Commit Graph

1545 Commits

Author SHA1 Message Date
Thierry Laurion
0bfd696fbf
xx20 and xx30: split kernel configs to legacy and maximized and board configs point to them 2022-06-10 09:52:07 -04:00
tlaurion
5a6af8f13d
Merge pull request #1168 from tlaurion/oem-factory-reset_circumvent-hotp-sealing-bug_with-gpg-admin-pin-gt-25-chars
bin/oem-factory-reset: prevent users to choose a GPG Admin PIN > 25 chars which would fail HOTP sealing
2022-06-02 17:22:48 -04:00
Thierry Laurion
32e7031678
bin/oem-factory-reset: prevent users to choose a GPG Admin PIN > 25 chars which would fail HOTP sealing
Fixes https://github.com/osresearch/heads/issues/1167
Circumvents https://github.com/Nitrokey/nitrokey-pro-firmware/issues/32
Adds validation so user cannot enter GPG User PIN > 64 while we are at it.

Note that GPG PINs can be up to 64 characters.
But GPG Admin PIN will fail HOTP sealing with GPG Admin PIN of more then 25 chars.

Edit: change upstream error to firmware issue, not nitrokey-app.
2022-06-02 14:08:39 -04:00
tlaurion
d285401369
Merge pull request #1163 from tlaurion/remove_fedora_public_key
Remove fedora public key. They don't detach sign ISOs since before 2020.
2022-05-17 18:57:48 -04:00
Thierry Laurion
4b9757ceef
Remove fedora public key. They don't detach sign ISOs since before 2020. 2022-05-17 15:54:21 -04:00
tlaurion
79486b5dc8
Merge pull request #1162 from tlaurion/oem-factory-reset_passwd_change-without_reencryption-fix
bugfix: oem-factory-reset - permit LUKS passphrase change without reencryption
2022-05-03 21:07:26 -04:00
Thierry Laurion
dd0e4b0a8d
luks-functions: typo correction and consistent warnings across functions. 2022-05-03 16:45:20 -04:00
Thierry Laurion
37bb4906ce
oem-factory-reset: fix bug where it was impossible to just change LUKS passphrase without reencrypting encrypted container.
Since /etc/luks-functions are currently exporting passphrases tested good per cryptsetup to be reused in the code,
the logic calling both luks_reencrypt and luks_change_passphrase testing for non-empty luks_current_Disk_Recovery_Key_passphrase
was bogus.

This commit includes a new variable luks_new_Disk_Recovery_Key_desired which is set when reencryption is desired.
The 3 use cases (reencrypt+passphrase change, reencrypt no passphrase change and passphrase change alone now only test
for luks_new_Disk_Recovery_Key_desired and luks_new_Disk_Recovery_Key_passphrase_desired, nothing else.
2022-05-03 16:41:07 -04:00
tlaurion
46d64e9f16
Merge pull request #1160 from tlaurion/gen_mac_address_for_maximized_boards
Add Heads mac address randomization for maximized boards
2022-05-02 13:08:59 -04:00
Thierry Laurion
e60287fa1d
bin/network-init-recovery: generate random MAC and set it to eth0
network-init-reovery can be used to automatically set RTC clock to obtained NTP clock.
The script would fail if other devices devices previously registered on the network with the same MAC.
Consequently, maximized boards are detected here, and a full random MAC is generated and used instead of using hardcoded DE:AD:C0:FF:EE.
2022-04-29 10:26:12 -04:00
Thierry Laurion
37a343a49c
etc/functions: Add a function to generate random MAC address 2022-04-29 10:24:02 -04:00
tlaurion
fb5cfd5cc2
Merge pull request #1155 from tlaurion/oem_factory_reset-only_if_no_tpm_disk_unlock_key
oem-factory-reset: Only set default boot option if no TPM Disk Unlock Key
2022-04-15 10:24:41 -04:00
Thierry Laurion
70572fd100
oem-factory-reset: Only set default boot option if no TPM Disk Unlock Key
This continues to generate checksums and sign them per new GPG User PIN, but does not set a default boot option.
The user hitting Default Boot on reboot will go through having to setup a new boot default, which will ask him to setup a Disk Unlock Key if desired.

