Commit Graph

285 Commits

Author SHA1 Message Date
alex-nitrokey
a16b97b6ea
Add more input validation
Based on tlaurion's work done here
ff148e4daf/initrd/bin/factory-reset-libremkey.sh (L53)
2020-03-26 15:05:51 +01:00
alex-nitrokey
f0f6e80e95
Add option to choose GnuPG userinfo during OEM reset 2020-01-02 17:29:11 +01:00
tlaurion
81e7c1b636
Merge pull request #575 from merge/remove_keylime
initrd: remove unused keylime-init
2019-11-28 10:52:37 -05:00
Martin Kepplinger
81df949632 oem-factory-reset: Fix description for rebooting when finished
As is in many cases in Heads, not any key will work, just Enter.

Signed-off-by: Martin Kepplinger <martin.kepplinger@puri.sm>
2019-11-26 18:10:39 +01:00
Matt DeVillier
4db6fbd51a
oem-factory-reset: enforce 8-char min on custom password
Since the custom password is used to set the GPG admin
password as well as the TPM and GPG user passwords, an
8-character minimum is required. Inform the user of this,
and validate custom password length upon entry.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-11-25 12:44:56 -06:00
Kyle Rankin
8110b6192c
Merge pull request #628 from MrChromebox/hotp_check_boot
unseal-hotp: ensure /boot mounted before checking HOTP secret
2019-11-25 09:26:07 -08:00
Kyle Rankin
9576a427a0
Merge pull request #627 from MrChromebox/totp_error_prompt
gui-init: update TOTP error prompt
2019-11-25 09:23:21 -08:00
Matt DeVillier
0dbc748233
unseal-hotp: ensure /boot mounted before checking HOTP secret
If /boot isn't mounted, we can't read the HOTP counter, so no
point in reading from the TPM. This speeds up getting to the
main menu in the case of an inaccessible or non-existant /boot.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-11-18 21:52:48 -06:00
Matt DeVillier
b9fd6e2708
gui-init: update TOTP error prompt
Update text on TOTP error prompt to provide better
guidance for users following the use of the OEM
factory reset function

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-11-18 21:46:04 -06:00
Matt DeVillier
7998e96b98
functions: check both grub/grub2 dirs for boot files
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-11-18 11:33:25 -06:00
Matt DeVillier
4d32b4adf8
functions: fix handling of checksum update fail
If kexec-sign-config fails due to GPG key not present,
the double die() results in a kernel panic (and if it didn't,
/boot would be left mounted RW). Fix this by removing call to
die() and ensuring /boot remounted RO regardless checksum
update success or failure.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-11-18 11:33:08 -06:00
Kyle Rankin
018279b2bf
Add ability to enter custom password for OEM reset
Normally we resort to default passwords for OEM reset, however we have a
use case where it would be convenient to set a custom password instead.
This patch adds a simple prompt (that defaults to the defaults if you
hit Enter) that enables someone using the OEM reset to enter a single
password that will replace the defaults (TPM, GPG Admin, GPG User).
2019-11-18 11:31:55 -06:00
Matt DeVillier
c14c09b602
flash-gui: clear boot signatures after flashing a cleaned ROM
If the user chooses to flash a "cleaned" ROM (not persisting settings
or GPG keys) then the signatures on /boot are no longer valid, so clear
them out. This allows for the OEM factory reset prompt to be shown on
the next boot.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-11-18 11:17:35 -06:00
Matt DeVillier
5dc9b0b457
config-gui: mount new /boot after selection
Users may wish to temporarily boot an OS from a drive other than
their primary boot drive, without changing the default and saving
to ROM. Mounting /boot after changing the device selection
facilitates this by allowing the user to then choose an unsafe boot
from the newly-selected boot drive.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-11-18 11:16:53 -06:00
Matt DeVillier
0599ce97af
config-gui: fix Save Config option
when commit [928f003] config-gui: add 'Full Reset' option
was added, the bottom end of the save config option was
accidentally truncated; restore it to fix save config option

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-11-18 11:16:49 -06:00
Matt DeVillier
aab9004c53
gui-init: add clean boot check
Add a check to determine if first boot after flashing a cleaned
ROM, and prompt user to run the OEM Factory Reset if so

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-21 17:10:25 -05:00
Matt DeVillier
ba23fb7ac2
gpg-gui: remove OEM factory reset option
superseded by newer version in main options menu

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-21 17:10:24 -05:00
Matt DeVillier
d8bcc7b841
gui-init: add OEM Factory Reset to options menu
Add an OEM Factory Reset menu option, which performs an
unattended reset and configuration of the device's TPM,
GPG security token, and boot device / boot selection.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-21 17:10:24 -05:00
Matt DeVillier
f067d9af23
initrd/bin: add OEM Factory Reset
Add oem-factory-reset script which performs an unattended
reset and configuration of the device's TPM, GPG security token,
and boot device / boot selection.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-21 17:10:23 -05:00
Matt DeVillier
4f54a97cf2
etc/function: add detect_boot_device()
Add function to detect boot device. Start by checking
CONFIG_BOOT_DEV, then iterate thru all bootable partitions.
Check if partition is mountable, contains grub directory.

