Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'add_librem_key_support' of https://github.com/kyleranki…
- Loading branch information
Showing
10 changed files
with
294 additions
and
33 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,92 @@ | ||
#!/bin/sh | ||
# Retrieve the sealed TOTP secret and initialize a Librem Key with it | ||
|
||
. /etc/functions | ||
|
||
HOTP_SEALED="/tmp/secret/hotp.sealed" | ||
HOTP_SECRET="/tmp/secret/hotp.key" | ||
HOTP_COUNTER="/boot/kexec_hotp_counter" | ||
|
||
mount_boot() | ||
{ | ||
# Mount local disk if it is not already mounted | ||
if ! grep -q /boot /proc/mounts ; then | ||
mount -o ro /boot \ | ||
|| recovery "Unable to mount /boot" | ||
fi | ||
} | ||
|
||
tpm nv_readvalue \ | ||
-in 4d47 \ | ||
-sz 312 \ | ||
-of "$HOTP_SEALED" \ | ||
|| die "Unable to retrieve sealed file from TPM NV" | ||
|
||
tpm unsealfile \ | ||
-hk 40000000 \ | ||
-if "$HOTP_SEALED" \ | ||
-of "$HOTP_SECRET" \ | ||
|| die "Unable to unseal HOTP secret" | ||
|
||
rm -f "$HOTP_SEALED" | ||
secret="`cat $HOTP_SECRET`" | ||
rm -f "$HOTP_SECRET" | ||
|
||
# Store counter in file instead of TPM for now, as it conflicts with Heads | ||
# config TPM counter as TPM 1.2 can only increment one counter between reboots | ||
# get current value of HOTP counter in TPM, create if absent | ||
mount_boot | ||
|
||
#check_tpm_counter $HOTP_COUNTER hotp \ | ||
#|| die "Unable to find/create TPM counter" | ||
#counter="$TPM_COUNTER" | ||
# | ||
#counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")') | ||
#if [ "$counter_value" == "" ]; then | ||
# die "Unable to read HOTP counter" | ||
#fi | ||
|
||
#counter_value=$(printf "%d" 0x${counter_value}) | ||
|
||
counter_value=1 | ||
|
||
enable_usb | ||
if ! libremkey_hotp_verification info ; then | ||
echo "Insert your Librem Key and press Enter to configure it" | ||
read | ||
libremkey_hotp_verification info \ | ||
|| die "Unable to find Librem Key" | ||
fi | ||
|
||
read -s -p "Enter your Librem Key Admin PIN" admin_pin | ||
echo | ||
|
||
libremkey_hotp_initialize $admin_pin $secret $counter_value | ||
if [ $? -ne 0 ]; then | ||
read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again:" admin_pin | ||
libremkey_hotp_initialize $admin_pin $secret $counter_value \ | ||
|| die "Setting HOTP secret failed" | ||
fi | ||
|
||
secret="" | ||
|
||
# Make sure our counter is incremented ahead of the next check | ||
#increment_tpm_counter $counter > /dev/null \ | ||
#|| die "Unable to increment tpm counter" | ||
#increment_tpm_counter $counter > /dev/null \ | ||
#|| die "Unable to increment tpm counter" | ||
|
||
mount -o remount,rw /boot | ||
|
||
counter_value=`expr $counter_value + 1` | ||
echo $counter_value > $HOTP_COUNTER \ | ||
|| die "Unable to create hotp counter file" | ||
|
||
#sha256sum /tmp/counter-$counter > $HOTP_COUNTER \ | ||
#|| die "Unable to create hotp counter file" | ||
mount -o remount,ro /boot | ||
|
||
echo "Librem Key initialized successfully. Press Enter to continue." | ||
read | ||
|
||
exit 0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,73 @@ | ||
#!/bin/sh | ||
# Retrieve the sealed file and counter from the NVRAM, unseal it and compute the hotp | ||
|
||
. /etc/functions | ||
|
||
HOTP_SEALED="/tmp/secret/hotp.sealed" | ||
HOTP_SECRET="/tmp/secret/hotp.key" | ||
HOTP_COUNTER="/boot/kexec_hotp_counter" | ||
|
||
mount_boot() | ||
{ | ||
# Mount local disk if it is not already mounted | ||
if ! grep -q /boot /proc/mounts ; then | ||
mount -o ro /boot \ | ||
|| recovery "Unable to mount /boot" | ||
fi | ||
} | ||
|
||
tpm nv_readvalue \ | ||
-in 4d47 \ | ||
-sz 312 \ | ||
-of "$HOTP_SEALED" \ | ||
|| die "Unable to retrieve sealed file from TPM NV" | ||
|
||
tpm unsealfile \ | ||
-hk 40000000 \ | ||
-if "$HOTP_SEALED" \ | ||
-of "$HOTP_SECRET" \ | ||
|| die "Unable to unseal HOTP secret" | ||
|
||
rm -f "$HOTP_SEALED" | ||
|
||
# Store counter in file instead of TPM for now, as it conflicts with Heads | ||
# config TPM counter as TPM 1.2 can only increment one counter between reboots | ||
# get current value of HOTP counter in TPM, create if absent | ||
mount_boot | ||
|
||
#check_tpm_counter $HOTP_COUNTER hotp \ | ||
#|| die "Unable to find/create TPM counter" | ||
#counter="$TPM_COUNTER" | ||
# | ||
#counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")') | ||
# | ||
|
||
counter_value=$(cat $HOTP_COUNTER) | ||
|
||
if [ "$counter_value" == "" ]; then | ||
die "Unable to read HOTP counter" | ||
fi | ||
|
||
#counter_value=$(printf "%d" 0x${counter_value}) | ||
|
||
if ! hotp $counter_value < "$HOTP_SECRET"; then | ||
rm -f "$HOTP_SECRET" | ||
die 'Unable to compute HOTP hash?' | ||
fi | ||
|
||
rm -f "$HOTP_SECRET" | ||
|
||
#increment_tpm_counter $counter > /dev/null \ | ||
#|| die "Unable to increment tpm counter" | ||
|
||
mount -o remount,rw /boot | ||
|
||
counter_value=`expr $counter_value + 1` | ||
echo $counter_value > $HOTP_COUNTER \ | ||
|| die "Unable to create hotp counter file" | ||
|
||
#sha256sum /tmp/counter-$counter > $HOTP_COUNTER \ | ||
#|| die "Unable to create hotp counter file" | ||
mount -o remount,ro /boot | ||
|
||
exit 0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.