Merge branch 'secureblue:live' into chromiumconfinement

RoyalOughtness · Jan 9, 2025 · 1767c73 · 1767c73
2 parents 0e18a12 + 1452ca6
commit 1767c73
Show file tree

Hide file tree

Showing 6 changed files with 296 additions and 50 deletions.
diff --git a/docs/README.md b/docs/README.md
@@ -1,6 +1,6 @@
 <p align="center">
   <a href="https://github.com/secureblue/secureblue">
-    <img src="https://github.com/secureblue/secureblue/assets/129108030/292e0ecc-50b8-4de5-a11a-bfe292489f6c" href="https://github.com/secureblue/secureblue" width=180 />
+    <img src="https://github.com/secureblue/secureblue/blob/live/docs/secureblue.png" href="https://github.com/secureblue/secureblue" width=180 />
   </a>
 </p>
 

diff --git a/docs/secureblue.png b/docs/secureblue.png
diff --git a/docs/secureblue.svg b/docs/secureblue.svg
diff --git a/files/justfiles/hardening.just b/files/justfiles/hardening.just
@@ -102,6 +102,14 @@ flatpak-permissions-lockdown:
     echo ""
     echo "Done"
 
+# Resets Flatpak's global overrides
+flatpak-reset-global-overrides:
+    #!/usr/bin/bash
+    GLOBAL_OVERRIDES="$HOME/.local/share/flatpak/overrides/global"
+    echo "This will undo the flatpak-harden command, the flatpak-permissions-lockdown command, as well as any other global overrides (individual app overrides will not be affected)."
+    echo "It will not delete the file, but simply move it from $GLOBAL_OVERRIDES to $GLOBAL_OVERRIDES.save"
+    mv $GLOBAL_OVERRIDES $GLOBAL_OVERRIDES.save
+
 # Setup USBGuard
 setup-usbguard:
     #!/usr/bin/bash

diff --git a/files/system/usr/libexec/luks-disable-fido2-unlock b/files/system/usr/libexec/luks-disable-fido2-unlock
@@ -19,10 +19,11 @@ set -eou pipefail
 [ "$UID" -eq 0 ] || { echo "This script must be run as root."; exit 1;}
 
 echo "WARNING this script will remove ALL currently configured fido2 luks unlock slots."
-echo "This script utilizes systemd-cryptenroll for removing fido2 auto-unlock."
-echo "You can review systemd-cryptenroll's manpage for more information."
-echo "This will modify your system and disable fido2 auto-unlock of your LUKS partition!"
-echo "This script is designed to work with it's corresponding secureblue fido2 enable script. If you manually enabled fido2 unlock, you may need to manually edit /etc/crypttab or restore a known good backup you may have created." 
+echo ""
+echo "This script utilizes systemd-cryptenroll for removing fido2 auto-unlock. You can review systemd-cryptenroll's manpage for more information." \
+"This will modify your system and disable fido2 auto-unlock of your LUKS partition! This script is designed to work with it's corresponding secureblue" \
+"fido2 enable script. If you manually enabled fido2 unlock, you may need to manually edit /etc/crypttab or restore a known good backup you may have created." 
+echo ""
 echo "INFO if no other nonfido2 slot is currently configured, script will fail. This is a safety precaution systemd-cryptenroll implements."
 echo "WARNING if you have not added an additional method, the recovery key will be the only avaliable unlock method after this script is run"
 read -p "Are you sure are good with this and want to disable fido2 auto-unlock? (y/N): " -n 1 -r

diff --git a/files/system/usr/libexec/luks-enable-fido2-unlock b/files/system/usr/libexec/luks-enable-fido2-unlock
@@ -20,13 +20,17 @@ set -eou pipefail
 
