mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-22 06:17:52 +00:00
d094dcd346
Reduce friction when generating a new TOTP/HOTP secret by eliminating an unnecessary 'press enter to continue' prompt following QR code generation, and by attempting to use the default admin PIN set by the OEM factory reset function. Fall back to prompting the user if the default PIN fails. Also, ensure error messages are visible to users before being returned back to the GUI menu from which they came by wrapping existing calls to die() Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
135 lines
3.9 KiB
Bash
Executable File
135 lines
3.9 KiB
Bash
Executable File
#!/bin/bash
|
|
# Retrieve the sealed TOTP secret and initialize a USB Security dongle with it
|
|
|
|
. /etc/functions
|
|
|
|
HOTP_SECRET="/tmp/secret/hotp.key"
|
|
HOTP_COUNTER="/boot/kexec_hotp_counter"
|
|
HOTP_KEY="/boot/kexec_hotp_key"
|
|
|
|
mount_boot()
|
|
{
|
|
TRACE "Under /bin/seal-htopkey:mount_boot"
|
|
# Mount local disk if it is not already mounted
|
|
if ! grep -q /boot /proc/mounts ; then
|
|
mount -o ro /boot \
|
|
|| recovery "Unable to mount /boot"
|
|
fi
|
|
}
|
|
|
|
TRACE "Under /bin/seal-hotpkey"
|
|
|
|
fatal_error()
|
|
{
|
|
echo -e "\nERROR: ${1}; press Enter to continue."
|
|
read
|
|
die "$1"
|
|
}
|
|
|
|
# Use stored HOTP key branding (this might be useful after OEM reset)
|
|
if [ -r /boot/kexec_hotp_key ]; then
|
|
HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)"
|
|
else
|
|
HOTPKEY_BRANDING="HOTP USB Security Dongle"
|
|
fi
|
|
|
|
if [ "$CONFIG_TPM" = "y" ]; then
|
|
DEBUG "Sealing HOTP secret reuses TOTP sealed secret..."
|
|
tpmr unseal 4d47 0,1,2,3,4,7 312 "$HOTP_SECRET" \
|
|
|| fatal_error "Unable to unseal HOTP secret"
|
|
else
|
|
# without a TPM, use the first 20 characters of the ROM SHA256sum
|
|
secret_from_rom_hash > "$HOTP_SECRET"
|
|
fi
|
|
|
|
# Store counter in file instead of TPM for now, as it conflicts with Heads
|
|
# config TPM counter as TPM 1.2 can only increment one counter between reboots
|
|
# get current value of HOTP counter in TPM, create if absent
|
|
mount_boot
|
|
|
|
#check_tpm_counter $HOTP_COUNTER hotp \
|
|
#|| die "Unable to find/create TPM counter"
|
|
#counter="$TPM_COUNTER"
|
|
#
|
|
#counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")')
|
|
#if [ "$counter_value" == "" ]; then
|
|
# die "Unable to read HOTP counter"
|
|
#fi
|
|
|
|
#counter_value=$(printf "%d" 0x${counter_value})
|
|
|
|
counter_value=1
|
|
|
|
enable_usb
|
|
if ! hotp_verification info ; then
|
|
echo -e "\nInsert your $HOTPKEY_BRANDING and press Enter to configure it"
|
|
read
|
|
if ! hotp_verification info ; then
|
|
# don't leak key on failure
|
|
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
|
|
fatal_error "Unable to find $HOTPKEY_BRANDING"
|
|
fi
|
|
fi
|
|
|
|
# Set HOTP USB Security Dongle branding based on VID
|
|
if lsusb | grep -q "20a0:" ; then
|
|
HOTPKEY_BRANDING="Nitrokey"
|
|
elif lsusb | grep -q "316d:" ; then
|
|
HOTPKEY_BRANDING="Librem Key"
|
|
else
|
|
HOTPKEY_BRANDING="HOTP USB Security Dongle"
|
|
fi
|
|
|
|
# try using factory default admin PIN
|
|
admin_pin="12345678"
|
|
hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" >/dev/null 2>&1
|
|
if [ $? -ne 0 ]; then
|
|
# prompt user for PIN and retry
|
|
echo ""
|
|
read -s -p "Enter your $HOTPKEY_BRANDING Admin PIN: " admin_pin
|
|
echo -e "\n"
|
|
|
|
hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING"
|
|
if [ $? -ne 0 ]; then
|
|
echo -e "\n"
|
|
read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again: " admin_pin
|
|
echo -e "\n"
|
|
if ! hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" ; then
|
|
# don't leak key on failure
|
|
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
|
|
fatal_error "Setting HOTP secret failed"
|
|
fi
|
|
fi
|
|
else
|
|
# remind user to change admin password
|
|
echo -e "\nWARNING: default GPG admin PIN detected: please change this as soon as possible."
|
|
fi
|
|
|
|
# HOTP key no longer needed
|
|
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
|
|
|
|
# Make sure our counter is incremented ahead of the next check
|
|
#increment_tpm_counter $counter > /dev/null \
|
|
#|| die "Unable to increment tpm counter"
|
|
#increment_tpm_counter $counter > /dev/null \
|
|
#|| die "Unable to increment tpm counter"
|
|
|
|
mount -o remount,rw /boot
|
|
|
|
counter_value=`expr $counter_value + 1`
|
|
echo $counter_value > $HOTP_COUNTER \
|
|
|| fatal_error "Unable to create hotp counter file"
|
|
|
|
# Store/overwrite HOTP USB Security Dongle branding found out beforehand
|
|
echo $HOTPKEY_BRANDING > $HOTP_KEY \
|
|
|| die "Unable to store hotp key file"
|
|
|
|
#sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
|
|
#|| die "Unable to create hotp counter file"
|
|
mount -o remount,ro /boot
|
|
|
|
echo -e "\n$HOTPKEY_BRANDING initialized successfully. Press Enter to continue."
|
|
read
|
|
|
|
exit 0
|