WiP

linuxboot · Feb 18, 2023 · 6dcc53c · 6dcc53c
1 parent b9e1984
commit 6dcc53c
Show file tree

Hide file tree

Showing 37 changed files with 259 additions and 180 deletions.
diff --git a/initrd/bin/cbfs-init b/initrd/bin/cbfs-init
@@ -2,6 +2,8 @@
 set -e -o pipefail
 . /etc/functions
 
+DEBUG "Under /bin/cbfs-init"
+
 # Update initrd with CBFS files
 if [ -z "$CONFIG_PCR" ]; then
 	CONFIG_PCR=7

diff --git a/initrd/bin/cbfs.sh b/initrd/bin/cbfs.sh
@@ -3,6 +3,8 @@ set -e -o pipefail
 . /etc/functions
 . /tmp/config
 
+DEBUG "Under /bin/cbfs.sh"
+
 if pnor "$2" -r HBI > /tmp/pnor.part 2>/dev/null; then
     cbfs "$@" -o /tmp/pnor.part && pnor "$2" -w HBI < /tmp/pnor.part
 else

diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh
@@ -5,6 +5,8 @@ set -e -o pipefail
 . /etc/gui_functions
 . /tmp/config
 
+DEBUG "Under /bin/config-gui.sh"
+
 param=$1
 
 while true; do

diff --git a/initrd/bin/flash-gui.sh b/initrd/bin/flash-gui.sh
@@ -5,6 +5,8 @@ set -e -o pipefail
 . /etc/gui_functions
 . /tmp/config
 
+DEBUG "Under /bin/flash-gui.sh"
+
 while true; do
   unset menu_choice
   whiptail $BG_COLOR_MAIN_MENU --title "Firmware Management Menu" \

diff --git a/initrd/bin/flash.sh b/initrd/bin/flash.sh
@@ -6,6 +6,8 @@ set -e -o pipefail
 . /etc/functions
 . /tmp/config
 
+DEBUG "Under /bin/flash.sh"
+
 case "$CONFIG_FLASHROM_OPTIONS" in
   -* )
     echo "Board $CONFIG_BOARD detected, continuing..."

diff --git a/initrd/bin/flashrom-kgpe-d16-openbmc.sh b/initrd/bin/flashrom-kgpe-d16-openbmc.sh
@@ -1,6 +1,8 @@
 #!/bin/sh
 . /etc/functions
 
+DEBUG "Under /bin/flashrom-kgpe-d16-openbmc.sh"
+
 ROM="$1"
 if [ -z "$1" ]; then
 	die "Usage: $0 /media/kgpe-d16-openbmc.rom"

diff --git a/initrd/bin/generic-init b/initrd/bin/generic-init
@@ -6,6 +6,7 @@
 
 mount_boot()
 {
+	DEBUG "Under /bin/generic-init:mount_boot"
 	# Mount local disk if it is not already mounted
 	if ! grep -q /boot /proc/mounts ; then
 		mount -o ro /boot \

diff --git a/initrd/bin/gpg-gui.sh b/initrd/bin/gpg-gui.sh
@@ -5,6 +5,7 @@ set -e -o pipefail
 . /etc/gui_functions
 . /tmp/config
 
+DEBUG "Under /bin/gpg-gui.sh"
 gpg_flash_rom() {
 
   if [ "$1" = "replace" ]; then

diff --git a/initrd/bin/gpgv b/initrd/bin/gpgv
@@ -1,3 +1,4 @@
 #!/bin/sh
 # if we are using the full GPG we need a wrapper for the gpgv executable
+DEBUG "Under /bin/gpgv"
 exec gpg --verify "$@"
diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init
@@ -17,7 +17,7 @@ skip_to_menu="false"
 
 mount_boot()
 {
-  DEBUG "under gui-init:mount_boot"
+  DEBUG "Under /bin/gui-init:mount_boot"
   # Mount local disk if it is not already mounted
   while ! grep -q /boot /proc/mounts ; do
     # try to mount if CONFIG_BOOT_DEV exists
@@ -63,7 +63,7 @@ mount_boot()
 
 verify_global_hashes()
 {
-  DEBUG "under gui-init:verify_global_hashes"
+  DEBUG "Under /bin/gui-init:verify_global_hashes"
   # Check the hashes of all the files, ignoring signatures for now
   check_config /boot force
   TMP_HASH_FILE="/tmp/kexec/kexec_hashes.txt"
@@ -138,7 +138,7 @@ verify_global_hashes()
 
