Provisioning Yubikey 5 Nano for Heads configuration #102
Comments
Is there any reason why https://osresearch.net/Configuring-Keys/#no-public-key-found-in-rom is not answering your question? Which Yubikey, please? (Please modify the issue title so that others find this issue.) Know that you might face linuxboot/heads#1076. Let us know.
I suggested a workaround there, but the user who opened the issue didn't follow through, and I do not own a Yubikey myself.
@tlaurion Okay, I have changed the issue title. Is it good now, or should I modify it again? I also don't really understand that part of https://osresearch.net/Configuring-Keys/#no-public-key-found-in-rom: You can either:
Does it mean that, if we choose OEM factory reset/re-ownership, or OEM factory reset/re-ownership, the next step is to add the GPG key to the running BIOS?
Basically, I would love to know if forcesig is on: gpg --card-status. Then we could go for an image to test and fix the issue. Since Heads bonds more nicely to Nitrokey Pro and Librem Keys, no other bug report having happened and the discussion having stopped over there left the issue unfixed. Please try the OEM factory reset/Re-ownership wizard and report back in the same issue/PR to advance the discussion. Tag me there as well and I'll try to fix the code for you to test an image. Which board?
The OEM factory reset/re-ownership provisions the USB security dongle if it is in factory state, or re-owns it, including keypair generation with your personal information, resulting in an exported public key. No public key = no provisioned state. What would need to be clearer? Without a keypair (private key in smartcard, public key exported) with a real name, email address and optional comment, and passphrases, the dongle cannot really be used. Under Heads, the private key signs with authentication, and the public key is injected in ROM to verify the detached signed digest. Without provisioning your Yubikey, the PINs are the default ones and no keypair exists, so it cannot be used under Heads. I see that the wiki implies that one knows GPG. How would you put that in its simplest form so you would have understood that from the quoted text?
Signature PIN: not forced
x230
okay
Okay, I understand better now, thanks. I thought that the Yubikey would have contained an original private key before provisioning. Maybe if we modify the wiki, it will be better, such as: note that a factory-state USB security dongle contains no key inside; if your USB security dongle is in factory state, it means it has not been provisioned, but if you already have a provisioned USB security dongle and the backed-up GPG public key,
@tlaurion I have followed the solution in "oem factory reset fail", but there are other issues, so I will open a ticket.
So basically, you confirm that the code is not dealing properly with the Yubikey 5 Nano, and that linuxboot/heads#1076 (comment) is still valid and that a code fix is needed?
@tlaurion I didn't try OEM factory reset without forcesig,
Just some notes for a simple test that could be implemented after factory reset of the card under linuxboot/heads#1076 (comment). Add the forcesig function in the script:
Then add after https://github.com/osresearch/heads/blob/32e70316785f599e28c38c62a3ac72ba5f7acb27/initrd/bin/oem-factory-reset#L607
OK @tlaurion, I will try without forcesig to make sure, then apply the additional script above.
That should be implemented first and tested. Reopening the issue; modified the OP to include a link to the implementation needed at #102 (comment).
To implement: needs a forcesig check and toggle if disabled so that factory reset works in all cases: #102 (comment)
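One way to implement the forcesig check and toggle discussed above, as an added example that is not code from the Heads repository: it parses the "Signature PIN" line of gpg --card-status output and only runs the card-edit "forcesig" admin command when the flag reads "not forced". The function names, the constructed sample lines and the non-interactive --command-fd invocation of gpg --card-edit are assumptions, not taken from oem-factory-reset.

```shell
#!/bin/sh
# Added example (not from Heads): check the OpenPGP card's forcesig flag from
# `gpg --card-status` output and toggle it only when it is off.

# Constructed sample lines in the shape `gpg --card-status` prints them; label
# padding differs between gpg versions, so the parser accepts both spellings.
SAMPLE_FORCED='Signature PIN ....: forced'
SAMPLE_NOT_FORCED='Signature PIN: not forced'

# card_forcesig_state STATUS_TEXT
# Prints "forced" or "not forced" from the Signature PIN line; empty if absent.
card_forcesig_state() {
    printf '%s\n' "$1" \
        | sed -n 's/^Signature PIN[ .]*: *\(.*\)$/\1/p' \
        | sed 's/[[:space:]]*$//' \
        | head -n 1
}

# forcesig_enabled STATUS_TEXT
# Exit status: 0 = forced (what Heads needs), 1 = not forced, 2 = no card line.
forcesig_enabled() {
    case "$(card_forcesig_state "$1")" in
        forced)       return 0 ;;
        "not forced") return 1 ;;
        *)            return 2 ;;
    esac
}

# toggle_forcesig: send the admin "forcesig" command to gpg --card-edit
# non-interactively (assumed invocation; gpg prompts for the Admin PIN).
toggle_forcesig() {
    printf 'admin\nforcesig\nquit\n' \
        | gpg --card-edit --command-fd 0 --status-fd 2 >/dev/null
}

# ensure_forcesig: the step a provisioning script would run before generating
# keys on the card. Re-reads the card after toggling instead of trusting gpg.
ensure_forcesig() {
    status="$(gpg --card-status 2>/dev/null)" || return 2
    rc=0
    forcesig_enabled "$status" || rc=$?
    case "$rc" in
        0) echo "forcesig already enabled"; return 0 ;;
        1) echo "forcesig disabled, toggling it"
           toggle_forcesig || return 1
           forcesig_enabled "$(gpg --card-status 2>/dev/null)" ;;
        *) echo "no OpenPGP card detected" >&2; return 2 ;;
    esac
}
```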
Hi @tlaurion
I see the Heads wiki has been improved a lot compared to before, and it is great.
Do you mind adding steps about how to provision a new Yubikey and export its public key?
Or maybe there are some good references about that?
Do we have to choose between using the original private key in the Yubikey,
or generating a key, then storing it inside the Yubikey?