mirror of
https://github.com/linuxboot/heads.git
synced 2025-02-15 06:52:10 +00:00
init+cbfs-init: refactor and explain why quiet mode cannot suppress measurements of cbfs-init extracted+measured TPM stuff if not in board config
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This commit is contained in:
Thierry Laurion
parent
08f52af033
commit
b5c24f2447
@ -2,6 +2,13 @@
|
||||
set -e -o pipefail
|
||||
. /etc/functions
|
||||
|
||||
# CBFS extraction and measurement
|
||||
# This extraction and measurement cannot be suppressed by quiet mode, since
|
||||
# config.user is not yet loaded at this point.
|
||||
# To suppress this output, set CONFIG_QUIET_MODE=y needs be be set in /etc/config
|
||||
# which is defined at buiid time under board configuration file to be part of initrd.cpio
|
||||
# This script is called from initrd/init
|
||||
|
||||
TRACE_FUNC
|
||||
|
||||
# Update initrd with CBFS files
|
||||
|
||||
151
initrd/init
151
initrd/init
@ -55,86 +55,15 @@ hwclock -l -s
|
||||
# filesystem after exFAT is iso9660, move exFAT last.
|
||||
(grep -v '^\texfat$' /proc/filesystems && echo -e '\texfat') >/etc/filesystems
|
||||
|
||||
# Read the system configuration parameters
|
||||
. /etc/functions
|
||||
# Read the system configuration parameters from build time board configuration
|
||||
. /etc/config
|
||||
# import global functions
|
||||
. /etc/functions
|
||||
|
||||
# report if we are in quiet mode, tell logs available under /tmp/debug.log
|
||||
if [ "$CONFIG_QUIET_MODE" = "y" ]; then
|
||||
echo "Quiet mode enabled. To see technical output, do 'cat /tmp/debug.log' from Recovery Shell!" > /dev/tty0
|
||||
fi
|
||||
|
||||
# Board config had CONFIG_DEBUG_OUTPUT=y defined.
|
||||
# Note that boards's coreboot config kernel command line "debug" option only will have all kernel messages output on console prior of this point
|
||||
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
|
||||
#Maximize printk messages to output all to console (8=debug)
|
||||
#DEBUG and TRACE calls will output to /dev/kmsg, outputting both on dmesg and on console
|
||||
dmesg -n 8 || true
|
||||
DEBUG "Debug output enabled from board CONFIG_DEBUG_OUTPUT=y option (/etc/config)"
|
||||
else
|
||||
# Board config did't have CONFIG_DEBUG_OUTPUT=y defined
|
||||
# config.user extracted and combined from CBFS had CONFIG_DEBUG_OUTPUT=y
|
||||
# Output only print messages with a priority of 4 (warnings) or lower (errors and critical) kernel messages to console
|
||||
# This way, "debug" kernel command line option will have all kernel messages output on console prior of this point
|
||||
# This is useful to debug boot issues but permits qemu board to boot without flooding console with kernel messages by disabling CONFIG_DEBUG_OUTPUT=y in qemu board config
|
||||
dmesg -n 4 || true
|
||||
DEBUG "Debug output enabled from /etc/config.user's CONFIG_DEBUG_OUTPUT=y after combine_configs (Config menu enabled Debug)"
|
||||
fi
|
||||
|
||||
TRACE_FUNC
|
||||
|
||||
# make sure we have sysctl requirements
|
||||
if [ ! -d /proc/sys ]; then
|
||||
warn "BUG!!! The following requirements to apply runtime kernel tweaks are missing:"
|
||||
warn "CONFIG_SYSCTL=y"
|
||||
warn "CONFIG_PROC_SYSCTL=y"
