Codebase up to TPM DUK: ident, add DEBUG+TRACE_FUNC, fix HOTP resealing only on OS reinstall, clarify TPM increment workflow

Signed-off-by: Thierry Laurion <[email protected]>

Author: tlaurion

initrd/bin/generic-init

@@ -48,14 +48,14 @@ while true; do
 	if [ "$totp_confirm" = "m" ]; then
 		# Try to select a kernel from the menu
 		mount_boot
-		kexec-select-boot -m -b /boot -c "grub.cfg"
+		DO_WITH_DEBUG kexec-select-boot -m -b /boot -c "grub.cfg"
 		continue
 	fi
 
 	if [ "$totp_confirm" = "y" -o -n "$totp_confirm" ]; then
 		# Try to boot the default
 		mount_boot
-		kexec-select-boot -b /boot -c "grub.cfg" \
+		DO_WITH_DEBUG kexec-select-boot -b /boot -c "grub.cfg" \
 		|| recovery "Failed default boot"
 	fi
 

initrd/bin/gui-init

@@ -183,17 +183,6 @@ update_totp() {
 		TOTP="NO TPM"
 	else
 		TOTP=$(unseal-totp)
-		# On platforms using CONFIG_BOOT_EXTRA_TTYS multiple processes may try to
-		# access TPM at the same time, failing with EBUSY. The order of execution
-		# is unpredictable, so the error may appear on main console, secondary one,
-		# or neither of them if the calls are sufficiently staggered. Try up to
-		# three times (including previous one) with small delays in case of error,
-		# instead of immediately scaring users with "you've been pwned" message.
-		while [ $? -ne 0 ] && [ $tries -lt 2 ]; do
-			sleep 0.5
-			((tries++))
-			TOTP=$(unseal-totp)
-		done
 		if [ $? -ne 0 ]; then
 			BG_COLOR_MAIN_MENU="error"
 			if [ "$skip_to_menu" = "true" ]; then
@@ -280,7 +269,10 @@ update_hotp() {
 		HOTP='N/A'
 	fi
 
-	if [[ "$CONFIG_TPM" = n && "$HOTP" = "Invalid code" ]]; then
+	if [[ "$HOTP" = "Invalid code" ]]; then
+		#TODO: we shouldn't propose to generate a new secret if there is no /boot/kexec_hotp_counter
+		# as this passed tpm unseal, so the secret is correct: we should propose to reset TPM instead
+		#  Otherwise, tpm_counter is also inexistent: The OS was most probably reinstalled wihile TPM can still unseal the secret
 		whiptail_error --title "ERROR: HOTP Validation Failed!" \
 			--menu "ERROR: $CONFIG_BRAND_NAME couldn't validate the HOTP code.\n\nIf you just reflashed your BIOS, you should generate a new TOTP/HOTP secret.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 0 80 4 \
 			'g' ' Generate new TOTP/HOTP secret' \
@@ -553,21 +545,30 @@ reset_tpm() {
 			mount -o rw,remount /boot
 			#TODO: this is really problematic, we should really remove the primary handle hash
 
-			INFO "Removing rollback and primary handle hash under /boot"
+			INFO "Removing rollback and primary handle hashes under /boot"
+
+			DEBUG "Removing /boot/kexec_rollback.txt and /boot/kexec_primhdl_hash.txt"
 			rm -f /boot/kexec_rollback.txt
 			rm -f /boot/kexec_primhdl_hash.txt
 
 			# create Heads TPM counter before any others
 			check_tpm_counter /boot/kexec_rollback.txt "" "$tpm_owner_password" ||
 				die "Unable to find/create tpm counter"
-			counter="$TPM_COUNTER"
 
-			increment_tpm_counter $counter >/dev/null 2>&1 ||
+			TRACE_FUNC
+
+			TPM_COUNTER=$(cut -d: -f1 </tmp/counter)
+			DEBUG "TPM_COUNTER: $TPM_COUNTER"
+			#TODO was counter supposed to be empty and that was ok?!?!?!
+
+			DO_WITH_DEBUG increment_tpm_counter $TPM_COUNTER>/dev/null 2>&1 ||
 				die "Unable to increment tpm counter"
 
-			sha256sum /tmp/counter-$counter >/boot/kexec_rollback.txt ||
+			#TODO: should this be here?
+			DO_WITH_DEBUG sha256sum /tmp/counter-$TPM_COUNTER >/boot/kexec_rollback.txt ||
 				die "Unable to create rollback file"
 
