- fi misplaced
- rework reencryption loop
- added verbose output on TPM DUK key addition when LUKS container can be unlocked with DRK
Current state, left todo for future work:
TPM DUK:
- TPM DUK setup on defautl boot reuses /boot/kexec_key_devices.txt if present
- If not, list all LUKS partitions, asks user for selection and makes sure LUKS passphrase can unlock all
- Works on both LUKSv1 and LUKSv2 containers, reusing OS installer settings (Heads doesn't enforce better then OS installer LUKS parameters)
LUKS passphrase change/LUKS reencryption:
- Reuses /boot/kexec_key_devices.txt if existing
- If not, prompts for LUKS passphase, list all LUKS containers not being USB based and attempt to unlock all those, listing only the ones successfully unlocked
- Prompts user to reuse found unlockable LUKS partitions with LUKS passphrase, caches and reuse in other LUKS operations (passphrase change as well from oem factory reset/re-ownership)
- Deals properly with LUKSv1/LUKSv2/multiple LUKS containers and reencrypt/passphrase changes them all if accepted, otherwise asks user to select individual LUKS container
Tested on luksv1,luksv2, btrfs under luks (2x containers) and TPM DUK setup up to booting OS. All good
TODO:
- LUKS passphrase check is done multiple times across TPM DUK, reencryption and luks passphrase. Could refactor to change this, but since this op is done only one reencrypt+passphrase change) upon hardare reception from OEM, I stopped caring here.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
cryptsetup2 2.6.1 is a new release that supports reencryption of Q4.2 release LUKS2 volumes created at installation.
This is a critical feature for the Qubes OS 4.2 release for added data at rest protection
Cryptsetup 2.6.x internal changes:
- Argon2 used externally and internally: requires a lot of RAM and CPU to derivate passphrase to key validated in key slots.
- This is used to rate limit efficiently bruteforcing of LUKS key slots, requiring each offline brute force attempt to consume ~15-30 seconds per attempt
- OF course, strong passphrases are still recommended, but bruteforcing LUKSv2 containers with Argon2 would require immense time, ram and CPU even to bruteforce low entropy passphrase/PINs.
- passphrase change doesn't permit LUKS key slot specification anymore: key slot rotates (new one consusumed per op: then old one wiped internally. EG: LUKS key slot 1 created, then 0 deleted)
- reencryption doesn't permit old call arguments. No more direct-io; inadmissively slow through AIO (async) calls, need workarounds for good enough perfs (arguments + newer kernel with cloudfare fixes in tree)
cryptsetup 2.6.1 requires:
- lvm2 2.03.23, which is also included in this PR.
- requires libaio, which is also included in this PR (could be hacked out but deep dependency at first sight: left in)
- requires util-linux 2.39
- patches for reproducible builds are included for above 3 packages.
luks-functions was updated to support the new cryptsetup2 version calls/changes
- reencryption happen in direct-io, offline mode and without locking, requiring linux 5.10.9+ to bypass linux queues
- from tests, this is best for performance and reliability in single-user mode
- LUKS container ops now validate Disk Recovery Key (DRK) passphrase prior and DRK key slot prior of going forward if needed, failing early.
- Heads don't expect DRK to be in static key slot anymore, and finds the DRK key slot dynamically.
- If reencrytipn/passphrase change: make sure all LUKS containers on same block device can be unlocked with same DRK
- Reencryption: requires to know which key slot to reencrypt.
- Find LUKS key slot that unlocks with DRK passphrase unlock prior of reencrypt call
- Passphrase change: no slot can be passed, but key slot of DRK rotates.
kexec-seal-key
- TPM LUKS Disk Unlock Key key slots have changed to be set in max slots per LUKS version (LUKSv1:7 /LUKSv2: 31)
- If key slot != default LUKS version's keyslot outside of DRK key slot: prompt the user before wiping that key slot, otherwise wipe automatically
- This takes for granted that the DRK key slot alone is needed on the system and Heads controls the LUKS key slots.
- If user has something else going on, ie: Using USB Security dongle + TPM DUK, then the user will need to say no when wiping keys.
- It was suggested to leave LUKS key slots outside of DRK alone, but then: what to do when all key slots would be used?
- Alternative implementation could be to only prompt users to wipe keyslots other then DRK when key slots are all used (LUKSv1: 0-7, LUKSv2: 0-31)
- But then cleanup would need to happen prior of operations (LUKS passphrase change, TPM DUK setup) and could be problematic.
- LUKS containers now checked to be same LUKS version prior of permitting to set TPM DUK and will refuse to go forward of different versions.
TODO:
- async (AIO) calls are not used. direct-io is used instead. libaio could be hacked out
- this could be subject to future work
Notes:
- time to deprecated legacy boards the do not enough space for the new space requirements
- x230-legacy, x230-legacy-flash, x230-hotp-legacy
- t430-legacy, t430-legacy-flash, t430-hotp-legacy already deprecated
Unrelated:
- typos fixes found along the way
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This is not a blocker, but it used to be possible to flash BMC chip from Heads. PAtch is missing to flashprog
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
cbfs-init used to measure filenames as well as the data in the files,
but after refactoring it only measures file data. This means files
could be renamed, or contents pivoted, without affecting the PCR
measurements. Bring back the filename measurement.
