tpmr: Improve debug output, hide secrets, trim extend output more

Provide mask_param() function to uniformly mask secret parameters, while still indicating whether they are empty. Extend DO_WITH_DEBUG to allow masking a password parameter by position, using mask_param(). Move from ash_functions to functions (isn't used by ash scripts). Mask password parameters in kexec-unseal-key and tpmr seal. Use mask_param() on existing masked params in tpmr. Trim more troubleshooting output from tpm2_extend() in tpmr. Clarify tpmr kexec_finalize echo; it's the TPM's platform heirarchy, users might not know what this was referring to. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-12-19 21:17:55 +00:00 · 2023-03-07 14:00:57 -05:00 · 2023-03-07 14:00:57 -05:00 · 92a6b5410d
commit 92a6b5410d
parent 93459563d0
4 changed files with 41 additions and 17 deletions
--- a/initrd/bin/kexec-unseal-key
+++ b/initrd/bin/kexec-unseal-key
@ -32,7 +32,9 @@ for tries in 1 2 3; do
 		die "Aborting unseal disk encryption key"
 	fi

-	DO_WITH_DEBUG tpmr unseal "$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "$TPM_SIZE" "$key_file" "$tpm_password"
+	DO_WITH_DEBUG --mask-position 6 \
+		tpmr unseal "$TPM_INDEX" "sha256:0,1,2,3,4,5,6,7" "$TPM_SIZE" \
+		"$key_file" "$tpm_password"

 	if [ "$?" -eq 0 ]; then
 		exit 0
--- a/initrd/bin/tpmr
+++ b/initrd/bin/tpmr
@ -20,29 +20,23 @@ TRACE "Under /bin/tpmr"

 tpm2_extend() {
 	TRACE "Under /bin/tpmr:tpm2_extend"
-	DEBUG "value of passed arguments: $1 $2 $3 $4 $5 $6"
 	while true; do
 		case "$1" in
 			-ix)
-				DEBUG "case: -ix $2"
 				index="$2"
 				shift 2;;
 			-ic)
-				DEBUG "case: -ic $2"
 				hash="`echo $2|sha256sum|cut -d' ' -f1`"
 				shift 2;;
 			-if)
-				DEBUG "case: -if $2"
 				hash="`sha256sum $2|cut -d' ' -f1`"
 				shift 2;;
 			*)
 				break;;
 		esac
 	done
-	DEBUG "tpm2 pcrextend $index:sha256=$hash"
 	tpm2 pcrextend "$index:sha256=$hash"
-	DEBUG "tpm2 pcread sha256:$index"
-	tpm2 pcrread "sha256:$index"
+	DO_WITH_DEBUG tpm2 pcrread "sha256:$index"
 }

 tpm2_counter_read() {
@ -159,7 +153,7 @@ tpm2_seal() {
 	mkdir -p "$SECRET_DIR"
 	bname="`basename $file`"

-	DEBUG "tpm2_seal: file=$file handle=$handle pcrl=$pcrl pcrf=$pcrf pass=$([ "$pass" ] && echo "<yes>" || echo "<no>")"
+	DEBUG "tpm2_seal: file=$file handle=$handle pcrl=$pcrl pcrf=$pcrf pass=$(mask_param "$pass")"

 	# Create a policy requiring both PCRs and the object's authentication
 	# value using a trial session.
@ -206,7 +200,9 @@ tpm2_seal() {
 	echo # new line after password prompt
 	# remove possible data occupying this handle
 	tpm2 evictcontrol -Q -C o -P "$key_password" -c "$handle" 2>/dev/null || true
-	DO_WITH_DEBUG tpm2 evictcontrol -Q -C o -P "$key_password" -c "$SECRET_DIR/$bname.seal.ctx" "$handle"
+	DO_WITH_DEBUG --mask-position 6 \
+		tpm2 evictcontrol -Q -C o -P "$key_password" \
+		-c "$SECRET_DIR/$bname.seal.ctx" "$handle"
 }

 # Unseal a file sealed by tpm2_seal.  The PCR list must be provided, the
@ -226,7 +222,7 @@ tpm2_unseal() {
 	# Pad with up to 6 zeros, i.e. '0x81000001', '0x81001234', etc.
 	handle="$(printf "0x81%6s" "$index" | tr ' ' 0)"

-	DEBUG "tpm2_unseal: handle=$handle pcrl=$pcrl file=$file pass=$([ "$pass" ] && echo "<yes>" || echo "<no>")"
+	DEBUG "tpm2_unseal: handle=$handle pcrl=$pcrl file=$file pass=$(mask_param "$pass")"

 	# If we don't have the primary handle (TPM hasn't been reset), tpm2 will
 	# print nonsense error messages about an unexpected handle value.  We
@ -285,7 +281,7 @@ tpm2_kexec_finalize() {
 	# Add a random passphrase to platform hierarchy to prevent TPM2 from
 	# being cleared in the OS.
 	# This passphrase is only effective before the next boot.
-	echo "Locking platform hierarchy..."
+	echo "Locking TPM2 platform hierarchy..."
 	randpass=$(dd if=/dev/urandom bs=4 count=1 | xxd -p)
 	tpm2 changeauth -c platform "$randpass" \
 		|| warn "Failed to lock platform hierarchy of TPM2!"
--- a/initrd/etc/ash_functions
+++ b/initrd/etc/ash_functions
@ -20,11 +20,6 @@ DEBUG() {
 	fi
 }

-DO_WITH_DEBUG() {
-	DEBUG "$@"
-	"$@"
-}
-
 TRACE() {
        if [ "$CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" = "y" ];then
                echo "TRACE: $*" | tee -a /tmp/debug.log >&2;
--- a/initrd/etc/functions
+++ b/initrd/etc/functions
@ -2,6 +2,37 @@
 # Shell functions for most initialization scripts
 . /etc/ash_functions

+# Print <hidden> or <empty> depending on whether $1 is empty.  Useful to mask an
+# optional password parameter.
+mask_param() {
+	if [ -z "$1" ]; then
+		echo "<empty>"
+	else
+		echo "<hidden>"
+	fi
+}
+
+# Trace a command with DEBUG, then execute it.
+# A password parameter can be masked by passing --mask-position N before the
+# command to execute, the debug trace will just indicate whether the password
+# was empty or nonempty (which is important when use of a password is optional).
+# N=0 is the name of the command to be executed, N=1 is its first parameter,
+# etc.
+DO_WITH_DEBUG() {
+	if [ "$1" == "--mask-position" ]; then
+		mask_position="$2"
+		shift
+		shift
+		DEBUG_ARGS=("$@")
+
+		DEBUG_ARGS[$mask_position]="$(mask_param "${DEBUG_ARGS[$mask_position]}")"
+		DEBUG "${DEBUG_ARGS[@]}"
+	else
+		DEBUG "$@"
+	fi
+	"$@"
+}
+
 recovery() {
 	TRACE "Under /etc/functions:recovery"
 	echo >&2 "!!!!! $*"