@@ -306,11 +306,18 @@ tpm1_counter_create() {
306306 # other parameters for TPM1 are passed directly, and TPM2 mimics the
307307 # TPM1 interface.
308308 prompt_tpm_owner_password
309- if ! tpm counter_create -pwdo " $( cat " /tmp/secret/tpm_owner_password" ) " " $@ " > /dev/null 2>&1 ; then
309+ TMP_ERR_FILE=$( mktemp)
310+ if ! tpm counter_create -pwdo " $( cat " /tmp/secret/tpm_owner_password" ) " " $@ " 2> " $TMP_ERR_FILE " ; then
310311 DEBUG " Failed to create counter from tpm1_counter_create. Wiping /tmp/secret/tpm_owner_password"
311312 shred -n 10 -z -u /tmp/secret/tpm_owner_password
313+ # Log the contents of the temporary error file
314+ while IFS= read -r line; do
315+ DEBUG " tpm1 stderr: $line "
316+ done < " $TMP_ERR_FILE "
317+ rm -f " $TMP_ERR_FILE "
312318 die " Unable to create counter from tpm1_counter_create"
313319 fi
320+ rm -f " $TMP_ERR_FILE "
314321}
315322
316323tpm2_counter_create () {
@@ -608,16 +615,16 @@ tpm2_unseal() {
608615 # stderr. We capture the unsealed data to $file, but still log the errors for quiet mode.
609616 # In case of unseal error, caller will also report on TOTP not being able to be unsealed.
610617 TMP_ERR_FILE=$( mktemp)
611- if ! tpm2 unseal -Q -c " $handle " -p " session:$POLICY_SESSION$UNSEAL_PASS_SUFFIX " \
612- -S " $ENC_SESSION_FILE " > " $file " 2> " $TMP_ERR_FILE " ; then
613- # Log the contents of the temporary error file
614- while IFS= read -r line; do
615- LOG " tpm2 stderr: $line "
616- done < " $TMP_ERR_FILE "
617- rm -f " $TMP_ERR_FILE "
618- die " Unable to unseal secret from TPM NVRAM with tpm2 unseal"
619- fi
620- rm -f " $TMP_ERR_FILE "
618+ if ! tpm2 unseal -Q -c " $handle " -p " session:$POLICY_SESSION$UNSEAL_PASS_SUFFIX " \
619+ -S " $ENC_SESSION_FILE " > " $file " 2> " $TMP_ERR_FILE " ; then
620+ # Log the contents of the temporary error file
621+ while IFS= read -r line; do
622+ LOG " tpm2 stderr: $line "
623+ done < " $TMP_ERR_FILE "
624+ rm -f " $TMP_ERR_FILE "
625+ die " Unable to unseal secret from TPM NVRAM with tpm2 unseal"
626+ fi
627+ rm -f " $TMP_ERR_FILE "
621628}
622629
623630tpm1_unseal () {
@@ -715,7 +722,7 @@ tpm1_reset() {
715722 tpm physicalpresence -s > /dev/null 2>&1 || LOG " Unable to assert physical presence"
716723 tpm physicalenable > /dev/null 2>&1 || LOG " Unable to enable TPM"
717724 tpm physicalsetdeactivated -c > /dev/null 2>&1 || LOG " Unable to deactivate TPM"
718- tpm forceclear -pwdo " $tpm_owner_password " > /dev/null 2>&1 || LOG " Unable to clear TPM"
725+ tpm forceclear > /dev/null 2>&1 || LOG " Unable to clear TPM"
719726 tpm physicalenable > /dev/null 2>&1 || LOG " Unable to enable TPM"
720727 tpm takeown -pwdo " $tpm_owner_password " > /dev/null 2>&1 || LOG " Unable to take ownership of TPM"
721728
@@ -787,7 +794,7 @@ if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
787794 tpm1_destroy " $@ "
788795 ;;
789796 extend)
790- # check if we extend with a hash or a file
797+ # Check if we extend with a hash or a file
791798 if [ " $4 " = " -if" ]; then
792799 DEBUG " TPM: Will extend PCR[$3 ] hash content of file $5 "
793800 hash=" $( sha1sum " $5 " | cut -d' ' -f1) "
@@ -799,7 +806,14 @@ if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
799806
800807 TRACE_FUNC
801808 LOG " TPM: Extending PCR[$3 ] with hash $hash "
802- DO_WITH_DEBUG exec tpm " $@ "
809+
810+ # Redirect the output of DO_WITH_DEBUG to a temporary file so we can LOG it in quiet mode
811+ TMP_DEBUG_FILE=$( mktemp)
812+ DO_WITH_DEBUG exec tpm " $@ " > " $TMP_DEBUG_FILE " 2>&1
813+ while IFS= read -r line; do
814+ LOG " $line "
815+ done < " $TMP_DEBUG_FILE "
816+ rm -f " $TMP_DEBUG_FILE "
803817 ;;
804818 seal)
805819 shift
0 commit comments