mirror of
https://github.com/linuxboot/heads.git
synced 2025-01-18 10:46:44 +00:00
fe34aba719
The HOTP counter isn't a secret but is just used to prevent replay attacks (the time-based counter in TOTP isn't a secret either) so it doesn't need to be protected in the TPM and storing it as a TPM monotonic counter was causing conflicts with the Heads configuration counter as TPM 1.2 can only increment one counter per reboot. This change moves the HOTP counter into the file in /boot that was previously keeping track of the TPM counter id.
93 lines
2.4 KiB
Bash
Executable File
93 lines
2.4 KiB
Bash
Executable File
#!/bin/sh
|
|
# Retrieve the sealed TOTP secret and initialize a Librem Key with it
|
|
|
|
. /etc/functions
|
|
|
|
HOTP_SEALED="/tmp/secret/hotp.sealed"
|
|
HOTP_SECRET="/tmp/secret/hotp.key"
|
|
HOTP_COUNTER="/boot/kexec_hotp_counter"
|
|
|
|
mount_boot()
|
|
{
|
|
# Mount local disk if it is not already mounted
|
|
if ! grep -q /boot /proc/mounts ; then
|
|
mount -o ro /boot \
|
|
|| recovery "Unable to mount /boot"
|
|
fi
|
|
}
|
|
|
|
tpm nv_readvalue \
|
|
-in 4d47 \
|
|
-sz 312 \
|
|
-of "$HOTP_SEALED" \
|
|
|| die "Unable to retrieve sealed file from TPM NV"
|
|
|
|
tpm unsealfile \
|
|
-hk 40000000 \
|
|
-if "$HOTP_SEALED" \
|
|
-of "$HOTP_SECRET" \
|
|
|| die "Unable to unseal HOTP secret"
|
|
|
|
rm -f "$HOTP_SEALED"
|
|
secret="`cat $HOTP_SECRET`"
|
|
rm -f "$HOTP_SECRET"
|
|
|
|
# Store counter in file instead of TPM for now, as it conflicts with Heads
|
|
# config TPM counter as TPM 1.2 can only increment one counter between reboots
|
|
# get current value of HOTP counter in TPM, create if absent
|
|
mount_boot
|
|
|
|
#check_tpm_counter $HOTP_COUNTER hotp \
|
|
#|| die "Unable to find/create TPM counter"
|
|
#counter="$TPM_COUNTER"
|
|
#
|
|
#counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")')
|
|
#if [ "$counter_value" == "" ]; then
|
|
# die "Unable to read HOTP counter"
|
|
#fi
|
|
|
|
#counter_value=$(printf "%d" 0x${counter_value})
|
|
|
|
counter_value=1
|
|
|
|
enable_usb
|
|
if ! libremkey_hotp_verification info ; then
|
|
echo "Insert your Librem Key and press Enter to configure it"
|
|
read
|
|
libremkey_hotp_verification info \
|
|
|| die "Unable to find Librem Key"
|
|
fi
|
|
|
|
read -s -p "Enter your Librem Key Admin PIN" admin_pin
|
|
echo
|
|
|
|
libremkey_hotp_initialize $admin_pin $secret $counter_value
|
|
if [ $? -ne 0 ]; then
|
|
read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again:" admin_pin
|
|
libremkey_hotp_initialize $admin_pin $secret $counter_value \
|
|
|| die "Setting HOTP secret failed"
|
|
fi
|
|
|
|
secret=""
|
|
|
|
# Make sure our counter is incremented ahead of the next check
|
|
#increment_tpm_counter $counter > /dev/null \
|
|
#|| die "Unable to increment tpm counter"
|
|
#increment_tpm_counter $counter > /dev/null \
|
|
#|| die "Unable to increment tpm counter"
|
|
|
|
mount -o remount,rw /boot
|
|
|
|
counter_value=`expr $counter_value + 1`
|
|
echo $counter_value > $HOTP_COUNTER \
|
|
|| die "Unable to create hotp counter file"
|
|
|
|
#sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
|
|
#|| die "Unable to create hotp counter file"
|
|
mount -o remount,ro /boot
|
|
|
|
echo "Librem Key initialized successfully. Press Enter to continue."
|
|
read
|
|
|
|
exit 0
|