forked from linuxboot/heads
Mtl dasharo branding #12
Draft
mkopec wants to merge 98 commits into add_novacustom_v540tu from mtl_dasharo_branding
base: add_novacustom_v540tu
Conversation
…d containing 'export CONFIG_QUIET_MODE=y' for output comparison between debug, prod and quiet mode Signed-off-by: Thierry Laurion <[email protected]>
…now all passed to LOG (quiet mode doesn't show them and logs them to /tmp/debug.log) Signed-off-by: Thierry Laurion <[email protected]>
Signed-off-by: Thierry Laurion <[email protected]>
…l information can be seen running 'cat /tmp/debug.log' from Recovery Shell Signed-off-by: Thierry Laurion <[email protected]>
…needed Signed-off-by: Thierry Laurion <[email protected]>
Signed-off-by: Thierry Laurion <[email protected]>
…onfirm_gpg_card presence call, echo for now, warn to input GPG User PIN when asked to unlock GPG card Mitigate misunderstandings and show GPG User/Admin PIN counts until proper output exists under hotp_verification info to reduce global confusion Add TODO under initrd/bin/seal-hotpkey to not forget to fix output since now outputting counter of 8 for Admin PIN which makes no sense at all under hotp_verification 1.6 Nitrokey/nitrokey-hotp-verification#38 Signed-off-by: Thierry Laurion <[email protected]>
…ords then short list v1 for easier to remember passphrases This list comes from https://www.eff.org/files/2016/09/08/eff_short_wordlist_2_0.txt Referred in article: https://www.eff.org/dice Signed-off-by: Thierry Laurion <[email protected]>
Nothing uses it for the moment, needs to be called from recovery shell: bash, source /etc/functions. generate_passphrase - parses dictionary to check how many dice rolls needed on first entry, defaults to EFF short list v2 (bigger words easier to remember, 4 dice rolls instead of 5) - defaults to using initrd/etc/diceware_dictionnaries/eff_short_wordlist_2_0.txt, parametrable - make sure format of dictionary is 'digit word' and fail early otherwise: we expect EFF diceware format dictionaries - enforces max length of 256 chars, parametrable, reduces number of words to fit if not overridden - enforces default 3 words passphrase, parametrable - enforces capitalization of first letter, lowercase parametrable - read multiple bytes from /dev/urandom to fit number of dice rolls Unrelated: uniformize format of file Signed-off-by: Thierry Laurion <[email protected]>
Signed-off-by: Thierry Laurion <[email protected]>
Signed-off-by: Thierry Laurion <[email protected]>
…ount /etc/fstab existing /boot partition (otherwise early 'o' to enter oem mode of oem-factory-reset Signed-off-by: Thierry Laurion <[email protected]>
…user press y (end of reownership wizard secret output) Signed-off-by: Thierry Laurion <[email protected]> works: - oem and user mode passphrase generation - qrcode missing: - unattended - luks reencryption + passphrase change for OEM mode (only input to be provided) with SINGLE passphrase when in unattended mode - same for user reownership when previously OEM reset unattended Signed-off-by: Thierry Laurion <[email protected]>
Signed-off-by: Thierry Laurion <[email protected]>
… dongle reset logic Signed-off-by: Thierry Laurion <[email protected]>
Signed-off-by: Thierry Laurion <[email protected]>
…p, make sure defaults are set for all modes, including default which uses current defaults being DEF pins (12345678 and 123456 as master) Signed-off-by: Thierry Laurion <[email protected]>
…for this PR (43 conflicts when applied atop 46. 46 is needed here) Signed-off-by: Thierry Laurion <[email protected]>
…e current defaults being DEF pins (12345678 and 123456 as master) Signed-off-by: Thierry Laurion <[email protected]>
…N as text and in Qr code Signed-off-by: Thierry Laurion <[email protected]>
…n that physical presence is needed Signed-off-by: Thierry Laurion <[email protected]>
…ctory Reset Mode', 'Re-Ownership Mode' or 'OEM Factory Reset / Re-Ownership' TODO: further specialize warning prompt to tell what is going to happen (randomized PIN, single custom randomized PIN etc) Signed-off-by: Thierry Laurion <[email protected]>
…cal presence, put nk3 secure APP PIN after TPM but before GPG PINS in output for consistency Signed-off-by: Thierry Laurion <[email protected]>
Signed-off-by: Thierry Laurion <[email protected]>
TODO: check logic in this file because assumptions on PINs retry count are wrong and will depend on Nitrokey/nitrokey-hotp-verification#43 not tested here Signed-off-by: Thierry Laurion <[email protected]>
…instead of Nitrokey/nitrokey-hotp-verification#46 for hotp-verification info parsing and validation of oem-factory-reset and seal-hotp Signed-off-by: Thierry Laurion <[email protected]>
