Commit Graph

124 Commits

Author SHA1 Message Date
Thierry Laurion
0cef8e1edc cryptsetup2 toolstack version bump and script fixes to support multi-LUKS containers (BTRFS QubesOS 4.2)
cryptsetup2 2.6.1 is a new release that supports reencryption of Q4.2 release LUKS2 volumes created at installation.
 This is a critical feature for the Qubes OS 4.2 release for added data at rest protection

Cryptsetup 2.6.x internal changes:
 - Argon2 used externally and internally: requires a lot of RAM and CPU to derivate passphrase to key validated in key slots.
  - This is used to rate limit efficiently bruteforcing of LUKS key slots, requiring each offline brute force attempt to consume ~15-30 seconds per attempt
  - OF course, strong passphrases are still recommended, but bruteforcing LUKSv2 containers with Argon2 would require immense time, ram and CPU even to bruteforce low entropy passphrase/PINs.
 - passphrase change doesn't permit LUKS key slot specification anymore: key slot rotates (new one consusumed per op: then old one wiped internally. EG: LUKS key slot 1 created, then 0 deleted)
 - reencryption doesn't permit old call arguments. No more direct-io; inadmissively slow through AIO (async) calls, need workarounds for good enough perfs (arguments + newer kernel with cloudfare fixes in tree)

cryptsetup 2.6.1 requires:
 - lvm2 2.03.23, which is also included in this PR.
   - requires libaio, which is also included in this PR (could be hacked out but deep dependency at first sight: left in)
   - requires util-linux 2.39
 - patches for reproducible builds are included for above 3 packages.

luks-functions was updated to support the new cryptsetup2 version calls/changes
 - reencryption happen in direct-io, offline mode and without locking, requiring linux 5.10.9+ to bypass linux queues
   - from tests, this is best for performance and reliability in single-user mode
 - LUKS container ops now validate Disk Recovery Key (DRK) passphrase prior and DRK key slot prior of going forward if needed, failing early.
  - Heads don't expect DRK to be in static key slot anymore, and finds the DRK key slot dynamically.
  - If reencrytipn/passphrase change: make sure all LUKS containers on same block device can be unlocked with same DRK
 - Reencryption: requires to know which key slot to reencrypt.
   - Find LUKS key slot that unlocks with DRK passphrase unlock prior of reencrypt call
 - Passphrase change: no slot can be passed, but key slot of DRK rotates.

kexec-seal-key
 - TPM LUKS Disk Unlock Key key slots have changed to be set in max slots per LUKS version (LUKSv1:7 /LUKSv2: 31)
  - If key slot != default LUKS version's keyslot outside of DRK key slot: prompt the user before wiping that key slot, otherwise wipe automatically
    - This takes for granted that the DRK key slot alone is needed on the system and Heads controls the LUKS key slots.
      - If user has something else going on, ie: Using USB Security dongle + TPM DUK, then the user will need to say no when wiping keys.
      - It was suggested to leave LUKS key slots outside of DRK alone, but then: what to do when all key slots would be used?
        - Alternative implementation could be to only prompt users to wipe keyslots other then DRK when key slots are all used (LUKSv1: 0-7, LUKSv2: 0-31)
          - But then cleanup would need to happen prior of operations (LUKS passphrase change, TPM DUK setup) and could be problematic.
  - LUKS containers now checked to be same LUKS version prior of permitting to set TPM DUK and will refuse to go forward of different versions.

TODO:
- async (AIO) calls are not used. direct-io is used instead. libaio could be hacked out
  - this could be subject to future work

Notes:
- time to deprecated legacy boards the do not enough space for the new space requirements
 - x230-legacy, x230-legacy-flash, x230-hotp-legacy
 - t430-legacy, t430-legacy-flash, t430-hotp-legacy already deprecated

Unrelated:
- typos fixes found along the way

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-10-30 14:18:20 -04:00
Thierry Laurion
3c76bdc510
oem-factory-reset gui-init: fix whiptail_error segfaulting because selfcalling itself, fix typo in gui-init
fix bugs introduced by #1698

