heads/unmaintained_boards/x230-legacy/x230-legacy.config

# Configuration for a X230 running Qubes 4.1 and other Linux Based OSes (through kexec)
#
# Deactivated to fit in coreboot's CONFIG_CBFS_SIZE=0x700000 :
# dropbear support(ssh client/server)
# e1000e (ethernet driver)
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=24.02.01
export CONFIG_LINUX_VERSION=5.10.5

CONFIG_COREBOOT_CONFIG=config/coreboot-UNMAINTAINED_x230-legacy.config
CONFIG_LINUX_CONFIG=config/linux-UNMAINTAINED_x230-legacy.config

#Additional hardware support
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000E=n

CONFIG_CRYPTSETUP2=y
CONFIG_FLASHPROG=y
CONFIG_FLASHTOOLS=y
CONFIG_GPG2=y
CONFIG_KEXEC=y
CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y

#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y
CONFIG_POPT=y
CONFIG_QRENCODE=y
CONFIG_TPMTOTP=y
#HOTP based remote attestation for supported USB Security dongle
#With/Without TPM support
CONFIG_HOTPKEY=n

#Nitrokey Storage admin tool
CONFIG_NKSTORECLI=n

#GUI Support
#Console based Whiptail support(Console based, no FB):
CONFIG_SLANG=y
CONFIG_NEWT=y
#FBWhiptail based (Graphical):
#CONFIG_CAIRO=y
#CONFIG_FBWHIPTAIL=y

#Additional tools:
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=n

export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n
export CONFIG_BOOT_KERNEL_ADD=""
export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
export CONFIG_BOARD_NAME="Thinkpad X230-legacy"
export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal --ifd --image bios"

# This board has two SPI flash chips, an 8 MB that holds the IFD,
# the ME image and part of the coreboot image, and a 4 MB one that
# has the rest of the coreboot and the reset vector.
#
# Only flashing to the bios region is safe to do. The easiest is to
# flash internally when the IFD is unlocked for writing, and x230-flash
# is installed first.
cryptsetup2 toolstack version bump and script fixes to support multi-LUKS containers (BTRFS QubesOS 4.2) cryptsetup2 2.6.1 is a new release that supports reencryption of Q4.2 release LUKS2 volumes created at installation. This is a critical feature for the Qubes OS 4.2 release for added data at rest protection Cryptsetup 2.6.x internal changes: - Argon2 used externally and internally: requires a lot of RAM and CPU to derivate passphrase to key validated in key slots. - This is used to rate limit efficiently bruteforcing of LUKS key slots, requiring each offline brute force attempt to consume ~15-30 seconds per attempt - OF course, strong passphrases are still recommended, but bruteforcing LUKSv2 containers with Argon2 would require immense time, ram and CPU even to bruteforce low entropy passphrase/PINs. - passphrase change doesn't permit LUKS key slot specification anymore: key slot rotates (new one consusumed per op: then old one wiped internally. EG: LUKS key slot 1 created, then 0 deleted) - reencryption doesn't permit old call arguments. No more direct-io; inadmissively slow through AIO (async) calls, need workarounds for good enough perfs (arguments + newer kernel with cloudfare fixes in tree) cryptsetup 2.6.1 requires: - lvm2 2.03.23, which is also included in this PR. - requires libaio, which is also included in this PR (could be hacked out but deep dependency at first sight: left in) - requires util-linux 2.39 - patches for reproducible builds are included for above 3 packages. luks-functions was updated to support the new cryptsetup2 version calls/changes - reencryption happen in direct-io, offline mode and without locking, requiring linux 5.10.9+ to bypass linux queues - from tests, this is best for performance and reliability in single-user mode - LUKS container ops now validate Disk Recovery Key (DRK) passphrase prior and DRK key slot prior of going forward if needed, failing early. - Heads don't expect DRK to be in static key slot anymore, and finds the DRK key slot dynamically. - If reencrytipn/passphrase change: make sure all LUKS containers on same block device can be unlocked with same DRK - Reencryption: requires to know which key slot to reencrypt. - Find LUKS key slot that unlocks with DRK passphrase unlock prior of reencrypt call - Passphrase change: no slot can be passed, but key slot of DRK rotates. kexec-seal-key - TPM LUKS Disk Unlock Key key slots have changed to be set in max slots per LUKS version (LUKSv1:7 /LUKSv2: 31) - If key slot != default LUKS version's keyslot outside of DRK key slot: prompt the user before wiping that key slot, otherwise wipe automatically - This takes for granted that the DRK key slot alone is needed on the system and Heads controls the LUKS key slots. - If user has something else going on, ie: Using USB Security dongle + TPM DUK, then the user will need to say no when wiping keys. - It was suggested to leave LUKS key slots outside of DRK alone, but then: what to do when all key slots would be used? - Alternative implementation could be to only prompt users to wipe keyslots other then DRK when key slots are all used (LUKSv1: 0-7, LUKSv2: 0-31) - But then cleanup would need to happen prior of operations (LUKS passphrase change, TPM DUK setup) and could be problematic. - LUKS containers now checked to be same LUKS version prior of permitting to set TPM DUK and will refuse to go forward of different versions. TODO: - async (AIO) calls are not used. direct-io is used instead. libaio could be hacked out - this could be subject to future work Notes: - time to deprecated legacy boards the do not enough space for the new space requirements - x230-legacy, x230-legacy-flash, x230-hotp-legacy - t430-legacy, t430-legacy-flash, t430-hotp-legacy already deprecated Unrelated: - typos fixes found along the way Signed-off-by: Thierry Laurion <insurgo@riseup.net> 2024-08-16 19:20:11 +00:00			`# Configuration for a X230 running Qubes 4.1 and other Linux Based OSes (through kexec)`
			`#`
			`# Deactivated to fit in coreboot's CONFIG_CBFS_SIZE=0x700000 :`
			`# dropbear support(ssh client/server)`
			`# e1000e (ethernet driver)`
			`export CONFIG_COREBOOT=y`
			`export CONFIG_COREBOOT_VERSION=24.02.01`
			`export CONFIG_LINUX_VERSION=5.10.5`

