Skip to content

Introduce optional quiet mode (move technical output from console to /tmp/debug.log)#1863

Closed
tlaurion wants to merge 11 commits intolinuxboot:masterfrom
tlaurion:introduce_quiet_mode
Closed

Introduce optional quiet mode (move technical output from console to /tmp/debug.log)#1863
tlaurion wants to merge 11 commits intolinuxboot:masterfrom
tlaurion:introduce_quiet_mode

Conversation

@tlaurion
Copy link
Collaborator

@tlaurion tlaurion commented Nov 27, 2024
edited
Loading

WiP

qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet board addition

  • Added a new board qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet for building a coreboot ROM that works in the QEMU emulator with graphical mode support, HOTP support, TPM2 integration but runs in prod+quiet mode.

Logging Improvements:

  • Updated the LOG() function in initrd/etc/ash_functions to handle different logging modes based on CONFIG_QUIET_MODE and CONFIG_DEBUG_OUTPUT settings. This ensures that logs are directed to the appropriate output (console or debug log) based on the configuration.
  • Modified various scripts (initrd/etc/ash_functions, initrd/init, initrd/sbin/insmod) to use the updated LOG() function for consistent logging behavior. This includes logging TPM-related messages and other debug information. [1] [2]

Supression of output

  • dd output removed
  • tpm output considered irrelevant suppressed, otherwise logged through LOG to /tmp/debug.txt

Added output:

  • Enhanced the confirm_gpg_card() function to extract and display GPG PIN retry counters.

Initialization Script Updates:

  • Added a message in initrd/init to inform users when quiet mode is enabled, directing them to check the debug log for technical output.
  • Improved error handling in initrd/init by adding error redirection to grep commands to avoid unnecessary output.

TODOs:

Notes: OEM can add quiet mode as part of their rebranding prior of releases.

WiP demo:

Old state of output (videos and /tmp/debug.log content) at #1863 (comment)

Newer demo of current status of codebase at #1863 (comment)

@tlaurion tlaurion self-assigned this Nov 27, 2024
@tlaurion
Copy link
Collaborator Author

tlaurion commented Nov 28, 2024
edited
Loading

Current PR state videos ( as of a9c3284 )

TLDR default boot screenshot of console output:

2024-11-28-102830

Videos:

The "technical output" redirected to /tmp/debug.log per same commit:

!!! Hit enter to proceed to recovery shell !!!

