
@tlaurion (Collaborator) commented Aug 26, 2025

This pull request refactors the pause_automatic_boot function in initrd/etc/gui_functions to improve user experience and add TOTP display support during the automatic boot countdown. The main changes include switching to a live countdown display, optionally showing the current TOTP code, and handling user interruption more interactively.

User experience improvements:

  • The boot countdown now updates live on the same line, showing the remaining seconds and the current UTC timestamp, instead of a static message.
  • If TPM and TOTP are enabled and QR code display is not skipped, the current TOTP code is shown alongside the countdown. Errors in retrieving the TOTP are handled gracefully.

Interactive interruption:

  • The function checks for user keypresses every second during the countdown, allowing interruption at any time, and prints a newline for clarity after an interrupt.

In action under qemu-coreboot-whiptail-tpm2-hotp-prod (not silent, not debug): [screenshots 2025-08-27-180603, 2025-08-27-180613, 2025-08-27-180647]
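The countdown loop the description above talks about, written out as an added bash example that is not the PR's own gui_functions code: it redraws one line every second, polls for a keystroke with a one-second read timeout, and appends the current TOTP code when TPM and TOTP display are enabled. `get_totp_code` is a hypothetical stub standing in for the board's real TOTP command, and CONFIG_TPM / CONFIG_TOTP_SKIP_QRCODE are assumed names for the two switches; the function's return value tells the caller whether the countdown expired (proceed with the default boot) or was interrupted (fall back to the menu).

```bash
#!/bin/bash
# Added example, not Heads' gui_functions code: an automatic-boot countdown
# that redraws a single line each second, checks for a keypress every second,
# and optionally shows the current TOTP code next to the timer.
#
# Assumptions (hypothetical, not from the PR): get_totp_code stands in for
# the command that prints the current TOTP code; CONFIG_TPM and
# CONFIG_TOTP_SKIP_QRCODE are the "TPM enabled" / "QR display skipped" switches.

# Stub for the real TOTP command, so the script runs offline.
get_totp_code() {
  printf '123456\n'
}

# totp_line: print a short " TOTP: ..." fragment for the countdown line, or
# " TOTP: unavailable" when retrieving the code fails, so a TOTP error never
# aborts the countdown itself. Prints nothing when TOTP display is off.
totp_line() {
  if [ "${CONFIG_TPM:-n}" = "y" ] && [ "${CONFIG_TOTP_SKIP_QRCODE:-n}" != "y" ]; then
    local code
    if code=$(get_totp_code 2>/dev/null) && [ -n "$code" ]; then
      printf ' TOTP: %s' "$code"
    else
      printf ' TOTP: unavailable'
    fi
  fi
}

# pause_automatic_boot TIMEOUT_SECONDS
# Returns 0 when the countdown expired (caller proceeds with the default boot),
# 1 when a key was pressed (caller shows the menu instead).
pause_automatic_boot() {
  local remaining="$1" key rc
  while [ "$remaining" -gt 0 ]; do
    # \r moves back to the start of the line so each tick overwrites the last.
    printf '\rAutomatic boot in %2ds [%s]%s  ' "$remaining" \
      "$(date -u '+%Y-%m-%d %H:%M:%S UTC')" "$(totp_line)"
    # Wait at most one second for a single keystroke.
    read -r -t 1 -n 1 key
    rc=$?
    if [ "$rc" -eq 0 ]; then
      printf '\n'          # newline so the next prompt starts cleanly
      return 1
    elif [ "$rc" -le 128 ]; then
      # Not a timeout (e.g. stdin closed or not a terminal): keep the
      # one-second cadence instead of spinning through the loop.
      sleep 1
    fi
    remaining=$((remaining - 1))
  done
  printf '\n'
  return 0
}

# Usage: ./autoboot_countdown.sh 5
if [ -n "$1" ]; then
  if pause_automatic_boot "$1"; then
    echo "countdown expired: proceeding with default boot"
  else
    echo "interrupted: showing menu"
  fi
fi
```

Pairing `read -t 1` with an unconditional `sleep 1` in the same loop is what makes the displayed clock advance two seconds per tick; here the sleep only runs when `read` failed for a reason other than a timeout (bash reports a timeout with an exit status above 128), so on a console the line updates once per second.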

@tlaurion (Collaborator, Author) commented Aug 27, 2025

Old OP (in link of deprecated, superseded commit e0fb3e7)

This pull request enhances the user experience during the automatic boot countdown in the initrd/etc/gui_functions script. The main improvement is the addition of a dynamic countdown display that updates every second and optionally shows the current TOTP code if TPM is enabled and QR code display is not skipped.

User experience improvements:

  • The automatic boot countdown now updates every second, providing a more interactive and visible countdown for the user.
  • If TPM is enabled and QR code display is not skipped, the current TOTP code is retrieved and displayed alongside the countdown, giving users immediate access to authentication information.
  • The script checks for a keypress each second, allowing the user to interrupt the boot process at any time during the countdown.

In action under qemu-coreboot-whiptail-tpm2-hotp-prod (not silent, not debug): [screenshots 2025-08-26-160027, 2025-08-26-160100, 2025-08-26-160142]

@tlaurion (Collaborator, Author) commented:

Small UX bug to fix: the time shown on screen is updated every 2 seconds, not every second.

@tlaurion force-pushed the totp_on_automatic_boot branch from dbd095a to 25b3d80 on September 22, 2025 18:00
@tlaurion (Collaborator, Author) commented:

[screenshot signal-2025-09-22-144315]

Self reviewed. @JonathonHall-Purism comments?

@tlaurion requested a review from Copilot on September 22, 2025 18:52
Copilot AI left a comment

Pull Request Overview

This PR refactors the pause_automatic_boot function to provide an enhanced user experience during the automatic boot countdown with live updates and optional TOTP display. The changes replace a simple single-line timeout with an interactive countdown loop.

  • Implements live countdown display that updates every second with current UTC timestamp
  • Adds optional TOTP code display when TPM is enabled and QR code display is not skipped
  • Enables real-time user interruption by checking for keypresses every second


@tlaurion force-pushed the totp_on_automatic_boot branch from 25b3d80 to db9f55e on November 5, 2025 21:36
@tlaurion requested a review from Copilot on November 5, 2025 21:37
Copilot AI left a comment

Pull Request Overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.



…OTP code while waiting for automatic boot when a default boot is set and HOTP is valid

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
@tlaurion force-pushed the totp_on_automatic_boot branch from db9f55e to 46f3091 on November 5, 2025 21:45
@tlaurion marked this pull request as draft on November 5, 2025 21:45
@tlaurion marked this pull request as ready for review on November 5, 2025 21:45
@tlaurion (Collaborator, Author) commented Nov 5, 2025

@Tonux599 comments?

@Tonux599 (Contributor) commented Nov 6, 2025

@Tonux599 comments?

This is only for HOTP configs? I can't test that; however, the code looks fine to me. It would be nice if this could be extended to non-HOTP configs also.

@tlaurion (Collaborator, Author) commented Nov 6, 2025

@Tonux599 comments?

This is only for HOTP configs? I can't test that; however, the code looks fine to me. It would be nice if this could be extended to non-HOTP configs also.

@Tonux599 then, if not in the pause waiting for the automatic boot delay to reach 0, could this be put in place while waiting for the user to press the Esc key before typing the TPM DUK passphrase?

Otherwise as of now, TOTP is only shown from Heads main menu.

@Tonux599 (Contributor) commented Nov 6, 2025

@Tonux599 then, if not in the pause waiting for the automatic boot delay to reach 0, could this be put in place while waiting for the user to press the Esc key before typing the TPM DUK passphrase?

Otherwise as of now, TOTP is only shown from Heads main menu.

I don't think in TPM DUK, as not everyone will use that (I trust my TPM to measure the boot, but not to store my disk encryption key).

heads/initrd/bin/gui-init, lines 660 to 662 in 46f3091:

if [ "$HOTP" = "Success" -a -n "$CONFIG_AUTO_BOOT_TIMEOUT" ]; then
  prompt_auto_default_boot
fi

If the above was changed to something like (pseudo-ish code):

if [ -n "$CONFIG_AUTO_BOOT_TIMEOUT" ]; then 
  if [ "$CONFIG_HOTPKEY" = "y" -a "$HOTP" != "Success" ]; then
    # Return an error here and stop autoboot.
  fi

  prompt_auto_default_boot 
fi 

I think that ought to catch all?

@tlaurion (Collaborator, Author) commented Nov 6, 2025

@Tonux599 then, if not in the pause waiting for the automatic boot delay to reach 0, could this be put in place while waiting for the user to press the Esc key before typing the TPM DUK passphrase?
Otherwise as of now, TOTP is only shown from Heads main menu.

I don't think in TPM DUK, as not everyone will use that (I trust my TPM to measure the boot, but not to store my disk encryption key).

heads/initrd/bin/gui-init, lines 660 to 662 in 46f3091:

if [ "$HOTP" = "Success" -a -n "$CONFIG_AUTO_BOOT_TIMEOUT" ]; then
  prompt_auto_default_boot
fi

If the above was changed to something like (pseudo-ish code):

if [ -n "$CONFIG_AUTO_BOOT_TIMEOUT" ]; then 
  if [ "$CONFIG_HOTPKEY" = "y" -a "$HOTP" != "Success" ]; then
    # Return an error here and stop autoboot.
  fi

  prompt_auto_default_boot 
fi 

I think that ought to catch all?

Ha. No trust in TPM for DUK. Well, I welcome improvements to #2024, since vendors use HOTP + automatic boot, not necessarily TPM DUK (not forced), but there is no other current automatic boot as of now.
