add visual response to escape key ignored in secure mode

[Quozl]

the ok prompt is not to be accessible when the system is secured. this is working fine.

however, when diagnosing system behaviour, it is not easy to differentiate between a failed escape key, failed keyboard, or secured laptop.

test case: with a system secured, and no developer key present, use the keyboard to attempt access to the ok prompt, verify that something is displayed to indicate failure.

[Quozl]

Patch to print "Secured, continuing" if the escape key was pressed at boot when the system is secured.

[Quozl]

Mitch, what do you think of this change? Caution is warranted because it is a change to the secure boot path.

I've tested it here with a secure laptop. Two downsides:

• the visible causes the signed boot search to appear,
• the escape is consumed, requiring two escapes when a developer key is present, but that could be fixed using pending-char instead of key.

[reuben]

My only comment is that I'd be cautious to change dev key behavior much. As it stands I've seen in the field what appears to be a regression or significant delay added between pressing ESC key and getting the ok prompt when using a dev key.

[Quozl]

This isn't developer key behaviour being changed, once I change to using pending-char.

I can explain the significant delay you see in the field. It is not a regression.

The code that captures the ESC key when the laptop is unlocked, runs before any device or filesystem access occurs. So it has a very predictable response. Pressing ESC as soon as the XO icon appears or the startup sound begins will always work.

But the code that captures the key when the laptop is locked, with a developer key present, runs after a device and filesystem search for /security/develop.sig. Since the NAND FLASH on XO-1 has a jffs2 filesystem, the time it takes to open this filesystem can be large, and can vary.

I have updated http://wiki.laptop.org/go/Ok

[Quozl]

Second patch, using pending-char, no longer consumes the ESC key that is needed to gain the ok prompt on a locked laptop with a developer key present. Tested.

[Quozl]

Has completed local testing, pushed as svn 3007.

[Quozl]

Is in Q2F12. Yet to be in Q3 or Q4.

[Quozl]

Is in Q3C07. Yet to be in Q4.

[Quozl]

Is in Q4D17.

[dsd]

Test in 12.1.0 build 15.

[dsd]

I checked this on Q2F12. Seems to be working OK but maybe I found a corner case.

When booting with a developer key on USB, I press escape and see: Secured, continuing.

A moment later, it seeks and finds the developer key and gives me the prompt.

Is this the intended design?

[Quozl]

Yes, intended. I saw that too and considered it. It still gives useful information, in that the laptop is secured.

[greenfeld]

One sees "Secured Continuing" on XO-1, 1.5, & 1.75 with 12.1.0 os16 when pressing the ESC key.

If a developer key is present we get a OFW prompt; if it is not we continue booting normally in secure mode.