Commit Graph

606 Commits

Author SHA1 Message Date
Jonathon Hall
ae29ddbc78
initrd/bin/root-hashes-gui.sh: Remove debug statement for non-LVM-PV
This statement was confusing and should be clear from tracing anyway.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-17 16:34:48 -05:00
Jonathon Hall
80b57eb60d
initrd/bin/root-hashes-gui.sh: Qubes support, faster hash creation
Don't spew the root hashes to the console when creating the hash file.
This speeds up hash creation significantly.  A basic Qubes install on a
cheap (slow) SATA SSD reduced from about 1.5 minutes to just under 1
minute, and a PureOS install on a fast NVMe disk reduced from 2.5
minutes to 1 minute.

Support opening LVM volume groups to find the root disk.  If an LVM PV
is found, its group is opened and the 'root' volume is used.  There is
no way to set the volume name in this iteration; this is the default
name used by Qubes and probably common to many LVM OS installations.
LUKS and LVM can be mixed.  Tested LUKS (PureOS) and LUKS+LVM (Qubes).

Always cd to "$ROOT_MOUNT" in a subshell, improves robustness of
scripts (previously some functions only worked if they were called
after another function had cd'd to "$ROOT_MOUNT").

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-17 16:34:47 -05:00
Jonathon Hall
70d249ae46
intird/bin/config-gui.sh: Clarify root hash menu item, minor cleanup
Say the action to take in the menu (enable or disable) instead of just
"Check root hashes at boot".

Clean up some use of load_config_value, set_config, combine_configs.
Get config values from the environment directly.  set_user_config does
set_config and combine_configs.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-17 16:34:47 -05:00
Jonathon Hall
905d40bd9b
initrd/bin/flash-gui.sh: Show error if find fails due to I/O error
'find' may fail if I/O errors occur (medium faulty or removed,
filesystem corruption, etc.)  Show a message if this occurs rather than
just dying and returning to the main menu.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-09 15:15:24 -05:00
Jonathon Hall
40e96c7dae
initrd/bin/flash-gui.sh: Show message if plain ROM is unreadable
If the user selects a plain ROM, but that file can't be read, show a
message and exit rather than dying.  Copy the ROM to RAM before doing
anything with it in case the media fails later.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-09 15:15:24 -05:00
Jonathon Hall
7e57ce181b
initrd/bin/flash-gui.sh: Fix indentation
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-09 15:15:24 -05:00
tlaurion
90d1c2e9e3
Merge pull request #1578 from JonathonHall-Purism/config-automatic-boot-delay
initrd/bin/config-gui.sh: Allow configuring automatic boot
2024-01-09 15:12:03 -05:00
Jonathon Hall
5a00bfc035
initrd/bin/seal-hotpkey: Show error if /boot can't be mounted
If we can't mount /boot, show a meaningful error rather than dropping
to a recovery shell.

Dropping to a recovery shell should be a last resort.  Users that know
how to use the recovery shell know how to get there.  Users that don't
know how to use it can be completely stuck and may not know how to get
back to the menu or even how to turn off the device.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-09 12:27:59 -05:00
Jonathon Hall
25b977d1e5
initrd/bin/config-gui.sh: Allow configuring automatic boot
Automatic boot can be configured in the configuration GUI.  Options are
disable, 1 second, 5 seconds, or 10 seconds.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-09 10:12:22 -05:00
tlaurion
449977b617
Merge pull request #1561 from Nitrokey/up-v2.4
Bump Dasharo Coreboot / hotp-verification; fix nitropad-nxx ec-powerdown
2024-01-03 15:49:55 -05:00
Thierry Laurion
b4068e61fa
tpmr: fix TPM Disk Unlock Key which was not using proper cached passphrase.
Add debugging that was needed to spot the issue

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-12-29 15:22:17 -05:00
Markus Meissner
a1c13ff132 nitropad-nx: fix EC-based poweroff/reboot
Signed-off-by: Markus Meissner <coder@safemailbox.de>
2023-12-22 15:37:29 +01:00
tlaurion
6b936e76aa
Merge pull request #1542 from UndeadDevel/luks_reencrypt_text_patch
Luks functions text patch & change order of reencrypt and passphrase change
2023-12-06 22:59:42 -05:00
UndeadDevel
d640c3be28 Update oem-factory-reset
Change order if user chooses both reencrypt and change passphrase, so that passphrase is changed first.

Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2023-12-06 15:56:14 +01:00
Christian Foerster
ce2abd4f29 Apply suggestion
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2023-12-06 14:53:15 +01:00
UndeadDevel
e98b26c32a Use better suggested solution (fold)
Uses fold on the entire passphrase string now; tested in recovery shell of NK Heads 2.1.
Reverted change of WIDTH parameter (first commit of this PR).

Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2023-12-06 14:52:15 +01:00
UndeadDevel
85e6f60438 Update oem-factory-reset - wider window to show secrets
This partially fixes #1537, but while the increased width wouldn't be a problem on the NV41 AFAICT, I don't know about other machines.

