This patch was reported by @bemoody in issue #699
Tested via `BOARD=x230-hotp-verification` on a Thinkpad x230
Signed-off-by: alex-nitrokey <alex@nitrokey.com>
Attempting to reset the TPM when once isn't present causes a kernel
panic, so let's not allow users to do that.
Test: verify 'No TPM Detected' shown on Librem Mini when Reset TPM
option selected from menu.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Update to nitrokey-hotp-verification master (c0956cf) and drop
existing patch which is no longer needed.
Test: clean build for Librem 13v2
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
-r will always succeed since the file will be generated regardless
of number of boot entries found. Use -s instead to check for zero
file size.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Since we sort the boot options prior to selecting the new default entry,
we need to use the index of the entry in the list prior to being sorted,
vs always setting it as 1. This fixes setting/booting of the default
OS target where the list entries are changed when calling sort.
Test: perform OEM factory reset with Fedora 32 installed, verify
default boot succeeds followng reset.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
The same grub parsing logic used in kexec-select-boot should
be used here as well, so copy it over.
Test: oem-factory-reset succeeds with Fedora 32 installed.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Commit 7ea13ee0 made some significant changes to Librem/Nitrokey
verification which broke both compilation and calls to hotp_initialize.
Fix them via a patch until it's fixed upstream.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
With current implementation, Librem Keys with VID 0x316d are
not identified properly; correct the if/else logic to resolve.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Add a linebreak before showing list of files with changed
checksums. Fix text truncation on checksum update prompt.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Adjust text on GUI dialogs to prevent filenames from being truncated
and to improve clarity/readability.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Currently, /media is mounted once per boot, which causes issues
if a user need to change USB sticks, or unknowning performs an
operation that mounts /media and then needs to access a different
USB stick later (eg, updating the firmware).
To mitigate this, always unmount /media if mounted before scanning
for USB devices, so the user can choose the correct device at the
time of its use.
Additionally, add a unique exit code for user abort so we're not
treating it the same as a failure, and use it to prevent unnecessary
GUI prompts when cancelling selection of a USB device.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
For the handful of operations which need to be done with /boot
as the pwd, encapsulate them in subshells to ensure the pwd
doesn't unexpectedly change for other operations, as functions
which need to mount/unmount /boot may fail if the pwd isn't root.
Also, set the pwd to root at the start of detect_boot_device as an
added safety measure.
Test: run oem-factory-reset function, ensure it doesn't fail to
detect boot device due to incorrect working directory.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Move code duplicated across several GUI scripts into a common
gui_functions file and include/use that.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
This reverts commit 972c25de7d.
This commit broke OEM factory reset functionality, so revert it
until the issue can be properly diagnosed.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Show RAM in GB, since the calculation in MB is imprecise as
it excludes RAM allocated for GPU (eg).
Fix display of firmware version strings which contain spaces by
adjusting cut and simply chopping off the date at the end, which
is a fixed 10-char length.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Since #758 is merged, users have a option to export GnuPG pubkey if
necessary. Thus, we they do not need to insert a USB drive during
factory reset. Until now the whole process failed just because a user
did not provide a USB drive instead.
This shall be fixed by this commit
If smartcard Nitrokey Storage was factory-reset, we delete AES keys on
it as well.
Explaination: After oem-factory-reset was started the AES on the Nitrokey Storage that is used for the encrypted volume and the password safe is is not usable anymore because the smart card was factory-reset. To make it usable, a user needs to delete it via Nitrokey App. By doing so, the HOTP secret is deleted as well, resulting in a bad warning in Heads. Therefore, we are resetting AES key right after factory-reset with hotp_verification
