From 1e5544b9349b63d314bad27c99e5faf8f847325a Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Thu, 23 Feb 2023 17:05:15 -0500
Subject: [PATCH] Add DEBUG traces and have TPM2 boards enable TRACE and DEBUG calls

- /tmp/debug.log is created and appended by all TRACE and DEBUG calls in code
- fix some logic errors seen when no DEBUG entry were outputted in /tmp/debug.log
---
 .../qemu-coreboot-fbwhiptail-tpm2-hotp.config | 4 ++++
 .../qemu-coreboot-fbwhiptail-tpm2.config | 4 ++++
 .../qemu-coreboot-whiptail-tpm2-hotp.config | 4 ++++
 .../qemu-coreboot-whiptail-tpm2.config | 4 ++++
 initrd/bin/kexec-seal-key | 16 +++++++++-----
 initrd/bin/kexec-select-boot | 9 ++++++--
 initrd/bin/kexec-unseal-key | 18 +++++++++------
 initrd/bin/tpmr | 22 +++++++++++++++++--
 initrd/etc/functions | 4 ++--
 9 files changed, 66 insertions(+), 19 deletions(-)

diff --git a/boards/qemu-coreboot-fbwhiptail-tpm2-hotp/qemu-coreboot-fbwhiptail-tpm2-hotp.config b/boards/qemu-coreboot-fbwhiptail-tpm2-hotp/qemu-coreboot-fbwhiptail-tpm2-hotp.config
index aff6fdc7..bef99417 100644
--- a/boards/qemu-coreboot-fbwhiptail-tpm2-hotp/qemu-coreboot-fbwhiptail-tpm2-hotp.config
+++ b/boards/qemu-coreboot-fbwhiptail-tpm2-hotp/qemu-coreboot-fbwhiptail-tpm2-hotp.config
@@ -7,6 +7,10 @@ export CONFIG_COREBOOT=y
 export CONFIG_COREBOOT_VERSION=4.13
 export CONFIG_LINUX_VERSION=5.10.5
 
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=y
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
+
 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2.config
 CONFIG_LINUX_CONFIG=config/linux-qemu.config
 
diff --git a/boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.config b/boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.config
index f14574c6..d6dbb10c 100644
--- a/boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.config
+++ b/boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.config
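Review bot: The comment `#Enable DEBUG output` describes only half of what these two lines do: `CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT` turns on TRACE as well, and with the `initrd/etc/functions` change in this same patch both streams are also appended to `/tmp/debug.log`. The identical three lines are added to the other three qemu-coreboot board configs in this patch, so the same comment applies there. Since the board names suggest these are QEMU test boards, say so where the flags are set, e.g. `# QEMU test board: send DEBUG and TRACE output to stderr and append it to /tmp/debug.log`, so the block is not copied into a production board config without realising what ends up in that file.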
@@ -6,6 +6,10 @@ export CONFIG_COREBOOT=y
 export CONFIG_COREBOOT_VERSION=4.13
 export CONFIG_LINUX_VERSION=5.10.5
 
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=y
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
+
 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2.config
 CONFIG_LINUX_CONFIG=config/linux-qemu.config
 
diff --git a/boards/qemu-coreboot-whiptail-tpm2-hotp/qemu-coreboot-whiptail-tpm2-hotp.config b/boards/qemu-coreboot-whiptail-tpm2-hotp/qemu-coreboot-whiptail-tpm2-hotp.config
index d9bfb75e..9813dfda 100644
--- a/boards/qemu-coreboot-whiptail-tpm2-hotp/qemu-coreboot-whiptail-tpm2-hotp.config
+++ b/boards/qemu-coreboot-whiptail-tpm2-hotp/qemu-coreboot-whiptail-tpm2-hotp.config
@@ -7,6 +7,10 @@ export CONFIG_COREBOOT=y
 export CONFIG_COREBOOT_VERSION=4.13
 export CONFIG_LINUX_VERSION=5.10.5
 
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=y
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
+
 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2.config
 CONFIG_LINUX_CONFIG=config/linux-qemu.config
 
diff --git a/boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config b/boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config
index fff30cae..0f9edf0c 100644
--- a/boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config
+++ b/boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config
@@ -6,6 +6,10 @@ export CONFIG_COREBOOT=y
 export CONFIG_COREBOOT_VERSION=4.13
 export CONFIG_LINUX_VERSION=5.10.5
 
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=y
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
+
 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2.config
 CONFIG_LINUX_CONFIG=config/linux-qemu.config
 
diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key
index d2ed0237..48b74ecd 100755
--- a/initrd/bin/kexec-seal-key
+++ b/initrd/bin/kexec-seal-key
@@ -14,6 +14,8 @@ RECOVERY_KEY="/tmp/secret/recovery.key"
 . /etc/functions
 . /tmp/config
 
+TRACE "Under kexec-seal-key"
+
 paramsdir=$1
 if [ -z "$paramsdir" ]; then
 die "Usage $0 /boot"
@@ -36,10 +38,7 @@ if [ -r "$KEY_LVM" ]; then
 || die "$VOLUME_GROUP: unable to activate volume group"
 fi
 
-echo "DEBUG: CONFIG_TPM: $CONFIG_TPM"
-echo "DEBUG: CONFIG_TPM2_TOOLS: $CONFIG_TPM2_TOOLS"
-echo "DEBUG: Show PCRs"
-pcrs
+DEBUG "$(pcrs)"
 
 # LUKS Key slot 0 is the manual recovery pass phrase
 # that they user entered when they installed OS,
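Review bot: `DEBUG "$(pcrs)"` still runs `pcrs` when debugging is off: the command substitution is expanded before DEBUG ever tests `CONFIG_DEBUG_OUTPUT`, so the PCR read happens on every run and its output is simply thrown away. The same pattern is introduced twice more in this patch, in the next kexec-seal-key hunk and in tpmr's tpm2_extend, where it executes on every extend. Guard it at the call site instead: `if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then DEBUG "$(pcrs)"; fi`, or give the helper a form that takes a command and runs it only when enabled.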
@@ -169,25 +168,30 @@ elif [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
 # pcr 4 is expected to be zero (init mode)
 dd if=/dev/zero bs=32 count=1 >> "$pcrf"
 if [ "$CONFIG_USB_KEYBOARD" = "y" -o -r /lib/modules/libata.ko -o -x /bin/hotp_verification ]; then
+ DEBUG "TPM2, with PCR5 involvement (additional kernel modules are loaded per board config)..."
 # Here, we take pcr 5 into consideration if modules are expected to be measured+loaded
 #
 # binary pcr dump can only go via stderr for redirection
 # sadly this busybox has buggy support for "2>>" and "2|"
 # so we need workaround...
+ DEBUG "tpm2 pcrread -o /dev/stderr sha256:5 2>&1 >/dev/console | cat >> "$pcrf""
 tpm2 pcrread -o /dev/stderr sha256:5 2>&1 >/dev/console | cat >> "$pcrf"
 else
+ DEBUG "TPM2, without PCR5 involvement. Inserting 32 zero bytes under pcrf..."
 #no kernel modules are expected to be measured+loaded
 dd if=/dev/zero bs=32 count=1 >> "$pcrf"
 fi
 # Use pcr 23 to precompute the value for pcr 6
 tpmr extend -ix 23 -if /tmp/luksDump.txt
 tpm2 pcrread -o /dev/stderr sha256:23 2>&1 >/dev/console | cat >> "$pcrf"
- #TODO: delete the following pcrs output on screen
 # goal is to validate that what is in pcr 23 is at pcr 6 at unseal
- pcrs
+ DEBUG "PCR23 content used to simulate PCR6 content at unseal:"
+ DEBUG "$(pcrs)"
 tpm2 pcrreset 23
 # We take into consideration user files in cbfs
+ DEBUG "tpm2 pcrread -o /dev/stderr sha256:7 2>&1 >/dev/console | cat >> "$pcrf""
 tpm2 pcrread -o /dev/stderr sha256:7 2>&1 >/dev/console | cat >> "$pcrf"
+ DEBUG "tpmr seal "$KEY_FILE" "0x8100000$TPM_INDEX" sha256:0,1,2,3,4,5,6,7 "$pcrf" "$key_password""
 tpmr seal "$KEY_FILE" "0x8100000$TPM_INDEX" sha256:0,1,2,3,4,5,6,7 "$pcrf" "$key_password"
 if [ $? -eq 0 ]; then
 # should be okay if this fails
diff --git a/initrd/bin/kexec-select-boot b/initrd/bin/kexec-select-boot
index b71f5b22..c6983e4e 100755
--- a/initrd/bin/kexec-select-boot
+++ b/initrd/bin/kexec-select-boot
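Review bot: `DEBUG "tpmr seal ... "$pcrf" "$key_password""` expands the passphrase the key is being sealed with into the debug message, and with this patch's `initrd/etc/functions` change that message is appended to `/tmp/debug.log` as well as written to stderr. The same exposure is introduced in the kexec-unseal-key hunk (`"$tpm_password"`) and in tpmr's tpm2_unseal (`pass: $pass`, which already went to /dev/console before this patch). Leave the secret out of the message: `DEBUG "tpmr seal $KEY_FILE 0x8100000$TPM_INDEX sha256:0,1,2,3,4,5,6,7 $pcrf [password not logged]"`, and likewise at the other two sites. As a minor style point, the nested `"` in the `DEBUG "tpm2 pcrread ... "$pcrf""` lines close and reopen the quoted word rather than being logged, so the recorded command lacks the quotes of the real one; `\"` would log it as written. The enclosing `elif` block starts and ends outside the hunk.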
@@ -297,8 +297,13 @@ user_select() {
 else
 echo "+++ Rebooting to start the new default option"
 sleep 2
- reboot \
- || die "!!! Failed to reboot system"
+ if [ "$CONFIG_DEBUG_OUTPUT" != "y" ]; then
+ reboot \
+ || die "!!! Failed to reboot system"
+ else
+ DEBUG "Rebooting is required prior of booting default boot entry"
+ sleep 2
+ fi
 fi
 fi
 
diff --git a/initrd/bin/kexec-unseal-key b/initrd/bin/kexec-unseal-key
index 5b1039e3..72a458a6 100755
--- a/initrd/bin/kexec-unseal-key
+++ b/initrd/bin/kexec-unseal-key
@@ -9,6 +9,9 @@ TPM_INDEX=3
 TPM_SIZE=312
 
 . /etc/functions
+
+TRACE "Under kexec-unseal-key"
+
 mkdir -p /tmp/secret
 sealed_file="/tmp/secret/sealed.key"
 
@@ -41,20 +44,21 @@ for tries in 1 2 3; do
 
 unseal_result=1
 if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
- tpmr unseal "0x8100000$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "$tpm_password" > "$key_file"
- unseal_result="$?"
+ DEBUG "tpmr unseal "0x8100000$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "$tpm_password" > "$key_file""
+ tpmr unseal "0x8100000$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "$tpm_password" > "$key_file" \
+ || unseal_result="$?"
 else
 tpm unsealfile \
 -if "$sealed_file" \
 -of "$key_file" \
 -pwdd "$tpm_password" \
- -hk 40000000
- unseal_result="$?"
+ -hk 40000000 \
+ || unseal_result="$?"
 fi
- if [ $? -eq 0 ]; then
- # should be okay if this fails
- shred -n 10 -z -u "$sealed_file" 2> /dev/null || true
+ shred -n 10 -z -u "$sealed_file" 2> /dev/null || true
+
+ if [ "$unseal_result" -eq 0 ]; then
 exit 0
 fi
 
diff --git a/initrd/bin/tpmr b/initrd/bin/tpmr
index b4731446..9e2b9328 100755
--- a/initrd/bin/tpmr
+++ b/initrd/bin/tpmr
@@ -16,6 +16,8 @@ else
 . /etc/config
 fi
 
+TRACE "Under /bin/tpmr"
+
 if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
 # tpm1 does not need to convert options
 if [ "$CONFIG_TPM" = "y" ]; then
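Review bot: With `CONFIG_DEBUG_OUTPUT=y` the reboot is skipped and user_select falls through past the `fi` into whatever follows (the rest of the function is outside the hunk), right after the `echo "+++ Rebooting to start the new default option"` two lines above promised a reboot; a debug build therefore takes a boot path a production build never takes, and the log it produces describes that path rather than the real one. If the intent is to keep `/tmp/debug.log` readable before the reboot (presumably it lives on a tmpfs that does not survive it), prompting the user before `reboot` would keep the control flow identical in both builds. At minimum record the reason and fix the wording: a comment such as `# debug builds skip the reboot so /tmp/debug.log can still be inspected` above the `else`, and `DEBUG "Reboot required before booting the default entry; skipped because CONFIG_DEBUG_OUTPUT=y"` in place of the current message.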
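Review bot: `unseal_result` can never become 0 after this change: it is preset to 1 by the context line `unseal_result=1`, and `|| unseal_result="$?"` only assigns when `tpmr unseal` (or `tpm unsealfile`) fails, so a successful unseal leaves it at 1 and the new `if [ "$unseal_result" -eq 0 ]; then exit 0` is unreachable for both the TPM2 and TPM1 branches; the loop simply retries (the `for tries` loop begins and ends outside the hunk). The move of `shred` ahead of the result check makes it worse: a failed attempt now destroys `$sealed_file` before the next try, and the TPM1 branch reads that very file with `-if "$sealed_file"`, so the second and third attempts cannot succeed; assuming the file is populated once before the loop, it must survive failed attempts. Record the status with an `if` around each command and shred only after success, as below (the password is also kept out of the DEBUG line, as noted on the kexec-seal-key hunk).
```shell
	unseal_result=1
	if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
		DEBUG "tpmr unseal 0x8100000$TPM_INDEX sha256:0,1,2,3,4,5,6,7 [password not logged] > $key_file"
		if tpmr unseal "0x8100000$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "$tpm_password" > "$key_file"; then
			unseal_result=0
		else
			unseal_result=$?
		fi
	else
		if tpm unsealfile \
			-if "$sealed_file" \
			-of "$key_file" \
			-pwdd "$tpm_password" \
			-hk 40000000; then
			unseal_result=0
		else
			unseal_result=$?
		fi
	fi

	if [ "$unseal_result" -eq 0 ]; then
		# destroy the sealed blob only once it has been unsealed;
		# a failed attempt must leave it in place for the next try
		shred -n 10 -z -u "$sealed_file" 2> /dev/null || true
		exit 0
	fi
```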
@@ -26,26 +28,35 @@ if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
 fi
 
 tpm2_extend() {
+ TRACE "Under /bin/tpmr:tpm2_extend"
+ DEBUG "value of passed arguments: $1 $2 $3 $4 $5 $6"
 while true; do
 case "$1" in
 -ix)
+ DEBUG "case: -ix $2"
 index="$2"
 shift 2;;
 -ic)
+ DEBUG "case: -ic $2"
 hash="`echo $2|sha256sum|cut -d' ' -f1`"
 shift 2;;
 -if)
+ DEBUG "case: -if $2"
 hash="`sha256sum $2|cut -d' ' -f1`"
 shift 2;;
 *) break;;
 esac
 done
+ DEBUG "tpm2 pcrextend $index:sha256=$hash"
 tpm2 pcrextend "$index:sha256=$hash"
- exec tpm2 pcrread "sha256:$index"
+ DEBUG "tpm2 pcread sha256:$index"
+ tpm2 pcrread "sha256:$index"
+ DEBUG "$(pcrs)"
 }
 
 tpm2_counter_read() {
+ TRACE "Under /bin/tpmr:tpm2_counter_read"
 while true; do
 case "$1" in
 -ix)
@@ -59,6 +70,7 @@ tpm2_counter_read() {
 }
 
 tpm2_counter_inc() {
+ TRACE "Under /bin/tpmr:tpm2_counter_inc"
 while true; do
 case "$1" in
 -ix)
@@ -76,6 +88,7 @@ tpm2_counter_inc() {
 }
 
 tpm2_counter_cre() {
+ TRACE "Under /bin/tpmr:tpm2_counter_cre"
 while true; do
 case "$1" in
 -pwdo)
@@ -100,6 +113,7 @@ tpm2_counter_cre() {
 }
 
 tpm2_startsession() {
+ TRACE "Under /bin/tpmr:tpm2_startsession"
 mkdir -p "$SECRET_DIR"
 tpm2 flushcontext \
 --transient-object \
@@ -119,6 +133,7 @@ tpm2_startsession() {
 }
 
 tpm2_sealfile() {
+ TRACE "Under /bin/tpmr:tpm2_sealfile"
 #TODO remove this: tpmr seal "$KEY_FILE" "0x8100000$TPM_INDEX" sha256:0,1,2,3,4,5,6,7 "$pcrf" "$key_password"
 file="$1" #$KEY_FILE
 handle="$2" # 0x8100000$TPM_INDEX
@@ -127,6 +142,7 @@ tpm2_sealfile() {
 pass="$5"
 mkdir -p "$SECRET_DIR"
 bname="`basename $file`"
+ DEBUG "tpm2 createpolicy --policy-pcr -l "$pcrl" -f "$pcrf" -L "$SECRET_DIR/pcr.policy""
 tpm2 createpolicy --policy-pcr -l "$pcrl" -f "$pcrf" -L "$SECRET_DIR/pcr.policy"
 if [ "$pass" ];then
 echo -n "$pass" | tpm2 create -C "/tmp/$PRIMARY_HANDLE_FILE" -i "$file" -u "$SECRET_DIR/$bname.priv" -r "$SECRET_DIR/$bname.pub" -L "$SECRET_DIR/pcr.policy" -S "/tmp/$DEC_SESSION_FILE" -p "file:-"
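Review bot: Replacing `exec tpm2 pcrread "sha256:$index"` with a plain call followed by `DEBUG "$(pcrs)"` changes what tpm2_extend reports: the function's status is now that of the trailing DEBUG call, which is 0 whenever debug output is off (a false `if` with no else yields 0) or the tee pipeline succeeds, so a failing `tpm2 pcrread` is no longer visible to whoever invoked `tpmr extend`, assuming the dispatcher's status propagates as it did with `exec`. In addition `$(pcrs)` is expanded on every extend regardless of `CONFIG_DEBUG_OUTPUT`, which means an extra full PCR read per measurement, and the message `tpm2 pcread` misspells `pcrread`. Capture the pcrread status, gate the PCR dump, and return the status explicitly, as below; the option-parsing loop above is unchanged.
```shell
	# … unchanged: option parsing loop …
	DEBUG "tpm2 pcrextend $index:sha256=$hash"
	tpm2 pcrextend "$index:sha256=$hash"
	DEBUG "tpm2 pcrread sha256:$index"
	tpm2 pcrread "sha256:$index"
	rv=$?
	# read all PCRs only when the output is actually going to be logged
	if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
		DEBUG "$(pcrs)"
	fi
	# report the pcrread status, as the former exec did
	return $rv
```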
@@ -141,11 +157,12 @@ tpm2_sealfile() {
 }
 
 tpm2_unseal() {
+ TRACE "Under /bin/tpmr:tpm2_unseal"
 #TODO: remove this: tpmr unseal "0x8100000$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "file:-" > "$key_file"
 handle="$1"
 pcrl="$2"
 pass="$3"
- echo "debug handle: $handle prcl: $pcrl pass: $pass" >/dev/console
+ DEBUG "handle: $handle prcl: $pcrl pass: $pass"
 if [ "$pass" ];then
 echo -n "$pass" | tpm2 unseal -c "$handle" -S "/tmp/$ENC_SESSION_FILE" -p "pcr:$pcrl+file:-"
 else
@@ -154,6 +171,7 @@ tpm2_unseal() {
 }
 
 tpm2_reset() {
+ TRACE "Under /bin/tpmr:tpm2_reset"
 key_password="$1"
 mkdir -p "$SECRET_DIR"
 tpm2 clear -c platform || warn "Unable to clear TPM on platform hierarchy!"
diff --git a/initrd/etc/functions b/initrd/etc/functions
index 3591b056..b16ac27d 100755
--- a/initrd/etc/functions
+++ b/initrd/etc/functions
@@ -14,13 +14,13 @@ warn() {
 
 DEBUG() {
 if [ "$CONFIG_DEBUG_OUTPUT" = "y" ];then
- echo >&2 "DEBUG: $*";
+ echo "DEBUG: $*" | tee -a /tmp/debug.log >&2;
 fi
 }
 
 TRACE() {
 if [ "$CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" = "y" ];then
- echo >&2 "TRACE: $*";
+ echo "TRACE: $*" | tee -a /tmp/debug.log >&2;
 fi
 }
 
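Review bot: DEBUG() and TRACE() now persist every argument to `/tmp/debug.log` for the rest of the boot, but nothing in the helpers tells a caller that, and elsewhere in this patch they are handed passphrases (see the note on the kexec-seal-key hunk). Add a header comment above `DEBUG()` such as `# Prints to stderr and appends to /tmp/debug.log when CONFIG_DEBUG_OUTPUT=y; never pass secrets (passphrases, key material) as arguments` and the equivalent above `TRACE()`. Separately, `echo "DEBUG: $*"` hands the message to echo, which in some implementations interprets a leading `-n`/`-e` or backslash sequences instead of printing them; `printf '%s\n' "DEBUG: $*" | tee -a /tmp/debug.log >&2` writes the message verbatim, and the same applies to the TRACE line.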