ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-18 12:46:26 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

merge linuxboot/heads master, adapt boards and linux configs

Browse Source 
Made sure all linux configs are in good oldconfig state by:
docker run -e DISPLAY=$DISPLAY --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) tlaurion/heads-dev-env:v0.2.3

find ./boards/ -type f | awk -F "/" {'print $3'} | sort | uniq | while read board; do make BOARD=$board linux.modify_and_save_oldconfig_in_place; done

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This commit is contained in:
Thierry Laurion 2024-10-30 14:33:23 -04:00
commit 6385a95368
No known key found for this signature in database
GPG Key ID: 9A53E1BB3FF00461
55 changed files with 112985 additions and 838 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
config/coreboot-librem_11.config
View File

@ -478,7 +478,6 @@ CONFIG_NO_EARLY_GFX_INIT=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_LINEAR_FRAMEBUFFER=y
CONFIG_BOOTSPLASH=y
CONFIG_HEAP_SIZE=0x400000
# end of Display
CONFIG_PCI=y
@ -623,6 +622,7 @@ CONFIG_BOOT_DEVICE_SPI_FLASH=y
CONFIG_BOOT_DEVICE_MEMORY_MAPPED=y
CONFIG_BOOT_DEVICE_SUPPORTS_WRITES=y
CONFIG_RTC=y
CONFIG_HEAP_SIZE=0x100000
#
# Console

2
config/coreboot-librem_13v2.config
View File

@ -501,7 +501,6 @@ CONFIG_NO_EARLY_GFX_INIT=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_LINEAR_FRAMEBUFFER=y
CONFIG_BOOTSPLASH=y
CONFIG_HEAP_SIZE=0x400000
# end of Display
CONFIG_PCI=y
@ -662,6 +661,7 @@ CONFIG_BOOT_DEVICE_SPI_FLASH=y
CONFIG_BOOT_DEVICE_MEMORY_MAPPED=y
CONFIG_BOOT_DEVICE_SUPPORTS_WRITES=y
CONFIG_RTC=y
CONFIG_HEAP_SIZE=0x100000
#
# Console

2
config/coreboot-librem_13v4.config
View File

@ -501,7 +501,6 @@ CONFIG_NO_EARLY_GFX_INIT=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_LINEAR_FRAMEBUFFER=y
CONFIG_BOOTSPLASH=y
CONFIG_HEAP_SIZE=0x400000
# end of Display
CONFIG_PCI=y
@ -662,6 +661,7 @@ CONFIG_BOOT_DEVICE_SPI_FLASH=y
CONFIG_BOOT_DEVICE_MEMORY_MAPPED=y
CONFIG_BOOT_DEVICE_SUPPORTS_WRITES=y
CONFIG_RTC=y
CONFIG_HEAP_SIZE=0x100000
#
# Console

2
config/coreboot-librem_14.config
View File

@ -498,7 +498,6 @@ CONFIG_NO_EARLY_GFX_INIT=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_LINEAR_FRAMEBUFFER=y
CONFIG_BOOTSPLASH=y
CONFIG_HEAP_SIZE=0x400000
# end of Display
CONFIG_PCI=y
@ -668,6 +667,7 @@ CONFIG_BOOT_DEVICE_SPI_FLASH=y
CONFIG_BOOT_DEVICE_MEMORY_MAPPED=y
CONFIG_BOOT_DEVICE_SUPPORTS_WRITES=y
CONFIG_RTC=y
CONFIG_HEAP_SIZE=0x100000
#
# Console

2
config/coreboot-librem_15v3.config
View File

@ -501,7 +501,6 @@ CONFIG_NO_EARLY_GFX_INIT=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_LINEAR_FRAMEBUFFER=y
CONFIG_BOOTSPLASH=y
CONFIG_HEAP_SIZE=0x400000
# end of Display
CONFIG_PCI=y
@ -662,6 +661,7 @@ CONFIG_BOOT_DEVICE_SPI_FLASH=y
CONFIG_BOOT_DEVICE_MEMORY_MAPPED=y
CONFIG_BOOT_DEVICE_SUPPORTS_WRITES=y
CONFIG_RTC=y
CONFIG_HEAP_SIZE=0x100000
#
# Console

