ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2025-02-20 17:22:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
2,875 Commits 28 Branches 6 Tags
Commit Graph

737 Commits

Author SHA1 Message Date
Thierry Laurion
696ecf54cd
initrd/bin/seal-hotpkey: fix regression of hotp_verification 1.7+ version bump output parsing for <nk3 
As tested working with old librem key fw 0.10: works
Log entry of additioanl 30 minutes for https://github.com/linuxboot/heads/pull/1875 (I cannot not fix with my time @jans23 https://github.com/linuxboot/heads/issues/1866, since nk3 is not the only dongle support by Heads)

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:22:38 -05:00
Thierry Laurion
d2b84597bf
tpmr: check for CONFIG_TPM2_CAPTURE_PCAP=y to export TPM comms under /tmp/tpm0.pcap (not just check for existence of CONFIG_TPM2_CAPTURE_PCAP under env) 
So that export CONFIG_TPM2_CAPTURE_PCAP=n across all boards doesn't break and so that its easy for auditors to just toggle on in board configs

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:22:32 -05:00
Jonathon Hall
0825b57e29
config-gui.sh: Combine quiet mode / debug output to one output setting 
These two settings are exclusive, so they would disable each other if
enabled.  Present them as one setting with three output levels.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:22:03 -05:00
Jonathon Hall
8e630e0e4d
seal-totp: Print plain secret instead of URL for manual entry 
Don't print the URL and then explain how to get the secret out of it,
just print the secret.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:21:57 -05:00
Jonathon Hall
a06ead69bc
tpmr: Don't continue blindly if a TPM reset step fails 
If a TPM reset step fails, don't blindly continue onto the other
steps.  Use DO_WITH_DEBUG to trace failures, so they're visible in the
log but we still exit due to set -e.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:21:51 -05:00
Jonathon Hall
c4bb4107ab
tpmr: Use SINK_LOG rather than temp file, avoid doubled log output 
Use SINK_LOG to capture tpm2 unseal rather than a temp file.

Don't double up output from tpm "$@" to log; DO_WITH_DEBUG already
captures it.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:21:45 -05:00
Thierry Laurion
e1a263ce3b
init: warn user that if CONFIG_QUIET_MODE was enabled in board config at build time but disabled through Configuration Settings applied override, early measurement output got suppressed 
Also tell user that those early suppressed messages can be seen under /tmp/debug.txt

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:21:28 -05:00
Thierry Laurion
07218df9cb
initrd/bin/kexec-select-boot: clarify that TPM2 primary handle HASH is created upon setting default boot (was not clear) 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:21:22 -05:00
Thierry Laurion
eb63d4d46a
oem-factory-reset: remove duplicate output 'Checking for USB Security dongle...' 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:21:16 -05:00
Thierry Laurion
02d8ce8d0d
kexec-save-default kexec-select-boot: fix primary handle once more. Can't wait we get rid of this... file must exist and not be empty, and hash output to console must not be silenced 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:20:53 -05:00
Thierry Laurion
1e6079620a
TPM2 primary handle debugging once more. Can't wait we get rid of this... 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:20:47 -05:00
Thierry Laurion
885af7d39f
kexec-select-boot+kexec-save-default: Quiet mode; remove last rollback counters printed to console 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:20:29 -05:00
Thierry Laurion
91299fd89b
seal-totp: contextualize qr code output for manual input of those without qr scanner app in mobile phone 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:20:23 -05:00
Thierry Laurion
b5c24f2447
init+cbfs-init: refactor and explain why quiet mode cannot suppress measurements of cbfs-init extracted+measured TPM stuff if not in board config 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:20:06 -05:00
Thierry Laurion
08f52af033
Deprecate ash in favor of bash shell; /etc/ash_functions: move /etc/ash_functions under /etc/functions, replace TRACE calls by TRACE_FUNC, remove xx30-flash.init 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:20:00 -05:00
Thierry Laurion
4354cd4c22
config-gui.sh: Add quiet mode toggle, which turns off debug+tracing if enabled, and where enabling debug+tracing disables Quiet mode 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:19:54 -05:00
Thierry Laurion
53156c3917
WiP: staging changes, refusing to fight against tools helping me, formatting changed. sign after tpm-reset now to work around primary handle issue. 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:19:42 -05:00
Thierry Laurion
0d3964274e
WiP: staging changes, warn loud and clear of weak security posture by using weak OEM defaults provisioned secrets 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:19:36 -05:00
Thierry Laurion
d768e80de6
WiP: staging changes, no more tpm output. Next warn /boot changed because htop counter and primary handle until removed outside of this PR 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:19:30 -05:00
Thierry Laurion
c7ab861325
Turn some info on default boot into LOGged info, LOG might go out forever if not pertinent to most? 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:19:25 -05:00
Thierry Laurion
eca4e34176
WiP: staging changes 
Attacking nv index next for TPM nvram read in prod_quiet testing