 echo "WARNING LUKS drive encryption must have been enabled at install time for this script to run" 
 echo "ENSURE you save the backup key this script creates at /var/home/$SUDO_USER/Desktop/luks_backup_key.txt ON ANOTHER COMPUTER"
-echo "This script uses systemd-cryptenroll to enable FIDO2 auto-unlock."
-echo "You can review systemd-cryptenroll's manpage for more information."
-echo "If you are using usbguard, plug into your hardware key, run 'usbguard list-devices'. Identify which number on the left is"
-echo "your device then run 'usbguard allow-device <number> -p'. You must exit this script with ctrl-C and do this now, BEFORE proceeding"
-echo "If you previously used TPM luks unlocking, ensure you run 'ujust remove-luks-tpm-unlock' AFTER running this script."
-echo "Otherwise, the system will likely default to TPM auto-unlocking on boot."
-echo "WARNING this script is designed not to, but could clear stored secrets on your fido2 key. Ensure you have backup options."
+echo ""
+echo "This script uses systemd-cryptenroll to enable FIDO2 auto-unlock. You can review systemd-cryptenroll's manpage for more information." \
+"If you previously used TPM luks unlocking, ensure you run 'ujust remove-luks-tpm-unlock' AFTER running this script." \
+"Otherwise, the system will likely default to TPM auto-unlocking on boot."
+echo ""
+echo "If you are using usbguard, plug in your hardware key, run 'usbguard list-devices'. Identify which number on the left is" \
+"your device then run 'usbguard allow-device <number> -p'. You must exit this script with ctrl-C and do this now, BEFORE proceeding"
+echo ""
+echo "WARNING this script is designed not to, but could clear stored secrets on your fido2 key. Ensure you have backup options for" \
+"any sites you may use FIDO2 based authentication on this key."
+echo ""
 read -p "Are you sure are good with this and want to enable FIDO2 auto-unlock? (y/N): " -n 1 -r
 echo
 if [[ ! $REPLY =~ ^[Yy]$ ]]; then
@@ -88,17 +92,29 @@ fi
 echo "Enrolling FIDO2 unlock requires your existing LUKS unlock password"
 systemd-cryptenroll --fido2-device=auto "$CRYPT_DISK"
 cp /etc/crypttab /etc/crypttab.known-good
-sed -i '$ s/$/ fido2-device=auto/' /etc/crypttab
+sed -i "s/UUID=$RD_LUKS_UUID none discard/UUID=$RD_LUKS_UUID - fido2-device=auto - discard/" /etc/crypttab
 
 echo "Creating backup key"
 systemd-cryptenroll --recovery-key "$CRYPT_DISK" > "/var/home/$SUDO_USER/Desktop/luks_backup_key.txt"
 chmod 644 "/var/home/$SUDO_USER/Desktop/luks_backup_key.txt"
 
+if lsinitrd 2>&1 | grep -q fido2 > /dev/null; then
+  ## add fido2 to initramfs
+  if rpm-ostree initramfs | grep fido2 > /dev/null; then
+    echo "FIDO2 already present in rpm-ostree initramfs config."
+    rpm-ostree initramfs
+    echo "Re-running initramfs to pickup changes above."
+  fi
+  rpm-ostree initramfs --enable --arg=--force-add --arg=fido2
+else
+  ## initramfs already contains fido2
+  echo "FIDO2 already present in initramfs."
+fi
+
 echo "Congratulations!"
-echo "Your system is now configured to use FIDO2 unlocking via the hardware key you used earlier."
-echo "If you previously used TPM luks unlocking, ensure you run 'ujust remove-luks-tpm-unlock'."
-echo "Otherwise, the system will likely default to TPM auto-unlocking on boot."
-echo "REMINDER store on another computer, on an encrypted drive, the script created backup key (which is at /var/home/$SUDO_USER/Desktop/luks_backup_key.txt)"
+echo "Your system is now configured to use FIDO2 unlocking via the hardware key you used earlier. If you previously used TPM luks unlocking, ensure you run 'ujust remove-luks-tpm-unlock'. Otherwise, the system will likely default to TPM auto-unlocking on boot."
+echo ""
+echo "REMINDER: Store on another computer, on an encrypted drive, the script created backup key (which is at /var/home/$SUDO_USER/Desktop/luks_backup_key.txt)"
 
 # References
 # https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html