ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-18 20:47:55 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

all scripts: replace TRACE manual strings with dynamic tracing by bash debug

Browse Source 
Exception: scripts sourcing/calls within etc/ash_functions continues to use old TRACE functions until we switch to bash completely getting rid of ash.
This would mean getting rid of legacy boards (flash + legacy boards which do not have enough space for bash in flash boards) once and for all.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This commit is contained in:
Thierry Laurion 2024-02-01 14:30:31 -05:00
parent 5a75e6bffa
commit 40c34453df
No known key found for this signature in database
GPG Key ID: 9A53E1BB3FF00461
43 changed files with 167 additions and 146 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
initrd/bin/cbfs-init
View File

@ -2,7 +2,7 @@
set -e -o pipefail set -e -o pipefail
. /etc/functions . /etc/functions
TRACE "Under /bin/cbfs-init" TRACE_FUNC
# Update initrd with CBFS files # Update initrd with CBFS files
if [ -z "$CONFIG_PCR" ]; then if [ -z "$CONFIG_PCR" ]; then

2
initrd/bin/cbfs.sh
View File

@ -3,7 +3,7 @@ set -e -o pipefail
. /etc/functions . /etc/functions
. /tmp/config . /tmp/config
TRACE "Under /bin/cbfs.sh" TRACE_FUNC
if pnor "$2" -r HBI > /tmp/pnor.part 2>/dev/null; then if pnor "$2" -r HBI > /tmp/pnor.part 2>/dev/null; then
cbfs "$@" -o /tmp/pnor.part && pnor "$2" -w HBI < /tmp/pnor.part cbfs "$@" -o /tmp/pnor.part && pnor "$2" -w HBI < /tmp/pnor.part

2
initrd/bin/config-gui.sh
View File

@ -5,7 +5,7 @@ set -e -o pipefail
. /etc/gui_functions . /etc/gui_functions
. /tmp/config . /tmp/config
TRACE "Under /bin/config-gui.sh" TRACE_FUNC
ROOT_HASH_FILE="/boot/kexec_root_hashes.txt" ROOT_HASH_FILE="/boot/kexec_root_hashes.txt"

2
initrd/bin/flash-gui.sh
View File

@ -5,7 +5,7 @@ set -e -o pipefail
. /etc/gui_functions . /etc/gui_functions
. /tmp/config . /tmp/config
TRACE "Under /bin/flash-gui.sh" TRACE_FUNC
if [ "$CONFIG_RESTRICTED_BOOT" = y ]; then if [ "$CONFIG_RESTRICTED_BOOT" = y ]; then
whiptail $BG_COLOR_ERROR --title 'Restricted Boot Active' \ whiptail $BG_COLOR_ERROR --title 'Restricted Boot Active' \

2
initrd/bin/flashrom-kgpe-d16-openbmc.sh
View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
. /etc/functions . /etc/functions
TRACE "Under /bin/flashrom-kgpe-d16-openbmc.sh" TRACE_FUNC
ROM="$1" ROM="$1"
if [ -z "$1" ]; then if [ -z "$1" ]; then

2
initrd/bin/generic-init
View File

@ -6,7 +6,7 @@
mount_boot() mount_boot()
{ {
TRACE "Under /bin/generic-init:mount_boot" TRACE_FUNC
# Mount local disk if it is not already mounted # Mount local disk if it is not already mounted
if ! grep -q /boot /proc/mounts ; then if ! grep -q /boot /proc/mounts ; then
mount -o ro /boot \ mount -o ro /boot \

2
initrd/bin/gpg-gui.sh
View File

@ -5,7 +5,7 @@ set -e -o pipefail
. /etc/gui_functions . /etc/gui_functions
. /tmp/config . /tmp/config
TRACE "Under /bin/gpg-gui.sh" TRACE_FUNC
gpg_flash_rom() { gpg_flash_rom() {
if [ "$1" = "replace" ]; then if [ "$1" = "replace" ]; then

2
initrd/bin/gpgv
View File

@ -2,5 +2,5 @@
# if we are using the full GPG we need a wrapper for the gpgv executable # if we are using the full GPG we need a wrapper for the gpgv executable
. /etc/functions . /etc/functions
TRACE "Under /bin/gpgv" TRACE_FUNC
exec gpg --verify "$@" exec gpg --verify "$@"