|
||||
warn "Please open an issue"
|
||||
fi
|
||||
|
||||
if [ ! -e /proc/sys/vm/panic_on_oom ]; then
|
||||
warn "BUG!!! Requirements to setup Panic when under Out Of Memory situation through PROC_SYSCTL are missing (panic_on_oom was not enabled)"
|
||||
warn "Please open an issue"
|
||||
else
|
||||
DEBUG "Applying panic_on_oom setting to sysctl"
|
||||
echo 1 > /proc/sys/vm/panic_on_oom
|
||||
fi
|
||||
|
||||
|
||||
# set CONFIG_TPM dynamically before init
|
||||
if [ ! -e /dev/tpm0 ]; then
|
||||
CONFIG_TPM='n'
|
||||
CONFIG_TPM2_TOOLS='n'
|
||||
fi
|
||||
|
||||
#Specify whiptail background colors cues under FBWhiptail only
|
||||
if [ -x /bin/fbwhiptail ]; then
|
||||
export BG_COLOR_WARNING="${CONFIG_WARNING_BG_COLOR:-"--background-gradient 0 0 0 150 125 0"}"
|
||||
export BG_COLOR_ERROR="${CONFIG_ERROR_BG_COLOR:-"--background-gradient 0 0 0 150 0 0"}"
|
||||
export BG_COLOR_MAIN_MENU="normal"
|
||||
else
|
||||
export TEXT_BG_COLOR_WARNING="${CONFIG_WARNING_TEXT_BG_COLOR:-"yellow"}"
|
||||
export TEXT_BG_COLOR_ERROR="${CONFIG_ERROR_TEXT_BG_COLOR:-"red"}"
|
||||
export BG_COLOR_MAIN_MENU="normal"
|
||||
fi
|
||||
|
||||
if [ "$CONFIG_TPM" = "y" ]; then
|
||||
# Initialize tpm2 encrypted sessions here
|
||||
tpmr startsession
|
||||
fi
|
||||
|
||||
# export user related content from cbfs
|
||||
if [ "$CONFIG_COREBOOT" = "y" ]; then
|
||||
[ -x /bin/bash ] && /bin/cbfs-init
|
||||
/bin/cbfs-init
|
||||
fi
|
||||
if [ "$CONFIG_LINUXBOOT" = "y" ]; then
|
||||
/bin/uefi-init
|
||||
fi
|
||||
|
||||
# Set GPG_TTY before calling gpg in key-init
|
||||
#TODO: do better then this; on dual console gpg only interacts with main console (affects Talos-2 and all whiptail variants)
|
||||
export GPG_TTY=/dev/console
|
||||
|
||||
# Initialize gpnupg with distro/user keys and setup the keyrings
|
||||
[ -x /bin/bash ] && /bin/key-init
|
||||
|
||||
# Override CONFIG_USE_BLOB_JAIL if needed and persist via user config
|
||||
if lspci -n | grep -E -q "8086:(2723|4df0)"; then
|
||||
@ -161,22 +90,84 @@ fi
|
||||
# Substitute it in config.user if present for backward compatibility.
|
||||
sed -i -e 's/^export CONFIG_PUREBOOT_BASIC=/export CONFIG_BASIC=/g' /etc/config.user
|
||||
|
||||
# Combine user configuration overrides from CBFS's /etc/config.user
|
||||
combine_configs
|
||||
# Load the user configuration parameters from combined config
|
||||
. /tmp/config
|
||||
|
||||
# Enable maximum debug info from here if config.user extracted and combined from CBFS had CONFIG_DEBUG_OUTPUT=y
|
||||
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
|
||||
#Output all kernel messages to console (8=debug)
|
||||
#DEBUG and TRACE calls will be in dmesg and on console
|
||||
if ! grep -q 'CONFIG_DEBUG_OUTPUT="y"' /etc/config;then
|
||||
# Board config did't have CONFIG_DEBUG_OUTPUT=y defined
|
||||
# config.user extracted and combined from CBFS had CONFIG_DEBUG_OUTPUT=y
|
||||
dmesg -n 8
|
||||
DEBUG "Debug output enabled from /etc/config.user's CONFIG_DEBUG_OUTPUT=y after combine_configs (Config menu enabled Debug)"
|
||||
DEBUG "Full debug output enabled from this point. For earlier debug output, enable CONFIG_DEBUG_OUTPUT=y in your board configuration at build time."