2
config/coreboot-librem_15v4.config
View File

@ -501,7 +501,6 @@ CONFIG_NO_EARLY_GFX_INIT=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_LINEAR_FRAMEBUFFER=y
CONFIG_BOOTSPLASH=y
CONFIG_HEAP_SIZE=0x400000
# end of Display
CONFIG_PCI=y
@ -662,6 +661,7 @@ CONFIG_BOOT_DEVICE_SPI_FLASH=y
CONFIG_BOOT_DEVICE_MEMORY_MAPPED=y
CONFIG_BOOT_DEVICE_SUPPORTS_WRITES=y
CONFIG_RTC=y
CONFIG_HEAP_SIZE=0x100000
#
# Console

2
config/coreboot-librem_l1um_v2.config
View File

@ -498,7 +498,6 @@ CONFIG_NO_EARLY_GFX_INIT=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_LINEAR_FRAMEBUFFER=y
CONFIG_BOOTSPLASH=y
CONFIG_HEAP_SIZE=0x400000
# end of Display
CONFIG_PCI=y
@ -658,6 +657,7 @@ CONFIG_BOOT_DEVICE_SPI_FLASH=y
CONFIG_BOOT_DEVICE_MEMORY_MAPPED=y
CONFIG_BOOT_DEVICE_SUPPORTS_WRITES=y
CONFIG_RTC=y
CONFIG_HEAP_SIZE=0x100000
#
# Console

2
config/coreboot-librem_mini.config
View File

@ -502,7 +502,6 @@ CONFIG_NO_EARLY_GFX_INIT=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_LINEAR_FRAMEBUFFER=y
CONFIG_BOOTSPLASH=y
CONFIG_HEAP_SIZE=0x400000
# end of Display
CONFIG_PCI=y
@ -650,6 +649,7 @@ CONFIG_BOOT_DEVICE_SPI_FLASH=y
CONFIG_BOOT_DEVICE_MEMORY_MAPPED=y
CONFIG_BOOT_DEVICE_SUPPORTS_WRITES=y
CONFIG_RTC=y
CONFIG_HEAP_SIZE=0x100000
#
# Console

2
config/coreboot-librem_mini_v2.config
View File

@ -504,7 +504,6 @@ CONFIG_NO_EARLY_GFX_INIT=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_LINEAR_FRAMEBUFFER=y
CONFIG_BOOTSPLASH=y
CONFIG_HEAP_SIZE=0x400000
# end of Display
CONFIG_PCI=y
@ -657,6 +656,7 @@ CONFIG_BOOT_DEVICE_SPI_FLASH=y
CONFIG_BOOT_DEVICE_MEMORY_MAPPED=y
CONFIG_BOOT_DEVICE_SUPPORTS_WRITES=y
CONFIG_RTC=y
CONFIG_HEAP_SIZE=0x100000
#
# Console

2
config/coreboot-optiplex-7019_9010-maximized.config
View File

@ -385,7 +385,6 @@ CONFIG_NO_EARLY_GFX_INIT=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_LINEAR_FRAMEBUFFER=y
CONFIG_BOOTSPLASH=y
CONFIG_HEAP_SIZE=0x400000
# end of Display
CONFIG_PCI=y
@ -535,6 +534,7 @@ CONFIG_BOOT_DEVICE_SPI_FLASH=y
CONFIG_BOOT_DEVICE_MEMORY_MAPPED=y
CONFIG_BOOT_DEVICE_SUPPORTS_WRITES=y
CONFIG_RTC=y
CONFIG_HEAP_SIZE=0x100000
#
# Console

