Merge branch 'add_librem_key_support' of https://github.com/kyleranki…

…n/heads

Makefile

@@ -399,7 +399,7 @@ bin_modules-$(CONFIG_FLASHTOOLS) += flashtools
 bin_modules-$(CONFIG_NEWT) += newt
 bin_modules-$(CONFIG_CAIRO) += cairo
 bin_modules-$(CONFIG_FBWHIPTAIL) += fbwhiptail
-bin_modules-$(CONFIG_NITROKEY) += nitrokey-hotp-verification
+bin_modules-$(CONFIG_LIBREMKEY) += libremkey-hotp-verification
 
 $(foreach m, $(bin_modules-y), \
 	$(call map,initrd_bin_add,$(call bins,$m)) \

boards/librem13v2/librem13v2.config

@@ -20,6 +20,7 @@ CONFIG_TPMTOTP=y
 #CONFIG_NEWT=y
 CONFIG_CAIRO=y
 CONFIG_FBWHIPTAIL=y
+CONFIG_LIBREMKEY=y
 
 CONFIG_LINUX_USB=y
 

boards/librem15v3/librem15v3.config

@@ -22,6 +22,7 @@ CONFIG_TPMTOTP=y
 #CONFIG_NEWT=y
 CONFIG_CAIRO=y
 CONFIG_FBWHIPTAIL=y
+CONFIG_LIBREMKEY=y
 
 CONFIG_LINUX_USB=y
 

initrd/bin/gui-init

@@ -89,10 +89,25 @@ update_checksums()
     echo "Returning to the main menu"
   fi
 }
+update_totp()
+{
+  echo "Scan the QR code to add the new TOTP secret"
+  /bin/seal-totp
+  if [ -x /bin/libremkey_hotp_verification ]; then
+    echo "Once you have scanned the QR code, hit Enter to configure your Librem Key"
+    read
+    /bin/seal-libremkey
+  else
+    echo "Once you have scanned the QR code, hit Enter to reboot"
+    read
+  fi
+  /bin/reboot
+}
 
 last_half=X
 while true; do
   MAIN_MENU_OPTIONS=""
+  MAIN_MENU_BG_COLOR=""
   unset totp_confirm
   # update the TOTP code every thirty seconds
   date=`date "+%Y-%m-%d %H:%M:%S"`
@@ -106,7 +121,7 @@ while true; do
     if [ $? -ne 0 ]; then
       whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: TOTP Generation Failed!" \
         --menu "ERROR: Heads couldn't generate the TOTP code.\n\nIf you just reflashed your BIOS, you'll need to generate a new TOTP secret.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nIf this is the first time the system has booted, you should reset the TPM\nand set your own password\n\nHow would you like to proceed?" 30 90 4 \
-        'g' ' Generate new TOTP secret' \
+        'g' ' Generate new TOTP/HOTP secret' \
         'i' ' Ignore error and continue to default boot menu' \
         'p' ' Reset the TPM' \
         'x' ' Exit to recovery shell' \
@@ -117,11 +132,32 @@ while true; do
   fi
 
