All scripts and functions: Add DEBUG calling trace on console when CONFIG_DEBUG_OUTPUT is exported in board config

-qemu-coreboot-*whiptail-tpm1(-hotp) boards have 'export CONFIG_DEBUG_OUTPUT=y' by default now
This commit is contained in:
Thierry Laurion 2023-02-18 12:58:43 -05:00
parent ffd8ab9ac5
commit 5bc2bc88e4
No known key found for this signature in database
GPG Key ID: E7B4A71658E36A93
43 changed files with 139 additions and 1 deletions

View File

@ -8,6 +8,9 @@ export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.13 export CONFIG_COREBOOT_VERSION=4.13
export CONFIG_LINUX_VERSION=5.10.5 export CONFIG_LINUX_VERSION=5.10.5
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config
CONFIG_LINUX_CONFIG=config/linux-qemu.config CONFIG_LINUX_CONFIG=config/linux-qemu.config

View File

@ -6,6 +6,9 @@ export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.13 export CONFIG_COREBOOT_VERSION=4.13
export CONFIG_LINUX_VERSION=5.10.5 export CONFIG_LINUX_VERSION=5.10.5
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config
CONFIG_LINUX_CONFIG=config/linux-qemu.config CONFIG_LINUX_CONFIG=config/linux-qemu.config

View File

@ -8,6 +8,9 @@ export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.13 export CONFIG_COREBOOT_VERSION=4.13
export CONFIG_LINUX_VERSION=5.10.5 export CONFIG_LINUX_VERSION=5.10.5
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config
CONFIG_LINUX_CONFIG=config/linux-qemu.config CONFIG_LINUX_CONFIG=config/linux-qemu.config

View File

@ -6,6 +6,9 @@ export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.13 export CONFIG_COREBOOT_VERSION=4.13
export CONFIG_LINUX_VERSION=5.10.5 export CONFIG_LINUX_VERSION=5.10.5
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config
CONFIG_LINUX_CONFIG=config/linux-qemu.config CONFIG_LINUX_CONFIG=config/linux-qemu.config

View File

@ -2,6 +2,8 @@
set -e -o pipefail set -e -o pipefail
. /etc/functions . /etc/functions
DEBUG "Under /bin/cbfs-init"
# Update initrd with CBFS files # Update initrd with CBFS files
if [ -z "$CONFIG_PCR" ]; then if [ -z "$CONFIG_PCR" ]; then
CONFIG_PCR=7 CONFIG_PCR=7

View File

@ -3,6 +3,8 @@ set -e -o pipefail
. /etc/functions . /etc/functions
. /tmp/config . /tmp/config
DEBUG "Under /bin/cbfs.sh"
if pnor "$2" -r HBI > /tmp/pnor.part 2>/dev/null; then if pnor "$2" -r HBI > /tmp/pnor.part 2>/dev/null; then
cbfs "$@" -o /tmp/pnor.part && pnor "$2" -w HBI < /tmp/pnor.part cbfs "$@" -o /tmp/pnor.part && pnor "$2" -w HBI < /tmp/pnor.part
else else

View File

@ -5,6 +5,8 @@ set -e -o pipefail
. /etc/gui_functions . /etc/gui_functions
. /tmp/config . /tmp/config
DEBUG "Under /bin/config-gui.sh"
param=$1 param=$1
while true; do while true; do

View File

@ -5,6 +5,8 @@ set -e -o pipefail
. /etc/gui_functions . /etc/gui_functions
. /tmp/config . /tmp/config
DEBUG "Under /bin/flash-gui.sh"
while true; do while true; do
unset menu_choice unset menu_choice
whiptail $BG_COLOR_MAIN_MENU --title "Firmware Management Menu" \ whiptail $BG_COLOR_MAIN_MENU --title "Firmware Management Menu" \

View File

@ -6,6 +6,8 @@ set -e -o pipefail
. /etc/functions . /etc/functions
. /tmp/config . /tmp/config
DEBUG "Under /bin/flash.sh"
case "$CONFIG_FLASHROM_OPTIONS" in case "$CONFIG_FLASHROM_OPTIONS" in
-* ) -* )
echo "Board $CONFIG_BOARD detected, continuing..." echo "Board $CONFIG_BOARD detected, continuing..."