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:19:19 -05:00
Thierry Laurion
94b77e8704
WiP: staging changes 
Insights:
- We should use oem generated pubkey naming to distinguish between oem/user generated keys and try to use default PINs also for GPG User to sign with default PIN and warn even if it works/doesn't, urging users to do reownership
- Point is that oem factory reset does in the direction of using randomized PINs, while continuing to use those for a user should be strongly discouraged

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:19:07 -05:00
Thierry Laurion
19fd98df2d
WiP: staging changes (TPM1 regression fixes for LOG/DEBUG on quiet mode) 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:19:01 -05:00
Thierry Laurion
abc97fe1be
WiP: staging changes including https://github.com/linuxboot/heads/pull/1850 https://github.com/Nitrokey/nitrokey-hotp-verification/pull/43 and https://github.com/Nitrokey/nitrokey-hotp-verification/pull/46 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:18:55 -05:00
Jonathon Hall
54baa37d4a
oem-factory-reset: Stop adding leading blank lines in 'passphrases' msg 
We're adding leading blank lines, which makes the prompt look odd and
now have to be removed later.  Just stop adding the leading blank
lines.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:18:43 -05:00
Thierry Laurion
ebf4d1d221
oem-factory-reset+seal-hotp nk3 hotp-verification info adaptations 
- oem-factory-reset: fix strings for nk3 is from https://github.com/Nitrokey/nitrokey-hotp-verification/pull/43 is Secrets app, not Secret App singular, not App capitalized
- initrd/bin/seal-hotpkey: adapt to check nk3 Secrets App PIN counter if nk3, keep Card counters for <nk3 from https://github.com/Nitrokey/nitrokey-hotp-verification/pull/43
  - Unattended hotp_initialize output removed since we need physical presence to seal HOTP until https://github.com/Nitrokey/nitrokey-hotp-verification/issues/41 is fixed
  - Finally make seal_hotp use logic to detect if public key <1m old, use HOTP related PIN by default if counter is not <3, warn that re-ownership needs to be ran to change it since no security offered at all otherwise with HOTP
- unify format with linting tool

Tested in local tree against https://patch-diff.githubusercontent.com/raw/Nitrokey/nitrokey-hotp-verification/pull/43.patch, removing https://patch-diff.githubusercontent.com/raw/Nitrokey/nitrokey-hotp-verification/pull/46.patch
 - will revert the change above in PR once testing is over

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:18:18 -05:00
Thierry Laurion
847b4ddbdf
WiP seal-hotp: customize message to be GPG Admin PIN or Secure App PIN 
TODO: check logic in this file because assumptions on PINs retry count are wrong and will depend on https://github.com/Nitrokey/nitrokey-hotp-verification/pull/43 not tested here

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:15:28 -05:00
Thierry Laurion
95473d6c89
kexec-sign-config: mount rw, write things to /boot, mount ro after 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:15:22 -05:00
Thierry Laurion
e25fb595b6
oem-factory-reset: reset nk3 secure app PIN early since we need physical presence, put nk3 secure APP PIN after TPM but before GPG PINS in output for consistency 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:15:17 -05:00
Thierry Laurion
c372370210
oem-factory-reset: set title_text accordingly to mode, either 'OEM Factory Reset Mode', 'Re-Ownership Mode' or 'OEM Factory Reset / Re-Ownership' 
TODO: further specialize warning prompt to tell what is going to happen (randomized PIN, signle custom randomized PIN etc)

