mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-18 12:46:26 +00:00
cryptsetup2 toolstack version bump and script fixes to support multi-LUKS containers (BTRFS QubesOS 4.2)
cryptsetup2 2.6.1 is a new release that supports reencryption of Q4.2 release LUKS2 volumes created at installation. This is a critical feature for the Qubes OS 4.2 release for added data at rest protection Cryptsetup 2.6.x internal changes: - Argon2 used externally and internally: requires a lot of RAM and CPU to derivate passphrase to key validated in key slots. - This is used to rate limit efficiently bruteforcing of LUKS key slots, requiring each offline brute force attempt to consume ~15-30 seconds per attempt - OF course, strong passphrases are still recommended, but bruteforcing LUKSv2 containers with Argon2 would require immense time, ram and CPU even to bruteforce low entropy passphrase/PINs. - passphrase change doesn't permit LUKS key slot specification anymore: key slot rotates (new one consusumed per op: then old one wiped internally. EG: LUKS key slot 1 created, then 0 deleted) - reencryption doesn't permit old call arguments. No more direct-io; inadmissively slow through AIO (async) calls, need workarounds for good enough perfs (arguments + newer kernel with cloudfare fixes in tree) cryptsetup 2.6.1 requires: - lvm2 2.03.23, which is also included in this PR. - requires libaio, which is also included in this PR (could be hacked out but deep dependency at first sight: left in) - requires util-linux 2.39 - patches for reproducible builds are included for above 3 packages. luks-functions was updated to support the new cryptsetup2 version calls/changes - reencryption happen in direct-io, offline mode and without locking, requiring linux 5.10.9+ to bypass linux queues - from tests, this is best for performance and reliability in single-user mode - LUKS container ops now validate Disk Recovery Key (DRK) passphrase prior and DRK key slot prior of going forward if needed, failing early. - Heads don't expect DRK to be in static key slot anymore, and finds the DRK key slot dynamically. - If reencrytipn/passphrase change: make sure all LUKS containers on same block device can be unlocked with same DRK - Reencryption: requires to know which key slot to reencrypt. - Find LUKS key slot that unlocks with DRK passphrase unlock prior of reencrypt call - Passphrase change: no slot can be passed, but key slot of DRK rotates. kexec-seal-key - TPM LUKS Disk Unlock Key key slots have changed to be set in max slots per LUKS version (LUKSv1:7 /LUKSv2: 31) - If key slot != default LUKS version's keyslot outside of DRK key slot: prompt the user before wiping that key slot, otherwise wipe automatically - This takes for granted that the DRK key slot alone is needed on the system and Heads controls the LUKS key slots. - If user has something else going on, ie: Using USB Security dongle + TPM DUK, then the user will need to say no when wiping keys. - It was suggested to leave LUKS key slots outside of DRK alone, but then: what to do when all key slots would be used? - Alternative implementation could be to only prompt users to wipe keyslots other then DRK when key slots are all used (LUKSv1: 0-7, LUKSv2: 0-31) - But then cleanup would need to happen prior of operations (LUKS passphrase change, TPM DUK setup) and could be problematic. - LUKS containers now checked to be same LUKS version prior of permitting to set TPM DUK and will refuse to go forward of different versions. TODO: - async (AIO) calls are not used. direct-io is used instead. libaio could be hacked out - this could be subject to future work Notes: - time to deprecated legacy boards the do not enough space for the new space requirements - x230-legacy, x230-legacy-flash, x230-hotp-legacy - t430-legacy, t430-legacy-flash, t430-hotp-legacy already deprecated Unrelated: - typos fixes found along the way Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This commit is contained in:
parent
0679b75e1d
commit
0cef8e1edc
@ -218,16 +218,17 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [
|
||||
save_key="y"
|
||||
fi
|
||||
else
|
||||
DEBUG "No previous LUKS TPM Disk Unlock Key was set up, confirming to add a Disk Encryption Key to the TPM"
|
||||
DEBUG "No previous LUKS TPM Disk Unlock Key was set up, confirming to add a Disk Unlock Key (DUK) to the TPM"
|
||||
read \
|
||||
-n 1 \
|
||||
-p "Do you wish to add a disk encryption to the TPM [y/N]: " \
|
||||
-p "Do you wish to add a disk encryption key to the TPM [y/N]: " \
|
||||
add_key_confirm
|
||||
#TODO: still not convinced: disk encryption key? decryption key? everywhere TPM Disk Unlock Key. Confusing even more?
|
||||
echo
|
||||
|
||||
if [ "$add_key_confirm" = "y" \
|
||||
-o "$add_key_confirm" = "Y" ]; then
|
||||
DEBUG "User confirmed desire to add a Disk Encryption Key to the TPM"
|
||||
DEBUG "User confirmed desire to add a Disk Unlock Key (DUK) to the TPM"
|
||||
save_key="y"
|
||||
fi
|
||||
fi
|
||||
|
@ -1,15 +1,33 @@
|
||||
#!/bin/bash
|
||||
# This will generate a disk encryption key and seal / ecncrypt
|
||||
# This will generate a disk encryption key and seal / encrypt
|
||||
# with the current PCRs and then store it in the TPM NVRAM.
|
||||
# It will then need to be bundled into initrd that is booted.
|
||||
set -e -o pipefail
|
||||
. /etc/functions
|
||||
|
||||
find_drk_key_slot() {
|
||||
local temp_drk_key_slot=""
|
||||
local keyslot
|
||||
|
||||
for keyslot in "${luks_used_keyslots[@]}"; do
|
||||
if [ -z "$temp_drk_key_slot" ]; then
|
||||
DEBUG "Testing LUKS key slot $keyslot against $DISK_RECOVERY_KEY_FILE for Disk Recovery Key slot..."
|
||||
if DO_WITH_DEBUG cryptsetup open --test-passphrase --key-slot "$keyslot" --key-file "$DISK_RECOVERY_KEY_FILE" "$dev"; then
|
||||
temp_drk_key_slot="$keyslot"
|
||||
DEBUG "Disk Recovery key slot is $temp_drk_key_slot"
|
||||
break
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
echo "$temp_drk_key_slot"
|
||||
}
|
||||
|
||||
TPM_INDEX=3
|
||||
TPM_SIZE=312
|
||||
KEY_FILE="/tmp/secret/secret.key"
|
||||
DUK_KEY_FILE="/tmp/secret/secret.key"
|
||||
TPM_SEALED="/tmp/secret/secret.sealed"
|
||||
RECOVERY_KEY="/tmp/secret/recovery.key"
|
||||
DISK_RECOVERY_KEY_FILE="/tmp/secret/recovery.key"
|
||||
|
||||
. /etc/functions
|
||||
. /tmp/config
|
||||
@ -23,11 +41,12 @@ fi
|
||||
|
||||
KEY_DEVICES="$paramsdir/kexec_key_devices.txt"
|
||||
KEY_LVM="$paramsdir/kexec_key_lvm.txt"
|
||||
key_devices=$(cat "$KEY_DEVICES" | cut -d\ -f1 | tr '\n' ' ')
|
||||
|
||||
if [ ! -r "$KEY_DEVICES" ]; then
|
||||
die "No devices defined for disk encryption"
|
||||
else
|
||||
DEBUG "Devices defined for disk encryption: $(cat "$KEY_DEVICES" | cut -d\ -f1 | tr '\n' ' ')"
|
||||
DEBUG "Devices defined for disk encryption: $key_devices"
|
||||
fi
|
||||
|
||||
if [ -r "$KEY_LVM" ]; then
|
||||
@ -44,92 +63,160 @@ fi
|
||||
|
||||
DEBUG "$(pcrs)"
|
||||
|
||||
# LUKS Key slot 0 is the manual recovery pass phrase
|
||||
# that they user entered when they installed OS,
|
||||
# key slot 1 is the one that we've generated.
|
||||
read -s -p "Enter LUKS Disk Recovery Key/passphrase: " disk_password
|
||||
echo -n "$disk_password" >"$RECOVERY_KEY"
|
||||
echo
|
||||
|
||||
read -s -p "New LUKS TPM Disk Unlock Key passphrase for booting: " key_password
|
||||
echo
|
||||
read -s -p "Repeat LUKS TPM Disk Unlock Key passphrase for booting: " key_password2
|
||||
echo
|
||||
luks_drk_passphrase_valid=0
|
||||
for dev in $key_devices ; do
|
||||
attempts=0
|
||||
while [ $attempts -lt 3 ]; do
|
||||
if [ "$luks_drk_passphrase_valid" == "0" ]; then
|
||||
# Ask for the passphrase only once
|
||||
read -s -p "Enter LUKS Disk Recovery Key (DRK) passphrase that can unlock: $key_devices: " disk_recovery_key_passphrase
|
||||
#Using he provided passphrase as the DRK "keyfile" for unattended operations
|
||||
echo -n "$disk_recovery_key_passphrase" >"$DISK_RECOVERY_KEY_FILE"
|
||||
echo
|
||||
fi
|
||||
|
||||
if [ "$key_password" != "$key_password2" ]; then
|
||||
die "Key passphrases do not match"
|
||||
fi
|
||||
DEBUG "Testing $DISK_RECOVERY_KEY_FILE keyfile created from provided passphrase against $dev individual key slots"
|
||||
if cryptsetup open $dev --test-passphrase --key-file "$DISK_RECOVERY_KEY_FILE" >/dev/null 2>&1; then
|
||||
DEBUG "LUKS device $dev unlocked successfully with the DRK passphrase"
|
||||
luks_drk_passphrase_valid=1
|
||||
break
|
||||
else
|
||||
attempts=$((attempts + 1))
|
||||
if [ "$attempts" == "3" ] && [ "$luks_drk_passphrase_valid" == "0" ]; then
|
||||
die "Failed to unlock LUKS device $dev with the provided passphrase. Exiting..."
|
||||
elif [ "$attempts" != "3" ] && [ "$luks_drk_passphrase_valid" == "1" ]; then
|
||||
#We failed unlocking with DRK passphrase another LUKS container
|
||||
die "LUKS device $key_devices cannot all be unlocked with same passphrase. Please make $key_devices devices unlockable with the same passphrase. Exiting"
|
||||
else
|
||||
warn "Failed to unlock LUKS device $dev with the provided passphrase. Please try again."
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
attempts=0
|
||||
while [ $attempts -lt 3 ]; do
|
||||
read -s -p "New LUKS TPM Disk Unlock Key passphrase (DUK) for booting: " key_password
|
||||
echo
|
||||
read -s -p "Repeat LUKS TPM Disk Unlock Key (DUK) passphrase for booting: " key_password2
|
||||
echo
|
||||
if [ "$key_password" != "$key_password2" ]; then
|
||||
attempts=$((attempts + 1))
|
||||
if [ "$attempts" == "3" ]; then
|
||||
die "Disk Unlock Key passphrases do not match. Exiting..."
|
||||
else
|
||||
warn "Disk Unlock Key passphrases do not match. Please try again."
|
||||
fi
|
||||
else
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
# Generate key file
|
||||
echo "++++++ Generating new randomized 128 bytes key file that will be sealed/unsealed by LUKS TPM Disk Unlock Key passphrase"
|
||||
dd \
|
||||
if=/dev/urandom \
|
||||
of="$KEY_FILE" \
|
||||
of="$DUK_KEY_FILE" \
|
||||
bs=1 \
|
||||
count=128 \
|
||||
2>/dev/null ||
|
||||
die "Unable to generate 128 random bytes"
|
||||
|
||||
# Count the number of slots used on each device
|
||||
for dev in $(cat "$KEY_DEVICES" | cut -d\ -f1); do
|
||||
DEBUG "Checking number of slots used on $dev LUKS header"
|
||||
#check if the device is a LUKS device with luks[1,2]
|
||||
# Get the number of key slots used on the LUKS header.
|
||||
# LUKS1 Format is :
|
||||
# Slot 0: ENABLED
|
||||
# Slot 1: ENABLED
|
||||
# Slot 2: DISABLED
|
||||
# Slot 3: DISABLED
|
||||
#...
|
||||
# Slot 7: DISABLED
|
||||
# Luks2 only reports on enabled slots.
|
||||
# luks2 Format is :
|
||||
# 0: luks2
|
||||
# 1: luks2
|
||||
# Meaning that the number of slots used is the number of lines returned by a grep on the LUKS2 above format.
|
||||
# We need to count the number of ENABLED slots for both LUKS1 and LUKS2
|
||||
# create regex pattern for both LUKS1 and LUKS2
|
||||
regex="Slot [0-9]*: ENABLED"
|
||||
regex+="\|"
|
||||
regex+="[0-9]*: luks2"
|
||||
slots_used=$(cryptsetup luksDump "$dev" | grep -c "$regex" || die "Unable to get number of slots used on $dev")
|
||||
|
||||
DEBUG "Number of slots used on $dev LUKS header: $slots_used"
|
||||
# If slot1 is the only one used, warn and die with proper messages
|
||||
if [ "$slots_used" -eq 1 ]; then
|
||||
# Check if slot 1 is the only one existing
|
||||
if [ "$(cryptsetup luksDump "$dev" | grep -c "Slot 1: ENABLED")" -eq 1 ] || [ "$(cryptsetup luksDump "$dev" | grep -c "1: luks2")" -eq 1 ]; then
|
||||
warn "Slot 1 is the only one existing on $dev LUKS header. Heads cannot use it to store TPM sealed LUKS Disk Unlock Key"
|
||||
warn "Slot 1 should not be the only slot existing on $dev LUKS header. Slot 0 should be used to store LUKS Disk Recovery Key/passphrase"
|
||||
die "You can safely fix this before continuing through Heads recovery shell: cryptsetup luksAddKey $dev"
|
||||
fi
|
||||
else
|
||||
DEBUG "Slot 1 is not the only existing slot on $dev LUKS header."
|
||||
DEBUG "$dev LUKS header's slot 1 will store LUKS Disk Unlock Key that TPM will seal/unseal with LUKS TPM Disk Unlock Key passphrase"
|
||||
previous_luks_header_version=0
|
||||
for dev in $key_devices; do
|
||||
# Check and store LUKS version of the devices to be used later
|
||||
luks_version=$(cryptsetup luksDump "$dev" | grep "Version" | cut -d: -f2 | tr -d '[:space:]')
|
||||
if [ "$luks_version" == "2" ] && [ "$previous_luks_header_version" == "1" ]; then
|
||||
die "$dev: LUKSv2 device detected while LUKSv1 device was detected previously. Exiting..."
|
||||
fi
|
||||
done
|
||||
|
||||
# Remove all the old keys from slot 1
|
||||
for dev in $(cat "$KEY_DEVICES" | cut -d\ -f1); do
|
||||
echo "++++++ $dev: Removing old LUKS TPM Disk Unlock Key in LUKS slot 1"
|
||||
cryptsetup luksKillSlot \
|
||||
--key-file "$RECOVERY_KEY" \
|
||||
$dev 1 ||
|
||||
warn "$dev: removal of LUKS TPM Disk Unlock Key in LUKS slot 1 failed: might not exist. Continuing"
|
||||
if [ "$luks_version" == "1" ] && [ "$previous_luks_header_version" == "2" ]; then
|
||||
die "$dev: LUKSv1 device detected while LUKSv2 device was detected previously. Exiting..."