Otherwise, hitting Default Boot goes into asking the user for its Disk Recovery Key passphrase, and requires to manually setup a default boot option.
2022-04-13 14:29:54 -04:00
tlaurion
3201cd4d95
Merge pull request #1153 from tlaurion/fix_kexec-select-boot
Bugfix: fix accidental removal of --menu statement in kexec-select-boot
2022-04-13 11:58:14 -04:00
Thierry Laurion
4e5f781be3
fix removal of --menu from commit ba054b15c3 2022-04-13 11:15:52 -04:00
tlaurion
1dd03d0361
Merge pull request #1151 from MrChromebox/kexec_improvements
Kexec QOL Improvements
2022-04-07 15:41:44 -04:00
Matt DeVillier
ba054b15c3
kexec-select-boot: use 'fold' to wrap kernel args at 80 char
Prevents truncation via fbwhiptail window

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2022-04-07 14:32:29 -05:00
Matt DeVillier
025f914eb3
kexec-select-boot: Skip duplicate prompt when setting new default boot entry
The text based prompt isn't needed when using a GUI menu for selection/confirmation, so skip it

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2022-04-07 13:21:29 -05:00
Matt DeVillier
19067a9a72
kexec-select-boot: Simplify boot selection confirmation, reverse order
Simplify the menu options by removing the duplication of the entry name
in the menu selections; instead, use clear verbiage to distinish
between booting one time and making the default. And as the majority of
the boot menu is shown is when the grub entires have changed and the
user is prompted to select a new default, so make that the first/default
menu option.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2022-04-07 13:21:27 -05:00
Matt DeVillier
7769d13996
kexec-select-boot: Simplify boot menu entries
Drop the duplicated kernel info which hurts readability, runs off the
end of the menu window. This also makes it easier to identify which
menu option is the default, and more closely resembles the grub menu
shown in a traditional BIOS boot.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2022-04-07 12:25:37 -05:00
tlaurion
b07833e1b7
Merge pull request #1150 from MrChromebox/luks_cleanup
Luks-reencrypt Cleanup
2022-04-07 09:51:24 -04:00
Matt DeVillier
0f3f86d21e
etc/luks-functions: exit function when select_luks_container() returns non-zero
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2022-04-06 17:17:25 -05:00
Matt DeVillier
5b5880b4e8
select_luks_container(): return non-zero when no device found/selected
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2022-04-06 17:17:24 -05:00
Matt DeVillier
98c251678c
luks_reencrypt(): remove extraneous call to select_luks_container()
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2022-04-06 17:17:24 -05:00
Matt DeVillier
f3d4924646
/bin/reencrypt-luks: rename to /etc/luks-functions
Move/rename as file is only sourced, not directly executed

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2022-04-06 17:17:07 -05:00
tlaurion
4bf4dcbb40
Merge pull request #1145 from tlaurion/seperate_usb-hid_from_usb_requirements_for_usb-keyboard_support
Make loading of usb-hid kernel module dependent only for USB keyboard support
2022-04-06 11:19:00 -04:00
Thierry Laurion
7327f3524e
CircleCI : add x230-maximized_usb-kb board
Testing points:
- x230-hotp-maximized: USB keyboard is not working (confirmed)
- x230-hotp-maximized_usb-kb: USB keyboard is working (confirmed)
2022-04-05 14:36:53 -04:00
Thierry Laurion
6012e7724c
add new board x230-maximized_usb-kb
- this boards is a duplicate of x230-hotp-maximized with USB Keyboard support

