Merge remote-tracking branch 'JonathonHall-Purism/introduce_quiet_mode-diceware_STAGING' into JonathonHall-Purism_introduce_quiet_mode-diceware_STAGING

Signed-off-by: Thierry Laurion <insurgo@riseup.net>

Author: tlaurion

initrd/bin/config-gui.sh

@@ -80,12 +80,7 @@ while true; do
 
 		# Debugging option always available
 		dynamic_config_options+=(
-			'Z' " $(get_config_display_action "$CONFIG_DEBUG_OUTPUT") $CONFIG_BRAND_NAME debug and function tracing output"
-		)
-
-		# Quiet option always available
-		dynamic_config_options+=(
-			'Q' " $(get_config_display_action "$CONFIG_QUIET_MODE") $CONFIG_BRAND_NAME quiet mode"
+			'Z' " Configure $CONFIG_BRAND_NAME informational / debug output"
 		)
 
 		[ "$CONFIG_FINALIZE_PLATFORM_LOCKING" = "y" ] && dynamic_config_options+=(
@@ -553,52 +548,34 @@ while true; do
 		fi
 		;;
 	"Z")
-		if [ "$CONFIG_DEBUG_OUTPUT" != "y" ]; then
-			if (whiptail --title 'Enable Debugging and Tracing output?' \
-				--yesno "This will enable DEBUG and TRACE output from scripts.\n\nDo you want to proceed?" 0 80); then
-
-				set_user_config "CONFIG_DEBUG_OUTPUT" "y"
-				set_user_config "CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" "y"
-				#DEBUG+TRACE is incompatible with QUIET mode, turn it off
-				set_user_config "CONFIG_QUIET_MODE" "n"
-
-				whiptail --title 'Config change successful' \
-					--msgbox "Debugging and Tracing output enabled;\nsave the config change and reboot for it to go into effect." 0 80
-			fi
-		else
-			if (whiptail --title 'Disable Enable Debugging and Tracing output?' \
-				--yesno "This will disable DEBUG and TRACE output from scripts.\n\nDo you want to proceed?" 0 80); then
+		unset output_choice
+		whiptail_type $BG_COLOR_MAIN_MENU --title "Informational / Debug Output" \
+			--menu "$CONFIG_BRAND_NAME can display informational or debug output.\n\nChoose the output level:" 0 80 10 \
+			0 'None - Show no extra output' \
+			1 "Info - Show information about operations in $CONFIG_BRAND_NAME" \
+			2 "Debug - Show detailed information suitable for debugging $CONFIG_BRAND_NAME" \
+			2>/tmp/whiptail || recovery "GUI menu failed"
 
+		output_choice=$(cat /tmp/whiptail)
+		case "$output_choice" in
+			0)
 				set_user_config "CONFIG_DEBUG_OUTPUT" "n"
 				set_user_config "CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" "n"
-
-				whiptail --title 'Config change successful' \
-					--msgbox "Debugging and Tracing output disabled;\nsave the config change and reboot for it to go into effect." 0 80
-			fi
-		fi
-		;;
-	"Q")
-		#Quiet mode: turn off/on console technical output
-		if [ "$CONFIG_QUIET_MODE" != "y" ]; then
-			if (whiptail --title 'Enable Quiet mode?' \
-				--yesno "This will enable QUIET mode, which will turn off console technical output.\n\nDo you want to proceed?" 0 80); then
-
 				set_user_config "CONFIG_QUIET_MODE" "y"
-				#DEBUG+TRACE is incompatible with QUIET mode, turn it off
+				;;
+			1)
 				set_user_config "CONFIG_DEBUG_OUTPUT" "n"
 				set_user_config "CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" "n"
-				whiptail --title 'Config change successful' \
-					--msgbox "Quiet mode enabled;\nsave the config change and reboot for it to go into effect." 0 80
-			fi
-		else
-			if (whiptail --title 'Disable Quiet mode?' \
-				--yesno "This will disable QUIET mode, which will turn on console technical output.\n\nDo you want to proceed?" 0 80); then
-
 				set_user_config "CONFIG_QUIET_MODE" "n"
-				whiptail --title 'Config change successful' \
-					--msgbox "Quiet mode disabled;\nsave the config change and reboot for it to go into effect." 0 80
-			fi
-		fi
+				;;
+			2)
+				set_user_config "CONFIG_DEBUG_OUTPUT" "y"
+				set_user_config "CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" "y"
+				set_user_config "CONFIG_QUIET_MODE" "n"
+				;;
+		esac
+		whiptail --title 'Config change successful' \
+			--msgbox "Output level changed.\nSave the config change and reboot for it to go into effect." 0 80
 		;;
 	esac
 done

initrd/bin/seal-totp

@@ -55,10 +55,9 @@ tpmr seal "$TOTP_SECRET" "$TPM_NVRAM_SPACE" 0,1,2,3,4,7 "$pcrf" 312 "" "$TPM_PAS
 shred -n 10 -z -u "$TOTP_SEALED" 2>/dev/null
 
 url="otpauth://totp/$HOST?secret=$secret"
-secret=""
 
