mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-24 07:06:42 +00:00
Small cosmetic/typo related changes, ccache enablement for coreboot and reduction of unseal attempts
gui-init: do not consume two unseal attempt to unseal both totp and hotp + cosmetic changes (slow down TPM DA lockout) kexec-seal-key: Add DEBUG statement for PCR precalc seal-totp: add DEBUG statements regarding skipping of PCR5 and PCR6 involvement into TOTP/HOTP sealing ops seal-hotpkey: Add DEBUG statements related to reuse of TOTP sealed secret tpmr: add DO_WITH_DEBUG calls to output pcrread and extend calls tpmr: typo correction stating TRACE calls for tpm2 where it was for tpm1 tpmr: add DO_WITH_DEBUG calls for calcfuturepcr functions: Cosmetic fix on pause_recovery asking user to press Enter to go to recovery shell on host console when board defines CONFIG_BOOT_RECOVERY_SERIAL Not so related but part of output review and corrections: kexec-insert-key: cosmetic changes prepending "+++" to disk related changes kexec-save-default: cosmetic changes prepending "+++" to disk related changes config/coreboot-qemu-tpm*.config: add ccache support for faster coreboot rebuild times
This commit is contained in:
parent
77060b0031
commit
536f4a1623
@ -1,3 +1,4 @@
|
||||
CONFIG_CCACHE=y
|
||||
# CONFIG_INCLUDE_CONFIG_FILE is not set
|
||||
CONFIG_ONBOARD_VGA_IS_PRIMARY=y
|
||||
CONFIG_CBFS_SIZE=0x980000
|
||||
|
@ -1,3 +1,4 @@
|
||||
CONFIG_CCACHE=y
|
||||
# CONFIG_INCLUDE_CONFIG_FILE is not set
|
||||
CONFIG_ONBOARD_VGA_IS_PRIMARY=y
|
||||
CONFIG_CBFS_SIZE=0xfe0000
|
||||
|
@ -164,7 +164,7 @@ generate_totp_htop()
|
||||
# clear screen
|
||||
printf "\033c"
|
||||
else
|
||||
warn "Sealing of measurements inside of TPM failed. You might want to take ownership of TPM by resetting it."
|
||||
warn "Unsealing TOTP/HOTP secret from previous sealed measurements failed. Try "Generate new HOTP/TOTP secret" option if you updated firmware content."
|
||||
fi
|
||||
}
|
||||
|
||||
@ -366,8 +366,7 @@ show_main_menu()
|
||||
attempt_default_boot
|
||||
;;
|
||||
r )
|
||||
update_totp
|
||||
update_hotp
|
||||
update_totp && update_hotp
|
||||
;;
|
||||
o )
|
||||
show_options_menu
|
||||
|
@ -78,8 +78,8 @@ dd if="$INITRD" of="$SECRET_CPIO" bs=512 conv=sync \
|
||||
if [ "$unseal_failed" = "n" ]; then
|
||||
# kexec-save-default might have created crypttab overrides to be injected in initramfs through additional cpio
|
||||
if [ -r "$bootdir/kexec_initrd_crypttab_overrides.txt" ]; then
|
||||
echo "$bootdir/kexec_initrd_crypttab_overrides.txt found..."
|
||||
echo "Preparing initramfs crypttab overrides as defined under $bootdir/kexec_initrd_crypttab_overrides.txt to be injected through cpio at next kexec call..."
|
||||
echo "+++ $bootdir/kexec_initrd_crypttab_overrides.txt found..."
|
||||
echo "+++ Preparing initramfs crypttab overrides as defined under $bootdir/kexec_initrd_crypttab_overrides.txt to be injected through cpio at next kexec call..."
