TOTP Tweaks #607

Closed
wants to merge 2 commits into from
Closed
14 changes: 9 additions & 5 deletions initrd/bin/gui-init
Expand Up @@ -90,11 +90,9 @@ prompt_update_checksums()
}
update_totp()
{
echo "Scan the QR code to add the new TOTP secret"
echo -e "Scan the QR code to add the new TOTP secret...\n\n"
/bin/seal-totp
if [ -x /bin/libremkey_hotp_verification ]; then
echo "Once you have scanned the QR code, hit Enter to configure your Librem Key"
read
/bin/seal-libremkey
else
echo "Once you have scanned the QR code, hit Enter to continue"
Expand Down Expand Up @@ -169,8 +167,14 @@ while true; do
TOTP=`unseal-totp`
if [ $? -ne 0 ]; then
whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: TOTP Generation Failed!" \
--menu "ERROR: Heads couldn't generate the TOTP code.\n\nIf this is the first time the system has booted, you should reset the TPM\nand set your own password\n\nIf you just reflashed your BIOS, you'll need to generate a new TOTP secret.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 30 90 4 \
'g' ' Generate new TOTP/HOTP secret' \
--menu " ERROR: Heads couldn't generate the TOTP code.\n
If you have just completed a Factory Reset, or just reflashed
your BIOS, you should generate a new HOTP/TOTP secret.\n
If this is the first time the system has booted, you should
reset the TPM and set your own password.\n
If you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n
How would you like to proceed?" 30 90 4 \
'g' ' Generate new HOTP/TOTP secret' \
'i' ' Ignore error and continue to default boot menu' \
'p' ' Reset the TPM' \
'x' ' Exit to recovery shell' \
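Review bot: The rewritten dialog text starting at `--menu " ERROR: Heads couldn't generate the TOTP code.\n` carries hard line breaks inside a single double-quoted string, so whatever indentation the source uses for those continuation lines (not visible in the rendered view) presumably becomes part of the text shown in the dialog, and each line now ends with both a literal newline and a `\n`, which gives uneven blank lines. Building the message first, e.g. `printf -v msg '%s\n' "ERROR: Heads couldn't generate the TOTP code." "" "If you have just completed a Factory Reset, ..."` and passing `--menu "$msg"`, or keeping the `\n` escapes in one string as the removed line did, keeps the layout independent of source indentation. The enclosing `while true; do` loop begins and ends outside the hunk.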
47 changes: 32 additions & 15 deletions initrd/bin/seal-libremkey
Expand Up @@ -16,17 +16,24 @@ mount_boot()
fi
}

fatal_error()
{
echo -e "\nERROR: ${1}; press Enter to continue."
read
die "$1"
}

tpm nv_readvalue \
-in 4d47 \
-sz 312 \
-of "$HOTP_SEALED" \
|| die "Unable to retrieve sealed file from TPM NV"
|| fatal_error "Unable to retrieve sealed file from TPM NV"

tpm unsealfile \
-hk 40000000 \
-if "$HOTP_SEALED" \
-of "$HOTP_SECRET" \
|| die "Unable to unseal HOTP secret"
|| fatal_error "Unable to unseal HOTP secret"

shred -n 10 -z -u "$HOTP_SEALED" 2> /dev/null

Expand All @@ -50,29 +57,39 @@ counter_value=1

enable_usb
if ! libremkey_hotp_verification info ; then
echo "Insert your Librem Key and press Enter to configure it"
echo -e "\nInsert your Librem Key and press Enter to configure it"
read
if ! libremkey_hotp_verification info ; then
# don't leak key on failure
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
die "Unable to find Librem Key"
fatal_error "Unable to find Librem Key"
fi
fi

echo -e ""
read -s -p "Enter your Librem Key Admin PIN: " admin_pin
echo -e "\n"
# try using factory default admin PIN
admin_pin="12345678"
libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value >/dev/null 2>1

libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value
if [ $? -ne 0 ]; then
# prompt user for PIN and retry
echo ""
read -s -p "Enter your Librem Key Admin PIN: " admin_pin
echo -e "\n"
read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again: " admin_pin
echo -e "\n"
if ! libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value ; then
# don't leak key on failure
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
die "Setting HOTP secret failed"

libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value
if [ $? -ne 0 ]; then
echo -e "\n"
read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again: " admin_pin
echo -e "\n"
if ! libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value ; then
# don't leak key on failure
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
fatal_error "Setting HOTP secret failed"
fi
fi
else
# remind user to change admin password
echo -e "\nWARNING: default GPG admin PIN detected: please change this as soon as possible."
fi

# HOTP key no longer needed
Expand All @@ -88,7 +105,7 @@ mount -o remount,rw /boot

counter_value=`expr $counter_value + 1`
echo $counter_value > $HOTP_COUNTER \
|| die "Unable to create hotp counter file"
|| fatal_error "Unable to create hotp counter file"

#sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
#|| die "Unable to create hotp counter file"
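Review bot: In the new default-PIN attempt `libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value >/dev/null 2>1`, `2>1` sends stderr to a file literally named `1` in the working directory instead of discarding it; the intended form is `>/dev/null 2>&1`. The same line tries the factory Admin PIN `12345678` unconditionally, which counts as a failed Admin PIN entry on any key whose owner has already changed it; OpenPGP-card-based tokens typically allow only three Admin PIN failures before the Admin PIN is blocked, so together with the two interactive retries that follow, one run of this script can lock the key's Admin PIN. Asking the user whether the default PIN is still set, or at least printing that the default attempt failed before prompting, would avoid spending that retry silently. The surrounding script begins and ends outside the hunk.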