 prompt_update_checksums()
 {
-  DEBUG "under gui-init:prompt_update_checksums"
+  DEBUG "Under /bin/gui-init:prompt_update_checksums"
   if (whiptail $BG_COLOR_WARNING --title 'Update Checksums and sign all files in /boot' \
       --yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that these files have not been tampered with.\n\nYou will need your GPG key available, and this change will modify your disk.\n\nDo you want to continue?" 0 80) then
     if ! update_checksums ; then
@@ -150,7 +150,7 @@ prompt_update_checksums()
 
 generate_totp_htop()
 {
-  DEBUG "under gui-init:generate_totp_htop"
+  DEBUG "Under /bin/gui-init:generate_totp_htop"
   echo "Scan the QR code to add the new TOTP secret"
   if /bin/seal-totp "$BOARD_NAME"; then
     if [ -x /bin/hotp_verification ]; then
@@ -170,7 +170,7 @@ generate_totp_htop()
 
 update_totp()
 {
-  DEBUG "under gui-init:update_totp"
+  DEBUG "Under /bin/gui-init:update_totp"
   # update the TOTP code
   date=`date "+%Y-%m-%d %H:%M:%S %Z"`
   if [ "$CONFIG_TPM" = n ]; then
@@ -221,7 +221,7 @@ update_totp()
 
 update_hotp()
 {
-  DEBUG "under gui-init:update_hotp"
+  DEBUG "Under /bin/gui-init:update_hotp begin"
   if [ -x /bin/hotp_verification ]; then
     HOTP=`unseal-hotp`
     if ! hotp_verification info ; then
@@ -256,11 +256,12 @@ update_hotp()
   else
     HOTP='N/A'
   fi
+  DEBUG "Under /bin/gui-init:update_hotp end"
 }
 
 clean_boot_check()
 {
-  DEBUG "under gui-init:mount_boot"
+  DEBUG "Under /bin/gui-init:mount_boot"
   # assume /boot mounted
   if ! grep -q /boot /proc/mounts ; then
     return
@@ -289,7 +290,7 @@ clean_boot_check()
 
 check_gpg_key()
 {
-  DEBUG "under gui-init:check_gpg_key"
+  DEBUG "Under /bin/gui-init:check_gpg_key"
   GPG_KEY_COUNT=`gpg -k 2>/dev/null | wc -l`
   if [ $GPG_KEY_COUNT -eq 0 ]; then
     BG_COLOR_MAIN_MENU=$BG_COLOR_ERROR
@@ -326,7 +327,7 @@ check_gpg_key()
 
 prompt_auto_default_boot()
 {
-  DEBUG "under gui-init:prompt_auto_default_boot"
+  DEBUG "Under /bin/gui-init:prompt_auto_default_boot"
   # save IFS before changing, restore after read
   IFS_DEF=$IFS
   IFS=''
@@ -343,7 +344,7 @@ prompt_auto_default_boot()
 
 show_main_menu()
 {
-  DEBUG "under gui-init:show_main_menu"
+  DEBUG "Under /bin/gui-init:show_main_menu"
   date=`date "+%Y-%m-%d %H:%M:%S %Z"`
   whiptail $BG_COLOR_MAIN_MENU --title "$MAIN_MENU_TITLE" \
     --menu "$date\nTOTP: $TOTP | HOTP: $HOTP" 0 80 10 \
@@ -377,7 +378,7 @@ show_main_menu()
 
 show_options_menu()
 {
-  DEBUG "under gui-init:show_options_menu"
+  DEBUG "Under /bin/gui-init:show_options_menu"
   whiptail $BG_COLOR_MAIN_MENU --title "HEADS Options" \
     --menu "" 0 80 10 \
     'b' ' Boot Options -->' \
@@ -434,7 +435,7 @@ show_options_menu()
 
 show_boot_options_menu()
 {
-  DEBUG "under gui-init:show_boot_options_menu"
+  DEBUG "Under /bin/gui-init:show_boot_options_menu"
   whiptail $BG_COLOR_MAIN_MENU --title "Boot Options" \
     --menu "Select A Boot Option" 0 80 10 \
     'm' ' Show OS boot menu' \
@@ -462,7 +463,7 @@ show_boot_options_menu()
 
 show_tpm_totp_hotp_options_menu()
 {
-  DEBUG "under gui-init:show_tpm_totp_hotp_options_menu"
+  DEBUG "Under /bin/gui-init:show_tpm_totp_hotp_options_menu"
   whiptail $BG_COLOR_MAIN_MENU --title "TPM/TOTP/HOTP Options" \
     --menu "Select An Option" 0 80 10 \
     'g' ' Generate new TOTP/HOTP secret' \
@@ -489,7 +490,7 @@ show_tpm_totp_hotp_options_menu()
 
