initrd, doc: rename password to passphrase throughout

Complete the passphrase/PIN terminology pass started in the previous
commit: rename all internal variables, function names, cache file paths,
and code comments that used "password" for TPM/LUKS secrets.

- tpmr: tpm2_passphrase_hex, cache_owner_passphrase, tpm_passphrase var,
  /tmp/secret/tpm_owner_passphrase cache path
- functions: prompt_tpm_owner_passphrase, prompt_new_owner_passphrase,
  WARN strings updated to "TPM Owner Passphrase"
- kexec-seal-key: key_passphrase / key_passphrase2 variables
- gui-init, oem-factory-reset: call sites updated to match new names
- doc/faq.md, doc/keys.md: "disk password" -> "disk passphrase"

Terminology: TPM/LUKS secrets are passphrases; GPG smartcard operations
use PINs (OpenPGP spec).  The --passwordbox whiptail flag is unchanged
(external API).

Signed-off-by: Thierry Laurion <insurgo@riseup.net>

Author: tlaurion

doc/faq.md

@@ -107,7 +107,7 @@ pull off on a Heads system since the boot devices are constrained.
 However, without tpmtotp in s3 it is hard to know if the system is in
 a safe state when the xscreensaver lock screen comes up.  Is it a fake
 to deceive you and steal your login password?  Maybe!  It wouldn't get
-your disk password, which is perhaps an improvement.
+your disk passphrase, which is perhaps an improvement.
 
 
 Disk key in TPM (LUKS TPM Disk Unlock Key) or user passphrase?

initrd/bin/gui-init

@@ -275,7 +275,7 @@ gate_reseal_with_integrity_report() {
 
 generate_totp_hotp() {
 	TRACE_FUNC
-	tpm_owner_password="$1" # May be empty, will prompt if needed and empty
+	tpm_owner_passphrase="$1" # May be empty, will prompt if needed and empty
 	if [ "$CONFIG_TPM" = "y" ] && tpm_reset_required; then
 		debug_tpm_reset_required_state
 		whiptail_error --title 'ERROR: TPM Reset Required' \
@@ -289,7 +289,7 @@ generate_totp_hotp() {
 		/bin/seal-hotpkey ||
 			DIE "Failed to generate HOTP secret"
 		STATUS_OK "HOTP secret generated"
-	elif STATUS "Generating new TOTP secret" && /bin/seal-totp "$BOARD_NAME" "$tpm_owner_password"; then
+	elif STATUS "Generating new TOTP secret" && /bin/seal-totp "$BOARD_NAME" "$tpm_owner_passphrase"; then
 		if [ -x /bin/hotp_verification ]; then
 			# If we have a TPM and a HOTP USB Security dongle
 			if [ "$CONFIG_TOTP_SKIP_QRCODE" != y ]; then
@@ -821,13 +821,13 @@ reset_tpm() {
 		if (whiptail_warning --title 'Reset the TPM' \
 			--yesno "This will clear the TPM and replace its Owner passphrase with a new one!\n\nDo you want to proceed?" 0 80); then
 
-			if ! prompt_new_owner_password; then
+			if ! prompt_new_owner_passphrase; then
 				INPUT "Press Enter to return to the menu..."
 				return 1
 			fi
 
 			STATUS "Resetting TPM"
-			tpmr reset "$tpm_owner_password"
+			tpmr reset "$tpm_owner_passphrase"
 
 			# now that the TPM is reset, remove invalid TPM counter files
 			mount_boot
@@ -841,7 +841,7 @@ reset_tpm() {
 			rm -f /boot/kexec_primhdl_hash.txt
 
 			# create Heads TPM counter before any others
-			check_tpm_counter /boot/kexec_rollback.txt "" "$tpm_owner_password" ||
+			check_tpm_counter /boot/kexec_rollback.txt "" "$tpm_owner_passphrase" ||
 				DIE "Unable to find/create tpm counter"
 
 			TRACE_FUNC
@@ -850,7 +850,7 @@ reset_tpm() {
 			DEBUG "TPM_COUNTER: $TPM_COUNTER"
 			#TPM_COUNTER can be empty
 
-			increment_tpm_counter "$TPM_COUNTER" "$tpm_owner_password" ||
+			increment_tpm_counter "$TPM_COUNTER" "$tpm_owner_passphrase" ||
 				DIE "Unable to increment tpm counter"
 
 			DO_WITH_DEBUG sha256sum /tmp/counter-$TPM_COUNTER >/boot/kexec_rollback.txt ||
@@ -881,7 +881,7 @@ reset_tpm() {
 			# Clear stale preflight marker before generating fresh TOTP/HOTP.
 			clear_tpm_reset_required
 