40
initrd/bin/gui-init
View File

@ -18,7 +18,7 @@ skip_to_menu="false"
mount_boot() mount_boot()
{ {
TRACE "Under /bin/gui-init:mount_boot" TRACE_FUNC
# Mount local disk if it is not already mounted # Mount local disk if it is not already mounted
while ! grep -q /boot /proc/mounts ; do while ! grep -q /boot /proc/mounts ; do
# try to mount if CONFIG_BOOT_DEV exists # try to mount if CONFIG_BOOT_DEV exists
@ -64,7 +64,7 @@ mount_boot()
verify_global_hashes() verify_global_hashes()
{ {
TRACE "Under /bin/gui-init:verify_global_hashes" TRACE_FUNC
# Check the hashes of all the files, ignoring signatures for now # Check the hashes of all the files, ignoring signatures for now
check_config /boot force check_config /boot force
TMP_HASH_FILE="/tmp/kexec/kexec_hashes.txt" TMP_HASH_FILE="/tmp/kexec/kexec_hashes.txt"
@ -139,7 +139,7 @@ verify_global_hashes()
prompt_update_checksums() prompt_update_checksums()
{ {
TRACE "Under /bin/gui-init:prompt_update_checksums" TRACE_FUNC
if (whiptail $BG_COLOR_WARNING --title 'Update Checksums and sign all files in /boot' \ if (whiptail $BG_COLOR_WARNING --title 'Update Checksums and sign all files in /boot' \
--yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that these files have not been tampered with.\n\nYou will need your GPG key available, and this change will modify your disk.\n\nDo you want to continue?" 0 80) then --yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that these files have not been tampered with.\n\nYou will need your GPG key available, and this change will modify your disk.\n\nDo you want to continue?" 0 80) then
if ! update_checksums ; then if ! update_checksums ; then
@ -151,7 +151,7 @@ prompt_update_checksums()
generate_totp_hotp() generate_totp_hotp()
{ {
TRACE "Under /bin/gui-init:generate_totp_hotp" TRACE_FUNC
tpm_owner_password="$1" # May be empty, will prompt if needed and empty tpm_owner_password="$1" # May be empty, will prompt if needed and empty
if [ "$CONFIG_TPM" != "y" ] && [ -x /bin/hotp_verification ]; then if [ "$CONFIG_TPM" != "y" ] && [ -x /bin/hotp_verification ]; then
echo "Generating new HOTP secret" echo "Generating new HOTP secret"
@ -180,7 +180,7 @@ generate_totp_hotp()
update_totp() update_totp()
{ {
TRACE "Under /bin/gui-init:update_totp" TRACE_FUNC
# update the TOTP code # update the TOTP code
date=`date "+%Y-%m-%d %H:%M:%S %Z"` date=`date "+%Y-%m-%d %H:%M:%S %Z"`
tries=0 tries=0
@ -249,7 +249,7 @@ update_totp()
update_hotp() update_hotp()
{ {
TRACE "Under /bin/gui-init:update_hotp" TRACE_FUNC
if [ -x /bin/hotp_verification ]; then if [ -x /bin/hotp_verification ]; then
HOTP=`unseal-hotp` HOTP=`unseal-hotp`
if ! hotp_verification info ; then if ! hotp_verification info ; then
@ -313,7 +313,7 @@ update_hotp()
clean_boot_check() clean_boot_check()
{ {
TRACE "Under /bin/gui-init:clean_boot_check" TRACE_FUNC
# assume /boot mounted # assume /boot mounted
if ! grep -q /boot /proc/mounts ; then if ! grep -q /boot /proc/mounts ; then
return return
@ -342,7 +342,7 @@ clean_boot_check()
check_gpg_key() check_gpg_key()
{ {
TRACE "Under /bin/gui-init:check_gpg_key" TRACE_FUNC
GPG_KEY_COUNT=`gpg -k 2>/dev/null | wc -l` GPG_KEY_COUNT=`gpg -k 2>/dev/null | wc -l`
if [ $GPG_KEY_COUNT -eq 0 ]; then if [ $GPG_KEY_COUNT -eq 0 ]; then
BG_COLOR_MAIN_MENU=$BG_COLOR_ERROR BG_COLOR_MAIN_MENU=$BG_COLOR_ERROR
@ -379,7 +379,7 @@ check_gpg_key()
prompt_auto_default_boot() prompt_auto_default_boot()
{ {
TRACE "Under /bin/gui-init:prompt_auto_default_boot" TRACE_FUNC
echo -e "\nHOTP verification success\n\n" echo -e "\nHOTP verification success\n\n"
if pause_automatic_boot; then if pause_automatic_boot; then
echo -e "\n\nAttempting default boot...\n\n" echo -e "\n\nAttempting default boot...\n\n"
@ -389,7 +389,7 @@ prompt_auto_default_boot()
show_main_menu() show_main_menu()
{ {
TRACE "Under /bin/gui-init:show_main_menu" TRACE_FUNC
date=`date "+%Y-%m-%d %H:%M:%S %Z"` date=`date "+%Y-%m-%d %H:%M:%S %Z"`
whiptail $BG_COLOR_MAIN_MENU --title "$MAIN_MENU_TITLE" \ whiptail $BG_COLOR_MAIN_MENU --title "$MAIN_MENU_TITLE" \
--menu "$date\nTOTP: $TOTP | HOTP: $HOTP" 0 80 10 \ --menu "$date\nTOTP: $TOTP | HOTP: $HOTP" 0 80 10 \
@ -422,7 +422,7 @@ show_main_menu()
show_options_menu() show_options_menu()
{ {
TRACE "Under /bin/gui-init:show_options_menu" TRACE_FUNC
whiptail $BG_COLOR_MAIN_MENU --title "$CONFIG_BRAND_NAME Options" \ whiptail $BG_COLOR_MAIN_MENU --title "$CONFIG_BRAND_NAME Options" \
--menu "" 0 80 10 \ --menu "" 0 80 10 \
'b' ' Boot Options -->' \ 'b' ' Boot Options -->' \
@ -483,7 +483,7 @@ show_options_menu()
show_boot_options_menu() show_boot_options_menu()
{ {
TRACE "Under /bin/gui-init:show_boot_options_menu" TRACE_FUNC
whiptail $BG_COLOR_MAIN_MENU --title "Boot Options" \ whiptail $BG_COLOR_MAIN_MENU --title "Boot Options" \
--menu "Select A Boot Option" 0 80 10 \ --menu "Select A Boot Option" 0 80 10 \
'm' ' Show OS boot menu' \ 'm' ' Show OS boot menu' \
@ -511,7 +511,7 @@ show_boot_options_menu()
show_tpm_totp_hotp_options_menu() show_tpm_totp_hotp_options_menu()
{ {
TRACE "Under /bin/gui-init:show_tpm_totp_hotp_options_menu" TRACE_FUNC
whiptail $BG_COLOR_MAIN_MENU --title "TPM/TOTP/HOTP Options" \ whiptail $BG_COLOR_MAIN_MENU --title "TPM/TOTP/HOTP Options" \
--menu "Select An Option" 0 80 10 \ --menu "Select An Option" 0 80 10 \
'g' ' Generate new TOTP/HOTP secret' \ 'g' ' Generate new TOTP/HOTP secret' \
@ -538,7 +538,7 @@ show_tpm_totp_hotp_options_menu()
prompt_totp_mismatch() prompt_totp_mismatch()
{ {
TRACE "Under /bin/gui-init:prompt_totp_mismatch" TRACE_FUNC
if (whiptail $BG_COLOR_WARNING --title "TOTP/HOTP code mismatched" \ if (whiptail $BG_COLOR_WARNING --title "TOTP/HOTP code mismatched" \
--yesno "TOTP/HOTP code mismatches could indicate either TPM tampering or clock drift:\n\nTo correct clock drift: 'date -s yyyy-MM-DD hh:mm:ss' in UTC timezone\nand save it to the RTC: 'hwclock -w'\nthen reboot and try again.\n\nWould you like to exit to a recovery console?" 0 80) then --yesno "TOTP/HOTP code mismatches could indicate either TPM tampering or clock drift:\n\nTo correct clock drift: 'date -s yyyy-MM-DD hh:mm:ss' in UTC timezone\nand save it to the RTC: 'hwclock -w'\nthen reboot and try again.\n\nWould you like to exit to a recovery console?" 0 80) then
echo "" echo ""
@ -555,7 +555,7 @@ prompt_totp_mismatch()
reset_tpm() reset_tpm()
{ {
TRACE "Under /bin/gui-init:reset_tpm" TRACE_FUNC
if [ "$CONFIG_TPM" = "y" ]; then if [ "$CONFIG_TPM" = "y" ]; then
if (whiptail $BG_COLOR_WARNING --title 'Reset the TPM' \ if (whiptail $BG_COLOR_WARNING --title 'Reset the TPM' \
--yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 0 80) then --yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 0 80) then
@ -599,7 +599,7 @@ reset_tpm()
select_os_boot_option() select_os_boot_option()
{ {
TRACE "Under /bin/gui-init:select_os_boot_option" TRACE_FUNC
mount_boot mount_boot
if verify_global_hashes ; then if verify_global_hashes ; then
kexec-select-boot -m -b /boot -c "grub.cfg" -g kexec-select-boot -m -b /boot -c "grub.cfg" -g
@ -608,7 +608,7 @@ select_os_boot_option()
attempt_default_boot() attempt_default_boot()
{ {
TRACE "Under /bin/gui-init:attempt_default_boot" TRACE_FUNC
mount_boot mount_boot
if ! verify_global_hashes; then if ! verify_global_hashes; then
@ -626,7 +626,7 @@ attempt_default_boot()
force_unsafe_boot() force_unsafe_boot()
{ {
TRACE "Under /bin/gui-init:force_unsafe_boot" TRACE_FUNC
if [ "$CONFIG_RESTRICTED_BOOT" = y ]; then if [ "$CONFIG_RESTRICTED_BOOT" = y ]; then
whiptail $BG_COLOR_ERROR --title 'ERROR: Restricted Boot Enabled' --msgbox "Restricted Boot is Enabled, forced boot not allowed.\n\nPress OK to return to the Main Menu" 0 80 whiptail $BG_COLOR_ERROR --title 'ERROR: Restricted Boot Enabled' --msgbox "Restricted Boot is Enabled, forced boot not allowed.\n\nPress OK to return to the Main Menu" 0 80
return return
@ -639,7 +639,7 @@ force_unsafe_boot()
} }
# gui-init start # gui-init start
TRACE "Under /bin/gui-init, start" TRACE_FUNC
# Use stored HOTP key branding # Use stored HOTP key branding
if [ -r /boot/kexec_hotp_key ]; then if [ -r /boot/kexec_hotp_key ]; then
@ -673,7 +673,7 @@ if [ "$HOTP" = "Success" -a -n "$CONFIG_AUTO_BOOT_TIMEOUT" ]; then
fi fi
while true; do while true; do
TRACE "Under gui-init:while true loop" TRACE_FUNC
skip_to_menu="false" skip_to_menu="false"
show_main_menu show_main_menu
done done

18
initrd/bin/gui-init-basic
View File

@ -17,7 +17,7 @@ skip_to_menu="false"
mount_boot() mount_boot()
{ {
TRACE "Under /bin/gui-init:mount_boot" TRACE_FUNC
# Mount local disk if it is not already mounted # Mount local disk if it is not already mounted
while ! grep -q /boot /proc/mounts ; do while ! grep -q /boot /proc/mounts ; do
# try to mount if CONFIG_BOOT_DEV exists # try to mount if CONFIG_BOOT_DEV exists
@ -63,7 +63,7 @@ mount_boot()
prompt_auto_default_boot() prompt_auto_default_boot()
{ {
TRACE "Under /bin/gui-init:prompt_auto_default_boot" TRACE_FUNC
echo -e "\n\n" echo -e "\n\n"
if pause_automatic_boot; then if pause_automatic_boot; then
echo -e "\n\nAttempting default boot...\n\n" echo -e "\n\nAttempting default boot...\n\n"
@ -73,7 +73,7 @@ prompt_auto_default_boot()
show_main_menu() show_main_menu()
{ {
TRACE "Under /bin/gui-init:show_main_menu" TRACE_FUNC
date=`date "+%Y-%m-%d %H:%M:%S %Z"` date=`date "+%Y-%m-%d %H:%M:%S %Z"`
whiptail $BG_COLOR_MAIN_MENU --title "$MAIN_MENU_TITLE" \ whiptail $BG_COLOR_MAIN_MENU --title "$MAIN_MENU_TITLE" \
--menu "$date" 0 80 10 \ --menu "$date" 0 80 10 \
@ -102,7 +102,7 @@ show_main_menu()
show_options_menu() show_options_menu()
{ {
TRACE "Under /bin/gui-init:show_options_menu" TRACE_FUNC
whiptail $BG_COLOR_MAIN_MENU --title "$CONFIG_BRAND_NAME Basic Options" \ whiptail $BG_COLOR_MAIN_MENU --title "$CONFIG_BRAND_NAME Basic Options" \
--menu "" 0 80 10 \ --menu "" 0 80 10 \
'b' ' Boot Options -->' \ 'b' ' Boot Options -->' \
@ -133,7 +133,7 @@ show_options_menu()
show_boot_options_menu() show_boot_options_menu()
{ {
TRACE "Under /bin/gui-init:show_boot_options_menu" TRACE_FUNC
whiptail $BG_COLOR_MAIN_MENU --title "Boot Options" \ whiptail $BG_COLOR_MAIN_MENU --title "Boot Options" \
--menu "Select A Boot Option" 0 80 10 \ --menu "Select A Boot Option" 0 80 10 \
'm' ' Show OS boot menu' \ 'm' ' Show OS boot menu' \
@ -157,14 +157,14 @@ show_boot_options_menu()
select_os_boot_option() select_os_boot_option()
{ {
TRACE "Under /bin/gui-init:select_os_boot_option" TRACE_FUNC
mount_boot mount_boot
kexec-select-boot -m -b /boot -c "grub.cfg" -g -i kexec-select-boot -m -b /boot -c "grub.cfg" -g -i
} }
attempt_default_boot() attempt_default_boot()
{ {
TRACE "Under /bin/gui-init:attempt_default_boot" TRACE_FUNC
mount_boot mount_boot
DEFAULT_FILE=`find /boot/kexec_default.*.txt 2>/dev/null | head -1` DEFAULT_FILE=`find /boot/kexec_default.*.txt 2>/dev/null | head -1`
@ -183,7 +183,7 @@ attempt_default_boot()
} }
# gui-init-basic start # gui-init-basic start
TRACE "Under /bin/gui-init, start" TRACE_FUNC
# USB automatic boot (if configured) occurs before mounting /boot, this should # USB automatic boot (if configured) occurs before mounting /boot, this should
# work even if no OS is installed # work even if no OS is installed
@ -204,7 +204,7 @@ if [ "$skip_to_menu" != "true" -a -n "$CONFIG_AUTO_BOOT_TIMEOUT" ]; then
fi fi
while true; do while true; do
TRACE "Under gui-init:while true loop" TRACE_FUNC
skip_to_menu="false" skip_to_menu="false"
show_main_menu show_main_menu
done done