|
||||
# kexec-save-default has found crypttab files under initrd and saved them
|
||||
cat "$bootdir/kexec_initrd_crypttab_overrides.txt" | while read line; do
|
||||
crypttab_file=$(echo "$line" | awk -F ':' {'print $1'})
|
||||
@ -87,14 +87,14 @@ if [ "$unseal_failed" = "n" ]; then
|
||||
# Replace each initrd crypttab file with modified entry containing /secret.key path
|
||||
mkdir -p "$INITRD_DIR/$(dirname $crypttab_file)"
|
||||
echo "$crypttab_entry" | tee -a "$INITRD_DIR/$crypttab_file" > /dev/null
|
||||
echo "initramfs's $crypttab_file will be overriden with $crypttab_entry"
|
||||
echo "+++ initramfs's $crypttab_file will be overriden with: $crypttab_entry"
|
||||
done
|
||||
else
|
||||
# No crypttab files were found under selected default boot option's initrd file
|
||||
crypttab_file="etc/crypttab"
|
||||
mkdir -p "$INITRD_DIR/$(dirname $crypttab_file)"
|
||||
# overwrite crypttab to mirror behavior of seal-key
|
||||
echo "The following /etc/crypttab lines will be passed through cpio into kexec call for default boot option:"
|
||||
echo "+++ The following /etc/crypttab lines will be passed through cpio into kexec call for default boot option:"
|
||||
for uuid in `cat "$TMP_KEY_DEVICES" | cut -d\ -f2`; do
|
||||
# NOTE: discard operation (TRIM) is activated by default if no crypptab found in initrd
|
||||
echo "luks-$uuid UUID=$uuid /secret.key luks,discard" | tee -a "$INITRD_DIR/$crypttab_file"
|
||||
|
@ -146,14 +146,14 @@ if [ "$save_key" = "y" ]; then
|
||||
current_default_initrd=$(cat /boot/kexec_default_hashes.txt | grep initr | awk -F " " {'print $NF'} | sed 's/\.\//\/boot\//g')
|
||||
|
||||
# Get crypttab files paths from initrd
|
||||
echo "Checking current selected default boot's $current_default_initrd for existing crypttab files..."
|
||||
echo "+++ Checking current selected default boot's $current_default_initrd for existing crypttab files..."
|
||||
# First either decompress or use the original if it's not compressed
|
||||
initrd_decompressed="/tmp/initrd_extract/initrd_decompressed.cpio"
|
||||
zcat < "$current_default_initrd" > "$initrd_decompressed" 2> /dev/null || initrd_decompressed="$current_default_initrd"
|
||||
crypttab_files=$(cpio --list --quiet < "$initrd_decompressed" | grep crypttab 2> /dev/null) || true
|
||||
|
||||
if [ ! -z "$crypttab_files" ]; then
|
||||
echo "Extracting current selected default boot's $current_default_initrd for found crypttab files analysis..."
|
||||
echo "+++ Extracting current selected default boot's $current_default_initrd for found crypttab files analysis..."
|
||||
cpio -id --quiet < $initrd_decompressed $crypttab_files 2> /dev/null
|
||||
rm -f $bootdir/kexec_initrd_crypttab_overrides.txt || true
|
||||
|
||||
@ -172,12 +172,12 @@ if [ "$save_key" = "y" ]; then
|
||||
cd - > /dev/null
|
||||
|
||||
#insert current default boot's initrd crypttab locations into tracking file to be overwritten into initramfs at kexec-inject-key
|
||||
echo "The following OS crypttab file:entry were modified from default boot's initrd:"
|
||||
echo "+++ The following OS crypttab file:entry were modified from default boot's initrd:"
|
||||
cat $bootdir/kexec_initrd_crypttab_overrides.txt
|
||||
echo "Heads added /secret.key in those entries and saved them under $bootdir/kexec_initrd_crypttab_overrides.txt"
|
||||
echo "Those overrides will be part of detached signed digests and used to prepare cpio injected at kexec of selected default boot entry."
|
||||
echo "+++ Heads added /secret.key in those entries and saved them under $bootdir/kexec_initrd_crypttab_overrides.txt"
|
||||
echo "+++ Those overrides will be part of detached signed digests and used to prepare cpio injected at kexec of selected default boot entry."
