Ecosyste.ms: OpenCollective

An open API service for software projects hosted on Open Collective.

github.com/QubesOS/qubes-antievilmaid

Qubes component: antievilmaid
https://github.com/QubesOS/qubes-antievilmaid

version 4.2.0

35dd356610102f61bd953e865122a89827a7ad86 authored about 1 year ago by Marek Marczykowski-Górecki <[email protected]>
Offset plymouth messages in anti-evil-maid-unseal

Done by printing three empty ones before the first real message.

Signed-off-by: Sergii Dmytruk ...

62819a6fdf58d3d3c47aff5096dea9fb88ce1d53 authored over 1 year ago by Sergii Dmytruk <[email protected]>
Add TPM2 support

Signed-off-by: Sergii Dmytruk <[email protected]>

87175b091af08efdb472b6ac5ae852ba769b746d authored over 1 year ago by Sergii Dmytruk <[email protected]>
Extract tpmsealprepare() and don't skip sealing

TPM2 will create sealing key on each run to be able to pick up
configuration/PCR changes for its...

13879fe77bd5035a8f694483fceeac8d1b089e5b authored over 1 year ago by Sergii Dmytruk <[email protected]>
Extract tpmid() function

Signed-off-by: Sergii Dmytruk <[email protected]>

0ee247a51b6abb6761005b030a5393b117283405 authored over 1 year ago by Sergii Dmytruk <[email protected]>
Extract tpmzsrk() function

Signed-off-by: Sergii Dmytruk <[email protected]>

acb1843b3152bec8adbf8b4431c68b9676629916 authored over 1 year ago by Sergii Dmytruk <[email protected]>
Change tcsd_ prefix to trousers_

To not be as tied to "tcsd" service.

Signed-off-by: Sergii Dmytruk <[email protected]>

00f820dc48c7f7afcde3c71464838a06f281beee authored over 1 year ago by Sergii Dmytruk <[email protected]>
Add fourth parameter to tpm(un)sealdata functions

Path to where sealed secrets are stored. This is to be able to store
more data there.

Signed-o...

fd5aa35b4016bc8133a477a3d157cc7d612d0d7e authored over 1 year ago by Sergii Dmytruk <[email protected]>
Fix alias expansion in anti-evil-maid-install

Switching from "#!/bin/sh -e" to "#!/bin/bash" in commit
bec1954d630031e3a67d87c35465f6335f1b75b...

5f09d6fdb2282d29c63c298c8763a894058a9eb9 authored over 1 year ago by Sergii Dmytruk <[email protected]>
Extract anti-evil-maid-lib-tpm1

Signed-off-by: Sergii Dmytruk <[email protected]>

1b1b5234b7b4c72e910b87989053adc9bac051e7 authored over 1 year ago by Sergii Dmytruk <[email protected]>
Extract listbadpcrs() function

Signed-off-by: Sergii Dmytruk <[email protected]>

af90db69b0626c882ab41b6dbb2eb8d4094ffa6b authored over 1 year ago by Sergii Dmytruk <[email protected]>
Extract functions for managing tcsd service

Signed-off-by: Sergii Dmytruk <[email protected]>

bc04eb21547bf270bb3dd4c3ff756f0ab3636950 authored over 1 year ago by Sergii Dmytruk <[email protected]>
Check system.data file existence in synctpms()

It won't be there for TPM2.

Signed-off-by: Sergii Dmytruk <[email protected]>

f1507010b74fc9a00ada5f148d23c6ffbbee7199 authored over 1 year ago by Sergii Dmytruk <[email protected]>
Drop outdated shellcheck disable= comments

Signed-off-by: Sergii Dmytruk <[email protected]>

7e0d56d161f50708dfd8e47a4ea09d470230d8df authored over 1 year ago by Sergii Dmytruk <[email protected]>
Extract postprovisioning() function

Signed-off-by: Sergii Dmytruk <[email protected]>

6964a7427216b19f168b103a297c1ef494069951 authored over 1 year ago by Sergii Dmytruk <[email protected]>
Extract tpmtakeownership() function

Signed-off-by: Sergii Dmytruk <[email protected]>

1c1fae35be534afad00658518f5d318953e82b41 authored over 1 year ago by Sergii Dmytruk <[email protected]>
Extract tpmunsealdata() function

Signed-off-by: Sergii Dmytruk <[email protected]>

e92578f9385e5b45f4f28badd9c9fef9a21ff4d9 authored over 1 year ago by Sergii Dmytruk <[email protected]>
Extract tpmpcrextend() function

