ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2025-01-22 04:18:02 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #1875 from tlaurion/introduce_quiet_mode-diceware_STAGING

Browse Source 
TESTING NEEDED: STAGING PR  (quiet mode + diceware + nk3 fixes)
This commit is contained in:
Thierry Laurion 2025-01-20 14:53:29 -05:00 committed by GitHub
commit 36e30d0174
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
89 changed files with 4840 additions and 2807 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
BOARD_TESTERS.md
View File

@ -44,8 +44,8 @@ Librems:
Clevo:
===
- [ ] Nitropad NS50 (AlderLake) : @daringer
- [ ] Nitropad NV41 (AlderLake) : @tlaurion @daringer
- [ ] Novacustom NV4x (AlderLake) : @tlaurion @daringer
- [ ] Novacustom v560tu (MeteorLake) : @tlaurion @daringer @mkopec
Desktops/Servers
==

7
boards/UNMAINTAINED_kgpe-d16_server-whiptail/UNMAINTAINED_kgpe-d16_server-whiptail.config
View File

@ -51,6 +51,13 @@ export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y
export CONFIG_TPM=y
#BOOT SCRIPT SELECTION
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
#export CONFIG_BOOTSCRIPT=/bin/generic-init
export CONFIG_BOOTSCRIPT=/bin/gui-init
#export CONFIG_BOOTSCRIPT_NETWORK=/bin/network-init-recovery

7
boards/UNMAINTAINED_kgpe-d16_server/UNMAINTAINED_kgpe-d16_server.config
View File

@ -43,6 +43,13 @@ CONFIG_LINUX_E1000E=y
export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
#BOOT SCRIPT SELECTION
export CONFIG_BOOTSCRIPT=/bin/generic-init
#export CONFIG_BOOTSCRIPT_NETWORK=/bin/network-init-recovery

7
boards/UNMAINTAINED_kgpe-d16_workstation-usb_keyboard/UNMAINTAINED_kgpe-d16_workstation-usb_keyboard.config
View File

@ -49,6 +49,13 @@ export CONFIG_USB_KEYBOARD_REQUIRED=y
export CONFIG_TPM=y
#BOOT SCRIPT SELECTION
#export CONFIG_BOOTSCRIPT=/bin/generic-init
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
#export CONFIG_BOOTSCRIPT_NETWORK=/bin/network-init-recovery

7
boards/UNMAINTAINED_kgpe-d16_workstation/UNMAINTAINED_kgpe-d16_workstation.config
View File

@ -50,6 +50,13 @@ export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y
export CONFIG_TPM=y
#BOOT SCRIPT SELECTION
#export CONFIG_BOOTSCRIPT=/bin/generic-init
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
#export CONFIG_BOOTSCRIPT_NETWORK=/bin/network-init-recovery

14
boards/UNTESTED_nitropad-ns50/UNTESTED_nitropad-ns50.config
View File

@ -8,12 +8,6 @@ export CONFIG_LINUX_VERSION=6.1.8
CONFIG_COREBOOT_CONFIG=config/coreboot-nitropad-ns50.config
CONFIG_LINUX_CONFIG=config/linux-novacustom-common.config
#Enable DEBUG output
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000=y
@ -68,6 +62,13 @@ export CONFIG_TPM2_TOOLS=y
export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
#export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n
@ -75,4 +76,3 @@ export CONFIG_BOOT_KERNEL_ADD=""
export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
export CONFIG_BOARD_NAME="Nitropad NS50"
export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
export CONFIG_AUTO_BOOT_TIMEOUT=5

7
boards/UNTESTED_t440p-maximized/UNTESTED_t440p-maximized.config
View File

@ -34,6 +34,13 @@ CONFIG_LINUX_USB=y
CONFIG_MOBILE_TETHERING=y
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/UNTESTED_talos-2/UNTESTED_talos-2.config
View File

@ -41,6 +41,13 @@ export CONFIG_USB_KEYBOARD_REQUIRED=y
export CONFIG_BOOT_EXTRA_TTYS="tty0"
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/talos-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/UNTESTED_w541-maximized/UNTESTED_w541-maximized.config
View File

@ -34,6 +34,13 @@ CONFIG_LINUX_USB=y
CONFIG_MOBILE_TETHERING=y
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/librem_11/librem_11.config
View File

@ -30,6 +30,13 @@ CONFIG_MOBILE_TETHERING=y
export CONFIG_TPM=n
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/librem_13v2/librem_13v2.config
View File

@ -29,6 +29,13 @@ CONFIG_LINUX_USB=y
CONFIG_MOBILE_TETHERING=y
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/librem_13v4/librem_13v4.config
View File

@ -29,6 +29,13 @@ CONFIG_LINUX_USB=y
CONFIG_MOBILE_TETHERING=y
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/librem_14/librem_14.config
View File

@ -28,6 +28,13 @@ CONFIG_MOBILE_TETHERING=y
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/librem_15v3/librem_15v3.config
View File

@ -29,6 +29,13 @@ CONFIG_LINUX_USB=y
CONFIG_MOBILE_TETHERING=y
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/librem_15v4/librem_15v4.config
View File

@ -30,6 +30,13 @@ CONFIG_LINUX_USB=y
CONFIG_MOBILE_TETHERING=y
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/librem_l1um/librem_l1um.config
View File

@ -29,6 +29,13 @@ CONFIG_MOBILE_TETHERING=y
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/librem_l1um_v2/librem_l1um_v2.config
View File

@ -32,6 +32,13 @@ CONFIG_TPM2_TSS=y
CONFIG_OPENSSL=y
CONFIG_PRIMARY_KEY_TYPE=ecc
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/librem_mini/librem_mini.config
View File

@ -30,6 +30,13 @@ CONFIG_MOBILE_TETHERING=y
export CONFIG_TPM=n
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/librem_mini_v2/librem_mini_v2.config
View File

@ -30,6 +30,13 @@ CONFIG_MOBILE_TETHERING=y
export CONFIG_TPM=n
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

15
boards/novacustom-v560tu/novacustom-v560tu.config
View File

@ -3,7 +3,7 @@
# This excludes gbe from internal flashing, otherwise mac address would revert to '88:88:88:88:87:88' see https://github.com/linuxboot/heads/pull/1871#discussion_r1870134788
# Same options should be used when externally flashing the first time, otherwise Intel GBE region (Ethernet config blob) will be overwitten and MAC reverted to '88:88:88:88:87:88'
# Meteor Lake (Intel Gen 14) is not supposed to support s3 but coincidently does. In case s3 is broken, user must configure settings to not suspend or otherwise enable ME/CSME for s01x to work (unsupported by QubesOS when writing those lines) or use Hibernate (Not supported by QubesOS either)
# Meteor Lake (Intel Gen 14) is not supposed to support s3 but coincidently does. In case s3 is broken, user must configure settings to not suspend or otherwise enable ME/CSME for s0ix to work (unsupported by QubesOS when writing those lines) or use Hibernate (Not supported by QubesOS either)
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=dasharo
@ -12,12 +12,6 @@ export CONFIG_LINUX_VERSION=6.1.8
CONFIG_COREBOOT_CONFIG=config/coreboot-novacustom-v560tu.config
CONFIG_LINUX_CONFIG=config/linux-novacustom-common.config
#Enable DEBUG output
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000=y
@ -71,6 +65,13 @@ export CONFIG_TPM2_TOOLS=y
export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
#export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

14
boards/novacustom_nv4x_adl/novacustom_nv4x_adl.config
View File

@ -8,12 +8,6 @@ export CONFIG_LINUX_VERSION=6.1.8
CONFIG_COREBOOT_CONFIG=config/coreboot-novacustom_nv4x_adl.config
CONFIG_LINUX_CONFIG=config/linux-novacustom-common.config
#Enable DEBUG output
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000=y
@ -67,6 +61,13 @@ export CONFIG_TPM2_TOOLS=y
export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
#export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n
@ -74,4 +75,3 @@ export CONFIG_BOOT_KERNEL_ADD=""
export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
export CONFIG_BOARD_NAME="NovaCustom NV4x 12th Gen"
export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
export CONFIG_AUTO_BOOT_TIMEOUT=5

11
boards/optiplex-7010_9010-hotp-maximized/optiplex-7010_9010-hotp-maximized.config
View File

@ -13,10 +13,6 @@ export CONFIG_LINUX_VERSION=6.1.8
CONFIG_COREBOOT_CONFIG=config/coreboot-optiplex-7019_9010-maximized.config
CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
#Enable DEBUG output
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Additional hardware support
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000E=y
@ -74,6 +70,13 @@ export CONFIG_AUTO_BOOT_TIMEOUT=5
#export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

11
boards/optiplex-7010_9010-maximized/optiplex-7010_9010-maximized.config
View File

@ -13,10 +13,6 @@ export CONFIG_LINUX_VERSION=6.1.8
CONFIG_COREBOOT_CONFIG=config/coreboot-optiplex-7019_9010-maximized.config
CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
#Enable DEBUG output
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Additional hardware support
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000E=y
@ -74,6 +70,13 @@ export CONFIG_AUTO_BOOT_TIMEOUT=5
#export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

11
boards/optiplex-7010_9010_TXT-hotp-maximized/optiplex-7010_9010_TXT-hotp-maximized.config
View File

@ -13,10 +13,6 @@ export CONFIG_LINUX_VERSION=6.1.8
CONFIG_COREBOOT_CONFIG=config/coreboot-optiplex-7019_9010_TXT-maximized.config
CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
#Enable DEBUG output
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Additional hardware support
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000E=y
@ -74,6 +70,13 @@ export CONFIG_AUTO_BOOT_TIMEOUT=5
#export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

11
boards/optiplex-7010_9010_TXT-maximized/optiplex-7010_9010_TXT-maximized.config
View File

@ -13,10 +13,6 @@ export CONFIG_LINUX_VERSION=6.1.8
CONFIG_COREBOOT_CONFIG=config/coreboot-optiplex-7019_9010_TXT-maximized.config
CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
#Enable DEBUG output
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Additional hardware support
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000E=y
@ -74,6 +70,13 @@ export CONFIG_AUTO_BOOT_TIMEOUT=5
#export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

97
boards/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet/qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet.config Normal file
View File

@ -0,0 +1,97 @@
# Configuration for building a coreboot ROM that works in
# the qemu emulator in console mode thanks to Whiptail
#
# TPM can be used with a qemu software TPM (TIS, 1.2). A Librem Key or
# Nitrokey Pro can also be used by forwarding the USB device from the host to
# the VM.
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=24.02.01
export CONFIG_LINUX_VERSION=6.1.8
CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1-prod.config
CONFIG_LINUX_CONFIG=config/linux-qemu.config
#Enable only one RESTRICTED/BASIC boot modes below to test them manually (we cannot inject config under QEMU (no internal flashing)
#export CONFIG_RESTRICTED_BOOT=y
#export CONFIG_BASIC=y
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000=y
#CONFIG_MOBILE_TETHERING=y
#Runtime on-demand additional hardware support (modules.cpio)
export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y
#Modules packed into tools.cpio
ifeq "$(CONFIG_UROOT)" "y"
CONFIG_BUSYBOX=n
else
#Modules packed into tools.cpio
CONFIG_CRYPTSETUP2=y
CONFIG_FLASHPROG=y
CONFIG_FLASHTOOLS=y
CONFIG_GPG2=y
CONFIG_KEXEC=y
CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#Runtime tools to write to MSR
#CONFIG_MSRTOOLS=y
#Remote attestation support
# TPM2 requirements
#CONFIG_TPM2_TSS=y
#CONFIG_OPENSSL=y
#Remote Attestation common tools
CONFIG_POPT=y
CONFIG_QRENCODE=y
CONFIG_TPMTOTP=y
#HOTP based remote attestation for supported USB Security dongle
#With/Without TPM support
CONFIG_HOTPKEY=y
#Nitrokey Storage admin tool (deprecated)
#CONFIG_NKSTORECLI=n
#GUI Support
#Console based Whiptail support(Console based, no FB):
#CONFIG_SLANG=y
#CONFIG_NEWT=y
#FBWhiptail based (Graphical):
CONFIG_CAIRO=y
CONFIG_FBWHIPTAIL=y
#Additional tools (tools.cpio):
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=y
endif
#Runtime configuration
#Automatically boot if HOTP is valid
export CONFIG_AUTO_BOOT_TIMEOUT=5
#TPM2 requirements
#export CONFIG_TPM2_TOOLS=y
#export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
#text-based original init:
#export CONFIG_BOOTSCRIPT=/bin/generic-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n
export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0"
export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm1-hotp"
#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
BOARD_TARGETS := qemu

14
boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.config
View File

@ -18,12 +18,6 @@ CONFIG_LINUX_CONFIG=config/linux-qemu.config
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000=y
@ -82,6 +76,13 @@ export CONFIG_AUTO_BOOT_TIMEOUT=5
#export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=n
export CONFIG_BOOTSCRIPT=/bin/gui-init
#text-based original init:
#export CONFIG_BOOTSCRIPT=/bin/generic-init
@ -92,6 +93,5 @@ export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm1-hotp"
#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
export CONFIG_AUTO_BOOT_TIMEOUT=5
BOARD_TARGETS := qemu

14
boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config
View File

@ -16,12 +16,6 @@ CONFIG_LINUX_CONFIG=config/linux-qemu.config
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000=y
@ -80,6 +74,13 @@ export CONFIG_AUTO_BOOT_TIMEOUT=5
#export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=n
export CONFIG_BOOTSCRIPT=/bin/gui-init
#text-based original init:
#export CONFIG_BOOTSCRIPT=/bin/generic-init
@ -90,6 +91,5 @@ export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm1"
#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
#export CONFIG_AUTO_BOOT_TIMEOUT=5
BOARD_TARGETS := qemu

14
boards/qemu-coreboot-fbwhiptail-tpm2-hotp-prod/qemu-coreboot-fbwhiptail-tpm2-hotp-prod.config
View File

@ -17,12 +17,6 @@ CONFIG_LINUX_CONFIG=config/linux-qemu.config
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000=y
@ -81,6 +75,13 @@ export CONFIG_TPM2_TOOLS=y
export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
#export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=n
export CONFIG_BOOTSCRIPT=/bin/gui-init
#text-based original init:
#export CONFIG_BOOTSCRIPT=/bin/generic-init
@ -91,6 +92,5 @@ export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm2-hotp"
#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
export CONFIG_AUTO_BOOT_TIMEOUT=5
BOARD_TARGETS := qemu

96
boards/qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet/qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet.config Normal file
View File

@ -0,0 +1,96 @@
# Configuration for building a coreboot ROM that works in
# the qemu emulator in graphical mode thanks to FBWhiptail
# This version requires a supported HOTP Security dongle (Nitrokey Pro/Storage or Librem Key)
#
# TPM can be used with a qemu software TPM (TIS, 2.0).
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=24.02.01
export CONFIG_LINUX_VERSION=6.1.8
CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2-prod.config
CONFIG_LINUX_CONFIG=config/linux-qemu.config
#Enable only one RESTRICTED/BASIC boot modes below to test them manually (we cannot inject config under QEMU (no internal flashing)
#export CONFIG_RESTRICTED_BOOT=y
#export CONFIG_BASIC=y
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000=y
#CONFIG_MOBILE_TETHERING=y
#Runtime on-demand additional hardware support (modules.cpio)
export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y
#Modules packed into tools.cpio
ifeq "$(CONFIG_UROOT)" "y"
CONFIG_BUSYBOX=n
else
#Modules packed into tools.cpio
CONFIG_CRYPTSETUP2=y
CONFIG_FLASHPROG=y
CONFIG_FLASHTOOLS=y
CONFIG_GPG2=y
CONFIG_KEXEC=y
CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#Runtime tools to write to MSR
CONFIG_MSRTOOLS=y
#Remote attestation support
# TPM2 requirements
CONFIG_TPM2_TSS=y
CONFIG_OPENSSL=y
#Remote Attestation common tools
CONFIG_POPT=y
CONFIG_QRENCODE=y
CONFIG_TPMTOTP=y
#HOTP based remote attestation for supported USB Security dongle
#With/Without TPM support
CONFIG_HOTPKEY=y
#Nitrokey Storage admin tool (deprecated)
#CONFIG_NKSTORECLI=n
#GUI Support
#Console based Whiptail support(Console based, no FB):
#CONFIG_SLANG=y
#CONFIG_NEWT=y
#FBWhiptail based (Graphical):
CONFIG_CAIRO=y
CONFIG_FBWHIPTAIL=y
#Additional tools (tools.cpio):
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=y
endif
#Runtime configuration
#Automatically boot if HOTP is valid
export CONFIG_AUTO_BOOT_TIMEOUT=5
#TPM2 requirements
export CONFIG_TPM2_TOOLS=y
export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
#export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
#text-based original init:
#export CONFIG_BOOTSCRIPT=/bin/generic-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n
export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0"
export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm2-hotp"
#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
BOARD_TARGETS := qemu

