Merge pull request #1411 from Dasharo/fix-tpm

Talos-II vs. TPM
2024-12-18 20:47:55 +00:00 · 2023-06-09 17:07:55 -04:00 · 2023-06-09 17:07:55 -04:00 · 3b3c49b026
commit 3b3c49b026
parent 21b87ff7d2 b9d2c1a612
9 changed files with 425 additions and 22 deletions
--- a/60
+++ b/60
@ -264,27 +264,52 @@ define define_module =

  ifneq ("$($1_repo)","")
    $(eval $1_patch_name = $1$(if $($1_patch_version),-$($1_patch_version),))
-    # Checkout the tree instead and touch the canary file so that we know
-    # that the files are all present. No signature hashes are checked in
-    # this case, since we don't have a stable version to compare against.
-    $(build)/$($1_base_dir)/.canary:
-	git clone $($1_repo) "$(build)/$($1_base_dir)"
-	cd $(build)/$($1_base_dir) && git reset --hard $($1_commit_hash) && git submodule update --init --checkout
-	if [ -r patches/$($1_patch_name).patch ]; then \
-		( git apply --verbose --reject --binary --directory build/$(CONFIG_TARGET_ARCH)/$($1_base_dir) ) \
-			< patches/$($1_patch_name).patch \
-			|| exit 1 ; \
+    # First time:
+    #   Checkout the tree instead and create the canary file with repo and
+    #   revision so that we know that the files are all present and their
+    #   version.
+    #
+    # Other times:
+    #   If .canary contains the same repo and revision combination, do nothing.
+    #   Otherwise, pull a new revision and checkout with update of submodules
+    #
+    # No signature hashes are checked in this case, since we don't have a
+    # stable version to compare against.
+    #
+    # XXX: "git clean -dffx" is a hack for coreboot during commit switching, need
+	#      module-specific cleanup action to get rid of it.
+    $(build)/$($1_base_dir)/.canary: FORCE
+	if [ ! -e "$$@" ]; then \
+		git clone $($1_repo) "$(build)/$($1_base_dir)"; \
+		git -C "$(build)/$($1_base_dir)" reset --hard $($1_commit_hash) && git submodule update --init --checkout; \
+		echo -n '$($1_repo)|$($1_commit_hash)' > "$$@"; \
+	elif [ "$$$$(cat "$$@")" != '$($1_repo)|$($1_commit_hash)' ]; then \
+		echo "Switching $1 to $($1_repo) at $($1_commit_hash)" && \
+		git -C "$(build)/$($1_base_dir)" fetch $($1_repo) $($1_commit_hash) && \
+		git -C "$(build)/$($1_base_dir)" reset --hard $($1_commit_hash) && \
+		git -C "$(build)/$($1_base_dir)" clean -df && \
+		git -C "$(build)/$($1_base_dir)" clean -dffx payloads util/cbmem && \
+		git -C "$(build)/$($1_base_dir)" submodule sync && \
+		git -C "$(build)/$($1_base_dir)" submodule update --init --checkout && \
+		echo -n '$($1_repo)|$($1_commit_hash)' > "$$@"; \
 	fi
-	if [ -d patches/$($1_patch_name) ] && \
-	   [ -r patches/$($1_patch_name) ] ; then \
-		for patch in patches/$($1_patch_name)/*.patch ; do \
-			echo "Applying patch file : $$$$patch " ;  \
+	if [ ! -e "$(build)/$($1_base_dir)/.patched" ]; then \
+		if [ -r patches/$($1_patch_name).patch ]; then \
 			( git apply --verbose --reject --binary --directory build/$(CONFIG_TARGET_ARCH)/$($1_base_dir) ) \
-				< $$$$patch \
+				< patches/$($1_patch_name).patch \
 				|| exit 1 ; \
-		done ; \
+		fi && \
+		if [ -d patches/$($1_patch_name) ] && \
