Merge branch 'cbfs-init' of https://github.com/flammit/heads

boards/kgpe-d16/kgpe-d16.config

@@ -1,10 +1,11 @@
 # Configuration for a kgpe-d16 running non-Qubes
-CONFIG_COREBOOT=y
+export CONFIG_COREBOOT=y
 CONFIG_COREBOOT_CONFIG=config/coreboot-kgpe-d16.config
 CONFIG_LINUX_CONFIG=config/linux-kgpe-d16.config
 
 CONFIG_CRYPTSETUP=y
 CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
 CONFIG_GPG=y
 CONFIG_KEXEC=y
 CONFIG_UTIL_LINUX=y

boards/librem13v2/librem13v2.config

@@ -2,9 +2,10 @@
 CONFIG_LINUX_CONFIG=config/linux-librem13v2.config
 CONFIG_COREBOOT_CONFIG=config/coreboot-librem13v2.config
 
-CONFIG_COREBOOT=y
+export CONFIG_COREBOOT=y
 CONFIG_CRYPTSETUP=y
 CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
 CONFIG_GPG=y
 CONFIG_KEXEC=y
 CONFIG_UTIL_LINUX=y

boards/qemu-coreboot/qemu-coreboot.config

@@ -1,7 +1,7 @@
 # Configuration for building a coreboot ROM that works in the.
 # the qemu emulator.  Note that the TPM does not work, so this
 # will just drop into the recovery shell.
-CONFIG_COREBOOT=y
+export CONFIG_COREBOOT=y
 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu.config
 CONFIG_LINUX_CONFIG=config/linux-qemu.config
 

boards/qemu-linuxboot/qemu-linuxboot.config

@@ -1,6 +1,6 @@
 # Configuration for emulating LinuxBoot+Heads with qemu
 #
-CONFIG_LINUXBOOT=y
+export CONFIG_LINUXBOOT=y
 CONFIG_LINUXBOOT_BOARD=qemu
 CONFIG_LINUX_CONFIG=config/linux-linuxboot.config
 

boards/x220/x220.config

@@ -1,6 +1,6 @@
 # Configuration for a x220 running Qubes and other OS
 # The Linux configuration is close enough to the x230
-CONFIG_COREBOOT=y
+export CONFIG_COREBOOT=y
 CONFIG_COREBOOT_CONFIG=config/coreboot-x220.config
 CONFIG_LINUX_CONFIG=config/linux-x230.config
 

boards/x230-flash/x230-flash.config

@@ -1,7 +1,7 @@
 # Minimal configuration for a x230 to support flashrom, USB and networking
 BOARD=x230.flash
 
-CONFIG_COREBOOT=y
+export CONFIG_COREBOOT=y
 CONFIG_FLASHROM=y
 CONFIG_FLASHTOOLS=y
 CONFIG_PCIUTILS=y

boards/x230/x230.config

@@ -1,5 +1,5 @@
 # Configuration for a x230 running Qubes and other OSes
-CONFIG_COREBOOT=y
+export CONFIG_COREBOOT=y
 CONFIG_COREBOOT_CONFIG=config/coreboot-x230.config
 CONFIG_LINUX_CONFIG=config/linux-x230.config
 

initrd/.ssh/authorized_keys

@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuf59gWFcsnxdXAj7wvbzYto6JTmCF3pAXRS2RGipJUOqmWFayL8mKKLJMPpLoB60oaFno6+Uedbm93v/UQvt1FMWbhBe6Y15KawXEnmX1pjCfGbfbB9UC+EM8l9QPaQfdgCGt8e/CeM+kQKQ0X38d9WvaSNoP0EC9xoMsx7scbhy5O1VtmUYuDNXC2ZtAmCQLS2rC5RyweLA0DFWbmyOa75STEOYe0xuG8Kix7gBUP/LwawZN8URrszTzJonewYEF/PQoltcCnqkIbgVvMnm1N/hS42/911gPzlD29F1ZjhVplraOtlRKD0D5ogR5/5hKyL48MRbt9pi7lm0MtdeR hudson@diamond

initrd/bin/cbfs-init

@@ -0,0 +1,31 @@
+#!/bin/ash
+set -e -o pipefail
+. /etc/functions
+
+# Update initrd with CBFS files
+if [ -z "$CONFIG_PCR" ]; then
+	CONFIG_PCR=7
+fi
+
+# Load individual files
+cbfsfiles=`cbfs -t 50 -l 2>/dev/null | grep "^heads/initrd/"`
+
+for cbfsname in `echo $cbfsfiles`; do
+	filename=${cbfsname:12}
+	if [ ! -z "$filename" ]; then
+		echo "Loading $filename from CBFS"
+		mkdir -p `dirname $filename` \
+		|| die "$filename: mkdir failed"
+		cbfs -t 50 -r $cbfsname > "$filename" \
+		|| die "$filename: cbfs file read failed"
+		if [ "$CONFIG_TPM" = "y" ]; then
+			TMPFILE=/tmp/cbfs.$$
+			echo "$filename" > $TMPFILE
+			cat $filename >> $TMPFILE
+			tpm extend -ix "$CONFIG_PCR" -if $TMPFILE \
+			|| die "$filename: tpm extend failed"
+		fi
+	fi
+done
+
+# TODO: copy CBFS file named "heads/initrd.tgz" to /tmp, measure and extract

