746 Commits

Author SHA1 Message Date
gaspar-ilom
e647e20b4a
refactor printing of battery state to confuse less users
only print the battery manufacturer in case there is more than one battery, otherwise omit it

make the code more readable for non-bash developers

extract common functions

Signed-off-by: gaspar-ilom <gasparilom@riseup.net>
2025-02-26 23:42:02 +01:00
gaspar-ilom
02bfdeec98
apply the same fix for displaying the battery state to: initrd/bin/oem-system-info-xx30
Signed-off-by: gaspar-ilom <gasparilom@riseup.net>
2025-02-24 14:15:20 +01:00
Thierry Laurion
f02ab497a1
System Info (battery info): dependent functions: add tracing and debug
Repro:
On QEMU (no battery, debug + tracing on):
[   41.792342] TRACE: /bin/gui-init(383): show_main_menu
[   44.722784] TRACE: /etc/gui_functions(167): show_system_info
[   44.765643] TRACE: /etc/functions(1241): print_battery_charge
[   44.846725] DEBUG: No battery found in /sys/class/power_supply/
[   44.899241] TRACE: /etc/functions(1224): print_battery_health
[   45.009917] DEBUG: No battery found in /sys/class/power_supply/

Battery info not provided under whiptail output.
Info for battery depends on linux kernel enablement. Maybe something missing for t480.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2025-02-18 08:45:41 -05:00
Thierry Laurion
e2d1a87809
non-hotp boards: skip Secrets App reset with hotp_verification if binary doesn't exit
nk3 was not tested on non-hotp boards. Make sure both hotp_verification and nk3 are present before resetting Secrets App

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2025-02-03 15:10:13 -05:00
Thierry Laurion
836af32a42
BUGFIX >2tb drives: replace all fdisk -l calls with stderr suppression (workaround)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2025-01-20 14:15:06 -05:00
Jonathon Hall
22a86e6d48
oem-factory-reset: Only badger user to record passphrases if generated
There are many flows through oem-factory-reset that use passwords
provided by the user or basic defaults to be changed later.  We don't
need to badger the user to record those passwords.

Still do this if we generated diceware passwords though, as the user
does not know them yet.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2025-01-16 11:31:30 -05:00
Thierry Laurion
930d3e6114
BUGFIX: replace direct calls from LOG to INFO, so that only DO_WITH_DEBUG uses LOG. INFO manages console output to log or console
Quiet mode introduced output reduction to console to limit technical info provided to end users.
Previous informational output (previous default) now outputs this now considered additional information through INFO() calls, which either outputs to console, or debug.log
Only DO_WITH_DEBUG should call LOG directly, so that stderr+stdout output is prepended with LOG into debug.log

This fixes previous implementation which called LOG in DO_WITH_DEBUG calls and modified expected output to files, which was observed by @3hhh in output of GRUB entries when selecting boot option.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2025-01-13 11:00:14 -05:00
Thierry Laurion
af59704bc5
TODOs: remove no more relevant ones code per review
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 15:06:27 -05:00
Thierry Laurion
94dd788249
seal-hotpkey: change warning when default GPG Admin PIN/Secrets app PIN is detected
Additional 0.5h for applying changes linked to code review under https://github.com/linuxboot/heads/pull/1875
Linked to Nitrokey unacknowledged RfP https://github.com/linuxboot/heads/issues/1866 that continues to grow past the 40h (now near 42... but unpaid because 'unplanned'... As if this was planned on my side.)

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 14:14:58 -05:00
Thierry Laurion
696ecf54cd
initrd/bin/seal-hotpkey: fix regression of hotp_verification 1.7+ version bump output parsing for <nk3
As tested working with old librem key fw 0.10: works
Log entry of additional 30 minutes for https://github.com/linuxboot/heads/pull/1875 (I cannot not fix with my time @jans23 https://github.com/linuxboot/heads/issues/1866, since nk3 is not the only dongle supported by Heads)

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:22:38 -05:00
Thierry Laurion
d2b84597bf
tpmr: check for CONFIG_TPM2_CAPTURE_PCAP=y to export TPM comms under /tmp/tpm0.pcap (not just check for existence of CONFIG_TPM2_CAPTURE_PCAP under env)
So that export CONFIG_TPM2_CAPTURE_PCAP=n across all boards doesn't break and so that it's easy for auditors to just toggle on in board configs

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:22:32 -05:00
Jonathon Hall
0825b57e29
config-gui.sh: Combine quiet mode / debug output to one output setting
These two settings are exclusive, so they would disable each other if
enabled.  Present them as one setting with three output levels.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:22:03 -05:00
Jonathon Hall
8e630e0e4d
seal-totp: Print plain secret instead of URL for manual entry
Don't print the URL and then explain how to get the secret out of it,
just print the secret.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:21:57 -05:00
Jonathon Hall
a06ead69bc
tpmr: Don't continue blindly if a TPM reset step fails
If a TPM reset step fails, don't blindly continue onto the other
steps.  Use DO_WITH_DEBUG to trace failures, so they're visible in the
log but we still exit due to set -e.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:21:51 -05:00
Jonathon Hall
c4bb4107ab
tpmr: Use SINK_LOG rather than temp file, avoid doubled log output
Use SINK_LOG to capture tpm2 unseal rather than a temp file.

