WiP: Staging commit to facilitate review, will squash into previous commits once confirmed good

2025-02-20 09:16:21 +00:00 · 2023-08-31 12:07:39 -04:00 · 2023-08-31 12:07:39 -04:00 · 64ad01f333
commit 64ad01f333
parent 03d8f93c95
6 changed files with 156 additions and 168 deletions
--- a/initrd/bin/gui-init
+++ b/initrd/bin/gui-init
@ -174,7 +174,7 @@ generate_totp_hotp()
    printf "\033c"
  else
    warn "Unsealing TOTP/HOTP secret from previous sealed measurements failed"
-    warn "Try "Generate new HOTP/TOTP secret" option if you updated firmware content"
+    warn 'Try "Generate new HOTP/TOTP secret" option if you updated firmware content'
  fi
 }

--- a/initrd/bin/kexec-save-default
+++ b/initrd/bin/kexec-save-default
@ -38,7 +38,6 @@ PRIMHASH_FILE="$paramsdir/kexec_primhdl_hash.txt"
 KEY_DEVICES="$paramsdir/kexec_key_devices.txt"
 KEY_LVM="$paramsdir/kexec_key_lvm.txt"

-
 lvm_suggest=$(lvm vgscan | awk -F '"' {'print $1'} | tail -n +2)
 num_lvm=$(echo "$lvm_suggest" | wc -l)
 if [ "$num_lvm" -eq 1 ] && [ -n "$lvm_suggest" ]; then
@ -50,8 +49,7 @@ DEBUG "LVM num_lvm: $num_lvm, lvm_suggest: $lvm_suggest"

 # get all LUKS container devices
 devices_suggest=$(blkid | cut -d ':' -f 1 | while read device; do
-	cryptsetup isLuks "$device"
-	if [ $(echo $?) == 0 ]; then echo "$device"; fi
+	if cryptsetup isLuks "$device"; then echo "$device"; fi
 done | sort)
 num_devices=$(echo "$devices_suggest" | wc -l)

@ -79,9 +77,9 @@ fi
 save_key="n"
 if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [ "$CONFIG_BASIC" != y ]; then
 	DEBUG "TPM is enabled and TPM_NO_LUKS_DISK_UNLOCK is not set"
-	DEBUG "Checking if a a TPM Disk Unlock Key was previously setuped from $KEY_DEVICES"
+	DEBUG "Checking if a a TPM Disk Unlock Key was previously set up from $KEY_DEVICES"
 	if [ ! -r "$KEY_DEVICES" ]; then
-		DEBUG "No previous TPM Disk Unlock Key was setuped for LUKS devices, confirming to add a disk encryption to the TPM"
+		DEBUG "No previous TPM Disk Unlock Key was set up for LUKS devices, confirming to add a disk encryption to the TPM"
 		read \
 			-n 1 \
 			-p "Do you wish to add a disk encryption to the TPM [y/N]: " \
@ -94,7 +92,7 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [
 			save_key="y"
 		fi
 	else
-		DEBUG "Previous TPM Disk Unlock Key was setuped for LUKS devices"
+		DEBUG "Previous TPM Disk Unlock Key was set up for LUKS devices"
 		read \
 			-n 1 \
 			-p "Do you want to reseal a disk key to the TPM [y/N]: " \
@ -123,7 +121,7 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [

 	if [ "$save_key" = "y" ]; then
 		if [ -n "$old_key_devices" ] || [ -n "$old_lvm_volume_group" ]; then
-			DEBUG "Previous TPM Disk Unlock Key was setuped for LUKS devices $old_key_devices $old_lvm_volume_group"
+			DEBUG "Previous TPM Disk Unlock Key was set up for LUKS devices $old_key_devices $old_lvm_volume_group"
 			read \
 				-n 1 \
 				-p "Do you want to reuse configured Encrypted LVM groups/Block devices? (Y/n):" \
@ -138,10 +136,10 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [
 				fi
 			fi
 		else
-			DEBUG "No previous TPM Disk Unlock Key was setuped for LUKS devices, setting up new ones"
+			DEBUG "No previous TPM Disk Unlock Key was set up for LUKS devices, setting up new ones"
 			if [ "$num_lvm" -gt 1 ]; then
 				DEBUG "Multiple LVM groups found"
-				//untested
+				# TODO: untested codepath. What uses lvm+LUKS on top nowadays?!?
 				selected_lvmdev_not_existing=1
 				while [ $selected_lvmdev_not_existing -ne 0 ]; do
 					{
@ -172,7 +170,8 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [
 							key_devices

