Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce optional quiet mode (move technical output from console to /tmp/debug.log) #1863

Open
wants to merge 11 commits into
base: master
Choose a base branch
from
Open

Introduce optional quiet mode (move technical output from console to /tmp/debug.log) #1863

wants to merge 11 commits into from

Conversation

tlaurion
Copy link
Collaborator

@tlaurion tlaurion commented Nov 27, 2024
edited
Loading

WiP

qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet board addition

  • Added a new board qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet for building a coreboot ROM that works in the QEMU emulator with graphical mode support, HOTP support, TPM2 integration but runs in prod+quiet mode.

Logging Improvements:

  • Updated the LOG() function in initrd/etc/ash_functions to handle different logging modes based on CONFIG_QUIET_MODE and CONFIG_DEBUG_OUTPUT settings. This ensures that logs are directed to the appropriate output (console or debug log) based on the configuration.
  • Modified various scripts (initrd/etc/ash_functions, initrd/init, initrd/sbin/insmod) to use the updated LOG() function for consistent logging behavior. This includes logging TPM-related messages and other debug information. [1] [2]

Supression of output

  • dd output removed
  • tpm output considered irrelevant suppressed, otherwise logged through LOG to /tmp/debug.txt

Added output:

  • Enhanced the confirm_gpg_card() function to extract and display GPG PIN retry counters.

Initialization Script Updates:

  • Added a message in initrd/init to inform users when quiet mode is enabled, directing them to check the debug log for technical output.
  • Improved error handling in initrd/init by adding error redirection to grep commands to avoid unnecessary output.

TODOs:

Notes: OEM can add quiet mode as part of their rebranding prior of releases.

WiP demo:

Old state of output (videos and /tmp/debug.log content) at #1863 (comment)

Newer demo of current status of codebase at #1863 (comment)

@tlaurion tlaurion self-assigned this Nov 27, 2024
@tlaurion
Copy link
Collaborator Author

tlaurion commented Nov 28, 2024
edited
Loading

Current PR state videos ( as of a9c3284 )

TLDR default boot screenshot of console output:

2024-11-28-102830

Videos:

The "technical output" redirected to /tmp/debug.log per same commit:

!!! Hit enter to proceed to recovery shell !!!

!!!!! Console recovery shell
!!!!! Starting recovery shell
~ # cat /tmp/debug.log 
Extracting CBFS file heads/initrd/.gnupg/pubring.kbx into /.gnupg/pubring.kbx
TPM: Extending PCR[7] with filename /.gnupg/pubring.kbx and then its content
TPM: Extending PCR[7] with /.gnupg/pubring.kbx
sha256: 7 : 0x36865F7C4725D07EE25C07BEAC46780BB45DCA781AD1B4C94E1F9816322732F0
TPM: Extending PCR[7] with /.gnupg/pubring.kbx
sha256: 7 : 0x12FF75F9263DFC7D50EB3F5F560BCC185FA62742999282CED3B6217F81FCBD0B
Extracting CBFS file heads/initrd/.gnupg/trustdb.gpg into /.gnupg/trustdb.gpg
TPM: Extending PCR[7] with filename /.gnupg/trustdb.gpg and then its content
TPM: Extending PCR[7] with /.gnupg/trustdb.gpg
sha256: 7 : 0xC0F07EDAB0C0D7B2E34293D389C1B86BE2F1A0398BD79F42420ECC85108E8633
TPM: Extending PCR[7] with /.gnupg/trustdb.gpg
sha256: 7 : 0x2B01B94DB1CF1013B068EA1EE9AAE02A6D4A74266D6047DFCD020A4F2D9AB8D3
TPM: Extending PCR[5] with /lib/modules/ehci-hcd.ko and parameters '' before loading
No module parameters, extending only with the module's content
TPM: Extending PCR[5] with /lib/modules/ehci-hcd.ko
sha256: 5 : 0x909690BD6F97E04B50958166F992B414D81A0D36B732B6A7DA951763541D1CF5
TPM: Extending PCR[5] with /lib/modules/uhci-hcd.ko and parameters '' before loading
No module parameters, extending only with the module's content
TPM: Extending PCR[5] with /lib/modules/uhci-hcd.ko
sha256: 5 : 0x8EC9D2802F8413D4F6C607B73A5103E568ED77E62FB9EEA6EDFDD5EF2693DFDF
TPM: Extending PCR[5] with /lib/modules/ohci-hcd.ko and parameters '' before loading
No module parameters, extending only with the module's content
TPM: Extending PCR[5] with /lib/modules/ohci-hcd.ko
sha256: 5 : 0x5A5A2C556E0204C43F40A8B45CA0FC19CFDFA97F6CFEBBD0D37AF8C342916F4A
TPM: Extending PCR[5] with /lib/modules/ohci-pci.ko and parameters '' before loading
No module parameters, extending only with the module's content
TPM: Extending PCR[5] with /lib/modules/ohci-pci.ko
sha256: 5 : 0x8BA29C95378766C29BEEFB929839549069585709C32EA253F4E11234766039C1
TPM: Extending PCR[5] with /lib/modules/ehci-pci.ko and parameters '' before loading
No module parameters, extending only with the module's content
TPM: Extending PCR[5] with /lib/modules/ehci-pci.ko
sha256: 5 : 0x3479F0982F2000A4052ADA1FA5485239FCD86C0EAD6F624FC300DA8A29C6157A
TPM: Extending PCR[5] with /lib/modules/xhci-hcd.ko and parameters '' before loading
No module parameters, extending only with the module's content
TPM: Extending PCR[5] with /lib/modules/xhci-hcd.ko
sha256: 5 : 0x76B689397B52935FCC087204CBFCAD42442577A38025DACC0C6481BFDC8609B4
TPM: Extending PCR[5] with /lib/modules/xhci-pci.ko and parameters '' before loading
No module parameters, extending only with the module's content
TPM: Extending PCR[5] with /lib/modules/xhci-pci.ko
sha256: 5 : 0x4BB1E1405AD1FA13B66FE9BB465B0DB0F18CA317B9802CE40D42589ACE26BF0E
kexec-parse-boot stdout: Debian GNU/Linux|elf|kernel /vmlinuz-6.1.0-21-amd64|initrd /initrd.img-6.1.0-21-amd64|append root=UUID=8c44b114-b625-440b-a708-177a6b510152 ro console=ttyS0 console=tty systemd.zram=0 quiet
kexec-parse-boot stdout: Debian GNU/Linux, with Linux 6.1.0-21-amd64|elf|kernel /vmlinuz-6.1.0-21-amd64|initrd /initrd.img-6.1.0-21-amd64|append root=UUID=8c44b114-b625-440b-a708-177a6b510152 ro console=ttyS0 console=tty systemd.zram=0 quiet
kexec-parse-boot stdout: Debian GNU/Linux, with Linux 6.1.0-21-amd64 (recovery mode)|elf|kernel /vmlinuz-6.1.0-21-amd64|initrd /initrd.img-6.1.0-21-amd64|append root=UUID=8c44b114-b625-440b-a708-177a6b510152 ro single console=ttyS0 console=tty systemd.zram=0
kexec-parse-boot stdout: Debian GNU/Linux, with Linux 6.1.0-18-amd64|elf|kernel /vmlinuz-6.1.0-18-amd64|initrd /initrd.img-6.1.0-18-amd64|append root=UUID=8c44b114-b625-440b-a708-177a6b510152 ro console=ttyS0 console=tty systemd.zram=0 quiet
kexec-parse-boot stdout: Debian GNU/Linux, with Linux 6.1.0-18-amd64 (recovery mode)|elf|kernel /vmlinuz-6.1.0-18-amd64|initrd /initrd.img-6.1.0-18-amd64|append root=UUID=8c44b114-b625-440b-a708-177a6b510152 ro single console=ttyS0 console=tty systemd.zram=0
TPM: Extending PCR[6] with hash of LUKS headers from /tmp/luksDump.txt
TPM: Extending PCR[6] with /tmp/luksDump.txt
sha256: 6 : 0xB98A2CA636FBA1C34E2DB5CEF4169FDF8562CA3D362E6C31E173A03CF110D095
TPM: Extending PCR[4] to prevent any further secret unsealing
TPM: Extending PCR[4] with recovery
sha256: 4 : 0x51737C77C481AA22095B38D38FC9FD494B0FFA4EAE7D3AC238082083D0AFD614