2
config/coreboot-optiplex-7019_9010_TXT-maximized.config
View File

@ -389,7 +389,6 @@ CONFIG_NO_EARLY_GFX_INIT=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_LINEAR_FRAMEBUFFER=y
CONFIG_BOOTSPLASH=y
CONFIG_HEAP_SIZE=0x400000
# end of Display
CONFIG_PCI=y
@ -549,6 +548,7 @@ CONFIG_BOOT_DEVICE_SPI_FLASH=y
CONFIG_BOOT_DEVICE_MEMORY_MAPPED=y
CONFIG_BOOT_DEVICE_SUPPORTS_WRITES=y
CONFIG_RTC=y
CONFIG_HEAP_SIZE=0x100000
#
# Console

2
config/coreboot-qemu-tpm1.config
View File

@ -327,7 +327,7 @@ CONFIG_NO_EARLY_GFX_INIT=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_LINEAR_FRAMEBUFFER=y
CONFIG_BOOTSPLASH=y
CONFIG_HEAP_SIZE=0x400000
CONFIG_HEAP_SIZE=0x100000
# end of Display
CONFIG_PCI=y

2
config/coreboot-qemu-tpm2.config
View File

@ -324,7 +324,7 @@ CONFIG_NO_EARLY_GFX_INIT=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_LINEAR_FRAMEBUFFER=y
CONFIG_BOOTSPLASH=y
CONFIG_HEAP_SIZE=0x400000
CONFIG_HEAP_SIZE=0x100000
# end of Display
CONFIG_PCI=y

2
config/coreboot-t420-maximized.config
View File

@ -424,7 +424,7 @@ CONFIG_NO_EARLY_GFX_INIT=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_LINEAR_FRAMEBUFFER=y
CONFIG_BOOTSPLASH=y
CONFIG_HEAP_SIZE=0x400000
CONFIG_HEAP_SIZE=0x100000
# end of Display
CONFIG_PCI=y

2
config/coreboot-t430-maximized.config
View File

@ -424,7 +424,7 @@ CONFIG_NO_EARLY_GFX_INIT=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_LINEAR_FRAMEBUFFER=y
CONFIG_BOOTSPLASH=y
CONFIG_HEAP_SIZE=0x400000
CONFIG_HEAP_SIZE=0x100000
# end of Display
CONFIG_PCI=y

2
config/coreboot-t440p.config
View File

@ -422,7 +422,7 @@ CONFIG_NO_EARLY_GFX_INIT=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_LINEAR_FRAMEBUFFER=y
CONFIG_BOOTSPLASH=y
CONFIG_HEAP_SIZE=0x400000
CONFIG_HEAP_SIZE=0x100000
# end of Display
CONFIG_PCI=y

2
config/coreboot-t530-maximized.config
View File

@ -424,7 +424,7 @@ CONFIG_NO_EARLY_GFX_INIT=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_LINEAR_FRAMEBUFFER=y
CONFIG_BOOTSPLASH=y
CONFIG_HEAP_SIZE=0x400000
CONFIG_HEAP_SIZE=0x100000
# end of Display
CONFIG_PCI=y

2
config/coreboot-w530-maximized.config
View File

@ -427,7 +427,7 @@ CONFIG_NO_EARLY_GFX_INIT=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_LINEAR_FRAMEBUFFER=y
CONFIG_BOOTSPLASH=y
CONFIG_HEAP_SIZE=0x400000
CONFIG_HEAP_SIZE=0x100000
# end of Display
CONFIG_PCI=y

2
config/coreboot-w541.config
View File

@ -422,7 +422,7 @@ CONFIG_NO_EARLY_GFX_INIT=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_LINEAR_FRAMEBUFFER=y
CONFIG_BOOTSPLASH=y
CONFIG_HEAP_SIZE=0x400000
CONFIG_HEAP_SIZE=0x100000
# end of Display
CONFIG_PCI=y