-			if ! generate_totp_hotp "$tpm_owner_password"; then
+			if ! generate_totp_hotp "$tpm_owner_passphrase"; then
 				return 1
 			fi
 

initrd/bin/kexec-seal-key

@@ -143,17 +143,17 @@ fi
 MIN_PASSPHRASE_LENGTH=12
 attempts=0
 while [ $attempts -lt 3 ]; do
-	key_password=""
-	INPUT "New LUKS TPM Disk Unlock Key (DUK) passphrase for booting (minimum $MIN_PASSPHRASE_LENGTH characters):" -r -s key_password
-	if [ ${#key_password} -lt $MIN_PASSPHRASE_LENGTH ]; then
+	key_passphrase=""
+	INPUT "New LUKS TPM Disk Unlock Key (DUK) passphrase for booting (minimum $MIN_PASSPHRASE_LENGTH characters):" -r -s key_passphrase
+	if [ ${#key_passphrase} -lt $MIN_PASSPHRASE_LENGTH ]; then
 		attempts=$((attempts + 1))
 		WARN "Disk Unlock Key (DUK) passphrase is too short. Please try again."
 		continue
 	fi
 
-	key_password2=""
-	INPUT "Repeat LUKS TPM Disk Unlock Key (DUK) passphrase for booting:" -r -s key_password2
-	if [ "$key_password" != "$key_password2" ]; then
+	key_passphrase2=""
+	INPUT "Repeat LUKS TPM Disk Unlock Key (DUK) passphrase for booting:" -r -s key_passphrase2
+	if [ "$key_passphrase" != "$key_passphrase2" ]; then
 		attempts=$((attempts + 1))
 		WARN "Disk Unlock Key (DUK) passphrases do not match. Please try again."
 	else
@@ -294,12 +294,12 @@ tpmr calcfuturepcr 6 "/tmp/luksDump.txt" >>"$pcrf"
 # We take into consideration user files in cbfs
 tpmr pcrread -a 7 "$pcrf"
 
-# tpmr seal may prompt for TPM owner password; avoid DO_WITH_DEBUG here so the
+# tpmr seal may prompt for TPM owner passphrase; avoid DO_WITH_DEBUG here so the
 # prompt remains visible on console. tpmr logs command details internally.
 STATUS "Sealing LUKS TPM Disk Unlock Key into TPM NVRAM (this may take a moment)"
 DEBUG "tpmr seal $DUK_KEY_FILE $TPM_INDEX 0,1,2,3,4,5,6,7 $pcrf $TPM_SIZE <hidden>"
 tpmr seal "$DUK_KEY_FILE" "$TPM_INDEX" 0,1,2,3,4,5,6,7 "$pcrf" \
-	"$TPM_SIZE" "$key_password" || DIE "Unable to write LUKS TPM Disk Unlock Key to NVRAM"
+	"$TPM_SIZE" "$key_passphrase" || DIE "Unable to write LUKS TPM Disk Unlock Key to NVRAM"
 STATUS_OK "LUKS TPM Disk Unlock Key sealed successfully"
 
 # should be okay if this fails

initrd/bin/kexec-select-boot

@@ -72,7 +72,7 @@ if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
 			}
 	else
 		WARN "Hash of TPM2 primary key handle does not exist - rebuild it by setting a default OS to boot: Options -> Boot Options -> Show OS Boot Menu -> pick OS -> Make default"
-		#TODO: Simplify/Automatize TPM2 firmware upgrade process. Today: upgrade, reboot, reseal(type TPM Owner Password), resign, boot
+		#TODO: Simplify/Automatize TPM2 firmware upgrade process. Today: upgrade, reboot, reseal(type TPM owner passphrase), resign, boot
 		default_failed="y"
 		DEBUG "Hash of TPM2 primary key handle does not exist under $PRIMHASH_FILE"
 	fi

initrd/bin/kexec-unseal-key

@@ -31,14 +31,14 @@ for tries in 1 2 3; do
 	# type the LUKS passphrase.
 	show_totp_until_esc
 	STATUS "Unlocking LUKS with TPM Disk Unlock Key"
-	INPUT "Enter LUKS TPM Disk Unlock Key passphrase (blank to abort):" -r -s tpm_password
-	if [ -z "$tpm_password" ]; then
+	INPUT "Enter LUKS TPM Disk Unlock Key passphrase (blank to abort):" -r -s tpm_passphrase
+	if [ -z "$tpm_passphrase" ]; then
 		DIE "Aborting unseal disk encryption key"
 	fi
 
 	if DO_WITH_DEBUG --mask-position 6 \
 		tpmr unseal "$TPM_INDEX" "0,1,2,3,4,5,6,7" "$TPM_SIZE" \
-		"$key_file" "$tpm_password"; then
+		"$key_file" "$tpm_passphrase"; then
 		STATUS_OK "TPM Disk Unlock Key unsealed"
 		exit 0
 	fi

initrd/bin/oem-factory-reset

@@ -33,7 +33,7 @@ GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD="n"
 #Circumvent Librem Key/Nitrokey HOTP firmware bug https://github.com/osresearch/heads/issues/1167
 MAX_HOTP_GPG_PIN_LENGTH=25
 
