Add DEBUG statements in code and fix "sh: argument expected"

boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.config

@@ -8,6 +8,10 @@ export CONFIG_COREBOOT=y
 export CONFIG_COREBOOT_VERSION=4.13
 export CONFIG_LINUX_VERSION=5.10.5
 
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=y
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
+
 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config
 CONFIG_LINUX_CONFIG=config/linux-qemu.config
 

boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config

@@ -6,6 +6,10 @@ export CONFIG_COREBOOT=y
 export CONFIG_COREBOOT_VERSION=4.13
 export CONFIG_LINUX_VERSION=5.10.5
 
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=y
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
+
 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config
 CONFIG_LINUX_CONFIG=config/linux-qemu.config
 

boards/qemu-coreboot-whiptail-tpm1-hotp/qemu-coreboot-whiptail-tpm1-hotp.config

@@ -8,6 +8,10 @@ export CONFIG_COREBOOT=y
 export CONFIG_COREBOOT_VERSION=4.13
 export CONFIG_LINUX_VERSION=5.10.5
 
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=y
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
+
 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config
 CONFIG_LINUX_CONFIG=config/linux-qemu.config
 

boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config

@@ -6,6 +6,10 @@ export CONFIG_COREBOOT=y
 export CONFIG_COREBOOT_VERSION=4.13
 export CONFIG_LINUX_VERSION=5.10.5
 
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=y
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
+
 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config
 CONFIG_LINUX_CONFIG=config/linux-qemu.config
 

initrd/bin/cbfs-init

@@ -2,6 +2,8 @@
 set -e -o pipefail
 . /etc/functions
 
+TRACE "Under /bin/cbfs-init"
+
 # Update initrd with CBFS files
 if [ -z "$CONFIG_PCR" ]; then
 	CONFIG_PCR=7

initrd/bin/cbfs.sh

@@ -3,6 +3,8 @@ set -e -o pipefail
 . /etc/functions
 . /tmp/config
 
+TRACE "Under /bin/cbfs.sh"
+
 if pnor "$2" -r HBI > /tmp/pnor.part 2>/dev/null; then
     cbfs "$@" -o /tmp/pnor.part && pnor "$2" -w HBI < /tmp/pnor.part
 else

initrd/bin/config-gui.sh

@@ -5,6 +5,8 @@ set -e -o pipefail
 . /etc/gui_functions
 . /tmp/config
 
+TRACE "Under /bin/config-gui.sh"
+
 param=$1
 
 while true; do

initrd/bin/flash-gui.sh

@@ -5,6 +5,8 @@ set -e -o pipefail
 . /etc/gui_functions
 . /tmp/config
 
+TRACE "Under /bin/flash-gui.sh"
+
 while true; do
   unset menu_choice
   whiptail $BG_COLOR_MAIN_MENU --title "Firmware Management Menu" \

initrd/bin/flash.sh

@@ -6,6 +6,8 @@ set -e -o pipefail
 . /etc/functions
 . /tmp/config
 
+TRACE "Under /bin/flash.sh"
+
 case "$CONFIG_FLASHROM_OPTIONS" in
   -* )
     echo "Board $CONFIG_BOARD detected, continuing..."

initrd/bin/flashrom-kgpe-d16-openbmc.sh

@@ -1,6 +1,8 @@
 #!/bin/sh
 . /etc/functions
 
+TRACE "Under /bin/flashrom-kgpe-d16-openbmc.sh"
+
 ROM="$1"
 if [ -z "$1" ]; then
 	die "Usage: $0 /media/kgpe-d16-openbmc.rom"

initrd/bin/generic-init

@@ -6,6 +6,7 @@
 
 mount_boot()
 {
+	TRACE "Under /bin/generic-init:mount_boot"
 	# Mount local disk if it is not already mounted
 	if ! grep -q /boot /proc/mounts ; then
 		mount -o ro /boot \

initrd/bin/gpg-gui.sh

@@ -5,6 +5,7 @@ set -e -o pipefail
 . /etc/gui_functions
 . /tmp/config
 
+TRACE "Under /bin/gpg-gui.sh"
 gpg_flash_rom() {
 
   if [ "$1" = "replace" ]; then

initrd/bin/gpgv

@@ -1,3 +1,6 @@
 #!/bin/sh
 # if we are using the full GPG we need a wrapper for the gpgv executable
+. /etc/functions
+
+TRACE "Under /bin/gpgv"
 exec gpg --verify "$@"

initrd/bin/gui-init

@@ -17,7 +17,7 @@ skip_to_menu="false"
 
 mount_boot()
 {
-
+  TRACE "Under /bin/gui-init:mount_boot"
   # Mount local disk if it is not already mounted
   while ! grep -q /boot /proc/mounts ; do
     # try to mount if CONFIG_BOOT_DEV exists
@@ -63,6 +63,7 @@ mount_boot()
 
 verify_global_hashes()
 {
+  TRACE "Under /bin/gui-init:verify_global_hashes"
   # Check the hashes of all the files, ignoring signatures for now
   check_config /boot force
   TMP_HASH_FILE="/tmp/kexec/kexec_hashes.txt"
@@ -137,6 +138,7 @@ verify_global_hashes()
 
 prompt_update_checksums()
 {
+  TRACE "Under /bin/gui-init:prompt_update_checksums"
   if (whiptail $BG_COLOR_WARNING --title 'Update Checksums and sign all files in /boot' \
       --yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that these files have not been tampered with.\n\nYou will need your GPG key available, and this change will modify your disk.\n\nDo you want to continue?" 0 80) then
     if ! update_checksums ; then
@@ -148,6 +150,7 @@ prompt_update_checksums()
 
 generate_totp_htop()
 {
+  TRACE "Under /bin/gui-init:generate_totp_htop"
   echo "Scan the QR code to add the new TOTP secret"
   if /bin/seal-totp "$BOARD_NAME"; then
     if [ -x /bin/hotp_verification ]; then
@@ -167,6 +170,7 @@ generate_totp_htop()
 
 update_totp()
 {
+  TRACE "Under /bin/gui-init:update_totp"
   # update the TOTP code
   date=`date "+%Y-%m-%d %H:%M:%S %Z"`
   if [ "$CONFIG_TPM" = n ]; then
@@ -217,6 +221,7 @@ update_totp()
 
 update_hotp()
 {
+  TRACE "Under /bin/gui-init:update_hotp"
   if [ -x /bin/hotp_verification ]; then
     HOTP=`unseal-hotp`
     if ! hotp_verification info ; then
@@ -255,6 +260,7 @@ update_hotp()
 
 clean_boot_check()
 {
+  TRACE "Under /bin/gui-init:mount_boot"
   # assume /boot mounted
   if ! grep -q /boot /proc/mounts ; then
     return
@@ -283,6 +289,7 @@ clean_boot_check()
 
 check_gpg_key()
 {
+  TRACE "Under /bin/gui-init:check_gpg_key"
   GPG_KEY_COUNT=`gpg -k 2>/dev/null | wc -l`
   if [ $GPG_KEY_COUNT -eq 0 ]; then
     BG_COLOR_MAIN_MENU=$BG_COLOR_ERROR
@@ -319,6 +326,7 @@ check_gpg_key()
 
 prompt_auto_default_boot()
 {
+  TRACE "Under /bin/gui-init:prompt_auto_default_boot"
   # save IFS before changing, restore after read
   IFS_DEF=$IFS
   IFS=''
@@ -335,6 +343,7 @@ prompt_auto_default_boot()
 
