Commit Graph

60 Commits

Author SHA1 Message Date
Thierry Laurion
65b81e6702
oem-factory-reset: remove duplicates and add proper error redirection to file
- Trace calls need to happen after sourcing /etc/functions not before
- Move sourcing of external files at beginning of file, remove /etc/functions sourcing duplicate
- gpg error redirection was sent to /dev/null where expected to be added to whiptail in case of error (2>&1 instead and redirection to file)
2023-03-30 13:12:24 -04:00
ThePlexus
277465b347
fix broken OEM re-ownership process
Problem
When using a custom password for TPM, the OEM re-ownership process is broken

Impact 
The OEM re-ownership process breaks for any user setting a custom password and not just using 12345678 

First appeared
6923fb5e20

Detail
on line 498, if blank, the TPM custom password is overwritten with TPM_PASS_DEF (eg, when no custom password is set by the user installing)

```
if [ "$TPM_PASS" == "" ]; then TPM_PASS=$TPM_PASS_DEF; fi
```
so far so good.  $TPM_PASS should be used for all TPM interaction from this point. $TMP_PASS_DEF is now a disposed of variable.

we see that happens when resetting the TPM on line 712 (generate_checksums) is that $TPM_PASS is used (correctly)

```## reset TPM and set password
if [ "$CONFIG_TPM" = "y" ]; then
  echo -e "\nResetting TPM...\n"
  tpmr reset "$TPM_PASS" >/dev/null 2>/tmp/error
---SNIP
```
The TPM now has either the custom password of the user, or the default of 12345678 depending on user selection.

On line 712, we duck into the generate_checksums sub, which for some reason reverts to TPM_PASS_DEF

```
    # create Heads TPM counter
    if [ "$CONFIG_TPM" = "y" ];then
	    if [ "$CONFIG_IGNORE_ROLLBACK" != "y" ]; then
		    tpmr counter_create \
			 -pwdo "$TPM_PASS_DEF" \
--SNIP
```

This then, rightly, fails due to 
```
Authentication failed (Incorrect Password) (ox1) from TPM_CreateCounter
```
2023-03-29 21:05:52 +01:00
Jonathon Hall
b21d8f7a94
oem-factory-reset: Use tpmr reset
tpm-reset is just a prompt for the password followed by tpmr reset.
oem-factory-reset already bypasses the prompt, just call tpmr reset
directly.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-10 15:46:01 -05:00
Jonathon Hall
b500505312
tpm2-tools: Change sense of CONFIG_TPM to mean any TPM, not just TPM1.
Most logic throughout Heads doesn't need to know TPM1 versus TPM2 (and
shouldn't, the differences should be localized).  Some checks were
incorrect and are fixed by this change.  Most checks are now unchanged
relative to master.

There are not that many places outside of tpmr that need to
differentiate TPM1 and TPM2.  Some of those are duplicate code that
should be consolidated (seal-hotpkey, unseal-totp, unseal-hotp), and
some more are probably good candidates for abstracting in tpmr so the
business logic doesn't have to know TPM1 vs. TPM2.

Previously, CONFIG_TPM could be variously 'y', 'n', or empty.  Now it
is always 'y' or 'n', and 'y' means "any TPM".  Board configs are
unchanged, setting CONFIG_TPM2_TOOLS=y implies CONFIG_TPM=y so this
doesn't have to be duplicated and can't be mistakenly mismatched.

There were a few checks for CONFIG_TPM = n that only coincidentally
worked for TPM2 because CONFIG_TPM was empty (not 'n').  This test is
now OK, but the checks were also cleaned up to '!= "y"' for robustness.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:46 -05:00
Jonathon Hall
d51993b6a9
tpm-reset: Reduce duplication with tpmr reset
Use common password prompt logic in tpm-reset rather than duplicating
in tpmr reset.

Use common logic in config-gui.sh to reset the TPM.

Use common logic in oem-factory-reset to reset TPM.  Fixes extra
prompts for TPM2 owner password even when choosing to use a common
password.  Fix sense of "NO TPM" check in TOTP generation (which only
happened to work because CONFIG_TPM is empty for TPM2).