2
initrd/bin/kexec-boot
View File

@ -4,7 +4,7 @@ set -e -o pipefail
. /tmp/config . /tmp/config
. /etc/functions . /etc/functions
TRACE "Under /bin/kexec-boot" TRACE_FUNC
dryrun="n" dryrun="n"
printfiles="n" printfiles="n"

2
initrd/bin/kexec-insert-key
View File

@ -3,7 +3,7 @@
set -e -o pipefail set -e -o pipefail
. /etc/functions . /etc/functions
TRACE "Under /bin/kexec-insert-key" TRACE_FUNC
TMP_KEY_DEVICES="/tmp/kexec/kexec_key_devices.txt" TMP_KEY_DEVICES="/tmp/kexec/kexec_key_devices.txt"
TMP_KEY_LVM="/tmp/kexec/kexec_key_lvm.txt" TMP_KEY_LVM="/tmp/kexec/kexec_key_lvm.txt"

2
initrd/bin/kexec-iso-init
View File

@ -4,7 +4,7 @@ set -e -o pipefail
. /etc/functions . /etc/functions
. /tmp/config . /tmp/config
TRACE "Under /bin/kexec-iso-init" TRACE_FUNC
MOUNTED_ISO_PATH="$1" MOUNTED_ISO_PATH="$1"
ISO_PATH="$2" ISO_PATH="$2"

2
initrd/bin/kexec-parse-bls
View File

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
set -e -o pipefail set -e -o pipefail
. /etc/functions . /etc/functions
TRACE "Under /bin/kexec-parse-bls" TRACE_FUNC
bootdir="$1" bootdir="$1"
file="$2" file="$2"

2
initrd/bin/kexec-parse-boot
View File

@ -2,7 +2,7 @@
set -e -o pipefail set -e -o pipefail
. /etc/functions . /etc/functions
TRACE "Under /bin/kexec-parse-boot" TRACE_FUNC
bootdir="$1" bootdir="$1"
file="$2" file="$2"

4
initrd/bin/kexec-save-default
View File

@ -4,7 +4,7 @@ set -e -o pipefail
. /tmp/config . /tmp/config
. /etc/functions . /etc/functions
TRACE "Under /bin/kexec-save-default" TRACE_FUNC
while getopts "b:d:p:i:" arg; do while getopts "b:d:p:i:" arg; do
case $arg in case $arg in
@ -71,7 +71,7 @@ fi
#Reusable function when user wants to define new TPM DUK for lvms/disks #Reusable function when user wants to define new TPM DUK for lvms/disks
prompt_for_existing_encrypted_lvms_or_disks() { prompt_for_existing_encrypted_lvms_or_disks() {
TRACE "Under kexec-save-default:prompt_for_existing_encrypted_lvms_or_disks" TRACE_FUNC
DEBUG "num_lvm: $num_lvm, lvm_suggest: $lvm_suggest, num_devices: $num_devices, devices_suggest: $devices_suggest" DEBUG "num_lvm: $num_lvm, lvm_suggest: $lvm_suggest, num_devices: $num_devices, devices_suggest: $devices_suggest"
# Create an associative array to store the suggested LVMs and their paths # Create an associative array to store the suggested LVMs and their paths

2
initrd/bin/kexec-save-key
View File

@ -3,7 +3,7 @@
. /etc/functions . /etc/functions
TRACE "kexec-save-key: start" TRACE_FUNC
set -e -o pipefail set -e -o pipefail
. /etc/functions . /etc/functions

2
initrd/bin/kexec-seal-key
View File

@ -14,7 +14,7 @@ RECOVERY_KEY="/tmp/secret/recovery.key"
. /etc/functions . /etc/functions
. /tmp/config . /tmp/config
TRACE "Under kexec-seal-key" TRACE_FUNC
paramsdir=$1 paramsdir=$1
if [ -z "$paramsdir" ]; then if [ -z "$paramsdir" ]; then

2
initrd/bin/kexec-select-boot
View File

@ -4,7 +4,7 @@ set -e -o pipefail
. /tmp/config . /tmp/config
. /etc/functions . /etc/functions
TRACE "Under /bin/kexec-select-boot" TRACE_FUNC
add="" add=""
remove="" remove=""

2
initrd/bin/kexec-sign-config
View File

@ -4,7 +4,7 @@ set -e -o pipefail
. /tmp/config . /tmp/config
. /etc/functions . /etc/functions
TRACE "Under /bin/kexec-sign-config" TRACE_FUNC
rollback="n" rollback="n"
update="n" update="n"

2
initrd/bin/kexec-unseal-key
View File

@ -10,7 +10,7 @@ TPM_SIZE=312
. /etc/functions . /etc/functions
TRACE "Under kexec-unseal-key" TRACE_FUNC
mkdir -p /tmp/secret mkdir -p /tmp/secret

2
initrd/bin/key-init
View File

@ -2,7 +2,7 @@
set -e -o pipefail set -e -o pipefail
. /etc/functions . /etc/functions
TRACE "Under /bin/key-init" TRACE_FUNC
# Post processing of keys # Post processing of keys

23
initrd/bin/lock_chip
View File

@ -15,7 +15,28 @@ if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]; then
fi fi
if [ -n "$APM_CNT" -a -n "$FIN_CODE" ]; then if [ -n "$APM_CNT" -a -n "$FIN_CODE" ]; then
echo "Finalizing chipset" # SMI PR0 lockdown is implemented by Intel as part of the SMM Supervisor feature.
# SMM Supervisor is a software component that runs in SMM and acts as a gatekeeper
# for SMM access.
#
# It uses the processors memory protection and paging mechanisms to restrict what
# SMM code can read and write. SMM Supervisor marks critical pages, such as its
# own code, data, and page tables, as supervisor pages, which are only accessible
# from the most privileged level (CPL0).
#
# It also marks the rest of the SMM memory as user pages, which are accessible
# from any privilege level.
#
# This way, SMM Supervisor can isolate itself from other SMM code and enforce a policy
# that states what resources the SMI handlers (the interrupt handlers that run in SMM)
# require access to.
#
# SMI PR0 lockdown is enabled by setting a lock bit (FLOCKDN) in the SPI controller,
# which prevents further changes to the SMM memory and configuration.
# Once SMI PR0 lockdown is enabled, it cannot be disabled until the next system reset.
# This ensures that malicious code cannot tamper with the SMM Supervisor or the SMI handlers
# after the system boots.
echo "Finalizing chipset Write Protection through SMI PR0 lockdown call"
io386 -o b -b x $APM_CNT $FIN_CODE io386 -o b -b x $APM_CNT $FIN_CODE
else else
echo "NOT Finalizing chipset" echo "NOT Finalizing chipset"

2
initrd/bin/media-scan
View File

@ -5,7 +5,7 @@ set -e -o pipefail
. /etc/gui_functions . /etc/gui_functions
. /tmp/config . /tmp/config
TRACE "Under /bin/media-scan" TRACE_FUNC
#Booting from external media should be authenticated if supported #Booting from external media should be authenticated if supported
gpg_auth || die "GPG authentication failed" gpg_auth || die "GPG authentication failed"

2
initrd/bin/mount-usb
View File

@ -3,7 +3,7 @@
. /etc/functions . /etc/functions
. /etc/luks-functions . /etc/luks-functions
TRACE "Under /bin/mount-usb" TRACE_FUNC
function usage() { function usage() {
cat <<USAGE_END cat <<USAGE_END

