etc/functions: add a DEBUG output function, requiring CONFIG_DEBUG to…

… be exported to output in functions

boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config

@@ -6,6 +6,9 @@ export CONFIG_COREBOOT=y
 export CONFIG_COREBOOT_VERSION=4.13
 export CONFIG_LINUX_VERSION=5.10.5
 
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=y
+
 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config
 CONFIG_LINUX_CONFIG=config/linux-qemu.config
 

initrd/bin/gui-init

@@ -17,7 +17,7 @@ skip_to_menu="false"
 
 mount_boot()
 {
-
+  DEBUG "under gui-init:mount_boot"
   # Mount local disk if it is not already mounted
   while ! grep -q /boot /proc/mounts ; do
     # try to mount if CONFIG_BOOT_DEV exists
@@ -63,6 +63,7 @@ mount_boot()
 
 verify_global_hashes()
 {
+  DEBUG "under gui-init:verify_global_hashes"
   # Check the hashes of all the files, ignoring signatures for now
   check_config /boot force
   TMP_HASH_FILE="/tmp/kexec/kexec_hashes.txt"
@@ -137,6 +138,7 @@ verify_global_hashes()
 
 prompt_update_checksums()
 {
+  DEBUG "under gui-init:prompt_update_checksums"
   if (whiptail $BG_COLOR_WARNING --title 'Update Checksums and sign all files in /boot' \
       --yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that these files have not been tampered with.\n\nYou will need your GPG key available, and this change will modify your disk.\n\nDo you want to continue?" 0 80) then
     if ! update_checksums ; then
@@ -148,6 +150,7 @@ prompt_update_checksums()
 
 generate_totp_htop()
 {
+  DEBUG "under gui-init:generate_totp_htop"
   echo "Scan the QR code to add the new TOTP secret"
   if /bin/seal-totp "$BOARD_NAME"; then
     if [ -x /bin/hotp_verification ]; then
@@ -167,6 +170,7 @@ generate_totp_htop()
 
 update_totp()
 {
+  DEBUG "under gui-init:update_totp"
   # update the TOTP code
   date=`date "+%Y-%m-%d %H:%M:%S %Z"`
   if [ "$CONFIG_TPM" = n ]; then
@@ -217,6 +221,7 @@ update_totp()
 
 update_hotp()
 {
+  DEBUG "under gui-init:update_hotp"
   if [ -x /bin/hotp_verification ]; then
     HOTP=`unseal-hotp`
     if ! hotp_verification info ; then
@@ -255,6 +260,7 @@ update_hotp()
 
 clean_boot_check()
 {
+  DEBUG "under gui-init:mount_boot"
   # assume /boot mounted
   if ! grep -q /boot /proc/mounts ; then
     return
@@ -283,6 +289,7 @@ clean_boot_check()
 
 check_gpg_key()
 {
+  DEBUG "under gui-init:check_gpg_key"
   GPG_KEY_COUNT=`gpg -k 2>/dev/null | wc -l`
   if [ $GPG_KEY_COUNT -eq 0 ]; then
     BG_COLOR_MAIN_MENU=$BG_COLOR_ERROR
@@ -319,6 +326,7 @@ check_gpg_key()
 
 prompt_auto_default_boot()
 {
+  DEBUG "under gui-init:prompt_auto_default_boot"
   # save IFS before changing, restore after read
   IFS_DEF=$IFS
   IFS=''
@@ -335,6 +343,7 @@ prompt_auto_default_boot()
 
 show_main_menu()
 {
+  DEBUG "under gui-init:show_main_menu"
   date=`date "+%Y-%m-%d %H:%M:%S %Z"`
   whiptail $BG_COLOR_MAIN_MENU --title "$MAIN_MENU_TITLE" \
     --menu "$date\nTOTP: $TOTP | HOTP: $HOTP" 0 80 10 \
@@ -368,6 +377,7 @@ show_main_menu()
 
 show_options_menu()
 {
+  DEBUG "under gui-init:show_options_menu"
   whiptail $BG_COLOR_MAIN_MENU --title "HEADS Options" \
     --menu "" 0 80 10 \
     'b' ' Boot Options -->' \
@@ -424,6 +434,7 @@ show_options_menu()
 
