Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Provisioning Yubikey 5 Nano for Heads configuration #102

Closed
githubuseravailable opened this issue Sep 11, 2022 · 12 comments · Fixed by linuxboot/heads#1305
Closed

Provisioning Yubikey 5 Nano for Heads configuration #102

githubuseravailable opened this issue Sep 11, 2022 · 12 comments · Fixed by linuxboot/heads#1305
Assignees

Comments

@githubuseravailable
Copy link

githubuseravailable commented Sep 11, 2022

To implement: Needs forcesig check and toggle if disabled so factory reset works in all cases: #102 (comment)


hi @tlaurion

i see the Heads wiki has been improved a lot than before, and it is great.

do you mind to add steps about how to provision a new Yubikey and export its public key ?
or maybe there is any good references about that ?

do we have to choose between using the original private key in the Yubikey,
or generate key, then store it inside Yubikey ?

@tlaurion
Copy link
Collaborator

Is there any reason why https://osresearch.net/Configuring-Keys/#no-public-key-found-in-rom is not answering your question?

Which Yubikey please ? ( please modify issue title so that others find this issue).

Know that you might face linuxboot/heads#1076

Let us know

@tlaurion
Copy link
Collaborator

I suggested a workaround there, but the user who opened issue didn't follow through, and I do not own a yubikey myself.

linuxboot/heads#1076 (comment)

@githubuseravailable githubuseravailable changed the title Provisioning a new Yubikey to be used with Heads Provisioning Yubikey 5 Nano for Heads configuration Sep 11, 2022
@githubuseravailable
Copy link
Author

githubuseravailable commented Sep 11, 2022

@tlaurion okay, i have changed the issue title, is it good now, or maybe modify again ?

i also don't really understand that part https://osresearch.net/Configuring-Keys/#no-public-key-found-in-rom

You can either:

  • add a backuped gpg public key matching an already provisioned USB Security dongle (see below on adding public key) or
  • generate the keys, alongside as setting all security components in one go with the OEM Factory Reset/Re-Ownership option.

does it mean that, if we choose OEM factory reset/re-ownersip,
then we don't need to provision the Yubikey ?

or OEM factory reset/re-ownership, is the next step after add gpg key to the running bios ?

@tlaurion
Copy link
Collaborator

tlaurion commented Sep 11, 2022

Basically, I would love to know if forcedsig is on :

gpg --card-status

Then we could go for an image to test and fix issue.

Since Heads bonds more nicely to nitrokey pro and librem keys, no other bug report having happened and the discussion having stopped over there left the issue unfixed.

Please try oem-factory reset/Re-ownwrship wizard and report back in the same issue/PR to advance the discussion. Tag me there as well and I'll try to fix code for you to test image.

Which board?

@tlaurion
Copy link
Collaborator

tlaurion commented Sep 11, 2022

You can either:

add a backuped gpg public key matching an already provisioned USB Security dongle (see below on adding public key) or
generate the keys, alongside as setting all security components in one go with the OEM Factory Reset/Re-Ownership option.

does it mean that, if we choose OEM factory reset/re-ownersip,
then we don't need to provision the Yubikey ?

or OEM factory reset/re-ownership, is the next step after add gpg key to the running bios ?

The OEM factory reset/re-ownership provisions the USB security dongle if it is in factory state, or Re-owns states, including keypair generation with your personal information, resulting in an exported public key.

No public key = no provisioned state.
No public key to be imported. So in a factory default state. And needs to be provisioned, or owned.

What would need to be clearer? Without a keypair (private key in smartcard, public key exported) with a Realname, email address and optinal comment, and passphrases, the dongle cannot really be used.

Under heads, the private key signs with authentication, and the public key is injected in ROM to verify detached signed digest.

Without provisioning your yubikey, the PINs are the default one and no keypair exist, so it cannot be used under Heads.

I see that the wiki implies that one knows GPG. How would you put that in its simplest form so you would have understood that from quoted text?

@githubuseravailable
Copy link
Author

gpg --card-status

Signature PIN: not forced
Signature, encryption, authentication, general key: none

Which board?

x230

Please try oem-factory reset/Re-ownwrship wizard and report back in the same issue/PR to advance the discussion. Tag me there as well and I'll try to fix code for you to test image.

okay

How would you put that in its simplest form so you would have understood that from quoted text?

okay, i understand better now, thanks

i thought that the Yubikey will have contained original private key without provisioning before.
maybe if users don't understand GPG and Yubikey, it will be hard to understand this part.

maybe if we modify the wiki, it will be better, such as:

note that the factory state USB security dongle contain no key inside,
it need to be provisioned to contain key,

if your USB security dongle is in factory state, it means it has not been provisioned,
then choose OEM factory reset, to provision it.

but if you already have the provisioned USB security dongle, and the backuped gpg public key,
then can choose add gpg key to the running bios

@githubuseravailable
Copy link
Author

@tlaurion i have followed the solution in oem factory reset fail
and Heads configuration has completed now, thanks

but there are other issues, so i will open ticket

@tlaurion
Copy link
Collaborator

@githubuseravailable

@tlaurion i have followed the solution in linuxboot/heads#1076 (comment)
and Heads configuration has completed now, thanks

So basically, you confirm that the code is not dealing properly with Yubikey 5 Nano, and that linuxboot/heads#1076 (comment) is stil lvalid and that a code fix is needed?

@githubuseravailable
Copy link
Author

So basically, you confirm that the code is not dealing properly with Yubikey 5 Nano, and that osresearch/heads#1076 (comment) is stil lvalid and that a code fix is needed?

@tlaurion i didn't try oem factory reset without forcesig,
i assume directly that it will fail without forcesig,
so then gpg card edit, admin, forcesig directly,
do you want me to re-try oem factory reset without forcesig ?
i can re-try if you think we need the experiment

@tlaurion
Copy link
Collaborator

Just some notes for a simple test that could be implemented after factory reset of the card under linuxboot/heads#1076 (comment)

Add in script the forcesig function:

gpg_forcesig_on_toggle()
{
    # Toggle forced sig (good security practice, forcing PIN request for each signature request)
    {
        echo admin
        echo forcesig
        echo ${ADMIN_PIN_DEF}
    } | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \
        > /tmp/gpg_card_edit_output 2>/dev/null
    if [ $? -ne 0 ]; then
        ERROR=`cat /tmp/gpg_card_edit_output`
        whiptail_error_die "GPG Key forcesig toggle on failed!\n\n$ERROR"
    fi
}

Then add after https://github.com/osresearch/heads/blob/32e70316785f599e28c38c62a3ac72ba5f7acb27/initrd/bin/oem-factory-reset#L607

if gpg --card-status | grep "Signature PIN" | grep -q "not forced"; then gpg_forcesig_on_toggle; fi

@githubuseravailable
Copy link
Author

ok @tlaurion i will try without forcesig to ensure, then apply the additional script above,
i will update again, but not at anytime soon.

@tlaurion
Copy link
Collaborator

tlaurion commented Oct 2, 2022

That should be implemented first and tested.

Reopening issue, modified OP to include link to implementation needed at #102 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants