Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WiP: oem-factory-reset: unattended factory-reset + reownership #1849

Draft
wants to merge 9 commits into
base: master
Choose a base branch
from
Draft

WiP: oem-factory-reset: unattended factory-reset + reownership #1849

wants to merge 9 commits into from
+2,548 −1,064

Conversation

tlaurion
Copy link
Collaborator

@tlaurion tlaurion commented Nov 19, 2024
edited
Loading

WiP

Putting oem-factory-reset user/oem mode to function unattended will happen here once #1850 is finished and merged.

size differences, taking x220-hotp-maximized to against master

Raw sizes diff (empty space below): 90084-84964=5120 bytes (eff dic is 17258 bytes)

master:

Nov 15 17:57:07 "/root/heads/build/x86/coreboot-24.02.01/x220-hotp-maximized/cbfstool" "/root/heads/build/x86/coreboot-24.02.01/x220-hotp-maximized/coreboot.rom" print
Nov 15 17:57:07 FMAP REGION: COREBOOT
Nov 15 17:57:07 Name                           Offset     Type           Size   Comp
Nov 15 17:57:07 cbfs_master_header             0x0        cbfs header        32 none
Nov 15 17:57:07 fallback/romstage              0x80       stage           98160 none
Nov 15 17:57:07 cpu_microcode_blob.bin         0x18080    microcode       26624 none
Nov 15 17:57:07 fallback/ramstage              0x1e8c0    stage          148872 LZMA (323424 decompressed)
Nov 15 17:57:07 config                         0x42ec0    raw              3359 LZMA (10703 decompressed)
Nov 15 17:57:07 revision                       0x43c40    raw               724 none
Nov 15 17:57:07 build_info                     0x43f40    raw               101 none
Nov 15 17:57:07 bootsplash.jpg                 0x44000    bootsplash      43282 none
Nov 15 17:57:07 fallback/dsdt.aml              0x4e940    raw             14715 none
Nov 15 17:57:07 vbt.bin                        0x52300    raw              1400 LZMA (3985 decompressed)
Nov 15 17:57:07 cmos_layout.bin                0x528c0    cmos_layout      1976 none
Nov 15 17:57:07 fallback/postcar               0x530c0    stage           29980 none
Nov 15 17:57:07 fallback/payload               0x5a640    simple elf    7705386 none
Nov 15 17:57:07 (empty)                        0x7b39c0   null            90084 none
Nov 15 17:57:07 bootblock                      0x7c99c0   bootblock       25600 none
Nov 15 17:57:07 2024-11-15 17:57:07+00:00 INSTALL   build/x86/coreboot-24.02.01/x220-hotp-maximized/coreboot.rom => build/x86/x220-hotp-maximized/heads-x220-hotp-maximized-v0.2.0-2422-g9ed131b.rom

this PR:

Nov 19 16:47:33 "/root/heads/build/x86/coreboot-24.02.01/x220-hotp-maximized/cbfstool" "/root/heads/build/x86/coreboot-24.02.01/x220-hotp-maximized/coreboot.rom" print
Nov 19 16:47:33 FMAP REGION: COREBOOT
Nov 19 16:47:33 Name                           Offset     Type           Size   Comp
Nov 19 16:47:33 cbfs_master_header             0x0        cbfs header        32 none
Nov 19 16:47:33 fallback/romstage              0x80       stage           98160 none
Nov 19 16:47:33 cpu_microcode_blob.bin         0x18080    microcode       26624 none
Nov 19 16:47:33 fallback/ramstage              0x1e8c0    stage          148872 LZMA (323424 decompressed)
Nov 19 16:47:33 config                         0x42ec0    raw              3361 LZMA (10703 decompressed)
Nov 19 16:47:33 revision                       0x43c40    raw               724 none
Nov 19 16:47:33 build_info                     0x43f40    raw               101 none
Nov 19 16:47:33 bootsplash.jpg                 0x44000    bootsplash      43282 none
Nov 19 16:47:33 fallback/dsdt.aml              0x4e940    raw             14715 none
Nov 19 16:47:33 vbt.bin                        0x52300    raw              1400 LZMA (3985 decompressed)
Nov 19 16:47:33 cmos_layout.bin                0x528c0    cmos_layout      1976 none
Nov 19 16:47:33 fallback/postcar               0x530c0    stage           29980 none
Nov 19 16:47:33 fallback/payload               0x5a640    simple elf    7710506 none
Nov 19 16:47:33 (empty)                        0x7b4dc0   null            84964 none
Nov 19 16:47:33 bootblock                      0x7c99c0   bootblock       25600 none
Nov 19 16:47:33 2024-11-19 16:47:33+00:00 INSTALL   build/x86/coreboot-24.02.01/x220-hotp-maximized/coreboot.rom => build/x86/x220-hotp-maximized/heads-x220-hotp-maximized-v0.2.0-2431-g9cd07cb.rom