2
initrd/bin/network-init-recovery
View File

@ -2,7 +2,7 @@
. /etc/functions . /etc/functions
TRACE "Under /bin/network-init-recovery" TRACE_FUNC
# bring up the ethernet; maybe should do DHCP? # bring up the ethernet; maybe should do DHCP?
ifconfig lo 127.0.0.1 ifconfig lo 127.0.0.1

54
initrd/bin/oem-factory-reset
View File

@ -8,7 +8,7 @@ set -o pipefail
. /etc/luks-functions . /etc/luks-functions
. /tmp/config . /tmp/config
TRACE "Under /bin/oem-factory-reset" TRACE_FUNC
# use TERM to exit on error # use TERM to exit on error
trap "exit 1" TERM trap "exit 1" TERM
@ -74,7 +74,7 @@ whiptail_error_die() {
} }
mount_boot() { mount_boot() {
TRACE "Under oem-factory-reset:mount_boot" TRACE_FUNC
# Mount local disk if it is not already mounted. # Mount local disk if it is not already mounted.
# Added so that 'o' can be typed early at boot to enter directly into OEM Factory Reset # Added so that 'o' can be typed early at boot to enter directly into OEM Factory Reset
if ! grep -q /boot /proc/mounts; then if ! grep -q /boot /proc/mounts; then
@ -89,7 +89,7 @@ mount_boot() {
#This key will be used to sign 3 subkeys: encryption, authentication and signing #This key will be used to sign 3 subkeys: encryption, authentication and signing
#The master key and subkeys will be copied to backup, and the subkeys moved from memory keyring to the smartcard #The master key and subkeys will be copied to backup, and the subkeys moved from memory keyring to the smartcard
generate_inmemory_RSA_master_and_subkeys() { generate_inmemory_RSA_master_and_subkeys() {
TRACE "Under oem-factory-reset:generate_inmemory_RSA_master_and_subkeys" TRACE_FUNC
echo "Generating GPG key material in memory:" echo "Generating GPG key material in memory:"
echo "Generating GPG RSA ${RSA_KEY_LENGTH} bits master key..." echo "Generating GPG RSA ${RSA_KEY_LENGTH} bits master key..."
@ -187,7 +187,7 @@ generate_inmemory_RSA_master_and_subkeys() {
#This key will be used to sign 3 subkeys: encryption, authentication and signing #This key will be used to sign 3 subkeys: encryption, authentication and signing
#The master key and subkeys will be copied to backup, and the subkeys moved from memory keyring to the smartcard #The master key and subkeys will be copied to backup, and the subkeys moved from memory keyring to the smartcard
generate_inmemory_p256_master_and_subkeys() { generate_inmemory_p256_master_and_subkeys() {
TRACE "Under oem-factory-reset:generate_inmemory_p256_master_and_subkeys" TRACE_FUNC
echo "Generating GPG p256 bits master key..." echo "Generating GPG p256 bits master key..."
{ {
@ -266,7 +266,7 @@ generate_inmemory_p256_master_and_subkeys() {
# The master key was already used to sign the subkeys, so it is not needed anymore # The master key was already used to sign the subkeys, so it is not needed anymore
# Delete the master key from the keyring once key to card is done (already backed up on LUKS private partition) # Delete the master key from the keyring once key to card is done (already backed up on LUKS private partition)
keytocard_subkeys_to_smartcard() { keytocard_subkeys_to_smartcard() {
TRACE "Under oem-factory-reset:keytocard_subkeys_to_smartcard" TRACE_FUNC
#make sure usb ready and USB Security Dongle ready to communicate with #make sure usb ready and USB Security Dongle ready to communicate with
enable_usb enable_usb
@ -304,12 +304,12 @@ keytocard_subkeys_to_smartcard() {
whiptail_error_die "GPG Key moving subkeys to smartcard failed!\n\n$ERROR" whiptail_error_die "GPG Key moving subkeys to smartcard failed!\n\n$ERROR"
fi fi
TRACE "oem-factory-reset:keytocard_subkeys_to_smartcard done" TRACE_FUNC
} }
#Whiptail prompt to insert to be wiped thumb drive #Whiptail prompt to insert to be wiped thumb drive
prompt_insert_to_be_wiped_thumb_drive() { prompt_insert_to_be_wiped_thumb_drive() {
TRACE "Under oem-factory-reset:prompt_insert_to_be_wiped_thumb_drive" TRACE_FUNC
#Whiptail warning about having only desired to be wiped thumb drive inserted #Whiptail warning about having only desired to be wiped thumb drive inserted
whiptail $BG_COLOR_WARNING --title 'WARNING: Please insert the thumb drive to be wiped' \ whiptail $BG_COLOR_WARNING --title 'WARNING: Please insert the thumb drive to be wiped' \
--msgbox "The thumb drive will be WIPED next.\n\nPlease connect only the thumb drive to be wiped and disconnect others." 0 80 || --msgbox "The thumb drive will be WIPED next.\n\nPlease connect only the thumb drive to be wiped and disconnect others." 0 80 ||
@ -318,7 +318,7 @@ prompt_insert_to_be_wiped_thumb_drive() {
#export master key and subkeys to thumbdrive's private LUKS contained partition #export master key and subkeys to thumbdrive's private LUKS contained partition
export_master_key_subkeys_and_revocation_key_to_private_LUKS_container() { export_master_key_subkeys_and_revocation_key_to_private_LUKS_container() {
TRACE "Under oem-factory-reset:export_master_key_subkeys_and_revocation_key_to_private_LUKS_container" TRACE_FUNC
#Sanity check on passed arguments #Sanity check on passed arguments
while [ $# -gt 0 ]; do while [ $# -gt 0 ]; do
@ -363,12 +363,12 @@ export_master_key_subkeys_and_revocation_key_to_private_LUKS_container() {
#Unmount private LUKS container's mount point #Unmount private LUKS container's mount point
umount "$mountpoint" || die "Error unmounting private LUKS container's mount point" umount "$mountpoint" || die "Error unmounting private LUKS container's mount point"
TRACE "oem-factory-reset:export_master_key_subkeys_and_revocation_key_to_private_LUKS_container done" TRACE_FUNC
} }
#Export public key to thumb drive's public partition #Export public key to thumb drive's public partition
export_public_key_to_thumbdrive_public_partition() { export_public_key_to_thumbdrive_public_partition() {
TRACE "Under oem-factory-reset:export_public_key_to_thumbdrive_public_partition" TRACE_FUNC
#Sanity check on passed arguments #Sanity check on passed arguments
while [ $# -gt 0 ]; do while [ $# -gt 0 ]; do
@ -399,7 +399,7 @@ export_public_key_to_thumbdrive_public_partition() {
gpg --export --armor "${GPG_USER_MAIL}" >"$mountpoint"/pubkey.asc || die "Error exporting public key to thumb drive's public partition" gpg --export --armor "${GPG_USER_MAIL}" >"$mountpoint"/pubkey.asc || die "Error exporting public key to thumb drive's public partition"
umount "$mountpoint" || die "Error unmounting thumb drive's public partition" umount "$mountpoint" || die "Error unmounting thumb drive's public partition"
TRACE "oem-factory-reset:export_public_key_to_thumbdrive_public_partition done" TRACE_FUNC
} }
# Select thumb drive and LUKS container size for GPG key export # Select thumb drive and LUKS container size for GPG key export
@ -407,7 +407,7 @@ export_public_key_to_thumbdrive_public_partition() {
# - thumb_drive # - thumb_drive
# - thumb_drive_luks_percent # - thumb_drive_luks_percent
select_thumb_drive_for_key_material() { select_thumb_drive_for_key_material() {
TRACE "Under oem-factory-reset:wipe_thumb_drive_and_copy_gpg_key_material" TRACE_FUNC
#enable usb storage #enable usb storage
enable_usb enable_usb
@ -459,7 +459,7 @@ select_thumb_drive_for_key_material() {
# $1 - thumb drive block device # $1 - thumb drive block device
# $2 - LUKS container percentage [1-99] # $2 - LUKS container percentage [1-99]
wipe_thumb_drive_and_copy_gpg_key_material() { wipe_thumb_drive_and_copy_gpg_key_material() {
TRACE "Under oem-factory-reset:wipe_thumb_drive_and_copy_gpg_key_material" TRACE_FUNC
local thumb_drive thumb_drive_luks_percent local thumb_drive thumb_drive_luks_percent
thumb_drive="$1" thumb_drive="$1"
@ -472,11 +472,11 @@ wipe_thumb_drive_and_copy_gpg_key_material() {
#Export public key to thumb drive's public partition #Export public key to thumb drive's public partition
export_public_key_to_thumbdrive_public_partition --mode rw --device "$thumb_drive"2 --mountpoint /media export_public_key_to_thumbdrive_public_partition --mode rw --device "$thumb_drive"2 --mountpoint /media
TRACE "Under oem-factory-reset:wipe_thumb_drive_and_copy_gpg_key_material done" TRACE_FUNC
} }
gpg_key_factory_reset() { gpg_key_factory_reset() {
TRACE "Under oem-factory-reset:gpg_key_factory_reset" TRACE_FUNC
#enable usb storage #enable usb storage
enable_usb enable_usb
@ -560,11 +560,11 @@ gpg_key_factory_reset() {
whiptail_error_die "Unknown GPG_ALGO: $GPG_ALGO" whiptail_error_die "Unknown GPG_ALGO: $GPG_ALGO"
fi fi
TRACE "oem-factory-reset:gpg_key_factory_reset done" TRACE_FUNC
} }
generate_OEM_gpg_keys() { generate_OEM_gpg_keys() {
TRACE "Under oem-factory-reset:generate_OEM_gpg_keys" TRACE_FUNC
#This function simply generates subkeys in smartcard following smarcard config from gpg_key_factory_reset #This function simply generates subkeys in smartcard following smarcard config from gpg_key_factory_reset
echo "Generating GPG keys in USB Security Dongle's smartcard..." echo "Generating GPG keys in USB Security Dongle's smartcard..."
@ -586,11 +586,11 @@ generate_OEM_gpg_keys() {
whiptail_error_die "GPG Key automatic keygen failed!\n\n$ERROR" whiptail_error_die "GPG Key automatic keygen failed!\n\n$ERROR"
fi fi
TRACE "oem-factory-reset:generate_OEM_gpg_keys done" TRACE_FUNC
} }
gpg_key_change_pin() { gpg_key_change_pin() {
TRACE "Under oem-factory-reset:gpg_key_change_pin" TRACE_FUNC
DEBUG "Changing GPG key PIN" DEBUG "Changing GPG key PIN"
# 1 = user PIN, 3 = admin PIN # 1 = user PIN, 3 = admin PIN
PIN_TYPE=$1 PIN_TYPE=$1
@ -613,11 +613,11 @@ gpg_key_change_pin() {
whiptail_error_die "GPG Key PIN change failed!\n\n$ERROR" whiptail_error_die "GPG Key PIN change failed!\n\n$ERROR"
fi fi
TRACE "oem-factory-reset:gpg_key_change_pin done" TRACE_FUNC
} }
generate_checksums() { generate_checksums() {
TRACE "Under oem-factory-reset:generate_checksums" TRACE_FUNC
# ensure /boot mounted # ensure /boot mounted
if ! grep -q /boot /proc/mounts; then if ! grep -q /boot /proc/mounts; then
@ -711,11 +711,11 @@ generate_checksums() {
whiptail_error_die "Error signing kexec boot files:\n\n$ERROR" whiptail_error_die "Error signing kexec boot files:\n\n$ERROR"
fi fi
TRACE "oem-factory-reset:generate_checksums done" TRACE_FUNC
} }
set_default_boot_option() { set_default_boot_option() {
TRACE "Under oem-factory-reset:set_default_boot_option" TRACE_FUNC
option_file="/tmp/kexec_options.txt" option_file="/tmp/kexec_options.txt"
tmp_menu_file="/tmp/kexec/kexec_menu.txt" tmp_menu_file="/tmp/kexec/kexec_menu.txt"
@ -758,11 +758,11 @@ set_default_boot_option() {
xargs sha256sum >$hash_file 2>/dev/null) || xargs sha256sum >$hash_file 2>/dev/null) ||
whiptail_error_die "Failed to create hashes of boot files" whiptail_error_die "Failed to create hashes of boot files"
TRACE "oem-factory-reset:set_default_boot_option done" TRACE_FUNC
} }
report_integrity_measurements() { report_integrity_measurements() {
TRACE "Under oem-factory-reset:report_integrity_measurements" TRACE_FUNC
#check for GPG key in keyring #check for GPG key in keyring
GPG_KEY_COUNT=$(gpg -k 2>/dev/null | wc -l) GPG_KEY_COUNT=$(gpg -k 2>/dev/null | wc -l)
@ -818,11 +818,11 @@ report_integrity_measurements() {
whiptail $MAIN_MENU_BG_COLOR --title "Measured Integrity Report" --msgbox "$date\nTOTP: $TOTP | HOTP: $HOTP\n/BOOT INTEGRITY: $HASH\n\nPress OK to continue or Ctrl+Alt+Delete to reboot" 0 80 whiptail $MAIN_MENU_BG_COLOR --title "Measured Integrity Report" --msgbox "$date\nTOTP: $TOTP | HOTP: $HOTP\n/BOOT INTEGRITY: $HASH\n\nPress OK to continue or Ctrl+Alt+Delete to reboot" 0 80
fi fi
TRACE "oem-factory-reset:report_integrity_measurements done" TRACE_FUNC
} }
usb_security_token_capabilities_check() { usb_security_token_capabilities_check() {
TRACE "Under /bin/oem-factory-reset:usb_security_token_capabilities_check" TRACE_FUNC
enable_usb enable_usb
# ... first set board config preference # ... first set board config preference

