,7 +59,7 @@ if [ "$unseal_failed" = "y" ]; then
confirm_boot="n" confirm_boot="n"
read \ read \
-n 1 \ -n 1 \
-p "Do you wish to boot and use the disk recovery key? [Y/n] " \ -p "Do you wish to boot and use the LUKS Disk Recovery Key? [Y/n] " \
confirm_boot confirm_boot
if [ "$confirm_boot" != 'y' \ if [ "$confirm_boot" != 'y' \

12
initrd/bin/kexec-save-default
View File

@ -189,10 +189,10 @@ save_key="n"
if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [ "$CONFIG_BASIC" != y ]; then if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [ "$CONFIG_BASIC" != y ]; then
DEBUG "TPM is enabled and TPM_NO_LUKS_DISK_UNLOCK is not set" DEBUG "TPM is enabled and TPM_NO_LUKS_DISK_UNLOCK is not set"
DEBUG "Checking if a a TPM Disk Unlock Key was previously set up from $KEY_DEVICES" DEBUG "Checking if a a LUKS TPM Disk Unlock Key was previously set up from $KEY_DEVICES"
#check if $KEY_DEVICES file exists and is not empty #check if $KEY_DEVICES file exists and is not empty
if [ -r "$KEY_DEVICES" ] && [ -s "$KEY_DEVICES" ]; then if [ -r "$KEY_DEVICES" ] && [ -s "$KEY_DEVICES" ]; then
DEBUG "TPM Disk Unlock Key was previously set up from $KEY_DEVICES" DEBUG "LUKS TPM Disk Unlock Key was previously set up from $KEY_DEVICES"
read \ read \
-n 1 \ -n 1 \
-p "Do you want to reseal a disk key to the TPM [y/N]: " \ -p "Do you want to reseal a disk key to the TPM [y/N]: " \
@ -218,7 +218,7 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [
save_key="y" save_key="y"
fi fi
else else
DEBUG "No previous TPM Disk Unlock Key was set up for LUKS devices, confirming to add a Disk Encryption Key to the TPM" DEBUG "No previous LUKS TPM Disk Unlock Key was set up, confirming to add a Disk Encryption Key to the TPM"
read \ read \
-n 1 \ -n 1 \
-p "Do you wish to add a disk encryption to the TPM [y/N]: " \ -p "Do you wish to add a disk encryption to the TPM [y/N]: " \
@ -234,7 +234,7 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [
if [ "$save_key" = "y" ]; then if [ "$save_key" = "y" ]; then
if [ -n "$old_key_devices" ] || [ -n "$old_lvm_volume_group" ]; then if [ -n "$old_key_devices" ] || [ -n "$old_lvm_volume_group" ]; then
DEBUG "Previous TPM Disk Unlock Key was set up for LUKS devices $old_key_devices $old_lvm_volume_group" DEBUG "Previous LUKS TPM Disk Unlock Key was set up for $old_key_devices $old_lvm_volume_group"
read \ read \
-n 1 \ -n 1 \
-p "Do you want to reuse configured Encrypted LVM groups/Block devices? (Y/n):" \ -p "Do you want to reuse configured Encrypted LVM groups/Block devices? (Y/n):" \
@ -252,7 +252,7 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [
prompt_for_existing_encrypted_lvms_or_disks prompt_for_existing_encrypted_lvms_or_disks
fi fi
else else
DEBUG "No previous TPM Disk Unlock Key was set up for LUKS devices, setting up new one" DEBUG "No previous LUKS TPM Disk Unlock Key was set up, setting up"
prompt_for_existing_encrypted_lvms_or_disks prompt_for_existing_encrypted_lvms_or_disks
fi fi
@ -263,7 +263,7 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [
save_key_params="$save_key_params $key_devices" save_key_params="$save_key_params $key_devices"
fi fi
kexec-save-key $save_key_params || kexec-save-key $save_key_params ||
die "Failed to save the TPM Disk Unlock Key" die "Failed to save the LUKS TPM Disk Unlock Key"
fi fi
fi fi

2
initrd/bin/kexec-save-key
View File

@ -72,7 +72,7 @@ for dev in $key_devices; do
done done
kexec-seal-key $paramsdir || kexec-seal-key $paramsdir ||
die "Failed to save and generate TPM Disk Unlock Key" die "Failed to save and generate LUKS TPM Disk Unlock Key"
if [ "$skip_sign" != "y" ]; then if [ "$skip_sign" != "y" ]; then
extparam= extparam=

