tpm2-software / tpm2-totp

Attest the trustworthiness of a device against a human using time-based one-time passwords
https://tpm2-software.github.io
BSD 3-Clause "New" or "Revised" License

dist: add mkinitcpio hooks #21

Closed diabonas closed 5 years ago

diabonas commented 5 years ago

Add hooks for mkinitcpio, the tool used by Arch Linux to generate initial ramdisks. The files are upstreamed from the tpm2-totp Arch User Repository (AUR) package. They are only installed if mkinitcpio is found on the system or --with-mkinitcpiodir is set explicitly to the initcpio hooks directory (/etc/initcpio for user files or /usr/lib/initcpio for packages).

codecov[bot] commented 5 years ago

Codecov Report

Merging #21 into master will not change coverage. The diff coverage is n/a.


@@           Coverage Diff           @@
##           master      #21   +/-   ##
=======================================
  Coverage   80.53%   80.53%           
=======================================
  Files           4        4           
  Lines         745      745           
=======================================
  Hits          600      600           
  Misses        145      145


AndreasFuchsTPM commented 5 years ago

How do you like this for the hook file?

    echo 'Verify the TOTP (press any key to continue):'
    # print the current TOTP; only ESAPI errors are logged so the console stays clean
    TSS2_LOG=esys+error tpm2-totp ${tpm2_totp_nvindex:+--nvindex "$tpm2_totp_nvindex"} --time calculate
    # read returns non-zero on the 10 s timeout, so the negation keeps refreshing the
    # code until a key is pressed (-n/-t are bash/BusyBox extensions, not POSIX)
    while ! read -r -n 1 -t 10 key; do
        TSS2_LOG=esys+error tpm2-totp ${tpm2_totp_nvindex:+--nvindex "$tpm2_totp_nvindex"} --time calculate
    done

That way, you always get regular updates if you hit the edge of a time window and it will stay on screen until you've verified...

diabonas commented 5 years ago

Good idea! I

I also tested with my own initial ramdisk to make sure that all the non-POSIX options to read are indeed recognised by the BusyBox ash that is used by mkinitcpio.

AndreasFuchsTPM commented 5 years ago

Cool...

Maybe we can even add a test with busybox?

    source dist/initcpio/hooks/tpm2-totp
    # grep matches one line at a time and does not interpret '\n', so join the two
    # output lines first; the parentheses are escaped because they group in -E patterns
    run_hook | tr '\n' ' ' | grep -E 'Verify the TOTP \(press any key to continue\): [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]]{2}:[[:digit:]]{2}:[[:digit:]]{2}: [[:digit:]]{6}'

And adding busybox as shebang?

diabonas commented 5 years ago

Sounds good, I will try this.
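An added example, not the project's hook file: the run_hook from the thread with its refresh loop written so it keeps showing a fresh code until a key is pressed, plus the output check from the busybox test idea done line by line. tpm2_totp_stub, TOTP_CMD, show_totp and check_hook_output are constructed for this example, and the "YYYY-MM-DD HH:MM:SS: 123456" output shape is assumed from the regex in the thread.

```shell
#!/bin/sh
# Constructed stand-in for "tpm2-totp --time calculate" so the hook can be run
# offline; it prints one line in the shape assumed from the regex in the thread.
tpm2_totp_stub() {
    printf '%s: %06d\n' "$(date -u '+%Y-%m-%d %H:%M:%S')" 123456
}

# Binary to run: the initramfs uses the real tool, a test can point this at the stub.
TOTP_CMD=${TOTP_CMD:-tpm2-totp}

show_totp() {
    # Only ESAPI errors are logged, so the console shows just the prompt and the code.
    TSS2_LOG=esys+error "$TOTP_CMD" ${tpm2_totp_nvindex:+--nvindex "$tpm2_totp_nvindex"} --time calculate
}

# Hook body: print the TOTP, then recompute it every 10 s so a rolled-over time
# window shows a new code, until the user presses a key. read -n/-t are
# BusyBox/bash extensions; read returns non-zero on timeout, hence the negation.
run_hook() {
    echo 'Verify the TOTP (press any key to continue):'
    show_totp
    while ! read -r -n 1 -t 10 key; do
        show_totp
    done
}

# Output check: line 1 must be the prompt, line 2 "date time: six digits".
# Checked per line because grep cannot match a '\n' inside one pattern.
check_hook_output() {
    printf '%s\n' "$1" | sed -n '1p' | grep -qx 'Verify the TOTP (press any key to continue):' &&
    printf '%s\n' "$1" | sed -n '2p' |
        grep -qxE '[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} [[:digit:]]{2}:[[:digit:]]{2}:[[:digit:]]{2}: [[:digit:]]{6}'
}
```

Run it as `TOTP_CMD=tpm2_totp_stub sh -c '. ./hook.sh; run_hook'` to see the prompt refresh without a TPM; in the real image only run_hook and the tpm2-totp call remain.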