About a year ago, Kyle Rankin wrote an article about PureBoot’s recovery console.
This was a very interesting article which started me exploring the payload’s runtime environment, filesystem and tools. It really is much fun: you can see all sorts of interesting things like scripts, coreboot stages logs and TPM measurements, config files, and much more.
I can’t exactly remember where (could be reading some osresearch documentation) I got the notion that I could invoke the console by holding the ‘r’ key right after power on. But then I got into the habit of doing so every time I wanted a console.
Recent versions of PureBoot have introduced this much-awaited “Restricted Boot” feature, which - among other things - restricts and even forbids invoking a recovery console; a good thing for added security.
Just the other day, I flashed the latest PureBoot version 27 and after this I wanted to reboot into the console to check which coreboot modules had changed from the previous version. Out of habit, I rebooted holding the ‘r’ key. Then I thought to myself: this is not gonna work, I re-enabled restricted boot…but to my surprise, I dropped into the console right then!
I thought maybe this was a new bug or regression with version 27, so I rolled back to v25 and checked again: same behavior. And then v24 as well!
So we have a problem. What could it be? A race condition between an early console catching the ‘r’ key and acting before the script checking the state of restricted boot is run? Could it be a feature used only for debugging and that was inadvertently left enabled?
Anyway, getting a recovery console so easily at startup…sort of defeats the whole purpose of restricted boot.