Testing points:
- x230-hotp-maximized does not accept input from USB keyboard
- x230-hotp-maximized_usb-kb accepts input from USB keyboard
2022-04-05 14:09:44 -04:00
Thierry Laurion
7b15726e1d
functions: add loading of usb-hid via enable_usb
Testing points:
- All boards explicitely declaring CONFIG_USB_KEYBOARD=y gets USB Keyboard back under Heads
- All other boards are not impacted.
2022-04-05 13:53:09 -04:00
Thierry Laurion
97b124ab8e
adding the usb-hid kernel module inclusion under linux module when CONFIG_USB_KEYBOARD is defined
Testing points:
- None here. Board who exported "CONFIG_USB_KEYBOARD=y" have it packed under their initrd, but there is no logic loading the module yet.
2022-04-05 13:46:48 -04:00
Thierry Laurion
b90f4f53a1
all linux configs: changing usb-hid support from Y to M
Testing point:
- All board configs not explicitely stating export CONFIG_USB_KEYBOARD=y should not have any impact
- librem_l1um, kgpe-d16_workstation-usb_keyboard, librem_mini_v2 and librem_mini will loose USB Keyboard input with this commit alone.
2022-04-05 13:39:29 -04:00
tlaurion
493eb3ebb7
Merge pull request #1125 from tlaurion/CircleCI_add_packages_to_all_cache_layers
CircleCI cache: have all cache layers caching packages directory.
2022-04-02 15:16:18 -04:00
Thierry Laurion
f6d049b3c0
CircleCI cache: have all cache layers caching packages directory
Heads buildstystem:

    Makefile logic will download modules packages under ./packages, check itheir integrity, then extract it and patch extraction directory ONLY if no corresponding .*_verify files are found under ./packages directory. They are extracted under build/modulename-ver/ where patches are applied prior of building them.
    build/module* .configured is written when packages are configured under build/modulename-ver/.configured
    build/modules* .build is written when packages are built under build/modulename-ver/.build

CircleCI caching subsystem notes:

    A cache name tag is calculated in the prep_env stage early at each beginning of a workflow, and consists of a cache name, appended by a calculated digest signature (which is the final hash of hashed files (the hash of a digest).
        Look for the following under .circleci/config.yml:
            "Creating .... digest statements" : they are basically files passed under sha256sum to create a digest.
            restore_cache keys: they are basically a string concatenating: name + checksum of digest + CACHE_VERSION. Only the first cache is extracted following declared order.
            save_cache keys: same as above, only saving non-existing caches. That is, skipping existing ones and creating missing ones.
    A cache is extracted at the beginning of a workflow if an archive matches an archive name, which consists of a name tag + digest hash + CACHE_VERSION
    A cache is created only at the end of a workflow ("Saving cache...").
        Caches are specialized. Caches are linked to checkumming of some content. And the largest available cache is extracted on next workflow, only extracting the directories/files that were contained in that cache.
    A workspace cache ("Attaching workspace..."), as opposed to a end workflow cache, is passed along steps that depends on prior workflow, as specified under CirclecI config. The current CircleCI config creates a workspace cache for:
        make + gawk + musl-cross-make (passed along next)
        the most massive board config for each coreboot version (passed along next)
        which is finally leading to the workflow cache, specialized for different content that should not change across builds.
            That is 3 caches
                musl-cross-make and bootstrapping tools (builds make and gawk locally) as long as musl-cross module has same checksum
                a coreboot cache, containing all coreboot building directories, as long as coreboot module and patches are having the same hashes
                a global cache containing alla builds artifacts (build dir, install dir, musl-cross dir etc)
    Consequently, a workspace cache contains all the files under a path that is specified. For heads running under CircleCI, this is ~/project, which is basically "heads" checked out GitHub project, and everything being built under it.
    When a workflow is successful, save_cache is ran, constructing caches for digest hashes that are not yet saved (which corresponds to a hash matching muslc-cross module hash, coreboot+patches digest hash and another one for all modules and patches digest hash.
    On next workspace iteration, pre_env step will include a "Restore cache" step, which will use the largest cache available and extract it prior of passing it as workspace caches. This is why there is no such different in build time when building on a clean build (the workspace caches layers are smaller, and passed along. This means saving it, passing it. next workspace downloads extracts and builds on top of those smaller layers), as opposed to a workspace reusing and repassing the bigger workspaces containing the whole cache (bigger initial cache extract, then compressing and saving it to be passed as a workspace layer that is then downloaded, extracted, building on top, compressing and saving which then passed as a workspace cache to the next layer depending on it).
    And finally, the caching system (save_cache, restore_cache) is based on a CircleCI environment variable named CACHE_VERSION which is appended at the end of the checkum fingerprint of a named cache. It can at any moment be changed to wipe actually used cache, if for some reason it is broken.

