Addressing review and fix TPM counter file bugs

Signed-off-by: Thierry Laurion <[email protected]>

Author: tlaurion

initrd/.bash_history

@@ -5,9 +5,9 @@ find /boot/kexec*.txt | gpg --verify /boot/kexec.sig -
 #remove invalid kexec_* signed files
 mount /dev/sda1 /boot && mount -o remount,rw /boot && rm /boot/kexec* && mount -o remount,ro /boot
 #Generate keys on OpenPGP smartcard: 
-mount-usb && gpg --home=/.gnupg/ --card-edit
+mount-usb --mode rw && gpg --home=/.gnupg/ --card-edit
 #Copy generated public key, private_subkey, trustdb and artifacts to external media for backup: 
-mount -o remount,rw /media && mkdir -p /media/gpg_keys; gpg --export-secret-keys --armor [email protected] > /media/gpg_keys/private.key && gpg --export --armor [email protected]  > /media/gpg_keys/public.key && gpg --export-ownertrust > /media/gpg_keys/otrust.txt && cp -r ./.gnupg/* /media/gpg_keys/ 2> /dev/null
+mkdir -p /media/gpg_keys; gpg --export-secret-keys --armor [email protected] > /media/gpg_keys/private.key && gpg --export --armor [email protected]  > /media/gpg_keys/public.key && gpg --export-ownertrust > /media/gpg_keys/otrust.txt && cp -r ./.gnupg/* /media/gpg_keys/ 2> /dev/null
 #Insert public key and trustdb export into reproducible rom:
 cbfs -o /media/coreboot.rom -a "heads/initrd/.gnupg/keys/public.key" -f /media/gpg_keys/public.key && cbfs -o /media/coreboot.rom -a "heads/initrd/.gnupg/keys/otrust.txt" -f /media/gpg_keys/otrust.txt
 #Flush changes to external media: 

initrd/bin/gui-init

@@ -270,9 +270,9 @@ update_hotp() {
 	fi
 
 	if [[ "$HOTP" = "Invalid code" ]]; then
-		#TODO: we shouldn't propose to generate a new secret if there is no /boot/kexec_hotp_counter
-		# as this passed tpm unseal, so the secret is correct: we should propose to reset TPM instead
-		#  Otherwise, tpm_counter is also inexistent: The OS was most probably reinstalled wihile TPM can still unseal the secret
+		#Do not propose to generate a new secret if there is no /boot/kexec_hotp_counter
+		# tpm unseal succeeded: so the sealed secret is correct: we should propose to reset TPM if not already
+		#  Here: the OS was most probably reinstalled since TPM can still unseal the secret
 		whiptail_error --title "ERROR: HOTP Validation Failed!" \
 			--menu "ERROR: $CONFIG_BRAND_NAME couldn't validate the HOTP code.\n\nIf you just reflashed your BIOS, you should generate a new TOTP/HOTP secret.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 0 80 4 \
 			'g' ' Generate new TOTP/HOTP secret' \

initrd/bin/kexec-save-default

@@ -8,10 +8,10 @@ TRACE_FUNC
 
 while getopts "b:d:p:i:" arg; do
 	case $arg in
-	b) bootdir="$OPTARG" ;;
-	d) paramsdev="$OPTARG" ;;
-	p) paramsdir="$OPTARG" ;;
-	i) index="$OPTARG" ;;
+		b) bootdir="$OPTARG" ;;
+		d) paramsdev="$OPTARG" ;;
+		p) paramsdir="$OPTARG" ;;
+		i) index="$OPTARG" ;;
 	esac
 done
 

