From 546808294a82e54c17f8431ea96edf8b0ff16287 Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Fri, 20 Oct 2023 16:20:17 -0400
Subject: [PATCH] WiP: adapt dmesg in function of CONFIG_DEBUG_OUTPUT being enabled or not so and adapt further troubleshooting notes in code when keys cannot be accessed on media for whatever cause so user can understand what is happening when accessing GPG material on backup thumb drive
---
 .../qemu-coreboot-fbwhiptail-tpm1.config | 7 +++++--
 .../qemu-coreboot-whiptail-tpm1.config | 4 ++--
 initrd/etc/ash_functions | 2 +-
 initrd/init | 8 ++++++++
 4 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config b/boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config
index 94f543fd3..f494f2b0f 100644
--- a/boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config
+++ b/boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config
@@ -10,9 +10,12 @@ export CONFIG_LINUX_VERSION=5.10.5
 #export CONFIG_RESTRICTED_BOOT=y
 #export CONFIG_BASIC=y
+#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
+export CONFIG_HAVE_GPG_KEY_BACKUP=y
+
 #Enable DEBUG output
-export CONFIG_DEBUG_OUTPUT=y
-export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
+#export CONFIG_DEBUG_OUTPUT=y
+#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config
 CONFIG_LINUX_CONFIG=config/linux-qemu.config
diff --git a/boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config b/boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config
index 25de9fbbe..bc4859442 100644
--- a/boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config
+++ b/boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config
@@ -14,8 +14,8 @@ export CONFIG_LINUX_VERSION=5.10.5
 export CONFIG_HAVE_GPG_KEY_BACKUP=y
 #Enable DEBUG output
-export CONFIG_DEBUG_OUTPUT=y
-export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
+#export CONFIG_DEBUG_OUTPUT=y
+#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config
 CONFIG_LINUX_CONFIG=config/linux-qemu.config
diff --git a/initrd/etc/ash_functions b/initrd/etc/ash_functions
index 9cdd7245e..f815833e5 100644
--- a/initrd/etc/ash_functions
+++ b/initrd/etc/ash_functions
@@ -101,7 +101,7 @@ confirm_gpg_card() {
 warn "Please select encrypted LUKS on GPG key material backup thumb drive (not public labeled one)"
 mount-usb --pass "$gpg_admin_pin" || die "Unable to mount USB with GPG Admin PIN"
 echo "++++ Testing detach-sign operation and verifiying against fused public key in ROM"
- gpg --pinentry-mode=loopback --passphrase-file <(echo -n "${gpg_admin_pin}") --import /media/subkeys.sec >/dev/null 2>&1 ||
+ gpg --pinentry-mode=loopback --passphrase-file <(echo -n "${gpg_admin_pin}") --import /media/subkeys.sec ||
 die "Unable to import GPG private subkeys"
 #Do a detach signature to ensure gpg material is usable and cache passphrase to sign /boot from caller functions
 dd if=/dev/urandom of="$CR_NONCE" bs=20 count=1 >/dev/null 2>&1 ||
diff --git a/initrd/init b/initrd/init
index 2acd93fed..a9297c23a 100755
--- a/initrd/init
+++ b/initrd/init
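Review bot: The `die` text after the `gpg --import` line in confirm_gpg_card (initrd/etc/ash_functions) is still the generic "Unable to import GPG private subkeys", so a missing or unreadable /media/subkeys.sec looks the same to the user as a rejected passphrase. A readability check placed before the import, `[ -r /media/subkeys.sec ] || die "GPG subkeys not found on mounted backup drive (/media/subkeys.sec)"`, would separate the two causes. With the redirect gone, gpg's normal success output also reaches the console on every run; if that is unwanted, capture the output and print it only when the import fails. Separately, `echo -n "${gpg_admin_pin}"` can mangle a PIN that begins with a dash, and `printf '%s' "${gpg_admin_pin}"` avoids that. The function starts and ends outside the hunk.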
@@ -60,6 +60,14 @@ if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
 #DEBUG and TRACE calls will output to /dev/kmsg, outputting both on dmesg and on console
 dmesg -n 8 || true
 DEBUG "Debug output enabled from board CONFIG_DEBUG_OUTPUT=y option (/etc/config)"
+else
+ # Board config did't have CONFIG_DEBUG_OUTPUT=y defined
+ # config.user extracted and combined from CBFS had CONFIG_DEBUG_OUTPUT=y
+ # Output only print messages with a priority of 4 (warnings) or lower (errors and critical) kernel messages to console
+ # This way, "debug" kernel command line option will have all kernel messages output on console prior of this point
+ # This is useful to debug boot issues but permits qemu board to boot without flooding console with kernel messages by disabling CONFIG_DEBUG_OUTPUT=y in qemu board config
+ dmesg -n 4 || true
+ DEBUG "Debug output enabled from /etc/config.user's CONFIG_DEBUG_OUTPUT=y after combine_configs (Config menu enabled Debug)"
 fi
 TRACE "Under init"
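Review bot: The added `else` branch in initrd/init runs only when CONFIG_DEBUG_OUTPUT is not "y", yet its second comment and its `DEBUG` message both state that debug output was enabled from /etc/config.user; this reads like text copied from a later config.user check, and if DEBUG is gated on that variable (not visible here) the message is never shown. The level is also off by one against the comment: `dmesg -n 4` sets the console log level to 4, which prints only messages of priority 3 (errors) and more severe, so warnings are suppressed. If kernel warnings are meant to stay visible on the console during boot, use `dmesg -n 5 || true`; otherwise reword the comment to say "errors or more severe". A comment such as `# CONFIG_DEBUG_OUTPUT is not set in the board config: limit kernel messages on console` would replace the two misleading lines. The `if` opens before the first line of the hunk.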