 DEBUG "TOTP secret output on screen (both URL and QR code)"
 qrenc "$url"
 
-echo "TOTP secret for manual input (if no mobile phone) is after the 'secret=' part of the URL:"
-echo "$url"
+echo "TOTP secret for manual input (device without camera): $secret"
+secret=""

initrd/bin/tpmr

@@ -611,16 +611,9 @@ tpm2_unseal() {
 	fi
 
 	# tpm2 unseal will write the unsealed data to stdout and any errors to
-	# 	stderr.  We capture the unsealed data to $file, but still log the errors for quiet mode.
-	# In case of unseal error, caller will also report on TOTP not being able to be unsealed.
-	TMP_ERR_FILE=$(mktemp)
+	# stderr; capture stderr to log.
 	if ! tpm2 unseal -Q -c "$handle" -p "session:$POLICY_SESSION$UNSEAL_PASS_SUFFIX" \
-		-S "$ENC_SESSION_FILE" >"$file" 2>"$TMP_ERR_FILE"; then
-		# Log the contents of the temporary error file
-		while IFS= read -r line; do
-			LOG "tpm2 stderr: $line"
-		done <"$TMP_ERR_FILE"
-		rm -f "$TMP_ERR_FILE"
+		-S "$ENC_SESSION_FILE" >"$file" 2> >(SINK_LOG "tpm2 stderr"); then
 		LOG "Unable to unseal secret from TPM NVRAM"
 
 		# should succeed, exit if it doesn't
@@ -672,15 +665,15 @@ tpm2_reset() {
 	# output TPM Owner Password to a file to be reused in this boot session until recovery shell/reboot
 	DEBUG "Caching TPM Owner Password to $SECRET_DIR/tpm_owner_password"
 	echo -n "$tpm_owner_password" >"$SECRET_DIR/tpm_owner_password"
-	tpm2 clear -c platform >/dev/null 2>&1 || LOG "Unable to clear TPM on platform hierarchy"
-	tpm2 changeauth -c owner "$(tpm2_password_hex "$tpm_owner_password")" >/dev/null 2>&1 || LOG "Unable to change owner password"
-	tpm2 changeauth -c endorsement "$(tpm2_password_hex "$tpm_owner_password")" >/dev/null 2>&1 || LOG "Unable to change endorsement password"
-	tpm2 createprimary -C owner -g sha256 -G "${CONFIG_PRIMARY_KEY_TYPE:-rsa}" \
-		-c "$SECRET_DIR/primary.ctx" -P "$(tpm2_password_hex "$tpm_owner_password")" >/dev/null 2>&1 || LOG "Unable to create primary key"
-	tpm2 evictcontrol -C owner -c "$SECRET_DIR/primary.ctx" "$PRIMARY_HANDLE" \
-		-P "$(tpm2_password_hex "$tpm_owner_password")" >/dev/null 2>&1 || LOG "Unable to evict primary key"
-	shred -u "$SECRET_DIR/primary.ctx" >/dev/null 2>&1
-	tpm2_startsession >/dev/null 2>&1 || LOG "Unable to start session"
+	DO_WITH_DEBUG tpm2 clear -c platform &>/dev/null
+	DO_WITH_DEBUG tpm2 changeauth -c owner "$(tpm2_password_hex "$tpm_owner_password")" &>/dev/null
+	DO_WITH_DEBUG tpm2 changeauth -c endorsement "$(tpm2_password_hex "$tpm_owner_password")" &>/dev/null
+	DO_WITH_DEBUG tpm2 createprimary -C owner -g sha256 -G "${CONFIG_PRIMARY_KEY_TYPE:-rsa}" \
+		-c "$SECRET_DIR/primary.ctx" -P "$(tpm2_password_hex "$tpm_owner_password")" &>/dev/null
+	DO_WITH_DEBUG tpm2 evictcontrol -C owner -c "$SECRET_DIR/primary.ctx" "$PRIMARY_HANDLE" \
+		-P "$(tpm2_password_hex "$tpm_owner_password")" &>/dev/null
+	shred -u "$SECRET_DIR/primary.ctx" &>/dev/null
+	DO_WITH_DEBUG tpm2_startsession &>/dev/null
 