			`CONFIG_COREBOOT_CONFIG=config/coreboot-UNMAINTAINED_x230-legacy.config`
			`CONFIG_LINUX_CONFIG=config/linux-UNMAINTAINED_x230-legacy.config`

			`#Additional hardware support`
			`CONFIG_LINUX_USB=y`
			`CONFIG_LINUX_E1000E=n`

			`CONFIG_CRYPTSETUP2=y`
			`CONFIG_FLASHPROG=y`
			`CONFIG_FLASHTOOLS=y`
			`CONFIG_GPG2=y`
			`CONFIG_KEXEC=y`
			`CONFIG_UTIL_LINUX=y`
			`CONFIG_LVM2=y`
			`CONFIG_MBEDTLS=y`
			`CONFIG_PCIUTILS=y`

			`#Remote attestation support`
			`#TPM based requirements`
			`export CONFIG_TPM=y`
			`CONFIG_POPT=y`
			`CONFIG_QRENCODE=y`
			`CONFIG_TPMTOTP=y`
			`#HOTP based remote attestation for supported USB Security dongle`
			`#With/Without TPM support`
			`CONFIG_HOTPKEY=n`

			`#Nitrokey Storage admin tool`
			`CONFIG_NKSTORECLI=n`

			`#GUI Support`
			`#Console based Whiptail support(Console based, no FB):`
			`CONFIG_SLANG=y`
			`CONFIG_NEWT=y`
			`#FBWhiptail based (Graphical):`
			`#CONFIG_CAIRO=y`
			`#CONFIG_FBWHIPTAIL=y`

			`#Additional tools:`
			`#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)`
			`CONFIG_DROPBEAR=n`

			`export CONFIG_BOOTSCRIPT=/bin/gui-init`
			`export CONFIG_BOOT_REQ_HASH=n`
			`export CONFIG_BOOT_REQ_ROLLBACK=n`
			`export CONFIG_BOOT_KERNEL_ADD=""`
			`export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"`
			`export CONFIG_BOARD_NAME="Thinkpad X230-legacy"`
			`export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal --ifd --image bios"`

			`# This board has two SPI flash chips, an 8 MB that holds the IFD,`
			`# the ME image and part of the coreboot image, and a 4 MB one that`
			`# has the rest of the coreboot and the reset vector.`
			`#`
			`# Only flashing to the bios region is safe to do. The easiest is to`
			`# flash internally when the IFD is unlocked for writing, and x230-flash`
			`# is installed first.`