Signed-off-by: Sergii Dmytruk <[email protected]>

90528d11917ebc49b54113b5a6414f8061208d4b authored over 1 year ago by Sergii Dmytruk <[email protected]>
Extract tpmsealdata() function

Signed-off-by: Sergii Dmytruk <[email protected]>

4e98e81a60057b0434c74984f12272a72fef14eb authored over 1 year ago by Sergii Dmytruk <[email protected]>
Extract tpmresetdalock() function

Signed-off-by: Sergii Dmytruk <[email protected]>

0c663deb34a9b28af8a0fa3a1332bd0b5dbd9fa6 authored over 1 year ago by Sergii Dmytruk <[email protected]>
Extract tpmowned() function

Signed-off-by: Sergii Dmytruk <[email protected]>

7ab893d83144ba6c8576fc0170eb90877c69630c authored over 1 year ago by Sergii Dmytruk <[email protected]>
Extract hashfile function

Signed-off-by: Sergii Dmytruk <[email protected]>

07b4bbc003984ed39210237abacd97e25e4037ea authored over 1 year ago by Sergii Dmytruk <[email protected]>
Extract provisiontpmid() function

Signed-off-by: Sergii Dmytruk <[email protected]>

86b5c0fe525d7bb346cea54b0c6acca3d9ec18ce authored over 1 year ago by Sergii Dmytruk <[email protected]>
Use --echo-no in waitforenter()

It's confusing to see a proper password prompt with asterisks after a
"Press ENTER" message.

Si...

079060e080532f12bae2caa0ad1a76d05a1fb617 authored over 1 year ago by Sergii Dmytruk <[email protected]>
Extract checksrkpass() function

Signed-off-by: Sergii Dmytruk <[email protected]>

c378ea5c650a3fe751bd47da91905cdbf05f885d authored over 1 year ago by Sergii Dmytruk <[email protected]>
Auto-unmount boot device in anti-evil-maid-unseal

Otherwise in case of error, it stays mounted, but you do anything about
it after leaving initrd....

994af1e9cef9b9680cb70b2ce859fdbc7e2d0f49 authored over 1 year ago by Sergii Dmytruk <[email protected]>
Use `set -euo pipefail` in scripts where possible

anti-evil-maid-check-mount-devs can't have `set -u`.

anti-evil-maid-install needed to be slight...

bec1954d630031e3a67d87c35465f6335f1b75bf authored over 1 year ago by Sergii Dmytruk <[email protected]>
Add tpm2-tools and tss2-tss dependencies

Add files from these packages to dracut right away.

Signed-off-by: Sergii Dmytruk <sergii.dmytr...

fdd2034c9c6860191e91797bd328518e4289317a authored over 1 year ago by Sergii Dmytruk <[email protected]>
Verify that TPM is of compatible family in scripts

Signed-off-by: Sergii Dmytruk <[email protected]>

44424355098bccd6976033af2d033c9e4cadd3c1 authored over 1 year ago by Sergii Dmytruk <[email protected]>
Source lib early in anti-evil-maid-seal

This is to allow using things defined in anti-evil-maid-lib before
starting tcsd.

Signed-off-by...

822bae45f856214f2bc2dbebf9578ed2c76ccfd5 authored over 1 year ago by Sergii Dmytruk <[email protected]>
Fix $SEAL being quoted in anti-evil-maid-seal

This caused tpm_sealdata to fail due to unknown argument (list of PCRs).

Got broken in ee10eb9f...

027c529f5d02c133cecd72172b4755461630db04 authored over 1 year ago by Sergii Dmytruk <[email protected]>
Run shellcheck on CI

Signed-off-by: Sergii Dmytruk <[email protected]>

03e79c695a2dc53526db1758953cfb7e9f02e863 authored over 1 year ago by Sergii Dmytruk <[email protected]>
Add missing double quotes around var expansion

Signed-off-by: Sergii Dmytruk <[email protected]>

ee10eb9fc0012fe82e2cd24b0bae5cce355df60e authored over 1 year ago by Sergii Dmytruk <[email protected]>
Use `true` to create files via redirect explicitly

Signed-off-by: Sergii Dmytruk <[email protected]>

f56157b6597d545d9393af771643b28bd714bf2e authored over 1 year ago by Sergii Dmytruk <[email protected]>
Use $( ... ) instead of `...`