|
||||
else
|
||||
echo "No crypttab file found in extracted initrd. Removing $bootdir/kexec_initrd_crypttab_overrides.txt"
|
||||
echo "+++ No crypttab file found in extracted initrd. Removing $bootdir/kexec_initrd_crypttab_overrides.txt"
|
||||
rm -f "$bootdir/kexec_initrd_crypttab_overrides.txt" || true
|
||||
fi
|
||||
# Cleanup
|
||||
|
@ -96,15 +96,16 @@ tpmr pcrread -a 3 "$pcrf"
|
||||
# Note that PCR 4 needs to be set with the "normal-boot" path value, which is 0.
|
||||
dd if=/dev/zero bs="$(tpmr pcrsize)" count=1 status=none >> "$pcrf"
|
||||
if [ "$CONFIG_USB_KEYBOARD" = "y" -o -r /lib/modules/libata.ko -o -x /bin/hotp_verification ]; then
|
||||
DEBUG "Seal with PCR5 involvement (additional kernel modules are loaded per board config)..."
|
||||
DEBUG "Sealing TPM disk unlock key with PCR5 involvement (additional kernel modules are loaded per board config)..."
|
||||
# Here, we take pcr 5 into consideration if modules are expected to be measured+loaded
|
||||
tpmr pcrread -a 5 "$pcrf"
|
||||
else
|
||||
DEBUG "Seal without PCR5 involvement, PCR5=0..."
|
||||
DEBUG "Sealing TPM disk unlock key with PCR5=0 (NO additional kernel modules are loaded per board config)..."
|
||||
#no kernel modules are expected to be measured+loaded
|
||||
dd if=/dev/zero bs="$(tpmr pcrsize)" count=1 status=none >> "$pcrf"
|
||||
fi
|
||||
# Precompute the value for pcr 6
|
||||
DEBUG "Precomputing TPM future value for PCR6 sealing/unsealing of TPM disk unlock key..."
|
||||
tpmr calcfuturepcr -a "/tmp/luksDump.txt" "$pcrf"
|
||||
# We take into consideration user files in cbfs
|
||||
tpmr pcrread -a 7 "$pcrf"
|
||||
|
@ -304,7 +304,7 @@ user_select() {
|
||||
DEBUG "Rebooting is required prior of booting default boot entry"
|
||||
# Instead of rebooting, drop to a recovery shell
|
||||
# for a chance to inspect debug output
|
||||
recovery "!!! Entering recovery to inspect debug output, reboot to continue"
|
||||
recovery "Entering recovery to permit inspection of /tmp/debug.log output, reboot to continue"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
@ -27,6 +27,7 @@ else
|
||||
fi
|
||||
|
||||
if [ "$CONFIG_TPM" = "y" ]; then
|
||||
DEBUG "Sealing HOTP secret reuses TOTP sealed secret..."