!!!!! Console recovery shell
!!!!! Starting recovery shell
~ # cat /tmp/debug.log 
Extracting CBFS file heads/initrd/.gnupg/pubring.kbx into /.gnupg/pubring.kbx
TPM: Extending PCR[7] with filename /.gnupg/pubring.kbx and then its content
TPM: Extending PCR[7] with /.gnupg/pubring.kbx
sha256: 7 : 0x36865F7C4725D07EE25C07BEAC46780BB45DCA781AD1B4C94E1F9816322732F0
TPM: Extending PCR[7] with /.gnupg/pubring.kbx
sha256: 7 : 0x12FF75F9263DFC7D50EB3F5F560BCC185FA62742999282CED3B6217F81FCBD0B
Extracting CBFS file heads/initrd/.gnupg/trustdb.gpg into /.gnupg/trustdb.gpg
TPM: Extending PCR[7] with filename /.gnupg/trustdb.gpg and then its content
TPM: Extending PCR[7] with /.gnupg/trustdb.gpg
sha256: 7 : 0xC0F07EDAB0C0D7B2E34293D389C1B86BE2F1A0398BD79F42420ECC85108E8633
TPM: Extending PCR[7] with /.gnupg/trustdb.gpg
sha256: 7 : 0x2B01B94DB1CF1013B068EA1EE9AAE02A6D4A74266D6047DFCD020A4F2D9AB8D3
TPM: Extending PCR[5] with /lib/modules/ehci-hcd.ko and parameters '' before loading
No module parameters, extending only with the module's content
TPM: Extending PCR[5] with /lib/modules/ehci-hcd.ko
sha256: 5 : 0x909690BD6F97E04B50958166F992B414D81A0D36B732B6A7DA951763541D1CF5
TPM: Extending PCR[5] with /lib/modules/uhci-hcd.ko and parameters '' before loading
No module parameters, extending only with the module's content
TPM: Extending PCR[5] with /lib/modules/uhci-hcd.ko
sha256: 5 : 0x8EC9D2802F8413D4F6C607B73A5103E568ED77E62FB9EEA6EDFDD5EF2693DFDF
TPM: Extending PCR[5] with /lib/modules/ohci-hcd.ko and parameters '' before loading
No module parameters, extending only with the module's content
TPM: Extending PCR[5] with /lib/modules/ohci-hcd.ko
sha256: 5 : 0x5A5A2C556E0204C43F40A8B45CA0FC19CFDFA97F6CFEBBD0D37AF8C342916F4A
TPM: Extending PCR[5] with /lib/modules/ohci-pci.ko and parameters '' before loading
No module parameters, extending only with the module's content
TPM: Extending PCR[5] with /lib/modules/ohci-pci.ko
sha256: 5 : 0x8BA29C95378766C29BEEFB929839549069585709C32EA253F4E11234766039C1
TPM: Extending PCR[5] with /lib/modules/ehci-pci.ko and parameters '' before loading
No module parameters, extending only with the module's content
TPM: Extending PCR[5] with /lib/modules/ehci-pci.ko
sha256: 5 : 0x3479F0982F2000A4052ADA1FA5485239FCD86C0EAD6F624FC300DA8A29C6157A
TPM: Extending PCR[5] with /lib/modules/xhci-hcd.ko and parameters '' before loading
No module parameters, extending only with the module's content
TPM: Extending PCR[5] with /lib/modules/xhci-hcd.ko
sha256: 5 : 0x76B689397B52935FCC087204CBFCAD42442577A38025DACC0C6481BFDC8609B4
TPM: Extending PCR[5] with /lib/modules/xhci-pci.ko and parameters '' before loading
No module parameters, extending only with the module's content
TPM: Extending PCR[5] with /lib/modules/xhci-pci.ko
sha256: 5 : 0x4BB1E1405AD1FA13B66FE9BB465B0DB0F18CA317B9802CE40D42589ACE26BF0E
kexec-parse-boot stdout: Debian GNU/Linux|elf|kernel /vmlinuz-6.1.0-21-amd64|initrd /initrd.img-6.1.0-21-amd64|append root=UUID=8c44b114-b625-440b-a708-177a6b510152 ro console=ttyS0 console=tty systemd.zram=0 quiet
kexec-parse-boot stdout: Debian GNU/Linux, with Linux 6.1.0-21-amd64|elf|kernel /vmlinuz-6.1.0-21-amd64|initrd /initrd.img-6.1.0-21-amd64|append root=UUID=8c44b114-b625-440b-a708-177a6b510152 ro console=ttyS0 console=tty systemd.zram=0 quiet
kexec-parse-boot stdout: Debian GNU/Linux, with Linux 6.1.0-21-amd64 (recovery mode)|elf|kernel /vmlinuz-6.1.0-21-amd64|initrd /initrd.img-6.1.0-21-amd64|append root=UUID=8c44b114-b625-440b-a708-177a6b510152 ro single console=ttyS0 console=tty systemd.zram=0
kexec-parse-boot stdout: Debian GNU/Linux, with Linux 6.1.0-18-amd64|elf|kernel /vmlinuz-6.1.0-18-amd64|initrd /initrd.img-6.1.0-18-amd64|append root=UUID=8c44b114-b625-440b-a708-177a6b510152 ro console=ttyS0 console=tty systemd.zram=0 quiet
kexec-parse-boot stdout: Debian GNU/Linux, with Linux 6.1.0-18-amd64 (recovery mode)|elf|kernel /vmlinuz-6.1.0-18-amd64|initrd /initrd.img-6.1.0-18-amd64|append root=UUID=8c44b114-b625-440b-a708-177a6b510152 ro single console=ttyS0 console=tty systemd.zram=0
TPM: Extending PCR[6] with hash of LUKS headers from /tmp/luksDump.txt
TPM: Extending PCR[6] with /tmp/luksDump.txt
sha256: 6 : 0xB98A2CA636FBA1C34E2DB5CEF4169FDF8562CA3D362E6C31E173A03CF110D095
TPM: Extending PCR[4] to prevent any further secret unsealing
TPM: Extending PCR[4] with recovery
sha256: 4 : 0x51737C77C481AA22095B38D38FC9FD494B0FFA4EAE7D3AC238082083D0AFD614

