
initrd/docs: improve dongle detection, STATUS flow, boot respawn, and doc alignment #2094

Merged
tlaurion merged 10 commits into linuxboot:master from tlaurion:detect_usb_security_dongle_branding_early
May 8, 2026

Conversation

@tlaurion
Collaborator

@tlaurion tlaurion commented Apr 28, 2026

Closes #2098
Closes #2097
Closes #2096 (previously fixed in #2103)

Summary

This PR improves initrd behavior around USB security dongle detection, long-running STATUS/WARN messaging, and boot-script respawn handling, while aligning documentation with current behavior.

Changes Included

1. USB Security Dongle Detection

  • Add an early VID wait before branding detection to reduce enumeration races during boot.
  • Add bounded, cancellable wait behavior so dongle detection is more predictable in interactive flows.
  • Keep USB initialization explicit in the call paths that actually need it.

2. Logging And Long-Operation UX

  • Standardize STATUS/NOTE/WARN/INFO usage across initrd scripts.
  • Add clearer STATUS outcomes for longer dongle, GPG-card, and HOTP-related operations.
  • Clarify best-effort continuation semantics in doc/logging.md when a bounded wait continues by design.
  • Keep wording context-accurate between reseal flows and /boot signing flows.

3. Boot Respawn Robustness

  • Update initrd boot-script respawn handling to use PID-tracked logic instead of a more fragile restart pattern.

4. Build And Documentation Alignment

  • Sanitize branch tokens used in artifact filenames in Makefile.
  • Align documentation and runtime wording for recovery flow, dongle mapping, DUK wording, and async serial recovery behavior.
  • Clarify DUK documentation as 128-byte random key material.

Tested

  • qemu-coreboot-fbwhiptail-tpm2-hotp (full reset + re-ownership)
  • qemu-coreboot-fbwhiptail-tpm1-hotp (full reset + re-ownership)
  • x230 (recovery/interaction behavior validated)
  • v540tu (TPM2)

Screenshots

USB dongle detection wait in action (x230, tpm1 hotp)

Detected once the dongle is plugged in, default boot v540tu (tpm2):

traces of current logs

See #2094 (comment)
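The early VID wait and the bounded, cancellable behaviour described above, sketched in POSIX shell as an added example (this is not code from the Heads PR or project): sysfs is polled for a known vendor ID before any slower lsusb-based branding detection, and every outcome ends in an explicit STATUS line. The vendor-ID list, poll counts, the cancel-file stand-in for a keypress, and the fake sysfs tree are constructed assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the Heads PR: a bounded, cancellable sysfs wait
# for a USB security dongle's vendor ID, run before lsusb branding detection.
# Vendor IDs, poll counts and the cancel-file mechanism are assumptions made
# for this example; the sysfs tree used below is constructed, not real hardware.

# Vendor IDs treated as "security dongle" for this example (assumed list).
DONGLE_VIDS="20a0 1050 1209"

# usb_vid_present ROOT VID...
# Scan ROOT/*/idVendor (the layout of /sys/bus/usb/devices) for any of the VIDs.
# Prints the matched VID and returns 0; returns 1 if none is enumerated yet.
usb_vid_present() {
    _root=$1
    shift
    for _dev in "$_root"/*/; do
        [ -r "$_dev/idVendor" ] || continue
        _vid=$(cat "$_dev/idVendor")
        for _want in "$@"; do
            if [ "$_vid" = "$_want" ]; then
                echo "$_vid"
                return 0
            fi
        done
    done
    return 1
}

# wait_for_dongle_vid ROOT MAX_POLLS INTERVAL CANCEL_FILE
# Poll until a dongle VID shows up, MAX_POLLS polls have elapsed, or CANCEL_FILE
# exists (stand-in for the user pressing a key to skip the wait).
# Exit codes: 0 found, 1 timed out (caller continues best-effort), 2 cancelled.
wait_for_dongle_vid() {
    _wroot=$1
    _max=$2
    _interval=$3
    _cancel=$4
    _polls=0
    while :; do
        if _found=$(usb_vid_present "$_wroot" $DONGLE_VIDS); then
            echo "STATUS_OK: dongle VID $_found enumerated after $_polls poll(s)"
            return 0
        fi
        if [ -n "$_cancel" ] && [ -e "$_cancel" ]; then
            echo "NOTE: dongle wait cancelled by user after $_polls poll(s)"
            return 2
        fi
        if [ "$_polls" -ge "$_max" ]; then
            echo "WARN: no dongle VID after $_max poll(s); continuing best-effort"
            return 1
        fi
        sleep "$_interval"
        _polls=$((_polls + 1))
    done
}

# make_fake_sysfs VID
# Build a constructed two-device tree mimicking /sys/bus/usb/devices so the
# example runs without hardware. Prints the directory path.
make_fake_sysfs() {
    _fake=$(mktemp -d)
    mkdir -p "$_fake/1-1" "$_fake/2-3"
    echo 8087 > "$_fake/1-1/idVendor"   # an unrelated device (e.g. a hub)
    echo "$1" > "$_fake/2-3/idVendor"   # the device under test
    echo "$_fake"
}

# Demo: dongle already enumerated, then only a non-dongle device present
# (the bounded wait expires and the caller is told to continue best-effort).
demo_a=$(make_fake_sysfs 20a0)
demo_b=$(make_fake_sysfs 046d)
wait_for_dongle_vid "$demo_a" 3 0 "" || true
wait_for_dongle_vid "$demo_b" 3 0 "" || true
rm -rf "$demo_a" "$demo_b"
```

In an initrd the ROOT argument would be /sys/bus/usb/devices and INTERVAL a fraction of a second; the return code tells the caller whether to run the lsusb branding step, skip it, or log the degraded continuation.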

Copilot AI review requested due to automatic review settings April 28, 2026 21:54

Copilot AI left a comment


Pull request overview

Updates initrd scripts to detect USB security dongle branding earlier and to refine console logging behavior (especially for quiet mode) by shifting messages among STATUS/STATUS_OK/NOTE/WARN and adding more explicit success milestones.

Changes:

  • Add an early sysfs-based wait in detect_usb_security_dongle_branding() to reduce mis-detection before lsusb is reliable.
  • Rebalance user-visible logging across multiple initrd scripts (more STATUS/STATUS_OK, convert some INFO→NOTE/WARN, add success confirmations).
  • Expand doc/logging.md to clarify intended semantics of INFO/NOTE/WARN and console behavior in quiet/info/debug modes.

Reviewed changes

Copilot reviewed 3 out of 15 changed files in this pull request and generated 2 comments.

Summary per file:

| File | Description |
| --- | --- |
| initrd/etc/gui_functions.sh | Adjust integrity report output; add signing-key status messaging. |
| initrd/etc/functions.sh | Add sysfs VID wait loop before lsusb branding detection. |
| initrd/bin/unseal-hotp.sh | Add STATUS/STATUS_OK around TPM unseal of HOTP secret. |
| initrd/bin/tpmr.sh | Change TPM2 unseal failure log level (INFO→WARN). |
| initrd/bin/seal-totp.sh | Promote PCR-read logging to STATUS; show manual secret via NOTE. |
| initrd/bin/seal-hotpkey.sh | Add STATUS/STATUS_OK around writing HOTP secret to dongle. |
| initrd/bin/oem-factory-reset.sh | Add STATUS_OK milestones; adjust guidance output levels; fix TPM reset error handling block structure. |
| initrd/bin/network-init-recovery.sh | Add STATUS_OK milestones for module load, clock sync, and SSH server start. |
| initrd/bin/lock_chip.sh | Add STATUS_OK after chipset lock command. |
| initrd/bin/key-init.sh | Reword ISO key loading messages and add final STATUS_OK. |
| initrd/bin/kexec-seal-key.sh | Add STATUS_OK milestones for key generation, LUKS slot update, PCR reads. |
| initrd/bin/gui-init.sh | Reduce/shift console output in reseal/TOTP/HOTP flows; add HOTP verification status lines. |
| initrd/bin/gpg-gui.sh | Convert INFO instructions to NOTE. |
| initrd/bin/cbfs-init.sh | Adjust SPI read messaging; add STATUS_OK on flash read success. |
| doc/logging.md | Redefine INFO/NOTE positioning and document console styling/sleep/visibility matrix. |


Comment thread initrd/etc/gui_functions.sh Outdated
Comment thread initrd/etc/functions.sh Outdated
@tlaurion tlaurion force-pushed the detect_usb_security_dongle_branding_early branch from 9361484 to 2a485c5 April 29, 2026 13:27
@tlaurion tlaurion marked this pull request as draft April 29, 2026 13:28
@tlaurion tlaurion requested a review from Copilot April 29, 2026 13:28

Copilot AI left a comment


Pull request overview

Copilot reviewed 3 out of 15 changed files in this pull request and generated 1 comment.



Comment thread doc/logging.md Outdated
@tlaurion tlaurion force-pushed the detect_usb_security_dongle_branding_early branch from 2a485c5 to 5e09ef9 April 29, 2026 13:57
@tlaurion tlaurion requested a review from Copilot April 29, 2026 13:59

Copilot AI left a comment


Pull request overview

Copilot reviewed 3 out of 15 changed files in this pull request and generated no new comments.



@tlaurion tlaurion force-pushed the detect_usb_security_dongle_branding_early branch from 5e09ef9 to c03366b April 29, 2026 18:20
@tlaurion tlaurion requested a review from Copilot April 29, 2026 18:21
@tlaurion tlaurion changed the title from "Detect usb security dongle branding early, fixup STATUS STATUS_OK for quiet mode" to "Detect usb security dongle branding early, fixup STATUS+STATUS_OK/INFO for quiet mode" Apr 29, 2026

Copilot AI left a comment


Pull request overview

Copilot reviewed 4 out of 15 changed files in this pull request and generated 2 comments.



Comment thread initrd/init Outdated
Comment thread doc/logging.md Outdated
@tlaurion tlaurion force-pushed the detect_usb_security_dongle_branding_early branch from c03366b to fee4251 April 29, 2026 18:53
@tlaurion tlaurion requested a review from Copilot April 29, 2026 18:55

Copilot AI left a comment


Pull request overview

Copilot reviewed 4 out of 16 changed files in this pull request and generated 5 comments.



Comment thread doc/logging.md Outdated
Comment thread initrd/init
Comment thread initrd/init Outdated
Comment thread initrd/init Outdated
Comment thread initrd/etc/functions.sh Outdated
@tlaurion tlaurion marked this pull request as ready for review April 29, 2026 19:04
@tlaurion tlaurion changed the title from "Detect usb security dongle branding early, fixup STATUS+STATUS_OK/INFO for quiet mode" to "Refine STATUS/NOTE/INFO logging for consistent UX and accurate terminology" Apr 29, 2026
@tlaurion tlaurion marked this pull request as draft April 29, 2026 19:08
@tlaurion tlaurion changed the title from "Improve USB dongle detection and refine STATUS/NOTE/INFO logging, fix tpm sealing/counter increment issue" to "Fix TPM2 counter increment, add DEBUG traces across boot chain, fix respawn loop" May 2, 2026
@tlaurion tlaurion changed the title from "Fix TPM2 counter increment, add DEBUG traces across boot chain, fix respawn loop" to "Fix early USB security dongle branding detection; refine STATUS/NOTE/INFO logging, fix TPM sealing/counter increment & respawn loop" May 2, 2026
@tlaurion tlaurion requested a review from Copilot May 2, 2026 22:29

Copilot AI left a comment


Pull request overview

Copilot reviewed 7 out of 26 changed files in this pull request and generated 2 comments.



Comment thread initrd/etc/gui_functions.sh Outdated
Comment thread initrd/init Outdated
@tlaurion
Collaborator Author

tlaurion commented May 5, 2026

Split the TPM1 issues into PR #2099 with refactoring to unify the TPM1/TPM2 workflow. Will rebase this PR once merged.

@tlaurion tlaurion requested a review from Copilot May 6, 2026 23:55

Copilot AI left a comment


Pull request overview

Copilot reviewed 7 out of 26 changed files in this pull request and generated 3 comments.

Comment thread initrd/init Outdated
Comment thread initrd/etc/gui_functions.sh Outdated
Comment thread initrd/etc/functions.sh Outdated

Copilot AI left a comment


Pull request overview

Copilot reviewed 8 out of 24 changed files in this pull request and generated 3 comments.

Comment thread initrd/etc/functions.sh
Comment thread initrd/etc/functions.sh Outdated
Comment thread initrd/etc/functions.sh Outdated

Copilot AI left a comment


Pull request overview

Copilot reviewed 14 out of 30 changed files in this pull request and generated 1 comment.

Comment thread doc/boot-process.md Outdated
tlaurion added 4 commits May 7, 2026 14:10

Copilot AI left a comment


Pull request overview

Copilot reviewed 15 out of 31 changed files in this pull request and generated 1 comment.

Comment thread Makefile Outdated
tlaurion added 3 commits May 7, 2026 15:12
… and long-op STATUS outcomes

Align documentation and runtime messaging to match current behavior:
- docs: synchronize recovery flow, dongle mapping, DUK/measurement wording
- initrd runtime: make long dongle/GPG/HOTP waits report explicit STATUS outcomes
  (success, degraded continuation, or warning) instead of silent/bare waits
- keep wording context-accurate between reseal and /boot signing paths

This captures the combined scope now present in this commit after autosquash.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
@tlaurion
Collaborator Author

tlaurion commented May 7, 2026

Some log output to put as a ref in the OP, on default boot

(./docker_repro.sh make BOARD=qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet USB_TOKEN=Nitrokey3NFC PUBKEY_ASC=pubkey.asc inject_gpg run with sealed totp+duk)

/tmp/debug.log

Press Enter to proceed to recovery shell 

Welcome to the Recovery Shell!

- /tmp/debug.log: detailed runtime logs in all output modes.
- /tmp/measuring_trace.log: INFO-level security/measurement log in all output modes.
        - Read locally with:
          - 'less /tmp/debug.log'
          - 'less /tmp/measuring_trace.log'
- If you hit a bug:
        - Connect an ext3/ext4/fat32/exfat USB thumb drive, then run:
          - 'mount-usb.sh --mode rw' # mount USB read-write at /media
          - 'cp /tmp/debug.log /tmp/measuring_trace.log /media/' # copy both logs
          - 'umount /media' # flush writes and safely unmount
- Share both log files with developers.
bash-5.1# cat /tmp/debug.log 
DEBUG: TPM: Will extend PCR[5] with hash of file content /lib/modules/xhci-pci.ko
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/sbin/insmod.sh:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1232) -> tpm2_extend(/bin/tpmr.sh:272) -> INFO(/etc/functions.sh:301)
INFO: TPM: Extended PCR[5] with hash 7a3d34fe568abab53b827ff77d4c51f21a7057111c8afcc4c91e775f92ed3488
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/sbin/insmod.sh:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1232) -> tpm2_extend(/bin/tpmr.sh:273) -> INFO(/etc/functions.sh:301)
INFO: TPM: PCR[5] after extend:     5 : 0x4BB1E1405AD1FA13B66FE9BB465B0DB0F18CA317B9802CE40D42589ACE26BF0E
DEBUG: Loading /lib/modules/xhci-pci.ko with busybox insmod
DEBUG: USB modules loaded, _USB_ENABLED=y
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/gui-init.sh:994) -> detect_usb_security_dongle_branding(/etc/functions.sh:662) -> wait_for_usb_devices(/etc/functions.sh:1224)
DEBUG: Waiting for USB peripheral devices (not just hubs) - max 2s timeout
DEBUG: USB peripheral devices ready after 0.400s (iteration 319): found 1 device(s)
 OK USB peripheral devices detected
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/gui-init.sh:994) -> detect_usb_security_dongle_branding(/etc/functions.sh:666) -> wait_for_usb_security_dongle_vid(/etc/functions.sh:551)
DEBUG: wait_for_usb_security_dongle_vid: interactive_tty='/dev/tty0' is_serial=0 RECOVERY_TTY='<none>'
DEBUG: wait_for_usb_security_dongle_vid: allow_user_cancel=y
 >> Waiting up to 15s for USB security dongle detection (press any key to skip)
DEBUG: USB security dongle VID detected in sysfs
 OK USB security dongle detected
DEBUG: lsusb output: Bus 001 Device 001: ID 1d6b:0002
Bus 001 Device 003: ID 20a0:42b2
Bus 001 Device 002: ID 0627:0001
Bus 002 Device 002: ID 46f4:0001
Bus 002 Device 001: ID 1d6b:0003
DEBUG: Detected Nitrokey 3 (20a0:42b2)
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/gui-init.sh:997) -> detect_boot_device(/etc/functions.sh:2601)
DEBUG: CONFIG_BOOT_DEV=
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/gui-init.sh:997) -> detect_boot_device(/etc/functions.sh:2641) -> mount_possible_boot_device(/etc/functions.sh:2550)
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/gui-init.sh:997) -> detect_boot_device(/etc/functions.sh:2641) -> mount_possible_boot_device(/etc/functions.sh:2563) -> is_gpt_bios_grub(/etc/functions.sh:2502)
DEBUG: PART_DEV=/dev/vda1
DEBUG: DEVICE=vda NUMBER=1
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/gui-init.sh:997) -> detect_boot_device(/etc/functions.sh:2641) -> mount_possible_boot_device(/etc/functions.sh:2572) -> find_lvm_vg_name(/etc/functions.sh:2453)
LOG: lvm:   Failed to find physical volume "/dev/vda1".
DEBUG: lvm pvs failed for /dev/vda1
DEBUG: find_lvm_vg_name: /dev/vda1 is not an LVM PV
DEBUG: Try mounting /dev/vda1 as /boot
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/gui-init.sh:999) -> clean_boot_check(/bin/gui-init.sh:613)
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/gui-init.sh:1010) -> preflight_rollback_counter_before_reseal(/etc/functions.sh:1950)
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/gui-init.sh:1010) -> preflight_rollback_counter_before_reseal(/etc/functions.sh:1976) -> get_rollback_counter_id(/etc/functions.sh:1909)
DEBUG: Preflight: validating rollback counter 1b541a8 before protected operations
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1235) -> tpm2_counter_read(/bin/tpmr.sh:277)
DEBUG: Preflight: rollback counter 1b541a8 is readable and has acceptable TPM2 write attributes
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/gui-init.sh:1096) -> check_gpg_key(/bin/gui-init.sh:641)
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/gui-init.sh:1099) -> update_totp(/bin/gui-init.sh:363)
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/unseal-totp.sh:0) -> main(/bin/unseal-totp.sh:17)
DEBUG: tpmr.sh unseal 4d47 0,1,2,3,4,7 312 /tmp/secret/totp.key
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/unseal-totp.sh:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1253) -> tpm2_unseal(/bin/tpmr.sh:807)
DEBUG: tpm2_unseal: handle=0x81004d47 pcrl=0,1,2,3,4,7 file=/tmp/secret/totp.key pass=<empty>
DEBUG: Running at_exit handlers
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/unseal-totp.sh:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1) -> run_at_exit_handlers(/etc/functions.sh:2773) -> cleanup_session(/bin/tpmr.sh:503)
DEBUG: Clean up session: /tmp/secret/unsealfile_policy.session
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/gui-init.sh:1099) -> update_hotp(/bin/gui-init.sh:450)
 >> Checking Nitrokey 3 presence
 OK Nitrokey 3 firmware: v1.8.3 (Secrets App: v4.14) (minimum: v1.8.3, latest known: v1.8.3)
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/unseal-hotp.sh:0) -> main(/bin/unseal-hotp.sh:18)
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/unseal-hotp.sh:0) -> main(/bin/unseal-hotp.sh:23) -> mount_boot_or_die(/bin/unseal-hotp.sh:10)
DEBUG: Unsealing HOTP secret reuses TOTP sealed secret...
 >> Unsealing HOTP secret from TPM
DEBUG: tpmr.sh unseal 4d47 0,1,2,3,4,7 312 /tmp/secret/hotp.key
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/unseal-hotp.sh:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1253) -> tpm2_unseal(/bin/tpmr.sh:807)
DEBUG: tpm2_unseal: handle=0x81004d47 pcrl=0,1,2,3,4,7 file=/tmp/secret/hotp.key pass=<empty>
DEBUG: Running at_exit handlers
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/unseal-hotp.sh:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1) -> run_at_exit_handlers(/etc/functions.sh:2773) -> cleanup_session(/bin/tpmr.sh:503)
DEBUG: Clean up session: /tmp/secret/unsealfile_policy.session
 OK HOTP secret unsealed from TPM
DEBUG: Incrementing HOTP counter under /boot/kexec_hotp_counter
 >> Verifying HOTP code
 OK HOTP code verified
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/gui-init.sh:1102) -> prompt_auto_default_boot(/bin/gui-init.sh:679)
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/gui-init.sh:1102) -> prompt_auto_default_boot(/bin/gui-init.sh:680) -> pause_automatic_boot(/etc/gui_functions.sh:8)
 >> Attempting default boot
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/gui-init.sh:1102) -> prompt_auto_default_boot(/bin/gui-init.sh:682) -> attempt_default_boot(/bin/gui-init.sh:958)
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/gui-init.sh:1102) -> prompt_auto_default_boot(/bin/gui-init.sh:682) -> attempt_default_boot(/bin/gui-init.sh:959) -> mount_boot(/bin/gui-init.sh:30)
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/gui-init.sh:1102) -> prompt_auto_default_boot(/bin/gui-init.sh:682) -> attempt_default_boot(/bin/gui-init.sh:961) -> verify_global_hashes(/bin/gui-init.sh:84)
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/gui-init.sh:1102) -> prompt_auto_default_boot(/bin/gui-init.sh:682) -> attempt_default_boot(/bin/gui-init.sh:961) -> verify_global_hashes(/bin/gui-init.sh:86) -> check_config(/etc/functions.sh:2145)
DEBUG: check_config: checking /boot (force=force)
DEBUG: check_config: 9 kexec*.txt file(s) in /boot: kexec_default.1.txt kexec_default_hashes.txt kexec_hashes.txt kexec_initrd_crypttab_overrides.txt kexec_key_devices.txt kexec_lukshdr_hash.txt kexec_primhdl_hash.txt kexec_rollback.txt kexec_tree.txt
 OK GPG signature on kexec boot params verified
DEBUG: check_config: copying kexec*.txt from /boot to /tmp/kexec
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/gui-init.sh:1102) -> prompt_auto_default_boot(/bin/gui-init.sh:682) -> attempt_default_boot(/bin/gui-init.sh:961) -> verify_global_hashes(/bin/gui-init.sh:92) -> verify_checksums(/etc/functions.sh:2413)
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/gui-init.sh:1102) -> prompt_auto_default_boot(/bin/gui-init.sh:682) -> attempt_default_boot(/bin/gui-init.sh:961) -> verify_global_hashes(/bin/gui-init.sh:92) -> verify_checksums(/etc/functions.sh:2425) -> print_tree(/etc/functions.sh:2327)
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/gui-init.sh:1102) -> prompt_auto_default_boot(/bin/gui-init.sh:682) -> attempt_default_boot(/bin/gui-init.sh:966)
DEBUG: kexec-select-boot.sh -b /boot -c grub.cfg -g
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-select-boot.sh:8)
DEBUG: check_config /boot
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-select-boot.sh:349) -> DO_WITH_DEBUG(/etc/functions.sh:1433) -> check_config(/etc/functions.sh:2145)
DEBUG: check_config: checking /boot (force=)
DEBUG: check_config: 9 kexec*.txt file(s) in /boot: kexec_default.1.txt kexec_default_hashes.txt kexec_hashes.txt kexec_initrd_crypttab_overrides.txt kexec_key_devices.txt kexec_lukshdr_hash.txt kexec_primhdl_hash.txt kexec_rollback.txt kexec_tree.txt
 >> Verifying GPG signature on kexec boot params
DEBUG: check_config: running (cd /boot && sha256sum kexec_default.1.txt kexec_default_hashes.txt kexec_hashes.txt kexec_initrd_crypttab_overrides.txt kexec_key_devices.txt kexec_lukshdr_hash.txt kexec_primhdl_hash.txt kexec_rollback.txt kexec_tree.txt) | gpgv.sh /boot/kexec.sig
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/gpgv.sh:0) -> main(/bin/gpgv.sh:5)
 OK GPG signature on kexec boot params verified
DEBUG: check_config: copying kexec*.txt from /boot to /tmp/kexec
LOG: gpgv kexec.sig: gpg: Signature made Thu May  7 19:34:53 2026 UTC
LOG: gpgv kexec.sig: gpg:                using RSA key 575F80D1599EA6D2C70AA9A19A53E1BB3FF00461
LOG: gpgv kexec.sig: gpg: Good signature from "Insurgo Open Technologies/Technologies Libres (With key material backup) <insurgo@riseup.net>" [ultimate]
 >> Scanning for boot options
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-select-boot.sh:384) -> scan_options(/bin/kexec-select-boot.sh:209) -> scan_boot_options(/etc/functions.sh:2655)
DEBUG: kexec-parse-boot.sh /boot /boot/grub/grub.cfg
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-parse-boot.sh:0) -> main(/bin/kexec-parse-boot.sh:5)
DEBUG: filedir= /boot/grub
DEBUG: bootdir= /boot
DEBUG: bootlen= 5
DEBUG: appenddir= /grub
DEBUG:  grub_entry : linux trimcmd prior of kernel/append parsing: linux /vmlinuz-6.12.85+deb13-amd64 root=/dev/mapper/debian--vg-root ro console=ttyS0 console=tty systemd.zram=0 quiet
DEBUG:  grub_entry: linux initrd= /initrd.img-6.12.85+deb13-amd64
LOG: kexec-parse-boot.sh stdout: Debian GNU/Linux|elf|kernel /vmlinuz-6.12.85+deb13-amd64|initrd /initrd.img-6.12.85+deb13-amd64|append root=/dev/mapper/debian--vg-root ro console=ttyS0 console=tty systemd.zram=0 quiet
DEBUG:  grub_entry : linux trimcmd prior of kernel/append parsing: linux /vmlinuz-6.12.85+deb13-amd64 root=/dev/mapper/debian--vg-root ro console=ttyS0 console=tty systemd.zram=0 quiet
DEBUG:  grub_entry: linux initrd= /initrd.img-6.12.85+deb13-amd64
LOG: kexec-parse-boot.sh stdout: Debian GNU/Linux, with Linux 6.12.85+deb13-amd64|elf|kernel /vmlinuz-6.12.85+deb13-amd64|initrd /initrd.img-6.12.85+deb13-amd64|append root=/dev/mapper/debian--vg-root ro console=ttyS0 console=tty systemd.zram=0 quiet
DEBUG:  grub_entry : linux trimcmd prior of kernel/append parsing: linux /vmlinuz-6.12.85+deb13-amd64 root=/dev/mapper/debian--vg-root ro single dis_ucode_ldr console=ttyS0 console=tty systemd.zram=0
DEBUG:  grub_entry: linux initrd= /initrd.img-6.12.85+deb13-amd64
LOG: kexec-parse-boot.sh stdout: Debian GNU/Linux, with Linux 6.12.85+deb13-amd64 (recovery mode)|elf|kernel /vmlinuz-6.12.85+deb13-amd64|initrd /initrd.img-6.12.85+deb13-amd64|append root=/dev/mapper/debian--vg-root ro single dis_ucode_ldr console=ttyS0 console=tty systemd.zram=0
DEBUG:  grub_entry : linux trimcmd prior of kernel/append parsing: linux /vmlinuz-6.12.74+deb13+1-amd64 root=/dev/mapper/debian--vg-root ro console=ttyS0 console=tty systemd.zram=0 quiet
DEBUG:  grub_entry: linux initrd= /initrd.img-6.12.74+deb13+1-amd64
LOG: kexec-parse-boot.sh stdout: Debian GNU/Linux, with Linux 6.12.74+deb13+1-amd64|elf|kernel /vmlinuz-6.12.74+deb13+1-amd64|initrd /initrd.img-6.12.74+deb13+1-amd64|append root=/dev/mapper/debian--vg-root ro console=ttyS0 console=tty systemd.zram=0 quiet
DEBUG:  grub_entry : linux trimcmd prior of kernel/append parsing: linux /vmlinuz-6.12.74+deb13+1-amd64 root=/dev/mapper/debian--vg-root ro single dis_ucode_ldr console=ttyS0 console=tty systemd.zram=0
DEBUG:  grub_entry: linux initrd= /initrd.img-6.12.74+deb13+1-amd64
LOG: kexec-parse-boot.sh stdout: Debian GNU/Linux, with Linux 6.12.74+deb13+1-amd64 (recovery mode)|elf|kernel /vmlinuz-6.12.74+deb13+1-amd64|initrd /initrd.img-6.12.74+deb13+1-amd64|append root=/dev/mapper/debian--vg-root ro single dis_ucode_ldr console=ttyS0 console=tty systemd.zram=0
DEBUG:  grub_entry : linux trimcmd prior of kernel/append parsing: linux /vmlinuz-6.12.73+deb13-amd64 root=/dev/mapper/debian--vg-root ro console=ttyS0 console=tty systemd.zram=0 quiet
DEBUG:  grub_entry: linux initrd= /initrd.img-6.12.73+deb13-amd64
LOG: kexec-parse-boot.sh stdout: Debian GNU/Linux, with Linux 6.12.73+deb13-amd64|elf|kernel /vmlinuz-6.12.73+deb13-amd64|initrd /initrd.img-6.12.73+deb13-amd64|append root=/dev/mapper/debian--vg-root ro console=ttyS0 console=tty systemd.zram=0 quiet
DEBUG:  grub_entry : linux trimcmd prior of kernel/append parsing: linux /vmlinuz-6.12.73+deb13-amd64 root=/dev/mapper/debian--vg-root ro single dis_ucode_ldr console=ttyS0 console=tty systemd.zram=0
DEBUG:  grub_entry: linux initrd= /initrd.img-6.12.73+deb13-amd64
LOG: kexec-parse-boot.sh stdout: Debian GNU/Linux, with Linux 6.12.73+deb13-amd64 (recovery mode)|elf|kernel /vmlinuz-6.12.73+deb13-amd64|initrd /initrd.img-6.12.73+deb13-amd64|append root=/dev/mapper/debian--vg-root ro single dis_ucode_ldr console=ttyS0 console=tty systemd.zram=0
DEBUG:  grub_entry : linux trimcmd prior of kernel/append parsing: linux /vmlinuz-6.12.57+deb13-amd64 root=/dev/mapper/debian--vg-root ro console=ttyS0 console=tty systemd.zram=0 quiet
DEBUG:  grub_entry: linux initrd= /initrd.img-6.12.57+deb13-amd64
LOG: kexec-parse-boot.sh stdout: Debian GNU/Linux, with Linux 6.12.57+deb13-amd64|elf|kernel /vmlinuz-6.12.57+deb13-amd64|initrd /initrd.img-6.12.57+deb13-amd64|append root=/dev/mapper/debian--vg-root ro console=ttyS0 console=tty systemd.zram=0 quiet
DEBUG:  grub_entry : linux trimcmd prior of kernel/append parsing: linux /vmlinuz-6.12.57+deb13-amd64 root=/dev/mapper/debian--vg-root ro single dis_ucode_ldr console=ttyS0 console=tty systemd.zram=0
DEBUG:  grub_entry: linux initrd= /initrd.img-6.12.57+deb13-amd64
LOG: kexec-parse-boot.sh stdout: Debian GNU/Linux, with Linux 6.12.57+deb13-amd64 (recovery mode)|elf|kernel /vmlinuz-6.12.57+deb13-amd64|initrd /initrd.img-6.12.57+deb13-amd64|append root=/dev/mapper/debian--vg-root ro single dis_ucode_ldr console=ttyS0 console=tty systemd.zram=0
 >> Checking verified boot hash file
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-select-boot.sh:392) -> verify_global_hashes(/bin/kexec-select-boot.sh:84) -> verify_checksums(/etc/functions.sh:2413)
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-select-boot.sh:392) -> verify_global_hashes(/bin/kexec-select-boot.sh:84) -> verify_checksums(/etc/functions.sh:2425) -> print_tree(/etc/functions.sh:2327)
 OK Verified boot hashes
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-select-boot.sh:403) -> verify_rollback_counter(/bin/kexec-select-boot.sh:116)
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-select-boot.sh:403) -> verify_rollback_counter(/bin/kexec-select-boot.sh:123) -> read_tpm_counter(/etc/functions.sh:2027)
DEBUG: Counter file /tmp/counter-1b541a8 not found. Attempting to read from TPM.
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1235) -> tpm2_counter_read(/bin/tpmr.sh:277)
DEBUG: Counter file /tmp/counter-1b541a8 read successfully.
 >> Checking verified default boot hash file
 OK Verified default boot hashes
 >> Executing default boot for Debian GNU/Linux
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-boot.sh:0) -> main(/bin/kexec-boot.sh:7)
DEBUG: kexectype= elf
DEBUG: restval= 
DEBUG: filepath= /boot/vmlinuz-6.12.85+deb13-amd64
DEBUG: kexeccmd= kexec -l /boot/vmlinuz-6.12.85+deb13-amd64
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/kexec-insert-key.sh:6)
 >> Measuring TPM Disk Unlock Key (DUK) into PCR[6])
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/qubes-measure-luks.sh:0) -> main(/bin/qubes-measure-luks.sh:6)
DEBUG: Arguments passed to qubes-measure-luks.sh: /dev/vda5
DEBUG: Storing LUKS header for /dev/vda5 into /tmp/lukshdr-_dev_vda5
DEBUG: Hashing LUKS headers into /tmp/luksDump.txt
DEBUG: Removing /tmp/lukshdr-*
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/qubes-measure-luks.sh:0) -> main(/bin/qubes-measure-luks.sh:22)
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/qubes-measure-luks.sh:0) -> main(/bin/qubes-measure-luks.sh:23) -> INFO(/etc/functions.sh:301)
INFO: TPM: Extending PCR[6] with content of /tmp/luksDump.txt (hash of TPM Disk Unlock Key headers)
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/qubes-measure-luks.sh:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1220)
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/qubes-measure-luks.sh:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1230) -> INFO(/etc/functions.sh:301)
INFO: TPM: Extending PCR[6] with content of /tmp/luksDump.txt (hash: c250dd644976ed0cbe94b30c5973a09ebc5a19a64abb19b65312bd95b29025b3)
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/qubes-measure-luks.sh:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1232) -> tpm2_extend(/bin/tpmr.sh:245)
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/qubes-measure-luks.sh:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1232) -> tpm2_extend(/bin/tpmr.sh:261)
DEBUG: TPM: Will extend PCR[6] with hash of file content /tmp/luksDump.txt
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/qubes-measure-luks.sh:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1232) -> tpm2_extend(/bin/tpmr.sh:272) -> INFO(/etc/functions.sh:301)
INFO: TPM: Extended PCR[6] with hash c250dd644976ed0cbe94b30c5973a09ebc5a19a64abb19b65312bd95b29025b3
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/qubes-measure-luks.sh:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1232) -> tpm2_extend(/bin/tpmr.sh:273) -> INFO(/etc/functions.sh:301)
INFO: TPM: PCR[6] after extend:     6 : 0xF9C1C896180B71B3D17F61ACFD7ACA38C8F52E22C793F7985E67D656D225584A
 OK Encrypted disk keys have not changed since sealed in TPM Disk Unlock Key
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/kexec-unseal-key.sh:0) -> main(/bin/kexec-unseal-key.sh:13)
DEBUG: CONFIG_TPM: y
DEBUG: CONFIG_TPM2_TOOLS: y
DEBUG: Show PCRs
DEBUG:   sha256:
    0 : 0x0000000000000000000000000000000000000000000000000000000000000000
    1 : 0x0000000000000000000000000000000000000000000000000000000000000000
    2 : 0xB69F97011125E45E67F37EF36B9C3928D81B364E61D7B33406DCE0294541E586
    3 : 0x0000000000000000000000000000000000000000000000000000000000000000
    4 : 0x0000000000000000000000000000000000000000000000000000000000000000
    5 : 0x4BB1E1405AD1FA13B66FE9BB465B0DB0F18CA317B9802CE40D42589ACE26BF0E
    6 : 0xF9C1C896180B71B3D17F61ACFD7ACA38C8F52E22C793F7985E67D656D225584A
    7 : 0x3ABE71011EBF3CEC1A4CB83A678F15E7C1A3DF649F7F3EEED8E2B9C896183001
    8 : 0x0000000000000000000000000000000000000000000000000000000000000000
    9 : 0x0000000000000000000000000000000000000000000000000000000000000000
    10: 0x0000000000000000000000000000000000000000000000000000000000000000
    11: 0x0000000000000000000000000000000000000000000000000000000000000000
    12: 0x0000000000000000000000000000000000000000000000000000000000000000
    13: 0x0000000000000000000000000000000000000000000000000000000000000000
    14: 0x0000000000000000000000000000000000000000000000000000000000000000
    15: 0x0000000000000000000000000000000000000000000000000000000000000000
    16: 0x0000000000000000000000000000000000000000000000000000000000000000
    17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    23: 0x0000000000000000000000000000000000000000000000000000000000000000
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/kexec-unseal-key.sh:0) -> main(/bin/unseal-totp.sh:0) -> main(/bin/unseal-totp.sh:17)
DEBUG: tpmr.sh unseal 4d47 0,1,2,3,4,7 312 /tmp/secret/totp.key
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/kexec-unseal-key.sh:0) -> main(/bin/unseal-totp.sh:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1253) -> tpm2_unseal(/bin/tpmr.sh:807)
DEBUG: tpm2_unseal: handle=0x81004d47 pcrl=0,1,2,3,4,7 file=/tmp/secret/totp.key pass=<empty>
DEBUG: Running at_exit handlers
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/kexec-unseal-key.sh:0) -> main(/bin/unseal-totp.sh:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1) -> run_at_exit_handlers(/etc/functions.sh:2773) -> cleanup_session(/bin/tpmr.sh:503)
DEBUG: Clean up session: /tmp/secret/unsealfile_policy.session
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/kexec-unseal-key.sh:0) -> main(/bin/unseal-totp.sh:0) -> main(/bin/unseal-totp.sh:17)
DEBUG: tpmr.sh unseal 4d47 0,1,2,3,4,7 312 /tmp/secret/totp.key
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/kexec-unseal-key.sh:0) -> main(/bin/unseal-totp.sh:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1253) -> tpm2_unseal(/bin/tpmr.sh:807)
DEBUG: tpm2_unseal: handle=0x81004d47 pcrl=0,1,2,3,4,7 file=/tmp/secret/totp.key pass=<empty>
DEBUG: Running at_exit handlers
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/kexec-unseal-key.sh:0) -> main(/bin/unseal-totp.sh:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1) -> run_at_exit_handlers(/etc/functions.sh:2773) -> cleanup_session(/bin/tpmr.sh:503)
DEBUG: Clean up session: /tmp/secret/unsealfile_policy.session
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/kexec-unseal-key.sh:0) -> main(/bin/unseal-totp.sh:0) -> main(/bin/unseal-totp.sh:17)
DEBUG: tpmr.sh unseal 4d47 0,1,2,3,4,7 312 /tmp/secret/totp.key
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/kexec-unseal-key.sh:0) -> main(/bin/unseal-totp.sh:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1253) -> tpm2_unseal(/bin/tpmr.sh:807)
DEBUG: tpm2_unseal: handle=0x81004d47 pcrl=0,1,2,3,4,7 file=/tmp/secret/totp.key pass=<empty>
DEBUG: Running at_exit handlers
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/kexec-unseal-key.sh:0) -> main(/bin/unseal-totp.sh:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1) -> run_at_exit_handlers(/etc/functions.sh:2773) -> cleanup_session(/bin/tpmr.sh:503)
DEBUG: Clean up session: /tmp/secret/unsealfile_policy.session
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/kexec-unseal-key.sh:0) -> main(/bin/unseal-totp.sh:0) -> main(/bin/unseal-totp.sh:17)
DEBUG: tpmr.sh unseal 4d47 0,1,2,3,4,7 312 /tmp/secret/totp.key
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/kexec-unseal-key.sh:0) -> main(/bin/unseal-totp.sh:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1253) -> tpm2_unseal(/bin/tpmr.sh:807)
DEBUG: tpm2_unseal: handle=0x81004d47 pcrl=0,1,2,3,4,7 file=/tmp/secret/totp.key pass=<empty>
DEBUG: Running at_exit handlers
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/kexec-unseal-key.sh:0) -> main(/bin/unseal-totp.sh:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1) -> run_at_exit_handlers(/etc/functions.sh:2773) -> cleanup_session(/bin/tpmr.sh:503)
DEBUG: Clean up session: /tmp/secret/unsealfile_policy.session
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/kexec-unseal-key.sh:0) -> main(/bin/unseal-totp.sh:0) -> main(/bin/unseal-totp.sh:17)
DEBUG: tpmr.sh unseal 4d47 0,1,2,3,4,7 312 /tmp/secret/totp.key
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/kexec-unseal-key.sh:0) -> main(/bin/unseal-totp.sh:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1253) -> tpm2_unseal(/bin/tpmr.sh:807)
DEBUG: tpm2_unseal: handle=0x81004d47 pcrl=0,1,2,3,4,7 file=/tmp/secret/totp.key pass=<empty>
TRACE: main(/init:0) -> main(/init:187) -> pause_recovery(/etc/functions.sh:1142) -> recovery(/etc/functions.sh:1068)
DEBUG: detect_heads_tty: tty(1) resolved HEADS_TTY=/dev/ttyS0
DEBUG: detect_heads_tty: exporting HEADS_TTY=/dev/ttyS0 GPG_TTY=/dev/ttyS0
DEBUG: Board qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet - version Heads-v0.2.1-3006-g87a7317  EC_VER: 
TRACE: main(/init:0) -> main(/init:187) -> pause_recovery(/etc/functions.sh:1142) -> recovery(/etc/functions.sh:1092) -> INFO(/etc/functions.sh:301)
INFO: TPM: Extending PCR[4] with content of string 'recovery' to prevent further secret unsealing
TRACE: main(/init:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1220)
TRACE: main(/init:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1226) -> INFO(/etc/functions.sh:301)
INFO: TPM: Extending PCR[4] with content of string 'recovery' (hash: 8c585378513f5f7a2e1456ee54042605fdb890392becefadd2ab180fd02fb341)
TRACE: main(/init:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1232) -> tpm2_extend(/bin/tpmr.sh:245)
TRACE: main(/init:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1232) -> tpm2_extend(/bin/tpmr.sh:256)
DEBUG: TPM: Will extend PCR[4] with hash of string recovery
TRACE: main(/init:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1232) -> tpm2_extend(/bin/tpmr.sh:272) -> INFO(/etc/functions.sh:301)
INFO: TPM: Extended PCR[4] with hash 8c585378513f5f7a2e1456ee54042605fdb890392becefadd2ab180fd02fb341
LOG: tpm2 stderr: ERROR: Could not open path "/tmp/secret/enc.ctx", due to error: "No such file or directory"
LOG: tpm2 stderr: ERROR: Could not restore aux-session #/tmp/secret/enc.ctx
TRACE: main(/init:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1232) -> tpm2_extend(/bin/tpmr.sh:273) -> INFO(/etc/functions.sh:301)
LOG: tpm2 stderr: ERROR: Unable to run unseal
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/kexec-unseal-key.sh:0) -> main(/bin/unseal-totp.sh:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1253) -> tpm2_unseal(/bin/tpmr.sh:852) -> WARN(/etc/functions.sh:77)

 *** WARNING: Unable to unseal secret from TPM NVRAM ***

INFO: TPM: PCR[4] after extend:     4 : 0x51737C77C481AA22095B38D38FC9FD494B0FFA4EAE7D3AC238082083D0AFD614
TRACE: main(/init:0) -> main(/init:187) -> pause_recovery(/etc/functions.sh:1142) -> recovery(/etc/functions.sh:1103) -> WARN(/etc/functions.sh:77)

 *** WARNING: Serial console recovery shell ***

DEBUG: Running at_exit handlers
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/kexec-unseal-key.sh:0) -> main(/bin/unseal-totp.sh:0) -> main(/bin/tpmr.sh:0) -> main(/bin/tpmr.sh:1253) -> tpm2_unseal(/bin/tpmr.sh:1) -> run_at_exit_handlers(/etc/functions.sh:2773) -> cleanup_session(/bin/tpmr.sh:503)
DEBUG: Clean up session: /tmp/secret/unsealfile_policy.session
TRACE: main(/init:0) -> main(/init:187) -> pause_recovery(/etc/functions.sh:1142) -> recovery(/etc/functions.sh:1108) -> INFO(/etc/functions.sh:301)
INFO: TPM: PCR state on entering recovery shell:
DEBUG: tpmr.sh: exited with status 1
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/kexec-unseal-key.sh:0) -> main(/bin/unseal-totp.sh:0) -> main(/bin/unseal-totp.sh:32) -> fail_unseal(/etc/functions.sh:2925)
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/kexec-unseal-key.sh:0) -> main(/bin/unseal-totp.sh:0) -> main(/bin/unseal-totp.sh:32) -> fail_unseal(/etc/functions.sh:2930) -> DIE(/etc/functions.sh:29)
!!! ERROR: Unable to unseal TOTP secret from TPM. Use the GUI menu (Options -> TPM/TOTP/HOTP Options -> Generate new TOTP/HOTP secret) to reseal. !!!
TRACE: main(/init:0) -> main(/bin/gui-init.sh:0) -> main(/bin/kexec-select-boot.sh:0) -> main(/bin/kexec-insert-key.sh:0) -> main(/bin/kexec-unseal-key.sh:0) -> main(/bin/unseal-totp.sh:0) -> main(/bin/unseal-totp.sh:32) -> fail_unseal(/etc/functions.sh:2930) -> DIE(/etc/functions.sh:45) -> INPUT(/etc/functions.sh:411)
INPUT: Press Enter to continue...
TRACE: main(/init:0) -> main(/init:187) -> pause_recovery(/etc/functions.sh:1142) -> recovery(/etc/functions.sh:1110) -> INFO(/etc/functions.sh:301)
INFO:   sha256:
TRACE: main(/init:0) -> main(/init:187) -> pause_recovery(/etc/functions.sh:1142) -> recovery(/etc/functions.sh:1110) -> INFO(/etc/functions.sh:301)
INFO:     0 : 0x0000000000000000000000000000000000000000000000000000000000000000
TRACE: main(/init:0) -> main(/init:187) -> pause_recovery(/etc/functions.sh:1142) -> recovery(/etc/functions.sh:1110) -> INFO(/etc/functions.sh:301)
INFO:     1 : 0x0000000000000000000000000000000000000000000000000000000000000000
TRACE: main(/init:0) -> main(/init:187) -> pause_recovery(/etc/functions.sh:1142) -> recovery(/etc/functions.sh:1110) -> INFO(/etc/functions.sh:301)
INFO:     2 : 0xB69F97011125E45E67F37EF36B9C3928D81B364E61D7B33406DCE0294541E586
TRACE: main(/init:0) -> main(/init:187) -> pause_recovery(/etc/functions.sh:1142) -> recovery(/etc/functions.sh:1110) -> INFO(/etc/functions.sh:301)
INFO:     3 : 0x0000000000000000000000000000000000000000000000000000000000000000
TRACE: main(/init:0) -> main(/init:187) -> pause_recovery(/etc/functions.sh:1142) -> recovery(/etc/functions.sh:1110) -> INFO(/etc/functions.sh:301)
INFO:     4 : 0x51737C77C481AA22095B38D38FC9FD494B0FFA4EAE7D3AC238082083D0AFD614
TRACE: main(/init:0) -> main(/init:187) -> pause_recovery(/etc/functions.sh:1142) -> recovery(/etc/functions.sh:1110) -> INFO(/etc/functions.sh:301)
INFO:     5 : 0x4BB1E1405AD1FA13B66FE9BB465B0DB0F18CA317B9802CE40D42589ACE26BF0E
TRACE: main(/init:0) -> main(/init:187) -> pause_recovery(/etc/functions.sh:1142) -> recovery(/etc/functions.sh:1110) -> INFO(/etc/functions.sh:301)
INFO:     6 : 0xF9C1C896180B71B3D17F61ACFD7ACA38C8F52E22C793F7985E67D656D225584A
TRACE: main(/init:0) -> main(/init:187) -> pause_recovery(/etc/functions.sh:1142) -> recovery(/etc/functions.sh:1110) -> INFO(/etc/functions.sh:301)
INFO:     7 : 0x3ABE71011EBF3CEC1A4CB83A678F15E7C1A3DF649F7F3EEED8E2B9C896183001
TRACE: main(/init:0) -> main(/init:187) -> pause_recovery(/etc/functions.sh:1142) -> recovery(/etc/functions.sh:1110) -> INFO(/etc/functions.sh:301)
INFO:     8 : 0x0000000000000000000000000000000000000000000000000000000000000000
TRACE: main(/init:0) -> main(/init:187) -> pause_recovery(/etc/functions.sh:1142) -> recovery(/etc/functions.sh:1110) -> INFO(/etc/functions.sh:301)
INFO:     9 : 0x0000000000000000000000000000000000000000000000000000000000000000
TRACE: main(/init:0) -> main(/init:187) -> pause_recovery(/etc/functions.sh:1142) -> recovery(/etc/functions.sh:1110) -> INFO(/etc/functions.sh:301)
INFO:     10: 0x0000000000000000000000000000000000000000000000000000000000000000
TRACE: main(/init:0) -> main(/init:187) -> pause_recovery(/etc/functions.sh:1142) -> recovery(/etc/functions.sh:1110) -> INFO(/etc/functions.sh:301)
INFO:     11: 0x0000000000000000000000000000000000000000000000000000000000000000
TRACE: main(/init:0) -> main(/init:187) -> pause_recovery(/etc/functions.sh:1142) -> recovery(/etc/functions.sh:1110) -> INFO(/etc/functions.sh:301)
INFO:     12: 0x0000000000000000000000000000000000000000000000000000000000000000
TRACE: main(/init:0) -> main(/init:187) -> pause_recovery(/etc/functions.sh:1142) -> recovery(/etc/functions.sh:1110) -> INFO(/etc/functions.sh:301)
INFO:     13: 0x0000000000000000000000000000000000000000000000000000000000000000
TRACE: main(/init:0) -> main(/init:187) -> pause_recovery(/etc/functions.sh:1142) -> recovery(/etc/functions.sh:1110) -> INFO(/etc/functions.sh:301)
INFO:     14: 0x0000000000000000000000000000000000000000000000000000000000000000
TRACE: main(/init:0) -> main(/init:187) -> pause_recovery(/etc/functions.sh:1142) -> recovery(/etc/functions.sh:1110) -> INFO(/etc/functions.sh:301)
INFO:     15: 0x0000000000000000000000000000000000000000000000000000000000000000
TRACE: main(/init:0) -> main(/init:187) -> pause_recovery(/etc/functions.sh:1142) -> recovery(/etc/functions.sh:1110) -> INFO(/etc/functions.sh:301)
INFO:     16: 0x0000000000000000000000000000000000000000000000000000000000000000
TRACE: main(/init:0) -> main(/init:187) -> pause_recovery(/etc/functions.sh:1142) -> recovery(/etc/functions.sh:1110) -> INFO(/etc/functions.sh:301)
INFO:     17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
TRACE: main(/init:0) -> main(/init:187) -> pause_recovery(/etc/functions.sh:1142) -> recovery(/etc/functions.sh:1110) -> INFO(/etc/functions.sh:301)
INFO:     18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
TRACE: main(/init:0) -> main(/init:187) -> pause_recovery(/etc/functions.sh:1142) -> recovery(/etc/functions.sh:1110) -> INFO(/etc/functions.sh:301)
INFO:     19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
TRACE: main(/init:0) -> main(/init:187) -> pause_recovery(/etc/functions.sh:1142) -> recovery(/etc/functions.sh:1110) -> INFO(/etc/functions.sh:301)
INFO:     20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
TRACE: main(/init:0) -> main(/init:187) -> pause_recovery(/etc/functions.sh:1142) -> recovery(/etc/functions.sh:1110) -> INFO(/etc/functions.sh:301)
INFO:     21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
TRACE: main(/init:0) -> main(/init:187) -> pause_recovery(/etc/functions.sh:1142) -> recovery(/etc/functions.sh:1110) -> INFO(/etc/functions.sh:301)
INFO:     22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
TRACE: main(/init:0) -> main(/init:187) -> pause_recovery(/etc/functions.sh:1142) -> recovery(/etc/functions.sh:1110) -> INFO(/etc/functions.sh:301)
INFO:     23: 0x0000000000000000000000000000000000000000000000000000000000000000
 >> Starting recovery shell

/tmp/measuring_trace.log

bash-5.1# cat /tmp/measuring_trace.log 
INFO: TPM: Extending PCR[7] with content of string '/.gnupg/pubring.kbx' (hash: 96ab5053e4630a040d55549ba73cff2178d401d763147776771f9774597b86a1)
INFO: TPM: Extended PCR[7] with hash 96ab5053e4630a040d55549ba73cff2178d401d763147776771f9774597b86a1
INFO: TPM: PCR[7] after extend:     7 : 0x36865F7C4725D07EE25C07BEAC46780BB45DCA781AD1B4C94E1F9816322732F0
INFO: TPM: Extending PCR[7] with content of /.gnupg/pubring.kbx (hash: 78eec42fa284396b1f3c87d560b809b2a69db1c14aefdba2714d39a0f6eab35c)
INFO: TPM: Extended PCR[7] with hash 78eec42fa284396b1f3c87d560b809b2a69db1c14aefdba2714d39a0f6eab35c
INFO: TPM: PCR[7] after extend:     7 : 0x57B4C0E7BF595D35624B84CDC2D69EB46741774A44C67B8AFD818A1D73ACC924
INFO: TPM: Extending PCR[7] with content of string '/.gnupg/trustdb.gpg' (hash: 53b843fe9bb52894d3a7d00197c776d56f3059f6a285124c7916724cd5013b0b)
INFO: TPM: Extended PCR[7] with hash 53b843fe9bb52894d3a7d00197c776d56f3059f6a285124c7916724cd5013b0b
INFO: TPM: PCR[7] after extend:     7 : 0xF034312C786FCAFF763321A4CACAF8ACF14AD84E8AA7EDD5675BE33B5F13D573
INFO: TPM: Extending PCR[7] with content of /.gnupg/trustdb.gpg (hash: 71fab743bc34b91d51ea89cadbf4c898d2298be2ede14a23646cef5b1423a1c9)
INFO: TPM: Extended PCR[7] with hash 71fab743bc34b91d51ea89cadbf4c898d2298be2ede14a23646cef5b1423a1c9
INFO: TPM: PCR[7] after extend:     7 : 0x3ABE71011EBF3CEC1A4CB83A678F15E7C1A3DF649F7F3EEED8E2B9C896183001
INFO: TPM: Extending PCR[5] with content of module file '/lib/modules/ehci-hcd.ko' and parameters '' before loading
INFO: TPM: Extending PCR[5] with content of /lib/modules/ehci-hcd.ko (hash: 24eae3f2a147c715bd7e0c0ca362f2fe4d6def6925cfea8a06f3a243bd07bf58)
INFO: TPM: Extended PCR[5] with hash 24eae3f2a147c715bd7e0c0ca362f2fe4d6def6925cfea8a06f3a243bd07bf58
INFO: TPM: PCR[5] after extend:     5 : 0x909690BD6F97E04B50958166F992B414D81A0D36B732B6A7DA951763541D1CF5
INFO: TPM: Extending PCR[5] with content of module file '/lib/modules/uhci-hcd.ko' and parameters '' before loading
INFO: TPM: Extending PCR[5] with content of /lib/modules/uhci-hcd.ko (hash: 351589f2423438d7e7bcfab17d1065da794185fd105a2eaa70938f84635aa1f4)
INFO: TPM: Extended PCR[5] with hash 351589f2423438d7e7bcfab17d1065da794185fd105a2eaa70938f84635aa1f4
INFO: TPM: PCR[5] after extend:     5 : 0x8EC9D2802F8413D4F6C607B73A5103E568ED77E62FB9EEA6EDFDD5EF2693DFDF
INFO: TPM: Extending PCR[5] with content of module file '/lib/modules/ohci-hcd.ko' and parameters '' before loading
INFO: TPM: Extending PCR[5] with content of /lib/modules/ohci-hcd.ko (hash: 355261b550b90c17b3d7de6306b63d4ac81b3901eb3e698718feb8f9e455beac)
INFO: TPM: Extended PCR[5] with hash 355261b550b90c17b3d7de6306b63d4ac81b3901eb3e698718feb8f9e455beac
INFO: TPM: PCR[5] after extend:     5 : 0x5A5A2C556E0204C43F40A8B45CA0FC19CFDFA97F6CFEBBD0D37AF8C342916F4A
INFO: TPM: Extending PCR[5] with content of module file '/lib/modules/ohci-pci.ko' and parameters '' before loading
INFO: TPM: Extending PCR[5] with content of /lib/modules/ohci-pci.ko (hash: fc9a0bcce7dbf1e2c47f138f8f4fb30b26973686d3e3fe671f82848af7fd28c3)
INFO: TPM: Extended PCR[5] with hash fc9a0bcce7dbf1e2c47f138f8f4fb30b26973686d3e3fe671f82848af7fd28c3
INFO: TPM: PCR[5] after extend:     5 : 0x8BA29C95378766C29BEEFB929839549069585709C32EA253F4E11234766039C1
INFO: TPM: Extending PCR[5] with content of module file '/lib/modules/ehci-pci.ko' and parameters '' before loading
INFO: TPM: Extending PCR[5] with content of /lib/modules/ehci-pci.ko (hash: 70c868f3f436e7ae7daaa0b070ecc024309e634cb3cd6387394249e69a8e7f58)
INFO: TPM: Extended PCR[5] with hash 70c868f3f436e7ae7daaa0b070ecc024309e634cb3cd6387394249e69a8e7f58
INFO: TPM: PCR[5] after extend:     5 : 0x3479F0982F2000A4052ADA1FA5485239FCD86C0EAD6F624FC300DA8A29C6157A
INFO: TPM: Extending PCR[5] with content of module file '/lib/modules/xhci-hcd.ko' and parameters '' before loading
INFO: TPM: Extending PCR[5] with content of /lib/modules/xhci-hcd.ko (hash: 5777b543e7a375a39ce486d83a5ff02dcaf5ec2d26356818d8ed0619224f31b3)
INFO: TPM: Extended PCR[5] with hash 5777b543e7a375a39ce486d83a5ff02dcaf5ec2d26356818d8ed0619224f31b3
INFO: TPM: PCR[5] after extend:     5 : 0x76B689397B52935FCC087204CBFCAD42442577A38025DACC0C6481BFDC8609B4
INFO: TPM: Extending PCR[5] with content of module file '/lib/modules/xhci-pci.ko' and parameters '' before loading
INFO: TPM: Extending PCR[5] with content of /lib/modules/xhci-pci.ko (hash: 7a3d34fe568abab53b827ff77d4c51f21a7057111c8afcc4c91e775f92ed3488)
INFO: TPM: Extended PCR[5] with hash 7a3d34fe568abab53b827ff77d4c51f21a7057111c8afcc4c91e775f92ed3488
INFO: TPM: PCR[5] after extend:     5 : 0x4BB1E1405AD1FA13B66FE9BB465B0DB0F18CA317B9802CE40D42589ACE26BF0E
INFO: TPM: Extending PCR[6] with content of /tmp/luksDump.txt (hash of TPM Disk Unlock Key headers)
INFO: TPM: Extending PCR[6] with content of /tmp/luksDump.txt (hash: c250dd644976ed0cbe94b30c5973a09ebc5a19a64abb19b65312bd95b29025b3)
INFO: TPM: Extended PCR[6] with hash c250dd644976ed0cbe94b30c5973a09ebc5a19a64abb19b65312bd95b29025b3
INFO: TPM: PCR[6] after extend:     6 : 0xF9C1C896180B71B3D17F61ACFD7ACA38C8F52E22C793F7985E67D656D225584A
INFO: TPM: Extending PCR[4] with content of string 'recovery' to prevent further secret unsealing
INFO: TPM: Extending PCR[4] with content of string 'recovery' (hash: 8c585378513f5f7a2e1456ee54042605fdb890392becefadd2ab180fd02fb341)
INFO: TPM: Extended PCR[4] with hash 8c585378513f5f7a2e1456ee54042605fdb890392becefadd2ab180fd02fb341
INFO: TPM: PCR[4] after extend:     4 : 0x51737C77C481AA22095B38D38FC9FD494B0FFA4EAE7D3AC238082083D0AFD614
INFO: TPM: PCR state on entering recovery shell:
INFO:   sha256:
INFO:     0 : 0x0000000000000000000000000000000000000000000000000000000000000000
INFO:     1 : 0x0000000000000000000000000000000000000000000000000000000000000000
INFO:     2 : 0xB69F97011125E45E67F37EF36B9C3928D81B364E61D7B33406DCE0294541E586
INFO:     3 : 0x0000000000000000000000000000000000000000000000000000000000000000
INFO:     4 : 0x51737C77C481AA22095B38D38FC9FD494B0FFA4EAE7D3AC238082083D0AFD614
INFO:     5 : 0x4BB1E1405AD1FA13B66FE9BB465B0DB0F18CA317B9802CE40D42589ACE26BF0E
INFO:     6 : 0xF9C1C896180B71B3D17F61ACFD7ACA38C8F52E22C793F7985E67D656D225584A
INFO:     7 : 0x3ABE71011EBF3CEC1A4CB83A678F15E7C1A3DF649F7F3EEED8E2B9C896183001
INFO:     8 : 0x0000000000000000000000000000000000000000000000000000000000000000
INFO:     9 : 0x0000000000000000000000000000000000000000000000000000000000000000
INFO:     10: 0x0000000000000000000000000000000000000000000000000000000000000000
INFO:     11: 0x0000000000000000000000000000000000000000000000000000000000000000
INFO:     12: 0x0000000000000000000000000000000000000000000000000000000000000000
INFO:     13: 0x0000000000000000000000000000000000000000000000000000000000000000
INFO:     14: 0x0000000000000000000000000000000000000000000000000000000000000000
INFO:     15: 0x0000000000000000000000000000000000000000000000000000000000000000
INFO:     16: 0x0000000000000000000000000000000000000000000000000000000000000000
INFO:     17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
INFO:     18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
INFO:     19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
INFO:     20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
INFO:     21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
INFO:     22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
INFO:     23: 0x0000000000000000000000000000000000000000000000000000000000000000

@tlaurion
Collaborator Author

tlaurion commented May 7, 2026

Rebasing on merging master + fixup here, which now includes #2102

-> 57cfe85

@tlaurion
Collaborator Author


tlaurion commented May 7, 2026

@notgivenby @marmarek decided to switch DEBUG to WARN when USB keyboard is enforced per board/user config, per 9a98d79
[screenshot: signal-2026-05-07-162706]

See WARNING in yellow.

There is now no way users are not aware of it.

Tested on x230-hotp-maximized enabling usb keyboard in config menu.

Q: @marmarek we can deprecate EOL_x230-hotp-maximized_usb-kb?

Copilot AI left a comment

Pull request overview

Copilot reviewed 15 out of 31 changed files in this pull request and generated 1 comment.

Comment thread: initrd/etc/functions.sh

```sh
# Timeout after 2 seconds
if awk -v s="$start" -v n="$now" 'BEGIN{exit (n - s > 2.0) ? 0 : 1}'; then
	DEBUG "USB wait timeout at ${elapsed}s (iter $iteration): only found $peripheral_count peripheral device(s)"
	WARN "USB peripheral devices were not detected within 2s, continuing"
```
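The bounded wait Copilot's comment points at (a poll loop that uses awk for the fractional-second timeout comparison, then WARNs and continues rather than aborting) is easier to reason about end to end. The block below is an added example written for this page, not the project's own initrd/etc/functions.sh: the DEBUG/WARN stand-ins, now_seconds, elapsed_exceeds, wait_for_count and the demo_probe counter are all assumed names, and demo_probe is a constructed stand-in for whatever counts enumerated USB devices on the real system.

```shell
#!/bin/sh
# Added example (not the project's code): a bounded, best-effort wait loop
# modelled on the awk-based timeout check quoted from the review thread.

# Stand-ins for the initrd's DEBUG/WARN log helpers (assumed names).
DEBUG() { [ -n "$DEBUG_ENABLED" ] && echo "DEBUG: $*" >&2; return 0; }
WARN() { echo "WARN: $*" >&2; }

# Seconds since boot (fractional) from /proc/uptime, which does not jump when
# the RTC is set; falls back to wall-clock seconds elsewhere.
now_seconds() {
	if [ -r /proc/uptime ]; then
		cut -d' ' -f1 /proc/uptime
	else
		date +%s
	fi
}

# elapsed_exceeds START NOW LIMIT: status 0 when NOW - START > LIMIT.
# awk does the comparison because POSIX sh arithmetic is integer-only.
elapsed_exceeds() {
	awk -v s="$1" -v n="$2" -v lim="$3" 'BEGIN { exit (n - s > lim) ? 0 : 1 }'
}

# wait_for_count PROBE WANTED TIMEOUT [INTERVAL]
# Polls PROBE (a command printing a device count) until it reports at least
# WANTED devices or TIMEOUT seconds have elapsed. Returns 0 on success and 1
# on timeout; on timeout it only WARNs, so the caller decides whether to
# continue best-effort (as the 2 s USB peripheral wait does) or to abort.
wait_for_count() {
	probe="$1"; wanted="$2"; timeout="$3"; interval="${4:-0.1}"
	start=$(now_seconds)
	iteration=0
	while :; do
		iteration=$((iteration + 1))
		count=$($probe)
		: "${count:=0}"
		if [ "$count" -ge "$wanted" ]; then
			DEBUG "found $count device(s) after $iteration iteration(s)"
			return 0
		fi
		now=$(now_seconds)
		if elapsed_exceeds "$start" "$now" "$timeout"; then
			DEBUG "wait timeout (iter $iteration): only found $count device(s)"
			WARN "Expected $wanted device(s) not detected within ${timeout}s, continuing"
			return 1
		fi
		# Fractional sleep: fine with GNU coreutils and busybox sleep.
		sleep "$interval"
	done
}

# Constructed probe for demonstration only: reports one more "device" per
# call, standing in for counting entries under a sysfs bus directory.
DEMO_COUNTER_FILE="${TMPDIR:-/tmp}/demo_usb_count.$$"
demo_probe() {
	c=$(cat "$DEMO_COUNTER_FILE" 2>/dev/null || echo 0)
	c=$((c + 1))
	echo "$c" > "$DEMO_COUNTER_FILE"
	echo "$c"
}
demo_reset() { rm -f "$DEMO_COUNTER_FILE"; }
```

Two things carry over from the reviewed snippet: the clock is read in one helper, so the time source can be changed without touching the loop, and the timeout path returns a status instead of dying, which is what makes "continuing" a deliberate caller decision rather than an accident of the helper.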
@marmarek
Contributor


marmarek commented May 7, 2026

> Q: @marmarek we can deprecate EOL_x230-hotp-maximized_usb-kb?

That still can be enabled in the config menu, right? If so, dropping separate build is fine with me.

…cally, document seeds

- Fix regression from a2a027f: replace x230-hotp-maximized_usb-kb
  with x230-hotp-maximized in CI (was accidentally swapped)
- Group all boards under their respective coreboot fork
- Sort entries alphabetically within each fork group
- Move EOL_t480 and EOL_t480s into the 25.09 group (were orphaned at bottom)
- Reorder fork seeds alphabetically
- Document downstream boards per seed

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
@tlaurion
Collaborator Author


tlaurion commented May 8, 2026

> Q: @marmarek we can deprecate EOL_x230-hotp-maximized_usb-kb?
>
> That still can be enabled in the config menu, right? If so, dropping separate build is fine with me.

Yes, it can be enabled with the internal keyboard through the config menu + save to flash.

This results in
[screenshot: signal-2026-05-07-162706]
(as shown under #2094 (comment))


EOL_x230-hotp-maximized_usb-kb dropped in circleci for now in 13fef22