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:46 -05:00
Thierry Laurion
8da5d5d723
Add dual support for real bash and busybox's bash(ash)
- modify bash to have it configured with -Os
2023-03-08 12:45:44 -05:00
Thierry Laurion
6923fb5e20
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards
-coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations)
-swtpm set to be launched under TPM v2.0 mode under board config
-Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized)
This is skeleton for TPM v2 integration under Heads

-------------
WiP

TODO:
- libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built
- Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing
- init tries to bind fd and fails currently
- Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output
- When no OS' /boot can be mounted, do not try to TPM reset (will fail)

- seal-hotpkey is not working properly
- setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM)
  - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase.
- primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup
- would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only
- tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help.
  - Implementing them would be better
- REVIEW TODOS IN CODE
- READD CIRCLECI CONFIG

Current state:
- TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid)
- TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without.
 - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails.

- Current tests are with fbwhiptail (no clear called so having traces on command line of what happens)
 - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
2023-03-08 12:45:43 -05:00
tlaurion
5c7148f18d
Merge pull request #1305 from echo-84/yubikey-oem-factory-reset 2023-02-21 12:06:35 -05:00
Thierry Laurion
8259d3ca1e
Add TRACE function tracing function to output on console when enabled
- Add TRACE function tracing output under etc/functions, depending on CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT enabled in board configs
- Replace current DEBUG to TRACE calls in code, reserving DEBUG calls for more verbose debugging later on (output of variables etc)
- add 'export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y' in qemu-coreboot(fb)whiptail-tpm1(-hotp) boards to see it in action
2023-02-20 11:44:52 -05:00
Thierry Laurion
5bc2bc88e4
All scripts and functions: Add DEBUG calling trace on console when CONFIG_DEBUG_OUTPUT is exported in board config
-qemu-coreboot-*whiptail-tpm1(-hotp) boards have 'export CONFIG_DEBUG_OUTPUT=y' by default now
2023-02-18 21:52:44 -05:00
builder
e900d2027a Check Signature PIN and toggle forcesig if not forced 2023-02-01 20:34:07 -06:00
3hhh
4ce8f664ad
initrd: work around a bug in busybox sha256sum
busybox sha256sum will create a checksum file for uncommon file names
(e.g. /boot/foo"$\n"bar), but fail to verify that exact file.
https://bugs.busybox.net/show_bug.cgi?id=14226

Thus disallow all files in /boot/ with strange file names at the time of
signing for now. Verifying in the presence of new files with such file
names in /boot/ is no issue for the kexec_tree verification due to the
previously implemented escaping mechanism.
2023-01-14 10:02:49 +01:00
3hhh
accd9f470d
initrd: track files in /boot in kexec_tree.txt
Fixes #1248
2023-01-14 10:02:27 +01:00
Thierry Laurion
aa9b75f64d
/boot: make sure operations requiring to be happening under /boot are under subshells 2023-01-11 13:59:26 -05:00
Thierry Laurion
81b4bb77de
whiptail: no more whiptail reseting console on call (--clear)
So we have console logs to troubleshoot errors and catch them correctly
2022-11-15 15:11:58 -05:00
Sergii Dmytruk
5ee3219322
Add cbfs wrapper script to handle PNOR
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-11-11 00:59:12 +02:00
Thierry Laurion
9bb6be8874
whiptail: fixate width to 80 characters and have height dynamic to all whiptail/fbwhiptail prompts 2022-11-09 11:51:27 -05:00
Matt DeVillier
297369fd8b
oem-factory-reset: Add missing newline to prompt
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2022-11-03 18:42:32 -04:00
Thierry Laurion
32e7031678
bin/oem-factory-reset: prevent users to choose a GPG Admin PIN > 25 chars which would fail HOTP sealing
Fixes https://github.com/osresearch/heads/issues/1167
Circumvents https://github.com/Nitrokey/nitrokey-pro-firmware/issues/32
Adds validation so user cannot enter GPG User PIN > 64 while we are at it.

Note that GPG PINs can be up to 64 characters.
But GPG Admin PIN will fail HOTP sealing with GPG Admin PIN of more then 25 chars.

Edit: change upstream error to firmware issue, not nitrokey-app.
2022-06-02 14:08:39 -04:00
Thierry Laurion
37bb4906ce
oem-factory-reset: fix bug where it was impossible to just change LUKS passphrase without reencrypting encrypted container.
Since /etc/luks-functions are currently exporting passphrases tested good per cryptsetup to be reused in the code,
the logic calling both luks_reencrypt and luks_change_passphrase testing for non-empty luks_current_Disk_Recovery_Key_passphrase
was bogus.

