From b9e1984d4c074c39a1556da01f4cf8d7098afd03 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Sat, 18 Feb 2023 12:58:43 -0500 Subject: [PATCH] etc/functions: add a DEBUG output function, requiring CONFIG_DEBUG to be exported to output in functions --- .../qemu-coreboot-fbwhiptail-tpm1.config | 3 +++ initrd/bin/gui-init | 20 ++++++++++++++- initrd/etc/functions | 25 +++++++++++++++++++ initrd/etc/gui_functions | 2 ++ 4 files changed, 49 insertions(+), 1 deletion(-) diff --git a/boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config b/boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config index f579322126..68b75b5096 100644 --- a/boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config +++ b/boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config @@ -6,6 +6,9 @@ export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.13 export CONFIG_LINUX_VERSION=5.10.5 +#Enable DEBUG output +export CONFIG_DEBUG_OUTPUT=y + CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config CONFIG_LINUX_CONFIG=config/linux-qemu.config diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 06a0d4224d..7978702b2d 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -17,7 +17,7 @@ skip_to_menu="false" mount_boot() { - + DEBUG "under gui-init:mount_boot" # Mount local disk if it is not already mounted while ! grep -q /boot /proc/mounts ; do # try to mount if CONFIG_BOOT_DEV exists @@ -63,6 +63,7 @@ mount_boot() verify_global_hashes() { + DEBUG "under gui-init:verify_global_hashes" # Check the hashes of all the files, ignoring signatures for now check_config /boot force TMP_HASH_FILE="/tmp/kexec/kexec_hashes.txt" 
@@ -137,6 +138,7 @@ verify_global_hashes() prompt_update_checksums() { + DEBUG "under gui-init:prompt_update_checksums" if (whiptail $BG_COLOR_WARNING --title 'Update Checksums and sign all files in /boot' \ --yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that these files have not been tampered with.\n\nYou will need your GPG key available, and this change will modify your disk.\n\nDo you want to continue?" 0 80) then if ! update_checksums ; then @@ -148,6 +150,7 @@ prompt_update_checksums() generate_totp_htop() { + DEBUG "under gui-init:generate_totp_htop" echo "Scan the QR code to add the new TOTP secret" if /bin/seal-totp "$BOARD_NAME"; then if [ -x /bin/hotp_verification ]; then @@ -167,6 +170,7 @@ generate_totp_htop() update_totp() { + DEBUG "under gui-init:update_totp" # update the TOTP code date=`date "+%Y-%m-%d %H:%M:%S %Z"` if [ "$CONFIG_TPM" = n ]; then @@ -217,6 +221,7 @@ update_totp() update_hotp() { + DEBUG "under gui-init:update_hotp" if [ -x /bin/hotp_verification ]; then HOTP=`unseal-hotp` if ! hotp_verification info ; then @@ -255,6 +260,7 @@ update_hotp() clean_boot_check() { + DEBUG "under gui-init:mount_boot" # assume /boot mounted if ! grep -q /boot /proc/mounts ; then return @@ -283,6 +289,7 @@ clean_boot_check() check_gpg_key() { + DEBUG "under gui-init:check_gpg_key" GPG_KEY_COUNT=`gpg -k 2>/dev/null | wc -l` if [ $GPG_KEY_COUNT -eq 0 ]; then BG_COLOR_MAIN_MENU=$BG_COLOR_ERROR @@ -319,6 +326,7 @@ check_gpg_key() prompt_auto_default_boot() { + DEBUG "under gui-init:prompt_auto_default_boot" # save IFS before changing, restore after read IFS_DEF=$IFS IFS='' @@ -335,6 +343,7 @@ prompt_auto_default_boot() show_main_menu() { + DEBUG "under gui-init:show_main_menu" date=`date "+%Y-%m-%d %H:%M:%S %Z"` whiptail $BG_COLOR_MAIN_MENU --title "$MAIN_MENU_TITLE" \ --menu "$date\nTOTP: $TOTP | HOTP: $HOTP" 0 80 10 \ 
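Review bot: The trace added to clean_boot_check in hunk @@ -255,6 +260,7 @@ carries the wrong label: `DEBUG "under gui-init:mount_boot"` is a copy of the line added to mount_boot, so a debug log will attribute clean_boot_check's activity to mount_boot. Change it to `DEBUG "under gui-init:clean_boot_check"`, matching the function-name convention every other call in this series follows. The body of clean_boot_check continues outside the hunk.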
@@ -368,6 +377,7 @@ show_main_menu() show_options_menu() { + DEBUG "under gui-init:show_options_menu" whiptail $BG_COLOR_MAIN_MENU --title "HEADS Options" \ --menu "" 0 80 10 \ 'b' ' Boot Options -->' \ @@ -424,6 +434,7 @@ show_options_menu() show_boot_options_menu() { + DEBUG "under gui-init:show_boot_options_menu" whiptail $BG_COLOR_MAIN_MENU --title "Boot Options" \ --menu "Select A Boot Option" 0 80 10 \ 'm' ' Show OS boot menu' \ @@ -451,6 +462,7 @@ show_boot_options_menu() show_tpm_totp_hotp_options_menu() { + DEBUG "under gui-init:show_tpm_totp_hotp_options_menu" whiptail $BG_COLOR_MAIN_MENU --title "TPM/TOTP/HOTP Options" \ --menu "Select An Option" 0 80 10 \ 'g' ' Generate new TOTP/HOTP secret' \ @@ -477,6 +489,7 @@ show_tpm_totp_hotp_options_menu() prompt_totp_mismatch() { + DEBUG "under gui-init:prompt_totp_mismatch" if (whiptail $BG_COLOR_WARNING --title "TOTP/HOTP code mismatched" \ --yesno "TOTP/HOTP code mismatches could indicate either TPM tampering or clock drift:\n\nTo correct clock drift: 'date -s yyyy-MM-DD hh:mm:ss' in UTC timezone\nand save it to the RTC: 'hwclock -w'\nthen reboot and try again.\n\nWould you like to exit to a recovery console?" 0 80) then echo "" @@ -493,6 +506,7 @@ prompt_totp_mismatch() reset_tpm() { + DEBUG "under gui-init:reset_tpm" if [ "$CONFIG_TPM" = "y" ]; then if (whiptail $BG_COLOR_WARNING --title 'Reset the TPM' \ --yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 0 80) then @@ -526,6 +540,7 @@ reset_tpm() show_system_info() { + DEBUG "under gui-init:show_system_info" battery_charge="$(print_battery_charge)" battery_health="$(print_battery_health)" if [ -n $battery_charge -a -n $battery_health ];then @@ -543,6 +558,7 @@ show_system_info() select_os_boot_option() { + DEBUG "under gui-init:select_os_boot_option" mount_boot if verify_global_hashes ; then kexec-select-boot -m -b /boot -c "grub.cfg" -g 
@@ -551,6 +567,7 @@ select_os_boot_option() attempt_default_boot() { + DEBUG "under gui-init:attempt_default_boot" mount_boot if ! verify_global_hashes; then @@ -568,6 +585,7 @@ attempt_default_boot() force_unsafe_boot() { + DEBUG "under gui-init:force_unsafe_boot" # Run the menu selection in "force" mode, bypassing hash checks if (whiptail $BG_COLOR_WARNING --title 'Unsafe Forced Boot Selected!' \ --yesno "WARNING: You have chosen to skip all tamper checks and boot anyway.\n\nThis is an unsafe option!\n\nDo you want to proceed?" 0 80) then diff --git a/initrd/etc/functions b/initrd/etc/functions index 7d8cedc7fd..7cbc512f49 100755 --- a/initrd/etc/functions +++ b/initrd/etc/functions @@ -12,7 +12,15 @@ warn() { sleep 1; } +DEBUG() { + if [ "$CONFIG_DEBUG_OUTPUT" = "y" ];then + echo >&2 "DEBUG: $*"; + fi +} + + recovery() { + DEBUG "under functions:recovery" echo >&2 "!!!!! $*" # Remove any temporary secret files that might be hanging around @@ -44,6 +52,7 @@ recovery() { } pause_recovery() { + DEBUG "under functions:pause_recovery" read -p 'Hit enter to proceed to recovery shell:' recovery $* } @@ -54,6 +63,7 @@ pcrs() { confirm_totp() { + DEBUG "under functions:confirm_totp" prompt="$1" last_half=X unset totp_confirm @@ -93,6 +103,7 @@ confirm_totp() enable_usb() { + DEBUG "under functions:enable_usb" #insmod ehci_hcd prior of uhdc_hcd and ohci_hcd to suppress dmesg warning if ! lsmod | grep -q ehci_hcd; then insmod /lib/modules/ehci-hcd.ko \ @@ -137,6 +148,7 @@ enable_usb() list_usb_storage() { + DEBUG "under functions:list_usb_storage" stat -c %N /sys/block/sd* 2>/dev/null | grep usb | cut -f1 -d ' ' | sed "s/[']//g" | @@ -176,6 +188,7 @@ list_usb_storage() confirm_gpg_card() { + DEBUG "under functions:confirm_gpg_card" read \ -n 1 \ -p "Please confirm that your GPG card is inserted [Y/n]: " \ 
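Review bot: The new DEBUG function in the initrd/etc/functions hunk @@ -12,7 +12,15 @@ hands its arguments to `echo`, so a message beginning with `-n` or `-e`, or containing backslash sequences under busybox echo, would be mangled; `printf 'DEBUG: %s\n' "$*" >&2` prints the text verbatim, and `]; then` would match the spacing used elsewhere in the file. A short header comment is also missing, which matters because the gate's name differs from the commit subject (the subject says CONFIG_DEBUG, the function tests CONFIG_DEBUG_OUTPUT): e.g. `# Trace to stderr when CONFIG_DEBUG_OUTPUT=y is exported; stderr keeps callers whose stdout is consumed (tee, pipes) unaffected. Pass only non-sensitive text.` Every call in this series passes a literal function name, which is appropriate since the output presumably reaches the console or serial log; that should stay the rule if later calls are extended to print variable values.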
@@ -219,6 +232,7 @@ confirm_gpg_card() check_tpm_counter() { + DEBUG "under functions:check_tpm_counter" LABEL=${2:-3135106223} # if the /boot.hashes file already exists, read the TPM counter ID # from it. @@ -244,18 +258,21 @@ check_tpm_counter() read_tpm_counter() { + DEBUG "under functions:read_tpm_counter" tpm counter_read -ix "$1" | tee "/tmp/counter-$1" \ || die "Counter read failed" } increment_tpm_counter() { + DEBUG "under functions:increment_tpm_counter" tpm counter_increment -ix "$1" -pwdc '' \ | tee /tmp/counter-$1 \ || die "Counter increment failed" } check_config() { + DEBUG "under functions:check_config" if [ ! -d /tmp/kexec ]; then mkdir /tmp/kexec \ || die 'Failed to make kexec tmp dir' @@ -284,6 +301,7 @@ check_config() { } preserve_rom() { + DEBUG "under functions:preserve_rom" new_rom="$1" old_files=`cbfs -t 50 -l 2>/dev/null | grep "^heads/"` @@ -299,6 +317,7 @@ preserve_rom() { done } replace_config() { + DEBUG "under functions:replace_config" CONFIG_FILE=$1 CONFIG_OPTION=$2 NEW_SETTING=$3 @@ -314,11 +333,13 @@ replace_config() { rm -f ${CONFIG_FILE}.tmp } combine_configs() { + DEBUG "under functions:combine_configs" cat /etc/config* > /tmp/config } update_checksums() { + DEBUG "under functions:update_checksums" # ensure /boot mounted if ! grep -q /boot /proc/mounts ; then mount -o ro /boot \ @@ -346,6 +367,7 @@ update_checksums() } print_tree() { + DEBUG "under functions:print_tree" find ./ ! -path './kexec*' -print0 | sort -z } @@ -413,6 +435,7 @@ escape_zero() { # due to https://bugs.busybox.net/show_bug.cgi?id=14226. Also, certain characters # may be intepreted by `whiptail`, `less` et al (e.g. \n, \b, ...). assert_signable() { + DEBUG "under functions:assert_signable" # ensure /boot mounted if ! grep -q /boot /proc/mounts ; then mount -o ro /boot || die "Unable to mount /boot" @@ -432,6 +455,7 @@ assert_signable() { verify_checksums() { + DEBUG "under functions:verify_checksums" local boot_dir="$1" local gui="${2:-y}" 
@@ -465,6 +489,7 @@ verify_checksums() # mount /boot if successful detect_boot_device() { + DEBUG "under functions:detect_boot_device" # unmount /boot to be safe cd / && umount /boot 2>/dev/null diff --git a/initrd/etc/gui_functions b/initrd/etc/gui_functions index 7405f2fa4c..1aa74b8f2f 100755 --- a/initrd/etc/gui_functions +++ b/initrd/etc/gui_functions @@ -3,6 +3,7 @@ mount_usb() { + DEBUG "under gui_functions:mount_usb" # Unmount any previous USB device if grep -q /media /proc/mounts ; then umount /media || die "Unable to unmount /media" @@ -23,6 +24,7 @@ mount_usb() file_selector() { + DEBUG "under gui_functions:file_selector" FILE="" FILE_LIST=$1 MENU_MSG=${2:-"Choose the file"}