(WIP) Current x230 no config libremkey #452
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
missing librem patches
also fix indentation issues
The Librem Key is a custom device USB-based security token Nitrokey is producing for Purism and among other things it has custom firmware created for use with Heads. In particular, when a board is configured with CONFIG_LIBREMKEY, this custom firmware allows Heads to use the sealed TOTP secret to also send an HOTP authentication to the Librem Key. If the HOTP code is successful, the Librem Key will blink a green LED, if unsuccessful it will blink red, thereby informing the user that Heads has been tampered with without requiring them to use a phone to validate the TOTP secret. Heads will still use and show the TOTP secret, in case the user wants to validate both codes (in case the Librem Key was lost or is no longer trusted). It will also show the result of the HOTP verification (but not the code itself), even though the user should trust only what the Librem Key displays, so the user can confirm that both the device and Heads are in sync. If HOTP is enabled, Heads will maintain a new TPM counter separate from the Heads TPM counter that will increment each time HOTP codes are checked. This change also modifies the routines that update TOTP so that if the Librem Key executables are present it will also update HOTP codes and synchronize them with a Librem Key.
The section in gui-init that modifies the Heads TPM counter when signing config was accidentally removed. This change adds that section back.
TPM v1.2 has a limitation in that only a single monotonic counter can be incremented between reboots [1]. So in the event we are using HOTP monotonic counters, we need to reference those for the Heads rollback counter when we update file signatures in /boot, otherwise the increment stage at kexec-sign-config will fail since at each boot, the HOTP monotonic counter has already been incremented. [1] https://projects.csail.mit.edu/tc/tpmj/UsersGuide.html#inccounter
This reverts commit c420844.
The HOTP counter isn't a secret but is just used to prevent replay attacks (the time-based counter in TOTP isn't a secret either) so it doesn't need to be protected in the TPM and storing it as a TPM monotonic counter was causing conflicts with the Heads configuration counter as TPM 1.2 can only increment one counter per reboot. This change moves the HOTP counter into the file in /boot that was previously keeping track of the TPM counter id.
Currently the Librem Key tests will time out after 40 seconds, which adds to the boot time significantly if the user wants to boot without inserting it. This patch changes that timeout to one second.
Granted the user should really be using the Librem Key/phone to check for tampering (since an attacker could control the Heads background color) but this provides another visual queue for the user with the GUI menu to catch less sophisticated tampering.
|
fwiw I tested this and it looks good to me. You'd probably at least clean up the configs to have head's defconfig format if I see this correctly. But I hope to see these parts merged sometime soon :) |
|
@kylerankin @osresearch @flammit Any update on the LUKS key releasing bug? @merge : yep, i'll do defconfig and push the changes in a bit, thanks for your input. |
tlaurion
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Those are the required changes to build successfully fbwhiptail, libremkey dependencies over CMake over fedora-28, otherwise it doesn't work.
make BOARD=x230Unsuccessful builds since june: https://gitlab.com/nemanjan00/heads-ci/-/jobs/89088527
@kylerankin @osresearch @flammit : Please review and check LUKS key release bug and merge ASAP!