HOTP + /boot verif: add debug and prompt if HOTP counter is not found but TPMTOTP can unseal (OS reinstalled?) + die asks for input now.

Signed-off-by: Thierry Laurion <[email protected]>

Author: tlaurion

initrd/bin/gui-init

@@ -183,17 +183,6 @@ update_totp() {
 		TOTP="NO TPM"
 	else
 		TOTP=$(unseal-totp)
-		# On platforms using CONFIG_BOOT_EXTRA_TTYS multiple processes may try to
-		# access TPM at the same time, failing with EBUSY. The order of execution
-		# is unpredictable, so the error may appear on main console, secondary one,
-		# or neither of them if the calls are sufficiently staggered. Try up to
-		# three times (including previous one) with small delays in case of error,
-		# instead of immediately scaring users with "you've been pwned" message.
-		while [ $? -ne 0 ] && [ $tries -lt 2 ]; do
-			sleep 0.5
-			((tries++))
-			TOTP=$(unseal-totp)
-		done
 		if [ $? -ne 0 ]; then
 			BG_COLOR_MAIN_MENU="error"
 			if [ "$skip_to_menu" = "true" ]; then
@@ -280,7 +269,9 @@ update_hotp() {
 		HOTP='N/A'
 	fi
 
-	if [[ "$CONFIG_TPM" = n && "$HOTP" = "Invalid code" ]]; then
+	if [[ "$HOTP" = "Invalid code" ]]; then
+		#TOTP unseal succeeded if unseal-totp called first: TPMTOTP secret is correct. Only propose to reseal TPMTOTP though reverse HOTP
+		# The OS was most probably reinstalled while TPM can still unseal TPMTOTP secret
 		whiptail_error --title "ERROR: HOTP Validation Failed!" \
 			--menu "ERROR: $CONFIG_BRAND_NAME couldn't validate the HOTP code.\n\nIf you just reflashed your BIOS, you should generate a new TOTP/HOTP secret.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 0 80 4 \
 			'g' ' Generate new TOTP/HOTP secret' \
@@ -553,7 +544,9 @@ reset_tpm() {
 			mount -o rw,remount /boot
 			#TODO: this is really problematic, we should really remove the primary handle hash
 
-			INFO "Removing rollback and primary handle hash under /boot"
+			INFO "Removing rollback and primary handle hashes under /boot"
+
+			DEBUG "Removing /boot/kexec_rollback.txt and /boot/kexec_primhdl_hash.txt"
 			rm -f /boot/kexec_rollback.txt
 			rm -f /boot/kexec_primhdl_hash.txt
 
@@ -562,12 +555,16 @@ reset_tpm() {
 				die "Unable to find/create tpm counter"
 			counter="$TPM_COUNTER"
 
+			DEBUG "TPM_COUNTER: $counter"
+			TRACE_FUNC
+
 			increment_tpm_counter $counter >/dev/null 2>&1 ||
 				die "Unable to increment tpm counter"
 
 			sha256sum /tmp/counter-$counter >/boot/kexec_rollback.txt ||
 				die "Unable to create rollback file"
 
+			TRACE_FUNC
 			# As a countermeasure for existing primary handle hash, we will now force sign /boot without it
 			if (whiptail --title 'TPM Reset Successfully' \
 				--yesno "Would you like to update the checksums and sign all of the files in /boot?\n\nYou will need your GPG key to continue and this will modify your disk.\n\nOtherwise the system will reboot immediately." 0 80); then
@@ -606,10 +603,12 @@ attempt_default_boot() {
 	fi
 	DEFAULT_FILE=$(find /boot/kexec_default.*.txt 2>/dev/null | head -1)
 	if [ -r "$DEFAULT_FILE" ]; then
+		TRACE_FUNC
 		kexec-select-boot -b /boot -c "grub.cfg" -g ||
 			recovery "Failed default boot"
 	elif (whiptail_warning --title 'No Default Boot Option Configured' \
 		--yesno "There is no default boot option configured yet.\nWould you like to load a menu of boot options?\nOtherwise you will return to the main menu." 0 80); then
+		TRACE_FUNC
 		kexec-select-boot -m -b /boot -c "grub.cfg" -g
 	fi
 }