 						result=$(echo "$devices_suggest" | grep -q "$key_devices") || selected_luksdev_not_existing=1
-						if [ $? == 0 ]; then
+						#if result is not empty, then the device exists
+						if [ -n "$result" ]; then
 							selected_luksdev_not_existing=0
 						fi
 					}
--- a/initrd/bin/kexec-seal-key
+++ b/initrd/bin/kexec-seal-key
@ -53,7 +53,7 @@ echo

 read -s -p "New TPM Disk Unlock Key passphrase for booting: " key_password
 echo
-read -s -p "Repeat TPM Disk Unlock key passphrase for booting: " key_password2
+read -s -p "Repeat TPM Disk Unlock Key passphrase for booting: " key_password2
 echo

 if [ "$key_password" != "$key_password2" ]; then
--- a/initrd/bin/kexec-select-boot
+++ b/initrd/bin/kexec-select-boot
@ -56,12 +56,12 @@ if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
 		sha256sum -c "$PRIMHASH_FILE" \
 			|| {
 			echo "FATAL: Hash of TPM2 primary key handle mismatch!";
-			echo "If you have not intentionally regenerated TPM2 primary key,";
+			warn "If you have not intentionally regenerated TPM2 primary key,";
 			warn "your system may have been compromised";
 		}
 	else
-		echo "WARNING: Hash of TPM2 primary key handle does not exist!"
-		echo "Please rebuild the boot hash tree."
+		warn "Hash of TPM2 primary key handle does not exist"
+		warn "Please rebuild the boot hash tree"
 		default_failed="y"
 	fi
 fi
--- a/initrd/etc/functions
+++ b/initrd/etc/functions
@ -41,8 +41,7 @@ pcrs() {
 	fi
 }

-confirm_totp()
-{
+confirm_totp() {
 	TRACE "Under /etc/functions:confirm_totp"
 	prompt="$1"
 	last_half=X
@ -51,15 +50,15 @@ confirm_totp()
 	while true; do

 		# update the TOTP code every thirty seconds
-		date=`date "+%Y-%m-%d %H:%M:%S"`
-		seconds=`date "+%s"`
-		half=`expr \( $seconds % 60 \) / 30`
+		date=$(date "+%Y-%m-%d %H:%M:%S")
+		seconds=$(date "+%s")
+		half=$(expr \( $seconds % 60 \) / 30)
 		if [ "$CONFIG_TPM" != "y" ]; then
 			TOTP="NO TPM"
 		elif [ "$half" != "$last_half" ]; then
-			last_half=$half;
-			TOTP=`unseal-totp` \
-			|| recovery "TOTP code generation failed"
+			last_half=$half
+			TOTP=$(unseal-totp) ||
+				recovery "TOTP code generation failed"
 		fi

 		echo -n "$date $TOTP: "
@ -70,8 +69,8 @@ confirm_totp()
 			-n 1 \
 			-s \
 			-p "$prompt" \
-			totp_confirm \
-		&& break
+			totp_confirm &&
+			break

 		# nothing typed, redraw the line
 		echo -ne '\r'
@ -81,27 +80,32 @@ confirm_totp()
 	echo
 }

-reseal_tpm_disk_decryption_key()
-{
+reseal_tpm_disk_decryption_key() {
 	TRACE "Under /etc/functions:reseal_tpm_disk_decryption_key"
-	#Can be called only on resealing, not on tpm reset:
-	#otherise primary handle and rollback would change.
-	if ! grep -q /boot /proc/mounts ; then
-		mount -o ro /boot \
-		|| recovery "Unable to mount /boot"
+	#For robustness, exit early if TPM Disk Unlock Key is prohibited in board configs
+	if [ "$CONFIG_TPM_DISK_UNLOCK_KEY" != "y" ]; then
+		DEBUG "TPM Disk Unlock Key is prohibited in board configs"
+		return
+	else
+		DEBUG "TPM Disk Unlock Key is allowed in board configs. Continuing"
+	fi
+
+	if ! grep -q /boot /proc/mounts; then
+		mount -o ro /boot ||
+			recovery "Unable to mount /boot"
 	fi