detailed analysis

user@heads-tests-deb12-nix:/tmp$ wget -q https://output.circle-artifacts.com/output/job/79356cac-2be2-4ea8-a04e-21c602d0af87/artifacts/0/build/x86/x220-hotp-maximized/sizes.txt -O 1849
user@heads-tests-deb12-nix:/tmp$ wget -q https://output.circle-artifacts.com/output/job/0e4032fa-a6d7-4244-a116-883bb8deef8f/artifacts/0/build/x86/x220-hotp-maximized/sizes.txt -O master
user@heads-tests-deb12-nix:/tmp$ diff -u master 1849
--- master	2024-11-15 12:57:11.000000000 -0500
+++ 1849	2024-11-19 11:47:37.000000000 -0500
@@ -1,4 +1,4 @@
-2024-11-15 17:56:15+00:00 9ed131b79d5feca7ca689f86642f1367e1fa1478 clean
+2024-11-19 16:46:44+00:00 9cd07cbd1e8920eab3165eb560945fef565e650a clean
  2822912:/root/heads/build/x86/x220-hotp-maximized/bzImage
   930816:/root/heads/build/x86/x220-hotp-maximized/modules.cpio
 -----
@@ -75,7 +75,7 @@
     1740:./etc/terminfo/l/linux
      733:./etc/config
 -----
-  406016:/root/heads/build/x86/x220-hotp-maximized/heads.cpio
+  423424:/root/heads/build/x86/x220-hotp-maximized/heads.cpio
 -----
     1585:./.ash_history
       73:./.gnupg/gpg-agent.conf
@@ -84,10 +84,7 @@
     1046:./bin/cbfs-init
      221:./bin/cbfs.sh
     1933:./bin/change-time.sh
-   23638:./bin/config-gui.sh
     7703:./bin/flash-gui.sh
-    3293:./bin/flash.sh
-     372:./bin/flashprog-kgpe-d16-openbmc.sh
     1313:./bin/generic-init
     8977:./bin/gpg-gui.sh
      137:./bin/gpgv
@@ -99,9 +96,7 @@
     1503:./bin/kexec-iso-init
     2090:./bin/kexec-parse-bls
     5311:./bin/kexec-parse-boot
-   12014:./bin/kexec-save-default
     2376:./bin/kexec-save-key
-    9548:./bin/kexec-seal-key
    11751:./bin/kexec-select-boot
     2079:./bin/kexec-sign-config
      976:./bin/kexec-unseal-key
@@ -110,14 +105,12 @@
     2841:./bin/media-scan
     6012:./bin/mount-usb
     4610:./bin/network-init-recovery
-   54633:./bin/oem-factory-reset
     2348:./bin/oem-system-info-xx30
      324:./bin/poweroff
      841:./bin/qubes-measure-luks
      719:./bin/reboot
    15321:./bin/root-hashes-gui.sh
     6248:./bin/seal-hotpkey
-    2127:./bin/seal-totp
     1258:./bin/setconsolefont.sh
      657:./bin/talos-init
      189:./bin/tpm-reset
@@ -131,7 +124,13 @@
      352:./bin/wget-measure.sh
      410:./bin/wipe-totp
      639:./bin/xx30-flash.init
-   12373:./etc/ash_functions
+   23638:./bin/config-gui.sh
+    3293:./bin/flash.sh
+     372:./bin/flashprog-kgpe-d16-openbmc.sh
+   12014:./bin/kexec-save-default
+    9548:./bin/kexec-seal-key
+   50901:./bin/oem-factory-reset
+    2127:./bin/seal-totp
       17:./etc/distro/gpg-agent.conf
     1168:./etc/distro/keys/archlinux.key
     1629:./etc/distro/keys/qubes-4.1.key
@@ -140,20 +139,22 @@
      404:./etc/distro/keys/qubes-weekly-builds-signing-key.asc
    23488:./etc/distro/keys/tails.key
      197:./etc/fstab
-   27558:./etc/functions
       10:./etc/group
     5781:./etc/gui_functions
       20:./etc/hosts
-   24617:./etc/luks-functions
      813:./etc/mke2fs.conf
      174:./etc/motd
       26:./etc/passwd
       27:./etc/shells
-    9061:./init
+   12373:./etc/ash_functions
+   17258:./etc/diceware_dictionnaries/eff_short_wordlist_2_0.txt
+   31078:./etc/functions
+   24617:./etc/luks-functions
     1375:./mount-boot
        0:./run/cryptsetup/.placeholder
      924:./sbin/config-dhcp.sh
     1840:./sbin/insmod
+    9064:./init
 -----
- 4893184:build/x86/x220-hotp-maximized/initrd.cpio.xz
- 8388608:/root/heads/build/x86/x220-hotp-maximized/heads-x220-hotp-maximized-v0.2.0-2422-g9ed131b.rom
+ 4898304:build/x86/x220-hotp-maximized/initrd.cpio.xz
+ 8388608:/root/heads/build/x86/x220-hotp-maximized/heads-x220-hotp-maximized-v0.2.0-2431-g9cd07cb.rom