+		   [ -r patches/$($1_patch_name) ] ; then \
+			for patch in patches/$($1_patch_name)/*.patch ; do \
+				echo "Applying patch file : $$$$patch " ;  \
+				( git apply --verbose --reject --binary --directory build/$(CONFIG_TARGET_ARCH)/$($1_base_dir) ) \
+					< $$$$patch \
+					|| exit 1 ; \
+			done ; \
+		fi && \
+		touch "$(build)/$($1_base_dir)/.patched"; \
 	fi
-	@touch "$$@"
  else
    $(eval $1_patch_version ?= $($1_version))
    $(eval $1_patch_name = $1-$($1_patch_version))
@ -473,6 +498,7 @@ bin_modules-$(CONFIG_UTIL_LINUX) += util-linux
 bin_modules-$(CONFIG_OPENSSL) += openssl
 bin_modules-$(CONFIG_TPM2_TOOLS) += tpm2-tools
 bin_modules-$(CONFIG_BASH) += bash
+bin_modules-$(CONFIG_POWERPC_UTILS) += powerpc-utils

 $(foreach m, $(bin_modules-y), \
 	$(call map,initrd_bin_add,$(call bins,$m)) \
--- a/boards/talos-2/talos-2.config
+++ b/boards/talos-2/talos-2.config
@ -23,6 +23,7 @@ CONFIG_GPG2=y
 CONFIG_PCIUTILS=y
 CONFIG_FLASHROM=y
 CONFIG_FLASHTOOLS=y
+CONFIG_POWERPC_UTILS=y

 #Whiptail in console mode
 CONFIG_SLANG=y
@ -45,7 +46,7 @@ export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_REMOVE="quiet"
 export CONFIG_BOOT_KERNEL_ADD="console=tty0 console=hvc0 rootdelay=3 rootwait panic=10"
-export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOOT_DEV="/dev/nvme0n1p2"
 export CONFIG_BOARD_NAME="Talos 2"
 export CONFIG_FLASHROM_OPTIONS="--noverify-all -p linux_mtd"

--- a/config/linux-talos-2.config
+++ b/config/linux-talos-2.config
@ -175,13 +175,14 @@ CONFIG_NLS_ASCII=y
 CONFIG_NLS_ISO8859_1=y
 CONFIG_NLS_UTF8=y
 CONFIG_SECURITY=y
-CONFIG_IMA=y
 CONFIG_EVM=y
+CONFIG_SECURITYFS=y
 CONFIG_CRYPTO_ECB=y
 CONFIG_CRYPTO_CMAC=y
 CONFIG_CRYPTO_MD4=y
 CONFIG_CRYPTO_ARC4=y
 CONFIG_CRYPTO_DES=y
+CONFIG_TCG_TPM=y
 # CONFIG_CRYPTO_HW is not set
 CONFIG_PRINTK_TIME=y
 CONFIG_MAGIC_SYSRQ=y
--- a/initrd/bin/seal-totp
+++ b/initrd/bin/seal-totp
@ -30,12 +30,17 @@ dd \

 secret="`base32 < $TOTP_SECRET`"
 pcrf="/tmp/secret/pcrf.bin"
+DEBUG "Sealing TOTP with actual state of PCR0-4)"
 tpmr pcrread 0 "$pcrf"
 tpmr pcrread -a 1 "$pcrf"
 tpmr pcrread -a 2 "$pcrf"
 tpmr pcrread -a 3 "$pcrf"
-# pcr 4 is expected to be zero (boot mode: init)
-dd if=/dev/zero bs="$(tpmr pcrsize)" count=1 status=none >> "$pcrf"
+DEBUG "Sealing TOTP with actual state of PCR4 (Going to recovery shell extends PCR4)"
+# pcr 4 is expected to either: 
+#  zero on bare coreboot+linuxboot on x86 (boot mode: init)
+#  already extended on ppc64 per BOOTKERNEL (skiboot) which boots heads.
+#We expect the PCR4 to be in the right state at unattended unseal operation
+tpmr pcrread -a 4 "$pcrf"
 # pcr 5 (kernel modules loaded) is not measured at sealing/unsealing of totp
 DEBUG "Sealing TOTP neglecting PCR5 involvement (Dynamically loaded kernel modules are not firmware integrity attestation related)"
 # pcr 6 (drive luks header) is not measured at sealing/unsealing of totp
--- a/initrd/bin/talos-init
+++ b/initrd/bin/talos-init
@ -8,6 +8,10 @@
 devmem 0x80060300D0010081 8 254
 devmem 0x80060300D0010082 8 254

+# Disable fast-reset which doesn't reset TPM and results in different values of
+# PRCs every time.