 prompt_totp_mismatch()
 {
-  DEBUG "under gui-init:prompt_totp_mismatch"
+  DEBUG "Under /bin/gui-init:prompt_totp_mismatch"
   if (whiptail $BG_COLOR_WARNING --title "TOTP/HOTP code mismatched" \
     --yesno "TOTP/HOTP code mismatches could indicate either TPM tampering or clock drift:\n\nTo correct clock drift: 'date -s yyyy-MM-DD hh:mm:ss' in UTC timezone\nand save it to the RTC: 'hwclock -w'\nthen reboot and try again.\n\nWould you like to exit to a recovery console?" 0 80) then
     echo ""
@@ -506,7 +507,7 @@ prompt_totp_mismatch()
 
 reset_tpm()
 {
-  DEBUG "under gui-init:reset_tpm"
+  DEBUG "Under /bin/gui-init:reset_tpm"
   if [ "$CONFIG_TPM" = "y" ]; then
     if (whiptail $BG_COLOR_WARNING --title 'Reset the TPM' \
         --yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 0 80) then
@@ -540,7 +541,7 @@ reset_tpm()
 
 show_system_info()
 {
-  DEBUG "under gui-init:show_system_info"
+  DEBUG "Under /bin/gui-init:show_system_info"
   battery_charge="$(print_battery_charge)"
   battery_health="$(print_battery_health)"
   if [ -n $battery_charge -a -n $battery_health ];then
@@ -558,7 +559,7 @@ show_system_info()
 
 select_os_boot_option()
 {
-  DEBUG "under gui-init:select_os_boot_option"
+  DEBUG "Under /bin/gui-init:select_os_boot_option"
   mount_boot
   if verify_global_hashes ; then
     kexec-select-boot -m -b /boot -c "grub.cfg" -g
@@ -567,7 +568,7 @@ select_os_boot_option()
 
 attempt_default_boot()
 {
-  DEBUG "under gui-init:attempt_default_boot"
+  DEBUG "Under /bin/gui-init:attempt_default_boot"
   mount_boot
 
   if ! verify_global_hashes; then
@@ -585,7 +586,7 @@ attempt_default_boot()
 
 force_unsafe_boot()
 {
-  DEBUG "under gui-init:force_unsafe_boot"
+  DEBUG "Under /bin/gui-init:force_unsafe_boot"
   # Run the menu selection in "force" mode, bypassing hash checks
   if (whiptail $BG_COLOR_WARNING --title 'Unsafe Forced Boot Selected!' \
       --yesno "WARNING: You have chosen to skip all tamper checks and boot anyway.\n\nThis is an unsafe option!\n\nDo you want to proceed?" 0 80) then

diff --git a/initrd/bin/kexec-boot b/initrd/bin/kexec-boot
@@ -4,6 +4,8 @@ set -e -o pipefail
 . /tmp/config
 . /etc/functions
 
+DEBUG "Under /bin/kexec-boot"
+
 dryrun="n"
 printfiles="n"
 printinitrd="n"

diff --git a/initrd/bin/kexec-insert-key b/initrd/bin/kexec-insert-key
@@ -3,6 +3,8 @@
 set -e -o pipefail
 . /etc/functions
 
+DEBUG "Under /bin/kexec-insert-key"
+
 TMP_KEY_DEVICES="/tmp/kexec/kexec_key_devices.txt"
 TMP_KEY_LVM="/tmp/kexec/kexec_key_lvm.txt"
 
@@ -77,8 +79,8 @@ if [ "$unseal_failed" = "n" ]; then
 	# kexec-save-default might have created crypttab overrides to be injected in initramfs through additional cpio 
 	if [ -r "$bootdir/kexec_initrd_crypttab_overrides.txt" ]; then
 		echo "$bootdir/kexec_initrd_crypttab_overrides.txt found..."
-		echo "Preparing initramfs crypttab overrides as defined under $bootdir/kexec_initrd_crypttab_overrides.txt to be injected through cpio at next kexec call..."
-		# kexec-save-default has found crypttab files under initrd and saved them
+		echo "Preparing initramfs crypttab overrides as defined under /bin/$bootdir/kexec_initrd_crypttab_overrides.txt to be injected through cpio at next kexec call..."
+		# kexec-save-default has found crypttab files under /bin/initrd and saved them
 		cat "$bootdir/kexec_initrd_crypttab_overrides.txt" | while read line; do
 			crypttab_file=$(echo "$line" | awk -F ':' {'print $1'})
 			crypttab_entry=$(echo "$line" | awk -F ':' {'print $NF'})
@@ -88,7 +90,7 @@ if [ "$unseal_failed" = "n" ]; then
 			echo "initramfs's $crypttab_file will be overriden with $crypttab_entry"
 		done
 	else
-		# No crypttab files were found under selected default boot option's initrd file
+		# No crypttab files were found under /bin/selected default boot option's initrd file
 		crypttab_file="etc/crypttab"
 		mkdir -p "$INITRD_DIR/$(dirname $crypttab_file)"
 		# overwrite crypttab to mirror behavior of seal-key

diff --git a/initrd/bin/kexec-iso-init b/initrd/bin/kexec-iso-init
@@ -4,6 +4,8 @@ set -e -o pipefail
 . /etc/functions
 . /tmp/config
 
