ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2025-02-14 06:31:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

BUGFIX: replace direct calls from LOG to INFO, so that only DO_WITH_DEBUG uses LOG. INFO manages console output to log or console

Browse Source 
Quiet mode introduced output reduction to console to limit technical info provided to end users.
Previous informational output (previous default) now outputs this now considered additional information through INFO() calls, which either outputs to console, or debug.log
Only DO_WITH_DEBUG should call LOG directly, so that stderr+stdout output is prepended with LOG into debug.log

This fixes previous implementation which called LOG in DO_WITH_DEBUG calls and modified expected output to files, which was observed by @3hhh in output of GRUB entries when selecting boot option.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This commit is contained in:
Thierry Laurion 2025-01-13 10:57:34 -05:00
parent 8f7b1c4128
commit 930d3e6114
No known key found for this signature in database
GPG Key ID: 9A53E1BB3FF00461
9 changed files with 112 additions and 108 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
initrd/bin/cbfs-init
View File

@ -24,12 +24,12 @@ for cbfsname in `echo $cbfsfiles`; do
if [ ! -z "$filename" ]; then if [ ! -z "$filename" ]; then
mkdir -p `dirname $filename` \ mkdir -p `dirname $filename` \
|| die "$filename: mkdir failed" || die "$filename: mkdir failed"
LOG "Extracting CBFS file $cbfsname into $filename" INFO "Extracting CBFS file $cbfsname into $filename"
cbfs -t 50 $CBFS_ARG -r $cbfsname > "$filename" \ cbfs -t 50 $CBFS_ARG -r $cbfsname > "$filename" \
|| die "$filename: cbfs file read failed" || die "$filename: cbfs file read failed"
if [ "$CONFIG_TPM" = "y" ]; then if [ "$CONFIG_TPM" = "y" ]; then
TRACE_FUNC TRACE_FUNC
LOG "TPM: Extending PCR[$CONFIG_PCR] with filename $filename and then its content" INFO "TPM: Extending PCR[$CONFIG_PCR] with filename $filename and then its content"
# Measure both the filename and its content. This # Measure both the filename and its content. This
# ensures that renaming files or pivoting file content # ensures that renaming files or pivoting file content
# will still affect the resulting PCR measurement. # will still affect the resulting PCR measurement.

2
initrd/bin/gui-init
View File

@ -553,7 +553,7 @@ reset_tpm() {
mount -o rw,remount /boot mount -o rw,remount /boot
#TODO: this is really problematic, we should really remove the primary handle hash #TODO: this is really problematic, we should really remove the primary handle hash
LOG "Removing rollback and primary handle hash under /boot" INFO "Removing rollback and primary handle hash under /boot"
rm -f /boot/kexec_rollback.txt rm -f /boot/kexec_rollback.txt
rm -f /boot/kexec_primhdl_hash.txt rm -f /boot/kexec_primhdl_hash.txt

2
initrd/bin/kexec-insert-key
View File

@ -66,7 +66,7 @@ fi
# Override PCR 4 so that user can't read the key # Override PCR 4 so that user can't read the key
TRACE_FUNC TRACE_FUNC
LOG "TPM: Extending PCR[4] to prevent any future secret unsealing" INFO "TPM: Extending PCR[4] to prevent any future secret unsealing"
tpmr extend -ix 4 -ic generic || tpmr extend -ix 4 -ic generic ||
die 'Unable to scramble PCR' die 'Unable to scramble PCR'

