Commit Graph

68 Commits

Author SHA1 Message Date
Thierry Laurion
cba8c4542c
oem-factory-reset: fix call to mount-usb --mode rw (fix #1497) 2023-09-07 16:27:43 -04:00
Markus Meissner
075d40950b
oem-factory-reset: introduce GPG_ALGO
* use GPG_ALGO as gpg key generation algorithm
* determine GPG_ALGO during runtime like this:
  * if CONFIG_GPG_ALGO is set, use as preference
  * adapt based on usb-token capabilities (currently only Nitrokey 3)
2023-09-05 12:28:52 +02:00
Thierry Laurion
f6eed42208
Add external/usb disk encryption (adds exfatprogs and e2fsprogs)
prepare_thumb_drive: default to creating 10% LUKS container on usb drive, prompts for passphrase is not provided and scan drives if no --device specified

NOTE: qemu usb_thumb drive of 128 mb are not big enough so that 10% of it (12mb) can be used to create thumb drive.

Adds:
- e2fsprogs to support ext4 filesystem creation through mke2fs
- add /etc/mke2fs.conf so that mke2fs knows how to handle ext2/ext3/ext4
- removes mke2fs support from busybox
- bump busybox to latest version which adds cpu accelerated hash functions (not needed per se here)
- Adds exfatprogs to have mkfs.exfat and fsck.exfat
- Adds prepare_thumb_drive /etc/luks-functions to be able to prepare a thumb drive with percentage of drive assigned to LUKS, rest to exfat
- Modify most board configs to test space requirements failing
- Talos2 linux config: add staging Exfat support
- Make e2fsprogs and exfatprogs included by default unless explicitely deactivate in board configs
- Change cryptsetup calls : luksOpen to open and luksClose to close to addresss review
- etc/luks_functions: cleanup

GOAL here is to have secure thumb drive creation which Heads will be able to use to backup/restore/use generated GPG key material in the future (next PR)
2023-08-28 16:23:48 -04:00
Jonathon Hall
4c8e445dcd
Merge remote-tracking branch 'github-heads/master' into pureboot-27-heads-upstream
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-05 14:32:16 -04:00
Marcin Cieślak
b849cc022e
With gpg 2.3+ user name can be empty 2023-06-27 11:40:02 -04:00
Thierry Laurion
c20c2bc580
oem-factory-reset needed changes to comply with gpg 2.4 toolstack changes 2023-06-27 11:39:59 -04:00
Jonathon Hall
8289d1bb29
oem-factory-reset: Offer to use all defaults on Librem boards only
Introduce CONFIG_OEMRESET_OFFER_DEFAULTS and enable it on Librem
boards.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-23 08:20:21 -04:00
Matt DeVillier
3191bfbdaf
oem-factory-reset: Add 'use defaults' prompt to simplify user options
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2023-06-21 13:26:42 -04:00
Thierry Laurion
65b81e6702
oem-factory-reset: remove duplicates and add proper error redirection to file
- Trace calls need to happen after sourcing /etc/functions not before
- Move sourcing of external files at beginning of file, remove /etc/functions sourcing duplicate
- gpg error redirection was sent to /dev/null where expected to be added to whiptail in case of error (2>&1 instead and redirection to file)
2023-03-30 13:12:24 -04:00
ThePlexus
277465b347
fix broken OEM re-ownership process
Problem
When using a custom password for TPM, the OEM re-ownership process is broken

Impact 
The OEM re-ownership process breaks for any user setting a custom password and not just using 12345678 

First appeared
6923fb5e20

Detail
on line 498, if blank, the TPM custom password is overwritten with TPM_PASS_DEF (eg, when no custom password is set by the user installing)

```
if [ "$TPM_PASS" == "" ]; then TPM_PASS=$TPM_PASS_DEF; fi
```
so far so good.  $TPM_PASS should be used for all TPM interaction from this point. $TMP_PASS_DEF is now a disposed of variable.

we see that happens when resetting the TPM on line 712 (generate_checksums) is that $TPM_PASS is used (correctly)

```## reset TPM and set password
if [ "$CONFIG_TPM" = "y" ]; then
  echo -e "\nResetting TPM...\n"
  tpmr reset "$TPM_PASS" >/dev/null 2>/tmp/error
---SNIP
```
The TPM now has either the custom password of the user, or the default of 12345678 depending on user selection.

