mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-24 07:06:42 +00:00
Add a "Factory reset" GPG option
This mimics tlauion's OEM work in the sense that a user (or OEM) could choose this option and it will reset an OpenPGP smart card and automatically generate a random key on it. The idea is to allow an OEM to set up a Librem Key and Heads on a machine before shipping with a random key, so the user can test for tampering when they receive the machine, and then the user can choose to reset all of the keys with their chosen keys after that fact.
This commit is contained in:
parent
c028f7752e
commit
efd6b066a2
@ -109,6 +109,58 @@ gpg_flash_rom() {
|
||||
--msgbox "BIOS flashed successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 16 60
|
||||
/bin/reboot
|
||||
}
|
||||
gpg_post_gen_mgmt() {
|
||||
GPG_GEN_KEY=`grep -A1 pub /tmp/gpg_card_edit_output | tail -n1 | sed -nr 's/^([ ])*//p'`
|
||||
gpg --export --armor $GPG_GEN_KEY > "/tmp/${GPG_GEN_KEY}.asc"
|
||||
if (whiptail --title 'Add Public Key to USB disk?' \
|
||||
--yesno "Would you like to copy the GPG public key you generated to a USB disk?\n\nOtherwise you will not be able to copy it outside of Heads later\n\nThe file will show up as ${GPG_GEN_KEY}.asc" 16 90) then
|
||||
mount_usb
|
||||
mount -o remount,rw /media
|
||||
cp "/tmp/${GPG_GEN_KEY}.asc" "/media/${GPG_GEN_KEY}.asc"
|
||||
if [ $? -eq 0 ]; then
|
||||
whiptail --title "The GPG Key Copied Successfully" \
|
||||
--msgbox "${GPG_GEN_KEY}.asc copied successfully." 16 60
|
||||
else
|
||||
whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Copy Failed' \
|
||||
--msgbox "Unable to copy ${GPG_GEN_KEY}.asc to /media" 16 60
|
||||
fi
|
||||
umount /media
|
||||
fi
|
||||
if (whiptail --title 'Add Public Key to Running BIOS?' \
|
||||
--yesno "Would you like to add the GPG public key you generated to the BIOS?\n\nThis makes it a trusted key used to sign files in /boot\n\n" 16 90) then
|
||||
/bin/flash.sh -r /tmp/gpg-gui.rom
|
||||
if [ ! -s /tmp/gpg-gui.rom ]; then
|
||||
whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: BIOS Read Failed!' \
|
||||
--msgbox "Unable to read BIOS" 16 60
|
||||
exit 1
|
||||
fi
|
||||
PUBKEY="/tmp/${GPG_GEN_KEY}.asc"
|
||||
gpg_flash_rom
|
||||
fi
|
||||
}
|
||||
gpg_sc_oem_reset() {
|
||||
GPG_KEY_NAME=`date +%Y%m%d%H%M%S`
|
||||
# Factory reset GPG card
|
||||
{
|
||||
echo admin
|
||||
echo factory-reset
|
||||
echo y
|
||||
echo yes
|
||||
} | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit > /tmp/gpg_card_edit_output || return 1
|
||||
# Generate OEM GPG keys
|
||||
{
|
||||
echo admin
|
||||
echo generate
|
||||
echo n
|
||||
echo 12345678
|
||||
echo 123456
|
||||
echo 0
|
||||
echo y
|
||||
echo "OEM Key"
|
||||
echo "oem-${GPG_KEY_NAME}@example.com"
|
||||
echo "OEM-generated key"
|
||||
} | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit > /tmp/gpg_card_edit_output || return 2
|
||||
}
|
||||
|
||||
while true; do
|
||||
unset menu_choice
|
||||
@ -117,7 +169,8 @@ while true; do
|
||||
'r' ' Add GPG key to running BIOS + reflash' \
|
||||
'a' ' Add GPG key to standalone BIOS image + flash' \