-# What are the Security components affected by custom passwords
+# What are the Security components affected by custom passphrases
 CUSTOM_PASS_AFFECTED_COMPONENTS=""
 
 # Default GPG Algorithm is RSA
@@ -56,7 +56,7 @@ handle_mode() {
 		USER_PIN=$CUSTOM_SINGLE_PASS
 		ADMIN_PIN=$CUSTOM_SINGLE_PASS
 		TPM_PASS=$CUSTOM_SINGLE_PASS
-		# User doesn't know this password, really badger them to record it
+		# User doesn't know this passphrase, really badger them to record it
 		MAKE_USER_RECORD_PASSPHRASES=y
 
 		title_text="OEM Factory Reset Mode"
@@ -66,7 +66,7 @@ handle_mode() {
 		USER_PIN=$(generate_passphrase --number_words 2 --max_length $MAX_HOTP_GPG_PIN_LENGTH)
 		ADMIN_PIN=$(generate_passphrase --number_words 2 --max_length $MAX_HOTP_GPG_PIN_LENGTH)
 		TPM_PASS=$ADMIN_PIN
-		# User doesn't know this password, really badger them to record it
+		# User doesn't know this passphrase, really badger them to record it
 		MAKE_USER_RECORD_PASSPHRASES=y
 
 		title_text="User Re-Ownership Mode"
@@ -1261,7 +1261,7 @@ elif [ -z "$luks_new_Disk_Recovery_Key_desired" -a -n "$luks_new_Disk_Recovery_K
 	luks_change_passphrase
 fi
 
-## reset TPM and set password
+## reset TPM and set passphrase
 if [ "$CONFIG_TPM" = "y" ]; then
 	STATUS "Resetting TPM"
 	tpmr reset "$TPM_PASS" >/dev/null 2>/tmp/error
@@ -1461,7 +1461,7 @@ while true; do
 	whiptail --msgbox "$(echo -e "$passphrases" | fold -w $((WIDTH - 5)))" \
 		$HEIGHT $WIDTH --title "Configured secrets"
 	if [ "$MAKE_USER_RECORD_PASSPHRASES" != y ]; then
-		# Passwords were user-supplied or not complex, we do not need to
+		# Passphrases were user-supplied or not complex, we do not need to
 		# badger the user to record them
 		break
 	fi
@@ -1501,6 +1501,6 @@ whiptail --msgbox "${completion_msg}" \
 # Clean LUKS secrets
 luks_secrets_cleanup
 unset luks_passphrase_changed
-unset tpm_owner_password_changed
+unset tpm_owner_passphrase_changed
 
 reboot

initrd/bin/seal-totp

@@ -15,7 +15,7 @@ HOST="$1"
 if [ -z "$HOST" ]; then
 	HOST="TPMTOTP"
 fi
-TPM_PASSWORD="$2"
+TPM_PASSPHRASE="$2"
 
 TOTP_SECRET="/tmp/secret/totp.key"
 TOTP_SEALED="/tmp/secret/totp.sealed"
@@ -50,7 +50,7 @@ DEBUG "Sealing TOTP without PCR6 involvement (LUKS header consistency is not fir
 # pcr 7 is containing measurements of user injected stuff in cbfs
 DEBUG "Sealing TOTP with actual state of PCR7 (User injected stuff in cbfs)"
 tpmr pcrread -a 7 "$pcrf"
-#Make sure we clear the TPM Owner Password from memory in case it failed to be used to seal TOTP
+#Make sure we clear the TPM owner passphrase from memory in case it failed to be used to seal TOTP
 
 # if the board has TPM2 tools, check for the primary handle before
 # attempting to seal; a missing handle is the most common reason for
@@ -61,9 +61,9 @@ fi
 
 # perform sealing via tpmr. Failures may indicate missing primary handle
 # or other TPM state issues. Avoid DO_WITH_DEBUG so interactive prompts
-# (TPM owner password on TPM1) are not hidden from the user.
+# (TPM owner passphrase on TPM1) are not hidden from the user.
 STATUS "Sealing TOTP secret to TPM NVRAM"
-if ! tpmr seal "$TOTP_SECRET" "$TPM_NVRAM_SPACE" 0,1,2,3,4,7 "$pcrf" 312 "" "$TPM_PASSWORD"; then
+if ! tpmr seal "$TOTP_SECRET" "$TPM_NVRAM_SPACE" 0,1,2,3,4,7 "$pcrf" 312 "" "$TPM_PASSPHRASE"; then
 	# tpmr already logged details; guide user generically to reset TPM
 	DIE "Unable to seal TOTP secret to TPM NVRAM; reset the TPM (Options -> TPM/TOTP/HOTP Options -> Reset the TPM in the GUI) and try again."
 fi

initrd/bin/tpm-reset

@@ -3,6 +3,6 @@
 
 NOTE "This will erase all keys and secrets from the TPM"
 
-prompt_new_owner_password
+prompt_new_owner_passphrase
 
-tpmr reset "$tpm_owner_password"
+tpmr reset "$tpm_owner_passphrase"