From 6dcc53c5649955bed0c0d82d3892962d1a5e1cf8 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Sat, 18 Feb 2023 14:13:11 -0500 Subject: [PATCH] WiP --- initrd/bin/cbfs-init | 2 + initrd/bin/cbfs.sh | 2 + initrd/bin/config-gui.sh | 2 + initrd/bin/flash-gui.sh | 2 + initrd/bin/flash.sh | 2 + initrd/bin/flashrom-kgpe-d16-openbmc.sh | 2 + initrd/bin/generic-init | 1 + initrd/bin/gpg-gui.sh | 1 + initrd/bin/gpgv | 1 + initrd/bin/gui-init | 39 ++--- initrd/bin/kexec-boot | 2 + initrd/bin/kexec-insert-key | 8 +- initrd/bin/kexec-iso-init | 2 + initrd/bin/kexec-parse-bls | 3 + initrd/bin/kexec-parse-boot | 3 + initrd/bin/kexec-save-default | 4 +- initrd/bin/kexec-seal-key | 2 + initrd/bin/kexec-select-boot | 2 + initrd/bin/kexec-sign-config | 2 + initrd/bin/kexec-unseal-key | 2 + initrd/bin/key-init | 2 + initrd/bin/media-scan | 2 + initrd/bin/mount-usb | 2 + initrd/bin/network-init-recovery | 2 + initrd/bin/oem-factory-reset | 2 + initrd/bin/oem-system-info-xx30 | 2 + initrd/bin/poweroff | 3 + initrd/bin/qubes-measure-luks | 2 + initrd/bin/reboot | 3 + initrd/bin/seal-hotpkey | 203 ++++++++++++------------ initrd/bin/seal-totp | 2 + initrd/bin/unseal-hotp | 85 +++++----- initrd/bin/unseal-totp | 2 + initrd/bin/usb-init | 2 + initrd/bin/wget-measure.sh | 3 + initrd/bin/x230-flash.init | 2 + initrd/etc/functions | 36 ++--- 37 files changed, 259 insertions(+), 180 deletions(-) diff --git a/initrd/bin/cbfs-init b/initrd/bin/cbfs-init index ee6276a8e..2aa46d5f3 100755 --- a/initrd/bin/cbfs-init +++ b/initrd/bin/cbfs-init @@ -2,6 +2,8 @@ set -e -o pipefail . /etc/functions +DEBUG "Under /bin/cbfs-init" + # Update initrd with CBFS files if [ -z "$CONFIG_PCR" ]; then CONFIG_PCR=7 diff --git a/initrd/bin/cbfs.sh b/initrd/bin/cbfs.sh index cea0f6c86..e5f63c6bb 100755 --- a/initrd/bin/cbfs.sh +++ b/initrd/bin/cbfs.sh 
@@ -3,6 +3,8 @@ set -e -o pipefail . /etc/functions . /tmp/config +DEBUG "Under /bin/cbfs.sh" + if pnor "$2" -r HBI > /tmp/pnor.part 2>/dev/null; then cbfs "$@" -o /tmp/pnor.part && pnor "$2" -w HBI < /tmp/pnor.part else diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh index 23e234a1c..0a4fcf7f4 100755 --- a/initrd/bin/config-gui.sh +++ b/initrd/bin/config-gui.sh @@ -5,6 +5,8 @@ set -e -o pipefail . /etc/gui_functions . /tmp/config +DEBUG "Under /bin/config-gui.sh" + param=$1 while true; do diff --git a/initrd/bin/flash-gui.sh b/initrd/bin/flash-gui.sh index 3d858c911..15394ecae 100755 --- a/initrd/bin/flash-gui.sh +++ b/initrd/bin/flash-gui.sh @@ -5,6 +5,8 @@ set -e -o pipefail . /etc/gui_functions . /tmp/config +DEBUG "Under /bin/flash-gui.sh" + while true; do unset menu_choice whiptail $BG_COLOR_MAIN_MENU --title "Firmware Management Menu" \ diff --git a/initrd/bin/flash.sh b/initrd/bin/flash.sh index 14a99fa57..0f190a6d5 100755 --- a/initrd/bin/flash.sh +++ b/initrd/bin/flash.sh @@ -6,6 +6,8 @@ set -e -o pipefail . /etc/functions . /tmp/config +DEBUG "Under /bin/flash.sh" + case "$CONFIG_FLASHROM_OPTIONS" in -* ) echo "Board $CONFIG_BOARD detected, continuing..." diff --git a/initrd/bin/flashrom-kgpe-d16-openbmc.sh b/initrd/bin/flashrom-kgpe-d16-openbmc.sh index 138ce0356..39a4ab8a9 100755 --- a/initrd/bin/flashrom-kgpe-d16-openbmc.sh +++ b/initrd/bin/flashrom-kgpe-d16-openbmc.sh @@ -1,6 +1,8 @@ #!/bin/sh . /etc/functions +DEBUG "Under /bin/flashrom-kgpe-d16-openbmc.sh" + ROM="$1" if [ -z "$1" ]; then die "Usage: $0 /media/kgpe-d16-openbmc.rom" diff --git a/initrd/bin/generic-init b/initrd/bin/generic-init index b63b0a05c..0c3de5e25 100755 --- a/initrd/bin/generic-init +++ b/initrd/bin/generic-init @@ -6,6 +6,7 @@ mount_boot() { + DEBUG "Under /bin/generic-init:mount_boot" # Mount local disk if it is not already mounted if ! grep -q /boot /proc/mounts ; then mount -o ro /boot \ 
diff --git a/initrd/bin/gpg-gui.sh b/initrd/bin/gpg-gui.sh index 4171733c2..a68f5a681 100755 --- a/initrd/bin/gpg-gui.sh +++ b/initrd/bin/gpg-gui.sh @@ -5,6 +5,7 @@ set -e -o pipefail . /etc/gui_functions . /tmp/config +DEBUG "Under /bin/gpg-gui.sh" gpg_flash_rom() { if [ "$1" = "replace" ]; then diff --git a/initrd/bin/gpgv b/initrd/bin/gpgv index 2bb9b2464..5f90fd420 100755 --- a/initrd/bin/gpgv +++ b/initrd/bin/gpgv @@ -1,3 +1,4 @@ #!/bin/sh # if we are using the full GPG we need a wrapper for the gpgv executable +DEBUG "Under /bin/gpgv" exec gpg --verify "$@" diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 7978702b2..35c7de978 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -17,7 +17,7 @@ skip_to_menu="false" mount_boot() { - DEBUG "under gui-init:mount_boot" + DEBUG "Under /bin/gui-init:mount_boot" # Mount local disk if it is not already mounted while ! grep -q /boot /proc/mounts ; do # try to mount if CONFIG_BOOT_DEV exists @@ -63,7 +63,7 @@ mount_boot() verify_global_hashes() { - DEBUG "under gui-init:verify_global_hashes" + DEBUG "Under /bin/gui-init:verify_global_hashes" # Check the hashes of all the files, ignoring signatures for now check_config /boot force TMP_HASH_FILE="/tmp/kexec/kexec_hashes.txt" @@ -138,7 +138,7 @@ verify_global_hashes() prompt_update_checksums() { - DEBUG "under gui-init:prompt_update_checksums" + DEBUG "Under /bin/gui-init:prompt_update_checksums" if (whiptail $BG_COLOR_WARNING --title 'Update Checksums and sign all files in /boot' \ --yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that these files have not been tampered with.\n\nYou will need your GPG key available, and this change will modify your disk.\n\nDo you want to continue?" 0 80) then if ! update_checksums ; then 
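Review bot: `DEBUG` is not in scope in this wrapper: the gpgv hunk covers the whole file (`@@ -1,3 +1,4 @@`) and nothing sources `/etc/functions` before the new call, so every signature verification now begins with a `DEBUG: not found` error on stderr before `exec gpg --verify "$@"` runs. Either add `. /etc/functions` above it or drop the call; gpgv is a two-line exec shim and any noise on its stderr makes a real gpg verification error harder to read for the caller and the user.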
@@ -150,7 +150,7 @@ prompt_update_checksums() generate_totp_htop() { - DEBUG "under gui-init:generate_totp_htop" + DEBUG "Under /bin/gui-init:generate_totp_htop" echo "Scan the QR code to add the new TOTP secret" if /bin/seal-totp "$BOARD_NAME"; then if [ -x /bin/hotp_verification ]; then @@ -170,7 +170,7 @@ generate_totp_htop() update_totp() { - DEBUG "under gui-init:update_totp" + DEBUG "Under /bin/gui-init:update_totp" # update the TOTP code date=`date "+%Y-%m-%d %H:%M:%S %Z"` if [ "$CONFIG_TPM" = n ]; then @@ -221,7 +221,7 @@ update_totp() update_hotp() { - DEBUG "under gui-init:update_hotp" + DEBUG "Under /bin/gui-init:update_hotp begin" if [ -x /bin/hotp_verification ]; then HOTP=`unseal-hotp` if ! hotp_verification info ; then @@ -256,11 +256,12 @@ update_hotp() else HOTP='N/A' fi + DEBUG "Under /bin/gui-init:update_hotp end" } clean_boot_check() { - DEBUG "under gui-init:mount_boot" + DEBUG "Under /bin/gui-init:mount_boot" # assume /boot mounted if ! grep -q /boot /proc/mounts ; then return @@ -289,7 +290,7 @@ clean_boot_check() check_gpg_key() { - DEBUG "under gui-init:check_gpg_key" + DEBUG "Under /bin/gui-init:check_gpg_key" GPG_KEY_COUNT=`gpg -k 2>/dev/null | wc -l` if [ $GPG_KEY_COUNT -eq 0 ]; then BG_COLOR_MAIN_MENU=$BG_COLOR_ERROR @@ -326,7 +327,7 @@ check_gpg_key() prompt_auto_default_boot() { - DEBUG "under gui-init:prompt_auto_default_boot" + DEBUG "Under /bin/gui-init:prompt_auto_default_boot" # save IFS before changing, restore after read IFS_DEF=$IFS IFS='' @@ -343,7 +344,7 @@ prompt_auto_default_boot() show_main_menu() { - DEBUG "under gui-init:show_main_menu" + DEBUG "Under /bin/gui-init:show_main_menu" date=`date "+%Y-%m-%d %H:%M:%S %Z"` whiptail $BG_COLOR_MAIN_MENU --title "$MAIN_MENU_TITLE" \ --menu "$date\nTOTP: $TOTP | HOTP: $HOTP" 0 80 10 \ 
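Review bot: The rewritten trace line in `clean_boot_check` still names the wrong function — `DEBUG "Under /bin/gui-init:mount_boot"` — so the debug log will attribute the /boot cleanliness check to `mount_boot`, which already emits the identical string earlier in the file. Since the commit touches the line anyway it should read `DEBUG "Under /bin/gui-init:clean_boot_check"`. The body of `clean_boot_check` continues past the hunk.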
@@ -377,7 +378,7 @@ show_main_menu() show_options_menu() { - DEBUG "under gui-init:show_options_menu" + DEBUG "Under /bin/gui-init:show_options_menu" whiptail $BG_COLOR_MAIN_MENU --title "HEADS Options" \ --menu "" 0 80 10 \ 'b' ' Boot Options -->' \ @@ -434,7 +435,7 @@ show_options_menu() show_boot_options_menu() { - DEBUG "under gui-init:show_boot_options_menu" + DEBUG "Under /bin/gui-init:show_boot_options_menu" whiptail $BG_COLOR_MAIN_MENU --title "Boot Options" \ --menu "Select A Boot Option" 0 80 10 \ 'm' ' Show OS boot menu' \ @@ -462,7 +463,7 @@ show_boot_options_menu() show_tpm_totp_hotp_options_menu() { - DEBUG "under gui-init:show_tpm_totp_hotp_options_menu" + DEBUG "Under /bin/gui-init:show_tpm_totp_hotp_options_menu" whiptail $BG_COLOR_MAIN_MENU --title "TPM/TOTP/HOTP Options" \ --menu "Select An Option" 0 80 10 \ 'g' ' Generate new TOTP/HOTP secret' \ @@ -489,7 +490,7 @@ show_tpm_totp_hotp_options_menu() prompt_totp_mismatch() { - DEBUG "under gui-init:prompt_totp_mismatch" + DEBUG "Under /bin/gui-init:prompt_totp_mismatch" if (whiptail $BG_COLOR_WARNING --title "TOTP/HOTP code mismatched" \ --yesno "TOTP/HOTP code mismatches could indicate either TPM tampering or clock drift:\n\nTo correct clock drift: 'date -s yyyy-MM-DD hh:mm:ss' in UTC timezone\nand save it to the RTC: 'hwclock -w'\nthen reboot and try again.\n\nWould you like to exit to a recovery console?" 0 80) then echo "" @@ -506,7 +507,7 @@ prompt_totp_mismatch() reset_tpm() { - DEBUG "under gui-init:reset_tpm" + DEBUG "Under /bin/gui-init:reset_tpm" if [ "$CONFIG_TPM" = "y" ]; then if (whiptail $BG_COLOR_WARNING --title 'Reset the TPM' \ --yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 0 80) then 
@@ -540,7 +541,7 @@ reset_tpm() show_system_info() { - DEBUG "under gui-init:show_system_info" + DEBUG "Under /bin/gui-init:show_system_info" battery_charge="$(print_battery_charge)" battery_health="$(print_battery_health)" if [ -n $battery_charge -a -n $battery_health ];then @@ -558,7 +559,7 @@ show_system_info() select_os_boot_option() { - DEBUG "under gui-init:select_os_boot_option" + DEBUG "Under /bin/gui-init:select_os_boot_option" mount_boot if verify_global_hashes ; then kexec-select-boot -m -b /boot -c "grub.cfg" -g @@ -567,7 +568,7 @@ select_os_boot_option() attempt_default_boot() { - DEBUG "under gui-init:attempt_default_boot" + DEBUG "Under /bin/gui-init:attempt_default_boot" mount_boot if ! verify_global_hashes; then @@ -585,7 +586,7 @@ attempt_default_boot() force_unsafe_boot() { - DEBUG "under gui-init:force_unsafe_boot" + DEBUG "Under /bin/gui-init:force_unsafe_boot" # Run the menu selection in "force" mode, bypassing hash checks if (whiptail $BG_COLOR_WARNING --title 'Unsafe Forced Boot Selected!' \ --yesno "WARNING: You have chosen to skip all tamper checks and boot anyway.\n\nThis is an unsafe option!\n\nDo you want to proceed?" 0 80) then diff --git a/initrd/bin/kexec-boot b/initrd/bin/kexec-boot index 50f806f37..feb5e6220 100755 --- a/initrd/bin/kexec-boot +++ b/initrd/bin/kexec-boot @@ -4,6 +4,8 @@ set -e -o pipefail . /tmp/config . /etc/functions +DEBUG "Under /bin/kexec-boot" + dryrun="n" printfiles="n" printinitrd="n" diff --git a/initrd/bin/kexec-insert-key b/initrd/bin/kexec-insert-key index 8894da128..a9faa1c00 100755 --- a/initrd/bin/kexec-insert-key +++ b/initrd/bin/kexec-insert-key @@ -3,6 +3,8 @@ set -e -o pipefail . /etc/functions +DEBUG "Under /bin/kexec-insert-key" + TMP_KEY_DEVICES="/tmp/kexec/kexec_key_devices.txt" TMP_KEY_LVM="/tmp/kexec/kexec_key_lvm.txt" 
@@ -77,8 +79,8 @@ if [ "$unseal_failed" = "n" ]; then # kexec-save-default might have created crypttab overrides to be injected in initramfs through additional cpio if [ -r "$bootdir/kexec_initrd_crypttab_overrides.txt" ]; then echo "$bootdir/kexec_initrd_crypttab_overrides.txt found..." - echo "Preparing initramfs crypttab overrides as defined under $bootdir/kexec_initrd_crypttab_overrides.txt to be injected through cpio at next kexec call..." - # kexec-save-default has found crypttab files under initrd and saved them + echo "Preparing initramfs crypttab overrides as defined under /bin/$bootdir/kexec_initrd_crypttab_overrides.txt to be injected through cpio at next kexec call..." + # kexec-save-default has found crypttab files under /bin/initrd and saved them cat "$bootdir/kexec_initrd_crypttab_overrides.txt" | while read line; do crypttab_file=$(echo "$line" | awk -F ':' {'print $1'}) crypttab_entry=$(echo "$line" | awk -F ':' {'print $NF'}) @@ -88,7 +90,7 @@ if [ "$unseal_failed" = "n" ]; then echo "initramfs's $crypttab_file will be overriden with $crypttab_entry" done else - # No crypttab files were found under selected default boot option's initrd file + # No crypttab files were found under /bin/selected default boot option's initrd file crypttab_file="etc/crypttab" mkdir -p "$INITRD_DIR/$(dirname $crypttab_file)" # overwrite crypttab to mirror behavior of seal-key diff --git a/initrd/bin/kexec-iso-init b/initrd/bin/kexec-iso-init index b623dbff6..41a838828 100755 --- a/initrd/bin/kexec-iso-init +++ b/initrd/bin/kexec-iso-init @@ -4,6 +4,8 @@ set -e -o pipefail . /etc/functions . /tmp/config +DEBUG "Under /bin/kexec-iso-init" + MOUNTED_ISO_PATH="$1" ISO_PATH="$2" DEV="$3" diff --git a/initrd/bin/kexec-parse-bls b/initrd/bin/kexec-parse-bls index ee2e08818..8b34d7504 100755 --- a/initrd/bin/kexec-parse-bls +++ b/initrd/bin/kexec-parse-bls @@ -1,5 +1,8 @@ #!/bin/sh set -e -o pipefail + +DEBUG "Under /bin/kexec-parse-bls" + bootdir="$1" file="$2" blsdir="$3" 
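Review bot: The search-and-replace that prefixed `/bin/` to the DEBUG strings also hit a user-facing message and a comment here: `echo "Preparing initramfs crypttab overrides as defined under /bin/$bootdir/kexec_initrd_crypttab_overrides.txt ..."` now prints a path that does not exist (`$bootdir` is already the mount point, and the `[ -r "$bootdir/..." ]` test two lines up reads the real file), and `# kexec-save-default has found crypttab files under /bin/initrd` is wrong in the same way. Both should be reverted to `under $bootdir/...` and `under initrd`. This message tells the user which file is about to be injected into the initramfs, so a wrong path undermines the very audit trail it exists for. The enclosing `if [ "$unseal_failed" = "n" ]` block begins before the hunk.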
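Review bot: Same accidental rewrite in this hunk: `# No crypttab files were found under /bin/selected default boot option's initrd file` should be restored to `under selected default boot option's initrd file`; there is no `/bin/selected`. No code changes in this hunk, only the comment.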
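Review bot: `DEBUG "Under /bin/kexec-parse-bls"` is called at line 4 of a script that runs under `set -e -o pipefail` and, as the hunk starts at line 1 and shows no `. /etc/functions`, never brings `DEBUG` into scope; in busybox sh an undefined function is a command-not-found (status 127), so `-e` aborts the script before `bootdir="$1"` is even read. POSIX sh does not export functions, so unless Heads does something unusual this breaks parsing of BLS boot entries outright. Add `. /etc/functions` before the call, or drop it. If this script's stdout is consumed by the boot-menu parser (its name suggests so; the caller is not in this diff), `DEBUG` must also be confirmed to write to stderr or a file only — its body is outside the hunk.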
diff --git a/initrd/bin/kexec-parse-boot b/initrd/bin/kexec-parse-boot index 7bba7d26c..b44aff129 100755 --- a/initrd/bin/kexec-parse-boot +++ b/initrd/bin/kexec-parse-boot @@ -1,5 +1,8 @@ #!/bin/sh set -e -o pipefail + +DEBUG "Under /bin/kexec-parse-boot" + bootdir="$1" file="$2" diff --git a/initrd/bin/kexec-save-default b/initrd/bin/kexec-save-default index 23ddd46b2..1ba0ebb11 100755 --- a/initrd/bin/kexec-save-default +++ b/initrd/bin/kexec-save-default @@ -4,6 +4,8 @@ set -e -o pipefail . /tmp/config . /etc/functions +DEBUG "Under /bin/kexec-save-default" + while getopts "b:d:p:i:" arg; do case $arg in b) bootdir="$OPTARG" ;; @@ -165,7 +167,7 @@ if [ "$save_key" = "y" ]; then #insert current default boot's initrd crypttab locations into tracking file to be overwritten into initramfs at kexec-inject-key echo "The following OS crypttab file:entry were modified from default boot's initrd:" cat $bootdir/kexec_initrd_crypttab_overrides.txt - echo "Heads added /secret.key in those entries and saved them under $bootdir/kexec_initrd_crypttab_overrides.txt" + echo "Heads added /secret.key in those entries and saved them under /bin/$bootdir/kexec_initrd_crypttab_overrides.txt" echo "Those overrides will be part of detached signed digests and used to prepare cpio injected at kexec of selected default boot entry." else echo "No crypttab file found in extracted initrd. Removing $bootdir/kexec_initrd_crypttab_overrides.txt" diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key index 7000070b6..b7d04a55d 100755 --- a/initrd/bin/kexec-seal-key +++ b/initrd/bin/kexec-seal-key @@ -4,6 +4,8 @@ # It will then need to be bundled into initrd that is booted. set -e -o pipefail +DEBUG "Under /bin/kexec-seal-key" + TPM_INDEX=3 TPM_SIZE=312 KEY_FILE="/tmp/secret/secret.key" diff --git a/initrd/bin/kexec-select-boot b/initrd/bin/kexec-select-boot index 44fee3089..126d695d2 100755 --- a/initrd/bin/kexec-select-boot +++ b/initrd/bin/kexec-select-boot 
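Review bot: As with kexec-parse-bls, the new `DEBUG "Under /bin/kexec-parse-boot"` at line 4 runs under `set -e -o pipefail` with no `. /etc/functions` anywhere above it (the hunk begins at line 1), so the script will exit 127 on the undefined command before parsing `file="$2"`. This is the parser behind every boot option, so the regression would show up as an empty boot menu rather than as a debugging problem. Source `/etc/functions` before the call or remove it; and since the parsed entries are presumably emitted on stdout, confirm `DEBUG` never writes there.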
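Review bot: The message `echo "Heads added /secret.key in those entries and saved them under /bin/$bootdir/kexec_initrd_crypttab_overrides.txt"` reports a non-existent path — `$bootdir` is the mount point and the `cat $bootdir/kexec_initrd_crypttab_overrides.txt` just above reads the real file without any prefix; restore `under $bootdir/kexec_initrd_crypttab_overrides.txt`. The following line says these overrides become part of the detached signed digests, so the user should be pointed at the exact file they are attesting to. The enclosing `if [ "$save_key" = "y" ]` block begins before the hunk.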
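Review bot: The new `DEBUG` call sits above `TPM_INDEX=3` and no `. /etc/functions` is visible in the hunk; lines 1–3 are outside it, but line 4 is the tail of the header comment, so they are almost certainly the shebang and comment lines, which leaves `DEBUG` undefined at this point under `set -e -o pipefail` (exit 127 before any key generation or sealing). Move the call below wherever `/etc/functions` is sourced, or source it first. A trace helper must not be able to alter control flow in the script that produces the disk-encryption key.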
@@ -4,6 +4,8 @@ set -e -o pipefail . /tmp/config . /etc/functions +DEBUG "Under /bin/kexec-select-boot" + add="" remove="" config="*.cfg" diff --git a/initrd/bin/kexec-sign-config b/initrd/bin/kexec-sign-config index 88a74c141..4d4e2855a 100755 --- a/initrd/bin/kexec-sign-config +++ b/initrd/bin/kexec-sign-config @@ -4,6 +4,8 @@ set -e -o pipefail . /tmp/config . /etc/functions +DEBUG "Under /bin/kexec-sign-config" + rollback="n" update="n" while getopts "p:c:ur" arg; do diff --git a/initrd/bin/kexec-unseal-key b/initrd/bin/kexec-unseal-key index e016f5bdc..b639faa27 100755 --- a/initrd/bin/kexec-unseal-key +++ b/initrd/bin/kexec-unseal-key @@ -4,6 +4,8 @@ # It will then need to be bundled into initrd that is booted with Qubes. set -e -o pipefail +DEBUG "Under /bin/kexec-unseal-key" + TPM_INDEX=3 TPM_SIZE=312 diff --git a/initrd/bin/key-init b/initrd/bin/key-init index bb4c1b5c9..bbc3f47b1 100755 --- a/initrd/bin/key-init +++ b/initrd/bin/key-init @@ -2,6 +2,8 @@ set -e -o pipefail . /etc/functions +DEBUG "Under /bin/key-init" + # Post processing of keys # Import user's keys diff --git a/initrd/bin/media-scan b/initrd/bin/media-scan index 9cea4feac..d49f77911 100755 --- a/initrd/bin/media-scan +++ b/initrd/bin/media-scan @@ -5,6 +5,8 @@ set -e -o pipefail . /etc/gui_functions . /tmp/config +DEBUG "Under /bin/media-scan" + # Unmount any previous boot device if grep -q /boot /proc/mounts ; then umount /boot \ diff --git a/initrd/bin/mount-usb b/initrd/bin/mount-usb index 570336a9a..d6fb79381 100755 --- a/initrd/bin/mount-usb +++ b/initrd/bin/mount-usb @@ -2,6 +2,8 @@ # Mount a USB device . /etc/functions +DEBUG "Under /bin/mount-usb" + enable_usb if ! lsmod | grep -q usb_storage; then diff --git a/initrd/bin/network-init-recovery b/initrd/bin/network-init-recovery index a0fdba2d4..0f97d7a05 100755 --- a/initrd/bin/network-init-recovery +++ b/initrd/bin/network-init-recovery 
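Review bot: Same pattern as kexec-seal-key: `DEBUG "Under /bin/kexec-unseal-key"` runs before `TPM_INDEX=3` in a file whose hunk shows only comment lines and `set -e -o pipefail` above it; if `/etc/functions` is sourced further down (not visible here), the call fails as command-not-found and `-e` aborts the unseal, which kexec-insert-key's `unseal_failed` path in this same diff would then report as a TPM/sealing problem rather than a missing shell function. Either source `/etc/functions` before the call or drop it. The rest of the script is outside the hunk.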
@@ -2,6 +2,8 @@ . /etc/functions +DEBUG "Under /bin/network-init-recovery" + # bring up the ethernet; maybe should do DHCP? ifconfig lo 127.0.0.1 diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index 5d18b2075..e9328cdc2 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -1,6 +1,8 @@ #!/bin/sh # Automated setup of TPM, GPG keys, and disk +DEBUG "Under /bin/oem-factory-reset" + set -o pipefail # use TERM to exit on error diff --git a/initrd/bin/oem-system-info-xx30 b/initrd/bin/oem-system-info-xx30 index 158df9ffe..ab735da44 100755 --- a/initrd/bin/oem-system-info-xx30 +++ b/initrd/bin/oem-system-info-xx30 @@ -9,6 +9,8 @@ export BG_COLOR_MAIN_MENU="" . /etc/luks-functions . /tmp/config +DEBUG "Under /bin/oem-system-info-xx30" + battery_charge="$(print_battery_charge)" battery_health="$(print_battery_health)" if [ -n $battery_charge -a -n $battery_health ];then diff --git a/initrd/bin/poweroff b/initrd/bin/poweroff index f7a0b1234..9a1fca402 100755 --- a/initrd/bin/poweroff +++ b/initrd/bin/poweroff @@ -1,4 +1,7 @@ #!/bin/sh +. /etc/functions + +DEBUG "Under /bin/generic-init:mount_boot" # Sync all mounted filesystems echo s > /proc/sysrq-trigger diff --git a/initrd/bin/qubes-measure-luks b/initrd/bin/qubes-measure-luks index ddf39ef3e..5469ba5a1 100755 --- a/initrd/bin/qubes-measure-luks +++ b/initrd/bin/qubes-measure-luks @@ -2,6 +2,8 @@ # Measure all of the luks disk encryption headers into # a PCR so that we can detect disk swap attacks. +DEBUG "Under /bin/qubes-measure-luks" + die() { echo >&2 "$@"; exit 1; } # Measure the luks headers into PCR 6 diff --git a/initrd/bin/reboot b/initrd/bin/reboot index aab0fd7db..0e11b9212 100755 --- a/initrd/bin/reboot +++ b/initrd/bin/reboot @@ -1,4 +1,7 @@ #!/bin/sh +. /etc/functions + +DEBUG "Under /bin/reboot" # Sync all mounted filesystems echo s > /proc/sysrq-trigger diff --git a/initrd/bin/seal-hotpkey b/initrd/bin/seal-hotpkey index 70b0e933f..2b840ffe1 100755 
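Review bot: In oem-factory-reset the new `DEBUG` call is at line 4, before `set -o pipefail` and before anything in the hunk sources `/etc/functions`; lines 1–2 are the shebang and a comment, so the function is undefined here and every run starts with a `DEBUG: not found` on stderr. There is no `set -e` in view so the reset continues, but it is still a stray error on the first screen of a provisioning flow. Move the call below the script's `. /etc/functions` line (outside the hunk) or remove it.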
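Review bot: The trace line added to `poweroff` is a copy-paste: `DEBUG "Under /bin/generic-init:mount_boot"` should be `DEBUG "Under /bin/poweroff"`, mirroring the sibling `reboot` hunk. Sourcing `/etc/functions` here is also new for this script; confirm nothing in that file runs at source time that matters on the power-off path, since the very next lines start syncing filesystems via `/proc/sysrq-trigger`.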
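Review bot: qubes-measure-luks defines its own `die()` and does not source `/etc/functions` (the hunk shows lines 2–5; line 1 is the shebang), so `DEBUG "Under /bin/qubes-measure-luks"` is an undefined command and prints `DEBUG: not found` on every run. No `set -e` is in view, so the LUKS header measurement into the PCR still proceeds, but a script that extends a PCR is a poor place for a stray error that is easy to mistake for a measurement failure. Prefix the call with `. /etc/functions` or drop it.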
--- a/initrd/bin/seal-hotpkey
+++ b/initrd/bin/seal-hotpkey
@@ -10,6 +10,7 @@ HOTP_KEY="/boot/kexec_hotp_key"
mount_boot()
{
+ DEBUG "Under /bin/seal-htopkey:mount_boot"
# Mount local disk if it is not already mounted
if ! grep -q /boot /proc/mounts ; then
mount -o ro /boot \
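Review bot: Typo in the trace string: `DEBUG "Under /bin/seal-htopkey:mount_boot"` should be `DEBUG "Under /bin/seal-hotpkey:mount_boot"`; a grep of the debug log for this script's name would miss it. The rest of `mount_boot` is outside the hunk.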
@@ -17,105 +18,109 @@ mount_boot()
fi
}
-# Use stored HOTP key branding (this might be useful after OEM reset)
-if [ -r /boot/kexec_hotp_key ]; then
- HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)"
-else
- HOTPKEY_BRANDING="HOTP USB Security Dongle"
+DEBUG "Under /bin/seal-hotpkey"
+
+if [ -x /bin/hotp_verification ]; then
+ # Use stored HOTP key branding (this might be useful after OEM reset)
+ if [ -r /boot/kexec_hotp_key ]; then
+ HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)"
+ else
+ HOTPKEY_BRANDING="HOTP USB Security Dongle"
+ fi
+
+ tpm nv_readvalue \
+ -in 4d47 \
+ -sz 312 \
+ -of "$HOTP_SEALED" \
+ || die "Unable to retrieve sealed file from TPM NV"
+
+ tpm unsealfile \
+ -hk 40000000 \
+ -if "$HOTP_SEALED" \
+ -of "$HOTP_SECRET" \
+ || die "Unable to unseal HOTP secret"
+
+ shred -n 10 -z -u "$HOTP_SEALED" 2> /dev/null
+
+ # Store counter in file instead of TPM for now, as it conflicts with Heads
+ # config TPM counter as TPM 1.2 can only increment one counter between reboots
+ # get current value of HOTP counter in TPM, create if absent
+ mount_boot
+
+ #check_tpm_counter $HOTP_COUNTER hotp \
+ #|| die "Unable to find/create TPM counter"
+ #counter="$TPM_COUNTER"
+ #
+ #counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")')
+ #if [ "$counter_value" == "" ]; then
+ # die "Unable to read HOTP counter"
+ #fi
+
+ #counter_value=$(printf "%d" 0x${counter_value})
+
+ counter_value=1
+
+ enable_usb
+ if ! hotp_verification info ; then
+ echo "Insert your $HOTPKEY_BRANDING and press Enter to configure it"
+ read
+ if ! 
hotp_verification info ; then
+ # don't leak key on failure
+ shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
+ die "Unable to find $HOTPKEY_BRANDING"
+ fi
+ fi
+
+ # Set HOTP USB Security Dongle branding based on VID
+ if lsusb | grep -q "20a0:" ; then
+ HOTPKEY_BRANDING="Nitrokey"
+ elif lsusb | grep -q "316d:" ; then
+ HOTPKEY_BRANDING="Librem Key"
+ else
+ HOTPKEY_BRANDING="HOTP USB Security Dongle"
+ fi
+
+ echo -e ""
+ read -s -p "Enter your $HOTPKEY_BRANDING Admin PIN: " admin_pin
+ echo -e "\n"
+
+ hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING"
+ if [ $? -ne 0 ]; then
+ echo -e "\n"
+ read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again: " admin_pin
+ echo -e "\n"
+ if ! hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" ; then
+ # don't leak key on failure
+ shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
+ die "Setting HOTP secret failed"
+ fi
+ fi
+
+ # HOTP key no longer needed
+ shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
+
+ # Make sure our counter is incremented ahead of the next check
+ #increment_tpm_counter $counter > /dev/null \
+ #|| die "Unable to increment tpm counter"
+ #increment_tpm_counter $counter > /dev/null \
+ #|| die "Unable to increment tpm counter"
+
+ mount -o remount,rw /boot
+
+ counter_value=`expr $counter_value + 1`
+ echo $counter_value > $HOTP_COUNTER \
+ || die "Unable to create hotp counter file"
+
+ # Store/overwrite HOTP USB Security Dongle branding found out beforehand
+ echo $HOTPKEY_BRANDING > $HOTP_KEY \
+ || die "Unable to store hotp key file"
+
+ #sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
+ #|| die "Unable to create hotp counter file"
+ mount -o remount,ro /boot
+
+ echo -e "\n$HOTPKEY_BRANDING initialized successfully. Press Enter to continue." 
+ read
fi
-tpm nv_readvalue \
- -in 4d47 \
- -sz 312 \
- -of "$HOTP_SEALED" \
-|| die "Unable to retrieve sealed file from TPM NV"
-
-tpm unsealfile \
- -hk 40000000 \
- -if "$HOTP_SEALED" \
- -of "$HOTP_SECRET" \
-|| die "Unable to unseal HOTP secret"
-
-shred -n 10 -z -u "$HOTP_SEALED" 2> /dev/null
-
-# Store counter in file instead of TPM for now, as it conflicts with Heads
-# config TPM counter as TPM 1.2 can only increment one counter between reboots
-# get current value of HOTP counter in TPM, create if absent
-mount_boot
-
-#check_tpm_counter $HOTP_COUNTER hotp \
-#|| die "Unable to find/create TPM counter"
-#counter="$TPM_COUNTER"
-#
-#counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")')
-#if [ "$counter_value" == "" ]; then
-# die "Unable to read HOTP counter"
-#fi
-
-#counter_value=$(printf "%d" 0x${counter_value})
-
-counter_value=1
-
-enable_usb
-if ! hotp_verification info ; then
- echo "Insert your $HOTPKEY_BRANDING and press Enter to configure it"
- read
- if ! hotp_verification info ; then
- # don't leak key on failure
- shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
- die "Unable to find $HOTPKEY_BRANDING"
- fi
-fi
-
-# Set HOTP USB Security Dongle branding based on VID
-if lsusb | grep -q "20a0:" ; then
- HOTPKEY_BRANDING="Nitrokey"
-elif lsusb | grep -q "316d:" ; then
- HOTPKEY_BRANDING="Librem Key"
-else
- HOTPKEY_BRANDING="HOTP USB Security Dongle"
-fi
-
-echo -e ""
-read -s -p "Enter your $HOTPKEY_BRANDING Admin PIN: " admin_pin
-echo -e "\n"
-
-hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING"
-if [ $? -ne 0 ]; then
- echo -e "\n"
- read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again: " admin_pin
- echo -e "\n"
- if ! 
hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" ; then
- # don't leak key on failure
- shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
- die "Setting HOTP secret failed"
- fi
-fi
-
-# HOTP key no longer needed
-shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
-
-# Make sure our counter is incremented ahead of the next check
-#increment_tpm_counter $counter > /dev/null \
-#|| die "Unable to increment tpm counter"
-#increment_tpm_counter $counter > /dev/null \
-#|| die "Unable to increment tpm counter"
-
-mount -o remount,rw /boot
-
-counter_value=`expr $counter_value + 1`
-echo $counter_value > $HOTP_COUNTER \
-|| die "Unable to create hotp counter file"
-
-# Store/overwrite HOTP USB Security Dongle branding found out beforehand
-echo $HOTPKEY_BRANDING > $HOTP_KEY \
-|| die "Unable to store hotp key file"
-
-#sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
-#|| die "Unable to create hotp counter file"
-mount -o remount,ro /boot
-
-echo -e "\n$HOTPKEY_BRANDING initialized successfully. Press Enter to continue."
-read
-
exit 0
diff --git a/initrd/bin/seal-totp b/initrd/bin/seal-totp
index 22005c894..498758961 100755
--- a/initrd/bin/seal-totp
+++ b/initrd/bin/seal-totp
@@ -7,6 +7,8 @@
. /etc/functions
+DEBUG "Under /bin/seal-totp"
+
TPM_NVRAM_SPACE=4d47
HOST="$1"
diff --git a/initrd/bin/unseal-hotp b/initrd/bin/unseal-hotp
index 0fc3fb28e..99f130675 100755
--- a/initrd/bin/unseal-hotp
+++ b/initrd/bin/unseal-hotp
@@ -9,6 +9,7 @@ HOTP_COUNTER="/boot/kexec_hotp_counter"
mount_boot_or_die()
{
+ DEBUG "Under /bin/unseal-hotp:mount_boot_or_die"
# Mount local disk if it is not already mounted
if ! grep -q /boot /proc/mounts ; then
mount -o ro /boot \
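Review bot: Wrapping the whole body in `if [ -x /bin/hotp_verification ]; then ... fi` means that when the binary is absent the script does nothing, prints nothing and still reaches `exit 0`, so any caller that checks the exit status will believe a fresh HOTP secret was provisioned onto the dongle. gui-init's `generate_totp_htop` (in this diff) tests for the binary before calling, but other callers are not visible here and the script should not report success for work it skipped. Add a branch that fails loudly — `else die "hotp_verification not available, HOTP secret not provisioned"` — or at least print a warning and return non-zero. The `fi` closing this block and the final `exit 0` are at the end of the hunk.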
@@ -16,58 +17,62 @@ mount_boot_or_die()
fi
}
-# Store counter in file instead of TPM for now, as it conflicts with Heads
-# config TPM counter as TPM 1.2 can only increment one counter between reboots
-# get current value of HOTP counter in TPM, create if absent
-mount_boot_or_die
+DEBUG "Under /bin/unseal-hotp"
-#check_tpm_counter $HOTP_COUNTER hotp \
-#|| die "Unable to find/create TPM counter"
-#counter="$TPM_COUNTER"
-#
-#counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")')
-#
+if [ -x /bin/hotp_verification ]; then
+ # Store counter in file instead of TPM for now, as it conflicts with Heads
+ # config TPM counter as TPM 1.2 can only increment one counter between reboots
+ # get current value of HOTP counter in TPM, create if absent
+ mount_boot_or_die
-counter_value=$(cat $HOTP_COUNTER)
+ #check_tpm_counter $HOTP_COUNTER hotp \
+ #|| die "Unable to find/create TPM counter"
+ #counter="$TPM_COUNTER"
+ #
+ #counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")')
+ #
-if [ "$counter_value" == "" ]; then
- die "Unable to read HOTP counter"
-fi
+ counter_value=$(cat $HOTP_COUNTER)
-#counter_value=$(printf "%d" 0x${counter_value})
+ if [ "$counter_value" == "" ]; then
+ die "Unable to read HOTP counter"
+ fi
-tpm nv_readvalue \
- -in 4d47 \
- -sz 312 \
- -of "$HOTP_SEALED" \
-|| die "Unable to retrieve sealed file from TPM NV"
+ #counter_value=$(printf "%d" 0x${counter_value})
-tpm unsealfile \
- -hk 40000000 \
- -if "$HOTP_SEALED" \
- -of "$HOTP_SECRET" \
-|| die "Unable to unseal HOTP secret"
+ tpm nv_readvalue \
+ -in 4d47 \
+ -sz 312 \
+ -of "$HOTP_SEALED" \
+ || die "Unable to retrieve sealed file from TPM NV"
-shred -n 10 -z -u "$HOTP_SEALED" 2> /dev/null
+ tpm unsealfile \
+ -hk 40000000 \
+ -if "$HOTP_SEALED" \
+ -of "$HOTP_SECRET" \
+ || die "Unable to unseal HOTP secret"
-if ! 
hotp $counter_value < "$HOTP_SECRET"; then
- shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
- die 'Unable to compute HOTP hash?'
-fi
+ shred -n 10 -z -u "$HOTP_SEALED" 2> /dev/null
-shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
+ if ! hotp $counter_value < "$HOTP_SECRET"; then
+ shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
+ die 'Unable to compute HOTP hash?'
+ fi
+
+ shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
-#increment_tpm_counter $counter > /dev/null \
-#|| die "Unable to increment tpm counter"
+ #increment_tpm_counter $counter > /dev/null \
+ #|| die "Unable to increment tpm counter"
-mount -o remount,rw /boot
+ mount -o remount,rw /boot
-counter_value=`expr $counter_value + 1`
-echo $counter_value > $HOTP_COUNTER \
-|| die "Unable to create hotp counter file"
+ counter_value=`expr $counter_value + 1`
+ echo $counter_value > $HOTP_COUNTER \
+ || die "Unable to create hotp counter file"
-#sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
-#|| die "Unable to create hotp counter file"
-mount -o remount,ro /boot
+ #sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
+ #|| die "Unable to create hotp counter file"
+ mount -o remount,ro /boot
+fi
exit 0
diff --git a/initrd/bin/unseal-totp b/initrd/bin/unseal-totp
index c9c339b13..47fdeef75 100755
--- a/initrd/bin/unseal-totp
+++ b/initrd/bin/unseal-totp
@@ -6,6 +6,8 @@
TOTP_SEALED="/tmp/secret/totp.sealed"
TOTP_SECRET="/tmp/secret/totp.key"
+DEBUG "Under /bin/unseal-totp"
+
tpm nv_readvalue \
-in 4d47 \
-sz 312 \
diff --git a/initrd/bin/usb-init b/initrd/bin/usb-init
index bc0abaf49..6cb783386 100755
--- a/initrd/bin/usb-init
+++ b/initrd/bin/usb-init
@@ -4,6 +4,8 @@
. /etc/functions
. /tmp/config
+DEBUG "Under /bin/usb-init"
+
if [ "$CONFIG_TPM" = "y" ]; then
# Extend PCR4 as soon as possible
tpm extend -ix 4 -ic usb
diff --git a/initrd/bin/wget-measure.sh b/initrd/bin/wget-measure.sh
index a18b28e78..ac0f2605e 100755
--- a/initrd/bin/wget-measure.sh
+++ b/initrd/bin/wget-measure.sh
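Review bot: This script's stdout is the HOTP code itself — gui-init captures it with ``HOTP=`unseal-hotp` `` in the `update_hotp` hunk of this same diff — so two aspects of the restructure matter. First, when `/bin/hotp_verification` is missing the script now emits nothing and exits 0, handing the caller an empty HOTP with a success status; an `else die "hotp_verification not available"` branch would make that distinguishable from a real code. Second, the new `DEBUG "Under /bin/unseal-hotp"` runs before the code is printed, and `DEBUG`'s body is outside this diff: if it writes to stdout the captured value becomes the trace line plus the code and every HOTP comparison fails, so confirm it writes only to stderr or a log file (the same concern applies to unseal-totp).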
@@ -1,7 +1,10 @@
#!/bin/sh
# get a file and extend a TPM PCR
+DEBUG "Under /bin/wget-measure.sh"
+
die() {
+ DEBUG "Under /bin/wget-measure.sh:die"
echo >&2 "$@"
exit 1
}
diff --git a/initrd/bin/x230-flash.init b/initrd/bin/x230-flash.init
index 0ba456f79..4d8ed84c3 100755
--- a/initrd/bin/x230-flash.init
+++ b/initrd/bin/x230-flash.init
@@ -5,6 +5,8 @@
. /etc/functions
. /tmp/config
+DEBUG "Under /bin/x230-flash.init"
+
insmod /lib/modules/ehci-hcd.ko
insmod /lib/modules/ehci-pci.ko
insmod /lib/modules/xhci-hcd.ko
diff --git a/initrd/etc/functions b/initrd/etc/functions
index 7cbc512f4..27781fc3a 100755
--- a/initrd/etc/functions
+++ b/initrd/etc/functions
@@ -20,7 +20,7 @@ DEBUG() {
recovery() {
- DEBUG "under functions:recovery"
+ DEBUG "Under /etc/functions:recovery"
echo >&2 "!!!!! $*"
# Remove any temporary secret files that might be hanging around
@@ -52,7 +52,7 @@ recovery() {
}
pause_recovery() {
- DEBUG "under functions:pause_recovery"
+ DEBUG "Under /etc/functions:pause_recovery"
read -p 'Hit enter to proceed to recovery shell:'
recovery $*
}
@@ -63,7 +63,7 @@ pcrs() {
confirm_totp()
{
- DEBUG "under functions:confirm_totp"
+ DEBUG "Under /etc/functions:confirm_totp"
prompt="$1"
last_half=X
unset totp_confirm
@@ -103,7 +103,7 @@ confirm_totp()
enable_usb()
{
- DEBUG "under functions:enable_usb"
+ DEBUG "Under /etc/functions:enable_usb"
#insmod ehci_hcd prior of uhdc_hcd and ohci_hcd to suppress dmesg warning
if ! lsmod | grep -q ehci_hcd; then
insmod /lib/modules/ehci-hcd.ko \
@@ -148,7 +148,7 @@ enable_usb()
list_usb_storage()
{
- DEBUG "under functions:list_usb_storage"
+ DEBUG "Under /etc/functions:list_usb_storage"
stat -c %N /sys/block/sd* 2>/dev/null | grep usb | cut -f1 -d ' ' | sed "s/[']//g" |
@@ -188,7 +188,7 @@ list_usb_storage()
confirm_gpg_card()
{
- DEBUG "under functions:confirm_gpg_card"
+ DEBUG "Under /etc/functions:confirm_gpg_card"
read \
-n 1 \
-p "Please confirm that your GPG card is inserted [Y/n]: " \
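Review bot: `DEBUG` is undefined in wget-measure.sh: the hunk begins at line 1 and nothing sources `/etc/functions` before the new top-level call or before `die()` is declared, so both trace lines will produce `DEBUG: not found`. The top-level one fires on every download; the one inside `die()` fires only on the error path, exactly where extra noise is most likely to bury the real message. Add `. /etc/functions` after the shebang, or remove both calls.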
@@ -232,7 +232,7 @@ confirm_gpg_card() check_tpm_counter() { - DEBUG "under functions:check_tpm_counter" + DEBUG "Under /etc/functions:check_tpm_counter" LABEL=${2:-3135106223} # if the /boot.hashes file already exists, read the TPM counter ID # from it. @@ -258,21 +258,21 @@ check_tpm_counter() read_tpm_counter() { - DEBUG "under functions:read_tpm_counter" + DEBUG "Under /etc/functions:read_tpm_counter" tpm counter_read -ix "$1" | tee "/tmp/counter-$1" \ || die "Counter read failed" } increment_tpm_counter() { - DEBUG "under functions:increment_tpm_counter" + DEBUG "Under /etc/functions:increment_tpm_counter" tpm counter_increment -ix "$1" -pwdc '' \ | tee /tmp/counter-$1 \ || die "Counter increment failed" } check_config() { - DEBUG "under functions:check_config" + DEBUG "Under /etc/functions:check_config" if [ ! -d /tmp/kexec ]; then mkdir /tmp/kexec \ || die 'Failed to make kexec tmp dir' @@ -301,7 +301,7 @@ check_config() { } preserve_rom() { - DEBUG "under functions:preserve_rom" + DEBUG "Under /etc/functions:preserve_rom" new_rom="$1" old_files=`cbfs -t 50 -l 2>/dev/null | grep "^heads/"` @@ -317,7 +317,7 @@ preserve_rom() { done } replace_config() { - DEBUG "under functions:replace_config" + DEBUG "Under /etc/functions:replace_config" CONFIG_FILE=$1 CONFIG_OPTION=$2 NEW_SETTING=$3 @@ -333,13 +333,13 @@ replace_config() { rm -f ${CONFIG_FILE}.tmp } combine_configs() { - DEBUG "under functions:combine_configs" + DEBUG "Under /etc/functions:combine_configs" cat /etc/config* > /tmp/config } update_checksums() { - DEBUG "under functions:update_checksums" + DEBUG "Under /etc/functions:update_checksums" # ensure /boot mounted if ! grep -q /boot /proc/mounts ; then mount -o ro /boot \ @@ -367,7 +367,7 @@ update_checksums() } print_tree() { - DEBUG "under functions:print_tree" + DEBUG "Under /etc/functions:print_tree" find ./ ! -path './kexec*' -print0 | sort -z } 
@@ -435,7 +435,7 @@ escape_zero() { # due to https://bugs.busybox.net/show_bug.cgi?id=14226. Also, certain characters # may be intepreted by `whiptail`, `less` et al (e.g. \n, \b, ...). assert_signable() { - DEBUG "under functions:assert_signable" + DEBUG "Under /etc/functions:assert_signable" # ensure /boot mounted if ! grep -q /boot /proc/mounts ; then mount -o ro /boot || die "Unable to mount /boot" @@ -455,7 +455,7 @@ assert_signable() { verify_checksums() { - DEBUG "under functions:verify_checksums" + DEBUG "Under /etc/functions:verify_checksums" local boot_dir="$1" local gui="${2:-y}" @@ -489,7 +489,7 @@ verify_checksums() # mount /boot if successful detect_boot_device() { - DEBUG "under functions:detect_boot_device" + DEBUG "Under /etc/functions:detect_boot_device" # unmount /boot to be safe cd / && umount /boot 2>/dev/null