From 1f28c7144756f4a6a8c2b4ac830939306b16157d Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Fri, 20 Oct 2023 16:20:17 -0400
Subject: [PATCH] WiP: adapt dmesg in function of CONFIG_DEBUG_OUTPUT being enabled or not so and adapt further troubleshooting notes in code when keys cannot be accessed on media for whatever cause so user can understand what is happening when accessing GPG material on backup thumb drive
Signed-off-by: Thierry Laurion
---
 .../qemu-coreboot-fbwhiptail-tpm1.config | 7 +++++--
 .../qemu-coreboot-whiptail-tpm1.config | 4 ++--
 initrd/etc/ash_functions | 2 +-
 initrd/init | 8 ++++++++
 4 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config b/boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config
index 94f543fd..f494f2b0 100644
--- a/boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config
+++ b/boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config
@@ -10,9 +10,12 @@ export CONFIG_LINUX_VERSION=5.10.5
 #export CONFIG_RESTRICTED_BOOT=y
 #export CONFIG_BASIC=y
+#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
+export CONFIG_HAVE_GPG_KEY_BACKUP=y
 #Enable DEBUG output
-export CONFIG_DEBUG_OUTPUT=y
-export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
+#export CONFIG_DEBUG_OUTPUT=y
+#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config
 CONFIG_LINUX_CONFIG=config/linux-qemu.config
diff --git a/boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config b/boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config
index 25de9fbb..bc485944 100644
--- a/boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config
+++ b/boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config
@@ -14,8 +14,8 @@ export CONFIG_LINUX_VERSION=5.10.5
 export CONFIG_HAVE_GPG_KEY_BACKUP=y
 #Enable DEBUG output
-export CONFIG_DEBUG_OUTPUT=y
-export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
+#export CONFIG_DEBUG_OUTPUT=y
+#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config
 CONFIG_LINUX_CONFIG=config/linux-qemu.config
diff --git a/initrd/etc/ash_functions b/initrd/etc/ash_functions
index 5c140531..7703bc5c 100644
--- a/initrd/etc/ash_functions
+++ b/initrd/etc/ash_functions
@@ -103,7 +103,7 @@ confirm_gpg_card() {
 warn "Please select encrypted LUKS on GPG key material backup thumb drive (not public labeled one)"
 mount-usb --pass "$gpg_admin_pin" || die "Unable to mount USB with GPG Admin PIN"
 echo "++++ Testing detach-sign operation and verifiying against fused public key in ROM"
- gpg --pinentry-mode=loopback --passphrase-file <(echo -n "${gpg_admin_pin}") --import /media/subkeys.sec >/dev/null 2>&1 ||
+ gpg --pinentry-mode=loopback --passphrase-file <(echo -n "${gpg_admin_pin}") --import /media/subkeys.sec ||
 die "Unable to import GPG private subkeys"
 #Do a detach signature to ensure gpg material is usable and cache passphrase to sign /boot from caller functions
 dd if=/dev/urandom of="$CR_NONCE" bs=20 count=1 >/dev/null 2>&1 ||
diff --git a/initrd/init b/initrd/init
index 2acd93fe..a9297c23 100755
--- a/initrd/init
+++ b/initrd/init
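Review bot: In the `initrd/etc/ash_functions` hunk, dropping `>/dev/null 2>&1` from the `gpg --import` line makes gpg print its import status on every successful run as well, not only when the import fails, so the diagnostic the commit wants arrives mixed into the normal flow right after the `++++ Testing detach-sign` banner. Capturing the output and showing it only on failure keeps the troubleshooting value without the noise, e.g. `gpg_out=$(gpg ... --import /media/subkeys.sec 2>&1) || die "Unable to import GPG private subkeys: $gpg_out"`. On the same line, `echo -n "${gpg_admin_pin}"` can swallow a PIN that consists only of echo option letters after a leading dash; `printf '%s' "${gpg_admin_pin}"` passes any PIN through unchanged. confirm_gpg_card starts and ends outside the hunk, so how its callers render this output is not visible here.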
@@ -60,6 +60,14 @@ if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
 #DEBUG and TRACE calls will output to /dev/kmsg, outputting both on dmesg and on console
 dmesg -n 8 || true
 DEBUG "Debug output enabled from board CONFIG_DEBUG_OUTPUT=y option (/etc/config)"
+else
+ # Board config did't have CONFIG_DEBUG_OUTPUT=y defined
+ # config.user extracted and combined from CBFS had CONFIG_DEBUG_OUTPUT=y
+ # Output only print messages with a priority of 4 (warnings) or lower (errors and critical) kernel messages to console
+ # This way, "debug" kernel command line option will have all kernel messages output on console prior of this point
+ # This is useful to debug boot issues but permits qemu board to boot without flooding console with kernel messages by disabling CONFIG_DEBUG_OUTPUT=y in qemu board config
+ dmesg -n 4 || true
+ DEBUG "Debug output enabled from /etc/config.user's CONFIG_DEBUG_OUTPUT=y after combine_configs (Config menu enabled Debug)"
 fi
 TRACE "Under init"
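Review bot: The new `else` branch runs only when `CONFIG_DEBUG_OUTPUT` is not `y`, yet its first two comment lines and its `DEBUG` message both say debug output was enabled from `/etc/config.user`, which is the opposite of the state that reaches this branch. If `DEBUG` is itself gated on `CONFIG_DEBUG_OUTPUT` (not visible in this hunk), the message never prints at all. I would reword the comment to something like `# CONFIG_DEBUG_OUTPUT is not enabled at this point: quiet the console` and move the `DEBUG` line to wherever the config.user value is actually detected. Separately, the console level is exclusive: `dmesg -n 4` lets through priorities 0–3 (errors and above) and hides warnings, so if warnings should stay visible as the comment says, the line should be `dmesg -n 5 || true`. The `if` this branch belongs to opens on the line above the hunk.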