diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh
index f3299d1aa..2f4117712 100755
--- a/initrd/bin/config-gui.sh
+++ b/initrd/bin/config-gui.sh
@@ -80,12 +80,7 @@ while true; do
 # Debugging option always available
 dynamic_config_options+=(
- 'Z' " $(get_config_display_action "$CONFIG_DEBUG_OUTPUT") $CONFIG_BRAND_NAME debug and function tracing output"
- )
-
- # Quiet option always available
- dynamic_config_options+=(
- 'Q' " $(get_config_display_action "$CONFIG_QUIET_MODE") $CONFIG_BRAND_NAME quiet mode"
+ 'Z' " Configure $CONFIG_BRAND_NAME informational / debug output"
 )
 [ "$CONFIG_FINALIZE_PLATFORM_LOCKING" = "y" ] && dynamic_config_options+=(
@@ -553,52 +548,34 @@ while true; do
 fi
 ;;
 "Z")
- if [ "$CONFIG_DEBUG_OUTPUT" != "y" ]; then
- if (whiptail --title 'Enable Debugging and Tracing output?' \
- --yesno "This will enable DEBUG and TRACE output from scripts.\n\nDo you want to proceed?" 0 80); then
-
- set_user_config "CONFIG_DEBUG_OUTPUT" "y"
- set_user_config "CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" "y"
- #DEBUG+TRACE is incompatible with QUIET mode, turn it off
- set_user_config "CONFIG_QUIET_MODE" "n"
-
- whiptail --title 'Config change successful' \
- --msgbox "Debugging and Tracing output enabled;\nsave the config change and reboot for it to go into effect." 0 80
- fi
- else
- if (whiptail --title 'Disable Enable Debugging and Tracing output?' \
- --yesno "This will disable DEBUG and TRACE output from scripts.\n\nDo you want to proceed?" 0 80); then
+ unset output_choice
+ whiptail_type $BG_COLOR_MAIN_MENU --title "Informational / Debug Output" \
+ --menu "$CONFIG_BRAND_NAME can display informational or debug output.\n\nChoose the output level:" 0 80 10 \
+ 0 'None - Show no extra output' \
+ 1 "Info - Show information about operations in $CONFIG_BRAND_NAME" \
+ 2 "Debug - Show detailed information suitable for debugging $CONFIG_BRAND_NAME" \
+ 2>/tmp/whiptail || recovery "GUI menu failed"
+ output_choice=$(cat /tmp/whiptail)
+ case "$output_choice" in
+ 0)
 set_user_config "CONFIG_DEBUG_OUTPUT" "n"
 set_user_config "CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" "n"
-
- whiptail --title 'Config change successful' \
- --msgbox "Debugging and Tracing output disabled;\nsave the config change and reboot for it to go into effect." 0 80
- fi
- fi
- ;;
- "Q")
- #Quiet mode: turn off/on console technical output
- if [ "$CONFIG_QUIET_MODE" != "y" ]; then
- if (whiptail --title 'Enable Quiet mode?' \
- --yesno "This will enable QUIET mode, which will turn off console technical output.\n\nDo you want to proceed?" 0 80); then
- set_user_config "CONFIG_QUIET_MODE" "y"
- #DEBUG+TRACE is incompatible with QUIET mode, turn it off
+ ;;
+ 1)
 set_user_config "CONFIG_DEBUG_OUTPUT" "n"
 set_user_config "CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" "n"
- whiptail --title 'Config change successful' \
- --msgbox "Quiet mode enabled;\nsave the config change and reboot for it to go into effect." 0 80
- fi
- else
- if (whiptail --title 'Disable Quiet mode?' \
- --yesno "This will disable QUIET mode, which will turn on console technical output.\n\nDo you want to proceed?" 0 80); then
- set_user_config "CONFIG_QUIET_MODE" "n"
- whiptail --title 'Config change successful' \
- --msgbox "Quiet mode disabled;\nsave the config change and reboot for it to go into effect." 0 80
- fi
- fi
+ ;;
+ 2)
+ set_user_config "CONFIG_DEBUG_OUTPUT" "y"
+ set_user_config "CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" "y"
+ set_user_config "CONFIG_QUIET_MODE" "n"
+ ;;
+ esac
+ whiptail --title 'Config change successful' \
+ --msgbox "Output level changed.\nSave the config change and reboot for it to go into effect." 0 80
 ;;
 esac
 done
diff --git a/initrd/bin/seal-totp b/initrd/bin/seal-totp
index cc1147054..3c593d697 100755
--- a/initrd/bin/seal-totp
+++ b/initrd/bin/seal-totp
@@ -55,10 +55,9 @@ tpmr seal "$TOTP_SECRET" "$TPM_NVRAM_SPACE" 0,1,2,3,4,7 "$pcrf" 312 "" "$TPM_PAS
 shred -n 10 -z -u "$TOTP_SEALED" 2>/dev/null
 url="otpauth://totp/$HOST?secret=$secret"
-secret=""
 DEBUG "TOTP secret output on screen (both URL and QR code)"
 qrenc "$url"
-echo "TOTP secret for manual input (if no mobile phone) is after the 'secret=' part of the URL:"
-echo "$url"
+echo "TOTP secret for manual input (device without camera): $secret"
+secret=""
diff --git a/initrd/bin/tpmr b/initrd/bin/tpmr
index 14e595fc1..84626e886 100755
--- a/initrd/bin/tpmr
+++ b/initrd/bin/tpmr
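Review bot: Menu choices 0 (None) and 1 (Info) in the new `case "$output_choice"` produce identical settings — both arms write only CONFIG_DEBUG_OUTPUT=n and CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n — while CONFIG_QUIET_MODE, which the removed "Q" handler used to manage, is now set only to "n" and only in arm 2. Unless quiet mode is being retired elsewhere in this commit, arm 0 should add `set_user_config "CONFIG_QUIET_MODE" "y"` and arm 1 `set_user_config "CONFIG_QUIET_MODE" "n"`; otherwise "None" can never enable quiet mode and "Info" can never clear it once set. Cancel/Esc in the new menu also lands in `recovery "GUI menu failed"`, where the removed --yesno dialogs simply returned to the config menu; if the other whiptail_type menus in this file follow the same pattern that is consistent, but it is a sharper failure mode for a cosmetic setting. The "Config change successful" msgbox is shown after the case regardless of whether anything changed.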
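Review bot: `secret=""` is moved below the echo, but `url` still carries the same secret in its query string and is never cleared, so the variable set is left inconsistent; add `url=""` alongside it (or `unset secret url`). Assigning an empty string does not scrub the value from process memory and does not help if `set -x` tracing is on, so the value of this line is keeping the secret's lifetime short, which only works if every copy is cleared. This is top-level script code, so both variables otherwise live until the script exits.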
@@ -611,16 +611,9 @@ tpm2_unseal() {
 fi
 # tpm2 unseal will write the unsealed data to stdout and any errors to
- # stderr. We capture the unsealed data to $file, but still log the errors for quiet mode.
- # In case of unseal error, caller will also report on TOTP not being able to be unsealed.
- TMP_ERR_FILE=$(mktemp)
+ # stderr; capture stderr to log.
 if ! tpm2 unseal -Q -c "$handle" -p "session:$POLICY_SESSION$UNSEAL_PASS_SUFFIX" \
- -S "$ENC_SESSION_FILE" >"$file" 2>"$TMP_ERR_FILE"; then
- # Log the contents of the temporary error file
- while IFS= read -r line; do
- LOG "tpm2 stderr: $line"
- done <"$TMP_ERR_FILE"
- rm -f "$TMP_ERR_FILE"
+ -S "$ENC_SESSION_FILE" >"$file" 2> >(SINK_LOG "tpm2 stderr"); then
 LOG "Unable to unseal secret from TPM NVRAM"
 # should succeed, exit if it doesn't
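Review bot: `2> >(SINK_LOG "tpm2 stderr")` runs the sink asynchronously and bash does not wait for a process substitution to finish, so the captured stderr lines can land in the log after `LOG "Unable to unseal secret from TPM NVRAM"` and even after tpm2_unseal has returned, which makes the log order misleading for exactly the failure this branch diagnoses. If that is acceptable because the log is read after the fact, say so in the comment, e.g. `# stderr; capture stderr to log (asynchronously - lines may appear after the LOG below).` If ordering matters, the removed temp-file loop preserved it; on a recent bash (5.1 or later, I believe) `wait "$!"` right after the command should join the substitution, but that needs checking against the initrd's bash. tpm2_unseal begins outside this hunk.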
@@ -672,15 +665,15 @@ tpm2_reset() {
 # output TPM Owner Password to a file to be reused in this boot session until recovery shell/reboot
 DEBUG "Caching TPM Owner Password to $SECRET_DIR/tpm_owner_password"
 echo -n "$tpm_owner_password" >"$SECRET_DIR/tpm_owner_password"
- tpm2 clear -c platform >/dev/null 2>&1 || LOG "Unable to clear TPM on platform hierarchy"
- tpm2 changeauth -c owner "$(tpm2_password_hex "$tpm_owner_password")" >/dev/null 2>&1 || LOG "Unable to change owner password"
- tpm2 changeauth -c endorsement "$(tpm2_password_hex "$tpm_owner_password")" >/dev/null 2>&1 || LOG "Unable to change endorsement password"
- tpm2 createprimary -C owner -g sha256 -G "${CONFIG_PRIMARY_KEY_TYPE:-rsa}" \
- -c "$SECRET_DIR/primary.ctx" -P "$(tpm2_password_hex "$tpm_owner_password")" >/dev/null 2>&1 || LOG "Unable to create primary key"
- tpm2 evictcontrol -C owner -c "$SECRET_DIR/primary.ctx" "$PRIMARY_HANDLE" \
- -P "$(tpm2_password_hex "$tpm_owner_password")" >/dev/null 2>&1 || LOG "Unable to evict primary key"
- shred -u "$SECRET_DIR/primary.ctx" >/dev/null 2>&1
- tpm2_startsession >/dev/null 2>&1 || LOG "Unable to start session"
+ DO_WITH_DEBUG tpm2 clear -c platform &>/dev/null
+ DO_WITH_DEBUG tpm2 changeauth -c owner "$(tpm2_password_hex "$tpm_owner_password")" &>/dev/null
+ DO_WITH_DEBUG tpm2 changeauth -c endorsement "$(tpm2_password_hex "$tpm_owner_password")" &>/dev/null
+ DO_WITH_DEBUG tpm2 createprimary -C owner -g sha256 -G "${CONFIG_PRIMARY_KEY_TYPE:-rsa}" \
+ -c "$SECRET_DIR/primary.ctx" -P "$(tpm2_password_hex "$tpm_owner_password")" &>/dev/null
+ DO_WITH_DEBUG tpm2 evictcontrol -C owner -c "$SECRET_DIR/primary.ctx" "$PRIMARY_HANDLE" \
+ -P "$(tpm2_password_hex "$tpm_owner_password")" &>/dev/null
+ shred -u "$SECRET_DIR/primary.ctx" &>/dev/null
+ DO_WITH_DEBUG tpm2_startsession &>/dev/null
 # Set the dictionary attack parameters. TPM2 defaults vary widely, we
 # want consistent behavior on any TPM.
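Review bot: The per-step `|| LOG "Unable to …"` reporting is dropped from every tpm2 call in this hunk and from the tpm calls in the tpm1_reset hunk below, so a failed `tpm2 changeauth -c owner` or `tpm takeown` no longer produces any log line outside debug mode, even though the new owner password has already been cached to `$SECRET_DIR/tpm_owner_password` on the preceding lines. That leaves the TPM with its old authorization while the boot scripts believe it was changed, with nothing in the log to explain the failures that follow. Assuming DO_WITH_DEBUG returns the wrapped command's exit status, keep the messages, e.g. `DO_WITH_DEBUG tpm2 changeauth -c owner "$(tpm2_password_hex "$tpm_owner_password")" &>/dev/null || LOG "Unable to change owner password"`, and likewise for clear, createprimary, evictcontrol, startsession and the tpm1 steps; if it does not propagate the status, that needs fixing first. Both functions begin outside their hunks.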
@@ -722,17 +715,17 @@ tpm1_reset() {
 DEBUG "Caching TPM Owner Password to $SECRET_DIR/tpm_owner_password"
 echo -n "$tpm_owner_password" >"$SECRET_DIR/tpm_owner_password"
 # Make sure the TPM is ready to be reset
- tpm physicalpresence -s >/dev/null 2>&1 || LOG "Unable to assert physical presence"
- tpm physicalenable >/dev/null 2>&1 || LOG "Unable to enable TPM"
- tpm physicalsetdeactivated -c >/dev/null 2>&1 || LOG "Unable to deactivate TPM"
- tpm forceclear >/dev/null 2>&1 || LOG "Unable to clear TPM"
- tpm physicalenable >/dev/null 2>&1 || LOG "Unable to enable TPM"
- tpm takeown -pwdo "$tpm_owner_password" >/dev/null 2>&1 || LOG "Unable to take ownership of TPM"
+ DO_WITH_DEBUG tpm physicalpresence -s &>/dev/null
+ DO_WITH_DEBUG tpm physicalenable &>/dev/null
+ DO_WITH_DEBUG tpm physicalsetdeactivated -c &>/dev/null
+ DO_WITH_DEBUG tpm forceclear &>/dev/null
+ DO_WITH_DEBUG tpm physicalenable &>/dev/null
+ DO_WITH_DEBUG tpm takeown -pwdo "$tpm_owner_password" &>/dev/null
 # And now turn it all back on
- tpm physicalpresence -s >/dev/null 2>&1 || LOG "Unable to assert physical presence"
- tpm physicalenable >/dev/null 2>&1 || LOG "Unable to enable TPM"
- tpm physicalsetdeactivated -c >/dev/null 2>&1 || LOG "Unable to deactivate TPM physical presence requirement"
+ DO_WITH_DEBUG tpm physicalpresence -s &>/dev/null
+ DO_WITH_DEBUG tpm physicalenable &>/dev/null
+ DO_WITH_DEBUG tpm physicalsetdeactivated -c &>/dev/null
 }
 # Perform final cleanup before boot and lock the platform heirarchy.
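Review bot: `tpm takeown -pwdo "$tpm_owner_password"` is now wrapped in DO_WITH_DEBUG, as are the `$(tpm2_password_hex "$tpm_owner_password")` arguments in the tpm2_reset hunk above; if DO_WITH_DEBUG prints its argument list when debug output is enabled, the owner password ends up in the debug log, which this same commit makes easier to switch on from the config GUI. The functions file in this diff has a `mask_param` helper, so either confirm DO_WITH_DEBUG already masks these arguments or leave the password-carrying commands unwrapped. A short comment at the first wrapped call, e.g. `# owner password is passed on argv here; DO_WITH_DEBUG must mask it`, would make the constraint visible to the next editor.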
@@ -810,13 +803,9 @@ if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
 TRACE_FUNC
 LOG "TPM: Extending PCR[$3] with hash $hash"
- # Redirect the output of DO_WITH_DEBUG to a temporary file so we can LOG it in quiet mode
- TMP_DEBUG_FILE=$(mktemp)
- DO_WITH_DEBUG exec tpm "$@" >"$TMP_DEBUG_FILE" 2>&1
- while IFS= read -r line; do
- LOG "$line"
- done <"$TMP_DEBUG_FILE"
- rm -f "$TMP_DEBUG_FILE"
+ # Silence stdout/stderr, they're only useful for debugging
+ # and DO_WITH_DEBUG captures them
+ DO_WITH_DEBUG exec tpm "$@" &>/dev/null
 ;;
 seal)
 shift
diff --git a/initrd/etc/functions b/initrd/etc/functions
index e50d1b318..4da1087a4 100644
--- a/initrd/etc/functions
+++ b/initrd/etc/functions
@@ -402,6 +402,15 @@ mask_param() {
 #
 # For example:
 # ls /boot/vmlinux* | SINK_LOG "/boot kernels"
+#
+# To capture stderr:
+# cryptsetup open /dev/sda1 media-crypt 2> >(SINK_LOG "LUKS unlock sda1 errors")
+# (Note: the space between '>' is necessary in '2> >(SINK_LOG ...)')
+#
+# To capture both:
+# tpm reset > >(SINK_LOG "tpm reset") 2>&1
+# (Note: 2>&1 must follow the stdout redirection, and space between '>' is
+# necessary)
 SINK_LOG() {
 local name="$1"
 local line haveblank
@@ -413,7 +422,7 @@ SINK_LOG() {
 cat
 echo
 ) | while IFS= read -r line; do
-[[ -n "$haveblank" ]] && DEBUG "$name: " # Emit buffered blank line
+[[ -n "$haveblank" ]] && LOG "$name: " # Emit buffered blank line
 if [[ -z "$line" ]]; then
 haveblank=y
 else
diff --git a/initrd/init b/initrd/init
index b170924d6..9419d9ed4 100755
--- a/initrd/init
+++ b/initrd/init
@@ -1,6 +1,4 @@
 #! /bin/bash
-# Note this is used on legacy-flash boards that lack bash, it runs with busybox
-# ash. Calls to bash scripts must be guarded by checking config.
 mknod /dev/ttyprintk c 5 3
 echo "hello world" >/dev/ttyprintk
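Review bot: `&>/dev/null` applies to the DO_WITH_DEBUG invocation as a whole, so the new comment "DO_WITH_DEBUG captures them" only holds if the wrapper writes its capture somewhere other than its own fd 1 and 2 — confirm that, otherwise the debug output this is meant to preserve is discarded together with the tpm output. Independently of that, in non-debug mode a failing `tpm extend` now leaves nothing in the log, where the removed loop LOGged every output line; given this is the PCR extend path, at least a failure line is worth keeping. If the wrapper does capture internally, make the comment say how, e.g. `# Silence the console only: DO_WITH_DEBUG logs the command output itself when debugging is on.` The enclosing case arm is complete here, but the surrounding if block begins outside the hunk.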
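Review bot: The new SINK_LOG examples document `2> >(SINK_LOG ...)` without noting that the sink runs asynchronously: bash does not wait for a process substitution, so lines sent through it may reach the log after the command has returned and after later LOG calls, and the `>(...)` form is bash-only, which matters for a file sourced by several scripts. Add one line to the comment block, e.g. `# Note: with >(...) the sink runs asynchronously; its lines may appear in the log after later LOG calls.` The second SINK_LOG hunk switches the buffered blank line from DEBUG to LOG; the lines that emit the non-blank output are outside the hunk, so I cannot confirm from here that both now use the same level — worth a check.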