initrd+boards: feature-freeze hardening across TPM, tracing, root-hashes, and prompts

- add cross-script full trace-stack context in initrd/etc/functions (TRACE_STACK + TRACE_FUNC chaining) for end-to-end call-path visibility
- harden TPM/TOTP/HOTP and rollback flows across initrd/bin/gui-init, initrd/bin/tpmr, initrd/bin/seal-totp, initrd/bin/unseal-totp, initrd/bin/unseal-hotp, initrd/bin/kexec-sign-config, and initrd/bin/oem-factory-reset
- improve reset-vs-reseal guidance, TPM2 primary-handle checks, and ensure reseal failures propagate to callers
- make counter increment/create pipeline error handling reliable with local pipefail in initrd/etc/functions
- remove sensitive TPM owner-password length debug metadata and apply helper cleanups (partition parsing compatibility, local scoping, formatting)
- fix root-hashes LVM handling for Qubes/device-mapper naming by robust VG detection and dashed VG/LV mapper escaping in initrd/bin/root-hashes-gui.sh + initrd/etc/functions
- fix DUK passphrase prompt UX in initrd/bin/kexec-seal-key (repeat prompt placement and inline entry behavior)
- add qemu tpm1/tpm2 prod_quiet board configs and correct *_hotp-prod_quiet board-name exports for coverage/testing

Signed-off-by: Thierry Laurion <insurgo@riseup.net>

Author: tlaurion

boards/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet.config

@@ -91,7 +91,7 @@ export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0"
 export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
 export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
-export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm1-hotp"
+export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet"
 #export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
 
 export CONFIG_KEYBOARD_KEYMAP="/usr/lib/kbd/keymaps/i386/qwerty/us.map"

boards/qemu-coreboot-fbwhiptail-tpm1-prod_quiet/qemu-coreboot-fbwhiptail-tpm1-prod_quiet.config

@@ -0,0 +1,97 @@
+# Configuration for building a coreboot ROM that works in
+# the qemu emulator in console mode thanks to Whiptail
+#
+# TPM can be used with a qemu software TPM (TIS, 1.2).
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=25.09
+export CONFIG_LINUX_VERSION=6.1.8
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1-prod.config
+CONFIG_LINUX_CONFIG=config/linux-qemu.config
+
+#Enable only one RESTRICTED/BASIC boot modes below to test them manually (we cannot inject config under QEMU (no internal flashing)
+#export CONFIG_RESTRICTED_BOOT=y
+#export CONFIG_BASIC=y
+
+#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
+#export CONFIG_HAVE_GPG_KEY_BACKUP=y
+
+#On-demand hardware support (modules.cpio)
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000=y
+#CONFIG_MOBILE_TETHERING=y
+#Runtime on-demand additional hardware support (modules.cpio)
+export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y
+
+
+
+#Modules packed into tools.cpio
+ifeq "$(CONFIG_UROOT)" "y"
+CONFIG_BUSYBOX=n
+else
+#Modules packed into tools.cpio
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+#Runtime tools to write to MSR
+#CONFIG_MSRTOOLS=y
+#Remote attestation support
+# TPM2 requirements
+#CONFIG_TPM2_TSS=y
+#CONFIG_OPENSSL=y
+#Remote Attestation common tools
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+#CONFIG_HOTPKEY=y
+#Nitrokey Storage admin tool (deprecated)
+#CONFIG_NKSTORECLI=n
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+#Additional tools (tools.cpio):
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
+endif
+
+#Runtime configuration
+#Automatically boot if HOTP is valid
+export CONFIG_AUTO_BOOT_TIMEOUT=5
+#TPM2 requirements
+#export CONFIG_TPM2_TOOLS=y
+#export CONFIG_PRIMARY_KEY_TYPE=ecc
+#TPM1 requirements
+export CONFIG_TPM=y
+#Enable DEBUG output
+export CONFIG_DEBUG_OUTPUT=n
+export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=n
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+#text-based original init:
+#export CONFIG_BOOTSCRIPT=/bin/generic-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0"
+export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
+export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm1-prod_quiet"
+#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
+
+export CONFIG_KEYBOARD_KEYMAP="/usr/lib/kbd/keymaps/i386/qwerty/us.map"
+
+BOARD_TARGETS := qemu

boards/qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet/qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet.config

@@ -17,6 +17,7 @@ CONFIG_LINUX_CONFIG=config/linux-qemu.config
 #Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
 #export CONFIG_HAVE_GPG_KEY_BACKUP=y
 
+
 #On-demand hardware support (modules.cpio)
 CONFIG_LINUX_USB=y
 CONFIG_LINUX_E1000=y
@@ -90,7 +91,7 @@ export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0"
 export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
 export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
-export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm2-hotp"
+export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet"
 #export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
 
 export CONFIG_KEYBOARD_KEYMAP="/usr/lib/kbd/keymaps/i386/qwerty/us.map"

boards/qemu-coreboot-fbwhiptail-tpm2-prod_quiet/qemu-coreboot-fbwhiptail-tpm2-prod_quiet.config