13
boards/qemu-coreboot-fbwhiptail-tpm2-hotp/qemu-coreboot-fbwhiptail-tpm2-hotp.config
View File

@ -17,11 +17,6 @@ CONFIG_LINUX_CONFIG=config/linux-qemu.config
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
@ -81,6 +76,13 @@ export CONFIG_TPM2_TOOLS=y
export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
#export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=y
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=n
export CONFIG_BOOTSCRIPT=/bin/gui-init
#text-based original init:
#export CONFIG_BOOTSCRIPT=/bin/generic-init
@ -91,6 +93,5 @@ export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm2-hotp"
#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
export CONFIG_AUTO_BOOT_TIMEOUT=5
BOARD_TARGETS := qemu

14
boards/qemu-coreboot-fbwhiptail-tpm2-prod/qemu-coreboot-fbwhiptail-tpm2-prod.config
View File

@ -16,12 +16,6 @@ CONFIG_LINUX_CONFIG=config/linux-qemu.config
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000=y
@ -80,6 +74,13 @@ export CONFIG_TPM2_TOOLS=y
export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
#export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=n
export CONFIG_BOOTSCRIPT=/bin/gui-init
#text-based original init:
#export CONFIG_BOOTSCRIPT=/bin/generic-init
@ -90,6 +91,5 @@ export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm2"
#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
#export CONFIG_AUTO_BOOT_TIMEOUT=5
BOARD_TARGETS := qemu

13
boards/qemu-coreboot-fbwhiptail-tpm2/qemu-coreboot-fbwhiptail-tpm2.config
View File

@ -16,11 +16,6 @@ CONFIG_LINUX_CONFIG=config/linux-qemu.config
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
@ -80,6 +75,13 @@ export CONFIG_TPM2_TOOLS=y
export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
#export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=y
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=n
export CONFIG_BOOTSCRIPT=/bin/gui-init
#text-based original init:
#export CONFIG_BOOTSCRIPT=/bin/generic-init
@ -90,6 +92,5 @@ export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm2"
#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
#export CONFIG_AUTO_BOOT_TIMEOUT=5
BOARD_TARGETS := qemu

14
boards/qemu-coreboot-whiptail-tpm1-hotp/qemu-coreboot-whiptail-tpm1-hotp.config
View File

@ -18,12 +18,6 @@ CONFIG_LINUX_CONFIG=config/linux-qemu.config
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000=y
@ -82,6 +76,13 @@ export CONFIG_AUTO_BOOT_TIMEOUT=5
#export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=n
export CONFIG_BOOTSCRIPT=/bin/gui-init
#text-based original init:
#export CONFIG_BOOTSCRIPT=/bin/generic-init
@ -92,6 +93,5 @@ export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
export CONFIG_BOARD_NAME="qemu-coreboot-whiptail-tpm1-hotp"
#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
export CONFIG_AUTO_BOOT_TIMEOUT=5
BOARD_TARGETS := qemu

14
boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.config
View File

@ -16,12 +16,6 @@ CONFIG_LINUX_CONFIG=config/linux-qemu.config
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000=y
@ -80,6 +74,13 @@ export CONFIG_AUTO_BOOT_TIMEOUT=5
#export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=n
export CONFIG_BOOTSCRIPT=/bin/gui-init
#text-based original init:
#export CONFIG_BOOTSCRIPT=/bin/generic-init
@ -90,6 +91,5 @@ export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
export CONFIG_BOARD_NAME="qemu-coreboot-whiptail-tpm1"
#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
#export CONFIG_AUTO_BOOT_TIMEOUT=5
BOARD_TARGETS := qemu

14
boards/qemu-coreboot-whiptail-tpm2-hotp-prod/qemu-coreboot-whiptail-tpm2-hotp-prod.config
View File

@ -17,12 +17,6 @@ CONFIG_LINUX_CONFIG=config/linux-qemu.config
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000=y
@ -81,6 +75,13 @@ export CONFIG_TPM2_TOOLS=y
export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
#export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=n
export CONFIG_BOOTSCRIPT=/bin/gui-init
#text-based original init:
#export CONFIG_BOOTSCRIPT=/bin/generic-init
@ -91,6 +92,5 @@ export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
export CONFIG_BOARD_NAME="qemu-coreboot-whiptail-tpm2-hotp"
#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
export CONFIG_AUTO_BOOT_TIMEOUT=5
BOARD_TARGETS := qemu

13
boards/qemu-coreboot-whiptail-tpm2-hotp/qemu-coreboot-whiptail-tpm2-hotp.config
View File

@ -17,11 +17,6 @@ CONFIG_LINUX_CONFIG=config/linux-qemu.config
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
@ -81,6 +76,13 @@ export CONFIG_TPM2_TOOLS=y
export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
#export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=y
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=n
export CONFIG_BOOTSCRIPT=/bin/gui-init
#text-based original init:
#export CONFIG_BOOTSCRIPT=/bin/generic-init
@ -91,6 +93,5 @@ export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
export CONFIG_BOARD_NAME="qemu-coreboot-whiptail-tpm2-hotp"
#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
export CONFIG_AUTO_BOOT_TIMEOUT=5
BOARD_TARGETS := qemu

14
boards/qemu-coreboot-whiptail-tpm2-prod/qemu-coreboot-whiptail-tpm2-prod.config
View File

@ -16,12 +16,6 @@ CONFIG_LINUX_CONFIG=config/linux-qemu.config
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
#export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000=y
@ -80,6 +74,13 @@ export CONFIG_TPM2_TOOLS=y
export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
#export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=n
export CONFIG_BOOTSCRIPT=/bin/gui-init
#text-based original init:
#export CONFIG_BOOTSCRIPT=/bin/generic-init
@ -90,6 +91,5 @@ export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
export CONFIG_BOARD_NAME="qemu-coreboot-whiptail-tpm2"
#export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
#export CONFIG_AUTO_BOOT_TIMEOUT=5
BOARD_TARGETS := qemu

12
boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config
View File

@ -16,11 +16,6 @@ CONFIG_LINUX_CONFIG=config/linux-qemu.config
#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
#export CONFIG_HAVE_GPG_KEY_BACKUP=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
@ -80,6 +75,13 @@ export CONFIG_TPM2_TOOLS=y
export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
#export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=y
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=y
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=n
export CONFIG_BOOTSCRIPT=/bin/gui-init
#text-based original init:
#export CONFIG_BOOTSCRIPT=/bin/generic-init

7
boards/t420-hotp-maximized/t420-hotp-maximized.config
View File

@ -60,6 +60,13 @@ CONFIG_FBWHIPTAIL=y
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=n
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/t420-maximized/t420-maximized.config
View File

@ -58,6 +58,13 @@ CONFIG_FBWHIPTAIL=y
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=n
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/t430-hotp-maximized/t430-hotp-maximized.config
View File

@ -58,6 +58,13 @@ CONFIG_FBWHIPTAIL=y
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/t430-maximized/t430-maximized.config
View File

@ -58,6 +58,13 @@ CONFIG_FBWHIPTAIL=y
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/t530-hotp-maximized/t530-hotp-maximized.config
View File

@ -60,6 +60,13 @@ CONFIG_FBWHIPTAIL=y
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/t530-maximized/t530-maximized.config
View File

@ -59,6 +59,13 @@ CONFIG_FBWHIPTAIL=y
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/w530-hotp-maximized/w530-hotp-maximized.config
View File

@ -60,6 +60,13 @@ CONFIG_FBWHIPTAIL=y
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/w530-maximized/w530-maximized.config
View File

@ -59,6 +59,13 @@ CONFIG_FBWHIPTAIL=y
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/x220-hotp-maximized/x220-hotp-maximized.config
View File

@ -60,6 +60,13 @@ CONFIG_FBWHIPTAIL=y
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=n
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/x220-maximized/x220-maximized.config
View File

@ -59,6 +59,13 @@ CONFIG_FBWHIPTAIL=y
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=n
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config
View File

@ -72,6 +72,13 @@ CONFIG_FBWHIPTAIL=y
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

11
boards/x230-hotp-maximized/x230-hotp-maximized.config
View File

@ -13,10 +13,6 @@ export CONFIG_LINUX_VERSION=6.1.8
CONFIG_COREBOOT_CONFIG=config/coreboot-x230-maximized.config
CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
#Enable DEBUG output
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#On-demand hardware support (modules.cpio)
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000E=y
@ -74,6 +70,13 @@ export CONFIG_AUTO_BOOT_TIMEOUT=5
#export CONFIG_PRIMARY_KEY_TYPE=ecc
#TPM1 requirements
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

11
boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config
View File

@ -15,10 +15,6 @@ export CONFIG_LINUX_VERSION=6.1.8
CONFIG_COREBOOT_CONFIG=config/coreboot-x230-maximized.config
CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
#Enable DEBUG output
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Additional hardware support
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000E=y
@ -68,6 +64,13 @@ CONFIG_FBWHIPTAIL=y
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config
View File

@ -71,6 +71,13 @@ CONFIG_FBWHIPTAIL=y
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

11
boards/x230-maximized/x230-maximized.config
View File

@ -13,10 +13,6 @@ export CONFIG_LINUX_VERSION=6.1.8
CONFIG_COREBOOT_CONFIG=config/coreboot-x230-maximized.config
CONFIG_LINUX_CONFIG=config/linux-x230-maximized.config
#Enable DEBUG output
#export CONFIG_DEBUG_OUTPUT=y
#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
#Additional hardware support
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000E=y
@ -62,6 +58,13 @@ CONFIG_FBWHIPTAIL=y
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

7
boards/z220-cmt-maximized/z220-cmt-maximized.config
View File

@ -54,6 +54,13 @@ CONFIG_LINUX_USB=y
CONFIG_MOBILE_TETHERING=y
export CONFIG_TPM=y
#Enable DEBUG output
export CONFIG_DEBUG_OUTPUT=n
export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n
#Enable TPM2 pcap output under /tmp
export CONFIG_TPM2_CAPTURE_PCAP=n
#Enable quiet mode: technical information logged under /tmp/debug.log
export CONFIG_QUIET_MODE=y
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n

2
initrd/.ash_history → initrd/.bash_history
View File

@ -4,7 +4,7 @@ mount /boot
find /boot/kexec*.txt | gpg --verify /boot/kexec.sig -
#remove invalid kexec_* signed files
mount /dev/sda1 /boot && mount -o remount,rw /boot && rm /boot/kexec* && mount -o remount,ro /boot
#Generate keys from GPG smartcard:
#Generate keys on OpenPGP smartcard:
mount-usb && gpg --home=/.gnupg/ --card-edit
#Copy generated public key, private_subkey, trustdb and artifacts to external media for backup:
mount -o remount,rw /media && mkdir -p /media/gpg_keys; gpg --export-secret-keys --armor email@address.com > /media/gpg_keys/private.key && gpg --export --armor email@address.com > /media/gpg_keys/public.key && gpg --export-ownertrust > /media/gpg_keys/otrust.txt && cp -r ./.gnupg/* /media/gpg_keys/ 2> /dev/null

13
initrd/bin/cbfs-init
View File

@ -2,6 +2,13 @@
set -e -o pipefail
. /etc/functions
# CBFS extraction and measurement
# This extraction and measurement cannot be suppressed by quiet mode, since
# config.user is not yet loaded at this point.
# To suppress this output, set CONFIG_QUIET_MODE=y needs be be set in /etc/config
# which is defined at build time under board configuration file to be part of initrd.cpio
# This script is called from initrd/init so really early in the boot process to put files in place in initramfs
TRACE_FUNC
# Update initrd with CBFS files
@ -17,12 +24,12 @@ for cbfsname in `echo $cbfsfiles`; do
if [ ! -z "$filename" ]; then
mkdir -p `dirname $filename` \
|| die "$filename: mkdir failed"
echo "Extracting CBFS file $cbfsname into $filename"
INFO "Extracting CBFS file $cbfsname into $filename"
cbfs -t 50 $CBFS_ARG -r $cbfsname > "$filename" \
|| die "$filename: cbfs file read failed"
if [ "$CONFIG_TPM" = "y" ]; then
TRACE_FUNC
echo "TPM: Extending PCR[$CONFIG_PCR] with $filename"
INFO "TPM: Extending PCR[$CONFIG_PCR] with filename $filename and then its content"
# Measure both the filename and its content. This
# ensures that renaming files or pivoting file content
# will still affect the resulting PCR measurement.
@ -32,5 +39,3 @@ for cbfsname in `echo $cbfsfiles`; do
fi
fi
done
# TODO: copy CBFS file named "heads/initrd.tgz" to /tmp, measure and extract

935
initrd/bin/config-gui.sh
View File

File diff suppressed because it is too large Load Diff

6
initrd/bin/flash.sh
View File

@ -1,14 +1,14 @@
#!/bin/ash
#!/bin/bash
#
# NOTE: This script is used on legacy-flash boards and runs with busybox ash,
# not bash
set -e -o pipefail
. /etc/ash_functions
. /etc/functions
. /tmp/config
echo
TRACE "Under /bin/flash.sh"
TRACE_FUNC
case "$CONFIG_FLASH_OPTIONS" in
"" )

2
initrd/bin/gpg-gui.sh
View File

@ -148,7 +148,7 @@ while true; do
'e' ' Replace GPG key(s) in the current ROM and reflash' \
'l' ' List GPG keys in your keyring' \
'p' ' Export public GPG key to USB drive' \
'g' ' Generate GPG keys manually on a USB security token' \
'g' ' Generate GPG keys manually on a USB security dongle' \
'x' ' Exit' \
2>/tmp/whiptail || recovery "GUI menu failed"

1114
initrd/bin/gui-init
View File

File diff suppressed because it is too large Load Diff

2
initrd/bin/inject_firmware.sh
View File

@ -96,7 +96,7 @@ chmod a+x "$INITRD_ROOT/init"
# Linux ignores zeros between archive segments, so any extra padding is not
# harmful.
FW_INITRD="/tmp/inject_firmware_initrd.cpio.gz"
dd if="$ORIG_INITRD" of="$FW_INITRD" bs=512 conv=sync status=none
dd if="$ORIG_INITRD" of="$FW_INITRD" bs=512 conv=sync status=none > /dev/null 2>&1
# Pack up the new contents and append to the initrd. Don't spend time
# compressing this.
(cd "$INITRD_ROOT"; find . | cpio -o -H newc) >>"$FW_INITRD"

4
initrd/bin/kexec-insert-key
View File

@ -66,7 +66,7 @@ fi
# Override PCR 4 so that user can't read the key
TRACE_FUNC
echo "TPM: Extending PCR[4] to prevent any future secret unsealing"
INFO "TPM: Extending PCR[4] to prevent any future secret unsealing"
tpmr extend -ix 4 -ic generic ||
die 'Unable to scramble PCR'
@ -92,7 +92,7 @@ echo '+++ Building initrd'
# pad the initramfs (dracut doesn't pad the last gz blob)
# without this the kernel init/initramfs.c fails to read
# the subsequent uncompressed/compressed cpio
dd if="$INITRD" of="$SECRET_CPIO" bs=512 conv=sync ||
dd if="$INITRD" of="$SECRET_CPIO" bs=512 conv=sync > /dev/null 2>&1 ||
die "Failed to copy initrd to /tmp"
if [ "$unseal_failed" = "n" ]; then