53
initrd/bin/kexec-seal-key
View File

@ -47,13 +47,13 @@ DEBUG "$(pcrs)"
# LUKS Key slot 0 is the manual recovery pass phrase # LUKS Key slot 0 is the manual recovery pass phrase
# that they user entered when they installed OS, # that they user entered when they installed OS,
# key slot 1 is the one that we've generated. # key slot 1 is the one that we've generated.
read -s -p "Enter Disk Recovery Key/passphrase: " disk_password read -s -p "Enter LUKS Disk Recovery Key/passphrase: " disk_password
echo -n "$disk_password" >"$RECOVERY_KEY" echo -n "$disk_password" >"$RECOVERY_KEY"
echo echo
read -s -p "New TPM Disk Unlock Key passphrase for booting: " key_password read -s -p "New LUKS TPM Disk Unlock Key passphrase for booting: " key_password
echo echo
read -s -p "Repeat TPM Disk Unlock Key passphrase for booting: " key_password2 read -s -p "Repeat LUKS TPM Disk Unlock Key passphrase for booting: " key_password2
echo echo
if [ "$key_password" != "$key_password2" ]; then if [ "$key_password" != "$key_password2" ]; then
@ -61,7 +61,7 @@ if [ "$key_password" != "$key_password2" ]; then
fi fi
# Generate key file # Generate key file
echo "++++++ Generating new randomized 128 bytes key file that will be sealed/unsealed by TPM Disk Unlock Key passphrase" echo "++++++ Generating new randomized 128 bytes key file that will be sealed/unsealed by LUKS TPM Disk Unlock Key passphrase"
dd \ dd \
if=/dev/urandom \ if=/dev/urandom \
of="$KEY_FILE" \ of="$KEY_FILE" \
@ -74,36 +74,55 @@ dd \
for dev in $(cat "$KEY_DEVICES" | cut -d\ -f1); do for dev in $(cat "$KEY_DEVICES" | cut -d\ -f1); do
DEBUG "Checking number of slots used on $dev LUKS header" DEBUG "Checking number of slots used on $dev LUKS header"
#check if the device is a LUKS device with luks[1,2] #check if the device is a LUKS device with luks[1,2]
slots_used=$(cryptsetup luksDump $dev | grep -c 'luks[0-9]*' || die "Unable to get number of slots used on $dev") # Get the number of key slots used on the LUKS header.
# LUKS1 Format is :
# Slot 0: ENABLED
# Slot 1: ENABLED
# Slot 2: DISABLED
# Slot 3: DISABLED
#...
# Slot 7: DISABLED
# Luks2 only reports on enabled slots.
# luks2 Format is :
# 0: luks2
# 1: luks2
# Meaning that the number of slots used is the number of lines returned by a grep on the LUKS2 above format.
# We need to count the number of ENABLED slots for both LUKS1 and LUKS2
# create regex pattern for both LUKS1 and LUKS2
regex="Slot [0-9]*: ENABLED"
regex+="\|"
regex+="[0-9]*: luks2"
slots_used=$(cryptsetup luksDump "$dev" | grep -c "$regex" || die "Unable to get number of slots used on $dev")
DEBUG "Number of slots used on $dev LUKS header: $slots_used" DEBUG "Number of slots used on $dev LUKS header: $slots_used"
# If slot1 is the only one used, warn and die with proper messages # If slot1 is the only one used, warn and die with proper messages
if [ $slots_used -eq 1 ]; then if [ "$slots_used" -eq 1 ]; then
# Check if slot 1 is the only one existing # Check if slot 1 is the only one existing
if cryptsetup luksDump $dev | grep -q "Slot 1: ENABLED"; then if [ "$(cryptsetup luksDump "$dev" | grep -c "Slot 1: ENABLED")" -eq 1 ] || [ "$(cryptsetup luksDump "$dev" | grep -c "1: luks2")" -eq 1 ]; then
warn "Slot 1 is the only one existing on $dev LUKS header. Heads cannot use it to store TPM sealed LUKS Disk Unlock Key" warn "Slot 1 is the only one existing on $dev LUKS header. Heads cannot use it to store TPM sealed LUKS Disk Unlock Key"
warn "Slot 1 should not be the only slot existing on $dev LUKS header. Slot 0 should be used to store Disk Recovery Key/passphrase" warn "Slot 1 should not be the only slot existing on $dev LUKS header. Slot 0 should be used to store LUKS Disk Recovery Key/passphrase"
die "You can safely fix this before continuing through Heads recovery shell: cryptsetup luksAddKey $dev" die "You can safely fix this before continuing through Heads recovery shell: cryptsetup luksAddKey $dev"