Don't double up output from tpm "$@" to log; DO_WITH_DEBUG already
captures it.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:21:45 -05:00
Thierry Laurion
e1a263ce3b
init: warn user that if CONFIG_QUIET_MODE was enabled in board config at build time but disabled through Configuration Settings applied override, early measurement output got suppressed
Also tell user that those early suppressed messages can be seen under /tmp/debug.txt

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:21:28 -05:00
Thierry Laurion
07218df9cb
initrd/bin/kexec-select-boot: clarify that TPM2 primary handle HASH is created upon setting default boot (was not clear)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:21:22 -05:00
Thierry Laurion
eb63d4d46a
oem-factory-reset: remove duplicate output 'Checking for USB Security dongle...'
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:21:16 -05:00
Thierry Laurion
02d8ce8d0d
kexec-save-default kexec-select-boot: fix primary handle once more. Can't wait we get rid of this... file must exist and not be empty, and hash output to console must not be silenced
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:20:53 -05:00
Thierry Laurion
1e6079620a
TPM2 primary handle debugging once more. Can't wait we get rid of this...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:20:47 -05:00
Thierry Laurion
885af7d39f
kexec-select-boot+kexec-save-default: Quiet mode; remove last rollback counters printed to console
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:20:29 -05:00
Thierry Laurion
91299fd89b
seal-totp: contextualize qr code output for manual input of those without qr scanner app in mobile phone
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:20:23 -05:00
Thierry Laurion
b5c24f2447
init+cbfs-init: refactor and explain why quiet mode cannot suppress measurements of cbfs-init extracted+measured TPM stuff if not in board config
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:20:06 -05:00
Thierry Laurion
08f52af033
Deprecate ash in favor of bash shell; /etc/ash_functions: move /etc/ash_functions under /etc/functions, replace TRACE calls by TRACE_FUNC, remove xx30-flash.init
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:20:00 -05:00
Thierry Laurion
4354cd4c22
config-gui.sh: Add quiet mode toggle, which turns off debug+tracing if enabled, and where enabling debug+tracing disables Quiet mode
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:19:54 -05:00
Thierry Laurion
53156c3917
WiP: staging changes, refusing to fight against tools helping me, formatting changed. sign after tpm-reset now to work around primary handle issue.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:19:42 -05:00
Thierry Laurion
0d3964274e
WiP: staging changes, warn loud and clear of weak security posture by using weak OEM defaults provisioned secrets
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:19:36 -05:00
Thierry Laurion
d768e80de6
WiP: staging changes, no more tpm output. Next warn /boot changed because hotp counter and primary handle until removed outside of this PR
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:19:30 -05:00
Thierry Laurion
c7ab861325
Turn some info on default boot into LOGged info, LOG might go out forever if not pertinent to most?
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:19:25 -05:00
Thierry Laurion
eca4e34176
WiP: staging changes
Attacking nv index next for TPM nvram read in prod_quiet testing

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:19:19 -05:00
Thierry Laurion
94b77e8704
WiP: staging changes
Insights:
- We should use oem generated pubkey naming to distinguish between oem/user generated keys and try to use default PINs also for GPG User to sign with default PIN and warn even if it works/doesn't, urging users to do reownership
- Point is that oem factory reset does in the direction of using randomized PINs, while continuing to use those for a user should be strongly discouraged

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:19:07 -05:00
Thierry Laurion
19fd98df2d
WiP: staging changes (TPM1 regression fixes for LOG/DEBUG on quiet mode)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:19:01 -05:00
Thierry Laurion
abc97fe1be
WiP: staging changes including https://github.com/linuxboot/heads/pull/1850 https://github.com/Nitrokey/nitrokey-hotp-verification/pull/43 and https://github.com/Nitrokey/nitrokey-hotp-verification/pull/46
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:18:55 -05:00
Jonathon Hall
54baa37d4a
oem-factory-reset: Stop adding leading blank lines in 'passphrases' msg
We're adding leading blank lines, which makes the prompt look odd and
now have to be removed later.  Just stop adding the leading blank
lines.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:18:43 -05:00
Thierry Laurion
ebf4d1d221
oem-factory-reset+seal-hotp nk3 hotp-verification info adaptations
- oem-factory-reset: fix strings for nk3 is from https://github.com/Nitrokey/nitrokey-hotp-verification/pull/43 is Secrets app, not Secret App singular, not App capitalized
- initrd/bin/seal-hotpkey: adapt to check nk3 Secrets App PIN counter if nk3, keep Card counters for <nk3 from https://github.com/Nitrokey/nitrokey-hotp-verification/pull/43
  - Unattended hotp_initialize output removed since we need physical presence to seal HOTP until https://github.com/Nitrokey/nitrokey-hotp-verification/issues/41 is fixed
  - Finally make seal_hotp use logic to detect if public key <1m old, use HOTP related PIN by default if counter is not <3, warn that re-ownership needs to be ran to change it since no security offered at all otherwise with HOTP
- unify format with linting tool