2
initrd/bin/oem-system-info-xx30
View File

@ -9,7 +9,7 @@ export BG_COLOR_MAIN_MENU=""
. /etc/luks-functions . /etc/luks-functions
. /tmp/config . /tmp/config
TRACE "Under /bin/oem-system-info-xx30" TRACE_FUNC
battery_charge="$(print_battery_charge)" battery_charge="$(print_battery_charge)"
battery_health="$(print_battery_health)" battery_health="$(print_battery_health)"

2
initrd/bin/qubes-measure-luks
View File

@ -3,7 +3,7 @@
# a PCR so that we can detect disk swap attacks. # a PCR so that we can detect disk swap attacks.
. /etc/functions . /etc/functions
TRACE "Under /bin/qubes-measure-luks" TRACE_FUNC
DEBUG "Arguments passed to qubes-measure-luks: $@" DEBUG "Arguments passed to qubes-measure-luks: $@"
# Measure the LUKS headers into PCR 6 # Measure the LUKS headers into PCR 6

4
initrd/bin/seal-hotpkey
View File

@ -9,7 +9,7 @@ HOTP_KEY="/boot/kexec_hotp_key"
mount_boot() mount_boot()
{ {
TRACE "Under /bin/seal-hotpkey:mount_boot" TRACE_FUNC
# Mount local disk if it is not already mounted # Mount local disk if it is not already mounted
if ! grep -q /boot /proc/mounts; then if ! grep -q /boot /proc/mounts; then
if ! mount -o ro /boot; then if ! mount -o ro /boot; then
@ -20,7 +20,7 @@ mount_boot()
fi fi
} }
TRACE "Under /bin/seal-hotpkey" TRACE_FUNC
fatal_error() fatal_error()
{ {

2
initrd/bin/seal-totp
View File

@ -7,7 +7,7 @@
. /etc/functions . /etc/functions
TRACE "Under /bin/seal-totp" TRACE_FUNC
TPM_NVRAM_SPACE=4d47 TPM_NVRAM_SPACE=4d47

2
initrd/bin/setconsolefont.sh
View File

@ -3,7 +3,7 @@
set -eo pipefail set -eo pipefail
. /etc/functions . /etc/functions
TRACE "Under /bin/setconsolefont.sh" TRACE_FUNC
# If the board ships setfont, and the console size is >=1600 lines tall, # If the board ships setfont, and the console size is >=1600 lines tall,
# increase the console font size. # increase the console font size.