fi fi
else else
DEBUG "Slot 1 is not the only existing slot on $dev LUKS header." DEBUG "Slot 1 is not the only existing slot on $dev LUKS header."
DEBUG "$dev LUKS header's slot 1 will store LUKS Disk Unlock Key that TPM will seal/unseal with TPM Disk Unlock Key passphrase" DEBUG "$dev LUKS header's slot 1 will store LUKS Disk Unlock Key that TPM will seal/unseal with LUKS TPM Disk Unlock Key passphrase"
fi fi
done done
# Remove all the old keys from slot 1 # Remove all the old keys from slot 1
for dev in $(cat "$KEY_DEVICES" | cut -d\ -f1); do for dev in $(cat "$KEY_DEVICES" | cut -d\ -f1); do
echo "++++++ $dev: Removing old key slot 1" echo "++++++ $dev: Removing old LUKS TPM Disk Unlock Key in LUKS slot 1"
cryptsetup luksKillSlot \ cryptsetup luksKillSlot \
--key-file "$RECOVERY_KEY" \ --key-file "$RECOVERY_KEY" \
$dev 1 || $dev 1 ||
warn "$dev: removal of key in slot 1 failed: might not exist. Continuing" warn "$dev: removal of LUKS TPM Disk Unlock Key in LUKS slot 1 failed: might not exist. Continuing"
echo "++++++ $dev: Adding key to slot 1" echo "++++++ $dev: Adding LUKS TPM Disk Unlock Key to LUKS slot 1"
cryptsetup luksAddKey \ cryptsetup luksAddKey \
--key-file "$RECOVERY_KEY" \ --key-file "$RECOVERY_KEY" \
--key-slot 1 \ --key-slot 1 \
$dev "$KEY_FILE" || $dev "$KEY_FILE" ||
die "$dev: Unable to add key to slot 1" die "$dev: Unable to add LUKS TPM Disk Unlock Key to LUKS slot 1"
done done
# Now that we have setup the new keys, measure the PCRs # Now that we have setup the new keys, measure the PCRs
@ -121,23 +140,23 @@ tpmr pcrread -a 3 "$pcrf"
# Note that PCR 4 needs to be set with the "normal-boot" path value, read it from event log. # Note that PCR 4 needs to be set with the "normal-boot" path value, read it from event log.
tpmr calcfuturepcr 4 >>"$pcrf" tpmr calcfuturepcr 4 >>"$pcrf"
if [ "$CONFIG_USER_USB_KEYBOARD" = "y" -o -r /lib/modules/libata.ko -o -x /bin/hotp_verification ]; then if [ "$CONFIG_USER_USB_KEYBOARD" = "y" -o -r /lib/modules/libata.ko -o -x /bin/hotp_verification ]; then
DEBUG "Sealing TPM Disk Unlock key with PCR5 involvement (additional kernel modules are loaded per board config)..." DEBUG "Sealing LUKS TPM Disk Unlock Key with PCR5 involvement (additional kernel modules are loaded per board config)..."
# Here, we take pcr 5 into consideration if modules are expected to be measured+loaded # Here, we take pcr 5 into consideration if modules are expected to be measured+loaded
tpmr pcrread -a 5 "$pcrf" tpmr pcrread -a 5 "$pcrf"
else else
DEBUG "Sealing TPM Disk Unlock Key with PCR5=0 (NO additional kernel modules are loaded per board config)..." DEBUG "Sealing LUKS TPM Disk Unlock Key with PCR5=0 (NO additional kernel modules are loaded per board config)..."
#no kernel modules are expected to be measured+loaded #no kernel modules are expected to be measured+loaded
tpmr calcfuturepcr 5 >>"$pcrf" tpmr calcfuturepcr 5 >>"$pcrf"
fi fi
# Precompute the value for pcr 6 # Precompute the value for pcr 6
DEBUG "Precomputing TPM future value for PCR6 sealing/unsealing of TPM Disk Unlock Key..." DEBUG "Precomputing TPM future value for PCR6 sealing/unsealing of LUKS TPM Disk Unlock Key..."
tpmr calcfuturepcr 6 "/tmp/luksDump.txt" >>"$pcrf" tpmr calcfuturepcr 6 "/tmp/luksDump.txt" >>"$pcrf"
# We take into consideration user files in cbfs # We take into consideration user files in cbfs
tpmr pcrread -a 7 "$pcrf" tpmr pcrread -a 7 "$pcrf"
DO_WITH_DEBUG --mask-position 7 \ DO_WITH_DEBUG --mask-position 7 \
tpmr seal "$KEY_FILE" "$TPM_INDEX" 0,1,2,3,4,5,6,7 "$pcrf" \ tpmr seal "$KEY_FILE" "$TPM_INDEX" 0,1,2,3,4,5,6,7 "$pcrf" \
"$TPM_SIZE" "$key_password" || die "Unable to write TPM Disk Unlock Key to NVRAM" "$TPM_SIZE" "$key_password" || die "Unable to write LUKS TPM Disk Unlock Key to NVRAM"
# should be okay if this fails # should be okay if this fails
shred -n 10 -z -u "$pcrf" 2>/dev/null || shred -n 10 -z -u "$pcrf" 2>/dev/null ||

