Commit Graph

790 Commits

Author SHA1 Message Date
Thierry Laurion
fb5cbf41a1
kexec-insert-key: refactor tampering check for encrypted disk keys prior of TPM unsealing ops
move code from kexec-unseal-key to kexec-insert-key, address code review and apply verbiage suggestion changes

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-11 14:50:40 -04:00
Thierry Laurion
f6232aa70f
Change disk encryption -> LUKS Disk Key and other relative/relative verbiage, remove irrelevant DEBUG trace under kexec-unseal-key
TODO:
- $(pcrs) call sometimes fail in DEBUG call, outputting too many chars to be inserted in kmesg. Call removed here since redundant (PCR6 already extended with LUKS header)
- Notes added for TPM2 simplification over TPM1 in code as TODO

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-11 14:44:13 -04:00
Thierry Laurion
adda59c675
LUKS header change validation at both sealing and unsealing of TPM Disk Unlock Key.
Fixes linuxboot#1092.
Supersedes linuxboot#1093

- Cherry-picks ed1c23a (credit to @hardened-vault) thank you!)
- Addresses and correct self-review under linuxboot#1093 (@hardened-vault: you don't answer often here!)
  - kexec-unseal-key: Warn a user who attempts to default boot while his Disk Unlock Key passphrase fails to unseal because LUKS headers changed.
    (linuxboot#1093 (comment))
  - kexec-seal-key: Identical as in ed1c23a
  - kexec-add-key: Tell the user that the Headers did not change when changing TPM released Disk Unlock Key
    (Through changing default boot at Options->Boot Options -> Show OS boot options: select a new boot option
    and set a Disk Unlock Key in TPM, accept to modify disk and sign /boot options)
    - Here, we cancel the diff output shown on screen linuxboot#1093 (comment)
    - And we change the warning given to the user to past tense "Headers of LUKS containers to be unlocked via TPM Disk Unlock Key passphrase did not change."

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-11 14:44:07 -04:00
Thierry Laurion
ee1978ffc0
Merge pull request from 0xF4CED/tails-key-2024
Update tails.key
2024-04-04 14:45:15 -04:00
0xF4CED
f525b9337d Update tails.key
Key expired: 2024-01-04
Replace with clean export of updated [Tails](https://tails.net/tails-signing.key) signing key.

Signed-off-by: 0xF4CED <24809481+0xF4CED@users.noreply.github.com>
2024-04-04 02:42:02 +02:00
Thierry Laurion
c73687a232
init: Adding checks for sysfs and runtime panic_on_oom=1
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-02 17:17:09 -04:00
Jonathon Hall
ebdcc8523c
Merge branch 'silence-exfat-errors-for-iso9660'
PR 
2024-02-23 13:22:33 -05:00
Thierry Laurion
ebe9db4350
initrd/bin/network-init-recovery: kill dropbear unconditionally prior of starting it
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-02-23 12:17:47 -05:00
Jonathon Hall
2aeab5edbb
initrd/etc/ash_functions: ehci_pci/xhci-* aren't companion controllers
All boards with CONFIG_LINUX_USB=y ship ehci-* and xhci-*, they are
not controlled by CONFIG_LINUX_USB_COMPANION_CONTROLLER.  Always
insert them when initializing USB.  Fixes commit 35de2348

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-02-23 09:44:40 -05:00
Jonathon Hall
031f885aaa
initrd/bin/network-init-recovery: Trivial indentation fix
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-02-23 09:43:50 -05:00
Thierry Laurion
a5ab32b761
insmod: uniformize module name and lsmod output prior of comapring if module already insmodded (ehci-hcd.ko module name is ehci_hcd...)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-02-23 01:29:55 -05:00
Thierry Laurion
5f8cb5a159
initrd/bin/network-init-recovery: put usb tethering and ethernet activation in functions and ask user prior of using each mode
Also remove output of attempted module loading since DEBUG will show if needed
Remove timeout after 30 seconds to unify UX and block
Change UX wording

Should address all PR review comments

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-02-23 01:29:45 -05:00
Thierry Laurion
35de23483a
etc/ash_functions: remove redundant lsmod prior of insmod
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-02-22 15:29:38 -05:00
Thierry Laurion
bec2545688
insmod: check if module already loaded and if so exit early
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-02-22 14:15:06 -05:00
Thierry Laurion
7cbcdd8ed7
Tethering refresh for CDC NCM/CDC EEM mobile phones (tested on GrapheneOS Pixel 6a, no more RNDIS support)
- Add additional requirements to linux config
- Add additional CONFIG_MOBILE_TETHERING=y to all maximized board configs
- Fix issue under network-recovery-init to NTP sync against NTP server pool
- Extend network-recovery-init to first try NTP sync against DNS server returned by DHCP answer
- Remove network-recovery-init earlytty and tty0 redirection (console should be setuped properly by init in all cases)
- If CONFIG_MOBILE_TETHERING=y added to board config and network-recovery-init called, wait to user input on instructions and warning 30 secs before proceeding (non-blocking)
- Machines having STATIC_IP under board config won't benefit of autoatic NTP sync