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:15:11 -05:00
Thierry Laurion
789231fac3
oem-factory-reset: fix Secure App wording, prevent word globbing, warn that physical presence is needed 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:15:05 -05:00
Thierry Laurion
03e5ec0ddf
oem-factory-reset: if nk3, also display Secure App PIN = GPG Admin PIN as text and in Qr code 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:14:59 -05:00
Thierry Laurion
e01d346fe8
oem-factory-reset: don't set user re-ownership by default for now: use current defaults being DEF pins (12345678 and 123456 as master) 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:14:53 -05:00
Thierry Laurion
fd136cd957
oem-factory-reset: add reset secure app PIN = ADMIN_PIN at reownership, make sure defaults are set for all modes, including default which uses current defaults being DEF pins (12345678 and 123456 as master) 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:14:41 -05:00
Thierry Laurion
814f4fabd9
WiP: add nk3 secret app reset function and call it following security dongle reset logic 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:14:30 -05:00
Thierry Laurion
a6df16ec3c
WiP initrd/bin/oem-factory-reset: add qrcode+secet output loop until user press y (end of reownership wizard secret output) 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>

works:
- oem and user mode passphrase generation
- qrcode

missing:
- unattended
  - luks reencryption + passphrase change for OEM mode (only input to be provided) with SINGLE passphrase when in unattended mode
    - same for user reownership when previously OEM reset unattended

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:14:18 -05:00
Thierry Laurion
108e6ed0b1
WiP initrd/bin/oem-factory-reset: add --mode (oem/user) skeleton 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:14:06 -05:00
Thierry Laurion
f8fdfc7b8d
WiP initrd/bin/oem-factory-reset: format unification 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:14:00 -05:00
Thierry Laurion
d57a120912
initrd/etc/ash_functions: add GPG Admin/User PIN output grabbing on confirm_gpg_card presence call, echo for now, warn to input GPG User PIN when asked to unlock GPG card 
Mitigate misunderstands and show GPG User/Admin PIN counts until proper output exists under hotp_verification info to reduce global confusion

Add TODO under initrd/bin/seal-hotpkey to not foget to fix output since now outputting counter of 8 for Admin PIN which makes no sense at all under hotp_verification 1.6 https://github.com/Nitrokey/nitrokey-hotp-verification/issues/38

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:13:43 -05:00
Thierry Laurion
3726e9083f
initrd/bin/tmpr: silence tpm reset console output, LOG instead 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:13:37 -05:00
Thierry Laurion
48807de222
codebase: silence dd output while capturing output in variables when needed 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:13:31 -05:00
Thierry Laurion
1f029123e9
initrd bin/* sbin/insmod + /etc/ash_functions: TPM extend operations now all passed to LOG (quiet mode doesn't show them and logs them to /tmp/debug.log) 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-12-21 13:13:13 -05:00
Thierry Laurion
6f2ea7c7bf
Merge remote-tracking branch 'osresearch/master' into pr0_skylake_and_more_recent 2024-11-28 11:53:48 -05:00
Thierry Laurion
5501cd0744
oem-factory-reset: debug mode; hide passphrase output on screen/debug.log on gpg --detach-sign of /boot hash digest 
Before:
[  155.845101] DEBUG: gpg --pinentry-mode loopback --passphrase Please Change Me --digest-algo SHA256 --detach-sign -a

After:
[  131.272954] DEBUG: gpg --pinentry-mode loopback --passphrase <hidden> --digest-algo SHA256 --detach-sign -a

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-11-25 10:57:44 -05:00
Thierry Laurion
95c6eb5c49
initrd/bin/unpack_initramfs.sh: add xz to unpack logic (add commented: bzip2, lzma, lzo and lz4) 
xz: tested working with tails test build and 6.8.1's initrd
latest ubuntu 24.10: switched back to zstd, works as expected (tested)

Magic numbers referred at:
- 28eb75e178/scripts/extract-vmlinux (L52C1-L58C43)
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/lib/decompress.c#n51

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-11-22 17:30:17 -05:00
Thierry Laurion
71a8075125
initrd/bin/unpack_initramfs.sh: no functional change, just format with tabs 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-11-22 17:29:41 -05:00
Thierry Laurion
6e0edcbce6
initrd/bin/config-gui.sh: remove check for CONFIG_SUPPORT_USB_KEYBOARD since usbhid.ko packed for all boards. Menu now permits turning on keyboard from internal, non-usb keyboard or force support through CONFIG_USB_KEYBOARD_REQUIRED=y under board configs 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-11-05 15:26:26 -05:00
Thierry Laurion
e999c90a16
codebase: CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE -> CONFIG_FINALIZE_PLATFORM_LOCKING 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-10-31 10:23:06 -04:00
Thierry Laurion
7e679d6d68
lock_chip: update documentation for skylake+ 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-10-31 10:22:48 -04:00
Thierry Laurion
eecc611d73
bin/lock_chip: Correct PR0 statement 
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
 2024-10-31 10:22:42 -04:00