10
initrd/bin/kexec-unseal-key
View File

@ -26,21 +26,19 @@ DEBUG "Show PCRs"
DEBUG "$(pcrs)" DEBUG "$(pcrs)"
for tries in 1 2 3; do for tries in 1 2 3; do
read -s -p "Enter LUKS Disk Unlock Key passphrase (blank to abort): " tpm_password read -s -p "Enter LUKS TPM Disk Unlock Key passphrase (blank to abort): " tpm_password
echo echo
if [ -z "$tpm_password" ]; then if [ -z "$tpm_password" ]; then
die "Aborting unseal disk encryption key" die "Aborting unseal disk encryption key"
fi fi
DO_WITH_DEBUG --mask-position 6 \ if DO_WITH_DEBUG --mask-position 6 \
tpmr unseal "$TPM_INDEX" "0,1,2,3,4,5,6,7" "$TPM_SIZE" \ tpmr unseal "$TPM_INDEX" "0,1,2,3,4,5,6,7" "$TPM_SIZE" \
"$key_file" "$tpm_password" "$key_file" "$tpm_password"; then
if [ "$?" -eq 0 ]; then
exit 0 exit 0
fi fi
pcrs DEBUG $(pcrs)
warn "Unable to unseal disk encryption key" warn "Unable to unseal disk encryption key"
done done

12
initrd/bin/oem-factory-reset
View File

@ -626,7 +626,7 @@ generate_checksums() {
mount -o remount,rw /boot || whiptail_error_die "Unable to mount /boot" mount -o remount,rw /boot || whiptail_error_die "Unable to mount /boot"
fi fi
#Check if previous TPM Disk unlock Key was set #Check if previous LUKS TPM Disk Unlock Key was set
if [ -e /boot/kexec_key_devices.txt ]; then if [ -e /boot/kexec_key_devices.txt ]; then
TPM_DISK_ENCRYPTION_KEY_SET=1 TPM_DISK_ENCRYPTION_KEY_SET=1
fi fi
@ -657,7 +657,7 @@ generate_checksums() {
fi fi
fi fi
# set default boot option only if no TPM Disk Unlock Key previously set # set default boot option only if no LUKS TPM Disk Unlock Key previously set
if [ -z "$TPM_DISK_ENCRYPTION_KEY_SET" ]; then if [ -z "$TPM_DISK_ENCRYPTION_KEY_SET" ]; then
set_default_boot_option set_default_boot_option
fi fi
@ -903,7 +903,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
echo -e "\n" echo -e "\n"
fi fi
echo -e -n "Would you like to re-encrypt LUKS encrypted container and generate new Disk Recovery key?\n (Highly recommended if you didn't install the operating system yourself: this would prevent any LUKS backed up header to be restored to access encrypted data) [y/N]: " echo -e -n "Would you like to re-encrypt LUKS encrypted container and generate new LUKS Disk Recovery Key?\n (Highly recommended if you didn't install the operating system yourself: this would prevent any LUKS backed up header to be restored to access encrypted data) [y/N]: "
read -n 1 prompt_output read -n 1 prompt_output
echo echo
if [ "$prompt_output" == "y" \ if [ "$prompt_output" == "y" \
@ -1022,13 +1022,13 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
if [ -n "$luks_new_Disk_Recovery_Key_passphrase_desired" -a -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then if [ -n "$luks_new_Disk_Recovery_Key_passphrase_desired" -a -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then
# We catch here if changing LUKS Disk Recovery Key passphrase was desired # We catch here if changing LUKS Disk Recovery Key passphrase was desired
# but yet undone. This is if not being covered by the single password # but yet undone. This is if not being covered by the single password
echo -e "\nEnter desired replacement for current Disk Recovery Key passphrase (At least 8 characters long):" echo -e "\nEnter desired replacement for current LUKS Disk Recovery Key passphrase (At least 8 characters long):"
while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do
{ {
read -r luks_new_Disk_Recovery_Key_passphrase read -r luks_new_Disk_Recovery_Key_passphrase
} }
done done
#We test that current Disk Recovery Key passphrase is known prior of going further #We test that current LUKS Disk Recovery Key passphrase is known prior of going further
test_luks_current_disk_recovery_key_passphrase test_luks_current_disk_recovery_key_passphrase
echo -e "\n" echo -e "\n"
fi fi
@ -1147,7 +1147,7 @@ if [[ "$SKIP_BOOT" == "n" ]]; then
fi fi
if [ -n "$luks_new_Disk_Recovery_Key_desired" -a -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then if [ -n "$luks_new_Disk_Recovery_Key_desired" -a -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
#Reencryption of disk, disk recovery key and Disk Recovery Key passphrase change is requested #Reencryption of disk, LUKS Disk Recovery Key and LUKS Disk Recovery Key passphrase change is requested
luks_change_passphrase luks_change_passphrase
luks_reencrypt luks_reencrypt
elif [ -n "$luks_new_Disk_Recovery_Key_desired" -a -z "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then elif [ -n "$luks_new_Disk_Recovery_Key_desired" -a -z "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then

