Commit Graph

148 Commits

Author SHA1 Message Date
Kyle Rankin
76a068935d
Bugfixes to mount-usb
This change fixes some edge cases where a single usb disk was inserted
with multiple partitions on it, among others.
2019-04-16 12:55:00 -07:00
Kyle Rankin
152689d5d5
Detect USB disk dynamically
Currently Heads relies on a hard-coded config value to determine which
USB disk to mount. This can be problematic when trying to distribute a
pre-built version of Heads that can work on multiple disk
configurations. I've modified the USB mounting script so that it
attempts to detect all USB boot disks present on the system, pick sane
defaults, and prompt the user when there are multiple choices.

I've also removed the USB configuration option from config-gui.sh as
this config option is no longer used.
2019-04-15 15:05:03 -07:00
Thierry Laurion
2740317d67
shred TOTP_SECRET also when generation is successful 2019-02-24 11:11:00 -05:00
Thierry Laurion
8310a3d62e
also shred LUKS sealed secret when done instead of rm it 2019-02-24 10:29:09 -05:00
Thierry Laurion
b3a6c285c8
also shred LUKS key when done instead of rm it 2019-02-24 10:29:07 -05:00
Thierry Laurion
14c76d062c
supress errors on console when files don't exist (equivalent of rm -f) 2019-02-24 10:28:57 -05:00
Thierry Laurion
0722d42d65
using shred instead of rm on secret related files. 2019-02-24 10:27:20 -05:00
Kyle Rankin
07cf7d7577
Revert "Remove "pipefail" so unmatched greps don't cause script to exit"
This reverts commit 9279d60a1a.
2019-02-19 06:48:35 -08:00
Kyle Rankin
9279d60a1a
Remove "pipefail" so unmatched greps don't cause script to exit 2019-02-19 06:48:17 -08:00
Kyle Rankin
cfddb4ed2e
Add GPG GUI
It makes more logical sense for GPG functions to be split out into their
own menu instead of being part of the "Flash" menu. This creates a
gpg-gui.sh script and moves GPG options there while adding a few
additional features (like listing keys and initial smartcard key
generation support).
2019-02-19 06:48:08 -08:00
tlaurion
564f3ee201
Merge pull request #490 from kylerankin/add_empty_keyring_detection
Add empty keyring detection, clean up main menu
2019-02-08 15:01:28 -05:00
tlaurion
695993b593
Merge branch 'master' into gpg2 2019-02-08 13:29:02 -05:00
Thierry Laurion
005a19eeda
properly deal with trusting keys to supress UX confusion about trusted keys
key-init makes sure trustdb is updated at run time and user and distro keys are ultimately trusted. Each time a file is signed, the related public key is showed without error on it's trustability.
flash-gui deals with gpg1 to gpg2 migration. If pubring.kbx is found, pubring.gpg is deleted from running rom dump.
2019-02-08 12:38:38 -05:00
Thierry Laurion
5eee5aa296
GPG2 required changes for key and trustdb generation and inclusion in rom
.ash_history: add examples to generate keys and otrust in rom
flash-gui: export otrust and import it in rom
key-init: import otrust.txt if present to supress warning about user public key being untrusted
2019-01-29 11:18:11 -05:00
Thierry Laurion
6335ece902
gpg2 pubring extension change from gpg to kbx 2019-01-26 11:51:56 -05:00
Kyle Rankin
a809c72f7d
Fix column width for error output 2018-12-12 14:09:19 -08:00
Kyle Rankin
43a858e25c
Show the last setting for a config option if more than one exist 2018-12-06 16:45:40 -08:00
Kyle Rankin
dd3f650b81
Just load usb-storage module, not mount, bugfix in replace_config
We need to handle the case where the specific config file doesn't exist,
or else grep fails, so we touch the file ahead of time. Mounting the usb
storage caused problems when you re-enter the menu a second time, so we
will just load the storage module.
2018-12-06 15:41:20 -08:00
Kyle Rankin
3eb62eed1a
Use global /tmp/config that combines multiple config files
As part of the config gui we want to be able to have the system define
new config options without them being lost if the user makes their own
changes in CBFS. To allow that this change creates a function initiated
in init that combines all /etc/config* files into /tmp/config. All
existing scripts have been changed to source /tmp/config instead of
/etc/config. The config-gui.sh script now uses /etc/config.user to hold
user configuration options but the combine_configs function will allow
that to expand as others want to split configuration out further.