initrd/bin/flashrom-kgpe-d16.sh

@@ -1,13 +1,24 @@
 #!/bin/sh
 . /etc/functions
 
-ROM="$1"
-if [ -z "$1" ]; then
-	die "Usage: $0 /media/kgpe-d16.rom"
+if [ "$1" = "-c" ]; then
+	CLEAN=1
+	ROM="$2"
+else
+	CLEAN=0
+	ROM="$1"
+fi
+
+if [ ! -e "$ROM" ]; then
+	die "Usage: $0 [-c] /media/kgpe-d16.rom"
 fi
 
 cp "$ROM" /tmp/kgpe-d16.rom
 sha256sum /tmp/kgpe-d16.rom
+if [ "$CLEAN" -eq 0 ]; then
+	preserve_rom /tmp/kgpe-d16.rom \
+	|| die "$ROM: Config preservation failed"
+fi
 
 flashrom \
 	--force \

initrd/bin/flashrom-x230.sh

@@ -1,13 +1,24 @@
 #!/bin/sh
 . /etc/functions
 
-ROM="$1"
-if [ -z "$1" ]; then
-	die "Usage: $0 /media/x230.rom"
+if [ "$1" = "-c" ]; then
+	CLEAN=1
+	ROM="$2"
+else
+	CLEAN=0
+	ROM="$1"
+fi
+
+if [ ! -e "$ROM" ]; then
+	die "Usage: $0 [-c] /media/x230.rom"
 fi
 
 cp "$ROM" /tmp/x230.rom
 sha256sum /tmp/x230.rom
+if [ "$CLEAN" -eq 0 ]; then
+	preserve_rom /tmp/x230.rom \
+	|| die "$ROM: Config preservation failed"
+fi
 
 flashrom \
 	--force \

initrd/bin/kexec-seal-key

@@ -106,6 +106,7 @@ tpm sealfile2 \
 	-ix 4 0000000000000000000000000000000000000000 \
 	-ix 5 0000000000000000000000000000000000000000 \
 	-ix 6 $luks_pcr \
+	-ix 7 X \
 || die "Unable to seal secret"
 
 rm -f "$KEY_FILE" \

initrd/bin/key-init

@@ -0,0 +1,8 @@
+#!/bin/ash
+set -e -o pipefail
+. /etc/functions
+
+# Post processing of keys
+gpg --import /.gnupg/keys/* 2>/dev/null || true
+
+# TODO: split out gpg keys into multiple rings by function

initrd/bin/network-init-recovery

@@ -3,23 +3,22 @@
 # bring up the ethernet; maybe should do DHCP?
 ifconfig lo 127.0.0.1
 
-if [ -f /lib/modules/e1000.ko ]; then
-	insmod /lib/modules/e1000.ko
-fi
-
-if [ -f /lib/modules/e1000e.ko ]; then
-	insmod /lib/modules/e1000e.ko
-fi
+network_modules="e1000 e1000e igb sfc mdio mlx4_core mlx4_en"
+for module in `echo $network_modules`; do
+	if [ -f /lib/modules/$module.ko ]; then
+		insmod /lib/modules/$module.ko
+	fi
+done
 
 if [ -e /sys/class/net/eth0 ]; then
-	# Setup static IP
+	# Set up static IP
 	if [ ! -z "$CONFIG_BOOT_STATIC_IP" ]; then
 		ifconfig eth0 $CONFIG_BOOT_STATIC_IP
 	fi
-	# TODO: setup DHCP if available
+	# TODO: Set up DHCP if available
 	ifconfig eth0 > /dev/ttyprintk
 
-	# Setup the ssh server, allow root logins and log to stderr
+	# Set up the ssh server, allow root logins and log to stderr
 	if [ ! -d /etc/dropbear ]; then
 		mkdir /etc/dropbear
 	fi

initrd/bin/seal-totp

@@ -41,6 +41,7 @@ if ! tpm sealfile2 \
 	-ix 2 X \
 	-ix 3 X \
 	-ix 4 0000000000000000000000000000000000000000 \
+	-ix 7 X \
 ; then
 	rm -f "$TOTP_SECRET"
 	 die "Unable to seal secret"

