initrd bin/* sbin/insmod + /etc/ash_functions: TPM extend operations now all passed to LOG (quiet mode doesn't show them and logs them to /tmp/debug.log)

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Thierry Laurion 2024-11-27 10:38:37 -05:00
parent 496d93031e
commit 1f029123e9
GPG Key ID: 9A53E1BB3FF00461
7 changed files with 22 additions and 15 deletions


@ -17,12 +17,12 @@ for cbfsname in `echo $cbfsfiles`; do
if [ ! -z "$filename" ]; then
mkdir -p `dirname $filename` \
|| die "$filename: mkdir failed"
echo "Extracting CBFS file $cbfsname into $filename"
LOG "Extracting CBFS file $cbfsname into $filename"
cbfs -t 50 $CBFS_ARG -r $cbfsname > "$filename" \
|| die "$filename: cbfs file read failed"
if [ "$CONFIG_TPM" = "y" ]; then
TRACE_FUNC
echo "TPM: Extending PCR[$CONFIG_PCR] with $filename"
LOG "TPM: Extending PCR[$CONFIG_PCR] with filename $filename and then its content"
# Measure both the filename and its content. This
# ensures that renaming files or pivoting file content
# will still affect the resulting PCR measurement.
@ -32,5 +32,3 @@ for cbfsname in `echo $cbfsfiles`; do
fi
fi
done
# TODO: copy CBFS file named "heads/initrd.tgz" to /tmp, measure and extract


@ -66,7 +66,7 @@ fi
# Override PCR 4 so that user can't read the key
TRACE_FUNC
echo "TPM: Extending PCR[4] to prevent any future secret unsealing"
LOG "TPM: Extending PCR[4] to prevent any future secret unsealing"
tpmr extend -ix 4 -ic generic ||
die 'Unable to scramble PCR'


@ -385,7 +385,7 @@ while true; do
if [ ! -r "$TMP_KEY_DEVICES" ]; then
# Extend PCR4 as soon as possible
TRACE_FUNC
DEBUG "TPM: Extending PCR[4] to prevent further secret unsealing"
LOG "TPM: Extending PCR[4] to prevent further secret unsealing"
tpmr extend -ix 4 -ic generic ||
die "Failed to extend TPM PCR[4]"
fi


@ -20,6 +20,6 @@ DEBUG "Removing /tmp/lukshdr-*"
rm /tmp/lukshdr-*
TRACE_FUNC
echo "TPM: Extending PCR[6] with hash of LUKS headers from /tmp/luksDump.txt"
LOG "TPM: Extending PCR[6] with hash of LUKS headers from /tmp/luksDump.txt"
tpmr extend -ix 6 -if /tmp/luksDump.txt ||
die "Unable to extend PCR"


@ -258,7 +258,7 @@ tpm2_extend() {
esac
done
tpm2 pcrextend "$index:sha256=$hash"
tpm2 pcrread "sha256:$index"
LOG $(tpm2 pcrread "sha256:$index" 2>&1)
TRACE_FUNC
DEBUG "TPM: Extended PCR[$index] with hash $hash"
@ -786,7 +786,7 @@ if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
fi
TRACE_FUNC
DEBUG "TPM: Extending PCR[$3] with hash $hash"
LOG "TPM: Extending PCR[$3] with hash $hash"
DO_WITH_DEBUG exec tpm "$@"
;;
seal)
@ -828,7 +828,7 @@ calcfuturepcr)
;;
extend)
TRACE_FUNC
DEBUG "TPM: Extending PCR[$2] with $4"
LOG "TPM: Extending PCR[$2] with $4"
tpm2_extend "$@"
;;
counter_read)
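Review bot: The new `LOG $(tpm2 pcrread "sha256:$index" 2>&1)` in the tpm2_extend hunk leaves the command substitution unquoted, so pcrread's multi-line output is word-split and glob-expanded before LOG sees it; quote it: `LOG "$(tpm2 pcrread "sha256:$index" 2>&1)"`. Wrapping the call in a substitution also discards pcrread's exit status, and merging stderr means a failed read is logged as if it were a PCR value; if the read is meant to confirm the extend, capture it separately, e.g. `pcr_state=$(tpm2 pcrread "sha256:$index" 2>&1) || LOG "TPM: pcrread of PCR[$index] failed"` followed by `LOG "$pcr_state"`. The LOG helper changed in this commit prefixes only the first line of a multi-line message with `LOG:`, so the remaining lines of pcrread's output will appear unprefixed in /tmp/debug.log. tpm2_extend starts before this hunk.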


@ -39,7 +39,16 @@ TRACE() {
# Write directly to the debug log (but not kmsg), never appears on console
LOG() {
echo "LOG: $*" >>/tmp/debug.log
# if not CONFIG_QUIET_MODE=y, output to console. If not, output to debug.log
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
DEBUG "$*"
elif [ "$CONFIG_QUIET_MODE" = "y" ]; then
# if in quiet mode, output solely to debug.log
echo "$*" >> /tmp/debug.log
else
# if not in quiet mode, output to console
echo "$*"
fi
}
fw_version() {
@ -241,7 +250,7 @@ recovery() {
DEBUG "Board $CONFIG_BOARD - version $(fw_version)"
if [ "$CONFIG_TPM" = "y" ]; then
echo "TPM: Extending PCR[4] to prevent any further secret unsealing"
LOG "TPM: Extending PCR[4] to prevent any further secret unsealing"
tpmr extend -ix 4 -ic recovery
fi
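Review bot: In the LOG() hunk at the top of this section, quiet mode now appends each message to /tmp/debug.log twice: once unconditionally as `LOG: $*` on the function's first line, and again bare in the `elif [ "$CONFIG_QUIET_MODE" = "y" ]` branch. Dropping that branch and keeping only the console case, `elif [ "$CONFIG_QUIET_MODE" != "y" ]; then echo "$*"; fi`, gives one entry per call; if DEBUG also writes to /tmp/debug.log (not visible here), the CONFIG_DEBUG_OUTPUT branch duplicates the entry in the same way. The header comment `# Write directly to the debug log (but not kmsg), never appears on console` is no longer accurate once the non-quiet branch echoes to stdout, and the in-body comment `# if not CONFIG_QUIET_MODE=y, output to console. If not, output to debug.log` reads as a double negative; suggest replacing both with `# Always recorded in /tmp/debug.log; also echoed to the console unless CONFIG_QUIET_MODE=y (routed through DEBUG when CONFIG_DEBUG_OUTPUT=y)`.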


@ -39,19 +39,19 @@ if [ ! -r /sys/class/tpm/tpm0/pcrs -o ! -x /bin/tpm ]; then
fi
if [ -z "$tpm_missing" ]; then
echo "TPM: Extending PCR[$MODULE_PCR] with $MODULE and parameters '$*' before loading"
LOG "TPM: Extending PCR[$MODULE_PCR] with $MODULE and parameters '$*' before loading"
# Extend with the module parameters (even if they are empty) and the
# module. Changing the parameters or the module content will result in a
# different PCR measurement.
if [ -n "$*" ]; then
TRACE_FUNC
DEBUG "Extending with module parameters and the module's content"
LOG "Extending with module parameters and the module's content"
tpmr extend -ix "$MODULE_PCR" -ic "$*"
tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \
|| die "$MODULE: tpm extend failed"
else
TRACE_FUNC
DEBUG "No module parameters, extending only with the module's content"
LOG "No module parameters, extending only with the module's content"
tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \
|| die "$MODULE: tpm extend failed"
fi
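Review bot: The parameter measurement `tpmr extend -ix "$MODULE_PCR" -ic "$*"` directly below the new `LOG "Extending with module parameters and the module's content"` has no failure check, unlike the content measurement on the following line, so a failed extend would let the module load with PCR[$MODULE_PCR] not reflecting its parameters. This is unchanged context, but since the commit rewrites the line above it, appending `|| die "$MODULE: tpm extend of parameters failed"` here would make the two measurements fail the same way. The enclosing `if [ -z "$tpm_missing" ]` block closes outside the hunk.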