Small cosmetic/typo related changes, ccache enablement for coreboot and reduction of unseal attempts

gui-init: do not consume two unseal attempts to unseal both totp and hotp + cosmetic changes (slow down TPM DA lockout)
kexec-seal-key: Add DEBUG statement for PCR precalc
seal-totp: add DEBUG statements regarding skipping of PCR5 and PCR6 involvement into TOTP/HOTP sealing ops
seal-hotpkey: Add DEBUG statements related to reuse of TOTP sealed secret
tpmr: add DO_WITH_DEBUG calls to output pcrread and extend calls
tpmr: typo correction stating TRACE calls for tpm2 where it was for tpm1
tpmr: add DO_WITH_DEBUG calls for calcfuturepcr
functions: Cosmetic fix on pause_recovery asking user to press Enter to go to recovery shell on host console when board defines CONFIG_BOOT_RECOVERY_SERIAL

Not so related but part of output review and corrections:
kexec-insert-key: cosmetic changes prepending "+++" to disk related changes
kexec-save-default: cosmetic changes prepending "+++" to disk related changes
config/coreboot-qemu-tpm*.config: add ccache support for faster coreboot rebuild times
This commit is contained in:
Thierry Laurion 2023-03-09 13:28:04 -05:00
parent 77060b0031
commit 536f4a1623
No known key found for this signature in database
GPG Key ID: E7B4A71658E36A93
12 changed files with 32 additions and 25 deletions


@ -1,3 +1,4 @@
CONFIG_CCACHE=y
# CONFIG_INCLUDE_CONFIG_FILE is not set
CONFIG_ONBOARD_VGA_IS_PRIMARY=y
CONFIG_CBFS_SIZE=0x980000


@ -1,3 +1,4 @@
CONFIG_CCACHE=y
# CONFIG_INCLUDE_CONFIG_FILE is not set
CONFIG_ONBOARD_VGA_IS_PRIMARY=y
CONFIG_CBFS_SIZE=0xfe0000


@ -164,7 +164,7 @@ generate_totp_htop()
# clear screen
printf "\033c"
else
warn "Sealing of measurements inside of TPM failed. You might want to take ownership of TPM by resetting it."
warn "Unsealing TOTP/HOTP secret from previous sealed measurements failed. Try "Generate new HOTP/TOTP secret" option if you updated firmware content."
fi
}
@ -366,8 +366,7 @@ show_main_menu()
attempt_default_boot
;;
r )
update_totp
update_hotp
update_totp && update_hotp
;;
o )
show_options_menu
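Review bot: The replacement warn line in the first hunk embeds unescaped double quotes, `Try "Generate new HOTP/TOTP secret" option`, inside a double-quoted string, so the shell closes the string at the second `"` and hands the remainder to warn as separate words; depending on how warn consumes its arguments the message is either truncated after `Try Generate` or re-joined with altered spacing. Escape the inner quotes: `warn "Unsealing TOTP/HOTP secret from previous sealed measurements failed. Try \"Generate new HOTP/TOTP secret\" option if you updated firmware content."`. In the second hunk, `update_totp && update_hotp` skips HOTP regeneration whenever update_totp returns non-zero, so if update_totp can fail for a reason other than a rejected unseal (its return contract is not visible here) a one-line comment stating that the short-circuit is deliberate, to avoid a second attempt counted by the TPM DA lockout, would keep the next maintainer from "fixing" it back. generate_totp_htop begins outside the first hunk and show_main_menu continues outside the second.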


@ -78,8 +78,8 @@ dd if="$INITRD" of="$SECRET_CPIO" bs=512 conv=sync \
if [ "$unseal_failed" = "n" ]; then
# kexec-save-default might have created crypttab overrides to be injected in initramfs through additional cpio
if [ -r "$bootdir/kexec_initrd_crypttab_overrides.txt" ]; then
echo "$bootdir/kexec_initrd_crypttab_overrides.txt found..."
echo "Preparing initramfs crypttab overrides as defined under $bootdir/kexec_initrd_crypttab_overrides.txt to be injected through cpio at next kexec call..."
echo "+++ $bootdir/kexec_initrd_crypttab_overrides.txt found..."
echo "+++ Preparing initramfs crypttab overrides as defined under $bootdir/kexec_initrd_crypttab_overrides.txt to be injected through cpio at next kexec call..."
# kexec-save-default has found crypttab files under initrd and saved them
cat "$bootdir/kexec_initrd_crypttab_overrides.txt" | while read line; do
crypttab_file=$(echo "$line" | awk -F ':' {'print $1'})
@ -87,14 +87,14 @@ if [ "$unseal_failed" = "n" ]; then
# Replace each initrd crypttab file with modified entry containing /secret.key path
mkdir -p "$INITRD_DIR/$(dirname $crypttab_file)"
echo "$crypttab_entry" | tee -a "$INITRD_DIR/$crypttab_file" > /dev/null
echo "initramfs's $crypttab_file will be overriden with $crypttab_entry"
echo "+++ initramfs's $crypttab_file will be overriden with: $crypttab_entry"
done
else
# No crypttab files were found under selected default boot option's initrd file
crypttab_file="etc/crypttab"
mkdir -p "$INITRD_DIR/$(dirname $crypttab_file)"
# overwrite crypttab to mirror behavior of seal-key
echo "The following /etc/crypttab lines will be passed through cpio into kexec call for default boot option:"
echo "+++ The following /etc/crypttab lines will be passed through cpio into kexec call for default boot option:"
for uuid in `cat "$TMP_KEY_DEVICES" | cut -d\ -f2`; do
# NOTE: discard operation (TRIM) is activated by default if no crypptab found in initrd
echo "luks-$uuid UUID=$uuid /secret.key luks,discard" | tee -a "$INITRD_DIR/$crypttab_file"
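Review bot: The rewritten message `echo "+++ initramfs's $crypttab_file will be overriden with: $crypttab_entry"` keeps the spelling error `overriden`; since the string is being changed anyway, `echo "+++ initramfs's $crypttab_file will be overridden with: $crypttab_entry"`. The loop these messages sit in starts in the first hunk and ends in the second, and it is fed by `cat … | while read line` without `-r`, so a crypttab path containing a backslash would be mangled before it reaches the new messages; not introduced by this commit, but worth switching to `read -r line` while the block is being touched.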


@ -146,14 +146,14 @@ if [ "$save_key" = "y" ]; then
current_default_initrd=$(cat /boot/kexec_default_hashes.txt | grep initr | awk -F " " {'print $NF'} | sed 's/\.\//\/boot\//g')
# Get crypttab files paths from initrd
echo "Checking current selected default boot's $current_default_initrd for existing crypttab files..."
echo "+++ Checking current selected default boot's $current_default_initrd for existing crypttab files..."
# First either decompress or use the original if it's not compressed
initrd_decompressed="/tmp/initrd_extract/initrd_decompressed.cpio"
zcat < "$current_default_initrd" > "$initrd_decompressed" 2> /dev/null || initrd_decompressed="$current_default_initrd"
crypttab_files=$(cpio --list --quiet < "$initrd_decompressed" | grep crypttab 2> /dev/null) || true
if [ ! -z "$crypttab_files" ]; then
echo "Extracting current selected default boot's $current_default_initrd for found crypttab files analysis..."
echo "+++ Extracting current selected default boot's $current_default_initrd for found crypttab files analysis..."
cpio -id --quiet < $initrd_decompressed $crypttab_files 2> /dev/null
rm -f $bootdir/kexec_initrd_crypttab_overrides.txt || true
@ -172,12 +172,12 @@ if [ "$save_key" = "y" ]; then
cd - > /dev/null
#insert current default boot's initrd crypttab locations into tracking file to be overwritten into initramfs at kexec-inject-key
echo "The following OS crypttab file:entry were modified from default boot's initrd:"
echo "+++ The following OS crypttab file:entry were modified from default boot's initrd:"
cat $bootdir/kexec_initrd_crypttab_overrides.txt
echo "Heads added /secret.key in those entries and saved them under $bootdir/kexec_initrd_crypttab_overrides.txt"
echo "Those overrides will be part of detached signed digests and used to prepare cpio injected at kexec of selected default boot entry."
echo "+++ Heads added /secret.key in those entries and saved them under $bootdir/kexec_initrd_crypttab_overrides.txt"
echo "+++ Those overrides will be part of detached signed digests and used to prepare cpio injected at kexec of selected default boot entry."
else
echo "No crypttab file found in extracted initrd. Removing $bootdir/kexec_initrd_crypttab_overrides.txt"
echo "+++ No crypttab file found in extracted initrd. Removing $bootdir/kexec_initrd_crypttab_overrides.txt"
rm -f "$bootdir/kexec_initrd_crypttab_overrides.txt" || true
fi
# Cleanup


@ -96,15 +96,16 @@ tpmr pcrread -a 3 "$pcrf"
# Note that PCR 4 needs to be set with the "normal-boot" path value, which is 0.
dd if=/dev/zero bs="$(tpmr pcrsize)" count=1 status=none >> "$pcrf"
if [ "$CONFIG_USB_KEYBOARD" = "y" -o -r /lib/modules/libata.ko -o -x /bin/hotp_verification ]; then
DEBUG "Seal with PCR5 involvement (additional kernel modules are loaded per board config)..."
DEBUG "Sealing TPM disk unlock key with PCR5 involvement (additional kernel modules are loaded per board config)..."
# Here, we take pcr 5 into consideration if modules are expected to be measured+loaded
tpmr pcrread -a 5 "$pcrf"
else
DEBUG "Seal without PCR5 involvement, PCR5=0..."
DEBUG "Sealing TPM disk unlock key with PCR5=0 (NO additional kernel modules are loaded per board config)..."
#no kernel modules are expected to be measured+loaded
dd if=/dev/zero bs="$(tpmr pcrsize)" count=1 status=none >> "$pcrf"
fi
# Precompute the value for pcr 6
DEBUG "Precomputing TPM future value for PCR6 sealing/unsealing of TPM disk unlock key..."
tpmr calcfuturepcr -a "/tmp/luksDump.txt" "$pcrf"
# We take into consideration user files in cbfs
tpmr pcrread -a 7 "$pcrf"
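Review bot: The new DEBUG text on the `Sealing TPM disk unlock key with PCR5 involvement (additional kernel modules are loaded per board config)...` line explains only the first two disjuncts of the condition above it; the third, `-x /bin/hotp_verification`, is a presence check on a binary rather than on a module, so the log can claim module loading in a case where that is not literally what triggered PCR5 involvement. If that branch exists because hotp_verification implies USB modules are loaded, saying so makes the log self-explanatory, e.g. `DEBUG "Sealing TPM disk unlock key with PCR5 involvement (USB keyboard, libata or hotp_verification present: kernel modules expected to be measured+loaded)..."`. The script continues outside the hunk on both sides.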


@ -304,7 +304,7 @@ user_select() {
DEBUG "Rebooting is required prior of booting default boot entry"
# Instead of rebooting, drop to a recovery shell
# for a chance to inspect debug output
recovery "!!! Entering recovery to inspect debug output, reboot to continue"
recovery "Entering recovery to permit inspection of /tmp/debug.log output, reboot to continue"
fi
fi
fi


@ -27,6 +27,7 @@ else
fi
if [ "$CONFIG_TPM" = "y" ]; then
DEBUG "Sealing HOTP secret reuses TOTP sealed secret..."
tpmr unseal 4d47 0,1,2,3,4,7 312 "$HOTP_SECRET" \
|| die "Unable to unseal HOTP secret"
fi
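Review bot: The new `DEBUG "Sealing HOTP secret reuses TOTP sealed secret..."` line documents a coupling that the line below it does not enforce: the NV index `4d47` and the PCR list `0,1,2,3,4,7` are literals here and again in the unseal-hotp section further down, whereas seal-totp seals with `"$TPM_NVRAM_SPACE"` and the same PCR list. If `TPM_NVRAM_SPACE` is in scope for this script (not shown here), `tpmr unseal "$TPM_NVRAM_SPACE" 0,1,2,3,4,7 312 "$HOTP_SECRET" \` would let a future change to the TOTP index propagate instead of silently breaking HOTP unsealing with the same "Unable to unseal" failure. The same applies to the unseal-hotp hunk; the enclosing if block is fully inside this hunk but the script continues outside it.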


@ -36,7 +36,9 @@ tpmr pcrread -a 3 "$pcrf"
# pcr 4 is expected to be zero (boot mode: init)
dd if=/dev/zero bs="$(tpmr pcrsize)" count=1 status=none >> "$pcrf"
# pcr 5 (kernel modules loaded) is not measured at sealing/unsealing of totp
DEBUG "Sealing TOTP neglecting PCR5 involvement (Dynamically loaded kernel modules are not firmware integrity attestation related)"
# pcr 6 (drive luks header) is not measured at sealing/unsealing of totp
DEBUG "Sealing TOTP without PCR6 involvement (LUKS header consistency is not firmware integrity attestation related)"
# pcr 7 is containing measurements of user injected stuff in cbfs
tpmr pcrread -a 7 "$pcrf"
tpmr seal "$TOTP_SECRET" "$TPM_NVRAM_SPACE" 0,1,2,3,4,7 "$pcrf" 312 \


@ -56,10 +56,10 @@ tpm2_pcrread() {
true >"$file"
fi
tpm2 pcrread -Q -o >(cat >>"$file") "sha256:$index"
DO_WITH_DEBUG tpm2 pcrread -Q -o >(cat >>"$file") "sha256:$index"
}
tpm1_pcrread() {
TRACE "Under /bin/tpmr:tpm2_pcrread"
TRACE "Under /bin/tpmr:tpm1_pcrread"
if [ "$1" = "-a" ]; then
APPEND=y
shift
@ -74,7 +74,7 @@ tpm1_pcrread() {
true >"$file"
fi
tpm pcrread -ix "$index" | hex2bin >>"$file"
DO_WITH_DEBUG tpm pcrread -ix "$index" | hex2bin >>"$file"
}
# usage: tpmr calcfuturepcr [-a] <input_file> <output_file>
@ -97,12 +97,12 @@ tpm2_calcfuturepcr() {
fi
tpm2 pcrreset -Q 23
tpmr extend -ix 23 -if "$input_file"
tpm2 pcrread -Q -o >(cat >>"$output_file") sha256:23
DO_WITH_DEBUG tpmr extend -ix 23 -if "$input_file"
DO_WITH_DEBUG tpm2 pcrread -Q -o >(cat >>"$output_file") sha256:23
tpm2 pcrreset -Q 23
}
tpm1_calcfuturepcr() {
TRACE "Under /bin/tpmr:tpm2_calcfuturepcr"
TRACE "Under /bin/tpmr:tpm1_calcfuturepcr"
if [ "$1" = "-a" ]; then
APPEND=y
shift
@ -115,7 +115,7 @@ tpm1_calcfuturepcr() {
true >"$output_file"
fi
tpm calcfuturepcr -ix 16 -if "$input_file" | hex2bin >>"$output_file"
DO_WITH_DEBUG tpm calcfuturepcr -ix 16 -if "$input_file" | hex2bin >>"$output_file"
}
tpm2_extend() {
@ -521,7 +521,8 @@ if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
shutdown)
;; # Nothing on TPM1.
*)
exec tpm "$@"
DEBUG "Direct translation from tpmr to tpm1 call"
DO_WITH_DEBUG exec tpm "$@"
;;
esac
exit 0
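Review bot: `DO_WITH_DEBUG exec tpm "$@"` in the last hunk changes the fallthrough's process semantics in a way that depends on DO_WITH_DEBUG's implementation, which is not visible here: if the helper runs its arguments in the current shell, `exec` replaces the tpmr process from inside the helper and any logging it does after the command never runs; if it runs them in a subshell or pipeline, the `exec` no longer replaces tpmr and the exit status seen by the caller is whatever the helper returns rather than tpm's. If the intent is only to log the translated call, `DEBUG "Direct translation from tpmr to tpm1 call: tpm $*"` followed by the original `exec tpm "$@"` keeps the behaviour of the line it replaces. Since this path forwards every unhandled subcommand with its full argv to the debug output, it is also worth confirming that no TPM1 subcommand reached this way carries secret material on its command line. The `DO_WITH_DEBUG … | hex2bin >>"$file"` lines in the earlier hunks wrap only the first pipeline stage, which is fine for logging but means a hex2bin failure is not surfaced by the wrapper.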


@ -38,6 +38,7 @@ fi
#counter_value=$(printf "%d" 0x${counter_value})
if [ "$CONFIG_TPM" = "y" ]; then
DEBUG "Unsealing HOTP secret reuses TOTP sealed secret..."
tpmr unseal 4d47 0,1,2,3,4,7 312 "$HOTP_SECRET"
fi


@ -67,7 +67,7 @@ recovery() {
pause_recovery() {
TRACE "Under /etc/functions:pause_recovery"
read -p 'Hit enter to proceed to recovery shell:'
read -p $'!!! Hit enter to proceed to recovery shell !!!\n'
recovery $*
}
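Review bot: The new `read -p $'!!! Hit enter to proceed to recovery shell !!!\n'` still reads without `-r`, so a backslash typed before Enter is taken as a line continuation and the prompt silently waits for a second Enter; `read -r -p $'!!! Hit enter to proceed to recovery shell !!!\n'` avoids that. `$'…'` quoting is a bash extension, so if /etc/functions is also sourced by a POSIX-only shell the `\n` would be printed literally; the interpreter is not visible here, so worth confirming. `recovery $*` on the next line is unchanged but re-splits its arguments on whitespace; `recovery "$@"` would pass them through intact. recovery() itself starts outside the hunk.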