+DEBUG "Under /bin/kexec-iso-init"
+
 MOUNTED_ISO_PATH="$1"
 ISO_PATH="$2"
 DEV="$3"

diff --git a/initrd/bin/kexec-parse-bls b/initrd/bin/kexec-parse-bls
@@ -1,5 +1,8 @@
 #!/bin/sh
 set -e -o pipefail
+
+DEBUG "Under /bin/kexec-parse-bls"
+
 bootdir="$1"
 file="$2"
 blsdir="$3"

diff --git a/initrd/bin/kexec-parse-boot b/initrd/bin/kexec-parse-boot
@@ -1,5 +1,8 @@
 #!/bin/sh
 set -e -o pipefail
+
+DEBUG "Under /bin/kexec-parse-boot"
+
 bootdir="$1"
 file="$2"
 

diff --git a/initrd/bin/kexec-save-default b/initrd/bin/kexec-save-default
@@ -4,6 +4,8 @@ set -e -o pipefail
 . /tmp/config
 . /etc/functions
 
+DEBUG "Under /bin/kexec-save-default"
+
 while getopts "b:d:p:i:" arg; do
 	case $arg in
 		b) bootdir="$OPTARG" ;;
@@ -165,7 +167,7 @@ if [ "$save_key" = "y" ]; then
 		#insert current default boot's initrd crypttab locations into tracking file to be overwritten into initramfs at kexec-inject-key
 		echo "The following OS crypttab file:entry were modified from default boot's initrd:"
 		cat $bootdir/kexec_initrd_crypttab_overrides.txt
-		echo "Heads added /secret.key in those entries and saved them under $bootdir/kexec_initrd_crypttab_overrides.txt"
+		echo "Heads added /secret.key in those entries and saved them under /bin/$bootdir/kexec_initrd_crypttab_overrides.txt"
 		echo "Those overrides will be part of detached signed digests and used to prepare cpio injected at kexec of selected default boot entry."
 	else
 		echo "No crypttab file found in extracted initrd. Removing $bootdir/kexec_initrd_crypttab_overrides.txt"

diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key
@@ -4,6 +4,8 @@
 # It will then need to be bundled into initrd that is booted.
 set -e -o pipefail
 
+DEBUG "Under /bin/kexec-seal-key"
+
 TPM_INDEX=3
 TPM_SIZE=312
 KEY_FILE="/tmp/secret/secret.key"

diff --git a/initrd/bin/kexec-select-boot b/initrd/bin/kexec-select-boot
@@ -4,6 +4,8 @@ set -e -o pipefail
 . /tmp/config
 . /etc/functions
 
+DEBUG "Under /bin/kexec-select-boot"
+
 add=""
 remove=""
 config="*.cfg"

diff --git a/initrd/bin/kexec-sign-config b/initrd/bin/kexec-sign-config
@@ -4,6 +4,8 @@ set -e -o pipefail
 . /tmp/config
 . /etc/functions
 
+DEBUG "Under /bin/kexec-sign-config"
+
 rollback="n"
 update="n"
 while getopts "p:c:ur" arg; do

diff --git a/initrd/bin/kexec-unseal-key b/initrd/bin/kexec-unseal-key
@@ -4,6 +4,8 @@
 # It will then need to be bundled into initrd that is booted with Qubes.
 set -e -o pipefail
 
+DEBUG "Under /bin/kexec-unseal-key"
+
 TPM_INDEX=3
 TPM_SIZE=312
 

diff --git a/initrd/bin/key-init b/initrd/bin/key-init
@@ -2,6 +2,8 @@
 set -e -o pipefail
 . /etc/functions
 
+DEBUG "Under /bin/key-init"
+
 # Post processing of keys
 
 # Import user's keys

diff --git a/initrd/bin/media-scan b/initrd/bin/media-scan
@@ -5,6 +5,8 @@ set -e -o pipefail
 . /etc/gui_functions
 . /tmp/config
 
+DEBUG "Under /bin/media-scan"
+
 # Unmount any previous boot device
 if grep -q /boot /proc/mounts ; then
 	umount /boot \

diff --git a/initrd/bin/mount-usb b/initrd/bin/mount-usb
@@ -2,6 +2,8 @@
 # Mount a USB device
 . /etc/functions
 
+DEBUG "Under /bin/mount-usb"
+
 enable_usb
 
 if ! lsmod | grep -q usb_storage; then