View File

@ -1,6 +1,8 @@
#!/bin/sh #!/bin/sh
. /etc/functions . /etc/functions
DEBUG "Under /bin/flashrom-kgpe-d16-openbmc.sh"
ROM="$1" ROM="$1"
if [ -z "$1" ]; then if [ -z "$1" ]; then
die "Usage: $0 /media/kgpe-d16-openbmc.rom" die "Usage: $0 /media/kgpe-d16-openbmc.rom"

View File

@ -6,6 +6,7 @@
mount_boot() mount_boot()
{ {
DEBUG "Under /bin/generic-init:mount_boot"
# Mount local disk if it is not already mounted # Mount local disk if it is not already mounted
if ! grep -q /boot /proc/mounts ; then if ! grep -q /boot /proc/mounts ; then
mount -o ro /boot \ mount -o ro /boot \

View File

@ -5,6 +5,7 @@ set -e -o pipefail
. /etc/gui_functions . /etc/gui_functions
. /tmp/config . /tmp/config
DEBUG "Under /bin/gpg-gui.sh"
gpg_flash_rom() { gpg_flash_rom() {
if [ "$1" = "replace" ]; then if [ "$1" = "replace" ]; then

View File

@ -1,3 +1,6 @@
#!/bin/sh #!/bin/sh
# if we are using the full GPG we need a wrapper for the gpgv executable # if we are using the full GPG we need a wrapper for the gpgv executable
. /etc/functions
DEBUG "Under /bin/gpgv"
exec gpg --verify "$@" exec gpg --verify "$@"

