-r will always succeed since the file will be generated regardless
of number of boot entries found. Use -s instead to check for zero
file size.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Since we sort the boot options prior to selecting the new default entry,
we need to use the index of the entry in the list prior to being sorted,
vs always setting it as 1. This fixes setting/booting of the default
OS target where the list entries are changed when calling sort.
Test: perform OEM factory reset with Fedora 32 installed, verify
default boot succeeds followng reset.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
The same grub parsing logic used in kexec-select-boot should
be used here as well, so copy it over.
Test: oem-factory-reset succeeds with Fedora 32 installed.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
For the handful of operations which need to be done with /boot
as the pwd, encapsulate them in subshells to ensure the pwd
doesn't unexpectedly change for other operations, as functions
which need to mount/unmount /boot may fail if the pwd isn't root.
Also, set the pwd to root at the start of detect_boot_device as an
added safety measure.
Test: run oem-factory-reset function, ensure it doesn't fail to
detect boot device due to incorrect working directory.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Since #758 is merged, users have a option to export GnuPG pubkey if
necessary. Thus, we they do not need to insert a USB drive during
factory reset. Until now the whole process failed just because a user
did not provide a USB drive instead.
This shall be fixed by this commit
If smartcard Nitrokey Storage was factory-reset, we delete AES keys on
it as well.
Explaination: After oem-factory-reset was started the AES on the Nitrokey Storage that is used for the encrypted volume and the password safe is is not usable anymore because the smart card was factory-reset. To make it usable, a user needs to delete it via Nitrokey App. By doing so, the HOTP secret is deleted as well, resulting in a bad warning in Heads. Therefore, we are resetting AES key right after factory-reset with hotp_verification
Since the custom password is used to set the GPG admin
password as well as the TPM and GPG user passwords, an
8-character minimum is required. Inform the user of this,
and validate custom password length upon entry.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Normally we resort to default passwords for OEM reset, however we have a
use case where it would be convenient to set a custom password instead.
This patch adds a simple prompt (that defaults to the defaults if you
hit Enter) that enables someone using the OEM reset to enter a single
password that will replace the defaults (TPM, GPG Admin, GPG User).
Add oem-factory-reset script which performs an unattended
reset and configuration of the device's TPM, GPG security token,
and boot device / boot selection.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