 	if [ -s /boot/kexec_key_devices.txt ] || [ -s /boot/kexec_key_lvm.txt ]; then
-		warn "A TPM disk decryption key previoulsy sealed is now invalid since firmware measurements cannot be unsealed" 
-		warn "Renewing LUKS Disk Unlock Key to be unsealed by TPM Disk Unlock Key passphrase"
+		warn "A TPM Disk Unlock Key previously sealed is now invalid since firmware measurements cannot be unsealed"
+		echo "Renewing LUKS Disk Unlock Key to be unsealed by TPM Disk Unlock Key passphrase"
 		while ! kexec-seal-key /boot; do
-			warn "Recovery disk encryption key passphrase invalid. Try again!"
+			warn "Recovery Disk Encryption key passphrase invalid. Try again!"
 		done
-		warn "LUKS header hash changed under of /boot/kexec_luks_hdr_hash.txt" 
-		warn "Updating checksums and signing all files under /boot/kexec.sig"
+		warn "LUKS header hash changed under /boot/kexec_luks_hdr_hash.txt"
+		echo "Updating checksums and signing all files under /boot/kexec.sig"
 		while ! update_checksums; do
-		warn "Checksums were not signed. Bad GPG PIN provided?" 
-		warn "Please update checksums and provide a valid GPG PIN"
+			warn "Checksums were not signed. Bad GPG PIN provided?"
+			warn "Please update checksums and provide a valid GPG PIN"
 		done
 		warn "Rebooting in 3 seconds to enable booting default boot option"
 		sleep 3
@ -114,23 +118,21 @@ reseal_tpm_disk_decryption_key()
 # Enable USB storage (if not already enabled), and wait for storage devices to
 # be detected.  If USB storage was already enabled, no wait occurs, this would
 # have happened already when USB storage was enabled.
-enable_usb_storage()
-{
+enable_usb_storage() {
 	if ! lsmod | grep -q usb_storage; then
 		timeout=0
 		echo "Scanning for USB storage devices..."
-		insmod /lib/modules/usb-storage.ko >/dev/null 2>&1 \
-		|| die "usb_storage: module load failed"
-		while [[ $(list_usb_storage | wc -l) -eq 0 ]]; do 
+		insmod /lib/modules/usb-storage.ko >/dev/null 2>&1 ||
+			die "usb_storage: module load failed"
+		while [[ $(list_usb_storage | wc -l) -eq 0 ]]; do
 			[[ $timeout -ge 8 ]] && break
 			sleep 1
-			timeout=$(($timeout+1))
+			timeout=$(($timeout + 1))
 		done
 	fi
 }

-list_usb_storage()
-{
+list_usb_storage() {
 	TRACE "Under /etc/functions:list_usb_storage"
 	# List all USB storage devices, including partitions unless we received argument stating we want drives only
 	# The output is a list of device names, one per line.
@ -187,8 +189,7 @@ list_usb_storage()
 		done
 }

-confirm_gpg_card()
-{
+confirm_gpg_card() {
 	TRACE "Under /etc/functions:confirm_gpg_card"
 	read \
 		-n 1 \
@ -199,7 +200,7 @@ confirm_gpg_card()
 	if [ "$card_confirm" != "y" \
 		-a "$card_confirm" != "Y" \
 		-a -n "$card_confirm" ] \
-	; then
+		; then
 		die "gpg card not confirmed"
 	fi

@ -210,23 +211,23 @@ confirm_gpg_card()
 	# ensure we don't exit without retrying
 	errexit=$(set -o | grep errexit | awk '{print $2}')
 	set +e
-	gpg --card-status > /dev/null
+	gpg --card-status >/dev/null
 	if [ $? -ne 0 ]; then
-	  # prompt for reinsertion and try a second time
-	  read -n1 -r -p \
-	      "Can't access GPG key; remove and reinsert, then press Enter to retry. " \
-	      ignored
-	  # restore prev errexit state
-	  if [ "$errexit" = "on" ]; then
-	    set -e
-	  fi
-	  # retry card status
-	  gpg --card-status > /dev/null \
-	  	|| die "gpg card read failed"
+		# prompt for reinsertion and try a second time
+		read -n1 -r -p \
+			"Can't access GPG key; remove and reinsert, then press Enter to retry. " \
+			ignored
+		# restore prev errexit state
+		if [ "$errexit" = "on" ]; then
+			set -e
+		fi
+		# retry card status
+		gpg --card-status >/dev/null ||
+			die "gpg card read failed"
 	fi
 	# restore prev errexit state
 	if [ "$errexit" = "on" ]; then
-	  set -e
+		set -e
 	fi
 }