@@ -0,0 +1,98 @@
+# Configuration for building a coreboot ROM that works in
+# the qemu emulator in graphical mode thanks to FBWhiptail
+#
+# TPM can be used with a qemu software TPM (TIS, 2.0).
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=25.09
+export CONFIG_LINUX_VERSION=6.1.8
+
+CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2-prod.config
+CONFIG_LINUX_CONFIG=config/linux-qemu.config
+
+#Enable only one RESTRICTED/BASIC boot modes below to test them manually (we cannot inject config under QEMU (no internal flashing)
+#export CONFIG_RESTRICTED_BOOT=y
+#export CONFIG_BASIC=y
+
+#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
+#export CONFIG_HAVE_GPG_KEY_BACKUP=y
+
+
+#On-demand hardware support (modules.cpio)
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000=y
+#CONFIG_MOBILE_TETHERING=y
+#Runtime on-demand additional hardware support (modules.cpio)
+export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y
+
+
+
+#Modules packed into tools.cpio
+ifeq "$(CONFIG_UROOT)" "y"
+CONFIG_BUSYBOX=n
+else
+#Modules packed into tools.cpio
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHPROG=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+#Runtime tools to write to MSR
+CONFIG_MSRTOOLS=y
+#Remote attestation support
+# TPM2 requirements
+CONFIG_TPM2_TSS=y
+CONFIG_OPENSSL=y
+#Remote Attestation common tools
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
+#CONFIG_HOTPKEY=y
+#Nitrokey Storage admin tool (deprecated)
+#CONFIG_NKSTORECLI=n
+#GUI Support
+#Console based Whiptail support(Console based, no FB):
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+#FBWhiptail based (Graphical):
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+#Additional tools (tools.cpio):
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
+endif
+
+#Runtime configuration
+#Automatically boot if HOTP is valid
+export CONFIG_AUTO_BOOT_TIMEOUT=5
+#TPM2 requirements
+export CONFIG_TPM2_TOOLS=y
+export CONFIG_PRIMARY_KEY_TYPE=ecc
+#TPM1 requirements
+#export CONFIG_TPM=y
+#Enable DEBUG output
+#export CONFIG_DEBUG_OUTPUT=y
+#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
+#Enable TPM2 pcap output under /tmp
+export CONFIG_TPM2_CAPTURE_PCAP=y
+#Enable quiet mode: technical information logged under /tmp/debug.log
+export CONFIG_QUIET_MODE=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+#text-based original init:
+#export CONFIG_BOOTSCRIPT=/bin/generic-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0"
+export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
+export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm2-prod_quiet"
+#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
+
+export CONFIG_KEYBOARD_KEYMAP="/usr/lib/kbd/keymaps/i386/qwerty/us.map"
+
+BOARD_TARGETS := qemu

initrd/bin/gui-init

@@ -174,11 +174,40 @@ generate_totp_hotp() {
 		# clear screen
 		printf "\033c"
 	else
-		warn "Unsealing TOTP/HOTP secret from previous sealed measurements failed"
-		warn 'Try "Generate new HOTP/TOTP secret" option if you updated firmware content'
+		# seal-totp already printed an explanatory error (e.g. missing
+		# primary handle) and guided the user to reset the TPM.  Don't add
+		# confusing generic warnings here, just propagate failure.
+		return 1
 	fi
 }
 