Update CONFIG_BOOT_DEV and mount on /boot if successful.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-21 17:10:23 -05:00
Matt DeVillier
a27affcc7d
flash.sh: persist serial in cbfs
Librem devices store their serial number as a text file
in cbfs; persist this across flashes.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-05 11:06:46 -05:00
Matt DeVillier
e8e1032027
gpg_add_key_reflash: handle user cancellation
if user chooses abort option, exit without flashing ROM

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-05 11:03:47 -05:00
Matt DeVillier
c33209add1
confirm_gpg_card: prompt for retry on detection failure
Initial card detection can sometimes fail, so prompt the user
to remove/reinsert their GPG card before retrying. Since
errexit is likely set, disable it prior to calling --card-status so
we can handle the error ourself, then re-set if necessary when done.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-05 11:03:47 -05:00
Matt DeVillier
5ff3849c16
kecec_select_boot: default to Y when setting new boot option
Next prompt will be to ensure GPG key is attached, which defaults
to Y, so default here as well for consistency

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-05 11:03:46 -05:00
Matt DeVillier
29f89ae47b
gpg_flash_rom(): ensure files exist before adding to CBFS
Check that any files added to cbfs exist before attempting to
add them, so flashing doesn't fail after a reset.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-05 11:03:46 -05:00
Matt DeVillier
928f003550
config-gui: add 'Full Reset' option
Add Full Reset option to clear all GPG keys and user settings,
both from the local filesystem and running firmware, and
clear/reset the TPM

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-05 11:03:45 -05:00
Matt DeVillier
0690c8c011
gui-init: use direct boot device selection
If the boot device is invalid or unabled to be mounted
and the user opts to select a new boot device, jump
directly to that menu option and avoid the additional
step of showing the config main menu.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-05 11:03:45 -05:00
Matt DeVillier
258783e98e
gui-init: don't reboot after updating TOTP/HOTP
Updating TOTP/HOTP is mainly necessary after a user updates
their firmware, and no need to force another reboot.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-05 11:03:45 -05:00
Matt DeVillier
c982be5bd4
config-gui: filter out invalid boot device options
use similar filtering logic as with USB drives to provide
the user a more sane list of boot device options. Show user
only valid bootable partitions, not block devices.

There's no point in showing /dev/nvme0 and /dev/nvme0n1 (eg)
when /dev/nvme0n1p[1..n] (eg) exist, as the former are not
valid boot devices.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-05 11:03:44 -05:00
Matt DeVillier
34394032de
config-gui: add optional param to bypass menu
Add optional parameter to bypass menu selection and
immediately select a menu option. This allows us to call
the 'Set Boot Device' option directly, saving the user
an unnecessary step.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-05 11:03:44 -05:00
Matt DeVillier
5ca3069b23
config-gui: add optional param to set file_selector title
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-08-05 11:03:43 -05:00
Matt DeVillier
0d51b62ebb
gpg-gui: add option to replace existing key(s)
Introduce option to remove any existing key(s) from firmware
and add a user-suppled key, before reflashing.

Move existing code for adding a new key to a separate function
so it can be reused for new feature without duplication.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-07-12 11:51:19 -05:00
Matt DeVillier
b1d57dac66
gui-init: retry mounting /boot after device changed
If CONFIG_BOOT_DEV isn't set or otherwise fails to mount,
we prompt the user to change the /boot device, but never
attempt to mount it to ensure it's sane, leading to
potential failures later in the config/boot process.

Ensure that CONFIG_BOOT_DEV is updated after the /boot device
is changed, and attempt to re-mount /boot after the change.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-07-12 11:51:19 -05:00
Matt DeVillier
57c4207bf8
gpg_flash_rom: persist user config when flashing
If the user has changed the /boot config but not yet flashed,
it's reasonable for them to expect that flashing to add/update
a GPG key won't revert those changes.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-07-12 11:51:19 -05:00
Matt DeVillier
a9e494f670
gpg-gui: prompt user to update checksums after adding key
In order to streamline the initial setup, prompt user to
update checksums/sign /boot files after adding a key and
updating the firmware, in order to avoid an extra reboot.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-07-12 11:51:18 -05:00
Matt DeVillier
ed2f19d862
gui-init: move update_checksums() to /etc/functions
Move the non-GUI component of update_checksums() to
/etc/functions so it can be reused outside of gui-init.

