WiP

works: - oem and user mode passphrase generation - qrcode missing: - unattended - luks reencryption + passphrase change for OEM mode (only input to be provided) with SINGLE passphrase when in unattended mode - same for user reownership when previously OEM reset unattended Signed-off-by: Thierry Laurion <[email protected]>
linuxboot · Nov 19, 2024 · 8539e88 · 8539e88
1 parent 9d2f5b8
commit 8539e88
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 16 deletions.
diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset
@@ -58,9 +58,6 @@ handle_mode() {
 		USER_PIN=$(generate_passphrase --number_words 2 --max_length $MAX_HOTP_GPG_PIN_LENGTH)
 		ADMIN_PIN=$(generate_passphrase --number_words 2 --max_length $MAX_HOTP_GPG_PIN_LENGTH)
 		TPM_PASS=$ADMIN_PIN
-		# Inspect the passphrase using xxd and output to DEBUG
-		DEBUG "USER_PIN (hex): $(echo "$USER_PIN" | xxd)"
-		DEBUG "ADMIN_PIN (hex): $(echo "$ADMIN_PIN" | xxd)"
 		;;
 	*)
 		warn "Unknown mode: $mode"
@@ -728,9 +725,6 @@ generate_checksums() {
 	fi
 
 	DEBUG "Detach-signing boot files under kexec.sig: ${param_files}"
-	DEBUG "TODO REMOVE: USER_PIN=$USER_PIN ADMIN_PIN=$ADMIN_PIN"
-	echo "$USER_PIN" | xxd
-	echo "$ADMIN_PIN" | xxd
 
 	if sha256sum $param_files 2>/dev/null | gpg \
 		--pinentry-mode loopback \

diff --git a/initrd/etc/functions b/initrd/etc/functions
@@ -898,17 +898,14 @@ generate_passphrase() {
 		local rolls=""
 		local random_bytes
 
-		# Read num_rolls bytes from /dev/urandom in one go
+		# Read num_rolls bytes from /dev/random, fed by CPU RRAND in one go
 		random_bytes=$(dd if=/dev/random bs=1 count="$num_rolls" 2>/dev/null | hexdump -e '1/1 "%u\n"')
 
 		# Process each byte to generate a dice roll
 		while read -r byte; do
 			roll=$((byte % 6 + 1))
-			DEBUG "Randomized dice roll: $roll"
 			rolls+=$roll
 		done <<<"$random_bytes"
-
-		DEBUG "Generated dice rolls: $rolls"
 		echo "$rolls"
 	}
 
@@ -978,15 +975,12 @@ generate_passphrase() {
 		exit 1
 	fi
 
-	digits=${#key}
-	DEBUG "Number of digits in dice rolls: $digits"
+	digits=${#key} #Number of digits in dice rolls
 
 	for ((i = 0; i < num_words; ++i)); do
 		key=$(generate_dice_rolls "$digits")
 		word=$(get_word_from_dictionary "$key" "$dictionary_file")
-		DEBUG "Retrieved word: =>$word<="
 		if [[ "$lowercase" == "false" ]]; then
-			DEBUG "Capitalizing the first letter of the word"
 			word=${word^} # Capitalize the first letter
 		fi
 		passphrase+="$word "
@@ -997,8 +991,8 @@ generate_passphrase() {
 		fi
 	done
 
-	passphrase=$(echo "$passphrase" | xargs) # Remove any leading/trailing whitespace
-	DEBUG "Generated passphrase: $passphrase<="
+	#Remove passphrase trailing space from passphrase+="$word"
+	passphrase=${passphrase% }
 	echo "$passphrase"
 	return 0
 }