|
||||
fi
|
||||
|
||||
echo "++++++ $dev: Adding LUKS TPM Disk Unlock Key to LUKS slot 1"
|
||||
cryptsetup luksAddKey \
|
||||
--key-file "$RECOVERY_KEY" \
|
||||
--key-slot 1 \
|
||||
$dev "$KEY_FILE" ||
|
||||
die "$dev: Unable to add LUKS TPM Disk Unlock Key to LUKS slot 1"
|
||||
if [ "$luks_version" == "2" ]; then
|
||||
# LUKSv2 last key slot is 31
|
||||
duk_keyslot=31
|
||||
regex="^\s+([0-9]+):\s*luks2"
|
||||
sed_command="s/^\s\+\([0-9]\+\):\s*luks2/\1/g"
|
||||
previous_luks_header_version=2
|
||||
DEBUG "$dev: LUKSv2 device detected"
|
||||
elif [ "$luks_version" == "1" ]; then
|
||||
# LUKSv1 last key slot is 7
|
||||
duk_keyslot=7
|
||||
regex="Key Slot ([0-9]+): ENABLED"
|
||||
sed_command='s/Key Slot \([0-9]\+\): ENABLED/\1/'
|
||||
previous_luks_header_version=1
|
||||
DEBUG "$dev: LUKSv1 device detected"
|
||||
else
|
||||
die "$dev: Unsupported LUKS version $luks_version"
|
||||
fi
|
||||
|
||||
# drk_key_slot will be the slot number where the passphrase was tested against as valid. We will keep that slot
|
||||
drk_key_slot="-1"
|
||||
|
||||
# Get all the key slots that are used on $dev
|
||||
luks_used_keyslots=($(cryptsetup luksDump "$dev" | grep -E "$regex" | sed "$sed_command"))
|
||||
DEBUG "$dev LUKS key slots: ${luks_used_keyslots[*]}"
|
||||
|
||||
#Find the key slot that can be unlocked with the provided passphrase
|
||||
drk_key_slot=$(find_drk_key_slot)
|
||||
|
||||
# If we didn't find the DRK key slot, we exit (this should never happen)
|
||||
if [ "$drk_key_slot" == "-1" ]; then
|
||||
die "$dev: Unable to find a key slot that can be unlocked with provided passphrase. Exiting..."
|
||||
fi
|
||||
|
||||
# If the key slot is not the expected DUK o FRK key slot, we will ask the user to confirm the wipe
|
||||
for keyslot in "${luks_used_keyslots[@]}"; do
|
||||
if [ "$keyslot" != "$drk_key_slot" ]; then
|
||||
#set wipe_desired to no by default
|
||||
wipe_desired="no"
|
||||
|
||||
if [ "$keyslot" != "$drk_key_slot" ] && [ "$keyslot" == "1" ]; then
|
||||
wipe_desired="yes"
|
||||
DEBUG "LUKS key slot $keyslot not DRK. Will wipe this DUK key slot silently"
|
||||
elif [ "$keyslot" != "$drk_key_slot" ] && [ "$keyslot" != "$duk_keyslot" ]; then
|
||||
# Heads expects key slot LUKSv1:7 or LUKSv2:31 to be used for TPM DUK setup.
|
||||
# Ask user to confirm otherwise
|
||||
warn "LUKS key slot $keyslot is not typical ($duk_keyslot expected) for TPM Disk Unlock Key setup"
|
||||
read -p "Are you sure you want to wipe it? [y/N] " -n 1 -r
|
||||
echo
|
||||
# If user does not confirm, skip this slot
|
||||
if [[ $REPLY =~ ^[Yy]$ ]]; then
|
||||
wipe_desired="yes"
|
||||
fi
|
||||
elif [ "$keyslot" == "$duk_keyslot" ]; then
|
||||
# If key slot is the expected DUK keyslot, we wipe it silently
|
||||
DEBUG "LUKS key slot $keyslot is the expected DUK key slot. Will wipe this DUK key slot silently"
|
||||
wipe_desired="yes"
|
||||
fi
|
||||
|
||||
if [ "$wipe_desired" == "yes" ] && [ "$keyslot" != "$drk_key_slot" ]; then
|
||||
echo "++++++ $dev: Wiping LUKS key slot $keyslot"
|
||||
DO_WITH_DEBUG cryptsetup luksKillSlot \
|
||||
--key-file "$DISK_RECOVERY_KEY_FILE" \
|
||||
$dev $keyslot ||
|
||||
warn "$dev: removal of LUKS slot $keyslot failed: Continuing"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
|
||||
echo "++++++ $dev: Adding LUKS TPM Disk Unlock Key to LUKS key slot $duk_keyslot"
|
||||
DO_WITH_DEBUG cryptsetup luksAddKey \
|
||||
--key-file "$DISK_RECOVERY_KEY_FILE" \
|
||||
--new-key-slot $duk_keyslot \
|
||||
$dev "$DUK_KEY_FILE" ||
|
||||
die "$dev: Unable to add LUKS TPM Disk Unlock Key to LUKS key slot $duk_keyslot"
|
||||
done
|
||||
|
||||
# Now that we have setup the new keys, measure the PCRs
|
||||
# We don't care what ends up in PCR 6; we just want
|
||||
# to get the /tmp/luksDump.txt file. We use PCR16
|
||||
# since it should still be zero
|
||||
cat "$KEY_DEVICES" | cut -d\ -f1 | xargs /bin/qubes-measure-luks ||
|
||||
echo "$key_devices" | xargs /bin/qubes-measure-luks ||
|
||||
die "Unable to measure the LUKS headers"
|
||||
|
||||
pcrf="/tmp/secret/pcrf.bin"
|
||||
@ -155,13 +242,13 @@ tpmr calcfuturepcr 6 "/tmp/luksDump.txt" >>"$pcrf"
|
||||
tpmr pcrread -a 7 "$pcrf"
|
||||
|
||||
DO_WITH_DEBUG --mask-position 7 \
|
||||
tpmr seal "$KEY_FILE" "$TPM_INDEX" 0,1,2,3,4,5,6,7 "$pcrf" \
|
||||
tpmr seal "$DUK_KEY_FILE" "$TPM_INDEX" 0,1,2,3,4,5,6,7 "$pcrf" \
|
||||
"$TPM_SIZE" "$key_password" || die "Unable to write LUKS TPM Disk Unlock Key to NVRAM"
|
||||
|
||||
# should be okay if this fails
|
||||
shred -n 10 -z -u "$pcrf" 2>/dev/null ||
|
||||
warn "Failed to delete pcrf file - continuing"
|
||||
shred -n 10 -z -u "$KEY_FILE" 2>/dev/null ||
|
||||
shred -n 10 -z -u "$DUK_KEY_FILE" 2>/dev/null ||
|
||||
warn "Failed to delete key file - continuing"
|
||||
|
||||
mount -o rw,remount $paramsdir || warn "Failed to remount $paramsdir in RW - continuing"
|
||||
|
@ -44,6 +44,12 @@ GPG_ALGO="RSA"
|
||||
# Default RSA key length is 3072 bits for OEM key gen. 4096 are way longer to generate in smartcard
|
||||
RSA_KEY_LENGTH=3072
|
||||
|
||||
#Override RSA_KEY_LENGTH to 2048 bits for Canokey under qemu testing boards until canokey fixes
|
||||
if [[ "$CONFIG_BOARD_NAME" == qemu-* ]]; then
|
||||
DEBUG "Overriding RSA_KEY_LENGTH to 2048 bits for Canokey under qemu testing boards"
|
||||
RSA_KEY_LENGTH=2048
|
||||
fi
|
||||
|
||||
GPG_USER_NAME="OEM Key"
|
||||
GPG_KEY_NAME=$(date +%Y%m%d%H%M%S)
|
||||
GPG_USER_MAIL="oem-${GPG_KEY_NAME}@example.com"
|
||||
@ -266,20 +272,20 @@ keytocard_subkeys_to_smartcard() {
|
||||
{
|
||||
echo "key 1" #Toggle on Signature key in --edit-key mode on local keyring
|
||||
echo "keytocard" #Move Signature key to smartcard
|
||||
echo "1" #Select Signature key keyslot on smartcard
|
||||
echo "1" #Select Signature key key slot on smartcard
|
||||
echo "${ADMIN_PIN}" #Local keyring Subkey PIN
|
||||
echo "${ADMIN_PIN_DEF}" #Smartcard Admin PIN
|
||||
echo "0" #No expiration date
|
||||
echo "key 1" #Toggle off Signature key
|
||||
echo "key 2" #Toggle on Encryption key
|
||||
echo "keytocard" #Move Encryption key to smartcard
|
||||
echo "2" #Select Encryption key keyslot on smartcard
|
||||
echo "2" #Select Encryption key key slot on smartcard
|
||||
echo "${ADMIN_PIN}" #Local keyring Subkey PIN
|
||||
echo "${ADMIN_PIN_DEF}" #Smartcard Admin PIN
|
||||
echo "key 2" #Toggle off Encryption key
|
||||
echo "key 3" #Toggle on Authentication key
|
||||
echo "keytocard" #Move Authentication key to smartcard
|
||||
echo "3" #Select Authentication key keyslot on smartcard
|
||||
echo "3" #Select Authentication key slot on smartcard
|
||||
echo "${ADMIN_PIN}" #Local keyring Subkey PIN
|
||||
echo "${ADMIN_PIN_DEF}" #Smartcard Admin PIN
|
||||
echo "key 3" #Toggle off Authentication key
|
||||
@ -383,6 +389,7 @@ export_public_key_to_thumbdrive_public_partition() {
|
||||
|
||||
#pass non-empty arguments to --pass, --mountpoint, --device, --mode
|
||||
mount-usb --device "$device" --mode "$mode" --mountpoint "$mountpoint" || die "Error mounting thumb drive's public partition"
|
||||
#TODO: reuse "Obtain GPG key ID" so that pubkey on public thumb drive partition is named after key ID
|
||||
gpg --export --armor "${GPG_USER_MAIL}" >"$mountpoint"/pubkey.asc || die "Error exporting public key to thumb drive's public partition"
|
||||
umount "$mountpoint" || die "Error unmounting thumb drive's public partition"
|
||||
|
||||
@ -879,6 +886,7 @@ report_integrity_measurements
|
||||
clear
|
||||
|
||||
#Prompt user for use of default configuration options
|
||||
TRACE_FUNC
|
||||
echo -e -n "Would you like to use default configuration options?\nIf N, you will be prompted for each option [Y/n]: "
|
||||
read -n 1 use_defaults
|
||||
|
||||
@ -907,6 +915,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
|
||||
echo
|
||||
if [ "$prompt_output" == "y" \
|
||||
-o "$prompt_output" == "Y" ]; then
|
||||
TRACE_FUNC
|
||||
test_luks_current_disk_recovery_key_passphrase
|
||||
luks_new_Disk_Recovery_Key_desired=1
|
||||
echo -e "\n"
|
||||
@ -970,8 +979,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
|
||||
echo
|
||||
if [ "$prompt_output" == "y" \
|
||||
-o "$prompt_output" == "Y" ]; then
|
||||
echo -e "\nThe chosen custom password must be between 8 and $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n"
|
||||
echo
|
||||
echo -e "\nThe chosen custom password must be between 8 and $MAX_HOTP_GPG_PIN_LENGTH characters in length."
|
||||
while [[ ${#CUSTOM_SINGLE_PASS} -lt 8 ]] || [[ ${#CUSTOM_SINGLE_PASS} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do
|
||||
echo -e -n "Enter the custom password: "
|
||||
read CUSTOM_SINGLE_PASS
|
||||
@ -999,8 +1007,8 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
|
||||
read TPM_PASS
|
||||
done
|
||||
fi
|
||||
while [[ ${#ADMIN_PIN} -lt 8 ]] || [[ ${#ADMIN_PIN} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do
|
||||
echo -e -n "\nThis PIN should be between 8 to $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n"
|
||||
while [[ ${#ADMIN_PIN} -lt 6 ]] || [[ ${#ADMIN_PIN} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do
|
||||
echo -e -n "\nThis PIN should be between 6 to $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n"
|
||||
echo -e -n "Enter desired GPG Admin PIN: "
|
||||
read ADMIN_PIN
|
||||
done
|
||||
@ -1028,6 +1036,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
|
||||
}
|
||||
done
|
||||
#We test that current LUKS Disk Recovery Key passphrase is known prior of going further
|
||||
TRACE_FUNC
|
||||
test_luks_current_disk_recovery_key_passphrase
|
||||
echo -e "\n"
|
||||
fi
|
||||
@ -1147,8 +1156,8 @@ fi
|
||||
|
||||
if [ -n "$luks_new_Disk_Recovery_Key_desired" -a -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
|
||||
#Reencryption of disk, LUKS Disk Recovery Key and LUKS Disk Recovery Key passphrase change is requested
|
||||
luks_change_passphrase
|
||||
luks_reencrypt
|
||||
luks_change_passphrase
|
||||
elif [ -n "$luks_new_Disk_Recovery_Key_desired" -a -z "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
|
||||
#Reencryption of disk was requested but not passphrase change
|
||||
luks_reencrypt
|
||||
|
@ -37,6 +37,7 @@ mount_usb()
|
||||
# -- Display related functions --
|
||||
# Produce a whiptail prompt with 'warning' background, works for fbwhiptail and newt
|
||||
whiptail_warning() {
|
||||
#TODO: Cannot be called as is under luks_functions with string expension in title: why?
|
||||
if [ -x /bin/fbwhiptail ]; then
|
||||
whiptail $BG_COLOR_WARNING "$@"
|
||||
else
|
||||
@ -46,6 +47,7 @@ whiptail_warning() {
|
||||
|
||||
# Produce a whiptail prompt with 'error' background, works for fbwhiptail and newt
|
||||
whiptail_error() {
|
||||
#TODO: Cannot be called as is under luks_functions with string expension in title: why?
