UX improvements: TPM reseal (HOTP/TOTP/DUK) adds integrity report; detects disk/TPM swap and guides the user into action, adds terminal colors and guidance! Reduced quiet noise. (#2068)
Pull request overview
This PR improves Heads’ TPM reseal UX by adding an integrity “gate” (TOTP/HOTP + /boot verification) and better detection/handling of TPM/disk swap or rollback-counter inconsistencies, plus some QEMU-focused debugging/documentation updates.
Changes:
- Add measured integrity reporting + discrepancy investigation flows, and integrate them into reseal/reset paths in the GUI.
- Improve TPM rollback-counter handling (preflight validation, clearer error guidance, better prompt visibility).
- Replace fdisk-based disk display with a sysfs-based helper and add QEMU troubleshooting/debug tips (including TPM2 pcap capture).
Reviewed changes
Copilot reviewed 8 out of 20 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| targets/qemu.md | Adds QEMU troubleshooting notes (Canokey state reuse, TPM2 pcap capture). |
| initrd/etc/gui_functions | Adds integrity report + investigation UI helpers; system info now uses disk_info_sysfs. |
| initrd/etc/functions | Adds trace stack, rollback-counter preflight helpers, sysfs disk info helper, and multiple TPM/boot-device related adjustments. |
| initrd/bin/unseal-totp | Improves TPM2 primary-handle error handling and adds nonfatal mode support. |
| initrd/bin/unseal-hotp | Improves TPM2 primary-handle + rollback-state-aware error handling and adds nonfatal mode support. |
| initrd/bin/tpmr | Improves TPM2 counter increment auth handling, counter-create UX, and TPM2 seal/unseal messaging. |
| initrd/bin/seal-totp | Adds TPM2 primary-handle precheck + clearer sealing failure guidance. |
| initrd/bin/root-hashes-gui.sh | Improves tracing/debugging and adds more flexible LVM LV selection/cleanup. |
| initrd/bin/oem-system-info-xx30 | Switches disk listing to disk_info_sysfs to avoid fdisk/busybox limitations. |
| initrd/bin/oem-factory-reset | Adjusts TPM counter increment handling and removes duplicated integrity report implementation. |
| initrd/bin/kexec-sign-config | Changes TPM counter increment handling and adds a pre-check for empty GPG keyring; modifies signing pipeline. |
| initrd/bin/kexec-select-boot | Hard-fails on TPM2 primary handle hash mismatch with a stronger warning. |
| initrd/bin/kexec-seal-key | Tweaks passphrase prompts/formatting for improved UX. |
| initrd/bin/gui-init | Adds integrity gate + rollback-counter preflight UX and integrates investigation/report flows. |
| boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.config | Documents TPM2 pcap capture option in board config. |
| boards/qemu-coreboot-fbwhiptail-tpm2-prod_quiet/qemu-coreboot-fbwhiptail-tpm2-prod_quiet.config | Adds a new “prod_quiet” QEMU TPM2 board config. |
| boards/qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet/qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet.config | Adjusts board name and minor formatting. |
| boards/qemu-coreboot-fbwhiptail-tpm1-prod_quiet/qemu-coreboot-fbwhiptail-tpm1-prod_quiet.config | Adds a new “prod_quiet” QEMU TPM1 board config. |
| boards/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet.config | Adjusts board name. |
| .gitignore | Ignores *.asc files. |
Still WIP, but I would appreciate early testing from all board testers tagged under BOARDS_AND_TESTERS.md:
Still WIP, but I would appreciate all testers participating in testing and reporting corner-case issues. From master's https://github.com/linuxboot/heads/blob/1ab159f22599e7f3b8254ed6ed30bbd617eb4a5a/BOARDS_AND_TESTERS.md, here are all the official testers we currently have: This has no chance of bricking. Please report anything you find, since this is aimed for next and the soon-coming feature freeze 2026-04. Thank you.
Working on it some more: some more detection of an empty keyring, of a mismatch between the kexec.sig signing key and the one currently held by the USB security dongle, etc. Also coming: colorized output. Will leave it to a proper UX flow on upgrade, trying to catch all corner cases, and move STATUS output and the INPUT whiptail prompt to after porting the missing functions into fbwhiptail later (#2069) if there is funding/interest.
Go!
…dd prod_quiet QEMU configs

Improve TPM/TOTP/HOTP recovery and reseal behavior by adding integrity-first gating, coloring and improvements of logging/input wrappers, clearer failure handling, and stronger rollback preflight checks.

- add integrity report + investigation flows in GUI, with explicit actions before reseal/reset paths
- introduce TPM reset-required markers and rollback preflight validation to fail early on inconsistent TPM state
- make unseal/seal paths safer and more recoverable (nonfatal unseal mode, clearer reset/reseal guidance, better TPM1/TPM2 handling)
- improve kexec signing reliability with explicit signing key selection and actionable GPG error diagnostics
- avoid hiding interactive password/PIN prompts by removing inappropriate debug wrappers around sensitive interactive commands
- add run_lvm wrapper and switch runtime scripts to reduce harmless LVM noise
- refresh TPM2 primary-handle hash in update/signing flows to keep trust metadata in sync
- add new qemu fbwhiptail prod_quiet board configs for TPM1 and TPM2
- fix board-name values for existing qemu hotp prod_quiet variants
- document QEMU canokey state reuse and TPM2 pcap capture debugging
- ignore exported public key artifacts (*.asc) in .gitignore
- rewrite doc/logging.md: debug.log always captures every level regardless of output mode; console visibility is the only mode-dependent behavior; document STATUS, NOTE, INPUT levels and ANSI color coding rationale
- fix DEBUG, TRACE, warn to unconditionally write to debug.log (previously only wrote to debug.log when CONFIG_DEBUG_OUTPUT=y)
- add STATUS, STATUS_OK, NOTE, INPUT logging functions with ANSI color coding; replace bare echo/read patterns across codebase with proper log levels
- fix INPUT: echo after read so single-char keypresses do not bleed onto the next output line
- demote "No encrypted LVMs/devices found" from INFO to DEBUG
- add per-state signing_key_guidance in integrity report (AVAILABLE / CARD UNPROVISIONED / CARD KEY DOES NOT MATCH FIRMWARE / NO CARD DETECTED) replacing a generic catch-all message
- suppress redundant Measured Integrity Report when user navigates to OEM Factory Reset from within the report (INTEGRITY_REPORT_ALREADY_SHOWN)
- call wait_for_gpg_card silently first; only prompt to insert card if not already detected
- call enable_usb unconditionally at gui-init startup (was gated on HOTP)
- call wait_for_gpg_card before GPG key count check in reset_tpm loop so card is detected on first pass without requiring a manual retry
- reboot: qemu-* calls poweroff from reboot, pauses for recovery

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
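The logging design the commit message describes (every level always appended to debug.log, CONFIG_DEBUG_OUTPUT only gating console visibility of debug levels, INPUT emitting a newline after the read and never logging the reply), as an added shell illustration that is not Heads' own code; the DEBUG_LOG path, the helper names and the color choices are assumptions.

```shell
#!/bin/sh
# Constructed illustration of the logging design, not the Heads implementation.
#   - every level is appended to DEBUG_LOG unconditionally
#   - CONFIG_DEBUG_OUTPUT only decides whether DEBUG/TRACE reach the console
#   - STATUS/NOTE/INPUT are colored on the console; DEBUG/TRACE stay plain
DEBUG_LOG="${DEBUG_LOG:-/tmp/debug.log}"          # assumed path
CONFIG_DEBUG_OUTPUT="${CONFIG_DEBUG_OUTPUT:-n}"   # assumed config switch
C_GREEN='\033[32m'; C_YELLOW='\033[33m'; C_CYAN='\033[36m'; C_RESET='\033[0m'

# File sink: always on, one timestamped "LEVEL: message" line per call.
_log_file() {
    printf '%s %s: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" >> "$DEBUG_LOG"
}

# Console sink on stderr; an empty color argument means plain text.
_log_console() {
    if [ -n "$1" ]; then
        printf '%b%s:%b %s\n' "$1" "$2" "$C_RESET" "$3" >&2
    else
        printf '%s: %s\n' "$2" "$3" >&2
    fi
}

# Debug levels: logged to file always, shown on console only in debug mode.
DEBUG() { _log_file DEBUG "$*"; if [ "$CONFIG_DEBUG_OUTPUT" = y ]; then _log_console '' DEBUG "$*"; fi; }
TRACE() { _log_file TRACE "$*"; if [ "$CONFIG_DEBUG_OUTPUT" = y ]; then _log_console '' TRACE "$*"; fi; }

# User-facing levels: logged to file and always shown, with color.
STATUS() { _log_file STATUS "$*"; _log_console "$C_GREEN" STATUS "$*"; }
NOTE()   { _log_file NOTE "$*";   _log_console "$C_YELLOW" NOTE "$*"; }

# INPUT: show the prompt, read the reply, then emit a newline so a single
# keypress does not bleed into the next line. Only the prompt is logged;
# the reply (possibly a PIN or passphrase) never reaches the log file.
INPUT() {
    _log_file INPUT "$1"
    printf '%b%s:%b %s ' "$C_CYAN" INPUT "$C_RESET" "$1" >&2
    read -r _reply
    printf '\n' >&2
    printf '%s\n' "$_reply"
}

# Number of log lines at a given level (0 when none, or when no log exists yet).
log_count() {
    [ -f "$DEBUG_LOG" ] || { echo 0; return; }
    grep -c "^[^ ]* $1:" "$DEBUG_LOG" 2>/dev/null || true
}
```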
@macpijan @mkopec + @3hhh @akfhasodh @akunterkontrolle @alexmaloteaux @arhabd @bwachter @computer-user123 @daringer @doob85 @doritos4mlady @eganonoa @fhvyhjriur @gaspar-ilom @HarleyGodfrey @househead @icequbes1 @jan23 @jans23 @jnscmns @JonathonHall-Purism @kjkent @lsafd @MattClifton76 @merge @mkopec @d-wid @MrChromebox @n4ru @nestire @nitrosimon @notgivenby @pcm720 @rbreslow @ResendeGHF @shamen123 @srgrint @ThePlexus @thickfont @Thrilleratplay @tlaurion @Tonux599 @weyounsix @zifxify Would be nice if you tested (no need for hardware: swtpm+canokey) in a cloned ~/heads dir for this PR: Then follow the prompts. You should be guided into reownership. Reboot. Thanks.
Tested: simulating or real firmware upgrade from master to this PR's CI-created ROM artifacts, 03/11/2026
Workflow change
CC @wessel-novacustom comments?
There were reports of Heads not providing integrity checks prior to resealing TOTP/HOTP, so that the user is confident about the state of /boot prior to resealing TOTP/HOTP/DUK, which would re-sign /boot content.
Normal workflow after upgrading firmware while /boot unchanged
Normal non-hotp boot workflow requesting TPM DUK
Other corner cases
TPM reset from OS?
Similar to above, but pushes for TPM Reset since TPM reseal won't work


Replaced GPG key, mismatch with the USB security dongle, etc.
This is where testing of corner cases is lacking (too much time involved here already)