13
initrd/bin/kexec-save-default
View File

@ -223,7 +223,7 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [
-n 1 \
-p "Do you wish to add a disk encryption key to the TPM [y/N]: " \
add_key_confirm
#TODO: still not convinced: disk encryption key? decryption key? everywhere TPM Disk Unlock Key. Confusing even more?
#TODO: still not convinced: disk encryption key? decryption key? everywhere TPM Disk Unlock Key. Confusing even more?
echo
if [ "$add_key_confirm" = "y" \
@ -277,9 +277,14 @@ if [ ! -d $paramsdir ]; then
fi
if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
sha256sum /tmp/secret/primary.handle >"$PRIMHASH_FILE" ||
die "ERROR: Failed to Hash TPM2 primary key handle!"
DEBUG "TPM2 primary key handle hash saved to $PRIMHASH_FILE"
if [ -f /tmp/secret/primary.handle ]; then
DEBUG "Hashing TPM2 primary key handle..."
sha256sum /tmp/secret/primary.handle > "$PRIMHASH_FILE" ||
die "ERROR: Failed to Hash TPM2 primary key handle!"
DEBUG "TPM2 primary key handle hash saved to $PRIMHASH_FILE"
else
die "ERROR: TPM2 primary key handle file does not exist!"
fi
fi
rm $paramsdir/kexec_default.*.txt 2>/dev/null || true

8
initrd/bin/kexec-seal-key
View File

@ -97,16 +97,16 @@ done
attempts=0
while [ $attempts -lt 3 ]; do
read -s -p "New LUKS TPM Disk Unlock Key passphrase (DUK) for booting: " key_password
read -s -p "New LUKS TPM Disk Unlock Key (DUK) passphrase for booting: " key_password
echo
read -s -p "Repeat LUKS TPM Disk Unlock Key (DUK) passphrase for booting: " key_password2
echo
if [ "$key_password" != "$key_password2" ]; then
attempts=$((attempts + 1))
if [ "$attempts" == "3" ]; then
die "Disk Unlock Key passphrases do not match. Exiting..."
die "Disk Unlock Key (DUK) passphrases do not match. Exiting..."
else
warn "Disk Unlock Key passphrases do not match. Please try again."
warn "Disk Unlock Key (DUK) passphrases do not match. Please try again."
fi
else
break
@ -168,7 +168,7 @@ for dev in $key_devices; do
die "$dev: Unable to find a key slot that can be unlocked with provided passphrase. Exiting..."
fi
# If the key slot is not the expected DUK o FRK key slot, we will ask the user to confirm the wipe
# If the key slot is not the expected DUK or DRK key slot, we will ask the user to confirm the wipe
for keyslot in "${luks_used_keyslots[@]}"; do
if [ "$keyslot" != "$drk_key_slot" ]; then
#set wipe_desired to no by default

27
initrd/bin/kexec-select-boot
View File

@ -60,17 +60,20 @@ paramsdir="${paramsdir%%/}"
PRIMHASH_FILE="$paramsdir/kexec_primhdl_hash.txt"
if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
if [ -r "$PRIMHASH_FILE" ]; then
sha256sum -c "$PRIMHASH_FILE" ||
if [ -s "$PRIMHASH_FILE" ]; then
#PRIMHASH_FILE (normally /boot/kexec_primhdl_hash.txt) exists and is not empty
sha256sum -c "$PRIMHASH_FILE" >/dev/null 2>&1 ||
{
echo "FATAL: Hash of TPM2 primary key handle mismatch!"
warn "If you have not intentionally regenerated TPM2 primary key,"
warn "your system may have been compromised"
DEBUG "Hash of TPM2 primary key handle mismatched for $PRIMHASH_FILE"
DEBUG "Contents of $PRIMHASH_FILE:"
DEBUG "$(cat $PRIMHASH_FILE)"
}
else
warn "Hash of TPM2 primary key handle does not exist"
warn "Please rebuild the TPM2 primary key handle by settings a default OS to boot."
warn "Please rebuild the TPM2 primary key handle hash by setting a default OS to boot."
warn "Select Options-> Boot Options -> Show OS Boot Menu -> <Pick OS> -> Make default"
#TODO: Simplify/Automatize TPM2 firmware upgrade process. Today: upgrade, reboot, reseal(type TPM owner pass), resign, boot
default_failed="y"
@ -79,10 +82,10 @@ if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
fi
verify_global_hashes() {
echo "+++ Checking verified boot hash file "
INFO "+++ Checking verified boot hash file "
# Check the hashes of all the files
if verify_checksums "$bootdir" "$gui_menu"; then
echo "+++ Verified boot hashes "
INFO "+++ Verified boot hashes "
valid_hash='y'
valid_global_hash='y'
else
@ -113,16 +116,18 @@ verify_global_hashes() {
}
verify_rollback_counter() {
TRACE_FUNC
TPM_COUNTER=$(grep counter $TMP_ROLLBACK_FILE | cut -d- -f2)
if [ -z "$TPM_COUNTER" ]; then
die "$TMP_ROLLBACK_FILE: TPM counter not found?"
fi
read_tpm_counter $TPM_COUNTER ||
read_tpm_counter $TPM_COUNTER >/dev/null 2>&1 ||
die "Failed to read TPM counter"
sha256sum -c $TMP_ROLLBACK_FILE ||
die "Invalid TPM counter state"
sha256sum -c $TMP_ROLLBACK_FILE >/dev/null 2>&1 ||
die "Invalid TPM counter state. TPM Reset required"
valid_rollback="y"
}
@ -203,7 +208,7 @@ parse_option() {
}
scan_options() {
echo "+++ Scanning for unsigned boot options"
INFO "+++ Scanning for unsigned boot options"
option_file="/tmp/kexec_options.txt"
scan_boot_options "$bootdir" "$config" "$option_file"
if [ ! -s $option_file ]; then
@ -267,7 +272,7 @@ default_select() {
if [ "$CONFIG_BASIC" != "y" ]; then
# Enforce that default option hashes are valid
echo "+++ Checking verified default boot hash file "
INFO "+++ Checking verified default boot hash file "
# Check the hashes of all the files
if (cd $bootdir && sha256sum -c "$TMP_DEFAULT_HASH_FILE" >/tmp/hash_output); then
echo "+++ Verified default boot hashes "
@ -385,7 +390,7 @@ while true; do
if [ ! -r "$TMP_KEY_DEVICES" ]; then
# Extend PCR4 as soon as possible
TRACE_FUNC
DEBUG "TPM: Extending PCR[4] to prevent further secret unsealing"
INFO "TPM: Extending PCR[4] to prevent further secret unsealing"
tpmr extend -ix 4 -ic generic ||
die "Failed to extend TPM PCR[4]"
fi

49
initrd/bin/kexec-sign-config
View File

@ -10,10 +10,13 @@ rollback="n"
update="n"
while getopts "p:c:ur" arg; do
case $arg in
p) paramsdir="$OPTARG" ;;
c) counter="$OPTARG"; rollback="y" ;;
u) update="y" ;;
r) rollback="y" ;;
p) paramsdir="$OPTARG" ;;
c)
counter="$OPTARG"
rollback="y"
;;
u) update="y" ;;
r) rollback="y" ;;
esac
done
@ -27,18 +30,21 @@ assert_signable
confirm_gpg_card
# remount /boot as rw
mount -o remount,rw /boot
# update hashes in /boot before signing
if [ "$update" = "y" ]; then
(
cd /boot
find ./ -type f ! -path './kexec*' -print0 | xargs -0 sha256sum > /boot/kexec_hashes.txt
find ./ -type f ! -path './kexec*' -print0 | xargs -0 sha256sum >/boot/kexec_hashes.txt
if [ -e /boot/kexec_default_hashes.txt ]; then
DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ')
echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt
echo $DEFAULT_FILES | xargs sha256sum >/boot/kexec_default_hashes.txt
fi
#also save the file & directory structure to detect added files
print_tree > /boot/kexec_tree.txt
print_tree >/boot/kexec_tree.txt
)
[ $? -eq 0 ] || die "$paramsdir: Failed to update hashes."
@ -52,23 +58,23 @@ if [ "$rollback" = "y" ]; then
if [ -n "$counter" ]; then
# use existing counter
read_tpm_counter $counter \
|| die "$paramsdir: Unable to read tpm counter '$counter'"
read_tpm_counter $counter >/dev/null 2>&1 ||
die "$paramsdir: Unable to read tpm counter '$counter'"
else
# increment counter
check_tpm_counter $rollback_file \
|| die "$paramsdir: Unable to find/create tpm counter"
check_tpm_counter $rollback_file >/dev/null 2>&1 ||
die "$paramsdir: Unable to find/create tpm counter"
counter="$TPM_COUNTER"
increment_tpm_counter $counter \
|| die "$paramsdir: Unable to increment tpm counter"
increment_tpm_counter $counter >/dev/null 2>&1 ||
die "$paramsdir: Unable to increment tpm counter"
fi
sha256sum /tmp/counter-$counter > $rollback_file \
|| die "$paramsdir: Unable to create rollback file"
sha256sum /tmp/counter-$counter >$rollback_file ||
die "$paramsdir: Unable to create rollback file"
fi
param_files=`find $paramsdir/kexec*.txt`
param_files=$(find $paramsdir/kexec*.txt)
if [ -z "$param_files" ]; then
die "$paramsdir: No kexec parameter files to sign"
fi
@ -77,12 +83,19 @@ for tries in 1 2 3; do
if sha256sum $param_files | gpg \
--detach-sign \
-a \
> $paramsdir/kexec.sig \
; then
>$paramsdir/kexec.sig \
; then
# successful - update the validated params
check_config $paramsdir
# remount /boot as ro
mount -o remount,ro /boot
exit 0
fi
done
# remount /boot as ro
mount -o remount,ro /boot
die "$paramsdir: Unable to sign kexec hashes"

7
initrd/bin/lock_chip
View File

@ -1,14 +1,13 @@
#!/bin/sh
#!/bin/bash
# For this to work:
# - io386 module needs to be enabled in board config
# - <Skylake: coreboot config need to enable CONFIG_BOOTMEDIA_LOCK_CONTROLLER=y without enabling CONFIG_INTEL_CHIPSET_LOCKDOWN
# - >=Skylake: same as above and CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM=y, CONFIG_SPI_FLASH_SMM=y and mode (eg: CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y)
# - Heads is actually doing the CONFIG_INTEL_CHIPSET_LOCKDOWN equivalent here.
#include ash shell functions (TRACE requires it)
. /etc/ash_functions
. /etc/functions
TRACE "Under /bin/lock_chip"
TRACE_FUNC
if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING" = "y" ]; then
APM_CNT=0xb2
FIN_CODE=0xcb

2058
initrd/bin/oem-factory-reset
View File

File diff suppressed because it is too large Load Diff

6
initrd/bin/poweroff
View File

@ -1,7 +1,7 @@
#!/bin/ash
. /etc/ash_functions
#!/bin/bash
. /etc/functions
TRACE "Under /bin/poweroff"
TRACE_FUNC
# Shut down TPM
if [ "$CONFIG_TPM" = "y" ]; then

2
initrd/bin/qubes-measure-luks
View File

@ -20,6 +20,6 @@ DEBUG "Removing /tmp/lukshdr-*"
rm /tmp/lukshdr-*
TRACE_FUNC
echo "TPM: Extending PCR[6] with hash of LUKS headers from /tmp/luksDump.txt"
INFO "TPM: Extending PCR[6] with hash of LUKS headers from /tmp/luksDump.txt"
tpmr extend -ix 6 -if /tmp/luksDump.txt ||
die "Unable to extend PCR"

6
initrd/bin/reboot
View File

@ -1,7 +1,7 @@
#!/bin/ash
. /etc/ash_functions
#!/bin/bash
. /etc/functions
TRACE "Under /bin/reboot"
TRACE_FUNC
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
#Generalize user prompt to continue reboot or go to recovery shell

2
initrd/bin/root-hashes-gui.sh
View File

@ -367,7 +367,7 @@ detect_root_device()
fi
# generate list of possible boot devices
fdisk -l | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" > /tmp/disklist
fdisk -l 2>/dev/null | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" > /tmp/disklist
# filter out extraneous options
> /tmp_root_device_list

