ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2025-02-02 17:20:39 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

initrd/etc/ash_functions: add GPG Admin/User PIN output grabbing on confirm_gpg_card presence call, echo for now, warn to input GPG User PIN when asked to unlock GPG card

Browse Source 
Mitigate misunderstands and show GPG User/Admin PIN counts until proper output exists under hotp_verification info to reduce global confusion

Add TODO under initrd/bin/seal-hotpkey to not foget to fix output since now outputting counter of 8 for Admin PIN which makes no sense at all under hotp_verification 1.6 https://github.com/Nitrokey/nitrokey-hotp-verification/issues/38

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This commit is contained in:
Thierry Laurion 2024-12-03 12:48:32 -05:00
parent 3726e9083f
commit d57a120912
No known key found for this signature in database
GPG Key ID: 9A53E1BB3FF00461
2 changed files with 16 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
initrd/bin/seal-hotpkey
View File

@ -105,6 +105,7 @@ awk_get_admin_counter="$awk_admin_counter_regex"' { print gensub('"$awk_admin_co
admin_pin_retries="$(echo "$hotp_token_info" | awk "$awk_get_admin_counter")"
admin_pin_retries="${admin_pin_retries:-0}"
DEBUG "Admin PIN retry counter is $admin_pin_retries"
#TODO: as per hotp_verification 1.6: this is 8 for nk3 and wrong. FIX
# Try using factory default admin PIN for 1 month following OEM reset to ease
# initial setup. But don't do it forever to encourage changing the PIN and

17
initrd/etc/ash_functions
View File

@ -154,7 +154,7 @@ confirm_gpg_card() {
# ensure we don't exit without retrying
errexit=$(set -o | grep errexit | awk '{print $2}')
set +e
gpg --card-status >/dev/null
gpg_output=$(gpg --card-status 2>&1)
if [ $? -ne 0 ]; then
# prompt for reinsertion and try a second time
read -n1 -r -p \
@ -165,13 +165,26 @@ confirm_gpg_card() {
set -e
fi
# retry card status
gpg --card-status >/dev/null ||
gpg_output=$(gpg --card-status 2>&1) ||
die "gpg card read failed"
fi
# restore prev errexit state
if [ "$errexit" = "on" ]; then
set -e
fi
# Extract and display GPG PIN retry counters
# output excerpt: "PIN retry counter : 3 0 3"
pin_retry_counters=$(echo "$gpg_output" | grep 'PIN retry counter' | awk -F': ' '{print $2}')
user_pin_retries=$(echo "$pin_retry_counters" | awk '{print $1}')
admin_pin_retries=$(echo "$pin_retry_counters" | awk '{print $3}')
echo ""
echo "GPG User PIN retry attempts left before becoming locked: $user_pin_retries"
echo "GPG Admin PIN retry attempts left before becoming locked: $admin_pin_retries"
echo ""
warn "Your GPG User PIN, followed by Enter key will be required for input at: 'Please unlock the card' next prompt"
echo ""
}
gpg_auth() {