Commit Graph

20 Commits

Author SHA1 Message Date
Thierry Laurion
40c34453df
all scripts: replace TRACE manual strings with dynamic tracing by bash debug
Exception: scripts sourcing/calls within etc/ash_functions continues to use old TRACE functions until we switch to bash completely getting rid of ash.
This would mean getting rid of legacy boards (flash + legacy boards which do not have enough space for bash in flash boards) once and for all.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-02-01 15:48:27 -05:00
Thierry Laurion
6db03b0bdd
Uniformize vocabulary: LUKS TPM Disk Unlock Key & LUKS Disk Recovery Key
When playing with long fbwhiptail/whiptail messages, this commit played around the long string using fold.

'''
echo -e "This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue." | fold -w 70 -s
'''

Which gave the exact output of what will be inside of the fbwhiptail prompt, fixed to 70 chars width:

'''
This will replace the encrypted container content and its LUKS Disk
Recovery Key.

The passphrase associated with this key will be asked from the user
under the following conditions:
 1-Every boot if no Disk Unlock Key was added to the TPM
 2-If the TPM fails (hardware failure)
 3-If the firmware has been tampered with/modified by the user

This process requires you to type the current LUKS Disk Recovery Key
passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set
up, by setting a default boot LUKS key slot (1) if present.

At the next prompt, you may be asked to select which file corresponds
to the LUKS device container.

Hit Enter to continue.
'''

Therefore, for long prompts in the future, one can just deal with "\n 1-" alignments to be respected in prompts and have fold deal with cutting the length of strings properly.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-20 11:47:35 -05:00
UndeadDevel
920f871f9f Update luks-functions texts & reencrypt new pw use
Removed all mentions of a "Recovery Disk Key" and replaced with "Disk Recovery Key".

Fixed some grammatical errors.

Added check for new passphrase in reencrypt function to accommodate switching of reencrypt and new passphrase setting order in oem-factory-reset.

Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2023-12-06 15:56:14 +01:00
Jonathon Hall
d39fc26dd9
oem-factory-reset: Move format confirmation before resetting anything
Move confirmation of formatting flash drive with LUKS percentage
selection before any reset actions have been taken, so aborting does
not result in a half-reset system.  Combine with the more basic
"confirm" prompt that existed after selecting the device (but did not
include the LUKS size information).

Split up prepare_flash_drive into interactive_prepare_flash_drive (both
prompts and formats as before), confirm_thumb_drive_format (just
confirms the selections), and prepare_thumb_drive (now noninteractive).

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-11-13 14:37:19 -05:00
Thierry Laurion
4e10740453
oem-factory-reset/ash_functions/luks-functions: replace provisioning with configuring keywords. Tweak oem-factory-reset flow and questionnaire. Now first prompt is to ask if user wants to go advanced or use defaults.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-03 16:41:27 -04:00
Thierry Laurion
af3287c001
luks_functions: fix width of whiptail messages with newlines so its not cut in the middle
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 15:07:36 -04:00
Thierry Laurion
2aa9cfafb5
luks-functions: cleanup code of luks containers reported
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:08:29 -04:00
Thierry Laurion
88d00dfcb2
scripts: unify luks in text/prompts/messages to LUKS
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:07:01 -04:00
Thierry Laurion
2c55338be5
Wip: now supports both backup and copy to card and gpg_auth when backup exists. Might want to discuss that implementation. Some functions needed to be moved from functions to ash_functions so that gpg_auth can be called from recovery function. That might need to be discussed as well, recovery could be moved from ash_functions to functions instead.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:06:48 -04:00
Thierry Laurion
b1e5c638cd
WiP
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:06:45 -04:00
Thierry Laurion
64ad01f333
WiP: Staging commit to facilitate review, will squash into previous commits once confirmed good 2023-08-31 14:36:27 -04:00
Thierry Laurion
4910c1188f
TPM Disk Unlock Key sealing/renewal cleanup (Triggered automatically when resealing TOTP)
Changes:
- As per master: when TOTP cannot unseal TOTP, user is prompted to either reset or regenerate TOTP
- Now, when either is done and a previous TPM Disk Unlock Key was setuped, the user is guided into:
  - Regenerating checksums and signing them
  - Regenerating TPM disk Unlock Key and resealing TPM disk Unlock Key with passphrase into TPM
  - LUKS header being modified, user is asked to resign kexec.sig one last time prior of being able to default boot
- When no previous Disk Unlock Key was setuped, the user is guided into:
  - The above, plus
    - Detection of LUKS containers,suggesting only relevant partitions

- Addition of TRACE and DEBUG statements to troubleshoot actual vs expected behavior while coding
  - Were missing under TPM Disk Unlock Key setup codepaths

- Fixes for #645 : We now check if only one slots exists and we do not use it if its slot1.
  - Also shows in DEBUG traces now

Unrelated staged changes
- ash_functions: warn and die now contains proper spacing and eye attaction
- all warn and die calls modified if containing warnings and too much punctuation
- unify usage of term TPM Disk Unlock Key and Disk Recovery Key
2023-08-30 18:06:29 -04:00
Thierry Laurion
f6eed42208
Add external/usb disk encryption (adds exfatprogs and e2fsprogs)
prepare_thumb_drive: default to creating 10% LUKS container on usb drive, prompts for passphrase is not provided and scan drives if no --device specified

NOTE: qemu usb_thumb drive of 128 mb are not big enough so that 10% of it (12mb) can be used to create thumb drive.

Adds:
- e2fsprogs to support ext4 filesystem creation through mke2fs
- add /etc/mke2fs.conf so that mke2fs knows how to handle ext2/ext3/ext4
- removes mke2fs support from busybox
- bump busybox to latest version which adds cpu accelerated hash functions (not needed per se here)
- Adds exfatprogs to have mkfs.exfat and fsck.exfat
- Adds prepare_thumb_drive /etc/luks-functions to be able to prepare a thumb drive with percentage of drive assigned to LUKS, rest to exfat
- Modify most board configs to test space requirements failing
- Talos2 linux config: add staging Exfat support
- Make e2fsprogs and exfatprogs included by default unless explicitely deactivate in board configs
- Change cryptsetup calls : luksOpen to open and luksClose to close to addresss review
- etc/luks_functions: cleanup

GOAL here is to have secure thumb drive creation which Heads will be able to use to backup/restore/use generated GPG key material in the future (next PR)
2023-08-28 16:23:48 -04:00
Thierry Laurion
8da5d5d723
Add dual support for real bash and busybox's bash(ash)
- modify bash to have it configured with -Os
2023-03-08 12:45:44 -05:00
Thierry Laurion
9bb6be8874
whiptail: fixate width to 80 characters and have height dynamic to all whiptail/fbwhiptail prompts 2022-11-09 11:51:27 -05:00
Thierry Laurion
dd0e4b0a8d
luks-functions: typo correction and consistent warnings across functions. 2022-05-03 16:45:20 -04:00
Matt DeVillier
0f3f86d21e
etc/luks-functions: exit function when select_luks_container() returns non-zero
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2022-04-06 17:17:25 -05:00
Matt DeVillier
5b5880b4e8
select_luks_container(): return non-zero when no device found/selected
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2022-04-06 17:17:24 -05:00
Matt DeVillier
98c251678c
luks_reencrypt(): remove extraneous call to select_luks_container()
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2022-04-06 17:17:24 -05:00
Matt DeVillier
f3d4924646
/bin/reencrypt-luks: rename to /etc/luks-functions
Move/rename as file is only sourced, not directly executed

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2022-04-06 17:17:07 -05:00