10
initrd/bin/kexec-select-boot
View File

@ -82,10 +82,10 @@ if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
fi fi
verify_global_hashes() { verify_global_hashes() {
LOG "+++ Checking verified boot hash file " INFO "+++ Checking verified boot hash file "
# Check the hashes of all the files # Check the hashes of all the files
if verify_checksums "$bootdir" "$gui_menu"; then if verify_checksums "$bootdir" "$gui_menu"; then
LOG "+++ Verified boot hashes " INFO "+++ Verified boot hashes "
valid_hash='y' valid_hash='y'
valid_global_hash='y' valid_global_hash='y'
else else
@ -208,7 +208,7 @@ parse_option() {
} }
scan_options() { scan_options() {
LOG "+++ Scanning for unsigned boot options" INFO "+++ Scanning for unsigned boot options"
option_file="/tmp/kexec_options.txt" option_file="/tmp/kexec_options.txt"
scan_boot_options "$bootdir" "$config" "$option_file" scan_boot_options "$bootdir" "$config" "$option_file"
if [ ! -s $option_file ]; then if [ ! -s $option_file ]; then
@ -272,7 +272,7 @@ default_select() {
if [ "$CONFIG_BASIC" != "y" ]; then if [ "$CONFIG_BASIC" != "y" ]; then
# Enforce that default option hashes are valid # Enforce that default option hashes are valid
LOG "+++ Checking verified default boot hash file " INFO "+++ Checking verified default boot hash file "
# Check the hashes of all the files # Check the hashes of all the files
if (cd $bootdir && sha256sum -c "$TMP_DEFAULT_HASH_FILE" >/tmp/hash_output); then if (cd $bootdir && sha256sum -c "$TMP_DEFAULT_HASH_FILE" >/tmp/hash_output); then
echo "+++ Verified default boot hashes " echo "+++ Verified default boot hashes "
@ -390,7 +390,7 @@ while true; do
if [ ! -r "$TMP_KEY_DEVICES" ]; then if [ ! -r "$TMP_KEY_DEVICES" ]; then
# Extend PCR4 as soon as possible # Extend PCR4 as soon as possible
TRACE_FUNC TRACE_FUNC
LOG "TPM: Extending PCR[4] to prevent further secret unsealing" INFO "TPM: Extending PCR[4] to prevent further secret unsealing"
tpmr extend -ix 4 -ic generic || tpmr extend -ix 4 -ic generic ||
die "Failed to extend TPM PCR[4]" die "Failed to extend TPM PCR[4]"
fi fi

2
initrd/bin/qubes-measure-luks
View File

@ -20,6 +20,6 @@ DEBUG "Removing /tmp/lukshdr-*"
rm /tmp/lukshdr-* rm /tmp/lukshdr-*
TRACE_FUNC TRACE_FUNC
LOG "TPM: Extending PCR[6] with hash of LUKS headers from /tmp/luksDump.txt" INFO "TPM: Extending PCR[6] with hash of LUKS headers from /tmp/luksDump.txt"
tpmr extend -ix 6 -if /tmp/luksDump.txt || tpmr extend -ix 6 -if /tmp/luksDump.txt ||
die "Unable to extend PCR" die "Unable to extend PCR"

8
initrd/bin/tpmr
View File

@ -257,7 +257,7 @@ tpm2_extend() {
esac esac
done done
tpm2 pcrextend "$index:sha256=$hash" tpm2 pcrextend "$index:sha256=$hash"
LOG $(tpm2 pcrread "sha256:$index" 2>&1) INFO $(tpm2 pcrread "sha256:$index" 2>&1)
TRACE_FUNC TRACE_FUNC
DEBUG "TPM: Extended PCR[$index] with hash $hash" DEBUG "TPM: Extended PCR[$index] with hash $hash"
@ -614,7 +614,7 @@ tpm2_unseal() {
# stderr; capture stderr to log. # stderr; capture stderr to log.
if ! tpm2 unseal -Q -c "$handle" -p "session:$POLICY_SESSION$UNSEAL_PASS_SUFFIX" \ if ! tpm2 unseal -Q -c "$handle" -p "session:$POLICY_SESSION$UNSEAL_PASS_SUFFIX" \
-S "$ENC_SESSION_FILE" >"$file" 2> >(SINK_LOG "tpm2 stderr"); then -S "$ENC_SESSION_FILE" >"$file" 2> >(SINK_LOG "tpm2 stderr"); then
LOG "Unable to unseal secret from TPM NVRAM" INFO "Unable to unseal secret from TPM NVRAM"
# should succeed, exit if it doesn't # should succeed, exit if it doesn't
exit 1 exit 1
@ -800,7 +800,7 @@ if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
fi fi
TRACE_FUNC TRACE_FUNC
LOG "TPM: Extending PCR[$3] with hash $hash" INFO "TPM: Extending PCR[$3] with hash $hash"
# Silence stdout/stderr, they're only useful for debugging # Silence stdout/stderr, they're only useful for debugging
# and DO_WITH_DEBUG captures them # and DO_WITH_DEBUG captures them
@ -845,7 +845,7 @@ calcfuturepcr)
;; ;;
extend) extend)
TRACE_FUNC TRACE_FUNC
LOG "TPM: Extending PCR[$2] with $4" INFO "TPM: Extending PCR[$2] with $4"
tpm2_extend "$@" tpm2_extend "$@"
;; ;;
counter_read) counter_read)