- oem-factory-reset: fix strings for nk3 is from Nitrokey/nitrokey-hotp-verification#43 is Secrets app, not Secret App singular, not App capitalized - initrd/bin/seal-hotpkey: adapt to check nk3 Secrets App PIN counter if nk3, keep Card counters for <nk3 from Nitrokey/nitrokey-hotp-verification#43 - Unattended hotp_initialize output removed since we need physical presence to seal HOTP until Nitrokey/nitrokey-hotp-verification#41 is fixed - Finally make seal_hotp use logic to detect if public key <1m old, use HOTP related PIN by default if counter is not <3, warn that re-ownership needs to be run to change it since no security offered at all otherwise with HOTP - unify format with linting tool Tested in local tree against https://patch-diff.githubusercontent.com/raw/Nitrokey/nitrokey-hotp-verification/pull/43.patch, removing https://patch-diff.githubusercontent.com/raw/Nitrokey/nitrokey-hotp-verification/pull/46.patch - will revert the change above in PR once testing is over Signed-off-by: Thierry Laurion <[email protected]>
…fef5d1c82a014e0e2bf79346 directory: waiting for Nitrokey/nitrokey-hotp-verification#43 and Nitrokey/nitrokey-hotp-verification#46 to be merged to change modules/hotp-verification commit Signed-off-by: Thierry Laurion <[email protected]>
Signed-off-by: Jonathon Hall <[email protected]> Signed-off-by: Thierry Laurion <[email protected]>
…IN is detected Additional 0.5h for applying changes linked to code review under linuxboot#1875 Linked to Nitrokey unacknowledged RfP linuxboot#1866 that continues to grow past the 40h (now near 42... but unpaid because 'unplanned'... As if this was planned on my side.) Signed-off-by: Thierry Laurion <[email protected]>
Signed-off-by: Thierry Laurion <[email protected]>
…ects output to file used to show boot options in GUI Thanks @3hhh for bug in PR bug report at linuxboot#1875 (comment) This bug is present for all DO_WITH_DEBUG calls to functions redirecting output to file. Signed-off-by: Thierry Laurion <[email protected]>
mkopec force-pushed the mtl_dasharo_branding branch from 9c0d988 to 6e1138b on January 13, 2025 13:00 (Compare)
…ch redirects output to file used to show boot options in GUI" This reverts commit 618ff26. This is not the proper way. Signed-off-by: Thierry Laurion <[email protected]>
…EBUG uses LOG. INFO manages console output to log or console Quiet mode introduced output reduction to console to limit technical info provided to end users. Previous informational output (previous default) now outputs this now considered additional information through INFO() calls, which either outputs to console, or debug.log Only DO_WITH_DEBUG should call LOG directly, so that stderr+stdout output is prepended with LOG into debug.log This fixes previous implementation which called LOG in DO_WITH_DEBUG calls and modified expected output to files, which was observed by @3hhh in output of GRUB entries when selecting boot option. Signed-off-by: Thierry Laurion <[email protected]>
Add NovaCustom V560TU board
…_mode-diceware_STAGING
…d to answer testing calls Signed-off-by: Thierry Laurion <[email protected]>
…by default Signed-off-by: Thierry Laurion <[email protected]>
Signed-off-by: Thierry Laurion <[email protected]>
… to linux kernel Note: qemu coreboot config still passes debug (non quiet, non prod board = debug) config/coreboot-qemu-tpm1.config:173:CONFIG_LINUX_COMMAND_LINE="debug console=ttyS0,115200 console=tty" config/coreboot-qemu-tpm2.config:170:CONFIG_LINUX_COMMAND_LINE="debug console=ttyS0,115200 console=tty" Signed-off-by: Thierry Laurion <[email protected]>
There are many flows through oem-factory-reset that use passwords provided by the user or basic defaults to be changed later. We don't need to badger the user to record those passwords. Still do this if we generated diceware passwords though, as the user does not know them yet. Signed-off-by: Jonathon Hall <[email protected]>
…ranch Signed-off-by: Michał Kopeć <[email protected]>
…coreboot to linux kernel Note: qemu coreboot config still passes debug (non quiet, non prod board = debug) config/coreboot-qemu-tpm1.config:173:CONFIG_LINUX_COMMAND_LINE="debug console=ttyS0,115200 console=tty" config/coreboot-qemu-tpm2.config:170:CONFIG_LINUX_COMMAND_LINE="debug console=ttyS0,115200 console=tty" Signed-off-by: Thierry Laurion <[email protected]>
BUGFIX: v560tu: unify board config, remove debug cmdline passed from coreboot to linux kernel
…_mode-diceware_STAGING
…branch modules/coreboot: set Dasharo coreboot fork rev to the main dasharo branch
…_mode-diceware_STAGING
…asharo branch" This reverts commit 13f8cce. Signed-off-by: Thierry Laurion <[email protected]>
…dasharo BUGFIX: Revert "modules/coreboot: set Dasharo coreboot fork rev to the main d…
…_mode-diceware_STAGING
…n (workaround) Signed-off-by: Thierry Laurion <[email protected]>
…diceware_STAGING TESTING NEEDED: STAGING PR (quiet mode + diceware + nk3 fixes)
mkopec force-pushed the mtl_dasharo_branding branch from 6e1138b to 6ab663c on January 21, 2025 13:45 (Compare)
Signed-off-by: Michał Kopeć <[email protected]>
Signed-off-by: Michał Kopeć <[email protected]>
mkopec force-pushed the mtl_dasharo_branding branch from 6ab663c to d983b42 on January 21, 2025 14:44 (Compare)
Signed-off-by: Michał Kopeć <[email protected]>
No description provided.