+			TRACE_FUNC
 			# As a countermeasure for existing primary handle hash, we will now force sign /boot without it
 			if (whiptail --title 'TPM Reset Successfully' \
 				--yesno "Would you like to update the checksums and sign all of the files in /boot?\n\nYou will need your GPG key to continue and this will modify your disk.\n\nOtherwise the system will reboot immediately." 0 80); then
@@ -593,7 +594,7 @@ select_os_boot_option() {
 	TRACE_FUNC
 	mount_boot
 	if verify_global_hashes; then
-		kexec-select-boot -m -b /boot -c "grub.cfg" -g
+		DO_WITH_DEBUG kexec-select-boot -m -b /boot -c "grub.cfg" -g
 	fi
 }
 
@@ -606,11 +607,13 @@ attempt_default_boot() {
 	fi
 	DEFAULT_FILE=$(find /boot/kexec_default.*.txt 2>/dev/null | head -1)
 	if [ -r "$DEFAULT_FILE" ]; then
-		kexec-select-boot -b /boot -c "grub.cfg" -g ||
+		TRACE_FUNC
+		DO_WITH_DEBUG kexec-select-boot -b /boot -c "grub.cfg" -g ||
 			recovery "Failed default boot"
 	elif (whiptail_warning --title 'No Default Boot Option Configured' \
 		--yesno "There is no default boot option configured yet.\nWould you like to load a menu of boot options?\nOtherwise you will return to the main menu." 0 80); then
-		kexec-select-boot -m -b /boot -c "grub.cfg" -g
+		TRACE_FUNC
+		DO_WITH_DEBUG kexec-select-boot -m -b /boot -c "grub.cfg" -g
 	fi
 }
 

initrd/bin/gui-init-basic

@@ -159,7 +159,7 @@ select_os_boot_option()
 {
   TRACE_FUNC
   mount_boot
-  kexec-select-boot -m -b /boot -c "grub.cfg" -g -i
+  DO_WITH_DEBUG kexec-select-boot -m -b /boot -c "grub.cfg" -g -i
 }
 
 attempt_default_boot()
@@ -174,11 +174,11 @@ attempt_default_boot()
   if [ "$CONFIG_BASIC_NO_AUTOMATIC_DEFAULT" != "y" ]; then
     basic-autoboot.sh
   elif [ -r "$DEFAULT_FILE" ]; then
-    kexec-select-boot -b /boot -c "grub.cfg" -g -i -s \
+    DO_WITH_DEBUG kexec-select-boot -b /boot -c "grub.cfg" -g -i -s \
     || recovery "Failed default boot"
   elif (whiptail_warning --title 'No Default Boot Option Configured' \
         --yesno "There is no default boot option configured yet.\nWould you like to load a menu of boot options?\nOtherwise you will return to the main menu." 0 80) then
-    kexec-select-boot -m -b /boot -c "grub.cfg" -g -i
+    DO_WITH_DEBUG kexec-select-boot -m -b /boot -c "grub.cfg" -g -i
   fi
 }
 

initrd/bin/kexec-save-default

@@ -354,7 +354,7 @@ if [ "$CONFIG_TPM" = "y" ]; then
 	fi
 fi
 if [ "$CONFIG_BASIC" != "y" ]; then
-	kexec-sign-config -p $paramsdir $extparam ||
+	DO_WITH_DEBUG kexec-sign-config -p $paramsdir $extparam ||
 		die "Failed to sign default config"
 fi
 # switch back to ro mode

initrd/bin/kexec-save-key

@@ -77,10 +77,11 @@ kexec-seal-key $paramsdir ||
 if [ "$skip_sign" != "y" ]; then
 	extparam=
 	if [ "$CONFIG_IGNORE_ROLLBACK" != "y" ]; then
+		DEBUG "kexec-save-key: CONFIG_IGNORE_ROLLBACK is not set, will sign with -r"
 		extparam=-r
 	fi
 	# sign and auto-roll config counter
-	kexec-sign-config -p $paramsdir $extparam ||
+	DO_WITH_DEBUG kexec-sign-config -p $paramsdir $extparam ||
 		die "Failed to sign updated config"
 fi
 

initrd/bin/kexec-select-boot

@@ -120,14 +120,14 @@ verify_rollback_counter() {
 	TPM_COUNTER=$(grep counter $TMP_ROLLBACK_FILE | cut -d- -f2)
 