Similarly, insmod used to measure module parameters, but no longer
does. Though we don't currently insert any modules with parameters,
there's no reason to leave this open to break later, bring back the
measurement.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
The 'warn' message was not very effective, because change-time.sh
clears the screen right after. Prompt with whiptail instead, which
also lets the user know what's happening before we drop them into a
series of prompts.
Let the user skip changing time if they really want to. While they
usually should set the time, it's rather frustrating if Heads forces
them to go through these prompts when they don't want to.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
cbfs-init: remove temp files, measure direct cbfs output, extend PCR with proper introspection tracing
flash.sh: do not die but go to recovery if flashrom fails, cosmetic fix for warning given to user
kexec-insert-key: extend PCR with proper introspection tracing
kexec-select-boot: extend PCR with proper introspection tracing
kexec-measure-luks: extend PCR with proper introspection tracing
tpmr: Add missing TRACE_FUNC, fix comments, extend give hash that was extended to tpm call in DEBUG, fix TPM startsession unsuppressed output still present
ash_functions: extend PCR with proper introspection tracing
insmod: DEBUG info more pertinent, extend PCR with proper introspection tracing
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This was a yes/no prompt but didn't actually have a question in it,
ask if the user wants to change the time.
Include the current time so the user can tell if it's correct.
Mention that if it's incorrect they should change the time and check
again.
The first line was too long for fbwhiptail by a few characters, trim it
a little.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
We're trying to move all shell scripts to including '.sh' to
differentiate them from functions. While it's not 100% consistent yet,
do it for new scripts.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Adjust prompt wording when entering fields. Technically the desired
value isn't always between min/max, because min and max are also
acceptable :)
No need to repeat an incorrect value, it is right there on the screen
and it dilutes the important point describing what value is needed.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Ask whether to retry instead of always retrying, so users can escape
if there is a problem setting the date instead of being forced to enter
values until it works.
Ask to press Enter instead of "any key". "Any key" prompts are
generally misleading, because there are usually keys that won't
actually work (e.g. Ctrl, Caps Lock, Shift).
Loop to retry if setting the date fails instead of recursing.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
There's little value to offering the minimum field value as a default
IMO:
* it's rarely accurate (e.g. minute 00 is only accuate 1/60 of the time)
* it's very obvious to just press '0'<enter> instead (and no longer
needs to be '00')
* it eliminates a lot of wordiness you otherwise have to read (or more
likely, ignore)
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
There's no need to try to parse stdout/stderr to figure out if date
succeeded, just check if it was successful directly.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Allow Backspace in input. It's really frustrating otherwise if a typo
cannot be corrected, and worse, the backspace key actually produces a
character that becomes part of the input.
Complete input with Enter. It is surprising when the script just
moves on right away once a fourth/second digit is entered, and worse,
users expecting to press Enter could reasonably press it before
realizing the script did not require it, which then skips the _next_
prompt inadvertently. Users with imperfect typing might double a
digit unintentionally, do not force them to proceed with an incorrect
value.
Removing '-n $digits' from read does both of those. Add '-r' so
backslashes do not have unexpected behavior.
Don't require leading zeroes, zero-pad automatically.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Use local named variables instead of $1-$4 throughout the function.
This makes the implementation clearer and documents the usage.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
This commit effectively reverts commits a1c13ff and 902866cc. There is
no need for this special EC-based poweroff command. See more details in
issue linked below.
Fixes: https://github.com/Dasharo/dasharo-issues/issues/711
Signed-off-by: Maciej Pijanowski <maciej.pijanowski@3mdeb.com>
- Revert gnupg toolstack version bump to prior of #1661 merge (2.4.2 -> 2.4.0). Version bump not needed for reproducibility.
- Investigation and upstream discussions will take their time resolving invalid time issue introduced by between 2.4.0 and latest gnupg, fix regression first under master)
- oem-factory-reset
- Adding DO_WITH_DEBUG to oem-factory-reset for all its gpg calls. If failing in debug mode, /tmp/debug.txt contains calls and errors
- Wipe keyrings only (*.gpg, *.kbx) not conf files under gpg homedir (keep initrd/.gnupg/*.conf)
- flake.nix
- switch build derivative from qemu and qemu_kvm to qemu_full to have qemu-img tool which was missing to run qemu boards (v0.1.8 docker)
- add gnupg so that qemu boards can call inject_gpg to inject public key in absence of flashrom+pflash support for internal flashing
- flake.lock: Updated nix pinned package list under flake.lock with 'nix flake update' so qemu_full builds
- README.md: have consistent docker testing + release (push) notes
- .circleci/config.yml: depend on docker v0.1.8 (qemu_full built with canokey-qemu lib support, diffoscopeMinimal and gnupg for proper qemu testing)
TODO:
- some fd2 instead of fd1?!
- oem-factory-resest has whiptail_or_die which sets whiptail box to HEIGHT 0. This doesn't show a scrolling window on gpg errors which is problematic with fbwhiptail, not whiptail
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
