Improve USB dongle detection and refine STATUS/NOTE/INFO logging, fix tpm1 seal issue#2094
Draft
tlaurion wants to merge 3 commits intolinuxboot:masterfrom
Draft
Improve USB dongle detection and refine STATUS/NOTE/INFO logging, fix tpm1 seal issue#2094tlaurion wants to merge 3 commits intolinuxboot:masterfrom
tlaurion wants to merge 3 commits intolinuxboot:masterfrom
Conversation
There was a problem hiding this comment.
Pull request overview
Updates initrd scripts to detect USB security dongle branding earlier and to refine console logging behavior (especially for quiet mode) by shifting messages among STATUS/STATUS_OK/NOTE/WARN and adding more explicit success milestones.
Changes:
- Add an early sysfs-based wait in
detect_usb_security_dongle_branding()to reduce mis-detection beforelsusbis reliable. - Rebalance user-visible logging across multiple initrd scripts (more STATUS/STATUS_OK, convert some INFO→NOTE/WARN, add success confirmations).
- Expand
doc/logging.mdto clarify intended semantics of INFO/NOTE/WARN and console behavior in quiet/info/debug modes.
Reviewed changes
Copilot reviewed 3 out of 15 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| initrd/etc/gui_functions.sh | Adjust integrity report output; add signing-key status messaging. |
| initrd/etc/functions.sh | Add sysfs VID wait loop before lsusb branding detection. |
| initrd/bin/unseal-hotp.sh | Add STATUS/STATUS_OK around TPM unseal of HOTP secret. |
| initrd/bin/tpmr.sh | Change TPM2 unseal failure log level (INFO→WARN). |
| initrd/bin/seal-totp.sh | Promote PCR-read logging to STATUS; show manual secret via NOTE. |
| initrd/bin/seal-hotpkey.sh | Add STATUS/STATUS_OK around writing HOTP secret to dongle. |
| initrd/bin/oem-factory-reset.sh | Add STATUS_OK milestones; adjust guidance output levels; fix TPM reset error handling block structure. |
| initrd/bin/network-init-recovery.sh | Add STATUS_OK milestones for module load, clock sync, and SSH server start. |
| initrd/bin/lock_chip.sh | Add STATUS_OK after chipset lock command. |
| initrd/bin/key-init.sh | Reword ISO key loading messages and add final STATUS_OK. |
| initrd/bin/kexec-seal-key.sh | Add STATUS_OK milestones for key generation, LUKS slot update, PCR reads. |
| initrd/bin/gui-init.sh | Reduce/shift console output in reseal/TOTP/HOTP flows; add HOTP verification status lines. |
| initrd/bin/gpg-gui.sh | Convert INFO instructions to NOTE. |
| initrd/bin/cbfs-init.sh | Adjust SPI read messaging; add STATUS_OK on flash read success. |
| doc/logging.md | Redefine INFO/NOTE positioning and document console styling/sleep/visibility matrix. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
tlaurion
force-pushed
the
detect_usb_security_dongle_branding_early
branch
from
9361484 to
2a485c5
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 15 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
tlaurion
force-pushed
the
detect_usb_security_dongle_branding_early
branch
from
2a485c5 to
5e09ef9
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 3 out of 15 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
tlaurion
force-pushed
the
detect_usb_security_dongle_branding_early
branch
from
5e09ef9 to
c03366b
Compare
tlaurion
changed the title
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 15 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
tlaurion
force-pushed
the
detect_usb_security_dongle_branding_early
branch
from
c03366b to
fee4251
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 16 changed files in this pull request and generated 5 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
tlaurion
changed the title
tlaurion
force-pushed
the
detect_usb_security_dongle_branding_early
branch
from
b8e6c7c to
f76f8a6
Compare
tlaurion
changed the title
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 5 out of 21 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- initrd/etc/functions.sh: Add sysfs polling loop (max 3s) to wait for known dongle VIDs (20a0, 316d, 16d0, 1050) before lsusb branding detection - initrd/etc/gui_functions.sh: Add STATUS_OK for signing key verification when dongle key matches ROM-trusted key in integrity report Signed-off-by: Thierry Laurion <insurgo@riseup.net>
