Thierry Laurion
2a04fb5650
oem-factory-reset: RSA default should be 3072, not 3076. squash
...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:08:22 -04:00
Thierry Laurion
a3086e9a1c
Remove TODO in code that were not relevant prior of first review
...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:08:19 -04:00
Thierry Laurion
ad1bff6b23
oem-factory-reset: make initial questionnaire more concise
...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:08:16 -04:00
Thierry Laurion
38fc097976
Squash: revert testing changes for RSA and unify once more USB Security dongle's usage
...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:08:13 -04:00
Thierry Laurion
867fb8d023
RSA keygen adaptation testing with rsa 2048 in memory keygen and key to card missing pieces
...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:08:09 -04:00
Thierry Laurion
e6eeb571b0
oem-factory-reset: simplify provisioned secret output at end of wizard, including GPG key material output passphrase (uses strings+=string)
...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:08:06 -04:00
Thierry Laurion
c3a5359a85
Squash: remove DEBUG that were TODO for removal
...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:08:03 -04:00
Thierry Laurion
8a8634f6a3
oem-factory-reset seal-hotpkey: unify prompts and vocabulary
...
oem-factory-reset: bugfix, keytocard inverts prompts. First is keyring then smartcard.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:08:00 -04:00
Thierry Laurion
7cd44b6dc4
oem-factory-reset: further cleaning of code for proper validation and consistency checks for passphrases. Also skip flashing code on qemu boards with short explanation
...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:07:56 -04:00
Thierry Laurion
9c3fb35358
initrd/bin/reboot: BugFix in nv41/ns50 condition check to call nitropad-shutdown.sh (otherwise output error on console for improper condition in ash
...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:07:53 -04:00
Thierry Laurion
7f5d9700b7
gpg_auth function was not failing properly on failing, die instead
...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:07:50 -04:00
Thierry Laurion
05fc4c1747
PCR extend ops inform users on what happens, otherwise we tpm commands output on screen without context
...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:07:47 -04:00
Thierry Laurion
9e838ad615
oem-factory-reset: make passphrases variables able to contain strings and validate things more solidly
...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:07:43 -04:00
Thierry Laurion
56b602974b
WiP: NK3 with p256 ECC algo supported for in-memory keygen and key-to-card op. With this commit, one can provision NK3 with thumb drive backup which enables authenticated recovery shell and USB boot.
...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:07:40 -04:00
Thierry Laurion
2b21623bc6
qemu doc: add modify list/mount instructions to use losetup to map partitions to loop0pX and mount them to get public key
...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:07:37 -04:00
Thierry Laurion
b2cb9b4997
.ash_history: add history command for manual detached signed integrity validation
...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:07:34 -04:00
Thierry Laurion
cf065eeba2
bin/reboot: fix parameter order so that we pause when in DEBUG before rebooting
...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:07:30 -04:00
Thierry Laurion
27c457f04b
TPM2 DUK and TOTP/HOTP reseal fix, refactoring and ifferenciating tpm_password into tpm_owner_password and reusing correctly
...
i
TODO: fix all TODO in PR prior of review + squash
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:07:27 -04:00
Thierry Laurion
729f2b17b8
WiP to be squashed: we need to refactor prompt_tpm_password which is used both for TPM Owner Password prompt and caching reused for TPM disk unlock key passphrase which of course fails
...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:07:24 -04:00
Thierry Laurion
15f1d0b77a
To Squash: changes to reboot were not ash compliant
...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:07:21 -04:00
Thierry Laurion
3fb84f0b42
WiP: Clean cached /tmp/secret/tpm_password when sealing fails, otherwise reuse it on TPM Reset/TOTP+HOTP Sealing once for TPM1/TPM2+TPM Disk Unlock Key
...
gui-init: make sure that reseal_tpm_disk_decryption_key happens only on successful TOTP/HOTP sealing, reusing cached TPM Owner password
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:07:17 -04:00
Thierry Laurion
911eb07565
TPM1/TPM2: unify wording for TPM Owner Password and cache it externally to /tmp/secret/tpm_password to be reused in a boot session until recovery shell access or reboot
...