82
initrd/etc/functions
View File

@ -4,21 +4,21 @@
die() { die() {
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
echo -e " !!! ERROR: $* !!!" | tee -a /tmp/debug.log /dev/kmsg > /dev/null; echo -e " !!! ERROR: $* !!!" | tee -a /tmp/debug.log /dev/kmsg >/dev/null
else else
echo -e >&2 "!!! ERROR: $* !!!"; echo -e "!!! ERROR: $* !!!" >&2
fi fi
sleep 2; sleep 2
exit 1; exit 1
} }
warn() { warn() {
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
echo -e " *** WARNING: $* ***" | tee -a /tmp/debug.log /dev/kmsg > /dev/null; echo -e " *** WARNING: $* ***" | tee -a /tmp/debug.log /dev/kmsg >/dev/null
else else
echo -e >&2 " *** WARNING: $* ***"; echo -e " *** WARNING: $* ***" >&2
fi fi
sleep 1; sleep 1
} }
DEBUG() { DEBUG() {
@ -32,22 +32,28 @@ DEBUG() {
TRACE() { TRACE() {
if [ "$CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" = "y" ]; then if [ "$CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" = "y" ]; then
echo "TRACE: $*" | tee -a /tmp/debug.log /dev/kmsg > /dev/null; echo "TRACE: $*" | tee -a /tmp/debug.log /dev/kmsg >/dev/null
fi
}
# Function to manage information output level to the console/debug.log
INFO() {
#TODO: add colors to output, here green for INFO?
# if not CONFIG_QUIET_MODE=y, output to console. If not, output to debug.log
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
echo "$*" | tee -a /tmp/debug.log /dev/kmsg >/dev/null
elif [ "$CONFIG_QUIET_MODE" = "y" ]; then
echo "$*" >>/tmp/debug.log
else
echo "$*"
fi fi
} }
# Write directly to the debug log (but not kmsg), never appears on console # Write directly to the debug log (but not kmsg), never appears on console
# Main consumer is DO_WITH_DEBUG, which uses this to log command output
LOG() { LOG() {
# if not CONFIG_QUIET_MODE=y, output to console. If not, output to debug.log echo "LOG: $*" >>/tmp/debug.log
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
DEBUG "$*"
elif [ "$CONFIG_QUIET_MODE" = "y" ]; then
# if in quiet mode, output solely to debug.log
echo "$*" >> /tmp/debug.log
else
# if not in quiet mode, output to console
echo "$*"
fi
} }
fw_version() { fw_version() {
@ -59,16 +65,16 @@ fw_version() {
preserve_rom() { preserve_rom() {
TRACE_FUNC TRACE_FUNC
new_rom="$1" new_rom="$1"
old_files=`cbfs -t 50 -l 2>/dev/null | grep "^heads/"` old_files=$(cbfs -t 50 -l 2>/dev/null | grep "^heads/")
for old_file in `echo $old_files`; do for old_file in $(echo $old_files); do
new_file=`cbfs.sh -o $1 -l | grep -x $old_file` new_file=$(cbfs.sh -o $1 -l | grep -x $old_file)
if [ -z "$new_file" ]; then if [ -z "$new_file" ]; then
echo "+++ Adding $old_file to $1" echo "+++ Adding $old_file to $1"
cbfs -t 50 -r $old_file >/tmp/rom.$$ \ cbfs -t 50 -r $old_file >/tmp/rom.$$ ||
|| die "Failed to read cbfs file from ROM" die "Failed to read cbfs file from ROM"
cbfs.sh -o $1 -a $old_file -f /tmp/rom.$$ \ cbfs.sh -o $1 -a $old_file -f /tmp/rom.$$ ||
|| die "Failed to write cbfs file to new ROM file" die "Failed to write cbfs file to new ROM file"
fi fi
done done
} }
@ -80,7 +86,6 @@ confirm_gpg_card() {
#TODO: or ask GPG user PIN once and cache it for the rest of the boot session for reusal #TODO: or ask GPG user PIN once and cache it for the rest of the boot session for reusal
# This is getting in the way of unattended stuff and GPG prompts are confusing anyway, hide them from user. # This is getting in the way of unattended stuff and GPG prompts are confusing anyway, hide them from user.
TRACE_FUNC TRACE_FUNC
#Skip prompts if we are currently using a known GPG key material Thumb drive backup and keys are unlocked pinentry #Skip prompts if we are currently using a known GPG key material Thumb drive backup and keys are unlocked pinentry
#TODO: probably export CONFIG_GPG_KEY_BACKUP_IN_USE but not under /etc/user.config? #TODO: probably export CONFIG_GPG_KEY_BACKUP_IN_USE but not under /etc/user.config?
@ -141,8 +146,8 @@ confirm_gpg_card() {
gpg --pinentry-mode=loopback --passphrase-file <(echo -n "${gpg_admin_pin}") --detach-sign "$CR_NONCE" >/dev/null 2>&1 || gpg --pinentry-mode=loopback --passphrase-file <(echo -n "${gpg_admin_pin}") --detach-sign "$CR_NONCE" >/dev/null 2>&1 ||