40
initrd/bin/tpmr
View File

@ -29,7 +29,7 @@ else
. /etc/config . /etc/config
fi fi
TRACE "Under /bin/tpmr" TRACE_FUNC
# Busybox xxd lacks -r, and we get hex dumps from TPM1 commands. This converts # Busybox xxd lacks -r, and we get hex dumps from TPM1 commands. This converts
# a hex dump to binary data using sed and printf # a hex dump to binary data using sed and printf
@ -50,7 +50,7 @@ tpm2_password_hex() {
# Reads PCR binary data and writes to file. # Reads PCR binary data and writes to file.
# -a: Append to file. Default is to overwrite. # -a: Append to file. Default is to overwrite.
tpm2_pcrread() { tpm2_pcrread() {
TRACE "Under /bin/tpmr:tpm2_pcrread" TRACE_FUNC
if [ "$1" = "-a" ]; then if [ "$1" = "-a" ]; then
APPEND=y APPEND=y
shift shift
@ -68,7 +68,7 @@ tpm2_pcrread() {
DO_WITH_DEBUG tpm2 pcrread -Q -o >(cat >>"$file") "sha256:$index" DO_WITH_DEBUG tpm2 pcrread -Q -o >(cat >>"$file") "sha256:$index"
} }
tpm1_pcrread() { tpm1_pcrread() {
TRACE "Under /bin/tpmr:tpm1_pcrread" TRACE_FUNC
if [ "$1" = "-a" ]; then if [ "$1" = "-a" ]; then
APPEND=y APPEND=y
shift shift
@ -193,7 +193,7 @@ $0 ~ pcr {
# hashes and/or files extended to given PCR after firmware. Resulting PCR value # hashes and/or files extended to given PCR after firmware. Resulting PCR value
# is returned in binary form. # is returned in binary form.
replay_pcr() { replay_pcr() {
TRACE "Under /bin/tpmr:replay_pcr" TRACE_FUNC
if [ -z "$2" ]; then if [ -z "$2" ]; then
echo >&2 "No PCR number passed" echo >&2 "No PCR number passed"
return return
@ -229,7 +229,7 @@ replay_pcr() {
} }
tpm2_extend() { tpm2_extend() {
TRACE "Under /bin/tpmr:tpm2_extend" TRACE_FUNC
while true; do while true; do
case "$1" in case "$1" in
-ix) -ix)
@ -254,7 +254,7 @@ tpm2_extend() {
} }
tpm2_counter_read() { tpm2_counter_read() {
TRACE "Under /bin/tpmr:tpm2_counter_read" TRACE_FUNC
while true; do while true; do
case "$1" in case "$1" in
-ix) -ix)
@ -270,7 +270,7 @@ tpm2_counter_read() {
} }
tpm2_counter_inc() { tpm2_counter_inc() {
TRACE "Under /bin/tpmr:tpm2_counter_inc" TRACE_FUNC
while true; do while true; do
case "$1" in case "$1" in
-ix) -ix)
@ -291,7 +291,7 @@ tpm2_counter_inc() {
} }
tpm1_counter_create() { tpm1_counter_create() {
TRACE "Under /bin/tpmr:tpm1_counter_create" TRACE_FUNC
# tpmr handles the TPM owner password (from cache or prompt), but all # tpmr handles the TPM owner password (from cache or prompt), but all
# other parameters for TPM1 are passed directly, and TPM2 mimics the # other parameters for TPM1 are passed directly, and TPM2 mimics the
# TPM1 interface. # TPM1 interface.
@ -304,7 +304,7 @@ tpm1_counter_create() {
} }
tpm2_counter_create() { tpm2_counter_create() {
TRACE "Under /bin/tpmr:tpm2_counter_create" TRACE_FUNC
while true; do while true; do
case "$1" in case "$1" in
-pwdc) -pwdc)
@ -333,7 +333,7 @@ tpm2_counter_create() {
} }
tpm2_startsession() { tpm2_startsession() {
TRACE "Under /bin/tpmr:tpm2_startsession" TRACE_FUNC
mkdir -p "$SECRET_DIR" mkdir -p "$SECRET_DIR"
tpm2 flushcontext -Q \ tpm2 flushcontext -Q \
--transient-object || --transient-object ||
@ -356,7 +356,7 @@ tpm2_startsession() {
# session file. E.g.: # session file. E.g.:
# at_exit cleanup_session "$SESSION_FILE" # at_exit cleanup_session "$SESSION_FILE"
cleanup_session() { cleanup_session() {
TRACE "Under /bin/tpmr:cleanup_session" TRACE_FUNC
session_file="$1" session_file="$1"
if [ -f "$session_file" ]; then if [ -f "$session_file" ]; then
DEBUG "Clean up session: $session_file" DEBUG "Clean up session: $session_file"
@ -372,7 +372,7 @@ cleanup_session() {
# at_exit, e.g.: # at_exit, e.g.:
# at_exit cleanup_shred "$FILE" # at_exit cleanup_shred "$FILE"
cleanup_shred() { cleanup_shred() {
TRACE "Under /bin/tpmr:cleanup_shred" TRACE_FUNC
shred -n 10 -z -u "$1" 2>/dev/null || true shred -n 10 -z -u "$1" 2>/dev/null || true
} }
@ -408,7 +408,7 @@ tpm1_destroy() {
# provided - TPM2 allows the TPM to fall back to current PCR values, but it is # provided - TPM2 allows the TPM to fall back to current PCR values, but it is
# not required to support this. # not required to support this.
tpm2_seal() { tpm2_seal() {
TRACE "Under /bin/tpmr:tpm2_seal" TRACE_FUNC
file="$1" #$KEY_FILE file="$1" #$KEY_FILE
index="$2" index="$2"
pcrl="$3" #0,1,2,3,4,5,6,7 (does not include algorithm prefix) pcrl="$3" #0,1,2,3,4,5,6,7 (does not include algorithm prefix)
@ -481,7 +481,7 @@ tpm2_seal() {
} }
} }
tpm1_seal() { tpm1_seal() {
TRACE "Under /bin/tpmr:tpm1_seal" TRACE_FUNC
file="$1" file="$1"
index="$2" index="$2"
pcrl="$3" #0,1,2,3,4,5,6,7 (does not include algorithm prefix) pcrl="$3" #0,1,2,3,4,5,6,7 (does not include algorithm prefix)
@ -549,7 +549,7 @@ tpm1_seal() {
# password must be provided if one was used to seal (and cannot be provided if # password must be provided if one was used to seal (and cannot be provided if
# no password was used to seal). # no password was used to seal).
tpm2_unseal() { tpm2_unseal() {
TRACE "Under /bin/tpmr:tpm2_unseal" TRACE_FUNC
index="$1" index="$1"
pcrl="$2" #0,1,2,3,4,5,6,7 (does not include algorithm prefix) pcrl="$2" #0,1,2,3,4,5,6,7 (does not include algorithm prefix)
sealed_size="$3" sealed_size="$3"
@ -594,7 +594,7 @@ tpm2_unseal() {
-S "$ENC_SESSION_FILE" >"$file" -S "$ENC_SESSION_FILE" >"$file"
} }
tpm1_unseal() { tpm1_unseal() {
TRACE "Under /bin/tpmr:tpm1_unseal" TRACE_FUNC
index="$1" index="$1"
pcrl="$2" pcrl="$2"
sealed_size="$3" sealed_size="$3"
@ -629,7 +629,7 @@ tpm1_unseal() {
} }
tpm2_reset() { tpm2_reset() {
TRACE "Under /bin/tpmr:tpm2_reset" TRACE_FUNC
tpm_owner_password="$1" tpm_owner_password="$1"
mkdir -p "$SECRET_DIR" mkdir -p "$SECRET_DIR"
# output TPM Owner Password to a file to be reused in this boot session until recovery shell/reboot # output TPM Owner Password to a file to be reused in this boot session until recovery shell/reboot
@ -678,7 +678,7 @@ tpm2_reset() {
"hex:$(dd if=/dev/urandom bs=32 count=1 status=none | xxd -p | tr -d ' \n')" "hex:$(dd if=/dev/urandom bs=32 count=1 status=none | xxd -p | tr -d ' \n')"
} }
tpm1_reset() { tpm1_reset() {
TRACE "Under /bin/tpmr:tpm1_reset" TRACE_FUNC
tpm_owner_password="$1" tpm_owner_password="$1"
mkdir -p "$SECRET_DIR" mkdir -p "$SECRET_DIR"
# output tpm_owner_password to a file to be reused in this boot session until recovery shell/reboot # output tpm_owner_password to a file to be reused in this boot session until recovery shell/reboot
@ -700,7 +700,7 @@ tpm1_reset() {
# Perform final cleanup before boot and lock the platform heirarchy. # Perform final cleanup before boot and lock the platform heirarchy.
tpm2_kexec_finalize() { tpm2_kexec_finalize() {
TRACE "Under /bin/tpmr:tpm2_kexec_finalize" TRACE_FUNC
# Flush sessions and transient objects # Flush sessions and transient objects
tpm2 flushcontext -Q --transient-object || tpm2 flushcontext -Q --transient-object ||
@ -720,7 +720,7 @@ tpm2_kexec_finalize() {
} }
tpm2_shutdown() { tpm2_shutdown() {
TRACE "Under /bin/tpmr:tpm2_shutdown" TRACE_FUNC
# Prepare for shutdown. # Prepare for shutdown.
# This is a "clear" shutdown (do not preserve runtime state) since we # This is a "clear" shutdown (do not preserve runtime state) since we

8
initrd/bin/unpack_initramfs.sh
View File

@ -3,7 +3,7 @@ set -e -o pipefail
. /etc/functions . /etc/functions
TRACE "Under unpack_initramfs.sh" TRACE_FUNC
# Unpack a Linux initramfs archive. # Unpack a Linux initramfs archive.
# #
# In general, the initramfs archive is one or more cpio archives, optionally # In general, the initramfs archive is one or more cpio archives, optionally
@ -31,7 +31,7 @@ CPIO_ARGS=("$@")
# Consume zero bytes, the first nonzero byte read (if any) is repeated on stdout # Consume zero bytes, the first nonzero byte read (if any) is repeated on stdout
consume_zeros() { consume_zeros() {
TRACE "Under unpack_initramfs.sh:consume_zeros" TRACE_FUNC
next_byte='00' next_byte='00'
while [ "$next_byte" = "00" ]; do while [ "$next_byte" = "00" ]; do
# if we reach EOF, next_byte becomes empty (dd does not fail) # if we reach EOF, next_byte becomes empty (dd does not fail)
@ -44,13 +44,13 @@ consume_zeros() {
} }
unpack_cpio() { unpack_cpio() {
TRACE "Under unpack_initramfs.sh:unpack_cpio" TRACE_FUNC
(cd "$dest_dir"; cpio -i "${CPIO_ARGS[@]}" 2>/dev/null) (cd "$dest_dir"; cpio -i "${CPIO_ARGS[@]}" 2>/dev/null)
} }
# unpack the first segment of an archive, then write the rest to another file # unpack the first segment of an archive, then write the rest to another file
unpack_first_segment() { unpack_first_segment() {
TRACE "Under unpack_initramfs.sh:unpack_first_segment" TRACE_FUNC
unpack_archive="$1" unpack_archive="$1"
dest_dir="$2" dest_dir="$2"
rest_archive="$3" rest_archive="$3"

