Open tlaurion opened 2 months ago
This is currently limited by several factors, one being that HOTP is stored under /boot as recently reviewed under #1650
@JonathonHall-Purism shared some ideas off-channel.
Might want to chip them in in the referred discussion at https://github.com/linuxboot/heads/discussions/1521#discussioncomment-9083965
The idea I shared was #1480 - that is, replace reverse HOTP with a TPM signature on the PCR state (=firmware state) and a nonce from the token. That would eliminate the HOTP counter, which is currently stored in /boot and is the reason HOTP doesn't work without an installed OS.
The token would need to support such an operation though.
As a stopgap we could find another place to store the HOTP counter. This would be compatible with existing tokens but loses another benefit of #1480 that the attestation secret never leaves the TPM.
@daringer @jans23 on previous @JonathonHall-Purism comment?
@JonathonHall-Purism looking at git blame on currently commented code under seal-hotp gives insights on past and reverted implementation. I only Remeber vaguely but that didn't work on TPM1.
@JonathonHall-Purism
https://github.com/linuxboot/heads/commit/fe34aba719073ef3710b25627b0acbbb5236815d
Originally posted by @wessel-novacustom in https://github.com/linuxboot/heads/discussions/1521#discussioncomment-9083965