die "Unable to detach-sign $CR_NONCE with GPG private signing subkey using GPG Admin PIN" die "Unable to detach-sign $CR_NONCE with GPG private signing subkey using GPG Admin PIN"
#verify detached signature against public key in rom #verify detached signature against public key in rom
gpg --verify "$CR_SIG" "$CR_NONCE" > /dev/null 2>&1 && \ gpg --verify "$CR_SIG" "$CR_NONCE" >/dev/null 2>&1 &&
echo "++++ Local GPG keyring can be used to sign/encrypt/authenticate in this boot session ++++" || \ echo "++++ Local GPG keyring can be used to sign/encrypt/authenticate in this boot session ++++" ||
die "Unable to verify $CR_SIG detached signature against public key in ROM" die "Unable to verify $CR_SIG detached signature against public key in ROM"
#Wipe any previous CR_NONCE and CR_SIG #Wipe any previous CR_NONCE and CR_SIG
shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" >/dev/null 2>&1 || true shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" >/dev/null 2>&1 || true
@ -222,16 +227,16 @@ gpg_auth() {
of="$CR_NONCE" \ of="$CR_NONCE" \
count=1 \ count=1 \
bs=20 \ bs=20 \
2>/dev/null \ 2>/dev/null ||
|| die "Unable to generate 20 random bytes" die "Unable to generate 20 random bytes"
# Sign the nonce # Sign the nonce
for tries in 1 2 3; do for tries in 1 2 3; do
if gpg --digest-algo SHA256 \ if gpg --digest-algo SHA256 \
--detach-sign \ --detach-sign \
-o "$CR_SIG" \ -o "$CR_SIG" \
"$CR_NONCE" > /dev/null 2>&1 \ "$CR_NONCE" >/dev/null 2>&1 &&
&& gpg --verify "$CR_SIG" "$CR_NONCE" > /dev/null 2>&1 \ gpg --verify "$CR_SIG" "$CR_NONCE" >/dev/null 2>&1 \
; then ; then
shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" 2>/dev/null || true shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" 2>/dev/null || true
DEBUG "Under /etc/ash_functions:gpg_auth: success" DEBUG "Under /etc/ash_functions:gpg_auth: success"
@ -269,7 +274,7 @@ recovery() {
DEBUG "Board $CONFIG_BOARD - version $(fw_version)" DEBUG "Board $CONFIG_BOARD - version $(fw_version)"
if [ "$CONFIG_TPM" = "y" ]; then if [ "$CONFIG_TPM" = "y" ]; then
LOG "TPM: Extending PCR[4] to prevent any further secret unsealing" INFO "TPM: Extending PCR[4] to prevent any further secret unsealing"
tpmr extend -ix 4 -ic recovery tpmr extend -ix 4 -ic recovery
fi fi
@ -278,8 +283,7 @@ recovery() {
sleep 5 sleep 5
/bin/reboot /bin/reboot
fi fi
while [ true ] while [ true ]; do
do
#Going to recovery shell should be authenticated if supported #Going to recovery shell should be authenticated if supported
gpg_auth gpg_auth
@ -356,8 +360,7 @@ load_config_value() {
fi fi
} }
enable_usb() enable_usb() {
{
TRACE_FUNC TRACE_FUNC
#insmod ehci_hcd prior of uhdc_hcd and ohci_hcd to suppress dmesg warning #insmod ehci_hcd prior of uhdc_hcd and ohci_hcd to suppress dmesg warning
insmod /lib/modules/ehci-hcd.ko || die "ehci_hcd: module load failed" insmod /lib/modules/ehci-hcd.ko || die "ehci_hcd: module load failed"
@ -385,7 +388,6 @@ enable_usb()
# ------- End of functions coming from /etc/ash_functions # ------- End of functions coming from /etc/ash_functions
# Print <hidden> or <empty> depending on whether $1 is empty. Useful to mask an # Print <hidden> or <empty> depending on whether $1 is empty. Useful to mask an
# optional password parameter. # optional password parameter.
mask_param() { mask_param() {
@ -761,7 +763,7 @@ check_tpm_counter() {
if [ -r "$1" ]; then if [ -r "$1" ]; then
TPM_COUNTER=$(grep counter- "$1" | cut -d- -f2) TPM_COUNTER=$(grep counter- "$1" | cut -d- -f2)
else else
LOG "$1 does not exist; creating new TPM counter" INFO "$1 does not exist; creating new TPM counter"
tpmr counter_create \ tpmr counter_create \
-pwdc '' \ -pwdc '' \
-la $LABEL | -la $LABEL |
@ -816,7 +818,7 @@ check_config() {
fi fi
fi fi
LOG "+++ Found verified kexec boot params" INFO "+++ Found verified kexec boot params"
cp $1/kexec*.txt /tmp/kexec || cp $1/kexec*.txt /tmp/kexec ||
die "Failed to copy kexec boot params to tmp" die "Failed to copy kexec boot params to tmp"
} }

