
Implement a "Quiet mode", hiding console output into LOG mode to be seen under /tmp/debug.log from recovery console #1822

Open
1 task
tlaurion opened this issue Oct 24, 2024 · 3 comments

Comments

@tlaurion
Collaborator

tlaurion commented Oct 24, 2024

The idea here is that Heads is getting more and more mainstreamed and aims to get easier/less scary to newcomers.

History:

  • Heads was once used only by technical users and collaborated upon by security oriented people.
  • Nowadays, this is shifting a bit where advanced users still want to see TPM extend operations (that were cleaned and more spot-on relative information is now provided on console prior to TPM PCR extend ops) but Heads newcomers do not want to see verbose information on console (TMI!!!). This is the current technical information provided to all on each boot:
    • On early boot: Heads asciiart
    • Followed by user material being extracted from cbfs and measured prior of being used
    • Followed by early, board specific kernel modules measurements + load (usb controllers kernel modules, usb keyboard)
    • Followed by late runtime state PCR extension/recovery shell access PCR extension to invalidate secret unsealing from TPM nvram
    • Followed by late optional TPM Disk Unlock Key (DUK) additional measurements (LUKS header, some platform TPM event log replay) measurements
    • Followed by /boot signed hash digest validation
    • Followed by HOTP enablement + automatic default boot "press any key to exit default boot" prompt
    • Followed by optional DUK passphrase prompt if everything above kosher
    • Followed by board specific chipset locking of SPI chip (PR0)
    • Followed by TPM cleanup (TPM2)
    • Followed by kexec call
    • OS takeover output

With HOTP and automatic boot now being default in all HOTP boards, which are the ones aimed at less technical users as opposed to non-HOTP (TOTP only remote attestation over phone), only required output on default boot could be, for quiet mode:

  • HOTP default boot "press any key to exit default boot" prompt to enter GUI
  • OS takeover output

With such implementation, OEM could, as part of their rebranding commit on top of chosen master commit, overload board config with something like `export CONFIG_QUIET_MODE=y` and have everything advanced hidden from end users. Of course this would require paid development time, but would reduce noise that is currently scary for non technical users. Log traces will always stay available through recovery shell under /tmp/debug.log, where everything above would be trapped behind LOG helper (see /initrd/etc/ash_functions's LOG) to output in debug.log even if no TRACE/DEBUG is enabled under board's config, leaving otherwise default output to console under file instead.

Thoughts? Comments?
This would be effort to address concerns for downstream OEM users and to help mainstream Heads usage and reduce noise for less advanced users.

  • @wessel-novacustom/@jans23: please tag any other people that you think should be involved in this discussion to determine requirements.

--

Note that this effort will not be part of day to day maintainership and must be scoped as OEM first consultation service per #1627

@tlaurion
Collaborator Author

tlaurion commented Nov 25, 2024

A video first from repro instructions under qemu-coreboot-fbwhiptail-hotp-prod, which emulates most of everything that is not platform dependent, while requiring some workaround since we don't have #1203 yet.

Will edit with some notes to create independent issues, but first upload video for before after.

Based on 4f14058

This is factory-reset/re-ownership:
https://github.com/user-attachments/assets/ac86ab9d-9c60-4e0b-863f-c18301361c22

@tlaurion
Collaborator Author

Will edit on notes to be taken from this video to sub issues to be resolved.
This video is post oem-factory-reset workflow, tpm TOTP sealing + TOTP reverse HOTP sealing, signing /boot digests, setting DUK. Sorry for the 5fps, video was too big and not done learning what are proper settings for screenshare encoding with VBR and proper size <10mb to be uploaded under github.

post_oem-factory-reset_prod_without_previous_DUK-setup_5.mp4

@tlaurion
Collaborator Author

tlaurion commented Nov 25, 2024

This is default boot with TPM DUK set up, video too big again, will edit once I have a video editing setup, testing shotcut 10% quality, 5fps, sorry again.

Will edit with issues to tackle in output

default_boot-TPM_DUK_hotp-shotcut-10_percent_q.mp4
  • TPM output: start using LOG function: current console output (echo) using LOG function to either call DEBUG, output to console if not in quiet mode or output to /tmp/debug.log if in quiet mode.
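An added shell illustration of the LOG behaviour this thread asks for, not code from the Heads repository: the LOG name and CONFIG_QUIET_MODE come from the issue, while the LOG_FILE override, the log_count helper and the sample boot messages are assumptions made here so it runs outside an initrd.

```shell
#!/bin/sh
# Added example, not Heads' own /initrd/etc/ash_functions. A LOG helper that
# always records to the debug log (so the recovery shell can read it even with
# no TRACE/DEBUG enabled) and prints to the console only when the board config
# does not set CONFIG_QUIET_MODE=y.
# Assumption: LOG_FILE is overridable so the helper can be exercised outside
# an initrd; the default matches the path named in the issue.
LOG_FILE="${LOG_FILE:-/tmp/debug.log}"

# LOG "message": timestamped append to the debug log; console echo unless quiet.
LOG() {
    printf '%s %s\n' "$(date +%T)" "$*" >>"$LOG_FILE"
    if [ "${CONFIG_QUIET_MODE:-n}" != "y" ]; then
        printf '%s\n' "$*"
    fi
}

# log_count "needle": number of debug-log lines containing needle (test helper,
# also handy from the recovery shell to confirm a step ran while quiet).
log_count() {
    grep -c -- "$1" "$LOG_FILE" 2>/dev/null || true
}

# Demo: `sh quiet_log.sh demo` logs one constructed boot message verbosely,
# then the same message in quiet mode, and dumps the resulting log.
if [ "${1:-}" = "demo" ]; then
    LOG_FILE="$(mktemp)"
    CONFIG_QUIET_MODE=n
    LOG "Extending PCR4 with recovery-shell marker"
    CONFIG_QUIET_MODE=y
    LOG "Extending PCR4 with recovery-shell marker"
    echo "--- $LOG_FILE ---"
    cat "$LOG_FILE"
    rm -f "$LOG_FILE"
fi
```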
