Skip to content

Commit

Permalink
WiP initrd/bin/oem-factory-reset: add qrcode+secet output loop until …
Browse files Browse the repository at this point in the history
…user press y (end of reownership wizard secret output)

Signed-off-by: Thierry Laurion <insurgo@riseup.net>

works:
- oem and user mode passphrase generation
- qrcode

missing:
- unattended
  - luks reencryption + passphrase change for OEM mode (only input to be provided) with SINGLE passphrase when in unattended mode
    - same for user reownership when previously OEM reset unattended

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
  • Loading branch information
tlaurion committed Nov 21, 2024
1 parent cd5d31c commit b681574
Show file tree
Hide file tree
Showing 2 changed files with 27 additions and 20 deletions.
31 changes: 21 additions & 10 deletions initrd/bin/oem-factory-reset
Original file line number Diff line number Diff line change
Expand Up @@ -23,12 +23,10 @@ CANCEL="--no-button Cancel"
HEIGHT="0"
WIDTH="80"

# Default values
USER_PIN_DEF=123456
ADMIN_PIN_DEF=12345678
TPM_PASS_DEF=12345678
USER_PIN=""
ADMIN_PIN=""
TPM_PASS=""
GPG_GEN_KEY_IN_MEMORY="n"
GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD="n"

Expand All @@ -50,11 +48,16 @@ handle_mode() {
case $mode in
oem)
DEBUG "OEM mode selected"
# Add OEM mode specific logic here
CUSTOM_SINGLE_PASS=$(generate_passphrase --number_words 2 --max_length $MAX_HOTP_GPG_PIN_LENGTH)
USER_PIN=$CUSTOM_SINGLE_PASS
ADMIN_PIN=$CUSTOM_SINGLE_PASS
TPM_PASS=$CUSTOM_SINGLE_PASS
;;
user)
DEBUG "User mode selected"
# Add User mode specific logic here
USER_PIN=$(generate_passphrase --number_words 2 --max_length $MAX_HOTP_GPG_PIN_LENGTH)
ADMIN_PIN=$(generate_passphrase --number_words 2 --max_length $MAX_HOTP_GPG_PIN_LENGTH)
TPM_PASS=$ADMIN_PIN
;;
*)
warn "Unknown mode: $mode"
Expand All @@ -81,6 +84,9 @@ done
# Handle the --mode parameter if provided
if [[ -n "$MODE" ]]; then
handle_mode "$MODE"
else
# Default to User Re-Ownership mode
handle_mode "user"
fi

#Override RSA_KEY_LENGTH to 2048 bits for Canokey under qemu testing boards until canokey fixes
Expand Down Expand Up @@ -719,9 +725,10 @@ generate_checksums() {
fi

DEBUG "Detach-signing boot files under kexec.sig: ${param_files}"
if sha256sum $param_files 2>/dev/null | DO_WITH_DEBUG gpg \

if sha256sum $param_files 2>/dev/null | gpg \
--pinentry-mode loopback \
--passphrase "${USER_PIN}" \
--passphrase-file <(echo -n "$USER_PIN") \
--digest-algo SHA256 \
--detach-sign \
-a \
Expand Down Expand Up @@ -1371,14 +1378,18 @@ if [ "$GPG_GEN_KEY_IN_MEMORY" = "y" ]; then
passphrases+="GPG key material backup passphrase: ${ADMIN_PIN}\n"
fi

# Show qrcode of configured secrets and ask user to confirm scanning of and loop until confirmed with qrenc $passphrases
# Show configured secrets in whiptail and loop until user confirms qr code was scanned
while true; do
whiptail --msgbox "
$(echo -e "$passphrases" | fold -w $((WIDTH - 5)))" \
$HEIGHT $WIDTH --title "Configured secrets"
qrencode "$passphrases"
# strip the initial newline of passphrases
qr_code=$(echo -e "$passphrases" | sed '1s/^\n//')
#Tell user to scan the QR code containing all configured secrets
echo -e "\nScan the QR code below to save the secrets to a secure location"
qrenc "$qr_code"
# Prompt user to confirm scanning of qrcode on console prompt not whiptail: y/n
echo -e -n "Please confirm you have scanned the QR code above [y/N]: "
echo -e -n "Please confirm you have scanned the QR code above and/or written down the secrets? [y/N]: "
read -n 1 prompt_output
echo
if [ "$prompt_output" == "y" -o "$prompt_output" == "Y" ]; then
Expand Down
16 changes: 6 additions & 10 deletions initrd/etc/functions
Original file line number Diff line number Diff line change
Expand Up @@ -887,7 +887,7 @@ generate_passphrase() {
local dictionary_file="$2"
local word=""

word=$(grep "^$rolls" "$dictionary_file" | awk '{print $2}')
word=$(grep "^$rolls" "$dictionary_file" | awk -F ' ' '{print $2}')
echo "$word"
}

Expand All @@ -898,17 +898,14 @@ generate_passphrase() {
local rolls=""
local random_bytes

# Read num_rolls bytes from /dev/urandom in one go
random_bytes=$(dd if=/dev/urandom bs=1 count="$num_rolls" 2>/dev/null | hexdump -e '1/1 "%u\n"')
# Read num_rolls bytes from /dev/random, fed by CPU RRAND in one go
random_bytes=$(dd if=/dev/random bs=1 count="$num_rolls" 2>/dev/null | hexdump -e '1/1 "%u\n"')

# Process each byte to generate a dice roll
while read -r byte; do
roll=$((byte % 6 + 1))
DEBUG "Randomized dice roll: $roll"
rolls+=$roll
done <<<"$random_bytes"

DEBUG "Generated dice rolls: $rolls"
echo "$rolls"
}

Expand Down Expand Up @@ -978,15 +975,12 @@ generate_passphrase() {
exit 1
fi

digits=${#key}
DEBUG "Number of digits in dice rolls: $digits"
digits=${#key} #Number of digits in dice rolls

for ((i = 0; i < num_words; ++i)); do
key=$(generate_dice_rolls "$digits")
word=$(get_word_from_dictionary "$key" "$dictionary_file")
DEBUG "Retrieved word: $word"
if [[ "$lowercase" == "false" ]]; then
DEBUG "Capitalizing the first letter of the word"
word=${word^} # Capitalize the first letter
fi
passphrase+="$word "
Expand All @@ -997,6 +991,8 @@ generate_passphrase() {
fi
done

#Remove passphrase trailing space from passphrase+="$word"
passphrase=${passphrase% }
echo "$passphrase"
return 0
}

0 comments on commit b681574

Please sign in to comment.