@ -235,7 +236,7 @@ confirm_gpg_card()
 # line, since some flows need it multiple times and only one prompt is ideal.
 prompt_tpm_password() {
 	if [ -n "$tpm_password" ]; then
-		return 0;
+		return 0
 	fi

 	read -s -p "TPM Owner password: " tpm_password
@ -263,25 +264,24 @@ prompt_new_owner_password() {
 	done
 }

-check_tpm_counter()
-{
-  TRACE "Under /etc/functions:check_tpm_counter"
-  LABEL=${2:-3135106223}
-  tpm_password="$3"
+check_tpm_counter() {
+	TRACE "Under /etc/functions:check_tpm_counter"
+	LABEL=${2:-3135106223}
+	tpm_password="$3"
 	# if the /boot.hashes file already exists, read the TPM counter ID
 	# from it.
 	if [ -r "$1" ]; then
-		TPM_COUNTER=`grep counter- "$1" | cut -d- -f2`
+		TPM_COUNTER=$(grep counter- "$1" | cut -d- -f2)
 	else
 		warn "$1 does not exist; creating new TPM counter"
 		prompt_tpm_password
 		tpmr counter_create \
 			-pwdo "$tpm_password" \
 			-pwdc '' \
-			-la $LABEL \
-		| tee /tmp/counter \
-		|| die "Unable to create TPM counter"
-		TPM_COUNTER=`cut -d: -f1 < /tmp/counter`
+			-la $LABEL |
+			tee /tmp/counter ||
+			die "Unable to create TPM counter"
+		TPM_COUNTER=$(cut -d: -f1 </tmp/counter)
 	fi

 	if [ -z "$TPM_COUNTER" ]; then
@ -289,48 +289,46 @@ check_tpm_counter()
 	fi
 }

-read_tpm_counter()
-{
+read_tpm_counter() {
 	TRACE "Under /etc/functions:read_tpm_counter"
-	tpmr counter_read -ix "$1" | tee "/tmp/counter-$1" \
-	|| die "Counter read failed"
+	tpmr counter_read -ix "$1" | tee "/tmp/counter-$1" ||
+		die "Counter read failed"
 }

-increment_tpm_counter()
-{
+increment_tpm_counter() {
 	TRACE "Under /etc/functions:increment_tpm_counter"
-	tpmr counter_increment -ix "$1" -pwdc '' \
-		| tee /tmp/counter-$1 \
-	|| die "Counter increment failed"
+	tpmr counter_increment -ix "$1" -pwdc '' |
+		tee /tmp/counter-$1 ||
+		die "Counter increment failed"
 }

 check_config() {
 	TRACE "Under /etc/functions:check_config"
 	if [ ! -d /tmp/kexec ]; then
-		mkdir /tmp/kexec \
-		|| die 'Failed to make kexec tmp dir'
+		mkdir /tmp/kexec ||
+			die 'Failed to make kexec tmp dir'
 	else
-		rm -rf /tmp/kexec/* \
-		|| die 'Failed to empty kexec tmp dir'
+		rm -rf /tmp/kexec/* ||
+			die 'Failed to empty kexec tmp dir'
 	fi

 	if [ ! -r $1/kexec.sig -a "$CONFIG_BASIC" != "y" ]; then
 		return
 	fi

-	if [ `find $1/kexec*.txt | wc -l` -eq 0 ]; then
+	if [ $(find $1/kexec*.txt | wc -l) -eq 0 ]; then
 		return
 	fi

 	if [ "$2" != "force" ]; then
-		if ! sha256sum `find $1/kexec*.txt` | gpgv $1/kexec.sig - ; then
+		if ! sha256sum $(find $1/kexec*.txt) | gpgv $1/kexec.sig -; then
 			die 'Invalid signature on kexec boot params'
 		fi
 	fi

 	echo "+++ Found verified kexec boot params"
-	cp $1/kexec*.txt /tmp/kexec \
-	|| die "Failed to copy kexec boot params to tmp"
+	cp $1/kexec*.txt /tmp/kexec ||
+		die "Failed to copy kexec boot params to tmp"
 }