On line 712, we duck into the generate_checksums sub, which for some reason reverts to TPM_PASS_DEF

```
    # create Heads TPM counter
    if [ "$CONFIG_TPM" = "y" ];then
	    if [ "$CONFIG_IGNORE_ROLLBACK" != "y" ]; then
		    tpmr counter_create \
			 -pwdo "$TPM_PASS_DEF" \
--SNIP
```

This then, rightly, fails due to 
```
Authentication failed (Incorrect Password) (ox1) from TPM_CreateCounter
```
2023-03-29 21:05:52 +01:00
Jonathon Hall
b21d8f7a94
oem-factory-reset: Use tpmr reset
tpm-reset is just a prompt for the password followed by tpmr reset.
oem-factory-reset already bypasses the prompt, just call tpmr reset
directly.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-10 15:46:01 -05:00
Jonathon Hall
b500505312
tpm2-tools: Change sense of CONFIG_TPM to mean any TPM, not just TPM1.
Most logic throughout Heads doesn't need to know TPM1 versus TPM2 (and
shouldn't, the differences should be localized).  Some checks were
incorrect and are fixed by this change.  Most checks are now unchanged
relative to master.

There are not that many places outside of tpmr that need to
differentiate TPM1 and TPM2.  Some of those are duplicate code that
should be consolidated (seal-hotpkey, unseal-totp, unseal-hotp), and
some more are probably good candidates for abstracting in tpmr so the
business logic doesn't have to know TPM1 vs. TPM2.

Previously, CONFIG_TPM could be variously 'y', 'n', or empty.  Now it
is always 'y' or 'n', and 'y' means "any TPM".  Board configs are
unchanged, setting CONFIG_TPM2_TOOLS=y implies CONFIG_TPM=y so this
doesn't have to be duplicated and can't be mistakenly mismatched.

There were a few checks for CONFIG_TPM = n that only coincidentally
worked for TPM2 because CONFIG_TPM was empty (not 'n').  This test is
now OK, but the checks were also cleaned up to '!= "y"' for robustness.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:46 -05:00
Jonathon Hall
d51993b6a9
tpm-reset: Reduce duplication with tpmr reset
Use common password prompt logic in tpm-reset rather than duplicating
in tpmr reset.

Use common logic in config-gui.sh to reset the TPM.

Use common logic in oem-factory-reset to reset TPM.  Fixes extra
prompts for TPM2 owner password even when choosing to use a common
password.  Fix sense of "NO TPM" check in TOTP generation (which only
happened to work because CONFIG_TPM is empty for TPM2).

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:46 -05:00
Thierry Laurion
8da5d5d723
Add dual support for real bash and busybox's bash(ash)
- modify bash to have it configured with -Os
2023-03-08 12:45:44 -05:00
Thierry Laurion
6923fb5e20
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards
-coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations)
-swtpm set to be launched under TPM v2.0 mode under board config
-Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized)
This is skeleton for TPM v2 integration under Heads

-------------
WiP

TODO:
- libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built
- Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing
- init tries to bind fd and fails currently
- Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output
- When no OS' /boot can be mounted, do not try to TPM reset (will fail)

- seal-hotpkey is not working properly
- setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM)
  - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase.
- primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup
- would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only
- tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help.
  - Implementing them would be better
- REVIEW TODOS IN CODE
- READD CIRCLECI CONFIG

Current state:
- TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid)
- TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without.
 - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails.

- Current tests are with fbwhiptail (no clear called so having traces on command line of what happens)
 - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
2023-03-08 12:45:43 -05:00
tlaurion
5c7148f18d
Merge pull request #1305 from echo-84/yubikey-oem-factory-reset 2023-02-21 12:06:35 -05:00
Thierry Laurion
8259d3ca1e
Add TRACE function tracing function to output on console when enabled
- Add TRACE function tracing output under etc/functions, depending on CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT enabled in board configs
- Replace current DEBUG to TRACE calls in code, reserving DEBUG calls for more verbose debugging later on (output of variables etc)
- add 'export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y' in qemu-coreboot(fb)whiptail-tpm1(-hotp) boards to see it in action
2023-02-20 11:44:52 -05:00
Thierry Laurion
5bc2bc88e4
All scripts and functions: Add DEBUG calling trace on console when CONFIG_DEBUG_OUTPUT is exported in board config
-qemu-coreboot-*whiptail-tpm1(-hotp) boards have 'export CONFIG_DEBUG_OUTPUT=y' by default now
2023-02-18 21:52:44 -05:00
builder
e900d2027a Check Signature PIN and toggle forcesig if not forced 2023-02-01 20:34:07 -06:00
3hhh
4ce8f664ad
initrd: work around a bug in busybox sha256sum
busybox sha256sum will create a checksum file for uncommon file names
(e.g. /boot/foo"$\n"bar), but fail to verify that exact file.
https://bugs.busybox.net/show_bug.cgi?id=14226

