Exception: scripts sourcing/calls within etc/ash_functions continues to use old TRACE functions until we switch to bash completely getting rid of ash.
This would mean getting rid of legacy boards (flash + legacy boards which do not have enough space for bash in flash boards) once and for all.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
When playing with long fbwhiptail/whiptail messages, this commit played around the long string using fold.
'''
echo -e "This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue." | fold -w 70 -s
'''
Which gave the exact output of what will be inside of the fbwhiptail prompt, fixed to 70 chars width:
'''
This will replace the encrypted container content and its LUKS Disk
Recovery Key.
The passphrase associated with this key will be asked from the user
under the following conditions:
1-Every boot if no Disk Unlock Key was added to the TPM
2-If the TPM fails (hardware failure)
3-If the firmware has been tampered with/modified by the user
This process requires you to type the current LUKS Disk Recovery Key
passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set
up, by setting a default boot LUKS key slot (1) if present.
At the next prompt, you may be asked to select which file corresponds
to the LUKS device container.
Hit Enter to continue.
'''
Therefore, for long prompts in the future, one can just deal with "\n 1-" alignments to be respected in prompts and have fold deal with cutting the length of strings properly.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Add TRACE_FUNC to trace the file, line, and name of the calling
function. File and function names don't have to be duplicated in a
TRACE statement with this (they tend to become inaccurate as functions
are renamed and the TRACE statement is forgotten).
Add DEBUG_STACK to dump the bash stack to debug output.
Configure bash with --enable-debugger. Bash doesn't actually include
the entire debugger, this is just some supporting variables for it.
Evidently, BASH_SOURCE[n] is only set within a function if this is
enabled. I couldn't find this indicated in any documentation, but it
happened in practice.
Compressed initrd size only increased by 2560 bytes for librem_mini_v2,
I think that is fine. This also gives us BASH_ARGC/BASH_ARGV which
might be useful for diagnostics.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Prompt for TPM owner password internally within tpm2_counter_create.
Add tpm1_counter_create to prompt for password internally. Wipe the
cache in either if the operation fails, in case the password was
incorrect.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
- document why shred is still called under functions:check_tpm_counter for safety and add TODO there
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
gui-init: make sure that reseal_tpm_disk_decryption_key happens only on successful TOTP/HOTP sealing, reusing cached TPM Owner password
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Changes:
- As per master: when TOTP cannot unseal TOTP, user is prompted to either reset or regenerate TOTP
- Now, when either is done and a previous TPM Disk Unlock Key was setuped, the user is guided into:
- Regenerating checksums and signing them
- Regenerating TPM disk Unlock Key and resealing TPM disk Unlock Key with passphrase into TPM
- LUKS header being modified, user is asked to resign kexec.sig one last time prior of being able to default boot
- When no previous Disk Unlock Key was setuped, the user is guided into:
- The above, plus
- Detection of LUKS containers,suggesting only relevant partitions
- Addition of TRACE and DEBUG statements to troubleshoot actual vs expected behavior while coding
- Were missing under TPM Disk Unlock Key setup codepaths
- Fixes for #645 : We now check if only one slots exists and we do not use it if its slot1.
- Also shows in DEBUG traces now
Unrelated staged changes
- ash_functions: warn and die now contains proper spacing and eye attaction
- all warn and die calls modified if containing warnings and too much punctuation
- unify usage of term TPM Disk Unlock Key and Disk Recovery Key
prepare_thumb_drive: default to creating 10% LUKS container on usb drive, prompts for passphrase is not provided and scan drives if no --device specified
NOTE: qemu usb_thumb drive of 128 mb are not big enough so that 10% of it (12mb) can be used to create thumb drive.
Adds:
- e2fsprogs to support ext4 filesystem creation through mke2fs
- add /etc/mke2fs.conf so that mke2fs knows how to handle ext2/ext3/ext4
- removes mke2fs support from busybox
- bump busybox to latest version which adds cpu accelerated hash functions (not needed per se here)
- Adds exfatprogs to have mkfs.exfat and fsck.exfat
- Adds prepare_thumb_drive /etc/luks-functions to be able to prepare a thumb drive with percentage of drive assigned to LUKS, rest to exfat
- Modify most board configs to test space requirements failing
- Talos2 linux config: add staging Exfat support
- Make e2fsprogs and exfatprogs included by default unless explicitely deactivate in board configs
- Change cryptsetup calls : luksOpen to open and luksClose to close to addresss review
- etc/luks_functions: cleanup
GOAL here is to have secure thumb drive creation which Heads will be able to use to backup/restore/use generated GPG key material in the future (next PR)
HOTP/TOTP secrets don't have to be printable. Use binary data to
include 160 bits of entropy instead of just 80.