View File

@ -17,7 +17,7 @@ skip_to_menu="false"
mount_boot() mount_boot()
{ {
DEBUG "Under /bin/gui-init:mount_boot"
# Mount local disk if it is not already mounted # Mount local disk if it is not already mounted
while ! grep -q /boot /proc/mounts ; do while ! grep -q /boot /proc/mounts ; do
# try to mount if CONFIG_BOOT_DEV exists # try to mount if CONFIG_BOOT_DEV exists
@ -63,6 +63,7 @@ mount_boot()
verify_global_hashes() verify_global_hashes()
{ {
DEBUG "Under /bin/gui-init:verify_global_hashes"
# Check the hashes of all the files, ignoring signatures for now # Check the hashes of all the files, ignoring signatures for now
check_config /boot force check_config /boot force
TMP_HASH_FILE="/tmp/kexec/kexec_hashes.txt" TMP_HASH_FILE="/tmp/kexec/kexec_hashes.txt"
@ -137,6 +138,7 @@ verify_global_hashes()
prompt_update_checksums() prompt_update_checksums()
{ {
DEBUG "Under /bin/gui-init:prompt_update_checksums"
if (whiptail $BG_COLOR_WARNING --title 'Update Checksums and sign all files in /boot' \ if (whiptail $BG_COLOR_WARNING --title 'Update Checksums and sign all files in /boot' \
--yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that these files have not been tampered with.\n\nYou will need your GPG key available, and this change will modify your disk.\n\nDo you want to continue?" 0 80) then --yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that these files have not been tampered with.\n\nYou will need your GPG key available, and this change will modify your disk.\n\nDo you want to continue?" 0 80) then
if ! update_checksums ; then if ! update_checksums ; then
@ -148,6 +150,7 @@ prompt_update_checksums()
generate_totp_htop() generate_totp_htop()
{ {
DEBUG "Under /bin/gui-init:generate_totp_htop"
echo "Scan the QR code to add the new TOTP secret" echo "Scan the QR code to add the new TOTP secret"
if /bin/seal-totp "$BOARD_NAME"; then if /bin/seal-totp "$BOARD_NAME"; then
if [ -x /bin/hotp_verification ]; then if [ -x /bin/hotp_verification ]; then
@ -167,6 +170,7 @@ generate_totp_htop()
update_totp() update_totp()
{ {
DEBUG "Under /bin/gui-init:update_totp"
# update the TOTP code # update the TOTP code
date=`date "+%Y-%m-%d %H:%M:%S %Z"` date=`date "+%Y-%m-%d %H:%M:%S %Z"`
if [ "$CONFIG_TPM" = n ]; then if [ "$CONFIG_TPM" = n ]; then
@ -217,6 +221,7 @@ update_totp()
update_hotp() update_hotp()
{ {
DEBUG "Under /bin/gui-init:update_hotp"
if [ -x /bin/hotp_verification ]; then if [ -x /bin/hotp_verification ]; then
HOTP=`unseal-hotp` HOTP=`unseal-hotp`
if ! hotp_verification info ; then if ! hotp_verification info ; then
@ -255,6 +260,7 @@ update_hotp()
clean_boot_check() clean_boot_check()
{ {
DEBUG "Under /bin/gui-init:mount_boot"
# assume /boot mounted # assume /boot mounted
if ! grep -q /boot /proc/mounts ; then if ! grep -q /boot /proc/mounts ; then
return return
@ -283,6 +289,7 @@ clean_boot_check()
check_gpg_key() check_gpg_key()
{ {
DEBUG "Under /bin/gui-init:check_gpg_key"
GPG_KEY_COUNT=`gpg -k 2>/dev/null | wc -l` GPG_KEY_COUNT=`gpg -k 2>/dev/null | wc -l`
if [ $GPG_KEY_COUNT -eq 0 ]; then if [ $GPG_KEY_COUNT -eq 0 ]; then
BG_COLOR_MAIN_MENU=$BG_COLOR_ERROR BG_COLOR_MAIN_MENU=$BG_COLOR_ERROR
@ -319,6 +326,7 @@ check_gpg_key()
prompt_auto_default_boot() prompt_auto_default_boot()
{ {
DEBUG "Under /bin/gui-init:prompt_auto_default_boot"
# save IFS before changing, restore after read # save IFS before changing, restore after read
IFS_DEF=$IFS IFS_DEF=$IFS
IFS='' IFS=''
@ -335,6 +343,7 @@ prompt_auto_default_boot()
show_main_menu() show_main_menu()
{ {
DEBUG "Under /bin/gui-init:show_main_menu"
date=`date "+%Y-%m-%d %H:%M:%S %Z"` date=`date "+%Y-%m-%d %H:%M:%S %Z"`
whiptail $BG_COLOR_MAIN_MENU --title "$MAIN_MENU_TITLE" \ whiptail $BG_COLOR_MAIN_MENU --title "$MAIN_MENU_TITLE" \
--menu "$date\nTOTP: $TOTP | HOTP: $HOTP" 0 80 10 \ --menu "$date\nTOTP: $TOTP | HOTP: $HOTP" 0 80 10 \
@ -368,6 +377,7 @@ show_main_menu()
show_options_menu() show_options_menu()
{ {
DEBUG "Under /bin/gui-init:show_options_menu"
whiptail $BG_COLOR_MAIN_MENU --title "HEADS Options" \ whiptail $BG_COLOR_MAIN_MENU --title "HEADS Options" \
--menu "" 0 80 10 \ --menu "" 0 80 10 \
'b' ' Boot Options -->' \ 'b' ' Boot Options -->' \
@ -424,6 +434,7 @@ show_options_menu()