2
initrd/init
View File

@ -98,9 +98,11 @@ if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
#Output all kernel messages to console (8=debug) #Output all kernel messages to console (8=debug)
#DEBUG and TRACE calls will be in dmesg and on console #DEBUG and TRACE calls will be in dmesg and on console
# config.user extracted and combined from CBFS had CONFIG_DEBUG_OUTPUT=y # config.user extracted and combined from CBFS had CONFIG_DEBUG_OUTPUT=y
# DO_WITH_DEBUG redirects stderr and stdout to /tmp/debug.log to not clog console
TRACE_FUNC TRACE_FUNC
dmesg -n 8 dmesg -n 8
DEBUG "Full debug output enabled from this point: output both in dmesg and on console (equivalent of passing debug to kernel cmdline)" DEBUG "Full debug output enabled from this point: output both in dmesg and on console (equivalent of passing debug to kernel cmdline)"
DEBUG "NOTE: DO_WITH_DEBUG std_err and std_out will be redirected to /tmp/debug.log"
fi fi
# report if we are in quiet mode, tell user measurements logs available under /tmp/debug.log # report if we are in quiet mode, tell user measurements logs available under /tmp/debug.log

6
initrd/sbin/insmod
View File

@ -39,19 +39,19 @@ if [ ! -r /sys/class/tpm/tpm0/pcrs -o ! -x /bin/tpm ]; then
fi fi
if [ -z "$tpm_missing" ]; then if [ -z "$tpm_missing" ]; then
LOG "TPM: Extending PCR[$MODULE_PCR] with $MODULE and parameters '$*' before loading" INFO "TPM: Extending PCR[$MODULE_PCR] with $MODULE and parameters '$*' before loading"
# Extend with the module parameters (even if they are empty) and the # Extend with the module parameters (even if they are empty) and the
# module. Changing the parameters or the module content will result in a # module. Changing the parameters or the module content will result in a
# different PCR measurement. # different PCR measurement.
if [ -n "$*" ]; then if [ -n "$*" ]; then
TRACE_FUNC TRACE_FUNC
LOG "Extending with module parameters and the module's content" INFO "Extending with module parameters and the module's content"
tpmr extend -ix "$MODULE_PCR" -ic "$*" tpmr extend -ix "$MODULE_PCR" -ic "$*"
tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \ tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \
|| die "$MODULE: tpm extend failed" || die "$MODULE: tpm extend failed"
else else
TRACE_FUNC TRACE_FUNC
LOG "No module parameters, extending only with the module's content" INFO "No module parameters, extending only with the module's content"
tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \ tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \
|| die "$MODULE: tpm extend failed" || die "$MODULE: tpm extend failed"
fi fi