Since network-recovery-init can only be called from recovery shell now, and recovery shell can be guarded by GPG auth, this is PoC code to be used to complement TOTP being out of sync

TODO(Future PR):
- Refactor into functions and reuse into TOTP/HOTP being out of sync automatically.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-02-21 13:50:18 -05:00
Jonathon Hall
a6228b9843
functions: Improve detect_boot_device to silence exFAT errors
When testing a possible boot device, detect its partition type and
skip grub, LUKS, and LVM partitions.  These aren't mountable as /boot,
this silences spurious exFAT errors.

In detect_boot_device, skip testing CONFIG_BOOT_DEV a second time if it
is found as a block device.  This avoids doubling any errors shown from
checking this device, no sense trying it twice.

Refactor some logic to avoid duplication - extract
device_has_partitions and use it in detect_boot_device, extract
mount_possible_boot_device and use it instead of duplicating the logic.

Move find_lvm_vg_name() to /etc/functions.

Avoid mixing up similarly-named devices like 'nvme0n1'/'nvme0n10' or
'sda'/'sdaa' - it's probably unlikely that many devices will appear,
but looking for partitions in '/sys/class/block/<device>/' instead of
'/dev/' would avoid any collisions.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-02-02 17:14:33 -05:00
Jonathon Hall
8233c6f442
init: Silence exFAT errors when mounting iso9660; reorder exfat last
Since exFAT support was enabled, mounting an iso9660 filesystem prints
spurious exFAT errors to the console.  That is because busybox mount
tries all filesystems in the order listed, and exfat precedes iso9660
(those are the last two in our config).  Most filesystems are silent
when used on the wrong type of filesystem, but exFAT logs errors, which
appear on the console.

Move exFAT after iso9660, so iso9660 filesystems won't show these
errors.  The errors will still appear if the filesystem is actually
exFAT but cannot be mounted.

There's no significant risk of misdetecting a remnant iso9660
superblock here either.  Although an iso9660 superblock could fall in
the unused space between the exFAT boot region and the FAT itself,
mkfs.exfat does zero this space so it is unlikely such a remnant
superblock would exist.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-02-02 13:24:34 -05:00
Thierry Laurion
40c34453df
all scripts: replace TRACE manual strings with dynamic tracing by bash debug
Exception: scripts sourcing/calls within etc/ash_functions continues to use old TRACE functions until we switch to bash completely getting rid of ash.
This would mean getting rid of legacy boards (flash + legacy boards which do not have enough space for bash in flash boards) once and for all.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-02-01 15:48:27 -05:00
tlaurion
5a75e6bffa
Merge pull request from JonathonHall-Purism/root-file-hash-qubes
Root file hashing: support Qubes default partition layout (+ tracing helpers)
2024-02-01 14:25:48 -05:00
Jonathon Hall
d22cf5ec7b
Merge remote-tracking branch 'github-heads/master' into laptops-optional-usb-keyboard 2024-01-31 10:48:24 -05:00
Jonathon Hall
9b4eb8df71
config-gui.sh: Reword USB keyboard notice, show on enable only
Reword the notice shown when enabling USB keyboards based on feedback.
Remove the notice when disabling USB keyboard support, show it only
when enabling.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-31 09:58:35 -05:00
Thierry Laurion
4f2b1b68b0
initrd/bin/kexec-unseal-key: never show final PCRs content but in DEBUG mode/Recovery Shell
Next steps on this is introspection and PCRs reconstruction helpers, which will output in DEBUG and be usable from recovery shell.
We have to keep in mind that providing those tools is useful in DEBUG mode and for users having access to Recovery Shell.
But currently, having access to cbmem -L output and final PCRs content is making it too easy for Evil Maid to know what needs to be hardcoded to pass measured boot.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-20 11:48:04 -05:00
Thierry Laurion
6db03b0bdd
Uniformize vocabulary: LUKS TPM Disk Unlock Key & LUKS Disk Recovery Key
When playing with long fbwhiptail/whiptail messages, this commit played around the long string using fold.

'''
echo -e "This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue." | fold -w 70 -s
'''

Which gave the exact output of what will be inside of the fbwhiptail prompt, fixed to 70 chars width:

'''
This will replace the encrypted container content and its LUKS Disk
Recovery Key.