 show_boot_options_menu()
 {
+  DEBUG "under gui-init:show_boot_options_menu"
   whiptail $BG_COLOR_MAIN_MENU --title "Boot Options" \
     --menu "Select A Boot Option" 0 80 10 \
     'm' ' Show OS boot menu' \
@@ -451,6 +462,7 @@ show_boot_options_menu()
 
 show_tpm_totp_hotp_options_menu()
 {
+  DEBUG "under gui-init:show_tpm_totp_hotp_options_menu"
   whiptail $BG_COLOR_MAIN_MENU --title "TPM/TOTP/HOTP Options" \
     --menu "Select An Option" 0 80 10 \
     'g' ' Generate new TOTP/HOTP secret' \
@@ -477,6 +489,7 @@ show_tpm_totp_hotp_options_menu()
 
 prompt_totp_mismatch()
 {
+  DEBUG "under gui-init:prompt_totp_mismatch"
   if (whiptail $BG_COLOR_WARNING --title "TOTP/HOTP code mismatched" \
     --yesno "TOTP/HOTP code mismatches could indicate either TPM tampering or clock drift:\n\nTo correct clock drift: 'date -s yyyy-MM-DD hh:mm:ss' in UTC timezone\nand save it to the RTC: 'hwclock -w'\nthen reboot and try again.\n\nWould you like to exit to a recovery console?" 0 80) then
     echo ""
@@ -493,6 +506,7 @@ prompt_totp_mismatch()
 
 reset_tpm()
 {
+  DEBUG "under gui-init:reset_tpm"
   if [ "$CONFIG_TPM" = "y" ]; then
     if (whiptail $BG_COLOR_WARNING --title 'Reset the TPM' \
         --yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 0 80) then
@@ -526,6 +540,7 @@ reset_tpm()
 
 show_system_info()
 {
+  DEBUG "under gui-init:show_system_info"
   battery_charge="$(print_battery_charge)"
   battery_health="$(print_battery_health)"
   if [ -n $battery_charge -a -n $battery_health ];then
@@ -543,6 +558,7 @@ show_system_info()
 
 select_os_boot_option()
 {
+  DEBUG "under gui-init:select_os_boot_option"
   mount_boot
   if verify_global_hashes ; then
     kexec-select-boot -m -b /boot -c "grub.cfg" -g
@@ -551,6 +567,7 @@ select_os_boot_option()
 
 attempt_default_boot()
 {
+  DEBUG "under gui-init:attempt_default_boot"
   mount_boot
 
   if ! verify_global_hashes; then
@@ -568,6 +585,7 @@ attempt_default_boot()
 
 force_unsafe_boot()
 {
+  DEBUG "under gui-init:force_unsafe_boot"
   # Run the menu selection in "force" mode, bypassing hash checks
   if (whiptail $BG_COLOR_WARNING --title 'Unsafe Forced Boot Selected!' \
       --yesno "WARNING: You have chosen to skip all tamper checks and boot anyway.\n\nThis is an unsafe option!\n\nDo you want to proceed?" 0 80) then

initrd/etc/functions

@@ -12,7 +12,15 @@ warn() {
 	sleep 1;
 }
 
+DEBUG() {
+	if [ "$CONFIG_DEBUG_OUTPUT" = "y" ];then
+        	echo >&2 "DEBUG: $*";
+	fi
+}
+
+
 recovery() {
+	DEBUG "under functions:recovery"
 	echo >&2 "!!!!! $*"
 
 	# Remove any temporary secret files that might be hanging around
@@ -44,6 +52,7 @@ recovery() {
 }
 
 pause_recovery() {
+	DEBUG "under functions:pause_recovery"
 	read -p 'Hit enter to proceed to recovery shell:'
 	recovery $*
 }
@@ -54,6 +63,7 @@ pcrs() {
 
 confirm_totp()
 {
+	DEBUG "under functions:confirm_totp"
 	prompt="$1"
 	last_half=X
 	unset totp_confirm
@@ -93,6 +103,7 @@ confirm_totp()
 
 enable_usb()
 {
+	DEBUG "under functions:enable_usb"
 	#insmod ehci_hcd prior of uhdc_hcd and ohci_hcd to suppress dmesg warning 
 	if ! lsmod | grep -q ehci_hcd; then
                 insmod /lib/modules/ehci-hcd.ko \
@@ -137,6 +148,7 @@ enable_usb()
 
