From 17724f9baaa545a035e3d87e883a35d2c4421733 Mon Sep 17 00:00:00 2001 From: Jonathon Hall Date: Wed, 5 Jul 2023 14:09:57 -0400 Subject: [PATCH 1/2] qemu-coreboot-fbwhiptail-tpm1-hotp: Fix truncated documentation lines A few lines in the documentation got truncated somehow. Restored the swtpm instructions from some notes and rewrote the others. Signed-off-by: Jonathon Hall --- .../qemu-coreboot-fbwhiptail-tpm1-hotp.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.md b/boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.md index 4217b756..8781174f 100644 --- a/boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.md +++ b/boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.md @@ -16,7 +16,7 @@ Bootstrapping a working system === 1. Install QEMU and swtpm. (Optionally, KVM.) - * Many distributions already package swtpm, but Debian Bullseye does not. (Bookworm does.) On Bullseye you will have to build and install libtpms and > + * Many distributions already package swtpm, but Debian Bullseye does not. (Bookworm does.) On Bullseye you will have to build and install libtpms and swtpm from source, see below for detailed instructions. * https://github.com/stefanberger/libtpms * https://github.com/stefanberger/swtpm 2. Build Heads 
@@ -25,7 +25,7 @@ Bootstrapping a working system * `make BOARD=qemu-coreboot-fbwhiptail-tpm1-hotp INSTALL_IMG= run` * Lightweight desktops (XFCE, LXDE, etc.) are recommended, especially if KVM acceleration is not available (such nested in Qubes OS) * When running nested in a qube, disable memory ballooning for the qube, or performance will be very poor. - * Include `QEMU_MEMORY_SIZE=6G` to set the guest's memory (`6G`, `8G`, etc.). The default is 4G to be conservative, but more may be needed depending on> + * Include `QEMU_MEMORY_SIZE=6G` to set the guest's memory (`6G`, `8G`, etc.). The default is 4G to be conservative, but more may be needed depending on the guest OS. * Include `QEMU_DISK_SIZE=30G` to set the guest's disk size, the default is `20G`. 4. Shut down and boot Heads with the USB token attached, proceed with OEM reset * `make BOARD=qemu-coreboot-fbwhiptail-tpm1-hotp USB_TOKEN= run` 
@@ -62,10 +62,10 @@ To test across all qemu variants, one only has to change BOARD name and run the swtpm on Debian Bullseye === -libtpms and swtpm must be built and installed from source on Debian Bullseye. Upstream provides tooling to build these as Debian packages, which allows thi> +libtpms and swtpm must be built and installed from source on Debian Bullseye. Upstream provides tooling to build these as Debian packages, which allows things to work seamlessly with default AppArmor configs, etc. 1. Install dependencies - * `sudo apt install automake autoconf libtool make gcc libc-dev libssl-dev dh-autoreconf libssl-dev libtasn1-6-dev pkg-config net-tools iproute2 libjson> + * `sudo apt install automake autoconf libtool make gcc libc-dev libssl-dev dh-autoreconf libssl-dev libtasn1-6-dev pkg-config net-tools iproute2 libjson-glib-dev libgnutls28-dev expect gawk socat gnutls-bin libseccomp-dev libfuse-dev python3-twisted selinux-policy-dev trousers devscripts equivs` 2. Build libtpms * `git clone https://github.com/stefanberger/libtpms` * `cd libtpms; git checkout v0.9.4` (latest release as of this writing) From 4f367d90e6a49f5ced60015bd61d4c8f867f8312 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Thu, 6 Jul 2023 11:06:27 -0400 Subject: [PATCH 2/2] Non-Intel linux configs: make sure AES is enabled (CONFIG_CRYPTO_AES_NI_INTEL won't work there) kgpe-d16 linux configs: disable CONFIG_CRYPTO_AES_NI_INTEL (not avail on AMD) This applied to Q35 qemu board which is AMD, not intel. generic AES needs to be enabled on non-intel boards, otherwise cryptsetup doesn't know how to deal with xts-plain Then saved back with linux.save_in_oldconfig_format_in_place --- config/linux-kgpe-d16_server-whiptail.config | 6 ++---- config/linux-kgpe-d16_server.config | 6 ++---- config/linux-kgpe-d16_workstation.config | 6 ++---- config/linux-qemu.config | 2 +- 4 files changed, 7 insertions(+), 13 deletions(-) 
diff --git a/config/linux-kgpe-d16_server-whiptail.config b/config/linux-kgpe-d16_server-whiptail.config index 02248a88..74d9f68b 100644 --- a/config/linux-kgpe-d16_server-whiptail.config +++ b/config/linux-kgpe-d16_server-whiptail.config @@ -2683,8 +2683,6 @@ CONFIG_CRYPTO_NULL2=y CONFIG_CRYPTO_CRYPTD=y CONFIG_CRYPTO_AUTHENC=y # CONFIG_CRYPTO_TEST is not set -CONFIG_CRYPTO_SIMD=y -CONFIG_CRYPTO_GLUE_HELPER_X86=y # # Public-key cryptography @@ -2772,9 +2770,9 @@ CONFIG_CRYPTO_SHA512=y # # Ciphers # -# CONFIG_CRYPTO_AES is not set +CONFIG_CRYPTO_AES=y # CONFIG_CRYPTO_AES_TI is not set -CONFIG_CRYPTO_AES_NI_INTEL=y +# CONFIG_CRYPTO_AES_NI_INTEL is not set # CONFIG_CRYPTO_BLOWFISH is not set # CONFIG_CRYPTO_BLOWFISH_X86_64 is not set # CONFIG_CRYPTO_CAMELLIA is not set diff --git a/config/linux-kgpe-d16_server.config b/config/linux-kgpe-d16_server.config index 02248a88..74d9f68b 100644 --- a/config/linux-kgpe-d16_server.config +++ b/config/linux-kgpe-d16_server.config @@ -2683,8 +2683,6 @@ CONFIG_CRYPTO_NULL2=y CONFIG_CRYPTO_CRYPTD=y CONFIG_CRYPTO_AUTHENC=y # CONFIG_CRYPTO_TEST is not set -CONFIG_CRYPTO_SIMD=y -CONFIG_CRYPTO_GLUE_HELPER_X86=y # # Public-key cryptography @@ -2772,9 +2770,9 @@ CONFIG_CRYPTO_SHA512=y # # Ciphers # -# CONFIG_CRYPTO_AES is not set +CONFIG_CRYPTO_AES=y # CONFIG_CRYPTO_AES_TI is not set -CONFIG_CRYPTO_AES_NI_INTEL=y +# CONFIG_CRYPTO_AES_NI_INTEL is not set # CONFIG_CRYPTO_BLOWFISH is not set # CONFIG_CRYPTO_BLOWFISH_X86_64 is not set # CONFIG_CRYPTO_CAMELLIA is not set diff --git a/config/linux-kgpe-d16_workstation.config b/config/linux-kgpe-d16_workstation.config index 13397e9d..3acfe760 100644 --- a/config/linux-kgpe-d16_workstation.config +++ b/config/linux-kgpe-d16_workstation.config @@ -2931,8 +2931,6 @@ CONFIG_CRYPTO_NULL2=y CONFIG_CRYPTO_CRYPTD=y CONFIG_CRYPTO_AUTHENC=y # CONFIG_CRYPTO_TEST is not set -CONFIG_CRYPTO_SIMD=y -CONFIG_CRYPTO_GLUE_HELPER_X86=y # # Public-key cryptography 
@@ -3020,9 +3018,9 @@ CONFIG_CRYPTO_SHA512=y # # Ciphers # -# CONFIG_CRYPTO_AES is not set +CONFIG_CRYPTO_AES=y # CONFIG_CRYPTO_AES_TI is not set -CONFIG_CRYPTO_AES_NI_INTEL=y +# CONFIG_CRYPTO_AES_NI_INTEL is not set # CONFIG_CRYPTO_BLOWFISH is not set # CONFIG_CRYPTO_BLOWFISH_X86_64 is not set # CONFIG_CRYPTO_CAMELLIA is not set diff --git a/config/linux-qemu.config b/config/linux-qemu.config index 5787f568..adf3a40c 100644 --- a/config/linux-qemu.config +++ b/config/linux-qemu.config @@ -2827,7 +2827,7 @@ CONFIG_CRYPTO_SHA512=y # # Ciphers # -# CONFIG_CRYPTO_AES is not set +CONFIG_CRYPTO_AES=y # CONFIG_CRYPTO_AES_TI is not set CONFIG_CRYPTO_AES_NI_INTEL=y # CONFIG_CRYPTO_BLOWFISH is not set
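Review bot: In patch 1/2, hunk @@ -16,7 of qemu-coreboot-fbwhiptail-tpm1-hotp.md, the restored sentence ends with "see below for detailed instructions" without naming the target; since the document has a dedicated "swtpm on Debian Bullseye" section (visible as the heading in hunk @@ -62,10), naming it, e.g. "see the swtpm on Debian Bullseye section below", would keep the pointer valid if the sections are ever reordered.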
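Review bot: In patch 1/2, hunk @@ -25,7, the unchanged context line above the fix reads "especially if KVM acceleration is not available (such nested in Qubes OS)", which is missing a word; since this commit is already repairing that paragraph, it would be worth fixing to "(such as when nested in Qubes OS)" in the same change.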
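Review bot: In patch 1/2, hunk @@ -62,10, the restored `sudo apt install ...` line lists `libssl-dev` twice (once after `libc-dev` and again after `dh-autoreconf`); apt tolerates the duplicate, but dropping the second occurrence keeps the dependency list clean and makes it easier to diff against upstream's build requirements later.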
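Review bot: In patch 2/2, the @@ -2683,8 hunks of the three linux-kgpe-d16_*.config files drop `CONFIG_CRYPTO_SIMD=y` and `CONFIG_CRYPTO_GLUE_HELPER_X86=y`, which are options selected by `CONFIG_CRYPTO_AES_NI_INTEL` rather than settings chosen directly, so they disappear once AES-NI is turned off and the file is re-saved; stating that in the commit message (which only mentions "saved back with linux.save_in_oldconfig_format_in_place") would prevent reviewers from reading these two removals as an independent change.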
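Review bot: In patch 2/2, the "Ciphers" hunks of the linux-kgpe-d16_*.config files (@@ -2772,9 and @@ -3020,9) switch the boards from AES-NI to the generic `CONFIG_CRYPTO_AES=y` while the context line `# CONFIG_CRYPTO_AES_TI is not set` is left untouched; since these boards will now run dm-crypt's xts-plain on a software AES, it is worth considering whether the time-invariant implementation (`CONFIG_CRYPTO_AES_TI`) should be enabled or at least the choice of the table-based generic AES documented in the commit message.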
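Review bot: In patch 2/2, hunk @@ -2827,7 of config/linux-qemu.config keeps `CONFIG_CRYPTO_AES_NI_INTEL=y` while only adding `CONFIG_CRYPTO_AES=y`, which is inconsistent with the commit message's claim that "CONFIG_CRYPTO_AES_NI_INTEL won't work there" for non-Intel boards and its description of the qemu board as AMD; the kgpe-d16 hunks disable AES-NI outright, so either the qemu config should do the same for consistency, or the message should explain why AES-NI stays on for qemu (e.g. that the x86 aesni module only registers its cipher when the CPU feature is present, so the generic AES added here is the fallback actually used when it is not).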