All TPM Extend additional context passed from console echo output to DEBUG. Put back console output as of master. TODO: decide what we do with tpmr extend output for the future. Hint: forward sealing of next flashed firmware measurements.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2025-01-18 10:46:44 +00:00 · 2023-11-06 15:53:17 -05:00 · 2023-11-06 15:53:17 -05:00 · 388ee5198b
commit 388ee5198b
parent fd6a947cb3
6 changed files with 8 additions and 10 deletions
--- a/initrd/bin/cbfs-init
+++ b/initrd/bin/cbfs-init
@ -24,7 +24,7 @@ for cbfsname in `echo $cbfsfiles`; do
 			TMPFILE=/tmp/cbfs.$$
 			echo "$filename" > $TMPFILE
 			cat $filename >> $TMPFILE
-			echo " !!!!! Extending TPM PCR $CONFIG_PCR with $filename !!!!!"
+			DEBUG "Extending TPM PCR $CONFIG_PCR with $filename"
 			tpmr extend -ix "$CONFIG_PCR" -if $TMPFILE \
 			|| die "$filename: tpm extend failed"
 		fi
--- a/initrd/bin/kexec-insert-key
+++ b/initrd/bin/kexec-insert-key
@ -49,7 +49,7 @@ if ! kexec-unseal-key "$INITRD_DIR/secret.key"; then
 fi

 # Override PCR 4 so that user can't read the key
-echo " !!!!! Extending TPM PCR 4 to prevent further secret unsealing !!!!!"
+DEBUG "Extending TPM PCR 4 to prevent further secret unsealing"
 tpmr extend -ix 4 -ic generic ||
 	die 'Unable to scramble PCR'

--- a/initrd/bin/kexec-select-boot
+++ b/initrd/bin/kexec-select-boot
@ -381,7 +381,7 @@ while true; do
 	if [ "$CONFIG_TPM" = "y" ]; then
 		if [ ! -r "$TMP_KEY_DEVICES" ]; then
 			# Extend PCR4 as soon as possible
-			echo " !!!!! Extending TPM PCR 4 to prevent further secret unsealing !!!!!"
+			DEBUG "Extending TPM PCR 4 to prevent further secret unsealing"
 			tpmr extend -ix 4 -ic generic ||
 				die "Failed to extend PCR 4"
 		fi
--- a/initrd/bin/qubes-measure-luks
+++ b/initrd/bin/qubes-measure-luks
@ -19,6 +19,6 @@ sha256sum /tmp/lukshdr-* >/tmp/luksDump.txt || die "Unable to hash LUKS headers"
 DEBUG "Removing /tmp/lukshdr-*"
 rm /tmp/lukshdr-*

-echo " !!!! Extending PCR 6 with hash of LUKS headers from /tmp/luksDump.txt !!!!"
+DEBUG "Extending TPM PCR 6 with hash of LUKS headers from /tmp/luksDump.txt"
 tpmr extend -ix 6 -if /tmp/luksDump.txt ||
 	die "Unable to extend PCR"
--- a/initrd/etc/ash_functions
+++ b/initrd/etc/ash_functions
@ -227,7 +227,7 @@ recovery() {
 	. /tmp/config

 	if [ "$CONFIG_TPM" = "y" ]; then
-		echo " !!!!! Extending TPM PCR 4 for recovery shell access !!!!!"
+		DEBUG "Extending TPM PCR 4 for recovery shell access"
 		tpmr extend -ix 4 -ic recovery
 	fi

--- a/initrd/sbin/insmod
+++ b/initrd/sbin/insmod
@ -30,18 +30,16 @@ if [ ! -r /sys/class/tpm/tpm0/pcrs -o ! -x /bin/tpm ]; then
 fi

 if [ -z "$tpm_missing" ]; then
-	echo
-	echo " !!!!! Extending TPM PCR $MODULE_PCR with $MODULE prior of usage !!!!!"
+	DEBUG "Extending TPM PCR $MODULE_PCR with $MODULE prior of usage"
 	tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \
 	|| die "$MODULE: tpm extend failed"
 fi

 if [ ! -z "$*" -a -z "$tpm_missing" ]; then
-	DEBUG "Extending PCR $MODULE_PCR with $*"
+	DEBUG "Extending TPM PCR $MODULE_PCR with $*"
 	TMPFILE=/tmp/insmod.$$
 	echo "$@" > $TMPFILE
-	echo
-	echo " !!!!! Extending TPM PCR $MODULE_PCR with $MODULE prior of usage !!!!!"
+	DEBUG "Extending TPM PCR $MODULE_PCR with $MODULE prior of usage"
 	tpmr extend -ix "$MODULE_PCR" -if $TMPFILE \
 	|| die "$MODULE: tpm extend on arguments failed"
 fi