Signed-off-by: Sergii Dmytruk <[email protected]>

497c9292fec5e9790a8ef42afc4fbcc25b486985 authored over 1 year ago by Sergii Dmytruk <[email protected]>
Quote arguments of `${...#...}`

Signed-off-by: Sergii Dmytruk <[email protected]>

46ae85eb74655bd9ab5add8278b1fa6977ec9f5d authored over 1 year ago by Sergii Dmytruk <[email protected]>
Don't use -a or -o in `[ ... ]`

Signed-off-by: Sergii Dmytruk <[email protected]>

da8236e51059799498136c0f4b0093908cf7227d authored over 1 year ago by Sergii Dmytruk <[email protected]>
Don't use $ inside `$((...))`

Signed-off-by: Sergii Dmytruk <[email protected]>

b56ffdac9436e1d327d7447058d3ba26a8629775 authored over 1 year ago by Sergii Dmytruk <[email protected]>
Name unused loop variables `_`

Signed-off-by: Sergii Dmytruk <[email protected]>

8f03c5dd75f77f243d96924eb84dd48e49ee7388 authored over 1 year ago by Sergii Dmytruk <[email protected]>
Pass `-r` to `read` to not interpret backslashes

Signed-off-by: Sergii Dmytruk <[email protected]>

175249d16d0873eaf07e514eb73e80aa6a9e5fa8 authored over 1 year ago by Sergii Dmytruk <[email protected]>
Fix revokefreshness() not printing suffix value

$_suff was never set.

Signed-off-by: Sergii Dmytruk <[email protected]>

2a32b3ca86cd62674d28552764694d391dae6902 authored over 1 year ago by Sergii Dmytruk <[email protected]>
version 4.1.1

037be3c3644d4873c37171f56619eb97beae1f2a authored almost 2 years ago by Marek Marczykowski-Górecki <[email protected]>
Don't use 'dmsetup table --showkeys', it doesn't work with LUKS2

LUKS2 keeps master key in kernel 'login' keyring by default. Raw key
cannot be exported from the...

8c202e45ae78cc8cc79943c6d1dcd562d1f7ca35 authored almost 2 years ago by Marek Marczykowski-Górecki <[email protected]>
.qubesbuilder: replace 'spec' by 'build'

7561a4d724b9b0df8ba48d8f2735d3754961f87b authored over 2 years ago by Frédéric Pierret (fepitre) <[email protected]>
Add Qubes Builder v2 integration

dab5dad5db83a7973dda5d8a7dbcc61bd68494dd authored over 2 years ago by Frédéric Pierret (fepitre) <[email protected]>
Drop Travis CI

fd8a284c3e5ed742b3fc04c1bd41ce5d2d004e71 authored over 2 years ago by Frédéric Pierret (fepitre) <[email protected]>
Update README

5e313f4f79a21e59e2c14d660792224bd314df2a authored almost 4 years ago by aborrecimento <[email protected]>
Add .gitlab-ci.yml

00b857a76d9e0160bee4026afaff045b07974e64 authored about 4 years ago by Frédéric Pierret (fepitre) <[email protected]>
Update travis

453b5b45fff7924a8f0ab466d664a836c54ff634 authored over 4 years ago by Frédéric Pierret (fepitre) <[email protected]>
travis: switch to dom0 Fedora 31

QubesOS/qubes-issues#5529

9716fa57d8d0ac815d5b668d501dc1c976f36e86 authored almost 5 years ago by Frédéric Pierret (fepitre) <[email protected]>
version 4.1.0

c9fa9a77b75268381ab254389761e01e3f236e97 authored almost 5 years ago by Marek Marczykowski-Górecki <[email protected]>
No longer appending a newline character to the OTP URI before piping

to qrencode. With this change it is possible to import the OTP into
Authy, Google Authenticator a...

e27583e7457732d262694286b200ce270e479034 authored almost 5 years ago by Julius Zint <[email protected]>
add back comment on USB drives

3c8792c6620806eaf16a4b1fd5c999f19323e3a3 authored about 5 years ago by Aaron Janse <[email protected]>
remove misleading text on write-protect switches

2c220ffd3c1c8c76766bfa0e59372db270e2f8db authored about 5 years ago by Aaron Janse <[email protected]>
travis: switch to bionic

QubesOS/qubes-issues#4613

7fca13e7d4e7e8b2b177801de68dbf9dcb860b12 authored about 5 years ago by Frédéric Pierret (fepitre) <[email protected]>
travis: switch to xenial and Qubes R4.1