I don't know what @tlaurion means with "busybox's folding", which may be a better solution.

Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2023-12-06 14:52:15 +01:00
Markus Meissner
397a46203b oem-factory-reset: kill scdaemon after aes regenerate on nk storage
The call to `hotp_verification regenerate` seems to leave the
communication in a bad state, thus the following `gpg` calls fail. With
this workaround `scdaemon` will resart with the next `gpg` call.

Signed-off-by: Markus Meissner <coder@safemailbox.de>
2023-11-22 11:09:49 +01:00
JonathonHall-Purism
f5377b3bd5
Merge pull request #1526 from JonathonHall-Purism/zip_updates
flash-gui.sh: Extend NPF archive format to ZIP, improve workflow
2023-11-17 10:21:44 -05:00
Jonathon Hall
6873df60c1
Remove CONFIG_BRAND_UPDATE_PKG_EXT, use zip everywhere
Nitrokey is going to switch from npf to zip per discussion.  Remove
this config.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-11-16 08:58:38 -05:00
Thierry Laurion
56d38e112c
Talos-2 fixes to comply with hashing file standard. Bypass flash-gui.sh prompt when talos-2 ato validate hashes against hashes provided under tgz through flash.sh validation (still offer zip and tgz, which tgz might change to zip later but only tgz offered through builds)
Attempt to address https://github.com/linuxboot/heads/pull/1526#issuecomment-1811185197

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-16 08:44:39 -05:00
Jonathon Hall
7b2b95cb94
flash-gui.sh: Show .rom or .tgz in UI, not both
talos-2 (only) uses .tgz instead of .rom for updates.  Currently, both
are treated as alternatives to a ZIP-format update archive with
SHA-256 integrity check, extend that to the prompts to reduce clutter.

Reflow the "You will need ... your BIOS image" prompt to fit on
fbwhiptail.

The .tgz format could be better integrated with the ZIP updates, but
this needs more work specific to talos-2.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-11-13 17:17:07 -05:00
Jonathon Hall
5bd50652a0
flash-gui.sh: Extend NPF archive format to ZIP, improve workflow
Allow configuring the ZIP-format update file extension with
CONFIG_BRAND_UPDATE_PKG_EXT in board config.  Default is 'zip'.

Create update package in the default Makefile target.  Delete
create_npf.sh.

Do not require /tmp/verified_rom in the update file package's
sha256sum.txt (but allow it for backward compatibility).

Show the integrity error if unzip fails instead of dying (which returns
to main menu with no explanation, error is left on recovery console).
This is the most likely way corruption would be detected as ZIP has
CRCs.  The sha256sum is still present for more robust detection.

Don't require the ROM to be the first file in sha256sum.txt since it
raises complexity of adding more files to the update archive in the
future.  Instead require that the package contains exactly one file
matching '*.rom'.

Restore confirmation prompt for the update-package flow, at some point
this was lost.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-11-13 16:42:05 -05:00
tlaurion
133da0e48e
Merge pull request #1515 from tlaurion/inmemory_keygen-gpg_backup_usable_for_RSA_only-copy_to_card_working_for_RSA_only-gpg_auth_for_recovery_and_sub_boot
GPG User Authentication: In-memory gpg keygen + keytocard and GPG key material backup enabling  (plus a lot of code cleanup and UX improvements)
2023-11-13 16:05:26 -05:00
Jonathon Hall
97d903f22a
oem-factory-reset: Don't repeat "insert flash drive" message
Don't repeat this message if the user says "no" to the confirmation
prompt.  Go directly to the menu.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-11-13 14:52:09 -05:00
Jonathon Hall
d39fc26dd9
oem-factory-reset: Move format confirmation before resetting anything
Move confirmation of formatting flash drive with LUKS percentage
selection before any reset actions have been taken, so aborting does
not result in a half-reset system.  Combine with the more basic
"confirm" prompt that existed after selecting the device (but did not
include the LUKS size information).

Split up prepare_flash_drive into interactive_prepare_flash_drive (both
prompts and formats as before), confirm_thumb_drive_format (just
confirms the selections), and prepare_thumb_drive (now noninteractive).

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-11-13 14:37:19 -05:00
Jonathon Hall
a925219efb
oem-factory-reset: Improve prompt flow formatting flash drive
Combine prompt to disconnect other devices with prompt to connect the
desired device.

Show block device sizes in MB/GB when selecting device so it is easier
to select.  file_selector now supports --show-size to include block
device sizes in menu.

Rework file_selector so menu options can contain spaces (use bash
array) and to simplify logic.

Prompt to select flash drive and LUKS percentage in OEM reset before
actually taking any actions, so aborting doesn't half-reset the system.

Abort OEM reset if user aborts the flash drive selection instead of
looping forever.  (Canceling the confirmation still loops to retry but
it is possible to exit by aborting the repeated menu.)