show_boot_options_menu() show_boot_options_menu()
{ {
DEBUG "Under /bin/gui-init:show_boot_options_menu"
whiptail $BG_COLOR_MAIN_MENU --title "Boot Options" \ whiptail $BG_COLOR_MAIN_MENU --title "Boot Options" \
--menu "Select A Boot Option" 0 80 10 \ --menu "Select A Boot Option" 0 80 10 \
'm' ' Show OS boot menu' \ 'm' ' Show OS boot menu' \
@ -451,6 +462,7 @@ show_boot_options_menu()
show_tpm_totp_hotp_options_menu() show_tpm_totp_hotp_options_menu()
{ {
DEBUG "Under /bin/gui-init:show_tpm_totp_hotp_options_menu"
whiptail $BG_COLOR_MAIN_MENU --title "TPM/TOTP/HOTP Options" \ whiptail $BG_COLOR_MAIN_MENU --title "TPM/TOTP/HOTP Options" \
--menu "Select An Option" 0 80 10 \ --menu "Select An Option" 0 80 10 \
'g' ' Generate new TOTP/HOTP secret' \ 'g' ' Generate new TOTP/HOTP secret' \
@ -477,6 +489,7 @@ show_tpm_totp_hotp_options_menu()
prompt_totp_mismatch() prompt_totp_mismatch()
{ {
DEBUG "Under /bin/gui-init:prompt_totp_mismatch"
if (whiptail $BG_COLOR_WARNING --title "TOTP/HOTP code mismatched" \ if (whiptail $BG_COLOR_WARNING --title "TOTP/HOTP code mismatched" \
--yesno "TOTP/HOTP code mismatches could indicate either TPM tampering or clock drift:\n\nTo correct clock drift: 'date -s yyyy-MM-DD hh:mm:ss' in UTC timezone\nand save it to the RTC: 'hwclock -w'\nthen reboot and try again.\n\nWould you like to exit to a recovery console?" 0 80) then --yesno "TOTP/HOTP code mismatches could indicate either TPM tampering or clock drift:\n\nTo correct clock drift: 'date -s yyyy-MM-DD hh:mm:ss' in UTC timezone\nand save it to the RTC: 'hwclock -w'\nthen reboot and try again.\n\nWould you like to exit to a recovery console?" 0 80) then
echo "" echo ""
@ -493,6 +506,7 @@ prompt_totp_mismatch()
reset_tpm() reset_tpm()
{ {
DEBUG "Under /bin/gui-init:reset_tpm"
if [ "$CONFIG_TPM" = "y" ]; then if [ "$CONFIG_TPM" = "y" ]; then
if (whiptail $BG_COLOR_WARNING --title 'Reset the TPM' \ if (whiptail $BG_COLOR_WARNING --title 'Reset the TPM' \
--yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 0 80) then --yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 0 80) then
@ -526,6 +540,7 @@ reset_tpm()
show_system_info() show_system_info()
{ {
DEBUG "Under /bin/gui-init:show_system_info"
battery_charge="$(print_battery_charge)" battery_charge="$(print_battery_charge)"
battery_health="$(print_battery_health)" battery_health="$(print_battery_health)"
if [ -n $battery_charge -a -n $battery_health ];then if [ -n $battery_charge -a -n $battery_health ];then
@ -543,6 +558,7 @@ show_system_info()
select_os_boot_option() select_os_boot_option()
{ {
DEBUG "Under /bin/gui-init:select_os_boot_option"
mount_boot mount_boot
if verify_global_hashes ; then if verify_global_hashes ; then
kexec-select-boot -m -b /boot -c "grub.cfg" -g kexec-select-boot -m -b /boot -c "grub.cfg" -g
@ -551,6 +567,7 @@ select_os_boot_option()
attempt_default_boot() attempt_default_boot()
{ {
DEBUG "Under /bin/gui-init:attempt_default_boot"
mount_boot mount_boot
if ! verify_global_hashes; then if ! verify_global_hashes; then
@ -568,6 +585,7 @@ attempt_default_boot()
force_unsafe_boot() force_unsafe_boot()
{ {
DEBUG "Under /bin/gui-init:force_unsafe_boot"
# Run the menu selection in "force" mode, bypassing hash checks # Run the menu selection in "force" mode, bypassing hash checks
if (whiptail $BG_COLOR_WARNING --title 'Unsafe Forced Boot Selected!' \ if (whiptail $BG_COLOR_WARNING --title 'Unsafe Forced Boot Selected!' \
--yesno "WARNING: You have chosen to skip all tamper checks and boot anyway.\n\nThis is an unsafe option!\n\nDo you want to proceed?" 0 80) then --yesno "WARNING: You have chosen to skip all tamper checks and boot anyway.\n\nThis is an unsafe option!\n\nDo you want to proceed?" 0 80) then
@ -576,6 +594,7 @@ force_unsafe_boot()
} }
# gui-init start # gui-init start
DEBUG "Under /bin/gui-init, start"
# Use stored HOTP key branding # Use stored HOTP key branding
if [ -r /boot/kexec_hotp_key ]; then if [ -r /boot/kexec_hotp_key ]; then
@ -609,6 +628,7 @@ if [[ "$HOTP" = "Success" && $CONFIG_AUTO_BOOT_TIMEOUT ]]; then
fi fi
while true; do while true; do
DEBUG "Under gui-init:while true loop"
skip_to_menu="false" skip_to_menu="false"
show_main_menu show_main_menu
done done

