Make TOTP (+ HOTP) verification possible **without OS** installed #1651
This is currently limited by several factors, one being that HOTP is stored under /boot, as recently reviewed under #1650. @JonathonHall-Purism shared some ideas off-channel. Might want to chip them in in the referred discussion at #1521 (comment)
The idea I shared was #1480 - that is, replace reverse HOTP with a TPM signature on the PCR state (=firmware state) and a nonce from the token. That would eliminate the HOTP counter, which is currently stored in /boot and is the reason HOTP doesn't work without an installed OS. The token would need to support such an operation though. As a stopgap we could find another place to store the HOTP counter. This would be compatible with existing tokens but loses another benefit of #1480 that the attestation secret never leaves the TPM.
@daringer @jans23 on previous @JonathonHall-Purism comment? @JonathonHall-Purism looking at git blame on currently commented code under seal-hotp gives insights on past and reverted implementation. I only remember vaguely, but that didn't work on TPM1.
Originally posted by @wessel-novacustom in #1521 (comment)
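To make the trade-off in the thread concrete, here is an added example (not Heads code and not from any participant) contrasting the two flows: reverse HOTP, where the firmware must read a counter from /boot before it can produce a code, and a nonce-based attestation, where the firmware keeps no persistent state. The HOTP part follows RFC 4226; the "TPM quote" is an assumption-level stand-in that uses HMAC instead of the TPM's asymmetric attestation key so the demo runs with the standard library only, and all secrets and PCR values are constructed.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo secrets; nothing here comes from a real token or TPM.
HOTP_SECRET = b"shared-secret-sealed-in-tpm-and-on-token"
# Assumption: HMAC stands in for the TPM's asymmetric attestation key. A real quote
# is a signature verified with a public key provisioned to the token, so the key stays in the TPM.
TPM_ATTEST_KEY = b"tpm-resident-attestation-key"
EXPECTED_PCR_DIGEST = hashlib.sha256(b"measured-firmware-state").digest()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def firmware_hotp_code(counter_from_boot):
    """Firmware side of reverse HOTP: the counter read from /boot is the persistent state.
    With no OS installed there is no /boot, modelled here as counter_from_boot=None."""
    if counter_from_boot is None:
        return None
    return hotp(HOTP_SECRET, counter_from_boot)


def token_verify_hotp(code: str, last_counter: int, look_ahead: int = 10):
    """Token side: accept the code if it matches a counter inside the look-ahead window.
    Returns the counter the token must now persist, or None on failure."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(HOTP_SECRET, c), code):
            return c
    return None


def tpm_quote(pcr_digest: bytes, nonce: bytes) -> bytes:
    """Stand-in TPM quote over (PCR digest || token nonce); the firmware stores nothing."""
    return hmac.new(TPM_ATTEST_KEY, pcr_digest + nonce, hashlib.sha256).digest()


def token_verify_quote(nonce: bytes, signature: bytes) -> bool:
    """Token side: the quote must bind the expected PCR digest to the nonce it just issued."""
    expected = hmac.new(TPM_ATTEST_KEY, EXPECTED_PCR_DIGEST + nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def attest_with_nonce(pcr_digest: bytes) -> bool:
    """One challenge/response: token issues a fresh nonce, firmware quotes, token checks."""
    nonce = secrets.token_bytes(16)
    return token_verify_quote(nonce, tpm_quote(pcr_digest, nonce))
```

The nonce flow also closes the replay window that a look-ahead search on the counter leaves open, since each challenge is bound to a fresh random value rather than to the next counter.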