Thus disallow all files in /boot/ with strange file names at the time of
signing for now. Verifying in the presence of new files with such file
names in /boot/ is no issue for the kexec_tree verification due to the
previously implemented escaping mechanism.
2023-01-14 10:02:49 +01:00
3hhh
accd9f470d
initrd: track files in /boot in kexec_tree.txt
Fixes #1248
2023-01-14 10:02:27 +01:00
Thierry Laurion
aa9b75f64d
/boot: make sure operations requiring to be happening under /boot are under subshells 2023-01-11 13:59:26 -05:00
Thierry Laurion
81b4bb77de
whiptail: no more whiptail reseting console on call (--clear)
So we have console logs to troubleshoot errors and catch them correctly
2022-11-15 15:11:58 -05:00
Sergii Dmytruk
5ee3219322
Add cbfs wrapper script to handle PNOR
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-11-11 00:59:12 +02:00
Thierry Laurion
9bb6be8874
whiptail: fixate width to 80 characters and have height dynamic to all whiptail/fbwhiptail prompts 2022-11-09 11:51:27 -05:00
Matt DeVillier
297369fd8b
oem-factory-reset: Add missing newline to prompt
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2022-11-03 18:42:32 -04:00
Thierry Laurion
32e7031678
bin/oem-factory-reset: prevent users to choose a GPG Admin PIN > 25 chars which would fail HOTP sealing
Fixes https://github.com/osresearch/heads/issues/1167
Circumvents https://github.com/Nitrokey/nitrokey-pro-firmware/issues/32
Adds validation so user cannot enter GPG User PIN > 64 while we are at it.

Note that GPG PINs can be up to 64 characters.
But GPG Admin PIN will fail HOTP sealing with GPG Admin PIN of more then 25 chars.

Edit: change upstream error to firmware issue, not nitrokey-app.
2022-06-02 14:08:39 -04:00
Thierry Laurion
37bb4906ce
oem-factory-reset: fix bug where it was impossible to just change LUKS passphrase without reencrypting encrypted container.
Since /etc/luks-functions are currently exporting passphrases tested good per cryptsetup to be reused in the code,
the logic calling both luks_reencrypt and luks_change_passphrase testing for non-empty luks_current_Disk_Recovery_Key_passphrase
was bogus.

This commit includes a new variable luks_new_Disk_Recovery_Key_desired which is set when reencryption is desired.
The 3 use cases (reencrypt+passphrase change, reencrypt no passphrase change and passphrase change alone now only test
for luks_new_Disk_Recovery_Key_desired and luks_new_Disk_Recovery_Key_passphrase_desired, nothing else.
2022-05-03 16:41:07 -04:00
Thierry Laurion
70572fd100
oem-factory-reset: Only set default boot option if no TPM Disk Unlock Key
This continues to generate checksums and sign them per new GPG User PIN, but does not set a default boot option.
The user hitting Default Boot on reboot will go through having to setup a new boot default, which will ask him to setup a Disk Unlock Key if desired.

Otherwise, hitting Default Boot goes into asking the user for its Disk Recovery Key passphrase, and requires to manually setup a default boot option.
2022-04-13 14:29:54 -04:00
Matt DeVillier
f3d4924646
/bin/reencrypt-luks: rename to /etc/luks-functions
Move/rename as file is only sourced, not directly executed