View File

@ -4,6 +4,8 @@ set -e -o pipefail
. /tmp/config . /tmp/config
. /etc/functions . /etc/functions
DEBUG "Under /bin/kexec-boot"
dryrun="n" dryrun="n"
printfiles="n" printfiles="n"
printinitrd="n" printinitrd="n"

View File

@ -3,6 +3,8 @@
set -e -o pipefail set -e -o pipefail
. /etc/functions . /etc/functions
DEBUG "Under /bin/kexec-insert-key"
TMP_KEY_DEVICES="/tmp/kexec/kexec_key_devices.txt" TMP_KEY_DEVICES="/tmp/kexec/kexec_key_devices.txt"
TMP_KEY_LVM="/tmp/kexec/kexec_key_lvm.txt" TMP_KEY_LVM="/tmp/kexec/kexec_key_lvm.txt"

View File

@ -4,6 +4,8 @@ set -e -o pipefail
. /etc/functions . /etc/functions
. /tmp/config . /tmp/config
DEBUG "Under /bin/kexec-iso-init"
MOUNTED_ISO_PATH="$1" MOUNTED_ISO_PATH="$1"
ISO_PATH="$2" ISO_PATH="$2"
DEV="$3" DEV="$3"

View File

@ -1,5 +1,8 @@
#!/bin/sh #!/bin/sh
set -e -o pipefail set -e -o pipefail
. /etc/functions
DEBUG "Under /bin/kexec-parse-bls"
bootdir="$1" bootdir="$1"
file="$2" file="$2"
blsdir="$3" blsdir="$3"

View File

@ -1,5 +1,9 @@
#!/bin/sh #!/bin/sh
set -e -o pipefail set -e -o pipefail
. /etc/functions
DEBUG "Under /bin/kexec-parse-boot"
bootdir="$1" bootdir="$1"
file="$2" file="$2"

View File

@ -4,6 +4,8 @@ set -e -o pipefail
. /tmp/config . /tmp/config
. /etc/functions . /etc/functions
DEBUG "Under /bin/kexec-save-default"
while getopts "b:d:p:i:" arg; do while getopts "b:d:p:i:" arg; do
case $arg in case $arg in
b) bootdir="$OPTARG" ;; b) bootdir="$OPTARG" ;;

View File

@ -3,6 +3,7 @@
# with the current PCRs and then store it in the TPM NVRAM. # with the current PCRs and then store it in the TPM NVRAM.
# It will then need to be bundled into initrd that is booted. # It will then need to be bundled into initrd that is booted.
set -e -o pipefail set -e -o pipefail
. /etc/functions
TPM_INDEX=3 TPM_INDEX=3
TPM_SIZE=312 TPM_SIZE=312

View File

@ -4,6 +4,8 @@ set -e -o pipefail
. /tmp/config . /tmp/config
. /etc/functions . /etc/functions
DEBUG "Under /bin/kexec-select-boot"
add="" add=""
remove="" remove=""
config="*.cfg" config="*.cfg"

View File

@ -4,6 +4,8 @@ set -e -o pipefail
. /tmp/config . /tmp/config
. /etc/functions . /etc/functions
DEBUG "Under /bin/kexec-sign-config"
rollback="n" rollback="n"
update="n" update="n"
while getopts "p:c:ur" arg; do while getopts "p:c:ur" arg; do

View File

@ -3,6 +3,7 @@
# The TOTP secret will be shown to the user on each encryption attempt. # The TOTP secret will be shown to the user on each encryption attempt.
# It will then need to be bundled into initrd that is booted with Qubes. # It will then need to be bundled into initrd that is booted with Qubes.
set -e -o pipefail set -e -o pipefail
. /etc/functions
TPM_INDEX=3 TPM_INDEX=3
TPM_SIZE=312 TPM_SIZE=312

View File

@ -2,6 +2,8 @@
set -e -o pipefail set -e -o pipefail
. /etc/functions . /etc/functions
DEBUG "Under /bin/key-init"
# Post processing of keys # Post processing of keys
# Import user's keys # Import user's keys

View File

@ -5,6 +5,8 @@ set -e -o pipefail
. /etc/gui_functions . /etc/gui_functions
. /tmp/config . /tmp/config
DEBUG "Under /bin/media-scan"
# Unmount any previous boot device # Unmount any previous boot device
if grep -q /boot /proc/mounts ; then if grep -q /boot /proc/mounts ; then
umount /boot \ umount /boot \

View File

@ -2,6 +2,8 @@
# Mount a USB device # Mount a USB device
. /etc/functions . /etc/functions
DEBUG "Under /bin/mount-usb"
enable_usb enable_usb
if ! lsmod | grep -q usb_storage; then if ! lsmod | grep -q usb_storage; then

View File

@ -2,6 +2,8 @@
. /etc/functions . /etc/functions
DEBUG "Under /bin/network-init-recovery"
# bring up the ethernet; maybe should do DHCP? # bring up the ethernet; maybe should do DHCP?
ifconfig lo 127.0.0.1 ifconfig lo 127.0.0.1

View File

@ -1,7 +1,10 @@
#!/bin/sh #!/bin/sh
# Automated setup of TPM, GPG keys, and disk # Automated setup of TPM, GPG keys, and disk
DEBUG "Under /bin/oem-factory-reset"
set -o pipefail set -o pipefail
. /etc/functions
# use TERM to exit on error # use TERM to exit on error
trap "exit 1" TERM trap "exit 1" TERM

