-
-
Notifications
You must be signed in to change notification settings - Fork 185
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(WIP) Current x230 no config libremkey #452
(WIP) Current x230 no config libremkey #452
Conversation
missing librem patches
also fix indentation issues
The Librem Key is a custom device USB-based security token Nitrokey is producing for Purism and among other things it has custom firmware created for use with Heads. In particular, when a board is configured with CONFIG_LIBREMKEY, this custom firmware allows Heads to use the sealed TOTP secret to also send an HOTP authentication to the Librem Key. If the HOTP code is successful, the Librem Key will blink a green LED, if unsuccessful it will blink red, thereby informing the user that Heads has been tampered with without requiring them to use a phone to validate the TOTP secret. Heads will still use and show the TOTP secret, in case the user wants to validate both codes (in case the Librem Key was lost or is no longer trusted). It will also show the result of the HOTP verification (but not the code itself), even though the user should trust only what the Librem Key displays, so the user can confirm that both the device and Heads are in sync. If HOTP is enabled, Heads will maintain a new TPM counter separate from the Heads TPM counter that will increment each time HOTP codes are checked. This change also modifies the routines that update TOTP so that if the Librem Key executables are present it will also update HOTP codes and synchronize them with a Librem Key.
The section in gui-init that modifies the Heads TPM counter when signing config was accidentally removed. This change adds that section back.
TPM v1.2 has a limitation in that only a single monotonic counter can be incremented between reboots [1]. So in the event we are using HOTP monotonic counters, we need to reference those for the Heads rollback counter when we update file signatures in /boot, otherwise the increment stage at kexec-sign-config will fail since at each boot, the HOTP monotonic counter has already been incremented. [1] https://projects.csail.mit.edu/tc/tpmj/UsersGuide.html#inccounter
This reverts commit c420844.
The HOTP counter isn't a secret but is just used to prevent replay attacks (the time-based counter in TOTP isn't a secret either) so it doesn't need to be protected in the TPM and storing it as a TPM monotonic counter was causing conflicts with the Heads configuration counter as TPM 1.2 can only increment one counter per reboot. This change moves the HOTP counter into the file in /boot that was previously keeping track of the TPM counter id.
Currently the Librem Key tests will time out after 40 seconds, which adds to the boot time significantly if the user wants to boot without inserting it. This patch changes that timeout to one second.
Granted the user should really be using the Librem Key/phone to check for tampering (since an attacker could control the Heads background color) but this provides another visual queue for the user with the GUI menu to catch less sophisticated tampering.
fwiw I tested this and it looks good to me. You'd probably at least clean up the configs to have head's defconfig format if I see this correctly. But I hope to see these parts merged sometime soon :) |
@kylerankin @osresearch @flammit Any update on the LUKS key releasing bug? @merge : yep, i'll do defconfig and push the changes in a bit, thanks for your input. |
Those are the required changes to build successfully fbwhiptail, libremkey dependencies over CMake over fedora-28, otherwise it doesn't work.
make BOARD=x230
Unsuccessful builds since june: https://gitlab.com/nemanjan00/heads-ci/-/jobs/89088527
@kylerankin @osresearch @flammit : Please review and check LUKS key release bug and merge ASAP!