WiP: Generate diceware passphrases in oem-factory-reset, output qr code of configured secrets prior to reboot #1850

Open
wants to merge 6 commits into
base: master

Collaborator

@tlaurion tlaurion commented Nov 19, 2024

WiP: will change

size increase of firmware space used: ~5120 bytes

New Functionality:

  • initrd/etc/functions:
    • Added a new helper function generate_passphrase to generate a Diceware passphrase, including subfunctions for parsing parameters, generating dice rolls, and retrieving words from a dictionary.
    • QR code generation at the end of OEM/user mode and setting defaults in oem-factory-reset for user/oem (TODO: improve)

Minor Changes:

  • initrd/init:
    • Updated the oem-factory-reset command to include a --mode oem parameter for better clarity in OEM Factory Reset mode.
    • Added whiptail_error and whiptail_warning scripts.
    • Bumped cryptsetup2 toolstack version and included necessary fixes and patches for multi-LUKS containers and other related changes.
    • Added export BG_COLOR_MAIN_MENU="normal" to allow other scripts to be called from the command line without passing through gui-init.
  • initrd/etc/functions:
    • Improved readability of the SINK_LOG function by reformatting the cat and echo commands.
    • Simplified the conditional check in the device_has_partitions function.
    • Enhanced maintainability by replacing the hardcoded mount check in assert_signable with a call to detect_boot_device so that mounting discoverable /boot is done when needed instead of failing.

…ords then short list v1 for easier to remember passphrases

This list comes from https://www.eff.org/files/2016/09/08/eff_short_wordlist_2_0.txt
Referred to in article: https://www.eff.org/dice

Signed-off-by: Thierry Laurion <[email protected]>

Nothing uses it for the moment, needs to be called from recovery shell: bash, source /etc/functions. generate_passphrase

- parses dictionary to check how many dice rolls needed on first entry, defaults to EFF short list v2 (bigger words easier to remember, 4 dice rolls instead of 5)
  - defaults to using initrd/etc/diceware_dictionnaries/eff_short_wordlist_2_0.txt, parametrable
  - make sure format of dictionary is 'digit word' and fail early otherwise: we expect EFF diceware format dictionaries
- enforces max length of 256 chars, parametrable, reduces number of words to fit if not overridden
- enforces default 3 words passphrase, parametrable
- enforces capitalization of first letter, lowercase parametrable
- read multiple bytes from /dev/urandom to fit number of dice rolls

Unrelated: uniformize format of file

Signed-off-by: Thierry Laurion <[email protected]>

…ount /etc/fstab existing /boot partition (otherwise early 'o' to enter oem mode of oem-factory-reset

Signed-off-by: Thierry Laurion <[email protected]>

…user press y (end of reownership wizard secret output)

Signed-off-by: Thierry Laurion <[email protected]>

works:
- oem and user mode passphrase generation
- qrcode

missing:
- unattended
  - luks reencryption + passphrase change for OEM mode (only input to be provided) with SINGLE passphrase when in unattended mode
    - same for user reownership when previously OEM reset unattended

Signed-off-by: Thierry Laurion <[email protected]>
@tlaurion tlaurion force-pushed the generate_passphrase-reownership_qr_code branch from 486b52f to b681574 Compare November 21, 2024 17:06
@tlaurion tlaurion marked this pull request as ready for review November 21, 2024 17:08
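
The generate_passphrase behaviour listed in the commit message above (dice count taken from the first dictionary entry, early format check, word-count and length caps, first-letter capitalization, one bulk read from /dev/urandom), as an added sketch that is not the code from this pull request. The function names, the space separator, the optional SOURCE argument and the rejection of bytes >= 252 to avoid modulo bias are assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from the Heads PR. Function names, the space
# separator and the rejection-sampling step are assumptions of this sketch.

# dice_rolls N [SOURCE]: print N unbiased d6 digits from SOURCE's bytes.
dice_rolls() {
    # A byte has 256 values and 256 % 6 != 0, so bytes >= 252 (6*42) are
    # rejected to keep "byte % 6" uniform. Fails if SOURCE runs dry.
    od -An -v -tu1 "${2:-/dev/urandom}" | awk -v n="$1" '
        { for (i = 1; i <= NF; i++) if ($i < 252) {
              printf "%d", $i % 6 + 1; if (++c == n) exit } }
        END { print ""; exit (c < n) }'
}

# generate_passphrase_example DICT [WORDS] [MAXLEN] [SOURCE]
generate_passphrase_example() {
    dict=$1; words=${2:-3}; maxlen=${3:-256}; src=${4:-/dev/urandom}
    # Fail early unless every line is "<digits 1-6> <word>" with equal-length
    # keys; the key length of the first entry is the dice count per word.
    dice=$(awk 'NR == 1 { d = length($1) }
        NF != 2 || $1 !~ /^[1-6]+$/ || length($1) != d { bad = 1 }
        END { if (bad || !NR) exit 1; print d }' "$dict") || {
        echo "dictionary is not in EFF diceware format" >&2; return 1; }
    # Draw every roll in one read, then look the keys up in the dictionary.
    rolls=$(dice_rolls $((dice * words)) "$src") || return 1
    awk -v rolls="$rolls" -v d="$dice" -v max="$maxlen" '
        { word[$1] = $2 }
        END {
            for (i = 1; i <= length(rolls); i += d) {
                k = substr(rolls, i, d)
                if (!(k in word)) exit 1          # incomplete dictionary
                w = toupper(substr(word[k], 1, 1)) substr(word[k], 2)
                # Stop adding words once the next one would exceed max.
                if (length(out) + length(w) + (out != "") > max) break
                out = out (out == "" ? "" : " ") w
            }
            print out
        }' "$dict"
}

# Constructed 2-dice dictionary ("11 word11" .. "66 word66") for offline runs.
sample_dict() {
    for a in 1 2 3 4 5 6; do for b in 1 2 3 4 5 6; do
        echo "$a$b word$a$b"; done; done
}
```

With the 1296-entry EFF short list (4 dice) each word adds log2(1296) ≈ 10.3 bits, so three words give about 31 bits; a length cap that drops words lowers that further.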