163
initrd/bin/seal-hotpkey
View File

@ -1,5 +1,5 @@
#!/bin/bash
# Retrieve the sealed TOTP secret and initialize a USB Security Dongle with it
# Retrieve the sealed TOTP secret and initialize a USB Security dongle with it
. /etc/functions
. /etc/gui_functions
@ -8,44 +8,42 @@ HOTP_SECRET="/tmp/secret/hotp.key"
HOTP_COUNTER="/boot/kexec_hotp_counter"
HOTP_KEY="/boot/kexec_hotp_key"
mount_boot()
{
TRACE_FUNC
# Mount local disk if it is not already mounted
if ! grep -q /boot /proc/mounts; then
if ! mount -o ro /boot; then
whiptail_error --title 'ERROR' \
--msgbox "Couldn't mount /boot.\n\nCheck the /boot device in configuration settings, or perform an OEM reset." 0 80
return 1
fi
fi
mount_boot() {
TRACE_FUNC
# Mount local disk if it is not already mounted
if ! grep -q /boot /proc/mounts; then
if ! mount -o ro /boot; then
whiptail_error --title 'ERROR' \
--msgbox "Couldn't mount /boot.\n\nCheck the /boot device in configuration settings, or perform an OEM reset." 0 80
return 1
fi
fi
}
TRACE_FUNC
fatal_error()
{
echo -e "\nERROR: ${1}; press Enter to continue."
read
# get lsusb output for debugging
DEBUG "lsusb output: $(lsusb)"
die "$1"
fatal_error() {
echo -e "\nERROR: ${1}; press Enter to continue."
read
# get lsusb output for debugging
DEBUG "lsusb output: $(lsusb)"
die "$1"
}
# Use stored HOTP key branding (this might be useful after OEM reset)
if [ -r /boot/kexec_hotp_key ]; then
HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)"
else
HOTPKEY_BRANDING="HOTP USB Security Dongle"
HOTPKEY_BRANDING="HOTP USB Security dongle"
fi
if [ "$CONFIG_TPM" = "y" ]; then
DEBUG "Sealing HOTP secret reuses TOTP sealed secret..."
tpmr unseal 4d47 0,1,2,3,4,7 312 "$HOTP_SECRET" \
|| fatal_error "Unable to unseal HOTP secret"
tpmr unseal 4d47 0,1,2,3,4,7 312 "$HOTP_SECRET" ||
fatal_error "Unable to unseal HOTP secret"
else
# without a TPM, generate a secret based on the SHA-256 of the ROM
secret_from_rom_hash > "$HOTP_SECRET" || die "Reading ROM failed"
secret_from_rom_hash >"$HOTP_SECRET" || die "Reading ROM failed"
fi
# Store counter in file instead of TPM for now, as it conflicts with Heads
@ -67,25 +65,29 @@ mount_boot || exit 1
counter_value=1
enable_usb
# Make sure no conflicting GPG related services are running, gpg-agent will respawn
killall gpg-agent scdaemon >/dev/null 2>&1
# While making sure the key is inserted, capture the status so we can check how
# many PIN attempts remain
if ! hotp_token_info="$(hotp_verification info)" ; then
echo -e "\nInsert your $HOTPKEY_BRANDING and press Enter to configure it"
read
if ! hotp_token_info="$(hotp_verification info)" ; then
# don't leak key on failure
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
fatal_error "Unable to find $HOTPKEY_BRANDING"
fi
if ! hotp_token_info="$(hotp_verification info)"; then
echo -e "\nInsert your $HOTPKEY_BRANDING and press Enter to configure it"
read
if ! hotp_token_info="$(hotp_verification info)"; then
# don't leak key on failure
shred -n 10 -z -u "$HOTP_SECRET" 2>/dev/null
fatal_error "Unable to find $HOTPKEY_BRANDING"
fi
fi
# Set HOTP USB Security Dongle branding based on VID
if lsusb | grep -q "20a0:" ; then
# Set HOTP USB Security dongle branding based on VID
if lsusb | grep -q "20a0:"; then
HOTPKEY_BRANDING="Nitrokey"
elif lsusb | grep -q "316d:" ; then
elif lsusb | grep -q "316d:"; then
HOTPKEY_BRANDING="Librem Key"
else
HOTPKEY_BRANDING="HOTP USB Security Dongle"
HOTPKEY_BRANDING="HOTP USB Security dongle"
fi
# Truncate the secret if it is longer than the maximum HOTP secret
@ -99,18 +101,26 @@ gpg_key_create_time="${gpg_key_create_time:-0}"
DEBUG "Signature key was created at $(date -d "@$gpg_key_create_time")"
now_date="$(date '+%s')"
# Get the number of admin PIN retry attempts remaining
awk_admin_counter_regex='/^\s*Card counters: Admin (\d),.*$/'
awk_get_admin_counter="$awk_admin_counter_regex"' { print gensub('"$awk_admin_counter_regex"', "\\1", "") }'
admin_pin_retries="$(echo "$hotp_token_info" | awk "$awk_get_admin_counter")"
# Get the number of HOTP related PIN retry attempts remaining
# if nk3 detected by lsusb, use different regex to get admin counter
if lsusb | grep -q "20a0:42b2"; then
# Nitrokey 3: Secrets app PIN counter: 8
admin_pin_retries=$(echo "$hotp_token_info" | grep "Secrets app PIN counter:" | cut -d ':' -f 2 | tr -d ' ')
prompt_message="Secrets app"
else
# <nk3
admin_pin_retries=$(echo "$hotp_token_info" | grep "Card counters: Admin" | grep -o 'Admin [0-9]*' | grep -o '[0-9]*')
prompt_message="GPG Admin"
fi
admin_pin_retries="${admin_pin_retries:-0}"
DEBUG "Admin PIN retry counter is $admin_pin_retries"
DEBUG "HOTP related PIN retry counter is $admin_pin_retries"
# Try using factory default admin PIN for 1 month following OEM reset to ease
# initial setup. But don't do it forever to encourage changing the PIN and
# so PIN attempts are not consumed by the default attempt.
admin_pin="12345678"
month_secs="$((30*24*60*60))"
month_secs="$((30 * 24 * 60 * 60))"
admin_pin_status=1
if [ "$((now_date - gpg_key_create_time))" -gt "$month_secs" ]; then
# Remind what the default PIN was in case it still hasn't been changed
@ -121,38 +131,47 @@ if [ "$((now_date - gpg_key_create_time))" -gt "$month_secs" ]; then
elif [ "$admin_pin_retries" -lt 3 ]; then
echo "Not trying default PIN ($admin_pin), only $admin_pin_retries attempt(s) left"
else
hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" >/dev/null 2>&1
echo "Trying $prompt_message PIN ($admin_pin) to seal HOTP secret on $HOTPKEY_BRANDING..."
#if we deal with the nk3, say to the user that touch will be required
if lsusb | grep -q "20a0:42b2"; then
warn "Nitrokey 3 requires physical presence : touch the dongle when prompted"
echo
fi
#TODO: silence the output of hotp_initialize once https://github.com/Nitrokey/nitrokey-hotp-verification/issues/41 is fixed
#hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" >/dev/null 2>&1
hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING"
admin_pin_status="$?"
fi
if [ "$admin_pin_status" -ne 0 ]; then
# prompt user for PIN and retry
echo ""
read -s -p "Enter your $HOTPKEY_BRANDING Admin PIN: " admin_pin
echo -e "\n"
hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING"
if [ $? -ne 0 ]; then
echo -e "\n"
read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again: " admin_pin
echo -e "\n"
if ! hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" ; then
# don't leak key on failure
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
if [ "$HOTPKEY_BRANDING" == "Nitrokey" ]; then
fatal_error "Setting HOTP secret failed, to reset nitrokey pin use: nitropy nk3 secrets reset or the Nitrokey App 2"
else
fatal_error "Setting HOTP secret failed"
fi
fi
fi
else
# remind user to change admin password
echo -e "\nWARNING: default admin PIN detected: please change this as soon as possible."
# prompt user for PIN and retry
echo ""
read -s -p "Enter your $HOTPKEY_BRANDING $prompt_message PIN: " admin_pin
echo -e "\n"
hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING"
if [ $? -ne 0 ]; then
echo -e "\n"
read -s -p "Error setting HOTP secret, re-enter $prompt_message PIN and try again: " admin_pin
echo -e "\n"
if ! hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING"; then
# don't leak key on failure
shred -n 10 -z -u "$HOTP_SECRET" 2>/dev/null
if [ "$HOTPKEY_BRANDING" == "Nitrokey" ]; then
fatal_error "Setting HOTP secret failed, to reset $prompt_message PIN, redo Re-Ownership procedure, use the Nitrokey App 2 or contact Nitrokey support"
else
fatal_error "Setting HOTP secret failed"
fi
fi
fi
else
# remind user to change admin password
warn "Default $prompt_message PIN detected. Please change this as soon as possible with Options > OEM Factory Reset / Re-Ownership"
fi
# HOTP key no longer needed
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
shred -n 10 -z -u "$HOTP_SECRET" 2>/dev/null
# Make sure our counter is incremented ahead of the next check
#increment_tpm_counter $counter > /dev/null \
@ -162,13 +181,13 @@ shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
mount -o remount,rw /boot
counter_value=`expr $counter_value + 1`
echo $counter_value > $HOTP_COUNTER \
|| fatal_error "Unable to create hotp counter file"
counter_value=$(expr $counter_value + 1)
echo $counter_value >$HOTP_COUNTER ||
fatal_error "Unable to create hotp counter file"
# Store/overwrite HOTP USB Security Dongle branding found out beforehand
echo $HOTPKEY_BRANDING > $HOTP_KEY \
|| die "Unable to store hotp key file"
# Store/overwrite HOTP USB Security dongle branding found out beforehand
echo $HOTPKEY_BRANDING >$HOTP_KEY ||
die "Unable to store hotp key file"
#sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
#|| die "Unable to create hotp counter file"

5
initrd/bin/seal-totp
View File

@ -55,8 +55,9 @@ tpmr seal "$TOTP_SECRET" "$TPM_NVRAM_SPACE" 0,1,2,3,4,7 "$pcrf" 312 "" "$TPM_PAS
shred -n 10 -z -u "$TOTP_SEALED" 2>/dev/null
url="otpauth://totp/$HOST?secret=$secret"
secret=""
DEBUG "TOTP secret output on screen (both URL and QR code)"
qrenc "$url"
echo "$url"
echo "TOTP secret for manual input (device without camera): $secret"
secret=""

101
initrd/bin/tpmr
View File

@ -17,7 +17,7 @@ PCR_SIZE=
# Export CONFIG_TPM2_CAPTURE_PCAP=y from your board config to capture tpm2 pcaps to
# /tmp/tpm0.pcap; Wireshark can inspect these. (This must be enabled at build
# time so the pcap TCTI driver is included.)
if [ -n "$CONFIG_TPM2_CAPTURE_PCAP" ]; then
if [ "$CONFIG_TPM2_CAPTURE_PCAP" == "y" ]; then
export TPM2TOOLS_TCTI="pcap:device:/dev/tpmrm0"
export TCTI_PCAP_FILE="/tmp/tpm0.pcap"
fi
@ -29,7 +29,6 @@ else
. /etc/config
fi
# Busybox xxd lacks -r, and we get hex dumps from TPM1 commands. This converts
# a hex dump to binary data using sed and printf
hex2bin() {
@ -258,7 +257,7 @@ tpm2_extend() {
esac
done
tpm2 pcrextend "$index:sha256=$hash"
tpm2 pcrread "sha256:$index"
INFO $(tpm2 pcrread "sha256:$index" 2>&1)
TRACE_FUNC
DEBUG "TPM: Extended PCR[$index] with hash $hash"
@ -307,11 +306,18 @@ tpm1_counter_create() {
# other parameters for TPM1 are passed directly, and TPM2 mimics the
# TPM1 interface.
prompt_tpm_owner_password
if ! tpm counter_create -pwdo "$(cat "/tmp/secret/tpm_owner_password")" "$@"; then
TMP_ERR_FILE=$(mktemp)
if ! tpm counter_create -pwdo "$(cat "/tmp/secret/tpm_owner_password")" "$@" 2>"$TMP_ERR_FILE"; then
DEBUG "Failed to create counter from tpm1_counter_create. Wiping /tmp/secret/tpm_owner_password"
shred -n 10 -z -u /tmp/secret/tpm_owner_password
# Log the contents of the temporary error file
while IFS= read -r line; do
DEBUG "tpm1 stderr: $line"
done <"$TMP_ERR_FILE"
rm -f "$TMP_ERR_FILE"
die "Unable to create counter from tpm1_counter_create"
fi
rm -f "$TMP_ERR_FILE"
}
tpm2_counter_create() {
@ -332,9 +338,9 @@ tpm2_counter_create() {
esac
done
prompt_tpm_owner_password
rand_index="1$(dd if=/dev/urandom bs=1 count=3 | xxd -pc3)"
rand_index="1$(dd if=/dev/urandom bs=1 count=3 2>/dev/null | xxd -pc3)"
tpm2 nvdefine -C o -s 8 -a "ownerread|authread|authwrite|nt=1" \
-P "$(tpm2_password_hex "$(cat "/tmp/secret/tpm_owner_password")")" "0x$rand_index" >/dev/console ||
-P "$(tpm2_password_hex "$(cat "/tmp/secret/tpm_owner_password")")" "0x$rand_index" >/dev/null 2>&1 ||
{
DEBUG "Failed to create counter from tpm2_counter_create. Wiping /tmp/secret/tpm_owner_password"
shred -n 10 -z -u /tmp/secret/tpm_owner_password
@ -357,12 +363,12 @@ tpm2_startsession() {
tpm2 flushcontext -Q \
--saved-session ||
die "tpm2_flushcontext: unable to flush saved session"
tpm2 readpublic -Q -c "$PRIMARY_HANDLE" -t "$PRIMARY_HANDLE_FILE"
tpm2 readpublic -Q -c "$PRIMARY_HANDLE" -t "$PRIMARY_HANDLE_FILE" >/dev/null 2>&1
#TODO: do the right thing to not have to suppress "WARN: check public portion the tpmkey manually" see https://github.com/linuxboot/heads/pull/1630#issuecomment-2075120429
tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$ENC_SESSION_FILE" > /dev/null 2>&1
tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$ENC_SESSION_FILE" >/dev/null 2>&1
#TODO: do the right thing to not have to suppress "WARN: check public portion the tpmkey manually" see https://github.com/linuxboot/heads/pull/1630#issuecomment-2075120429
tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$DEC_SESSION_FILE" > /dev/null 2>&1
tpm2 sessionconfig -Q --disable-encrypt "$DEC_SESSION_FILE"
tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$DEC_SESSION_FILE" >/dev/null 2>&1
tpm2 sessionconfig -Q --disable-encrypt "$DEC_SESSION_FILE" >/dev/null 2>&1
}
# Use cleanup_session() with at_exit to release a TPM2 session and delete the
@ -412,7 +418,7 @@ tpm1_destroy() {
index="$1" # Index of the sealed file
size="$2" # Size of zeroes to overwrite for TPM1
dd if=/dev/zero bs="$size" count=1 of=/tmp/wipe-totp-zero
dd if=/dev/zero bs="$size" count=1 of=/tmp/wipe-totp-zero >/dev/null 2>&1
tpm nv_writevalue -in "$index" -if /tmp/wipe-totp-zero ||
die "Unable to wipe sealed secret from TPM NVRAM"
}
@ -502,7 +508,7 @@ tpm1_seal() {
pcrl="$3" #0,1,2,3,4,5,6,7 (does not include algorithm prefix)
pcrf="$4"
sealed_size="$5"
pass="$6" # May be empty to seal with no password
pass="$6" # May be empty to seal with no password
tpm_owner_password="$7" # Owner password - will prompt if needed and not empty
sealed_file="$SECRET_DIR/tpm1_seal_sealed.bin"
@ -512,7 +518,6 @@ tpm1_seal() {
DEBUG "tpm1_seal arguments: file=$file index=$index pcrl=$pcrl pcrf=$pcrf sealed_size=$sealed_size pass=$(mask_param "$pass") tpm_password=$(mask_param "$tpm_password")"
# If a password was given, add it to the policy arguments
if [ "$pass" ]; then
POLICY_ARGS+=(-pwdd "$pass")
@ -534,7 +539,7 @@ tpm1_seal() {
-of "$sealed_file" \
-hk 40000000 \
"${POLICY_ARGS[@]}"
# try it without the TPM Owner Password first
if ! tpm nv_writevalue -in "$index" -if "$sealed_file"; then
# to create an nvram space we need the TPM Owner Password
@ -605,9 +610,18 @@ tpm2_unseal() {
UNSEAL_PASS_SUFFIX="+$(tpm2_password_hex "$pass")"
fi
tpm2 unseal -Q -c "$handle" -p "session:$POLICY_SESSION$UNSEAL_PASS_SUFFIX" \
-S "$ENC_SESSION_FILE" >"$file"
# tpm2 unseal will write the unsealed data to stdout and any errors to
# stderr; capture stderr to log.
if ! tpm2 unseal -Q -c "$handle" -p "session:$POLICY_SESSION$UNSEAL_PASS_SUFFIX" \
-S "$ENC_SESSION_FILE" >"$file" 2> >(SINK_LOG "tpm2 stderr"); then
INFO "Unable to unseal secret from TPM NVRAM"
# should succeed, exit if it doesn't
exit 1
fi
rm -f "$TMP_ERR_FILE"
}
tpm1_unseal() {
TRACE_FUNC
index="$1"
@ -650,15 +664,15 @@ tpm2_reset() {
# output TPM Owner Password to a file to be reused in this boot session until recovery shell/reboot
DEBUG "Caching TPM Owner Password to $SECRET_DIR/tpm_owner_password"
echo -n "$tpm_owner_password" >"$SECRET_DIR/tpm_owner_password"
tpm2 clear -c platform || warn "Unable to clear TPM on platform hierarchy"
tpm2 changeauth -c owner "$(tpm2_password_hex "$tpm_owner_password")"
tpm2 changeauth -c endorsement "$(tpm2_password_hex "$tpm_owner_password")"
tpm2 createprimary -C owner -g sha256 -G "${CONFIG_PRIMARY_KEY_TYPE:-rsa}" \
-c "$SECRET_DIR/primary.ctx" -P "$(tpm2_password_hex "$tpm_owner_password")"
tpm2 evictcontrol -C owner -c "$SECRET_DIR/primary.ctx" "$PRIMARY_HANDLE" \
-P "$(tpm2_password_hex "$tpm_owner_password")"
shred -u "$SECRET_DIR/primary.ctx"
tpm2_startsession
DO_WITH_DEBUG tpm2 clear -c platform &>/dev/null
DO_WITH_DEBUG tpm2 changeauth -c owner "$(tpm2_password_hex "$tpm_owner_password")" &>/dev/null
DO_WITH_DEBUG tpm2 changeauth -c endorsement "$(tpm2_password_hex "$tpm_owner_password")" &>/dev/null
DO_WITH_DEBUG tpm2 createprimary -C owner -g sha256 -G "${CONFIG_PRIMARY_KEY_TYPE:-rsa}" \
-c "$SECRET_DIR/primary.ctx" -P "$(tpm2_password_hex "$tpm_owner_password")" &>/dev/null
DO_WITH_DEBUG tpm2 evictcontrol -C owner -c "$SECRET_DIR/primary.ctx" "$PRIMARY_HANDLE" \
-P "$(tpm2_password_hex "$tpm_owner_password")" &>/dev/null
shred -u "$SECRET_DIR/primary.ctx" &>/dev/null
DO_WITH_DEBUG tpm2_startsession &>/dev/null
# Set the dictionary attack parameters. TPM2 defaults vary widely, we
# want consistent behavior on any TPM.
@ -681,7 +695,7 @@ tpm2_reset() {
--max-tries=10 \
--recovery-time=3600 \
--lockout-recovery-time=0 \
--auth="session:$ENC_SESSION_FILE"
--auth="session:$ENC_SESSION_FILE" >/dev/null 2>&1 || LOG "Unable to set dictionary lockout parameters"
# Set a random DA lockout password, so the DA lockout can't be cleared
# with a password. Heads doesn't offer dictionary attach reset, instead
@ -690,7 +704,7 @@ tpm2_reset() {
# The default lockout password is empty, so we must set this, and we
# don't need to provide any auth (use the default empty password).
tpm2 changeauth -Q -c lockout \
"hex:$(dd if=/dev/urandom bs=32 count=1 status=none | xxd -p | tr -d ' \n')"
"hex:$(dd if=/dev/urandom bs=32 count=1 status=none 2>/dev/null | xxd -p | tr -d ' \n')" >/dev/null 2>&1 || LOG "Unable to set lockout password"
}
tpm1_reset() {
TRACE_FUNC
@ -700,17 +714,17 @@ tpm1_reset() {
DEBUG "Caching TPM Owner Password to $SECRET_DIR/tpm_owner_password"
echo -n "$tpm_owner_password" >"$SECRET_DIR/tpm_owner_password"
# Make sure the TPM is ready to be reset
tpm physicalpresence -s
tpm physicalenable
tpm physicalsetdeactivated -c
tpm forceclear
tpm physicalenable
tpm takeown -pwdo "$tpm_owner_password"
DO_WITH_DEBUG tpm physicalpresence -s &>/dev/null
DO_WITH_DEBUG tpm physicalenable &>/dev/null
DO_WITH_DEBUG tpm physicalsetdeactivated -c &>/dev/null
DO_WITH_DEBUG tpm forceclear &>/dev/null
DO_WITH_DEBUG tpm physicalenable &>/dev/null
DO_WITH_DEBUG tpm takeown -pwdo "$tpm_owner_password" &>/dev/null
# And now turn it all back on
tpm physicalpresence -s
tpm physicalenable
tpm physicalsetdeactivated -c
DO_WITH_DEBUG tpm physicalpresence -s &>/dev/null
DO_WITH_DEBUG tpm physicalenable &>/dev/null
DO_WITH_DEBUG tpm physicalsetdeactivated -c &>/dev/null
}
# Perform final cleanup before boot and lock the platform heirarchy.
@ -729,7 +743,7 @@ tpm2_kexec_finalize() {
# being cleared in the OS.
# This passphrase is only effective before the next boot.
echo "Locking TPM2 platform hierarchy..."
randpass=$(dd if=/dev/urandom bs=4 count=1 status=none | xxd -p)
randpass=$(dd if=/dev/urandom bs=4 count=1 status=none 2>/dev/null | xxd -p)
tpm2 changeauth -c platform "$randpass" ||
warn "Failed to lock platform hierarchy of TPM2"
}
@ -775,7 +789,7 @@ if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
tpm1_destroy "$@"
;;
extend)
#check if we extend with a hash or a file
# Check if we extend with a hash or a file
if [ "$4" = "-if" ]; then
DEBUG "TPM: Will extend PCR[$3] hash content of file $5"
hash="$(sha1sum "$5" | cut -d' ' -f1)"
@ -784,10 +798,13 @@ if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
DEBUG "TPM: Will extend PCR[$3] with hash of filename $string"
hash="$(echo -n "$5" | sha1sum | cut -d' ' -f1)"
fi
TRACE_FUNC
DEBUG "TPM: Extending PCR[$3] with hash $hash"
DO_WITH_DEBUG exec tpm "$@"
INFO "TPM: Extending PCR[$3] with hash $hash"
# Silence stdout/stderr, they're only useful for debugging
# and DO_WITH_DEBUG captures them
DO_WITH_DEBUG exec tpm "$@" &>/dev/null
;;
seal)
shift
@ -828,7 +845,7 @@ calcfuturepcr)
;;
extend)
TRACE_FUNC
DEBUG "TPM: Extending PCR[$2] with $4"
INFO "TPM: Extending PCR[$2] with $4"
tpm2_extend "$@"
;;
counter_read)