 list_usb_storage()
 {
+	DEBUG "under functions:list_usb_storage"
 	stat -c %N /sys/block/sd* 2>/dev/null | grep usb |
 		cut -f1 -d ' ' |
 		sed "s/[']//g" |
@@ -176,6 +188,7 @@ list_usb_storage()
 
 confirm_gpg_card()
 {
+	DEBUG "under functions:confirm_gpg_card"
 	read \
 		-n 1 \
 		-p "Please confirm that your GPG card is inserted [Y/n]: " \
@@ -219,6 +232,7 @@ confirm_gpg_card()
 
 check_tpm_counter()
 {
+  DEBUG "under functions:check_tpm_counter"
   LABEL=${2:-3135106223}
 	# if the /boot.hashes file already exists, read the TPM counter ID
 	# from it.
@@ -244,18 +258,21 @@ check_tpm_counter()
 
 read_tpm_counter()
 {
+	DEBUG "under functions:read_tpm_counter"
 	tpm counter_read -ix "$1" | tee "/tmp/counter-$1" \
 	|| die "Counter read failed"
 }
 
 increment_tpm_counter()
 {
+	DEBUG "under functions:increment_tpm_counter"
 	tpm counter_increment -ix "$1" -pwdc '' \
 		| tee /tmp/counter-$1 \
 	|| die "Counter increment failed"
 }
 
 check_config() {
+	DEBUG "under functions:check_config"
 	if [ ! -d /tmp/kexec ]; then
 		mkdir /tmp/kexec \
 		|| die 'Failed to make kexec tmp dir'
@@ -284,6 +301,7 @@ check_config() {
 }
 
 preserve_rom() {
+	DEBUG "under functions:preserve_rom"
 	new_rom="$1"
 	old_files=`cbfs -t 50 -l 2>/dev/null | grep "^heads/"`
 
@@ -299,6 +317,7 @@ preserve_rom() {
 	done
 }
 replace_config() {
+	DEBUG "under functions:replace_config"
 	CONFIG_FILE=$1
 	CONFIG_OPTION=$2
 	NEW_SETTING=$3
@@ -314,11 +333,13 @@ replace_config() {
 	rm -f ${CONFIG_FILE}.tmp
 }
 combine_configs() {
+	DEBUG "under functions:combine_configs"
 	cat /etc/config* > /tmp/config
 }
 
 update_checksums()
 {
+	DEBUG "under functions:update_checksums"
 	# ensure /boot mounted
 	if ! grep -q /boot /proc/mounts ; then
 		mount -o ro /boot \
@@ -346,6 +367,7 @@ update_checksums()
 }
 
 print_tree() {
+	DEBUG "under functions:print_tree"
 	find ./ ! -path './kexec*' -print0 | sort -z
 }
 
@@ -413,6 +435,7 @@ escape_zero() {
 # due to https://bugs.busybox.net/show_bug.cgi?id=14226. Also, certain characters
 # may be intepreted by `whiptail`, `less` et al (e.g. \n, \b, ...).
 assert_signable() {
+	DEBUG "under functions:assert_signable"
 	# ensure /boot mounted
 	if ! grep -q /boot /proc/mounts ; then
 		mount -o ro /boot || die "Unable to mount /boot"
@@ -432,6 +455,7 @@ assert_signable() {
 
 verify_checksums()
 {
+	DEBUG "under functions:verify_checksums"
 	local boot_dir="$1"
 	local gui="${2:-y}"
 
@@ -465,6 +489,7 @@ verify_checksums()
 # mount /boot if successful
 detect_boot_device()
 {
+	DEBUG "under functions:detect_boot_device"
 	# unmount /boot to be safe
 	cd / && umount /boot 2>/dev/null
 

initrd/etc/gui_functions

@@ -3,6 +3,7 @@
 
 mount_usb()
 {
+  DEBUG "under gui_functions:mount_usb"
   # Unmount any previous USB device
   if grep -q /media /proc/mounts ; then
     umount /media || die "Unable to unmount /media"
@@ -23,6 +24,7 @@ mount_usb()
 
 file_selector()
 {
+  DEBUG "under gui_functions:file_selector"
   FILE=""
   FILE_LIST=$1
   MENU_MSG=${2:-"Choose the file"}