|
||||
'l' ' List GPG keys in your keyring' \
|
||||
'g' ' Generate GPG keys on a USB security token' \
|
||||
'g' ' Generate GPG keys manually on a USB security token' \
|
||||
'o' ' OEM Factory reset + auto keygen USB security token' \
|
||||
'x' ' Exit' \
|
||||
2>/tmp/whiptail || recovery "GUI menu failed"
|
||||
|
||||
@ -202,32 +255,24 @@ while true; do
|
||||
echo "********************************************************************************"
|
||||
gpg --card-edit > /tmp/gpg_card_edit_output
|
||||
if [ $? -eq 0 ]; then
|
||||
GPG_GEN_KEY=`grep -A1 pub /tmp/gpg_card_edit_output | tail -n1 | sed -nr 's/^([ ])*//p'`
|
||||
gpg --export --armor $GPG_GEN_KEY > "/tmp/${GPG_GEN_KEY}.asc"
|
||||
if (whiptail --title 'Add Public Key to USB disk?' \
|
||||
--yesno "Would you like to copy the GPG public key you generated to a USB disk?\n\nOtherwise you will not be able to copy it outside of Heads later\n\nThe file will show up as ${GPG_GEN_KEY}.asc" 16 90) then
|
||||
mount_usb
|
||||
mount -o remount,rw /media
|
||||
cp "/tmp/${GPG_GEN_KEY}.asc" "/media/${GPG_GEN_KEY}.asc"
|
||||
gpg_post_gen_mgmt
|
||||
fi
|
||||
;;
|
||||
"o" )
|
||||
if (whiptail $CONFIG_WARNING_BG_COLOR --title 'WARNING: Factory Reset USB Security Token?' \
|
||||
--yesno "This will perform a FACTORY RESET of the USB security token!\n\nThis will:\n* Reset all security token passwords to default\n* Erase any keys on the security token\n* Generate new automated GPG keys on the token\n\nAny data now on the USB security token will be LOST!\n\nDo you want to proceed?" 16 120) then
|
||||
confirm_gpg_card
|
||||
gpg_sc_oem_reset
|
||||
if [ $? -eq 0 ]; then
|
||||
whiptail --title "The GPG Key Copied Successfully" \
|
||||
--msgbox "${GPG_GEN_KEY}.asc copied successfully." 16 60
|
||||
else
|
||||
whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Copy Failed' \
|
||||
--msgbox "Unable to copy ${GPG_GEN_KEY}.asc to /media" 16 60
|
||||
fi
|
||||
umount /media
|
||||
fi
|
||||
if (whiptail --title 'Add Public Key to Running BIOS?' \
|
||||
--yesno "Would you like to add the GPG public key you generated to the BIOS?\n\nThis makes it a trusted key used to sign files in /boot\n\n" 16 90) then
|
||||
/bin/flash.sh -r /tmp/gpg-gui.rom
|
||||
if [ ! -s /tmp/gpg-gui.rom ]; then
|
||||
whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: BIOS Read Failed!' \
|
||||
--msgbox "Unable to read BIOS" 16 60
|
||||
exit 1
|
||||
fi
|
||||
PUBKEY="/tmp/${GPG_GEN_KEY}.asc"
|
||||
gpg_flash_rom
|
||||
gpg_post_gen_mgmt
|
||||
elif [ $? -eq 1 ]; then
|
||||
GPG_OUTPUT=`cat /tmp/gpg_card_edit_output`
|
||||
whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Factory Reset Failed!' \
|
||||
--msgbox "Factory Reset Failed!\n\n$GPG_OUTPUT" 16 120
|
||||
elif [ $? -eq 2 ]; then
|
||||
GPG_OUTPUT=`cat /tmp/gpg_card_edit_output`
|
||||
whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Automatic Keygen Failed!' \
|
||||
--msgbox "Automatic Keygen Failed!\n\n$GPG_OUTPUT" 16 120
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
|
Loading…
Reference in New Issue
Block a user