 # Replace a file in a ROM (add it if the file does not exist)
@ -338,8 +336,8 @@ replace_rom_file() {
 	ROM="$1"
 	ROM_FILE="$2"
 	NEW_FILE="$3"
-	
-	if (cbfs.sh -o "$ROM" -l | grep -q "$ROM_FILE") then
+
+	if (cbfs.sh -o "$ROM" -l | grep -q "$ROM_FILE"); then
 		cbfs.sh -o "$ROM" -d "$ROM_FILE"
 	fi
 	cbfs.sh -o "$ROM" -a "$ROM_FILE" -f "$NEW_FILE"
@ -352,13 +350,13 @@ replace_config() {
 	NEW_SETTING=$3

 	touch $CONFIG_FILE
-# first pull out the existing option from the global config and place in a tmp file
-	awk "gsub(\"^export ${CONFIG_OPTION}=.*\",\"export ${CONFIG_OPTION}=\\\"${NEW_SETTING}\\\"\")" /tmp/config > ${CONFIG_FILE}.tmp
-	awk "gsub(\"^${CONFIG_OPTION}=.*\",\"${CONFIG_OPTION}=\\\"${NEW_SETTING}\\\"\")" /tmp/config >> ${CONFIG_FILE}.tmp
+	# first pull out the existing option from the global config and place in a tmp file
+	awk "gsub(\"^export ${CONFIG_OPTION}=.*\",\"export ${CONFIG_OPTION}=\\\"${NEW_SETTING}\\\"\")" /tmp/config >${CONFIG_FILE}.tmp
+	awk "gsub(\"^${CONFIG_OPTION}=.*\",\"${CONFIG_OPTION}=\\\"${NEW_SETTING}\\\"\")" /tmp/config >>${CONFIG_FILE}.tmp

-# then copy any remaining settings from the existing config file, minus the option you changed
-	grep -v "^export ${CONFIG_OPTION}=" ${CONFIG_FILE} | grep -v "^${CONFIG_OPTION}=" >> ${CONFIG_FILE}.tmp || true
-  sort ${CONFIG_FILE}.tmp | uniq > ${CONFIG_FILE}
+	# then copy any remaining settings from the existing config file, minus the option you changed
+	grep -v "^export ${CONFIG_OPTION}=" ${CONFIG_FILE} | grep -v "^${CONFIG_OPTION}=" >>${CONFIG_FILE}.tmp || true
+	sort ${CONFIG_FILE}.tmp | uniq >${CONFIG_FILE}
 	rm -f ${CONFIG_FILE}.tmp
 }

@ -368,7 +366,7 @@ set_config() {
 	CONFIG_FILE="$1"
 	CONFIG_OPTION="$2"
 	NEW_SETTING="$3"
-	
+
 	if grep -q "$CONFIG_OPTION" "$CONFIG_FILE"; then
 		replace_config "$CONFIG_FILE" "$CONFIG_OPTION" "$NEW_SETTING"
 	else
@ -389,12 +387,11 @@ set_user_config() {

 # Load a config value to a variable, defaulting to empty.  Does not fail if the
 # config is not set (since it would expand to empty by default).
-load_config_value()
-{
-  local config_name="$1"
-  if grep -q "$config_name=" /tmp/config; then
-    grep "$config_name=" /tmp/config | tail -n1 | cut -f2 -d '=' | tr -d '"'
-  fi
+load_config_value() {
+	local config_name="$1"
+	if grep -q "$config_name=" /tmp/config; then
+		grep "$config_name=" /tmp/config | tail -n1 | cut -f2 -d '=' | tr -d '"'
+	fi
 }

 # Generate a secret for TPM-less HOTP by reading the ROM.  Output is the
@ -413,13 +410,12 @@ secret_from_rom_hash() {
 	sha256sum "${ROM_IMAGE}" | cut -f1 -d ' ' | fromhex_plain
 }

-update_checksums()
-{
+update_checksums() {
 	TRACE "Under /etc/functions:update_checksums"
 	# ensure /boot mounted
-	if ! grep -q /boot /proc/mounts ; then
-		mount -o ro /boot \
-		|| recovery "Unable to mount /boot"
+	if ! grep -q /boot /proc/mounts; then
+		mount -o ro /boot ||
+			recovery "Unable to mount /boot"
 	fi

