Small cosmetic/typo related changes, ccache enablement for coreboot and reduction of unseal attempts

gui-init: do not consume two unseal attempts to unseal both totp and hotp + cosmetic changes (slow down TPM DA lockout)
kexec-seal-key: Add DEBUG statement for PCR precalc
seal-totp: add DEBUG statements regarding skipping of PCR5 and PCR6 involvement into TOTP/HOTP sealing ops
seal-hotpkey: Add DEBUG statements related to reuse of TOTP sealed secret
tpmr: add DO_WITH_DEBUG calls to output pcrread and extend calls
tpmr: typo correction stating TRACE calls for tpm2 where it was for tpm1
tpmr: add DO_WITH_DEBUG calls for calcfuturepcr
functions: Cosmetic fix on pause_recovery asking user to press Enter to go to recovery shell on host console when board defines CONFIG_BOOT_RECOVERY_SERIAL

Not so related but part of output review and corrections:
kexec-insert-key: cosmetic changes prepending "+++" to disk related changes
kexec-save-default: cosmetic changes prepending "+++" to disk related changes
config/coreboot-qemu-tpm*.config: add ccache support for faster coreboot rebuild times
This commit is contained in:
Thierry Laurion 2023-03-09 13:28:04 -05:00
parent 77060b0031
commit 536f4a1623
No known key found for this signature in database
GPG Key ID: E7B4A71658E36A93
12 changed files with 32 additions and 25 deletions


@ -1,3 +1,4 @@
CONFIG_CCACHE=y
# CONFIG_INCLUDE_CONFIG_FILE is not set # CONFIG_INCLUDE_CONFIG_FILE is not set
CONFIG_ONBOARD_VGA_IS_PRIMARY=y CONFIG_ONBOARD_VGA_IS_PRIMARY=y
CONFIG_CBFS_SIZE=0x980000 CONFIG_CBFS_SIZE=0x980000
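Review bot: `CONFIG_CCACHE=y` on the first line of this config turns a missing `ccache` binary into a hard build error: coreboot's Makefile aborts when the option is set and no ccache is found on PATH, rather than falling back to a plain compile, so the Heads build environment must provide it for this board; the same applies to the second coreboot-qemu-tpm config below, which adds the identical line. If the intent is a developer convenience, consider documenting that requirement next to the option or enabling ccache from the build system instead of the board .config. Because Heads measures the coreboot image into the TPM, it is also worth confirming once that a ccache-backed build reproduces the same ROM as a clean build before relying on it outside qemu.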


@ -1,3 +1,4 @@
CONFIG_CCACHE=y
# CONFIG_INCLUDE_CONFIG_FILE is not set # CONFIG_INCLUDE_CONFIG_FILE is not set
CONFIG_ONBOARD_VGA_IS_PRIMARY=y CONFIG_ONBOARD_VGA_IS_PRIMARY=y
CONFIG_CBFS_SIZE=0xfe0000 CONFIG_CBFS_SIZE=0xfe0000


@ -164,7 +164,7 @@ generate_totp_htop()
# clear screen # clear screen
printf "\033c" printf "\033c"
else else
warn "Sealing of measurements inside of TPM failed. You might want to take ownership of TPM by resetting it." warn "Unsealing TOTP/HOTP secret from previous sealed measurements failed. Try "Generate new HOTP/TOTP secret" option if you updated firmware content."
fi fi
} }
@ -366,8 +366,7 @@ show_main_menu()
attempt_default_boot attempt_default_boot
;; ;;
r ) r )
update_totp update_totp && update_hotp
update_hotp
;; ;;
o ) o )
show_options_menu show_options_menu
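Review bot: The new `warn` message in the generate_totp_htop hunk nests unescaped double quotes (`Try "Generate new HOTP/TOTP secret" option`), which closes the string after `Try ` and passes the remainder as separate words, so the quotes around the menu option name never reach the user; escape them: `warn "Unsealing TOTP/HOTP secret from previous sealed measurements failed. Try \"Generate new HOTP/TOTP secret\" option if you updated firmware content."`. The `update_totp && update_hotp` change in show_main_menu does what the commit describes, but the reason is only in the commit message; a comment such as `# chain the two so a failed TOTP unseal does not spend a second TPM dictionary-attack attempt on HOTP` would keep it with the code. Both enclosing functions start outside their hunks.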


@ -78,8 +78,8 @@ dd if="$INITRD" of="$SECRET_CPIO" bs=512 conv=sync \
if [ "$unseal_failed" = "n" ]; then if [ "$unseal_failed" = "n" ]; then
# kexec-save-default might have created crypttab overrides to be injected in initramfs through additional cpio # kexec-save-default might have created crypttab overrides to be injected in initramfs through additional cpio
if [ -r "$bootdir/kexec_initrd_crypttab_overrides.txt" ]; then if [ -r "$bootdir/kexec_initrd_crypttab_overrides.txt" ]; then
echo "$bootdir/kexec_initrd_crypttab_overrides.txt found..." echo "+++ $bootdir/kexec_initrd_crypttab_overrides.txt found..."
echo "Preparing initramfs crypttab overrides as defined under $bootdir/kexec_initrd_crypttab_overrides.txt to be injected through cpio at next kexec call..." echo "+++ Preparing initramfs crypttab overrides as defined under $bootdir/kexec_initrd_crypttab_overrides.txt to be injected through cpio at next kexec call..."
# kexec-save-default has found crypttab files under initrd and saved them # kexec-save-default has found crypttab files under initrd and saved them
cat "$bootdir/kexec_initrd_crypttab_overrides.txt" | while read line; do cat "$bootdir/kexec_initrd_crypttab_overrides.txt" | while read line; do
crypttab_file=$(echo "$line" | awk -F ':' {'print $1'}) crypttab_file=$(echo "$line" | awk -F ':' {'print $1'})
@ -87,14 +87,14 @@ if [ "$unseal_failed" = "n" ]; then
# Replace each initrd crypttab file with modified entry containing /secret.key path # Replace each initrd crypttab file with modified entry containing /secret.key path
mkdir -p "$INITRD_DIR/$(dirname $crypttab_file)" mkdir -p "$INITRD_DIR/$(dirname $crypttab_file)"
echo "$crypttab_entry" | tee -a "$INITRD_DIR/$crypttab_file" > /dev/null echo "$crypttab_entry" | tee -a "$INITRD_DIR/$crypttab_file" > /dev/null
echo "initramfs's $crypttab_file will be overriden with $crypttab_entry" echo "+++ initramfs's $crypttab_file will be overriden with: $crypttab_entry"
done done
else else
# No crypttab files were found under selected default boot option's initrd file # No crypttab files were found under selected default boot option's initrd file
crypttab_file="etc/crypttab" crypttab_file="etc/crypttab"
mkdir -p "$INITRD_DIR/$(dirname $crypttab_file)" mkdir -p "$INITRD_DIR/$(dirname $crypttab_file)"
# overwrite crypttab to mirror behavior of seal-key # overwrite crypttab to mirror behavior of seal-key
echo "The following /etc/crypttab lines will be passed through cpio into kexec call for default boot option:" echo "+++ The following /etc/crypttab lines will be passed through cpio into kexec call for default boot option:"
for uuid in `cat "$TMP_KEY_DEVICES" | cut -d\ -f2`; do for uuid in `cat "$TMP_KEY_DEVICES" | cut -d\ -f2`; do
# NOTE: discard operation (TRIM) is activated by default if no crypptab found in initrd # NOTE: discard operation (TRIM) is activated by default if no crypptab found in initrd
echo "luks-$uuid UUID=$uuid /secret.key luks,discard" | tee -a "$INITRD_DIR/$crypttab_file" echo "luks-$uuid UUID=$uuid /secret.key luks,discard" | tee -a "$INITRD_DIR/$crypttab_file"
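Review bot: The rewritten message on the `initramfs's $crypttab_file will be overriden with:` line keeps the misspelling; since the string is being edited anyway, make it `echo "+++ initramfs's $crypttab_file will be overridden with: $crypttab_entry"`. The loop feeding it, `cat "$bootdir/kexec_initrd_crypttab_overrides.txt" | while read line`, calls `read` without `-r`, so a backslash in a stored crypttab entry is interpreted before the entry is appended to the initrd's crypttab; `while IFS= read -r line; do … done < "$bootdir/kexec_initrd_crypttab_overrides.txt"` preserves the line and drops the redundant `cat`. The enclosing `if [ "$unseal_failed" = "n" ]` block begins before and ends after these hunks.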


@ -146,14 +146,14 @@ if [ "$save_key" = "y" ]; then
current_default_initrd=$(cat /boot/kexec_default_hashes.txt | grep initr | awk -F " " {'print $NF'} | sed 's/\.\//\/boot\//g') current_default_initrd=$(cat /boot/kexec_default_hashes.txt | grep initr | awk -F " " {'print $NF'} | sed 's/\.\//\/boot\//g')
# Get crypttab files paths from initrd # Get crypttab files paths from initrd
echo "Checking current selected default boot's $current_default_initrd for existing crypttab files..." echo "+++ Checking current selected default boot's $current_default_initrd for existing crypttab files..."
# First either decompress or use the original if it's not compressed # First either decompress or use the original if it's not compressed
initrd_decompressed="/tmp/initrd_extract/initrd_decompressed.cpio" initrd_decompressed="/tmp/initrd_extract/initrd_decompressed.cpio"
zcat < "$current_default_initrd" > "$initrd_decompressed" 2> /dev/null || initrd_decompressed="$current_default_initrd" zcat < "$current_default_initrd" > "$initrd_decompressed" 2> /dev/null || initrd_decompressed="$current_default_initrd"
crypttab_files=$(cpio --list --quiet < "$initrd_decompressed" | grep crypttab 2> /dev/null) || true crypttab_files=$(cpio --list --quiet < "$initrd_decompressed" | grep crypttab 2> /dev/null) || true
if [ ! -z "$crypttab_files" ]; then if [ ! -z "$crypttab_files" ]; then
echo "Extracting current selected default boot's $current_default_initrd for found crypttab files analysis..." echo "+++ Extracting current selected default boot's $current_default_initrd for found crypttab files analysis..."
cpio -id --quiet < $initrd_decompressed $crypttab_files 2> /dev/null cpio -id --quiet < $initrd_decompressed $crypttab_files 2> /dev/null
rm -f $bootdir/kexec_initrd_crypttab_overrides.txt || true rm -f $bootdir/kexec_initrd_crypttab_overrides.txt || true
@ -172,12 +172,12 @@ if [ "$save_key" = "y" ]; then
cd - > /dev/null cd - > /dev/null
#insert current default boot's initrd crypttab locations into tracking file to be overwritten into initramfs at kexec-inject-key #insert current default boot's initrd crypttab locations into tracking file to be overwritten into initramfs at kexec-inject-key
echo "The following OS crypttab file:entry were modified from default boot's initrd:" echo "+++ The following OS crypttab file:entry were modified from default boot's initrd:"
cat $bootdir/kexec_initrd_crypttab_overrides.txt cat $bootdir/kexec_initrd_crypttab_overrides.txt
echo "Heads added /secret.key in those entries and saved them under $bootdir/kexec_initrd_crypttab_overrides.txt" echo "+++ Heads added /secret.key in those entries and saved them under $bootdir/kexec_initrd_crypttab_overrides.txt"
echo "Those overrides will be part of detached signed digests and used to prepare cpio injected at kexec of selected default boot entry." echo "+++ Those overrides will be part of detached signed digests and used to prepare cpio injected at kexec of selected default boot entry."
else else
echo "No crypttab file found in extracted initrd. Removing $bootdir/kexec_initrd_crypttab_overrides.txt" echo "+++ No crypttab file found in extracted initrd. Removing $bootdir/kexec_initrd_crypttab_overrides.txt"
rm -f "$bootdir/kexec_initrd_crypttab_overrides.txt" || true rm -f "$bootdir/kexec_initrd_crypttab_overrides.txt" || true
fi fi
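Review bot: `rm -f $bootdir/kexec_initrd_crypttab_overrides.txt || true` in the first hunk leaves `$bootdir` unquoted while the second hunk's `rm -f "$bootdir/kexec_initrd_crypttab_overrides.txt" || true` quotes it; quote both for consistency, and note that `|| true` after `rm -f` adds nothing for a missing file. `cpio -id --quiet < $initrd_decompressed $crypttab_files` deliberately word-splits `$crypttab_files` into member patterns, but `$initrd_decompressed` is a single path and should be quoted. These lines predate the commit; the enclosing `if [ "$save_key" = "y" ]` block continues past both hunks.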
# Cleanup # Cleanup


@ -96,15 +96,16 @@ tpmr pcrread -a 3 "$pcrf"
# Note that PCR 4 needs to be set with the "normal-boot" path value, which is 0. # Note that PCR 4 needs to be set with the "normal-boot" path value, which is 0.
dd if=/dev/zero bs="$(tpmr pcrsize)" count=1 status=none >> "$pcrf" dd if=/dev/zero bs="$(tpmr pcrsize)" count=1 status=none >> "$pcrf"
if [ "$CONFIG_USB_KEYBOARD" = "y" -o -r /lib/modules/libata.ko -o -x /bin/hotp_verification ]; then if [ "$CONFIG_USB_KEYBOARD" = "y" -o -r /lib/modules/libata.ko -o -x /bin/hotp_verification ]; then
DEBUG "Seal with PCR5 involvement (additional kernel modules are loaded per board config)..." DEBUG "Sealing TPM disk unlock key with PCR5 involvement (additional kernel modules are loaded per board config)..."
# Here, we take pcr 5 into consideration if modules are expected to be measured+loaded # Here, we take pcr 5 into consideration if modules are expected to be measured+loaded
tpmr pcrread -a 5 "$pcrf" tpmr pcrread -a 5 "$pcrf"
else else
DEBUG "Seal without PCR5 involvement, PCR5=0..." DEBUG "Sealing TPM disk unlock key with PCR5=0 (NO additional kernel modules are loaded per board config)..."
#no kernel modules are expected to be measured+loaded #no kernel modules are expected to be measured+loaded
dd if=/dev/zero bs="$(tpmr pcrsize)" count=1 status=none >> "$pcrf" dd if=/dev/zero bs="$(tpmr pcrsize)" count=1 status=none >> "$pcrf"
fi fi
# Precompute the value for pcr 6 # Precompute the value for pcr 6
DEBUG "Precomputing TPM future value for PCR6 sealing/unsealing of TPM disk unlock key..."
tpmr calcfuturepcr -a "/tmp/luksDump.txt" "$pcrf" tpmr calcfuturepcr -a "/tmp/luksDump.txt" "$pcrf"
# We take into consideration user files in cbfs # We take into consideration user files in cbfs
tpmr pcrread -a 7 "$pcrf" tpmr pcrread -a 7 "$pcrf"
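Review bot: The new DEBUG text on the else branch, `Sealing TPM disk unlock key with PCR5=0 (NO additional kernel modules are loaded per board config)...`, attributes the decision to board config alone, but the condition it belongs to also tests `-r /lib/modules/libata.ko` and `-x /bin/hotp_verification` at runtime, so the log line can mislead whoever reads /tmp/debug.log after an unseal failure. Suggest `DEBUG "Sealing TPM disk unlock key with PCR5=0 (no USB keyboard, libata module or hotp_verification present, so no kernel modules are expected to be measured+loaded)..."` so the message names the same inputs as the test. The `[ … -o … -o … ]` form is pre-existing; `[ a ] || [ b ] || [ c ]` is the portable equivalent if this file is touched again. This hunk is top-level script code and the script continues past it.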


@ -304,7 +304,7 @@ user_select() {
DEBUG "Rebooting is required prior of booting default boot entry" DEBUG "Rebooting is required prior of booting default boot entry"
# Instead of rebooting, drop to a recovery shell # Instead of rebooting, drop to a recovery shell
# for a chance to inspect debug output # for a chance to inspect debug output
recovery "!!! Entering recovery to inspect debug output, reboot to continue" recovery "Entering recovery to permit inspection of /tmp/debug.log output, reboot to continue"
fi fi
fi fi
fi fi


@ -27,6 +27,7 @@ else
fi fi
if [ "$CONFIG_TPM" = "y" ]; then if [ "$CONFIG_TPM" = "y" ]; then
DEBUG "Sealing HOTP secret reuses TOTP sealed secret..."
tpmr unseal 4d47 0,1,2,3,4,7 312 "$HOTP_SECRET" \ tpmr unseal 4d47 0,1,2,3,4,7 312 "$HOTP_SECRET" \
|| die "Unable to unseal HOTP secret" || die "Unable to unseal HOTP secret"
fi fi
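Review bot: The new `DEBUG "Sealing HOTP secret reuses TOTP sealed secret..."` precedes an unseal, not a seal: the next line unseals NVRAM index 4d47 into `$HOTP_SECRET`, so `DEBUG "Unsealing TOTP secret from TPM NVRAM index 4d47 for reuse as HOTP secret..."` would describe the operation and mirror the wording this commit adds in unseal-hotp. The index and size (`4d47`, `312`) are hard-coded here and in unseal-hotp, while seal-totp passes `"$TPM_NVRAM_SPACE"` for the same location; using the variable in all three keeps the shared secret's NVRAM index defined in one place. The enclosing `if [ "$CONFIG_TPM" = "y" ]` block is fully within the hunk.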


@ -36,7 +36,9 @@ tpmr pcrread -a 3 "$pcrf"
# pcr 4 is expected to be zero (boot mode: init) # pcr 4 is expected to be zero (boot mode: init)
dd if=/dev/zero bs="$(tpmr pcrsize)" count=1 status=none >> "$pcrf" dd if=/dev/zero bs="$(tpmr pcrsize)" count=1 status=none >> "$pcrf"
# pcr 5 (kernel modules loaded) is not measured at sealing/unsealing of totp # pcr 5 (kernel modules loaded) is not measured at sealing/unsealing of totp
DEBUG "Sealing TOTP neglecting PCR5 involvement (Dynamically loaded kernel modules are not firmware integrity attestation related)"
# pcr 6 (drive luks header) is not measured at sealing/unsealing of totp # pcr 6 (drive luks header) is not measured at sealing/unsealing of totp
DEBUG "Sealing TOTP without PCR6 involvement (LUKS header consistency is not firmware integrity attestation related)"
# pcr 7 is containing measurements of user injected stuff in cbfs # pcr 7 is containing measurements of user injected stuff in cbfs
tpmr pcrread -a 7 "$pcrf" tpmr pcrread -a 7 "$pcrf"
tpmr seal "$TOTP_SECRET" "$TPM_NVRAM_SPACE" 0,1,2,3,4,7 "$pcrf" 312 \ tpmr seal "$TOTP_SECRET" "$TPM_NVRAM_SPACE" 0,1,2,3,4,7 "$pcrf" 312 \


@ -56,10 +56,10 @@ tpm2_pcrread() {
true >"$file" true >"$file"
fi fi
tpm2 pcrread -Q -o >(cat >>"$file") "sha256:$index" DO_WITH_DEBUG tpm2 pcrread -Q -o >(cat >>"$file") "sha256:$index"
} }
tpm1_pcrread() { tpm1_pcrread() {
TRACE "Under /bin/tpmr:tpm2_pcrread" TRACE "Under /bin/tpmr:tpm1_pcrread"
if [ "$1" = "-a" ]; then if [ "$1" = "-a" ]; then
APPEND=y APPEND=y
shift shift
@ -74,7 +74,7 @@ tpm1_pcrread() {
true >"$file" true >"$file"
fi fi
tpm pcrread -ix "$index" | hex2bin >>"$file" DO_WITH_DEBUG tpm pcrread -ix "$index" | hex2bin >>"$file"
} }
# usage: tpmr calcfuturepcr [-a] <input_file> <output_file> # usage: tpmr calcfuturepcr [-a] <input_file> <output_file>
@ -97,12 +97,12 @@ tpm2_calcfuturepcr() {
fi fi
tpm2 pcrreset -Q 23 tpm2 pcrreset -Q 23
tpmr extend -ix 23 -if "$input_file" DO_WITH_DEBUG tpmr extend -ix 23 -if "$input_file"
tpm2 pcrread -Q -o >(cat >>"$output_file") sha256:23 DO_WITH_DEBUG tpm2 pcrread -Q -o >(cat >>"$output_file") sha256:23
tpm2 pcrreset -Q 23 tpm2 pcrreset -Q 23
} }
tpm1_calcfuturepcr() { tpm1_calcfuturepcr() {
TRACE "Under /bin/tpmr:tpm2_calcfuturepcr" TRACE "Under /bin/tpmr:tpm1_calcfuturepcr"
if [ "$1" = "-a" ]; then if [ "$1" = "-a" ]; then
APPEND=y APPEND=y
shift shift
@ -115,7 +115,7 @@ tpm1_calcfuturepcr() {
true >"$output_file" true >"$output_file"
fi fi
tpm calcfuturepcr -ix 16 -if "$input_file" | hex2bin >>"$output_file" DO_WITH_DEBUG tpm calcfuturepcr -ix 16 -if "$input_file" | hex2bin >>"$output_file"
} }
tpm2_extend() { tpm2_extend() {
@ -521,7 +521,8 @@ if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
shutdown) shutdown)
;; # Nothing on TPM1. ;; # Nothing on TPM1.
*) *)
exec tpm "$@" DEBUG "Direct translation from tpmr to tpm1 call"
DO_WITH_DEBUG exec tpm "$@"
;; ;;
esac esac
exit 0 exit 0
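Review bot: `DO_WITH_DEBUG exec tpm "$@"` in the final `*)` arm: `exec` replaces the shell process, so anything DO_WITH_DEBUG does after launching its command (status handling, post-logging) can never run; `DO_WITH_DEBUG tpm "$@"` followed by `exit $?` keeps the same exit status while leaving the wrapper intact. Separately, if DO_WITH_DEBUG writes its argument vector to /tmp/debug.log, this pass-through arm logs every raw tpm1 argument, so any authorization value a caller passes on argv would land in the log — confirm the wrapper masks such arguments or that no caller routes secrets through this arm (the wrapper's definition is not in this diff). In the pcrread and calcfuturepcr hunks, `DO_WITH_DEBUG tpm pcrread -ix "$index" | hex2bin >>"$file"` wraps only the first pipeline stage, which is adequate for logging but means a hex2bin failure is invisible to the wrapper. The `case` in the last hunk opens outside the hunk.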


@ -38,6 +38,7 @@ fi
#counter_value=$(printf "%d" 0x${counter_value}) #counter_value=$(printf "%d" 0x${counter_value})
if [ "$CONFIG_TPM" = "y" ]; then if [ "$CONFIG_TPM" = "y" ]; then
DEBUG "Unsealing HOTP secret reuses TOTP sealed secret..."
tpmr unseal 4d47 0,1,2,3,4,7 312 "$HOTP_SECRET" tpmr unseal 4d47 0,1,2,3,4,7 312 "$HOTP_SECRET"
fi fi


@ -67,7 +67,7 @@ recovery() {
pause_recovery() { pause_recovery() {
TRACE "Under /etc/functions:pause_recovery" TRACE "Under /etc/functions:pause_recovery"
read -p 'Hit enter to proceed to recovery shell:' read -p $'!!! Hit enter to proceed to recovery shell !!!\n'
recovery $* recovery $*
} }
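Review bot: `recovery $*` on the line after the changed prompt forwards the reason unquoted, so a multi-word message is re-split and any glob characters in it expand before recovery() sees them; `recovery "$@"` passes the arguments as given. The new prompt relies on `$'…\n'` ANSI-C quoting; if /etc/functions is sourced by a shell other than bash at runtime (not visible here), confirm that shell supports it, otherwise the user sees the literal `$'!!! Hit enter…` text instead of the prompt. The function pause_recovery is fully within the hunk.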