|
||||
if [ -x /bin/fbwhiptail ]; then
|
||||
whiptail $BG_COLOR_ERROR "$@"
|
||||
else
|
||||
@ -55,6 +57,7 @@ whiptail_error() {
|
||||
|
||||
# Produce a whiptail prompt of the given type - 'error', 'warning', or 'normal'
|
||||
whiptail_type() {
|
||||
TRACE_FUNC
|
||||
local TYPE="$1"
|
||||
shift
|
||||
case "$TYPE" in
|
||||
|
@ -7,6 +7,7 @@
|
||||
|
||||
#List all LUKS devices on the system
|
||||
list_luks_devices() {
|
||||
TRACE_FUNC
|
||||
#generate a list of devices to choose from that contain a LUKS header
|
||||
lvm vgscan || true
|
||||
blkid | cut -d ':' -f 1 | while read device; do
|
||||
@ -267,12 +268,15 @@ prepare_thumb_drive()
|
||||
|
||||
select_luks_container()
|
||||
{
|
||||
#TODO: extend logic to prompt for block devices with model if multiple LUKS are found on block device instead of partitions
|
||||
# Then feed luks with those partitions so that reencrypt and passphrase change can use passphrase to test all selected
|
||||
TRACE_FUNC
|
||||
if [ -s /boot/kexec_key_devices.txt ]; then
|
||||
DEBUG "Reusing known good LUKS container device from /boot/kexec_key_devices.txt"
|
||||
DEBUG "LUKS container device: $(cut -d ' ' -f1 /boot/kexec_key_devices.txt)"
|
||||
LUKS=$(cut -d ' ' -f1 /boot/kexec_key_devices.txt)
|
||||
else
|
||||
LUKS=$(cut -d ' ' -f1 /boot/kexec_key_devices.txt)
|
||||
DEBUG "LUKS container device: $(echo $LUKS)"
|
||||
# LUKS variable not exported yet, prompt for LUKS device
|
||||
elif [ -z "$LUKS" ]; then
|
||||
list_luks_devices > /tmp/luks_devices.txt
|
||||
#if /tmp/luks_devices.txt exists and is not empty
|
||||
if [ -s /tmp/luks_devices.txt ]; then
|
||||
@ -280,11 +284,21 @@ select_luks_container()
|
||||
if [ "$FILE" == "" ]; then
|
||||
return 1
|
||||
else
|
||||
LUKS=$FILE
|
||||
detect_boot_device
|
||||
mount -o remount,rw /boot
|
||||
echo "$LUKS $(cryptsetup luksUUID $LUKS)" >/boot/kexec_key_devices.txt
|
||||
mount -o remount,ro /boot
|
||||
#TODO: What about BRTFS multi LUKS setup of QubesOS?
|
||||
# if multiple LUKS containers are found on same block device
|
||||
# select all of the luks containers on same block device instead of just one
|
||||
# note that block devices for example under /dev/sda will be /dev/sda1, /dev/sda2, etc
|
||||
# so we need to select all of the partitions on the same block device from /tmp/luks_devices.txt
|
||||
# and then export them to LUKS variable
|
||||
# then reencrypt and passphrase change functions will loop on all of the LUKS containers
|
||||
# and test passphrase on all of them
|
||||
if grep -q "$(echo $FILE | sed 's/[0-9]*$//')" /tmp/luks_devices.txt; then
|
||||
DEBUG "Multiple LUKS containers found on same block device, selecting them all"
|
||||
LUKS=$(grep $(echo $FILE | sed 's/[0-9]*$//') /tmp/luks_devices.txt)
|
||||
else
|
||||
DEBUG "Single LUKS container found on block device, assigning to LUKS variable"
|
||||
LUKS=$FILE
|
||||
fi
|
||||
fi
|
||||
else
|
||||
warn "No encrypted device found"
|
||||
@ -295,41 +309,79 @@ select_luks_container()
|
||||
|
||||
test_luks_current_disk_recovery_key_passphrase()
|
||||
{
|
||||
#TODO: reuse/generalize usage of this function. Tests for LUKS are still done 4 times independently of this helper
|
||||
TRACE_FUNC
|
||||
while :; do
|
||||
select_luks_container || return 1
|
||||
|
||||
# LUKS contains multiline string of LUKS containers on same block device
|
||||
# transform it into words of a same string separated by space
|
||||
PRINTABLE_LUKS=$(echo $LUKS)
|
||||
|
||||
TRACE_FUNC
|
||||
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
|
||||
#if no external provisioning provides current LUKS Disk Recovery Key passphrase
|
||||
# if no external provisioning provides current LUKS Disk Recovery Key passphrase
|
||||
echo -e "\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):"
|
||||
read -r luks_current_Disk_Recovery_Key_passphrase
|
||||
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
|
||||
warn "Testing opening "$LUKS" LUKS encrypted drive content with the current LUKS Disk Recovery Key passphrase..."
|
||||
cryptsetup open $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
|
||||
else
|
||||
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
|
||||
warn "Testing opening "$LUKS" LUKS encrypted drive content with the current LUKS Disk Recovery Key passphrase..."
|
||||
cryptsetup open $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
|
||||
fi
|
||||
#Validate past cryptsetup-reencrypt attempts
|
||||
if [ $? -eq 0 ]; then
|
||||
whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \
|
||||
"If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 30 60
|
||||
shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null
|
||||
#unsetting luks_current_Disk_Recovery_Key_passphrase so we prompt for it again LUKS Disk Recovery Key passphrase prompt on next round
|
||||
unset luks_current_Disk_Recovery_Key_passphrase
|
||||
#remove "known good" selected LUKS container so that next pass asks again user to select LUKS container.
|
||||
#maybe the container was not the right one
|
||||
detect_boot_device
|
||||
mount -o remount,rw /boot
|
||||
rm -f /boot/kexec_key_devices.txt
|
||||
mount -o remount,ro /boot
|
||||
else
|
||||
#LuksOpen test was successful. Cleanup should be called only when done
|
||||
#Exporting successfully used passphrase possibly reused by oem-factory-reset
|
||||
|
||||
#We close the volume
|
||||
cryptsetup close test
|
||||
export luks_current_Disk_Recovery_Key_passphrase
|
||||
# test all LUKS containers on same block device as returned by select_luks_container
|
||||
echo -e "\n$PRINTABLE_LUKS: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..."
|
||||
|
||||
# Loop on all LUKS containers on same block device
|
||||
for luks_container in $LUKS; do
|
||||
DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..."
|
||||
DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
|
||||
# Validate past cryptsetup reencrypt attempts
|
||||
if [ $? -ne 0 ]; then
|
||||
# if we have more than one LUKS container and passphrase test unsuccessful, tell user how to change passphrase
|
||||
if [ $(echo $LUKS | wc -w) -gt 1 ]; then
|
||||
#TODO remove this once whiptail_error whiptail_warning can take titles with double quotes
|
||||
#whiptail_warning --title 'tes' --msgbox 'test' 0 80
|
||||
#whiptail_error --title 'error' --msgbox 'error' 0 80
|
||||
#Neither work today. Not related to this PR... Using whiptail without coloring.
|
||||
|
||||
msg=$(echo -e "All $PRINTABLE_LUKS must unlock with the same Disk Recovery Key passphrase for the current operation to succeed.\n\nTo change individual LUKS container passphrase, do so from 'Options-> Change LUKS Disk Recovery Key passphrase'\n\nThen retry this operation." | fold -w 70 -s)
|
||||
whiptail --title "$luks_container"': Wrong current LUKS Disk Recovery Key passphrase?' \
|
||||
--msgbox "$msg" 0 80
|
||||
|
||||
TRACE_FUNC
|
||||
luks_secrets_cleanup
|
||||
die "$PRINTABLE_LUKS individual containers NEED to share the same Disk Recovery Key passphrase"
|
||||
# We exited to caller, LUKS still set. TODO: problem? Should we call all cleaning functions on die?
|
||||
fi
|
||||
|
||||
whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \
|
||||
"If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80
|
||||
TRACE_FUNC
|
||||
|
||||
detect_boot_device
|
||||
mount -o remount,rw /boot
|
||||
rm -f /boot/kexec_key_devices.txt
|
||||
mount -o remount,ro /boot
|
||||
luks_secrets_cleanup
|
||||
# remove "known good" selected LUKS container so that next pass asks again user to select LUKS container.
|
||||
# maybe the container was not the right one
|
||||
unset LUKS
|
||||
else
|
||||
# LuksOpen test was successful. Cleanup should be called only when done
|
||||
# Exporting successfully used passphrase possibly reused by oem-factory-reset
|
||||
echo "$luks_container: unlocking LUKS container with current Disk Recovery Key passphrase successful"
|
||||
|
||||
# Exporting successfully used passphrase possibly reused by oem-factory-reset
|
||||
export luks_current_Disk_Recovery_Key_passphrase
|
||||
fi
|
||||
done
|
||||
|
||||
# exit while loop if LUKS variable is not empty
|
||||
if [ -n "$LUKS" ]; then
|
||||
# We export the LUKS volume(s) that was/were validated via passphrase test
|
||||
export LUKS
|
||||
TRACE_FUNC
|
||||
DEBUG "$LUKS exported to be reused"
|
||||
break;
|
||||
fi
|
||||
done
|
||||
@ -337,12 +389,16 @@ test_luks_current_disk_recovery_key_passphrase()
|
||||
|
||||
luks_reencrypt() {
|
||||
TRACE_FUNC
|
||||
while :; do
|
||||
select_luks_container || return 1
|
||||
#If the user just set a new LUKS Disk Recovery Key passphrase
|
||||
if [ -n "$luks_new_Disk_Recovery_Key_passphrase" ]; then
|
||||
luks_current_Disk_Recovery_Key_passphrase="$luks_new_Disk_Recovery_Key_passphrase"
|
||||
fi
|
||||
#TODO: REFACTOR This and luks passphrase change function needs to loop on same drive discovered luks containers so that reencrypt/passwd change is done on all luks containers of same drive
|
||||
# Ideal would be to list luks devices and then try keep and append LUKS devices to a list of devices to reencrypt or change passphrase
|
||||
# then loop on that list of devices that could be opened and reencrypt/change passphrase for all the devices that could be tested opened with that passphrase
|
||||
select_luks_container || return 1
|
||||
|
||||
# Count the number of containers to be reencrypted
|
||||
num_containers=$(echo "$LUKS" | wc -w)
|
||||
reencrypted_containers=0
|
||||
|
||||
while [ $reencrypted_containers -lt $num_containers ]; do
|
||||
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
|
||||
#if no external provisioning provides current LUKS Disk Recovery Key passphrase
|
||||
msg=$(echo -e "This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue." | fold -w 70 -s)
|
||||
@ -351,97 +407,185 @@ luks_reencrypt() {
|
||||
echo -e "\nEnter the current LUKS Disk Recovery Key passphrase:"
|
||||
read -r luks_current_Disk_Recovery_Key_passphrase
|
||||
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
|
||||
warn "Reencrypting "$LUKS" LUKS encrypted drive content with a new LUKS Disk Recovery Key. Do NOT shut down or reboot!"
|
||||
cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
|
||||
else
|
||||
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
|
||||
warn "Reencrypting "$LUKS" LUKS encrypted drive content with a new LUKS Disk Recovery Key. Do NOT shut down or reboot!"
|
||||
cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
|
||||
fi
|
||||
#Validate past cryptsetup-reencrypt attempts
|
||||
if [ $(echo $?) -ne 0 ]; then
|
||||
whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \
|
||||
"If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 30 60
|
||||
shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null
|
||||
#unsetting luks_current_Disk_Recovery_Key_passphrase so we prompt for it again LUKS Disk Recovery Key passphrase prompt on next round
|
||||
unset luks_current_Disk_Recovery_Key_passphrase
|
||||
#remove "known good" selected LUKS container so that next pass asks again user to select LUKS container.
|
||||
#maybe the container was not the right one
|
||||
detect_boot_device
|
||||
mount -o remount,rw /boot
|
||||
rm -f /boot/kexec_key_devices.txt
|
||||
mount -o remount,ro /boot
|
||||
else
|
||||
#Reencryption was successful. Cleanup should be called only when done
|
||||
#Exporting successfully used passphrase possibly reused by oem-factory-reset
|
||||
export luks_current_Disk_Recovery_Key_passphrase
|
||||
break;
|
||||
fi
|
||||
|
||||
# Split the $LUKS variable into an array of LUKS containers
|
||||
luks_containers=($LUKS)
|
||||
TRACE_FUNC
|
||||
DEBUG "luks_containers: $luks_containers"
|
||||
|
||||
# Loop through each LUKS container
|
||||
for luks_container in "${luks_containers[@]}"; do
|
||||
DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..."
|
||||
if ! DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase > /dev/null 2>&1; then
|
||||
whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \
|
||||
"If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80
|
||||
# Remove "known good" selected LUKS container so that next pass asks again user to select LUKS container.
|
||||
# Maybe the container was not the right one
|
||||
TRACE_FUNC
|
||||
detect_boot_device
|
||||
mount -o remount,rw /boot
|
||||
rm -f /boot/kexec_key_devices.txt
|
||||
mount -o remount,ro /boot
|
||||
luks_secrets_cleanup
|
||||
unset LUKS
|
||||
continue
|
||||
fi
|
||||
done
|
||||
|
||||
DEBUG "Test opening ${luks_containers[@]} successful. Now testing key slots to determine which holds master key"
|
||||
for luks_container in "${luks_containers[@]}"; do
|
||||
# First obtain which luks1/luks2 key-slot can be unlocked with the key-file
|
||||
DRK_KEYSLOT=-1
|
||||
DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..."
|
||||
for i in $(seq 0 31); do
|
||||
if DO_WITH_DEBUG cryptsetup open --test-passphrase $luks_container --key-slot $i --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase > /dev/null 2>&1; then
|
||||
DRK_KEYSLOT=$i
|
||||
DEBUG "$luks_container: Found key-slot $DRK_KEYSLOT that can be unlocked with the current passphrase. breaking loop"
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
# Validate if a key slot was found
|
||||
if [ $DRK_KEYSLOT -eq -1 ]; then
|
||||
whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \
|
||||
"If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80
|
||||
# Remove "known good" selected LUKS container so that next pass asks again user to select LUKS container.
|
||||
# Maybe the container was not the right one
|
||||
TRACE_FUNC
|
||||
detect_boot_device
|
||||
mount -o remount,rw /boot
|
||||
rm -f /boot/kexec_key_devices.txt
|
||||
mount -o remount,ro /boot
|
||||
luks_secrets_cleanup
|
||||
unset LUKS
|
||||
continue
|
||||
fi
|
||||
|
||||
# Now reencrypt the LUKS container with the same key slot
|
||||
# Warn and launch actual reencryption
|
||||
echo -e "\nReencrypting $luks_container LUKS encrypted drive content with current Recovery Disk Key passphrase..."
|
||||
warn "DO NOT POWER DOWN MACHINE, UNPLUG AC OR REMOVE BATTERY DURING REENCRYPTION PROCESS"
|
||||
|
||||
# --perf-no_read_workqueue and/or --perf-no_write_workqueue improve encryption/reencrypton performance on kernel 5.10.9+
|
||||
# bypassing dm-crypt queues.
|
||||
# Ref https://github.com/cloudflare/linux/issues/1#issuecomment-729695518
|
||||
# --resilience=none disables the resilience feature of cryptsetup, which is enabled by default
|
||||
# --force-offline-reencrypt forces the reencryption to be done offline (no read/write operations on the device)
|
||||
# --disable-locks disables the lock feature of cryptsetup, which is enabled by default
|
||||
|
||||
if ! DO_WITH_DEBUG cryptsetup reencrypt \
|
||||
--perf-no_read_workqueue --perf-no_write_workqueue \
|
||||
--resilience=none --force-offline-reencrypt --disable-locks \
|
||||
"$luks_container" --key-slot "$DRK_KEYSLOT" \
|
||||
--key-file /tmp/luks_current_Disk_Recovery_Key_passphrase; then
|
||||
whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \
|
||||
"If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80
|
||||
|
||||
TRACE_FUNC
|
||||
|
||||
#remove "known good" selected LUKS container so that next pass asks again user to select LUKS container.