+nvram -p ibm,skiboot --update-config fast-reset=0
+
 # Alias for cbmem to remove need for '-f' option in every call
 echo "alias cbmem='cbmem -f /sys/firmware/cbmem'" >> $HOME/.profile
 export ENV=$HOME/.profile
--- a/modules/coreboot
+++ b/modules/coreboot
@ -43,7 +43,8 @@ else ifeq "$(CONFIG_COREBOOT_VERSION)" "4.19"
        EXTRA_FLAGS := -fdebug-prefix-map=$(pwd)=heads -gno-record-gcc-switches -Wno-error=packed-not-aligned -Wno-error=address-of-packed-member
 else ifeq "$(CONFIG_COREBOOT_VERSION)" "talos_2"
 	coreboot_version = git
-	coreboot_commit_hash = b2d4cc237c51b84c0b465976a56c6deb21b9f263
+	coreboot_patch_version = talos_2
+	coreboot_commit_hash = 068ad520e4ae898d356add72ea7d2a13913b76ab
 	coreboot_repo := https://github.com/Dasharo/coreboot

 else
--- a/modules/powerpc-utils
+++ b/modules/powerpc-utils
@ -0,0 +1,27 @@
+modules-$(CONFIG_POWERPC_UTILS) += powerpc-utils
+
+powerpc-utils_version := 1.3.5
+powerpc-utils_dir := powerpc-utils-$(powerpc-utils_version)
+powerpc-utils_tar := powerpc-utils-$(powerpc-utils_version).tar.gz
+powerpc-utils_url := https://github.com/ibm-power-utilities/powerpc-utils/archive/v$(powerpc-utils_version)/$(powerpc-utils_tar)
+powerpc-utils_hash := 77efe3978ac9c251c4728a35b9aebd6076583939a8e26cc7f07ffa86432a8bf0
+
+powerpc-utils_configure := \
+	./autogen.sh && \
+	$(CROSS_TOOLS) \
+	CFLAGS="-Os"  \
+	./configure \
+	--host $(MUSL_ARCH)-elf-linux \
+	--prefix "/" \
+	--without-systemd \
+	--without-librtas
+
+powerpc-utils_target := \
+	$(MAKE_JOBS) \
+	$(CROSS_TOOLS) \
+	DESTDIR="$(INSTALL)" \
+	install
+
+powerpc-utils_output := src/nvram
+
+powerpc-utils_depends := $(musl_dep)
--- a/patches/coreboot-talos_2/0001-Use-usr-bin-env-in-skiboot.patch
+++ b/patches/coreboot-talos_2/0001-Use-usr-bin-env-in-skiboot.patch
@ -0,0 +1,321 @@
+Use /usr/bin/env in skiboot's shebangs
+
+diff --git a/payloads/external/skiboot/Makefile b/payloads/external/skiboot/Makefile
+index e4db9bb5616..8ce85049afe 100644
+--- a/payloads/external/skiboot/Makefile
+++ b/payloads/external/skiboot/Makefile
+@@ -22,6 +22,7 @@ $(skiboot_elf): | $(skiboot_dir) $(build_dir)
+ $(skiboot_dir):
+ 	git clone $(skiboot_git_repo) $(skiboot_dir)
+ 	git -C $(skiboot_dir) checkout $(skiboot_revision)
+	git -C $(skiboot_dir) apply $(CURDIR)/patches/*.patch
+ 
+ $(build_dir):
+ 	mkdir -p $(build_dir)
+diff --git a/payloads/external/skiboot/patches/0001-Update-shebangs-to-use-usr-bin-env.patch b/payloads/external/skiboot/patches/0001-Update-shebangs-to-use-usr-bin-env.patch
+new file mode 100644
+index 00000000000..23e6d80514d
+--- /dev/null
+++ b/payloads/external/skiboot/patches/0001-Update-shebangs-to-use-usr-bin-env.patch
+@@ -0,0 +1,301 @@
+From fcdc09787c255ea43a0efc035e6e346b4b2c161a Mon Sep 17 00:00:00 2001
+From: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
+Date: Fri, 9 Jun 2023 20:40:09 +0300
+Subject: [PATCH] Update shebangs to use /usr/bin/env
+
+Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
+---
+ external/boot-tests/boot_test.sh             | 2 +-
+ external/boot-tests/extract_gcov.sh          | 2 +-
+ external/gard/test/add_test.sh               | 2 +-
+ external/npu/run_procedure.sh                | 2 +-
