
key-init: force user to change time if <2024, give warnings on key import errors #1776

Conversation

@tlaurion tlaurion commented Sep 3, 2024

Fixes #1775: without this, a machine that had its CMOS battery disconnected for initial flashing will show weird and unexpected behaviors early under key-init, since the gpg keys imported there have a creation date in the future.

This is a bug, and since we now have #1737 merged in, we can force users to change the system clock if it is in an impossible past, in all cases (<2024. Could also be 1970, but why not <2024, just as the GUI forces today).


This PR:

  • Check if system clock year < 2024. If so, force the user to set the time with the new GUI merged at Alexgithublab: change time (superseeds #1730) #1737
  • Do not send gpg errors to /dev/null and pretend everything is ok... warn instead
  • Only import individual user keys if the directory is present (legacy: TODO deprecate totally, as well as under oem-factory-reset and flash scripts)
    • oem-factory-reset and flashing scripts with config preservation take trustdb+pub keyring+user config overrides and inject them back into firmware when internally flashing. The old individual key import is still there, but has not been used for years. We could delete it at some point. @JonathonHall-Purism: do we do this separately? Left a TODO in code under key-init
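As an added illustration of the checks listed above (example code, not Heads' own key-init script): standalone POSIX sh functions for the year cutoff, for a legacy key import that only runs when the directory exists and reports gpg errors instead of discarding them, and for spotting keys whose creation date lies in the future in a gpg --with-colons listing. The key directory, home directory, key IDs and sample listing are assumptions.

```shell
#!/bin/sh
# Added example, not Heads' key-init: standalone POSIX sh versions of the checks
# this PR describes, so they can be exercised without a TPM or a real keyring.

MIN_SANE_YEAR=2024   # the PR's cutoff; anything earlier is an impossible past

# Succeeds if YEAR (default: the system clock's year) is at or after the cutoff.
# A clock reset to 2070, as on the Librem 14, passes: this only catches the past.
clock_year_plausible() {
    year="${1:-$(date +%Y)}"
    [ "$year" -ge "$MIN_SANE_YEAR" ]
}

# Given 'gpg --with-colons --list-keys' output (field 6 of pub/sub records is the
# creation time in epoch seconds) and the current epoch, print how many keys claim
# a creation time in the future, i.e. were imported while the clock was wrong.
future_keys() {
    now="$1"; listing="$2"
    printf '%s\n' "$listing" | awk -F: -v now="$now" '
        ($1 == "pub" || $1 == "sub") && ($6 + 0) > (now + 0) { n++ }
        END { print n + 0 }'
}

# Constructed sample listing (assumed key IDs): one key created 2024-09-03,
# one subkey stamped with a year-2070 creation time.
SAMPLE_LISTING='pub:u:4096:1:0123456789ABCDEF:1725372000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
sub:u:4096:1:FEDCBA9876543210:3155760000::::::e::::::23:'

# Legacy per-user key import: only runs if the directory exists, and surfaces
# gpg's stderr as a warning instead of sending it to /dev/null.
# Returns the number of files that failed to import.
import_user_keys() {
    keydir="$1"; homedir="$2"
    [ -d "$keydir" ] || { echo "DEBUG: no $keydir, skipping legacy key import"; return 0; }
    failures=0
    for f in "$keydir"/*; do
        [ -f "$f" ] || continue
        if ! err=$(gpg --homedir "$homedir" --import "$f" 2>&1 >/dev/null); then
            echo " *** WARNING: importing $f failed: $err ***"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

clock_year_plausible || echo " *** WARNING: System time is incorrect. Please set the correct time. ***"
```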

@tlaurion tlaurion marked this pull request as draft September 3, 2024 18:38

tlaurion commented Sep 3, 2024

Legacy individual keys import gives an error. To be done only if the directory exists (oem-factory-reset creates trustdb/pubring which is injected because it contains a seed, as opposed to key injection which creates pubring with said seed): this should be deprecated, we have not used individual keys for maybe 5 years!

[    4.643655] DEBUG: Debug output enabled from board CONFIG_DEBUG_OUTPUT=y option (/etc/config)
[    4.669303] TRACE: Under init
[    4.711578] DEBUG: Applying panic_on_oom setting to sysctl
[    4.858228] TRACE: /bin/tpmr(32): main
[    4.910196] TRACE: /bin/tpmr(336): tpm2_startsession
[    5.542699] TRACE: /bin/cbfs-init(5): main
[    5.659485] DEBUG: Extending TPM PCR 7 with /.gnupg/pubring.kbx
[    5.730724] TRACE: /bin/tpmr(32): main
[    5.765843] TRACE: /bin/tpmr(232): tpm2_extend
[    5.867261] DEBUG: tpm2 pcrread sha256:7
[    6.078541] DEBUG: Extending TPM PCR 7 with /.gnupg/trustdb.gpg
[    6.145530] TRACE: /bin/tpmr(32): main
[    6.177971] TRACE: /bin/tpmr(232): tpm2_extend
[    6.286832] DEBUG: tpm2 pcrread sha256:7
[    6.455275] TRACE: /bin/key-init(5): main
[    6.539725]  *** WARNING: Importing user's keys failed ***
[    8.503260] TRACE: Under /etc/ash_functions:combine_configs
[    8.570345] TRACE: Under /etc/ash_functions:pause_recovery
!!! Hit enter to proceed to recovery shell !!!


tlaurion commented Sep 3, 2024

@JonathonHall-Purism please approve

trace

[    4.684682] DEBUG: Debug output enabled from board CONFIG_DEBUG_OUTPUT=y option (/etc/config)
[    4.697178] TRACE: Under init
[    4.736451] DEBUG: Applying panic_on_oom setting to sysctl
[    4.875786] TRACE: /bin/tpmr(32): main
[    4.932410] TRACE: /bin/tpmr(336): tpm2_startsession
[    5.655044] TRACE: /bin/cbfs-init(5): main
[    5.809734] DEBUG: Extending TPM PCR 7 with /.gnupg/pubring.kbx
[    5.899991] TRACE: /bin/tpmr(32): main
[    5.935391] TRACE: /bin/tpmr(232): tpm2_extend
[    6.046963] DEBUG: tpm2 pcrread sha256:7
[    6.282743] DEBUG: Extending TPM PCR 7 with /.gnupg/trustdb.gpg
[    6.344431] TRACE: /bin/tpmr(32): main
[    6.385554] TRACE: /bin/tpmr(232): tpm2_extend
[    6.486850] DEBUG: tpm2 pcrread sha256:7
[    6.698581] TRACE: /bin/key-init(5): main
[    6.737096]  *** WARNING: System time is incorrect. Please set the correct time. ***
[  105.172410] TRACE: Under /etc/ash_functions:combine_configs
[  105.220237] TRACE: Under /etc/ash_functions:pause_recovery
!!! Hit enter to proceed to recovery shell !!!
[  105.424012] TRACE: /bin/setconsolefont.sh(6): main
[  105.445988] DEBUG: Board does not ship setfont, not checking console font
[  105.602978] TRACE: /bin/gui-init(641): main
[  105.621387] TRACE: /etc/functions(715): detect_boot_device
[  105.664037] TRACE: /etc/functions(682): mount_possible_boot_device
[  105.698458] TRACE: /etc/functions(642): is_gpt_bios_grub
[  105.770715] TRACE: /dev/vda1 is partition 1 of vda
[  105.852659] TRACE: /etc/functions(619): find_lvm_vg_name
[  106.000691] TRACE: Try mounting /dev/vda1 as /boot
[  106.045613] EXT4-fs (vda1): mounted filesystem with ordered data mode. Opts: (null)
[  106.093007] TRACE: /bin/gui-init(319): clean_boot_check
[  106.188559] TRACE: /bin/gui-init(348): check_gpg_key
[  106.276451] TRACE: /bin/gui-init(185): update_totp
[  106.366904] TRACE: /bin/unseal-totp(8): main
[  106.442130] TRACE: /bin/tpmr(32): main
[  106.490083] TRACE: /bin/tpmr(554): tpm2_unseal
[  106.552953] DEBUG: tpm2_unseal: handle=0x81004d47 pcrl=0,1,2,3,4,7 file=/tmp/secret/totp.key pass=<empty>
[  107.127046] DEBUG: Running at_exit handlers
[  107.155125] TRACE: /bin/tpmr(361): cleanup_session
[  107.203816] DEBUG: Clean up session: /tmp/secret/unsealfile_policy.session
[  107.324874]  !!! ERROR: Unable to unseal TOTP secret !!!
[  109.944924] TRACE: /bin/unseal-totp(8): main
[  110.043042] TRACE: /bin/tpmr(32): main
[  110.093519] TRACE: /bin/tpmr(554): tpm2_unseal
[  110.161863] DEBUG: tpm2_unseal: handle=0x81004d47 pcrl=0,1,2,3,4,7 file=/tmp/secret/totp.key pass=<empty>
[  110.755702] DEBUG: Running at_exit handlers
[  110.787313] TRACE: /bin/tpmr(361): cleanup_session
[  110.833663] DEBUG: Clean up session: /tmp/secret/unsealfile_policy.session
[  110.949940]  !!! ERROR: Unable to unseal TOTP secret !!!
[  113.573741] TRACE: /bin/unseal-totp(8): main
[  113.658656] TRACE: /bin/tpmr(32): main
[  113.706436] TRACE: /bin/tpmr(554): tpm2_unseal
[  113.776518] DEBUG: tpm2_unseal: handle=0x81004d47 pcrl=0,1,2,3,4,7 file=/tmp/secret/totp.key pass=<empty>
[  114.372375] DEBUG: Running at_exit handlers
[  114.386500] TRACE: /bin/tpmr(361): cleanup_session
[  114.421211] DEBUG: Clean up session: /tmp/secret/unsealfile_policy.session
[  114.541699]  !!! ERROR: Unable to unseal TOTP secret !!!
[  116.607303] DEBUG: CONFIG_TPM: y
[  116.661400] DEBUG: CONFIG_TPM2_TOOLS: y
[  116.714964] DEBUG: Show PCRs
[  116.882791] DEBUG:   sha256:
[  116.915088] 0 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  116.954169] 1 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  117.000170] 2 : 0xA520385AE9831ED3F24AF7C59A45A534323015EE9D2A60333281FB5E3FB94EBD
[  117.033743] 3 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  117.068846] 4 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  117.101800] 5 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  117.140069] 6 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  117.168924] 7 : 0x7FF225FD6FE58C3E2814FC8E32D6373CC61C66DA4FC5D5531CAA99AE411C2547
[  117.199239] 8 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  117.230054] 9 : 0x0000000000000000000000000000000000000000000000000000000000000000
[  117.267998] 10: 0x0000000000000000000000000000000000000000000000000000000000000000
[  117.297599] 11: 0x0000000000000000000000000000000000000000000000000000000000000000
[  117.324196] 12: 0x0000000000000000000000000000000000000000000000000000000000000000
[  117.353193] 13: 0x0000000000000000000000000000000000000000000000000000000000000000
[  117.370249] 14: 0x0000000000000000000000000000000000000000000000000000000000000000
[  117.401329] 15: 0x0000000000000000000000000000000000000000000000000000000000000000
[  117.422566] 16: 0x0000000000000000000000000000000000000000000000000000000000000000
[  117.449601] 17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[  117.472232] 18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[  117.494586] 19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[  117.523604] 20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[  117.538273] 21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[  117.560177] 22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[  117.584562] 23: 0x0000000000000000000000000000000000000000000000000000000000000000

@tlaurion tlaurion marked this pull request as ready for review September 3, 2024 19:29
@tlaurion tlaurion changed the title key-init: force user to change time if <2024, give warnings on errors key-init: force user to change time if <2024, give warnings on key import errors Sep 3, 2024

tlaurion commented Sep 3, 2024

@macpijan Docs should be clearer on the effect of disconnecting the CMOS battery, which results in being back in 1970, at https://docs.dasharo.com/unified/novacustom/initial-deployment/#installing-dasharo


tlaurion commented Sep 5, 2024

@JonathonHall-Purism forgot to tag you here for review

@tlaurion tlaurion added the bug label Sep 5, 2024

tlaurion commented Sep 5, 2024

Goes alongside the needed documentation fix, issue opened at Dasharo/dasharo-issues#1040

@JonathonHall-Purism open an internal issue if Purism documentation misses that step too, while less important because PureBoot should pick up on that change on the next release automatically once merged? Ditto @daringer.

@JonathonHall-Purism

@tlaurion Suggestion: 92396ca

  • The 'warn' message isn't very effective, change-time.sh clears the screen right after. Prompt with whiptail instead like we do for TOTP reset and everything else. This is also less jarring IMO, the user knows what is happening before we drop them into a bunch of prompts.
  • Allow skipping if the user really wants to. While they should usually set the time, IMO it's pretty annoying if I know I don't want to do this right now but Heads forces me to anyway.

This is great, thanks for putting this together 💪

Surprisingly, on Librem 14 (and others IIRC), the clock resets to 2070, not 1970. Maybe if I enable the RTC century bit in CMOS it'll reset to 1970 instead.

I think I would rather try that before something like asking to reset if the clock is set to 2070. 46 years seems like a long time, but who knows 😉

Anyway this is great, so don't hold it up while I figure out another improvement for Librems. If you agree with the changes I suggested, let's merge, otherwise feel free to discuss 👍

tlaurion and others added 2 commits September 6, 2024 09:27
The 'warn' message was not very effective, because change-time.sh
clears the screen right after.  Prompt with whiptail instead, which
also lets the user know what's happening before we drop them into a
series of prompts.

Let the user skip changing time if they really want to.  While they
usually should set the time, it's rather frustrating if Heads forces
them to go through these prompts when they don't want to.

Signed-off-by: Jonathon Hall <[email protected]>
Signed-off-by: Thierry Laurion <[email protected]>
@tlaurion tlaurion force-pushed the key-init_fix-time_give-warning-on-gpg-errors branch from 6ab0c88 to 62c8366 Compare September 6, 2024 13:28

tlaurion commented Sep 6, 2024

> @tlaurion Suggestion: 92396ca
>
>   • The 'warn' message isn't very effective, change-time.sh clears the screen right after. Prompt with whiptail instead like we do for TOTP reset and everything else. This is also less jarring IMO, the user knows what is happening before we drop them into a bunch of prompts.
>   • Allow skipping if the user really wants to. While they should usually set the time, IMO it's pretty annoying if I know I don't want to do this right now but Heads forces me to anyway.
>
> This is great, thanks for putting this together 💪
>
> Surprisingly, on Librem 14 (and others IIRC), the clock resets to 2070, not 1970. Maybe if I enable the RTC century bit in CMOS it'll reset to 1970 instead.

That would help, should most probably set it everywhere if it works for you.

> I think I would rather try that before something like asking to reset if the clock is set to 2070. 46 years seems like a long time, but who knows 😉

Again, this should not trigger the bug; it will create weird logs in rootfs, but won't freeze nor create weird behavior under Heads, which happen because keys are imported > 1970 < 2070. I still believe we should sync the clock from the network, but this is not possible nor easy as part of a traditional OEM factory reset. Ideally, we would have all computers be in 1970 if possible after CMOS battery disconnection, otherwise we do not have a stable behavior to correct upon.

> Anyway this is great, so don't hold it up while I figure out another improvement for Librems. If you agree with the changes I suggested, let's merge, otherwise feel free to discuss 👍

@JonathonHall-Purism merged master+cherry-picked cbd1f28


tlaurion commented Sep 6, 2024

@JonathonHall-Purism let's merge whenever you are ready to push merge button

@JonathonHall-Purism JonathonHall-Purism merged commit b28c257 into linuxboot:master Sep 6, 2024
2 of 4 checks passed
@JonathonHall-Purism

Button pushed! Thanks

Successfully merging this pull request may close these issues.

Another time drift issue impacting key import at key-init