|
||||
#maybe the container was not the right one
|
||||
detect_boot_device
|
||||
mount -o remount,rw /boot
|
||||
rm -f /boot/kexec_key_devices.txt
|
||||
mount -o remount,ro /boot
|
||||
luks_secrets_cleanup
|
||||
unset LUKS
|
||||
else
|
||||
#Reencryption was successful. Cleanup should be called only when done
|
||||
#Exporting successfully used passphrase possibly reused by oem-factory-reset
|
||||
export luks_current_Disk_Recovery_Key_passphrase
|
||||
export LUKS
|
||||
|
||||
# Increment the count of reencrypted containers
|
||||
reencrypted_containers=$((reencrypted_containers + 1))
|
||||
fi
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
luks_change_passphrase()
|
||||
{
|
||||
TRACE_FUNC
|
||||
while :; do
|
||||
select_luks_container || return 1
|
||||
#if actual or new LUKS Disk Recovery Key is not provisioned by oem-provisioning file
|
||||
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ] || [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then
|
||||
whiptail --title 'Changing LUKS Disk Recovery Key passphrase' --msgbox \
|
||||
"Please enter the current LUKS Disk Recovery Key passphrase (slot 0).\nThen choose a strong passphrase of your own.\n\n**DICEWARE passphrase methodology is STRONGLY ADVISED.**\n\nHit Enter to continue" 30 60
|
||||
if [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then
|
||||
echo -e "\nEnter your desired replacement for the actual LUKS Disk Recovery Key passphrase (At least 8 characters long):"
|
||||
while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do
|
||||
{
|
||||
read -r luks_new_Disk_Recovery_Key_passphrase
|
||||
};done
|
||||
fi
|
||||
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
|
||||
echo -e "\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):"
|
||||
read -r luks_current_Disk_Recovery_Key_passphrase
|
||||
fi
|
||||
export luks_current_Disk_Recovery_Key_passphrase
|
||||
export luks_new_Disk_Recovery_Key_passphrase
|
||||
echo -n "$luks_new_Disk_Recovery_Key_passphrase" >/tmp/luks_new_Disk_Recovery_Key_passphrase
|
||||
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
|
||||
warn "Changing "$LUKS" LUKS encrypted disk passphrase to the new LUKS Disk Recovery Key passphrase..."
|
||||
cryptsetup luksChangeKey "$LUKS" --key-slot 0 --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase
|
||||
else
|
||||
#If current and new LUKS Disk Recovery Key were exported
|
||||
echo -n "$luks_new_Disk_Recovery_Key_passphrase" >/tmp/luks_new_Disk_Recovery_Key_passphrase
|
||||
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
|
||||
warn "Changing "$LUKS" LUKS encrypted disk passphrase to the new LUKS Disk Recovery Key passphrase..."
|
||||
cryptsetup luksChangeKey "$LUKS" --key-slot 0 --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase
|
||||
fi
|
||||
luks_change_passphrase() {
|
||||
TRACE_FUNC
|
||||
|
||||
#Validate past cryptsetup attempts
|
||||
if [ $(echo $?) -ne 0 ]; then
|
||||
#Cryptsetup luksChangeKey was unsuccessful
|
||||
whiptail --title 'Invalid LUKS passphrase?' --msgbox \
|
||||
"The LUKS Disk Recovery Key passphrase was provided to you by the OEM over\n a secure communication channel.\n\nIf you previously changed it and do not remember it,\n you will have to reinstall the OS from a USB drive.\nTo do so, put OS ISO file and it's signature file on root of a USB drive,\n and select Boot from USB\n\nHit Enter to continue." 30 60
|
||||
unset luks_current_Disk_Recovery_Key_passphrase
|
||||
unset luks_new_Disk_Recovery_Key_passphrase
|
||||
#remove "known good" selected LUKS container so that next pass asks again user to select LUKS container.
|
||||
#maybe the container was not the right one
|
||||
detect_boot_device
|
||||
mount -o remount,rw /boot
|
||||
rm -f /boot/kexec_key_devices.txt
|
||||
mount -o remount,ro /boot
|
||||
else
|
||||
#Cryptsetup was successful.
|
||||
#Cleanup should be called seperately.
|
||||
#Exporting successfully used passphrase possibly reused by oem-factory-reset
|
||||
export luks_new_Disk_Recovery_Key_passphrase
|
||||
break;
|
||||
fi
|
||||
done
|
||||
select_luks_container || return 1
|
||||
|
||||
# Count the number of containers to be processed
|
||||
num_containers=$(echo "$LUKS" | wc -w)
|
||||
changed_containers=0
|
||||
|
||||
# Split the $LUKS variable into an array of LUKS containers
|
||||
IFS=' ' read -ra luks_containers <<< "$LUKS"
|
||||
|
||||
for luks_container in "${luks_containers[@]}"; do
|
||||
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ] || [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then
|
||||
whiptail --title 'Changing LUKS Disk Recovery Key passphrase' --msgbox \
|
||||
"Please enter the current LUKS Disk Recovery Key passphrase (slot 0).\nThen choose a strong passphrase of your own.\n\n**DICEWARE passphrase methodology is STRONGLY ADVISED.**\n\nHit Enter to continue" 0 80
|
||||
|
||||
if [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then
|
||||
echo -e "\nEnter your desired replacement for the actual LUKS Disk Recovery Key passphrase (At least 8 characters long):"
|
||||
while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do
|
||||
read -r luks_new_Disk_Recovery_Key_passphrase
|
||||
done
|
||||
fi
|
||||
|
||||
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
|
||||
echo -e "\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):"
|
||||
read -r luks_current_Disk_Recovery_Key_passphrase
|
||||
fi
|
||||
fi
|
||||
|
||||
echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/luks_current_Disk_Recovery_Key_passphrase
|
||||
echo -n "$luks_new_Disk_Recovery_Key_passphrase" > /tmp/luks_new_Disk_Recovery_Key_passphrase
|
||||
|
||||
DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..."
|
||||
if ! DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase > /dev/null 2>&1; then
|
||||
whiptail --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \
|
||||
"If you previously changed it and do not remember it, you will have to\n reinstall the OS from an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80
|
||||
TRACE_FUNC
|
||||
detect_boot_device
|
||||
mount -o remount,rw /boot
|
||||
rm -f /boot/kexec_key_devices.txt
|
||||
mount -o remount,ro /boot
|
||||
luks_secrets_cleanup
|
||||
unset LUKS
|
||||
continue
|
||||
fi
|
||||
|
||||
echo -e "\nChanging $luks_container LUKS encrypted disk passphrase to the new LUKS Disk Recovery Key passphrase..."
|
||||
if ! DO_WITH_DEBUG cryptsetup luksChangeKey "$luks_container" --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase; then
|
||||
whiptail --title 'Failed to change LUKS passphrase' --msgbox \
|
||||
"Failed to change the passphrase for $luks_container.\nPlease try again." 0 80
|
||||
continue
|
||||
fi
|
||||
|
||||
echo "Success changing passphrase for $luks_container."
|
||||
changed_containers=$((changed_containers + 1))
|
||||
done
|
||||
|
||||
if [ $changed_containers -eq $num_containers ]; then
|
||||
# All containers processed successfully
|
||||
luks_current_Disk_Recovery_Key_passphrase=$luks_new_Disk_Recovery_Key_passphrase
|
||||
export luks_current_Disk_Recovery_Key_passphrase
|
||||
export luks_new_Disk_Recovery_Key_passphrase
|
||||
export LUKS
|
||||
fi
|
||||
}
|
||||
|
||||
luks_secrets_cleanup()
|
||||
{
|
||||
TRACE_FUNC
|
||||
|
||||
#Cleanup
|
||||
shred -n 10 -z -u /tmp/luks_new_Disk_Recovery_Key_passphrase 2>/dev/null || true
|
||||
shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null || true
|
||||
|
||||
#Unset variables (when in same boot)
|
||||
unset luks_current_Disk_Recovery_Key_passphrase
|
||||
unset luks_new_Disk_Recovery_Key_passphrase
|
||||
|
||||
#TODO: refactor logic of selec_luks_conatainer, where to put
|
||||
#unset LUKS
|
||||
}
|
||||
|
@ -103,10 +103,12 @@ fi
|
||||
|
||||
#Specify whiptail background colors cues under FBWhiptail only
|
||||
if [ -x /bin/fbwhiptail ]; then
|
||||
DEBUG "fbwhiptail BG_COLOR_* exported"
|
||||
export BG_COLOR_WARNING="${CONFIG_WARNING_BG_COLOR:-"--background-gradient 0 0 0 150 125 0"}"
|
||||
export BG_COLOR_ERROR="${CONFIG_ERROR_BG_COLOR:-"--background-gradient 0 0 0 150 0 0"}"
|
||||
export BG_COLOR_MAIN_MENU="normal"
|
||||
else
|
||||
DEBUG "whiptail TEXT_BG_COLOR_* exported"
|
||||
export TEXT_BG_COLOR_WARNING="${CONFIG_WARNING_TEXT_BG_COLOR:-"yellow"}"
|
||||
export TEXT_BG_COLOR_ERROR="${CONFIG_ERROR_TEXT_BG_COLOR:-"red"}"
|
||||
export BG_COLOR_MAIN_MENU="normal"
|
||||
|
@ -2,11 +2,11 @@ modules-$(CONFIG_CRYPTSETUP2) += cryptsetup2
|
||||
|
||||
cryptsetup2_depends := util-linux popt lvm2 json-c $(musl_dep)
|
||||
|
||||
cryptsetup2_version := 2.3.3
|
||||
cryptsetup2_version := 2.6.1
|
||||
cryptsetup2_dir := cryptsetup-$(cryptsetup2_version)
|
||||
cryptsetup2_tar := cryptsetup-$(cryptsetup2_version).tar.xz
|
||||
cryptsetup2_url := https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/cryptsetup-$(cryptsetup2_version).tar.xz
|
||||
cryptsetup2_hash := 3bca4ffe39e2f94cef50f6ea65acb873a6dbce5db34fc6bcefe38b6d095e82df
|
||||
cryptsetup2_url := https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-$(cryptsetup2_version).tar.xz
|
||||
cryptsetup2_hash := 410ded65a1072ab9c8e41added37b9729c087fef4d2db02bb4ef529ad6da4693
|
||||
|
||||
# Use an empty prefix so that the executables will not include the
|
||||
# build path.
|
||||
@ -16,9 +16,15 @@ cryptsetup2_configure := \
|
||||
./configure \
|
||||
--host $(MUSL_ARCH)-elf-linux \
|
||||
--prefix "/" \
|
||||
--disable-gcrypt-pbkdf2 \
|
||||
--enable-internal-sse-argon2 \
|
||||
--disable-rpath \
|
||||
--enable-cryptsetup-reencrypt \
|
||||
--disable-gcrypt-pbkdf2 \
|
||||
--disable-ssh-token \
|
||||
--disable-asciidoc \
|
||||
--disable-nls \
|
||||
--disable-selinux \
|
||||
--disable-udev \
|
||||
--disable-external-tokens \
|
||||
--with-crypto_backend=kernel \
|
||||
--with-tmpfilesdir=$(INSTALL)/lib/tmpfiles.d
|
||||
|
||||
@ -33,7 +39,6 @@ cryptsetup2_target := \
|
||||
|
||||
cryptsetup2_output := \
|
||||
.libs/cryptsetup \
|
||||
.libs/cryptsetup-reencrypt \
|
||||
.libs/veritysetup \
|
||||
|
||||
cryptsetup2_libraries := \
|
||||
|
19
modules/libaio
Normal file
19
modules/libaio
Normal file
@ -0,0 +1,19 @@
|
||||
modules-$(CONFIG_LVM2) += libaio
|
||||
|
||||
libaio_version := 0.3.113
|
||||
libaio_dir := libaio-$(libaio_version)
|
||||
libaio_tar := libaio_$(libaio_version).orig.tar.gz
|
||||
libaio_url := https://deb.debian.org/debian/pool/main/liba/libaio/$(libaio_tar)
|
||||
libaio_hash := 2c44d1c5fd0d43752287c9ae1eb9c023f04ef848ea8d4aafa46e9aedb678200b
|
||||
|
||||
libaio_target := \
|
||||
DESTDIR="$(INSTALL)" \
|
||||
prefix="/" \
|
||||
$(CROSS_TOOLS) \
|
||||
install \
|
||||
&& mv $(build)/$(libaio_dir)/src/libaio.so.1.0.2 $(build)/$(libaio_dir)/src/libaio.so.1 \
|
||||
|
||||
libaio_libraries:= src/libaio.so.1
|
||||
|
||||
libaio_depends := $(musl_dep)
|
||||
|
42
modules/lvm2
42
modules/lvm2
@ -1,37 +1,39 @@
|
||||
modules-$(CONFIG_LVM2) += lvm2
|
||||
|
||||
lvm2_version := 2.02.168
|
||||
lvm2_version := 2.03.23
|
||||
lvm2_dir := lvm2.$(lvm2_version)
|
||||
lvm2_tar := LVM2.$(lvm2_version).tgz
|
||||
lvm2_url := https://mirrors.kernel.org/sourceware/lvm2/$(lvm2_tar)