initrd/bin/kexec-select-boot

@@ -20,25 +20,25 @@ force_boot="n"
 skip_confirm="n"
 while getopts "b:d:p:a:r:c:uimgfs" arg; do
 	case $arg in
-	b) bootdir="$OPTARG" ;;
-	d) paramsdev="$OPTARG" ;;
-	p) paramsdir="$OPTARG" ;;
-	a) add="$OPTARG" ;;
-	r) remove="$OPTARG" ;;
-	c) config="$OPTARG" ;;
-	u) unique="y" ;;
-	m) force_menu="y" ;;
-	i)
-		valid_hash="y"
-		valid_rollback="y"
-		;;
-	g) gui_menu="y" ;;
-	f)
-		force_boot="y"
-		valid_hash="y"
-		valid_rollback="y"
-		;;
-	s) skip_confirm="y" ;;
+		b) bootdir="$OPTARG" ;;
+		d) paramsdev="$OPTARG" ;;
+		p) paramsdir="$OPTARG" ;;
+		a) add="$OPTARG" ;;
+		r) remove="$OPTARG" ;;
+		c) config="$OPTARG" ;;
+		u) unique="y" ;;
+		m) force_menu="y" ;;
+		i)
+			valid_hash="y"
+			valid_rollback="y"
+			;;
+		g) gui_menu="y" ;;
+		f)
+			force_boot="y"
+			valid_hash="y"
+			valid_rollback="y"
+			;;
+		s) skip_confirm="y" ;;
 	esac
 done
 

initrd/bin/kexec-sign-config

@@ -1,5 +1,4 @@
 #!/bin/bash
-# filepath: /home/user/heads/initrd/bin/kexec-sign-config
 # Sign a valid directory of kexec params
 set -e -o pipefail
 . /tmp/config
@@ -10,19 +9,19 @@ TRACE_FUNC
 rollback="n"
 update="n"
 while getopts "p:c:ur" arg; do
-    case $arg in
-    p) paramsdir="$OPTARG" ;;
-    c)
-        counter="$OPTARG"
-        rollback="y"
-        ;;
-    u) update="y" ;;
-    r) rollback="y" ;;
-    esac
+	case $arg in
+	p) paramsdir="$OPTARG" ;;
+	c)
+		counter="$OPTARG"
+		rollback="y"
+		;;
+	u) update="y" ;;
+	r) rollback="y" ;;
+	esac
 done
 
 if [ -z "$paramsdir" ]; then
-    die "Usage: $0 -p /boot [ -u | -c counter ]"
+	die "Usage: $0 -p /boot [ -u | -c counter ]"
 fi
 
 paramsdir="${paramsdir%%/}"
@@ -40,96 +39,102 @@ DEBUG "Signing kexec parameters in $paramsdir, rollback=$rollback, update=$updat
 
 # update hashes in /boot before signing
 if [ "$update" = "y" ]; then
-    (
-        TRACE_FUNC
-        DEBUG "update=y: Updating kexec hashes in /boot"
-        cd /boot
-        find ./ -type f ! -path './kexec*' -print0 | xargs -0 sha256sum >/boot/kexec_hashes.txt
-        if [ -e /boot/kexec_default_hashes.txt ]; then
-            DEBUG "/boot/kexec_default_hashes.txt exists, updating /boot/kexec_default_hashes.txt"
-            DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ')
-            echo $DEFAULT_FILES | xargs sha256sum >/boot/kexec_default_hashes.txt
-        fi
-
-        #also save the file & directory structure to detect added files
-        print_tree >/boot/kexec_tree.txt
-        TRACE_FUNC
-    )
-    [ $? -eq 0 ] || die "$paramsdir: Failed to update hashes."
-
-    # Remove any package trigger log files
-    # We don't need them after the user decides to sign
-    rm -f /boot/kexec_package_trigger*
+	(
+		TRACE_FUNC
+		DEBUG "update=y: Updating kexec hashes in /boot"
+		cd /boot
+		find ./ -type f ! -path './kexec*' -print0 | xargs -0 sha256sum >/boot/kexec_hashes.txt
+		if [ -e /boot/kexec_default_hashes.txt ]; then
+			DEBUG "/boot/kexec_default_hashes.txt exists, updating /boot/kexec_default_hashes.txt"
+			DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ')
+			echo $DEFAULT_FILES | xargs sha256sum >/boot/kexec_default_hashes.txt
+		fi
+
+		#also save the file & directory structure to detect added files
+		print_tree >/boot/kexec_tree.txt
+		TRACE_FUNC
+	)
+	[ $? -eq 0 ] || die "$paramsdir: Failed to update hashes."
+
+	# Remove any package trigger log files
+	# We don't need them after the user decides to sign
+	rm -f /boot/kexec_package_trigger*
 fi
 
