Patch 0003-CONFIG_RESOURCE_ALLOCATION_TOP_DOWN-CONFIG_DOMAIN_RESOURCE_32BIT_LIMIT.patch
is removed because it is no longer required.
Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
Quiet mode introduced output reduction to console to limit technical info provided to end users.
Previous informational output (previous default) now outputs this now considered additional information through INFO() calls, which either outputs to console, or debug.log
Only DO_WITH_DEBUG should call LOG directly, so that stderr+stdout output is prepended with LOG into debug.log
This fixes previous implementation which called LOG in DO_WITH_DEBUG calls and modified expected output to files, which was observed by @3hhh in output of GRUB entries when selecting boot option.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Additional 0.5h for applying changes linked to code review under https://github.com/linuxboot/heads/pull/1875
Linked to Nitrokey unacknowledged RfP https://github.com/linuxboot/heads/issues/1866 that continues to grow past the 40h (now near 42... but unpaid because 'unplanned'... As if this was planned on my side.)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
So that export CONFIG_TPM2_CAPTURE_PCAP=n across all boards doesn't break and so that its easy for auditors to just toggle on in board configs
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
with exception of
- qemu boards not being *quiet: quiet=n
- qemu boards not being *prod* having pcap=y
- qemy boards not being *prod* have debug+tracing=y
- qemu tpm1 boards have '#pcap=n'
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
These two settings are exclusive, so they would disable each other if
enabled. Present them as one setting with three output levels.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Don't print the URL and then explain how to get the secret out of it,
just print the secret.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
If a TPM reset step fails, don't blindly continue onto the other
steps. Use DO_WITH_DEBUG to trace failures, so they're visible in the
log but we still exit due to set -e.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Use SINK_LOG to capture tpm2 unseal rather than a temp file.
Don't double up output from tpm "$@" to log; DO_WITH_DEBUG already
captures it.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Add examples for capturing stderr or both stdout+stderr.
Trace blank lines with LOG like non-blank lines.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This is equivalent of passing debug on kernel command line from coreboot config, even is enabled through config options and saved back in CBFS.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
I give up trying to make Nitrokey do the right thing. They will propose PR to Heads next to fix their own fixes for their own caused regressions and security vulns.
I just stopped caring for sanity reasons, i'm making quiet+eom/user-reownership fixes for feature freeze. If nitrokey pays, there is gonna be future collaboration, if they don't, they will do Heads related stuff themselves.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Insights:
- We should use oem generated pubkey naming to distinguish between oem/user generated keys and try to use default PINs also for GPG User to sign with default PIN and warn even if it works/doesn't, urging users to do reownership
- Point is that oem factory reset does in the direction of using randomized PINs, while continuing to use those for a user should be strongly discouraged
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
(PR 43 not in which fixes hotp_verification info, needed to reuse default PINs under seal-hotp if pubkey age <1 month and if Secret app PIN/GPG Admin PIN count >=3 )
Repro:
mkdir patches/hotp-verification-e9050e0c914e7a8ffef5d1c82a014e0e2bf79346
wget https://patch-diff.githubusercontent.com/raw/Nitrokey/nitrokey-hotp-verification/pull/46.patch -O patches/hotp-verification-e9050e0c914e7a8ffef5d1c82a014e0e2bf79346/46.patch
sudo rm -rf build/x86/hotp-verification-e9050e0c914e7a8ffef5d1c82a014e0e2bf79346/
./docker_repro.sh make BOARD=qemu-coreboot-whiptail-tpm2-hotp USB_TOKEN=Nitrokey3NFC PUBKEY_ASC=pubkey.asc inject_gpg run
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
We're adding leading blank lines, which makes the prompt look odd and
now have to be removed later. Just stop adding the leading blank
lines.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>