The secret is still limited to 20 bytes. Most keys now support up to
40 bytes, but tpmtotp is still limited to 20 bytes.
Move the truncation to 20 bytes a bit later, for future improvements to
detect the key's actual limit.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
flash.sh had a special mode to read (like -r) and then sha256sum the
resulting file. This is no different from just a read followed by a
sha256sum, and the only caller also had logic to sha256sum a cached
file anyway.
Just use flash.sh -r and sha256sum the result.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Allow configuring the root hash feature when the variables are not set
initially. This worked on Librem boards because the boards all have
defaults for these variables, but didn't work when those defaults were
not present.
Fix set_config function to put quotes around an added variable's value.
Change load_config_value function to default to empty, so it can be
used with non-boolean variables. None of the existing callers cared
about the 'n' default (boolean variables should always be tested ="y"
or !="y" anyway).
Use load_config_value in config-gui.sh for boot device and the root
hash parameters, so unset defaults do not cause a failure. Improve the
prompts so the "current value" text only appears if there is a current
value. Use set_config instead of replace_config so the variables will
be added if needed.
Prevent enabling the root hash feature if it hasn't been configured
yet.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Remove brand name from this configuration variable. For backward
compatibility, update config.user in init if the branded variable is
present.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Stop manually loading config values, just update config in environment.
Never test values against "n", since many default to empty. Always
test ="y" or !="y", any other value is off.
Add set_user_config() function to set a value in config.user,
combine configs, and update config in environment. Use it in setting
implementations.
Remove toggle_config, it wasn't very useful because the settings still
test y/n in order to show specific confirmation and success messages.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Blob jail provides device firmware blobs to the OS, so the OS does not
have to ship them. The firmware is passed through the initrd to
/run/firmware, so it works with both installed and live OSes, and there
are no race conditions between firmware load and firmware availability.
The injection method in the initrd is specific to the style of init
script used by PureOS, since it must add a copy command to copy the
firmware from the initrd to /run. If the init script is not of this
type, boot proceeds without device firmware.
This feature can be enabled or disabled from the config GUI.
Blob jail is enabled automatically if the Intel AX200 Wi-Fi module is
installed and the feature hasn't been explicitly configured.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
PureBoot Basic mode provides the full Linux userspace in firmware from
Heads without requiring verified boot or a Librem Key. Basic and
verified boot can be switched freely without changing firmware, such as
if a Librem Key is lost.
PureBoot Basic can apply firmware updates from a USB flash drive, and
having a complete Linux userspace enables more sophisticated recovery
options.
Basic mode boots to the first boot option by default, setting a default
is not required. This can be configured in the config GUI.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
enable_usb_storage() inserts usb-storage.ko if not already loaded, then
waits for USB storage devices to appear.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Extract utilities from config-gui.sh for use in additional config
settings. read_rom() reads the current ROM with a message for failure.
replace_rom_file() replaces a CBFS file in a ROM. set_config() sets a
configuration variable in a file.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
On machines without a TPM, we'd still like some way for the BIOS to
attest that it has not been modified. With a Librem Key, we can have the
BIOS use its own ROM measurement converted to a SHA256sum and truncated
so it fits within an HOTP secret. Like with a TPM, a malicious BIOS with
access to the correct measurements can send pre-known good measurements
to the Librem Key.
This approach provides one big drawback in that we have to truncate the
SHA256sum to 20 characters so that it fits within the limitations of
HOTP secrets. This means the possibility of collisions is much higher
but again, an attacker could also capture and spoof an existing ROM's
measurements if they have prior access to it, either with this approach
or with a TPM.
Signed-off-by: Kyle Rankin <kyle.rankin@puri.sm>
TPM password must be 1-32 characters. Loop if the password is not
valid or the repeated password doesn't match, so the user can try
again.
Move prompt_new_owner_password to functions and use in both gui-init
and tpm-reset.
Fixes#1336
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
init must use busybox ash because it is used on legacy-flash boards.