   if [ "$totp_confirm" = "i" -o -z "$totp_confirm" ]; then 
-    whiptail --clear --title "$CONFIG_BOOT_GUI_MENU_NAME" \
-      --menu "$date\nTOTP code: $TOTP" 20 90 10 \
+    if [ -x /bin/libremkey_hotp_verification ]; then
+      HOTP=`unseal-hotp`
+      enable_usb
+      # Don't output HOTP codes to screen, so as to make replay attacks harder
+      libremkey_hotp_verification check $HOTP
+      case "$?" in
+        0 )
+          HOTP="Success"
+        ;;
+        4 )
+          HOTP="Invalid code"
+          MAIN_MENU_BG_COLOR=$CONFIG_ERROR_BG_COLOR
+        ;;
+        * )
+          HOTP="Error checking code, Insert Librem Key and retry"
+          MAIN_MENU_BG_COLOR=$CONFIG_WARNING_BG_COLOR
+        ;;
+      esac
+    else
+      HOTP='N/A'
+    fi
+
+    whiptail $MAIN_MENU_BG_COLOR --clear --title "$CONFIG_BOOT_GUI_MENU_NAME" \
+      --menu "$date\nTOTP: $TOTP | HOTP: $HOTP" 20 90 10 \
       'y' ' Default boot' \
-      'r' ' TOTP does not match, refresh code' \
-      'n' ' TOTP does not match after refresh, troubleshoot' \
+      'r' ' TOTP/HOTP does not match, refresh code' \
       'o' ' Other Boot Options -->' \
       'a' ' Advanced Settings -->' \
       'x' ' Exit to recovery shell' \
@@ -145,10 +181,11 @@ while true; do
   if [ "$totp_confirm" = "a" ]; then
     whiptail --clear --title "Advanced Settings" \
       --menu "Configure Advanced Settings" 20 90 10 \
-      'g' ' Generate new TOTP secret' \
-      'p' ' Reset the TPM' \
+      'g' ' Generate new TOTP/HOTP secret' \
       's' ' Update checksums and sign all files in /boot' \
       'f' ' Flash/Update the BIOS -->' \
+      'p' ' Reset the TPM' \
+      'n' ' TOTP/HOTP does not match after refresh, troubleshoot' \
       'r' ' <-- Return to main menu' \
       2>/tmp/whiptail || recovery "GUI menu failed"
 
@@ -164,14 +201,14 @@ while true; do
   fi
 
   if [ "$totp_confirm" = "n" ]; then
-    if (whiptail $CONFIG_WARNING_BG_COLOR --title "TOTP code mismatched" \
-      --yesno "TOTP code mismatches could indicate either TPM tampering or clock drift:\n\nTo correct clock drift: 'date -s HH:MM:SS'\nand save it to the RTC: 'hwclock -w'\nthen reboot and try again.\n\nWould you like to exit to a recovery console?" 30 90) then
+    if (whiptail $CONFIG_WARNING_BG_COLOR --title "TOTP/HOTP code mismatched" \
+      --yesno "TOTP/HOTP code mismatches could indicate either TPM tampering or clock drift:\n\nTo correct clock drift: 'date -s HH:MM:SS'\nand save it to the RTC: 'hwclock -w'\nthen reboot and try again.\n\nWould you like to exit to a recovery console?" 30 90) then
       echo ""
       echo "To correct clock drift: 'date -s HH:MM:SS'"
       echo "and save it to the RTC: 'hwclock -w'"
       echo "then reboot and try again"
       echo ""
-      recovery "TOTP mismatch"
+      recovery "TOTP/HOTP mismatch"
     else
       continue
     fi
@@ -183,13 +220,9 @@ while true; do
   fi
 
   if [ "$totp_confirm" = "g" ]; then
-    if (whiptail --title 'Generate new TOTP secret' \
+    if (whiptail --title 'Generate new TOTP/HOTP secret' \
         --yesno "This will erase your old secret and replace it with a new one!\n\nDo you want to proceed?" 16 90) then
-      echo "Scan the QR code to add the new TOTP secret"
-      /bin/seal-totp
-      echo "Once you have scanned the QR code, hit Enter to reboot"
-      read
-      /bin/reboot
+      update_totp
     else
       echo "Returning to the main menu"
     fi
@@ -198,20 +231,27 @@ while true; do
 
   if [ "$totp_confirm" = "p" ]; then
     if (whiptail --title 'Reset the TPM' \
-        --yesno "This will clear the TPM, erase the old TPM password and replace it with a new one!\n\nDo you want to proceed?" 16 90) then
+        --yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 16 90) then
       /bin/tpm-reset
 
-      # now that the TPM is reset, remove invalid kexec_rollback.txt file
+      # now that the TPM is reset, remove invalid TPM counter files
       mount_boot
       mount -o rw,remount /boot
-      rm -f /boot/kexec_rollback.txt 
+      rm -f /boot/kexec_rollback.txt
+
+      # create Heads TPM counter before any others
+      check_tpm_counter /boot/kexec_rollback.txt \
+      || die "Unable to find/create tpm counter"
+      counter="$TPM_COUNTER"
+
+      increment_tpm_counter $counter \
+      || die "Unable to increment tpm counter"
+
+      sha256sum /tmp/counter-$counter > /boot/kexec_rollback.txt \
+      || die "Unable to create rollback file"
       mount -o ro,remount /boot
 