initrd/bin/uefi-init

@@ -0,0 +1,28 @@
+#!/bin/ash
+set -e -o pipefail
+. /etc/functions
+
+# Update initrd with CBFS files
+if [ -z "$CONFIG_PCR" ]; then
+	CONFIG_PCR=7
+fi
+
+CONFIG_GUID="74696e69-6472-632e-7069-6f2f75736572"
+
+# copy EFI file named $CONFIG_GUID to /tmp, measure and extract
+GUID=`uefi -l | grep "^$CONFIG_GUID"`
+
+if [ -n "GUID" ]; then
+	echo "Loading $GUID from ROM"
+	TMPFILE=/tmp/uefi.$$
+	uefi -r $GUID | gunzip -c > $TMPFILE \
+	|| die "Failed to read config GUID from ROM"
+
+	if [ "$CONFIG_TPM" = "y" ]; then
+		tpm extend -ix "$CONFIG_PCR" -if $TMPFILE \
+		|| die "$filename: tpm extend failed"
+	fi
+
+	( cd / ; cpio -iud < $TMPFILE 2>/dev/null ) \
+	|| die "Failed to extract config GUID"
+fi

initrd/etc/functions

@@ -36,7 +36,7 @@ pause_recovery() {
 }
 
 pcrs() {
-	head -7 /sys/class/tpm/tpm0/pcrs
+	head -8 /sys/class/tpm/tpm0/pcrs
 }
 
 confirm_totp()
@@ -198,3 +198,19 @@ check_config() {
 	cp $1/kexec*.txt /tmp/kexec \
 	|| die "Failed to copy kexec boot params to tmp"
 }
+
+preserve_rom() {
+	new_rom="$1"
+	old_files=`cbfs -t 50 -l 2>/dev/null | grep "^heads/"`
+
+	for old_file in `echo $old_files`; do
+		new_file=`cbfs -o $1 -l | grep -x $old_file`
+		if [ -z "$new_file" ]; then
+			echo "+++ Adding $old_file to $1"
+			cbfs -t 50 -r $old_file >/tmp/rom.$$ \
+			|| die "Failed to read cbfs file from ROM"
+			cbfs -o $1 -a $old_file -f /tmp/rom.$$ \
+			|| die "Failed to write cbfs file to new ROM file"
+		fi
+	done
+}

initrd/init

@@ -51,6 +51,14 @@ if [ ! -z "$CONFIG_USB_BOOT_DEV" ]; then
 	echo >> /etc/fstab "$CONFIG_USB_BOOT_DEV /media auto defaults,ro 0 0"
 fi
 
+if [ "$CONFIG_COREBOOT" = "y" ]; then
+	/bin/cbfs-init
+fi
+if [ "$CONFIG_LINUXBOOT" = "y" ]; then
+	/bin/uefi-init
+fi
+/bin/key-init
+
 # Setup recovery serial shell
 if [ ! -z "$CONFIG_BOOT_RECOVERY_SERIAL" ]; then
 	stty -F "$CONFIG_BOOT_RECOVERY_SERIAL" 115200
@@ -72,7 +80,7 @@ if [ "$boot_option" = "r" ]; then
 	# Start an interactive shell
 	recovery 'User requested recovery shell'
 	# just in case...
-	if [ "$CONFIG_TPM" = y ]; then
+	if [ "$CONFIG_TPM" = "y" ]; then
 		tpm extend -ix 4 -ic recovery
 	fi
 	exec /bin/ash
@@ -102,7 +110,7 @@ else
 fi
 
 # belts and suspenders, just in case...
-if [ "$CONFIG_TPM" = y ]; then
+if [ "$CONFIG_TPM" = "y" ]; then
 	tpm extend -ix 4 -ic recovery
 fi
 exec /bin/ash

modules/flashtools

@@ -21,6 +21,7 @@ flashtools_output := \
 	peek \
 	poke \
 	cbfs \
+	uefi \
 
 flashtools_libraries := \
 

modules/linuxboot

@@ -24,10 +24,15 @@ linuxboot_configure := \
 	fi ; \
 	touch .config ; \
 
+ifdef CUSTOM
+	CUSTOMPWD=$(pwd)/$(CUSTOM)
+endif
+
 linuxboot_target := \
 	BOARD=$(linuxboot_board) \
 	KERNEL=$(build)/$(BOARD)/bzImage \
 	INITRD=$(build)/$(BOARD)/initrd.cpio.xz \
+	CUSTOM=$(CUSTOMPWD) \
 	$(if $(CONFIG_LINUXBOOT_ROM), ROM=$(pwd)/$(CONFIG_LINUXBOOT_ROM)) \
 	all
 
@@ -74,4 +79,5 @@ linuxboot.run: $(build)/$(BOARD)/linuxboot.rom
 		BOARD:=$(linuxboot_board) \
 		KERNEL=$(build)/$(BOARD)/bzImage \
 		INITRD=$(build)/$(BOARD)/initrd.cpio.xz \
+		CUSTOM=$(CUSTOMPWD) \
 		run