Store HOTP counter directly in /boot instead of TPM

The HOTP counter isn't a secret but is just used to prevent replay attacks (the time-based counter in TOTP isn't a secret either) so it doesn't need to be protected in the TPM and storing it as a TPM monotonic counter was causing conflicts with the Heads configuration counter as TPM 1.2 can only increment one counter per reboot. This change moves the HOTP counter into the file in /boot that was previously keeping track of the TPM counter id.
2025-01-18 02:39:59 +00:00 · 2018-06-20 09:20:39 -07:00 · 2018-06-20 09:20:39 -07:00 · fe34aba719
commit fe34aba719
parent 7dde5c2aca
3 changed files with 42 additions and 24 deletions
--- a/initrd/bin/gui-init
+++ b/initrd/bin/gui-init
@ -234,7 +234,7 @@ while true; do
      # now that the TPM is reset, remove invalid TPM counter files
      mount_boot
      mount -o rw,remount /boot
-      rm -f /boot/kexec_rollback.txt /boot/kexec_hotp_counter
+      rm -f /boot/kexec_rollback.txt

      # create Heads TPM counter before any others
      check_tpm_counter /boot/kexec_rollback.txt \
--- a/initrd/bin/seal-libremkey
+++ b/initrd/bin/seal-libremkey
@ -32,20 +32,23 @@ rm -f "$HOTP_SEALED"
 secret="`cat $HOTP_SECRET`"
 rm -f "$HOTP_SECRET"

+# Store counter in file instead of TPM for now, as it conflicts with Heads
+# config TPM counter as TPM 1.2 can only increment one counter between reboots
 # get current value of HOTP counter in TPM, create if absent
 mount_boot

-check_tpm_counter $HOTP_COUNTER hotp \
-|| die "Unable to find/create TPM counter"
-counter="$TPM_COUNTER"
+#check_tpm_counter $HOTP_COUNTER hotp \
+#|| die "Unable to find/create TPM counter"
+#counter="$TPM_COUNTER"
+#
+#counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")')
+#if [ "$counter_value" == "" ]; then
+#  die "Unable to read HOTP counter"
+#fi

-counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")')
+#counter_value=$(printf "%d" 0x${counter_value})

-if [ "$counter_value" == "" ]; then
-  die "Unable to read HOTP TPM counter"
-fi
-
-counter_value=$(printf "%d" 0x${counter_value})
+counter_value=1

 enable_usb
 if ! libremkey_hotp_verification info ; then
@ -68,14 +71,19 @@ fi
 secret=""

 # Make sure our counter is incremented ahead of the next check
-increment_tpm_counter $counter > /dev/null \
-|| die "Unable to increment tpm counter"
-increment_tpm_counter $counter > /dev/null \
-|| die "Unable to increment tpm counter"
+#increment_tpm_counter $counter > /dev/null \
+#|| die "Unable to increment tpm counter"
+#increment_tpm_counter $counter > /dev/null \
+#|| die "Unable to increment tpm counter"

 mount -o remount,rw /boot
-sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
+
+counter_value=`expr $counter_value + 1`
+echo $counter_value > $HOTP_COUNTER \
 || die "Unable to create hotp counter file"
+
+#sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
+#|| die "Unable to create hotp counter file"
 mount -o remount,ro /boot

 echo "Librem Key initialized successfully. Press Enter to continue."
--- a/initrd/bin/unseal-hotp
+++ b/initrd/bin/unseal-hotp
@ -30,20 +30,25 @@ tpm unsealfile  \

 rm -f "$HOTP_SEALED"

+# Store counter in file instead of TPM for now, as it conflicts with Heads
+# config TPM counter as TPM 1.2 can only increment one counter between reboots
 # get current value of HOTP counter in TPM, create if absent
 mount_boot

-check_tpm_counter $HOTP_COUNTER hotp \
-|| die "Unable to find/create TPM counter"
-counter="$TPM_COUNTER"
+#check_tpm_counter $HOTP_COUNTER hotp \
+#|| die "Unable to find/create TPM counter"
+#counter="$TPM_COUNTER"
+#
+#counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")')
+#

-counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")')
+counter_value=$(cat $HOTP_COUNTER)

 if [ "$counter_value" == "" ]; then
-  die "Unable to read HOTP TPM counter"
+  die "Unable to read HOTP counter"
 fi

-counter_value=$(printf "%d" 0x${counter_value})
+#counter_value=$(printf "%d" 0x${counter_value})

 if ! hotp $counter_value < "$HOTP_SECRET"; then
 	rm -f "$HOTP_SECRET"
@ -52,12 +57,17 @@ fi

 rm -f "$HOTP_SECRET"

-increment_tpm_counter $counter > /dev/null \
-|| die "Unable to increment tpm counter"
+#increment_tpm_counter $counter > /dev/null \
+#|| die "Unable to increment tpm counter"

 mount -o remount,rw /boot
-sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
+
+counter_value=`expr $counter_value + 1`
+echo $counter_value > $HOTP_COUNTER \
 || die "Unable to create hotp counter file"
+
+#sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
+#|| die "Unable to create hotp counter file"
 mount -o remount,ro /boot

 exit 0