
Commit 42d0f32

committed
initrd: harden TPM integrity/reseal flows and add prod_quiet QEMU configs
Improve TPM/TOTP/HOTP recovery and reseal behavior by adding integrity-first gating, clearer failure handling, and stronger rollback preflight checks. - add integrity report + investigation flows in GUI, with explicit actions before reseal/reset paths - introduce TPM reset-required markers and rollback preflight validation to fail early on inconsistent TPM state - make unseal/seal paths safer and more recoverable (nonfatal unseal mode, clearer reset/reseal guidance, better TPM1/TPM2 handling) - improve kexec signing reliability with explicit signing key selection and actionable GPG error diagnostics - avoid hiding interactive password/PIN prompts by removing inappropriate debug wrappers around sensitive interactive commands - add run_lvm wrapper and switch runtime scripts to reduce harmless LVM noise - refresh TPM2 primary-handle hash in update/signing flows to keep trust metadata in sync - add new qemu fbwhiptail prod_quiet board configs for TPM1 and TPM2 - fix board-name values for existing qemu hotp prod_quiet variants - document QEMU canokey state reuse and TPM2 pcap capture debugging - ignore exported public key artifacts (*.asc) in .gitignore - rewrite doc/logging.md: debug.log always captures every level regardless of output mode; console visibility is the only mode-dependent behavior; document STATUS, NOTE, INPUT levels and ANSI color coding rationale - fix DEBUG, TRACE, warn to unconditionally write to debug.log (previously only wrote to debug.log when CONFIG_DEBUG_OUTPUT=y) - add STATUS, NOTE, INPUT logging functions with ANSI color coding; replace bare echo/read patterns across codebase with proper log levels - fix INPUT: echo after read so single-char keypresses do not bleed onto the next output line - demote "No encrypted LVMs/devices found" from INFO to DEBUG - add per-state signing_key_guidance in integrity report (AVAILABLE / CARD UNPROVISIONED / CARD KEY DOES NOT MATCH FIRMWARE / NO CARD DETECTED) replacing a generic catch-all message - suppress 
redundant Measured Integrity Report when user navigates to OEM Factory Reset from within the report (INTEGRITY_REPORT_ALREADY_SHOWN) - call wait_for_gpg_card silently first; only prompt to insert card if not already detected - call enable_usb unconditionally at gui-init startup (was gated on HOTP) - call wait_for_gpg_card before GPG key count check in reset_tpm loop so card is detected on first pass without requiring a manual retry - move qemu-* poweroff and recovery shell prompt into initrd/bin/reboot; remove do_reboot() from functions; all callers use reboot directly Signed-off-by: Thierry Laurion <insurgo@riseup.net>
1 parent 2ab9ff3 commit 42d0f32

47 files changed

Lines changed: 2683 additions & 948 deletions


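--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+*.asc
 *.bad
 *.bz2
 *.cpio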

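--- a/boards/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet.config
+++ b/boards/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet.config
@@ -91,7 +91,7 @@ export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0"
 export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
 export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
-export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm1-hotp"
+export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet"
 #export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
 
 export CONFIG_KEYBOARD_KEYMAP="/usr/lib/kbd/keymaps/i386/qwerty/us.map"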
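--- /dev/null
+++ b/[path hidden on page]
@@ -0,0 +1,97 @@
+# Configuration for building a coreboot ROM that works in
+# the qemu emulator in console mode thanks to Whiptail
+#
+# TPM can be used with a qemu software TPM (TIS, 1.2).
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=25.09
+export CONFIG_LINUX_VERSION=6.1.8
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1-prod.config
+CONFIG_LINUX_CONFIG=config/linux-qemu.config
+
+#Enable only one RESTRICTED/BASIC boot modes below to test them manually (we cannot inject config under QEMU (no internal flashing)
+#export CONFIG_RESTRICTED_BOOT=y
+#export CONFIG_BASIC=y
+
+#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
+#export CONFIG_HAVE_GPG_KEY_BACKUP=y
+
+#On-demand hardware support (modules.cpio)
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000=y
+#CONFIG_MOBILE_TETHERING=y
+#Runtime on-demand additional hardware support (modules.cpio)
+export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y
+
+
+
+#Modules packed into tools.cpio
+ifeq "$(CONFIG_UROOT)" "y"
+CONFIG_BUSYBOX=n
+else
+#Modules packed into tools.cpio
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+#Runtime tools to write to MSR
+#CONFIG_MSRTOOLS=y
+#Remote attestation support
+# TPM2 requirements
+#CONFIG_TPM2_TSS=y
+#CONFIG_OPENSSL=y
+#Remote Attestation common tools
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+#CONFIG_HOTPKEY=y
+#Nitrokey Storage admin tool (deprecated)
+#CONFIG_NKSTORECLI=n
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+#Additional tools (tools.cpio):
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
+endif
+
+#Runtime configuration
+#Automatically boot if HOTP is valid
+export CONFIG_AUTO_BOOT_TIMEOUT=5
+#TPM2 requirements
+#export CONFIG_TPM2_TOOLS=y
+#export CONFIG_PRIMARY_KEY_TYPE=ecc
+#TPM1 requirements
+export CONFIG_TPM=y
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+#text-based original init:
+#export CONFIG_BOOTSCRIPT=/bin/generic-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0"
+export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
+export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm1-prod_quiet"
+#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
+
+export CONFIG_KEYBOARD_KEYMAP="/usr/lib/kbd/keymaps/i386/qwerty/us.map"
+
+BOARD_TARGETS := qemu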
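Review bot: The header comment on new lines 1–2 says the ROM runs "in console mode thanks to Whiptail", but this same file enables CONFIG_CAIRO=y and CONFIG_FBWHIPTAIL=y and names the board qemu-coreboot-fbwhiptail-tpm1-prod_quiet, so the description looks carried over from a console whiptail board; the sibling TPM2 prod_quiet config added in this commit reads `# the qemu emulator in graphical mode thanks to FBWhiptail`, and line 2 here should say the same. The comment `#Automatically boot if HOTP is valid` above `export CONFIG_AUTO_BOOT_TIMEOUT=5` (new lines 70–71) is also misleading for this board, since `#CONFIG_HOTPKEY=y` is left commented out on line 54; either drop the HOTP wording or state what the timeout gates when no HOTP key is built in — I cannot tell from this file alone what the auto-boot condition is without HOTP. Both points are comment-only; the values themselves are consistent with the other qemu boards.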

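--- a/boards/qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet/qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet.config
+++ b/boards/qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet/qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet.config
@@ -17,6 +17,7 @@ CONFIG_LINUX_CONFIG=config/linux-qemu.config
 #Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
 #export CONFIG_HAVE_GPG_KEY_BACKUP=y
 
+
 #On-demand hardware support (modules.cpio)
 CONFIG_LINUX_USB=y
 CONFIG_LINUX_E1000=y
@@ -90,7 +91,7 @@ export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0"
 export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
 export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
-export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm2-hotp"
+export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet"
 #export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
 
 export CONFIG_KEYBOARD_KEYMAP="/usr/lib/kbd/keymaps/i386/qwerty/us.map"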
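--- /dev/null
+++ b/[path hidden on page]
@@ -0,0 +1,98 @@
+# Configuration for building a coreboot ROM that works in
+# the qemu emulator in graphical mode thanks to FBWhiptail
+#
+# TPM can be used with a qemu software TPM (TIS, 2.0).
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=25.09
+export CONFIG_LINUX_VERSION=6.1.8
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2-prod.config
+CONFIG_LINUX_CONFIG=config/linux-qemu.config
+
+#Enable only one RESTRICTED/BASIC boot modes below to test them manually (we cannot inject config under QEMU (no internal flashing)
+#export CONFIG_RESTRICTED_BOOT=y
+#export CONFIG_BASIC=y
+
+#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
+#export CONFIG_HAVE_GPG_KEY_BACKUP=y
+
+
+#On-demand hardware support (modules.cpio)
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000=y
+#CONFIG_MOBILE_TETHERING=y
+#Runtime on-demand additional hardware support (modules.cpio)
+export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y
+
+
+
+#Modules packed into tools.cpio
+ifeq "$(CONFIG_UROOT)" "y"
+CONFIG_BUSYBOX=n
+else
+#Modules packed into tools.cpio
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+#Runtime tools to write to MSR
+CONFIG_MSRTOOLS=y
+#Remote attestation support
+# TPM2 requirements
+CONFIG_TPM2_TSS=y
+CONFIG_OPENSSL=y
+#Remote Attestation common tools
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+#CONFIG_HOTPKEY=y
+#Nitrokey Storage admin tool (deprecated)
+#CONFIG_NKSTORECLI=n
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+#Additional tools (tools.cpio):
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
+endif
+
+#Runtime configuration
+#Automatically boot if HOTP is valid
+export CONFIG_AUTO_BOOT_TIMEOUT=5
+#TPM2 requirements
+export CONFIG_TPM2_TOOLS=y
+export CONFIG_PRIMARY_KEY_TYPE=ecc
+#TPM1 requirements
+#export CONFIG_TPM=y
+#Enable DEBUG output
+#export CONFIG_DEBUG_OUTPUT=y
+#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=y
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+#text-based original init:
+#export CONFIG_BOOTSCRIPT=/bin/generic-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0"
+export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
+export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm2-prod_quiet"
+#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
+
+export CONFIG_KEYBOARD_KEYMAP="/usr/lib/kbd/keymaps/i386/qwerty/us.map"
+
+BOARD_TARGETS := qemu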
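Review bot: `export CONFIG_TPM2_CAPTURE_PCAP=y` on new line 82 turns on TPM2 command/response capture under /tmp in a board that its name and `CONFIG_QUIET_MODE=y` present as a production-quiet profile, while the parallel TPM1 prod_quiet config added in this commit sets `export CONFIG_TPM2_CAPTURE_PCAP=n`. The comment this commit adds to the non-quiet tpm2 board describes the capture as a Wireshark debugging aid, so on a prod-labelled profile it should presumably default to `export CONFIG_TPM2_CAPTURE_PCAP=n`; if capture is deliberately wanted here, a comment on line 81 should say so and state whether the pcap can hold data returned by unseal operations, which I cannot confirm from this file. The debug toggles on lines 79–80 are left commented out rather than set to `n` as the TPM1 variant does; setting `export CONFIG_DEBUG_OUTPUT=n` and `export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n` explicitly keeps the two prod_quiet profiles readable side by side.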

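--- a/boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.config
+++ b/boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.config
@@ -79,6 +79,9 @@ export CONFIG_PRIMARY_KEY_TYPE=ecc
 export CONFIG_DEBUG_OUTPUT=y
 export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
 #Enable TPM2 pcap output under /tmp
+# When enabled, tpmr writes TPM2 command/response capture to /tmp/tpm0.pcap
+# (inside the Heads runtime). This can be inspected with Wireshark to debug
+# TPM interaction similarly to a TPM bus sniffer.
 export CONFIG_TPM2_CAPTURE_PCAP=y
 #Enable quiet mode: technical information logged under /tmp/debug.log
 export CONFIG_QUIET_MODE=n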