initrd/bin/kexec-save-key

@@ -77,6 +77,7 @@ kexec-seal-key $paramsdir ||
 if [ "$skip_sign" != "y" ]; then
 	extparam=
 	if [ "$CONFIG_IGNORE_ROLLBACK" != "y" ]; then
+		DEBUG "kexec-save-key: CONFIG_IGNORE_ROLLBACK is not set, will sign with -r"
 		extparam=-r
 	fi
 	# sign and auto-roll config counter

initrd/bin/kexec-select-boot

@@ -120,14 +120,14 @@ verify_rollback_counter() {
 	TPM_COUNTER=$(grep counter $TMP_ROLLBACK_FILE | cut -d- -f2)
 
 	if [ -z "$TPM_COUNTER" ]; then
-		die "$TMP_ROLLBACK_FILE: TPM counter not found?"
+		die "$TMP_ROLLBACK_FILE: TPM counter not found. Please reset TPM through the Heads menu: Options -> TPM/TOTP/HOTP Options -> Reset the TPM"
 	fi
 
 	read_tpm_counter $TPM_COUNTER >/dev/null 2>&1 ||
-		die "Failed to read TPM counter"
+		die "Failed to read TPM counter. Please reset TPM through the Heads menu: Options -> TPM/TOTP/HOTP Options -> Reset the TPM"
 
 	sha256sum -c $TMP_ROLLBACK_FILE >/dev/null 2>&1 ||
-		die "Invalid TPM counter state. TPM Reset required"
+		die "Invalid TPM counter state. Please reset TPM through the Heads menu: Options -> TPM/TOTP/HOTP Options -> Reset the TPM"
 
 	valid_rollback="y"
 }

initrd/bin/kexec-sign-config

@@ -27,22 +27,31 @@ fi
 paramsdir="${paramsdir%%/}"
 
 assert_signable
+TRACE_FUNC
 
 confirm_gpg_card
+TRACE_FUNC
 
 # remount /boot as rw
 mount -o remount,rw /boot
 
+DEBUG "Signing kexec parameters in $paramsdir, rollback=$rollback, update=$update, counter=$counter"
+
 # update hashes in /boot before signing
 if [ "$update" = "y" ]; then
 	(
+		TRACE_FUNC
+		DEBUG "update=y: Updating kexec hashes in /boot"
 		cd /boot
 		find ./ -type f ! -path './kexec*' -print0 | xargs -0 sha256sum >/boot/kexec_hashes.txt
 		if [ -e /boot/kexec_default_hashes.txt ]; then
+			DEBUG "/boot/kexec_default_hashes.txt exists, updating /boot/kexec_default_hashes.txt"
 			DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ')
 			echo $DEFAULT_FILES | xargs sha256sum >/boot/kexec_default_hashes.txt
 		fi
 
+		TRACE_FUNC
+
 		#also save the file & directory structure to detect added files
 		print_tree >/boot/kexec_tree.txt
 	)
@@ -56,7 +65,13 @@ fi
 if [ "$rollback" = "y" ]; then
 	rollback_file="$paramsdir/kexec_rollback.txt"
 
+	DEBUG "rollback=y, counter=$counter, paramsdir=$paramsdir"
+	TRACE_FUNC
+
 	if [ -n "$counter" ]; then
+		DEBUG "rollback=y: counter=$counter, will read tpm counter next"
+		TRACE_FUNC
+
 		# use existing counter
 		read_tpm_counter $counter >/dev/null 2>&1 ||
 			die "$paramsdir: Unable to read tpm counter '$counter'"

initrd/bin/tpmr

@@ -719,7 +719,7 @@ tpm1_reset() {
 	DO_WITH_DEBUG tpm physicalsetdeactivated -c &>/dev/null
 	DO_WITH_DEBUG tpm forceclear &>/dev/null
 	DO_WITH_DEBUG tpm physicalenable &>/dev/null
-	DO_WITH_DEBUG tpm takeown -pwdo "$tpm_owner_password" &>/dev/null
+	DO_WITH_DEBUG --mask-position 3 tpm takeown -pwdo "$tpm_owner_password" &>/dev/null
 
