diff --git a/initrd/bin/cbfs-init b/initrd/bin/cbfs-init index c54991f4..d89effe5 100755 --- a/initrd/bin/cbfs-init +++ b/initrd/bin/cbfs-init @@ -17,12 +17,12 @@ for cbfsname in `echo $cbfsfiles`; do if [ ! -z "$filename" ]; then mkdir -p `dirname $filename` \ || die "$filename: mkdir failed" - echo "Extracting CBFS file $cbfsname into $filename" + LOG "Extracting CBFS file $cbfsname into $filename" cbfs -t 50 $CBFS_ARG -r $cbfsname > "$filename" \ || die "$filename: cbfs file read failed" if [ "$CONFIG_TPM" = "y" ]; then TRACE_FUNC - echo "TPM: Extending PCR[$CONFIG_PCR] with $filename" + LOG "TPM: Extending PCR[$CONFIG_PCR] with filename $filename and then its content" # Measure both the filename and its content. This # ensures that renaming files or pivoting file content # will still affect the resulting PCR measurement. @@ -32,5 +32,3 @@ for cbfsname in `echo $cbfsfiles`; do fi fi done - -# TODO: copy CBFS file named "heads/initrd.tgz" to /tmp, measure and extract diff --git a/initrd/bin/kexec-insert-key b/initrd/bin/kexec-insert-key index 0028e348..ca5db6a5 100755 --- a/initrd/bin/kexec-insert-key +++ b/initrd/bin/kexec-insert-key @@ -66,7 +66,7 @@ fi # Override PCR 4 so that user can't read the key TRACE_FUNC -echo "TPM: Extending PCR[4] to prevent any future secret unsealing" +LOG "TPM: Extending PCR[4] to prevent any future secret unsealing" tpmr extend -ix 4 -ic generic || die 'Unable to scramble PCR' diff --git a/initrd/bin/kexec-select-boot b/initrd/bin/kexec-select-boot index b3b55c30..bdda8aaf 100755 --- a/initrd/bin/kexec-select-boot +++ b/initrd/bin/kexec-select-boot @@ -385,7 +385,7 @@ while true; do if [ ! -r "$TMP_KEY_DEVICES" ]; then # Extend PCR4 as soon as possible TRACE_FUNC - DEBUG "TPM: Extending PCR[4] to prevent further secret unsealing" + LOG "TPM: Extending PCR[4] to prevent further secret unsealing" tpmr extend -ix 4 -ic generic || die "Failed to extend TPM PCR[4]" fi diff --git a/initrd/bin/qubes-measure-luks b/initrd/bin/qubes-measure-luks index bef6fb10..cc94c9c8 100755 --- a/initrd/bin/qubes-measure-luks +++ b/initrd/bin/qubes-measure-luks @@ -20,6 +20,6 @@ DEBUG "Removing /tmp/lukshdr-*" rm /tmp/lukshdr-* TRACE_FUNC -echo "TPM: Extending PCR[6] with hash of LUKS headers from /tmp/luksDump.txt" +LOG "TPM: Extending PCR[6] with hash of LUKS headers from /tmp/luksDump.txt" tpmr extend -ix 6 -if /tmp/luksDump.txt || die "Unable to extend PCR" diff --git a/initrd/bin/tpmr b/initrd/bin/tpmr index 78b71ea1..5adb4825 100755 --- a/initrd/bin/tpmr +++ b/initrd/bin/tpmr @@ -258,7 +258,7 @@ tpm2_extend() { esac done tpm2 pcrextend "$index:sha256=$hash" - tpm2 pcrread "sha256:$index" + LOG $(tpm2 pcrread "sha256:$index" 2>&1) TRACE_FUNC DEBUG "TPM: Extended PCR[$index] with hash $hash" @@ -786,7 +786,7 @@ if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then fi TRACE_FUNC - DEBUG "TPM: Extending PCR[$3] with hash $hash" + LOG "TPM: Extending PCR[$3] with hash $hash" DO_WITH_DEBUG exec tpm "$@" ;; seal) @@ -828,7 +828,7 @@ calcfuturepcr) ;; extend) TRACE_FUNC - DEBUG "TPM: Extending PCR[$2] with $4" + LOG "TPM: Extending PCR[$2] with $4" tpm2_extend "$@" ;; counter_read) diff --git a/initrd/etc/ash_functions b/initrd/etc/ash_functions index bf2e3289..735c8760 100644 --- a/initrd/etc/ash_functions +++ b/initrd/etc/ash_functions @@ -39,7 +39,16 @@ TRACE() { # Write directly to the debug log (but not kmsg), never appears on console LOG() { - echo "LOG: $*" >>/tmp/debug.log + # if not CONFIG_QUIET_MODE=y, output to console. If not, output to debug.log + if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then + DEBUG "$*" + elif [ "$CONFIG_QUIET_MODE" = "y" ]; then + # if in quiet mode, output solely to debug.log + echo "$*" >> /tmp/debug.log + else + # if not in quiet mode, output to console + echo "$*" + fi } fw_version() { @@ -241,7 +250,7 @@ recovery() { DEBUG "Board $CONFIG_BOARD - version $(fw_version)" if [ "$CONFIG_TPM" = "y" ]; then - echo "TPM: Extending PCR[4] to prevent any further secret unsealing" + LOG "TPM: Extending PCR[4] to prevent any further secret unsealing" tpmr extend -ix 4 -ic recovery fi diff --git a/initrd/sbin/insmod b/initrd/sbin/insmod index 359bf68f..95e2303c 100755 --- a/initrd/sbin/insmod +++ b/initrd/sbin/insmod @@ -39,19 +39,19 @@ if [ ! -r /sys/class/tpm/tpm0/pcrs -o ! -x /bin/tpm ]; then fi if [ -z "$tpm_missing" ]; then - echo "TPM: Extending PCR[$MODULE_PCR] with $MODULE and parameters '$*' before loading" + LOG "TPM: Extending PCR[$MODULE_PCR] with $MODULE and parameters '$*' before loading" # Extend with the module parameters (even if they are empty) and the # module. Changing the parameters or the module content will result in a # different PCR measurement. if [ -n "$*" ]; then TRACE_FUNC - DEBUG "Extending with module parameters and the module's content" + LOG "Extending with module parameters and the module's content" tpmr extend -ix "$MODULE_PCR" -ic "$*" tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \ || die "$MODULE: tpm extend failed" else TRACE_FUNC - DEBUG "No module parameters, extending only with the module's content" + LOG "No module parameters, extending only with the module's content" tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \ || die "$MODULE: tpm extend failed" fi