2
initrd/bin/unpack_initramfs.sh
View File

@ -61,7 +61,7 @@ unpack_first_segment() {
mkdir -p "$dest_dir"
# peek the beginning of the file to determine what type of content is next
magic="$(dd if="$unpack_archive" bs=6 count=1 status=none | xxd -p)"
magic="$(dd if="$unpack_archive" bs=6 count=1 status=none 2>/dev/null | xxd -p)"
# read this segment of the archive, then write the rest to the next file
(

2
initrd/bin/unseal-totp
View File

@ -9,7 +9,7 @@ TRACE_FUNC
if [ "$CONFIG_TPM" = "y" ]; then
tpmr unseal 4d47 0,1,2,3,4,7 312 "$TOTP_SECRET" ||
die "Unable to unseal TOTP secret"
die "Unable to unseal TOTP secret from TPM"
fi
if ! totp -q <"$TOTP_SECRET"; then

27
initrd/bin/xx30-flash.init
View File

@ -1,27 +0,0 @@
#!/bin/ash
# Initialize the USB and network device drivers,
# invoke a recovery shell and prompt the user for how to proceed
. /etc/ash_functions
. /tmp/config
TRACE "Under /bin/xx30-flash.init"
busybox insmod /lib/modules/ehci-hcd.ko
busybox insmod /lib/modules/ehci-pci.ko
busybox insmod /lib/modules/xhci-hcd.ko
busybox insmod /lib/modules/xhci-pci.ko
busybox insmod /lib/modules/e1000e.ko
busybox insmod /lib/modules/usb-storage.ko
sleep 2
echo '***** Starting recovery shell'
echo ''
echo 'To install from flash drive:'
echo ''
echo ' mount -o ro /dev/sdb1 /media'
echo ' flash.sh /media/xx30-legacy.rom'
echo ''
exec /bin/sh

356
initrd/etc/ash_functions
View File

@ -1,356 +0,0 @@
#!/bin/sh
#
# Core shell functions that do not require bash. These functions are used with
# busybox ash on legacy-flash boards, and with bash on all other boards.
die() {
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ];then
echo -e " !!! ERROR: $* !!!" | tee -a /tmp/debug.log /dev/kmsg > /dev/null;
else
echo -e >&2 "!!! ERROR: $* !!!";
fi
sleep 2;
exit 1;
}
warn() {
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ];then
echo -e " *** WARNING: $* ***" | tee -a /tmp/debug.log /dev/kmsg > /dev/null;
else
echo -e >&2 " *** WARNING: $* ***";
fi
sleep 1;
}
DEBUG() {
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
# fold -s -w 960 will wrap lines at 960 characters on the last space before the limit
echo "DEBUG: $*" | fold -s -w 960 | while read line; do
echo "$line" | tee -a /tmp/debug.log /dev/kmsg >/dev/null
done
fi
}
TRACE() {
if [ "$CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" = "y" ];then
echo "TRACE: $*" | tee -a /tmp/debug.log /dev/kmsg > /dev/null;
fi
}
# Write directly to the debug log (but not kmsg), never appears on console
LOG() {
echo "LOG: $*" >>/tmp/debug.log
}
fw_version() {
local FW_VER=$(dmesg | grep 'DMI' | grep -o 'BIOS.*' | cut -f2- -d ' ')
# chop off date, since will always be epoch w/timeless builds
echo "${FW_VER::-10}"
}
preserve_rom() {
TRACE "Under /etc/ash_functions:preserve_rom"
new_rom="$1"
old_files=`cbfs -t 50 -l 2>/dev/null | grep "^heads/"`
for old_file in `echo $old_files`; do
new_file=`cbfs.sh -o $1 -l | grep -x $old_file`
if [ -z "$new_file" ]; then
echo "+++ Adding $old_file to $1"
cbfs -t 50 -r $old_file >/tmp/rom.$$ \
|| die "Failed to read cbfs file from ROM"
cbfs.sh -o $1 -a $old_file -f /tmp/rom.$$ \
|| die "Failed to write cbfs file to new ROM file"
fi
done
}
confirm_gpg_card() {
TRACE "Under /etc/ash_functions:confirm_gpg_card"
#Skip prompts if we are currently using a known GPG key material Thumb drive backup and keys are unlocked pinentry
#TODO: probably export CONFIG_GPG_KEY_BACKUP_IN_USE but not under /etc/user.config?
#Toggle to come in next PR, but currently we don't have a way to toggle it back to n if config.user flashed back in rom
if [[ "$CONFIG_HAVE_GPG_KEY_BACKUP" == "y" && "$CONFIG_GPG_KEY_BACKUP_IN_USE" == "y" ]]; then
DEBUG "Using known GPG key material Thumb drive backup and keys are unlocked and useable through pinentry"
return
fi
if [ "$CONFIG_HAVE_GPG_KEY_BACKUP" == "y" ]; then
message="Please confirm that your GPG card is inserted(Y/n) or your GPG key material (b)backup thumbdrive is inserted [Y/n/b]: "
else
# Generic message if no known key material backup
message="Please confirm that your GPG card is inserted [Y/n]: "
fi
read \
-n 1 \
-p "$message" \
card_confirm
echo
if [ "$card_confirm" != "y" \
-a "$card_confirm" != "Y" \
-a "$card_confirm" != "b" \
-a -n "$card_confirm" ] \
; then
die "gpg card not confirmed"
fi
# If user has known GPG key material Thumb drive backup and asked to use it
if [[ "$CONFIG_HAVE_GPG_KEY_BACKUP" == "y" && "$card_confirm" == "b" ]]; then
#Only mount and import GPG key material thumb drive backup once
if [ ! "$CONFIG_GPG_KEY_BACKUP_IN_USE" == "y" ]; then
CR_NONCE="/tmp/secret/cr_nonce"
CR_SIG="$CR_NONCE.sig"
#Wipe any previous CR_NONCE and CR_SIG
shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" >/dev/null 2>&1 || true
#Prompt user for configured GPG Admin PIN that will be passed along to mount-usb and to import gpg subkeys
echo
gpg_admin_pin=""
while [ -z "$gpg_admin_pin" ]; do
#TODO: change all passphrase prompts in codebase to include -r to prevent backslash escapes
read -r -s -p "Please enter GPG Admin PIN needed to use the GPG backup thumb drive: " gpg_admin_pin
echo
done
#prompt user to select the proper encrypted partition, which should the first one on next prompt
warn "Please select encrypted LUKS on GPG key material backup thumb drive (not public labeled one)"
mount-usb --pass "$gpg_admin_pin" || die "Unable to mount USB with provided GPG Admin PIN"
echo "++++ Testing detach-sign operation and verifiying against fused public key in ROM"
gpg --pinentry-mode=loopback --passphrase-file <(echo -n "${gpg_admin_pin}") --import /media/subkeys.sec >/dev/null 2>&1 ||
die "Unable to import GPG private subkeys"
#Do a detach signature to ensure gpg material is usable and cache passphrase to sign /boot from caller functions
dd if=/dev/urandom of="$CR_NONCE" bs=20 count=1 >/dev/null 2>&1 ||
die "Unable to create $CR_NONCE to be detach-signed with GPG private signing subkey"
gpg --pinentry-mode=loopback --passphrase-file <(echo -n "${gpg_admin_pin}") --detach-sign "$CR_NONCE" >/dev/null 2>&1 ||
die "Unable to detach-sign $CR_NONCE with GPG private signing subkey using GPG Admin PIN"
#verify detached signature against public key in rom
gpg --verify "$CR_SIG" "$CR_NONCE" > /dev/null 2>&1 && \
echo "++++ Local GPG keyring can be used to sign/encrypt/authenticate in this boot session ++++" || \
die "Unable to verify $CR_SIG detached signature against public key in ROM"
#Wipe any previous CR_NONCE and CR_SIG
shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" >/dev/null 2>&1 || true
#TODO: maybe just an export instead of setting /etc/user.config otherwise could be flashed in weird corner case situation
set_user_config "CONFIG_GPG_KEY_BACKUP_IN_USE" "y"
umount /media || die "Unable to unmount USB"
return
fi
fi
# setup the USB so we can reach the USB Security Dongle's smartcard
enable_usb
echo -e "\nVerifying presence of GPG card...\n"
# ensure we don't exit without retrying
errexit=$(set -o | grep errexit | awk '{print $2}')
set +e
gpg --card-status >/dev/null
if [ $? -ne 0 ]; then
# prompt for reinsertion and try a second time
read -n1 -r -p \
"Can't access GPG key; remove and reinsert, then press Enter to retry. " \
ignored
# restore prev errexit state
if [ "$errexit" = "on" ]; then
set -e
fi
# retry card status
gpg --card-status >/dev/null ||
die "gpg card read failed"
fi
# restore prev errexit state
if [ "$errexit" = "on" ]; then
set -e
fi
}
gpg_auth() {
if [[ "$CONFIG_HAVE_GPG_KEY_BACKUP" == "y" ]]; then
TRACE "Under /etc/ash_functions:gpg_auth"
# If we have a GPG key backup, we can use it to authenticate even if the card is lost
echo >&2 "!!!!! Please authenticate with OpenPGP smartcard/backup media to prove you are the owner of this machine !!!!!"
# Wipe any existing nonce and signature
shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" 2>/dev/null || true
# In case of gpg_auth, we require confirmation of the card, so loop with confirm_gpg_card until we get it
false
while [ $? -ne 0 ]; do
# Call confirm_gpg_card in subshell to ensure GPG key material presence
( confirm_gpg_card )
done
# Perform a signing-based challenge-response,
# to authencate that the card plugged in holding
# the key to sign the list of boot files.
CR_NONCE="/tmp/secret/cr_nonce"
CR_SIG="$CR_NONCE.sig"
# Generate a random nonce
dd \
if=/dev/urandom \
of="$CR_NONCE" \
count=1 \
bs=20 \
2>/dev/null \
|| die "Unable to generate 20 random bytes"
# Sign the nonce
for tries in 1 2 3; do
if gpg --digest-algo SHA256 \
--detach-sign \
-o "$CR_SIG" \
"$CR_NONCE" > /dev/null 2>&1 \
&& gpg --verify "$CR_SIG" "$CR_NONCE" > /dev/null 2>&1 \
; then
shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" 2>/dev/null || true
DEBUG "Under /etc/ash_functions:gpg_auth: success"
return 0
else
shred -n 10 -z -u "$CR_SIG" 2>/dev/null || true
if [ "$tries" -lt 3 ]; then
echo >&2 "!!!!! GPG authentication failed, please try again !!!!!"
continue
else
die "GPG authentication failed, please reboot and try again"
fi
fi
done
return 1
fi
}
recovery() {
TRACE "Under /etc/ash_functions:recovery"
echo >&2 "!!!!! $*"
# Remove any temporary secret files that might be hanging around
# but recreate the directory so that new tools can use it.
#safe to always be true. Otherwise "set -e" would make it exit here
shred -n 10 -z -u /tmp/secret/* 2> /dev/null || true
rm -rf /tmp/secret
mkdir -p /tmp/secret
# ensure /tmp/config exists for recovery scripts that depend on it
touch /tmp/config
. /tmp/config
DEBUG "Board $CONFIG_BOARD - version $(fw_version)"
if [ "$CONFIG_TPM" = "y" ]; then
echo "TPM: Extending PCR[4] to prevent any further secret unsealing"
tpmr extend -ix 4 -ic recovery
fi
if [ "$CONFIG_RESTRICTED_BOOT" = y ]; then
echo >&2 "Restricted Boot enabled, recovery console disabled, rebooting in 5 seconds"
sleep 5
/bin/reboot
fi
while [ true ]
do
#Going to recovery shell should be authenticated if supported
gpg_auth
echo >&2 "!!!!! Starting recovery shell"
sleep 1
if [ -x /bin/setsid ]; then
/bin/setsid -c /bin/sh
else
/bin/sh
fi
done
}
pause_recovery() {
TRACE "Under /etc/ash_functions:pause_recovery"
read -p $'!!! Hit enter to proceed to recovery shell !!!\n'
recovery $*
}
combine_configs() {
TRACE "Under /etc/ash_functions:combine_configs"
cat /etc/config* > /tmp/config
}
replace_config() {
TRACE "Under /etc/functions:replace_config"
CONFIG_FILE=$1
CONFIG_OPTION=$2
NEW_SETTING=$3
touch $CONFIG_FILE
# first pull out the existing option from the global config and place in a tmp file
awk "gsub(\"^export ${CONFIG_OPTION}=.*\",\"export ${CONFIG_OPTION}=\\\"${NEW_SETTING}\\\"\")" /tmp/config >${CONFIG_FILE}.tmp
awk "gsub(\"^${CONFIG_OPTION}=.*\",\"${CONFIG_OPTION}=\\\"${NEW_SETTING}\\\"\")" /tmp/config >>${CONFIG_FILE}.tmp
# then copy any remaining settings from the existing config file, minus the option you changed
grep -v "^export ${CONFIG_OPTION}=" ${CONFIG_FILE} | grep -v "^${CONFIG_OPTION}=" >>${CONFIG_FILE}.tmp || true
sort ${CONFIG_FILE}.tmp | uniq >${CONFIG_FILE}
rm -f ${CONFIG_FILE}.tmp
}
# Set a config variable in a specific file to a given value - replace it if it
# exists, or add it. If added, the variable will be exported.
set_config() {
CONFIG_FILE="$1"
CONFIG_OPTION="$2"
NEW_SETTING="$3"
if grep -q "$CONFIG_OPTION" "$CONFIG_FILE"; then
replace_config "$CONFIG_FILE" "$CONFIG_OPTION" "$NEW_SETTING"
else
echo "export $CONFIG_OPTION=\"$NEW_SETTING\"" >>"$CONFIG_FILE"
fi
}
# Set a value in config.user, re-combine configs, and update configs in the
# environment.
set_user_config() {
CONFIG_OPTION="$1"
NEW_SETTING="$2"
set_config /etc/config.user "$CONFIG_OPTION" "$NEW_SETTING"
combine_configs
. /tmp/config
}
# Load a config value to a variable, defaulting to empty. Does not fail if the
# config is not set (since it would expand to empty by default).
load_config_value() {
local config_name="$1"
if grep -q "$config_name=" /tmp/config; then
grep "$config_name=" /tmp/config | tail -n1 | cut -f2 -d '=' | tr -d '"'
fi
}
enable_usb()
{
TRACE "Under /etc/ash_functions:enable_usb"
#insmod ehci_hcd prior of uhdc_hcd and ohci_hcd to suppress dmesg warning
insmod /lib/modules/ehci-hcd.ko || die "ehci_hcd: module load failed"
if [ "$CONFIG_LINUX_USB_COMPANION_CONTROLLER" = y ]; then
insmod /lib/modules/uhci-hcd.ko || die "uhci_hcd: module load failed"
insmod /lib/modules/ohci-hcd.ko || die "ohci_hcd: module load failed"
insmod /lib/modules/ohci-pci.ko || die "ohci_pci: module load failed"
fi
insmod /lib/modules/ehci-pci.ko || die "ehci_pci: module load failed"
insmod /lib/modules/xhci-hcd.ko || die "xhci_hcd: module load failed"
insmod /lib/modules/xhci-pci.ko || die "xhci_pci: module load failed"
sleep 2
# For resiliency, test CONFIG_USB_KEYBOARD_REQUIRED explicitly rather
# than having it imply CONFIG_USER_USB_KEYBOARD at build time.
# Otherwise, if a user got CONFIG_USER_USB_KEYBOARD=n in their
# config.user by mistake (say, by copying config.user from a laptop to a
# desktop/server), they could lock themselves out, only recoverable by
# hardware flash.
if [ "$CONFIG_USB_KEYBOARD_REQUIRED" = y ] || [ "$CONFIG_USER_USB_KEYBOARD" = y ]; then
insmod /lib/modules/usbhid.ko || die "usbhid: module load failed"
fi
}

