Add DEBUG traces and have TPM2 boards enable TRACE and DEBUG calls

- /tmp/debug.log is created and appended by all TRACE and DEBUG calls in code - fix some logic errors seen when no DEBUG entry were outputted in /tmp/debug.log
2025-04-12 05:40:09 +00:00 · 2023-02-23 17:05:15 -05:00 · 2023-02-23 17:05:15 -05:00 · 1e5544b934
commit 1e5544b934
parent 79e10ee135
9 changed files with 66 additions and 19 deletions
--- a/boards/qemu-coreboot-fbwhiptail-tpm2-hotp/qemu-coreboot-fbwhiptail-tpm2-hotp.config
+++ b/boards/qemu-coreboot-fbwhiptail-tpm2-hotp/qemu-coreboot-fbwhiptail-tpm2-hotp.config
@ -7,6 +7,10 @@ export CONFIG_COREBOOT=y
 export CONFIG_COREBOOT_VERSION=4.13
 export CONFIG_LINUX_VERSION=5.10.5

+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=y
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
+
 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2.config
 CONFIG_LINUX_CONFIG=config/linux-qemu.config

--- a/boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.config
+++ b/boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.config
@ -6,6 +6,10 @@ export CONFIG_COREBOOT=y
 export CONFIG_COREBOOT_VERSION=4.13
 export CONFIG_LINUX_VERSION=5.10.5

+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=y
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
+
 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2.config
 CONFIG_LINUX_CONFIG=config/linux-qemu.config

--- a/boards/qemu-coreboot-whiptail-tpm2-hotp/qemu-coreboot-whiptail-tpm2-hotp.config
+++ b/boards/qemu-coreboot-whiptail-tpm2-hotp/qemu-coreboot-whiptail-tpm2-hotp.config
@ -7,6 +7,10 @@ export CONFIG_COREBOOT=y
 export CONFIG_COREBOOT_VERSION=4.13
 export CONFIG_LINUX_VERSION=5.10.5

+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=y
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
+
 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2.config
 CONFIG_LINUX_CONFIG=config/linux-qemu.config

--- a/boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config
+++ b/boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config
@ -6,6 +6,10 @@ export CONFIG_COREBOOT=y
 export CONFIG_COREBOOT_VERSION=4.13
 export CONFIG_LINUX_VERSION=5.10.5

+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=y
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
+
 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2.config
 CONFIG_LINUX_CONFIG=config/linux-qemu.config

--- a/initrd/bin/kexec-seal-key
+++ b/initrd/bin/kexec-seal-key
@ -14,6 +14,8 @@ RECOVERY_KEY="/tmp/secret/recovery.key"
 . /etc/functions
 . /tmp/config

+TRACE "Under kexec-seal-key"
+
 paramsdir=$1
 if [ -z "$paramsdir" ]; then
 	die "Usage $0 /boot"
@ -36,10 +38,7 @@ if [ -r "$KEY_LVM" ]; then
 		|| die "$VOLUME_GROUP: unable to activate volume group"
 fi

-echo "DEBUG: CONFIG_TPM: $CONFIG_TPM"
-echo "DEBUG: CONFIG_TPM2_TOOLS: $CONFIG_TPM2_TOOLS"
-echo "DEBUG: Show PCRs"
-pcrs
+DEBUG "$(pcrs)"