454089410bb0408d6cc425c07b8f64c2471d4714 authored over 5 years ago by Frédéric Pierret (fepitre) <[email protected]>
Create .spec.in

76e8d029eb9d80b0323bde8dcfd462a2e726cc40 authored over 5 years ago by Frédéric Pierret (fepitre) <[email protected]>
Split out tpm-extra and trousers-changer

QubesOS/qubes-issues#4356

f00666cefa4e5ed86401a1386ebc307b19976264 authored over 5 years ago by Frédéric Pierret (fepitre) <[email protected]>
Merge remote-tracking branch 'qubesos/pr/26'

* qubesos/pr/26:
README: clarify impact of TPM vulns; mention CHIPSEC
README: mention 1.2 sp...

af4f6160dfd89d126b923c183b5a9cea18b4b1b9 authored almost 7 years ago by Marek Marczykowski-Górecki <[email protected]>
README: clarify impact of TPM vulns; mention CHIPSEC

da6c1bacfe5f8864e08efcf7903f9867d40629b3 authored almost 7 years ago by Patrik Hagara <[email protected]>
Merge remote-tracking branch 'qubesos/pr/25'

* qubesos/pr/25:
-install: Always regenerate grub.cfg

aa9a40817edae0d4e0a71b6cb34ede0098e92d04 authored almost 7 years ago by Marek Marczykowski-Górecki <[email protected]>
README: mention 1.2 spec emulation built into some 2.0 TPMs

5bce10092f6fc5831fd810e4aa19655dffc226e4 authored almost 7 years ago by Patrik Hagara <[email protected]>
README: add security notes

26bdf4d0bdaa34948f8f9736faf4f98f027abc86 authored almost 7 years ago by Patrik Hagara <[email protected]>
version 4.0.1

5206053615b96af9c9d74adc39df8b9d9807d1a6 authored almost 7 years ago by Marek Marczykowski-Górecki <[email protected]>
travis: update versions (4.0 only)

cf44b671c91a411085bebc82da471531f563e274 authored almost 7 years ago by Marek Marczykowski-Górecki <[email protected]>
-seal: better error message when run manually w/o suffix arg

resolves QubesOS/qubes-issues#3296

9c5af9cdcec2b61973ed77d98e29e144710452f9 authored almost 7 years ago by Patrik Hagara <[email protected]>
improve and document freshness token unsealing error

190241f64bbc482e4851ce40f0ffeb672e6e9d64 authored almost 7 years ago by Patrik Hagara <[email protected]>
add missing cryptsetup binary to initramfs

8b4c9bf039fcaaff3e29809f1f58b0e709b29ef7 authored almost 7 years ago by Patrik Hagara <[email protected]>
change TPM NVRAM indices to improve compatibility

abd446bcc14e60e5ab71d25ab7072e5a39c4ff19 authored almost 7 years ago by Patrik Hagara <[email protected]>
-install: Always regenerate grub.cfg

This is needed for internal partitions too, in order to pick up the
SINIT blob.

Closes #21

919ba90179ee34f745a572453fc87a9765c6f6d7 authored about 7 years ago by Rusty Bird <[email protected]>
readme: better SRK pw change instructions

8ee6220b430336649d2517bf606bed7a3618795f authored over 7 years ago by Patrik Hagara <[email protected]>
readme: add upgrade instructions

63186a345bf6085ab7bd5ef712b003660a5d9b6d authored over 7 years ago by Patrik Hagara <[email protected]>
-install: remove the "experimental" warning for MFA

b218da87fb510c01ca4c750a90de3e034540207b authored over 7 years ago by Patrik Hagara <[email protected]>
specfile: depend on coreutils containing base32 binary

69b65de976d8d00e626c92012c50eecd245de07b authored over 7 years ago by Patrik Hagara <[email protected]>
-install: remove stray tab

b858ec99267c2bd81500ecc25a70ce705d71e292 authored over 7 years ago by Patrik Hagara <[email protected]>
README: fix typos; clearer MFA AEM media requirements

75f8c2d132c3ea21680e78aadde39ebca0123ab6 authored over 7 years ago by Patrik Hagara <[email protected]>
-install: make sure user sees the "wrong RTC TZ" warning

d87193b93aaff73bf268f81fda1252a06a8b17de authored over 7 years ago by Patrik Hagara <[email protected]>
allow (less secure) MFA AEM install on internal/non-removable media