10
initrd/etc/functions
View File

@ -82,12 +82,12 @@ confirm_totp() {
reseal_tpm_disk_decryption_key() { reseal_tpm_disk_decryption_key() {
TRACE "Under /etc/functions:reseal_tpm_disk_decryption_key" TRACE "Under /etc/functions:reseal_tpm_disk_decryption_key"
#For robustness, exit early if TPM Disk Unlock Key is prohibited in board configs #For robustness, exit early if LUKS TPM Disk Unlock Key is prohibited in board configs
if [ "$CONFIG_TPM_DISK_UNLOCK_KEY" == "n" ]; then if [ "$CONFIG_TPM_DISK_UNLOCK_KEY" == "n" ]; then
DEBUG "TPM Disk Unlock Key is prohibited in board configs" DEBUG "LUKS TPM Disk Unlock Key is prohibited in board configs"
return return
else else
DEBUG "TPM Disk Unlock Key is allowed in board configs. Continuing" DEBUG "LUKS TPM Disk Unlock Key is allowed in board configs. Continuing"
fi fi
if ! grep -q /boot /proc/mounts; then if ! grep -q /boot /proc/mounts; then
@ -96,8 +96,8 @@ reseal_tpm_disk_decryption_key() {
fi fi
if [ -s /boot/kexec_key_devices.txt ] || [ -s /boot/kexec_key_lvm.txt ]; then if [ -s /boot/kexec_key_devices.txt ] || [ -s /boot/kexec_key_lvm.txt ]; then
warn "TPM sealed Disk Unlock Key secret needs to be resealed alongside TOTP/HOTP secret" warn "LUKS TPM sealed Disk Unlock Key secret needs to be resealed alongside TOTP/HOTP secret"
echo "Resealing TPM LUKS Disk Unlock Key to be unsealed by TPM Disk Unlock Key passphrase" echo "Resealing LUKS TPM Disk Unlock Key to be unsealed by LUKS TPM Disk Unlock Key passphrase"
while ! kexec-seal-key /boot; do while ! kexec-seal-key /boot; do
warn "Recovery Disk Encryption key passphrase/TPM Owner Password may be invalid. Please try again" warn "Recovery Disk Encryption key passphrase/TPM Owner Password may be invalid. Please try again"
done done