This commit includes a new variable luks_new_Disk_Recovery_Key_desired which is set when reencryption is desired.
The 3 use cases (reencrypt+passphrase change, reencrypt no passphrase change and passphrase change alone now only test
for luks_new_Disk_Recovery_Key_desired and luks_new_Disk_Recovery_Key_passphrase_desired, nothing else.
2022-05-03 16:41:07 -04:00
Thierry Laurion
70572fd100
oem-factory-reset: Only set default boot option if no TPM Disk Unlock Key
This continues to generate checksums and sign them per new GPG User PIN, but does not set a default boot option.
The user hitting Default Boot on reboot will go through having to setup a new boot default, which will ask him to setup a Disk Unlock Key if desired.

Otherwise, hitting Default Boot goes into asking the user for its Disk Recovery Key passphrase, and requires to manually setup a default boot option.
2022-04-13 14:29:54 -04:00
Matt DeVillier
f3d4924646
/bin/reencrypt-luks: rename to /etc/luks-functions
Move/rename as file is only sourced, not directly executed

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2022-04-06 17:17:07 -05:00
Thierry Laurion
9760181d09
Uniformize time display so it includes timezone
date=`date "+%Y-%m-%d %H:%M:%S %Z"`
2022-03-25 18:46:13 -04:00
Thierry Laurion
8f390f97c2
add integrity report in case some public key is already fused in firmware
- initrd/bin/oem-factory-reset: adds a measured integrity output prior of prompts. Goal is for stating TOTP/HOTP/boot detached signed measurements prior of initiating a Re-Ownership, validating provisioned OEM state.
2022-03-25 13:31:26 -04:00
Thierry Laurion
dacd99c629
add re-encrypting and passphrase change options to oem-factory-reset
- initrd/bin/oem-factory-reset: add 2 additional prompts defaulting to N, also explaining why its important.
2022-03-23 15:55:42 -04:00
Thierry Laurion
9016ebccc2 OEM Factory Reset -> OEM Factory Reset / Re-Ownership (with customs passwords and provisioned info given)
oem-factory-reset: adapt code so that custom passphrases can be provided by user without changing oem factory reset workflow.
    oem-factory-reset: output provisioned secrets on screen at the end of of the process.
    oem-factory-reset: warn user of what security components will be provisioned with defaults/customs PINs prior of choosing not after
    gui-init and oem-factory-reset: change OEM Factory Reset -> OEM Factory Reset / Re-Ownership to cover actual use cases
2022-03-11 14:24:54 -05:00
icequbes1
b35e1bcbb3 oem-factory-reset: fix whiptail height/width order 2021-11-24 17:00:25 -05:00
Thierry Laurion
2fc8813fc6 oem-factory-reset: fix output when fbwhiptail is not used
- Fixed inversed HEIGHT and WIDTH usage
- Fixed height to 30 and width to 90 as everywhere else