 	# Set the dictionary attack parameters.  TPM2 defaults vary widely, we
 	# want consistent behavior on any TPM.
@@ -722,17 +715,17 @@ tpm1_reset() {
 	DEBUG "Caching TPM Owner Password to $SECRET_DIR/tpm_owner_password"
 	echo -n "$tpm_owner_password" >"$SECRET_DIR/tpm_owner_password"
 	# Make sure the TPM is ready to be reset
-	tpm physicalpresence -s >/dev/null 2>&1 || LOG "Unable to assert physical presence"
-	tpm physicalenable >/dev/null 2>&1 || LOG "Unable to enable TPM"
-	tpm physicalsetdeactivated -c >/dev/null 2>&1 || LOG "Unable to deactivate TPM"
-	tpm forceclear >/dev/null 2>&1 || LOG "Unable to clear TPM"
-	tpm physicalenable >/dev/null 2>&1 || LOG "Unable to enable TPM"
-	tpm takeown -pwdo "$tpm_owner_password" >/dev/null 2>&1 || LOG "Unable to take ownership of TPM"
+	DO_WITH_DEBUG tpm physicalpresence -s &>/dev/null
+	DO_WITH_DEBUG tpm physicalenable &>/dev/null
+	DO_WITH_DEBUG tpm physicalsetdeactivated -c &>/dev/null
+	DO_WITH_DEBUG tpm forceclear &>/dev/null
+	DO_WITH_DEBUG tpm physicalenable &>/dev/null
+	DO_WITH_DEBUG tpm takeown -pwdo "$tpm_owner_password" &>/dev/null
 
 	# And now turn it all back on
-	tpm physicalpresence -s >/dev/null 2>&1 || LOG "Unable to assert physical presence"
-	tpm physicalenable >/dev/null 2>&1 || LOG "Unable to enable TPM"
-	tpm physicalsetdeactivated -c >/dev/null 2>&1 || LOG "Unable to deactivate TPM physical presence requirement"
+	DO_WITH_DEBUG tpm physicalpresence -s &>/dev/null
+	DO_WITH_DEBUG tpm physicalenable &>/dev/null
+	DO_WITH_DEBUG tpm physicalsetdeactivated -c &>/dev/null
 }
 
 # Perform final cleanup before boot and lock the platform heirarchy.
@@ -810,13 +803,9 @@ if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
 		TRACE_FUNC
 		LOG "TPM: Extending PCR[$3] with hash $hash"
 
-		# Redirect the output of DO_WITH_DEBUG to a temporary file so we can LOG it in quiet mode
-		TMP_DEBUG_FILE=$(mktemp)
-		DO_WITH_DEBUG exec tpm "$@" >"$TMP_DEBUG_FILE" 2>&1
-		while IFS= read -r line; do
-			LOG "$line"
-		done <"$TMP_DEBUG_FILE"
-		rm -f "$TMP_DEBUG_FILE"
+		# Silence stdout/stderr, they're only useful for debugging
+		# and DO_WITH_DEBUG captures them
+		DO_WITH_DEBUG exec tpm "$@" &>/dev/null
 		;;
 	seal)
 		shift

initrd/etc/functions

@@ -402,6 +402,15 @@ mask_param() {
 #
 # For example:
 # ls /boot/vmlinux* | SINK_LOG "/boot kernels"
+#
+# To capture stderr:
+# cryptsetup open /dev/sda1 media-crypt 2> >(SINK_LOG "LUKS unlock sda1 errors")
+# (Note: the space between '>' is necessary in '2> >(SINK_LOG ...)')
+#
+# To capture both:
+# tpm reset > >(SINK_LOG "tpm reset") 2>&1
+# (Note: 2>&1 must follow the stdout redirection, and space between '>' is
+# necessary)
 SINK_LOG() {
 	local name="$1"
 	local line haveblank
@@ -413,7 +422,7 @@ SINK_LOG() {
 		cat
 		echo
 	) | while IFS= read -r line; do
-		[[ -n "$haveblank" ]] && DEBUG "$name: " # Emit buffered blank line
+		[[ -n "$haveblank" ]] && LOG "$name: " # Emit buffered blank line
 		if [[ -z "$line" ]]; then
 			haveblank=y
 		else

initrd/init

@@ -1,6 +1,4 @@
 #! /bin/bash
-# Note this is used on legacy-flash boards that lack bash, it runs with busybox
-# ash.  Calls to bash scripts must be guarded by checking config.
 
 mknod /dev/ttyprintk c 5 3
 echo "hello world" >/dev/ttyprintk