BUGFIX: replace direct calls from LOG to INFO, so that only DO_WITH_D…

…EBUG uses LOG. INFO manages console output to log or console Quiet mode introduced output reduction to console to limit technical info provided to end users. Previous informational output (previous default) now outputs this now considered additional information through INFO() calls, which either outputs to console, or debug.log Only DO_WITH_DEBUG should call LOG directly, so that stderr+stdout output is prepended with LOG into debug.log This fixes previous implementation which called LOG in DO_WITH_DEBUG calls and modified expected output to files, which was observed by @3hhh in output of GRUB entries when selecting boot option. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
linuxboot · Jan 13, 2025 · 930d3e6 · 930d3e6
1 parent 8f7b1c4
commit 930d3e6
Show file tree

Hide file tree

Showing 9 changed files with 112 additions and 108 deletions.
diff --git a/initrd/bin/cbfs-init b/initrd/bin/cbfs-init
@@ -24,12 +24,12 @@ for cbfsname in `echo $cbfsfiles`; do
 	if [ ! -z "$filename" ]; then
 		mkdir -p `dirname $filename` \
 		|| die "$filename: mkdir failed"
-		LOG "Extracting CBFS file $cbfsname into $filename"
+		INFO "Extracting CBFS file $cbfsname into $filename"
 		cbfs -t 50 $CBFS_ARG -r $cbfsname > "$filename" \
 		|| die "$filename: cbfs file read failed"
 		if [ "$CONFIG_TPM" = "y" ]; then
 			TRACE_FUNC
-			LOG "TPM: Extending PCR[$CONFIG_PCR] with filename $filename and then its content"
+			INFO "TPM: Extending PCR[$CONFIG_PCR] with filename $filename and then its content"
 			# Measure both the filename and its content.  This
 			# ensures that renaming files or pivoting file content
 			# will still affect the resulting PCR measurement.

diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init
@@ -553,7 +553,7 @@ reset_tpm() {
 			mount -o rw,remount /boot
 			#TODO: this is really problematic, we should really remove the primary handle hash
 
-			LOG "Removing rollback and primary handle hash under /boot"
+			INFO "Removing rollback and primary handle hash under /boot"
 			rm -f /boot/kexec_rollback.txt
 			rm -f /boot/kexec_primhdl_hash.txt
 

diff --git a/initrd/bin/kexec-insert-key b/initrd/bin/kexec-insert-key
@@ -66,7 +66,7 @@ fi
 
 # Override PCR 4 so that user can't read the key
 TRACE_FUNC
-LOG "TPM: Extending PCR[4] to prevent any future secret unsealing"
+INFO "TPM: Extending PCR[4] to prevent any future secret unsealing"
 tpmr extend -ix 4 -ic generic ||
 	die 'Unable to scramble PCR'
 

diff --git a/initrd/bin/kexec-select-boot b/initrd/bin/kexec-select-boot
@@ -82,10 +82,10 @@ if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
 fi
 
 verify_global_hashes() {
-	LOG "+++ Checking verified boot hash file "
+	INFO "+++ Checking verified boot hash file "
 	# Check the hashes of all the files
 	if verify_checksums "$bootdir" "$gui_menu"; then
-		LOG "+++ Verified boot hashes "
+		INFO "+++ Verified boot hashes "
 		valid_hash='y'
 		valid_global_hash='y'
 	else
@@ -208,7 +208,7 @@ parse_option() {
 }
 
 scan_options() {
-	LOG "+++ Scanning for unsigned boot options"
+	INFO "+++ Scanning for unsigned boot options"
 	option_file="/tmp/kexec_options.txt"
 	scan_boot_options "$bootdir" "$config" "$option_file"
 	if [ ! -s $option_file ]; then
@@ -272,7 +272,7 @@ default_select() {
 
 	if [ "$CONFIG_BASIC" != "y" ]; then
 		# Enforce that default option hashes are valid
-		LOG "+++ Checking verified default boot hash file "
+		INFO "+++ Checking verified default boot hash file "
 		# Check the hashes of all the files
 		if (cd $bootdir && sha256sum -c "$TMP_DEFAULT_HASH_FILE" >/tmp/hash_output); then
 			echo "+++ Verified default boot hashes "
@@ -390,7 +390,7 @@ while true; do
 		if [ ! -r "$TMP_KEY_DEVICES" ]; then
 			# Extend PCR4 as soon as possible
 			TRACE_FUNC
-			LOG "TPM: Extending PCR[4] to prevent further secret unsealing"
+			INFO "TPM: Extending PCR[4] to prevent further secret unsealing"
 			tpmr extend -ix 4 -ic generic ||
 				die "Failed to extend TPM PCR[4]"
 		fi

diff --git a/initrd/bin/qubes-measure-luks b/initrd/bin/qubes-measure-luks
@@ -20,6 +20,6 @@ DEBUG "Removing /tmp/lukshdr-*"
 rm /tmp/lukshdr-*
 
 TRACE_FUNC
-LOG "TPM: Extending PCR[6] with hash of LUKS headers from /tmp/luksDump.txt"
+INFO "TPM: Extending PCR[6] with hash of LUKS headers from /tmp/luksDump.txt"
 tpmr extend -ix 6 -if /tmp/luksDump.txt ||
 	die "Unable to extend PCR"
diff --git a/initrd/bin/tpmr b/initrd/bin/tpmr
@@ -257,7 +257,7 @@ tpm2_extend() {
 		esac
 	done
 	tpm2 pcrextend "$index:sha256=$hash"
-	LOG $(tpm2 pcrread "sha256:$index" 2>&1)
+	INFO $(tpm2 pcrread "sha256:$index" 2>&1)
 
 	TRACE_FUNC
 	DEBUG "TPM: Extended PCR[$index] with hash $hash"
@@ -614,7 +614,7 @@ tpm2_unseal() {
 	# stderr; capture stderr to log.
 	if ! tpm2 unseal -Q -c "$handle" -p "session:$POLICY_SESSION$UNSEAL_PASS_SUFFIX" \
 		-S "$ENC_SESSION_FILE" >"$file" 2> >(SINK_LOG "tpm2 stderr"); then
-		LOG "Unable to unseal secret from TPM NVRAM"
+		INFO "Unable to unseal secret from TPM NVRAM"
 
 		# should succeed, exit if it doesn't
 		exit 1
@@ -800,7 +800,7 @@ if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
 		fi
 
 		TRACE_FUNC
-		LOG "TPM: Extending PCR[$3] with hash $hash"
+		INFO "TPM: Extending PCR[$3] with hash $hash"
 
 		# Silence stdout/stderr, they're only useful for debugging
 		# and DO_WITH_DEBUG captures them
@@ -845,7 +845,7 @@ calcfuturepcr)
 	;;
 extend)
 	TRACE_FUNC
-	LOG "TPM: Extending PCR[$2] with $4"
+	INFO "TPM: Extending PCR[$2] with $4"
 	tpm2_extend "$@"
 	;;
 counter_read)