From 19fd98df2dde010ea54ad93a3017e28adfb443d0 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Tue, 10 Dec 2024 14:50:52 -0500 Subject: [PATCH] WiP: staging changes (TPM1 regression fixes for LOG/DEBUG on quiet mode) Signed-off-by: Thierry Laurion --- ...oot-fbwhiptail-tpm1-hotp-prod_quiet.config | 100 ++++++++++++++++++ initrd/bin/kexec-select-boot | 1 + initrd/bin/tpmr | 42 +++++--- initrd/etc/functions | 4 +- 4 files changed, 131 insertions(+), 16 deletions(-) create mode 100644 boards/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet.config diff --git a/boards/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet.config b/boards/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet.config new file mode 100644 index 00000000..bbda9706 --- /dev/null +++ b/boards/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet.config @@ -0,0 +1,100 @@ +# Configuration for building a coreboot ROM that works in +# the qemu emulator in console mode thanks to Whiptail +# +# TPM can be used with a qemu software TPM (TIS, 1.2). A Librem Key or +# Nitrokey Pro can also be used by forwarding the USB device from the host to +# the VM. +export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=24.02.01 +export CONFIG_LINUX_VERSION=6.1.8 + +CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1-prod.config +CONFIG_LINUX_CONFIG=config/linux-qemu.config + +#Enable only one RESTRICTED/BASIC boot modes below to test them manually (we cannot inject config under QEMU (no internal flashing) +#export CONFIG_RESTRICTED_BOOT=y +#export CONFIG_BASIC=y + +#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing)) +#export CONFIG_HAVE_GPG_KEY_BACKUP=y + +#Enable DEBUG output +#export CONFIG_DEBUG_OUTPUT=y +#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y +#Enable TPM2 pcap output under /tmp +#export CONFIG_TPM2_CAPTURE_PCAP=y + +#Enable quiet mode: technical information logged under /tmp/debug.log +export CONFIG_QUIET_MODE=y + +#On-demand hardware support (modules.cpio) +CONFIG_LINUX_USB=y +CONFIG_LINUX_E1000=y +#CONFIG_MOBILE_TETHERING=y +#Runtime on-demand additional hardware support (modules.cpio) +export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y + + + +#Modules packed into tools.cpio +ifeq "$(CONFIG_UROOT)" "y" +CONFIG_BUSYBOX=n +else +#Modules packed into tools.cpio +CONFIG_CRYPTSETUP2=y +CONFIG_FLASHPROG=y +CONFIG_FLASHTOOLS=y +CONFIG_GPG2=y +CONFIG_KEXEC=y +CONFIG_UTIL_LINUX=y +CONFIG_LVM2=y +CONFIG_MBEDTLS=y +CONFIG_PCIUTILS=y +#Runtime tools to write to MSR +#CONFIG_MSRTOOLS=y +#Remote attestation support +# TPM2 requirements +#CONFIG_TPM2_TSS=y +#CONFIG_OPENSSL=y +#Remote Attestation common tools +CONFIG_POPT=y +CONFIG_QRENCODE=y +CONFIG_TPMTOTP=y +#HOTP based remote attestation for supported USB Security dongle +#With/Without TPM support +CONFIG_HOTPKEY=y +#Nitrokey Storage admin tool (deprecated) +#CONFIG_NKSTORECLI=n +#GUI Support +#Console based Whiptail support(Console based, no FB): +#CONFIG_SLANG=y +#CONFIG_NEWT=y +#FBWhiptail based (Graphical): +CONFIG_CAIRO=y +CONFIG_FBWHIPTAIL=y +#Additional tools (tools.cpio): +#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E) +CONFIG_DROPBEAR=y +endif + +#Runtime configuration +#Automatically boot if HOTP is valid +export CONFIG_AUTO_BOOT_TIMEOUT=5 +#TPM2 requirements +#export CONFIG_TPM2_TOOLS=y +#export CONFIG_PRIMARY_KEY_TYPE=ecc +#TPM1 requirements +export CONFIG_TPM=y +export CONFIG_BOOTSCRIPT=/bin/gui-init +#text-based original init: +#export CONFIG_BOOTSCRIPT=/bin/generic-init +export CONFIG_BOOT_REQ_HASH=n +export CONFIG_BOOT_REQ_ROLLBACK=n +export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" +export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0" +export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash" +export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm1-hotp" +#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal" +export CONFIG_AUTO_BOOT_TIMEOUT=5 + +BOARD_TARGETS := qemu diff --git a/initrd/bin/kexec-select-boot b/initrd/bin/kexec-select-boot index bdda8aaf..81d0e5ff 100755 --- a/initrd/bin/kexec-select-boot +++ b/initrd/bin/kexec-select-boot @@ -113,6 +113,7 @@ verify_global_hashes() { } verify_rollback_counter() { + TRACE_FUNC TPM_COUNTER=$(grep counter $TMP_ROLLBACK_FILE | cut -d- -f2) if [ -z "$TPM_COUNTER" ]; then die "$TMP_ROLLBACK_FILE: TPM counter not found?" diff --git a/initrd/bin/tpmr b/initrd/bin/tpmr index e94cf605..ccf1f6c2 100755 --- a/initrd/bin/tpmr +++ b/initrd/bin/tpmr @@ -306,11 +306,18 @@ tpm1_counter_create() { # other parameters for TPM1 are passed directly, and TPM2 mimics the # TPM1 interface. prompt_tpm_owner_password - if ! tpm counter_create -pwdo "$(cat "/tmp/secret/tpm_owner_password")" "$@" >/dev/null 2>&1; then + TMP_ERR_FILE=$(mktemp) + if ! tpm counter_create -pwdo "$(cat "/tmp/secret/tpm_owner_password")" "$@" 2>"$TMP_ERR_FILE"; then DEBUG "Failed to create counter from tpm1_counter_create. Wiping /tmp/secret/tpm_owner_password" shred -n 10 -z -u /tmp/secret/tpm_owner_password + # Log the contents of the temporary error file + while IFS= read -r line; do + DEBUG "tpm1 stderr: $line" + done <"$TMP_ERR_FILE" + rm -f "$TMP_ERR_FILE" die "Unable to create counter from tpm1_counter_create" fi + rm -f "$TMP_ERR_FILE" } tpm2_counter_create() { @@ -608,16 +615,16 @@ tpm2_unseal() { # stderr. We capture the unsealed data to $file, but still log the errors for quiet mode. # In case of unseal error, caller will also report on TOTP not being able to be unsealed. TMP_ERR_FILE=$(mktemp) -if ! tpm2 unseal -Q -c "$handle" -p "session:$POLICY_SESSION$UNSEAL_PASS_SUFFIX" \ - -S "$ENC_SESSION_FILE" >"$file" 2>"$TMP_ERR_FILE"; then - # Log the contents of the temporary error file - while IFS= read -r line; do - LOG "tpm2 stderr: $line" - done <"$TMP_ERR_FILE" - rm -f "$TMP_ERR_FILE" - die "Unable to unseal secret from TPM NVRAM with tpm2 unseal" -fi -rm -f "$TMP_ERR_FILE" + if ! tpm2 unseal -Q -c "$handle" -p "session:$POLICY_SESSION$UNSEAL_PASS_SUFFIX" \ + -S "$ENC_SESSION_FILE" >"$file" 2>"$TMP_ERR_FILE"; then + # Log the contents of the temporary error file + while IFS= read -r line; do + LOG "tpm2 stderr: $line" + done <"$TMP_ERR_FILE" + rm -f "$TMP_ERR_FILE" + die "Unable to unseal secret from TPM NVRAM with tpm2 unseal" + fi + rm -f "$TMP_ERR_FILE" } tpm1_unseal() { @@ -715,7 +722,7 @@ tpm1_reset() { tpm physicalpresence -s >/dev/null 2>&1 || LOG "Unable to assert physical presence" tpm physicalenable >/dev/null 2>&1 || LOG "Unable to enable TPM" tpm physicalsetdeactivated -c >/dev/null 2>&1 || LOG "Unable to deactivate TPM" - tpm forceclear -pwdo "$tpm_owner_password" >/dev/null 2>&1 || LOG "Unable to clear TPM" + tpm forceclear >/dev/null 2>&1 || LOG "Unable to clear TPM" tpm physicalenable >/dev/null 2>&1 || LOG "Unable to enable TPM" tpm takeown -pwdo "$tpm_owner_password" >/dev/null 2>&1 || LOG "Unable to take ownership of TPM" @@ -787,7 +794,7 @@ if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then tpm1_destroy "$@" ;; extend) - #check if we extend with a hash or a file + # Check if we extend with a hash or a file if [ "$4" = "-if" ]; then DEBUG "TPM: Will extend PCR[$3] hash content of file $5" hash="$(sha1sum "$5" | cut -d' ' -f1)" @@ -799,7 +806,14 @@ if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then TRACE_FUNC LOG "TPM: Extending PCR[$3] with hash $hash" - DO_WITH_DEBUG exec tpm "$@" + + # Redirect the output of DO_WITH_DEBUG to a temporary file so we can LOG it in quiet mode + TMP_DEBUG_FILE=$(mktemp) + DO_WITH_DEBUG exec tpm "$@" >"$TMP_DEBUG_FILE" 2>&1 + while IFS= read -r line; do + LOG "$line" + done <"$TMP_DEBUG_FILE" + rm -f "$TMP_DEBUG_FILE" ;; seal) shift diff --git a/initrd/etc/functions b/initrd/etc/functions index 2dabda7b..f6438ae7 100755 --- a/initrd/etc/functions +++ b/initrd/etc/functions @@ -372,7 +372,7 @@ check_tpm_counter() { tpmr counter_create \ -pwdc '' \ -la $LABEL | - tee /tmp/counter || + tee /tmp/counter > /dev/null 2>&1 || die "Unable to create TPM counter" TPM_COUNTER=$(cut -d: -f1 /dev/null 2>&1 || die "TPM counter increment failed for rollback prevention. Please reset the TPM" }