Make TOTP (+ HOTP) verification possible **without OS** installed

[tlaurion]

It would be nice if we could have TOTP (+ HOTP) verification possible without OS by going through the OEM Factory Reset / Re-Ownership options. It would allow us to have solid root-of-trust from us (OEM) to the end user, even if no OS was chosen. A lot of users order Heads without OS.

From our side, credentials are then separately delivered via different channels (physical paper, email and Signal). Ideally, credentials should be randomly generated.

Originally posted by @wessel-novacustom in https://github.com/linuxboot/heads/discussions/1521#discussioncomment-9083965

[tlaurion]

This is currently limited by several factors, one being that HOTP is stored under /boot as recently reviewed under #1650

@JonathonHall-Purism shared some ideas off-channel.

Might want to chip them in in the referred discussion at https://github.com/linuxboot/heads/discussions/1521#discussioncomment-9083965

[JonathonHall-Purism]

The idea I shared was #1480 - that is, replace reverse HOTP with a TPM signature on the PCR state (=firmware state) and a nonce from the token. That would eliminate the HOTP counter, which is currently stored in /boot and is the reason HOTP doesn't work without an installed OS.

The token would need to support such an operation though.

As a stopgap we could find another place to store the HOTP counter. This would be compatible with existing tokens but loses another benefit of #1480 that the attestation secret never leaves the TPM.

• Could we use a TPM counter? I think this was considered long ago and seems to have been rejected, I'm not sure why
• Could we use flash space? E.g. coreboot smmstore or something specific to this counter. We would want to consider how often sectors get erased so we don't wear out flash. In principle if we dedicated a whole sector to this counter, we should get thousands of counts per erase at least.
• Could we store it on the HOTP token itself somewhere?

[tlaurion]

@daringer @jans23 on previous @JonathonHall-Purism comment?

@JonathonHall-Purism looking at git blame on currently commented code under seal-hotp gives insights on past and reverted implementation. I only Remeber vaguely but that didn't work on TPM1.

[tlaurion]

@JonathonHall-Purism

https://github.com/linuxboot/heads/commit/fe34aba719073ef3710b25627b0acbbb5236815d