
Conversation

@tlaurion
Collaborator

@tlaurion tlaurion commented Nov 6, 2025

Alternative implementation to #1993: add "Timestamp UTC | TOTP code: XXXXXX | Press Esc to continue..." before the TPM DUK passphrase prompt (see screenshot below).

Added function show_totp_until_esc() in etc/functions:

  • Shows "[TIMESTAMP] | TOTP code: XXXXXX | Press Esc to continue..." (pipe-separated).
  • Caches TOTP for 1 second and only redraws when the second changes (avoids flicker).
  • Polls input every 200 ms and returns immediately on ESC, printing a blank line for separation.
  • Shows "TOTP unavailable" when a code cannot be fetched (initial or failure).

QEMU:
./docker_repro.sh make BOARD=qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet USB_TOKEN=Nitrokey3NFC PUBKEY_ASC=pubkey.asc inject_gpg run
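The loop described in the PR body, as an added stand-alone sketch (not the Heads etc/functions code): a pure status-line builder, a per-second cache, a 200 ms keyboard poll and an early return on Esc. TOTP_CMD is an assumption standing in for whatever command produces the code; bash is assumed for the fractional `read -t`.

```shell
#!/bin/bash
# Added example (not Heads' own etc/functions code): the prompt loop the PR
# describes. TOTP_CMD is an assumption: any command that prints a 6-digit
# code on stdout and exits non-zero when the code cannot be produced.
TOTP_CMD="${TOTP_CMD:-false}"   # placeholder; 'false' models "cannot be fetched"

# Print a 6-digit code, or print nothing and return 1 on any failure.
fetch_totp() {
    local code
    code="$($TOTP_CMD 2>/dev/null)" || return 1
    case "$code" in
        [0-9][0-9][0-9][0-9][0-9][0-9]) printf '%s' "$code" ;;
        *) return 1 ;;
    esac
}

# Compose the pipe-separated status line. $1 = timestamp text, $2 = code
# ("" when unavailable). Pure function so it can be checked without a TTY.
totp_status_line() {
    local code_part
    if [ -n "$2" ]; then
        code_part="TOTP code: $2"
    else
        code_part="TOTP unavailable"
    fi
    printf '%s | %s | Press Esc to continue...' "$1" "$code_part"
}

# Redraw only when the wall-clock second changes (so the TOTP is fetched at
# most once per second), poll the keyboard every 200 ms, return on Esc.
show_totp_until_esc() {
    local last_sec="" now now_sec key code line
    while :; do
        now="$(date -u '+%s %Y-%m-%d %H:%M:%S UTC')"   # one call: epoch + text
        now_sec="${now%% *}"
        if [ "$now_sec" != "$last_sec" ]; then
            last_sec="$now_sec"
            code="$(fetch_totp)" || code=""
            line="$(totp_status_line "${now#* }" "$code")"
            printf '\r\033[K%s' "$line"   # overwrite in place, no flicker/scroll
        fi
        # -t 0.2 needs bash >= 4; read fails on timeout so the loop keeps polling.
        if read -r -s -n 1 -t 0.2 key && [ "$key" = $'\033' ]; then
            printf '\n'                   # blank line before the DUK prompt
            return 0
        fi
    done
}
```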


@Tonux599

…re prompting for TPM DUK passphrase

Added function show_totp_until_esc() in etc/functions:
- Shows "[TIMESTAMP] | TOTP code: XXXXXX | Press Esc to continue..." (pipe-separated).
- Caches TOTP for 1 second and only redraws when the second changes (avoids flicker).
- Polls input every 200 ms and returns immediately on ESC, printing a blank line for separation.
- Shows "TOTP unavailable" when a code cannot be fetched (initial or failure).

Signed-off-by: Thierry Laurion <[email protected]>
@tlaurion
Collaborator Author

tlaurion commented Nov 6, 2025

@Tonux599 hmmm just saw your comment at #1993 (comment)

@tlaurion
Collaborator Author

@Tonux599 I think all those implementations are complementary and not competing?

Reasoning:

  • having TOTP shown while waiting for the autoboot delay is good (but autoboot is limited to HOTP being validated for now in the current codebase; your suggestion goes there)
  • having TOTP shown until the Escape key is pressed is good prior to typing the TPM DUK passphrase (you don't use it, nor HOTP; suggestions welcome; this is what most Heads users are expected to use: HOTP+TPM DUK)

I think I prefer this PR if I had to choose one implementation (at the end of the day, TPM DUK validates more measurements than HOTP, and the TPM DUK goal is to have a safe space to type a decryption key passphrase that is not the LUKS Disk Recovery Key passphrase, so it cannot be used, if captured, to decrypt the disk when the disk is extracted from the platform).

Please dump some thoughts @Tonux599 :)