 # LUKS Key slot 0 is the manual recovery pass phrase
 # that they user entered when they installed OS,
@ -169,25 +168,30 @@ elif [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
 	# pcr 4 is expected to be zero (init mode)
 	dd if=/dev/zero bs=32 count=1 >> "$pcrf"
 	if [ "$CONFIG_USB_KEYBOARD" = "y" -o -r /lib/modules/libata.ko -o -x /bin/hotp_verification ]; then
+		DEBUG "TPM2, with PCR5 involvement (additional kernel modules are loaded per board config)..."
 		# Here, we take pcr 5 into consideration if modules are expected to be measured+loaded
 		# 
 		# binary pcr dump can only go via stderr for redirection
 		# sadly this busybox has buggy support for "2>>" and "2|"
 		# so we need workaround...
+		DEBUG "tpm2 pcrread -o /dev/stderr sha256:5 2>&1 >/dev/console | cat >> "$pcrf""
 		tpm2 pcrread -o /dev/stderr sha256:5 2>&1 >/dev/console | cat >> "$pcrf"
 	else
+		DEBUG "TPM2, without PCR5 involvement. Inserting 32 zero bytes under pcrf..."
 		#no kernel modules are expected to be measured+loaded
 		dd if=/dev/zero bs=32 count=1 >> "$pcrf"
 	fi
 	# Use pcr 23 to precompute the value for pcr 6
 	tpmr extend -ix 23 -if /tmp/luksDump.txt
 	tpm2 pcrread -o /dev/stderr sha256:23 2>&1 >/dev/console | cat >> "$pcrf"
-	#TODO: delete the following pcrs output on screen
 	# goal is to validate that what is in pcr 23 is at pcr 6 at unseal
-	pcrs
+	DEBUG "PCR23 content used to simulate PCR6 content at unseal:" 
+	DEBUG "$(pcrs)"
 	tpm2 pcrreset 23
 	# We take into consideration user files in cbfs
+	DEBUG "tpm2 pcrread -o /dev/stderr sha256:7 2>&1 >/dev/console | cat >> "$pcrf""
 	tpm2 pcrread -o /dev/stderr sha256:7 2>&1 >/dev/console | cat >> "$pcrf"
+	DEBUG "tpmr seal "$KEY_FILE" "0x8100000$TPM_INDEX" sha256:0,1,2,3,4,5,6,7 "$pcrf" "$key_password""
 	tpmr seal "$KEY_FILE" "0x8100000$TPM_INDEX" sha256:0,1,2,3,4,5,6,7 "$pcrf" "$key_password"
 	if [ $? -eq 0 ]; then
 		# should be okay if this fails
--- a/initrd/bin/kexec-select-boot
+++ b/initrd/bin/kexec-select-boot
@ -297,8 +297,13 @@ user_select() {
 		else
 			echo "+++ Rebooting to start the new default option"
 			sleep 2
-			reboot \
-			|| die "!!! Failed to reboot system"
+			if [ "$CONFIG_DEBUG_OUTPUT" != "y" ]; then
+				reboot \
+				|| die "!!! Failed to reboot system"
+			else
+				DEBUG "Rebooting is required prior of booting default boot entry"
+				sleep 2
+			fi
 		fi
 	fi

--- a/initrd/bin/kexec-unseal-key
+++ b/initrd/bin/kexec-unseal-key
@ -9,6 +9,9 @@ TPM_INDEX=3
 TPM_SIZE=312

 . /etc/functions
+
+TRACE "Under kexec-unseal-key"
+
 mkdir -p /tmp/secret

 sealed_file="/tmp/secret/sealed.key"
@ -41,20 +44,21 @@ for tries in 1 2 3; do

 	unseal_result=1
 	if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
-		tpmr unseal "0x8100000$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "$tpm_password" > "$key_file"
-		unseal_result="$?"
+		DEBUG "tpmr unseal "0x8100000$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "$tpm_password" > "$key_file""
+		tpmr unseal "0x8100000$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "$tpm_password" > "$key_file" \
+			|| unseal_result="$?"
 	else
 		tpm unsealfile \
 			-if "$sealed_file" \
 			-of "$key_file" \
 			-pwdd "$tpm_password" \
-			-hk 40000000
-		unseal_result="$?"
+			-hk 40000000 \
+			|| unseal_result="$?"
 	fi

-	if [ $? -eq 0 ]; then
-		# should be okay if this fails
-		shred -n 10 -z -u "$sealed_file" 2> /dev/null || true
+	shred -n 10 -z -u "$sealed_file" 2> /dev/null || true
+
+	if [ "$unseal_result" -eq 0 ]; then
 		exit 0
 	fi

--- a/initrd/bin/tpmr
+++ b/initrd/bin/tpmr
@ -16,6 +16,8 @@ else
 	. /etc/config
 fi

+TRACE "Under /bin/tpmr"
+
 if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
 	# tpm1 does not need to convert options
 	if [ "$CONFIG_TPM" = "y" ]; then
@ -26,26 +28,35 @@ if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
 fi

 tpm2_extend() {
+	TRACE "Under /bin/tpmr:tpm2_extend"
+	DEBUG "value of passed arguments: $1 $2 $3 $4 $5 $6"
 	while true; do
 		case "$1" in
 			-ix)
+				DEBUG "case: -ix $2"
 				index="$2"
 				shift 2;;
 			-ic)
+				DEBUG "case: -ic $2"
 				hash="`echo $2|sha256sum|cut -d' ' -f1`"
 				shift 2;;
 			-if)
+				DEBUG "case: -if $2"
 				hash="`sha256sum $2|cut -d' ' -f1`"
 				shift 2;;
 			*)
 				break;;
 		esac
 	done
+	DEBUG "tpm2 pcrextend $index:sha256=$hash"
 	tpm2 pcrextend "$index:sha256=$hash"
-	exec tpm2 pcrread "sha256:$index"
+	DEBUG "tpm2 pcread sha256:$index"
+	tpm2 pcrread "sha256:$index"
+	DEBUG "$(pcrs)"
 }

