Make TOTP (+ HOTP) verification possible **without OS** installed #1651

Open
tlaurion opened this issue Apr 22, 2024 · 4 comments
Comments

@tlaurion
Collaborator

tlaurion commented Apr 22, 2024

It would be nice if we could have TOTP (+ HOTP) verification possible without an OS by going through the OEM Factory Reset / Re-Ownership options. It would allow us to have a solid root of trust from us (OEM) to the end user, even if no OS was chosen. A lot of users order Heads without an OS.

From our side, credentials are then separately delivered via different channels (physical paper, email and Signal). Ideally, credentials should be randomly generated.

Originally posted by @wessel-novacustom in #1521 (comment)

@tlaurion
Collaborator Author

This is currently limited by several factors, one being that HOTP is stored under /boot as recently reviewed under #1650

@JonathonHall-Purism shared some ideas off-channel.

Might want to chip them in in the referred discussion at #1521 (comment)

@JonathonHall-Purism
Collaborator

The idea I shared was #1480 - that is, replace reverse HOTP with a TPM signature on the PCR state (=firmware state) and a nonce from the token. That would eliminate the HOTP counter, which is currently stored in /boot and is the reason HOTP doesn't work without an installed OS.

The token would need to support such an operation though.

As a stopgap we could find another place to store the HOTP counter. This would be compatible with existing tokens but loses another benefit of #1480 that the attestation secret never leaves the TPM.

  • Could we use a TPM counter? I think this was considered long ago and seems to have been rejected; I'm not sure why.
  • Could we use flash space? E.g. coreboot smmstore or something specific to this counter. We would want to consider how often sectors get erased so we don't wear out flash. In principle if we dedicated a whole sector to this counter, we should get thousands of counts per erase at least.
  • Could we store it on the HOTP token itself somewhere?
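
The #1480-style exchange described in the comment above, worked through as an added example (editor's illustration, not Heads code and not the token's or TPM's real implementation): the token issues a fresh nonce, the firmware has the TPM sign the PCR digest together with that nonce, and the token verifies against the public key it enrolled and the PCR digest it recorded at enrollment. The P-256 key, the 16-byte nonce and the `Token`/`TPM` types are assumptions made here to model the idea; in a real deployment the signing step would be TPM2_Quote with the nonce as qualifyingData and the key a TPM-resident attestation key, so no HOTP counter and no exported secret are involved.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Added illustration of the #1480 idea, not Heads code. The P-256 key stands
// in for a TPM-resident attestation key; the real signing step is TPM2_Quote
// with the token's nonce as qualifyingData.

// TPM is the firmware side; priv models the key that never leaves the TPM.
type TPM struct{ priv *ecdsa.PrivateKey }

// Token is the verifier: enrolled public key, expected PCR digest, last nonce.
type Token struct {
	pub       *ecdsa.PublicKey
	goodPCRs  [32]byte
	lastNonce [16]byte
}

// pcrDigest folds the selected PCR values into one digest, like the
// pcrDigest field of a TPM quote.
func pcrDigest(pcrs [][]byte) [32]byte {
	h := sha256.New()
	for _, p := range pcrs {
		h.Write(p)
	}
	var d [32]byte
	copy(d[:], h.Sum(nil))
	return d
}

// quoteMessage binds the firmware state to this particular challenge.
func quoteMessage(digest [32]byte, nonce [16]byte) []byte {
	m := sha256.Sum256(append(digest[:], nonce[:]...))
	return m[:]
}

// Quote signs the PCR digest together with the token's nonce. The private
// key is used but never exported, which is the property reverse HOTP lacks.
func (t *TPM) Quote(pcrs [][]byte, nonce [16]byte) ([32]byte, []byte, error) {
	d := pcrDigest(pcrs)
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, quoteMessage(d, nonce))
	return d, sig, err
}

// NewNonce issues and remembers a fresh challenge.
func (tk *Token) NewNonce() [16]byte {
	if _, err := rand.Read(tk.lastNonce[:]); err != nil {
		panic(err)
	}
	return tk.lastNonce
}

// Verify accepts only a signature over the nonce just issued, and only if
// the reported firmware state matches what was enrolled.
func (tk *Token) Verify(digest [32]byte, sig []byte) bool {
	if !ecdsa.VerifyASN1(tk.pub, quoteMessage(digest, tk.lastNonce), sig) {
		return false
	}
	return digest == tk.goodPCRs
}

// Scenario runs three boots: clean, firmware tampered, and an attacker
// replaying the earlier clean quote against a newly issued nonce.
// Sample PCR values are constructed, not captured from hardware.
func Scenario() (clean, tampered, replay bool) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tpm := &TPM{priv: priv}
	good := [][]byte{bytes.Repeat([]byte{0xaa}, 32), bytes.Repeat([]byte{0xbb}, 32)}
	tk := &Token{pub: &priv.PublicKey, goodPCRs: pcrDigest(good)}

	d, s, _ := tpm.Quote(good, tk.NewNonce())
	clean = tk.Verify(d, s)

	evil := [][]byte{bytes.Repeat([]byte{0xaa}, 32), bytes.Repeat([]byte{0xcc}, 32)}
	d2, s2, _ := tpm.Quote(evil, tk.NewNonce())
	tampered = tk.Verify(d2, s2)

	tk.NewNonce()           // token issues a fresh challenge...
	replay = tk.Verify(d, s) // ...and the old, valid quote no longer matches it
	return
}

func main() {
	c, t, r := Scenario()
	fmt.Printf("clean=%v tampered=%v replay=%v\n", c, t, r)
}
```

The token needs nothing persistent on the host: its only state is the enrolled public key and the expected PCR digest, which is exactly why this removes the /boot dependency the thread is about.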

@tlaurion
Collaborator Author

tlaurion commented Apr 24, 2024

@daringer @jans23 on previous @JonathonHall-Purism comment?

@JonathonHall-Purism looking at git blame on the currently commented code under seal-hotp gives insights on the past and reverted implementation. I only remember vaguely, but that didn't work on TPM1.
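
The "dedicate a whole sector to this counter" stopgap from @JonathonHall-Purism's comment earlier in the thread, worked through as an added example (editor's illustration, not Heads or coreboot code). It assumes NOR flash semantics (erase sets every bit of a sector to 1, a program operation can only clear bits 1->0), a 4 KiB sector, and a second sector for an epoch bitmap; the `Sector`, `Counter` and `SimulateIncrements` names are mine. The counter is the number of cleared bits, so one erase buys 32768 increments, which is the "thousands of counts per erase" figure, and the epoch sector keeps the value monotonic across erases.

```go
package main

import (
	"fmt"
	"math/bits"
)

// Added illustration of a flash-resident monotonic counter, not Heads code.
// Assumed NOR semantics: erase -> all bits 1, program -> clears bits 1->0.

const (
	SectorSize    = 4096
	BitsPerSector = SectorSize * 8
)

type Sector [SectorSize]byte

// Erase sets every bit to 1; it is the only way a 0 becomes a 1 again,
// and the operation that wears the flash out.
func (s *Sector) Erase() {
	for i := range s {
		s[i] = 0xFF
	}
}

// clearNextBit programs one more bit to 0. It returns false when the sector
// is exhausted and must be erased before it can count further.
func (s *Sector) clearNextBit() bool {
	for i := range s {
		if s[i] != 0 {
			s[i] &= s[i] - 1 // clears the lowest set bit, a legal 1->0 program
			return true
		}
	}
	return false
}

// zeroBits is the sector's count: bits cleared since the last erase.
func (s *Sector) zeroBits() uint64 {
	var n uint64
	for _, b := range s {
		n += uint64(8 - bits.OnesCount8(b))
	}
	return n
}

// Counter value = epoch * BitsPerSector + ticks. The epoch sector is
// programmed once per erase of the tick sector, so it is never erased in
// practice (32768 epochs * 32768 ticks before it fills).
type Counter struct {
	ticks, epoch Sector
	erases       int
}

func NewCounter() *Counter {
	c := &Counter{}
	c.ticks.Erase()
	c.epoch.Erase()
	return c
}

func (c *Counter) Value() uint64 {
	return c.epoch.zeroBits()*BitsPerSector + c.ticks.zeroBits()
}

func (c *Counter) Erases() int { return c.erases }

// Increment advances the counter by exactly one.
func (c *Counter) Increment() error {
	if c.ticks.clearNextBit() {
		return nil
	}
	// Tick sector full. Advance the epoch *before* erasing: if power is lost
	// between the two steps the stored value can only read high, never low,
	// so a count already used for HOTP is never reused. Erasing first would
	// open a window where the value drops back by a whole sector.
	if !c.epoch.clearNextBit() {
		return fmt.Errorf("counter exhausted after %d erases", c.erases)
	}
	c.ticks.Erase()
	c.erases++
	c.ticks.clearNextBit()
	return nil
}

// SimulateIncrements runs n increments, checking that every step moves the
// value by exactly one, and reports the final value and the erases it cost.
func SimulateIncrements(n int) (uint64, int, error) {
	c := NewCounter()
	prev := c.Value()
	for i := 0; i < n; i++ {
		if err := c.Increment(); err != nil {
			return c.Value(), c.Erases(), err
		}
		v := c.Value()
		if v != prev+1 {
			return v, c.Erases(), fmt.Errorf("step %d: %d -> %d", i, prev, v)
		}
		prev = v
	}
	return c.Value(), c.Erases(), nil
}

func main() {
	v, e, err := SimulateIncrements(70000)
	fmt.Printf("value=%d erases=%d err=%v\n", v, e, err)
}
```

Seventy thousand boots cost two erases of the tick sector, which is far inside typical flash endurance; the remaining caveat, as the comment notes, is that the counter is then plain flash state rather than something sealed in the TPM.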
