Bugfix: Fix TPM auth retry, counter error handling, and NV error surfacing#2099
Pull request overview
This PR addresses TPM regressions introduced in PR #2068 by reworking TPM counter creation/increment error handling and auth retry behavior, and updating GUI flows/docs to surface TPM reset-required states more clearly.
Changes:
- Add shared TPM auth-retry helper logic and refactor TPM1/TPM2 counter operations in `tpmr.sh`.
- Improve rollback counter creation/increment handling and propagate TPM “out of resources (0x15)” into a `tpm_reset_required` marker + targeted UX.
- Update GUI flows and documentation to support “Reset the TPM” gate-bypass patterns and clearer recovery guidance.
Reviewed changes
Copilot reviewed 4 out of 6 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| initrd/etc/gui_functions.sh | Exit integrity investigation loop when update_checksums triggers tpm_reset_required. |
| initrd/etc/functions.sh | Detect TPM 0x15 on counter_create and adjust TPM counter increment plumbing. |
| initrd/bin/tpmr.sh | Introduce _tpm_auth_retry, refactor TPM counter ops, and surface TPM1 stdout quirks. |
| initrd/bin/gui-init.sh | Improve UX around checksum update failure and gate bypass for TPM reset; verify TPM reset result. |
| doc/ux-patterns.md | Document the reset gate-bypass UX pattern. |
| doc/tpm.md | Document 0x15 recovery behavior and TPM1 stdout behavior. |
Pull request overview
Copilot reviewed 11 out of 13 changed files in this pull request and generated no new comments.
Comments suppressed due to low confidence (1)
initrd/etc/functions.sh:1901
- The comment above the `counter_increment` pipeline says stdout is captured “while still letting stdout appear on the console”, but the current pipeline ends with `tee /tmp/counter-... >/dev/null`, which discards stdout from the console entirely. Either update the comment to match the behavior, or adjust the pipeline if the intent really is to keep stdout visible to the user.
```sh
# Try to increment the counter. We normally hide the verbose
# output of tpmr.sh commands to avoid overwhelming the console, but we
# must *not* swallow any interactive prompts. The previous implementation
# redirected the entire `tpmr.sh counter_create` invocation to a file and
# /dev/null, which meant that when the counter was missing the password
# prompt could not be seen by the user even though tpmr.sh printed it to the
# controlling terminal. Instead, capture just the stdout in a temporary
# file while still letting stdout appear on the console (and logging
# stderr to debug log).
```
Pull request overview
Copilot reviewed 11 out of 13 changed files in this pull request and generated 2 comments.
Comments suppressed due to low confidence (1)
initrd/etc/functions.sh:1901
- The comment above the counter increment pipeline says stdout is captured “while still letting stdout appear on the console”, but the actual pipeline sends stdout into `tee ... >/dev/null`, which suppresses console output. Either adjust the redirection to match the comment (if console output is desired) or update the comment to reflect that stdout is intentionally hidden and only logged/stored.
```sh
# Try to increment the counter. We normally hide the verbose
# output of tpmr.sh commands to avoid overwhelming the console, but we
# must *not* swallow any interactive prompts. The previous implementation
# redirected the entire `tpmr.sh counter_create` invocation to a file and
# /dev/null, which meant that when the counter was missing the password
# prompt could not be seen by the user even though tpmr.sh printed it to the
# controlling terminal. Instead, capture just the stdout in a temporary
# file while still letting stdout appear on the console (and logging
# stderr to debug log).
```
Pull request overview
Copilot reviewed 11 out of 13 changed files in this pull request and generated 3 comments.
Pull request overview
Copilot reviewed 2 out of 4 changed files in this pull request and generated no new comments.
Pull request overview
Copilot reviewed 5 out of 7 changed files in this pull request and generated 3 comments.
Comments suppressed due to low confidence (1)
initrd/etc/functions.sh:1906
- This comment says the implementation will “still let stdout appear on the console”, but both TPM1/TPM2 branches pipe DO_WITH_DEBUG output into `tee /tmp/counter-... >/dev/null`, which suppresses stdout from reaching the console. Update the comment to match the actual behavior (stdout captured to file; interactive prompts remain visible via tty).
```sh
# Try to increment the counter. We normally hide the verbose
# output of tpmr.sh commands to avoid overwhelming the console, but we
# must *not* swallow any interactive prompts. The previous implementation
# redirected the entire `tpmr.sh counter_create` invocation to a file and
# /dev/null, which meant that when the counter was missing the password
# prompt could not be seen by the user even though tpmr.sh printed it to the
# controlling terminal. Instead, capture just the stdout in a temporary
# file while still letting stdout appear on the console (and logging
# stderr to debug log).
```
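The two pipelines the review comments above contrast, as an added example that is not Heads code: `fake_tpm_counter` is a constructed stand-in for `tpmr.sh counter_create` that prints verbose status on stdout, a diagnostic on stderr and its password prompt on `/dev/tty` (`PROMPT_TTY` is a hypothetical override for tty-less runs), so the prompt stays visible whichever way stdout is redirected.

```shell
#!/bin/sh
# Added example (not from Heads). fake_tpm_counter is a constructed stand-in
# for `tpmr.sh counter_create`: verbose status on stdout, diagnostics on
# stderr, and the interactive prompt written to the controlling terminal.
fake_tpm_counter() {
    echo "counter 0x1000 created, value 42"
    echo "debug: NV define ok" >&2
    # The prompt bypasses stdout, which is why it survives the redirections
    # below. PROMPT_TTY is a hook for tty-less runs; ignore open failures.
    printf 'Enter TPM owner password: ' 2>/dev/null >"${PROMPT_TTY:-/dev/tty}" || true
}

# Pipeline as shipped in the PR: stdout saved to $1 for parsing, stderr
# appended to the debug log $2, nothing from stdout reaches the console.
counter_hidden() {
    fake_tpm_counter 2>>"$2" | tee "$1" >/dev/null
}

# Pipeline the stale comment described: stdout saved to $1 AND echoed to
# the console. The only difference is the trailing >/dev/null.
counter_visible() {
    fake_tpm_counter 2>>"$2" | tee "$1"
}

# Caveat for either form: the pipeline's status is tee's, so a failing
# TPM command is not seen. Check the captured output (or use bash's
# `set -o pipefail`) instead of trusting $?.
counter_value() {    # $1 = capture file; prints the counter value in it
    sed -n 's/.*value \([0-9]*\).*/\1/p' "$1"
}

demo() {
    out=$(mktemp); log=$(mktemp)
    hidden=$(counter_hidden "$out" "$log")
    visible=$(counter_visible "$out" "$log")
    printf 'console (hidden): [%s]\nconsole (visible): [%s]\nfile: [%s]\nvalue: %s\n' \
        "$hidden" "$visible" "$(cat "$out")" "$(counter_value "$out")"
    rm -f "$out" "$log"
}
demo
```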
…acing

This commit fixes regressions introduced by PR linuxboot#2068, merged to origin/master on 2026-04-07.

Regressions fixed (present in origin/master post-PR linuxboot#2068):
- No "out of resources" (0x15) TPM counter error detection
- TPM2 counter increment had no auth retry on wrong passphrase
- TPM1 counter increment had no error handling
- tpm1_seal silenced NV define/write errors
- Duplicate TPM1/TPM2 retry loops (~100 lines of redundant code)
- counter_present dead code (now fixed with counter_read check)
- Comment mismatch (stdout vs console) now fixed
- set -e issue in check_tpm_counter (wrapped in subshell)

Fixes implemented:
- Add shared _tpm_auth_retry helper for TPM1/TPM2
- check_tpm_counter only triggers tpm_reset_required on 0x15 errors
- tpm1_seal surfaces NV errors with retry loop
- Simplify reset_tpm to verify tpmr.sh reset exit code

Copilot review fixes:
- Fix counter_present dead code: add counter_read check
- Fix comment at line 1901: stdout goes to /dev/null via tee
- Wrap tpmr.sh counter_create in subshell for set -e compatibility

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…d/etc/*.sh

Scripts were renamed from * to *.sh in a previous PR, but doc/* references didn't follow. Update all initrd/bin/* and initrd/etc/* references in doc/* to use the correct .sh extension for consistency.

Fixes Copilot review comments:
- doc/tpm.md:158 - functions, usb-init, kexec-insert-key -> .sh
- doc/tpm.md:390 - TPM1 vs TPM2 table uses tpmr.sh
- doc/tpm.md:364 - initrd/bin/* and initrd/etc/* -> .sh
- doc/config.md:45 - fix corrupted path boards/<name>/initrd/bin/.sh<file>
- doc/architecture.md:61 - seal-hotpkey -> seal-hotpkey.sh
- doc/tpm.md:14 - tpmr -> tpmr.sh for consistency
- doc/tpm.md:162,367 - remaining tpmr -> tpmr.sh references

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…oards

The unconditional enable_usb and detect_usb_security_dongle_branding calls in gui-init.sh (introduced by eb84f1b) caused USB modules to be loaded early during boot, extending PCR-5. This resulted in 'Error PCR mismatch from TPM_Unseal' on non-HOTP boards because kexec-seal-key.sh predicts PCR-5 = 0 (no modules loaded) for the DUK seal.

Fix:
- Gate enable_usb and detect_usb_security_dongle_branding with 'if [ -x /bin/hotp_verification ]' so non-HOTP boards don't load USB modules during early boot
- Non-HOTP boards: PCR-5 stays at 0, DUK unseal works correctly
- HOTP boards: USB still initialized early (required for dongle interaction), but only once (gated by _USB_ENABLED flag)
- Add enable_usb to wait_for_gpg_card() to ensure USB is ready before GPG card access

Fixes regression introduced in commit eb84f1b.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…gle_branding

detect_usb_security_dongle_branding() already calls enable_usb() internally, so calling enable_usb() before it is redundant. Remove all redundant calls and export _USB_ENABLED so child processes inherit the state. Also add DEBUG statements per doc/logging.md at key decision points.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…essage

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This PR fixes regressions introduced by PR #2068, merged to origin/master on 2026-04-07.
Regressions fixed (present in origin/master post-PR #2068):
- `enable_usb` and `detect_usb_security_dongle_branding` in `gui-init.sh` loaded USB modules (ehci-hcd, xhci-hcd, etc.) during early boot, extending PCR-5. `kexec-seal-key.sh` predicts PCR-5 = 0 for DUK seal, causing "Error PCR mismatch from TPM_Unseal" (exit code 24 = 0x18 = TPM_RC_PCR_MISMATCH).

Fixes implemented:

PCR-5 / DUK unseal fix (commits 3-4):
- Gate `enable_usb` and `detect_usb_security_dongle_branding` inside `if [ -x /bin/hotp_verification ]` in `gui-init.sh` so non-HOTP boards don't load USB modules during early boot
- HOTP boards: USB still initialized early, but only once (gated by the `_USB_ENABLED` flag)
- Export `_USB_ENABLED`: child processes (seal-hotpkey.sh, kexec-seal-key.sh, etc.) now inherit the flag and don't reload USB modules
- Add DEBUG statements to `enable_usb()` per `doc/logging.md` conventions
- Add `enable_usb` to `wait_for_gpg_card()` to ensure USB is ready before GPG card access

TPM auth retry / counter error handling (commits 1-2):
- Add shared `_tpm_auth_retry` helper for TPM1/TPM2
- `check_tpm_counter` only triggers `tpm_reset_required` on 0x15 errors
- `tpm1_seal` surfaces NV errors with retry loop
- Simplify `reset_tpm` to verify `tpmr.sh reset` exit code
- `tpmr.sh counter_create` now detects "out of resources" (0x15) and surfaces a proper error

Docs: unify script name references (commit 2):
- Update `initrd/bin/*` and `initrd/etc/*` references in `doc/*` to use the `.sh` extension

Testing: (reseal TOTP+HOTP+DUK, TPM Reset + DUK sealing, OEM Factory Reset/Re-Ownership)
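A toy model of the PCR-5 regression described in this PR, added here and not part of the PR or of Heads: PCR-5 starts at zero and is extended for every measured module load, the DUK seal predicts the final value, and the `_USB_ENABLED` gate keeps child processes from measuring the modules a second time. It assumes `sha256sum` from coreutils; hashing hex strings stands in for the TPM's byte-level extend and is not byte-exact.

```shell
#!/bin/sh
# Added example, not Heads code. Models PCR-5 as a SHA-256 hash chain over
# hex strings (illustrative only; a real TPM extends over raw bytes) to show
# why an early module load breaks a DUK sealed against a predicted PCR-5 = 0.

PCR5_INIT=$(printf '%064d' 0)    # 32 zero bytes, as a hex string

# pcr_extend CURRENT EVENT -> H(CURRENT || H(EVENT)), the TPM extend rule.
pcr_extend() {
    ev=$(printf '%s' "$2" | sha256sum | cut -d' ' -f1)
    printf '%s%s' "$1" "$ev" | sha256sum | cut -d' ' -f1
}

# Simulated early boot of gui-init.sh. $1 stands in for /bin/hotp_verification:
# the PR gates USB init on its executability. _USB_ENABLED mirrors the flag
# the PR exports so children (seal-hotpkey.sh, kexec-seal-key.sh) skip it.
# Prints the resulting PCR-5.
boot_pcr5() {
    pcr="$PCR5_INIT"
    if [ -x "$1" ] && [ "${_USB_ENABLED:-0}" != "1" ]; then
        for mod in ehci-hcd xhci-hcd; do      # enable_usb: measured loads
            pcr=$(pcr_extend "$pcr" "$mod")
        done
        _USB_ENABLED=1; export _USB_ENABLED
    fi
    printf '%s' "$pcr"
}

# kexec-seal-key.sh predicts PCR-5 = 0 (no modules loaded) for the DUK seal.
predicted_pcr5() { printf '%s' "$PCR5_INIT"; }

# unseal_ok ACTUAL -> 0 when the policy is satisfied, otherwise 24
# (0x18, the TPM_Unseal exit code quoted in the PR description).
unseal_ok() {
    [ "$1" = "$(predicted_pcr5)" ] && return 0
    return 24
}

demo() {
    for board in /nonexistent/hotp_verification /bin/sh; do
        actual=$(boot_pcr5 "$board")
        rc=0; unseal_ok "$actual" || rc=$?
        echo "$board -> unseal rc=$rc (0 = ok, 24 = PCR mismatch)"
    done
}
demo
```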