1296
initrd/etc/diceware_dictionaries/eff_short_wordlist_2_0.txt Normal file
View File

File diff suppressed because it is too large Load Diff

557
initrd/etc/functions Executable file → Normal file
View File

@ -1,6 +1,392 @@
#!/bin/bash
# Shell functions for most initialization scripts
. /etc/ash_functions
# ------- Start of functions coming from /etc/ash_functions
die() {
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
echo -e " !!! ERROR: $* !!!" | tee -a /tmp/debug.log /dev/kmsg >/dev/null
else
echo -e "!!! ERROR: $* !!!" >&2
fi
sleep 2
exit 1
}
warn() {
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
echo -e " *** WARNING: $* ***" | tee -a /tmp/debug.log /dev/kmsg >/dev/null
else
echo -e " *** WARNING: $* ***" >&2
fi
sleep 1
}
DEBUG() {
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
# fold -s -w 960 will wrap lines at 960 characters on the last space before the limit
echo "DEBUG: $*" | fold -s -w 960 | while read line; do
echo "$line" | tee -a /tmp/debug.log /dev/kmsg >/dev/null
done
fi
}
TRACE() {
if [ "$CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" = "y" ]; then
echo "TRACE: $*" | tee -a /tmp/debug.log /dev/kmsg >/dev/null
fi
}
# Function to manage information output level to the console/debug.log
INFO() {
#TODO: add colors to output, here green for INFO?
# if not CONFIG_QUIET_MODE=y, output to console. If not, output to debug.log
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
echo "$*" | tee -a /tmp/debug.log /dev/kmsg >/dev/null
elif [ "$CONFIG_QUIET_MODE" = "y" ]; then
echo "$*" >>/tmp/debug.log
else
echo "$*"
fi
}
# Write directly to the debug log (but not kmsg), never appears on console
# Main consumer is DO_WITH_DEBUG, which uses this to log command output
LOG() {
echo "LOG: $*" >>/tmp/debug.log
}
fw_version() {
local FW_VER=$(dmesg | grep 'DMI' | grep -o 'BIOS.*' | cut -f2- -d ' ')
# chop off date, since will always be epoch w/timeless builds
echo "${FW_VER::-10}"
}
preserve_rom() {
TRACE_FUNC
new_rom="$1"
old_files=$(cbfs -t 50 -l 2>/dev/null | grep "^heads/")
for old_file in $(echo $old_files); do
new_file=$(cbfs.sh -o $1 -l | grep -x $old_file)
if [ -z "$new_file" ]; then
echo "+++ Adding $old_file to $1"
cbfs -t 50 -r $old_file >/tmp/rom.$$ ||
die "Failed to read cbfs file from ROM"
cbfs.sh -o $1 -a $old_file -f /tmp/rom.$$ ||
die "Failed to write cbfs file to new ROM file"
fi
done
}
confirm_gpg_card() {
#TODO: ideally, we ask for confirmation only once per boot session
#TODO: even change logic here to try first and then ask user to confirm if not found
#TODO: or ask GPG user PIN once and cache it for the rest of the boot session for reusal
# This is getting in the way of unattended stuff and GPG prompts are confusing anyway, hide them from user.
TRACE_FUNC
#Skip prompts if we are currently using a known GPG key material Thumb drive backup and keys are unlocked pinentry
#TODO: probably export CONFIG_GPG_KEY_BACKUP_IN_USE but not under /etc/user.config?
#Toggle to come in next PR, but currently we don't have a way to toggle it back to n if config.user flashed back in rom
if [[ "$CONFIG_HAVE_GPG_KEY_BACKUP" == "y" && "$CONFIG_GPG_KEY_BACKUP_IN_USE" == "y" ]]; then
DEBUG "Using known GPG key material Thumb drive backup and keys are unlocked and useable through pinentry"
return
fi
if [ "$CONFIG_HAVE_GPG_KEY_BACKUP" == "y" ]; then
message="Please confirm that your GPG card is inserted(Y/n) or your GPG key material (b)backup thumbdrive is inserted [Y/n/b]: "
else
# Generic message if no known key material backup
message="Please confirm that your GPG card is inserted [Y/n]: "
fi
read \
-n 1 \
-p "$message" \
card_confirm
echo
if [ "$card_confirm" != "y" \
-a "$card_confirm" != "Y" \
-a "$card_confirm" != "b" \
-a -n "$card_confirm" ] \
; then
die "gpg card not confirmed"
fi
# If user has known GPG key material Thumb drive backup and asked to use it
if [[ "$CONFIG_HAVE_GPG_KEY_BACKUP" == "y" && "$card_confirm" == "b" ]]; then
#Only mount and import GPG key material thumb drive backup once
if [ ! "$CONFIG_GPG_KEY_BACKUP_IN_USE" == "y" ]; then
CR_NONCE="/tmp/secret/cr_nonce"
CR_SIG="$CR_NONCE.sig"
#Wipe any previous CR_NONCE and CR_SIG
shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" >/dev/null 2>&1 || true
#Prompt user for configured GPG Admin PIN that will be passed along to mount-usb and to import gpg subkeys
echo
gpg_admin_pin=""
while [ -z "$gpg_admin_pin" ]; do
#TODO: change all passphrase prompts in codebase to include -r to prevent backslash escapes
read -r -s -p "Please enter GPG Admin PIN needed to use the GPG backup thumb drive: " gpg_admin_pin
echo
done
#prompt user to select the proper encrypted partition, which should the first one on next prompt
warn "Please select encrypted LUKS on GPG key material backup thumb drive (not public labeled one)"
mount-usb --pass "$gpg_admin_pin" || die "Unable to mount USB with provided GPG Admin PIN"
echo "++++ Testing detach-sign operation and verifiying against fused public key in ROM"
gpg --pinentry-mode=loopback --passphrase-file <(echo -n "${gpg_admin_pin}") --import /media/subkeys.sec >/dev/null 2>&1 ||
die "Unable to import GPG private subkeys"
#Do a detach signature to ensure gpg material is usable and cache passphrase to sign /boot from caller functions
dd if=/dev/urandom of="$CR_NONCE" bs=20 count=1 >/dev/null 2>&1 ||
die "Unable to create $CR_NONCE to be detach-signed with GPG private signing subkey"
gpg --pinentry-mode=loopback --passphrase-file <(echo -n "${gpg_admin_pin}") --detach-sign "$CR_NONCE" >/dev/null 2>&1 ||
die "Unable to detach-sign $CR_NONCE with GPG private signing subkey using GPG Admin PIN"
#verify detached signature against public key in rom
gpg --verify "$CR_SIG" "$CR_NONCE" >/dev/null 2>&1 &&
echo "++++ Local GPG keyring can be used to sign/encrypt/authenticate in this boot session ++++" ||
die "Unable to verify $CR_SIG detached signature against public key in ROM"
#Wipe any previous CR_NONCE and CR_SIG
shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" >/dev/null 2>&1 || true
#TODO: maybe just an export instead of setting /etc/user.config otherwise could be flashed in weird corner case situation
set_user_config "CONFIG_GPG_KEY_BACKUP_IN_USE" "y"
umount /media || die "Unable to unmount USB"
return
fi
fi
# setup the USB so we can reach the USB Security dongle's OpenPGP smartcard
enable_usb
echo -e "\nVerifying presence of GPG card...\n"
# ensure we don't exit without retrying
errexit=$(set -o | grep errexit | awk '{print $2}')
set +e
gpg_output=$(gpg --card-status 2>&1)
if [ $? -ne 0 ]; then
# prompt for reinsertion and try a second time
read -n1 -r -p \
"Can't access GPG key; remove and reinsert, then press Enter to retry. " \
ignored
# restore prev errexit state
if [ "$errexit" = "on" ]; then
set -e
fi
# retry card status
gpg_output=$(gpg --card-status 2>&1) ||
die "gpg card read failed"
fi
# restore prev errexit state
if [ "$errexit" = "on" ]; then
set -e
fi
# Extract and display GPG PIN retry counters
# output excerpt: "PIN retry counter : 3 0 3"
pin_retry_counters=$(echo "$gpg_output" | grep 'PIN retry counter' | awk -F': ' '{print $2}')
user_pin_retries=$(echo "$pin_retry_counters" | awk '{print $1}')
admin_pin_retries=$(echo "$pin_retry_counters" | awk '{print $3}')
echo ""
echo "GPG User PIN retry attempts left before becoming locked: $user_pin_retries"
echo "GPG Admin PIN retry attempts left before becoming locked: $admin_pin_retries"
echo ""
warn "Your GPG User PIN, followed by Enter key will be required for input at: 'Please unlock the card' next prompt"
echo ""
}
gpg_auth() {
if [[ "$CONFIG_HAVE_GPG_KEY_BACKUP" == "y" ]]; then
TRACE_FUNC
# If we have a GPG key backup, we can use it to authenticate even if the card is lost
echo >&2 "!!!!! Please authenticate with OpenPGP smartcard/backup media to prove you are the owner of this machine !!!!!"
# Wipe any existing nonce and signature
shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" 2>/dev/null || true
# In case of gpg_auth, we require confirmation of the card, so loop with confirm_gpg_card until we get it
false
while [ $? -ne 0 ]; do
# Call confirm_gpg_card in subshell to ensure GPG key material presence
(confirm_gpg_card)
done
# Perform a signing-based challenge-response,
# to authencate that the card plugged in holding
# the key to sign the list of boot files.
CR_NONCE="/tmp/secret/cr_nonce"
CR_SIG="$CR_NONCE.sig"
# Generate a random nonce
dd \
if=/dev/urandom \
of="$CR_NONCE" \
count=1 \
bs=20 \
2>/dev/null ||
die "Unable to generate 20 random bytes"
# Sign the nonce
for tries in 1 2 3; do
if gpg --digest-algo SHA256 \
--detach-sign \
-o "$CR_SIG" \
"$CR_NONCE" >/dev/null 2>&1 &&
gpg --verify "$CR_SIG" "$CR_NONCE" >/dev/null 2>&1 \
; then
shred -n 10 -z -u "$CR_NONCE" "$CR_SIG" 2>/dev/null || true
DEBUG "Under /etc/ash_functions:gpg_auth: success"
return 0
else
shred -n 10 -z -u "$CR_SIG" 2>/dev/null || true
if [ "$tries" -lt 3 ]; then
echo >&2 "!!!!! GPG authentication failed, please try again !!!!!"
continue
else
die "GPG authentication failed, please reboot and try again"
fi
fi
done
return 1
fi
}
recovery() {
TRACE_FUNC
echo >&2 "!!!!! $*"
# Remove any temporary secret files that might be hanging around
# but recreate the directory so that new tools can use it.
#safe to always be true. Otherwise "set -e" would make it exit here
shred -n 10 -z -u /tmp/secret/* 2>/dev/null || true
rm -rf /tmp/secret
mkdir -p /tmp/secret
# ensure /tmp/config exists for recovery scripts that depend on it
touch /tmp/config
. /tmp/config
DEBUG "Board $CONFIG_BOARD - version $(fw_version)"
if [ "$CONFIG_TPM" = "y" ]; then
INFO "TPM: Extending PCR[4] to prevent any further secret unsealing"
tpmr extend -ix 4 -ic recovery
fi
if [ "$CONFIG_RESTRICTED_BOOT" = y ]; then
echo >&2 "Restricted Boot enabled, recovery console disabled, rebooting in 5 seconds"
sleep 5
/bin/reboot
fi
while [ true ]; do
#Going to recovery shell should be authenticated if supported
gpg_auth
echo >&2 "!!!!! Starting recovery shell"
sleep 1
if [ -x /bin/setsid ]; then
/bin/setsid -c /bin/bash
else
/bin/bash
fi
done
}
pause_recovery() {
TRACE_FUNC
read -p $'!!! Hit enter to proceed to recovery shell !!!\n'
recovery $*
}
combine_configs() {
TRACE_FUNC
cat /etc/config* >/tmp/config
}
replace_config() {
TRACE_FUNC
CONFIG_FILE=$1
CONFIG_OPTION=$2
NEW_SETTING=$3
touch $CONFIG_FILE
# first pull out the existing option from the global config and place in a tmp file
awk "gsub(\"^export ${CONFIG_OPTION}=.*\",\"export ${CONFIG_OPTION}=\\\"${NEW_SETTING}\\\"\")" /tmp/config >${CONFIG_FILE}.tmp
awk "gsub(\"^${CONFIG_OPTION}=.*\",\"${CONFIG_OPTION}=\\\"${NEW_SETTING}\\\"\")" /tmp/config >>${CONFIG_FILE}.tmp
# then copy any remaining settings from the existing config file, minus the option you changed
grep -v "^export ${CONFIG_OPTION}=" ${CONFIG_FILE} | grep -v "^${CONFIG_OPTION}=" >>${CONFIG_FILE}.tmp || true
sort ${CONFIG_FILE}.tmp | uniq >${CONFIG_FILE}
rm -f ${CONFIG_FILE}.tmp
}
# Set a config variable in a specific file to a given value - replace it if it
# exists, or add it. If added, the variable will be exported.
set_config() {
CONFIG_FILE="$1"
CONFIG_OPTION="$2"
NEW_SETTING="$3"
if grep -q "$CONFIG_OPTION" "$CONFIG_FILE"; then
replace_config "$CONFIG_FILE" "$CONFIG_OPTION" "$NEW_SETTING"
else
echo "export $CONFIG_OPTION=\"$NEW_SETTING\"" >>"$CONFIG_FILE"
fi
}
# Set a value in config.user, re-combine configs, and update configs in the
# environment.
set_user_config() {
CONFIG_OPTION="$1"
NEW_SETTING="$2"
set_config /etc/config.user "$CONFIG_OPTION" "$NEW_SETTING"
combine_configs
. /tmp/config
}
# Load a config value to a variable, defaulting to empty. Does not fail if the
# config is not set (since it would expand to empty by default).
load_config_value() {
local config_name="$1"
if grep -q "$config_name=" /tmp/config; then
grep "$config_name=" /tmp/config | tail -n1 | cut -f2 -d '=' | tr -d '"'
fi
}
enable_usb() {
TRACE_FUNC
#insmod ehci_hcd prior of uhdc_hcd and ohci_hcd to suppress dmesg warning
insmod /lib/modules/ehci-hcd.ko || die "ehci_hcd: module load failed"
