diff --git a/initrd/bin/factory-reset-libremkey.sh b/initrd/bin/factory-reset-libremkey.sh
index 028acb057..6a442ea88 100755
--- a/initrd/bin/factory-reset-libremkey.sh
+++ b/initrd/bin/factory-reset-libremkey.sh
@@ -4,8 +4,8 @@ set -e -o pipefail
 . /etc/functions
 . /tmp/config
-if (whiptail $CONFIG_WARNING_BG_COLOR --clear --title 'Factory Reset and reownership of USB security token' \
- --yesno "You are about to factory reset your USB security token!\n\nThis will:\n 1. Wipe all PRIVATE keys that were previously kept inside USB security token\n 2. Set default key size to 4096 bits (maximum)\n 3. Set two passphrases to interact with the card:\n 3.1: An administrative passphrase used to manage the card\n 3.2: A user passphrase (PIN) used everytime you sign\n encrypt/decrypt content\n4. Generate new Encryption, Signing and Authentication keys\n inside your USB security token\n5. Export associated public key into mounted /media/gpg_keys/, replace the\n one being present and trusted inside running BIOS, and reflash\n ROM with resulting image.\n\nAs a result, the running BIOS will be modified. Would you like to continue?" 30 90) then
+if (whiptail $CONFIG_WARNING_BG_COLOR --clear --title 'Factory Reset and reownership of USB security dongle' \
+ --yesno "You are about to factory reset your USB security dongle!\n\nThis will:\n 1. Wipe all PRIVATE keys that were previously kept inside USB security dongle\n 2. Set default key size to 4096 bits (maximum)\n 3. Set two passphrases to interact with the card:\n 3.1: An administrative passphrase used to manage the card\n 3.2: A user passphrase (PIN) used everytime you sign\n encrypt/decrypt content\n4. Generate new Encryption, Signing and Authentication keys\n inside your USB security dongle\n5. Export associated public key into mounted /media/gpg_keys/, replace the\n one being present and trusted inside running BIOS, and reflash\n ROM with resulting image.\n\nAs a result, the running BIOS will be modified. Would you like to continue?" 30 90) then
 mount-usb || die "Unable to mount USB device."
 #Copy generated public key, private_subkey, trustdb and artifacts to external media for backup:
@@ -32,7 +32,7 @@ if (whiptail $CONFIG_WARNING_BG_COLOR --clear --title 'Factory Reset and reowner
 while [[ "$gpgcard_user_pass1" != "$gpgcard_user_pass2" ]] || [[ ${#gpgcard_user_pass1} -lt 6 || ${#gpgcard_user_pass1} -gt 20 ]];do
 {
- echo -e "\nChoose your new USB security token's GPG PIN. You will type this when using USB security token (signing files, encrypting emails and files).\nIt needs to be a least 6 but not more then 20 characters:"
+ echo -e "\nChoose your new USB security dongle's GPG PIN. You will type this when using USB security dongle (signing files, encrypting emails and files).\nIt needs to be a least 6 but not more then 20 characters:"
 read -s gpgcard_user_pass1
 echo -e "\nRetype user passphrase:"
 read -s gpgcard_user_pass2
@@ -42,7 +42,7 @@ if (whiptail $CONFIG_WARNING_BG_COLOR --clear --title 'Factory Reset and reowner
 while [[ "$gpgcard_admin_pass1" != "$gpgcard_admin_pass2" ]] || [[ ${#gpgcard_admin_pass1} -lt 8 || ${#gpgcard_admin_pass1} -gt 20 ]]; do
 {
- echo -e "\nChoose your new GPG admin password. You will type this when managing the USB security token (HOTP sealing, managing key, etc).\nIt needs to be a least 8 but not more then 20 characters:"
+ echo -e "\nChoose your new GPG admin password. You will type this when managing the USB security dongle (HOTP sealing, managing key, etc).\nIt needs to be a least 8 but not more then 20 characters:"
 read -s gpgcard_admin_pass1
 echo -e "\nRetype GPG admin password:"
 read -s gpgcard_admin_pass2
@@ -87,7 +87,7 @@ if (whiptail $CONFIG_WARNING_BG_COLOR --clear --title 'Factory Reset and reowner
 mkdir -p /media/gpg_keys
 #Generate Encryption, Signing and Authentication keys
- whiptail --clear --title 'USB security token GPG key generation' --msgbox \
+ whiptail --clear --title 'USB security dongle GPG key generation' --msgbox \
 "Generating 4096 bits for encryption, signing and authentication keys.\nPLEASE BE PATIENT! This step takes around 15 minutes.\n\nHit Enter to continue" 30 90
 confirm_gpg_card
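Review bot: The rewritten user-PIN prompt in the -32 hunk still reads `a least 6 but not more then 20 characters`, and the rewritten admin prompt in the -42 hunk carries the same wording; since both lines are being retouched anyway, fix the typos at the same time: `It needs to be at least 6 but not more than 20 characters:` and `It needs to be at least 8 but not more than 20 characters:`. The bounds in both messages match the `-lt 6`/`-lt 8` and `-gt 20` checks in the `while` conditions on the context lines, so only the wording changes. Both `while` loop bodies continue past their hunks.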
@@ -98,7 +98,7 @@ if (whiptail $CONFIG_WARNING_BG_COLOR --clear --title 'Factory Reset and reowner
 echo factory-reset
 echo y
 echo yes
- } | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit --home=/.gnupg/ || die "Factory resetting the USB security token failed."
+ } | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit --home=/.gnupg/ || die "Factory resetting the USB security dongle failed."
 #Setting new admin and user passwords in GPG card
 {
@@ -113,7 +113,7 @@ if (whiptail $CONFIG_WARNING_BG_COLOR --clear --title 'Factory Reset and reowner
 echo "$gpgcard_admin_pass"
 echo "$gpgcard_admin_pass"
 echo Q
- } | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit --home=/.gnupg/ || die "Setting new GPG admin and user PINs in USB security token failed."
+ } | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit --home=/.gnupg/ || die "Setting new GPG admin and user PINs in USB security dongle failed."
 #Set GPG card key attributes key sizes to 4096 bits
 {
@@ -128,7 +128,7 @@ if (whiptail $CONFIG_WARNING_BG_COLOR --clear --title 'Factory Reset and reowner
 echo 1 # RSA
 echo 4096 #Authentication key size set to maximum supported by SmartCard
 echo "$gpgcard_admin_pass"
- } | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit --home=/.gnupg/ || die "Setting key attributed to RSA 4096 bits in USB security token failed."
+ } | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit --home=/.gnupg/ || die "Setting key attributed to RSA 4096 bits in USB security dongle failed."
 {
 echo admin
diff --git a/initrd/bin/gpg-gui.sh b/initrd/bin/gpg-gui.sh
index 4589185d7..5b9feb14c 100755
--- a/initrd/bin/gpg-gui.sh
+++ b/initrd/bin/gpg-gui.sh
@@ -106,9 +106,9 @@ while true; do
 'r' ' Add GPG key to running BIOS + reflash' \
 'a' ' Add GPG key to standalone BIOS image + flash' \
 'l' ' List GPG keys in your keyring' \
- 'm' ' Manually generate GPG keys on a USB security token' \
- 'o' ' OEM Factory reset + auto keygen USB security token' \
- 'F' ' Factory Reset USB security token GPG Card + keygen + flash' \
+ 'm' ' Manually generate GPG keys on a USB security dongle' \
+ 'o' ' OEM Factory reset + auto keygen USB security dongle' \
+ 'F' ' Factory Reset USB security dongle GPG Card + keygen + flash' \
 'x' ' Exit' \
 2>/tmp/whiptail || recovery "GUI menu failed"
@@ -198,7 +198,7 @@ while true; do
 ;;
 "o" )
 if (whiptail $CONFIG_WARNING_BG_COLOR --title 'WARNING: Factory Reset USB Security Token?' \
- --yesno "This will perform a FACTORY RESET of the USB security token!\n\nThis will:\n1. Reset all security token passwords to default\n2. Erase any keys on the security token\n3. Generate new automated GPG keys on the token\n\nPLEASE NOTE: Any data now on the USB security token will be lost!\n\nDo you want to proceed?" 16 120) then
+ --yesno "This will perform a FACTORY RESET of the USB security dongle!\n\nThis will:\n1. Reset all security token passwords to default\n2. Erase any keys on the security token\n3. Generate new automated GPG keys on the token\n\nPLEASE NOTE: Any data now on the USB security dongle will be lost!\n\nDo you want to proceed?" 16 120) then
 confirm_gpg_card
 gpg_sc_oem_reset
 if [ $? -eq 0 ]; then
diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init
index f7d00a4ee..577c59208 100755
--- a/initrd/bin/gui-init
+++ b/initrd/bin/gui-init
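Review bot: The new `--yesno` text in the -198 hunk of gpg-gui.sh is inconsistent with itself: it now says `USB security dongle` in its first and last sentences, while items 1–3 of the same dialog still say `security token` and `the token`, and the `--title` on the preceding context line still reads `'WARNING: Factory Reset USB Security Token?'`. If the rename is meant to be complete, the title and the three list items should use the same term in this one dialog, e.g. `--title 'WARNING: Factory Reset USB Security Dongle?'` and `1. Reset all security dongle passwords to default`. The enclosing `"o" )` case arm and the `while true` loop extend beyond the hunk.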
@@ -107,12 +107,12 @@ update_totp()
 echo "Scan the QR code to add the new TOTP secret"
 /bin/seal-totp $CONFIG_BOARD
 if [ -x /bin/libremkey_hotp_verification ]; then
- echo "Once you have scanned the QR code, hit Enter to configure your USB security token."
+ echo "Once you have scanned the QR code, hit Enter to configure your USB security dongle."
 read
 /bin/seal-libremkey
 #Sometimes HOTP sealing fails. We do until it works.
 while [ $? -ne 0 ];do
- echo -e "\n\nSealing HOTP secret into USB security token failed. Let's try again by resealing both TOTP and HOTP."
+ echo -e "\n\nSealing HOTP secret into USB security dongle failed. Let's try again by resealing both TOTP and HOTP."
 update_totp
 /bin/seal-libremkey
 done
@@ -205,7 +205,7 @@ while true; do
 HOTP=`unseal-hotp`
 enable_usb
 if ! libremkey_hotp_verification info ; then
- whiptail $CONFIG_WARNING_BG_COLOR --clear --title 'WARNING: Please insert your USB security token.' --msgbox "Your USB security token was not detected.\n\nPlease insert your USB security token." 30 90
+ whiptail $CONFIG_WARNING_BG_COLOR --clear --title 'WARNING: Please insert your USB security dongle.' --msgbox "Your USB security dongle was not detected.\n\nPlease insert your USB security dongle." 30 90
 fi
 # Don't output HOTP codes to screen, so as to make replay attacks harder
 libremkey_hotp_verification check $HOTP
@@ -218,7 +218,7 @@ while true; do
 MAIN_MENU_BG_COLOR=$CONFIG_ERROR_BG_COLOR
 ;;
 * )
- HOTP="Error checking code. Insert USB security token and retry."
+ HOTP="Error checking code. Insert USB security dongle and retry."
 MAIN_MENU_BG_COLOR=$CONFIG_WARNING_BG_COLOR
 ;;
 esac
diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key
index d4ac39a73..233dc148c 100755
--- a/initrd/bin/kexec-seal-key
+++ b/initrd/bin/kexec-seal-key
@@ -98,8 +98,8 @@ cat "$KEY_DEVICES" | cut -d\ -f1 | xargs /bin/qubes-measure-luks \
 || die "Unable to measure the LUKS headers"
 luks_pcr=`tpm calcfuturepcr -ix 16 -if /tmp/luksDump.txt`
-# HOTP-enabled USB security token loads USB modules which changes PCR5.
-# In the event HOTP-enabled USB security token is enabled, skip verification of PCR5
+# HOTP-enabled USB security dongle loads USB modules which changes PCR5.
+# In the event HOTP-enabled USB security dongle is enabled, skip verification of PCR5
 if [ -x /bin/libremkey_hotp_verification ]; then
 pcr_5="X"
 else
diff --git a/initrd/bin/kexec-sign-config b/initrd/bin/kexec-sign-config
index 0d670d18c..128b93675 100755
--- a/initrd/bin/kexec-sign-config
+++ b/initrd/bin/kexec-sign-config
@@ -48,7 +48,7 @@ if [ -z "$param_files" ]; then
 die "$paramsdir: No kexec parameter files to sign"
 fi
-echo -e "\nEnrolled USB security token will now use GPG to digitally sign /boot config files for future tamper evidence."
+echo -e "\nEnrolled USB security dongle will now use GPG to digitally sign /boot config files for future tamper evidence."
 echo -e "As a result, Heads will prompt you to resign those files if any modification is detected at each reboot.\n"
 echo -e "Please note that system updates will modify boot configurations. The kernel, initrd, Xen and grub files are normally modified."
 echo -e "As a consequence, it is recommended that you reboot and sign /boot configuration changes after upgrading system components."
@@ -56,7 +56,7 @@ echo -e "Heads will prompt you on reboot to resign those files to attest that yo
 if [ -z "$oem_gpg_User_PIN" ]; then
 for tries in 1 2 3; do
- echo -e "\nPlease enter your USB security token's GPG User PIN to unlock card and sign /boot config files."
+ echo -e "\nPlease enter your USB security dongle's GPG User PIN to unlock card and sign /boot config files."
 if sha256sum $param_files | gpg \
 --digest-algo SHA256 \
 --detach-sign \
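Review bot: The reworded comment in the kexec-seal-key hunk still describes the trigger as `In the event HOTP-enabled USB security dongle is enabled`, but the condition on the next context line is `[ -x /bin/libremkey_hotp_verification ]`, i.e. whether the HOTP verifier binary is present in the image, not whether a dongle is plugged in. Because this branch sets `pcr_5="X"` and so drops PCR5 from what the disk key is sealed against, the comment should name the actual trigger so a reader does not assume the exclusion is conditional on hardware: `# If the image ships the HOTP verifier (/bin/libremkey_hotp_verification), USB modules get` / `# loaded and change PCR5, so PCR5 is skipped whether or not a dongle is actually present.` The `if`/`else` continues past the hunk.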
diff --git a/initrd/bin/seal-libremkey b/initrd/bin/seal-libremkey
index 920178a78..38832f0ca 100755
--- a/initrd/bin/seal-libremkey
+++ b/initrd/bin/seal-libremkey
@@ -50,17 +50,17 @@ counter_value=1
 enable_usb
 if ! libremkey_hotp_verification info ; then
- echo "Insert your USB security token and press Enter to configure it."
+ echo "Insert your USB security dongle and press Enter to configure it."
 read
 if ! libremkey_hotp_verification info ; then
 # don't leak key on failure
 shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
- die "Unable to find USB security token."
+ die "Unable to find USB security dongle."
 fi
 fi
 if [ -z "$oem_gpg_Admin_PIN" ]; then
- read -s -p "Enter your USB security token's Admin PIN." admin_pin
+ read -s -p "Enter your USB security dongle's Admin PIN." admin_pin
 echo
 else
 admin_pin=$(echo -n "$oem_gpg_Admin_PIN")
@@ -95,7 +95,7 @@ echo $counter_value > $HOTP_COUNTER \
 #|| die "Unable to create HOTP counter file"
 mount -o remount,ro /boot
-echo "USB security token initialized with HOTP successfully. Press Enter to continue."
+echo "USB security dongle initialized with HOTP successfully. Press Enter to continue."
 read
 exit 0
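Review bot: The rewritten `read -s -p "Enter your USB security dongle's Admin PIN." admin_pin` in the -50 hunk reads without `-r`, so a backslash typed as part of the Admin PIN is consumed as an escape and `admin_pin` no longer matches what the user entered; the prompt also ends with a period and no space, so the (hidden) input runs straight on from the sentence. Since the line is being rewritten anyway, suggest `read -r -s -p "Enter your USB security dongle's Admin PIN: " admin_pin`. The `else` branch of the enclosing `if [ -z "$oem_gpg_Admin_PIN" ]` continues past the hunk.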