TESTING NEEDED: STAGING PR (quiet mode + diceware + nk3 fixes) #1875
Default boot @wessel-novacustom : additional quiet iterations are harder and harder. 2024-12-10_19-53-39.mp4 |
This is a great improvement! Strings that should be muted as well from my point of view are: From ***** Normat boot ... I can imagine that trying to mute those strings is hard since it's part of the HOT code verification application? If it's not hard to mute, please mute for Quiet Mode. Otherwise, it's OK to leave those strings as they are. I think the following strings should be muted:
So here are the demos from 65d6fc4 with qemu fbwhiptail tpm2 hotp prod quiet:
- Firmware upgrade simulation (or tampering if not user initiated!)(injecting pubkey from command line in firmware image generates the tampering simulation) in quiet mode. Since TPM Disk Unlock Key was sealed before, it is renewed as part of the resealing of secrets and /boot is asked to be renewed: 2024-12-18_16-50-24.mp4
- Default boot, with TPM Disk Unlock Key: 2024-12-18_16-55-42.mp4
- OEM Factory reset mode initiated by early 'o' keypress, generating one shared secret for all provisioned components: 2024-12-18_17-04-37.mp4
I'll first be able to test in January.
…On 18 December 2024 22:19:10 UTC, Thierry Laurion ***@***.***> wrote:
Latest demos for Request For Comment (RFC) at #1875 (comment)
**This changes massively the User eXperience and is an important change for feedback and testing**
know board owners, testing would be better, but commenting on the demo videos would be as much appreciated (tested in qemu and nv41 on my side for both tpm1 and tpm2, with total honesty of it all being more tested under tpm2 boards though)
@natterangell @alexmaloteaux @akfhasodh @doob85 @srgrint @Thrilleratplay @nestire @lsafd @bwachter @shamen123 @eganonoa @nitrosimon @jans23 @icequbes1 @weyounsix @zifxify @jnscmns @computer-user123 @tlaurion @osresearch @merge @MrChromebox @n4ru @Tonux599 @househead @pcm720 @fhvyhjriur @3hhh @ThePlexus @akunterkontrolle @rbreslow @ResendeGHF @gaspar-ilom @JonathonHall-Purism @daringer @arhabd @d-wid
---
Summary:
Staging PR including diceware automatic passphrase generation for early 'o' OEM factory reset mode, quiet mode and hotp-verification changes so that secrets app PIN is finally setup per oem-factory-reset prior of use, info output consistent so nk3 is no regression compared to <nk3 security dongles under Heads use case for remote attestation.
This pull request introduces a new configuration option to enable quiet mode across various board configuration files. The quiet mode ensures that technical information is logged under `/tmp/debug.log` instead of being displayed.
Details:
- early 'o' launches oem-factory-reset in oem mode (menu option could be split into User Re-Ownership doing individual secret provisioning). Here oem mode randomizes one single diceware passphrase for all secrets: TPM Owner/GPG Admin/GPG User/Secrets app PIN(nk3).
- Quiet mode enabled on all boards per 65d6fc4 (Q: do we want this to be the default?)
- nk3 hotp-verification changes bettering info output (number of retries before locking on GPG Admin/User PIN/Secrets app PIN (nk3 only))
- oem-factory-reset sets a Secret App PINs on oem-factory-reset (master doesn't and silently sets the first PIN typed after end user received his dongle when HOTP sealing of remote attestation challenge ([nk3 firmware < 1.7.1 neglected PINs entirely and relied only on physical presence](https://www.nitrokey.com/blog/2024/heads-v25-and-nitrokey-3-firmware-v171-security-update). This brings nk3 par with nk2 and permit users to reset Secret app as per re-ownership
- Configuration Settings -> Enable quiet mode disables DEBUG/TRACE mode and vice versa
- Quiet mode activated in board config (like here) silences all technical unnecessary verbiage and outputs it through LOG call under /tmp/debug.log
- Some important bugfixes related to primary handle hash for TPM2
- some indentation fix (I stopped fighting with code changes and rely to formatting of IDE which is with TAB for files I review for now on)
- Some literals changed and unified I came across on reviewing code
RFC and testing required!
- Do we want Quiet mode to become the default?
- Do we want oem-factory-mode (activated here solely by 'o' early on boot around Heads asciiart showed) to generate unique secrets for all GPG Admin/User PINs/TPM Owner/Secrets App?
This is staging of #1822 and #1850 with fixes picked up after hotp-verification version bump 1.7, next fixes coming as PR from Nitrokey under Heads for review from this moment on.
-- Commit Summary --
* qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet board: addition of board containing 'export CONFIG_QUIET_MODE=y' for output comparison between debug, prod and quiet mode
* initrd bin/* sbin/insmod + /etc/ash_functions: TPM extend operations now all passed to LOG (quiet mode doesn't show them and logs them to /tmp/debug.log)
* init: suppress /etc/config.user not existing on grep calls
* init: inform user that running in quiet mode, tell user that technical information can be seen running 'cat /tmp/debug.log' from Recovery Shell
* codebase: silence dd output while capturing output in variables when needed
* initrd/bin/tmpr: silence tpm reset console output, LOG instead
* initrd/etc/ash_functions: add GPG Admin/User PIN output grabbing on confirm_gpg_card presence call, echo for now, warn to input GPG User PIN when asked to unlock GPG card
* diceware: add short list v2, requiring 4 dices and providing longer words then short list v1 for easier to remember passphrases
* initrd/etc/functions: add generate_passphrase logic
* WiP initrd/bin/oem-factory-reset: format unification
* WiP initrd/bin/oem-factory-reset: add --mode (oem/user) skeleton
* /etc/functions:: reuse detect_boot_device instead of trying only to mount /etc/fstab existing /boot partition (otherwise early 'o' to enter oem mode of oem-factory-reset
* WiP initrd/bin/oem-factory-reset: add qrcode+secet output loop until user press y (end of reownership wizard secret output)
* WiP: bump to hotp-verification version supporting reset of secret app
* WiP: add nk3 secret app reset function and call it following security dongle reset logic
* modules/hotp-verification: revert to 1.6, add patches tested instead
* oem-factory-reset: add reset secure app PIN = ADMIN_PIN at reownership, make sure defaults are set for all modes, including default which uses current defaults being DEF pins (12345678 and 123456 as master)
* modules/hotp-verification: 1.6, removing patch pr43, only keeping 46 for this PR (43 conflicts when applied atop 46. 46 is needed here)
* oem-factory-reset: don't set user re-ownership by default for now: use current defaults being DEF pins (12345678 and 123456 as master)
* oem-factory-reset: if nk3, also display Secure App PIN = GPG Admin PIN as text and in Qr code
* oem-factory-reset: fix Secure App wording, prevent word globbing, warn that physical presence is needed
* oem-factory-reset: set title_text accordingly to mode, either 'OEM Factory Reset Mode', 'Re-Ownership Mode' or 'OEM Factory Reset / Re-Ownership'
* oem-factory-reset: reset nk3 secure app PIN early since we need physical presence, put nk3 secure APP PIN after TPM but before GPG PINS in output for consistency
* kexec-sign-config: mount rw, write things to /boot, mount ro after
* WiP seal-hotp: customize message to be GPG Admin PIN or Secure App PIN
* hotp-verification patches: Use Nitrokey/nitrokey-hotp-verification#43 instead of Nitrokey/nitrokey-hotp-verification#46 for hotp-verification info parsing and validation of oem-factory-reset and seal-hotp
* oem-factory-reset+seal-hotp nk3 hotp-verification info adaptations
* hotp-verification: removed patches/hotp-verification-e9050e0c914e7a8ffef5d1c82a014e0e2bf79346 directory: waiting for Nitrokey/nitrokey-hotp-verification#43 and Nitrokey/nitrokey-hotp-verification#46 to be merged to change modules/hotp-verification commit
* functions: Fix spelling of 'dictionaries'
* functions: Simplify dictionary word selection
* oem-factory-reset: Stop adding leading blank lines in 'passphrases' msg
* patches/hotp-verification-*/46.patch : readd Nitrokey/nitrokey-hotp-verification#46 so that this PR can be tested and reviewed from OEM Factory Reset/User Re-Ownership perspective
* Merge remote-tracking branch 'tlaurion-github/generate_passphrase-reownership_qr_code' into introduce_quiet_mode-diceware_STAGING
* WiP: staging changes including #1850 Nitrokey/nitrokey-hotp-verification#43 and Nitrokey/nitrokey-hotp-verification#46
* WiP: staging changes (TPM1 regression fixes for LOG/DEBUG on quiet mode)
* WiP: staging changes
* Bump hotp-verification to version 1.7, remove patches: contains info fixes and reset fixes so that oem-factory-reset can reset secrets app PIN
* WiP: staging changes
* Turn some info on default boot into LOGged info, LOG might go out forever if not pertinent to most?
* WiP: staging changes, no more tpm output. Next warn /boot changed because htop counter and primary handle until removed outside of this PR
* WiP: staging changes, warn loud and clear of weak security posture by using weak OEM defaults provisioned secrets
* WiP: staging changes, refusing to fight against tools helping me, formatting changed. sign after tpm-reset now to work around primary handle issue.
* hot-verification: bump to 1.7+ unrelease patchset Nitrokey/nitrokey-hotp-verification#51
* config-gui.sh: Add quiet mode toggle, which turns off debug+tracing if enabled, and where enabling debug+tracing disables Quiet mode
* Deprecate ash in favor of bash shell; /etc/ash_functions: move /etc/ash_functions under /etc/functions, replace TRACE calls by TRACE_FUNC, remove xx30-flash.init
* init+cbfs-init: refactor and explain why quiet mode cannot suppress measurements of cbfs-init extracted+measured TPM stuff if not in board config
* DEBUG: inform that output will be both in dmesg and on console from where that measure is enforced in code
* init: some more comments in code per review
* seal-totp: contextualize qr code output for manual input of those without qr scanner app in mobile phone
* kexec-select-boot+kexec-save-default: Quiet mode; remove last rollback counters printed to console
* init: Quiet mode enablement output string modified; tell users having enabled it through Configuration Settings that earlier suppression requires enabling through board config
* novacustom_nv4x_adl/novacustom_nv4x_adl.config : add quiet mode for real hardware recording in PR, will comment and generalize in next commit to all maintained boards, leaving this to be overriden by branding downstream for downstream releases exercice and choice
* TPM2 primary handle debugging once more. Can't wait we get rid of this...
* kexec-save-default kexec-select-boot: fix primary handle once more. Can't wait we get rid of this... file must exist and not be empty, and hash output to console must not be silenced
* novacustom-nv4x board config: revert quiet mode enablement
* TO REVERT BEFORE MERGE: enable quiet mode in all boards and revert for qemu so only prod_quiet boards have quiet upon revert
-- File Changes --
M boards/UNMAINTAINED_kgpe-d16_server-whiptail/UNMAINTAINED_kgpe-d16_server-whiptail.config (2)
M boards/UNMAINTAINED_kgpe-d16_workstation-usb_keyboard/UNMAINTAINED_kgpe-d16_workstation-usb_keyboard.config (2)
M boards/UNMAINTAINED_kgpe-d16_workstation/UNMAINTAINED_kgpe-d16_workstation.config (2)
M boards/UNTESTED_t440p-maximized/UNTESTED_t440p-maximized.config (2)
M boards/UNTESTED_w541-maximized/UNTESTED_w541-maximized.config (2)
M boards/librem_11/librem_11.config (2)
M boards/librem_13v2/librem_13v2.config (2)
M boards/librem_13v4/librem_13v4.config (2)
M boards/librem_14/librem_14.config (2)
M boards/librem_15v3/librem_15v3.config (2)
M boards/librem_15v4/librem_15v4.config (2)
M boards/librem_l1um/librem_l1um.config (2)
M boards/librem_l1um_v2/librem_l1um_v2.config (2)
M boards/librem_mini/librem_mini.config (2)
M boards/librem_mini_v2/librem_mini_v2.config (2)
M boards/nitropad-ns50/nitropad-ns50.config (2)
M boards/novacustom_nv4x_adl/novacustom_nv4x_adl.config (2)
M boards/optiplex-7010_9010-hotp-maximized/optiplex-7010_9010-hotp-maximized.config (2)
M boards/optiplex-7010_9010-maximized/optiplex-7010_9010-maximized.config (2)
M boards/optiplex-7010_9010_TXT-hotp-maximized/optiplex-7010_9010_TXT-hotp-maximized.config (2)
M boards/optiplex-7010_9010_TXT-maximized/optiplex-7010_9010_TXT-maximized.config (2)
A boards/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet.config (100)
A boards/qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet/qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet.config (99)
M boards/t420-hotp-maximized/t420-hotp-maximized.config (2)
M boards/t420-maximized/t420-maximized.config (2)
M boards/t430-hotp-maximized/t430-hotp-maximized.config (2)
M boards/t430-maximized/t430-maximized.config (2)
M boards/t530-hotp-maximized/t530-hotp-maximized.config (2)
M boards/t530-maximized/t530-maximized.config (2)
M boards/w530-hotp-maximized/w530-hotp-maximized.config (2)
M boards/w530-maximized/w530-maximized.config (2)
M boards/x220-hotp-maximized/x220-hotp-maximized.config (2)
M boards/x220-maximized/x220-maximized.config (2)
M boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config (2)
M boards/x230-hotp-maximized/x230-hotp-maximized.config (2)
M boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config (2)
M boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config (2)
M boards/x230-maximized/x230-maximized.config (2)
M boards/z220-cmt-maximized/z220-cmt-maximized.config (2)
M initrd/.ash_history (2)
M initrd/bin/cbfs-init (13)
M initrd/bin/config-gui.sh (1088)
M initrd/bin/flash.sh (6)
M initrd/bin/gpg-gui.sh (2)
M initrd/bin/gui-init (1172)
M initrd/bin/inject_firmware.sh (2)
M initrd/bin/kexec-insert-key (4)
M initrd/bin/kexec-save-default (13)
M initrd/bin/kexec-seal-key (8)
M initrd/bin/kexec-select-boot (25)
M initrd/bin/kexec-sign-config (49)
M initrd/bin/lock_chip (7)
M initrd/bin/oem-factory-reset (2203)
M initrd/bin/poweroff (6)
M initrd/bin/qubes-measure-luks (2)
M initrd/bin/reboot (6)
M initrd/bin/seal-hotpkey (165)
M initrd/bin/seal-totp (2)
M initrd/bin/tpmr (107)
M initrd/bin/unpack_initramfs.sh (2)
M initrd/bin/unseal-totp (2)
D initrd/bin/xx30-flash.init (27)
D initrd/etc/ash_functions (356)
A initrd/etc/diceware_dictionaries/eff_short_wordlist_2_0.txt (1296)
M initrd/etc/functions (538)
M initrd/init (156)
M initrd/mount-boot (2)
M initrd/sbin/insmod (6)
M modules/hotp-verification (6)
M targets/qemu.mk (2)
-- Patch Links --
https://github.com/linuxboot/heads/pull/1875.patch
https://github.com/linuxboot/heads/pull/1875.diff
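The Diceware generation described in the PR summary above (a four-dice wordlist of 1296 entries feeding a passphrase generator), as an added example that is not Heads' `generate_passphrase` code. It assumes the EFF list layout of one `<dice key><TAB><word>` entry per line; the function names, the default of six words and the `wordNNNN` sample list are constructed for illustration.

```sh
#!/bin/sh
# Added example, not code from the Heads repository.
# Diceware lookup against a wordlist with one "<dice key><TAB><word>" per line.

DICE_PER_WORD=4   # the short list added by the PR is indexed by four dice
LIST_SIZE=1296    # 6^4 entries

# roll_die: print one unbiased value in 1..6 taken from /dev/urandom.
roll_die() {
	while :; do
		byte=$(od -An -N1 -tu1 /dev/urandom | tr -d ' \n')
		[ -n "$byte" ] || return 1
		# 252 is the largest multiple of 6 that fits in a byte; rejecting
		# 252..255 avoids the bias a plain "byte % 6" would introduce.
		if [ "$byte" -lt 252 ]; then
			echo $((byte % 6 + 1))
			return 0
		fi
	done
}

# check_wordlist FILE: succeed only for a complete list with unique keys,
# so a truncated or corrupted list cannot silently shrink the word space.
check_wordlist() {
	[ -r "$1" ] || { echo "wordlist not readable: $1" >&2; return 1; }
	awk -v want="$LIST_SIZE" -v n="$DICE_PER_WORD" '
		$1 ~ /^[1-6]+$/ && length($1) == n && NF == 2 && !seen[$1]++ { ok++ }
		END { exit (ok == want && NR == want) ? 0 : 1 }' "$1" ||
		{ echo "wordlist is not a complete list: $1" >&2; return 1; }
}

# lookup_word KEY FILE: print the word stored under a dice key such as 3614.
lookup_word() {
	awk -v k="$1" '$1 == k { print $2; found = 1; exit }
		END { exit found ? 0 : 1 }' "$2"
}

# diceware_passphrase FILE [WORDS]: print WORDS space-separated words.
# The default of 6 words is an assumption of this example.
diceware_passphrase() {
	wordlist=$1
	count=${2:-6}
	case "$count" in '' | *[!0-9]*) echo "bad word count" >&2; return 1 ;; esac
	check_wordlist "$wordlist" || return 1
	phrase=""
	i=0
	while [ "$i" -lt "$count" ]; do
		key=""
		j=0
		while [ "$j" -lt "$DICE_PER_WORD" ]; do
			key="$key$(roll_die)"
			j=$((j + 1))
		done
		word=$(lookup_word "$key" "$wordlist") || return 1
		phrase="${phrase:+$phrase }$word"
		i=$((i + 1))
	done
	echo "$phrase"
}

# entropy_bits WORDS: whole bits of entropy for WORDS words from the list.
entropy_bits() {
	awk -v w="$1" -v n="$LIST_SIZE" 'BEGIN { printf "%d\n", w * log(n) / log(2) }'
}

# make_sample_wordlist FILE: write a constructed 1296-line list
# (word1111 .. word6666) so the example runs without the real wordlist.
make_sample_wordlist() {
	for a in 1 2 3 4 5 6; do for b in 1 2 3 4 5 6; do
		for c in 1 2 3 4 5 6; do for d in 1 2 3 4 5 6; do
			printf '%s\tword%s\n' "$a$b$c$d" "$a$b$c$d"
		done; done
	done; done >"$1"
}

# Stand-alone use: sh diceware.sh /path/to/wordlist.txt [words]
if [ "$#" -gt 0 ]; then
	diceware_passphrase "$@"
fi
```

Each word from a 1296-entry list contributes about 10.3 bits, so a single passphrase shared by every provisioned secret is only as strong as the word count chosen for it.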
Looks pretty good 👍
I made a handful of commits, have a look over those: tlaurion/heads@introduce_quiet_mode-diceware_STAGING...JonathonHall-Purism:heads:introduce_quiet_mode-diceware_STAGING
Also posted some review comments.
I'll be away for EOY after this. I can help address the remaining issues after holidays, but if you figure them out and need to merge I think that is reasonable.
if [ "$prompt_output" == "y" -o "$prompt_output" == "Y" ]; then | ||
break | ||
fi |
Why do we need to loop here rather than our usual "press enter"? If somebody forgets to scan the QR code, you can always OEM reset again
@JonathonHall-Purism to make sure they understand that qr code here contains all provisioned secrets and have to type Y (forced input)
If somebody forgets to scan the QR code, you can always OEM reset again.
The goal here would be for oem-factory-reset OEM mode to prompt as well for OS installation luks disk unlock key and, since unique, passphrase change it to the same diceware passphrase.
The request from OEM here was to be able to use a Qr code scanner/keyboard emulator to enter keypresses here, but I considered it too much changes on initial PR. The ideal workflow would be to load usb controllers + hid kernel modules and have a single prompt or two: either hardcode ISO defined OEM PINs per config (12345678/PleaseChangeMe known to be used by oem repacked ISOs) and prompt for oem actual/desired Disk Recovery Key passphrase.
Since physical presence is still needed for nk3 today, unattended workflow is not possible and I decided to postpone this to later, regression testing, as you pointed out for librem keys/nk2 might need more work and each iteration needs testing under Heads.
TL;DR: So as of now, we force the user to acknowledge the secrets provisioned. Cause that involves DRK even today (if defaults are not accepted and user reencrypts + passphrase change luks containers) where a re-ownership alone won't fix a DRK passphrase change: reinstallation would be needed.
Security considerations
A security reminder that OEM OS pre-installation with publicly available OS luks key passphrases is convenient for unattended OS installation only, with severe implications: it eases in transit interdiction. Someone could not only implant something in installed OS if that default luks passphrase is publicly known, and only provides security if not shared with end user until past delivery for sole scope of the user reencrypting luks + passphrase changing upon reception of delivery.
End user's data at rest (encrypted user data, files, configs) requires luks containers reencryption+passphrase change, otherwise a passphrase change alone would not prevent in-transit luks header having been backup to be restored, and attacker to type PleaseChangeMe to access data at rest later on. This puts undesired liability on OEM if for whatever reason, luks passphrase happened to leak until end user reencrypts+passphrase change luks containers through re-ownership.
Luks containers reencryption+passphrase change is needed to protect user of oem and in-transit interception and defeat possible usage of luks header backup to be restored and data at rest to be accessed from pre-installed OEM OSes.
@@ -121,38 +130,50 @@ if [ "$((now_date - gpg_key_create_time))" -gt "$month_secs" ]; then | |||
elif [ "$admin_pin_retries" -lt 3 ]; then |
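Review bot: the `elif [ "$admin_pin_retries" -lt 3 ]` test assumes `admin_pin_retries` already holds a bare integer. When the value parsed from the dongle has any other shape, `[` reports an error and returns non-zero, so this low-retry branch is skipped without the user being warned. Check that the variable contains only digits before the comparison (for instance with a `case` pattern on `*[!0-9]*`) and handle the non-numeric case explicitly instead of falling through.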
Something's not right here on Librem Key, I'm getting:
/bin/seal-hotpkey: line 130: [: Admin3,User3: integer expression expected
(it's getting Admin3,User3 in admin_pin_retries)
I can help figure this out but it'll have to be in January
fixed under 696ecf5 and tested with undusted old 0.10 fw based librem key I had in toolbox. <Nk3 works.
#TODO: silence the output of hotp_initialize once https://github.com/Nitrokey/nitrokey-hotp-verification/issues/41 is fixed | ||
#hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" >/dev/null 2>&1 | ||
hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" |
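Review bot: on the active `hotp_initialize` line, `$HOTP_SECRET` and `$counter_value` are expanded unquoted while the two neighbouring arguments are quoted. Quote both so that an empty or unexpected value cannot shift the argument positions or undergo word splitting and globbing. The commented-out variant carries the same unquoted expansions and should be fixed the same way before it is re-enabled.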
You probably know this but there's a TODO here and it's producing some output for other keys now. Just leaving this open so we fix it before merge. Or you could use DO_WITH_DEBUG if capturing stdout/stderr to the log is sufficient for working on this
@JonathonHall-Purism agreed. This is regression caused by Nitrokey with their nk3 introduction without testing Heads for regression since nk3 is sold. If we silence output as before, then user doesn't receive prompt from hotp_initialize for nk3 keys.
@JonathonHall-Purism Feel free to open issue under https://github.com/Nitrokey/nitrokey-hotp-verification/ for @daringer and @daringer (cc @jans23) to be aware of time lost by ecosystem, so it's not just me complaining. Furthermore that their nk3 regressions have impact for the whole ecosystem which they don't seem to acknowledge, living in their Nitrokey bubble.
I'm sorry, but I've lost 60h up to now which won't be paid and there is no compensation for my time applying mitigations/testing fixes etc that happened under #1866.
So from now on, regressions for heads will need issues opened under https://github.com/Nitrokey/nitrokey-hotp-verification and pr will be proposed by Nitrokey team under Heads since they refuse to compensate for work done. Todos in code for them to fix, as noted, depending on Nitrokey/nitrokey-hotp-verification#41 (requiring nk3 firmware upgrade) which was delayed from this feature freeze, even if @jans23 said it would be present for feature freeze per business related discussions.
initrd/bin/seal-hotpkey
Outdated
# remind user to change admin password | ||
warn "Weak OEM default PINs are under use to enforce remote attestation/encryption/signature operations" | ||
warn "$CONFIG_BRAND_NAME security is compromised until the ownership of this device is re-established by changing secrets by non-default values" | ||
warn "You must change current default secrets through 'Options -> OEM Factory Reset/Re-Ownership' menu and not accept the default options" | ||
warn "You will be asked to answer a questionnaire to re-own your device and USB security dongles with new secrets" |
IMO, the amount of text in this warning will cause fewer people to read it, not more. (I am guilty of this.) I know I have read research on this, sadly I don't have enough time today to look it up. Above a sentence or two, users very frequently ignore the message entirely.
It is a great improvement to suggest where to go rather than leaving users totally confused. There is no sense re-explaining what OEM factory reset will explain anyway though.
# remind user to change admin password | |
warn "Weak OEM default PINs are under use to enforce remote attestation/encryption/signature operations" | |
warn "$CONFIG_BRAND_NAME security is compromised until the ownership of this device is re-established by changing secrets by non-default values" | |
warn "You must change current default secrets through 'Options -> OEM Factory Reset/Re-Ownership' menu and not accept the default options" | |
warn "You will be asked to answer a questionnaire to re-own your device and USB security dongles with new secrets" | |
# remind user to change admin password | |
warn "Default admin PIN detected. Please change this as soon as possible with Options > OEM Factory Reset / Re-Ownership" |
Fixed under 94dd788 which shows Secrets app PIN/ GPG Admin PIN depending if nk3/<nk3 (tested on 0.10 fw librem key: ok with branding info ok as well.
initrd/bin/tpmr
Outdated
@@ -630,6 +651,7 @@ tpm1_unseal() { | |||
-sz "$sealed_size" \ | |||
-of "$sealed_file" || | |||
die "Unable to read sealed file from TPM NVRAM" | |||
# TODO: Cannot log + exit instead of dying!?! |
What's this?
Artifacts of quiet modes TODOs that were still in code but not relevant anymore. Fixed by af59704
All other TODOs in code considered relevant per quick review.
initrd/bin/tpmr
Outdated
tpm2 clear -c platform >/dev/null 2>&1 || LOG "Unable to clear TPM on platform hierarchy" | ||
tpm2 changeauth -c owner "$(tpm2_password_hex "$tpm_owner_password")" >/dev/null 2>&1 || LOG "Unable to change owner password" | ||
tpm2 changeauth -c endorsement "$(tpm2_password_hex "$tpm_owner_password")" >/dev/null 2>&1 || LOG "Unable to change endorsement password" | ||
tpm2 createprimary -C owner -g sha256 -G "${CONFIG_PRIMARY_KEY_TYPE:-rsa}" \ | ||
-c "$SECRET_DIR/primary.ctx" -P "$(tpm2_password_hex "$tpm_owner_password")" | ||
-c "$SECRET_DIR/primary.ctx" -P "$(tpm2_password_hex "$tpm_owner_password")" >/dev/null 2>&1 || LOG "Unable to create primary key" | ||
tpm2 evictcontrol -C owner -c "$SECRET_DIR/primary.ctx" "$PRIMARY_HANDLE" \ | ||
-P "$(tpm2_password_hex "$tpm_owner_password")" | ||
shred -u "$SECRET_DIR/primary.ctx" | ||
tpm2_startsession | ||
-P "$(tpm2_password_hex "$tpm_owner_password")" >/dev/null 2>&1 || LOG "Unable to evict primary key" | ||
shred -u "$SECRET_DIR/primary.ctx" >/dev/null 2>&1 | ||
tpm2_startsession >/dev/null 2>&1 || LOG "Unable to start session" |
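Review bot: every step of the TPM2 reset now ends in `>/dev/null 2>&1 || LOG "..."`, which records a failure but lets the sequence continue, so a failed `tpm2 clear` or `tpm2 changeauth` is still followed by `createprimary` and `evictcontrol` against a TPM in an unknown state. The redirection also discards the tool's own error text, leaving only the fixed LOG string for diagnosis. Stop at the first failing step and capture the command output in the log rather than dropping it; the `shred -u` of `primary.ctx` should not have its failure hidden either.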
TPM2 reset is not working on L1UM v2 🤔 Tried to do OEM reset and just get an error about TPM reset failed with blank output.
Trying to grab a debug log (not much time left for today but I think it'll be done in time). I haven't tried master on L1UM v2 lately either, not sure it's from this branch.
(Also not sure the problem is here, just putting this somewhere relevant 🙂 )
Cannot replicate neither on tpm2 qemu boards or nv4x :/ (but with your fixes in though)
All proposed changes by @JonathonHall-Purism tested, good improvements, specifically the Config Settings menu changes under single menu and sink log hacks that are more streamlined. |
…sion bump output parsing for <nk3 As tested working with old librem key fw 0.10: works Log entry of additioanl 30 minutes for linuxboot#1875 (I cannot not fix with my time @jans23 linuxboot#1866, since nk3 is not the only dongle support by Heads) Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Houla. https://github.com/linuxboot/heads/pull/1875/checks?check_run_id=34750406698 says there is unsigned commit at HEAD~72 :/ Trying to fix but this pr has 67 commits. Oh well. Edit: DCO error points to commit tlaurion@853541c Will rebase on master and move on. |
…sion bump output parsing for <nk3 As tested working with old librem key fw 0.10: works Log entry of additioanl 30 minutes for linuxboot#1875 (I cannot not fix with my time @jans23 linuxboot#1866, since nk3 is not the only dongle support by Heads) Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…d containing 'export CONFIG_QUIET_MODE=y' for output comparison between debug, prod and quiet mode Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…now all passed to LOG (quiet mode doesn't show them and logs them to /tmp/debug.log) Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…l information can be seen running 'cat /tmp/debug.log' from Recovery Shell Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…needed Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…an't wait we get rid of this... file must exist and not be empty, and hash output to console must not be silenced Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…r qemu so only prod_quiet boards have quiet upon revert repro user@localhost:~/heads$ sed -i 's|export CONFIG_BOOTSCRIPT=/bin/gui-init|#Enable quiet mode: technical information logged under /tmp/debug.log\nexport CONFIG_QUIET_MODE=y\nexport CONFIG_BOOTSCRIPT=/bin/gui-init|' boards/*/*.config user@localhost:~/heads$ git restore boards/*qemu*/*.config Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…ell access Signed-off-by: Thierry Laurion <insurgo@riseup.net>
… dongle...' Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…s created upon setting default boot (was not clear) Signed-off-by: Thierry Laurion <insurgo@riseup.net>
… at build time but disabled through Configuration Settings applied override, early measurement output got suppressed Also tell user that those early suppressed messages can be seen under /tmp/debug.txt Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm> Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Add examples for capturing stderr or both stdout+stderr. Trace blank lines with LOG like non-blank lines. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm> Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Use SINK_LOG to capture tpm2 unseal rather than a temp file. Don't double up output from tpm "$@" to log; DO_WITH_DEBUG already captures it. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm> Signed-off-by: Thierry Laurion <insurgo@riseup.net>
If a TPM reset step fails, don't blindly continue onto the other steps. Use DO_WITH_DEBUG to trace failures, so they're visible in the log but we still exit due to set -e. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm> Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Don't print the URL and then explain how to get the secret out of it, just print the secret. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm> Signed-off-by: Thierry Laurion <insurgo@riseup.net>
These two settings are exclusive, so they would disable each other if enabled. Present them as one setting with three output levels. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm> Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…olution Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…evert for qemu so only prod_quiet boards have quiet upon revert" This reverts commit 65d6fc4. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…et(y) just prior of gui-init to attempt to unify to all boards Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…prior of bootscript to unify to all boards with exception of - qemu boards not being *quiet: quiet=n - qemu boards not being *prod* having pcap=y - qemy boards not being *prod* have debug+tracing=y - qemu tpm1 boards have '#pcap=n' Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…/tmp/tpm0.pcap (not just check for existence of CONFIG_TPM2_CAPTURE_PCAP under env) So that export CONFIG_TPM2_CAPTURE_PCAP=n across all boards doesn't break and so that its easy for auditors to just toggle on in board configs Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…sion bump output parsing for <nk3 As tested working with old librem key fw 0.10: works Log entry of additioanl 30 minutes for linuxboot#1875 (I cannot not fix with my time @jans23 linuxboot#1866, since nk3 is not the only dongle support by Heads) Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Ha right. Sorry for the noise of rebasing: https://github.com/linuxboot/heads/compare/29b210800a99de24bef8519363a3bdfbc2a82bd7..696ecf54cd38d278495a3119ca8afcd627d6d2bb shows last master unsigned commit which was used for testing unsigned commit (commit signed by github for #1794) |
…IN is detected Additional 0.5h for applying changes linked to code review under linuxboot#1875 Linked to Nitrokey unacknowledged RfP linuxboot#1866 that continues to grow past the 40h (now near 42... but unpaid because 'unplanned'... As if this was planned on my side.) Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Ready for testing for all, with fixes per @JonathonHall-Purism and additional commits to address his review. Switching from draft to ready to review so github bot updates in channel |
Excellent work - thanks I have flashed heads-x220-maximized-v0.2.0-2537-gaf59704.zip Seems to work fine so far. Will test more extensively over next few days. In my opinion, quiet mode is a sensible default - can easily switch to more debugging if needed |
I tested So far it mostly seems to do its job, thanks! Some things I noticed:
Merry Christmas btw. |
This is weird unless you changed the informational output option, which saves back under cbfs config.user overrides for debug output which you seemed to have tested here. This would modify flash as warned and? What was unexpected?
Please open an issue here. This is important issue and not sure one is opened, would not be trivial to change but not complicated either.
That would be part of debug output and is considered normal unless thought otherwise?
You too and thanks for the feedback, means a lot. |
Ok, I reported it at #1880.
I had enabled informational output only and didn't expect that the option affects the list of boot options which I can select from. |