 	# remount RW
@ -427,12 +423,12 @@ update_checksums()

 	# sign and auto-roll config counter
 	extparam=
-	if [ "$CONFIG_TPM" = "y" ];then
+	if [ "$CONFIG_TPM" = "y" ]; then
 		if [ "$CONFIG_IGNORE_ROLLBACK" != "y" ]; then
 			extparam=-r
 		fi
 	fi
-	if ! kexec-sign-config -p /boot -u $extparam ; then
+	if ! kexec-sign-config -p /boot -u $extparam; then
 		rv=1
 	else
 		rv=0
@ -466,15 +462,15 @@ escape_zero() {

 	echo -e -n "$prefix"
 	xxd -p -c1 | tr -d '\n' |
-	{
-		while IFS= read -r -n2 -d '' ; do
-			if [ -n "$todo" ] ; then
-				#REPLY == "  " is EOF
-				[[ "$REPLY" == "  " ]] && echo '' || echo -e -n "$todo"
-				todo=""
-			fi
+		{
+			while IFS= read -r -n2 -d ''; do
+				if [ -n "$todo" ]; then
+					#REPLY == "  " is EOF
+					[[ "$REPLY" == "  " ]] && echo '' || echo -e -n "$todo"
+					todo=""
+				fi

-			case "$REPLY" in
+				case "$REPLY" in
 				00)
 					todo="\n$prefix"
 					;;
@ -497,16 +493,16 @@ escape_zero() {
 					echo -n "$echar$echar"
 					;;
 				#interpreted characters:
-				2[0-9a-f]|3[0-9a-f]|4[0-9a-f]|5[0-9abd-f]|6[0-9a-f]|7[0-9a-e])
+				2[0-9a-f] | 3[0-9a-f] | 4[0-9a-f] | 5[0-9abd-f] | 6[0-9a-f] | 7[0-9a-e])
 					echo -e -n '\x'"$REPLY"
 					;;
 				# All others are escaped
 				*)
 					echo -n "${echar}x$REPLY"
 					;;
-			esac
-		done
-	}
+				esac
+			done
+		}
 }

 # Currently heads doesn't support signing file names with certain characters
@ -515,14 +511,14 @@ escape_zero() {
 assert_signable() {
 	TRACE "Under /etc/functions:assert_signable"
 	# ensure /boot mounted
-	if ! grep -q /boot /proc/mounts ; then
+	if ! grep -q /boot /proc/mounts; then
 		mount -o ro /boot || die "Unable to mount /boot"
 	fi

-	find /boot -print0 > /tmp/signable.ref
+	find /boot -print0 >/tmp/signable.ref
 	local del='\001-\037\134\177-\377'
-	LC_ALL=C tr -d "$del" < /tmp/signable.ref > /tmp/signable.del || die "Failed to execute tr."
-	if ! cmp -s "/tmp/signable.ref" "/tmp/signable.del" &> /dev/null ; then
+	LC_ALL=C tr -d "$del" </tmp/signable.ref >/tmp/signable.del || die "Failed to execute tr."
+	if ! cmp -s "/tmp/signable.ref" "/tmp/signable.del" &>/dev/null; then
 		local user_out="/tmp/hash_output_mismatches"
 		local add="Please investigate!"
 		[ -f "$user_out" ] && add="Please investigate the following relative paths to /boot (where # are sanitized invalid characters):"$'\n'"$(cat "$user_out")"
@ -531,8 +527,7 @@ assert_signable() {
 	rm -f /tmp/signable.*
 }

-verify_checksums()
-{
+verify_checksums() {
 	TRACE "Under /etc/functions:verify_checksums"
 	local boot_dir="$1"
 	local gui="${2:-y}"
@ -541,20 +536,20 @@ verify_checksums()
 		set +e -o pipefail
 		local ret=0
 		cd "$boot_dir" || ret=1
-		sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output || ret=1
+		sha256sum -c "$TMP_HASH_FILE" >/tmp/hash_output || ret=1