 	# And now turn it all back on
 	DO_WITH_DEBUG tpm physicalpresence -s &>/dev/null

initrd/bin/unseal-hotp

@@ -29,7 +29,13 @@ mount_boot_or_die
 #counter_value=$(read_tpm_counter $counter | cut -f2 -d ' ' | awk 'gsub("^000e","")')
 #
 
-counter_value=$(cat $HOTP_COUNTER)
+#if HOTP_COUNTER is not present, bail out
+if [ ! -f $HOTP_COUNTER ]; then
+  die "HOTP counter file not found. If you just reinstalled an OS, you need to reseal the HOTP secret"
+fi
+
+# Read the counter from the file
+counter_value=$(cat $HOTP_COUNTER 2>/dev/null)
 
 if [ "$counter_value" == "" ]; then
   die "Unable to read HOTP counter"

initrd/bin/unseal-totp

@@ -8,11 +8,12 @@ TOTP_SECRET="/tmp/secret/totp.key"
 TRACE_FUNC
 
 if [ "$CONFIG_TPM" = "y" ]; then
-	tpmr unseal 4d47 0,1,2,3,4,7 312 "$TOTP_SECRET" ||
-		die "Unable to unseal TOTP secret from TPM"
+	DO_WITH_DEBUG --mask-position 5 \
+		tpmr unseal 4d47 0,1,2,3,4,7 312 "$TOTP_SECRET" ||
+			die "Unable to unseal TOTP secret from TPM"
 fi
 
-if ! totp -q <"$TOTP_SECRET"; then
+if ! DO_WITH_DEBUG --mask-position 2 totp -q <"$TOTP_SECRET"; then
 	shred -n 10 -z -u "$TOTP_SECRET" 2>/dev/null
 	die 'Unable to compute TOTP hash?'
 fi

initrd/etc/functions

@@ -8,7 +8,10 @@ die() {
 	else
 		echo -e "!!! ERROR: $* !!!" >&2
 	fi
-	sleep 2
+
+	# ask user to press any key prior to exit
+	read -n 1 -s -r -p $'Press any key to continue...\n\n'
+
 	exit 1
 }
 
@@ -778,7 +781,7 @@ prompt_new_owner_password() {
 	# Cache the password externally to be reused by who needs it
 	DEBUG "Caching TPM Owner Password to /tmp/secret/tpm_owner_password"
 	mkdir -p /tmp/secret || die "Unable to create /tmp/secret"
-	echo -n "$tpm_owner_password" >/tmp/secret/tpm_owner_password || die "Unable to cache TPM password under /tmp/secret"
+	echo -n "$tpm_owner_password" >/tmp/secret/tpm_owner_password || die "Unable to cache TPM password under /tmp/secret/tpm_owner_password"
 }
 
 check_tpm_counter() {
@@ -817,12 +820,17 @@ increment_tpm_counter() {
 	TRACE_FUNC
 	tpmr counter_increment -ix "$1" -pwdc '' |
 		tee /tmp/counter-$1 >/dev/null 2>&1 ||
-		die "TPM counter increment failed for rollback prevention. Please reset the TPM"
+		die "TPM counter increment failed for rollback prevention. Please reset the TPM. Press Enter to continue"
+		#TODO: why the die here needs to say to Press Enter to continue? Should be part of die call?
 }
 