@tlaurion
diceware: add short list v2, requiring 4 dices and providing longer w…
f90701f 
…ords then short list v1 for easier to remember passphrases

This lists comes from https://www.eff.org/files/2016/09/08/eff_short_wordlist_2_0.txt
Refered in article: https://www.eff.org/dice

Signed-off-by: Thierry Laurion <[email protected]>
@tlaurion
initrd/etc/functions: add generate_passphrase logic
7e26b17 
Nothing uses it for the moment, needs to be called from recovery shell: bash, source /etc/functions. generate_passphrase

- parses dictionary to check how many dice rolls needed on first entry, defaults to EFF short list v2 (bigger words easier to remember, 4 dices roll instead of 5)
  - defaults to using initrd/etc/diceware_dictionnaries/eff_short_wordlist_2_0.txt, parametrable
  - make sure format of dictionary is 'digit word' and fail early otherwise: we expect EFF diceware format dictionaries
- enforces max length of 256 chars, parametrable, reduces number of words to fit if not override
- enforces default 3 words passphrase, parametrable
- enforces captialization of first letter, lowercase parametrable
- read multiple bytes from /dev/urandom to fit number of dice rolls

Unrelated: uniformize format of file

Signed-off-by: Thierry Laurion <[email protected]>
@tlaurion
WiP initrd/bin/oem-factory-reset: format unification
0ac0fde 
Signed-off-by: Thierry Laurion <[email protected]>
@tlaurion
WiP initrd/bin/oem-factory-reset: add --mode (oem/user) skeleton
329ed10 
Signed-off-by: Thierry Laurion <[email protected]>
@tlaurion
/etc/functions:: reuse detect_boot_device instead of trying only to m…
3322af5 
…ount /etc/fstab existing /boot partition (otherwise early 'o' to enter oem mode of oem-factory-reset

Signed-off-by: Thierry Laurion <[email protected]>
@tlaurion
WiP initrd/bin/oem-factory-reset: add qrcode+secet output loop until …
6df5e24 
…user press y (end of reownership wizard secret output)

Signed-off-by: Thierry Laurion <[email protected]>
@tlaurion
WiP
c8ed23d 
Signed-off-by: Thierry Laurion <[email protected]>
@tlaurion
WiP
e01a748 
Signed-off-by: Thierry Laurion <[email protected]>
@tlaurion
WiP
9cd07cb 
works:
- oem and user mode passphrase generation
- qrcode

missing:
- unattended
  - luks reencryption + passphrase change for OEM mode (only input to be provided) with SINGLE passphrase when in unattended mode
    - same for user reownership when previously OEM reset unattended

Signed-off-by: Thierry Laurion <[email protected]>
@tlaurion tlaurion marked this pull request as draft November 19, 2024 15:49
@tlaurion tlaurion mentioned this pull request Nov 19, 2024
Merged
@tlaurion tlaurion changed the title WiP: oem-factory-reset: Generate passphrases, output in both text + qrcode prior of reboot WiP: oem-factory-reset: unattended factory-reset + reownership Nov 19, 2024
@tlaurion tlaurion mentioned this pull request Nov 20, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@tlaurion