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-09-04 14:26:57 -04:00
Matthew Drobnak
19a705c179
Add functions to handle normal, warning, and error for whiptail and fbwhiptail.
Signed-off-by: Matthew Drobnak <matthew@drobnak.com>
2024-06-25 17:26:14 +00:00
Thierry Laurion
37f04e2855
Fix key to card failing with invalid time when moving keys to smartcard on master (Opt: Authenticated Heads)
- Revert gnupg toolstack version bump to prior of #1661 merge (2.4.2 -> 2.4.0). Version bump not needed for reproducibility.
  - Investigation and upstream discussions will take their time resolving invalid time issue introduced by between 2.4.0 and latest gnupg, fix regression first under master)

- oem-factory-reset
  - Adding DO_WITH_DEBUG to oem-factory-reset for all its gpg calls. If failing in debug mode, /tmp/debug.txt contains calls and errors
  - Wipe keyrings only (*.gpg, *.kbx)  not conf files under gpg homedir (keep initrd/.gnupg/*.conf)

- flake.nix
  - switch build derivative from qemu and qemu_kvm to qemu_full to have qemu-img tool which was missing to run qemu boards (v0.1.8 docker)
  - add gnupg so that qemu boards can call inject_gpg to inject public key in absence of flashrom+pflash support for internal flashing

- flake.lock: Updated nix pinned package list under flake.lock with 'nix flake update' so qemu_full builds

- README.md: have consistent docker testing + release (push) notes

- .circleci/config.yml: depend on docker v0.1.8 (qemu_full built with canokey-qemu lib support, diffoscopeMinimal and gnupg for proper qemu testing)

TODO:
- some fd2 instead of fd1?!
- oem-factory-resest has whiptail_or_die which sets whiptail box to HEIGHT 0. This doesn't show a scrolling window on gpg errors which is problematic with fbwhiptail, not whiptail

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-17 09:27:29 -04:00
Thierry Laurion
b2629f8d4d
Merge pull request #1625 from tlaurion:LUKS_header_change_validation_upon_sealing_and_unsealing
LUKS header change validation upon sealing and unsealing ops
2024-04-25 16:39:41 -04:00
Jonathon Hall
1ae4c19f9a
Merge remote-tracking branch 'github-tlaurion/fix_hotp_increment_counter_after_detection-oem-factory-reset_loop_3x_hotp_detect'
PR #1650
2024-04-23 08:33:30 -04:00
Christian Foerster
cb03ec5584
change correct PIN minimum
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2024-04-23 01:10:53 +02:00
Thierry Laurion
b6bd682cb3
Fix HOTP verification logic (and counter increment) in gui-init and oem-factory-reset scripts
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-22 17:24:21 -04:00
Christian Foerster
70e9c663bc
only change user PIN minimum requirement to 6
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2024-04-22 22:56:13 +02:00
Christian Foerster
408524fb31
Revert "UX improvements PIN questions"
This reverts commit ba20d98bdd.

Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2024-04-22 22:51:25 +02:00
Christian Foerster
0854f2ce80
Revert "fix small incongruency with previous commit"
This reverts commit be65c4be5b.

Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2024-04-22 22:51:17 +02:00
Christian Foerster
2828e2ca60
Revert "fix another small incongruency with previous commit"
This reverts commit cc70e772f8.

Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2024-04-22 22:50:34 +02:00
Christian Foerster
cc70e772f8
fix another small incongruency with previous commit
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2024-04-21 19:00:29 +02:00
Christian Foerster
be65c4be5b
fix small incongruency with previous commit
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2024-04-21 18:42:52 +02:00
Christian Foerster
ba20d98bdd
UX improvements PIN questions
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2024-04-21 18:31:43 +02:00
Thierry Laurion
fc874728f6
oem-factory-reset + seal-hotpkey: Give debug output to underatand in what state is the USB Security dongle
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-19 14:30:55 -04:00
Thierry Laurion
f6232aa70f
Change disk encryption -> LUKS Disk Key and other relative/relative verbiage, remove irrelevant DEBUG trace under kexec-unseal-key
TODO:
- $(pcrs) call sometimes fail in DEBUG call, outputting too many chars to be inserted in kmesg. Call removed here since redundant (PCR6 already extended with LUKS header)
- Notes added for TPM2 simplification over TPM1 in code as TODO

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-11 14:44:13 -04:00
Thierry Laurion
40c34453df
all scripts: replace TRACE manual strings with dynamic tracing by bash debug
Exception: scripts sourcing/calls within etc/ash_functions continues to use old TRACE functions until we switch to bash completely getting rid of ash.
This would mean getting rid of legacy boards (flash + legacy boards which do not have enough space for bash in flash boards) once and for all.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-02-01 15:48:27 -05:00
Thierry Laurion
6db03b0bdd
Uniformize vocabulary: LUKS TPM Disk Unlock Key & LUKS Disk Recovery Key
When playing with long fbwhiptail/whiptail messages, this commit played around the long string using fold.