|
||||
tpmr unseal 4d47 0,1,2,3,4,7 312 "$HOTP_SECRET" \
|
||||
|| die "Unable to unseal HOTP secret"
|
||||
fi
|
||||
|
@ -36,7 +36,9 @@ tpmr pcrread -a 3 "$pcrf"
|
||||
# pcr 4 is expected to be zero (boot mode: init)
|
||||
dd if=/dev/zero bs="$(tpmr pcrsize)" count=1 status=none >> "$pcrf"
|
||||
# pcr 5 (kernel modules loaded) is not measured at sealing/unsealing of totp
|
||||
DEBUG "Sealing TOTP neglecting PCR5 involvement (Dynamically loaded kernel modules are not firmware integrity attestation related)"
|
||||
# pcr 6 (drive luks header) is not measured at sealing/unsealing of totp
|
||||
DEBUG "Sealing TOTP without PCR6 involvement (LUKS header consistency is not firmware integrity attestation related)"
|
||||
# pcr 7 is containing measurements of user injected stuff in cbfs
|
||||
tpmr pcrread -a 7 "$pcrf"
|
||||
tpmr seal "$TOTP_SECRET" "$TPM_NVRAM_SPACE" 0,1,2,3,4,7 "$pcrf" 312 \
|
||||
|
@ -56,10 +56,10 @@ tpm2_pcrread() {
|
||||
true >"$file"
|
||||
fi
|
||||
|
||||
tpm2 pcrread -Q -o >(cat >>"$file") "sha256:$index"
|
||||
DO_WITH_DEBUG tpm2 pcrread -Q -o >(cat >>"$file") "sha256:$index"
|
||||
}
|
||||
tpm1_pcrread() {
|
||||
TRACE "Under /bin/tpmr:tpm2_pcrread"
|
||||
TRACE "Under /bin/tpmr:tpm1_pcrread"
|
||||
if [ "$1" = "-a" ]; then
|
||||
APPEND=y
|
||||
shift
|
||||
@ -74,7 +74,7 @@ tpm1_pcrread() {
|
||||
true >"$file"
|
||||
fi
|
||||
|
||||
tpm pcrread -ix "$index" | hex2bin >>"$file"
|
||||
DO_WITH_DEBUG tpm pcrread -ix "$index" | hex2bin >>"$file"
|
||||
}
|
||||
|
||||
# usage: tpmr calcfuturepcr [-a] <input_file> <output_file>
|
||||
@ -97,12 +97,12 @@ tpm2_calcfuturepcr() {
|
||||
fi
|
||||
|
||||
tpm2 pcrreset -Q 23
|
||||
tpmr extend -ix 23 -if "$input_file"
|
||||
tpm2 pcrread -Q -o >(cat >>"$output_file") sha256:23
|
||||
DO_WITH_DEBUG tpmr extend -ix 23 -if "$input_file"
|
||||
DO_WITH_DEBUG tpm2 pcrread -Q -o >(cat >>"$output_file") sha256:23
|
||||
tpm2 pcrreset -Q 23
|
||||
}
|
||||
tpm1_calcfuturepcr() {
|
||||
TRACE "Under /bin/tpmr:tpm2_calcfuturepcr"
|
||||
TRACE "Under /bin/tpmr:tpm1_calcfuturepcr"
|
||||
if [ "$1" = "-a" ]; then
|
||||
APPEND=y
|
||||
shift
|
||||
@ -115,7 +115,7 @@ tpm1_calcfuturepcr() {
|
||||
true >"$output_file"
|
||||
fi
|
||||
|
||||
tpm calcfuturepcr -ix 16 -if "$input_file" | hex2bin >>"$output_file"
|
||||
DO_WITH_DEBUG tpm calcfuturepcr -ix 16 -if "$input_file" | hex2bin >>"$output_file"
|
||||
}
|
||||
|
||||
tpm2_extend() {
|
||||
@ -521,7 +521,8 @@ if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
|
||||
shutdown)
|
||||
;; # Nothing on TPM1.
|
||||
*)
|
||||
exec tpm "$@"
|
||||
DEBUG "Direct translation from tpmr to tpm1 call"
|
||||
DO_WITH_DEBUG exec tpm "$@"
|
||||
;;
|
||||
esac
|
||||
exit 0
|
||||
|
@ -38,6 +38,7 @@ fi
|
||||
|
||||
#counter_value=$(printf "%d" 0x${counter_value})
|
||||
if [ "$CONFIG_TPM" = "y" ]; then
|
||||
DEBUG "Unsealing HOTP secret reuses TOTP sealed secret..."
|
||||
tpmr unseal 4d47 0,1,2,3,4,7 312 "$HOTP_SECRET"
|
||||
fi
|
||||
|
||||
|
@ -67,7 +67,7 @@ recovery() {
|
||||
|
||||
pause_recovery() {
|
||||
TRACE "Under /etc/functions:pause_recovery"
|
||||
read -p 'Hit enter to proceed to recovery shell:'
|
||||
read -p $'!!! Hit enter to proceed to recovery shell !!!\n'
|
||||
recovery $*
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user