 show_main_menu()
 {
+  TRACE "Under /bin/gui-init:show_main_menu"
   date=`date "+%Y-%m-%d %H:%M:%S %Z"`
   whiptail $BG_COLOR_MAIN_MENU --title "$MAIN_MENU_TITLE" \
     --menu "$date\nTOTP: $TOTP | HOTP: $HOTP" 0 80 10 \
@@ -368,6 +377,7 @@ show_main_menu()
 
 show_options_menu()
 {
+  TRACE "Under /bin/gui-init:show_options_menu"
   whiptail $BG_COLOR_MAIN_MENU --title "HEADS Options" \
     --menu "" 0 80 10 \
     'b' ' Boot Options -->' \
@@ -424,6 +434,7 @@ show_options_menu()
 
 show_boot_options_menu()
 {
+  TRACE "Under /bin/gui-init:show_boot_options_menu"
   whiptail $BG_COLOR_MAIN_MENU --title "Boot Options" \
     --menu "Select A Boot Option" 0 80 10 \
     'm' ' Show OS boot menu' \
@@ -451,6 +462,7 @@ show_boot_options_menu()
 
 show_tpm_totp_hotp_options_menu()
 {
+  TRACE "Under /bin/gui-init:show_tpm_totp_hotp_options_menu"
   whiptail $BG_COLOR_MAIN_MENU --title "TPM/TOTP/HOTP Options" \
     --menu "Select An Option" 0 80 10 \
     'g' ' Generate new TOTP/HOTP secret' \
@@ -477,6 +489,7 @@ show_tpm_totp_hotp_options_menu()
 
 prompt_totp_mismatch()
 {
+  TRACE "Under /bin/gui-init:prompt_totp_mismatch"
   if (whiptail $BG_COLOR_WARNING --title "TOTP/HOTP code mismatched" \
     --yesno "TOTP/HOTP code mismatches could indicate either TPM tampering or clock drift:\n\nTo correct clock drift: 'date -s yyyy-MM-DD hh:mm:ss' in UTC timezone\nand save it to the RTC: 'hwclock -w'\nthen reboot and try again.\n\nWould you like to exit to a recovery console?" 0 80) then
     echo ""
@@ -493,6 +506,7 @@ prompt_totp_mismatch()
 
 reset_tpm()
 {
+  TRACE "Under /bin/gui-init:reset_tpm"
   if [ "$CONFIG_TPM" = "y" ]; then
     if (whiptail $BG_COLOR_WARNING --title 'Reset the TPM' \
         --yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 0 80) then
@@ -526,6 +540,7 @@ reset_tpm()
 
 show_system_info()
 {
+  TRACE "Under /bin/gui-init:show_system_info"
   battery_charge="$(print_battery_charge)"
   battery_health="$(print_battery_health)"
   if [ -n $battery_charge -a -n $battery_health ];then
@@ -543,6 +558,7 @@ show_system_info()
 
 select_os_boot_option()
 {
+  TRACE "Under /bin/gui-init:select_os_boot_option"
   mount_boot
   if verify_global_hashes ; then
     kexec-select-boot -m -b /boot -c "grub.cfg" -g
@@ -551,6 +567,7 @@ select_os_boot_option()
 
 attempt_default_boot()
 {
+  TRACE "Under /bin/gui-init:attempt_default_boot"
   mount_boot
 
   if ! verify_global_hashes; then
@@ -568,6 +585,7 @@ attempt_default_boot()
 
 force_unsafe_boot()
 {
+  TRACE "Under /bin/gui-init:force_unsafe_boot"
   # Run the menu selection in "force" mode, bypassing hash checks
   if (whiptail $BG_COLOR_WARNING --title 'Unsafe Forced Boot Selected!' \
       --yesno "WARNING: You have chosen to skip all tamper checks and boot anyway.\n\nThis is an unsafe option!\n\nDo you want to proceed?" 0 80) then
@@ -576,6 +594,7 @@ force_unsafe_boot()
 }
 
