Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Can I use a single USB Security (GPG) dongle with multiple computers? #106

Open
tlaurion opened this issue Oct 28, 2022 · 0 comments
Open

Comments

@tlaurion
Copy link
Collaborator

Asked on slack/matrix channel:

If I get a USB dongle, can I use the same one for multiple laptops installed with heads?


Answer:

You can use one USB Security dongle for multiple computers if you choose non-hotp variants of board configurations (the x230-maximized board config option in your use case; not x230-hotp-maximized) for multiple platforms you own.

Doing so will permit usage of a single USB Security dongle across multiple computers to detach sign content /boot content from a single USB Security dongle, and verified at each boot against the public key that was injected in each of your computers ROMS. This means that one laptop will do the Factory Reset/Re-Ownership wizard, and you will have that resulting public key backuped on a USB thumb drive. On other laptops, you will inject that generated public key in all other non-hotp flashed hardware.

Firmware remote attestation will happen through TOTP (Qr code generation on laptop, scanning from smartphone TOTP supporting app) after injecting the key, sealing firmware measurements (including your keyring and trustdb measurements), where you will give distinctive names to each laptops in the 2fa app at the time of scanning Qr code on your smartphone.

As a side effect of this, TOTP makes you rely on time synchronization to always be in sync (UTC timezone) between your laptops and phone to produce a TOTP unique number every 30 seconds that would match the ones presented on your smartphone at boot. This means that laptops staying offline for longer periods of time will have to have their time either automatically synced through Ethernet (network-init-recovery script called from command line) or manually through the recovery shell (date -s "HH:MM:SS" followed by hwclock -w commands to set time and write it to system clock).

HOTP enabled board configuration variants actively bounds a single laptop to a single HOTP supporting usb dongle for remote attestation. This means that you could use Nitrokey Pro/Nitrokey Storage/Librem Key on your main computer using it with x230-hotp-maximized board variant so that visual firmware integrity validation is enabled on that main laptop, while using other laptops you own with non-hotp variant flashed on them. Unfortunately, there is only one HOTP slot on Librem Key/Nitrokey Pro/Nitrokey Storage that can be used for integrity attestation, and is a limitation from Nitrokey firmware, which can be discussed on Nitrokey firmware github to be fixed accordingly (and then managed properly inside of Heads).

Should we document this better in the heads-wiki/osresearch.net? Can you provide a pull request where things were not clear enough for you to understand the above?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant