heads

mirror of https://github.com/linuxboot/heads.git synced 2025-02-10 12:51:09 +00:00

Author	SHA1	Message	Date
Thierry Laurion	07218df9cb	initrd/bin/kexec-select-boot: clarify that TPM2 primary handle HASH is created upon setting default boot (was not clear) Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:21:22 -05:00
Thierry Laurion	eb63d4d46a	oem-factory-reset: remove duplicate output 'Checking for USB Security dongle...' Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:21:16 -05:00
Thierry Laurion	97121ab86e	global: finalize switch from ash to bash shell, including recovery shell access Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:21:10 -05:00
Thierry Laurion	bcd364c280	TO REVERT BEFORE MERGE: enable quiet mode in all boards and revert for qemu so only prod_quiet boards have quiet upon revert repro user@localhost:~/heads$ sed -i 's\|export CONFIG_BOOTSCRIPT=/bin/gui-init\|#Enable quiet mode: technical information logged under /tmp/debug.log\nexport CONFIG_QUIET_MODE=y\nexport CONFIG_BOOTSCRIPT=/bin/gui-init\|' boards//.config user@localhost:~/heads$ git restore boards/qemu/*.config Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:21:04 -05:00
Thierry Laurion	494ba09270	novacustom-nv4x board config: revert quiet mode enablement Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:20:58 -05:00
Thierry Laurion	02d8ce8d0d	kexec-save-default kexec-select-boot: fix primary handle once more. Can't wait we get rid of this... file must exist and not be empty, and hash output to console must not be silenced Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:20:53 -05:00
Thierry Laurion	1e6079620a	TPM2 primary handle debugging once more. Can't wait we get rid of this... Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:20:47 -05:00
Thierry Laurion	71d4260045	novacustom_nv4x_adl/novacustom_nv4x_adl.config : add quiet mode for real hardware recording in PR, will comment and generalize in next commit to all maintained boards, leaving this to be overriden by branding downstream for downstream releases exercice and choice Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:20:41 -05:00
Thierry Laurion	f981ef971c	init: Quiet mode enablement output string modified; tell users having enabled it through Configuration Settings that earlier suppression requires enabling through board config Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:20:35 -05:00
Thierry Laurion	885af7d39f	kexec-select-boot+kexec-save-default: Quiet mode; remove last rollback counters printed to console Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:20:29 -05:00
Thierry Laurion	91299fd89b	seal-totp: contextualize qr code output for manual input of those without qr scanner app in mobile phone Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:20:23 -05:00
Thierry Laurion	ef4cdfa77e	init: some more comments in code per review Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:20:17 -05:00
Thierry Laurion	60ba06dab2	DEBUG: inform that output will be both in dmesg and on console from where that measure is enforced in code This is equivalent of passing debug on kernel command line from coreboot config, even is enabled through config options and saved back in CBFS. Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:20:11 -05:00
Thierry Laurion	b5c24f2447	init+cbfs-init: refactor and explain why quiet mode cannot suppress measurements of cbfs-init extracted+measured TPM stuff if not in board config Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:20:06 -05:00
Thierry Laurion	08f52af033	Deprecate ash in favor of bash shell; /etc/ash_functions: move /etc/ash_functions under /etc/functions, replace TRACE calls by TRACE_FUNC, remove xx30-flash.init Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:20:00 -05:00
Thierry Laurion	4354cd4c22	config-gui.sh: Add quiet mode toggle, which turns off debug+tracing if enabled, and where enabling debug+tracing disables Quiet mode Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:19:54 -05:00
Thierry Laurion	a54a4b8afa	hot-verification: bump to 1.7+ unrelease patchset https://github.com/Nitrokey/nitrokey-hotp-verification/pull/51 I give up trying to make Nitrokey do the right thing. They will propose PR to Heads next to fix their own fixes for their own caused regressions and security vulns. I just stopped caring for sanity reasons, i'm making quiet+eom/user-reownership fixes for feature freeze. If nitrokey pays, there is gonna be future collaboration, if they don't, they will do Heads related stuff themselves. Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:19:48 -05:00
Thierry Laurion	53156c3917	WiP: staging changes, refusing to fight against tools helping me, formatting changed. sign after tpm-reset now to work around primary handle issue. Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:19:42 -05:00
Thierry Laurion	0d3964274e	WiP: staging changes, warn loud and clear of weak security posture by using weak OEM defaults provisioned secrets Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:19:36 -05:00
Thierry Laurion	d768e80de6	WiP: staging changes, no more tpm output. Next warn /boot changed because htop counter and primary handle until removed outside of this PR Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:19:30 -05:00