 		# also make sure that the file & directory structure didn't change
 		# (sha256sum won't detect added files)
-		print_tree > /tmp/tree_output || ret=1
-		if ! cmp -s "$TMP_TREE_FILE" /tmp/tree_output &> /dev/null ; then
+		print_tree >/tmp/tree_output || ret=1
+		if ! cmp -s "$TMP_TREE_FILE" /tmp/tree_output &>/dev/null; then
 			ret=1
 			[[ "$gui" != "y" ]] && exit "$ret"
 			# produce a diff that can safely be presented to the user
 			# this is relatively hard as file names may e.g. contain backslashes etc.,
 			# which are interpreted by whiptail, less, ...
-			escape_zero "(new) " < "$TMP_TREE_FILE" > "${TMP_TREE_FILE}.user"
-			escape_zero "(new) " < /tmp/tree_output > /tmp/tree_output.user
-			diff "${TMP_TREE_FILE}.user" /tmp/tree_output.user | grep -E '^\+\(new\).*$' | sed -r 's/^\+\(new\)/(new)/g' >> /tmp/hash_output
+			escape_zero "(new) " <"$TMP_TREE_FILE" >"${TMP_TREE_FILE}.user"
+			escape_zero "(new) " </tmp/tree_output >/tmp/tree_output.user
+			diff "${TMP_TREE_FILE}.user" /tmp/tree_output.user | grep -E '^\+\(new\).*$' | sed -r 's/^\+\(new\)/(new)/g' >>/tmp/hash_output
 			rm -f "${TMP_TREE_FILE}.user"
 			rm -f /tmp/tree_output.user
 		fi
@ -565,8 +560,7 @@ verify_checksums()

 # detect and set /boot device
 # mount /boot if successful
-detect_boot_device()
-{
+detect_boot_device() {
 	TRACE "Under /etc/functions:detect_boot_device"
 	# unmount /boot to be safe
 	cd / && umount /boot 2>/dev/null
@ -582,22 +576,22 @@ detect_boot_device()
 	fi

 	# generate list of possible boot devices
-	fdisk -l | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" > /tmp/disklist
+	fdisk -l | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" >/tmp/disklist

 	# filter out extraneous options
-	> /tmp/boot_device_list
-	for i in `cat /tmp/disklist`; do
+	>/tmp/boot_device_list
+	for i in $(cat /tmp/disklist); do
 		# remove block device from list if numeric partitions exist, since not bootable
-		DEV_NUM_PARTITIONS=$((`ls -1 $i* | wc -l`-1))
+		DEV_NUM_PARTITIONS=$(($(ls -1 $i* | wc -l) - 1))
 		if [ ${DEV_NUM_PARTITIONS} -eq 0 ]; then
-			echo $i >> /tmp/boot_device_list
+			echo $i >>/tmp/boot_device_list
 		else
-			ls $i* | tail -${DEV_NUM_PARTITIONS} >> /tmp/boot_device_list
+			ls $i* | tail -${DEV_NUM_PARTITIONS} >>/tmp/boot_device_list
 		fi
 	done

 	# iterate thru possible options and check for grub dir
-	for i in `cat /tmp/boot_device_list`; do
+	for i in $(cat /tmp/boot_device_list); do
 		umount /boot 2>/dev/null
 		if mount -o ro $i /boot >/dev/null 2>&1; then
 			if ls -d /boot/grub* >/dev/null 2>&1; then
@ -613,30 +607,28 @@ detect_boot_device()
 	return 1
 }

-scan_boot_options()
-{
+scan_boot_options() {
 	local bootdir config option_file
 	bootdir="$1"
 	config="$2"
 	option_file="$3"

 	if [ -r $option_file ]; then rm $option_file; fi
-	for i in `find $bootdir -name "$config"`; do
-		DO_WITH_DEBUG kexec-parse-boot "$bootdir" "$i" >> $option_file
+	for i in $(find $bootdir -name "$config"); do
+		DO_WITH_DEBUG kexec-parse-boot "$bootdir" "$i" >>$option_file
 	done
 	# FC29/30+ may use BLS format grub config files
 	# https://fedoraproject.org/wiki/Changes/BootLoaderSpecByDefault
 	# only parse these if $option_file is still empty
 	if [ ! -s $option_file ] && [ -d "$bootdir/loader/entries" ]; then
-		for i in `find $bootdir -name "$config"`; do
-			kexec-parse-bls "$bootdir" "$i" "$bootdir/loader/entries" >> $option_file
+		for i in $(find $bootdir -name "$config"); do
+			kexec-parse-bls "$bootdir" "$i" "$bootdir/loader/entries" >>$option_file
 		done
 	fi
 }

-calc()
-{ 
-	awk "BEGIN { print "$*" }"; 
+calc() {
+	awk "BEGIN { print "$*" }"
 }