 tpm2_counter_read() {
+	TRACE "Under /bin/tpmr:tpm2_counter_read"
 	while true; do
 		case "$1" in
 			-ix)
@ -59,6 +70,7 @@ tpm2_counter_read() {
 }

 tpm2_counter_inc() {
+	TRACE "Under /bin/tpmr:tpm2_counter_inc"
 	while true; do
 		case "$1" in
 			-ix)
@ -76,6 +88,7 @@ tpm2_counter_inc() {
 }

 tpm2_counter_cre() {
+	TRACE "Under /bin/tpmr:tpm2_counter_cre"
 	while true; do
 		case "$1" in
 			-pwdo)
@ -100,6 +113,7 @@ tpm2_counter_cre() {
 }

 tpm2_startsession() {
+	TRACE "Under /bin/tpmr:tpm2_startsession"
 	mkdir -p "$SECRET_DIR"
 	tpm2 flushcontext \
 		--transient-object \
@ -119,6 +133,7 @@ tpm2_startsession() {
 }

 tpm2_sealfile() {
+	TRACE "Under /bin/tpmr:tpm2_sealfile"
 	#TODO remove this: tpmr seal "$KEY_FILE" "0x8100000$TPM_INDEX" sha256:0,1,2,3,4,5,6,7 "$pcrf" "$key_password"
 	file="$1" #$KEY_FILE
 	handle="$2" # 0x8100000$TPM_INDEX
@ -127,6 +142,7 @@ tpm2_sealfile() {
 	pass="$5"
 	mkdir -p "$SECRET_DIR"
 	bname="`basename $file`"
+	DEBUG "tpm2 createpolicy --policy-pcr -l "$pcrl" -f "$pcrf" -L "$SECRET_DIR/pcr.policy""
 	tpm2 createpolicy --policy-pcr -l "$pcrl" -f "$pcrf" -L "$SECRET_DIR/pcr.policy"
 	if [ "$pass" ];then
 		echo -n "$pass" | tpm2 create -C "/tmp/$PRIMARY_HANDLE_FILE" -i "$file" -u "$SECRET_DIR/$bname.priv" -r "$SECRET_DIR/$bname.pub" -L "$SECRET_DIR/pcr.policy" -S "/tmp/$DEC_SESSION_FILE" -p "file:-"
@ -141,11 +157,12 @@ tpm2_sealfile() {
 }

 tpm2_unseal() {
+	TRACE "Under /bin/tpmr:tpm2_unseal"
 	#TODO: remove this: tpmr unseal "0x8100000$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "file:-" > "$key_file"
 	handle="$1"
 	pcrl="$2"
 	pass="$3"
-	echo "debug handle: $handle prcl: $pcrl pass: $pass" >/dev/console
+	DEBUG "handle: $handle prcl: $pcrl pass: $pass"
 	if [ "$pass" ];then
 		echo -n "$pass" | tpm2 unseal -c "$handle" -S "/tmp/$ENC_SESSION_FILE" -p "pcr:$pcrl+file:-"
 	else
@ -154,6 +171,7 @@ tpm2_unseal() {
 }

 tpm2_reset() {
+	TRACE "Under /bin/tpmr:tpm2_reset"
 	key_password="$1"
 	mkdir -p "$SECRET_DIR"
 	tpm2 clear -c platform || warn "Unable to clear TPM on platform hierarchy!"
--- a/initrd/etc/functions
+++ b/initrd/etc/functions
@ -14,13 +14,13 @@ warn() {

 DEBUG() {
 	if [ "$CONFIG_DEBUG_OUTPUT" = "y" ];then
-		echo >&2 "DEBUG: $*";
+		echo "DEBUG: $*" | tee -a /tmp/debug.log >&2;
 	fi
 }

 TRACE() {
        if [ "$CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" = "y" ];then
-                echo >&2 "TRACE: $*";
+                echo "TRACE: $*" | tee -a /tmp/debug.log >&2;
        fi
 }