Thierry Laurion	c7ab861325	Turn some info on default boot into LOGged info, LOG might go out forever if not pertinent to most? Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:19:25 -05:00
Thierry Laurion	eca4e34176	WiP: staging changes Attacking nv index next for TPM nvram read in prod_quiet testing Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:19:19 -05:00
Thierry Laurion	f68df1ccf0	Bump hotp-verification to version 1.7, remove patches: contains info fixes and reset fixes so that oem-factory-reset can reset secrets app PIN Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:19:13 -05:00
Thierry Laurion	94b77e8704	WiP: staging changes Insights: - We should use oem generated pubkey naming to distinguish between oem/user generated keys and try to use default PINs also for GPG User to sign with default PIN and warn even if it works/doesn't, urging users to do reownership - Point is that oem factory reset does in the direction of using randomized PINs, while continuing to use those for a user should be strongly discouraged Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:19:07 -05:00
Thierry Laurion	19fd98df2d	WiP: staging changes (TPM1 regression fixes for LOG/DEBUG on quiet mode) Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:19:01 -05:00
Thierry Laurion	abc97fe1be	WiP: staging changes including https://github.com/linuxboot/heads/pull/1850 https://github.com/Nitrokey/nitrokey-hotp-verification/pull/43 and https://github.com/Nitrokey/nitrokey-hotp-verification/pull/46 Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:18:55 -05:00
Thierry Laurion	4ba7cc5495	patches/hotp-verification-*/46.patch : readd https://github.com/Nitrokey/nitrokey-hotp-verification/pull/46 so that this PR can be tested and reviewed from OEM Factory Reset/User Re-Ownership perspective (PR 43 not in which fixes hotp_verification info, needed to reuse default PINs under seal-hotp if pubkey age <1 month and if Secret app PIN/GPG Admin PIN count >=3 ) Repro: mkdir patches/hotp-verification-e9050e0c914e7a8ffef5d1c82a014e0e2bf79346 wget https://patch-diff.githubusercontent.com/raw/Nitrokey/nitrokey-hotp-verification/pull/46.patch -O patches/hotp-verification-e9050e0c914e7a8ffef5d1c82a014e0e2bf79346/46.patch sudo rm -rf build/x86/hotp-verification-e9050e0c914e7a8ffef5d1c82a014e0e2bf79346/ ./docker_repro.sh make BOARD=qemu-coreboot-whiptail-tpm2-hotp USB_TOKEN=Nitrokey3NFC PUBKEY_ASC=pubkey.asc inject_gpg run Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:18:49 -05:00
Jonathon Hall	54baa37d4a	oem-factory-reset: Stop adding leading blank lines in 'passphrases' msg We're adding leading blank lines, which makes the prompt look odd and now have to be removed later. Just stop adding the leading blank lines. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm> Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:18:43 -05:00
Jonathon Hall	be49517a0d	functions: Simplify dictionary word selection The dice-rolls method was relatively complex and somewhat biased (~2.4% biased toward 1-4 on each roll due to modulo bias). Just pick a line from the dictionary at random. Using all 32 bits of entropy to pick a line once distributes the modulo bias so it is only 0.000003% biased toward the first 1263 words. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm> Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:18:38 -05:00
Jonathon Hall	98e20544ef	functions: Fix spelling of 'dictionaries' Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm> Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:18:32 -05:00
Thierry Laurion	27ab17377d	hotp-verification: removed patches/hotp-verification-e9050e0c914e7a8ffef5d1c82a014e0e2bf79346 directory: waiting for https://github.com/Nitrokey/nitrokey-hotp-verification/pull/43 and https://github.com/Nitrokey/nitrokey-hotp-verification/pull/46 to be merged to change modules/hotp-verification commit Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:18:26 -05:00
Thierry Laurion	ebf4d1d221	oem-factory-reset+seal-hotp nk3 hotp-verification info adaptations - oem-factory-reset: fix strings for nk3 is from https://github.com/Nitrokey/nitrokey-hotp-verification/pull/43 is Secrets app, not Secret App singular, not App capitalized - initrd/bin/seal-hotpkey: adapt to check nk3 Secrets App PIN counter if nk3, keep Card counters for <nk3 from https://github.com/Nitrokey/nitrokey-hotp-verification/pull/43 - Unattended hotp_initialize output removed since we need physical presence to seal HOTP until https://github.com/Nitrokey/nitrokey-hotp-verification/issues/41 is fixed - Finally make seal_hotp use logic to detect if public key <1m old, use HOTP related PIN by default if counter is not <3, warn that re-ownership needs to be ran to change it since no security offered at all otherwise with HOTP - unify format with linting tool Tested in local tree against https://patch-diff.githubusercontent.com/raw/Nitrokey/nitrokey-hotp-verification/pull/43.patch, removing https://patch-diff.githubusercontent.com/raw/Nitrokey/nitrokey-hotp-verification/pull/46.patch - will revert the change above in PR once testing is over Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:18:18 -05:00
