ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-21 13:57:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
075d40950b
heads/initrd/bin/unseal-hotp
Jonathon Hall 0a35ef912f
Use 160 bits of ROM hash for TPM-less HOTP secret (up from 80) 
HOTP/TOTP secrets don't have to be printable.  Use binary data to
include 160 bits of entropy instead of just 80.

The secret is still limited to 20 bytes.  Most keys now support up to
40 bytes, but tpmtotp is still limited to 20 bytes.

Move the truncation to 20 bytes a bit later, for future improvements to
detect the key's actual limit.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-05 10:18:06 -04:00

72 lines
1.9 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Retrieve the sealed file and counter from the NVRAM, unseal it and compute the hotp
. /etc/functions
HOTP_SECRET="/tmp/secret/hotp.key"
HOTP_COUNTER="/boot/kexec_hotp_counter"
mount_boot_or_die()
{
TRACE "Under /bin/unseal-hotp:mount_boot_or_die"
# Mount local disk if it is not already mounted
if ! grep -q /boot /proc/mounts ; then
mount -o ro /boot \
|| die "Unable to mount /boot"
fi
}
TRACE "Under /bin/unseal-hotp"
# Store counter in file instead of TPM for now, as it conflicts with Heads
# config TPM counter as TPM 1.2 can only increment one counter between reboots
# get current value of HOTP counter in TPM, create if absent
mount_boot_or_die
#check_tpm_counter $HOTP_COUNTER hotp \
#|| die "Unable to find/create TPM counter"
#counter="$TPM_COUNTER"
#
#counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")')
#
counter_value=$(cat $HOTP_COUNTER)
if [ "$counter_value" == "" ]; then
die "Unable to read HOTP counter"
fi
#counter_value=$(printf "%d" 0x${counter_value})
if [ "$CONFIG_TPM" = "y" ]; then
DEBUG "Unsealing HOTP secret reuses TOTP sealed secret..."
tpmr unseal 4d47 0,1,2,3,4,7 312 "$HOTP_SECRET"
else
# without a TPM, generate a secret based on the SHA-256 of the ROM
secret_from_rom_hash > "$HOTP_SECRET" || die "Reading ROM failed"
fi
# Truncate the secret if it is longer than the maximum HOTP secret
truncate_max_bytes 20 "$HOTP_SECRET"
if ! hotp $counter_value < "$HOTP_SECRET"; then
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
die 'Unable to compute HOTP hash?'
fi
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
#increment_tpm_counter $counter > /dev/null \
#|| die "Unable to increment tpm counter"
mount -o remount,rw /boot
counter_value=`expr $counter_value + 1`
echo $counter_value > $HOTP_COUNTER \
|| die "Unable to create hotp counter file"
#sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
#|| die "Unable to create hotp counter file"
mount -o remount,ro /boot
exit 0
Reference in New Issue View Git Blame Copy Permalink