if [ "$CONFIG_LINUX_USB_COMPANION_CONTROLLER" = y ]; then
insmod /lib/modules/uhci-hcd.ko || die "uhci_hcd: module load failed"
insmod /lib/modules/ohci-hcd.ko || die "ohci_hcd: module load failed"
insmod /lib/modules/ohci-pci.ko || die "ohci_pci: module load failed"
fi
insmod /lib/modules/ehci-pci.ko || die "ehci_pci: module load failed"
insmod /lib/modules/xhci-hcd.ko || die "xhci_hcd: module load failed"
insmod /lib/modules/xhci-pci.ko || die "xhci_pci: module load failed"
sleep 2
# For resiliency, test CONFIG_USB_KEYBOARD_REQUIRED explicitly rather
# than having it imply CONFIG_USER_USB_KEYBOARD at build time.
# Otherwise, if a user got CONFIG_USER_USB_KEYBOARD=n in their
# config.user by mistake (say, by copying config.user from a laptop to a
# desktop/server), they could lock themselves out, only recoverable by
# hardware flash.
if [ "$CONFIG_USB_KEYBOARD_REQUIRED" = y ] || [ "$CONFIG_USER_USB_KEYBOARD" = y ]; then
insmod /lib/modules/usbhid.ko || die "usbhid: module load failed"
fi
}
# ------- End of functions coming from /etc/ash_functions
# Print <hidden> or <empty> depending on whether $1 is empty. Useful to mask an
# optional password parameter.
@ -18,6 +404,15 @@ mask_param() {
#
# For example:
# ls /boot/vmlinux* | SINK_LOG "/boot kernels"
#
# To capture stderr:
# cryptsetup open /dev/sda1 media-crypt 2> >(SINK_LOG "LUKS unlock sda1 errors")
# (Note: the space between '>' is necessary in '2> >(SINK_LOG ...)')
#
# To capture both:
# tpm reset > >(SINK_LOG "tpm reset") 2>&1
# (Note: 2>&1 must follow the stdout redirection, and space between '>' is
# necessary)
SINK_LOG() {
local name="$1"
local line haveblank
@ -25,8 +420,11 @@ SINK_LOG() {
# last (unterminated) line. Add a line break with echo to ensure we
# don't lose any input. Buffer up to one blank line so we can avoid
# emitting a final (or only) blank line.
(cat; echo) | while IFS= read -r line; do
[[ -n "$haveblank" ]] && DEBUG "$name: " # Emit buffered blank line
(
cat
echo
) | while IFS= read -r line; do
[[ -n "$haveblank" ]] && LOG "$name: " # Emit buffered blank line
if [[ -z "$line" ]]; then
haveblank=y
else
@ -129,10 +527,10 @@ TRACE_FUNC() {
DEBUG_STACK() {
local FRAMES
FRAMES="${#FUNCNAME[@]}"
DEBUG "call stack: ($((FRAMES-1)) frames)"
DEBUG "call stack: ($((FRAMES - 1)) frames)"
# Don't print DEBUG_STACK itself, start from 1
for i in $(seq 1 "$((FRAMES-1))"); do
DEBUG "- $((i-1)) - ${BASH_SOURCE[$i]}(${BASH_LINENO[$((i-1))]}): ${FUNCNAME[$i]}"
for i in $(seq 1 "$((FRAMES - 1))"); do
DEBUG "- $((i - 1)) - ${BASH_SOURCE[$i]}(${BASH_LINENO[$((i - 1))]}): ${FUNCNAME[$i]}"
done
}
@ -247,8 +645,8 @@ device_has_partitions() {
# This check covers that: [ $(fdisk -l "$b" | wc -l) -eq 5 ]
# In both cases the output is 5 lines: 3 about device info, 1 empty line
# and the 5th will be the table header or the invalid message.
local DISK_DATA=$(fdisk -l "$DEVICE")
if echo "$DISK_DATA" | grep -q "doesn't contain a valid partition table" || \
local DISK_DATA=$(fdisk -l "$DEVICE" 2>/dev/null)
if echo "$DISK_DATA" | grep -q "doesn't contain a valid partition table" ||
[ "$(echo "$DISK_DATA" | wc -l)" -eq 5 ]; then
# No partition table
return 1
@ -305,9 +703,9 @@ list_usb_storage() {
done
}
# Prompt for a TPM Owner Password if it is not already cached in /tmp/secret/tpm_owner_password.
# Sets tpm_owner_password variable reused in flow, and cache file used until recovery shell is accessed.
# Tools should optionally accept a TPM password on the command line, since some flows need
# Prompt for a TPM Owner Password if it is not already cached in /tmp/secret/tpm_owner_password.
# Sets tpm_owner_password variable reused in flow, and cache file used until recovery shell is accessed.
# Tools should optionally accept a TPM password on the command line, since some flows need
# it multiple times and only one prompt is ideal.
prompt_tpm_owner_password() {
TRACE_FUNC
@ -327,7 +725,7 @@ prompt_tpm_owner_password() {
echo -n "$tpm_owner_password" >/tmp/secret/tpm_owner_password || die "Unable to cache TPM owner_password under /tmp/secret/tpm_owner_password"
}
# Prompt for a new TPM Owner Password when resetting the TPM.
# Prompt for a new TPM Owner Password when resetting the TPM.
# Returned in tpm_owner_passpword and cached under /tpm/secret/tpm_owner_password
# The password must be 1-32 characters and must be entered twice,
# the script will loop until this is met.
@ -357,7 +755,7 @@ prompt_new_owner_password() {
check_tpm_counter() {
TRACE_FUNC
LABEL=${2:-3135106223}
tpm_password="$3"
# if the /boot.hashes file already exists, read the TPM counter ID
@ -365,12 +763,12 @@ check_tpm_counter() {
if [ -r "$1" ]; then
TPM_COUNTER=$(grep counter- "$1" | cut -d- -f2)
else
warn "$1 does not exist; creating new TPM counter"
INFO "$1 does not exist; creating new TPM counter"
tpmr counter_create \
-pwdc '' \
-la $LABEL |
tee /tmp/counter ||
die "Unable to create TPM counter"
tee /tmp/counter >/dev/null 2>&1 ||
die "Unable to create TPM counter"
TPM_COUNTER=$(cut -d: -f1 </tmp/counter)
fi
@ -379,19 +777,22 @@ check_tpm_counter() {
fi
}
# Read the TPM counter value from the TPM.
read_tpm_counter() {
TRACE_FUNC
tpmr counter_read -ix "$1" | tee "/tmp/counter-$1" ||
tpmr counter_read -ix "$1" | tee "/tmp/counter-$1" >/dev/null 2>&1 ||
die "Counter read failed"
}
# Increment the TPM counter value in the TPM.
increment_tpm_counter() {
TRACE_FUNC
tpmr counter_increment -ix "$1" -pwdc '' |
tee /tmp/counter-$1 ||
tee /tmp/counter-$1 >/dev/null 2>&1 ||
die "TPM counter increment failed for rollback prevention. Please reset the TPM"
}
# Check detached signature on kexec boot params
check_config() {
TRACE_FUNC
if [ ! -d /tmp/kexec ]; then
@ -411,12 +812,13 @@ check_config() {
fi
if [ "$2" != "force" ]; then
# Note that kexec.sig detached signature is solely verifying kexec*.txt files here!
if ! sha256sum $(find $1/kexec*.txt) | gpgv $1/kexec.sig -; then
die 'Invalid signature on kexec boot params'
fi
fi
echo "+++ Found verified kexec boot params"
INFO "+++ Found verified kexec boot params"
cp $1/kexec*.txt /tmp/kexec ||
die "Failed to copy kexec boot params to tmp"
}
@ -433,6 +835,7 @@ replace_rom_file() {
cbfs.sh -o "$ROM" -a "$ROM_FILE" -f "$NEW_FILE"
}
# Replace the config file by the changed one
replace_config() {
TRACE_FUNC
CONFIG_FILE=$1
@ -466,6 +869,7 @@ secret_from_rom_hash() {
sha256sum "${ROM_IMAGE}" | cut -f1 -d ' ' | fromhex_plain
}
# Update the checksums of the files in /boot and sign them
update_checksums() {
TRACE_FUNC
# ensure /boot mounted
@ -496,6 +900,7 @@ update_checksums() {
return $rv
}
# Print the file and directory structure of /boot to caller's stdout
print_tree() {
TRACE_FUNC
find ./ ! -path './kexec*' -print0 | sort -z
@ -567,9 +972,7 @@ escape_zero() {
assert_signable() {
TRACE_FUNC
# ensure /boot mounted
if ! grep -q /boot /proc/mounts; then
mount -o ro /boot || die "Unable to mount /boot"
fi
detect_boot_device
find /boot -print0 >/tmp/signable.ref
local del='\001-\037\134\177-\377'
@ -583,6 +986,7 @@ assert_signable() {
rm -f /tmp/signable.*
}
# Verify the checksums of the files in /boot
verify_checksums() {
TRACE_FUNC
local boot_dir="$1"
@ -654,7 +1058,7 @@ is_gpt_bios_grub() {
# Extract the partition number
if ! [[ $(basename "$PART_DEV") =~ ([0-9]+)$ ]]; then
return 0 # Can't figure out the partition number
return 0 # Can't figure out the partition number
fi
NUMBER="${BASH_REMATCH[1]}"
@ -662,7 +1066,7 @@ is_gpt_bios_grub() {
# Now we know the device and partition number, get the type. This is
# specific to GPT disks, MBR disks are shown differently by fdisk.
TRACE "$PART_DEV is partition $NUMBER of $DEVICE"
if [ "$(fdisk -l "/dev/$DEVICE" | awk '$1 == '"$NUMBER"' {print $5}')" == grub ]; then
if [ "$(fdisk -l "/dev/$DEVICE" 2>/dev/null | awk '$1 == '"$NUMBER"' {print $5}')" == grub ]; then
return 0
fi
return 1
@ -713,7 +1117,7 @@ mount_possible_boot_device() {
# This device is a reasonable boot device
return 0
fi
umount /boot || true
umount /boot || true
fi
fi
@ -735,7 +1139,7 @@ detect_boot_device() {
fi
# generate list of possible boot devices
fdisk -l | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" >/tmp/disklist
fdisk -l 2>/dev/null | grep "Disk /dev/" | cut -f2 -d " " | cut -f1 -d ":" >/tmp/disklist
# Check each possible boot device
for i in $(cat /tmp/disklist); do
@ -744,7 +1148,7 @@ detect_boot_device() {
devname="$(basename "$i")"
partitions=("/sys/class/block/$devname/$devname"?*)
else
partitions=("$i") # Use the device itself
partitions=("$i") # Use the device itself
fi
for partition in "${partitions[@]}"; do
partition_dev=/dev/"$(basename "$partition")"
@ -868,3 +1272,100 @@ run_at_exit_handlers() {
done
}
trap run_at_exit_handlers EXIT
# Helper function to generate diceware passphrase
generate_passphrase() {
usage_generate_passphrase() {
echo "Usage: generate_passphrase --dictionary|-d <dictionary_file> [--number_words|-n <num_words>] [--max_length|-m <max_size>] [--lowercase|-l]"
echo "Generates a passphrase using a Diceware dictionary."
echo " --dictionary|-d <dictionary_file> Path to the Diceware dictionary file (defaults to /etc/diceware_dictionaries/eff_short_wordlist_2_0.txt )."
echo " [--number_words|-n <num_words>] Number of words in the passphrase (default: 3)."
echo " [--max_length|-m <max_size>] Maximum size of the passphrase (default: 256)."
echo " [--lowercase|-l] Use lowercase words (default: false)."
}
# Helper subfunction to get a random word from the dictionary
get_random_word_from_dictionary() {
local dictionary_file="$1" lines random
lines="$(wc -l <"$dictionary_file")"
# 4 random bytes are used to reduce modulo bias to an acceptable
# level. 4 bytes with modulus 1296 results in 0.000003% bias
# toward the first 1263 words.
random="$(dd if=/dev/random bs=4 count=1 status=none | hexdump -e '1/4 "%u\n"')"
((random %= lines))
((++random)) # tail's line count is 1-based
tail -n +"$random" "$dictionary_file" | head -1 | cut -d$'\t' -f2
}
TRACE_FUNC
local dictionary_file="/etc/diceware_dictionaries/eff_short_wordlist_2_0.txt"
local num_words=3
local max_size=256
local lowercase=false
# Parse parameters
while [[ "$#" -gt 0 ]]; do
case "$1" in
--dictionary | -d)
dictionary_file="$2"
shift
;;
--lowercase | -l)
lowercase=true
;;
--number_words | -n)
if ! [[ "$2" =~ ^[0-9]+$ ]] || [[ "$2" -le 0 ]]; then
warn "Invalid number of words: $2"
usage_generate_passphrase
return 1
fi
num_words="$2"
shift
;;
--max_length | -m)
if ! [[ "$2" =~ ^[0-9]+$ ]] || [[ "$2" -le 0 ]]; then
warn "Invalid maximum size: $2"
usage_generate_passphrase
return 1
fi
max_size="$2"
shift
;;
*)
warn "Unknown parameter: $1"
usage_generate_passphrase
return 1
;;
esac
shift
done
# Validate dictionary file
if [[ -z "$dictionary_file" || ! -f "$dictionary_file" ]]; then
warn "Dictionary file not found or not provided: $dictionary_file"
usage_generate_passphrase
return 1
fi
local passphrase=""
local word=""
for ((i = 0; i < num_words; ++i)); do
word=$(get_random_word_from_dictionary "$dictionary_file")
if [[ "$lowercase" == "false" ]]; then
word=${word^} # Capitalize the first letter
fi
passphrase+="$word "
if [[ ${#passphrase} -gt $max_size ]]; then
DEBUG "Passphrase exceeds max size: $max_size, removing last word"
passphrase=${passphrase% *} # Remove the last word if it exceeds max_size
break
fi
done
#Remove passphrase trailing space from passphrase+="$word"
passphrase=${passphrase% }
echo "$passphrase"
return 0
}

2
initrd/etc/gui_functions
View File

@ -181,7 +181,7 @@ show_system_info()
kernel=$(uname -s -r)
whiptail_type $BG_COLOR_MAIN_MENU --title 'System Info' \
--msgbox "${BOARD_NAME}\n\nFW_VER: ${FW_VER}\nKernel: ${kernel}\n\nCPU: ${cpustr}\nRAM: ${memtotal} GB\n$battery_status\n$(fdisk -l | grep -e '/dev/sd.:' -e '/dev/nvme.*:' | sed 's/B,.*/B/')" 0 80
--msgbox "${BOARD_NAME}\n\nFW_VER: ${FW_VER}\nKernel: ${kernel}\n\nCPU: ${cpustr}\nRAM: ${memtotal} GB\n$battery_status\n$(fdisk -l 2>/dev/null | grep -e '/dev/sd.:' -e '/dev/nvme.*:' | sed 's/B,.*/B/')" 0 80
}
# Get "Enable" or "Disable" to display in the configuration menu, based on a