Change shebang, move needed functions to ash_functions.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Multiple traps overwrite each other. While no tpmr functions have more
than one trap right now, it is fragile, and the quoting is complex due
to double expansion. Use at_exit to add exit handlers that accumulate
and do not require special quoting.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
We just set the TPM owner password, so there's no need to make the user
enter it again. Eliminates some failure modes if the user mistypes it
or enters the wrong password.
Allow optionally passing in the TPM owner password in tpmr seal,
check_tpm_counter(), seal-totp, and generate_totp_htop(). The user is
still prompted if the password is needed but was not provided, so
existing uses in other contexts continue to work unchanged.
Prompt for the password in reset_tpm() and pass it down to each of the
above.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
gui-init: do not consume two unseal attempt to unseal both totp and hotp + cosmetic changes (slow down TPM DA lockout)
kexec-seal-key: Add DEBUG statement for PCR precalc
seal-totp: add DEBUG statements regarding skipping of PCR5 and PCR6 involvement into TOTP/HOTP sealing ops
seal-hotpkey: Add DEBUG statements related to reuse of TOTP sealed secret
tpmr: add DO_WITH_DEBUG calls to output pcrread and extend calls
tpmr: typo correction stating TRACE calls for tpm2 where it was for tpm1
tpmr: add DO_WITH_DEBUG calls for calcfuturepcr
functions: Cosmetic fix on pause_recovery asking user to press Enter to go to recovery shell on host console when board defines CONFIG_BOOT_RECOVERY_SERIAL
Not so related but part of output review and corrections:
kexec-insert-key: cosmetic changes prepending "+++" to disk related changes
kexec-save-default: cosmetic changes prepending "+++" to disk related changes
config/coreboot-qemu-tpm*.config: add ccache support for faster coreboot rebuild times
Provide mask_param() function to uniformly mask secret parameters,
while still indicating whether they are empty.
Extend DO_WITH_DEBUG to allow masking a password parameter by position,
using mask_param(). Move from ash_functions to functions (isn't used
by ash scripts).
Mask password parameters in kexec-unseal-key and tpmr seal. Use
mask_param() on existing masked params in tpmr.
Trim more troubleshooting output from tpm2_extend() in tpmr.
Clarify tpmr kexec_finalize echo; it's the TPM's platform heirarchy,
users might not know what this was referring to.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Busybox no longer has CONFIG_BASH since we are deploying bash on most
boards. We also should clearly indicate which scripts cannot use
bashisms.
Change shebang in x230-flash.init, t430-flash.init, flash.sh to
/bin/ash. Execute /bin/sh for interactive shells.
Move key functions needed by those scripts to initrd/etc/ash_functions.
Source ash_functions instead of functions in those scripts, so any
bashisms in other functions won't break parsing of the script in ash.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Use /bin/sh (ash in busybox builds) for interactive shells, not bash.
Preparation for trimming interactive features from bash to reduce size.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Trace parameters to seal/unseal and some key tpm2 invocations. Trace
invocation of tpmr seal/unseal for disk unlock key.
Add DO_WITH_DEBUG() to trace a command and parameters, then execute it.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
- /tmp/debug.log is created and appended by all TRACE and DEBUG calls in code
- fix some logic errors seen when no DEBUG entry were outputted in /tmp/debug.log
Most logic throughout Heads doesn't need to know TPM1 versus TPM2 (and
shouldn't, the differences should be localized). Some checks were
incorrect and are fixed by this change. Most checks are now unchanged
relative to master.
There are not that many places outside of tpmr that need to
differentiate TPM1 and TPM2. Some of those are duplicate code that
should be consolidated (seal-hotpkey, unseal-totp, unseal-hotp), and
some more are probably good candidates for abstracting in tpmr so the
business logic doesn't have to know TPM1 vs. TPM2.
Previously, CONFIG_TPM could be variously 'y', 'n', or empty. Now it
is always 'y' or 'n', and 'y' means "any TPM". Board configs are
unchanged, setting CONFIG_TPM2_TOOLS=y implies CONFIG_TPM=y so this
doesn't have to be duplicated and can't be mistakenly mismatched.
There were a few checks for CONFIG_TPM = n that only coincidentally
worked for TPM2 because CONFIG_TPM was empty (not 'n'). This test is
now OK, but the checks were also cleaned up to '!= "y"' for robustness.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>