39
initrd/etc/luks-functions
View File

@ -299,15 +299,15 @@ test_luks_current_disk_recovery_key_passphrase()
while :; do while :; do
select_luks_container || return 1 select_luks_container || return 1
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
#if no external provisioning provides current Disk Recovery Key passphrase #if no external provisioning provides current LUKS Disk Recovery Key passphrase
echo -e "\nEnter the current Disk Recovery Key passphrase (Configured at OS installation or by OEM):" echo -e "\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):"
read -r luks_current_Disk_Recovery_Key_passphrase read -r luks_current_Disk_Recovery_Key_passphrase
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Testing opening "$LUKS" LUKS encrypted drive content with the current Disk Recovery Key passphrase..." warn "Testing opening "$LUKS" LUKS encrypted drive content with the current LUKS Disk Recovery Key passphrase..."
cryptsetup open $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase cryptsetup open $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
else else
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Testing opening "$LUKS" LUKS encrypted drive content with the current Disk Recovery Key passphrase..." warn "Testing opening "$LUKS" LUKS encrypted drive content with the current LUKS Disk Recovery Key passphrase..."
cryptsetup open $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase cryptsetup open $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
fi fi
#Validate past cryptsetup-reencrypt attempts #Validate past cryptsetup-reencrypt attempts
@ -315,7 +315,7 @@ test_luks_current_disk_recovery_key_passphrase()
whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \ whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \
"If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 30 60 "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 30 60
shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null
#unsetting luks_current_Disk_Recovery_Key_passphrase so we prompt for it again Disk Recovery Key passphrase prompt on next round #unsetting luks_current_Disk_Recovery_Key_passphrase so we prompt for it again LUKS Disk Recovery Key passphrase prompt on next round
unset luks_current_Disk_Recovery_Key_passphrase unset luks_current_Disk_Recovery_Key_passphrase
#remove "known good" selected LUKS container so that next pass asks again user to select LUKS container. #remove "known good" selected LUKS container so that next pass asks again user to select LUKS container.
#maybe the container was not the right one #maybe the container was not the right one
@ -339,22 +339,23 @@ luks_reencrypt() {
TRACE "Under /etc/luks-functions:luks_reencrypt()" TRACE "Under /etc/luks-functions:luks_reencrypt()"
while :; do while :; do
select_luks_container || return 1 select_luks_container || return 1
#If the user just set a new Disk Recovery Key passphrase #If the user just set a new LUKS Disk Recovery Key passphrase
if [ -n "$luks_new_Disk_Recovery_Key_passphrase" ]; then if [ -n "$luks_new_Disk_Recovery_Key_passphrase" ]; then
luks_current_Disk_Recovery_Key_passphrase="$luks_new_Disk_Recovery_Key_passphrase" luks_current_Disk_Recovery_Key_passphrase="$luks_new_Disk_Recovery_Key_passphrase"
fi fi
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
#if no external provisioning provides current Disk Recovery Key passphrase #if no external provisioning provides current LUKS Disk Recovery Key passphrase
msg=$(echo -e "This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue." | fold -w 70 -s)
whiptail --title 'Reencrypt LUKS encrypted container ?' \ whiptail --title 'Reencrypt LUKS encrypted container ?' \
--msgbox "This will replace the encrypted container content and its Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under\nthe following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/upgraded/modified by the user\n\nThis process requires you to type the current Disk Recovery Key passphrase\nand will delete the TPM Disk Unlock Key slot, if set up, by setting a default\n boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to\nthe LUKS device container.\n\nHit Enter to continue." 0 80 --msgbox "$msg" 0 80
echo -e "\nEnter the current Disk Recovery Key passphrase:" echo -e "\nEnter the current LUKS Disk Recovery Key passphrase:"
read -r luks_current_Disk_Recovery_Key_passphrase read -r luks_current_Disk_Recovery_Key_passphrase
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Reencrypting "$LUKS" LUKS encrypted drive content with a new Disk Recovery Key. Do NOT shut down or reboot!" warn "Reencrypting "$LUKS" LUKS encrypted drive content with a new LUKS Disk Recovery Key. Do NOT shut down or reboot!"
cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
else else