View File

@ -9,6 +9,8 @@ export BG_COLOR_MAIN_MENU=""
. /etc/luks-functions . /etc/luks-functions
. /tmp/config . /tmp/config
DEBUG "Under /bin/oem-system-info-xx30"
battery_charge="$(print_battery_charge)" battery_charge="$(print_battery_charge)"
battery_health="$(print_battery_health)" battery_health="$(print_battery_health)"
if [ -n $battery_charge -a -n $battery_health ];then if [ -n $battery_charge -a -n $battery_health ];then

View File

@ -1,4 +1,7 @@
#!/bin/sh #!/bin/sh
. /etc/functions
DEBUG "Under /bin/poweroff"
# Sync all mounted filesystems # Sync all mounted filesystems
echo s > /proc/sysrq-trigger echo s > /proc/sysrq-trigger

View File

@ -1,6 +1,9 @@
#!/bin/sh #!/bin/sh
# Measure all of the luks disk encryption headers into # Measure all of the luks disk encryption headers into
# a PCR so that we can detect disk swap attacks. # a PCR so that we can detect disk swap attacks.
. /etc/functions
DEBUG "Under /bin/qubes-measure-luks"
die() { echo >&2 "$@"; exit 1; } die() { echo >&2 "$@"; exit 1; }

View File

@ -1,4 +1,7 @@
#!/bin/sh #!/bin/sh
. /etc/functions
DEBUG "Under /bin/reboot"
# Sync all mounted filesystems # Sync all mounted filesystems
echo s > /proc/sysrq-trigger echo s > /proc/sysrq-trigger

View File

@ -10,6 +10,7 @@ HOTP_KEY="/boot/kexec_hotp_key"
mount_boot() mount_boot()
{ {
DEBUG "Under /bin/seal-htopkey:mount_boot"
# Mount local disk if it is not already mounted # Mount local disk if it is not already mounted
if ! grep -q /boot /proc/mounts ; then if ! grep -q /boot /proc/mounts ; then
mount -o ro /boot \ mount -o ro /boot \
@ -17,6 +18,8 @@ mount_boot()
fi fi
} }
DEBUG "Under /bin/seal-hotpkey"
# Use stored HOTP key branding (this might be useful after OEM reset) # Use stored HOTP key branding (this might be useful after OEM reset)
if [ -r /boot/kexec_hotp_key ]; then if [ -r /boot/kexec_hotp_key ]; then
HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)" HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)"

View File

@ -7,6 +7,8 @@
. /etc/functions . /etc/functions
DEBUG "Under /bin/seal-totp"
TPM_NVRAM_SPACE=4d47 TPM_NVRAM_SPACE=4d47
HOST="$1" HOST="$1"

View File

@ -9,6 +9,7 @@ HOTP_COUNTER="/boot/kexec_hotp_counter"
mount_boot_or_die() mount_boot_or_die()
{ {
DEBUG "Under /bin/unseal-hotp:mount_boot_or_die"
# Mount local disk if it is not already mounted # Mount local disk if it is not already mounted
if ! grep -q /boot /proc/mounts ; then if ! grep -q /boot /proc/mounts ; then
mount -o ro /boot \ mount -o ro /boot \
@ -16,6 +17,8 @@ mount_boot_or_die()
fi fi
} }
DEBUG "Under /bin/unseal-hotp"
# Store counter in file instead of TPM for now, as it conflicts with Heads # Store counter in file instead of TPM for now, as it conflicts with Heads
# config TPM counter as TPM 1.2 can only increment one counter between reboots # config TPM counter as TPM 1.2 can only increment one counter between reboots
# get current value of HOTP counter in TPM, create if absent # get current value of HOTP counter in TPM, create if absent

View File

@ -6,6 +6,8 @@
TOTP_SEALED="/tmp/secret/totp.sealed" TOTP_SEALED="/tmp/secret/totp.sealed"
TOTP_SECRET="/tmp/secret/totp.key" TOTP_SECRET="/tmp/secret/totp.key"
DEBUG "Under /bin/unseal-totp"
tpm nv_readvalue \ tpm nv_readvalue \
-in 4d47 \ -in 4d47 \
-sz 312 \ -sz 312 \

View File

@ -4,6 +4,8 @@
. /etc/functions . /etc/functions
. /tmp/config . /tmp/config
DEBUG "Under /bin/usb-init"
if [ "$CONFIG_TPM" = "y" ]; then if [ "$CONFIG_TPM" = "y" ]; then
# Extend PCR4 as soon as possible # Extend PCR4 as soon as possible
tpm extend -ix 4 -ic usb tpm extend -ix 4 -ic usb