7ce339ce87bbb9a51f76c6e252f3fb5c7b4c7096 authored over 7 years ago by Patrik Hagara <[email protected]>
change freshness token file extension from .fsh to .fre

4b1f53368d9b741ae3a4df2e9c7dc1f65bf74903 authored over 7 years ago by Patrik Hagara <[email protected]>
Save seed to secret.otp with trailing newline

13b1f38e6e34135d06a10b73bac7f76b587c8199 authored over 7 years ago by Rusty Bird <[email protected]>
tpm_id: Update error message

10f663d8c587e05c6b4e2313bdc9d3395164656a authored over 7 years ago by Rusty Bird <[email protected]>
Use same format (16 bytes hex) for owner and freshness pw

d1830e6f84354c2028cf6075e63dea39150f53bf authored over 7 years ago by Rusty Bird <[email protected]>
Use same hex() and unhex() everywhere

3ae0a09e4be67cff2746ce0194dcddd2abee6658 authored over 7 years ago by Rusty Bird <[email protected]>
Use the same sysfs TPM directory everywhere

3bbf8a8e28db57d98241b61c646cab76bda8fbe1 authored over 7 years ago by Rusty Bird <[email protected]>
-tpm-setup: only move tcs data when actually creating tpm id

b51d8156aaf4a1105a32754cb761e5e1b9ed2d17 authored over 7 years ago by Patrik Hagara <[email protected]>
-tpm-setup: don't ask for TPM ID when tcsd is stopped

d6348300d72e0023eccd6181d25f3828174c9a7c authored over 7 years ago by Patrik Hagara <[email protected]>
$TPM_FRESHNESS_PASSWORD -> $TPM_FRESHNESS_PASSWORD_FILE

f5ae26f37d1c8d69e9a5eb6bdb01918f8db45928 authored over 7 years ago by Rusty Bird <[email protected]>
Reset dictionary attack lock on -seal startup

67ae71cb40aece2789e11a02e508c4dd92c4428f authored over 7 years ago by Rusty Bird <[email protected]>
-install: Move freshness token enrollment check up

Before doing anything time consuming. Maybe the user just forgot "-s".

338a27eb942d15552076aef1d0374dd2f91d6c5b authored over 7 years ago by Rusty Bird <[email protected]>
rd.antievilmaid.uuid -> aem.uuid; remove rd.antievilmaid

The parameter is used inside and outside the initrd, so no "rd." prefix.

2cbc74df07ed7d515f775d413a4a4ba0004dc572 authored over 7 years ago by Rusty Bird <[email protected]>
-seal: Use UUID instead of label to find device

94efdaded9ec7115ae7aab6117beedb61494e253 authored over 7 years ago by Rusty Bird <[email protected]>
Factor out getparams()

40e55c05295d9ebfeda576a0e813865343c7c18f authored over 7 years ago by Rusty Bird <[email protected]>
-unseal: Add blank line after "Waiting for /dev/disk/..." messages

225ebf23c305166d182d15cb90adedad727d66ab authored over 7 years ago by Rusty Bird <[email protected]>
-unseal: Abort on duplicate UUID attack

5e142379d8884c24c96518d2b11e1592f5935d07 authored over 7 years ago by Rusty Bird <[email protected]>
-unseal: Fixed string & glob for prefix test; log -> message

e91b7831a9983c64969bd3d1bf5024f44375c74d authored over 7 years ago by Rusty Bird <[email protected]>
-unseal: Also show UUID in log messages

c291949c3e4b9d006553454316c7361c8a93414b authored over 7 years ago by Rusty Bird <[email protected]>
-unseal: wait for AEM media by UUID instead of label

36040a7bc26d3ab3507f42f6e9d0a8f0d204cfb5 authored over 7 years ago by Patrik Hagara <[email protected]>
-tpm-setup fixes

Must be run as root
(Re)start tcsd before tpm_takeownership call
Filter out tpm_takeownership's ...

b0b2dcf9c136b366385a499a556a8e88365b0a06 authored over 7 years ago by Rusty Bird <[email protected]>
-tpm-setup: rest of the implementation; fixed tpm_id

08b922332277e0e1dbbb4dca3e43627e1af7f21d authored over 7 years ago by Patrik Hagara <[email protected]>
notty; anti-evil-maid-tpm-setup stub

e0dbede90c4a54528503f213966686690324155d authored over 7 years ago by Rusty Bird <[email protected]>