 # gui-init start
+TRACE "Under /bin/gui-init, start"
 
 # Use stored HOTP key branding
 if [ -r /boot/kexec_hotp_key ]; then
@@ -604,11 +623,12 @@ check_gpg_key
 update_totp
 update_hotp
 
-if [[ "$HOTP" = "Success" && $CONFIG_AUTO_BOOT_TIMEOUT ]]; then
+if [ "$HOTP" = "Success" -a -n "$CONFIG_AUTO_BOOT_TIMEOUT" ]; then
   prompt_auto_default_boot
 fi
 
 while true; do
+  TRACE "Under gui-init:while true loop"
   skip_to_menu="false"
   show_main_menu
 done

initrd/bin/kexec-boot

@@ -4,6 +4,8 @@ set -e -o pipefail
 . /tmp/config
 . /etc/functions
 
+TRACE "Under /bin/kexec-boot"
+
 dryrun="n"
 printfiles="n"
 printinitrd="n"

initrd/bin/kexec-insert-key

@@ -3,6 +3,8 @@
 set -e -o pipefail
 . /etc/functions
 
+TRACE "Under /bin/kexec-insert-key"
+
 TMP_KEY_DEVICES="/tmp/kexec/kexec_key_devices.txt"
 TMP_KEY_LVM="/tmp/kexec/kexec_key_lvm.txt"
 

initrd/bin/kexec-iso-init

@@ -4,6 +4,8 @@ set -e -o pipefail
 . /etc/functions
 . /tmp/config
 
+TRACE "Under /bin/kexec-iso-init"
+
 MOUNTED_ISO_PATH="$1"
 ISO_PATH="$2"
 DEV="$3"

initrd/bin/kexec-parse-bls

@@ -1,5 +1,8 @@
 #!/bin/sh
 set -e -o pipefail
+. /etc/functions
+TRACE "Under /bin/kexec-parse-bls"
+
 bootdir="$1"
 file="$2"
 blsdir="$3"

initrd/bin/kexec-parse-boot

@@ -1,5 +1,9 @@
 #!/bin/sh
 set -e -o pipefail
+. /etc/functions
+
+TRACE "Under /bin/kexec-parse-boot"
+
 bootdir="$1"
 file="$2"
 

initrd/bin/kexec-save-default

@@ -4,6 +4,8 @@ set -e -o pipefail
 . /tmp/config
 . /etc/functions
 
+TRACE "Under /bin/kexec-save-default"
+
 while getopts "b:d:p:i:" arg; do
 	case $arg in
 		b) bootdir="$OPTARG" ;;

initrd/bin/kexec-seal-key

@@ -3,6 +3,7 @@
 # with the current PCRs and then store it in the TPM NVRAM.
 # It will then need to be bundled into initrd that is booted.
 set -e -o pipefail
+. /etc/functions
 
 TPM_INDEX=3
 TPM_SIZE=312

initrd/bin/kexec-select-boot

@@ -4,6 +4,8 @@ set -e -o pipefail
 . /tmp/config
 . /etc/functions
 
+TRACE "Under /bin/kexec-select-boot"
+
 add=""
 remove=""
 config="*.cfg"

initrd/bin/kexec-sign-config

@@ -4,6 +4,8 @@ set -e -o pipefail
 . /tmp/config
 . /etc/functions
 
+TRACE "Under /bin/kexec-sign-config"
+
 rollback="n"
 update="n"
 while getopts "p:c:ur" arg; do

initrd/bin/kexec-unseal-key

@@ -3,6 +3,7 @@
 # The TOTP secret will be shown to the user on each encryption attempt.
 # It will then need to be bundled into initrd that is booted with Qubes.
 set -e -o pipefail
+. /etc/functions
 
 TPM_INDEX=3
 TPM_SIZE=312

initrd/bin/key-init

@@ -2,6 +2,8 @@
 set -e -o pipefail
 . /etc/functions
 
+TRACE "Under /bin/key-init"
+
 # Post processing of keys
 
 # Import user's keys