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-11-13 13:54:37 -05:00
Thierry Laurion
e924a8afca
oem-factory-reset : Prompt user for any connected block device, give storage size and loop until none is connected to exit loop.
Warn user if connected usb block device is less then 128mb, since creating LUKS container of less then 8mb might cause issues.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-09 17:04:33 -05:00
Thierry Laurion
37872937f0
oem-factory-reset: unify booleen y/n variable usage and double check logic. Also move USB Security dongle capability detection under code already checking for USB Security Dongle's smartcard presence.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-07 14:34:50 -05:00
Thierry Laurion
160367d065
oem-factory-reset: normal output to inform user of consequences of generating keys on smartcard without backup, not a wanring anymore
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-06 16:05:08 -05:00
Thierry Laurion
659de63180
oem-factory-reset: fix typo : Same a GPG Admin PIN
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-06 16:02:37 -05:00
Thierry Laurion
388ee5198b
All TPM Extend additional context passed from console echo output to DEBUG. Put back console output as of master. TODO: decide what we do with tpmr extend output for the future. Hint: forward sealing of next flashed firmware measurements.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-06 15:53:17 -05:00
Jonathon Hall
fd6a947cb3
tpmr: Move last TPM owner password prompt/shred into tpmr
Prompt for TPM owner password internally within tpm2_counter_create.
Add tpm1_counter_create to prompt for password internally.  Wipe the
cache in either if the operation fails, in case the password was
incorrect.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-11-06 15:20:29 -05:00
Thierry Laurion
9e0491e9db
oem-factory-reset/librem boards: remove CONFIG_OEMRESET_OFFER_DEFAULTS=y and checks for it; the default of oem-factory-reset is now to propose user to use defaults first for simplicity of most common use case without allianating advanced users which can simply not accept the default and answer questionnaire
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-06 11:27:51 -05:00
Thierry Laurion
0042163861
kexec-seal-key: remove non-needed shred of file cached /tmp/secret/tpm_owner_password (done when sealing fails under tpmr)
- document why shred is still called under functions:check_tpm_counter for safety and add TODO there

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-06 10:30:11 -05:00
Thierry Laurion
8d7efa021d
media-scan: die if gpg_auth fails (should loop and never exit anyway)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-06 10:04:51 -05:00
Thierry Laurion
bfc877c49c
kexec-select-boot/kexec-insert-key: add info message explaining why PCR 4 is extended
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-06 10:03:14 -05:00
Thierry Laurion
eee913d8d2
oem-factory-reset: add rudimentary mount_boot function so that oem-factory-reset can be called early at boot without /boot previously mounted. Also fix logic so that GPG User PIN is showed as configured when keytocard or smartcard only is configured.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-03 16:41:33 -04:00
Thierry Laurion
c064b78ef6
gui-init: fix TRACE: clean_check_boot stating mount_boot instead of clean_boot_check
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-03 16:41:30 -04:00
Thierry Laurion
4e10740453
oem-factory-reset/ash_functions/luks-functions: replace provisioning with configuring keywords. Tweak oem-factory-reset flow and questionnaire. Now first prompt is to ask if user wants to go advanced or use defaults.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-03 16:41:27 -04:00
Thierry Laurion
cd3ce6999c
tpmr/kexec-seal-key/functions: end refactoring of tpmr being in carge of wiping /tmp/secret/tpm_owner_password if invalid
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-03 13:53:47 -04:00
Thierry Laurion
afb817ca48
tpmr: give users better error/DEBUG messages in regard of TPM errors
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-03 11:07:36 -04:00
Thierry Laurion
84374dfbcd
kexec-seal-key/seal-totp/tpmr/functions: move wiping of tpm_owner_password to tpmr calls directly
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-03 10:54:16 -04:00
Thierry Laurion
e2985d386e
seal-totp/tpmr: differenciate die messages to show which between tpm1_seal/tpm2_seal or check_tpm_counter fails to seal as first step to possible refactor
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-03 10:15:52 -04:00
Thierry Laurion
9523b4fee2
unseal-totp: fix indentation
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-03 09:31:44 -04:00
Thierry Laurion
6d7f9be414
TPM2: add DEBUG and fix path for TPM2 primary key handle hash.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 14:17:52 -04:00
Thierry Laurion
644a59ab60
oem-factory-reset: simplify first question for users to have a GPG key material backup and enable GPG Authentication
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 12:55:05 -04:00
Thierry Laurion
85266452fa
oem-factory-reset ash_functions: fix USB Security Dongle' smartcard -> USB Security Dongle's smartcard
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 12:54:39 -04:00
Thierry Laurion
921acd0f6f
tpmr: move TPM2 related secrets artifacts to /tmp/secret to be autowiped when recovery shell is accessed. If you want to see those, use qemu and have main console launching qemu under recovery shell prior of doing ops you want to see /tmp/secret/ artifacts before being deleted. We still have pcap under /tmp which is as expected
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 11:45:02 -04:00
Thierry Laurion
2942d660de
oem-factory-reset: prmompt only for GPG User PIN when needed, warn users when no backup/when having only in-memory keygen backup without smartcard.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 14:27:22 -04:00