+ external/pflash/build-all-arch.sh            | 2 +-
+ external/read_esel.sh                        | 2 +-
+ hdata/test/dtdiff_wrap.sh                    | 2 +-
+ libstb/sign-with-local-keys.sh               | 2 +-
+ make_version.sh                              | 2 +-
+ opal-ci/build-centos7.sh                     | 2 +-
+ opal-ci/build-docs.sh                        | 2 +-
+ opal-ci/build-fedora29.sh                    | 2 +-
+ opal-ci/build-qemu-powernv.sh                | 2 +-
+ opal-ci/build-ubuntu-16.04.sh                | 2 +-
+ opal-ci/build-ubuntu-18.04.sh                | 2 +-
+ opal-ci/build-ubuntu-latest.sh               | 2 +-
+ opal-ci/install-deps-qemu-powernv.sh         | 2 +-
+ test/hello_world/run_mambo_hello_world.sh    | 2 +-
+ test/hello_world/run_mambo_p9_hello_world.sh | 2 +-
+ test/hello_world/run_qemu_hello_world.sh     | 2 +-
+ test/make-boot-coverage-report.sh            | 2 +-
+ test/run.sh                                  | 2 +-
+ test/run_mambo_boot_test.sh                  | 2 +-
+ test/run_qemu_boot_test.sh                   | 2 +-
+ test/sreset_world/run_mambo_p9_sreset.sh     | 2 +-
+ test/sreset_world/run_mambo_sreset.sh        | 2 +-
+ 26 files changed, 26 insertions(+), 26 deletions(-)
+ mode change 100644 => 100755 external/read_esel.sh
+
+diff --git a/external/boot-tests/boot_test.sh b/external/boot-tests/boot_test.sh
+index 233467c2..ade47f13 100755
+--- a/external/boot-tests/boot_test.sh
++++ b/external/boot-tests/boot_test.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ # Lets try for /bin/sh but bashisms will sneak in.
+ 
+ # partial bash strict mode
+diff --git a/external/boot-tests/extract_gcov.sh b/external/boot-tests/extract_gcov.sh
+index c40e01e5..0c2f8ae5 100755
+--- a/external/boot-tests/extract_gcov.sh
++++ b/external/boot-tests/extract_gcov.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ 
+ if [ "$SKIBOOT_GCOV" != 1 ]; then
+     echo "Skipping GCOV test on physical hardware. Enable with SKIBOOT_GCOV=1"
+diff --git a/external/gard/test/add_test.sh b/external/gard/test/add_test.sh
+index 8e773609..b401414c 100755
+--- a/external/gard/test/add_test.sh
++++ b/external/gard/test/add_test.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash -uex
++#!/usr/bin/env bash
+ #
+ # this is a really dumb script for auto-generating test cases from known good-data
+ #
+diff --git a/external/npu/run_procedure.sh b/external/npu/run_procedure.sh
+index f61ec8d4..6605c883 100755
+--- a/external/npu/run_procedure.sh
++++ b/external/npu/run_procedure.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ 
+ # Copyright 2016 IBM Corp.
+ #
+diff --git a/external/pflash/build-all-arch.sh b/external/pflash/build-all-arch.sh
+index 5974fbce..ef709c57 100755
+--- a/external/pflash/build-all-arch.sh
++++ b/external/pflash/build-all-arch.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ #
+ # Script to build all pflash backends
+ #
+diff --git a/external/read_esel.sh b/external/read_esel.sh
+old mode 100644
+new mode 100755
+index 492fbce1..872d8cbf
+--- a/external/read_esel.sh
++++ b/external/read_esel.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ # Copyright 2013-2014 IBM Corp.
+ #
+ # Licensed under the Apache License, Version 2.0 (the "License");
+diff --git a/hdata/test/dtdiff_wrap.sh b/hdata/test/dtdiff_wrap.sh
+index 75c18baf..55cd016b 100755
+--- a/hdata/test/dtdiff_wrap.sh
++++ b/hdata/test/dtdiff_wrap.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ 
+ # Takes /dev/stdin as dtb, saves to file, does dtdiff
+ # Also runs parameter through a dts->dtb->dts conversion
+diff --git a/libstb/sign-with-local-keys.sh b/libstb/sign-with-local-keys.sh
+index b78a079b..164e53a1 100755
+--- a/libstb/sign-with-local-keys.sh
++++ b/libstb/sign-with-local-keys.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ 
+ PAYLOAD=$1
+ OUTPUT=$2
+diff --git a/make_version.sh b/make_version.sh
+index 59fe01c7..fa8bdb44 100755
+--- a/make_version.sh
++++ b/make_version.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ 
+ usage() {
+ 	echo "$0 [ prefix ]"
+diff --git a/opal-ci/build-centos7.sh b/opal-ci/build-centos7.sh
+index 79b4c2e9..96dcad00 100755
+--- a/opal-ci/build-centos7.sh
++++ b/opal-ci/build-centos7.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ 
+ set -uo pipefail
+ set -e
+diff --git a/opal-ci/build-docs.sh b/opal-ci/build-docs.sh
+index 817773bf..3f56b61c 100644
+--- a/opal-ci/build-docs.sh
++++ b/opal-ci/build-docs.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ 
+ set -uo pipefail
+ set -e
+diff --git a/opal-ci/build-fedora29.sh b/opal-ci/build-fedora29.sh
+index 56099d28..3b1c63a4 100755
+--- a/opal-ci/build-fedora29.sh
++++ b/opal-ci/build-fedora29.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ 
+ set -uo pipefail
+ set -e
+diff --git a/opal-ci/build-qemu-powernv.sh b/opal-ci/build-qemu-powernv.sh
+index 904f0e67..8c6ba96c 100755
+--- a/opal-ci/build-qemu-powernv.sh
++++ b/opal-ci/build-qemu-powernv.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ set -e
+ set -vx
+ 
+diff --git a/opal-ci/build-ubuntu-16.04.sh b/opal-ci/build-ubuntu-16.04.sh
+index 39fb3f1c..cffbfdfc 100755
+--- a/opal-ci/build-ubuntu-16.04.sh
++++ b/opal-ci/build-ubuntu-16.04.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ 
+ set -uo pipefail
+ set -e
+diff --git a/opal-ci/build-ubuntu-18.04.sh b/opal-ci/build-ubuntu-18.04.sh
+index 6fd755f3..dde32b12 100755
+--- a/opal-ci/build-ubuntu-18.04.sh
++++ b/opal-ci/build-ubuntu-18.04.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ 
+ set -uo pipefail
+ set -e
+diff --git a/opal-ci/build-ubuntu-latest.sh b/opal-ci/build-ubuntu-latest.sh
+index 16c33a9f..099b5c5c 100755
+--- a/opal-ci/build-ubuntu-latest.sh
++++ b/opal-ci/build-ubuntu-latest.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ 
+ set -uo pipefail
+ set -e
+diff --git a/opal-ci/install-deps-qemu-powernv.sh b/opal-ci/install-deps-qemu-powernv.sh
+index a67daf40..506c9470 100755
+--- a/opal-ci/install-deps-qemu-powernv.sh
++++ b/opal-ci/install-deps-qemu-powernv.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ set -e
+ sudo apt-get -y install eatmydata
+ sudo eatmydata apt-get -y install gcc python g++ pkg-config \
+diff --git a/test/hello_world/run_mambo_hello_world.sh b/test/hello_world/run_mambo_hello_world.sh
+index 54d445b1..a5bb99ad 100755
+--- a/test/hello_world/run_mambo_hello_world.sh
++++ b/test/hello_world/run_mambo_hello_world.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ 
