tpmr: Add seal/unseal debug tracing

Trace parameters to seal/unseal and some key tpm2 invocations.  Trace
invocation of tpmr seal/unseal for disk unlock key.

Add DO_WITH_DEBUG() to trace a command and parameters, then execute it.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Jonathon Hall 2023-02-24 16:45:41 -05:00
parent e6acaad215
commit 8bf5415e79
No known key found for this signature in database
GPG Key ID: 1E9C3CA91AE25114
4 changed files with 13 additions and 4 deletions


@ -191,7 +191,7 @@ elif [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
# We take into consideration user files in cbfs
DEBUG "tpm2 pcrread -o /dev/stderr sha256:7 2>&1 >/dev/console | cat >> "$pcrf""
tpm2 pcrread -o /dev/stderr sha256:7 2>&1 >/dev/console | cat >> "$pcrf"
DEBUG "tpmr seal "$KEY_FILE" "0x8100000$TPM_INDEX" sha256:0,1,2,3,4,5,6,7 "$pcrf" "$key_password""
DEBUG "tpmr seal $KEY_FILE 0x8100000$TPM_INDEX sha256:0,1,2,3,4,5,6,7 $pcrf <password>"
tpmr seal "$KEY_FILE" "0x8100000$TPM_INDEX" sha256:0,1,2,3,4,5,6,7 "$pcrf" "$key_password"
if [ $? -eq 0 ]; then
# should be okay if this fails
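Review bot: The new trace on the `DEBUG "tpmr seal ... <password>"` line is a hand-maintained copy of the command on the next line, and nothing says why the new DO_WITH_DEBUG helper is not used here; a reader will "simplify" it to `DO_WITH_DEBUG tpmr seal ...` and put `$key_password` into the log. Add a comment above it such as `# Trace by hand, not DO_WITH_DEBUG: the last argument is the sealing password and must stay out of the log` so the redaction survives the next edit. The enclosing `elif` branch starts outside the hunk.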


@ -44,7 +44,7 @@ for tries in 1 2 3; do
unseal_result=1
if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
tpmr unseal "0x8100000$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "$key_file" "$tpm_password"
DO_WITH_DEBUG tpmr unseal "0x8100000$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "$key_file" "$tpm_password"
unseal_result="$?"
else
tpm unsealfile \
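Review bot: The added `DO_WITH_DEBUG tpmr unseal ... "$key_file" "$tpm_password"` line passes the disk-unlock TPM password through DEBUG, so the cleartext password is traced along with the rest of the argument list, whereas the seal side of this commit deliberately writes `<password>` in its hand-built trace string; the same applies to the `DO_WITH_DEBUG tpm2 evictcontrol -Q -C o -P "$key_password" ...` line in tpmr, which traces the owner password. Match the seal side instead: `DEBUG "tpmr unseal 0x8100000$TPM_INDEX sha256:0,1,2,3,4,5,6,7 $key_file <password>"` followed by the plain `tpmr unseal "0x8100000$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "$key_file" "$tpm_password"`, keeping `unseal_result="$?"` directly after it. DEBUG's body is not in this diff; if it appends to /tmp/debug.log the way the adjacent TRACE does, the password would persist on disk for as long as that file does.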


@ -162,6 +162,8 @@ tpm2_sealfile() {
mkdir -p "$SECRET_DIR"
bname="`basename $file`"
DEBUG "tpm2_sealfile: file=$file handle=$handle pcrl=$pcrl pcrf=$pcrf pass=$([ "$pass" ] && echo "<yes>" || echo "<no>")"
# Create a policy requiring both PCRs and the object's authentication
# value using a trial session.
TRIAL_SESSION=/tmp/sealfile_trial.session
@ -209,19 +211,21 @@ tpm2_sealfile() {
echo # new line after password prompt
# remove possible data occupying this handle
tpm2 evictcontrol -Q -C o -P "$key_password" -c "$handle" 2>/dev/null || true
tpm2 evictcontrol -Q -C o -P "$key_password" -c "$SECRET_DIR/$bname.seal.ctx" "$handle"
DO_WITH_DEBUG tpm2 evictcontrol -Q -C o -P "$key_password" -c "$SECRET_DIR/$bname.seal.ctx" "$handle"
}
# Unseal a file sealed by tpm2_sealfile. The PCR list must be provided, the
# password must be provided if one was used to seal (and cannot be provided if
# no password was used to seal).
tpm2_unsealfile() {
TRACE "Under /bin/tpmr:tpm2_unseal"
TRACE "Under /bin/tpmr:tpm2_unsealfile"
handle="$1"
pcrl="$2"
file="$3"
pass="$4"
DEBUG "tpm2_unsealfile: handle=$handle pcrl=$pcrl file=$file pass=$([ "$pass" ] && echo "<yes>" || echo "<no>")"
POLICY_SESSION=/tmp/unsealfile_policy.session
rm -f "$POLICY_SESSION"
tpm2 startauthsession -Q -g sha256 -c "/tmp/$PRIMARY_HANDLE_FILE" -S "$POLICY_SESSION" --policy-session


@ -18,6 +18,11 @@ DEBUG() {
fi
}
DO_WITH_DEBUG() {
DEBUG "$@"
"$@"
}
TRACE() {
if [ "$CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" = "y" ];then
echo "TRACE: $*" | tee -a /tmp/debug.log >&2;
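Review bot: `DO_WITH_DEBUG` has no header comment, and its one non-obvious property is that it logs the entire argument list before running it, so any secret passed on the command line ends up in the trace; callers in this same commit already use it that way. Add above the function `# Trace a command and all its arguments via DEBUG, then run it; the exit status is the command's.` and `# Do not use for commands that take a secret as an argument (passwords, auth values): build a redacted DEBUG string and run the command directly instead.` It is also worth stating that `"$@"` is intentionally the last statement so `$?` at the call site reflects the wrapped command, which the unseal caller relies on. DEBUG's body and the rest of TRACE lie outside the hunk.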