Merge pull request #761 from Nitrokey/hotp-neutral

Fix branding issue with HOTP USB Security Dongles

.gitlab-ci.yml

@@ -8,13 +8,13 @@ stages:
 
 build:
   stage: build
-  retry: 2
+  retry: 1
   cache:
     paths:
       - packages
       - crossgcc
       - build
-    key: "heads-$GITLAB_USER_LOGIN"
+    key: "heads-$GITLAB_USER_LOGIN-2"
   script:
     - dnf install -y @development-tools gcc-c++ gcc-gnat zlib-devel perl-Digest-MD5 perl-Digest-SHA uuid-devel pcsc-tools ncurses-devel lbzip2 libuuid-devel lzma elfutils-libelf-devel bc bzip2 bison flex git gnupg iasl m4 nasm patch python wget libusb-devel cmake automake pv bsdiff autoconf libtool cpio texinfo
     - git fetch origin 
@@ -75,6 +75,8 @@ build:
     - cat ./build/qemu-coreboot/hashes.txt
     - echo "Archiving qemu-coreboot logs..."
     - tar zcvf ./build/qemu-coreboot/logs.tar.gz ./build/log/*
+    - echo "Calculate used space for cache"
+    - du -shc packages crossgcc build
   artifacts:
     paths:
       - ./build/qemu-coreboot

Makefile

@@ -428,7 +428,7 @@ bin_modules-$(CONFIG_FLASHTOOLS) += flashtools
 bin_modules-$(CONFIG_NEWT) += newt
 bin_modules-$(CONFIG_CAIRO) += cairo
 bin_modules-$(CONFIG_FBWHIPTAIL) += fbwhiptail
-bin_modules-$(CONFIG_LIBREMKEY) += libremkey-hotp-verification
+bin_modules-$(CONFIG_HOTPKEY) += hotp-verification
 bin_modules-$(CONFIG_MSRTOOLS) += msrtools
 
 $(foreach m, $(bin_modules-y), \

boards/librem13v2/librem13v2.config

@@ -22,7 +22,7 @@ CONFIG_TPMTOTP=y
 #CONFIG_NEWT=y
 CONFIG_CAIRO=y
 CONFIG_FBWHIPTAIL=y
-CONFIG_LIBREMKEY=y
+CONFIG_HOTPKEY=y
 
 CONFIG_LINUX_USB=y
 

boards/librem13v4/librem13v4.config

@@ -22,7 +22,7 @@ CONFIG_TPMTOTP=y
 #CONFIG_NEWT=y
 CONFIG_CAIRO=y
 CONFIG_FBWHIPTAIL=y
-CONFIG_LIBREMKEY=y
+CONFIG_HOTPKEY=y
 
 CONFIG_LINUX_USB=y
 

boards/librem15v3/librem15v3.config

@@ -24,7 +24,7 @@ CONFIG_TPMTOTP=y
 #CONFIG_NEWT=y
 CONFIG_CAIRO=y
 CONFIG_FBWHIPTAIL=y
-CONFIG_LIBREMKEY=y
+CONFIG_HOTPKEY=y
 
 CONFIG_LINUX_USB=y
 

boards/librem15v4/librem15v4.config

@@ -24,7 +24,7 @@ CONFIG_TPMTOTP=y
 #CONFIG_NEWT=y
 CONFIG_CAIRO=y
 CONFIG_FBWHIPTAIL=y
-CONFIG_LIBREMKEY=y
+CONFIG_HOTPKEY=y
 
 CONFIG_LINUX_USB=y
 

boards/x230-hotp-verification/x230-hotp-verification.config

@@ -24,7 +24,7 @@ CONFIG_DROPBEAR=y
 #CONFIG_NEWT=y
 CONFIG_CAIRO=y
 CONFIG_FBWHIPTAIL=y
-CONFIG_LIBREMKEY=y
+CONFIG_HOTPKEY=y
 
 CONFIG_LINUX_USB=y
 CONFIG_LINUX_E1000E=y

initrd/bin/gui-init

@@ -92,10 +92,10 @@ update_totp()
 {
   echo "Scan the QR code to add the new TOTP secret"
   /bin/seal-totp
-  if [ -x /bin/libremkey_hotp_verification ]; then
-    echo "Once you have scanned the QR code, hit Enter to configure your Librem Key"
+  if [ -x /bin/hotp_verification ]; then
+    echo "Once you have scanned the QR code, hit Enter to configure your HOTP USB Security Dongle (e.g. Librem Key or Nitrokey)"
     read
-    /bin/seal-libremkey
+    /bin/seal-hotpkey
   else
     echo "Once you have scanned the QR code, hit Enter to continue"
     read
@@ -118,7 +118,7 @@ clean_boot_check()
   [ $GPG_KEY_COUNT -ne 0 ] && return
 
    # check for USB security token
-  if [ "$CONFIG_LIBREMKEY" = "y" ]; then
+  if [ "$CONFIG_HOTPKEY" = "y" ]; then
     enable_usb
     if ! gpg --card-status > /dev/null ; then
       return
@@ -140,6 +140,13 @@ else
   mount_boot
 fi
 
+# Use stored HOTP key branding
+if [ -r /boot/kexec_hotp_key ]; then
+	HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)"
+else
+	HOTPKEY_BRANDING="HOTP USB Security Dongle"
+fi
+
 last_half=X
 while true; do
   MAIN_MENU_OPTIONS=""
@@ -188,14 +195,16 @@ while true; do
   fi
 
   if [ "$totp_confirm" = "i" -o -z "$totp_confirm" ]; then 
-    if [ -x /bin/libremkey_hotp_verification ]; then
+    if [ -x /bin/hotp_verification ]; then
       HOTP=`unseal-hotp`
       enable_usb
-      if ! libremkey_hotp_verification info ; then
-        whiptail $CONFIG_WARNING_BG_COLOR --clear --title 'WARNING: Please Insert Your Librem Key' --msgbox "Your Librem Key was not detected.\n\nPlease insert your Librem Key" 30 90
+      if ! hotp_verification info ; then
+        whiptail $CONFIG_WARNING_BG_COLOR --clear \
+	--title "WARNING: Please Insert Your $HOTPKEY_BRANDING" \
+	--msgbox "Your $HOTPKEY_BRANDING was not detected.\n\nPlease insert your $HOTPKEY_BRANDING" 30 90
         fi
       # Don't output HOTP codes to screen, so as to make replay attacks harder
-      libremkey_hotp_verification check $HOTP
+      hotp_verification check $HOTP
       case "$?" in
         0 )
           HOTP="Success"
@@ -205,7 +214,7 @@ while true; do
           MAIN_MENU_BG_COLOR=$CONFIG_ERROR_BG_COLOR
         ;;
         * )
-          HOTP="Error checking code, Insert Librem Key and retry"
+          HOTP="Error checking code, Insert $HOTPKEY_BRANDING and retry"
           MAIN_MENU_BG_COLOR=$CONFIG_WARNING_BG_COLOR
         ;;
       esac

initrd/bin/kexec-seal-key

@@ -84,9 +84,9 @@ cat "$KEY_DEVICES" | cut -d\  -f1 | xargs /bin/qubes-measure-luks \
 	|| die "Unable to measure the LUKS headers"
 luks_pcr=`tpm calcfuturepcr -ix 16 -if /tmp/luksDump.txt`
 
-# Librem Key loads USB modules which changes PCR5.
-# In the event Librem Key is enabled, skip verification of PCR5
-if [ -x /bin/libremkey_hotp_verification ]; then
+# HOTP USB Secrity Dongle loads USB modules which changes PCR5.
+# In the event HOTP USB Security Dongle is enabled, skip verification of PCR5
+if [ -x /bin/hotp_verification ]; then
   pcr_5="X"
 else
   pcr_5="0000000000000000000000000000000000000000"

initrd/bin/seal-libremkey → initrd/bin/seal-hotpkey

@@ -1,11 +1,12 @@
 #!/bin/sh
-# Retrieve the sealed TOTP secret and initialize a Librem Key with it
+# Retrieve the sealed TOTP secret and initialize a USB Security dongle with it
 
 . /etc/functions
 
 HOTP_SEALED="/tmp/secret/hotp.sealed"
 HOTP_SECRET="/tmp/secret/hotp.key"
 HOTP_COUNTER="/boot/kexec_hotp_counter"
+HOTP_KEY="/boot/kexec_hotp_key"
 
 mount_boot()
 {
@@ -16,6 +17,13 @@ mount_boot()
   fi
 }
 
+# Use stored HOTP key branding (this might be useful after OEM reset)
+if [ -r /boot/kexec_hotp_key ]; then
+	HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)"
+else
+	HOTPKEY_BRANDING="HOTP USB Security Dongle"
+fi
+
 tpm nv_readvalue \
 	-in 4d47 \
 	-sz 312 \
@@ -49,26 +57,35 @@ mount_boot
 counter_value=1
 
 enable_usb
-if ! libremkey_hotp_verification info ; then
-  echo "Insert your Librem Key and press Enter to configure it"
+if ! hotp_verification info ; then
+  echo "Insert your $HOTPKEY_BRANDING and press Enter to configure it"
   read
-  if ! libremkey_hotp_verification info ; then
+  if ! hotp_verification info ; then
     # don't leak key on failure
     shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
-    die "Unable to find Librem Key"
+    die "Unable to find $HOTPKEY_BRANDING"
   fi
 fi
 