Thierry Laurion	4fd710696e	hotp-verification patches: Use https://github.com/Nitrokey/nitrokey-hotp-verification/pull/43 instead of https://github.com/Nitrokey/nitrokey-hotp-verification/pull/46 for hotp-verification info parsing and validation of oem-factory-reset and seal-hotp Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:15:34 -05:00
Thierry Laurion	847b4ddbdf	WiP seal-hotp: customize message to be GPG Admin PIN or Secure App PIN TODO: check logic in this file because assumptions on PINs retry count are wrong and will depend on https://github.com/Nitrokey/nitrokey-hotp-verification/pull/43 not tested here Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:15:28 -05:00
Thierry Laurion	95473d6c89	kexec-sign-config: mount rw, write things to /boot, mount ro after Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:15:22 -05:00
Thierry Laurion	e25fb595b6	oem-factory-reset: reset nk3 secure app PIN early since we need physical presence, put nk3 secure APP PIN after TPM but before GPG PINS in output for consistency Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:15:17 -05:00
Thierry Laurion	c372370210	oem-factory-reset: set title_text accordingly to mode, either 'OEM Factory Reset Mode', 'Re-Ownership Mode' or 'OEM Factory Reset / Re-Ownership' TODO: further specialize warning prompt to tell what is going to happen (randomized PIN, signle custom randomized PIN etc) Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:15:11 -05:00
Thierry Laurion	789231fac3	oem-factory-reset: fix Secure App wording, prevent word globbing, warn that physical presence is needed Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:15:05 -05:00
Thierry Laurion	03e5ec0ddf	oem-factory-reset: if nk3, also display Secure App PIN = GPG Admin PIN as text and in Qr code Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:14:59 -05:00
Thierry Laurion	e01d346fe8	oem-factory-reset: don't set user re-ownership by default for now: use current defaults being DEF pins (12345678 and 123456 as master) Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:14:53 -05:00
Thierry Laurion	7f9f84b830	modules/hotp-verification: 1.6, removing patch pr43, only keeping 46 for this PR (43 conflicts when applied atop 46. 46 is needed here) Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:14:47 -05:00
Thierry Laurion	fd136cd957	oem-factory-reset: add reset secure app PIN = ADMIN_PIN at reownership, make sure defaults are set for all modes, including default which uses current defaults being DEF pins (12345678 and 123456 as master) Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:14:41 -05:00
Thierry Laurion	351a2e2130	modules/hotp-verification: revert to 1.6, add patches tested instead Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:14:35 -05:00
Thierry Laurion	814f4fabd9	WiP: add nk3 secret app reset function and call it following security dongle reset logic Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:14:30 -05:00
Thierry Laurion	223e5041bc	WiP: bump to hotp-verification version supporting reset of secret app Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:14:24 -05:00
Thierry Laurion	a6df16ec3c	WiP initrd/bin/oem-factory-reset: add qrcode+secet output loop until user press y (end of reownership wizard secret output) Signed-off-by: Thierry Laurion <insurgo@riseup.net> works: - oem and user mode passphrase generation - qrcode missing: - unattended - luks reencryption + passphrase change for OEM mode (only input to be provided) with SINGLE passphrase when in unattended mode - same for user reownership when previously OEM reset unattended Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:14:18 -05:00
Thierry Laurion	40df08ecbc	/etc/functions:: reuse detect_boot_device instead of trying only to mount /etc/fstab existing /boot partition (otherwise early 'o' to enter oem mode of oem-factory-reset Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:14:12 -05:00
Thierry Laurion	108e6ed0b1	WiP initrd/bin/oem-factory-reset: add --mode (oem/user) skeleton Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:14:06 -05:00
Thierry Laurion	f8fdfc7b8d	WiP initrd/bin/oem-factory-reset: format unification Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:14:00 -05:00
Thierry Laurion	1da5119584	initrd/etc/functions: add generate_passphrase logic Nothing uses it for the moment, needs to be called from recovery shell: bash, source /etc/functions. generate_passphrase - parses dictionary to check how many dice rolls needed on first entry, defaults to EFF short list v2 (bigger words easier to remember, 4 dices roll instead of 5) - defaults to using initrd/etc/diceware_dictionnaries/eff_short_wordlist_2_0.txt, parametrable - make sure format of dictionary is 'digit word' and fail early otherwise: we expect EFF diceware format dictionaries - enforces max length of 256 chars, parametrable, reduces number of words to fit if not override - enforces default 3 words passphrase, parametrable - enforces captialization of first letter, lowercase parametrable - read multiple bytes from /dev/urandom to fit number of dice rolls Unrelated: uniformize format of file Signed-off-by: Thierry Laurion <insurgo@riseup.net>	2024-12-21 13:13:54 -05:00

1 2 3 4 5 ...

2862 Commits