@tlaurion
qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet board: addition of boar…
3cca3be 
…d containing 'export CONFIG_QUIET_MODE=y' for output comparison between debug, prod and quiet mode

Signed-off-by: Thierry Laurion <[email protected]>
@tlaurion
initrd bin/* sbin/insmod + /etc/ash_functions: TPM extend operations …
8594f3a 
…now all passed to LOG (quiet mode doesn't show them and logs them to /tmp/debug.log)

Signed-off-by: Thierry Laurion <[email protected]>
@tlaurion
init: suppress /etc/config.user not existing on grep calls
e44c301 
Signed-off-by: Thierry Laurion <[email protected]>
@tlaurion
init: inform user that running in quiet mode, tell user that technica…
a450dba 
…l information can be seen running 'cat /tmp/debug.log' from Recovery Shell

Signed-off-by: Thierry Laurion <[email protected]>
@tlaurion
codebase: silence dd output while capturing output in variables when …
69bac71 
…needed

Signed-off-by: Thierry Laurion <[email protected]>
@tlaurion
initrd/bin/tmpr: silence tpm reset console output, LOG instead
c8fe994 
Signed-off-by: Thierry Laurion <[email protected]>
@tlaurion
initrd/etc/ash_functions: add GPG Admin/User PIN output grabbing on c…
ae97467 
…onfirm_gpg_card presence call, echo for now, warn to input GPG User PIN when asked to unlock GPG card

Mitigate misunderstands and show GPG User/Admin PIN counts until proper output exists under hotp_verification info to reduce global confusion

Add TODO under initrd/bin/seal-hotpkey to not foget to fix output since now outputting counter of 8 for Admin PIN which makes no sense at all under hotp_verification 1.6 Nitrokey/nitrokey-hotp-verification#38

Signed-off-by: Thierry Laurion <[email protected]>
@tlaurion tlaurion force-pushed the introduce_quiet_mode branch from dd72313 to ae97467 Compare December 3, 2024 19:09
@tlaurion
Copy link
Collaborator Author

tlaurion commented Dec 3, 2024
edited
Loading

Current state demo of ae97467 state

qemu needing to inject pubkey (no persistence) + tpm reset, resealing hotp, signing /boot
Pay attention to

  • additional output on screen around USB Security dongle presence verification
    • we added GPG User/Admin PIN tries (retry count of gpg) left before locking, and prepare user to type GPG User PIN next, followed by Enter key:
2024-12-03.14-11-40.mp4

Default boot output on screen with TPM DUK enabled:

2024-12-03.14-21-43.mp4

@tlaurion tlaurion mentioned this pull request Dec 3, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JonathonHall-Purism JonathonHall-Purism Awaiting requested review from JonathonHall-Purism

At least 1 approving review is required to merge this pull request.

Assignees

@tlaurion tlaurion

Labels
automated testing consultation service Funded work debug enhancement input for docs release cycle - 2024-11-20 UX
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Extend LOG function to either output through DEBUG, console (std) or /tmp/debug/log if in quiet mode
1 participant
@tlaurion