As it stands here are the current config files:

/etc/config -- Compiled-in configuration options
/etc/config.user -- User preferences that override /etc/config
/tmp/config -- Running config referenced by the BIOS, combination
               of existing configs
2018-12-06 15:24:28 -08:00
Kyle Rankin
49a131fa4b
Fix formatting on the default config GUI menu text 2018-12-06 13:51:46 -08:00
Kyle Rankin
f47df1edd6
Use mount-usb instead of enable_usb to find USB drives 2018-12-06 13:10:45 -08:00
Kyle Rankin
de18c706dc
Load USB modules before scanning for USB devices 2018-12-06 12:56:39 -08:00
Kyle Rankin
2f9c201f3e
Add a configuration GUI script
This change will add a new GUI script that will allow users to change
their running configuration (currently just /boot and USB boot options)
and optionally persist that modified configuration with reflashing the
BIOS with a modified cbfs.
2018-12-06 10:43:34 -08:00
Kyle Rankin
57b487c38c
Update version #s for Librem coreboot, add Librem Key detection dialog
The Librem coreboot is labeled with the current version and is visible
from dmidecode and is supposed to reflect the current version of
coreboot, however it was out of date and reflected 4.7 when Heads has
moved on to 4.8.1.

I've also added a simple change to further simplify onboarding by
warning users who have Librem Key configured when they boot without it
being inserted.
2018-12-05 14:51:53 -08:00
Kyle Rankin
2195977c23
Move GPG check outside TPM failure
We want to catch the missing GPG keyring error regardless of TPM failure
or even in the case of a system without a TPM at all so we need to move
that section up above the TPM check.
2018-12-03 16:09:55 -08:00
Kyle Rankin
7f8738d6d8
Add empty keyring detection, clean up main menu
To help with onboarding new users to Heads, this change will detect when
Heads does not have any keys in its keyring and will guide the user
through adding a key to the running BIOS. It's important that this
happen *before* guiding them through setting up an initial TOTP/HOTP
secret because adding a GPG key changes the BIOS, so the user would have
to generate TOTP/HOTP secrets 2x unless we handle the keyring case
first.

In addition to this change I've simplified the main menu so that the
majority of the options appear under an 'advanced' menu.
2018-11-30 15:32:29 -08:00
Trammell Hudson
6eb214a3f1
Merge branch 'usb-scan_fix' of https://github.com/tlaurion/heads 2018-11-07 16:38:51 -05:00
Kyle Rankin
79a09e7424
Ignore PCR5 when sealing key when Librem Key is enabled
When the Librem Key is enabled, the kernel loads USB modules at boot,
this causes PCR5 to change and breaks unsealing the LUKS key (if set).
This change retains the protection of the PCR5 check unless Librem Key
is enabled.
2018-11-07 13:27:52 -08:00
Thierry Laurion
3755ddb47a $TMP_MENU_FILE is an unknown variable. Replaced with /tmp/iso_menu.txt so usb-scan works. 2018-10-22 11:01:05 -04:00
Kyle Rankin
fd99d160e8
Improve status messages for Librem Key HOTP output 2018-07-03 12:40:52 -07:00
Kyle Rankin
acb2b34873
Show warning bg color in main menu when HOTP key not found 2018-06-21 16:30:35 -07:00
Kyle Rankin
be665ac4f9
Show red background when HOTP code is invalid
Granted the user should really be using the Librem Key/phone to check
for tampering (since an attacker could control the Heads background
color) but this provides another visual queue for the user with
the GUI menu to catch less sophisticated tampering.
2018-06-21 16:04:46 -07:00
Kyle Rankin
fe34aba719
Store HOTP counter directly in /boot instead of TPM
The HOTP counter isn't a secret but is just used to prevent replay
attacks (the time-based counter in TOTP isn't a secret either) so it
doesn't need to be protected in the TPM and storing it as a TPM
monotonic counter was causing conflicts with the Heads configuration
counter as TPM 1.2 can only increment one counter per reboot.

This change moves the HOTP counter into the file in /boot that was
previously keeping track of the TPM counter id.
2018-06-20 09:20:39 -07:00
Kyle Rankin
7dde5c2aca
Revert "Use HOTP TPM counter instead of Heads when signing, if present"
This reverts commit c42084406d.
2018-06-19 16:28:37 -07:00
Kyle Rankin
c42084406d
Use HOTP TPM counter instead of Heads when signing, if present
TPM v1.2 has a limitation in that only a single monotonic counter can be
incremented between reboots [1]. So in the event we are using HOTP
monotonic counters, we need to reference those for the Heads rollback
counter when we update file signatures in /boot, otherwise the increment
stage at kexec-sign-config will fail since at each boot, the HOTP
monotonic counter has already been incremented.

