--menu "ERROR: $CONFIG_BRAND_NAME couldn't validate the HOTP code.\n\nIf you just reflashed your BIOS, you should generate a new TOTP/HOTP secret.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 0 80 4 \
286
283
'g'' Generate new TOTP/HOTP secret' \
@@ -553,21 +550,29 @@ reset_tpm() {
553
550
mount -o rw,remount /boot
554
551
#TODO: this is really problematic, we should really remove the primary handle hash
555
552
556
-
INFO "Removing rollback and primary handle hash under /boot"
553
+
INFO "Removing rollback and primary handle hashes under /boot"
554
+
555
+
DEBUG "Removing /boot/kexec_rollback.txt and /boot/kexec_primhdl_hash.txt"
# As a countermeasure for existing primary handle hash, we will now force sign /boot without it
572
577
if (whiptail --title 'TPM Reset Successfully' \
573
578
--yesno "Would you like to update the checksums and sign all of the files in /boot?\n\nYou will need your GPG key to continue and this will modify your disk.\n\nOtherwise the system will reboot immediately." 0 80);then
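Review bot: The new comment `# As a countermeasure for existing primary handle hash, we will now force sign /boot without it` is contradicted by the whiptail prompt right after it, which still lets the user decline and states the system then reboots immediately; if that decline path is taken, the hash files named in the new DEBUG line (`/boot/kexec_rollback.txt` and `/boot/kexec_primhdl_hash.txt`) have presumably already been removed and /boot has not been re-signed, which looks like it would leave the next boot unable to verify /boot. Either the signing should be made unconditional to match the comment, or the comment should describe the actual behaviour, e.g. `# The primary handle hash has been removed; offer to re-sign /boot now, otherwise reboot (boot verification will need to be redone)`. Old lines 557-571 of this hunk are not shown in this rendering, so whether the result of `mount -o rw,remount /boot` is checked before the files are deleted cannot be confirmed here; a failed remount would make the removal silently ineffective and is worth a `|| die` guard. reset_tpm() begins before this hunk and its body continues past the `;then`.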
--yesno "There is no default boot option configured yet.\nWould you like to load a menu of boot options?\nOtherwise you will return to the main menu." 0 80);then
--yesno "There is no default boot option configured yet.\nWould you like to load a menu of boot options?\nOtherwise you will return to the main menu." 0 80) then
#We failed unlocking with DRK passphrase another LUKS container
90
-
die "LUKS device $key_devices cannot all be unlocked with same passphrase. Please make $key_devices devices unlockable with the same passphrase. Exiting"
91
-
else
92
-
warn "Failed to unlock LUKS device $dev with the provided passphrase. Please try again."
93
-
fi
86
+
echo"++++++ $dev: LUKS device unlocked successfully with the DRK passphrase"
94
87
fi
95
88
done
89
+
90
+
if [ $all_devices_unlocked-eq 1 ];then
91
+
luks_drk_passphrase_valid=1
92
+
else
93
+
attempts=$((attempts +1))
94
+
if [ $attempts-eq 3 ];then
95
+
die "Failed to unlock all LUKS devices with the provided passphrase after 3 attempts. Exiting..."
96
+
else
97
+
warn "Please try again."
98
+
fi
99
+
fi
96
100
done
97
101
102
+
# Now that all devices are verified with the DRK passphrase, proceed with DUK setup
103
+
MIN_PASSPHRASE_LENGTH=12
98
104
attempts=0
99
105
while [ $attempts-lt 3 ];do
100
-
read -s -p "New LUKS TPM Disk Unlock Key (DUK) passphrase for booting: " key_password
106
+
read -r -s -p $'\nNew LUKS TPM Disk Unlock Key (DUK) passphrase for booting (minimum '"$MIN_PASSPHRASE_LENGTH"' characters): ' key_password
101
107
echo
102
-
read -s -p "Repeat LUKS TPM Disk Unlock Key (DUK) passphrase for booting: " key_password2
108
+
if [ ${#key_password}-lt$MIN_PASSPHRASE_LENGTH ];then
109
+
attempts=$((attempts +1))
110
+
warn "Disk Unlock Key (DUK) passphrase is too short. Please try again."
111
+
continue
112
+
fi
113
+
114
+
read -r -s -p $'\nRepeat LUKS TPM Disk Unlock Key (DUK) passphrase for booting: ' key_password2
103
115
echo
104
116
if [ "$key_password"!="$key_password2" ];then
105
117
attempts=$((attempts +1))
106
-
if [ "$attempts"=="3" ];then
107
-
die "Disk Unlock Key (DUK) passphrases do not match. Exiting..."
108
-
else
109
-
warn "Disk Unlock Key (DUK) passphrases do not match. Please try again."
110
-
fi
118
+
warn "Disk Unlock Key (DUK) passphrases do not match. Please try again."
111
119
else
112
120
break
113
121
fi
114
122
done
115
123
124
+
if [ $attempts-ge 3 ];then
125
+
die "Failed to set a valid Disk Unlock Key (DUK) passphrase after 3 attempts. Exiting..."
126
+
fi
127
+
116
128
# Generate key file
129
+
echo
117
130
echo"++++++ Generating new randomized 128 bytes key file that will be sealed/unsealed by LUKS TPM Disk Unlock Key passphrase"
118
131
dd \
119
132
if=/dev/urandom \
@@ -159,7 +172,7 @@ for dev in $key_devices; do
159
172
# Get all the key slots that are used on $dev
160
173
luks_used_keyslots=($(cryptsetup luksDump "$dev"| grep -E "$regex"| sed "$sed_command"))