2
config/coreboot-x220-maximized.config
View File

@ -424,7 +424,7 @@ CONFIG_NO_EARLY_GFX_INIT=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_LINEAR_FRAMEBUFFER=y
CONFIG_BOOTSPLASH=y
CONFIG_HEAP_SIZE=0x400000
CONFIG_HEAP_SIZE=0x100000
# end of Display
CONFIG_PCI=y

2
config/coreboot-x230-legacy-flash.config
View File

@ -413,7 +413,7 @@ CONFIG_NO_EARLY_GFX_INIT=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_LINEAR_FRAMEBUFFER=y
CONFIG_BOOTSPLASH=y
CONFIG_HEAP_SIZE=0x400000
CONFIG_HEAP_SIZE=0x100000
# end of Display
CONFIG_PCI=y

2
config/coreboot-x230-legacy.config
View File

@ -413,7 +413,7 @@ CONFIG_NO_EARLY_GFX_INIT=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_LINEAR_FRAMEBUFFER=y
CONFIG_BOOTSPLASH=y
CONFIG_HEAP_SIZE=0x400000
CONFIG_HEAP_SIZE=0x100000
# end of Display
CONFIG_PCI=y

2
config/coreboot-x230-maximized-fhd_edp.config
View File

@ -425,7 +425,7 @@ CONFIG_NO_EARLY_GFX_INIT=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_LINEAR_FRAMEBUFFER=y
CONFIG_BOOTSPLASH=y
CONFIG_HEAP_SIZE=0x400000
CONFIG_HEAP_SIZE=0x100000
# end of Display
CONFIG_PCI=y

2
config/coreboot-x230-maximized.config
View File

@ -424,7 +424,7 @@ CONFIG_NO_EARLY_GFX_INIT=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_LINEAR_FRAMEBUFFER=y
CONFIG_BOOTSPLASH=y
CONFIG_HEAP_SIZE=0x400000
CONFIG_HEAP_SIZE=0x100000
# end of Display
CONFIG_PCI=y

2
config/coreboot-z220-cmt.config
View File

@ -401,7 +401,7 @@ CONFIG_NO_EARLY_GFX_INIT=y
CONFIG_GENERIC_LINEAR_FRAMEBUFFER=y
CONFIG_LINEAR_FRAMEBUFFER=y
CONFIG_BOOTSPLASH=y
CONFIG_HEAP_SIZE=0x400000
CONFIG_HEAP_SIZE=0x100000
# end of Display
CONFIG_PCI=y

2
config/linux-talos-2.config
View File

@ -162,7 +162,7 @@ CONFIG_SIGNALFD=y
CONFIG_TIMERFD=y
CONFIG_EVENTFD=y
CONFIG_SHMEM=y
CONFIG_AIO=y
CONFIG_AIO is not set
CONFIG_IO_URING=y
CONFIG_ADVISE_SYSCALLS=y
CONFIG_MEMBARRIER=y

7
initrd/bin/kexec-save-default
View File

@ -218,16 +218,17 @@ if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ] && [
save_key="y"
fi
else
DEBUG "No previous LUKS TPM Disk Unlock Key was set up, confirming to add a Disk Encryption Key to the TPM"
DEBUG "No previous LUKS TPM Disk Unlock Key was set up, confirming to add a Disk Unlock Key (DUK) to the TPM"
read \
-n 1 \
-p "Do you wish to add a disk encryption to the TPM [y/N]: " \
-p "Do you wish to add a disk encryption key to the TPM [y/N]: " \
add_key_confirm
#TODO: still not convinced: disk encryption key? decryption key? everywhere TPM Disk Unlock Key. Confusing even more?
echo
if [ "$add_key_confirm" = "y" \
-o "$add_key_confirm" = "Y" ]; then
DEBUG "User confirmed desire to add a Disk Encryption Key to the TPM"
DEBUG "User confirmed desire to add a Disk Unlock Key (DUK) to the TPM"
save_key="y"
fi
fi