'''
echo -e "This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue." | fold -w 70 -s
'''

Which gave the exact output of what will be inside of the fbwhiptail prompt, fixed to 70 chars width:

'''
This will replace the encrypted container content and its LUKS Disk
Recovery Key.

The passphrase associated with this key will be asked from the user
under the following conditions:
 1-Every boot if no Disk Unlock Key was added to the TPM
 2-If the TPM fails (hardware failure)
 3-If the firmware has been tampered with/modified by the user

This process requires you to type the current LUKS Disk Recovery Key
passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set
up, by setting a default boot LUKS key slot (1) if present.

At the next prompt, you may be asked to select which file corresponds
to the LUKS device container.

Hit Enter to continue.
'''

Therefore, for long prompts in the future, one can just deal with "\n 1-" alignments to be respected in prompts and have fold deal with cutting the length of strings properly.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-20 11:47:35 -05:00
tlaurion
6b936e76aa
Merge pull request #1542 from UndeadDevel/luks_reencrypt_text_patch
Luks functions text patch & change order of reencrypt and passphrase change
2023-12-06 22:59:42 -05:00
UndeadDevel
d640c3be28 Update oem-factory-reset
Change order if user chooses both reencrypt and change passphrase, so that passphrase is changed first.

Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2023-12-06 15:56:14 +01:00
Christian Foerster
ce2abd4f29 Apply suggestion
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2023-12-06 14:53:15 +01:00
UndeadDevel
e98b26c32a Use better suggested solution (fold)
Uses fold on the entire passphrase string now; tested in recovery shell of NK Heads 2.1.
Reverted change of WIDTH parameter (first commit of this PR).

Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2023-12-06 14:52:15 +01:00
UndeadDevel
85e6f60438 Update oem-factory-reset - wider window to show secrets
This partially fixes #1537, but while the increased width wouldn't be a problem on the NV41 AFAICT, I don't know about other machines.

I don't know what @tlaurion means with "busybox's folding", which may be a better solution.

Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2023-12-06 14:52:15 +01:00
Markus Meissner
397a46203b oem-factory-reset: kill scdaemon after aes regenerate on nk storage
The call to `hotp_verification regenerate` seems to leave the
communication in a bad state, thus the following `gpg` calls fail. With
this workaround `scdaemon` will resart with the next `gpg` call.

Signed-off-by: Markus Meissner <coder@safemailbox.de>
2023-11-22 11:09:49 +01:00
Jonathon Hall
97d903f22a
oem-factory-reset: Don't repeat "insert flash drive" message
Don't repeat this message if the user says "no" to the confirmation
prompt.  Go directly to the menu.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-11-13 14:52:09 -05:00
Jonathon Hall
d39fc26dd9
oem-factory-reset: Move format confirmation before resetting anything
Move confirmation of formatting flash drive with LUKS percentage
selection before any reset actions have been taken, so aborting does
not result in a half-reset system.  Combine with the more basic
"confirm" prompt that existed after selecting the device (but did not
include the LUKS size information).

Split up prepare_flash_drive into interactive_prepare_flash_drive (both
prompts and formats as before), confirm_thumb_drive_format (just
confirms the selections), and prepare_thumb_drive (now noninteractive).

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-11-13 14:37:19 -05:00
Jonathon Hall
a925219efb
oem-factory-reset: Improve prompt flow formatting flash drive
Combine prompt to disconnect other devices with prompt to connect the
desired device.

Show block device sizes in MB/GB when selecting device so it is easier
to select.  file_selector now supports --show-size to include block
device sizes in menu.

Rework file_selector so menu options can contain spaces (use bash
array) and to simplify logic.

Prompt to select flash drive and LUKS percentage in OEM reset before
actually taking any actions, so aborting doesn't half-reset the system.

Abort OEM reset if user aborts the flash drive selection instead of
looping forever.  (Canceling the confirmation still loops to retry but
it is possible to exit by aborting the repeated menu.)