[1] https://projects.csail.mit.edu/tc/tpmj/UsersGuide.html#inccounter
2018-06-19 16:18:10 -07:00
Kyle Rankin
2cacb15729
Add back TPM config counter section to gui-init
The section in gui-init that modifies the Heads TPM counter when signing
config was accidentally removed. This change adds that section back.
2018-06-19 13:03:01 -07:00
Kyle Rankin
31cf85b707
Add Librem Key support to Heads
The Librem Key is a custom device USB-based security token Nitrokey is
producing for Purism and among other things it has custom firmware
created for use with Heads. In particular, when a board is configured
with CONFIG_LIBREMKEY, this custom firmware allows Heads to use the
sealed TOTP secret to also send an HOTP authentication to the Librem
Key. If the HOTP code is successful, the Librem Key will blink a green
LED, if unsuccessful it will blink red, thereby informing the user that
Heads has been tampered with without requiring them to use a phone to
validate the TOTP secret.

Heads will still use and show the TOTP secret, in case the user wants to
validate both codes (in case the Librem Key was lost or is no longer
trusted). It will also show the result of the HOTP verification (but not
the code itself), even though the user should trust only what the Librem
Key displays, so the user can confirm that both the device and Heads are
in sync. If HOTP is enabled, Heads will maintain a new TPM counter
separate from the Heads TPM counter that will increment each time HOTP
codes are checked.

This change also modifies the routines that update TOTP so that if
the Librem Key executables are present it will also update HOTP codes
and synchronize them with a Librem Key.
2018-06-19 12:27:27 -07:00
Trammell hudson
584c07042e
Merge branch 'generic_flashrom_script' of https://github.com/kylerankin/heads 2018-06-01 12:40:16 -04:00
Kyle Rankin
8d50b6a1ab
Add option to flash cleaned ROM to GUI 2018-05-28 11:38:04 -07:00
Kyle Rankin
8dc2f8602f
Add trivial word-wrapping for long output line 2018-05-23 16:14:44 -07:00
Francis Lam
736538a8a2
Add additional kernel command line options for ISO boot
Allows Qubes/Ubuntu/Fedora ISO media to be used by default
without a custom kexec_iso_add.txt config
2018-05-19 10:52:49 -07:00
Kyle Rankin
cfa6c3a374
Make x230 board option a glob to match x230-flash option 2018-05-18 14:04:00 -07:00
Francis Lam
c1be56c5ad
Separate trusted ISO signers from trusted config signers 2018-05-17 19:52:11 -07:00
Kyle Rankin
258420d75d
Add BIOS ROM editing features to flash GUI
In addition to being able to flash a ROM from the GUI, it would also be
useful for a user to be able to add a GPG key to their keyring using the
flashing tool. This change adds the ability for a user to edit both a
ROM located on a USB key and also edit the running BIOS by using
flashrom to make a local copy of the running BIOS, edit it, then reflash
it. This also supports the upcoming delete feature in CBFS for
circumstances where keyring files already exist within CBFS.
2018-05-17 15:31:23 -07:00
Kyle Rankin
a9bf4eb874
Add read mode to flash.sh
If we want to modify a running BIOS we will need the ability to pull
down the current BIOS, modify it, and then reflash. This change adds a
read option to flash.sh and pulls down three versions of the BIOS and
only exists successfully if all three match.
2018-05-15 16:24:24 -07:00
Kyle Rankin
b276e355d9
Re-add the flashrom script for kgpe-d16-openbmc 2018-05-11 14:23:48 -07:00
Kyle Rankin
3c88bc5d86
Split flash GUI into separate script
To keep the flash logic simpler the GUI logic has been split into a
flash-gui.sh program so flash.sh behaves closer to the original flashrom
scripts it was based from. I've also removed the previous flashrom
scripts and incorporated their options into flash.sh. Finally I set
CONFIG_BOARD via the Makefile instead of setting a duplicate option in
each board's config.
2018-05-11 14:08:31 -07:00
Kyle Rankin
89b008a042
Use explicit path for flash.sh 2018-05-11 12:32:04 -07:00
Kyle Rankin
45ae20fc12
Add generic flash script
Based on the conversation for PR #406, we decided to go with a more
generic script for general-purpose flashing instead of having individual
(and therefore very similar) flash scripts for each board type. This
script currently handles flashrom on Librem and X230 board types and
introduces a new CONFIG_BOARD option that sets specific flashrom
arguments based on the board.

It also adds support to gui-init to call this flash script.
2018-05-11 12:27:50 -07:00
Trammell hudson
9c95b4ed58
Merge branch 'usb-scan-gui' of https://github.com/kylerankin/heads 2018-05-07 11:24:56 -04:00