The passphrase associated with this key will be asked from the user
under the following conditions:
 1-Every boot if no Disk Unlock Key was added to the TPM
 2-If the TPM fails (hardware failure)
 3-If the firmware has been tampered with/modified by the user

This process requires you to type the current LUKS Disk Recovery Key
passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set
up, by setting a default boot LUKS key slot (1) if present.

At the next prompt, you may be asked to select which file corresponds
to the LUKS device container.

Hit Enter to continue.
'''

Therefore, for long prompts in the future, one can just deal with "\n 1-" alignments to be respected in prompts and have fold deal with cutting the length of strings properly.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-20 11:47:35 -05:00
Thierry Laurion
4bc284e7fb
TPM DUK: Fix passphrase retry and code to support both LUKSv1/LUKSv2 output to check active keyslot 1 is not the only one existing
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-19 14:44:50 -05:00
Jonathon Hall
cb61739139
initrd/bin/inject_firmware.sh: Fix warning command
The function is 'warn', not 'WARN'.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-19 09:53:53 -05:00
Jonathon Hall
ae29ddbc78
initrd/bin/root-hashes-gui.sh: Remove debug statement for non-LVM-PV
This statement was confusing and should be clear from tracing anyway.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-17 16:34:48 -05:00
Jonathon Hall
80b57eb60d
initrd/bin/root-hashes-gui.sh: Qubes support, faster hash creation
Don't spew the root hashes to the console when creating the hash file.
This speeds up hash creation significantly.  A basic Qubes install on a
cheap (slow) SATA SSD reduced from about 1.5 minutes to just under 1
minute, and a PureOS install on a fast NVMe disk reduced from 2.5
minutes to 1 minute.

Support opening LVM volume groups to find the root disk.  If an LVM PV
is found, its group is opened and the 'root' volume is used.  There is
no way to set the volume name in this iteration; this is the default
name used by Qubes and probably common to many LVM OS installations.
LUKS and LVM can be mixed.  Tested LUKS (PureOS) and LUKS+LVM (Qubes).

Always cd to "$ROOT_MOUNT" in a subshell, improves robustness of
scripts (previously some functions only worked if they were called
after another function had cd'd to "$ROOT_MOUNT").

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-17 16:34:47 -05:00
Jonathon Hall
70d249ae46
intird/bin/config-gui.sh: Clarify root hash menu item, minor cleanup
Say the action to take in the menu (enable or disable) instead of just
"Check root hashes at boot".

Clean up some use of load_config_value, set_config, combine_configs.
Get config values from the environment directly.  set_user_config does
set_config and combine_configs.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-17 16:34:47 -05:00
Jonathon Hall
e0b46d086a
functions: TRACE_FUNC and DEBUG_STACK
Add TRACE_FUNC to trace the file, line, and name of the calling
function.  File and function names don't have to be duplicated in a
TRACE statement with this (they tend to become inaccurate as functions
are renamed and the TRACE statement is forgotten).

Add DEBUG_STACK to dump the bash stack to debug output.

Configure bash with --enable-debugger.  Bash doesn't actually include
the entire debugger, this is just some supporting variables for it.
Evidently, BASH_SOURCE[n] is only set within a function if this is
enabled.  I couldn't find this indicated in any documentation, but it
happened in practice.

Compressed initrd size only increased by 2560 bytes for librem_mini_v2,
I think that is fine.  This also gives us BASH_ARGC/BASH_ARGV which
might be useful for diagnostics.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-17 16:32:37 -05:00
Jonathon Hall
0a823cb491
Allow laptops to include optional USB keyboard support
Laptops can include optional USB keyboard support (default off unless
the board also sets the default to 'y').  The setting is in the
configuration GUI.

CONFIG_USER_USB_KEYBOARD is now the user-controlled setting on those
boards.  'CONFIG_USB_KEYBOARD' is no longer used to avoid any conflict
with prior releases that expect this to be a compile-time setting only
(conflicts risk total lock out requiring hardware flash, so some
caution is justified IMO).

Boards previously exporting CONFIG_USB_KEYBOARD now export
CONFIG_USB_KEYBOARD_REQUIRED.  Those boards don't have built-in
keyboards, USB keyboard is always enabled. (librem_mini,
librem_mini_v2, librem_11, librem_l1um, librem_l1um_v2, talos-2,
kgpe-d16_workstation-usb_keyboard, x230-hotp-maximized_usb-kb).