Consequently:

    CircleCI cache should include packages cache (so that packages are downloaded and verified only once.)
    Heads Makefile only downloads, checks and extracts packages and then patch extracted directory content if packages/.module-version_verify doesn't exist. This was missing, causing coreboot tarballs to be redownloaded (not present under packages) and reextracted and repatched (since _verify file was not present under packages/*_verify)
2022-04-02 14:57:54 -04:00
tlaurion
303dc26c91
Merge pull request #1144 from tlaurion/fix_busybox_zlib_current_build
Fix current builds (zlib 1.2.11 cannot be downloaded, busybox patch not applied)
2022-04-01 19:28:59 -04:00
tlaurion
dfbb0db9e9
Merge pull request #1111 from tlaurion/xx30_vbios_script_fixes
Improvements on xx30 vbios scripts
2022-04-01 19:27:29 -04:00
Thierry Laurion
981cb96f25
Fix current builds
- zlib 1.2.12 release is not respecting cross compiling. 1.2.11 disappeared from servers: taking another archive link, same hash.
- busybox 1.32.0 was not patched with 1.28.0 patch. Renaming patch so that its applied in fresh builds.
2022-04-01 09:47:39 -04:00
tlaurion
182bd6bd75
Merge pull request #1141 from tlaurion/oem_reownership_add_reencryption_passphrase_change
OEM Factory Reset/Re-Ownership: Addition of LUKS reencryption + passphrase change options
2022-03-28 15:03:59 -04:00
Thierry Laurion
9760181d09
Uniformize time display so it includes timezone
date=`date "+%Y-%m-%d %H:%M:%S %Z"`
2022-03-25 18:46:13 -04:00
Thierry Laurion
8f390f97c2
add integrity report in case some public key is already fused in firmware
- initrd/bin/oem-factory-reset: adds a measured integrity output prior of prompts. Goal is for stating TOTP/HOTP/boot detached signed measurements prior of initiating a Re-Ownership, validating provisioned OEM state.
2022-03-25 13:31:26 -04:00
Thierry Laurion
dacd99c629
add re-encrypting and passphrase change options to oem-factory-reset
- initrd/bin/oem-factory-reset: add 2 additional prompts defaulting to N, also explaining why its important.
2022-03-23 15:55:42 -04:00
Thierry Laurion
b976309498
add re-encrypt and passphrase change options to menu
- initrd/bin/gui-init : Add two additional menu options to LUKS reencrypt and LUKS passphrase change, calling functions of initrd/bin/reencrypt-luks
- initrd/bin/gui-init : Add option F for EOM Factory Reset / Reownership when no public key is exported by key-init
2022-03-23 15:50:58 -04:00
Thierry Laurion
058b07110b
add reencrypt-luks
initrd/bin/reencrypt-luks: add functions for reencryption and passphrase change. Feeds itself from external provisioning or local provisioning
2022-03-23 15:47:33 -04:00
Thierry Laurion
9016ebccc2 OEM Factory Reset -> OEM Factory Reset / Re-Ownership (with customs passwords and provisioned info given)
oem-factory-reset: adapt code so that custom passphrases can be provided by user without changing oem factory reset workflow.
    oem-factory-reset: output provisioned secrets on screen at the end of of the process.
    oem-factory-reset: warn user of what security components will be provisioned with defaults/customs PINs prior of choosing not after
    gui-init and oem-factory-reset: change OEM Factory Reset -> OEM Factory Reset / Re-Ownership to cover actual use cases
2022-03-11 14:24:54 -05:00
Thierry Laurion
acf709184f bin/kexec-iso-init: Add support for Arch iso support requirements (found at https://mbusb.aguslr.com/howto.html) 2022-03-07 19:02:29 -05:00
Thierry Laurion
3e526aea27 distro key: addition of arch minimized public key
bin/kexec-parse-boot: test 2bb1f52bf5 that fix correctly comma seperated arguments.