 # truncate a file to a size only if it is longer (busybox truncate lacks '<' and
@ -665,24 +657,21 @@ fromhex_plain() {
 	fold -w 60 | xxd -p -r
 }

-print_battery_health()
-{
+print_battery_health() {
 	if [ -d /sys/class/power_supply/BAT* ]; then
-        	battery_health=$(calc $(cat /sys/class/power_supply/BAT*/charge_full)/$(cat /sys/class/power_supply/BAT*/charge_full_design)*100 | awk -F "." {'print $1'})
+		battery_health=$(calc $(cat /sys/class/power_supply/BAT*/charge_full)/$(cat /sys/class/power_supply/BAT*/charge_full_design)*100 | awk -F "." {'print $1'})
 		echo "$battery_health"
 	fi
 }

-print_battery_charge()
-{
+print_battery_charge() {
 	if [ -d /sys/class/power_supply/BAT* ]; then
-                battery_charge=$(calc $(cat /sys/class/power_supply/BAT*/charge_now)/$(cat /sys/class/power_supply/BAT*/charge_full)*100 | awk -F "." {'print $1'})
-                echo "$battery_charge"
-        fi
+		battery_charge=$(calc $(cat /sys/class/power_supply/BAT*/charge_now)/$(cat /sys/class/power_supply/BAT*/charge_full)*100 | awk -F "." {'print $1'})
+		echo "$battery_charge"
+	fi
 }

-generate_random_mac_address()
-{
+generate_random_mac_address() {
 	#Borrowed from https://stackoverflow.com/questions/42660218/bash-generate-random-mac-address-unicast
 	hexdump -n 6 -ve '1/1 "%.2x "' /dev/urandom | awk -v a="2,6,a,e" -v r="$RANDOM" 'BEGIN{srand(r);}NR==1{split(a,b,",");r=int(rand()*4+1);printf "%s%s:%s:%s:%s:%s:%s\n",substr($1,0,1),b[r],$2,$3,$4,$5,$6}'
 }
@ -713,9 +702,9 @@ run_at_exit_handlers() {
 	# Silence trace if there are no handlers, this is common and occurs a lot
 	[ "$cmd_pos" -gt 0 ] && DEBUG "Running at_exit handlers"
 	while [ "$cmd_pos" -gt 0 ]; do
-		cmd_pos="$((cmd_pos-1))"
+		cmd_pos="$((cmd_pos - 1))"
 		cmd_len="${AT_EXIT_HANDLERS[$cmd_pos]}"
-		cmd_pos="$((cmd_pos-cmd_len))"
+		cmd_pos="$((cmd_pos - cmd_len))"
 		"${AT_EXIT_HANDLERS[@]:$cmd_pos:$cmd_len}"
 	done
 }
--- a/initrd/etc/luks-functions
+++ b/initrd/etc/luks-functions
@ -301,7 +301,7 @@ while : ; do
 	if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
 		#if no external provisioning provides current Disk Recovery Key passphrase
 		whiptail --title 'Reencrypt LUKS disk encrypted container ?' \
-			--msgbox "This will replace the encrypted container content and its Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user in the\nfollowing conditions:\n 1-Every boot if no Disk unlock key was added to the TPM\n 2-If the TPM fails (Hardware failure)\n 3-If the firmware has been tampered with/upgraded/modified by the user\n\nThis process requires you to type the current Disk Recovery Key passphrase\nand will delete TPM Disk unlock key slot if setuped by setting a default boot\n LUKS header (slot 1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to\nthe LUKS device container.\n\nHit Enter to continue." 0 80
+			--msgbox "This will replace the encrypted container content and its Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user in the\nfollowing conditions:\n 1-Every boot if no Disk unlock key was added to the TPM\n 2-If the TPM fails (Hardware failure)\n 3-If the firmware has been tampered with/upgraded/modified by the user\n\nThis process requires you to type the current Disk Recovery Key passphrase\nand will delete TPM Disk unlock key slot if set up by setting a default boot\n LUKS header (slot 1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to\nthe LUKS device container.\n\nHit Enter to continue." 0 80
 		echo -e "\nEnter current Disk Recovery Key passphrase (Provisioned at OS installation or by OEM):"
 		read -r luks_current_Disk_Recovery_Key_passphrase
 		echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase