Allow factory reset/pin change without user presence #41

Open
nestire opened this issue Nov 13, 2024 · 4 comments
Labels
enhancement New feature or request

Comments

@nestire

nestire commented Nov 13, 2024

see also #36

Reason behind this is to allow for a mostly seamless owner change.

This might not be possible with the current firmware of the nk3 and may also need some more thought, since enabling this could essentially allow any process able to talk to the nk3 to destroy all saved secrets or reset the PIN to a value unknown to the user, without user interaction.

So this issue is more for a discussion if this is even possible in a good way.

@nestire nestire added the enhancement New feature or request label Nov 13, 2024
@nestire nestire changed the title Allow factory reset/pin change without user pressents Allow factory reset/pin change without user presence Nov 13, 2024
@tlaurion
Contributor

tlaurion commented Nov 13, 2024

@nestire : Glad you opened this issue.

My reasoning is to compare the nk3 with nk2/librem key once more for regression on remote attestation/re-ownership with heads use case in mind.

Before, reverse sealing HOTP into the USB Security Dongle only required a valid GPG Admin PIN, which otherwise was decrementing the GPG Admin PIN counter from 3 to 0, where 0 required resetting the dongle (unless a reset code was added to the OpenPGP smartcard, which oem-factory-reset never implemented because meh, yet another PIN/secret to remember). But now we have a new PIN to deal with, so we should implement this correctly, and if secrets are stored in the USB Security Dongle, then them not being usable after a reset would be a clear sign of tamper evidence, no?

1. In which way is touch better than authenticating, which validates user presence in a better way?
2. In which way is this any different than gpg being able to reset the OpenPGP card from the OS / nitropy nk3 secret reset from the OS, but with touch?

- I get the concern which may have led to enforcing physical presence in nk3 for the FIDO use case and for other secrets, now with additional PINs for different credentials (complexity++)
  - But I would first need to understand the reasoning that led to enforcing physical presence + authentication and how this was an improvement over nk2 for remote attestation/re-ownership.
- If re-ownership sets the same PIN for different credentials, then an evil maid can test the PIN across different credentials for success with a known PIN (8 attempts for the secrets app Admin PIN, 3 for the GPG Admin PIN, lessening security vs nk2 which was 3 for the Admin PIN and that's it, 0 = lockout).

The main problem I see is a user not using his key for anything other than HOTP, where resetting the dongle would not be noticed from an oem-reownership (Heads factory reset) where firmware would be tampered with. There is no simple solution to that today, and the current physical presence requirement doesn't stop anybody having access to an unattended dongle from resetting it on a second computer with nitropy, today.

But if the secrets are wiped on the dongle for 2FA: the user would notice on daily usage, no? Even so if oem-factory-reset'ting the dongle when user attempts to use dongle to authenticate on websites?

TLDR: what is the added security provided by physical presence vs gpg --factory-reset on same dongle, or nitropy nk3 secret reset today. Raise the bar of time needed to accomplish same action?

@daringer
Collaborator

we can look into this mid-term, this is a firmware change

@tlaurion
Contributor

tlaurion commented Nov 18, 2024

@nestire then another issue needs to be opened, separating the need for factory reset of the secure element from physical presence.

A `nitropy nk3 secret reset` equivalent should be implemented into hotp-verification, which would not be bound to physical presence and not bound to a new firmware version.

Heads needs to be able to do an OEM factory reset of HOTP (seal the secret prior to shipping), and re-ownership needs to be able to reset that, just like the gpg PINs.

For feature freeze: oem will not have a completely unattended experience provisioning randomized secrets because of lack of firmware update, but at least they will be able to seal that secret, and end users be able to reown that part as expected without nk3 being a regression as compared to nk2 for transfer of ownership.

@tlaurion
Contributor

> For feature freeze: oem will not have a completely unattended experience provisioning randomized secrets because of lack of firmware update, but at least they will be able to seal that secret, and end users be able to reown that part as expected without nk3 being a regression as compared to nk2 for transfer of ownership.

Will not land for linuxboot/heads#1850 (unattended OEM/re-ownership won't be possible until this is fixed); consequently it won't be part of feature freeze linuxboot/heads#1827.

So linuxboot/heads#1850 will require physical presence (touch).
