WiP: adapt dmesg depending on whether CONFIG_DEBUG_OUTPUT is enabled, and adapt further troubleshooting notes in code for when keys cannot be accessed on media for whatever cause, so the user can understand what is happening when accessing GPG material on the backup thumb drive

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Thierry Laurion 2023-10-20 16:20:17 -04:00
parent eceb97aa4d
commit 1f28c71447
No known key found for this signature in database
GPG Key ID: E7B4A71658E36A93
4 changed files with 16 additions and 5 deletions


@ -10,9 +10,12 @@ export CONFIG_LINUX_VERSION=5.10.5
#export CONFIG_RESTRICTED_BOOT=y
#export CONFIG_BASIC=y
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config
CONFIG_LINUX_CONFIG=config/linux-qemu.config


@ -14,8 +14,8 @@ export CONFIG_LINUX_VERSION=5.10.5
export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config
CONFIG_LINUX_CONFIG=config/linux-qemu.config


@ -103,7 +103,7 @@ confirm_gpg_card() {
warn "Please select encrypted LUKS on GPG key material backup thumb drive (not public labeled one)"
mount-usb --pass "$gpg_admin_pin" || die "Unable to mount USB with GPG Admin PIN"
echo "++++ Testing detach-sign operation and verifiying against fused public key in ROM"
gpg --pinentry-mode=loopback --passphrase-file <(echo -n "${gpg_admin_pin}") --import /media/subkeys.sec >/dev/null 2>&1 ||
gpg --pinentry-mode=loopback --passphrase-file <(echo -n "${gpg_admin_pin}") --import /media/subkeys.sec ||
die "Unable to import GPG private subkeys"
#Do a detach signature to ensure gpg material is usable and cache passphrase to sign /boot from caller functions
dd if=/dev/urandom of="$CR_NONCE" bs=20 count=1 >/dev/null 2>&1 ||
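Review bot: The passphrase is fed to gpg with `echo -n "${gpg_admin_pin}"`, and `echo` treats an argument that looks like one of its own options (a PIN of `-e` or `-n`, for example) as an option, so such a PIN would reach `--passphrase-file` empty or altered; `printf '%s' "${gpg_admin_pin}"` inside the process substitution passes it through unchanged. This applies to the `gpg ... --import /media/subkeys.sec` line, which is printed twice here; the variant without `>/dev/null 2>&1` looks like the new side, and it usefully lets gpg's own diagnostics reach the user. Now that the import can fail visibly, the `die` text could also name the file, e.g. `die "Unable to import GPG private subkeys from /media/subkeys.sec"`. confirm_gpg_card starts before the hunk and the `dd ... ||` statement continues past it.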


@ -60,6 +60,14 @@ if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
#DEBUG and TRACE calls will output to /dev/kmsg, outputting both on dmesg and on console
dmesg -n 8 || true
DEBUG "Debug output enabled from board CONFIG_DEBUG_OUTPUT=y option (/etc/config)"
else
# Board config did't have CONFIG_DEBUG_OUTPUT=y defined
# config.user extracted and combined from CBFS had CONFIG_DEBUG_OUTPUT=y
# Output only print messages with a priority of 4 (warnings) or lower (errors and critical) kernel messages to console
# This way, "debug" kernel command line option will have all kernel messages output on console prior of this point
# This is useful to debug boot issues but permits qemu board to boot without flooding console with kernel messages by disabling CONFIG_DEBUG_OUTPUT=y in qemu board config
dmesg -n 4 || true
DEBUG "Debug output enabled from /etc/config.user's CONFIG_DEBUG_OUTPUT=y after combine_configs (Config menu enabled Debug)"
fi
TRACE "Under init"
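Review bot: The `DEBUG` line added in the `else` branch reports that debug output was enabled from /etc/config.user, but this branch appears to run when `CONFIG_DEBUG_OUTPUT` is not `y` (assuming the `else` pairs with the `if` shown in the hunk header), so the message and the two comment lines opening the branch contradict the condition. A comment such as `# CONFIG_DEBUG_OUTPUT is not enabled: limit console output to error-level and more severe kernel messages` would match what the branch does, and the `DEBUG` call could be dropped or reworded. The comment on `dmesg -n 4` also looks off by one: a console log level of N lets through messages whose priority is numerically below N, so 4 shows errors and more severe but not warnings; use `dmesg -n 5` if warnings are wanted on the console, or correct the comment. The `if` block starts outside the hunk.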