 	if [ -z "$TPM_COUNTER" ]; then
-		die "$TMP_ROLLBACK_FILE: TPM counter not found?"
+		die "$TMP_ROLLBACK_FILE: TPM counter not found. Please reset TPM through the Heads menu: Options -> TPM/TOTP/HOTP Options -> Reset the TPM"
 	fi
 
 	read_tpm_counter $TPM_COUNTER >/dev/null 2>&1 ||
-		die "Failed to read TPM counter"
+		die "Failed to read TPM counter. Please reset TPM through the Heads menu: Options -> TPM/TOTP/HOTP Options -> Reset the TPM"
 
 	sha256sum -c $TMP_ROLLBACK_FILE >/dev/null 2>&1 ||
-		die "Invalid TPM counter state. TPM Reset required"
+		die "Invalid TPM counter state. Please reset TPM through the Heads menu: Options -> TPM/TOTP/HOTP Options -> Reset the TPM"
 
 	valid_rollback="y"
 }
@@ -361,9 +361,9 @@ do_boot() {
 
 while true; do
 	if [ "$force_boot" = "y" -o "$CONFIG_BASIC" = "y" ]; then
-		check_config $paramsdir force
+		DO_WITH_DEBUG check_config $paramsdir force
 	else
-		check_config $paramsdir
+		DO_WITH_DEBUG check_config $paramsdir
 	fi
 	TMP_DEFAULT_FILE=$(find /tmp/kexec/kexec_default.*.txt 2>/dev/null | head -1) || true
 	TMP_MENU_FILE="/tmp/kexec/kexec_menu.txt"

initrd/bin/kexec-sign-config

@@ -1,4 +1,5 @@
 #!/bin/bash
+# filepath: /home/user/heads/initrd/bin/kexec-sign-config
 # Sign a valid directory of kexec params
 set -e -o pipefail
 . /tmp/config
@@ -9,90 +10,126 @@ TRACE_FUNC
 rollback="n"
 update="n"
 while getopts "p:c:ur" arg; do
-	case $arg in
-	p) paramsdir="$OPTARG" ;;
-	c)
-		counter="$OPTARG"
-		rollback="y"
-		;;
-	u) update="y" ;;
-	r) rollback="y" ;;
-	esac
+    case $arg in
+    p) paramsdir="$OPTARG" ;;
+    c)
+        counter="$OPTARG"
+        rollback="y"
+        ;;
+    u) update="y" ;;
+    r) rollback="y" ;;
+    esac
 done
 
 if [ -z "$paramsdir" ]; then
-	die "Usage: $0 -p /boot [ -u | -c counter ]"
+    die "Usage: $0 -p /boot [ -u | -c counter ]"
 fi
 
 paramsdir="${paramsdir%%/}"
 
 assert_signable
+TRACE_FUNC
 
 confirm_gpg_card
+TRACE_FUNC
 
 # remount /boot as rw
 mount -o remount,rw /boot
 
+DEBUG "Signing kexec parameters in $paramsdir, rollback=$rollback, update=$update, counter=$counter"
+
 # update hashes in /boot before signing
 if [ "$update" = "y" ]; then
-	(
-		cd /boot
-		find ./ -type f ! -path './kexec*' -print0 | xargs -0 sha256sum >/boot/kexec_hashes.txt
-		if [ -e /boot/kexec_default_hashes.txt ]; then
-			DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ')
-			echo $DEFAULT_FILES | xargs sha256sum >/boot/kexec_default_hashes.txt
-		fi
-
-		#also save the file & directory structure to detect added files
-		print_tree >/boot/kexec_tree.txt
-	)
-	[ $? -eq 0 ] || die "$paramsdir: Failed to update hashes."
-
-	# Remove any package trigger log files
-	# We don't need them after the user decides to sign
-	rm -f /boot/kexec_package_trigger*
+    (
+        TRACE_FUNC
+        DEBUG "update=y: Updating kexec hashes in /boot"
+        cd /boot
+        find ./ -type f ! -path './kexec*' -print0 | xargs -0 sha256sum >/boot/kexec_hashes.txt
+        if [ -e /boot/kexec_default_hashes.txt ]; then
+            DEBUG "/boot/kexec_default_hashes.txt exists, updating /boot/kexec_default_hashes.txt"
+            DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ')
+            echo $DEFAULT_FILES | xargs sha256sum >/boot/kexec_default_hashes.txt
+        fi
+
+        #also save the file & directory structure to detect added files
+        print_tree >/boot/kexec_tree.txt
+        TRACE_FUNC
+    )
+    [ $? -eq 0 ] || die "$paramsdir: Failed to update hashes."
+
+    # Remove any package trigger log files
+    # We don't need them after the user decides to sign
+    rm -f /boot/kexec_package_trigger*
 fi
 
