OEM reownership required changes for QubesOS certification of the X230

[tlaurion]

The main goal behind this OEM Reownership Wizard is to be able to ship QubesOS or any other OS preinstalled into LUKS encrypted containers, without compromising user's confidentiality, privacy nor security, while enforcing tamper-evidence (provable security) of the firmware and /boot components in transit and at rest, without giving the OEM a possibility to hand those out to third parties.

With Heads measured boot through TOTP/HOTP integrity seals, preinstalled QubesOS trusted hardware shipped with QubesOS can now become a reality. This PR is the last step before QubesOS certifies the PrivacyBeast x230 laptop, by Insurgo Technologies Libres / Open technologies (This is me! Hello! :) )

The OEM flashes Heads, neutralizes ME and reboots. He is asked to insert his public GPG key, which he does with his own dedicated deployment public key associated with his deployment Nitrokey/Librem Key. On reboot, he is asked to reown the TPM, which will trigger HOTP/TOTP resealing from a prompted menu. The OEM has to make sure that the system clock is good and correct GMT time accordingly before going further. (Make sure RTC clock battery is good).

He then boots pre-signed clonezilla or other ISO image with his deployment Nitrokey/Librem Key and reimages the HD with an up-to-date QubesOS disk image, signs boot config files and then fires the reownership wizard, wth a brand new Librem Key/Nitrokey conected, for that hardware secrets to be unique. To do so he creates a /boot/oem file, which when dropped into place invokes the OEM reownership wizard.

That wizards looks for an existing /media/oem-provisining file, that if present, automagically provision Heads prompts to reencrypt LUKS container, change LUKS associated passphrase, factory resets connected Librem Key/Nitrokey and define user and admin PINS injects associated public key into running rom, and ends by reowning the TPM. EDIT: if file is present but doesnt contain required secrets, the user is prompted to fill them with autogenerated passphrases, or he can manually select one, while the screen is filled with diceware words to choose from.

Then the OEM boots QubesOS, syncs system time. Then go into recovery, and finally recreates the /boot/oem for the user to use the same process. That is the last step done by the OEM before shipping the devices separately/altogether. The next reboot invokes the reownership for the user to do the exact same steps described above when the hardware is received, with a a user provided /media/oem-provisioning file or manually entering secrets into prompts. In either way, the OEM needs to provide the Actual Disk Receovery Key by secured communication channels so the user can reown his computer upon reception.

See video here.

The /media/oem-provisioning file can be automatically generated by a script to provision Heads required secrets from the OEM wizard.

The OEM shares used oem-provision file to the user by secured communication channel, accompanied with a screen capture of the TOTP QR code printed on the screen after TPM reset has been accomplished. The user can already scan that TPMTOTP code in his smartphone's OTP application to attest that the laptop has not been tampered with in transit, while thinking about the secrets he will feed to the new hardware when received, let it be manually or through /media/oem-provisioning.

The OEM reownership wizard explains the steps to the user through whiptail messages, the onboarding one being:

The received hardware is currently owned by $oem_name.
We will change that.

This Wizard will otherwise make you own your own hardware by:
1-Reencrypting encrypted drive content (LUKS container)
2-Changing LUKS Disk Recovery Key and it's passphrase
3-Resetting your Librem Key/Nitrokey Pro v2 to factory defaults
4-Setting User and Admin PINs into your Librem Key/NitroKey
5-Generating keys in it, exporting public key and
 importing it in the ROM prior to reprogramming the SPI flash with it
6-Taking integrity measures of all /boot files and sign the resulting
 checksum file with your Librem Key/Nitrokey Pro
7-Reowning your Trusted Platform Module (TPM)

Scan the QR Code with an OTP app only after Reset the TPM last phase.

Details of this PR. Evolution of #511

• OEM mode is enforced on HOTP/TOTP sealed clean hardware.
• OEM is enforced by touching /boot/oem
• OEM can be provisioned automatically if /media/oem-provisioning exists
  which feeds all the secrets automatically.
• OEM oem-reownership/generate_diceware-eom-provisioning.sh script to generate oem-provisioning.generated secrets for both OEM and users. (EDIT: Still there but not usefull. Diceware generated secrets is now part of the standard workflow, while user can manually enter secrets that are validated for minimal required length, different for each of them with safe defaults)

OEM features:

• LUKS rencryption script added, which reencrypts and change Disk Recevory Key passphrase
• LibremKey/Nitrokey factory reset script added, which takes user input first and then change key size, generate keys, exports them and flash rom.
  • Todo: Reset code should be added later on. (To unlock Admin. Else, a DoS is possible on a USB GPG key)

Additions:

• Gitlab CI configuration to replicate builds based on fedora-29 container, making sure that each branch keeps his own seperate cache. This is the simpler way I've found so OEM can maintain their own board branches based on Head's git repo.
• Contains uniformaization of langage.
• Some shellcheck improved code
• LUKS Disk Unlock Key works properly
  • LVM volumes and disk devices are automatically detected
• GPG modules were retouched to remove invalid configure options which generated warnings
• LibremKey/Nitrokey is named everywhere for proper credit of partnership for HOTP
  ... And a lot of other smaller fixes...

Sent from my Galaxy S3 using FastHub-Libre

[kylerankin]

The main things were the small branding correction, not using "|| die" so much in GUI scripts, and moving the oem functions possibly into their own /etc/functions-oem file that's sourced by gui-init instead of having them all be inside gui-init.

[merge]

could you also add documentation on why we have OEM mode and what it does exactly? thanks!

[tlaurion]

could you also add documentation on why we have OEM mode and what it does exactly? thanks!

@merge you're right. Editing OP.

[tlaurion]

@merge : if you have any comment, you are more then welcome!

[tlaurion]

All gpg and gpg requirements undefined options have been removed.

Not applicable anymore

[tlaurion]

Certified.

[tlaurion]

@merge @flammit @kylerankin @osresearch: will you approve this PR or shall I maintain it seperatly in my gitlab account?

Sent from my Galaxy S3 using FastHub-Libre

[tlaurion]

@merge @flammit @kylerankin @osresearch @marmarek
The CI reproducible build of x230-libremkey firmware (downloadable artifacts -> coreboot.rom) is here.

The PrivacyBeast_X230_QubesOS_Certified protected branch won't be updated for the next year, following QubesOS certification's public announcement.

Technology preview - Walktrough videos:

1. How to activate OEM ReOwnership Wizard (OEM ready-to-ship perspective)
2. The complete OEM -> User ReOwnership walk-through upon hardware reception (User perspective / OEM perspective after cloning his disk image to make deployment unique)

If you see anything ugly, now would be a good time to speak!

[tlaurion]

Fixes needed to be done on the stable branch to fix sdcard issues only showing when attempting to reencrypt sdcard content (resulting in IO errors on some cards of the same brand but not others... sdhci-pci and mmc being involved in the problem)

This implied upgrading the kernel to latest LTS.
Which tackles the quest for smaller ROM

Commits onward are here

CI builds attempts are happening here
EDIT: latest Certified PrivacyBeast X230 QubesOS build is here

[tlaurion]

Most of the work here has been upstreamed.

Missing if anyone wants to upstream:

• diceware passphrase generator
• automatic reusal of past used Luis containers

Will be done soon:

• support of encrypted partitions under luks