init+cbfs-init: refactor and explain why quiet mode cannot suppress measurements of cbfs-init extracted+measured TPM stuff if not in board config

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This commit is contained in:
Thierry Laurion 2024-12-16 13:28:34 -05:00
parent 08f52af033
commit b5c24f2447
No known key found for this signature in database
GPG Key ID: 9A53E1BB3FF00461
2 changed files with 75 additions and 77 deletions


@ -2,6 +2,13 @@
set -e -o pipefail set -e -o pipefail
. /etc/functions . /etc/functions
# CBFS extraction and measurement
# This extraction and measurement cannot be suppressed by quiet mode, since
# config.user is not yet loaded at this point.
# To suppress this output, set CONFIG_QUIET_MODE=y needs be be set in /etc/config
# which is defined at buiid time under board configuration file to be part of initrd.cpio
# This script is called from initrd/init
TRACE_FUNC TRACE_FUNC
# Update initrd with CBFS files # Update initrd with CBFS files
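Review bot: The added header comment in cbfs-init has two typos that should be fixed before this lands: `# To suppress this output, set CONFIG_QUIET_MODE=y needs be be set in /etc/config` should read `# To suppress this output, CONFIG_QUIET_MODE=y needs to be set in /etc/config`, and `buiid time` should be `build time`. It would also help readers to say why /etc/config is the only place that works: in the reworked init this script is invoked right after `. /etc/config` and before `combine_configs` produces /tmp/config, so any CONFIG_QUIET_MODE value in /etc/config.user is not visible here yet. A one-line note such as `# (init runs cbfs-init before combine_configs, so /etc/config.user is not consulted here)` would make that ordering explicit.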


@ -3,7 +3,7 @@
# ash. Calls to bash scripts must be guarded by checking config. # ash. Calls to bash scripts must be guarded by checking config.
mknod /dev/ttyprintk c 5 3 mknod /dev/ttyprintk c 5 3
echo "hello world" > /dev/ttyprintk echo "hello world" >/dev/ttyprintk
# Setup our path # Setup our path
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
@ -43,7 +43,7 @@ mkdir -p /tmp/secret
# Now it is safe to print a banner # Now it is safe to print a banner
if [ -r /etc/motd ]; then if [ -r /etc/motd ]; then
cat /etc/motd > /dev/tty0 cat /etc/motd >/dev/tty0
fi fi
# Load the date from the hardware clock, setting it in local time # Load the date from the hardware clock, setting it in local time
@ -55,30 +55,67 @@ hwclock -l -s
# filesystem after exFAT is iso9660, move exFAT last. # filesystem after exFAT is iso9660, move exFAT last.
(grep -v '^\texfat$' /proc/filesystems && echo -e '\texfat') >/etc/filesystems (grep -v '^\texfat$' /proc/filesystems && echo -e '\texfat') >/etc/filesystems
# Read the system configuration parameters # Read the system configuration parameters from build time board configuration
. /etc/functions
. /etc/config . /etc/config
# import global functions
. /etc/functions
# report if we are in quiet mode, tell logs available under /tmp/debug.log # export user related content from cbfs
if [ "$CONFIG_QUIET_MODE" = "y" ]; then if [ "$CONFIG_COREBOOT" = "y" ]; then
echo "Quiet mode enabled. To see technical output, do 'cat /tmp/debug.log' from Recovery Shell!" > /dev/tty0 /bin/cbfs-init
fi fi
# Board config had CONFIG_DEBUG_OUTPUT=y defined. # Override CONFIG_USE_BLOB_JAIL if needed and persist via user config
# Note that boards's coreboot config kernel command line "debug" option only will have all kernel messages output on console prior of this point if lspci -n | grep -E -q "8086:(2723|4df0)"; then
if ! cat /etc/config.user 2>/dev/null | grep -q "USE_BLOB_JAIL"; then
echo "CONFIG_USE_BLOB_JAIL=y" >>/etc/config.user
fi
fi
# Override CONFIG_TPM and CONFIG_TPM2_TOOLS from /etc/config with runtime value
# determined above.
#
# Values in user config have higher priority during combining thus effectively
# changing the value for the rest of the scripts which source /tmp/config.
#Only set CONFIG_TPM and CONFIG_TPM2_TOOLS if they are not already set in /etc/config.user
if ! grep -q 'CONFIG_TPM=' /etc/config.user 2>/dev/null; then
echo "export CONFIG_TPM=\"$CONFIG_TPM\"" >>/etc/config.user
fi
if ! grep -q 'CONFIG_TPM2_TOOLS=' /etc/config.user 2>/dev/null; then
echo "export CONFIG_TPM2_TOOLS=\"$CONFIG_TPM2_TOOLS\"" >>/etc/config.user
fi
# CONFIG_BASIC was previously CONFIG_PUREBOOT_BASIC in the PureBoot distribution.
# Substitute it in config.user if present for backward compatibility.
sed -i -e 's/^export CONFIG_PUREBOOT_BASIC=/export CONFIG_BASIC=/g' /etc/config.user
# Combine user configuration overrides from CBFS's /etc/config.user
combine_configs
# Load the user configuration parameters from combined config
. /tmp/config
# Enable maximum debug info from here if config.user extracted and combined from CBFS had CONFIG_DEBUG_OUTPUT=y
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
#Maximize printk messages to output all to console (8=debug) #Output all kernel messages to console (8=debug)
#DEBUG and TRACE calls will output to /dev/kmsg, outputting both on dmesg and on console #DEBUG and TRACE calls will be in dmesg and on console
dmesg -n 8 || true
DEBUG "Debug output enabled from board CONFIG_DEBUG_OUTPUT=y option (/etc/config)"
else
# Board config did't have CONFIG_DEBUG_OUTPUT=y defined
# config.user extracted and combined from CBFS had CONFIG_DEBUG_OUTPUT=y # config.user extracted and combined from CBFS had CONFIG_DEBUG_OUTPUT=y
# Output only print messages with a priority of 4 (warnings) or lower (errors and critical) kernel messages to console dmesg -n 8
# This way, "debug" kernel command line option will have all kernel messages output on console prior of this point DEBUG "Full debug output enabled from this point. For earlier debug output, enable CONFIG_DEBUG_OUTPUT=y in your board configuration at build time."
# This is useful to debug boot issues but permits qemu board to boot without flooding console with kernel messages by disabling CONFIG_DEBUG_OUTPUT=y in qemu board config TRACE_FUNC
dmesg -n 4 || true fi
DEBUG "Debug output enabled from /etc/config.user's CONFIG_DEBUG_OUTPUT=y after combine_configs (Config menu enabled Debug)"
# report if we are in quiet mode, tell user measurements logs available under /tmp/debug.log
if [ "$CONFIG_QUIET_MODE" = "y" ]; then
# check origin of quiet mode setting =y: if it is under /etc/config.user then early cbfs-init outputs are not suppressible
# if it is under /etc/config then early cbfs-init outputs are suppressible
if ! grep -q 'CONFIG_QUIET_MODE="y"' /etc/config.user 2>/dev/null; then
echo "Quiet mode enabled at build time: see /tmp/debug.log for boot measurements related traces" >/dev/tty0
else
echo "Quiet mode enabled at runtime by user configuration: see /tmp/debug.log for additional boot measurements traces past this point" >/dev/tty0
echo "To suppress earlier boot measurements traces, enable CONFIG_QUIET_MODE=y in your board configuration at build time." >/dev/tty0
" >/dev/tty0
fi
fi fi
TRACE_FUNC TRACE_FUNC
@ -91,15 +128,14 @@ if [ ! -d /proc/sys ]; then
warn "Please open an issue" warn "Please open an issue"
fi fi
if [ ! -e /proc/sys/vm/panic_on_oom ]; then if [ ! -e /proc/sys/vm/panic_on_oom ]; then
warn "BUG!!! Requirements to setup Panic when under Out Of Memory situation through PROC_SYSCTL are missing (panic_on_oom was not enabled)" warn "BUG!!! Requirements to setup Panic when under Out Of Memory situation through PROC_SYSCTL are missing (panic_on_oom was not enabled)"
warn "Please open an issue" warn "Please open an issue"
else else
DEBUG "Applying panic_on_oom setting to sysctl" DEBUG "Applying panic_on_oom setting to sysctl"
echo 1 > /proc/sys/vm/panic_on_oom echo 1 >/proc/sys/vm/panic_on_oom
fi fi
# set CONFIG_TPM dynamically before init # set CONFIG_TPM dynamically before init
if [ ! -e /dev/tpm0 ]; then if [ ! -e /dev/tpm0 ]; then
CONFIG_TPM='n' CONFIG_TPM='n'
@ -122,9 +158,6 @@ if [ "$CONFIG_TPM" = "y" ]; then
tpmr startsession tpmr startsession
fi fi
if [ "$CONFIG_COREBOOT" = "y" ]; then
[ -x /bin/bash ] && /bin/cbfs-init
fi
if [ "$CONFIG_LINUXBOOT" = "y" ]; then if [ "$CONFIG_LINUXBOOT" = "y" ]; then
/bin/uefi-init /bin/uefi-init
fi fi
@ -134,56 +167,14 @@ fi
export GPG_TTY=/dev/console export GPG_TTY=/dev/console
# Initialize gpnupg with distro/user keys and setup the keyrings # Initialize gpnupg with distro/user keys and setup the keyrings
[ -x /bin/bash ] && /bin/key-init /bin/key-init
# Override CONFIG_USE_BLOB_JAIL if needed and persist via user config
if lspci -n | grep -E -q "8086:(2723|4df0)"; then
if ! cat /etc/config.user 2>/dev/null | grep -q "USE_BLOB_JAIL"; then
echo "CONFIG_USE_BLOB_JAIL=y" >> /etc/config.user
fi
fi
# Override CONFIG_TPM and CONFIG_TPM2_TOOLS from /etc/config with runtime value
# determined above.
#
# Values in user config have higher priority during combining thus effectively
# changing the value for the rest of the scripts which source /tmp/config.
#Only set CONFIG_TPM and CONFIG_TPM2_TOOLS if they are not already set in /etc/config.user
if ! grep -q 'CONFIG_TPM=' /etc/config.user 2>/dev/null; then
echo "export CONFIG_TPM=\"$CONFIG_TPM\"" >> /etc/config.user
fi
if ! grep -q 'CONFIG_TPM2_TOOLS=' /etc/config.user 2> /dev/null; then
echo "export CONFIG_TPM2_TOOLS=\"$CONFIG_TPM2_TOOLS\"" >> /etc/config.user
fi
# CONFIG_BASIC was previously CONFIG_PUREBOOT_BASIC in the PureBoot distribution.
# Substitute it in config.user if present for backward compatibility.
sed -i -e 's/^export CONFIG_PUREBOOT_BASIC=/export CONFIG_BASIC=/g' /etc/config.user
combine_configs
. /tmp/config
# Enable maximum debug info from here if config.user extracted and combined from CBFS had CONFIG_DEBUG_OUTPUT=y
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
#Output all kernel messages to console (8=debug)
#DEBUG and TRACE calls will be in dmesg and on console
if ! grep -q 'CONFIG_DEBUG_OUTPUT="y"' /etc/config;then
# Board config did't have CONFIG_DEBUG_OUTPUT=y defined
# config.user extracted and combined from CBFS had CONFIG_DEBUG_OUTPUT=y
dmesg -n 8
DEBUG "Debug output enabled from /etc/config.user's CONFIG_DEBUG_OUTPUT=y after combine_configs (Config menu enabled Debug)"
TRACE_FUNC
fi
fi
# Setup recovery serial shell # Setup recovery serial shell
if [ ! -z "$CONFIG_BOOT_RECOVERY_SERIAL" ]; then if [ ! -z "$CONFIG_BOOT_RECOVERY_SERIAL" ]; then
stty -F "$CONFIG_BOOT_RECOVERY_SERIAL" 115200 stty -F "$CONFIG_BOOT_RECOVERY_SERIAL" 115200
pause_recovery 'Serial console recovery shell' \ pause_recovery 'Serial console recovery shell' \
< "$CONFIG_BOOT_RECOVERY_SERIAL" \ <"$CONFIG_BOOT_RECOVERY_SERIAL" \
> "$CONFIG_BOOT_RECOVERY_SERIAL" 2>&1 & >"$CONFIG_BOOT_RECOVERY_SERIAL" 2>&1 &
fi fi
# load USB modules for boards using a USB keyboard # load USB modules for boards using a USB keyboard
@ -207,14 +198,14 @@ if [ "$boot_option" = "r" ]; then
exit exit
elif [ "$boot_option" = "o" ]; then elif [ "$boot_option" = "o" ]; then
# Launch OEM Factory Reset mode # Launch OEM Factory Reset mode
echo -e "***** Entering OEM Factory Reset mode\n" > /dev/tty0 echo -e "***** Entering OEM Factory Reset mode\n" >/dev/tty0
oem-factory-reset --mode oem oem-factory-reset --mode oem
# just in case... # just in case...
exit exit
fi fi
if [ "$CONFIG_BASIC" = "y" ]; then if [ "$CONFIG_BASIC" = "y" ]; then
echo -e "***** BASIC mode: tamper detection disabled\n" > /dev/tty0 echo -e "***** BASIC mode: tamper detection disabled\n" >/dev/tty0
fi fi
# export firmware version # export firmware version
@ -223,11 +214,11 @@ export FW_VER=$(fw_version)
# Add our boot devices into the /etc/fstab, if they are defined # Add our boot devices into the /etc/fstab, if they are defined
# in the configuration file. # in the configuration file.
if [ ! -z "$CONFIG_BOOT_DEV" ]; then if [ ! -z "$CONFIG_BOOT_DEV" ]; then
echo >> /etc/fstab "$CONFIG_BOOT_DEV /boot auto defaults,ro 0 0" echo >>/etc/fstab "$CONFIG_BOOT_DEV /boot auto defaults,ro 0 0"
fi fi
# Set the console font if needed # Set the console font if needed
[ -x /bin/bash ] && setconsolefont.sh setconsolefont.sh
if [ "$CONFIG_BASIC" = "y" ]; then if [ "$CONFIG_BASIC" = "y" ]; then
CONFIG_BOOTSCRIPT=/bin/gui-init-basic CONFIG_BOOTSCRIPT=/bin/gui-init-basic
@ -257,7 +248,7 @@ else
setsid agetty -aroot -l"$CONFIG_BOOTSCRIPT" "$console" linux & setsid agetty -aroot -l"$CONFIG_BOOTSCRIPT" "$console" linux &
done done
fi fi
#Setup a control tty so that all terminals outputs correct tty when tty is called #Setup a control tty so that all terminals outputs correct tty when tty is called
exec cttyhack "$CONFIG_BOOTSCRIPT" exec cttyhack "$CONFIG_BOOTSCRIPT"
else else
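Review bot: In the hunk at `@ -55,30 +55,67`, the line consisting only of `" >/dev/tty0` after the second echo in the "enabled at runtime by user configuration" branch looks like an editing leftover; if it is really in the file and not a rendering artifact, the bare `"` opens a string that runs to the next double quote in the script and breaks parsing of everything after it, so it should be deleted. The origin check `grep -q 'CONFIG_QUIET_MODE="y"' /etc/config.user` only matches the quoted form, while this same file writes settings both quoted (`export CONFIG_TPM=\"$CONFIG_TPM\"`) and unquoted (`CONFIG_USE_BLOB_JAIL=y`), so a user config holding `CONFIG_QUIET_MODE=y` would be misreported as "enabled at build time"; `grep -Eq 'CONFIG_QUIET_MODE="?y"?' /etc/config.user` would cover both spellings. The rewritten CONFIG_DEBUG_OUTPUT block also drops the old `else` branch that lowered the console log level with `dmesg -n 4` when debug output is off, which the removed comment said was what kept the qemu board from flooding the console; if that behaviour is still wanted it needs to be restored. The `|| true` on `dmesg -n 8` was dropped as well; if init runs with `-e` set, a failing dmesg would now abort boot instead of just losing verbose output.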