Delay branding detection until a known USB security dongle vendor ID appears in sysfs, then run lsusb matching.

- Add bounded VID polling in detect_usb_security_dongle_branding()
- Keep branding fallback path when no known VID appears
- Initialize USB in integrity report path before branding detection

Signed-off-by: Thierry Laurion <insurgo@riseup.net>

Normalize user-visible logging across initrd scripts and documentation so output levels are applied consistently.

- Align STATUS/STATUS_OK usage for action start and success
- Reserve NOTE for user guidance requiring attention
- Keep WARN/ERROR messaging actionable and consistent
- Update doc/logging.md to match runtime behavior

Signed-off-by: Thierry Laurion <insurgo@riseup.net>

Relative to origin/master (c2fb345):
- Introduces wait_for_usb_security_dongle_vid() with visible countdown.
- Adds user-cancel path during wait (keyboard/serial).

Current state:
- Wait exits early once a known VID appears.
- Wait times out after 15 seconds to avoid indefinite boot stall.
- Branding fallback path remains unchanged.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>

Relative to origin/master (c2fb345):
- Aligns pause_recovery() with hardened recovery checks.
- Drains serial input queue before launching recovery shell.

Current state:
- Buffered serial bytes are no longer interpreted as shell commands.
- PCR extension/auth path is preserved before shell handoff.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>

Relative to origin/master (c2fb345):
- Replaces asymmetric script handling with PID-tracked respawn loop.
- Tracks process ids per console path and restarts only when dead.

Current state:
- Main and auxiliary consoles respawn predictably without tight loops.
- Existing cttyhack/agetty split is preserved.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>

Relative to origin/master (c2fb345):
- Reintroduces DEBUG lines for critical startup branching decisions.
- Covers TPM/USB gating, recovery paths, and boot flow selection.

Current state:
- Early-boot decision points are observable in debug logs.
- Runtime behavior is unchanged; this is diagnostics-only.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>

Relative to origin/master (c2fb345):
- GIT_BRANCH-derived token used in artifact names is sanitized.
- Slashes/whitespace in branch names no longer create invalid output paths.

Current state:
- Artifact basenames remain traceable to branch context.
- Build copy/install steps no longer fail on branch names like feature/foo.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>

Correct DUK documentation from "128 characters" to "128 bytes" in runtime status/error messages and security/TPM docs. Add explicit notation of the brute-force space (2^1024) to clarify entropy magnitude.

The DUK is 128 bytes from /dev/urandom (1024 bits of entropy). Brute-force time grows exponentially with entropy: a 128-byte random secret has 2^1024 possible values, requiring an attacker to try about 2^1023 guesses on average.

Using the formula time ≈ 2^(H-1)/R (where H is entropy in bits, R is guesses/second):
- At 10^12 guesses/second, expected time is ~2^1023/10^12 seconds
- This is unimaginably longer than the age of the universe (~4×10^17 seconds)
- Every bit of entropy doubles the search space, making exponential growth the key property

For practical comparison: 80 Diceware words provide ~1032 bits of entropy, roughly comparable to 128 random bytes. Every attack rate is dominated by the exponential requirement.

Important caveat: this protection applies only to offline brute-force against a correctly stored secret. Online rate limits or poor storage would override these estimates.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>

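The bounded sysfs wait that the commits above describe (return as soon as a known VID appears, give up at the timeout so the caller can take its fallback path), as an added example that is not the Heads implementation and leaves out the countdown and cancel handling. `SYSFS_USB`, `known_vid_present` and `wait_for_known_vid` are hypothetical names, and the VID list is whatever the caller passes in.

```shell
#!/bin/sh
# Added example, not code from the PR. SYSFS_USB and both function
# names are assumptions; the caller supplies the list of known VIDs.
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb/devices}"

# Return 0 if any device's idVendor matches one of the
# space-separated, lowercase hex VIDs given in $1.
known_vid_present() {
    vids="$1"
    for f in "$SYSFS_USB"/*/idVendor; do
        [ -r "$f" ] || continue        # unmatched glob or unreadable file
        vid=""
        read -r vid <"$f" || true      # tolerate a missing trailing newline
        [ -n "$vid" ] || continue
        vid=$(printf '%s' "$vid" | tr 'A-F' 'a-f')
        case " $vids " in
            *" $vid "*) return 0 ;;
        esac
    done
    return 1
}

# Poll every $3 seconds (whole seconds) for at most $2 seconds.
# Returns 0 on detection, 1 on timeout; it never blocks past the budget,
# so a missing dongle cannot stall boot indefinitely.
wait_for_known_vid() {
    vids="$1" timeout="${2:-15}" interval="${3:-1}"
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        known_vid_present "$vids" && return 0
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    known_vid_present "$vids"          # one last look at the deadline
}
```
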
Superseded by reopened PR #2094 to preserve original review thread and comments.
Pull request overview
This PR updates Heads initrd boot/security plumbing to improve USB dongle branding detection, refine TPM/logging semantics, add additional boot-time diagnostics/tracing, and expand DUK entropy documentation.
Changes:
- Add sysfs-based USB dongle VID polling + serial/FB-specific input handling for dongle wait UX.
- Refactor/normalize logging and TPM PCR “extend” messaging across multiple initrd scripts (including additional DEBUG/STATUS_OK signals).
- Change init orchestration to a PID-tracked boot-script respawn loop and update documentation around logging + DUK entropy.
Reviewed changes
Copilot reviewed 8 out of 24 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| Makefile | Sanitizes branch name for artifact filenames. |
| initrd/sbin/insmod.sh | Clarifies TPM PCR extend log message content. |
| initrd/init | Adds more DEBUG traces and changes boot script execution to a respawn loop. |
| initrd/etc/gui_functions.sh | Enables USB before dongle branding detection and adds signing-key verification success status. |
| initrd/etc/functions.sh | Adds serial-tty helper, dongle VID polling/wait UX, recovery-shell PCR state logging, and tweaks TPM2 PCR read formatting. |
| initrd/bin/usb-init.sh | Clarifies PCR4 extend purpose/content for USB boot path. |
| initrd/bin/unseal-hotp.sh | Adds STATUS/STATUS_OK around HOTP unseal operations. |
| initrd/bin/uefi-init.sh | Clarifies PCR extend message to reference file content. |
| initrd/bin/tpmr.sh | Refines PCR extend logging and adjusts severity for TPM2 unseal failures; adds reset status messages. |
| initrd/bin/seal-totp.sh | Adjusts output level for displaying the manual TOTP secret. |
| initrd/bin/seal-hotpkey.sh | Adds STATUS/STATUS_OK around writing the HOTP secret to dongle. |
| initrd/bin/qubes-measure-luks.sh | Updates PCR6 measurement log wording. |
| initrd/bin/oem-factory-reset.sh | Adds STATUS_OK milestones and adjusts INFO→NOTE guidance output. |
| initrd/bin/network-init-recovery.sh | Adds STATUS_OK milestones and tweaks time/clock log output. |
| initrd/bin/lock_chip.sh | Adds STATUS_OK after chipset write-protection finalization. |
| initrd/bin/kexec-select-boot.sh | Tweaks status wording and PCR4 extend message details. |
| initrd/bin/kexec-seal-key.sh | Adds entropy analysis commentary, more STATUS_OK milestones, and refines PCR6 measurement wording. |
| initrd/bin/kexec-insert-key.sh | Updates PCR6 measurement STATUS text and PCR4 extend message details. |
| initrd/bin/gui-init.sh | Adds more STATUS/DEBUG traces for user actions and HOTP flows; refines USB enable comment/location in TPM reset flow. |
| initrd/bin/gpg-gui.sh | Switches instruction lines from INFO to NOTE. |
| initrd/bin/cbfs-init.sh | Improves flashprog/CBFS read messaging and outcome logging. |
| doc/tpm.md | Updates DUK description from “128 characters” to “128 bytes” and adds brute-force-space context. |
| doc/security-model.md | Updates DUK brute-force-space documentation. |
| doc/logging.md | Expands/reworks logging semantics and documents /tmp/measuring_trace.log. |
Comment on lines +304 to +305
| # which one needs restart. Prevents busy-polling. | ||
| wait |
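Review bot: the bare `wait` on +305 returns only after every background child has exited, not when the first one does, so while one console script is still running a dead one is not respawned, which does not match the comment on +304 about finding which one needs restart. Wait for a single child instead (for example `wait -n` where the shell supports it), or check each tracked PID with `kill -0` between short sleeps.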
Comment on lines 1125 to +1129
| INPUT "Press Enter to proceed to recovery shell" | ||
| recovery $* | ||
|
|
||
| # Re-detect TTY so INPUT uses the correct device | ||
| detect_heads_tty | ||
|
|
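Review bot: `recovery $*` in this hunk expands its arguments unquoted, so a message containing spaces or glob characters is re-split and pathname-expanded before `recovery` sees it. Pass `"$@"` to keep the original arguments, or `"$*"` if a single joined string is intended.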
Comment on lines +256 to 258
| # Enable USB first for proper branding detection (user-initiated, won't break DUK unseal) | ||
| enable_usb | ||
| detect_usb_security_dongle_branding |
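Review bot: the comment on +256 asserts that calling `enable_usb` here "won't break DUK unseal" but gives no reason beyond "user-initiated". State the condition that makes it safe on this path, so the `enable_usb` / `detect_usb_security_dongle_branding` pair is not later copied onto a path that runs before unseal.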
Comment on lines +603 to +611
| printf "\n\n" >"$interactive_tty" 2>/dev/null | ||
| DEBUG "User cancelled USB dongle wait (key on framebuffer)" | ||
| return 1 | ||
| fi | ||
| else | ||
| if IFS= read -r -t 0.2 -n 1 ch; then | ||
| printf "\n\n" | ||
| DEBUG "User cancelled USB dongle wait (key on framebuffer)" | ||
| return 1 |
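Review bot: both branches log "User cancelled USB dongle wait (key on framebuffer)", including the `else` branch that reads from standard input and prints without `$interactive_tty`. Give the `else` branch its own DEBUG text naming its input source, so the debug log shows which path the cancel came from.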
Summary
Comprehensive enhancements to Heads initrd system across USB dongle detection, TPM counter error handling, logging semantics, boot-time tracing, and DUK (Disk Unlock Key) entropy documentation.
Changes vs origin/master
USB Dongle & Branding Detection
TPM Counter & Error Handling
Boot Infrastructure & Logging
DUK Documentation & Cryptographic Analysis
Related Issues
Closes #2098, #2097
Testing