|
||||
lvm2_hash := 23a3d1cddd41b3ef51812ebf83e9fa491f502fe74130d4263be327a91914660d
|
||||
lvm2_hash := 74e794a9e9dee1bcf8a2065f65b9196c44fdf321e22d63b98ed7de8c9aa17a5d
|
||||
|
||||
# cross compiling test assumes malloc/realloc aren't glibc compat
|
||||
# so we force it via the configure cache.
|
||||
lvm2_configure := \
|
||||
$(CROSS_TOOLS) \
|
||||
CFLAGS="-Os" \
|
||||
PKG_CONFIG=/bin/false \
|
||||
MODPROBE_CMD=/bin/false \
|
||||
ac_cv_func_malloc_0_nonnull=yes \
|
||||
ac_cv_func_realloc_0_nonnull=yes \
|
||||
./configure \
|
||||
--host $(MUSL_ARCH)-elf-linux \
|
||||
--prefix "/" \
|
||||
--disable-blkid_wiping \
|
||||
--disable-cache_check_needs_check \
|
||||
--disable-cmirrord \
|
||||
--disable-dmeventd \
|
||||
--disable-lvmetad \
|
||||
--disable-lvmpolld \
|
||||
--disable-realtime \
|
||||
--prefix "" \
|
||||
--libexecdir "/bin" \
|
||||
--with-optimisation=-Os \
|
||||
--enable-devmapper \
|
||||
--disable-selinux \
|
||||
--disable-thin_check_needs_check \
|
||||
--disable-udev-systemd-background-jobs \
|
||||
--disable-use-lvmetad \
|
||||
--without-systemd \
|
||||
--disable-lvmimportvdo \
|
||||
--disable-realtime \
|
||||
--disable-dmfilemapd \
|
||||
--disable-dmeventd \
|
||||
--disable-lvmpolld \
|
||||
--disable-readline \
|
||||
--disable-udev_sync \
|
||||
--enable-static_link \
|
||||
--disable-use-lvmlockd \
|
||||
--disable-use-lvmpolld \
|
||||
--enable-devmapper \
|
||||
--disable-dmfilemapd \
|
||||
--disable-cmirrord \
|
||||
--disable-cache_check_needs_check \
|
||||
--disable-thin_check_needs_check \
|
||||
--with-cluster=none \
|
||||
--with-thin-check= \
|
||||
|
||||
@ -49,10 +51,10 @@ lvm2_target := \
|
||||
DESTDIR="$(INSTALL)" \
|
||||
install_device-mapper \
|
||||
|
||||
lvm2_libraries := libdm/libdevmapper.so.1.02
|
||||
lvm2_libraries := libdm/ioctl/libdevmapper.so.1.02
|
||||
|
||||
lvm2_output := \
|
||||
tools/dmsetup \
|
||||
./libdm/dm-tools/dmsetup \
|
||||
tools/lvm \
|
||||
|
||||
lvm2_depends := util-linux $(musl_dep)
|
||||
lvm2_depends := util-linux libaio $(musl_dep)
|
||||
|
@ -1,10 +1,10 @@
|
||||
modules-$(CONFIG_UTIL_LINUX) += util-linux
|
||||
|
||||
util-linux_version := 2.29.2
|
||||
util-linux_version := 2.39
|
||||
util-linux_dir := util-linux-$(util-linux_version)
|
||||
util-linux_tar := util-linux-$(util-linux_version).tar.xz
|
||||
util-linux_url := https://www.kernel.org/pub/linux/utils/util-linux/v2.29/$(util-linux_tar)
|
||||
util-linux_hash := accea4d678209f97f634f40a93b7e9fcad5915d1f4749f6c47bee6bf110fe8e3
|
||||
util-linux_url := https://www.kernel.org/pub/linux/utils/util-linux/v2.39/$(util-linux_tar)
|
||||
util-linux_hash := 32b30a336cda903182ed61feb3e9b908b762a5e66fe14e43efb88d37162075cb
|
||||
|
||||
util-linux_configure := \
|
||||
$(CROSS_TOOLS) \
|
||||
|
@ -1,7 +1,7 @@
|
||||
diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
--- cryptsetup-2.3.3-clean/configure 2020-06-10 14:05:45.784925972 +0200
|
||||
+++ cryptsetup-2.3.3/configure 2020-06-10 14:12:03.811651237 +0200
|
||||
@@ -10206,7 +10206,7 @@
|
||||
diff -u -r cryptsetup-2.4.3-clean/configure cryptsetup-2.4.3/configure
|
||||
--- cryptsetup-2.4.3-clean/configure 2022-01-13 17:24:34.000000000 +0800
|
||||
+++ cryptsetup-2.4.3/configure 2022-01-16 14:08:37.088258763 +0800
|
||||
@@ -11056,7 +11056,7 @@
|
||||
hardcode_automatic=no
|
||||
hardcode_direct=no
|
||||
hardcode_direct_absolute=no
|
||||
@ -10,7 +10,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
hardcode_libdir_separator=
|
||||
hardcode_minus_L=no
|
||||
hardcode_shlibpath_var=unsupported
|
||||
@@ -10290,7 +10290,7 @@
|
||||
@@ -11140,7 +11140,7 @@
|
||||
# are reset later if shared libraries are not supported. Putting them
|
||||
# here allows them to be overridden if necessary.
|
||||
runpath_var=LD_RUN_PATH
|
||||
@ -19,7 +19,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
export_dynamic_flag_spec='$wl--export-dynamic'
|
||||
# ancient GNU ld didn't support --whole-archive et. al.
|
||||
if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then
|
||||
@@ -10336,7 +10336,7 @@
|
||||
@@ -11186,7 +11186,7 @@
|
||||
;;
|
||||
m68k)
|
||||
archive_cmds='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
|
||||
@ -28,7 +28,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
hardcode_minus_L=yes
|
||||
;;
|
||||
esac
|
||||
@@ -10356,7 +10356,7 @@
|
||||
@@ -11206,7 +11206,7 @@
|
||||
cygwin* | mingw* | pw32* | cegcc*)
|
||||
# _LT_TAGVAR(hardcode_libdir_flag_spec, ) is actually meaningless,
|
||||
# as there is no search path for DLLs.
|
||||
@ -37,7 +37,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
export_dynamic_flag_spec='$wl--export-all-symbols'
|
||||
allow_undefined_flag=unsupported
|
||||
always_export_symbols=no
|
||||
@@ -10386,7 +10386,7 @@
|
||||
@@ -11236,7 +11236,7 @@
|
||||
;;
|
||||
|
||||
os2*)
|
||||
@ -46,7 +46,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
hardcode_minus_L=yes
|
||||
allow_undefined_flag=unsupported
|
||||
shrext_cmds=.dll
|
||||
@@ -10416,7 +10416,7 @@
|
||||
@@ -11266,7 +11266,7 @@
|
||||
interix[3-9]*)
|
||||
hardcode_direct=no
|
||||
hardcode_shlibpath_var=no
|
||||
@ -55,7 +55,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
export_dynamic_flag_spec='$wl-E'
|
||||
# Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
|
||||
# Instead, shared libraries are loaded at an image base (0x10000000 by
|
||||
@@ -10492,7 +10492,7 @@
|
||||
@@ -11342,7 +11342,7 @@
|
||||
xlf* | bgf* | bgxlf* | mpixlf*)
|
||||
# IBM XL Fortran 10.1 on PPC cannot create shared libs itself
|
||||
whole_archive_flag_spec='--whole-archive$convenience --no-whole-archive'
|
||||
@ -64,7 +64,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
archive_cmds='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib'
|
||||
if test yes = "$supports_anon_versioning"; then
|
||||
archive_expsym_cmds='echo "{ global:" > $output_objdir/$libname.ver~
|
||||
@@ -10559,7 +10559,7 @@
|
||||
@@ -11409,7 +11409,7 @@
|
||||
# DT_RUNPATH tag from executables and libraries. But doing so
|
||||
# requires that you compile everything twice, which is a pain.
|
||||
if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
|
||||
@ -73,7 +73,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib'
|
||||
archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib'
|
||||
else
|
||||
@@ -10588,7 +10588,7 @@
|
||||
@@ -11438,7 +11438,7 @@
|
||||
|
||||
if test no = "$ld_shlibs"; then
|
||||
runpath_var=
|
||||
@ -82,7 +82,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
export_dynamic_flag_spec=
|
||||
whole_archive_flag_spec=
|
||||
fi
|
||||
@@ -10706,7 +10706,7 @@
|
||||
@@ -11556,7 +11556,7 @@
|
||||
# path is not listed in the libpath. Setting hardcode_minus_L
|
||||
# to unsupported forces relinking
|
||||
hardcode_minus_L=yes
|
||||
@ -91,7 +91,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
hardcode_libdir_separator=
|
||||
fi
|
||||
;;
|
||||
@@ -10790,11 +10790,11 @@
|
||||
@@ -11642,11 +11642,11 @@
|
||||
aix_libpath=$lt_cv_aix_libpath_
|
||||
fi
|
||||
|
||||
@ -105,7 +105,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
allow_undefined_flag="-z nodefs"
|
||||
archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\$wl$no_entry_flag"' $compiler_flags $wl$allow_undefined_flag '"\$wl$exp_sym_flag:\$export_symbols"
|
||||
else
|
||||
@@ -10843,7 +10843,7 @@
|
||||
@@ -11697,7 +11697,7 @@
|
||||
aix_libpath=$lt_cv_aix_libpath_
|
||||
fi
|
||||
|
||||
@ -114,7 +114,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
# Warning - without using the other run time loading flags,
|
||||
# -berok will link without error, but may produce a broken library.
|
||||
no_undefined_flag=' $wl-bernotok'
|
||||
@@ -10883,7 +10883,7 @@
|
||||
@@ -11737,7 +11737,7 @@
|
||||
;;
|
||||
m68k)
|
||||
archive_cmds='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
|
||||
@ -123,25 +123,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
hardcode_minus_L=yes
|
||||
;;
|
||||
esac
|
||||
@@ -10901,7 +10901,7 @@
|
||||
case $cc_basename in
|
||||
cl*)
|
||||
# Native MSVC
|
||||
- hardcode_libdir_flag_spec=' '
|
||||
+ hardcode_libdir_flag_spec=" "
|
||||
allow_undefined_flag=unsupported
|
||||
always_export_symbols=yes
|
||||
file_list_spec='@'
|
||||
@@ -10942,7 +10942,7 @@
|
||||
;;
|
||||
*)
|
||||
# Assume MSVC wrapper
|
||||
- hardcode_libdir_flag_spec=' '
|
||||
+ hardcode_libdir_flag_spec=" "
|
||||
allow_undefined_flag=unsupported
|
||||
# Tell ltmain to make .lib files, not .a files.
|
||||
libext=lib
|
||||
@@ -10993,7 +10993,7 @@
|
||||
@@ -11847,7 +11847,7 @@
|
||||
|
||||
dgux*)
|
||||
archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
|
||||
@ -150,7 +132,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
hardcode_shlibpath_var=no
|
||||
;;
|
||||
|
||||
@@ -11003,7 +11003,7 @@
|
||||
@@ -11857,7 +11857,7 @@
|
||||
# extra space).
|
||||
freebsd2.2*)
|
||||
archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
|
||||
@ -159,16 +141,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
hardcode_direct=yes
|
||||
hardcode_shlibpath_var=no
|
||||
;;
|
||||
@@ -11019,7 +11019,7 @@
|
||||
# FreeBSD 3 and greater uses gcc -shared to do shared libraries.
|
||||
freebsd* | dragonfly*)
|
||||
archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
|
||||
- hardcode_libdir_flag_spec='-R$libdir'
|
||||
+ hardcode_libdir_flag_spec=" "
|
||||
hardcode_direct=yes
|
||||
hardcode_shlibpath_var=no
|
||||
;;
|
||||
@@ -11030,7 +11030,7 @@
|
||||
@@ -11884,7 +11884,7 @@
|
||||
else
|
||||
archive_cmds='$RM $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test "x$output_objdir/$soname" = "x$lib" || mv $output_objdir/$soname $lib'
|
||||
fi
|
||||
@ -177,7 +150,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
hardcode_libdir_separator=:
|
||||
hardcode_direct=yes
|
||||
|
||||
@@ -11047,7 +11047,7 @@
|
||||
@@ -11901,7 +11901,7 @@
|
||||
archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
|
||||
fi
|
||||
if test no = "$with_gnu_ld"; then
|
||||
@ -186,7 +159,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
hardcode_libdir_separator=:
|
||||
hardcode_direct=yes
|
||||
hardcode_direct_absolute=yes
|
||||
@@ -11124,7 +11124,7 @@
|
||||
@@ -11979,7 +11979,7 @@
|
||||
esac
|
||||
fi
|
||||
if test no = "$with_gnu_ld"; then
|
||||
@ -195,7 +168,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
hardcode_libdir_separator=:
|
||||
|
||||
case $host_cpu in
|
||||
@@ -11183,7 +11183,7 @@
|
||||
@@ -12040,7 +12040,7 @@
|
||||
archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -exports_file $export_symbols -o $lib'
|
||||
fi
|
||||
archive_cmds_need_lc='no'
|
||||
@ -204,7 +177,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
hardcode_libdir_separator=:
|
||||
inherit_rpath=yes
|
||||
link_all_deplibs=yes
|
||||
@@ -11205,7 +11205,7 @@
|
||||
@@ -12062,7 +12062,7 @@
|
||||
else
|
||||
archive_cmds='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF
|
||||
fi
|
||||
@ -213,7 +186,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
hardcode_direct=yes
|
||||
hardcode_shlibpath_var=no
|
||||
;;
|
||||
@@ -11213,7 +11213,7 @@
|
||||
@@ -12070,7 +12070,7 @@
|
||||
newsos6)
|
||||
archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
|
||||
hardcode_direct=yes
|
||||
@ -222,7 +195,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
hardcode_libdir_separator=:
|
||||
hardcode_shlibpath_var=no
|
||||
;;
|
||||
@@ -11229,11 +11229,11 @@
|
||||
@@ -12086,11 +12086,11 @@
|
||||
if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`"; then
|
||||
archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
|
||||
archive_expsym_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags $wl-retain-symbols-file,$export_symbols'
|
||||
@ -236,7 +209,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
fi
|
||||
else
|
||||
ld_shlibs=no
|
||||
@@ -11241,7 +11241,7 @@
|
||||
@@ -12098,7 +12098,7 @@
|
||||
;;
|
||||
|
||||
os2*)
|
||||
@ -245,7 +218,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
hardcode_minus_L=yes
|
||||
allow_undefined_flag=unsupported
|
||||
shrext_cmds=.dll
|
||||
@@ -11277,7 +11277,7 @@
|
||||
@@ -12134,7 +12134,7 @@
|
||||
archive_cmds='$CC -shared$allow_undefined_flag $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib'
|
||||
fi
|
||||
archive_cmds_need_lc='no'
|
||||
@ -254,7 +227,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
hardcode_libdir_separator=:
|
||||
;;
|
||||
|
||||
@@ -11285,7 +11285,7 @@
|
||||
@@ -12142,7 +12142,7 @@
|
||||
if test yes = "$GCC"; then
|
||||
allow_undefined_flag=' $wl-expect_unresolved $wl\*'
|
||||
archive_cmds='$CC -shared$allow_undefined_flag $pic_flag $libobjs $deplibs $compiler_flags $wl-msym $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations -o $lib'
|
||||
@ -263,7 +236,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
else
|
||||
allow_undefined_flag=' -expect_unresolved \*'
|
||||
archive_cmds='$CC -shared$allow_undefined_flag $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib'
|
||||
@@ -11293,7 +11293,7 @@
|
||||
@@ -12150,7 +12150,7 @@
|
||||
$CC -shared$allow_undefined_flag $wl-input $wl$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib~$RM $lib.exp'
|
||||
|
||||
# Both c and cxx compiler support -rpath directly
|
||||
@ -272,7 +245,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
fi
|
||||
archive_cmds_need_lc='no'
|
||||
hardcode_libdir_separator=:
|
||||
@@ -11322,7 +11322,7 @@
|
||||
@@ -12179,7 +12179,7 @@
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
@ -281,7 +254,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
hardcode_shlibpath_var=no
|
||||
case $host_os in
|
||||
solaris2.[0-5] | solaris2.[0-5].*) ;;
|
||||
@@ -11349,7 +11349,7 @@
|
||||
@@ -12206,7 +12206,7 @@
|
||||
else
|
||||
archive_cmds='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
|
||||
fi
|
||||
@ -290,7 +263,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
hardcode_direct=yes
|
||||
hardcode_minus_L=yes
|
||||
hardcode_shlibpath_var=no
|
||||
@@ -11419,7 +11419,7 @@
|
||||
@@ -12276,7 +12276,7 @@
|
||||
allow_undefined_flag='$wl-z,nodefs'
|
||||
archive_cmds_need_lc=no
|
||||
hardcode_shlibpath_var=no
|
||||
@ -299,7 +272,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
hardcode_libdir_separator=':'
|
||||
link_all_deplibs=yes
|
||||
export_dynamic_flag_spec='$wl-Bexport'
|
||||
@@ -11436,7 +11436,7 @@
|
||||
@@ -12293,7 +12293,7 @@
|
||||
|
||||
uts4*)
|
||||
archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
|
||||
@ -308,7 +281,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
hardcode_shlibpath_var=no
|
||||
;;
|
||||
|
||||
@@ -11804,7 +11804,7 @@
|
||||
@@ -12662,7 +12662,7 @@
|
||||
version_type=linux # correct to gnu/linux during the next big refactor
|
||||
need_lib_prefix=no
|
||||
need_version=no
|
||||
@ -317,7 +290,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
if test ia64 = "$host_cpu"; then
|
||||
# AIX 5 supports IA64
|
||||
library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext'
|
||||
@@ -12094,16 +12094,16 @@
|
||||
@@ -12952,16 +12952,16 @@
|
||||
;;
|
||||
freebsd3.[01]* | freebsdelf3.[01]*)
|
||||
shlibpath_overrides_runpath=yes
|
||||
@ -337,7 +310,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
@@ -12118,7 +12118,7 @@
|
||||
@@ -12976,7 +12976,7 @@
|
||||
shlibpath_var=LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=no
|
||||
sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib'
|
||||
@ -346,7 +319,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
;;
|
||||
|
||||
hpux9* | hpux10* | hpux11*)
|
||||
@@ -12130,7 +12130,7 @@
|
||||
@@ -12988,7 +12988,7 @@
|
||||
case $host_cpu in
|
||||
ia64*)
|
||||
shrext_cmds='.so'
|
||||
@ -355,7 +328,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
dynamic_linker="$host_os dld.so"
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
|
||||
@@ -12146,7 +12146,7 @@
|
||||
@@ -13004,7 +13004,7 @@
|
||||
;;
|
||||
hppa*64*)
|
||||
shrext_cmds='.sl'
|
||||
@ -364,7 +337,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
dynamic_linker="$host_os dld.sl"
|
||||
shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
|
||||
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
|
||||
@@ -12179,7 +12179,7 @@
|
||||
@@ -13037,7 +13037,7 @@
|
||||
dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=no
|
||||
@ -373,7 +346,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
;;
|
||||
|
||||
irix5* | irix6* | nonstopux*)
|
||||
@@ -12216,7 +12216,7 @@
|
||||
@@ -13074,7 +13074,7 @@
|
||||
shlibpath_overrides_runpath=no
|
||||
sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff"
|
||||
sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff"
|
||||
@ -382,7 +355,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
;;
