Yubico / yubikey-personalization-gui

YubiKey Personalization GUI
https://developers.yubico.com/yubikey-personalization-gui
BSD 2-Clause "Simplified" License

Slot configuration protection locks itself when updating protection #73

Open u1735067 opened 7 years ago

u1735067 commented 7 years ago

When updating configuration protection, you can end up with a configuration locked while this is not what you configured. Tested on Yubikey 4 Nano v4.3.3

Repro steps

Go to settings > update settings (default untouched settings) > select a slot > select the right protection status (protected + the correct access code if protected, unprotected if unprotected) + keep it that way > click update. As expected, it will work, the slot will keep the protection settings. Now retry 2 more times.

Result

After 3 total "keep it that way" with the correct access code, the slot configuration protection will be locked; the tool returns the same error as when you put in the wrong access code. The only way to put the configuration protection in a working state is to clear the slot, using the access code you set when you set one.

So, by doing an authorized action, with the right access code, the slot configuration protection locks itself.

Also, if you have only 1 slot, or if you lock both slots by doing this, the Yubikey tools are then unable to read the serial number of the key until you reset + reinitialize at least 1 slot. You can still use the slots though, they are kept in the same configuration/key as before the lock.

It seems to act the same as unchecking "Enable updating of Yubikey configuration", except that ability to read serial number is disabled.

Semi-fix

Reset + reinitialize the locked slot(s) -- slot conf is lost

Side issue

If it happens on a slot you configured, you can still reset it. But if it happens on the Yubikey OTP slot, or a slot you have no control over, the issue can be a bit more problematic. As far as I could test, switching slots only works with unprotected slots (or slots set with the same access code?), but as one of the slots is locked, you cannot then swap the slots until you reset the locked slot. And in the case of Yubico OTP (and the VIP thing?), this would make you lose one feature (or official status) of the key.

I don't think this is working as expected?

u1735067 commented 6 years ago

Any news on this? Fixed in the latest firmware maybe?

klali commented 6 years ago

There is no firmware bug that we're aware of affecting this.

There is no way to lock the configuration by multiple invalid attempts with an access code; there is no counter here or anything.

If serial read is disabled after updating that is because the option "Serial # visibility, API call" is not checked on the previous screen. For updating a configuration to work the option "Enable updating of YubiKey configuration" must be checked. If you remove that checkmark and update it will remove the ability to update configuration again.