+prompt_missing_gpg_key_action() {
+	TRACE_FUNC
+	whiptail_error --title "ERROR: GPG keyring empty!" \
+		--menu "Cannot continue TPM disk-key reseal because no GPG key is available.\n\nHow would you like to proceed?" 0 80 4 \
+		'g' ' Add a GPG key to the running BIOS' \
+		'F' ' OEM Factory Reset / Re-Ownership' \
+		'm' ' Return to main menu' \
+		'x' ' Exit to recovery shell' \
+		2>/tmp/whiptail || recovery "GUI menu failed"
+
+	option=$(cat /tmp/whiptail)
+	case "$option" in
+	g)
+		gpg-gui.sh && BG_COLOR_MAIN_MENU="normal"
+		;;
+	F)
+		oem-factory-reset
+		;;
+	x)
+		recovery "User requested recovery shell"
+		;;
+	m | *)
+		return 1
+		;;
+	esac
+}
+
 update_totp() {
 	TRACE_FUNC
 	# update the TOTP code
@@ -218,15 +247,19 @@ update_totp() {
 			g)
 				if (whiptail_warning --title 'Generate new TOTP/HOTP secret' \
 					--yesno "This will erase your old secret and replace it with a new one!\n\nDo you want to proceed?" 0 80); then
-					generate_totp_hotp && update_totp && BG_COLOR_MAIN_MENU="normal" && reseal_tpm_disk_decryption_key
+					if generate_totp_hotp && update_totp && BG_COLOR_MAIN_MENU="normal"; then
+						reseal_tpm_disk_decryption_key || prompt_missing_gpg_key_action
+					fi
 				fi
 				;;
 			i)
 				skip_to_menu="true"
 				return 1
 				;;
 			p)
-				reset_tpm && update_totp && BG_COLOR_MAIN_MENU="normal" && reseal_tpm_disk_decryption_key
+				if reset_tpm && update_totp && BG_COLOR_MAIN_MENU="normal"; then
+					reseal_tpm_disk_decryption_key || prompt_missing_gpg_key_action
+				fi
 				;;
 			x)
 				recovery "User requested recovery shell"
@@ -290,7 +323,9 @@ update_hotp() {
 		g)
 			if (whiptail_warning --title 'Generate new TOTP/HOTP secret' \
 				--yesno "This will erase your old secret and replace it with a new one!\n\nDo you want to proceed?" 0 80); then
-				generate_totp_hotp && BG_COLOR_MAIN_MENU="normal" && reseal_tpm_disk_decryption_key
+				if generate_totp_hotp && BG_COLOR_MAIN_MENU="normal"; then
+					reseal_tpm_disk_decryption_key || prompt_missing_gpg_key_action
+				fi
 			fi
 			;;
 		i)
@@ -510,10 +545,14 @@ show_tpm_totp_hotp_options_menu() {
 	option=$(cat /tmp/whiptail)
 	case "$option" in
 	g)
-		generate_totp_hotp && reseal_tpm_disk_decryption_key
+		if generate_totp_hotp; then
+			reseal_tpm_disk_decryption_key || prompt_missing_gpg_key_action
+		fi
 		;;
 	r)
-		reset_tpm && reseal_tpm_disk_decryption_key
+		if reset_tpm; then
+			reseal_tpm_disk_decryption_key || prompt_missing_gpg_key_action
+		fi
 		;;
 	t)
 		prompt_totp_mismatch
@@ -566,15 +605,18 @@ reset_tpm() {
 			DEBUG "TPM_COUNTER: $TPM_COUNTER"
 			#TPM_COUNTER can be empty
 
-			increment_tpm_counter $TPM_COUNTER>/dev/null 2>&1 ||
+			increment_tpm_counter $TPM_COUNTER ||
 				die "Unable to increment tpm counter"
 
 			DO_WITH_DEBUG sha256sum /tmp/counter-$TPM_COUNTER >/boot/kexec_rollback.txt ||
 				die "Unable to create rollback file"
 
 			TRACE_FUNC
 			# As a countermeasure for existing primary handle hash, we will now force sign /boot without it
-			if (whiptail --title 'TPM Reset Successfully' \
+			GPG_KEY_COUNT=$(gpg -k 2>/dev/null | wc -l)
+			if [ "$GPG_KEY_COUNT" -eq 0 ]; then
+				prompt_missing_gpg_key_action
+			elif (whiptail --title 'TPM Reset Successfully' \
 				--yesno "Would you like to update the checksums and sign all of the files in /boot?\n\nYou will need your GPG key to continue and this will modify your disk.\n\nOtherwise the system will reboot immediately." 0 80); then
 				if ! update_checksums; then
 					whiptail_error --title 'ERROR' \

initrd/bin/kexec-seal-key

@@ -69,7 +69,10 @@ attempts=0
 
 # Ask for the DRK passphrase first, before testing any devices
 while [ $attempts -lt 3 ] && [ $luks_drk_passphrase_valid -eq 0 ]; do
-	read -r -s -p $'\nEnter LUKS Disk Recovery Key (DRK) passphrase that can unlock '"$key_devices"': ' disk_recovery_key_passphrase
+	if [ $attempts -eq 0 ]; then
+		echo
+	fi
+	read -r -s -p "Enter LUKS Disk Recovery Key (DRK) passphrase that can unlock $key_devices: " disk_recovery_key_passphrase
 	echo
 	echo -n "$disk_recovery_key_passphrase" >"$DISK_RECOVERY_KEY_FILE"
 
@@ -103,15 +106,19 @@ done
 MIN_PASSPHRASE_LENGTH=12
 attempts=0
 while [ $attempts -lt 3 ]; do
-	read -r -s -p $'\nNew LUKS TPM Disk Unlock Key (DUK) passphrase for booting (minimum '"$MIN_PASSPHRASE_LENGTH"' characters): ' key_password
-	echo
+	if [ $attempts -eq 0 ]; then
+		echo
+	fi
+	read -r -s -p "New LUKS TPM Disk Unlock Key (DUK) passphrase for booting (minimum $MIN_PASSPHRASE_LENGTH characters): " key_password
 	if [ ${#key_password} -lt $MIN_PASSPHRASE_LENGTH ]; then
+		echo
 		attempts=$((attempts + 1))
 		warn "Disk Unlock Key (DUK) passphrase is too short. Please try again."
 		continue
 	fi
 
-	read -r -s -p $'\nRepeat LUKS TPM Disk Unlock Key (DUK) passphrase for booting: ' key_password2
+	echo
+	read -r -s -p "Repeat LUKS TPM Disk Unlock Key (DUK) passphrase for booting: " key_password2
 	echo
 	if [ "$key_password" != "$key_password2" ]; then
 		attempts=$((attempts + 1))