Remove TODO in code that were not relevant prior of first review

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Thierry Laurion 2023-10-30 14:01:37 -04:00
parent ad1bff6b23
commit a3086e9a1c
No known key found for this signature in database
GPG Key ID: E7B4A71658E36A93
9 changed files with 10 additions and 17 deletions


@ -11,7 +11,7 @@ export CONFIG_LINUX_VERSION=5.10.5
#export CONFIG_BASIC=y
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
export CONFIG_HAVE_GPG_KEY_BACKUP=y
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
#export CONFIG_DEBUG_OUTPUT=y


@ -10,9 +10,12 @@ export CONFIG_LINUX_VERSION=5.10.5
#export CONFIG_RESTRICTED_BOOT=y
#export CONFIG_BASIC=y
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=y
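Review bot: `export CONFIG_TPM2_CAPTURE_PCAP=y` stays active at the end of this section while the debug and function-tracing exports just above it are commented out, so the TPM2 capture written under /tmp remains enabled in this config. A capture of TPM traffic may contain sensitive command data, so it deserves the same treatment as the debug options this commit disables. If the capture is meant for testing only, which the QEMU remark in the comment above suggests but this page does not confirm, say so next to the export, for example `#Test-only: TPM2 traffic capture under /tmp, keep disabled on real hardware`. The same export also remains enabled in the later config section that comments out CONFIG_DEBUG_OUTPUT and CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT.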


@ -11,7 +11,6 @@ export CONFIG_LINUX_VERSION=5.10.5
#export CONFIG_BASIC=y
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#TODO: comment following line prior of pushing final version
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output


@ -11,11 +11,11 @@ export CONFIG_LINUX_VERSION=5.10.5
#export CONFIG_BASIC=y
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
export CONFIG_HAVE_GPG_KEY_BACKUP=y
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=y


@ -92,7 +92,6 @@ if [ "$unseal_failed" = "n" ]; then
done
else
# No crypttab files were found under selected default boot option's initrd file
# TODO: cpio -t is unfit here :( it just extracts early cpio header and not the whole file. Replace with something else
# Meanwhile, force crypttab to be created from scratch on both possible locations: /etc/crypttab and /cryptroot/crypttab
crypttab_files="etc/crypttab cryptroot/crypttab"
for crypttab_file in $crypttab_files; do


@ -42,7 +42,6 @@ DEBUG "kexec-save-key prior of last override: paramsdir: $paramsdir, paramsdev:
if [ -n "$lvm_volume_group" ]; then
lvm vgchange -a y $lvm_volume_group ||
die "Failed to activate the LVM group"
#TODO: why reuse key_devices for lvm devices?
for dev in /dev/$lvm_volume_group/*; do
key_devices="$key_devices $dev"
done


@ -135,10 +135,6 @@ tpmr calcfuturepcr 6 "/tmp/luksDump.txt" >>"$pcrf"
# We take into consideration user files in cbfs
tpmr pcrread -a 7 "$pcrf"
DEBUG "TODO: REMOVE THIS: key_password=$key_password here"
DEBUG "TODO: REMOVE THIS: content of /tmp/secret/tpm_owner_password: $(cat /tmp/secret/tpm_owner_password) here"
DO_WITH_DEBUG --mask-position 7 \
tpmr seal "$KEY_FILE" "$TPM_INDEX" 0,1,2,3,4,5,6,7 "$pcrf" \
"$TPM_SIZE" "$key_password" || {


@ -819,8 +819,7 @@ $TPM_STR
fi
# We show current integrity measurements status and time
#TODO: readd prior of PR review request. Also make sure that check_config is called to check kexec.sig (detached signature validation)
#report_integrity_measurements
report_integrity_measurements
# Determine gpg algorithm to be used, based on available usb-token
usb_security_token_capabilities_check
@ -872,7 +871,6 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
fi
CUSTOM_PASS_AFFECTED_COMPONENTS="\n"
# TODO: add LUKS container passphrase = ADMIN_PIN in security components provisioned
# Adapt message to be given to user in terms of security components that will be applied.
if [ -n "$luks_new_Disk_Recovery_Key_passphrase_desired" -o -n "$luks_new_Disk_Recovery_Key_passphrase" ]; then
CUSTOM_PASS_AFFECTED_COMPONENTS+="LUKS Disk Recovery Key passphrase\n"
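Review bot: The TODO removed in the first hunk of this section had two parts, and only the first is visibly handled: `report_integrity_measurements` is called again, but nothing in the visible lines shows that `check_config` is invoked to validate the detached signature kexec.sig. If that validation already happens inside `report_integrity_measurements` or elsewhere, a short comment such as `# kexec.sig detached signature is validated by <function> before measurements are reported` would keep the reasoning. Otherwise the second half of the TODO should stay until the check is added. The enclosing block starts and ends outside the hunk, so this is based on the visible lines only.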


@ -205,7 +205,6 @@ prompt_tpm_owner_password() {
fi
read -s -p "TPM Owner Password: " tpm_owner_password
#TODO: This function is called for both owner and TPM sealing calls. We should probably have a different prompt for each
echo # new line after password prompt
# Cache the password externally to be reused by who needs it