|
||||
|
||||
# No shared lib support for Linux oldld, aout, or coff.
|
||||
@@ -12237,11 +12237,11 @@
|
||||
@@ -13095,11 +13095,11 @@
|
||||
# This implies no fast_install, which is unacceptable.
|
||||
# Some rework will be needed to allow for fast_install
|
||||
# before this can be enabled.
|
||||
@ -396,7 +369,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
;;
|
||||
|
||||
# This must be glibc/ELF.
|
||||
@@ -12292,7 +12292,7 @@
|
||||
@@ -13153,7 +13153,7 @@
|
||||
# This implies no fast_install, which is unacceptable.
|
||||
# Some rework will be needed to allow for fast_install
|
||||
# before this can be enabled.
|
||||
@ -405,7 +378,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
|
||||
# Ideally, we could use ldconfig to report *all* directores which are
|
||||
# searched for libraries, however this is still not possible. Aside from not
|
||||
@@ -12322,7 +12322,7 @@
|
||||
@@ -13183,7 +13183,7 @@
|
||||
soname_spec='${libname}${release}${shared_ext}$major'
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=no
|
||||
@ -414,7 +387,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
dynamic_linker='NetBSD ld.elf_so'
|
||||
;;
|
||||
|
||||
@@ -12341,7 +12341,7 @@
|
||||
@@ -13202,7 +13202,7 @@
|
||||
fi
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=yes
|
||||
@ -423,7 +396,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
;;
|
||||
|
||||
newsos6)
|
||||
@@ -12359,7 +12359,7 @@
|
||||
@@ -13220,7 +13220,7 @@
|
||||
soname_spec='$libname$release$shared_ext$major'
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=no
|
||||
@ -432,7 +405,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
dynamic_linker='ldqnx.so'
|
||||
;;
|
||||
|
||||
@@ -12431,7 +12431,7 @@
|
||||
@@ -13292,7 +13292,7 @@
|
||||
soname_spec='$libname$release$shared_ext$major'
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=yes
|
||||
@ -441,7 +414,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
# ldd complains unless libraries are executable
|
||||
postinstall_cmds='chmod +x $lib'
|
||||
;;
|
||||
@@ -12488,7 +12488,7 @@
|
||||
@@ -13349,7 +13349,7 @@
|
||||
soname_spec='$libname$release$shared_ext$major'
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=yes
|
||||
@ -450,7 +423,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
if test yes = "$with_gnu_ld"; then
|
||||
sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
|
||||
else
|
||||
@@ -12510,7 +12510,7 @@
|
||||
@@ -13371,7 +13371,7 @@
|
||||
library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=no
|
||||
@ -459,7 +432,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
;;
|
||||
|
||||
uts4*)
|
||||
@@ -13610,7 +13610,7 @@
|
||||
@@ -14490,7 +14490,7 @@
|
||||
acl_shlibext="$acl_cv_shlibext"
|
||||
acl_libname_spec="$acl_cv_libname_spec"
|
||||
acl_library_names_spec="$acl_cv_library_names_spec"
|
||||
@ -468,7 +441,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
acl_hardcode_libdir_separator="$acl_cv_hardcode_libdir_separator"
|
||||
acl_hardcode_direct="$acl_cv_hardcode_direct"
|
||||
acl_hardcode_minus_L="$acl_cv_hardcode_minus_L"
|
||||
@@ -21296,7 +21296,7 @@
|
||||
@@ -22538,7 +22538,7 @@
|
||||
with_gnu_ld='`$ECHO "$with_gnu_ld" | $SED "$delay_single_quote_subst"`'
|
||||
allow_undefined_flag='`$ECHO "$allow_undefined_flag" | $SED "$delay_single_quote_subst"`'
|
||||
no_undefined_flag='`$ECHO "$no_undefined_flag" | $SED "$delay_single_quote_subst"`'
|
||||
@ -477,7 +450,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
hardcode_libdir_separator='`$ECHO "$hardcode_libdir_separator" | $SED "$delay_single_quote_subst"`'
|
||||
hardcode_direct='`$ECHO "$hardcode_direct" | $SED "$delay_single_quote_subst"`'
|
||||
hardcode_direct_absolute='`$ECHO "$hardcode_direct_absolute" | $SED "$delay_single_quote_subst"`'
|
||||
@@ -21327,7 +21327,7 @@
|
||||
@@ -22569,7 +22569,7 @@
|
||||
postuninstall_cmds='`$ECHO "$postuninstall_cmds" | $SED "$delay_single_quote_subst"`'
|
||||
finish_cmds='`$ECHO "$finish_cmds" | $SED "$delay_single_quote_subst"`'
|
||||
finish_eval='`$ECHO "$finish_eval" | $SED "$delay_single_quote_subst"`'
|
||||
@ -486,7 +459,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
sys_lib_search_path_spec='`$ECHO "$sys_lib_search_path_spec" | $SED "$delay_single_quote_subst"`'
|
||||
configure_time_dlsearch_path='`$ECHO "$configure_time_dlsearch_path" | $SED "$delay_single_quote_subst"`'
|
||||
configure_time_lt_sys_library_path='`$ECHO "$configure_time_lt_sys_library_path" | $SED "$delay_single_quote_subst"`'
|
||||
@@ -22485,7 +22485,7 @@
|
||||
@@ -23727,7 +23727,7 @@
|
||||
finish_eval=$lt_finish_eval
|
||||
|
||||
# Whether we should hardcode library paths into libraries.
|
||||
@ -495,7 +468,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
|
||||
# Compile-time system search path for libraries.
|
||||
sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
|
||||
@@ -22582,7 +22582,7 @@
|
||||
@@ -23824,7 +23824,7 @@
|
||||
|
||||
# Flag to hardcode \$libdir into a binary during linking.
|
||||
# This must work even if \$libdir does not exist
|
||||
@ -504,10 +477,10 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
|
||||
|
||||
# Whether we need a single "-rpath" flag with a separated argument.
|
||||
hardcode_libdir_separator=$lt_hardcode_libdir_separator
|
||||
diff -u -r cryptsetup-2.3.3-clean/Makefile.in cryptsetup-2.3.3/Makefile.in
|
||||
--- cryptsetup-2.3.3-clean/Makefile.in 2020-06-10 14:05:45.781594282 +0200
|
||||
+++ cryptsetup-2.3.3/Makefile.in 2020-06-10 14:30:09.512375745 +0200
|
||||
@@ -1032,6 +1032,8 @@
|
||||
diff -u -r cryptsetup-2.4.3-clean/Makefile.in cryptsetup-2.4.3/Makefile.in
|
||||
--- cryptsetup-2.4.3-clean/Makefile.in 2022-01-13 17:24:33.000000000 +0800
|
||||
+++ cryptsetup-2.4.3/Makefile.in 2022-01-16 14:08:37.096258854 +0800
|
||||
@@ -1115,6 +1115,8 @@
|
||||
@CRYPTSETUP_TRUE@cryptsetup_LDADD = $(LDADD) \
|
||||
@CRYPTSETUP_TRUE@ libcryptsetup.la \
|
||||
@CRYPTSETUP_TRUE@ @POPT_LIBS@ \
|
||||
@ -516,31 +489,218 @@ diff -u -r cryptsetup-2.3.3-clean/Makefile.in cryptsetup-2.3.3/Makefile.in
|
||||
@CRYPTSETUP_TRUE@ @PWQUALITY_LIBS@ \
|
||||
@CRYPTSETUP_TRUE@ @PASSWDQC_LIBS@ \
|
||||
@CRYPTSETUP_TRUE@ @UUID_LIBS@ \
|
||||
@@ -1060,6 +1062,9 @@
|
||||
@@ -1147,6 +1149,9 @@
|
||||
@VERITYSETUP_TRUE@veritysetup_LDADD = $(LDADD) \
|
||||
@VERITYSETUP_TRUE@ libcryptsetup.la \
|
||||
@VERITYSETUP_TRUE@ @POPT_LIBS@ \
|
||||
+@VERITYSETUP_TRUE@ @UUID_LIBS@ \
|
||||
+@VERITYSETUP_TRUE@ @DEVMAPPER_LIBS@ \
|
||||
+@VERITYSETUP_TRUE@ @JSON_C_LIBS@ \
|
||||
@VERITYSETUP_TRUE@ @PWQUALITY_LIBS@ \
|
||||
@VERITYSETUP_TRUE@ @PASSWDQC_LIBS@ \
|
||||
+@VERITYSETUP_TRUE@ @UUID_LIBS@ \
|
||||
+@VERITYSETUP_TRUE@ @DEVMAPPER_LIBS@ \
|
||||
+@VERITYSETUP_TRUE@ @JSON_C_LIBS@ \
|
||||
@VERITYSETUP_TRUE@ @BLKID_LIBS@
|
||||
@@ -1093,6 +1093,8 @@
|
||||
|
||||
@STATIC_TOOLS_TRUE@@VERITYSETUP_TRUE@veritysetup_static_SOURCES = $(veritysetup_SOURCES)
|
||||
@@ -1177,6 +1182,8 @@
|
||||
@INTEGRITYSETUP_TRUE@ libcryptsetup.la \
|
||||
@INTEGRITYSETUP_TRUE@ @POPT_LIBS@ \
|
||||
@INTEGRITYSETUP_TRUE@ @UUID_LIBS@ \
|
||||
+@INTEGRITYSETUP_TRUE@ @DEVMAPPER_LIBS@ \
|
||||
+@INTEGRITYSETUP_TRUE@ @JSON_C_LIBS@ \
|
||||
@INTEGRITYSETUP_TRUE@ @BLKID_LIBS@
|
||||
|
||||
@INTEGRITYSETUP_TRUE@@STATIC_TOOLS_TRUE@integritysetup_static_SOURCES = $(integritysetup_SOURCES)
|
||||
@@ -1122,6 +1122,8 @@
|
||||
@REENCRYPT_TRUE@ @POPT_LIBS@ \
|
||||
@REENCRYPT_TRUE@ @PWQUALITY_LIBS@ \
|
||||
@REENCRYPT_TRUE@ @PASSWDQC_LIBS@ \
|
||||
+@REENCRYPT_TRUE@ @DEVMAPPER_LIBS@ \
|
||||
+@REENCRYPT_TRUE@ @JSON_C_LIBS@ \
|
||||
@REENCRYPT_TRUE@ @UUID_LIBS@ \
|
||||
@REENCRYPT_TRUE@ @BLKID_LIBS@
|
||||
|
||||
@INTEGRITYSETUP_TRUE@@STATIC_TOOLS_TRUE@integritysetup_static_SOURCES = $(integritysetup_SOURCES)
|
||||
|
||||
--- ./configure.orig 2023-11-26 14:22:30.912000000 -0500
|
||||
+++ ./configure 2023-11-26 14:26:21.714000000 -0500
|
||||
@@ -12336,7 +12336,7 @@
|
||||
|
||||
case $cc_basename in
|
||||
tcc*)
|
||||
- hardcode_libdir_flag_spec='$wl-rpath $wl$libdir'
|
||||
+ hardcode_libdir_flag_spec=" "
|
||||
export_dynamic_flag_spec='-rdynamic'
|
||||
;;
|
||||
xlf* | bgf* | bgxlf* | mpixlf*)
|
||||
@@ -12755,7 +12755,7 @@
|
||||
case $cc_basename in
|
||||
cl* | icl*)
|
||||
# Native MSVC or ICC
|
||||
- hardcode_libdir_flag_spec=' '
|
||||
+ hardcode_libdir_flag_spec=" "
|
||||
allow_undefined_flag=unsupported
|
||||
always_export_symbols=yes
|
||||
file_list_spec='@'
|
||||
@@ -12796,7 +12796,7 @@
|
||||
;;
|
||||
*)
|
||||
# Assume MSVC and ICC wrapper
|
||||
- hardcode_libdir_flag_spec=' '
|
||||
+ hardcode_libdir_flag_spec=" "
|
||||
allow_undefined_flag=unsupported
|
||||
# Tell ltmain to make .lib files, not .a files.
|
||||
libext=lib
|
||||
@@ -12873,7 +12873,7 @@
|
||||
# FreeBSD 3 and greater uses gcc -shared to do shared libraries.
|
||||
freebsd* | dragonfly* | midnightbsd*)
|
||||
archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
|
||||
- hardcode_libdir_flag_spec='-R$libdir'
|
||||
+ hardcode_libdir_flag_spec=" "
|
||||
hardcode_direct=yes
|
||||
hardcode_shlibpath_var=no
|
||||
;;
|
||||
@@ -13052,7 +13052,7 @@
|
||||
# Fabrice Bellard et al's Tiny C Compiler
|
||||
ld_shlibs=yes
|
||||
archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
|
||||
- hardcode_libdir_flag_spec='$wl-rpath $wl$libdir'
|
||||
+ hardcode_libdir_flag_spec=" "
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
--- ./configure.mod 2023-11-26 14:46:49.779000000 -0500
|
||||
+++ ./configure 2023-11-26 14:47:56.962000000 -0500
|
||||
@@ -17670,7 +17670,7 @@
|
||||
version_type=linux # correct to gnu/linux during the next big refactor
|
||||
need_lib_prefix=no
|
||||
need_version=no
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
if test ia64 = "$host_cpu"; then
|
||||
# AIX 5 supports IA64
|
||||
library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext'
|
||||
@@ -17958,16 +17958,16 @@
|
||||
;;
|
||||
freebsd3.[01]* | freebsdelf3.[01]*)
|
||||
shlibpath_overrides_runpath=yes
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
|
||||
freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
|
||||
shlibpath_overrides_runpath=no
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
*) # from 4.6 on, and DragonFly
|
||||
shlibpath_overrides_runpath=yes
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
@@ -17982,7 +17982,7 @@
|
||||
shlibpath_var=LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=no
|
||||
sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib'
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
|
||||
hpux9* | hpux10* | hpux11*)
|
||||
@@ -17994,7 +17994,7 @@
|
||||
case $host_cpu in
|
||||
ia64*)
|
||||
shrext_cmds='.so'
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
dynamic_linker="$host_os dld.so"
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
|
||||
@@ -18010,7 +18010,7 @@
|
||||
;;
|
||||
hppa*64*)
|
||||
shrext_cmds='.sl'
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
dynamic_linker="$host_os dld.sl"
|
||||
shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
|
||||
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
|
||||
@@ -18043,7 +18043,7 @@
|
||||
dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=no
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
|
||||
irix5* | irix6* | nonstopux*)
|
||||
@@ -18080,7 +18080,7 @@
|
||||
shlibpath_overrides_runpath=no
|
||||
sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff"
|
||||
sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff"