+# Set HOTP USB Security Dongle branding based on VID
+if [ ! $(lsusb | grep -q "20a0:") ]; then
+	HOTPKEY_BRANDING="Nitrokey"
+elif [ ! $(lsusb | grep -q "316d:") ]; then
+	HOTPKEY_BRANDING="Librem Key"
+else
+	HOTPKEY_BRANDING="HOTP USB Security Dongle"
+fi
+
 echo -e ""
-read -s -p "Enter your Librem Key Admin PIN: " admin_pin
+read -s -p "Enter your $HOTPKEY_BRANDING Admin PIN: " admin_pin
 echo -e "\n"
 
-libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value 
+hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING"
 if [ $? -ne 0 ]; then
   echo -e "\n"
   read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again: " admin_pin
   echo -e "\n"
-  if ! libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value ; then
+  if ! hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" ; then
     # don't leak key on failure
     shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
     die "Setting HOTP secret failed"
@@ -90,11 +107,15 @@ counter_value=`expr $counter_value + 1`
 echo $counter_value > $HOTP_COUNTER \
 || die "Unable to create hotp counter file"
 
+# Store/overwrite HOTP USB Security Dongle branding found out beforehand
+echo $HOTPKEY_BRANDING > $HOTP_KEY \
+|| die "Unable to store hotp key file"
+
 #sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
 #|| die "Unable to create hotp counter file"
 mount -o remount,ro /boot
 
-echo -e "\nLibrem Key initialized successfully. Press Enter to continue."
+echo -e "\n$HOTPKEY_BRANDING initialized successfully. Press Enter to continue."
 read
 
 exit 0

modules/hidapi

@@ -1,2 +1,2 @@
 # empty placeholder file
-# This submodule is defined in modules/libremkey-hotp-verification
+# This submodule is defined in modules/hotp-verification

modules/hotp-verification

@@ -0,0 +1,37 @@
+modules-$(CONFIG_HOTPKEY) += hotp-verification
+
+hotp-verification_depends := libusb $(musl_dep)
+
+hotp-verification_version := 5fb260e631b237a298b6dcca47bbd728f2c5ac3a
+hotp-verification_dir := hotp-verification-$(hotp-verification_version)
+hotp-verification_tar := nitrokey-hotp-verification-$(hotp-verification_version).tar.gz
+hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(hotp-verification_version).tar.gz
+hotp-verification_hash := 5d98d158ba97fb970061d68e2c6f41582395e687b7752efb1a8038762b0e7b79
+
+hotp-verification_target := \
+	$(MAKE_JOBS) \
+	$(CROSS_TOOLS) \
+
+hotp-verification_output := \
+	hotp_verification \
+	hotp_initialize
+
+hotp-verification_configure := \
+  INSTALL="$(INSTALL)" \
+  CROSS="$(CROSS)" \
+  $(CROSS_TOOLS) $(MAKE) LDFLAGS="$(INSTALL)/lib/libusb-1.0.so" GITVERSION="" LIBUSB_FLAGS="-I/usr/include/libusb-1.0" PKGCONFIG="" && $(MAKE) install INSTALL="$(INSTALL)"
+
+hotp-verification_depends  += hidapi
+modules-y += hidapi
+
+hidapi_version := e5ae0d30a523c565595bdfba3d5f2e9e1faf0bd0
+hidapi_dir := hotp-verification-$(hotp-verification_version)/hidapi
+hidapi_tar := hidapi-$(hidapi_version).tar.xz
+hidapi_url := https://github.com/Nitrokey/hidapi/archive/$(hidapi_version).tar.gz
+hidapi_hash := acc2a5089a8917085c2b3ebe9446065a21c760ba7e13cb54917043c4122188e0
+
+
+## hidapi will be built as part of hotp-verification
+## so nothing to do here (but need make to be happy)
+hidapi_output := .built
+hidapi_configure := echo -e 'all:\n\ttouch .built' > Makefile