Refactor to force HOTP sealing when needed.
We want to seal against HOTP dongle here, no reason to skip presence. Force it.

USB drivers are loaded on demand prior to having calls to interrogate the USB dongle; the dongle should be detectable by the host drivers if connected.

If not, there is either a bug in the Nitrokey dongle firmware, under hotp_verification, or in prior code paths having interacted with gpg --card-info or gpg --card-edit.

Signed-off-by: Thierry Laurion <[email protected]>
tlaurion committed Apr 18, 2024
1 parent a16c280 commit acaf29a
Showing 1 changed file with 10 additions and 2 deletions.
12 changes: 10 additions & 2 deletions initrd/bin/gui-init
Expand Up @@ -155,15 +155,23 @@ generate_totp_hotp()
tpm_owner_password="$1" # May be empty, will prompt if needed and empty
if [ "$CONFIG_TPM" != "y" ] && [ -x /bin/hotp_verification ]; then
echo "Generating new HOTP secret"
/bin/seal-hotpkey
# we loop calling /bin/seal-hotpkey until it succeeds
while ! /bin/seal-hotpkey; do
warn "Sealing HOTP secret failed, retrying..."
/bin/seal-hotpkey
done
elif echo -e "Generating new TOTP secret...\n\n" && /bin/seal-totp "$BOARD_NAME" "$tpm_owner_password"; then
echo
if [ -x /bin/hotp_verification ]; then
if [ "$CONFIG_TOTP_SKIP_QRCODE" != y ]; then
echo "Once you have scanned the QR code, hit Enter to configure your HOTP USB Security Dongle (e.g. Librem Key or Nitrokey)"
read
fi
/bin/seal-hotpkey
# we loop calling /bin/seal-hotpkey until it succeeds
while ! /bin/seal-hotpkey; do
warn "Sealing HOTP secret failed, retrying..."
/bin/seal-hotpkey
done
else
if [ "$CONFIG_TOTP_SKIP_QRCODE" != y ]; then
echo "Once you have scanned the QR code, hit Enter to continue"
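Review bot: in both new retry loops the body calls /bin/seal-hotpkey a second time right after the loop condition has already run it, so every failed attempt executes the sealer twice back to back and the body call's exit status is silently discarded; drop the body call and keep only `while ! /bin/seal-hotpkey; do warn "Sealing HOTP secret failed, retrying..."; done`. Note also that neither loop has an exit path if the dongle is never inserted (no attempt cap, no abort prompt); the commit message says forcing presence is intended, but a `read` or short pause in the body before retrying would give the user time to plug the dongle in instead of respawning seal-hotpkey in a tight loop, and the sleeping/retry behaviour deserves a comment since the same pattern is duplicated in the TPM and non-TPM branches.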
