ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-20 05:28:08 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
9d34dd6687
heads/initrd/bin/seal-hotpkey
Thierry Laurion 536f4a1623
Small cosmetic/typo related changes, ccache enablement for coreboot and reduction of unseal attempts 
gui-init: do not consume two unseal attempt to unseal both totp and hotp + cosmetic changes (slow down TPM DA lockout)
kexec-seal-key: Add DEBUG statement for PCR precalc
seal-totp: add DEBUG statements regarding skipping of PCR5 and PCR6 involvement into TOTP/HOTP sealing ops
seal-hotpkey: Add DEBUG statements related to reuse of TOTP sealed secret
tpmr: add DO_WITH_DEBUG calls to output pcrread and extend calls
tpmr: typo correction stating TRACE calls for tpm2 where it was for tpm1
tpmr: add DO_WITH_DEBUG calls for calcfuturepcr
functions: Cosmetic fix on pause_recovery asking user to press Enter to go to recovery shell on host console when board defines CONFIG_BOOT_RECOVERY_SERIAL

Not so related but part of output review and corrections:
kexec-insert-key: cosmetic changes prepending "+++" to disk related changes
kexec-save-default: cosmetic changes prepending "+++" to disk related changes
config/coreboot-qemu-tpm*.config: add ccache support for faster coreboot rebuild times
2023-03-10 12:11:57 -05:00

116 lines
3.3 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Retrieve the sealed TOTP secret and initialize a USB Security dongle with it
. /etc/functions
HOTP_SECRET="/tmp/secret/hotp.key"
HOTP_COUNTER="/boot/kexec_hotp_counter"
HOTP_KEY="/boot/kexec_hotp_key"
mount_boot()
{
TRACE "Under /bin/seal-htopkey:mount_boot"
# Mount local disk if it is not already mounted
if ! grep -q /boot /proc/mounts ; then
mount -o ro /boot \
|| recovery "Unable to mount /boot"
fi
}
TRACE "Under /bin/seal-hotpkey"
# Use stored HOTP key branding (this might be useful after OEM reset)
if [ -r /boot/kexec_hotp_key ]; then
HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)"
else
HOTPKEY_BRANDING="HOTP USB Security Dongle"
fi
if [ "$CONFIG_TPM" = "y" ]; then
DEBUG "Sealing HOTP secret reuses TOTP sealed secret..."
tpmr unseal 4d47 0,1,2,3,4,7 312 "$HOTP_SECRET" \
|| die "Unable to unseal HOTP secret"
fi
# Store counter in file instead of TPM for now, as it conflicts with Heads
# config TPM counter as TPM 1.2 can only increment one counter between reboots
# get current value of HOTP counter in TPM, create if absent
mount_boot
#check_tpm_counter $HOTP_COUNTER hotp \
#|| die "Unable to find/create TPM counter"
#counter="$TPM_COUNTER"
#
#counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")')
#if [ "$counter_value" == "" ]; then
# die "Unable to read HOTP counter"
#fi
#counter_value=$(printf "%d" 0x${counter_value})
counter_value=1
enable_usb
if ! hotp_verification info ; then
echo "Insert your $HOTPKEY_BRANDING and press Enter to configure it"
read
if ! hotp_verification info ; then
# don't leak key on failure
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
die "Unable to find $HOTPKEY_BRANDING"
fi
fi
# Set HOTP USB Security Dongle branding based on VID
if lsusb | grep -q "20a0:" ; then
HOTPKEY_BRANDING="Nitrokey"
elif lsusb | grep -q "316d:" ; then
HOTPKEY_BRANDING="Librem Key"
else
HOTPKEY_BRANDING="HOTP USB Security Dongle"
fi
echo -e ""
read -s -p "Enter your $HOTPKEY_BRANDING Admin PIN: " admin_pin
echo -e "\n"
hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING"
if [ $? -ne 0 ]; then
echo -e "\n"
read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again: " admin_pin
echo -e "\n"
if ! hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" ; then
# don't leak key on failure
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
die "Setting HOTP secret failed"
fi
fi
# HOTP key no longer needed
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
# Make sure our counter is incremented ahead of the next check
#increment_tpm_counter $counter > /dev/null \
#|| die "Unable to increment tpm counter"
#increment_tpm_counter $counter > /dev/null \
#|| die "Unable to increment tpm counter"
mount -o remount,rw /boot
counter_value=`expr $counter_value + 1`
echo $counter_value > $HOTP_COUNTER \
|| die "Unable to create hotp counter file"
# Store/overwrite HOTP USB Security Dongle branding found out beforehand
echo $HOTPKEY_BRANDING > $HOTP_KEY \
|| die "Unable to store hotp key file"
#sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
#|| die "Unable to create hotp counter file"
mount -o remount,ro /boot
echo -e "\n$HOTPKEY_BRANDING initialized successfully. Press Enter to continue."
read
exit 0
Reference in New Issue View Git Blame Copy Permalink