TODO: Why two functions prompt_tpm_password and prompt_new_owner_password
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:07:14 -04:00
Thierry Laurion
754e3c9165
bin/reboot: intercept reboot call when in DEBUG mode to type 'r' to go to recovery shell instead of rebooting
...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:07:11 -04:00
Thierry Laurion
2ea62ff17e
/etc/functions: add missing TRACE traces to get where TPM passphrase should be written to file and reused since not all in same functions/files for TPM2
...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:07:08 -04:00
Thierry Laurion
2ae94405ad
WiP: add export CONFIG_HAVE_GPG_KEY_BACKUP=y so whiptail-tpm2 can be used with GPG key material thumb drive backup
...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:07:04 -04:00
Thierry Laurion
88d00dfcb2
scripts: unify luks in text/prompts/messages to LUKS
...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:07:01 -04:00
Thierry Laurion
2697a6ad1f
WiP: further removal of unecessary debug messages
...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:06:58 -04:00
Thierry Laurion
1f28c71447
WiP: adapt dmesg in function of CONFIG_DEBUG_OUTPUT being enabled or not so and adapt further troubleshooting notes in code when keys cannot be accessed on media for whatever cause so user can understand what is happening when accessing GPG material on backup thumb drive
...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:06:55 -04:00
Thierry Laurion
eceb97aa4d
WiP: provide proper info/warn/die messages explaining causes of errors linked to detach signing errors
...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:06:51 -04:00
Thierry Laurion
2c55338be5
Wip: now supports both backup and copy to card and gpg_auth when backup exists. Might want to discuss that implementation. Some functions needed to be moved from functions to ash_functions so that gpg_auth can be called from recovery function. That might need to be discussed as well, recovery could be moved from ash_functions to functions instead.
...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:06:48 -04:00
Thierry Laurion
b1e5c638cd
WiP
...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:06:45 -04:00
tlaurion
bcd269318f
Merge pull request #1514 from tlaurion/confirm_rom_hash_before_flashing
...
bin/flash-gui.sh & initrd/bin/flash.sh: Show SHA256SUM for manual verification prior of flashing
2023-10-31 16:48:27 -04:00
Thierry Laurion
c0cf446034
flash-gui.sh: add proper checks and cleanup in case of npf rom archive
2023-10-31 09:47:47 -04:00
Thierry Laurion
eb1032a55d
flash-gui.sh: Add SHA256SUM and rom name in non npf rom prompt for manual hash verification
2023-10-31 09:34:29 -04:00
tlaurion
f540f2a335
Merge pull request #1430 from gaspar-ilom/w541-support
...
Support Thinkpad W541
2023-10-30 15:41:14 -04:00
tlaurion
1733552fe7
Merge pull request #1505 from JonathonHall-Purism/upstream_28.1_librem_11
...
Add support for Librem 11
2023-10-30 15:38:02 -04:00
gaspar-ilom
2e8239c5e7
add configuration for w541
...
closes #1389
2023-10-23 21:52:09 +02:00
tlaurion
e1d972be37
Merge pull request #1517 from tlaurion/pass_debug_call_output_to_kmsg_one_line_at_a_time
...
BugFix: Pass debug call output to kmsg one line at a time
2023-10-21 14:39:08 -04:00
Thierry Laurion
139f77113c
ash_functions: make DEBUG call pass multiline messages one at a time to /tmp/debug.log and kmsg
2023-10-21 14:37:31 -04:00
tlaurion
9e55e08ac0
Merge pull request #1512 from tlaurion/update_qubes_release_signing_keys
...
qubes release signing keys: move qubes-4.key to qubes-4.1.key, add qubes-4.2.key
2023-10-18 14:11:54 -04:00
Thierry Laurion
576e2a8fff
qubes release signing keys: move qubes-4.key to qubes-4.1.key, add qubes-4.2.key
2023-10-18 13:37:22 -04:00
tlaurion
5002198bb1
Merge pull request #1510 from tlaurion/debian-11_dependencies_fix_for_openssl_module_build
...
CircleCI: fix debian-11 packages dependencies (#1507 )
2023-10-17 17:56:52 -04:00
tlaurion
f78786705e
Merge pull request #1509 from tlaurion/whiptail_respect_lowercase_uppercase_choices
...
newt(whiptail): fix code that was doing toupper of input
2023-10-17 13:30:47 -04:00
Thierry Laurion
44fa663d60
CircleCI: fix debian-11 packages dependencies ( #1507 )
2023-10-17 09:40:57 -04:00
Jonathon Hall
c859c28b88
blobs/librem_jail/README: Fix spelling
...
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-10-12 13:35:26 -04:00
Jonathon Hall
e6272b70fb
initrd/.ash_history: Add comments after reboot/poweroff
...
Add comments after reboot/poweroff to clarify what they do. These
commands are here partly for discoverability by users who might not
know what to do in a recovery shell, so clarifying their purpose helps
those users figure out what to do.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-10-12 13:24:49 -04:00
Thierry Laurion
498a78af57
newt(whiptail): fix code that was doing toupper of input
2023-10-11 15:47:53 -04:00
tlaurion
bd2a8eb96e
Merge pull request #1478 from tlaurion/stenghten_entropy_sources_with_jitter_and_TPM
...
Have CRNG avail early on boot and maximize ligcrypt entropy sources/efficiency
2023-10-10 14:23:47 -04:00
Thierry Laurion
9addb3b6b0
qemu board doc: add Nitrokey3NFC in md doc
2023-10-10 12:30:41 -04:00
Thierry Laurion
65e5286b5a
init: enable cttyhack so that init launches BOOTSCRIPT in a controlled terminal. DEBUG/TRACE now output on /dev/kmsg and console.
2023-10-10 12:28:52 -04:00