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2022-04-06 17:17:07 -05:00
Thierry Laurion
9760181d09
Uniformize time display so it includes timezone
date=`date "+%Y-%m-%d %H:%M:%S %Z"`
2022-03-25 18:46:13 -04:00
Thierry Laurion
8f390f97c2
add integrity report in case some public key is already fused in firmware
- initrd/bin/oem-factory-reset: adds a measured integrity output prior of prompts. Goal is for stating TOTP/HOTP/boot detached signed measurements prior of initiating a Re-Ownership, validating provisioned OEM state.
2022-03-25 13:31:26 -04:00
Thierry Laurion
dacd99c629
add re-encrypting and passphrase change options to oem-factory-reset
- initrd/bin/oem-factory-reset: add 2 additional prompts defaulting to N, also explaining why its important.
2022-03-23 15:55:42 -04:00
Thierry Laurion
9016ebccc2 OEM Factory Reset -> OEM Factory Reset / Re-Ownership (with customs passwords and provisioned info given)
oem-factory-reset: adapt code so that custom passphrases can be provided by user without changing oem factory reset workflow.
    oem-factory-reset: output provisioned secrets on screen at the end of of the process.
    oem-factory-reset: warn user of what security components will be provisioned with defaults/customs PINs prior of choosing not after
    gui-init and oem-factory-reset: change OEM Factory Reset -> OEM Factory Reset / Re-Ownership to cover actual use cases
2022-03-11 14:24:54 -05:00
icequbes1
b35e1bcbb3 oem-factory-reset: fix whiptail height/width order 2021-11-24 17:00:25 -05:00
Thierry Laurion
2fc8813fc6 oem-factory-reset: fix output when fbwhiptail is not used
- Fixed inversed HEIGHT and WIDTH usage
- Fixed height to 30 and width to 90 as everywhere else

This was causing a blank screen when whiptail without framebuffer (fbwhiptail) was used.
Actually, it seems like the width and height under whiptail calls are only taken into consideration under NEWT, not FBWHIPTAIL.
2021-10-29 13:45:22 -04:00
Matt DeVillier
61124979ec
oem-factory-reset: fix custom comment entry
copy/paste error resulted in user-entered comment never
being set/checked/used, and email address being overwritten.
Fix variable usage so comment and email are set correctly.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-21 18:34:48 -05:00
Matt DeVillier
32716c8ce6 gui*: Improve consistency of background color use
Persist the background color (and error state) through
the main menu and all submenus. Use warning
background color for destructive operations, error color
for errors.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-15 14:42:15 -04:00
Thierry Laurion
64b1712e78
oem-factory-reset: set default KEY_LENGTH to 3072 and change expectation management message to console (Fixes #919) 2020-12-10 10:33:02 -05:00
alex-nitrokey
e31d6dcb8e Default to 4096 bit for OEM factory reset 2020-11-24 12:48:41 +01:00
Matt DeVillier
e7faac20db oem-factory-reset: Allow use without an installed OS
If an installed OS is not detected, then skip setting the
default boot device or generating /boot checksums.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-10-27 18:01:42 -04:00
Matt DeVillier
6a3bb5897a Drop duplicate board-specific background color configs
Set and export currently-used defaults in gui-init, but still
allow for inidividual boards to override via config if desired.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-10-27 16:19:46 -04:00
Tom Hiller
636e40456e
fix: update chesksums of filenames with spaces (#847)
Signed-off-by: Tom Hiller <thrilleratplay@gmail.com>
2020-10-18 14:46:57 -04:00
tlaurion
ae9fb74759
Merge pull request #763 from Nitrokey/storage-factoryreset
Delete AES keys of Nitrokey Storage after reset
2020-08-06 16:14:01 -04:00
alex-nitrokey
872a4b0488 Merge remote-tracking branch 'upstream/master' into storage-factoryreset 2020-08-05 11:49:18 +02:00
alex-nitrokey
a224c43026 Add PID for Storage 2020-08-05 11:49:06 +02:00
Alexander Paetzelt
c725f869e2
Merge branch 'master' into gpgexport-factoryreset 2020-08-05 10:49:04 +02:00
tlaurion
3c551cc249
Merge pull request #784 from MrChromebox/default_boot_fixes
Fix OEM factory reset and setting of default boot with F32
2020-07-30 15:42:08 -04:00
tlaurion
624faa1a9d
Merge pull request #778 from MrChromebox/usb_gui_tweaks
USB / GUI Tweaks
2020-07-30 13:54:25 -04:00
Matt DeVillier
97143953e8
Fix check for valid boot options
-r will always succeed since the file will be generated regardless
of number of boot entries found. Use -s instead to check for zero
file size.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-07-29 00:24:11 -05:00