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
|
||||
# No shared lib support for Linux oldld, aout, or coff.
|
||||
@@ -18101,7 +18101,7 @@
|
||||
# This implies no fast_install, which is unacceptable.
|
||||
# Some rework will be needed to allow for fast_install
|
||||
# before this can be enabled.
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
|
||||
dynamic_linker='Android linker'
|
||||
# Don't embed -rpath directories since the linker doesn't support them.
|
||||
@@ -18159,7 +18159,7 @@
|
||||
# This implies no fast_install, which is unacceptable.
|
||||
# Some rework will be needed to allow for fast_install
|
||||
# before this can be enabled.
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
|
||||
# Ideally, we could use ldconfig to report *all* directores which are
|
||||
# searched for libraries, however this is still not possible. Aside from not
|
||||
@@ -18189,7 +18189,7 @@
|
||||
soname_spec='${libname}${release}${shared_ext}$major'
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=no
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
dynamic_linker='NetBSD ld.elf_so'
|
||||
;;
|
||||
|
||||
@@ -18208,7 +18208,7 @@
|
||||
fi
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=yes
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
|
||||
newsos6)
|
||||
@@ -18226,7 +18226,7 @@
|
||||
soname_spec='$libname$release$shared_ext$major'
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=no
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
dynamic_linker='ldqnx.so'
|
||||
;;
|
||||
|
||||
@@ -18298,7 +18298,7 @@
|
||||
soname_spec='$libname$release$shared_ext$major'
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=yes
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
# ldd complains unless libraries are executable
|
||||
postinstall_cmds='chmod +x $lib'
|
||||
;;
|
||||
@@ -18355,7 +18355,7 @@
|
||||
soname_spec='$libname$release$shared_ext$major'
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=yes
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
if test yes = "$with_gnu_ld"; then
|
||||
sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
|
||||
else
|
||||
@@ -18377,7 +18377,7 @@
|
||||
library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=no
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
|
||||
uts4*)
|
150
patches/lvm2-2.03.23.patch
Normal file
150
patches/lvm2-2.03.23.patch
Normal file
@ -0,0 +1,150 @@
|
||||
--- ./lib/mm/memlock.c.orig 2023-11-27 13:52:46.281000000 -0500
|
||||
+++ ./lib/mm/memlock.c 2023-11-27 13:56:35.656000000 -0500
|
||||
@@ -160,6 +160,7 @@
|
||||
|
||||
static void _allocate_memory(void)
|
||||
{
|
||||
+#if 0
|
||||
#if defined(__GLIBC__) && !defined(VALGRIND_POOL)
|
||||
/* Memory allocation is currently only tested with glibc
|
||||
* for different C libraries, some other mechanisms might be needed
|
||||
@@ -233,11 +234,14 @@
|
||||
for (i = 0; i < area; ++i)
|
||||
free(areas[i]);
|
||||
#endif
|
||||
+#endif
|
||||
}
|
||||
|
||||
static void _release_memory(void)
|
||||
{
|
||||
+#if 0
|
||||
free(_malloc_mem);
|
||||
+#endif
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -313,7 +317,7 @@
|
||||
|
||||
if (lock == LVM_MLOCK) {
|
||||
if (mlock((const void*)from, sz) < 0) {
|
||||
- log_sys_error("mlock", line);
|
||||
+ //log_sys_error("mlock", line);
|
||||
return 0;
|
||||
}
|
||||
} else {
|
||||
--- ./libdm/libdm-stats.c.orig 2023-11-27 13:59:40.677000000 -0500
|
||||
+++ ./libdm/libdm-stats.c 2023-11-27 14:07:28.655000000 -0500
|
||||
@@ -18,7 +18,23 @@
|
||||
#include "libdm/misc/dmlib.h"
|
||||
#include "libdm/misc/kdev_t.h"
|
||||
|
||||
+#if 0
|
||||
#include "math.h" /* log10() */
|
||||
+#else
|
||||
+static int ilog10(double x)
|
||||
+{
|
||||
+ int e = 0;
|
||||
+
|
||||
+ while(x > 10)
|
||||
+ {
|
||||
+ e++;
|
||||
+ x = x / 10;
|
||||
+ }
|
||||
+
|
||||
+ return e;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
|
||||
#include <sys/sysmacros.h>
|
||||
#include <sys/ioctl.h>
|
||||
@@ -556,7 +572,12 @@
|
||||
while(entry >= bins) {
|
||||
value = (double) (entry--)->upper;
|
||||
/* Use lround to avoid size_t -> double cast warning. */
|
||||
+#if 0
|
||||
hist_len += 1 + (size_t) lround(log10(value / scale));
|
||||
+#else
|
||||
+ hist_len += 1 + ilog10(value / scale);
|
||||
+#endif
|
||||
+
|
||||
if (entry != bins)
|
||||
hist_len++; /* ',' */
|
||||
}
|
||||
@@ -1863,7 +1884,12 @@
|
||||
i = dm_bit_get_first(regions);
|
||||
for (; i >= 0; i = dm_bit_get_next(regions, i)) {
|
||||
/* length of region_id or range start in characters */
|
||||
+#if 0
|
||||
id_len = (i) ? 1 + (size_t) log10(i) : 1;
|
||||
+#else
|
||||
+ id_len = (i) ? 1 + ilog10(i) : 1;
|
||||
+#endif
|
||||
+
|
||||
buflen += id_len;
|
||||
j = i;
|
||||
do
|
||||
@@ -1878,7 +1904,11 @@
|
||||
/* handle range */
|
||||
if (i != j) {
|
||||
/* j is always > i, which is always >= 0 */
|
||||
+#if 0
|
||||
id_len = 1 + (size_t) log10(j);
|
||||
+#else
|
||||
+ id_len = 1 + ilog10(j);
|
||||
+#endif
|
||||
buflen += id_len + 1; /* range end plus "-" */
|
||||
}
|
||||
buflen++;
|
||||
|
||||
--- ./tools/lvmcmdline.c.orig 2023-11-27 14:12:46.649000000 -0500
|
||||
+++ ./tools/lvmcmdline.c 2023-11-27 14:15:47.563000000 -0500
|
||||
@@ -3438,7 +3438,7 @@
|
||||
static int _check_standard_fds(void)
|
||||
{
|
||||
int err = is_valid_fd(STDERR_FILENO);
|
||||
-
|
||||
+#if 0
|
||||
if (!is_valid_fd(STDIN_FILENO) &&
|
||||
!(stdin = fopen(_PATH_DEVNULL, "r"))) {
|
||||
if (err)
|
||||
@@ -3463,7 +3463,7 @@
|
||||
strerror(errno));
|
||||
return 0;
|
||||
}
|
||||
-
|
||||
+#endif
|
||||
return 1;
|
||||
}
|
||||
|
||||
@@ -3644,7 +3644,7 @@
|
||||
*/
|
||||
dm_set_name_mangling_mode(DM_STRING_MANGLING_NONE);
|
||||
|
||||
- if (!(cmd = create_toolcontext(0, NULL, 1, threaded, set_connections, set_filters))) {
|
||||
+ if (!(cmd = create_toolcontext(0, NULL, 0, threaded, set_connections, set_filters))) {
|
||||
return_NULL;
|
||||
}
|
||||
|
||||
--- ./make.tmpl.orig 2023-11-28 13:29:11.744000000 -0500
|
||||
+++ ./make.tmpl.in 2023-11-28 13:29:36.716000000 -0500
|
||||
@@ -210,7 +210,7 @@
|
||||
M_INSTALL_PROGRAM = -m 555
|
||||
M_INSTALL_DATA = -m 444
|
||||
endif
|
||||
-INSTALL_PROGRAM = $(INSTALL) $(M_INSTALL_PROGRAM) $(STRIP)
|
||||
+INSTALL_PROGRAM = $(INSTALL) $(M_INSTALL_PROGRAM)
|
||||
INSTALL_DATA = $(INSTALL) -p $(M_INSTALL_DATA)
|
||||
INSTALL_WDATA = $(INSTALL) -p -m 644
|
||||
|
||||
--- ./libdm/make.tmpl.orig 2023-11-28 13:29:52.760000000 -0500
|
||||
+++ ./libdm/make.tmpl.in 2023-11-28 13:30:22.336000000 -0500
|
||||
@@ -173,7 +173,7 @@
|
||||
M_INSTALL_PROGRAM = -m 555
|
||||
M_INSTALL_DATA = -m 444
|
||||
endif
|
||||
-INSTALL_PROGRAM = $(INSTALL) $(M_INSTALL_PROGRAM) $(STRIP)
|
||||
+INSTALL_PROGRAM = $(INSTALL) $(M_INSTALL_PROGRAM)
|
||||
INSTALL_DATA = $(INSTALL) -p $(M_INSTALL_DATA)
|
||||
INSTALL_WDATA = $(INSTALL) -p -m 644
|
||||
|
@ -1,139 +0,0 @@
|
||||
--- ./configure 2017-02-22 07:07:46.595740152 -0500
|
||||
+++ ./configure 2023-02-27 13:34:27.068000000 -0500
|
||||
@@ -13408,7 +13408,7 @@
|
||||
version_type=linux # correct to gnu/linux during the next big refactor
|
||||
need_lib_prefix=no
|
||||
need_version=no
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
if test ia64 = "$host_cpu"; then
|
||||
# AIX 5 supports IA64
|
||||
library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext'
|
||||
@@ -13698,16 +13698,16 @@
|
||||
;;
|
||||
freebsd3.[01]* | freebsdelf3.[01]*)
|
||||
shlibpath_overrides_runpath=yes
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
|
||||
freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
|
||||
shlibpath_overrides_runpath=no
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
*) # from 4.6 on, and DragonFly
|
||||
shlibpath_overrides_runpath=yes
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
@@ -13722,7 +13722,7 @@
|
||||
shlibpath_var=LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=no
|
||||
sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib'
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
|
||||
hpux9* | hpux10* | hpux11*)
|
||||
@@ -13734,7 +13734,7 @@
|
||||
case $host_cpu in
|
||||
ia64*)
|
||||
shrext_cmds='.so'
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
dynamic_linker="$host_os dld.so"
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
|
||||
@@ -13750,7 +13750,7 @@
|
||||
;;
|
||||
hppa*64*)
|
||||
shrext_cmds='.sl'
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
dynamic_linker="$host_os dld.sl"
|
||||
shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
|
||||
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
|
||||
@@ -13783,7 +13783,7 @@
|
||||
dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=no
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
|
||||
irix5* | irix6* | nonstopux*)
|
||||
@@ -13820,7 +13820,7 @@
|
||||
shlibpath_overrides_runpath=no
|
||||
sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff"
|
||||
sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff"
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
|
||||
# No shared lib support for Linux oldld, aout, or coff.
|
||||
@@ -13841,7 +13841,7 @@
|
||||
# This implies no fast_install, which is unacceptable.
|
||||
# Some rework will be needed to allow for fast_install
|
||||
# before this can be enabled.
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
|
||||
dynamic_linker='Android linker'
|
||||
# Don't embed -rpath directories since the linker doesn't support them.
|
||||
@@ -13896,7 +13896,7 @@
|
||||
# This implies no fast_install, which is unacceptable.
|
||||
# Some rework will be needed to allow for fast_install
|
||||
# before this can be enabled.
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
|
||||
# Add ABI-specific directories to the system library path.
|
||||
sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
|
||||
@@ -13936,7 +13936,7 @@
|
||||
fi
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=yes
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
|
||||
newsos6)
|
||||
@@ -13954,7 +13954,7 @@
|
||||
soname_spec='$libname$release$shared_ext$major'
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=no
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
dynamic_linker='ldqnx.so'
|
||||
;;
|
||||
|
||||
@@ -14026,7 +14026,7 @@
|
||||
soname_spec='$libname$release$shared_ext$major'
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=yes
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
# ldd complains unless libraries are executable
|
||||
postinstall_cmds='chmod +x $lib'
|
||||
;;
|
||||
@@ -14083,7 +14083,7 @@
|
||||
soname_spec='$libname$release$shared_ext$major'
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=yes
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
if test yes = "$with_gnu_ld"; then
|
||||
sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
|
||||
else
|
||||
@@ -14105,7 +14105,7 @@
|
||||
library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=no
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
|
||||
uts4*)
|
276
patches/util-linux-2.39.patch
Normal file
276
patches/util-linux-2.39.patch
Normal file
@ -0,0 +1,276 @@
|
||||
--- ./configure.orig 2023-05-17 06:53:16.721284360 -0400
|
||||
+++ ./configure 2023-11-28 13:57:50.012000000 -0500
|
||||
@@ -16580,7 +16580,7 @@
|
||||
version_type=linux # correct to gnu/linux during the next big refactor
|
||||
need_lib_prefix=no
|
||||
need_version=no
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
if test ia64 = "$host_cpu"; then
|
||||
# AIX 5 supports IA64
|
||||
library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext'
|
||||
@@ -16870,16 +16870,16 @@
|
||||
;;
|
||||
freebsd3.[01]* | freebsdelf3.[01]*)
|
||||
shlibpath_overrides_runpath=yes
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
|
||||
freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
|
||||
shlibpath_overrides_runpath=no
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
*) # from 4.6 on, and DragonFly
|
||||
shlibpath_overrides_runpath=yes
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
@@ -16894,7 +16894,7 @@
|
||||
shlibpath_var=LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=no
|
||||
sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib'
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
|
||||
hpux9* | hpux10* | hpux11*)
|
||||
@@ -16906,7 +16906,7 @@
|
||||
case $host_cpu in
|
||||
ia64*)
|
||||
shrext_cmds='.so'
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
dynamic_linker="$host_os dld.so"
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
|
||||
@@ -16922,7 +16922,7 @@
|
||||
;;
|
||||
hppa*64*)
|
||||
shrext_cmds='.sl'
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
dynamic_linker="$host_os dld.sl"
|
||||
shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
|
||||
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
|
||||
@@ -16955,7 +16955,7 @@
|
||||
dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=no
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
|
||||
irix5* | irix6* | nonstopux*)
|
||||
@@ -16992,7 +16992,7 @@
|
||||
shlibpath_overrides_runpath=no
|
||||
sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff"
|
||||
sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff"