 # Check detached signature on kexec boot params
 check_config() {
 	TRACE_FUNC
+
+	DEBUG "paramdir: $1"
+	DEBUG "force: $2"
+
 	if [ ! -d /tmp/kexec ]; then
 		mkdir /tmp/kexec ||
 			die 'Failed to make kexec tmp dir'
@@ -832,17 +840,27 @@ check_config() {
 	fi
 
 	if [ ! -r $1/kexec.sig -a "$CONFIG_BASIC" != "y" ]; then
+		DEBUG "No $1/kexec.sig found"
 		return
 	fi
 
 	if [ $(find $1/kexec*.txt | wc -l) -eq 0 ]; then
+		DEBUG "No $1/kexec*.txt found"
 		return
 	fi
 
 	if [ "$2" != "force" ]; then
+		DEBUG "checking unforced signature on $1/kexec*.txt against $1/kexec.sig"
+		#TODO: what does unforced signature mean if its actually forced?
+		
+		#die if we have no detached digest under $1/kexec.sig
+		if [ ! -r "$1/kexec.sig" ]; then
+			die "No detached digest signature found under $1/kexec.sig. Please do 'Options-> Update checksums and sign all files in /boot'"
+		fi
+
 		# Note that kexec.sig detached signature is solely verifying kexec*.txt files here!
 		if ! sha256sum $(find $1/kexec*.txt) | gpgv $1/kexec.sig -; then
-			die 'Invalid signature on kexec boot params'
+			die "Invalid digest signature under $1/kexec.sig. Please do 'Options-> Update checksums and sign all files in /boot'"
 		fi
 	fi
 
@@ -913,6 +931,7 @@ update_checksums() {
 	extparam=
 	if [ "$CONFIG_TPM" = "y" ]; then
 		if [ "$CONFIG_IGNORE_ROLLBACK" != "y" ]; then
+			DEBUG "add -r to kexec-sign-config since CONFIG_IGNORE_ROLLBACK is not set"
 			extparam=-r
 		fi
 	fi
@@ -1024,20 +1043,26 @@ verify_checksums() {
 		set +e -o pipefail
 		local ret=0
 		cd "$boot_dir" || ret=1
-		sha256sum -c "$TMP_HASH_FILE" >/tmp/hash_output || ret=1
+		TRACE_FUNC
+		sha256sum -c "$TMP_HASH_FILE" >/tmp/hash_output 2>/dev/null || ret=1
 
 		# also make sure that the file & directory structure didn't change
 		# (sha256sum won't detect added files)
 		print_tree >/tmp/tree_output || ret=1
-		if ! cmp -s "$TMP_TREE_FILE" /tmp/tree_output &>/dev/null; then
+		#if ! cmp -s "$TMP_TREE_FILE" /tmp/tree_output 2>/dev/null; then
+		if ! cmp -s "$TMP_TREE_FILE" /tmp/tree_output; then
+			TRACE_FUNC
 			ret=1
 			[[ "$gui" != "y" ]] && exit "$ret"
 			# produce a diff that can safely be presented to the user
 			# this is relatively hard as file names may e.g. contain backslashes etc.,
 			# which are interpreted by whiptail, less, ...
-			escape_zero "(new) " <"$TMP_TREE_FILE" >"${TMP_TREE_FILE}.user"
+			[ -f "$TMP_TREE_FILE" ] && escape_zero "(new) " <"$TMP_TREE_FILE" >"${TMP_TREE_FILE}.user"
 			escape_zero "(new) " </tmp/tree_output >/tmp/tree_output.user
-			diff "${TMP_TREE_FILE}.user" /tmp/tree_output.user | grep -E '^\+\(new\).*$' | sed -r 's/^\+\(new\)/(new)/g' >>/tmp/hash_output
+			TRACE_FUNC
+			diff "${TMP_TREE_FILE}.user" /tmp/tree_output.user 2>/dev/null |
+				grep -E '^\+(new).*$' | sed -r 's/^\+(new)/(new)/g' >/tmp/tree_output
+			TRACE_FUNC
 			rm -f "${TMP_TREE_FILE}.user"
 			rm -f /tmp/tree_output.user
 		fi