-
-
Notifications
You must be signed in to change notification settings - Fork 187
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OEM Factory Reset - operation cannot be done while there is no TPM on the motherboard. #745
Comments
@0rb677 Congrats, you found a bug where CONFIG_TPM is not validated as everywhere else in the code base prior to operation |
@tlaurion I'd fixed that locally and forgot to push a PR, I'll do that shortly |
addressed by #747 |
@0rb677 : merged into #472 Please report success/fail! |
@tlaurion OEM FACTORY RESET can't reset gpg-key, on x220 it works. |
Clear process on x220 |
@0rb677 Implemented this validation. Screenshots provided, coming from x220, is not testing previous PR. |
I dont understand it works with couple of bugs.
So it works? |
@tlaurion congrats it done. but if i do it from recovery shell. |
@tlaurion boot from |
I'm confused with things unrelated to this ticket and not sure of your state with contradictory information, If I recall well, your use case made me create: so make
should show
|
If you flashed a new public key, you changed your rom, measurements are now invalid.
Screenshots are always helpful. |
@tlaurion can you join to channel? It too hard to answer you in so many threads. |
so @0rb677 is having different behaviors when calling the script from command line vs from the GUI. The command line calls are successful from console, while doing it from the GUI results in this: with @MrChromebox : any idea why GUI calling /bin/oem-factory-reset is different then from console calling it, which is functional? |
@tlaurion nothing jumps out at me, will have to take a look |
@0rb677 is that still relevant? |
@0rb677 the kgpe-d16 board is now TPM enabled. So if you want a TPM-less board, you will have to disable TPM inside of the board configs on master. |
Please close this issue or tag me back if still relevant. |
@MrChromebox Im against rubber ducky USB dongle+storage ressembling nitrokey/librem key, able to sed everything in terminal in a glimpse of an eye where users could be totally unaware of what is happening, and make Heads gui-init, modified, lie about its real state as proposed in that PR while a green led would be flashing, yes. AFAIK, even flashrom and sha256sum could be copied from that attached and mounted storageto ramfs with proper keyboard sequences and timings entered from rubber ducky HID input, and even interact in a way to fake expected measurements properly, by example mapping found git commit (obtained from /etc/config) and get the proper measurements stored under hashes.txt files for past commits builds, stored under the attached rubber ducky drive. I think we are loosening security bit too far going the convenience path over security, and detailed the reasoning behind it in that PR. For TPM being dynamically detectable, I have nothing strong against that specific part of that PR following the point you made there. But I would prefer board definitions to specify directly the presence or absence of TPM, without that switch in code even being present at all. And to be frank, I don't really see why it should be dynamic at all but to remove that statement in boards configs. A board comes or doesn't come with a TPM, and in the current state of things, I wouldn't recommend having a USB Security dongle replacing TPM, like I said previously in other tickets, USB is brought too soon with USB keyboard support which was merged, then HID attack possibilities and now TPM dynimically switchable seems to me that we are opening the door for convenience at the cost of real added security. |
@tlaurion we have in fact many older Librem 13v2/v3 models which do not have a TPM, as well as ones that do. Having a separate board definition for those is a logistical nightmare, because many times the users aren't even aware. I'll resubmit the part of the patch setting CONFIG_TPM dynamically at boot as a separate PR if you agree, otherwise I'll just keep the patch in Purism's tree for now |
@tlaurion
TEST inventory : KGPE-D16 and Nitrokey Start
link 1
link 2
The text was updated successfully, but these errors were encountered: