From 40c34453dfee83b05ff25badf9c430ba73f458c5 Mon Sep 17 00:00:00 2001
From: Thierry Laurion <insurgo@riseup.net>
Date: Thu, 1 Feb 2024 14:30:31 -0500
Subject: [PATCH] all scripts: replace TRACE manual strings with dynamic
tracing by bash debug
Exception: scripts sourcing/calls within etc/ash_functions continues to use old TRACE functions until we switch to bash completely getting rid of ash.
This would mean getting rid of legacy boards (flash + legacy boards which do not have enough space for bash in flash boards) once and for all.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
---
initrd/bin/cbfs-init | 2 +-
initrd/bin/cbfs.sh | 2 +-
initrd/bin/config-gui.sh | 2 +-
initrd/bin/flash-gui.sh | 2 +-
initrd/bin/flashrom-kgpe-d16-openbmc.sh | 2 +-
initrd/bin/generic-init | 2 +-
initrd/bin/gpg-gui.sh | 2 +-
initrd/bin/gpgv | 2 +-
initrd/bin/gui-init | 40 +++++++++---------
initrd/bin/gui-init-basic | 18 ++++-----
initrd/bin/kexec-boot | 2 +-
initrd/bin/kexec-insert-key | 2 +-
initrd/bin/kexec-iso-init | 2 +-
initrd/bin/kexec-parse-bls | 2 +-
initrd/bin/kexec-parse-boot | 2 +-
initrd/bin/kexec-save-default | 4 +-
initrd/bin/kexec-save-key | 2 +-
initrd/bin/kexec-seal-key | 2 +-
initrd/bin/kexec-select-boot | 2 +-
initrd/bin/kexec-sign-config | 2 +-
initrd/bin/kexec-unseal-key | 2 +-
initrd/bin/key-init | 2 +-
initrd/bin/lock_chip | 23 ++++++++++-
initrd/bin/media-scan | 2 +-
initrd/bin/mount-usb | 2 +-
initrd/bin/network-init-recovery | 2 +-
initrd/bin/oem-factory-reset | 54 ++++++++++++-------------
initrd/bin/oem-system-info-xx30 | 2 +-
initrd/bin/qubes-measure-luks | 2 +-
initrd/bin/seal-hotpkey | 4 +-
initrd/bin/seal-totp | 2 +-
initrd/bin/setconsolefont.sh | 2 +-
initrd/bin/tpmr | 40 +++++++++---------
initrd/bin/unpack_initramfs.sh | 8 ++--
initrd/bin/unseal-hotp | 4 +-
initrd/bin/unseal-totp | 2 +-
initrd/bin/usb-init | 2 +-
initrd/bin/wget-measure.sh | 2 +-
initrd/etc/functions | 34 ++++++++--------
initrd/etc/gui_functions | 6 +--
initrd/etc/luks-functions | 16 ++++----
initrd/sbin/insmod | 2 +-
targets/qemu.mk | 2 +-
43 files changed, 167 insertions(+), 146 deletions(-)
diff --git a/initrd/bin/cbfs-init b/initrd/bin/cbfs-init
index 06d78f00..09456198 100755
--- a/initrd/bin/cbfs-init
+++ b/initrd/bin/cbfs-init
@@ -2,7 +2,7 @@
set -e -o pipefail
. /etc/functions
-TRACE "Under /bin/cbfs-init"
+TRACE_FUNC
# Update initrd with CBFS files
if [ -z "$CONFIG_PCR" ]; then
diff --git a/initrd/bin/cbfs.sh b/initrd/bin/cbfs.sh
index 54d2022f..a6230cb3 100755
--- a/initrd/bin/cbfs.sh
+++ b/initrd/bin/cbfs.sh
@@ -3,7 +3,7 @@ set -e -o pipefail
. /etc/functions
. /tmp/config
-TRACE "Under /bin/cbfs.sh"
+TRACE_FUNC
if pnor "$2" -r HBI > /tmp/pnor.part 2>/dev/null; then
cbfs "$@" -o /tmp/pnor.part && pnor "$2" -w HBI < /tmp/pnor.part
diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh
index 4955dac0..050f416e 100755
--- a/initrd/bin/config-gui.sh
+++ b/initrd/bin/config-gui.sh
@@ -5,7 +5,7 @@ set -e -o pipefail
. /etc/gui_functions
. /tmp/config
-TRACE "Under /bin/config-gui.sh"
+TRACE_FUNC
ROOT_HASH_FILE="/boot/kexec_root_hashes.txt"
diff --git a/initrd/bin/flash-gui.sh b/initrd/bin/flash-gui.sh
index 56d52719..309463f7 100755
--- a/initrd/bin/flash-gui.sh
+++ b/initrd/bin/flash-gui.sh
@@ -5,7 +5,7 @@ set -e -o pipefail
. /etc/gui_functions
. /tmp/config
-TRACE "Under /bin/flash-gui.sh"
+TRACE_FUNC
if [ "$CONFIG_RESTRICTED_BOOT" = y ]; then
whiptail $BG_COLOR_ERROR --title 'Restricted Boot Active' \
diff --git a/initrd/bin/flashrom-kgpe-d16-openbmc.sh b/initrd/bin/flashrom-kgpe-d16-openbmc.sh
index 85108d9f..63e83d46 100755
--- a/initrd/bin/flashrom-kgpe-d16-openbmc.sh
+++ b/initrd/bin/flashrom-kgpe-d16-openbmc.sh
@@ -1,7 +1,7 @@
#!/bin/bash
. /etc/functions
-TRACE "Under /bin/flashrom-kgpe-d16-openbmc.sh"
+TRACE_FUNC
ROM="$1"
if [ -z "$1" ]; then
diff --git a/initrd/bin/generic-init b/initrd/bin/generic-init
index 438f29d9..0a4a17a6 100755
--- a/initrd/bin/generic-init
+++ b/initrd/bin/generic-init
@@ -6,7 +6,7 @@
mount_boot()
{
- TRACE "Under /bin/generic-init:mount_boot"
+ TRACE_FUNC
# Mount local disk if it is not already mounted
if ! grep -q /boot /proc/mounts ; then
mount -o ro /boot \
diff --git a/initrd/bin/gpg-gui.sh b/initrd/bin/gpg-gui.sh
index f2406e53..5391f66a 100755
--- a/initrd/bin/gpg-gui.sh
+++ b/initrd/bin/gpg-gui.sh
@@ -5,7 +5,7 @@ set -e -o pipefail
. /etc/gui_functions
. /tmp/config
-TRACE "Under /bin/gpg-gui.sh"
+TRACE_FUNC
gpg_flash_rom() {
if [ "$1" = "replace" ]; then
diff --git a/initrd/bin/gpgv b/initrd/bin/gpgv
index 67631eda..e7719768 100755
--- a/initrd/bin/gpgv
+++ b/initrd/bin/gpgv
@@ -2,5 +2,5 @@
# if we are using the full GPG we need a wrapper for the gpgv executable
. /etc/functions
-TRACE "Under /bin/gpgv"
+TRACE_FUNC
exec gpg --verify "$@"
diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init
index ac75de7b..cd69e87c 100755
--- a/initrd/bin/gui-init
+++ b/initrd/bin/gui-init
@@ -18,7 +18,7 @@ skip_to_menu="false"
mount_boot()
{
- TRACE "Under /bin/gui-init:mount_boot"
+ TRACE_FUNC
# Mount local disk if it is not already mounted
while ! grep -q /boot /proc/mounts ; do
# try to mount if CONFIG_BOOT_DEV exists
@@ -64,7 +64,7 @@ mount_boot()
verify_global_hashes()
{
- TRACE "Under /bin/gui-init:verify_global_hashes"
+ TRACE_FUNC
# Check the hashes of all the files, ignoring signatures for now
check_config /boot force
TMP_HASH_FILE="/tmp/kexec/kexec_hashes.txt"
@@ -139,7 +139,7 @@ verify_global_hashes()
prompt_update_checksums()
{
- TRACE "Under /bin/gui-init:prompt_update_checksums"
+ TRACE_FUNC
if (whiptail $BG_COLOR_WARNING --title 'Update Checksums and sign all files in /boot' \
--yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that these files have not been tampered with.\n\nYou will need your GPG key available, and this change will modify your disk.\n\nDo you want to continue?" 0 80) then
if ! update_checksums ; then
@@ -151,7 +151,7 @@ prompt_update_checksums()
generate_totp_hotp()
{
- TRACE "Under /bin/gui-init:generate_totp_hotp"
+ TRACE_FUNC
tpm_owner_password="$1" # May be empty, will prompt if needed and empty
if [ "$CONFIG_TPM" != "y" ] && [ -x /bin/hotp_verification ]; then
echo "Generating new HOTP secret"
@@ -180,7 +180,7 @@ generate_totp_hotp()
update_totp()
{
- TRACE "Under /bin/gui-init:update_totp"
+ TRACE_FUNC
# update the TOTP code
date=`date "+%Y-%m-%d %H:%M:%S %Z"`
tries=0
@@ -249,7 +249,7 @@ update_totp()
update_hotp()
{
- TRACE "Under /bin/gui-init:update_hotp"
+ TRACE_FUNC
if [ -x /bin/hotp_verification ]; then
HOTP=`unseal-hotp`
if ! hotp_verification info ; then
@@ -313,7 +313,7 @@ update_hotp()
clean_boot_check()
{
- TRACE "Under /bin/gui-init:clean_boot_check"
+ TRACE_FUNC
# assume /boot mounted
if ! grep -q /boot /proc/mounts ; then
return
@@ -342,7 +342,7 @@ clean_boot_check()
check_gpg_key()
{
- TRACE "Under /bin/gui-init:check_gpg_key"
+ TRACE_FUNC
GPG_KEY_COUNT=`gpg -k 2>/dev/null | wc -l`
if [ $GPG_KEY_COUNT -eq 0 ]; then
BG_COLOR_MAIN_MENU=$BG_COLOR_ERROR
@@ -379,7 +379,7 @@ check_gpg_key()
prompt_auto_default_boot()
{
- TRACE "Under /bin/gui-init:prompt_auto_default_boot"
+ TRACE_FUNC
echo -e "\nHOTP verification success\n\n"
if pause_automatic_boot; then
echo -e "\n\nAttempting default boot...\n\n"
@@ -389,7 +389,7 @@ prompt_auto_default_boot()
show_main_menu()
{
- TRACE "Under /bin/gui-init:show_main_menu"
+ TRACE_FUNC
date=`date "+%Y-%m-%d %H:%M:%S %Z"`
whiptail $BG_COLOR_MAIN_MENU --title "$MAIN_MENU_TITLE" \
--menu "$date\nTOTP: $TOTP | HOTP: $HOTP" 0 80 10 \
@@ -422,7 +422,7 @@ show_main_menu()
show_options_menu()
{
- TRACE "Under /bin/gui-init:show_options_menu"
+ TRACE_FUNC
whiptail $BG_COLOR_MAIN_MENU --title "$CONFIG_BRAND_NAME Options" \
--menu "" 0 80 10 \
'b' ' Boot Options -->' \
@@ -483,7 +483,7 @@ show_options_menu()
show_boot_options_menu()
{
- TRACE "Under /bin/gui-init:show_boot_options_menu"
+ TRACE_FUNC
whiptail $BG_COLOR_MAIN_MENU --title "Boot Options" \
--menu "Select A Boot Option" 0 80 10 \
'm' ' Show OS boot menu' \
@@ -511,7 +511,7 @@ show_boot_options_menu()
show_tpm_totp_hotp_options_menu()
{
- TRACE "Under /bin/gui-init:show_tpm_totp_hotp_options_menu"
+ TRACE_FUNC
whiptail $BG_COLOR_MAIN_MENU --title "TPM/TOTP/HOTP Options" \
--menu "Select An Option" 0 80 10 \
'g' ' Generate new TOTP/HOTP secret' \
@@ -538,7 +538,7 @@ show_tpm_totp_hotp_options_menu()
prompt_totp_mismatch()
{
- TRACE "Under /bin/gui-init:prompt_totp_mismatch"
+ TRACE_FUNC
if (whiptail $BG_COLOR_WARNING --title "TOTP/HOTP code mismatched" \
--yesno "TOTP/HOTP code mismatches could indicate either TPM tampering or clock drift:\n\nTo correct clock drift: 'date -s yyyy-MM-DD hh:mm:ss' in UTC timezone\nand save it to the RTC: 'hwclock -w'\nthen reboot and try again.\n\nWould you like to exit to a recovery console?" 0 80) then
echo ""
@@ -555,7 +555,7 @@ prompt_totp_mismatch()
reset_tpm()
{
- TRACE "Under /bin/gui-init:reset_tpm"
+ TRACE_FUNC
if [ "$CONFIG_TPM" = "y" ]; then
if (whiptail $BG_COLOR_WARNING --title 'Reset the TPM' \
--yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 0 80) then
@@ -599,7 +599,7 @@ reset_tpm()
select_os_boot_option()
{
- TRACE "Under /bin/gui-init:select_os_boot_option"
+ TRACE_FUNC
mount_boot
if verify_global_hashes ; then
kexec-select-boot -m -b /boot -c "grub.cfg" -g
@@ -608,7 +608,7 @@ select_os_boot_option()
attempt_default_boot()
{
- TRACE "Under /bin/gui-init:attempt_default_boot"
+ TRACE_FUNC
mount_boot
if ! verify_global_hashes; then
@@ -626,7 +626,7 @@ attempt_default_boot()
force_unsafe_boot()
{
- TRACE "Under /bin/gui-init:force_unsafe_boot"
+ TRACE_FUNC
if [ "$CONFIG_RESTRICTED_BOOT" = y ]; then
whiptail $BG_COLOR_ERROR --title 'ERROR: Restricted Boot Enabled' --msgbox "Restricted Boot is Enabled, forced boot not allowed.\n\nPress OK to return to the Main Menu" 0 80
return
@@ -639,7 +639,7 @@ force_unsafe_boot()
}
# gui-init start
-TRACE "Under /bin/gui-init, start"
+TRACE_FUNC
# Use stored HOTP key branding
if [ -r /boot/kexec_hotp_key ]; then
@@ -673,7 +673,7 @@ if [ "$HOTP" = "Success" -a -n "$CONFIG_AUTO_BOOT_TIMEOUT" ]; then
fi
while true; do
- TRACE "Under gui-init:while true loop"
+ TRACE_FUNC
skip_to_menu="false"
show_main_menu
done
diff --git a/initrd/bin/gui-init-basic b/initrd/bin/gui-init-basic
index 95243e89..e5f3b818 100755
--- a/initrd/bin/gui-init-basic
+++ b/initrd/bin/gui-init-basic
@@ -17,7 +17,7 @@ skip_to_menu="false"
mount_boot()
{
- TRACE "Under /bin/gui-init:mount_boot"
+ TRACE_FUNC
# Mount local disk if it is not already mounted
while ! grep -q /boot /proc/mounts ; do
# try to mount if CONFIG_BOOT_DEV exists
@@ -63,7 +63,7 @@ mount_boot()
prompt_auto_default_boot()
{
- TRACE "Under /bin/gui-init:prompt_auto_default_boot"
+ TRACE_FUNC
echo -e "\n\n"
if pause_automatic_boot; then
echo -e "\n\nAttempting default boot...\n\n"
@@ -73,7 +73,7 @@ prompt_auto_default_boot()
show_main_menu()
{
- TRACE "Under /bin/gui-init:show_main_menu"
+ TRACE_FUNC
date=`date "+%Y-%m-%d %H:%M:%S %Z"`
whiptail $BG_COLOR_MAIN_MENU --title "$MAIN_MENU_TITLE" \
--menu "$date" 0 80 10 \
@@ -102,7 +102,7 @@ show_main_menu()
show_options_menu()
{
- TRACE "Under /bin/gui-init:show_options_menu"
+ TRACE_FUNC
whiptail $BG_COLOR_MAIN_MENU --title "$CONFIG_BRAND_NAME Basic Options" \
--menu "" 0 80 10 \
'b' ' Boot Options -->' \
@@ -133,7 +133,7 @@ show_options_menu()
show_boot_options_menu()
{
- TRACE "Under /bin/gui-init:show_boot_options_menu"
+ TRACE_FUNC
whiptail $BG_COLOR_MAIN_MENU --title "Boot Options" \
--menu "Select A Boot Option" 0 80 10 \
'm' ' Show OS boot menu' \
@@ -157,14 +157,14 @@ show_boot_options_menu()
select_os_boot_option()
{
- TRACE "Under /bin/gui-init:select_os_boot_option"
+ TRACE_FUNC
mount_boot
kexec-select-boot -m -b /boot -c "grub.cfg" -g -i
}
attempt_default_boot()
{
- TRACE "Under /bin/gui-init:attempt_default_boot"
+ TRACE_FUNC
mount_boot
DEFAULT_FILE=`find /boot/kexec_default.*.txt 2>/dev/null | head -1`
@@ -183,7 +183,7 @@ attempt_default_boot()
}
# gui-init-basic start
-TRACE "Under /bin/gui-init, start"
+TRACE_FUNC
# USB automatic boot (if configured) occurs before mounting /boot, this should
# work even if no OS is installed
@@ -204,7 +204,7 @@ if [ "$skip_to_menu" != "true" -a -n "$CONFIG_AUTO_BOOT_TIMEOUT" ]; then
fi
while true; do
- TRACE "Under gui-init:while true loop"
+ TRACE_FUNC
skip_to_menu="false"
show_main_menu
done
diff --git a/initrd/bin/kexec-boot b/initrd/bin/kexec-boot
index 3609c2d8..bb39dbb0 100755
--- a/initrd/bin/kexec-boot
+++ b/initrd/bin/kexec-boot
@@ -4,7 +4,7 @@ set -e -o pipefail
. /tmp/config
. /etc/functions
-TRACE "Under /bin/kexec-boot"
+TRACE_FUNC
dryrun="n"
printfiles="n"
diff --git a/initrd/bin/kexec-insert-key b/initrd/bin/kexec-insert-key
index 877e4509..f06c5483 100755
--- a/initrd/bin/kexec-insert-key
+++ b/initrd/bin/kexec-insert-key
@@ -3,7 +3,7 @@
set -e -o pipefail
. /etc/functions
-TRACE "Under /bin/kexec-insert-key"
+TRACE_FUNC
TMP_KEY_DEVICES="/tmp/kexec/kexec_key_devices.txt"
TMP_KEY_LVM="/tmp/kexec/kexec_key_lvm.txt"
diff --git a/initrd/bin/kexec-iso-init b/initrd/bin/kexec-iso-init
index ad283271..c6e86586 100755
--- a/initrd/bin/kexec-iso-init
+++ b/initrd/bin/kexec-iso-init
@@ -4,7 +4,7 @@ set -e -o pipefail
. /etc/functions
. /tmp/config
-TRACE "Under /bin/kexec-iso-init"
+TRACE_FUNC
MOUNTED_ISO_PATH="$1"
ISO_PATH="$2"
diff --git a/initrd/bin/kexec-parse-bls b/initrd/bin/kexec-parse-bls
index a2d98faf..92bc5f6c 100755
--- a/initrd/bin/kexec-parse-bls
+++ b/initrd/bin/kexec-parse-bls
@@ -1,7 +1,7 @@
#!/bin/bash
set -e -o pipefail
. /etc/functions
-TRACE "Under /bin/kexec-parse-bls"
+TRACE_FUNC
bootdir="$1"
file="$2"
diff --git a/initrd/bin/kexec-parse-boot b/initrd/bin/kexec-parse-boot
index 4b0a0567..07e38e3d 100755
--- a/initrd/bin/kexec-parse-boot
+++ b/initrd/bin/kexec-parse-boot
@@ -2,7 +2,7 @@
set -e -o pipefail
. /etc/functions
-TRACE "Under /bin/kexec-parse-boot"
+TRACE_FUNC
bootdir="$1"
file="$2"
diff --git a/initrd/bin/kexec-save-default b/initrd/bin/kexec-save-default
index 6462ffb3..1e5fcd81 100755
--- a/initrd/bin/kexec-save-default
+++ b/initrd/bin/kexec-save-default
@@ -4,7 +4,7 @@ set -e -o pipefail
. /tmp/config
. /etc/functions
-TRACE "Under /bin/kexec-save-default"
+TRACE_FUNC
while getopts "b:d:p:i:" arg; do
case $arg in
@@ -71,7 +71,7 @@ fi
#Reusable function when user wants to define new TPM DUK for lvms/disks
prompt_for_existing_encrypted_lvms_or_disks() {
- TRACE "Under kexec-save-default:prompt_for_existing_encrypted_lvms_or_disks"
+ TRACE_FUNC
DEBUG "num_lvm: $num_lvm, lvm_suggest: $lvm_suggest, num_devices: $num_devices, devices_suggest: $devices_suggest"
# Create an associative array to store the suggested LVMs and their paths
diff --git a/initrd/bin/kexec-save-key b/initrd/bin/kexec-save-key
index 6ab0668c..a6ceb71b 100755
--- a/initrd/bin/kexec-save-key
+++ b/initrd/bin/kexec-save-key
@@ -3,7 +3,7 @@
. /etc/functions
-TRACE "kexec-save-key: start"
+TRACE_FUNC
set -e -o pipefail
. /etc/functions
diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key
index 668df5f6..0481ebb2 100755
--- a/initrd/bin/kexec-seal-key
+++ b/initrd/bin/kexec-seal-key
@@ -14,7 +14,7 @@ RECOVERY_KEY="/tmp/secret/recovery.key"
. /etc/functions
. /tmp/config
-TRACE "Under kexec-seal-key"
+TRACE_FUNC
paramsdir=$1
if [ -z "$paramsdir" ]; then
diff --git a/initrd/bin/kexec-select-boot b/initrd/bin/kexec-select-boot
index edf3abba..4161af4a 100755
--- a/initrd/bin/kexec-select-boot
+++ b/initrd/bin/kexec-select-boot
@@ -4,7 +4,7 @@ set -e -o pipefail
. /tmp/config
. /etc/functions
-TRACE "Under /bin/kexec-select-boot"
+TRACE_FUNC
add=""
remove=""
diff --git a/initrd/bin/kexec-sign-config b/initrd/bin/kexec-sign-config
index b5d3ac16..c34060d0 100755
--- a/initrd/bin/kexec-sign-config
+++ b/initrd/bin/kexec-sign-config
@@ -4,7 +4,7 @@ set -e -o pipefail
. /tmp/config
. /etc/functions
-TRACE "Under /bin/kexec-sign-config"
+TRACE_FUNC
rollback="n"
update="n"
diff --git a/initrd/bin/kexec-unseal-key b/initrd/bin/kexec-unseal-key
index d6566a62..3f18c435 100755
--- a/initrd/bin/kexec-unseal-key
+++ b/initrd/bin/kexec-unseal-key
@@ -10,7 +10,7 @@ TPM_SIZE=312
. /etc/functions
-TRACE "Under kexec-unseal-key"
+TRACE_FUNC
mkdir -p /tmp/secret
diff --git a/initrd/bin/key-init b/initrd/bin/key-init
index 44a9063f..68415f23 100755
--- a/initrd/bin/key-init
+++ b/initrd/bin/key-init
@@ -2,7 +2,7 @@
set -e -o pipefail
. /etc/functions
-TRACE "Under /bin/key-init"
+TRACE_FUNC
# Post processing of keys
diff --git a/initrd/bin/lock_chip b/initrd/bin/lock_chip
index 8bf316b7..9519dc16 100755
--- a/initrd/bin/lock_chip
+++ b/initrd/bin/lock_chip
@@ -15,7 +15,28 @@ if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING_PRESKYLAKE" = "y" ]; then
fi
if [ -n "$APM_CNT" -a -n "$FIN_CODE" ]; then
- echo "Finalizing chipset"
+ # SMI PR0 lockdown is implemented by Intel as part of the SMM Supervisor feature.
+ # SMM Supervisor is a software component that runs in SMM and acts as a gatekeeper
+ # for SMM access.
+ #
+ # It uses the processor’s memory protection and paging mechanisms to restrict what
+ # SMM code can read and write. SMM Supervisor marks critical pages, such as its
+ # own code, data, and page tables, as supervisor pages, which are only accessible
+ # from the most privileged level (CPL0).
+ #
+ # It also marks the rest of the SMM memory as user pages, which are accessible
+ # from any privilege level.
+ #
+ # This way, SMM Supervisor can isolate itself from other SMM code and enforce a policy
+ # that states what resources the SMI handlers (the interrupt handlers that run in SMM)
+ # require access to.
+ #
+ # SMI PR0 lockdown is enabled by setting a lock bit (FLOCKDN) in the SPI controller,
+ # which prevents further changes to the SMM memory and configuration.
+ # Once SMI PR0 lockdown is enabled, it cannot be disabled until the next system reset.
+ # This ensures that malicious code cannot tamper with the SMM Supervisor or the SMI handlers
+ # after the system boots.
+ echo "Finalizing chipset Write Protection through SMI PR0 lockdown call"
io386 -o b -b x $APM_CNT $FIN_CODE
else
echo "NOT Finalizing chipset"
diff --git a/initrd/bin/media-scan b/initrd/bin/media-scan
index e22cddec..3f723803 100755
--- a/initrd/bin/media-scan
+++ b/initrd/bin/media-scan
@@ -5,7 +5,7 @@ set -e -o pipefail
. /etc/gui_functions
. /tmp/config
-TRACE "Under /bin/media-scan"
+TRACE_FUNC
#Booting from external media should be authenticated if supported
gpg_auth || die "GPG authentication failed"
diff --git a/initrd/bin/mount-usb b/initrd/bin/mount-usb
index 22846a24..e2034e69 100755
--- a/initrd/bin/mount-usb
+++ b/initrd/bin/mount-usb
@@ -3,7 +3,7 @@
. /etc/functions
. /etc/luks-functions
-TRACE "Under /bin/mount-usb"
+TRACE_FUNC
function usage() {
cat <<USAGE_END
diff --git a/initrd/bin/network-init-recovery b/initrd/bin/network-init-recovery
index c7b93b84..d952d175 100755
--- a/initrd/bin/network-init-recovery
+++ b/initrd/bin/network-init-recovery
@@ -2,7 +2,7 @@
. /etc/functions
-TRACE "Under /bin/network-init-recovery"
+TRACE_FUNC
# bring up the ethernet; maybe should do DHCP?
ifconfig lo 127.0.0.1
diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset
index 656f85f7..ff0889f6 100755
--- a/initrd/bin/oem-factory-reset
+++ b/initrd/bin/oem-factory-reset
@@ -8,7 +8,7 @@ set -o pipefail
. /etc/luks-functions
. /tmp/config
-TRACE "Under /bin/oem-factory-reset"
+TRACE_FUNC
# use TERM to exit on error
trap "exit 1" TERM
@@ -74,7 +74,7 @@ whiptail_error_die() {
}
mount_boot() {
- TRACE "Under oem-factory-reset:mount_boot"
+ TRACE_FUNC
# Mount local disk if it is not already mounted.
# Added so that 'o' can be typed early at boot to enter directly into OEM Factory Reset
if ! grep -q /boot /proc/mounts; then
@@ -89,7 +89,7 @@ mount_boot() {
#This key will be used to sign 3 subkeys: encryption, authentication and signing
#The master key and subkeys will be copied to backup, and the subkeys moved from memory keyring to the smartcard
generate_inmemory_RSA_master_and_subkeys() {
- TRACE "Under oem-factory-reset:generate_inmemory_RSA_master_and_subkeys"
+ TRACE_FUNC
echo "Generating GPG key material in memory:"
echo "Generating GPG RSA ${RSA_KEY_LENGTH} bits master key..."
@@ -187,7 +187,7 @@ generate_inmemory_RSA_master_and_subkeys() {
#This key will be used to sign 3 subkeys: encryption, authentication and signing
#The master key and subkeys will be copied to backup, and the subkeys moved from memory keyring to the smartcard
generate_inmemory_p256_master_and_subkeys() {
- TRACE "Under oem-factory-reset:generate_inmemory_p256_master_and_subkeys"
+ TRACE_FUNC
echo "Generating GPG p256 bits master key..."
{
@@ -266,7 +266,7 @@ generate_inmemory_p256_master_and_subkeys() {
# The master key was already used to sign the subkeys, so it is not needed anymore
# Delete the master key from the keyring once key to card is done (already backed up on LUKS private partition)
keytocard_subkeys_to_smartcard() {
- TRACE "Under oem-factory-reset:keytocard_subkeys_to_smartcard"
+ TRACE_FUNC
#make sure usb ready and USB Security Dongle ready to communicate with
enable_usb
@@ -304,12 +304,12 @@ keytocard_subkeys_to_smartcard() {
whiptail_error_die "GPG Key moving subkeys to smartcard failed!\n\n$ERROR"
fi
- TRACE "oem-factory-reset:keytocard_subkeys_to_smartcard done"
+ TRACE_FUNC
}
#Whiptail prompt to insert to be wiped thumb drive
prompt_insert_to_be_wiped_thumb_drive() {
- TRACE "Under oem-factory-reset:prompt_insert_to_be_wiped_thumb_drive"
+ TRACE_FUNC
#Whiptail warning about having only desired to be wiped thumb drive inserted
whiptail $BG_COLOR_WARNING --title 'WARNING: Please insert the thumb drive to be wiped' \
--msgbox "The thumb drive will be WIPED next.\n\nPlease connect only the thumb drive to be wiped and disconnect others." 0 80 ||
@@ -318,7 +318,7 @@ prompt_insert_to_be_wiped_thumb_drive() {
#export master key and subkeys to thumbdrive's private LUKS contained partition
export_master_key_subkeys_and_revocation_key_to_private_LUKS_container() {
- TRACE "Under oem-factory-reset:export_master_key_subkeys_and_revocation_key_to_private_LUKS_container"
+ TRACE_FUNC
#Sanity check on passed arguments
while [ $# -gt 0 ]; do
@@ -363,12 +363,12 @@ export_master_key_subkeys_and_revocation_key_to_private_LUKS_container() {
#Unmount private LUKS container's mount point
umount "$mountpoint" || die "Error unmounting private LUKS container's mount point"
- TRACE "oem-factory-reset:export_master_key_subkeys_and_revocation_key_to_private_LUKS_container done"
+ TRACE_FUNC
}
#Export public key to thumb drive's public partition
export_public_key_to_thumbdrive_public_partition() {
- TRACE "Under oem-factory-reset:export_public_key_to_thumbdrive_public_partition"
+ TRACE_FUNC
#Sanity check on passed arguments
while [ $# -gt 0 ]; do
@@ -399,7 +399,7 @@ export_public_key_to_thumbdrive_public_partition() {
gpg --export --armor "${GPG_USER_MAIL}" >"$mountpoint"/pubkey.asc || die "Error exporting public key to thumb drive's public partition"
umount "$mountpoint" || die "Error unmounting thumb drive's public partition"
- TRACE "oem-factory-reset:export_public_key_to_thumbdrive_public_partition done"
+ TRACE_FUNC
}
# Select thumb drive and LUKS container size for GPG key export
@@ -407,7 +407,7 @@ export_public_key_to_thumbdrive_public_partition() {
# - thumb_drive
# - thumb_drive_luks_percent
select_thumb_drive_for_key_material() {
- TRACE "Under oem-factory-reset:wipe_thumb_drive_and_copy_gpg_key_material"
+ TRACE_FUNC
#enable usb storage
enable_usb
@@ -459,7 +459,7 @@ select_thumb_drive_for_key_material() {
# $1 - thumb drive block device
# $2 - LUKS container percentage [1-99]
wipe_thumb_drive_and_copy_gpg_key_material() {
- TRACE "Under oem-factory-reset:wipe_thumb_drive_and_copy_gpg_key_material"
+ TRACE_FUNC
local thumb_drive thumb_drive_luks_percent
thumb_drive="$1"
@@ -472,11 +472,11 @@ wipe_thumb_drive_and_copy_gpg_key_material() {
#Export public key to thumb drive's public partition
export_public_key_to_thumbdrive_public_partition --mode rw --device "$thumb_drive"2 --mountpoint /media
- TRACE "Under oem-factory-reset:wipe_thumb_drive_and_copy_gpg_key_material done"
+ TRACE_FUNC
}
gpg_key_factory_reset() {
- TRACE "Under oem-factory-reset:gpg_key_factory_reset"
+ TRACE_FUNC
#enable usb storage
enable_usb
@@ -560,11 +560,11 @@ gpg_key_factory_reset() {
whiptail_error_die "Unknown GPG_ALGO: $GPG_ALGO"
fi
- TRACE "oem-factory-reset:gpg_key_factory_reset done"
+ TRACE_FUNC
}
generate_OEM_gpg_keys() {
- TRACE "Under oem-factory-reset:generate_OEM_gpg_keys"
+ TRACE_FUNC
#This function simply generates subkeys in smartcard following smarcard config from gpg_key_factory_reset
echo "Generating GPG keys in USB Security Dongle's smartcard..."
@@ -586,11 +586,11 @@ generate_OEM_gpg_keys() {
whiptail_error_die "GPG Key automatic keygen failed!\n\n$ERROR"
fi
- TRACE "oem-factory-reset:generate_OEM_gpg_keys done"
+ TRACE_FUNC
}
gpg_key_change_pin() {
- TRACE "Under oem-factory-reset:gpg_key_change_pin"
+ TRACE_FUNC
DEBUG "Changing GPG key PIN"
# 1 = user PIN, 3 = admin PIN
PIN_TYPE=$1
@@ -613,11 +613,11 @@ gpg_key_change_pin() {
whiptail_error_die "GPG Key PIN change failed!\n\n$ERROR"
fi
- TRACE "oem-factory-reset:gpg_key_change_pin done"
+ TRACE_FUNC
}
generate_checksums() {
- TRACE "Under oem-factory-reset:generate_checksums"
+ TRACE_FUNC
# ensure /boot mounted
if ! grep -q /boot /proc/mounts; then
@@ -711,11 +711,11 @@ generate_checksums() {
whiptail_error_die "Error signing kexec boot files:\n\n$ERROR"
fi
- TRACE "oem-factory-reset:generate_checksums done"
+ TRACE_FUNC
}
set_default_boot_option() {
- TRACE "Under oem-factory-reset:set_default_boot_option"
+ TRACE_FUNC
option_file="/tmp/kexec_options.txt"
tmp_menu_file="/tmp/kexec/kexec_menu.txt"
@@ -758,11 +758,11 @@ set_default_boot_option() {
xargs sha256sum >$hash_file 2>/dev/null) ||
whiptail_error_die "Failed to create hashes of boot files"
- TRACE "oem-factory-reset:set_default_boot_option done"
+ TRACE_FUNC
}
report_integrity_measurements() {
- TRACE "Under oem-factory-reset:report_integrity_measurements"
+ TRACE_FUNC
#check for GPG key in keyring
GPG_KEY_COUNT=$(gpg -k 2>/dev/null | wc -l)
@@ -818,11 +818,11 @@ report_integrity_measurements() {
whiptail $MAIN_MENU_BG_COLOR --title "Measured Integrity Report" --msgbox "$date\nTOTP: $TOTP | HOTP: $HOTP\n/BOOT INTEGRITY: $HASH\n\nPress OK to continue or Ctrl+Alt+Delete to reboot" 0 80
fi
- TRACE "oem-factory-reset:report_integrity_measurements done"
+ TRACE_FUNC
}
usb_security_token_capabilities_check() {
- TRACE "Under /bin/oem-factory-reset:usb_security_token_capabilities_check"
+ TRACE_FUNC
enable_usb
# ... first set board config preference
diff --git a/initrd/bin/oem-system-info-xx30 b/initrd/bin/oem-system-info-xx30
index 489a5d78..768be263 100755
--- a/initrd/bin/oem-system-info-xx30
+++ b/initrd/bin/oem-system-info-xx30
@@ -9,7 +9,7 @@ export BG_COLOR_MAIN_MENU=""
. /etc/luks-functions
. /tmp/config
-TRACE "Under /bin/oem-system-info-xx30"
+TRACE_FUNC
battery_charge="$(print_battery_charge)"
battery_health="$(print_battery_health)"
diff --git a/initrd/bin/qubes-measure-luks b/initrd/bin/qubes-measure-luks
index 0e3c7801..4f0ca281 100755
--- a/initrd/bin/qubes-measure-luks
+++ b/initrd/bin/qubes-measure-luks
@@ -3,7 +3,7 @@
# a PCR so that we can detect disk swap attacks.
. /etc/functions
-TRACE "Under /bin/qubes-measure-luks"
+TRACE_FUNC
DEBUG "Arguments passed to qubes-measure-luks: $@"
# Measure the LUKS headers into PCR 6
diff --git a/initrd/bin/seal-hotpkey b/initrd/bin/seal-hotpkey
index 1abbf8b1..77940dca 100755
--- a/initrd/bin/seal-hotpkey
+++ b/initrd/bin/seal-hotpkey
@@ -9,7 +9,7 @@ HOTP_KEY="/boot/kexec_hotp_key"
mount_boot()
{
- TRACE "Under /bin/seal-hotpkey:mount_boot"
+ TRACE_FUNC
# Mount local disk if it is not already mounted
if ! grep -q /boot /proc/mounts; then
if ! mount -o ro /boot; then
@@ -20,7 +20,7 @@ mount_boot()
fi
}
-TRACE "Under /bin/seal-hotpkey"
+TRACE_FUNC
fatal_error()
{
diff --git a/initrd/bin/seal-totp b/initrd/bin/seal-totp
index ef418e33..0ef5bcfb 100755
--- a/initrd/bin/seal-totp
+++ b/initrd/bin/seal-totp
@@ -7,7 +7,7 @@
. /etc/functions
-TRACE "Under /bin/seal-totp"
+TRACE_FUNC
TPM_NVRAM_SPACE=4d47
diff --git a/initrd/bin/setconsolefont.sh b/initrd/bin/setconsolefont.sh
index 1f217741..63aacc78 100755
--- a/initrd/bin/setconsolefont.sh
+++ b/initrd/bin/setconsolefont.sh
@@ -3,7 +3,7 @@
set -eo pipefail
. /etc/functions
-TRACE "Under /bin/setconsolefont.sh"
+TRACE_FUNC
# If the board ships setfont, and the console size is >=1600 lines tall,
# increase the console font size.
diff --git a/initrd/bin/tpmr b/initrd/bin/tpmr
index e7e61ceb..630454e1 100755
--- a/initrd/bin/tpmr
+++ b/initrd/bin/tpmr
@@ -29,7 +29,7 @@ else
. /etc/config
fi
-TRACE "Under /bin/tpmr"
+TRACE_FUNC
# Busybox xxd lacks -r, and we get hex dumps from TPM1 commands. This converts
# a hex dump to binary data using sed and printf
@@ -50,7 +50,7 @@ tpm2_password_hex() {
# Reads PCR binary data and writes to file.
# -a: Append to file. Default is to overwrite.
tpm2_pcrread() {
- TRACE "Under /bin/tpmr:tpm2_pcrread"
+ TRACE_FUNC
if [ "$1" = "-a" ]; then
APPEND=y
shift
@@ -68,7 +68,7 @@ tpm2_pcrread() {
DO_WITH_DEBUG tpm2 pcrread -Q -o >(cat >>"$file") "sha256:$index"
}
tpm1_pcrread() {
- TRACE "Under /bin/tpmr:tpm1_pcrread"
+ TRACE_FUNC
if [ "$1" = "-a" ]; then
APPEND=y
shift
@@ -193,7 +193,7 @@ $0 ~ pcr {
# hashes and/or files extended to given PCR after firmware. Resulting PCR value
# is returned in binary form.
replay_pcr() {
- TRACE "Under /bin/tpmr:replay_pcr"
+ TRACE_FUNC
if [ -z "$2" ]; then
echo >&2 "No PCR number passed"
return
@@ -229,7 +229,7 @@ replay_pcr() {
}
tpm2_extend() {
- TRACE "Under /bin/tpmr:tpm2_extend"
+ TRACE_FUNC
while true; do
case "$1" in
-ix)
@@ -254,7 +254,7 @@ tpm2_extend() {
}
tpm2_counter_read() {
- TRACE "Under /bin/tpmr:tpm2_counter_read"
+ TRACE_FUNC
while true; do
case "$1" in
-ix)
@@ -270,7 +270,7 @@ tpm2_counter_read() {
}
tpm2_counter_inc() {
- TRACE "Under /bin/tpmr:tpm2_counter_inc"
+ TRACE_FUNC
while true; do
case "$1" in
-ix)
@@ -291,7 +291,7 @@ tpm2_counter_inc() {
}
tpm1_counter_create() {
- TRACE "Under /bin/tpmr:tpm1_counter_create"
+ TRACE_FUNC
# tpmr handles the TPM owner password (from cache or prompt), but all
# other parameters for TPM1 are passed directly, and TPM2 mimics the
# TPM1 interface.
@@ -304,7 +304,7 @@ tpm1_counter_create() {
}
tpm2_counter_create() {
- TRACE "Under /bin/tpmr:tpm2_counter_create"
+ TRACE_FUNC
while true; do
case "$1" in
-pwdc)
@@ -333,7 +333,7 @@ tpm2_counter_create() {
}
tpm2_startsession() {
- TRACE "Under /bin/tpmr:tpm2_startsession"
+ TRACE_FUNC
mkdir -p "$SECRET_DIR"
tpm2 flushcontext -Q \
--transient-object ||
@@ -356,7 +356,7 @@ tpm2_startsession() {
# session file. E.g.:
# at_exit cleanup_session "$SESSION_FILE"
cleanup_session() {
- TRACE "Under /bin/tpmr:cleanup_session"
+ TRACE_FUNC
session_file="$1"
if [ -f "$session_file" ]; then
DEBUG "Clean up session: $session_file"
@@ -372,7 +372,7 @@ cleanup_session() {
# at_exit, e.g.:
# at_exit cleanup_shred "$FILE"
cleanup_shred() {
- TRACE "Under /bin/tpmr:cleanup_shred"
+ TRACE_FUNC
shred -n 10 -z -u "$1" 2>/dev/null || true
}
@@ -408,7 +408,7 @@ tpm1_destroy() {
# provided - TPM2 allows the TPM to fall back to current PCR values, but it is
# not required to support this.
tpm2_seal() {
- TRACE "Under /bin/tpmr:tpm2_seal"
+ TRACE_FUNC
file="$1" #$KEY_FILE
index="$2"
pcrl="$3" #0,1,2,3,4,5,6,7 (does not include algorithm prefix)
@@ -481,7 +481,7 @@ tpm2_seal() {
}
}
tpm1_seal() {
- TRACE "Under /bin/tpmr:tpm1_seal"
+ TRACE_FUNC
file="$1"
index="$2"
pcrl="$3" #0,1,2,3,4,5,6,7 (does not include algorithm prefix)
@@ -549,7 +549,7 @@ tpm1_seal() {
# password must be provided if one was used to seal (and cannot be provided if
# no password was used to seal).
tpm2_unseal() {
- TRACE "Under /bin/tpmr:tpm2_unseal"
+ TRACE_FUNC
index="$1"
pcrl="$2" #0,1,2,3,4,5,6,7 (does not include algorithm prefix)
sealed_size="$3"
@@ -594,7 +594,7 @@ tpm2_unseal() {
-S "$ENC_SESSION_FILE" >"$file"
}
tpm1_unseal() {
- TRACE "Under /bin/tpmr:tpm1_unseal"
+ TRACE_FUNC
index="$1"
pcrl="$2"
sealed_size="$3"
@@ -629,7 +629,7 @@ tpm1_unseal() {
}
tpm2_reset() {
- TRACE "Under /bin/tpmr:tpm2_reset"
+ TRACE_FUNC
tpm_owner_password="$1"
mkdir -p "$SECRET_DIR"
# output TPM Owner Password to a file to be reused in this boot session until recovery shell/reboot
@@ -678,7 +678,7 @@ tpm2_reset() {
"hex:$(dd if=/dev/urandom bs=32 count=1 status=none | xxd -p | tr -d ' \n')"
}
tpm1_reset() {
- TRACE "Under /bin/tpmr:tpm1_reset"
+ TRACE_FUNC
tpm_owner_password="$1"
mkdir -p "$SECRET_DIR"
# output tpm_owner_password to a file to be reused in this boot session until recovery shell/reboot
@@ -700,7 +700,7 @@ tpm1_reset() {
# Perform final cleanup before boot and lock the platform heirarchy.
tpm2_kexec_finalize() {
- TRACE "Under /bin/tpmr:tpm2_kexec_finalize"
+ TRACE_FUNC
# Flush sessions and transient objects
tpm2 flushcontext -Q --transient-object ||
@@ -720,7 +720,7 @@ tpm2_kexec_finalize() {
}
tpm2_shutdown() {
- TRACE "Under /bin/tpmr:tpm2_shutdown"
+ TRACE_FUNC
# Prepare for shutdown.
# This is a "clear" shutdown (do not preserve runtime state) since we
diff --git a/initrd/bin/unpack_initramfs.sh b/initrd/bin/unpack_initramfs.sh
index cbefc10a..db176fd6 100755
--- a/initrd/bin/unpack_initramfs.sh
+++ b/initrd/bin/unpack_initramfs.sh
@@ -3,7 +3,7 @@ set -e -o pipefail
. /etc/functions
-TRACE "Under unpack_initramfs.sh"
+TRACE_FUNC
# Unpack a Linux initramfs archive.
#
# In general, the initramfs archive is one or more cpio archives, optionally
@@ -31,7 +31,7 @@ CPIO_ARGS=("$@")
# Consume zero bytes, the first nonzero byte read (if any) is repeated on stdout
consume_zeros() {
- TRACE "Under unpack_initramfs.sh:consume_zeros"
+ TRACE_FUNC
next_byte='00'
while [ "$next_byte" = "00" ]; do
# if we reach EOF, next_byte becomes empty (dd does not fail)
@@ -44,13 +44,13 @@ consume_zeros() {
}
unpack_cpio() {
- TRACE "Under unpack_initramfs.sh:unpack_cpio"
+ TRACE_FUNC
(cd "$dest_dir"; cpio -i "${CPIO_ARGS[@]}" 2>/dev/null)
}
# unpack the first segment of an archive, then write the rest to another file
unpack_first_segment() {
- TRACE "Under unpack_initramfs.sh:unpack_first_segment"
+ TRACE_FUNC
unpack_archive="$1"
dest_dir="$2"
rest_archive="$3"
diff --git a/initrd/bin/unseal-hotp b/initrd/bin/unseal-hotp
index d9f2ad08..031c6d27 100755
--- a/initrd/bin/unseal-hotp
+++ b/initrd/bin/unseal-hotp
@@ -8,7 +8,7 @@ HOTP_COUNTER="/boot/kexec_hotp_counter"
mount_boot_or_die()
{
- TRACE "Under /bin/unseal-hotp:mount_boot_or_die"
+ TRACE_FUNC
# Mount local disk if it is not already mounted
if ! grep -q /boot /proc/mounts ; then
mount -o ro /boot \
@@ -16,7 +16,7 @@ mount_boot_or_die()
fi
}
-TRACE "Under /bin/unseal-hotp"
+TRACE_FUNC
# Store counter in file instead of TPM for now, as it conflicts with Heads
# config TPM counter as TPM 1.2 can only increment one counter between reboots
diff --git a/initrd/bin/unseal-totp b/initrd/bin/unseal-totp
index 7a8dfaf3..b5ec1414 100755
--- a/initrd/bin/unseal-totp
+++ b/initrd/bin/unseal-totp
@@ -5,7 +5,7 @@
TOTP_SECRET="/tmp/secret/totp.key"
-TRACE "Under /bin/unseal-totp"
+TRACE_FUNC
if [ "$CONFIG_TPM" = "y" ]; then
tpmr unseal 4d47 0,1,2,3,4,7 312 "$TOTP_SECRET" ||
diff --git a/initrd/bin/usb-init b/initrd/bin/usb-init
index ea1d72bd..06fbc107 100755
--- a/initrd/bin/usb-init
+++ b/initrd/bin/usb-init
@@ -4,7 +4,7 @@
. /etc/functions
. /tmp/config
-TRACE "Under /bin/usb-init"
+TRACE_FUNC
if [ "$CONFIG_TPM" = "y" ]; then
# Extend PCR4 as soon as possible
diff --git a/initrd/bin/wget-measure.sh b/initrd/bin/wget-measure.sh
index 604f83eb..8e7e9e7b 100755
--- a/initrd/bin/wget-measure.sh
+++ b/initrd/bin/wget-measure.sh
@@ -3,7 +3,7 @@
. /etc/functions
die() {
- TRACE "Under /bin/wget-measure.sh:die"
+ TRACE_FUNC
echo >&2 "$@"
exit 1
}
diff --git a/initrd/etc/functions b/initrd/etc/functions
index da732d9e..496c1064 100755
--- a/initrd/etc/functions
+++ b/initrd/etc/functions
@@ -64,7 +64,7 @@ pcrs() {
}
confirm_totp() {
- TRACE "Under /etc/functions:confirm_totp"
+ TRACE_FUNC
prompt="$1"
last_half=X
unset totp_confirm
@@ -103,7 +103,7 @@ confirm_totp() {
}
reseal_tpm_disk_decryption_key() {
- TRACE "Under /etc/functions:reseal_tpm_disk_decryption_key"
+ TRACE_FUNC
#For robustness, exit early if LUKS TPM Disk Unlock Key is prohibited in board configs
if [ "$CONFIG_TPM_DISK_UNLOCK_KEY" == "n" ]; then
DEBUG "LUKS TPM Disk Unlock Key is prohibited in board configs"
@@ -140,7 +140,7 @@ reseal_tpm_disk_decryption_key() {
# be detected. If USB storage was already enabled, no wait occurs, this would
# have happened already when USB storage was enabled.
enable_usb_storage() {
- TRACE "Under /etc/functions:enable_usb_storage"
+ TRACE_FUNC
if ! lsmod | grep -q usb_storage; then
timeout=0
echo "Scanning for USB storage devices..."
@@ -155,7 +155,7 @@ enable_usb_storage() {
}
list_usb_storage() {
- TRACE "Under /etc/functions:list_usb_storage"
+ TRACE_FUNC
# List all USB storage devices, including partitions unless we received argument stating we want drives only
# The output is a list of device names, one per line.
@@ -216,7 +216,7 @@ list_usb_storage() {
# Tools should optionally accept a TPM password on the command line, since some flows need
# it multiple times and only one prompt is ideal.
prompt_tpm_owner_password() {
- TRACE "Under /etc/functions:prompt_tpm_owner_password"
+ TRACE_FUNC
if [ -s /tmp/secret/tpm_owner_password ]; then
DEBUG "/tmp/secret/tpm_owner_password already cached in file. Reusing"
@@ -238,7 +238,7 @@ prompt_tpm_owner_password() {
# The password must be 1-32 characters and must be entered twice,
# the script will loop until this is met.
prompt_new_owner_password() {
- TRACE "Under /etc/functions:prompt_new_owner_password"
+ TRACE_FUNC
local tpm_owner_password2
tpm_owner_password=1
tpm_owner_password2=2
@@ -262,7 +262,7 @@ prompt_new_owner_password() {
}
check_tpm_counter() {
- TRACE "Under /etc/functions:check_tpm_counter"
+ TRACE_FUNC
LABEL=${2:-3135106223}
tpm_password="$3"
@@ -286,20 +286,20 @@ check_tpm_counter() {
}
read_tpm_counter() {
- TRACE "Under /etc/functions:read_tpm_counter"
+ TRACE_FUNC
tpmr counter_read -ix "$1" | tee "/tmp/counter-$1" ||
die "Counter read failed"
}
increment_tpm_counter() {
- TRACE "Under /etc/functions:increment_tpm_counter"
+ TRACE_FUNC
tpmr counter_increment -ix "$1" -pwdc '' |
tee /tmp/counter-$1 ||
die "TPM counter increment failed for rollback prevention. Please reset the TPM"
}
check_config() {
- TRACE "Under /etc/functions:check_config"
+ TRACE_FUNC
if [ ! -d /tmp/kexec ]; then
mkdir /tmp/kexec ||
die 'Failed to make kexec tmp dir'
@@ -340,7 +340,7 @@ replace_rom_file() {
}
replace_config() {
- TRACE "Under /etc/functions:replace_config"
+ TRACE_FUNC
CONFIG_FILE=$1
CONFIG_OPTION=$2
NEW_SETTING=$3
@@ -373,7 +373,7 @@ secret_from_rom_hash() {
}
update_checksums() {
- TRACE "Under /etc/functions:update_checksums"
+ TRACE_FUNC
# ensure /boot mounted
if ! grep -q /boot /proc/mounts; then
mount -o ro /boot ||
@@ -403,7 +403,7 @@ update_checksums() {
}
print_tree() {
- TRACE "Under /etc/functions:print_tree"
+ TRACE_FUNC
find ./ ! -path './kexec*' -print0 | sort -z
}
@@ -471,7 +471,7 @@ escape_zero() {
# due to https://bugs.busybox.net/show_bug.cgi?id=14226. Also, certain characters
# may be intepreted by `whiptail`, `less` et al (e.g. \n, \b, ...).
assert_signable() {
- TRACE "Under /etc/functions:assert_signable"
+ TRACE_FUNC
# ensure /boot mounted
if ! grep -q /boot /proc/mounts; then
mount -o ro /boot || die "Unable to mount /boot"
@@ -490,7 +490,7 @@ assert_signable() {
}
verify_checksums() {
- TRACE "Under /etc/functions:verify_checksums"
+ TRACE_FUNC
local boot_dir="$1"
local gui="${2:-y}"
@@ -523,7 +523,7 @@ verify_checksums() {
# detect and set /boot device
# mount /boot if successful
detect_boot_device() {
- TRACE "Under /etc/functions:detect_boot_device"
+ TRACE_FUNC
# unmount /boot to be safe
cd / && umount /boot 2>/dev/null
@@ -570,7 +570,7 @@ detect_boot_device() {
}
scan_boot_options() {
- TRACE "Under /etc/functions:scan_boot_options"
+ TRACE_FUNC
local bootdir config option_file
bootdir="$1"
config="$2"
diff --git a/initrd/etc/gui_functions b/initrd/etc/gui_functions
index 86e09916..67376ea2 100755
--- a/initrd/etc/gui_functions
+++ b/initrd/etc/gui_functions
@@ -15,7 +15,7 @@ pause_automatic_boot()
mount_usb()
{
- TRACE "under gui_functions:mount_usb"
+ TRACE_FUNC
# Unmount any previous USB device
if grep -q /media /proc/mounts ; then
umount /media || die "Unable to unmount /media"
@@ -80,7 +80,7 @@ display_block_device_size() {
# No entries in list: Displays error and exits unsuccessfully
file_selector()
{
- TRACE "under gui_functions:file_selector"
+ TRACE_FUNC
local FILE_LIST MENU_MSG MENU_TITLE CHOICE_ARGS SHOW_SIZE OPTION_SIZE option_index
@@ -132,7 +132,7 @@ file_selector()
show_system_info()
{
- TRACE "Under /bin/gui-init:show_system_info"
+ TRACE_FUNC
battery_charge="$(print_battery_charge)"
battery_health="$(print_battery_health)"
if [ -n $battery_charge -a -n $battery_health ];then
diff --git a/initrd/etc/luks-functions b/initrd/etc/luks-functions
index 8f8e5ad7..7704620b 100644
--- a/initrd/etc/luks-functions
+++ b/initrd/etc/luks-functions
@@ -16,7 +16,7 @@ list_luks_devices() {
#Whiptail prompt asking user to select ratio of device to use for LUKS container between: 25, 50, 75
select_luks_container_size_percent() {
- TRACE "Under /etc/luks-functions:select_luks_container_size_percent()"
+ TRACE_FUNC
if [ -x /bin/whiptail ]; then
#whiptail prompt asking user to select ratio of device to use for LUKS container between: 25, 50, 75
#whiptail returns the percentage of the device to use for LUKS container
@@ -56,7 +56,7 @@ select_luks_container_size_percent() {
# Size provisioning is done by percentage of the device
interactive_prepare_thumb_drive()
{
- TRACE "Under /etc/luks-functions:interactive_prepare_thumb_drive()"
+ TRACE_FUNC
#Refactoring: only one parameter needed to be prompted for: the passphrase for LUKS container if not coming from oem-provisioning
#If no passphrase was provided, ask user to select passphrase for LUKS container
# if no device provided as parameter, we will ask user to select device to partition
@@ -188,7 +188,7 @@ interactive_prepare_thumb_drive()
# $2 - percent of device allocated to LUKS [1-99]
confirm_thumb_drive_format()
{
- TRACE "Under /etc/luks-functions:confirm_thumb_drive_format()"
+ TRACE_FUNC
local DEVICE LUKS_PERCENTAGE DISK_SIZE_BYTES DISK_SIZE_DISPLAY LUKS_PERCENTAGE LUKS_SIZE_MB MSG
DEVICE="$1"
@@ -230,7 +230,7 @@ confirm_thumb_drive_format()
# $3 - passphrase for LUKS container
prepare_thumb_drive()
{
- TRACE "Under /etc/luks-functions:prepare_thumb_drive()"
+ TRACE_FUNC
local DEVICE PERCENTAGE PASSPHRASE DISK_SIZE_BYTES PERCENTAGE_MB
DEVICE="$1"
@@ -267,7 +267,7 @@ prepare_thumb_drive()
select_luks_container()
{
- TRACE "Under /etc/luks-functions:select_luks_container()"
+ TRACE_FUNC
if [ -s /boot/kexec_key_devices.txt ]; then
DEBUG "Reusing known good LUKS container device from /boot/kexec_key_devices.txt"
DEBUG "LUKS container device: $(cut -d ' ' -f1 /boot/kexec_key_devices.txt)"
@@ -295,7 +295,7 @@ select_luks_container()
test_luks_current_disk_recovery_key_passphrase()
{
- TRACE "Under /etc/luks-functions:test_luks_current_disk_recovery_key_passphrase()"
+ TRACE_FUNC
while :; do
select_luks_container || return 1
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
@@ -336,7 +336,7 @@ test_luks_current_disk_recovery_key_passphrase()
}
luks_reencrypt() {
- TRACE "Under /etc/luks-functions:luks_reencrypt()"
+ TRACE_FUNC
while :; do
select_luks_container || return 1
#If the user just set a new LUKS Disk Recovery Key passphrase
@@ -382,7 +382,7 @@ luks_reencrypt() {
luks_change_passphrase()
{
- TRACE "Under /etc/luks-functions:luks_change_passphrase()"
+ TRACE_FUNC
while :; do
select_luks_container || return 1
#if actual or new LUKS Disk Recovery Key is not provisioned by oem-provisioning file
diff --git a/initrd/sbin/insmod b/initrd/sbin/insmod
index 3f04edc8..8545482b 100755
--- a/initrd/sbin/insmod
+++ b/initrd/sbin/insmod
@@ -6,7 +6,7 @@
. /etc/functions
-TRACE "Under insmod.sh"
+TRACE_FUNC
MODULE="$1"; shift
diff --git a/targets/qemu.mk b/targets/qemu.mk
index 930afa7b..59286a3e 100644
--- a/targets/qemu.mk
+++ b/targets/qemu.mk
@@ -88,7 +88,7 @@ run: $(TPMDIR)/.manufacture $(ROOT_DISK_IMG) $(MEMORY_SIZE_FILE) $(USB_FD_IMG)
-qemu-system-x86_64 -drive file="$(ROOT_DISK_IMG)",if=virtio \
--machine q35,accel=kvm:tcg \
-rtc base=utc \
- -smp "$$(nproc)" \
+ -smp 1 \
-vga std \
-m "$$(cat "$(MEMORY_SIZE_FILE)")" \
-serial stdio \