|
||||
TRACE_FUNC
|
||||
fi
|
||||
|
||||
# report if we are in quiet mode, tell user measurements logs available under /tmp/debug.log
|
||||
if [ "$CONFIG_QUIET_MODE" = "y" ]; then
|
||||
# check origin of quiet mode setting =y: if it is under /etc/config.user then early cbfs-init outputs are not suppressible
|
||||
# if it is under /etc/config then early cbfs-init outputs are suppressible
|
||||
if ! grep -q 'CONFIG_QUIET_MODE="y"' /etc/config.user 2>/dev/null; then
|
||||
echo "Quiet mode enabled at build time: see /tmp/debug.log for boot measurements related traces" >/dev/tty0
|
||||
else
|
||||
echo "Quiet mode enabled at runtime by user configuration: see /tmp/debug.log for additional boot measurements traces past this point" >/dev/tty0
|
||||
echo "To suppress earlier boot measurements traces, enable CONFIG_QUIET_MODE=y in your board configuration at build time." >/dev/tty0
|
||||
" >/dev/tty0
|
||||
fi
|
||||
fi
|
||||
|
||||
TRACE_FUNC
|
||||
|
||||
# make sure we have sysctl requirements
|
||||
if [ ! -d /proc/sys ]; then
|
||||
warn "BUG!!! The following requirements to apply runtime kernel tweaks are missing:"
|
||||
warn "CONFIG_SYSCTL=y"
|
||||
warn "CONFIG_PROC_SYSCTL=y"
|
||||
warn "Please open an issue"
|
||||
fi
|
||||
|
||||
if [ ! -e /proc/sys/vm/panic_on_oom ]; then
|
||||
warn "BUG!!! Requirements to setup Panic when under Out Of Memory situation through PROC_SYSCTL are missing (panic_on_oom was not enabled)"
|
||||
warn "Please open an issue"
|
||||
else
|
||||
DEBUG "Applying panic_on_oom setting to sysctl"
|
||||
echo 1 >/proc/sys/vm/panic_on_oom
|
||||
fi
|
||||
|
||||
# set CONFIG_TPM dynamically before init
|
||||
if [ ! -e /dev/tpm0 ]; then
|
||||
CONFIG_TPM='n'
|
||||
CONFIG_TPM2_TOOLS='n'
|
||||
fi
|
||||
|
||||
#Specify whiptail background colors cues under FBWhiptail only
|
||||
if [ -x /bin/fbwhiptail ]; then
|
||||
export BG_COLOR_WARNING="${CONFIG_WARNING_BG_COLOR:-"--background-gradient 0 0 0 150 125 0"}"
|
||||
export BG_COLOR_ERROR="${CONFIG_ERROR_BG_COLOR:-"--background-gradient 0 0 0 150 0 0"}"
|
||||
export BG_COLOR_MAIN_MENU="normal"
|
||||
else
|
||||
export TEXT_BG_COLOR_WARNING="${CONFIG_WARNING_TEXT_BG_COLOR:-"yellow"}"
|
||||
export TEXT_BG_COLOR_ERROR="${CONFIG_ERROR_TEXT_BG_COLOR:-"red"}"
|
||||
export BG_COLOR_MAIN_MENU="normal"
|
||||
fi
|
||||
|
||||
if [ "$CONFIG_TPM" = "y" ]; then
|
||||
# Initialize tpm2 encrypted sessions here
|
||||
tpmr startsession
|
||||
fi
|
||||
|
||||
if [ "$CONFIG_LINUXBOOT" = "y" ]; then
|
||||
/bin/uefi-init
|
||||
fi
|
||||
|
||||
# Set GPG_TTY before calling gpg in key-init
|
||||
#TODO: do better then this; on dual console gpg only interacts with main console (affects Talos-2 and all whiptail variants)
|
||||
export GPG_TTY=/dev/console
|
||||
|
||||
# Initialize gpnupg with distro/user keys and setup the keyrings
|
||||
/bin/key-init
|
||||
|
||||
# Setup recovery serial shell
|
||||
if [ ! -z "$CONFIG_BOOT_RECOVERY_SERIAL" ]; then
|
||||
@ -227,7 +218,7 @@ if [ ! -z "$CONFIG_BOOT_DEV" ]; then
|
||||
fi
|
||||
|
||||
# Set the console font if needed
|
||||
[ -x /bin/bash ] && setconsolefont.sh
|
||||
setconsolefont.sh
|
||||
|
||||
if [ "$CONFIG_BASIC" = "y" ]; then
|
||||
CONFIG_BOOTSCRIPT=/bin/gui-init-basic
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user