WiP: Generate diceware passphrases in oem-factory-reset, output qr code of configured secrets prior of reboot #1850
8539e88 to 486b52f
…ords then short list v1 for easier to remember passphrases

This list comes from https://www.eff.org/files/2016/09/08/eff_short_wordlist_2_0.txt
Referred in article: https://www.eff.org/dice

Signed-off-by: Thierry Laurion <[email protected]>

Nothing uses it for the moment, needs to be called from recovery shell: bash, source /etc/functions.

generate_passphrase
- parses dictionary to check how many dice rolls needed on first entry, defaults to EFF short list v2 (bigger words easier to remember, 4 dice rolls instead of 5)
- defaults to using initrd/etc/diceware_dictionnaries/eff_short_wordlist_2_0.txt, parametrable
- make sure format of dictionary is 'digit word' and fail early otherwise: we expect EFF diceware format dictionaries
- enforces max length of 256 chars, parametrable, reduces number of words to fit if not overridden
- enforces default 3 words passphrase, parametrable
- enforces capitalization of first letter, lowercase parametrable
- read multiple bytes from /dev/urandom to fit number of dice rolls

Unrelated: uniformize format of file

Signed-off-by: Thierry Laurion <[email protected]>
Signed-off-by: Thierry Laurion <[email protected]>
Signed-off-by: Thierry Laurion <[email protected]>
…ount /etc/fstab existing /boot partition (otherwise early 'o' to enter oem mode of oem-factory-reset

Signed-off-by: Thierry Laurion <[email protected]>

…user press y (end of reownership wizard secret output)

Signed-off-by: Thierry Laurion <[email protected]>

works:
- oem and user mode passphrase generation
- qrcode

missing:
- unattended
- luks reencryption + passphrase change for OEM mode (only input to be provided) with SINGLE passphrase when in unattended mode
- same for user reownership when previously OEM reset unattended

Signed-off-by: Thierry Laurion <[email protected]>
486b52f to b681574
Will try
Signed-off-by: Thierry Laurion <[email protected]>
… dongle reset logic Signed-off-by: Thierry Laurion <[email protected]>
Works, asks for physical presence though, but this is Nitrokey/nitrokey-hotp-verification#41 and won't be part of feature freeze.

There seems to still be some confusion on EDIT: Asked and got acknowledgment of understanding at Nitrokey/nitrokey-hotp-verification#46 (comment) since Nitrokey/nitrokey-hotp-verification#42 (comment) wasn't acknowledged yet. Waiting for fix prior to testing and fixing oem-factory-reset further.
reset_nk3_secret_app() { | ||
TRACE_FUNC | ||
# Reset Nitrokey 3 secret app | ||
if lsusb | grep -q "20a0:42b2"; then | ||
echo | ||
echo "Resetting Nitrokey 3 secret app" | ||
# Reset Nitrokey 3 secret app | ||
/bin/hotp_verification reset | ||
fi | ||
} |
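Review bot: the exit status of `/bin/hotp_verification reset` is discarded at the end of the `if` body, so `reset_nk3_secret_app` reports success to its caller whether or not the reset happened. Propagate the failure, for example `/bin/hotp_verification reset || return 1`, and let the caller decide whether to abort the factory reset. The function also returns silently when `lsusb` does not show `20a0:42b2`; a trace or debug line on that path would make it clear the reset was skipped. The `# Reset Nitrokey 3 secret app` comment appears twice and the inner copy can go.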
A SECRET_APP_PIN is definitely needed here, since reset doesn't set a default SECRET_APP_PIN to be changed (no previous default PIN is set, unlike the GPG User/Admin PINs previously used for <nk3 dongles, which the rest of the oem-factory-reset policy script acts upon): we consequently need to create a SECRET_APP_PIN, ideally with the same value as the GPG Admin PIN (generated, single shared PIN chosen, or setting an OEM 12345678=GPG Admin PIN as per the current (bad) default for end users).
We do not want to confuse users, nor complexify UX even more.
Blocked by Nitrokey/nitrokey-hotp-verification#46 final implementation resulting in merged hotp_verification changes.
Also note that physical presence is needed here (touch dongle) until possibly removed later in the next nk3 firmware version (issue Nitrokey/nitrokey-hotp-verification#41, unplanned for current/late #1821).
# v1.6 | ||
hotp-verification_version := e9050e0c914e7a8ffef5d1c82a014e0e2bf79346 | ||
# v1.6 + patch from https://github.com/Nitrokey/nitrokey-hotp-verification/pull/46/commits/de355ed93ba50280bf377772082b76b7a2285185 | ||
hotp-verification_version := de355ed93ba50280bf377772082b76b7a2285185 |
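Review bot: the new `hotp-verification_version` pin on the last line references a commit that, per the comment above it, is only reachable through `pull/46/commits/`, so a rebase or force-push of that pull request can leave the build pointing at a commit that is on no branch or tag. Before this merges, repin to a commit on the upstream default branch or to a release tag, and state the base version and the patch in the comment as it does now. If both assignments are meant to stay in the file, the first one is dead, since the later `:=` overrides it; remove the `# v1.6` pair in that case.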
This is Nitrokey/nitrokey-hotp-verification#46 (comment) original PR state commit, not implementing argument for single SECRET_APP_PIN to be set since no default PIN set as gpg counterpart.
This is commit Nitrokey/nitrokey-hotp-verification@de355ed for the curious eyes.
WiP: will change
size increase of firmware space used: ~5120 bytes
New Functionality:
- `generate_passphrase` to generate a Diceware passphrase, including subfunctions for parsing parameters, generating dice rolls, and retrieving words from a dictionary.
- `oem-factory-reset` for user/oem (TODO: improve)

Minor Changes:
- `oem-factory-reset` command to include a `--mode oem` parameter for better clarity in OEM Factory Reset mode.
- `whiptail_error` and `whiptail_warning` scripts.
- `export BG_COLOR_MAIN_MENU="normal"` to allow other scripts to be called from the command line without passing through `gui-init`.
- `SINK_LOG` function by reformatting the `cat` and `echo` commands.
- `device_has_partitions` function.
- `assert_signable` with a call to `detect_boot_device` so that mounting discoverable /boot is done when needed instead of failing.
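
The dictionary check and dice-roll handling described for `generate_passphrase`, as an added example that is not code from this PR. Function names are hypothetical, the 36-word dictionary is constructed, and rejection sampling is shown as one way to keep rolls unbiased, not necessarily what the PR does.

```bash
# Added example, not code from this PR; all function names are hypothetical.
# Constructed dictionary in EFF layout "<dice digits><TAB><word>", using
# 2 dice per word so the sample stays small.
make_sample_dict() (
  for a in 1 2 3 4 5 6; do
    for b in 1 2 3 4 5 6; do printf '%s%s\tword%s%s\n' "$a" "$b" "$a" "$b"; done
  done
)

# Fail early unless every line is "<digits 1-6> <word>", all keys share one
# length n, and the file has 6^n lines; print n (dice rolls per word).
dict_rolls() {
  awk 'NF != 2 || $1 !~ /^[1-6]+$/ { bad = 1; exit }
       NR == 1 { n = length($1) }
       length($1) != n { bad = 1; exit }
       END { if (bad || NR != 6^n) exit 1; print n }' "$1"
}

# One unbiased die roll. 256 is not a multiple of 6, so bytes 252..255 are
# rejected; a plain "byte % 6" would make faces 1-4 slightly more likely.
roll_die() (
  while :; do
    byte=$(od -An -N1 -tu1 /dev/urandom | tr -d ' \n')
    if [ "$byte" -lt 252 ]; then echo $((byte % 6 + 1)); return 0; fi
  done
)

# Usage: generate_passphrase_example DICT [WORDS]
# Each word is emitted with its first letter capitalized.
generate_passphrase_example() (
  dict=$1 words=${2:-3} out="" i=0
  rolls=$(dict_rolls "$dict") || { echo "bad dictionary: $dict" >&2; return 1; }
  while [ "$i" -lt "$words" ]; do
    key="" j=0
    while [ "$j" -lt "$rolls" ]; do key="$key$(roll_die)"; j=$((j + 1)); done
    word=$(awk -v k="$key" \
      '$1 == k { print toupper(substr($2, 1, 1)) substr($2, 2); exit }' "$dict")
    [ -n "$word" ] || return 1
    out="$out$word"; i=$((i + 1))
  done
  echo "$out"
)

sample=$(mktemp) && make_sample_dict > "$sample"
generate_passphrase_example "$sample" 3   # prints three random sample words
rm -f "$sample"
```

Each word contributes log2(6^n) bits, so a 4-roll dictionary gives about 10.3 bits per word and the default of 3 words about 31 bits.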