diff --git a/boards/kgpe-d16/kgpe-d16.config b/boards/kgpe-d16/kgpe-d16.config index 3888aeec..466fdf01 100644 --- a/boards/kgpe-d16/kgpe-d16.config +++ b/boards/kgpe-d16/kgpe-d16.config @@ -1,10 +1,11 @@ # Configuration for a kgpe-d16 running non-Qubes -CONFIG_COREBOOT=y +export CONFIG_COREBOOT=y CONFIG_COREBOOT_CONFIG=config/coreboot-kgpe-d16.config CONFIG_LINUX_CONFIG=config/linux-kgpe-d16.config CONFIG_CRYPTSETUP=y CONFIG_FLASHROM=y +CONFIG_FLASHTOOLS=y CONFIG_GPG=y CONFIG_KEXEC=y CONFIG_UTIL_LINUX=y diff --git a/boards/librem13v2/librem13v2.config b/boards/librem13v2/librem13v2.config index 9cfea3d2..39a1b325 100644 --- a/boards/librem13v2/librem13v2.config +++ b/boards/librem13v2/librem13v2.config @@ -2,9 +2,10 @@ CONFIG_LINUX_CONFIG=config/linux-librem13v2.config CONFIG_COREBOOT_CONFIG=config/coreboot-librem13v2.config -CONFIG_COREBOOT=y +export CONFIG_COREBOOT=y CONFIG_CRYPTSETUP=y CONFIG_FLASHROM=y +CONFIG_FLASHTOOLS=y CONFIG_GPG=y CONFIG_KEXEC=y CONFIG_UTIL_LINUX=y diff --git a/boards/qemu-coreboot/qemu-coreboot.config b/boards/qemu-coreboot/qemu-coreboot.config index fe2963a6..e095bed5 100644 --- a/boards/qemu-coreboot/qemu-coreboot.config +++ b/boards/qemu-coreboot/qemu-coreboot.config @@ -1,7 +1,7 @@ # Configuration for building a coreboot ROM that works in the. # the qemu emulator. Note that the TPM does not work, so this # will just drop into the recovery shell. -CONFIG_COREBOOT=y +export CONFIG_COREBOOT=y CONFIG_COREBOOT_CONFIG=config/coreboot-qemu.config CONFIG_LINUX_CONFIG=config/linux-qemu.config diff --git a/boards/qemu-linuxboot/qemu-linuxboot.config b/boards/qemu-linuxboot/qemu-linuxboot.config index 2480ebd9..f7114174 100644 --- a/boards/qemu-linuxboot/qemu-linuxboot.config +++ b/boards/qemu-linuxboot/qemu-linuxboot.config @@ -1,6 +1,6 @@ # Configuration for emulating LinuxBoot+Heads with qemu # -CONFIG_LINUXBOOT=y +export CONFIG_LINUXBOOT=y CONFIG_LINUXBOOT_BOARD=qemu CONFIG_LINUX_CONFIG=config/linux-linuxboot.config 
diff --git a/boards/x220/x220.config b/boards/x220/x220.config index a6aa9732..0b901bdb 100644 --- a/boards/x220/x220.config +++ b/boards/x220/x220.config @@ -1,6 +1,6 @@ # Configuration for a x220 running Qubes and other OS # The Linux configuration is close enough to the x230 -CONFIG_COREBOOT=y +export CONFIG_COREBOOT=y CONFIG_COREBOOT_CONFIG=config/coreboot-x220.config CONFIG_LINUX_CONFIG=config/linux-x230.config diff --git a/boards/x230-flash/x230-flash.config b/boards/x230-flash/x230-flash.config index ad5f2c5d..3c426e65 100644 --- a/boards/x230-flash/x230-flash.config +++ b/boards/x230-flash/x230-flash.config @@ -1,7 +1,7 @@ # Minimal configuration for a x230 to support flashrom, USB and networking BOARD=x230.flash -CONFIG_COREBOOT=y +export CONFIG_COREBOOT=y CONFIG_FLASHROM=y CONFIG_FLASHTOOLS=y CONFIG_PCIUTILS=y diff --git a/boards/x230/x230.config b/boards/x230/x230.config index d65fc395..7a22c5d5 100644 --- a/boards/x230/x230.config +++ b/boards/x230/x230.config @@ -1,5 +1,5 @@ # Configuration for a x230 running Qubes and other OSes -CONFIG_COREBOOT=y +export CONFIG_COREBOOT=y CONFIG_COREBOOT_CONFIG=config/coreboot-x230.config CONFIG_LINUX_CONFIG=config/linux-x230.config diff --git a/initrd/.gnupg/pubring.gpg b/initrd/.gnupg/pubring.gpg deleted file mode 100644 index 8963af39..00000000 Binary files a/initrd/.gnupg/pubring.gpg and /dev/null differ diff --git a/initrd/.gnupg/secring.gpg b/initrd/.gnupg/secring.gpg deleted file mode 100644 index c8bdd473..00000000 Binary files a/initrd/.gnupg/secring.gpg and /dev/null differ diff --git a/initrd/.gnupg/trustdb.gpg b/initrd/.gnupg/trustdb.gpg deleted file mode 100644 index 929b0687..00000000 Binary files a/initrd/.gnupg/trustdb.gpg and /dev/null differ diff --git a/initrd/.ssh/authorized_keys b/initrd/.ssh/authorized_keys deleted file mode 100644 index c90a2b76..00000000 --- a/initrd/.ssh/authorized_keys +++ /dev/null 
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuf59gWFcsnxdXAj7wvbzYto6JTmCF3pAXRS2RGipJUOqmWFayL8mKKLJMPpLoB60oaFno6+Uedbm93v/UQvt1FMWbhBe6Y15KawXEnmX1pjCfGbfbB9UC+EM8l9QPaQfdgCGt8e/CeM+kQKQ0X38d9WvaSNoP0EC9xoMsx7scbhy5O1VtmUYuDNXC2ZtAmCQLS2rC5RyweLA0DFWbmyOa75STEOYe0xuG8Kix7gBUP/LwawZN8URrszTzJonewYEF/PQoltcCnqkIbgVvMnm1N/hS42/911gPzlD29F1ZjhVplraOtlRKD0D5ogR5/5hKyL48MRbt9pi7lm0MtdeR hudson@diamond
diff --git a/initrd/bin/cbfs-init b/initrd/bin/cbfs-init
new file mode 100755
index 00000000..ee6276a8
--- /dev/null
+++ b/initrd/bin/cbfs-init
@@ -0,0 +1,31 @@
+#!/bin/ash
+set -e -o pipefail
+. /etc/functions
+
+# Update initrd with CBFS files
+if [ -z "$CONFIG_PCR" ]; then
+ CONFIG_PCR=7
+fi
+
+# Load individual files
+cbfsfiles=`cbfs -t 50 -l 2>/dev/null | grep "^heads/initrd/"`
+
+for cbfsname in `echo $cbfsfiles`; do
+ filename=${cbfsname:12}
+ if [ ! -z "$filename" ]; then
+ echo "Loading $filename from CBFS"
+ mkdir -p `dirname $filename` \
+ || die "$filename: mkdir failed"
+ cbfs -t 50 -r $cbfsname > "$filename" \
+ || die "$filename: cbfs file read failed"
+ if [ "$CONFIG_TPM" = "y" ]; then
+ TMPFILE=/tmp/cbfs.$$
+ echo "$filename" > $TMPFILE
+ cat $filename >> $TMPFILE
+ tpm extend -ix "$CONFIG_PCR" -if $TMPFILE \
+ || die "$filename: tpm extend failed"
+ fi
+ fi
+done
+
+# TODO: copy CBFS file named "heads/initrd.tgz" to /tmp, measure and extract
diff --git a/initrd/bin/flashrom-kgpe-d16.sh b/initrd/bin/flashrom-kgpe-d16.sh
index 135c4b6c..801c1b83 100755
--- a/initrd/bin/flashrom-kgpe-d16.sh
+++ b/initrd/bin/flashrom-kgpe-d16.sh
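Review bot: In initrd/bin/cbfs-init the `cbfsfiles=` pipeline runs under `set -e -o pipefail` with `2>/dev/null`, so a failing `cbfs -l` and a `grep` that matches nothing both end the script silently before the loop. A flash read error then looks the same as an empty configuration, and the PCR named by `CONFIG_PCR` is not extended in either case. I would split the two steps, `cbfslist=$(cbfs -t 50 -l) || die "cbfs: listing failed"` followed by `cbfsfiles=$(echo "$cbfslist" | grep "^heads/initrd/" || true)`, so that only the no-match case is tolerated. Separately, each file is written to its final path before it is measured, and when `CONFIG_TPM` is not `y` it is not measured at all; a comment above the loop should state that nothing may read or execute `$filename` before `tpm extend` has succeeded.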
@@ -1,13 +1,24 @@ #!/bin/sh . /etc/functions -ROM="$1" -if [ -z "$1" ]; then - die "Usage: $0 /media/kgpe-d16.rom" +if [ "$1" = "-c" ]; then + CLEAN=1 + ROM="$2" +else + CLEAN=0 + ROM="$1" +fi + +if [ ! -e "$ROM" ]; then + die "Usage: $0 [-c] /media/kgpe-d16.rom" fi cp "$ROM" /tmp/kgpe-d16.rom sha256sum /tmp/kgpe-d16.rom +if [ "$CLEAN" -eq 0 ]; then + preserve_rom /tmp/kgpe-d16.rom \ + || die "$ROM: Config preservation failed" +fi flashrom \ --force \ diff --git a/initrd/bin/flashrom-x230.sh b/initrd/bin/flashrom-x230.sh index 475d8263..ee978f32 100755 --- a/initrd/bin/flashrom-x230.sh +++ b/initrd/bin/flashrom-x230.sh @@ -1,13 +1,24 @@ #!/bin/sh . /etc/functions -ROM="$1" -if [ -z "$1" ]; then - die "Usage: $0 /media/x230.rom" +if [ "$1" = "-c" ]; then + CLEAN=1 + ROM="$2" +else + CLEAN=0 + ROM="$1" +fi + +if [ ! -e "$ROM" ]; then + die "Usage: $0 [-c] /media/x230.rom" fi cp "$ROM" /tmp/x230.rom sha256sum /tmp/x230.rom +if [ "$CLEAN" -eq 0 ]; then + preserve_rom /tmp/x230.rom \ + || die "$ROM: Config preservation failed" +fi flashrom \ --force \ diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key index 05216191..5f6ab6b3 100755 --- a/initrd/bin/kexec-seal-key +++ b/initrd/bin/kexec-seal-key @@ -106,6 +106,7 @@ tpm sealfile2 \ -ix 4 0000000000000000000000000000000000000000 \ -ix 5 0000000000000000000000000000000000000000 \ -ix 6 $luks_pcr \ + -ix 7 X \ || die "Unable to seal secret" rm -f "$KEY_FILE" \ diff --git a/initrd/bin/key-init b/initrd/bin/key-init new file mode 100755 index 00000000..2d684a8d --- /dev/null +++ b/initrd/bin/key-init @@ -0,0 +1,8 @@ +#!/bin/ash +set -e -o pipefail +. /etc/functions + +# Post processing of keys +gpg --import /.gnupg/keys/* 2>/dev/null || true + +# TODO: split out gpg keys into multiple rings by function diff --git a/initrd/bin/network-init-recovery b/initrd/bin/network-init-recovery index 82a4a209..23ebcb25 100755 --- a/initrd/bin/network-init-recovery +++ b/initrd/bin/network-init-recovery 
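Review bot: In flashrom-kgpe-d16.sh, and identically in flashrom-x230.sh, `sha256sum` prints the hash of the copied ROM before `preserve_rom` modifies that same file, so the hash shown does not describe the image that is actually written. Running `sha256sum /tmp/kgpe-d16.rom` again after the `preserve_rom` block would let the operator record what was flashed. By default `preserve_rom` carries every `heads/` file from the running flash into the new image, so a reflash without `-c` keeps whatever configuration and keys the current flash holds, including entries the owner did not put there. The usage string should say this, for example `Usage: $0 [-c] /media/kgpe-d16.rom (-c: do not carry over heads/ files from the current flash)`. Both scripts continue past the end of their hunks.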
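Review bot: The added `-ix 7 X` in kexec-seal-key hard-codes PCR 7, as do the matching line in seal-totp and `head -8` in `pcrs()`, while cbfs-init and uefi-init extend `$CONFIG_PCR` and only default it to 7. If a board sets `CONFIG_PCR` to another index, the CBFS or UEFI files are measured into a PCR that neither secret is sealed to. Either seal against the same variable, `-ix "${CONFIG_PCR:-7}" X \`, or drop the override and use the literal 7 in the init scripts. The `tpm sealfile2` command starts above this hunk, so the meaning of `X` is not visible here; a one-line comment stating it (presumably "seal to the current value of this PCR") would help the next reader.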
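Review bot: `gpg --import /.gnupg/keys/* 2>/dev/null || true` in key-init discards both the error output and the exit status, so a corrupt or unreadable key file leaves the keyring silently incomplete, and the `set -e -o pipefail` above it has nothing left to act on. This keyring is presumably what later signature checks rely on, so the outcome should at least be visible: `gpg --import /.gnupg/keys/* 2>/dev/null || echo "key-init: no keys imported" >&2`. A header comment saying where `/.gnupg/keys` is populated from would also help; judging by the order of the calls in init it is the CBFS or UEFI payload loaded just before.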
@@ -3,23 +3,22 @@ # bring up the ethernet; maybe should do DHCP? ifconfig lo 127.0.0.1 -if [ -f /lib/modules/e1000.ko ]; then - insmod /lib/modules/e1000.ko -fi - -if [ -f /lib/modules/e1000e.ko ]; then - insmod /lib/modules/e1000e.ko -fi +network_modules="e1000 e1000e igb sfc mdio mlx4_core mlx4_en" +for module in `echo $network_modules`; do + if [ -f /lib/modules/$module.ko ]; then + insmod /lib/modules/$module.ko + fi +done if [ -e /sys/class/net/eth0 ]; then - # Setup static IP + # Set up static IP if [ ! -z "$CONFIG_BOOT_STATIC_IP" ]; then ifconfig eth0 $CONFIG_BOOT_STATIC_IP fi - # TODO: setup DHCP if available + # TODO: Set up DHCP if available ifconfig eth0 > /dev/ttyprintk - # Setup the ssh server, allow root logins and log to stderr + # Set up the ssh server, allow root logins and log to stderr if [ ! -d /etc/dropbear ]; then mkdir /etc/dropbear fi diff --git a/initrd/bin/seal-totp b/initrd/bin/seal-totp index fc89d897..f46f4520 100755 --- a/initrd/bin/seal-totp +++ b/initrd/bin/seal-totp @@ -41,6 +41,7 @@ if ! tpm sealfile2 \ -ix 2 X \ -ix 3 X \ -ix 4 0000000000000000000000000000000000000000 \ + -ix 7 X \ ; then rm -f "$TOTP_SECRET" die "Unable to seal secret" diff --git a/initrd/bin/uefi-init b/initrd/bin/uefi-init new file mode 100755 index 00000000..600d2072 --- /dev/null +++ b/initrd/bin/uefi-init 
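Review bot: The new loop in network-init-recovery loads modules with `insmod` in list order, and `sfc` is listed before `mdio`. `insmod` does not resolve dependencies, so if `sfc` needs symbols from `mdio` (it does in mainline kernels; confirm for this kernel config) the `sfc` load fails and that NIC stays down in recovery. Listing the dependency first fixes it: `network_modules="e1000 e1000e igb mdio sfc mlx4_core mlx4_en"`. The loop header can also be plain `for module in $network_modules; do`, since the `echo` in backticks adds nothing. The rest of the script, including the ssh server setup, continues outside this hunk.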
@@ -0,0 +1,28 @@ +#!/bin/ash +set -e -o pipefail +. /etc/functions + +# Update initrd with CBFS files +if [ -z "$CONFIG_PCR" ]; then + CONFIG_PCR=7 +fi + +CONFIG_GUID="74696e69-6472-632e-7069-6f2f75736572" + +# copy EFI file named $CONFIG_GUID to /tmp, measure and extract +GUID=`uefi -l | grep "^$CONFIG_GUID"` + +if [ -n "GUID" ]; then + echo "Loading $GUID from ROM" + TMPFILE=/tmp/uefi.$$ + uefi -r $GUID | gunzip -c > $TMPFILE \ + || die "Failed to read config GUID from ROM" + + if [ "$CONFIG_TPM" = "y" ]; then + tpm extend -ix "$CONFIG_PCR" -if $TMPFILE \ + || die "$filename: tpm extend failed" + fi + + ( cd / ; cpio -iud < $TMPFILE 2>/dev/null ) \ + || die "Failed to extract config GUID" +fi diff --git a/initrd/etc/functions b/initrd/etc/functions index 658990ff..067eabc8 100755 --- a/initrd/etc/functions +++ b/initrd/etc/functions @@ -36,7 +36,7 @@ pause_recovery() { } pcrs() { - head -7 /sys/class/tpm/tpm0/pcrs + head -8 /sys/class/tpm/tpm0/pcrs } confirm_totp() @@ -198,3 +198,19 @@ check_config() { cp $1/kexec*.txt /tmp/kexec \ || die "Failed to copy kexec boot params to tmp" } + +preserve_rom() { + new_rom="$1" + old_files=`cbfs -t 50 -l 2>/dev/null | grep "^heads/"` + + for old_file in `echo $old_files`; do + new_file=`cbfs -o $1 -l | grep -x $old_file` + if [ -z "$new_file" ]; then + echo "+++ Adding $old_file to $1" + cbfs -t 50 -r $old_file >/tmp/rom.$$ \ + || die "Failed to read cbfs file from ROM" + cbfs -o $1 -a $old_file -f /tmp/rom.$$ \ + || die "Failed to write cbfs file to new ROM file" + fi + done +} diff --git a/initrd/init b/initrd/init index 527188f9..d489f6ae 100755 --- a/initrd/init +++ b/initrd/init 
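Review bot: In uefi-init the test `if [ -n "GUID" ]` checks a literal string and is always true; it should read `if [ -n "$GUID" ]`. The `tpm extend` failure message uses `$filename`, which this script never sets, so `die "$GUID: tpm extend failed"` is what was meant. As in cbfs-init, the `GUID=` pipeline under `set -e -o pipefail` ends the script silently when `grep` matches nothing, and `$GUID` is passed unquoted to `uefi -r`, so more than one matching line would arrive as several arguments. The archive is measured before `cpio -iud` unpacks it over `/`, which is the right order and deserves a comment saying so; when `CONFIG_TPM` is not `y` it is unpacked unmeasured.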
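Review bot: In `preserve_rom` the lookup `grep -x $old_file` treats the CBFS name as an unquoted regular expression, so a `.` in a name matches any character and a different entry in the new ROM can be taken for the old one, which is then not carried over; `grep -Fx -- "$old_file"` compares literally. `new_rom` is assigned but the body keeps using an unquoted `$1`; use `"$new_rom"` throughout. `/tmp/rom.$$` is never removed, so the last preserved file, possibly key material, stays in /tmp after flashing; add `rm -f /tmp/rom.$$` after the loop. A short comment above the function should state that entries already present in the new ROM win over the copies read from flash.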
@@ -51,6 +51,14 @@ if [ ! -z "$CONFIG_USB_BOOT_DEV" ]; then echo >> /etc/fstab "$CONFIG_USB_BOOT_DEV /media auto defaults,ro 0 0" fi +if [ "$CONFIG_COREBOOT" = "y" ]; then + /bin/cbfs-init +fi +if [ "$CONFIG_LINUXBOOT" = "y" ]; then + /bin/uefi-init +fi +/bin/key-init + # Setup recovery serial shell if [ ! -z "$CONFIG_BOOT_RECOVERY_SERIAL" ]; then stty -F "$CONFIG_BOOT_RECOVERY_SERIAL" 115200 @@ -72,7 +80,7 @@ if [ "$boot_option" = "r" ]; then # Start an interactive shell recovery 'User requested recovery shell' # just in case... - if [ "$CONFIG_TPM" = y ]; then + if [ "$CONFIG_TPM" = "y" ]; then tpm extend -ix 4 -ic recovery fi exec /bin/ash @@ -102,7 +110,7 @@ else fi # belts and suspenders, just in case... -if [ "$CONFIG_TPM" = y ]; then +if [ "$CONFIG_TPM" = "y" ]; then tpm extend -ix 4 -ic recovery fi exec /bin/ash diff --git a/modules/flashtools b/modules/flashtools index fddd761e..d95c2152 100644 --- a/modules/flashtools +++ b/modules/flashtools @@ -21,6 +21,7 @@ flashtools_output := \ peek \ poke \ cbfs \ + uefi \ flashtools_libraries := \ diff --git a/modules/linuxboot b/modules/linuxboot index 7392bc2e..822b664c 100644 --- a/modules/linuxboot +++ b/modules/linuxboot @@ -24,10 +24,15 @@ linuxboot_configure := \ fi ; \ touch .config ; \ +ifdef CUSTOM + CUSTOMPWD=$(pwd)/$(CUSTOM) +endif + linuxboot_target := \ BOARD=$(linuxboot_board) \ KERNEL=$(build)/$(BOARD)/bzImage \ INITRD=$(build)/$(BOARD)/initrd.cpio.xz \ + CUSTOM=$(CUSTOMPWD) \ $(if $(CONFIG_LINUXBOOT_ROM), ROM=$(pwd)/$(CONFIG_LINUXBOOT_ROM)) \ all @@ -74,4 +79,5 @@ linuxboot.run: $(build)/$(BOARD)/linuxboot.rom BOARD:=$(linuxboot_board) \ KERNEL=$(build)/$(BOARD)/bzImage \ INITRD=$(build)/$(BOARD)/initrd.cpio.xz \ + CUSTOM=$(CUSTOMPWD) \ run
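Review bot: The three new calls in init (`/bin/cbfs-init`, `/bin/uefi-init`, `/bin/key-init`) do not check the exit status as far as this hunk shows; init's shell options are set outside it. cbfs-init writes each file before extending the PCR and calls `die` on failure, so if `die` only ends the child script, a failed read or `tpm extend` can leave files in the initrd that were written but not measured while boot continues. Checking the result here closes that gap, for example `/bin/cbfs-init || recovery 'cbfs-init failed'`, and likewise for uefi-init. A comment that these must run before anything reads the loaded configuration would record why they sit at this point in the script.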
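Review bot: In modules/linuxboot `CUSTOM=$(CUSTOMPWD)` is passed to the sub-make unconditionally, here and in the `linuxboot.run` hunk, so with `CUSTOM` unset the command line carries an empty `CUSTOM=` that overrides any default in the linuxboot Makefile. The `ROM` argument on the next line already uses the conditional form, and the same works here without the helper variable: `$(if $(CUSTOM), CUSTOM=$(pwd)/$(CUSTOM)) \`. If the `ifdef` block is kept, write `CUSTOMPWD := $(pwd)/$(CUSTOM)` at column 0, since the indentation of that line is not recoverable from this page and a tab would make it recipe text. `CUSTOM` comes from the invoking command line or environment and ends up as a path inside the firmware build, so a comment saying what it may point to is worthwhile.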