(WIP) initrd: fix TPM1/TPM2 add DA lockout handling/gating and test tooling#2124
Draft
tlaurion wants to merge 1 commit into
Conversation
- tpm1_counter_increment: empty -pwdc '' bypasses _tpm_auth_retry and calls tpm directly per TCG spec. Non-empty passphrase or no -pwdc falls through to owner-auth retry path (migration for counters created by pre-fix code).
- tpm1_bad_auth: emit STATUS when lockout detected or counter ID missing, instead of silent DEBUG-only return. STATUS deduplicated with marker file for loop safety. On lockout, queries da_state and shows remaining duration when available.
- tpm1_da_state: convert raw hex firmware version (0x0D.0x0C) to human-readable decimal (13.12) in all output and log messages.
- tpm1_da_state: when state=1 but timer is 0 or empty, print "duration unknown on this TPM" instead of misleading "0s remaining".
- tpm1_da_state: declare rev_major_dec/rev_minor_dec as local variables and normalize variable names to match tpm2_da_state conventions.
- tpm2_da_state: declare interval_hex, recovery_hex, interval, recovery as local variables (previously leaked into global scope).
- da_state output in bad_auth: extract only the => summary line for STATUS on console and the DA: machine line for DEBUG in log. Avoids duplicate re-emission of diagnostic lines already logged internally.
- tpm1_unseal: detect DA lockout from unseal failure output ("defend lock"), emit WARN, query da_state for remaining time, set marker file so callers show lockout-specific guidance instead of generic reseal.
- gui-init.sh update_totp: when marker present, show DA-lockout-specific whiptail with TCG exponential backoff guidance instead of generic OEM reset message. Shows exact remaining time when da_state provides it.
- unseal-totp.sh: check DA lockout marker and show lockout-specific fail_unseal message.
- recovery shell: show concise DA state summary at STATUS (not INFO) level so it reaches console in Quiet mode.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
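The parsing of the `DA:` machine line and the "duration unknown on this TPM" case described in the commit message, as an added POSIX sh example that is not Heads' own code: the field names `current=`, `threshold=` and `timer=` come from the review snippet on this page, while the `state=` field, the lock rule used when `state=` is absent, and the exact wording of the `=>` summary line are assumptions.

```sh
#!/bin/sh
# Added example, not from the Heads tpmr.sh. Values in the constructed sample
# lines are decimal; the real tpmr.sh da_state output format is only partly
# known from the page (fields current=, threshold=, timer=).

# da_field LINE NAME -> value of NAME=... or empty when the field is absent.
# `sed -n ... p` is used so a missing field yields "" rather than the whole line.
da_field() {
	printf '%s\n' "$1" | sed -n "s/.*$2=\([^ ]*\).*/\1/p"
}

# da_summary LINE -> a single "=>" summary line suitable for STATUS output.
# Locked when state=1 (assumed field), or, if state= is absent, when the
# failed-auth count has reached the threshold (assumed rule). On lockout,
# a timer that is 0 or empty means the firmware did not report a duration.
da_summary() {
	line="$1"
	state=$(da_field "$line" state)
	current=$(da_field "$line" current)
	threshold=$(da_field "$line" threshold)
	timer=$(da_field "$line" timer)

	if [ -z "$current" ] || [ -z "$threshold" ]; then
		echo "=> DA state unavailable"
		return 0
	fi

	locked=0
	if [ "$state" = "1" ]; then
		locked=1
	elif [ -z "$state" ] && [ "$current" -ge "$threshold" ]; then
		locked=1
	fi

	if [ "$locked" -eq 1 ]; then
		if [ -z "$timer" ] || [ "$timer" = "0" ]; then
			echo "=> DA lockout active: duration unknown on this TPM"
		else
			echo "=> DA lockout active: ${timer}s remaining"
		fi
	else
		echo "=> DA state: $current/$threshold failed auths, not locked"
	fi
}
```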
Pull request overview
This PR updates Heads initrd TPM handling to fix a TPM1 rollback-counter auth regression and add dictionary-attack (DA) lockout detection/reporting across TPM flows (including UI feedback and recovery-shell visibility).
Changes:
- Switch TPM1 rollback counter creation/increment to use empty counter auth (`-pwdc ''`) per spec, with a migration fallback for older counters.
- Add DA lockout state querying (`tpmr.sh da_state`) and propagate lockout markers/messages into recovery + GUI flows.
- Expand TPM wrapper docs and add helper commands (`da_state`, `bad_auth`) for diagnostics.
Reviewed changes
Copilot reviewed 2 out of 7 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| initrd/etc/functions.sh | Adds recovery DA-state output and preflight DA checks before counter increment; changes TPM1 counter auth behavior. |
| initrd/bin/tpmr.sh | Implements TPM1/TPM2 DA-state queries, TPM1 empty-auth counter increment behavior, DA lockout detection markers, and diagnostic helpers. |
| initrd/bin/gui-init.sh | Adds DA-lockout-specific whiptail flow when TOTP unseal fails and a lockout marker is present. |
| initrd/bin/unseal-totp.sh | Adds explanatory comments about DA lockout marker handling around TPM1 unseal failures. |
| initrd/bin/oem-factory-reset.sh | Creates TPM counter with empty counter auth (-pwdc ''). |
| initrd/bin/tpm-reset.sh | Adds guidance/TODO notes clarifying CLI reset scope vs. GUI reprovisioning. |
| doc/tpm.md | Expands TPM wrapper documentation and adds auth-retry / reset / DA-lockout explanations. |
Comment on lines +2095 to +2101
| if [ "$CONFIG_TPM" = "y" ]; then | ||
| local da_line da_current da_threshold da_timer | ||
| da_line="$(tpmr.sh da_state 2>/dev/null | grep '^DA: ')" | ||
| da_current=$(echo "$da_line" | sed 's/.*current=\([^ ]*\).*/\1/') | ||
| da_threshold=$(echo "$da_line" | sed 's/.*threshold=\([^ ]*\).*/\1/') | ||
| # With sed -n /p, da_timer stays empty when timer= field absent (TPM2 clean) | ||
| da_timer=$(echo "$da_line" | sed -n 's/.*timer=\([^ ]*\).*/\1/p') |
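Review bot: the `da_current` and `da_threshold` extractions use `sed 's/...\/\1/'` without `-n`/`p`, so when `da_line` is non-empty but lacks a `current=` or `threshold=` field each variable ends up holding the entire `DA:` line instead of an empty string, and anything that later compares them numerically will misbehave; the `da_timer` line two rows down already uses the `sed -n 's/.*timer=\([^ ]*\).*/\1/p'` form, so apply the same form to all three fields for consistency, and consider wrapping the extractions in `[ -n "$da_line" ]` so a failing or absent `tpmr.sh da_state` (its stderr is already discarded by `2>/dev/null`) takes an explicit "unavailable" path rather than leaving three empty variables.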
WIP to fix #2123