Add check that /boot/kexec_default_hashes.txt exists before parsing
it, since doesn't exist if there's no default boot target set yet.
Eliminates spurious error text and/or premature exit depending on
state of errexit.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-07-12 11:51:18 -05:00
Matt DeVillier
db5d282a7b
seal-libremkey: add newlines for readability
improve readability of console output by adding newlines as needed

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-07-12 11:51:17 -05:00
Matt DeVillier
94f7f98022
gui-init: update Settings, Boot Options menu text
'Options' makes more sense than 'Settings' given the submenu's contents.
Tidy up Boot Options as well

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-07-12 11:51:17 -05:00
Kyle Rankin
20d79f5ab5
Merge pull request #589 from MrChromebox/small_fixes
Small fixes
2019-06-25 08:52:06 -07:00
Matt DeVillier
6cfbc86618
initrd: don't mount efivars fs on non-linuxboot systems
it doesn't exist and produces a spurious error on Heads systems

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-06-25 10:07:10 -05:00
Matt DeVillier
4a85c85336
gui-init: load USB modules at startup
ensures external USB keyboards are accessible

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-06-25 10:06:52 -05:00
Matt DeVillier
2686c836c6
gui-init: ensure /boot is sane first thing
Before anything else, ensure that a default boot device
is set. If not, prompt the user to set one.  If set, ensure
that /boot can be mounted successfully; else prompt the
user to select a new boot device.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-06-25 10:06:30 -05:00
Matt DeVillier
f772f2d088
unseal-hotp: ensure /boot mounted before checking HOTP secret
If /boot isn't mounted, we can't read the HOTP secret, so no
point in reading from the TPM. This speeds up getting to the
main menu in the case of an inaccessible or non-existant /boot,
and maintains the warning condition from not being able to
validate the HOTP.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-06-25 10:04:03 -05:00
Matt DeVillier
65d669d408
Skip prompt to set default boot when booting from USB
Since a USB boot target can't be the default (at least currently,
/boot must be on internal media), skip the extraneous prompt to
set it as such when booting from USB.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-06-25 10:01:18 -05:00
Matt DeVillier
3306dbb66d
flash-gui: clean up ROM list
Exclude dot folders from ROM search path, so that files in
.Trash (eg) aren't shown. Sort the remaining options.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-06-25 10:00:54 -05:00
Matt DeVillier
e0e0019250
kexec-select-boot: correct order of USB boot options
Using sort on USB boot options produces a reverse-ordered list,
leading users to often select the wrong option.  Add the -r
parameter to sort to correct the list order and make the default
option the first in the list.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-06-25 09:57:24 -05:00
Matt DeVillier
5eb758711d
unseal-hotp: fix/rename mount_boot()
Because of the way unseal-hotp is called from gui-init,
dropping to a recovery shell when failing to mount /boot
causes it to hang, leaving the user stranded until they
kill it with CTRL+C. Instead, simply return and continue
to the main GUI menu where the user can address the problem.

Rename the function to clarify difference from other versions
of mount_boot() which do drop to the recovery shell.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-06-25 09:57:02 -05:00
Matt DeVillier
77949c9cff
libremkey_hotp_initialize: handle spaces in admin pin/pass
Fix HOTP verfication failure if LK admin pin/passphrase contains
spaces by quoting the variables when passed to functions.

Test: set LK admin pin to passphrase with spaces, generate
new TOTP/HOTP, verification passes.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-06-24 23:30:39 -05:00
Matt DeVillier
286303d95c
libremkey-hotp-verification: pass in key file directly
Reading the file into a variable and then redirecting to stdin
via echo() can cause the binary data to be truncated, leading
to an invalid base32 value and failure to properly generate
and validate the HOTP code.

To resolve this, pass the file directly to hotp(), and ensure
it is removed properly regardless of success or failure to
prevent leakage.

Fixes "Invalid base32 string" error seen when attempting to
generate a new TOTP secret.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-06-24 23:29:06 -05:00
Martin Kepplinger
186895d414 gui-init: move Refresh TOTP/HOTP to the Main Boot Menu
also, rename the current menu entry to being smaller and simpler.

Closes #574
2019-05-27 11:12:50 +02:00