+ 
+ if [ -z "$MAMBO_PATH" ]; then
+diff --git a/test/hello_world/run_mambo_p9_hello_world.sh b/test/hello_world/run_mambo_p9_hello_world.sh
+index 9560527a..45f3eaa6 100755
+--- a/test/hello_world/run_mambo_p9_hello_world.sh
++++ b/test/hello_world/run_mambo_p9_hello_world.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ 
+ if [ -z "$P9MAMBO_PATH" ]; then
+     P9MAMBO_PATH=/opt/ibm/systemsim-p9/
+diff --git a/test/hello_world/run_qemu_hello_world.sh b/test/hello_world/run_qemu_hello_world.sh
+index 4f12958d..b1a70d62 100755
+--- a/test/hello_world/run_qemu_hello_world.sh
++++ b/test/hello_world/run_qemu_hello_world.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ 
+ QEMU_ARGS="-M powernv -nographic -device ipmi-bmc-sim,id=bmc0 -device isa-ipmi-bt,bmc=bmc0,irq=10"
+ 
+diff --git a/test/make-boot-coverage-report.sh b/test/make-boot-coverage-report.sh
+index 210880ee..0bdeff15 100755
+--- a/test/make-boot-coverage-report.sh
++++ b/test/make-boot-coverage-report.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ 
+ # We cheat and do this in a shell script so I don't go Makefile crazy.
+ 
+diff --git a/test/run.sh b/test/run.sh
+index e159bd30..8c28e222 100755
+--- a/test/run.sh
++++ b/test/run.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ 
+ t=$(mktemp) || exit 1
+ 
+diff --git a/test/run_mambo_boot_test.sh b/test/run_mambo_boot_test.sh
+index adff1804..675138d9 100755
+--- a/test/run_mambo_boot_test.sh
++++ b/test/run_mambo_boot_test.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ 
+ 
+ if [ -z "$MAMBO_PATH" ]; then
+diff --git a/test/run_qemu_boot_test.sh b/test/run_qemu_boot_test.sh
+index db657eed..8fe751f7 100755
+--- a/test/run_qemu_boot_test.sh
++++ b/test/run_qemu_boot_test.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ 
+ QEMU_ARGS="-M powernv -m 3G -nographic -device ipmi-bmc-sim,id=bmc0 -device isa-ipmi-bt,bmc=bmc0,irq=10"
+ 
+diff --git a/test/sreset_world/run_mambo_p9_sreset.sh b/test/sreset_world/run_mambo_p9_sreset.sh
+index 926ce3e4..25e95365 100755
+--- a/test/sreset_world/run_mambo_p9_sreset.sh
++++ b/test/sreset_world/run_mambo_p9_sreset.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ 
+ if [ -z "$P9MAMBO_PATH" ]; then
+     P9MAMBO_PATH=/opt/ibm/systemsim-p9/
+diff --git a/test/sreset_world/run_mambo_sreset.sh b/test/sreset_world/run_mambo_sreset.sh
+index 8fba5eb9..6192aa4f 100755
+--- a/test/sreset_world/run_mambo_sreset.sh
++++ b/test/sreset_world/run_mambo_sreset.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/usr/bin/env bash
+ 
+ 
+ if [ -z "$MAMBO_PATH" ]; then
+-- 
+2.35.8
+
--- a/patches/powerpc-utils-1.3.5.patch
+++ b/patches/powerpc-utils-1.3.5.patch
@ -0,0 +1,17 @@
+AC_FUNC_MALLOC somehow fails to find malloc(), so drop the check
+
+Weirdly, it doesn't fail configuration, but instead adds -Dmalloc=rpl_malloc
+and fails linking.
+
+diff --git a/configure.ac.orig b/configure.ac
+index a7be3ee95c..74aade323b 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -33,7 +33,6 @@ AC_TYPE_UINT8_T
+ # Checks for library functions.
+ AC_FUNC_FORK
+ AC_FUNC_LSTAT_FOLLOWS_SLASHED_SYMLINK
+-AC_FUNC_MALLOC
+ AC_FUNC_MKTIME
+ AC_CHECK_FUNCS([memset strchr strcspn strdup strerror strrchr strstr strtol strtoul strtoull gettimeofday])
+