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
|
||||
# No shared lib support for Linux oldld, aout, or coff.
|
||||
@@ -17013,7 +17013,7 @@
|
||||
# This implies no fast_install, which is unacceptable.
|
||||
# Some rework will be needed to allow for fast_install
|
||||
# before this can be enabled.
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
|
||||
dynamic_linker='Android linker'
|
||||
# Don't embed -rpath directories since the linker doesn't support them.
|
||||
@@ -17071,7 +17071,7 @@
|
||||
# This implies no fast_install, which is unacceptable.
|
||||
# Some rework will be needed to allow for fast_install
|
||||
# before this can be enabled.
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
|
||||
# Add ABI-specific directories to the system library path.
|
||||
sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
|
||||
@@ -17111,7 +17111,7 @@
|
||||
fi
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=yes
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
|
||||
newsos6)
|
||||
@@ -17129,7 +17129,7 @@
|
||||
soname_spec='$libname$release$shared_ext$major'
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=no
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
dynamic_linker='ldqnx.so'
|
||||
;;
|
||||
|
||||
@@ -17201,7 +17201,7 @@
|
||||
soname_spec='$libname$release$shared_ext$major'
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=yes
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
# ldd complains unless libraries are executable
|
||||
postinstall_cmds='chmod +x $lib'
|
||||
;;
|
||||
@@ -17258,7 +17258,7 @@
|
||||
soname_spec='$libname$release$shared_ext$major'
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=yes
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
if test yes = "$with_gnu_ld"; then
|
||||
sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
|
||||
else
|
||||
@@ -17280,7 +17280,7 @@
|
||||
library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=no
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
|
||||
uts4*)
|
||||
@@ -20574,7 +20574,7 @@
|
||||
version_type=linux # correct to gnu/linux during the next big refactor
|
||||
need_lib_prefix=no
|
||||
need_version=no
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
if test ia64 = "$host_cpu"; then
|
||||
# AIX 5 supports IA64
|
||||
library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext'
|
||||
@@ -20862,16 +20862,16 @@
|
||||
;;
|
||||
freebsd3.[01]* | freebsdelf3.[01]*)
|
||||
shlibpath_overrides_runpath=yes
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
|
||||
freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
|
||||
shlibpath_overrides_runpath=no
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
*) # from 4.6 on, and DragonFly
|
||||
shlibpath_overrides_runpath=yes
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
@@ -20886,7 +20886,7 @@
|
||||
shlibpath_var=LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=no
|
||||
sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib'
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
|
||||
hpux9* | hpux10* | hpux11*)
|
||||
@@ -20898,7 +20898,7 @@
|
||||
case $host_cpu in
|
||||
ia64*)
|
||||
shrext_cmds='.so'
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
dynamic_linker="$host_os dld.so"
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
|
||||
@@ -20914,7 +20914,7 @@
|
||||
;;
|
||||
hppa*64*)
|
||||
shrext_cmds='.sl'
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
dynamic_linker="$host_os dld.sl"
|
||||
shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
|
||||
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
|
||||
@@ -20947,7 +20947,7 @@
|
||||
dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=no
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
|
||||
irix5* | irix6* | nonstopux*)
|
||||
@@ -20984,7 +20984,7 @@
|
||||
shlibpath_overrides_runpath=no
|
||||
sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff"
|
||||
sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff"
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
|
||||
# No shared lib support for Linux oldld, aout, or coff.
|
||||
@@ -21005,7 +21005,7 @@
|
||||
# This implies no fast_install, which is unacceptable.
|
||||
# Some rework will be needed to allow for fast_install
|
||||
# before this can be enabled.
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
|
||||
dynamic_linker='Android linker'
|
||||
# Don't embed -rpath directories since the linker doesn't support them.
|
||||
@@ -21063,7 +21063,7 @@
|
||||
# This implies no fast_install, which is unacceptable.
|
||||
# Some rework will be needed to allow for fast_install
|
||||
# before this can be enabled.
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
|
||||
# Add ABI-specific directories to the system library path.
|
||||
sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
|
||||
@@ -21103,7 +21103,7 @@
|
||||
fi
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=yes
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
|
||||
newsos6)
|
||||
@@ -21121,7 +21121,7 @@
|
||||
soname_spec='$libname$release$shared_ext$major'
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=no
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
dynamic_linker='ldqnx.so'
|
||||
;;
|
||||
|
||||
@@ -21193,7 +21193,7 @@
|
||||
soname_spec='$libname$release$shared_ext$major'
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=yes
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
# ldd complains unless libraries are executable
|
||||
postinstall_cmds='chmod +x $lib'
|
||||
;;
|
||||
@@ -21250,7 +21250,7 @@
|
||||
soname_spec='$libname$release$shared_ext$major'
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=yes
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
if test yes = "$with_gnu_ld"; then
|
||||
sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
|
||||
else
|
||||
@@ -21272,7 +21272,7 @@
|
||||
library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
|
||||
shlibpath_var=LD_LIBRARY_PATH
|
||||
shlibpath_overrides_runpath=no
|
||||
- hardcode_into_libs=yes
|
||||
+ hardcode_into_libs=no
|
||||
;;
|
||||
|
||||
uts4*)
|
73
unmaintained_boards/x230-hotp-legacy/x230-hotp-legacy.config
Normal file
73
unmaintained_boards/x230-hotp-legacy/x230-hotp-legacy.config
Normal file
@ -0,0 +1,73 @@
|
||||
# Configuration for a x230 with HOTP (Nitrokey/Purism USB Security dongle enabled HOTP support)
|
||||
# running Qubes 4.1 and other OSes.
|
||||
#
|
||||
# Deactivated to fit in coreboot's CONFIG_CBFS_SIZE=0x700000 :
|
||||
# dropbear support(ssh client/server)
|
||||
# e1000e (ethernet driver)
|
||||
#
|
||||
# Addition vs standard x230 board config:
|
||||
# HOTP_KEY: HOTP challenge for currently supported USB Security dongles
|
||||
export CONFIG_COREBOOT=y
|
||||
export CONFIG_COREBOOT_VERSION=24.02.01
|
||||
export CONFIG_LINUX_VERSION=5.10.5
|
||||
|
||||
CONFIG_COREBOOT_CONFIG=config/coreboot-x230-legacy.config
|
||||
CONFIG_LINUX_CONFIG=config/linux-x230-legacy.config
|
||||
|
||||
#Additional hardware support
|
||||
CONFIG_LINUX_USB=y
|
||||
CONFIG_LINUX_E1000E=n
|
||||
|
||||
CONFIG_CRYPTSETUP2=y
|
||||
CONFIG_FLASHPROG=y
|
||||
CONFIG_FLASHTOOLS=y
|
||||
CONFIG_GPG2=y
|
||||
CONFIG_KEXEC=y
|
||||
CONFIG_UTIL_LINUX=y
|
||||
CONFIG_LVM2=y
|
||||
CONFIG_MBEDTLS=y
|
||||
CONFIG_PCIUTILS=y
|
||||
|
||||
#Remote attestation support
|
||||
#TPM based requirements
|
||||
export CONFIG_TPM=y
|
||||
CONFIG_POPT=y
|
||||
CONFIG_QRENCODE=y
|
||||
CONFIG_TPMTOTP=y
|
||||
#HOTP based remote attestation for supported USB Security dongle
|
||||
#With/Without TPM support
|
||||
CONFIG_HOTPKEY=y
|
||||
export CONFIG_AUTO_BOOT_TIMEOUT=5
|
||||
|
||||
#Nitrokey Storage admin tool
|
||||
CONFIG_NKSTORECLI=n
|
||||
|
||||
#GUI Support
|
||||
#Console based Whiptail support(Console based, no FB):
|
||||
CONFIG_SLANG=y
|
||||
CONFIG_NEWT=y
|
||||
#FBWhiptail based (Graphical):
|
||||
#CONFIG_CAIRO=y
|
||||
#CONFIG_FBWHIPTAIL=y
|
||||
|
||||
#Additional tools:
|
||||
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
|
||||
CONFIG_DROPBEAR=n
|
||||
#Ethernet driver (Heads only)
|
||||
CONFIG_LINUX_E1000E=n
|
||||
|
||||
export CONFIG_BOOTSCRIPT=/bin/gui-init
|
||||
export CONFIG_BOOT_REQ_HASH=n
|
||||
export CONFIG_BOOT_REQ_ROLLBACK=n
|
||||
export CONFIG_BOOT_KERNEL_ADD=""
|
||||
export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
|
||||
export CONFIG_BOARD_NAME="Thinkpad X230-hotp-legacy"
|
||||
export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal --ifd --image bios"
|
||||
|
||||
# This board has two SPI flash chips, an 8 MB that holds the IFD,
|
||||
# the ME image and part of the coreboot image, and a 4 MB one that
|
||||
# has the rest of the coreboot and the reset vector.
|
||||
#
|
||||
# Only flashing to the bios region is safe to do. The easiest is to
|
||||
# flash internally when the IFD is unlocked for writing, and x230-flash
|
||||
# is installed first.
|
@ -0,0 +1,36 @@
|
||||
# Minimal configuration for a x230 to support flashrom and USB
|
||||
# This top SPI flash image needed to flash legacy board counterpart internally
|
||||
# This image can be flashed through 1vyrain and skulls
|
||||
# IDEALLY you should flash maximized top and bottom rom images exteranlly once instead.
|
||||
|
||||
export CONFIG_COREBOOT=y
|
||||
export CONFIG_COREBOOT_VERSION=24.02.01
|
||||
export CONFIG_LINUX_VERSION=5.10.5
|
||||
|
||||
CONFIG_COREBOOT_CONFIG=config/coreboot-UNMAINTAINED_x230-legacy-flash.config
|
||||
CONFIG_LINUX_CONFIG=config/linux-x230-flash.config
|
||||
|
||||
#Add bare minimal tools for flashing boards
|
||||
CONFIG_BASH=n
|
||||
CONFIG_FLASHPROG=y
|
||||
CONFIG_ZSTD=n
|
||||
#CONFIG_GPG=y
|
||||
#CONFIG_FLASHTOOLS=y
|
||||
CONFIG_PCIUTILS=y
|
||||
#CONFIG_MBEDTLS=y
|
||||
#CONFIG_QRENCODE=y
|
||||
#CONFIG_TPMTOTP=y
|
||||
#CONFIG_DROPBEAR=y
|
||||
|
||||
|
||||
#Additional hardware support
|
||||
CONFIG_LINUX_USB=y
|
||||
#CONFIG_LINUX_E1000E=y
|
||||
|
||||
export CONFIG_BOOTSCRIPT=/bin/xx30-flash.init
|
||||
export CONFIG_BOARD_NAME="ThinkPad X230-legacy-flash"
|
||||
export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal --ifd --image bios"
|
||||
|
||||
CONFIG_LEGACY_FLASH=y
|
||||
|
||||
BOARD_TARGETS := legacy_flash
|
66
unmaintained_boards/x230-legacy/x230-legacy.config
Normal file
66
unmaintained_boards/x230-legacy/x230-legacy.config
Normal file
@ -0,0 +1,66 @@
|
||||
# Configuration for a X230 running Qubes 4.1 and other Linux Based OSes (through kexec)
|
||||
#
|
||||
# Deactivated to fit in coreboot's CONFIG_CBFS_SIZE=0x700000 :
|
||||
# dropbear support(ssh client/server)
|
||||
# e1000e (ethernet driver)
|
||||
export CONFIG_COREBOOT=y
|
||||
export CONFIG_COREBOOT_VERSION=24.02.01
|
||||
export CONFIG_LINUX_VERSION=5.10.5
|
||||
|
||||
CONFIG_COREBOOT_CONFIG=config/coreboot-UNMAINTAINED_x230-legacy.config
|
||||
CONFIG_LINUX_CONFIG=config/linux-UNMAINTAINED_x230-legacy.config
|
||||
|
||||
#Additional hardware support
|
||||
CONFIG_LINUX_USB=y
|
||||
CONFIG_LINUX_E1000E=n
|
||||
|
||||
CONFIG_CRYPTSETUP2=y
|
||||
CONFIG_FLASHPROG=y
|
||||
CONFIG_FLASHTOOLS=y
|
||||
CONFIG_GPG2=y
|
||||
CONFIG_KEXEC=y
|
||||
CONFIG_UTIL_LINUX=y
|
||||
CONFIG_LVM2=y
|
||||
CONFIG_MBEDTLS=y
|
||||
CONFIG_PCIUTILS=y
|
||||
|
||||
#Remote attestation support
|
||||
#TPM based requirements
|
||||
export CONFIG_TPM=y
|
||||
CONFIG_POPT=y
|
||||
CONFIG_QRENCODE=y
|
||||
CONFIG_TPMTOTP=y
|
||||
#HOTP based remote attestation for supported USB Security dongle
|
||||
#With/Without TPM support
|
||||
CONFIG_HOTPKEY=n
|
||||
|
||||
#Nitrokey Storage admin tool
|
||||
CONFIG_NKSTORECLI=n
|
||||
|
||||
#GUI Support
|
||||
#Console based Whiptail support(Console based, no FB):
|
||||
CONFIG_SLANG=y
|
||||
CONFIG_NEWT=y
|
||||
#FBWhiptail based (Graphical):
|
||||
#CONFIG_CAIRO=y
|
||||
#CONFIG_FBWHIPTAIL=y
|
||||
|
||||
#Additional tools:
|
||||
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
|
||||
CONFIG_DROPBEAR=n
|
||||
|
||||
export CONFIG_BOOTSCRIPT=/bin/gui-init
|
||||
export CONFIG_BOOT_REQ_HASH=n
|
||||
export CONFIG_BOOT_REQ_ROLLBACK=n
|
||||
export CONFIG_BOOT_KERNEL_ADD=""
|
||||
export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
|
||||
export CONFIG_BOARD_NAME="Thinkpad X230-legacy"
|
||||
export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal --ifd --image bios"
|
||||
|
||||
# This board has two SPI flash chips, an 8 MB that holds the IFD,
|
||||
# the ME image and part of the coreboot image, and a 4 MB one that
|
||||
# has the rest of the coreboot and the reset vector.
|
||||
#
|
||||
# Only flashing to the bios region is safe to do. The easiest is to
|
||||
# flash internally when the IFD is unlocked for writing, and x230-flash
|
||||
# is installed first.
|
Loading…
Reference in New Issue
Block a user