Still TODO: when booting, Heads tries to find where the ISO with /dev/disk/by-label/ARCH_202202 wich is never brought up. uuids could, not sure why the label is not brought up correctly. Maybe an issue in the way Arch makes the ISO.
@tslilc : Any idea to continue #584 or modify #762?
2022-03-07 19:02:29 -05:00
tslil clingman
19a8f9c242 Tweak syslinux parsing code to be compatible with new Arch isos 2022-03-07 19:02:29 -05:00
tlaurion
70b93be782
Merge pull request #1130 from marmarek/early-usb
Check for /bin/hotp_verification instead of CONFIG_HOTPKEY
2022-03-03 18:59:04 -05:00
Marek Marczykowski-Górecki
ab6425cc7e
Check for /bin/hotp_verification instead of CONFIG_HOTPKEY
CONFIG_HOTPKEY is not exported to the initrd, check for binary presence.
2022-03-04 00:49:37 +01:00
Marek Marczykowski-Górecki
13a12d157b Move enable_usb earlier
It is going to be enabled later anyway (if CONFIG_HOTPKEY=y), so it can
also be simplified by enabling it at the very beginning.

This enables USB keyboard consistently during all boot menus, including
the "No Bootable OS Found" prompt. It isn't a big deal for "normal"
laptop usage, but it is important for automatic tests and also
non-laptop systems.
2022-03-01 13:39:59 -05:00
Thierry Laurion
3b99caa996 coreboot-4.11 patches: remove unwanted .orig artifacts that seems to be making CircleCI fail in the past days.
Heads build system is reextracting archives and reapplying patches on each iteration.
CircleCI optimizes building time by providing cache mechanisms and forces users to build a target under an hour.
This is to force Open Source projects (free tier) to not be leechers of the free tier.

In the past days, CircleCI bails on building coreboot 4.11 boards because some files being cached are already being present (created files from patches).
In those, two files were unwanted artifacts, recreated on top of coreboot 4.11 extracted original files (undesired .orig files), while bailing on the creating of src/security/tpm/sha1.c from patches/coreboot-4.11/0001-Add-Heads-TPM-measured-boot-support.patch.

Hopefully, this is CircleCI having a maximum of 3 automatically entered input (it fails on the 3rd)... And this fix will permit src/security/tpm/sha1.c and src/security/tpm/sha1.h to be skipped if existing.
Below, we see that CircleCI fills patch prompts with EOF 2 times, and then waits for input and then timeouts.

Here is the failing log trace from https://app.circleci.com/pipelines/github/tlaurion/heads/990/workflows/f2a430fd-dc8c-4e95-abe3-364a0e825533/jobs/4914/parallel-runs/0/steps/0-103:

Exerpt of that log:
if [ -d patches/coreboot-4.11 ] && [ -r patches/coreboot-4.11 ] ; then for patch in patches/coreboot-4.11/*.patch ; do echo "Applying patch file : $patch " ; ( cd /root/project/build/coreboot-4.11/ ; patch -p1 ) < $patch || exit 1 ; done ; fi
Applying patch file : patches/coreboot-4.11/0000-cpu-x86-smm-Use-PRIxPTR-to-print-uintptr_t.patch
patching file src/cpu/x86/smm/tseg_region.c
Applying patch file : patches/coreboot-4.11/0001-Add-Heads-TPM-measured-boot-support.patch
patching file src/Kconfig
The next patch would create the file src/Kconfig.orig,
which already exists!  Assume -R? [n] EOF
Apply anyway? [n] EOF
Skipping patch.
1 out of 1 hunk ignored
patching file src/include/program_loading.h
patching file src/lib/cbfs.c
patching file src/lib/hardwaremain.c
Hunk #2 succeeded at 549 (offset 8 lines).
patching file src/lib/rmodule.c
patching file src/security/tpm/Makefile.inc
The next patch would create the file src/security/tpm/sha1.c,
which already exists!  Assume -R? [n] make: *** [Makefile:507: /root/project/build/coreboot-4.11/.canary] Hangup

context deadline exceeded
2022-02-23 16:59:26 -05:00