173
initrd/init
View File

@ -1,9 +1,7 @@
#! /bin/ash
# Note this is used on legacy-flash boards that lack bash, it runs with busybox
# ash. Calls to bash scripts must be guarded by checking config.
#! /bin/bash
mknod /dev/ttyprintk c 5 3
echo "hello world" > /dev/ttyprintk
echo "hello world" >/dev/ttyprintk
# Setup our path
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
@ -43,7 +41,7 @@ mkdir -p /tmp/secret
# Now it is safe to print a banner
if [ -r /etc/motd ]; then
cat /etc/motd > /dev/tty0
cat /etc/motd >/dev/tty0
fi
# Load the date from the hardware clock, setting it in local time
@ -55,28 +53,80 @@ hwclock -l -s
# filesystem after exFAT is iso9660, move exFAT last.
(grep -v '^\texfat$' /proc/filesystems && echo -e '\texfat') >/etc/filesystems
# Read the system configuration parameters
. /etc/ash_functions
# Read the system configuration parameters from build time board configuration
. /etc/config
# import global functions
. /etc/functions
# Board config had CONFIG_DEBUG_OUTPUT=y defined.
# Note that boards's coreboot config kernel command line "debug" option only will have all kernel messages output on console prior of this point
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
#Maximize printk messages to output all to console (8=debug)
#DEBUG and TRACE calls will output to /dev/kmsg, outputting both on dmesg and on console
dmesg -n 8 || true
DEBUG "Debug output enabled from board CONFIG_DEBUG_OUTPUT=y option (/etc/config)"
else
# Board config did't have CONFIG_DEBUG_OUTPUT=y defined
# config.user extracted and combined from CBFS had CONFIG_DEBUG_OUTPUT=y
# Output only print messages with a priority of 4 (warnings) or lower (errors and critical) kernel messages to console
# This way, "debug" kernel command line option will have all kernel messages output on console prior of this point
# This is useful to debug boot issues but permits qemu board to boot without flooding console with kernel messages by disabling CONFIG_DEBUG_OUTPUT=y in qemu board config
dmesg -n 4 || true
DEBUG "Debug output enabled from /etc/config.user's CONFIG_DEBUG_OUTPUT=y after combine_configs (Config menu enabled Debug)"
# export user related content from cbfs
if [ "$CONFIG_COREBOOT" = "y" ]; then
/bin/cbfs-init
fi
TRACE "Under init"
# Override CONFIG_USE_BLOB_JAIL if needed and persist via user config
if lspci -n | grep -E -q "8086:(2723|4df0)"; then
if ! cat /etc/config.user 2>/dev/null | grep -q "USE_BLOB_JAIL"; then
echo "CONFIG_USE_BLOB_JAIL=y" >>/etc/config.user
fi
fi
# Override CONFIG_TPM and CONFIG_TPM2_TOOLS from /etc/config with runtime value
# determined above.
#
# Values in user config have higher priority during combining thus effectively
# changing the value for the rest of the scripts which source /tmp/config.
#Only set CONFIG_TPM and CONFIG_TPM2_TOOLS if they are not already set in /etc/config.user
if ! grep -q 'CONFIG_TPM=' /etc/config.user 2>/dev/null; then
echo "export CONFIG_TPM=\"$CONFIG_TPM\"" >>/etc/config.user
fi
if ! grep -q 'CONFIG_TPM2_TOOLS=' /etc/config.user 2>/dev/null; then
echo "export CONFIG_TPM2_TOOLS=\"$CONFIG_TPM2_TOOLS\"" >>/etc/config.user
fi
# CONFIG_BASIC was previously CONFIG_PUREBOOT_BASIC in the PureBoot distribution.
# Substitute it in config.user if present for backward compatibility.
sed -i -e 's/^export CONFIG_PUREBOOT_BASIC=/export CONFIG_BASIC=/g' /etc/config.user
# Combine user configuration overrides from CBFS's /etc/config.user
combine_configs
# Load the user configuration parameters from combined config
. /tmp/config
# Enable maximum debug info from here if config.user extracted and combined from CBFS had CONFIG_DEBUG_OUTPUT=y
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
#Output all kernel messages to console (8=debug)
#DEBUG and TRACE calls will be in dmesg and on console
# config.user extracted and combined from CBFS had CONFIG_DEBUG_OUTPUT=y
# DO_WITH_DEBUG redirects stderr and stdout to /tmp/debug.log to not clog console
TRACE_FUNC
dmesg -n 8
DEBUG "Full debug output enabled from this point: output both in dmesg and on console (equivalent of passing debug to kernel cmdline)"
DEBUG "NOTE: DO_WITH_DEBUG std_err and std_out will be redirected to /tmp/debug.log"
fi
# report if we are in quiet mode, tell user measurements logs available under /tmp/debug.log
if [ "$CONFIG_QUIET_MODE" = "y" ]; then
# check origin of quiet mode setting =y: if it is under /etc/config.user then early cbfs-init outputs are not suppressible
# if it is under /etc/config then early cbfs-init outputs are suppressible
if grep -q 'CONFIG_QUIET_MODE="y"' /etc/config 2>/dev/null; then
echo "Quiet mode enabled from board configuration: refer to '/tmp/debug.log' for boot measurements traces" >/dev/tty0
else
echo "Runtime applied Quiet mode: refer to '/tmp/debug.log' for additional boot measurements traces past this point" >/dev/tty0
echo "To suppress earlier boot measurements traces, enable CONFIG_QUIET_MODE=y in your board configuration at build time." >/dev/tty0
fi
# If CONFIG_QUIET_MODE enabled in board config but disabled from Config->Configuration Settings
# warn that early boot measurements output was suppressed prior of this point
elif [ "$CONFIG_QUIET_MODE" = "n" ]; then
# if CONFIG_QUIET_MODE=n in /etc/config.user but CONFIG_QUIET_MODE=y in /etc/config then early cbfs-init outputs are suppressed
# both needs to be checked to determine if early boot measurements traces were suppressed
if grep -q 'CONFIG_QUIET_MODE="y"' /etc/config 2>/dev/null && grep -q 'CONFIG_QUIET_MODE="n"' /etc/config.user 2>/dev/null; then
echo "Early boot measurements traces were suppressed per CONFIG_QUIET_MODE=y in your board configuration at build time (/etc/config)" >/dev/tty0
echo "Runtime applied Quiet mode disabled: refer to '/tmp/debug.log' for cbfs-init related traces prior of this point" >/dev/tty0
fi
fi
TRACE_FUNC
# make sure we have sysctl requirements
if [ ! -d /proc/sys ]; then
@ -86,16 +136,15 @@ if [ ! -d /proc/sys ]; then
warn "Please open an issue"
fi
if [ ! -e /proc/sys/vm/panic_on_oom ]; then
warn "BUG!!! Requirements to setup Panic when under Out Of Memory situation through PROC_SYSCTL are missing (panic_on_oom was not enabled)"
if [ ! -e /proc/sys/vm/panic_on_oom ]; then
warn "BUG!!! Requirements to setup Panic when under Out Of Memory situation through PROC_SYSCTL are missing (panic_on_oom was not enabled)"
warn "Please open an issue"
else
DEBUG "Applying panic_on_oom setting to sysctl"
echo 1 > /proc/sys/vm/panic_on_oom
echo 1 >/proc/sys/vm/panic_on_oom
fi
# set CONFIG_TPM dynamically before init
# set CONFIG_TPM dynamically off before init if no TPM device is present
if [ ! -e /dev/tpm0 ]; then
CONFIG_TPM='n'
CONFIG_TPM2_TOOLS='n'
@ -117,67 +166,24 @@ if [ "$CONFIG_TPM" = "y" ]; then
tpmr startsession
fi
if [ "$CONFIG_COREBOOT" = "y" ]; then
[ -x /bin/bash ] && /bin/cbfs-init
fi
if [ "$CONFIG_LINUXBOOT" = "y" ]; then
# Initialize the UEFI environment for linuxboot boards
/bin/uefi-init
fi
# Set GPG_TTY before calling gpg in key-init
#TODO: do better then this; on dual console gpg only interacts with main console (affects Talos-2 and all whiptail variants)
export GPG_TTY=/dev/console
# Initialize gpnupg with distro/user keys and setup the keyrings
[ -x /bin/bash ] && /bin/key-init
# Override CONFIG_USE_BLOB_JAIL if needed and persist via user config
if lspci -n | grep -E -q "8086:(2723|4df0)"; then
if ! cat /etc/config.user 2>/dev/null | grep -q "USE_BLOB_JAIL"; then
echo "CONFIG_USE_BLOB_JAIL=y" >> /etc/config.user
fi
fi
# Override CONFIG_TPM and CONFIG_TPM2_TOOLS from /etc/config with runtime value
# determined above.
#
# Values in user config have higher priority during combining thus effectively
# changing the value for the rest of the scripts which source /tmp/config.
#Only set CONFIG_TPM and CONFIG_TPM2_TOOLS if they are not already set in /etc/config.user
if ! grep -q 'CONFIG_TPM=' /etc/config.user; then
echo "export CONFIG_TPM=\"$CONFIG_TPM\"" >> /etc/config.user
fi
if ! grep -q 'CONFIG_TPM2_TOOLS=' /etc/config.user; then
echo "export CONFIG_TPM2_TOOLS=\"$CONFIG_TPM2_TOOLS\"" >> /etc/config.user
fi
# CONFIG_BASIC was previously CONFIG_PUREBOOT_BASIC in the PureBoot distribution.
# Substitute it in config.user if present for backward compatibility.
sed -i -e 's/^export CONFIG_PUREBOOT_BASIC=/export CONFIG_BASIC=/g' /etc/config.user
combine_configs
. /tmp/config
# Enable maximum debug info from here if config.user extracted and combined from CBFS had CONFIG_DEBUG_OUTPUT=y
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
#Output all kernel messages to console (8=debug)
#DEBUG and TRACE calls will be in dmesg and on console
if ! grep -q 'CONFIG_DEBUG_OUTPUT="y"' /etc/config;then
# Board config did't have CONFIG_DEBUG_OUTPUT=y defined
# config.user extracted and combined from CBFS had CONFIG_DEBUG_OUTPUT=y
dmesg -n 8
DEBUG "Debug output enabled from /etc/config.user's CONFIG_DEBUG_OUTPUT=y after combine_configs (Config menu enabled Debug)"
TRACE "Under init:after combine_configs"
fi
fi
/bin/key-init
# Setup recovery serial shell
if [ ! -z "$CONFIG_BOOT_RECOVERY_SERIAL" ]; then
stty -F "$CONFIG_BOOT_RECOVERY_SERIAL" 115200
pause_recovery 'Console recovery shell' \
< "$CONFIG_BOOT_RECOVERY_SERIAL" \
> "$CONFIG_BOOT_RECOVERY_SERIAL" 2>&1 &
pause_recovery 'Serial console recovery shell' \
<"$CONFIG_BOOT_RECOVERY_SERIAL" \
>"$CONFIG_BOOT_RECOVERY_SERIAL" 2>&1 &
fi
# load USB modules for boards using a USB keyboard
@ -200,14 +206,15 @@ if [ "$boot_option" = "r" ]; then
# just in case...
exit
elif [ "$boot_option" = "o" ]; then
# Launch OEM Factory Reset/Re-Ownership
oem-factory-reset
# Launch OEM Factory Reset mode
echo -e "***** Entering OEM Factory Reset mode\n" >/dev/tty0
oem-factory-reset --mode oem
# just in case...
exit
fi
if [ "$CONFIG_BASIC" = "y" ]; then
echo -e "***** BASIC mode: tamper detection disabled\n" > /dev/tty0
echo -e "***** BASIC mode: tamper detection disabled\n" >/dev/tty0
fi
# export firmware version
@ -216,11 +223,11 @@ export FW_VER=$(fw_version)
# Add our boot devices into the /etc/fstab, if they are defined
# in the configuration file.
if [ ! -z "$CONFIG_BOOT_DEV" ]; then
echo >> /etc/fstab "$CONFIG_BOOT_DEV /boot auto defaults,ro 0 0"
echo >>/etc/fstab "$CONFIG_BOOT_DEV /boot auto defaults,ro 0 0"
fi
# Set the console font if needed
[ -x /bin/bash ] && setconsolefont.sh
setconsolefont.sh
if [ "$CONFIG_BASIC" = "y" ]; then
CONFIG_BOOTSCRIPT=/bin/gui-init-basic
@ -250,7 +257,7 @@ else
setsid agetty -aroot -l"$CONFIG_BOOTSCRIPT" "$console" linux &
done
fi
#Setup a control tty so that all terminals outputs correct tty when tty is called
exec cttyhack "$CONFIG_BOOTSCRIPT"
else

2
initrd/mount-boot
View File

@ -36,7 +36,7 @@ dev_blocks=`cat "$dev_size_file"`
#
# Extract the signed file from the hard disk image
#
if ! dd if="$dev" of="$cmd_sig" bs=512 skip="`expr $dev_blocks - 1`"; then
if ! dd if="$dev" of="$cmd_sig" bs=512 skip="`expr $dev_blocks - 1`" > /dev/null 2>&1; then
echo >&2 '!!!!!'
echo >&2 '!!!!! Boot block extraction failed'
echo >&2 '!!!!! Dropping to recovery shell'

6
initrd/sbin/insmod
View File

@ -39,19 +39,19 @@ if [ ! -r /sys/class/tpm/tpm0/pcrs -o ! -x /bin/tpm ]; then
fi
if [ -z "$tpm_missing" ]; then
echo "TPM: Extending PCR[$MODULE_PCR] with $MODULE and parameters '$*' before loading"
INFO "TPM: Extending PCR[$MODULE_PCR] with $MODULE and parameters '$*' before loading"
# Extend with the module parameters (even if they are empty) and the
# module. Changing the parameters or the module content will result in a
# different PCR measurement.
if [ -n "$*" ]; then
TRACE_FUNC
DEBUG "Extending with module parameters and the module's content"
INFO "Extending with module parameters and the module's content"
tpmr extend -ix "$MODULE_PCR" -ic "$*"
tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \
|| die "$MODULE: tpm extend failed"
else
TRACE_FUNC
DEBUG "No module parameters, extending only with the module's content"
INFO "No module parameters, extending only with the module's content"
tpmr extend -ix "$MODULE_PCR" -if "$MODULE" \
|| die "$MODULE: tpm extend failed"
fi

6
modules/hotp-verification
View File

@ -2,12 +2,12 @@ modules-$(CONFIG_HOTPKEY) += hotp-verification
hotp-verification_depends := libusb $(musl_dep)
# v1.6
hotp-verification_version := e9050e0c914e7a8ffef5d1c82a014e0e2bf79346
# v1.7 + non-released stuff under 1.7 version bump (Nitrokey will do PR to change this in the future and also fixes to Heads related to regression fixes under Heads)
hotp-verification_version := f4583b701a354dfa50c690075a568bc5cdf160e1
hotp-verification_dir := hotp-verification-$(hotp-verification_version)
hotp-verification_tar := nitrokey-hotp-verification-$(hotp-verification_version).tar.gz
hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(hotp-verification_version).tar.gz
hotp-verification_hash := 480c978d3585eee73b9aa5186b471d4caeeeeba411217e1544eef7cfd90312ac
hotp-verification_hash := 42efeba9a61e4a00df55bf5337c157948bc76c895410fc76d02b87d6cd3b38eb
hotp-verification_target := \
$(MAKE_JOBS) \

1
modules/linux
View File

@ -40,7 +40,6 @@ endif
linux_base_dir := linux-$(linux_version)
# TODO: fixup the patch process
# input file in the heads config/ dir
# Allow board config to specialize Linux configuration if necessary
linux_kconfig := $(or $(CONFIG_LINUX_CONFIG),config/linux.config)

2
targets/qemu.mk
View File

@ -45,7 +45,7 @@ $(MEMORY_SIZE_FILE):
@echo "$(QEMU_MEMORY_SIZE)" >"$(MEMORY_SIZE_FILE)"
USB_FD_IMG=$(build)/$(BOARD)/usb_fd.raw
$(USB_FD_IMG):
dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=256
dd if=/dev/zero bs=1M of="$(USB_FD_IMG)" bs=1M count=256 >/dev/null 2>&1
# Debian obnoxiously does not include /usr/sbin in PATH for non-root, even
# though it is meaningful to use mkfs.vfat (etc.) as non-root
MKFS_VFAT=mkfs.vfat; \