-      echo "Scan the QR code to add the new TOTP secret"
-      /bin/seal-totp
-      echo "Once you have scanned the QR code, hit Enter to reboot"
-      read
-      /bin/reboot
+      update_totp
     else
       echo "Returning to the main menu"
     fi

initrd/bin/kexec-seal-key

@@ -84,6 +84,14 @@ cat "$KEY_DEVICES" | cut -d\  -f1 | xargs /bin/qubes-measure-luks \
 	|| die "Unable to measure the LUKS headers"
 luks_pcr=`tpm calcfuturepcr -ix 16 -if /tmp/luksDump.txt`
 
+# Librem Key loads USB modules which changes PCR5.
+# In the event Librem Key is enabled, skip verification of PCR5
+if [ -x /bin/libremkey_hotp_verification ]; then
+  pcr_5="X"
+else
+  pcr_5="0000000000000000000000000000000000000000"
+fi
+
 # Note that PCR 4 needs to be set with the "normal-boot"
 # path value, which we do not have right now since we are
 # in a recovery shell.
@@ -104,7 +112,7 @@ tpm sealfile2 \
 	-ix 2 X \
 	-ix 3 X \
 	-ix 4 0000000000000000000000000000000000000000 \
-	-ix 5 0000000000000000000000000000000000000000 \
+	-ix 5 $pcr_5 \
 	-ix 6 $luks_pcr \
 	-ix 7 X \
 || die "Unable to seal secret"

initrd/bin/seal-libremkey

@@ -0,0 +1,92 @@
+#!/bin/sh
+# Retrieve the sealed TOTP secret and initialize a Librem Key with it
+
+. /etc/functions
+
+HOTP_SEALED="/tmp/secret/hotp.sealed"
+HOTP_SECRET="/tmp/secret/hotp.key"
+HOTP_COUNTER="/boot/kexec_hotp_counter"
+
+mount_boot()
+{
+  # Mount local disk if it is not already mounted
+  if ! grep -q /boot /proc/mounts ; then
+    mount -o ro /boot \
+      || recovery "Unable to mount /boot"
+  fi
+}
+
+tpm nv_readvalue \
+	-in 4d47 \
+	-sz 312 \
+	-of "$HOTP_SEALED" \
+|| die "Unable to retrieve sealed file from TPM NV"
+
+tpm unsealfile  \
+	-hk 40000000 \
+	-if "$HOTP_SEALED" \
+	-of "$HOTP_SECRET" \
+|| die "Unable to unseal HOTP secret"
+
+rm -f "$HOTP_SEALED"
+secret="`cat $HOTP_SECRET`"
+rm -f "$HOTP_SECRET"
+
+# Store counter in file instead of TPM for now, as it conflicts with Heads
+# config TPM counter as TPM 1.2 can only increment one counter between reboots
+# get current value of HOTP counter in TPM, create if absent
+mount_boot
+
+#check_tpm_counter $HOTP_COUNTER hotp \
+#|| die "Unable to find/create TPM counter"
+#counter="$TPM_COUNTER"
+#
+#counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")')
+#if [ "$counter_value" == "" ]; then
+#  die "Unable to read HOTP counter"
+#fi
+
+#counter_value=$(printf "%d" 0x${counter_value})
+
+counter_value=1
+
+enable_usb
+if ! libremkey_hotp_verification info ; then
+  echo "Insert your Librem Key and press Enter to configure it"
+  read
+  libremkey_hotp_verification info \
+  || die "Unable to find Librem Key"
+fi
+
+read -s -p "Enter your Librem Key Admin PIN" admin_pin
+echo
+
+libremkey_hotp_initialize $admin_pin $secret $counter_value 
+if [ $? -ne 0 ]; then
+  read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again:" admin_pin
+  libremkey_hotp_initialize $admin_pin $secret $counter_value \
+  || die "Setting HOTP secret failed"
+fi
+
+secret=""
+
+# Make sure our counter is incremented ahead of the next check
+#increment_tpm_counter $counter > /dev/null \
+#|| die "Unable to increment tpm counter"
+#increment_tpm_counter $counter > /dev/null \
+#|| die "Unable to increment tpm counter"
+
+mount -o remount,rw /boot
+
+counter_value=`expr $counter_value + 1`
+echo $counter_value > $HOTP_COUNTER \
+|| die "Unable to create hotp counter file"
+
+#sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
+#|| die "Unable to create hotp counter file"
+mount -o remount,ro /boot
+
+echo "Librem Key initialized successfully. Press Enter to continue."
+read
+
+exit 0