 if [ "$rollback" = "y" ]; then
-	rollback_file="$paramsdir/kexec_rollback.txt"
-
-	if [ -n "$counter" ]; then
-		# use existing counter
-		read_tpm_counter $counter >/dev/null 2>&1 ||
-			die "$paramsdir: Unable to read tpm counter '$counter'"
-	else
-		# increment counter
-		check_tpm_counter $rollback_file >/dev/null 2>&1 ||
-			die "$paramsdir: Unable to find/create tpm counter"
-		counter="$TPM_COUNTER"
-
-		increment_tpm_counter $counter >/dev/null 2>&1 ||
-			die "$paramsdir: Unable to increment tpm counter"
-	fi
-
-	sha256sum /tmp/counter-$counter >$rollback_file ||
-		die "$paramsdir: Unable to create rollback file"
+
+    # this script was called with -c $OPTARG (counter=$OPTARG) or -r (rollback=y)
+    DEBUG "rollback=y, counter=$counter, paramsdir=$paramsdir"
+    TRACE_FUNC
+
+    rollback_file="$paramsdir/kexec_rollback.txt"
+
+    if [ -n "$counter" ]; then
+        DEBUG "rollback=y: counter=$counter, will read tpm counter next"
+        TRACE_FUNC
+
+        # use existing tpm counter
+        DO_WITH_DEBUG read_tpm_counter $counter >/dev/null 2>&1 ||
+            die "$paramsdir: Unable to read tpm counter '$counter'"
+    else
+        DEBUG "rollback=y: counter is empty: checking for existing TPM counter"
+        TRACE_FUNC
+
+        if [ ! -e $rollback_file ]; then
+            DEBUG "Rollback file $rollback_file does not exist. Creating new TPM counter."
+            DO_WITH_DEBUG check_tpm_counter $rollback_file ||
+                die "$paramsdir: Unable to find/create tpm counter"
+
+            TRACE_FUNC
+            DEBUG "rollback=y: checked for existing counter under $rollback_file, found TPM_COUNTER=$TPM_COUNTER"
+            # we checked for existing counter and didn't die; increment it
+            DEBUG "rollback=y: Incrementing counter:$TPM_COUNTER."
+
+            DO_WITH_DEBUG increment_tpm_counter $counter >/dev/null 2>&1 ||
+                die "$paramsdir: Unable to increment tpm counter"
+            TRACE_FUNC
+            DEBUG "rollback=y: Incremented counter $counter"
+        else
+            die "$paramsdir: No rollback file existing. Please reset TPM through the Heads menu: Options -> TPM/TOTP/HOTP Options -> Reset the TPM"
+        fi
+    fi
+
+    # Ensure the TPM counter file exists
+    DEBUG "Checking if TPM counter file '/tmp/counter-$counter exists."
+    if [ ! -e "/tmp/counter-$counter" ]; then
+        die "$paramsdir: TPM counter file '/tmp/counter-$counter' not found after incrementing."
+    fi
+
+    # Create the rollback file
+    sha256sum /tmp/counter-$counter >$rollback_file ||
+        die "$paramsdir: Unable to create rollback file"
 fi
 
 param_files=$(find $paramsdir/kexec*.txt)
 if [ -z "$param_files" ]; then
-	die "$paramsdir: No kexec parameter files to sign"
+    die "$paramsdir: No kexec parameter files to sign"
 fi
 
 for tries in 1 2 3; do
-	if sha256sum $param_files | gpg \
-		--detach-sign \
-		-a \
-		>$paramsdir/kexec.sig \
-		; then
-		# successful - update the validated params
-		check_config $paramsdir
-
-		# remount /boot as ro
-		mount -o remount,ro /boot
-
-		exit 0
-	fi
+    if DO_WITH_DEBUG sha256sum $param_files | gpg \
+        --detach-sign \
+        -a \
+        >$paramsdir/kexec.sig \
+        ; then
+        # successful - update the validated params
+        check_config $paramsdir
+
+        # remount /boot as ro
+        mount -o remount,ro /boot
+
+        exit 0
+    fi
 done
 
 # remount /boot as ro