This was causing a blank screen when whiptail without framebuffer (fbwhiptail) was used.
Actually, it seems like the width and height under whiptail calls are only taken into consideration under NEWT, not FBWHIPTAIL.
2021-10-29 13:45:22 -04:00
Matt DeVillier
61124979ec
oem-factory-reset: fix custom comment entry
copy/paste error resulted in user-entered comment never
being set/checked/used, and email address being overwritten.
Fix variable usage so comment and email are set correctly.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-21 18:34:48 -05:00
Matt DeVillier
32716c8ce6 gui*: Improve consistency of background color use
Persist the background color (and error state) through
the main menu and all submenus. Use warning
background color for destructive operations, error color
for errors.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-15 14:42:15 -04:00
Thierry Laurion
64b1712e78
oem-factory-reset: set default KEY_LENGTH to 3072 and change expectation management message to console (Fixes #919) 2020-12-10 10:33:02 -05:00
alex-nitrokey
e31d6dcb8e Default to 4096 bit for OEM factory reset 2020-11-24 12:48:41 +01:00
Matt DeVillier
e7faac20db oem-factory-reset: Allow use without an installed OS
If an installed OS is not detected, then skip setting the
default boot device or generating /boot checksums.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-10-27 18:01:42 -04:00
Matt DeVillier
6a3bb5897a Drop duplicate board-specific background color configs
Set and export currently-used defaults in gui-init, but still
allow for inidividual boards to override via config if desired.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-10-27 16:19:46 -04:00
Tom Hiller
636e40456e
fix: update chesksums of filenames with spaces (#847)
Signed-off-by: Tom Hiller <thrilleratplay@gmail.com>
2020-10-18 14:46:57 -04:00
tlaurion
ae9fb74759
Merge pull request #763 from Nitrokey/storage-factoryreset
Delete AES keys of Nitrokey Storage after reset
2020-08-06 16:14:01 -04:00
alex-nitrokey
872a4b0488 Merge remote-tracking branch 'upstream/master' into storage-factoryreset 2020-08-05 11:49:18 +02:00
alex-nitrokey
a224c43026 Add PID for Storage 2020-08-05 11:49:06 +02:00
Alexander Paetzelt
c725f869e2
Merge branch 'master' into gpgexport-factoryreset 2020-08-05 10:49:04 +02:00
tlaurion
3c551cc249
Merge pull request #784 from MrChromebox/default_boot_fixes
Fix OEM factory reset and setting of default boot with F32
2020-07-30 15:42:08 -04:00
tlaurion
624faa1a9d
Merge pull request #778 from MrChromebox/usb_gui_tweaks
USB / GUI Tweaks
2020-07-30 13:54:25 -04:00
Matt DeVillier
97143953e8
Fix check for valid boot options
-r will always succeed since the file will be generated regardless
of number of boot entries found. Use -s instead to check for zero
file size.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-07-29 00:24:11 -05:00
Matt DeVillier
4c64ca631a
oem-factory-reset: Fix index used for default boot option
Since we sort the boot options prior to selecting the new default entry,
we need to use the index of the entry in the list prior to being sorted,
vs always setting it as 1. This fixes setting/booting of the default
OS target where the list entries are changed when calling sort.

Test: perform OEM factory reset with Fedora 32 installed, verify
default boot succeeds followng reset.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-07-29 00:24:01 -05:00
Matt DeVillier
009c10465a
oem-factory-reset: Parse BLS format grub files
The same grub parsing logic used in kexec-select-boot should
be used here as well, so copy it over.

Test: oem-factory-reset succeeds with Fedora 32 installed.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-07-29 00:23:50 -05:00
Matt DeVillier
5005c92953
oem-factory-reset: Improve readability of error output
Use fold to wrap long lines. Don't show pubkey filename if not needed.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-07-21 09:47:55 -05:00
Matt DeVillier
c2c45dae0e
Encapsulate changes to working directory inside subshells
For the handful of operations which need to be done with /boot
as the pwd, encapsulate them in subshells to ensure the pwd
doesn't unexpectedly change for other operations, as functions
which need to mount/unmount /boot may fail if the pwd isn't root.

Also, set the pwd to root at the start of detect_boot_device as an
added safety measure.

Test: run oem-factory-reset function, ensure it doesn't fail to
detect boot device due to incorrect working directory.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-07-13 17:30:00 -05:00
Alexander Paetzelt
6fe409aaf3 Still need the exported pubkey file 2020-07-07 11:16:18 +02:00
Alexander Paetzelt
43971dc029 Make export to USB drive an option 2020-07-07 10:32:22 +02:00
alex-nitrokey
19cd15cf96
Remove gnupg pubkey export in oem-factory-reset
Since #758 is merged, users have a option to export GnuPG pubkey if
necessary. Thus, we they do not need to insert a USB drive during
factory reset. Until now the whole process failed just because a user
did not provide a USB drive instead.

This shall be fixed by this commit
2020-06-30 19:16:10 +02:00
alex-nitrokey
30236ffbaa
Delete AES keys of Nitrokey Storage after reset
If smartcard Nitrokey Storage was factory-reset, we delete AES keys on
it as well.

Explaination: After oem-factory-reset was started the AES on the Nitrokey Storage that is used for the encrypted volume and the password safe is is not usable anymore because the smart card was factory-reset. To make it usable, a user needs to delete it via Nitrokey App. By doing so, the HOTP secret is deleted as well, resulting in a bad warning in Heads. Therefore, we are resetting AES key right after factory-reset with hotp_verification
2020-06-30 18:29:42 +02:00