Tested in local tree against https://patch-diff.githubusercontent.com/raw/Nitrokey/nitrokey-hotp-verification/pull/43.patch, removing https://patch-diff.githubusercontent.com/raw/Nitrokey/nitrokey-hotp-verification/pull/46.patch
 - will revert the change above in PR once testing is over

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:18:18 -05:00
Thierry Laurion
847b4ddbdf
WiP seal-hotp: customize message to be GPG Admin PIN or Secure App PIN
TODO: check logic in this file because assumptions on PINs retry count are wrong and will depend on https://github.com/Nitrokey/nitrokey-hotp-verification/pull/43 not tested here

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:15:28 -05:00
Thierry Laurion
95473d6c89
kexec-sign-config: mount rw, write things to /boot, mount ro after
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:15:22 -05:00
Thierry Laurion
e25fb595b6
oem-factory-reset: reset nk3 secure app PIN early since we need physical presence, put nk3 secure APP PIN after TPM but before GPG PINS in output for consistency
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:15:17 -05:00
Thierry Laurion
c372370210
oem-factory-reset: set title_text accordingly to mode, either 'OEM Factory Reset Mode', 'Re-Ownership Mode' or 'OEM Factory Reset / Re-Ownership'
TODO: further specialize warning prompt to tell what is going to happen (randomized PIN, single custom randomized PIN etc)

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:15:11 -05:00
Thierry Laurion
789231fac3
oem-factory-reset: fix Secure App wording, prevent word globbing, warn that physical presence is needed
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:15:05 -05:00
Thierry Laurion
03e5ec0ddf
oem-factory-reset: if nk3, also display Secure App PIN = GPG Admin PIN as text and in Qr code
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:14:59 -05:00
Thierry Laurion
e01d346fe8
oem-factory-reset: don't set user re-ownership by default for now: use current defaults being DEF pins (12345678 and 123456 as master)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:14:53 -05:00
Thierry Laurion
fd136cd957
oem-factory-reset: add reset secure app PIN = ADMIN_PIN at reownership, make sure defaults are set for all modes, including default which uses current defaults being DEF pins (12345678 and 123456 as master)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:14:41 -05:00
Thierry Laurion
814f4fabd9
WiP: add nk3 secret app reset function and call it following security dongle reset logic
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:14:30 -05:00
Thierry Laurion
a6df16ec3c
WiP initrd/bin/oem-factory-reset: add qrcode+secret output loop until user presses y (end of reownership wizard secret output)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>

works:
- oem and user mode passphrase generation
- qrcode

missing:
- unattended
  - luks reencryption + passphrase change for OEM mode (only input to be provided) with SINGLE passphrase when in unattended mode
    - same for user reownership when previously OEM reset unattended

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:14:18 -05:00
Thierry Laurion
108e6ed0b1
WiP initrd/bin/oem-factory-reset: add --mode (oem/user) skeleton
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:14:06 -05:00
Thierry Laurion
f8fdfc7b8d
WiP initrd/bin/oem-factory-reset: format unification
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:14:00 -05:00
Thierry Laurion
d57a120912
initrd/etc/ash_functions: add GPG Admin/User PIN output grabbing on confirm_gpg_card presence call, echo for now, warn to input GPG User PIN when asked to unlock GPG card
Mitigate misunderstandings and show GPG User/Admin PIN counts until proper output exists under hotp_verification info to reduce global confusion

Add TODO under initrd/bin/seal-hotpkey to not forget to fix output since now outputting counter of 8 for Admin PIN which makes no sense at all under hotp_verification 1.6 https://github.com/Nitrokey/nitrokey-hotp-verification/issues/38

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:13:43 -05:00
Thierry Laurion
3726e9083f
initrd/bin/tmpr: silence tpm reset console output, LOG instead
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:13:37 -05:00
Thierry Laurion
48807de222
codebase: silence dd output while capturing output in variables when needed
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-12-21 13:13:31 -05:00