
kexec-unseal-key: calls new etc/functions' show_totp_until_esc() before prompting for TPM DUK passphrase

Open tlaurion opened this issue 2 months ago • 2 comments

Alternative implementation to #1993: add "Timestamp UTC | TOTP code: XXXXXX | Press Esc to continue..." before the TPM DUK passphrase prompt (see screenshot below).

Added function show_totp_until_esc() in etc/functions:

  • Shows "[TIMESTAMP] | TOTP code: XXXXXX | Press Esc to continue..." (pipe-separated).
  • Caches TOTP for 1 second and only redraws when the second changes (avoids flicker).
  • Polls input every 200 ms and returns immediately on ESC, printing a blank line for separation.
  • Shows "TOTP unavailable" when a code cannot be fetched (initial or failure).

Qemu: ./docker_repro.sh make BOARD=qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet USB_TOKEN=Nitrokey3NFC PUBKEY_ASC=pubkey.asc inject_gpg run

[screenshot: 2025-11-06-120814]

@Tonux599

tlaurion avatar Nov 06 '25 17:11 tlaurion
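The behaviour the PR description lists (timestamp/TOTP status line, one-second cache, 200 ms ESC polling, "TOTP unavailable" fallback) as an added bash sketch; this is not the PR's code nor Heads' etc/functions. It assumes bash (for `read -t/-n/-s`) and a TOTP_CMD hook (hypothetical) that prints the current code, defaulting to an `unseal-totp` helper that is assumed, not verified, to exist on the Heads initrd.

```shell
#!/bin/bash
# Added illustration of the loop described in the PR text; not Heads code.
# Assumptions: bash builtins (read -t/-n/-s) and a TOTP_CMD hook (hypothetical)
# that prints the current TOTP code; default helper name is assumed.

# Build the status line: "<timestamp> | TOTP code: NNNNNN | Press Esc to continue..."
# or, when no code could be fetched, "<timestamp> | TOTP unavailable | ...".
format_totp_line() {
    local ts="$1" code="$2"
    if [ -n "$code" ]; then
        printf '%s | TOTP code: %s | Press Esc to continue...' "$ts" "$code"
    else
        printf '%s | TOTP unavailable | Press Esc to continue...' "$ts"
    fi
}

# Fetch a fresh code via the hook; print nothing on any failure so the
# caller falls back to "TOTP unavailable" instead of showing stale output.
fetch_totp() {
    local out
    out=$(${TOTP_CMD:-unseal-totp} 2>/dev/null) || out=""
    printf '%s' "$out"
}

# Redraw the status line at most once per second and return as soon as ESC
# (or end of input) is seen on stdin.
show_totp_until_esc() {
    local esc last_ts ts code key rc
    esc=$(printf '\033')
    last_ts=""
    while :; do
        ts=$(date -u '+%Y-%m-%d %H:%M:%S')
        # Cache: only refetch the code and redraw when the second changes.
        if [ "$ts" != "$last_ts" ]; then
            last_ts=$ts
            code=$(fetch_totp)
            printf '\r\033[K%s' "$(format_totp_line "$ts" "$code")"
        fi
        # Poll the keyboard for 200 ms without echo.
        key=""
        read -r -s -t 0.2 -n 1 key && rc=0 || rc=$?
        if [ "$rc" -eq 0 ]; then
            if [ "$key" = "$esc" ]; then
                break
            fi
        elif [ "$rc" -le 128 ]; then
            # bash returns >128 on timeout; anything else means stdin is
            # closed (EOF), so stop rather than spin forever.
            break
        fi
    done
    printf '\n'   # blank line separating the status line from the next prompt
    return 0
}
```

In kexec-unseal-key the call would sit immediately before the DUK passphrase `read`, so the user can compare the displayed code against their token before typing. Note that busybox ash reports a `read` timeout with status 1 rather than >128, so the EOF guard above would need adjusting there.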

@Tonux599 hmmm just saw your comment at https://github.com/linuxboot/heads/pull/1993#issuecomment-3498296540

tlaurion avatar Nov 06 '25 17:11 tlaurion

@Tonux599 I think all those implementations are complementary and not competing?

Reasoning:

  • having TOTP shown while waiting for the autoboot delay is good (but autoboot is limited to HOTP being validated for now in the current codebase; your suggestion goes there)
  • having TOTP shown until the escape key is pressed is good prior to typing the TPM DUK (you don't use it nor HOTP; suggestions welcome; this is what most Heads users are expected to use: HOTP+TPM DUK)

I think I prefer this PR if I had to choose one implementation (at the end of the day, TPM DUK validates more measurements than HOTP, and the TPM DUK goal is to have a safe space to type a decryption key passphrase that is not the LUKS Disk Recovery Key passphrase, so it cannot be used to decrypt the disk if captured when the disk is extracted from the platform).

Please dump some thoughts @Tonux599 :)

tlaurion avatar Nov 20 '25 17:11 tlaurion