View File

@ -1,7 +1,9 @@
#!/bin/sh #!/bin/sh
# get a file and extend a TPM PCR # get a file and extend a TPM PCR
. /etc/functions
die() { die() {
DEBUG "Under /bin/wget-measure.sh:die"
echo >&2 "$@" echo >&2 "$@"
exit 1 exit 1
} }

View File

@ -5,6 +5,8 @@
. /etc/functions . /etc/functions
. /tmp/config . /tmp/config
DEBUG "Under /bin/x230-flash.init"
insmod /lib/modules/ehci-hcd.ko insmod /lib/modules/ehci-hcd.ko
insmod /lib/modules/ehci-pci.ko insmod /lib/modules/ehci-pci.ko
insmod /lib/modules/xhci-hcd.ko insmod /lib/modules/xhci-hcd.ko

View File

@ -12,7 +12,15 @@ warn() {
sleep 1; sleep 1;
} }
DEBUG() {
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ];then
echo >&2 "DEBUG: $*";
fi
}
recovery() { recovery() {
DEBUG "Under /etc/functions:recovery"
echo >&2 "!!!!! $*" echo >&2 "!!!!! $*"
# Remove any temporary secret files that might be hanging around # Remove any temporary secret files that might be hanging around
@ -44,6 +52,7 @@ recovery() {
} }
pause_recovery() { pause_recovery() {
DEBUG "Under /etc/functions:pause_recovery"
read -p 'Hit enter to proceed to recovery shell:' read -p 'Hit enter to proceed to recovery shell:'
recovery $* recovery $*
} }
@ -54,6 +63,7 @@ pcrs() {
confirm_totp() confirm_totp()
{ {
DEBUG "Under /etc/functions:confirm_totp"
prompt="$1" prompt="$1"
last_half=X last_half=X
unset totp_confirm unset totp_confirm
@ -93,6 +103,7 @@ confirm_totp()
enable_usb() enable_usb()
{ {
DEBUG "Under /etc/functions:enable_usb"
#insmod ehci_hcd prior of uhdc_hcd and ohci_hcd to suppress dmesg warning #insmod ehci_hcd prior of uhdc_hcd and ohci_hcd to suppress dmesg warning
if ! lsmod | grep -q ehci_hcd; then if ! lsmod | grep -q ehci_hcd; then
insmod /lib/modules/ehci-hcd.ko \ insmod /lib/modules/ehci-hcd.ko \
@ -137,6 +148,7 @@ enable_usb()
list_usb_storage() list_usb_storage()
{ {
DEBUG "Under /etc/functions:list_usb_storage"
stat -c %N /sys/block/sd* 2>/dev/null | grep usb | stat -c %N /sys/block/sd* 2>/dev/null | grep usb |
cut -f1 -d ' ' | cut -f1 -d ' ' |
sed "s/[']//g" | sed "s/[']//g" |
@ -176,6 +188,7 @@ list_usb_storage()
confirm_gpg_card() confirm_gpg_card()
{ {
DEBUG "Under /etc/functions:confirm_gpg_card"
read \ read \
-n 1 \ -n 1 \
-p "Please confirm that your GPG card is inserted [Y/n]: " \ -p "Please confirm that your GPG card is inserted [Y/n]: " \
@ -219,6 +232,7 @@ confirm_gpg_card()
check_tpm_counter() check_tpm_counter()
{ {
DEBUG "Under /etc/functions:check_tpm_counter"
LABEL=${2:-3135106223} LABEL=${2:-3135106223}
# if the /boot.hashes file already exists, read the TPM counter ID # if the /boot.hashes file already exists, read the TPM counter ID
# from it. # from it.
@ -244,18 +258,21 @@ check_tpm_counter()
read_tpm_counter() read_tpm_counter()
{ {
DEBUG "Under /etc/functions:read_tpm_counter"
tpm counter_read -ix "$1" | tee "/tmp/counter-$1" \ tpm counter_read -ix "$1" | tee "/tmp/counter-$1" \
|| die "Counter read failed" || die "Counter read failed"
} }
increment_tpm_counter() increment_tpm_counter()
{ {
DEBUG "Under /etc/functions:increment_tpm_counter"
tpm counter_increment -ix "$1" -pwdc '' \ tpm counter_increment -ix "$1" -pwdc '' \
| tee /tmp/counter-$1 \ | tee /tmp/counter-$1 \
|| die "Counter increment failed" || die "Counter increment failed"
} }
check_config() { check_config() {
DEBUG "Under /etc/functions:check_config"
if [ ! -d /tmp/kexec ]; then if [ ! -d /tmp/kexec ]; then
mkdir /tmp/kexec \ mkdir /tmp/kexec \