 if [ "$rollback" = "y" ]; then
-
-    # this script was called with -c $OPTARG (counter=$OPTARG) or -r (rollback=y)
-    DEBUG "rollback=y, counter=$counter, paramsdir=$paramsdir"
-    TRACE_FUNC
-
-    rollback_file="$paramsdir/kexec_rollback.txt"
-
-    if [ -n "$counter" ]; then
-        DEBUG "rollback=y: counter=$counter, will read tpm counter next"
-        TRACE_FUNC
-
-        # use existing tpm counter
-        DO_WITH_DEBUG read_tpm_counter $counter >/dev/null 2>&1 ||
-            die "$paramsdir: Unable to read tpm counter '$counter'"
-    else
-        DEBUG "rollback=y: counter is empty: checking for existing TPM counter"
-        TRACE_FUNC
-
-        if [ ! -e $rollback_file ]; then
-            DEBUG "Rollback file $rollback_file does not exist. Creating new TPM counter."
-            DO_WITH_DEBUG check_tpm_counter $rollback_file ||
-                die "$paramsdir: Unable to find/create tpm counter"
-
-            TRACE_FUNC
-            DEBUG "rollback=y: checked for existing counter under $rollback_file, found TPM_COUNTER=$TPM_COUNTER"
-            # we checked for existing counter and didn't die; increment it
-            DEBUG "rollback=y: Incrementing counter:$TPM_COUNTER."
-
-            DO_WITH_DEBUG increment_tpm_counter $counter >/dev/null 2>&1 ||
-                die "$paramsdir: Unable to increment tpm counter"
-            TRACE_FUNC
-            DEBUG "rollback=y: Incremented counter $counter"
-        else
-            die "$paramsdir: No rollback file existing. Please reset TPM through the Heads menu: Options -> TPM/TOTP/HOTP Options -> Reset the TPM"
-        fi
-    fi
-
-    # Ensure the TPM counter file exists
-    DEBUG "Checking if TPM counter file '/tmp/counter-$counter exists."
-    if [ ! -e "/tmp/counter-$counter" ]; then
-        die "$paramsdir: TPM counter file '/tmp/counter-$counter' not found after incrementing."
-    fi
-
-    # Create the rollback file
-    sha256sum /tmp/counter-$counter >$rollback_file ||
-        die "$paramsdir: Unable to create rollback file"
+	rollback_file="$paramsdir/kexec_rollback.txt"
+
+	DEBUG "rollback=y, counter=$counter, paramsdir=$paramsdir, rollback_file=$rollback_file"
+	TRACE_FUNC
+
+	if [ -n "$counter" ]; then
+		DEBUG "rollback=y: provided counter=$counter, will read tpm counter next"
+		TRACE_FUNC
+
+		# use existing tpm counter
+		DO_WITH_DEBUG read_tpm_counter "$counter" >/dev/null 2>&1 ||
+			die "$paramsdir: Unable to read tpm counter '$counter'"
+	else
+		DEBUG "rollback=y: counter was not provided: checking for existing TPM counter from TPM rollback_file=$rollback_file"
+		TRACE_FUNC
+
+		if [ -e "$rollback_file" ]; then
+			# Extract TPM_COUNTER from rollback file
+			TPM_COUNTER=$(grep -o 'counter-[0-9a-f]*' "$rollback_file" | cut -d- -f2)
+			DEBUG "rollback=y: Found TPM counter $TPM_COUNTER in rollback file $rollback_file"
+		else
+			DEBUG "Rollback file $rollback_file does not exist. Creating new TPM counter."
+			DO_WITH_DEBUG check_tpm_counter $rollback_file ||
+				die "$paramsdir: Unable to find/create tpm counter"
+
+			TRACE_FUNC
+			TPM_COUNTER=$(cut -d: -f1 </tmp/counter)
+			DEBUG "rollback=y: Created new TPM counter $TPM_COUNTER"
+		fi
+	fi
+
+	TRACE_FUNC
+
+	# Increment the TPM counter
+	DEBUG "rollback=y: Incrementing counter $TPM_COUNTER."
+	DO_WITH_DEBUG increment_tpm_counter $TPM_COUNTER >/dev/null 2>&1 ||
+		die "$paramsdir: Unable to increment tpm counter"
+
+	# Ensure the incremented counter file exists
+	incremented_counter_file="/tmp/counter-$TPM_COUNTER"
+	if [ ! -e "$incremented_counter_file" ]; then
+		DEBUG "TPM counter file '$incremented_counter_file' not found. Attempting to read it again."
+		DO_WITH_DEBUG read_tpm_counter "$TPM_COUNTER" >/dev/null 2>&1 ||
+			die "$paramsdir: TPM counter file '$incremented_counter_file' not found after incrementing."
+	fi
+
+	DEBUG "TPM counter file '$incremented_counter_file' found."
+
+	# Create the rollback file
+	sha256sum "$incremented_counter_file" >$rollback_file ||
+		die "$paramsdir: Unable to create rollback file"
 fi
 
+TRACE_FUNC
 param_files=$(find $paramsdir/kexec*.txt)
 if [ -z "$param_files" ]; then
-    die "$paramsdir: No kexec parameter files to sign"
+	die "$paramsdir: No kexec parameter files to sign"
 fi
 
 for tries in 1 2 3; do
-    if DO_WITH_DEBUG sha256sum $param_files | gpg \
-        --detach-sign \
-        -a \
-        >$paramsdir/kexec.sig \
-        ; then
-        # successful - update the validated params
-        check_config $paramsdir
-
-        # remount /boot as ro
-        mount -o remount,ro /boot
-
-        exit 0
-    fi
+	if DO_WITH_DEBUG sha256sum $param_files | gpg \
+		--detach-sign \
+		-a \
+		>$paramsdir/kexec.sig \
+		; then
+		# successful - update the validated params
+		check_config $paramsdir
+
+		# remount /boot as ro
+		mount -o remount,ro /boot
+
+		exit 0
+	fi
 done
 
 # remount /boot as ro

initrd/bin/key-init

@@ -10,19 +10,19 @@ TRACE_FUNC
 # Good system clock is required for GPG to work properly.
 # if system year is less then 2024, prompt user to set correct time
 if [ "$(date +%Y)" -lt 2024 ]; then
-    if whiptail_warning --title "System Time Incorrect" \
-        --yesno "The system time is incorrect. Please set the correct time." \
-        0 80 --yes-button Continue --no-button Skip --clear; then
-        change-time.sh
-    fi
+	if whiptail_warning --title "System Time Incorrect" \
+		--yesno "The system time is incorrect. Please set the correct time." \
+		0 80 --yes-button Continue --no-button Skip --clear; then
+		change-time.sh
+	fi
 fi
 
 # Import user's keys if they exist
 if [ -d /.gnupg/keys ]; then
-    # This is legacy location for user's keys. cbfs-init takes for granted that keyring and trustdb are in /.gnupg
-    #  oem-factory-reset generates keyring and trustdb which cbfs-init dumps to /.gnupg
-    # TODO: Remove individual key imports. This is still valid for distro keys only below.
-    gpg --import /.gnupg/keys/*.key  /.gnupg/keys/*.asc 2>/dev/null || warn "Importing user's keys failed"
+	# This is legacy location for user's keys. cbfs-init takes for granted that keyring and trustdb are in /.gnupg
+	#  oem-factory-reset generates keyring and trustdb which cbfs-init dumps to /.gnupg
+	# TODO: Remove individual key imports. This is still valid for distro keys only below.
+	gpg --import /.gnupg/keys/*.key  /.gnupg/keys/*.asc 2>/dev/null || warn "Importing user's keys failed"
 fi
 
 # Import trusted distro keys allowed for ISO signing

initrd/bin/reboot

@@ -5,7 +5,7 @@ TRACE_FUNC
 
 if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then 
 	#Generalize user prompt to continue reboot or go to recovery shell 
-	read -r -n 1 -s -p "Press any key to continue reboot or 'r' to go to recovery shell: " REPLY 
+	read -r -n 1 -s -p "Press Enter to continue reboot or 'r' to go to recovery shell: " REPLY 
 	echo 
 	if [ "$REPLY" = "r" ] || [ "$REPLY" = "R" ]; then 
 		recovery "Reboot call bypassed to go into recovery shell to debug"

initrd/bin/tpmr

@@ -589,7 +589,7 @@ tpm2_unseal() {
 	# can't do anything without a primary handle.
 	if [ ! -f "$PRIMARY_HANDLE_FILE" ]; then
 		DEBUG "tpm2_unseal: No primary handle, cannot attempt to unseal"
-		warn "No TPM primary handle. You must reset TPM to seal secret to TPM NVRAM"
+		warn "No TPM primary handle. You must reset the TPM to seal secret to TPM NVRAM"
 		exit 1
 	fi