initrd/bin/unseal-hotp

@@ -0,0 +1,73 @@
+#!/bin/sh
+# Retrieve the sealed file and counter from the NVRAM, unseal it and compute the hotp
+
+. /etc/functions
+
+HOTP_SEALED="/tmp/secret/hotp.sealed"
+HOTP_SECRET="/tmp/secret/hotp.key"
+HOTP_COUNTER="/boot/kexec_hotp_counter"
+
+mount_boot()
+{
+  # Mount local disk if it is not already mounted
+  if ! grep -q /boot /proc/mounts ; then
+    mount -o ro /boot \
+      || recovery "Unable to mount /boot"
+  fi
+}
+
+tpm nv_readvalue \
+	-in 4d47 \
+	-sz 312 \
+	-of "$HOTP_SEALED" \
+|| die "Unable to retrieve sealed file from TPM NV"
+
+tpm unsealfile  \
+	-hk 40000000 \
+	-if "$HOTP_SEALED" \
+	-of "$HOTP_SECRET" \
+|| die "Unable to unseal HOTP secret"
+
+rm -f "$HOTP_SEALED"
+
+# Store counter in file instead of TPM for now, as it conflicts with Heads
+# config TPM counter as TPM 1.2 can only increment one counter between reboots
+# get current value of HOTP counter in TPM, create if absent
+mount_boot
+
+#check_tpm_counter $HOTP_COUNTER hotp \
+#|| die "Unable to find/create TPM counter"
+#counter="$TPM_COUNTER"
+#
+#counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")')
+#
+
+counter_value=$(cat $HOTP_COUNTER)
+
+if [ "$counter_value" == "" ]; then
+  die "Unable to read HOTP counter"
+fi
+
+#counter_value=$(printf "%d" 0x${counter_value})
+
+if ! hotp $counter_value < "$HOTP_SECRET"; then
+	rm -f "$HOTP_SECRET"
+	die 'Unable to compute HOTP hash?'
+fi
+
+rm -f "$HOTP_SECRET"
+
+#increment_tpm_counter $counter > /dev/null \
+#|| die "Unable to increment tpm counter"
+
+mount -o remount,rw /boot
+
+counter_value=`expr $counter_value + 1`
+echo $counter_value > $HOTP_COUNTER \
+|| die "Unable to create hotp counter file"
+
+#sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
+#|| die "Unable to create hotp counter file"
+mount -o remount,ro /boot
+
+exit 0

initrd/etc/functions

@@ -138,18 +138,13 @@ confirm_gpg_card()
 
 check_tpm_counter()
 {
+  LABEL=${2:-3135106223}
 	# if the /boot.hashes file already exists, read the TPM counter ID
 	# from it.
 	if [ -r "$1" ]; then
 		TPM_COUNTER=`grep counter- "$1" | cut -d- -f2`
 	else
-    # Initialize label to default if not set
-		if [ "$2" != "" ]; then
-			LABEL=$2
-		else
-			LABEL=3135106223 
-		fi
-		warn "$BOOT_HASHES does not exist; creating new TPM counter"
+		warn "$1 does not exist; creating new TPM counter"
 		read -s -p "TPM Owner password: " tpm_password
 		echo
 		tpm counter_create \