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-11-13 13:54:37 -05:00
Thierry Laurion
e924a8afca
oem-factory-reset : Prompt user for any connected block device, give storage size and loop until none is connected to exit loop.
Warn user if connected usb block device is less then 128mb, since creating LUKS container of less then 8mb might cause issues.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-09 17:04:33 -05:00
Thierry Laurion
37872937f0
oem-factory-reset: unify booleen y/n variable usage and double check logic. Also move USB Security dongle capability detection under code already checking for USB Security Dongle's smartcard presence.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-07 14:34:50 -05:00
Thierry Laurion
160367d065
oem-factory-reset: normal output to inform user of consequences of generating keys on smartcard without backup, not a wanring anymore
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-06 16:05:08 -05:00
Thierry Laurion
659de63180
oem-factory-reset: fix typo : Same a GPG Admin PIN
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-06 16:02:37 -05:00
Jonathon Hall
fd6a947cb3
tpmr: Move last TPM owner password prompt/shred into tpmr
Prompt for TPM owner password internally within tpm2_counter_create.
Add tpm1_counter_create to prompt for password internally.  Wipe the
cache in either if the operation fails, in case the password was
incorrect.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-11-06 15:20:29 -05:00
Thierry Laurion
9e0491e9db
oem-factory-reset/librem boards: remove CONFIG_OEMRESET_OFFER_DEFAULTS=y and checks for it; the default of oem-factory-reset is now to propose user to use defaults first for simplicity of most common use case without allianating advanced users which can simply not accept the default and answer questionnaire
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-06 11:27:51 -05:00
Thierry Laurion
eee913d8d2
oem-factory-reset: add rudimentary mount_boot function so that oem-factory-reset can be called early at boot without /boot previously mounted. Also fix logic so that GPG User PIN is showed as configured when keytocard or smartcard only is configured.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-03 16:41:33 -04:00
Thierry Laurion
4e10740453
oem-factory-reset/ash_functions/luks-functions: replace provisioning with configuring keywords. Tweak oem-factory-reset flow and questionnaire. Now first prompt is to ask if user wants to go advanced or use defaults.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-03 16:41:27 -04:00
Thierry Laurion
644a59ab60
oem-factory-reset: simplify first question for users to have a GPG key material backup and enable GPG Authentication
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 12:55:05 -04:00
Thierry Laurion
85266452fa
oem-factory-reset ash_functions: fix USB Security Dongle' smartcard -> USB Security Dongle's smartcard
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 12:54:39 -04:00
Thierry Laurion
2942d660de
oem-factory-reset: prmompt only for GPG User PIN when needed, warn users when no backup/when having only in-memory keygen backup without smartcard.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 14:27:22 -04:00
Thierry Laurion
584c964064
oem-factory-reset: now permits to generate in-memory key, backuped to encrypted disk without copy to card from questionnaire. Can be tested out of the box on Qemu without modification from end of wizard's reboot call, prompting for gpg_auth when in debug mode.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:08:32 -04:00
Thierry Laurion
4d72eb3120
oem-factory-reset: typo correction past tense
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:08:26 -04:00
Thierry Laurion
2a04fb5650
oem-factory-reset: RSA default should be 3072, not 3076. squash
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:08:22 -04:00
Thierry Laurion
a3086e9a1c
Remove TODO in code that were not relevant prior of first review
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:08:19 -04:00
Thierry Laurion
ad1bff6b23
oem-factory-reset: make initial questionnaire more concise
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:08:16 -04:00
Thierry Laurion
38fc097976
Squash: revert testing changes for RSA and unify once more USB Security dongle's usage
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:08:13 -04:00
Thierry Laurion
867fb8d023
RSA keygen adaptation testing with rsa 2048 in memory keygen and key to card missing pieces
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:08:09 -04:00
Thierry Laurion
e6eeb571b0
oem-factory-reset: simplify provisioned secret output at end of wizard, including GPG key material output passphrase (uses strings+=string)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:08:06 -04:00
Thierry Laurion
c3a5359a85
Squash: remove DEBUG that were TODO for removal
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:08:03 -04:00
Thierry Laurion
8a8634f6a3
oem-factory-reset seal-hotpkey: unify prompts and vocabulary
oem-factory-reset: bugfix, keytocard inverts prompts. First is keyring then smartcard.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:08:00 -04:00
Thierry Laurion
7cd44b6dc4
oem-factory-reset: further cleaning of code for proper validation and consistency checks for passphrases. Also skip flashing code on qemu boards with short explanation
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:07:56 -04:00