4
initrd/bin/unseal-hotp
View File

@ -8,7 +8,7 @@ HOTP_COUNTER="/boot/kexec_hotp_counter"
mount_boot_or_die() mount_boot_or_die()
{ {
TRACE "Under /bin/unseal-hotp:mount_boot_or_die" TRACE_FUNC
# Mount local disk if it is not already mounted # Mount local disk if it is not already mounted
if ! grep -q /boot /proc/mounts ; then if ! grep -q /boot /proc/mounts ; then
mount -o ro /boot \ mount -o ro /boot \
@ -16,7 +16,7 @@ mount_boot_or_die()
fi fi
} }
TRACE "Under /bin/unseal-hotp" TRACE_FUNC
# Store counter in file instead of TPM for now, as it conflicts with Heads # Store counter in file instead of TPM for now, as it conflicts with Heads
# config TPM counter as TPM 1.2 can only increment one counter between reboots # config TPM counter as TPM 1.2 can only increment one counter between reboots

2
initrd/bin/unseal-totp
View File

@ -5,7 +5,7 @@
TOTP_SECRET="/tmp/secret/totp.key" TOTP_SECRET="/tmp/secret/totp.key"
TRACE "Under /bin/unseal-totp" TRACE_FUNC
if [ "$CONFIG_TPM" = "y" ]; then if [ "$CONFIG_TPM" = "y" ]; then
tpmr unseal 4d47 0,1,2,3,4,7 312 "$TOTP_SECRET" || tpmr unseal 4d47 0,1,2,3,4,7 312 "$TOTP_SECRET" ||

2
initrd/bin/usb-init
View File

@ -4,7 +4,7 @@
. /etc/functions . /etc/functions
. /tmp/config . /tmp/config
TRACE "Under /bin/usb-init" TRACE_FUNC
if [ "$CONFIG_TPM" = "y" ]; then if [ "$CONFIG_TPM" = "y" ]; then
# Extend PCR4 as soon as possible # Extend PCR4 as soon as possible

2
initrd/bin/wget-measure.sh
View File

@ -3,7 +3,7 @@
. /etc/functions . /etc/functions
die() { die() {
TRACE "Under /bin/wget-measure.sh:die" TRACE_FUNC
echo >&2 "$@" echo >&2 "$@"
exit 1 exit 1
} }

34
initrd/etc/functions
View File

@ -64,7 +64,7 @@ pcrs() {
} }
confirm_totp() { confirm_totp() {
TRACE "Under /etc/functions:confirm_totp" TRACE_FUNC
prompt="$1" prompt="$1"
last_half=X last_half=X
unset totp_confirm unset totp_confirm
@ -103,7 +103,7 @@ confirm_totp() {
} }
reseal_tpm_disk_decryption_key() { reseal_tpm_disk_decryption_key() {
TRACE "Under /etc/functions:reseal_tpm_disk_decryption_key" TRACE_FUNC
#For robustness, exit early if LUKS TPM Disk Unlock Key is prohibited in board configs #For robustness, exit early if LUKS TPM Disk Unlock Key is prohibited in board configs
if [ "$CONFIG_TPM_DISK_UNLOCK_KEY" == "n" ]; then if [ "$CONFIG_TPM_DISK_UNLOCK_KEY" == "n" ]; then
DEBUG "LUKS TPM Disk Unlock Key is prohibited in board configs" DEBUG "LUKS TPM Disk Unlock Key is prohibited in board configs"
@ -140,7 +140,7 @@ reseal_tpm_disk_decryption_key() {
# be detected. If USB storage was already enabled, no wait occurs, this would # be detected. If USB storage was already enabled, no wait occurs, this would
# have happened already when USB storage was enabled. # have happened already when USB storage was enabled.
enable_usb_storage() { enable_usb_storage() {
TRACE "Under /etc/functions:enable_usb_storage" TRACE_FUNC
if ! lsmod | grep -q usb_storage; then if ! lsmod | grep -q usb_storage; then
timeout=0 timeout=0
echo "Scanning for USB storage devices..." echo "Scanning for USB storage devices..."
@ -155,7 +155,7 @@ enable_usb_storage() {
} }
list_usb_storage() { list_usb_storage() {
TRACE "Under /etc/functions:list_usb_storage" TRACE_FUNC
# List all USB storage devices, including partitions unless we received argument stating we want drives only # List all USB storage devices, including partitions unless we received argument stating we want drives only
# The output is a list of device names, one per line. # The output is a list of device names, one per line.
@ -216,7 +216,7 @@ list_usb_storage() {
# Tools should optionally accept a TPM password on the command line, since some flows need # Tools should optionally accept a TPM password on the command line, since some flows need
# it multiple times and only one prompt is ideal. # it multiple times and only one prompt is ideal.
prompt_tpm_owner_password() { prompt_tpm_owner_password() {
TRACE "Under /etc/functions:prompt_tpm_owner_password" TRACE_FUNC
if [ -s /tmp/secret/tpm_owner_password ]; then if [ -s /tmp/secret/tpm_owner_password ]; then
DEBUG "/tmp/secret/tpm_owner_password already cached in file. Reusing" DEBUG "/tmp/secret/tpm_owner_password already cached in file. Reusing"
@ -238,7 +238,7 @@ prompt_tpm_owner_password() {
# The password must be 1-32 characters and must be entered twice, # The password must be 1-32 characters and must be entered twice,
# the script will loop until this is met. # the script will loop until this is met.
prompt_new_owner_password() { prompt_new_owner_password() {
TRACE "Under /etc/functions:prompt_new_owner_password" TRACE_FUNC
local tpm_owner_password2 local tpm_owner_password2
tpm_owner_password=1 tpm_owner_password=1
tpm_owner_password2=2 tpm_owner_password2=2
@ -262,7 +262,7 @@ prompt_new_owner_password() {
} }
check_tpm_counter() { check_tpm_counter() {
TRACE "Under /etc/functions:check_tpm_counter" TRACE_FUNC
LABEL=${2:-3135106223} LABEL=${2:-3135106223}
tpm_password="$3" tpm_password="$3"
@ -286,20 +286,20 @@ check_tpm_counter() {
} }
read_tpm_counter() { read_tpm_counter() {
TRACE "Under /etc/functions:read_tpm_counter" TRACE_FUNC
tpmr counter_read -ix "$1" | tee "/tmp/counter-$1" || tpmr counter_read -ix "$1" | tee "/tmp/counter-$1" ||
die "Counter read failed" die "Counter read failed"
} }
increment_tpm_counter() { increment_tpm_counter() {
TRACE "Under /etc/functions:increment_tpm_counter" TRACE_FUNC
tpmr counter_increment -ix "$1" -pwdc '' | tpmr counter_increment -ix "$1" -pwdc '' |
tee /tmp/counter-$1 || tee /tmp/counter-$1 ||
die "TPM counter increment failed for rollback prevention. Please reset the TPM" die "TPM counter increment failed for rollback prevention. Please reset the TPM"
} }
check_config() { check_config() {
TRACE "Under /etc/functions:check_config" TRACE_FUNC
if [ ! -d /tmp/kexec ]; then if [ ! -d /tmp/kexec ]; then
mkdir /tmp/kexec || mkdir /tmp/kexec ||
die 'Failed to make kexec tmp dir' die 'Failed to make kexec tmp dir'
@ -340,7 +340,7 @@ replace_rom_file() {
} }
replace_config() { replace_config() {
TRACE "Under /etc/functions:replace_config" TRACE_FUNC
CONFIG_FILE=$1 CONFIG_FILE=$1
CONFIG_OPTION=$2 CONFIG_OPTION=$2
NEW_SETTING=$3 NEW_SETTING=$3
@ -373,7 +373,7 @@ secret_from_rom_hash() {
} }
update_checksums() { update_checksums() {
TRACE "Under /etc/functions:update_checksums" TRACE_FUNC
# ensure /boot mounted # ensure /boot mounted
if ! grep -q /boot /proc/mounts; then if ! grep -q /boot /proc/mounts; then
mount -o ro /boot || mount -o ro /boot ||
@ -403,7 +403,7 @@ update_checksums() {
} }
print_tree() { print_tree() {
TRACE "Under /etc/functions:print_tree" TRACE_FUNC
find ./ ! -path './kexec*' -print0 | sort -z find ./ ! -path './kexec*' -print0 | sort -z
} }
@ -471,7 +471,7 @@ escape_zero() {
# due to https://bugs.busybox.net/show_bug.cgi?id=14226. Also, certain characters # due to https://bugs.busybox.net/show_bug.cgi?id=14226. Also, certain characters
# may be intepreted by `whiptail`, `less` et al (e.g. \n, \b, ...). # may be intepreted by `whiptail`, `less` et al (e.g. \n, \b, ...).
assert_signable() { assert_signable() {
TRACE "Under /etc/functions:assert_signable" TRACE_FUNC
# ensure /boot mounted # ensure /boot mounted
if ! grep -q /boot /proc/mounts; then if ! grep -q /boot /proc/mounts; then
mount -o ro /boot || die "Unable to mount /boot" mount -o ro /boot || die "Unable to mount /boot"
@ -490,7 +490,7 @@ assert_signable() {
} }
verify_checksums() { verify_checksums() {
TRACE "Under /etc/functions:verify_checksums" TRACE_FUNC
local boot_dir="$1" local boot_dir="$1"
local gui="${2:-y}" local gui="${2:-y}"
@ -523,7 +523,7 @@ verify_checksums() {
# detect and set /boot device # detect and set /boot device
# mount /boot if successful # mount /boot if successful
detect_boot_device() { detect_boot_device() {
TRACE "Under /etc/functions:detect_boot_device" TRACE_FUNC
# unmount /boot to be safe # unmount /boot to be safe
cd / && umount /boot 2>/dev/null cd / && umount /boot 2>/dev/null
@ -570,7 +570,7 @@ detect_boot_device() {
} }
scan_boot_options() { scan_boot_options() {
TRACE "Under /etc/functions:scan_boot_options" TRACE_FUNC
local bootdir config option_file local bootdir config option_file
bootdir="$1" bootdir="$1"
config="$2" config="$2"

