WiP: Staging commit to facilitate review, will squash into previous c…
…ommits once confirmed good
tlaurion committed Aug 31, 2023
1 parent 03d8f93 commit 64ad01f
Showing 6 changed files with 157 additions and 169 deletions.
2 changes: 1 addition & 1 deletion initrd/bin/gui-init
Expand Up @@ -174,7 +174,7 @@ generate_totp_hotp()
printf "\033c"
else
warn "Unsealing TOTP/HOTP secret from previous sealed measurements failed"
warn "Try "Generate new HOTP/TOTP secret" option if you updated firmware content"
warn 'Try "Generate new HOTP/TOTP secret" option if you updated firmware content'
fi
}

19 changes: 9 additions & 10 deletions initrd/bin/kexec-save-default
Expand Up @@ -38,7 +38,6 @@ PRIMHASH_FILE="$paramsdir/kexec_primhdl_hash.txt"
KEY_DEVICES="$paramsdir/kexec_key_devices.txt"
KEY_LVM="$paramsdir/kexec_key_lvm.txt"


lvm_suggest=$(lvm vgscan | awk -F '"' {'print $1'} | tail -n +2)
num_lvm=$(echo "$lvm_suggest" | wc -l)
if [ "$num_lvm" -eq 1 ] && [ -n "$lvm_suggest" ]; then
Expand All @@ -50,8 +49,7 @@ DEBUG "LVM num_lvm: $num_lvm, lvm_suggest: $lvm_suggest"

# get all LUKS container devices
devices_suggest=$(blkid | cut -d ':' -f 1 | while read device; do
cryptsetup isLuks "$device"
if [ $(echo $?) == 0 ]; then echo "$device"; fi
if cryptsetup isLuks "$device"; then echo "$device"; fi
done | sort)
num_devices=$(echo "$devices_suggest" | wc -l)

Expand Down Expand Up @@ -79,9 +77,9 @@ fi
save_key="n"
if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [ "$CONFIG_BASIC" != y ]; then
DEBUG "TPM is enabled and TPM_NO_LUKS_DISK_UNLOCK is not set"
DEBUG "Checking if a a TPM Disk Unlock Key was previously setuped from $KEY_DEVICES"
DEBUG "Checking if a a TPM Disk Unlock Key was previously set up from $KEY_DEVICES"
if [ ! -r "$KEY_DEVICES" ]; then
DEBUG "No previous TPM Disk Unlock Key was setuped for LUKS devices, confirming to add a disk encryption to the TPM"
DEBUG "No previous TPM Disk Unlock Key was set up for LUKS devices, confirming to add a disk encryption to the TPM"
read \
-n 1 \
-p "Do you wish to add a disk encryption to the TPM [y/N]: " \
Expand All @@ -94,7 +92,7 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [
save_key="y"
fi
else
DEBUG "Previous TPM Disk Unlock Key was setuped for LUKS devices"
DEBUG "Previous TPM Disk Unlock Key was set up for LUKS devices"
read \
-n 1 \
-p "Do you want to reseal a disk key to the TPM [y/N]: " \
Expand Down Expand Up @@ -123,7 +121,7 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [

if [ "$save_key" = "y" ]; then
if [ -n "$old_key_devices" ] || [ -n "$old_lvm_volume_group" ]; then
DEBUG "Previous TPM Disk Unlock Key was setuped for LUKS devices $old_key_devices $old_lvm_volume_group"
DEBUG "Previous TPM Disk Unlock Key was set up for LUKS devices $old_key_devices $old_lvm_volume_group"
read \
-n 1 \
-p "Do you want to reuse configured Encrypted LVM groups/Block devices? (Y/n):" \
Expand All @@ -138,10 +136,10 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [
fi
fi
else
DEBUG "No previous TPM Disk Unlock Key was setuped for LUKS devices, setting up new ones"
DEBUG "No previous TPM Disk Unlock Key was set up for LUKS devices, setting up new ones"
if [ "$num_lvm" -gt 1 ]; then
DEBUG "Multiple LVM groups found"
//untested
# TODO: untested codepath. What uses lvm+LUKS on top nowadays?!?
selected_lvmdev_not_existing=1
while [ $selected_lvmdev_not_existing -ne 0 ]; do
{
Expand Down Expand Up @@ -172,7 +170,8 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [
key_devices

result=$(echo "$devices_suggest" | grep -q "$key_devices") || selected_luksdev_not_existing=1
if [ $? == 0 ]; then
#if result is not empty, then the device exists
if [ -n "$result" ]; then
selected_luksdev_not_existing=0
fi
}
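Review bot: The new `if [ -n "$result" ]` test can never be true, because `grep -q` on the preceding line prints nothing, so `$result` is always empty and `selected_luksdev_not_existing` is never reset to 0; assuming the surrounding `while` loop is initialised to 1 like its LVM counterpart earlier in the file, a valid device selection now re-prompts forever, whereas the removed `$?` check (which also always saw 0 after the `||` assignment) at least let the loop exit. The fix is to branch on grep's exit status directly and to make the match exact (`-x -F --`), since the current substring/regex match lets `/dev/sda1` be accepted by the presence of `/dev/sda10` in `$devices_suggest`. The `result` variable can go, as it was always empty; if it is read somewhere after this hunk that use would need revisiting. The enclosing `while` loop and its initialisation start before this hunk.

```shell
# … unchanged: prompt and read of key_devices …
# grep -q prints nothing, so branch on its exit status; -x -F -- makes the match exact
if echo "$devices_suggest" | grep -qxF -- "$key_devices"; then
  selected_luksdev_not_existing=0
else
  selected_luksdev_not_existing=1
fi
```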
2 changes: 1 addition & 1 deletion initrd/bin/kexec-seal-key
Expand Up @@ -53,7 +53,7 @@ echo

read -s -p "New TPM Disk Unlock Key passphrase for booting: " key_password
echo
read -s -p "Repeat TPM Disk Unlock key passphrase for booting: " key_password2
read -s -p "Repeat TPM Disk Unlock Key passphrase for booting: " key_password2
echo

if [ "$key_password" != "$key_password2" ]; then
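Review bot: The rewritten repeat prompt still calls `read` without `-r`, so a backslash typed in the passphrase is consumed as an escape character rather than kept, and the same applies to the first prompt two lines above; the sealed passphrase would then differ from what the user believes they typed, and whether the unlock-time prompt elsewhere applies the same mangling is outside this hunk. Suggest `read -r -s -p "Repeat TPM Disk Unlock Key passphrase for booting: " key_password2` and the matching `-r` on the first prompt. The script continues beyond this hunk.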
6 changes: 3 additions & 3 deletions initrd/bin/kexec-select-boot
Expand Up @@ -56,12 +56,12 @@ if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
sha256sum -c "$PRIMHASH_FILE" \
|| {
echo "FATAL: Hash of TPM2 primary key handle mismatch!";
echo "If you have not intentionally regenerated TPM2 primary key,";
warn "If you have not intentionally regenerated TPM2 primary key,";
warn "your system may have been compromised";
}
else
echo "WARNING: Hash of TPM2 primary key handle does not exist!"
echo "Please rebuild the boot hash tree."
warn "Hash of TPM2 primary key handle does not exist"
warn "Please rebuild the boot hash tree"
default_failed="y"
fi
fi
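Review bot: The hash-mismatch branch still only prints (the `echo "FATAL: ..."` followed by the two new `warn` lines) and then falls out of the `|| { ... }` group, while the sibling "does not exist" branch sets `default_failed="y"`; unless code after this hunk checks for the mismatch separately, a tampered or regenerated TPM2 primary key handle is reported as FATAL but default boot proceeds. Suggest adding `default_failed="y"` as the last statement inside the `|| { ... }` group so both failure modes behave the same way. The enclosing `if [ "$CONFIG_TPM2_TOOLS" = "y" ]` block starts before this hunk.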
