codebase: fix console echo needed accordingly to previous read changes

tlaurion · tlaurion · commit 21adb0d67681 · 2025-07-02T17:02:01.000-04:00
Signed-off-by: Thierry Laurion &lt;insurgo@riseup.net&gt;
diff --git a/initrd/bin/kexec-boot b/initrd/bin/kexec-boot
@@ -158,7 +158,7 @@ DO_WITH_DEBUG eval "$kexeccmd" 2>/dev/null \
 
 if [ "$CONFIG_DEBUG_OUTPUT" = "y" ];then
 	#Ask user if they want to continue booting without echoing back the input (-s)
-	read -r -s -n 1 -p "[DEBUG] Continue booting? [Y/n]: " debug_boot_confirm
+	read -s -n 1 -p "[DEBUG] Continue booting? [Y/n]: " debug_boot_confirm
 	echo
 	if [ "${debug_boot_confirm^^}" = N ]; then
 		# abort
diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key
@@ -70,6 +70,7 @@ attempts=0
 # Ask for the DRK passphrase first, before testing any devices
 while [ $attempts -lt 3 ] && [ $luks_drk_passphrase_valid -eq 0 ]; do
 	read -r -s -p $'\nEnter LUKS Disk Recovery Key (DRK) passphrase that can unlock '"$key_devices"': ' disk_recovery_key_passphrase
+	echo
 	echo -n "$disk_recovery_key_passphrase" >"$DISK_RECOVERY_KEY_FILE"
 
 	# Test the passphrase against ALL devices before deciding if it's valid
@@ -103,13 +104,15 @@ MIN_PASSPHRASE_LENGTH=12
 attempts=0
 while [ $attempts -lt 3 ]; do
 	read -r -s -p $'\nNew LUKS TPM Disk Unlock Key (DUK) passphrase for booting (minimum '"$MIN_PASSPHRASE_LENGTH"' characters): ' key_password
+	echo
 	if [ ${#key_password} -lt $MIN_PASSPHRASE_LENGTH ]; then
 		attempts=$((attempts + 1))
 		warn "Disk Unlock Key (DUK) passphrase is too short. Please try again."
 		continue
 	fi
 
 	read -r -s -p $'\nRepeat LUKS TPM Disk Unlock Key (DUK) passphrase for booting: ' key_password2
+	echo
 	if [ "$key_password" != "$key_password2" ]; then
 		attempts=$((attempts + 1))
 		warn "Disk Unlock Key (DUK) passphrases do not match. Please try again."
@@ -123,6 +126,7 @@ if [ $attempts -ge 3 ]; then
 fi
 
 # Generate key file
+echo
 echo "++++++ Generating new randomized 128 bytes key file that will be sealed/unsealed by LUKS TPM Disk Unlock Key passphrase"
 dd \
 	if=/dev/urandom \
diff --git a/initrd/bin/seal-hotpkey b/initrd/bin/seal-hotpkey
@@ -145,10 +145,11 @@ if [ "$admin_pin_status" -ne 0 ]; then
 
 	# prompt user for PIN and retry
 	read -r -s -p $'\nEnter your '"$HOTPKEY_BRANDING $prompt_message"' PIN: ' admin_pin
-
+	echo
 	hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING"
 	if [ $? -ne 0 ]; then
 		read -r -s -p $'\nError setting HOTP secret, re-enter '"$prompt_message"' PIN and try again: ' admin_pin
+		echo
 		if ! hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING"; then
 			# don't leak key on failure
 			shred -n 10 -z -u "$HOTP_SECRET" 2>/dev/null
diff --git a/initrd/etc/functions b/initrd/etc/functions
@@ -142,10 +142,7 @@ confirm_gpg_card() {
 		message="Please confirm that your GPG card is inserted [Y/n]: "
 	fi
 
-	read \
-		-n 1 \
-		-p "$message" \
-		card_confirm
+	read -r -n 1 -p $'\n'"$message" card_confirm
 	echo
 
 	if [ "$card_confirm" != "y" \
@@ -167,10 +164,10 @@ confirm_gpg_card() {
 			shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" >/dev/null 2>&1 || true
 
 			#Prompt user for configured GPG Admin PIN that will be passed along to mount-usb and to import gpg subkeys
-			echo
 			gpg_admin_pin=""
 			while [ -z "$gpg_admin_pin" ]; do
 				read -r -s -p $'\nPlease enter GPG Admin PIN needed to use the GPG backup thumb drive: ' gpg_admin_pin
+				echo
 			done
 			#prompt user to select the proper encrypted partition, which should the first one on next prompt
 			warn "Please select encrypted LUKS on GPG key material backup thumb drive (not public labeled one)"
@@ -789,6 +786,7 @@ prompt_tpm_owner_password() {
 	fi
 
 	read -r -s -p $'\nTPM Owner Password: ' tpm_owner_password
+	echo
 
 	# Cache the password externally to be reused by who needs it
 	DEBUG "Caching TPM Owner Password to /tmp/secret/tpm_owner_password"
@@ -807,14 +805,13 @@ prompt_new_owner_password() {
 	tpm_owner_password2=2
 	while [ "$tpm_owner_password" != "$tpm_owner_password2" ] || [ "${#tpm_owner_password}" -gt 32 ] || [ -z "$tpm_owner_password" ]; do
 		read -r -s -p $'\nNew TPM Owner Password (2 words suggested, 1-32 characters max): ' tpm_owner_password
-
 		read -r -s -p $'\nRepeat chosen TPM Owner Password: ' tpm_owner_password2
-		echo
 
 		if [ "$tpm_owner_password" != "$tpm_owner_password2" ]; then
-			echo "Passphrases entered do not match. Try again!"
 			echo
+			echo "Passphrases entered do not match. Try again!"
 		fi
+		echo
 	done
 
 	# Cache the password externally to be reused by who needs it