6
initrd/etc/gui_functions
View File

@ -15,7 +15,7 @@ pause_automatic_boot()
mount_usb() mount_usb()
{ {
TRACE "under gui_functions:mount_usb" TRACE_FUNC
# Unmount any previous USB device # Unmount any previous USB device
if grep -q /media /proc/mounts ; then if grep -q /media /proc/mounts ; then
umount /media || die "Unable to unmount /media" umount /media || die "Unable to unmount /media"
@ -80,7 +80,7 @@ display_block_device_size() {
# No entries in list: Displays error and exits unsuccessfully # No entries in list: Displays error and exits unsuccessfully
file_selector() file_selector()
{ {
TRACE "under gui_functions:file_selector" TRACE_FUNC
local FILE_LIST MENU_MSG MENU_TITLE CHOICE_ARGS SHOW_SIZE OPTION_SIZE option_index local FILE_LIST MENU_MSG MENU_TITLE CHOICE_ARGS SHOW_SIZE OPTION_SIZE option_index
@ -132,7 +132,7 @@ file_selector()
show_system_info() show_system_info()
{ {
TRACE "Under /bin/gui-init:show_system_info" TRACE_FUNC
battery_charge="$(print_battery_charge)" battery_charge="$(print_battery_charge)"
battery_health="$(print_battery_health)" battery_health="$(print_battery_health)"
if [ -n $battery_charge -a -n $battery_health ];then if [ -n $battery_charge -a -n $battery_health ];then

16
initrd/etc/luks-functions
View File

@ -16,7 +16,7 @@ list_luks_devices() {
#Whiptail prompt asking user to select ratio of device to use for LUKS container between: 25, 50, 75 #Whiptail prompt asking user to select ratio of device to use for LUKS container between: 25, 50, 75
select_luks_container_size_percent() { select_luks_container_size_percent() {
TRACE "Under /etc/luks-functions:select_luks_container_size_percent()" TRACE_FUNC
if [ -x /bin/whiptail ]; then if [ -x /bin/whiptail ]; then
#whiptail prompt asking user to select ratio of device to use for LUKS container between: 25, 50, 75 #whiptail prompt asking user to select ratio of device to use for LUKS container between: 25, 50, 75
#whiptail returns the percentage of the device to use for LUKS container #whiptail returns the percentage of the device to use for LUKS container
@ -56,7 +56,7 @@ select_luks_container_size_percent() {
# Size provisioning is done by percentage of the device # Size provisioning is done by percentage of the device
interactive_prepare_thumb_drive() interactive_prepare_thumb_drive()
{ {
TRACE "Under /etc/luks-functions:interactive_prepare_thumb_drive()" TRACE_FUNC
#Refactoring: only one parameter needed to be prompted for: the passphrase for LUKS container if not coming from oem-provisioning #Refactoring: only one parameter needed to be prompted for: the passphrase for LUKS container if not coming from oem-provisioning
#If no passphrase was provided, ask user to select passphrase for LUKS container #If no passphrase was provided, ask user to select passphrase for LUKS container
# if no device provided as parameter, we will ask user to select device to partition # if no device provided as parameter, we will ask user to select device to partition
@ -188,7 +188,7 @@ interactive_prepare_thumb_drive()
# $2 - percent of device allocated to LUKS [1-99] # $2 - percent of device allocated to LUKS [1-99]
confirm_thumb_drive_format() confirm_thumb_drive_format()
{ {
TRACE "Under /etc/luks-functions:confirm_thumb_drive_format()" TRACE_FUNC
local DEVICE LUKS_PERCENTAGE DISK_SIZE_BYTES DISK_SIZE_DISPLAY LUKS_PERCENTAGE LUKS_SIZE_MB MSG local DEVICE LUKS_PERCENTAGE DISK_SIZE_BYTES DISK_SIZE_DISPLAY LUKS_PERCENTAGE LUKS_SIZE_MB MSG
DEVICE="$1" DEVICE="$1"
@ -230,7 +230,7 @@ confirm_thumb_drive_format()
# $3 - passphrase for LUKS container # $3 - passphrase for LUKS container
prepare_thumb_drive() prepare_thumb_drive()
{ {
TRACE "Under /etc/luks-functions:prepare_thumb_drive()" TRACE_FUNC
local DEVICE PERCENTAGE PASSPHRASE DISK_SIZE_BYTES PERCENTAGE_MB local DEVICE PERCENTAGE PASSPHRASE DISK_SIZE_BYTES PERCENTAGE_MB
DEVICE="$1" DEVICE="$1"
@ -267,7 +267,7 @@ prepare_thumb_drive()
select_luks_container() select_luks_container()
{ {
TRACE "Under /etc/luks-functions:select_luks_container()" TRACE_FUNC
if [ -s /boot/kexec_key_devices.txt ]; then if [ -s /boot/kexec_key_devices.txt ]; then
DEBUG "Reusing known good LUKS container device from /boot/kexec_key_devices.txt" DEBUG "Reusing known good LUKS container device from /boot/kexec_key_devices.txt"
DEBUG "LUKS container device: $(cut -d ' ' -f1 /boot/kexec_key_devices.txt)" DEBUG "LUKS container device: $(cut -d ' ' -f1 /boot/kexec_key_devices.txt)"
@ -295,7 +295,7 @@ select_luks_container()
test_luks_current_disk_recovery_key_passphrase() test_luks_current_disk_recovery_key_passphrase()
{ {
TRACE "Under /etc/luks-functions:test_luks_current_disk_recovery_key_passphrase()" TRACE_FUNC
while :; do while :; do
select_luks_container || return 1 select_luks_container || return 1
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
@ -336,7 +336,7 @@ test_luks_current_disk_recovery_key_passphrase()
} }
luks_reencrypt() { luks_reencrypt() {
TRACE "Under /etc/luks-functions:luks_reencrypt()" TRACE_FUNC
while :; do while :; do
select_luks_container || return 1 select_luks_container || return 1
#If the user just set a new LUKS Disk Recovery Key passphrase #If the user just set a new LUKS Disk Recovery Key passphrase
@ -382,7 +382,7 @@ luks_reencrypt() {
luks_change_passphrase() luks_change_passphrase()
{ {
TRACE "Under /etc/luks-functions:luks_change_passphrase()" TRACE_FUNC
while :; do while :; do
select_luks_container || return 1 select_luks_container || return 1
#if actual or new LUKS Disk Recovery Key is not provisioned by oem-provisioning file #if actual or new LUKS Disk Recovery Key is not provisioned by oem-provisioning file

2
initrd/sbin/insmod
View File

@ -6,7 +6,7 @@
. /etc/functions . /etc/functions
TRACE "Under insmod.sh" TRACE_FUNC
MODULE="$1"; shift MODULE="$1"; shift

2
targets/qemu.mk
View File

@ -88,7 +88,7 @@ run: $(TPMDIR)/.manufacture $(ROOT_DISK_IMG) $(MEMORY_SIZE_FILE) $(USB_FD_IMG)
-qemu-system-x86_64 -drive file="$(ROOT_DISK_IMG)",if=virtio \ -qemu-system-x86_64 -drive file="$(ROOT_DISK_IMG)",if=virtio \
--machine q35,accel=kvm:tcg \ --machine q35,accel=kvm:tcg \
-rtc base=utc \ -rtc base=utc \
-smp "$$(nproc)" \ -smp 1 \
-vga std \ -vga std \
-m "$$(cat "$(MEMORY_SIZE_FILE)")" \ -m "$$(cat "$(MEMORY_SIZE_FILE)")" \
-serial stdio \ -serial stdio \