@tlaurion
qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet board: addition of boar…
3cca3be 
…d containing 'export CONFIG_QUIET_MODE=y' for output comparison between debug, prod and quiet mode

Signed-off-by: Thierry Laurion <[email protected]>
@tlaurion
initrd bin/* sbin/insmod + /etc/ash_functions: TPM extend operations …
8594f3a 
…now all passed to LOG (quiet mode doesn't show them and logs them to /tmp/debug.log)

Signed-off-by: Thierry Laurion <[email protected]>
@tlaurion
init: suppress /etc/config.user not existing on grep calls
e44c301 
Signed-off-by: Thierry Laurion <[email protected]>
@tlaurion
init: inform user that running in quiet mode, tell user that technica…
a450dba 
…l information can be seen running 'cat /tmp/debug.log' from Recovery Shell

Signed-off-by: Thierry Laurion <[email protected]>
@tlaurion
codebase: silence dd output while capturing output in variables when …
69bac71 
…needed

Signed-off-by: Thierry Laurion <[email protected]>
@tlaurion
initrd/bin/tmpr: silence tpm reset console output, LOG instead
c8fe994 
Signed-off-by: Thierry Laurion <[email protected]>
@tlaurion
initrd/etc/ash_functions: add GPG Admin/User PIN output grabbing on c…
ae97467 
…onfirm_gpg_card presence call, echo for now, warn to input GPG User PIN when asked to unlock GPG card

Mitigate misunderstands and show GPG User/Admin PIN counts until proper output exists under hotp_verification info to reduce global confusion

Add TODO under initrd/bin/seal-hotpkey to not foget to fix output since now outputting counter of 8 for Admin PIN which makes no sense at all under hotp_verification 1.6 Nitrokey/nitrokey-hotp-verification#38

Signed-off-by: Thierry Laurion <[email protected]>
@tlaurion tlaurion force-pushed the introduce_quiet_mode branch from dd72313 to ae97467 Compare December 3, 2024 19:09
@tlaurion
Copy link
Collaborator Author

tlaurion commented Dec 3, 2024
edited
Loading

Current state demo of ae97467 state

qemu needing to inject pubkey (no persistence) + tpm reset, resealing hotp, signing /boot
Pay attention to

  • additional output on screen around USB Security dongle presence verification
    • we added GPG User/Admin PIN tries (retry count of gpg) left before locking, and prepare user to type GPG User PIN next, followed by Enter key:
2024-12-03.14-11-40.mp4

Default boot output on screen with TPM DUK enabled:

2024-12-03.14-21-43.mp4

@tlaurion tlaurion mentioned this pull request Dec 3, 2024
Closed
@tlaurion
Copy link
Collaborator Author

tlaurion commented Jan 15, 2025

Replaced and integrated for testing under #1884

@tlaurion tlaurion closed this Jan 15, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JonathonHall-Purism JonathonHall-Purism Awaiting requested review from JonathonHall-Purism

Assignees

@tlaurion tlaurion

Labels

automated testing consultation service Funded work debug enhancement input for docs release cycle - 2025-01-30 (originally targeted 2024-11-20) UX

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add info function so that LOG is dynamic: output through DEBUG, to console (std) or /tmp/debug/log if in quiet mode

1 participant

@tlaurion