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Reencrypting "$LUKS" LUKS encrypted drive content with a new Disk Recovery Key. Do NOT shut down or reboot!" warn "Reencrypting "$LUKS" LUKS encrypted drive content with a new LUKS Disk Recovery Key. Do NOT shut down or reboot!"
cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
fi fi
#Validate past cryptsetup-reencrypt attempts #Validate past cryptsetup-reencrypt attempts
@ -362,7 +363,7 @@ luks_reencrypt() {
whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \ whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \
"If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 30 60 "If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 30 60
shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null
#unsetting luks_current_Disk_Recovery_Key_passphrase so we prompt for it again Disk Recovery Key passphrase prompt on next round #unsetting luks_current_Disk_Recovery_Key_passphrase so we prompt for it again LUKS Disk Recovery Key passphrase prompt on next round
unset luks_current_Disk_Recovery_Key_passphrase unset luks_current_Disk_Recovery_Key_passphrase
#remove "known good" selected LUKS container so that next pass asks again user to select LUKS container. #remove "known good" selected LUKS container so that next pass asks again user to select LUKS container.
#maybe the container was not the right one #maybe the container was not the right one
@ -384,32 +385,32 @@ luks_change_passphrase()
TRACE "Under /etc/luks-functions:luks_change_passphrase()" TRACE "Under /etc/luks-functions:luks_change_passphrase()"
while :; do while :; do
select_luks_container || return 1 select_luks_container || return 1
#if actual or new Disk Recovery Key is not provisioned by oem-provisioning file #if actual or new LUKS Disk Recovery Key is not provisioned by oem-provisioning file
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ] || [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ] || [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then
whiptail --title 'Changing LUKS Disk Recovery Key passphrase' --msgbox \ whiptail --title 'Changing LUKS Disk Recovery Key passphrase' --msgbox \
"Please enter the current Disk Recovery Key passphrase (slot 0).\nThen choose a strong passphrase of your own.\n\n**DICEWARE passphrase methodology is STRONGLY ADVISED.**\n\nHit Enter to continue" 30 60 "Please enter the current LUKS Disk Recovery Key passphrase (slot 0).\nThen choose a strong passphrase of your own.\n\n**DICEWARE passphrase methodology is STRONGLY ADVISED.**\n\nHit Enter to continue" 30 60
if [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then if [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then
echo -e "\nEnter your desired replacement for the actual Disk Recovery Key passphrase (At least 8 characters long):" echo -e "\nEnter your desired replacement for the actual LUKS Disk Recovery Key passphrase (At least 8 characters long):"
while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do
{ {
read -r luks_new_Disk_Recovery_Key_passphrase read -r luks_new_Disk_Recovery_Key_passphrase
};done };done
fi fi
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
echo -e "\nEnter the current Disk Recovery Key passphrase (Configured at OS installation or by OEM):" echo -e "\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):"
read -r luks_current_Disk_Recovery_Key_passphrase read -r luks_current_Disk_Recovery_Key_passphrase
fi fi
export luks_current_Disk_Recovery_Key_passphrase export luks_current_Disk_Recovery_Key_passphrase
export luks_new_Disk_Recovery_Key_passphrase export luks_new_Disk_Recovery_Key_passphrase
echo -n "$luks_new_Disk_Recovery_Key_passphrase" >/tmp/luks_new_Disk_Recovery_Key_passphrase echo -n "$luks_new_Disk_Recovery_Key_passphrase" >/tmp/luks_new_Disk_Recovery_Key_passphrase
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Changing "$LUKS" LUKS encrypted disk passphrase to the new Disk Recovery Key passphrase..." warn "Changing "$LUKS" LUKS encrypted disk passphrase to the new LUKS Disk Recovery Key passphrase..."
cryptsetup luksChangeKey "$LUKS" --key-slot 0 --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase cryptsetup luksChangeKey "$LUKS" --key-slot 0 --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase
else else
#If current and new Disk Recovery Key were exported #If current and new LUKS Disk Recovery Key were exported
echo -n "$luks_new_Disk_Recovery_Key_passphrase" >/tmp/luks_new_Disk_Recovery_Key_passphrase echo -n "$luks_new_Disk_Recovery_Key_passphrase" >/tmp/luks_new_Disk_Recovery_Key_passphrase
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Changing "$LUKS" LUKS encrypted disk passphrase to the new Disk Recovery Key passphrase..." warn "Changing "$LUKS" LUKS encrypted disk passphrase to the new LUKS Disk Recovery Key passphrase..."
cryptsetup luksChangeKey "$LUKS" --key-slot 0 --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase cryptsetup luksChangeKey "$LUKS" --key-slot 0 --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase
fi fi