|| die 'Failed to make kexec tmp dir' || die 'Failed to make kexec tmp dir'
@ -284,6 +301,7 @@ check_config() {
} }
preserve_rom() { preserve_rom() {
DEBUG "Under /etc/functions:preserve_rom"
new_rom="$1" new_rom="$1"
old_files=`cbfs -t 50 -l 2>/dev/null | grep "^heads/"` old_files=`cbfs -t 50 -l 2>/dev/null | grep "^heads/"`
@ -299,6 +317,7 @@ preserve_rom() {
done done
} }
replace_config() { replace_config() {
DEBUG "Under /etc/functions:replace_config"
CONFIG_FILE=$1 CONFIG_FILE=$1
CONFIG_OPTION=$2 CONFIG_OPTION=$2
NEW_SETTING=$3 NEW_SETTING=$3
@ -314,11 +333,13 @@ replace_config() {
rm -f ${CONFIG_FILE}.tmp rm -f ${CONFIG_FILE}.tmp
} }
combine_configs() { combine_configs() {
DEBUG "Under /etc/functions:combine_configs"
cat /etc/config* > /tmp/config cat /etc/config* > /tmp/config
} }
update_checksums() update_checksums()
{ {
DEBUG "Under /etc/functions:update_checksums"
# ensure /boot mounted # ensure /boot mounted
if ! grep -q /boot /proc/mounts ; then if ! grep -q /boot /proc/mounts ; then
mount -o ro /boot \ mount -o ro /boot \
@ -346,6 +367,7 @@ update_checksums()
} }
print_tree() { print_tree() {
DEBUG "Under /etc/functions:print_tree"
find ./ ! -path './kexec*' -print0 | sort -z find ./ ! -path './kexec*' -print0 | sort -z
} }
@ -413,6 +435,7 @@ escape_zero() {
# due to https://bugs.busybox.net/show_bug.cgi?id=14226. Also, certain characters # due to https://bugs.busybox.net/show_bug.cgi?id=14226. Also, certain characters
# may be intepreted by `whiptail`, `less` et al (e.g. \n, \b, ...). # may be intepreted by `whiptail`, `less` et al (e.g. \n, \b, ...).
assert_signable() { assert_signable() {
DEBUG "Under /etc/functions:assert_signable"
# ensure /boot mounted # ensure /boot mounted
if ! grep -q /boot /proc/mounts ; then if ! grep -q /boot /proc/mounts ; then
mount -o ro /boot || die "Unable to mount /boot" mount -o ro /boot || die "Unable to mount /boot"
@ -432,6 +455,7 @@ assert_signable() {
verify_checksums() verify_checksums()
{ {
DEBUG "Under /etc/functions:verify_checksums"
local boot_dir="$1" local boot_dir="$1"
local gui="${2:-y}" local gui="${2:-y}"
@ -465,6 +489,7 @@ verify_checksums()
# mount /boot if successful # mount /boot if successful
detect_boot_device() detect_boot_device()
{ {
DEBUG "Under /etc/functions:detect_boot_device"
# unmount /boot to be safe # unmount /boot to be safe
cd / && umount /boot 2>/dev/null cd / && umount /boot 2>/dev/null

View File

@ -1,8 +1,10 @@
#!/bin/sh #!/bin/sh
# Shell functions for common operations using fbwhiptail # Shell functions for common operations using fbwhiptail
. /etc/functions
mount_usb() mount_usb()
{ {
DEBUG "under gui_functions:mount_usb"
# Unmount any previous USB device # Unmount any previous USB device
if grep -q /media /proc/mounts ; then if grep -q /media /proc/mounts ; then
umount /media || die "Unable to unmount /media" umount /media || die "Unable to unmount /media"
@ -23,6 +25,7 @@ mount_usb()
file_selector() file_selector()
{ {
DEBUG "under gui_functions:file_selector"
FILE="" FILE=""
FILE_LIST=$1 FILE_LIST=$1
MENU_MSG=${2:-"Choose the file"} MENU_MSG=${2:-"Choose the file"}

View File

@ -43,6 +43,8 @@ hwclock -l -s
. /etc/functions . /etc/functions
. /etc/config . /etc/config
DEBUG "Under init"
# set CONFIG_TPM dynamically before init # set CONFIG_TPM dynamically before init
if [ -e /dev/tpm0 ]; then if [ -e /dev/tpm0 ]; then
CONFIG_TPM='y' CONFIG_TPM='y'