tlaurion
force-pushed
the
detect_usb_security_dongle_branding_early
branch
from
f76f8a6 to
b080f27
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 5 out of 21 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
tlaurion
force-pushed
the
detect_usb_security_dongle_branding_early
branch
from
b080f27 to
2d0487a
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 5 out of 21 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This was referenced May 1, 2026
This was
linked to
issues
May 1, 2026
Collaborator
Author
|
@filipleple this should be part of downstream release |
…ology - doc/logging.md: Complete rewrite with clear INFO/NOTE/WARN guidance, table with sleep/blank-line columns, add measuring_trace.log to Quiet mode table - initrd/bin/cbfs-init.sh: Add STATUS_OK for flash read, streamline messages - initrd/bin/gpg-gui.sh: Change INFO to NOTE for GPG instructions - initrd/bin/gui-init.sh: Remove noisy STATUS pairs, add enable_usb for GPG, add STATUS for HOTP verification - initrd/bin/kexec-insert-key.sh: Improve DUK measuring message - initrd/bin/kexec-seal-key.sh: Add STATUS_OK for key gen, slot update, PCR read - initrd/bin/kexec-select-boot.sh: Fix "unsigned boot options" -> "boot options" - initrd/bin/lock_chip.sh: Add STATUS_OK for chipset lock - initrd/bin/network-init-recovery.sh: Add STATUS_OK for modules, clock, SSH - initrd/bin/oem-factory-reset.sh: Many STATUS_OK additions, INFO->NOTE for guidance - initrd/bin/qubes-measure-luks.sh, uefi-init.sh, usb-init.sh: Improve PCR messages - initrd/bin/seal-hotpkey.sh: Add STATUS/STATUS_OK for HOTP secret write - initrd/bin/seal-totp.sh: Change STATUS to NOTE for TOTP secret - initrd/bin/tpmr.sh: Add STATUS/STATUS_OK, INFO->WARN for unseal, add PCR extend INFO - initrd/bin/unseal-hotp.sh: Add STATUS/STATUS_OK for unseal - initrd/etc/functions.sh: PCR5 regression fix (don't auto-load USB), VID wait loop fixes (sleep 0.1, iteration cap), pcrs() formatting fix - initrd/etc/gui_functions.sh: Remove redundant STATUS_OK, add for signing key verification - initrd/init: echo->STATUS_OK, add measuring_trace.log, fix grammar - initrd/sbin/insmod.sh: Improve PCR extend message Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Collaborator
Author
|
still issues with tpm1 incrementing after reset only on real hardware :( digging |
…eset gate
The tpmtotp C toolkit (counter_create.c, unsealfile.c, sealfile2.c)
prints ALL output — including error messages — via printf() to stdout,
NOT stderr. This fundamental quirk caused multiple failures:
- tpm1_counter_create: success output (counter id+value) was lost,
only stderr was captured; errors were silently missed
- tpm1_seal/nv_writevalue: exit code 2 (index doesn't exist) killed
the script under set -e; errors were missed since stdout was ignored
- tpm1_unseal: "Error PCR mismatch" was printed to stdout and missed
- increment_tpm_counter: stderr was logged but tpmtotp output goes to
stdout, so the counter output could be lost
Changes in tpmr.sh:
- Add comments documenting the tpmtotp stdout quirk
- tpm1_counter_create: capture stdout+stderr (>>file 2>&1), pass
success output through to caller, DEBUG on success/failure
- tpm1_seal: remove while/retry loop; use subshells with set +e to
capture exit codes without triggering set -e; handle exit code 2
(index doesn't exist) alongside "illegal index" output check;
capture stdout+stderr for nv_writevalue and nv_definespace;
rename tmp_err_* to tmp_out_* since we capture both streams;
add at_exit cleanup for secret temp files; add detailed doc block
- tpm1_unseal: use subshell with set +e to capture unseal result;
redirect stdout+stderr to temp file for error detection; use
at_exit cleanup_shred for TMP_UNSEAL_OUT; unify pass/no-pass paths
with if/else instead of duplicate error handling
Changes in functions.sh:
- check_tpm_counter: on counter_create failure, call
set_tpm_reset_required to signal TPM reset is needed; detect
"out of resources" (TPM 1.2 error 0x15 when counters already
exist from a previous run) and provide a targeted DIE message
directing the user to reset the TPM via the GUI menu
- increment_tpm_counter (TPM1 path): change SINK_LOG stderr redirect
to 2>/dev/null since tpmtotp output goes to stdout, not stderr
Changes in gui-init.sh:
- prompt_update_checksums: after update_checksums fails, check
tpm_reset_required and show "TPM Reset Required" message instead
of generic "Failed to update checksums"
- TOTP failure menu and TPM options menu "Reset the TPM" options:
gate_reseal_with_integrity_report && reset_tpm to
{ gate || tpm_reset_required; } && reset_tpm so that when the
integrity gate fails because TPM reset is required, the reset
still proceeds (the gate was blocking the very operation needed
to fix the TPM state)
Changes in gui_functions.sh:
- investigate_integrity_discrepancies: after prompt_update_checksums
fails and tpm_reset_required is set, return 1 to exit the
investigation loop instead of trapping the user in a loop that
eventually leads to recovery (which wipes /tmp/secret/ markers)
Changes in initrd/init:
- Wrap boot scripts in while true loop to respawn configured
bootscript on DIE calls
Tested on qemu-coreboot-fbwhiptail-tpm1-hotp:
- sealing.log: counter create, TOTP seal, HOTP unseal, counter
increment, DUK seal all succeed
- unsealing.log: TOTP unseal, HOTP unseal, DUK unseal all succeed
Tested on x230-maximized (real TPM 1.2 hardware):
- sealing.log: TPM reset, counter 52088873 created, counter
increment, sign /boot, TOTP seal, DUK reseal — all clean
- unsealing.log: counter preflight, TOTP unseal, GPG verify,
rollback counter check, DUK unseal, kexec boot — full boot clean
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
tlaurion
force-pushed
the
detect_usb_security_dongle_branding_early
branch
from
2d0487a to
90a7fa6
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 7 out of 23 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+196
to
201
| ```bash | ||
| # If the gate failed *because* TPM reset is required (stale counters), | ||
| # proceed to reset_tpm() which clears them and creates a fresh one. | ||
| if { gate_reseal_with_integrity_report || tpm_reset_required; } && reset_tpm; then | ||
|
|
||
| --- |
Comment on lines
+251
to
+275
| #Never DIE in init, respawn Boot Scripts | ||
| while true; do | ||
| if [ -x "$CONFIG_BOOTSCRIPT_NETWORK" ]; then | ||
| echo '***** Network Boot:' $CONFIG_BOOTSCRIPT_NETWORK | ||
| $CONFIG_BOOTSCRIPT_NETWORK | ||
| echo '***** Network Boot Completed:' $CONFIG_BOOTSCRIPT_NETWORK | ||
| # not blocking | ||
| fi | ||
|
|
||
| if [ -x "$CONFIG_BOOTSCRIPT" ]; then | ||
| echo '***** Normal boot:' $CONFIG_BOOTSCRIPT | ||
| if [ -x "$CONFIG_BOOTSCRIPT" ]; then | ||
| echo '***** Normal boot:' $CONFIG_BOOTSCRIPT | ||
|
|
||
| if [ -x /bin/setsid ] && [ -x /bin/agetty ]; then | ||
| for console in $CONFIG_BOOT_EXTRA_TTYS; do | ||
| setsid agetty -aroot -l"$CONFIG_BOOTSCRIPT" "$console" linux & | ||
| done | ||
| fi | ||
| if [ -x /bin/setsid ] && [ -x /bin/agetty ]; then | ||
| for console in $CONFIG_BOOT_EXTRA_TTYS; do | ||
| setsid agetty -aroot -l"$CONFIG_BOOTSCRIPT" "$console" linux & | ||
| done | ||
| fi | ||
|
|
||
| #Setup a control tty so that all terminals outputs correct tty when tty is called | ||
| exec cttyhack "$CONFIG_BOOTSCRIPT" | ||
| else | ||
| # wait for boot via network to occur | ||
| pause_recovery 'Override network boot. Entering recovery shell' | ||
| fi | ||
| #Setup a control tty so that all terminals outputs correct tty when tty is called | ||
| exec cttyhack "$CONFIG_BOOTSCRIPT" | ||
| else | ||
| # wait for boot via network to occur | ||
| pause_recovery 'Override network boot. Entering recovery shell' | ||
| fi | ||
| done |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary:
Three improvements for Heads initrd:
Key Changes:
TPM1 non-HOTP variant, normal boot (quiet mode)
TPM2 HOTP variant, normal boot (quiet mode)
TPM2 HOTP variant, normal boot (quiet mode) recovery shell access
TPM2 HOTP variant, normal boot (quiet mode), less on advertised /tmp/measuring_trace.log
Tested