Librem laptops now export CONFIG_SUPPORT_USB_KEYBOARD to enable
optional support.  The default is still 'off'.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-10 15:38:06 -05:00
Jonathon Hall
905d40bd9b
initrd/bin/flash-gui.sh: Show error if find fails due to I/O error
'find' may fail if I/O errors occur (medium faulty or removed,
filesystem corruption, etc.)  Show a message if this occurs rather than
just dying and returning to the main menu.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-09 15:15:24 -05:00
Jonathon Hall
40e96c7dae
initrd/bin/flash-gui.sh: Show message if plain ROM is unreadable
If the user selects a plain ROM, but that file can't be read, show a
message and exit rather than dying.  Copy the ROM to RAM before doing
anything with it in case the media fails later.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-09 15:15:24 -05:00
Jonathon Hall
7e57ce181b
initrd/bin/flash-gui.sh: Fix indentation
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-09 15:15:24 -05:00
tlaurion
90d1c2e9e3
Merge pull request from JonathonHall-Purism/config-automatic-boot-delay
initrd/bin/config-gui.sh: Allow configuring automatic boot
2024-01-09 15:12:03 -05:00
tlaurion
8e1e402dac
Merge pull request from tlaurion/force_absence_dirmngr
gpg2: make sure dirmngr is not spawn to refresh keys under initrd/.gnupg/gpg.conf
2024-01-09 15:03:17 -05:00
Thierry Laurion
012400af1b
gpg2: make sure dirmngr is not spawn to refresh keys under initrd/.gnupg/gpg.conf
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-09 12:53:56 -05:00
Jonathon Hall
5a00bfc035
initrd/bin/seal-hotpkey: Show error if /boot can't be mounted
If we can't mount /boot, show a meaningful error rather than dropping
to a recovery shell.

Dropping to a recovery shell should be a last resort.  Users that know
how to use the recovery shell know how to get there.  Users that don't
know how to use it can be completely stuck and may not know how to get
back to the menu or even how to turn off the device.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-09 12:27:59 -05:00
Jonathon Hall
25b977d1e5
initrd/bin/config-gui.sh: Allow configuring automatic boot
Automatic boot can be configured in the configuration GUI.  Options are
disable, 1 second, 5 seconds, or 10 seconds.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-09 10:12:22 -05:00
tlaurion
449977b617
Merge pull request from Nitrokey/up-v2.4
Bump Dasharo Coreboot / hotp-verification; fix nitropad-nxx ec-powerdown
2024-01-03 15:49:55 -05:00
Thierry Laurion
b4068e61fa
tpmr: fix TPM Disk Unlock Key which was not using proper cached passphrase.
Add debugging that was needed to spot the issue

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-12-29 15:22:17 -05:00
Markus Meissner
a1c13ff132 nitropad-nx: fix EC-based poweroff/reboot
Signed-off-by: Markus Meissner <coder@safemailbox.de>
2023-12-22 15:37:29 +01:00
tlaurion
6b936e76aa
Merge pull request from UndeadDevel/luks_reencrypt_text_patch
Luks functions text patch & change order of reencrypt and passphrase change
2023-12-06 22:59:42 -05:00
UndeadDevel
d640c3be28 Update oem-factory-reset
Change order if user chooses both reencrypt and change passphrase, so that passphrase is changed first.

Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2023-12-06 15:56:14 +01:00
UndeadDevel
920f871f9f Update luks-functions texts & reencrypt new pw use
Removed all mentions of a "Recovery Disk Key" and replaced with "Disk Recovery Key".

Fixed some grammatical errors.

Added check for new passphrase in reencrypt function to accommodate switching of reencrypt and new passphrase setting order in oem-factory-reset.

Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2023-12-06 15:56:14 +01:00
Christian Foerster
ce2abd4f29 Apply suggestion
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2023-12-06 14:53:15 +01:00
UndeadDevel
e98b26c32a Use better suggested solution (fold)
Uses fold on the entire passphrase string now; tested in recovery shell of NK Heads 2.1.
Reverted change of WIDTH parameter (first commit of this PR).

Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2023-12-06 14:52:15 +01:00
UndeadDevel
85e6f60438 Update oem-factory-reset - wider window to show secrets
This partially fixes , but while the increased width wouldn't be a problem on the NV41 AFAICT, I don't know about other machines.

I don't know what @tlaurion means with "busybox's folding", which may be a better solution.

Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2023-12-06 14:52:15 +01:00
Markus Meissner
397a46203b oem-factory-reset: kill scdaemon after aes regenerate on nk storage
The call to `hotp_verification regenerate` seems to leave the
communication in a bad state, thus the following `gpg` calls fail. With
this workaround `scdaemon` will resart with the next `gpg` call.

Signed-off-by: Markus Meissner <coder@safemailbox.de>
2023-11-22 11:09:49 +01:00
JonathonHall-Purism
f5377b3bd5
Merge pull request from JonathonHall-Purism/zip_updates
flash-gui.sh: Extend NPF archive format to ZIP, improve workflow
2023-11-17 10:21:44 -05:00
Jonathon Hall
6873df60c1
Remove CONFIG_BRAND_UPDATE_PKG_EXT, use zip everywhere
Nitrokey is going to switch from npf to zip per discussion.  Remove
this config.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-11-16 08:58:38 -05:00