2
modules/gpg2
View File

@ -5,7 +5,7 @@ gpg2_dir := gnupg-$(gpg2_version)
gpg2_tar := gnupg-$(gpg2_version).tar.bz2 gpg2_tar := gnupg-$(gpg2_version).tar.bz2
gpg2_url := https://www.gnupg.org/ftp/gcrypt/gnupg/$(gpg2_tar) gpg2_url := https://www.gnupg.org/ftp/gcrypt/gnupg/$(gpg2_tar)
gpg2_hash := 1d79158dd01d992431dd2e3facb89fdac97127f89784ea2cb610c600fb0c1483 gpg2_hash := 1d79158dd01d992431dd2e3facb89fdac97127f89784ea2cb610c600fb0c1483
gpg2_depends := libgpg-error libgcrypt libksba libassuan npth libusb-compat $(musl_dep) gpg2_depends := libgpg-error libgcrypt libksba libassuan npth libusb $(musl_dep)
# For reproducibility reasons we have to override the exec_prefix # For reproducibility reasons we have to override the exec_prefix
# and datarootdir on the configure line so that the Makefiles will # and datarootdir on the configure line so that the Makefiles will

1
modules/libusb-compat
View File

@ -3,7 +3,6 @@
# This is a bit of a hack to set it up. # This is a bit of a hack to set it up.
modules-$(CONFIG_GPG) += libusb-compat modules-$(CONFIG_GPG) += libusb-compat
modules-$(CONFIG_GPG2) += libusb-compat
libusb-compat_version := 0.1.5 libusb-compat_version := 0.1.5
libusb-compat_dir := libusb-compat-$(libusb-compat_version) libusb-compat_dir := libusb-compat-$(libusb-compat_version)

9
modules/popt
View File

@ -1,16 +1,17 @@
modules-$(CONFIG_POPT) += popt modules-$(CONFIG_POPT) += popt
popt_version := 1.16 popt_version := 1.19
popt_dir := popt-$(popt_version) popt_dir := popt-$(popt_version)
popt_tar := popt-$(popt_version).tar.gz popt_tar := popt-$(popt_version).tar.gz
popt_url := https://launchpad.net/popt/head/$(popt_version)/+download/$(popt_tar) popt_url := https://fossies.org/linux/misc/$(popt_tar)
popt_hash := e728ed296fe9f069a0e005003c3d6b2dde3d9cad453422a10d6558616d304cc8 popt_hash := c25a4838fc8e4c1c8aacb8bd620edb3084a3d63bf8987fdad3ca2758c63240f9
popt_configure := ./configure \ popt_configure := ./configure \
$(CROSS_TOOLS) \ $(CROSS_TOOLS) \
--prefix "/" \ --prefix "/" \
--host $(MUSL_ARCH)-elf-linux \ --host $(MUSL_ARCH)-elf-linux \
popt_target := \ popt_target := \
$(MAKE_JOBS) \ $(MAKE_JOBS) \
$(CROSS_TOOLS) \ $(CROSS_TOOLS) \
@ -20,6 +21,6 @@ popt_target := \
DESTDIR="$(INSTALL)" \ DESTDIR="$(INSTALL)" \
install install
popt_libraries := .libs/libpopt.so.0 popt_libraries := src/.libs/libpopt.so.0
popt_depends := $(musl_dep) popt_depends := $(musl_dep)

2
modules/zstd
View File

@ -1,5 +1,5 @@
# ZSTD is always included, unless explicitly turned off # ZSTD is always included, unless explicitly turned off
# Needed by initrd/bin/unpack_initramfs.sh under TPM Disk Unlock Key setup # Needed by initrd/bin/unpack_initramfs.sh under LUKS TPM Disk Unlock Key setup
CONFIG_ZSTD ?= y CONFIG_ZSTD ?= y
modules-$(CONFIG_ZSTD) += zstd modules-$(CONFIG_ZSTD) += zstd

12
patches/coreboot-nitrokey-clevo_release/0002-dasharo-hardcode-me.patch Normal file
View File

@ -0,0 +1,12 @@
diff -ur coreboot-nitrokey.org/src/vendorcode/dasharo/options.c coreboot-nitrokey/src/vendorcode/dasharo/options.c
--- coreboot-nitrokey.org/src/vendorcode/dasharo/options.c 2024-01-22 14:11:59.525612567 +0100
+++ coreboot-nitrokey/src/vendorcode/dasharo/options.c 2024-01-22 14:12:07.535544365 +0100
@@ -133,7 +133,7 @@
if (CONFIG(DRIVERS_EFI_VARIABLE_STORE))
read_u8_var("MeMode", &var);
- return var;
+ return ME_MODE_DISABLE_HAP;
}
bool is_smm_bwp_permitted(void)