229
initrd/bin/kexec-seal-key
View File

@ -1,15 +1,33 @@
#!/bin/bash
# This will generate a disk encryption key and seal / ecncrypt
# This will generate a disk encryption key and seal / encrypt
# with the current PCRs and then store it in the TPM NVRAM.
# It will then need to be bundled into initrd that is booted.
set -e -o pipefail
. /etc/functions
find_drk_key_slot() {
local temp_drk_key_slot=""
local keyslot
for keyslot in "${luks_used_keyslots[@]}"; do
if [ -z "$temp_drk_key_slot" ]; then
DEBUG "Testing LUKS key slot $keyslot against $DISK_RECOVERY_KEY_FILE for Disk Recovery Key slot..."
if DO_WITH_DEBUG cryptsetup open --test-passphrase --key-slot "$keyslot" --key-file "$DISK_RECOVERY_KEY_FILE" "$dev"; then
temp_drk_key_slot="$keyslot"
DEBUG "Disk Recovery key slot is $temp_drk_key_slot"
break
fi
fi
done
echo "$temp_drk_key_slot"
}
TPM_INDEX=3
TPM_SIZE=312
KEY_FILE="/tmp/secret/secret.key"
DUK_KEY_FILE="/tmp/secret/secret.key"
TPM_SEALED="/tmp/secret/secret.sealed"
RECOVERY_KEY="/tmp/secret/recovery.key"
DISK_RECOVERY_KEY_FILE="/tmp/secret/recovery.key"
. /etc/functions
. /tmp/config
@ -23,11 +41,12 @@ fi
KEY_DEVICES="$paramsdir/kexec_key_devices.txt"
KEY_LVM="$paramsdir/kexec_key_lvm.txt"
key_devices=$(cat "$KEY_DEVICES" | cut -d\ -f1 | tr '\n' ' ')
if [ ! -r "$KEY_DEVICES" ]; then
die "No devices defined for disk encryption"
else
DEBUG "Devices defined for disk encryption: $(cat "$KEY_DEVICES" | cut -d\ -f1 | tr '\n' ' ')"
DEBUG "Devices defined for disk encryption: $key_devices"
fi
if [ -r "$KEY_LVM" ]; then
@ -44,92 +63,160 @@ fi
DEBUG "$(pcrs)"
# LUKS Key slot 0 is the manual recovery pass phrase
# that they user entered when they installed OS,
# key slot 1 is the one that we've generated.
read -s -p "Enter LUKS Disk Recovery Key/passphrase: " disk_password
echo -n "$disk_password" >"$RECOVERY_KEY"
echo
read -s -p "New LUKS TPM Disk Unlock Key passphrase for booting: " key_password
echo
read -s -p "Repeat LUKS TPM Disk Unlock Key passphrase for booting: " key_password2
echo
luks_drk_passphrase_valid=0
for dev in $key_devices ; do
attempts=0
while [ $attempts -lt 3 ]; do
if [ "$luks_drk_passphrase_valid" == "0" ]; then
# Ask for the passphrase only once
read -s -p "Enter LUKS Disk Recovery Key (DRK) passphrase that can unlock: $key_devices: " disk_recovery_key_passphrase
#Using he provided passphrase as the DRK "keyfile" for unattended operations
echo -n "$disk_recovery_key_passphrase" >"$DISK_RECOVERY_KEY_FILE"
echo
fi
if [ "$key_password" != "$key_password2" ]; then
die "Key passphrases do not match"
fi
DEBUG "Testing $DISK_RECOVERY_KEY_FILE keyfile created from provided passphrase against $dev individual key slots"
if cryptsetup open $dev --test-passphrase --key-file "$DISK_RECOVERY_KEY_FILE" >/dev/null 2>&1; then
echo "++++++ $dev: LUKS device unlocked successfully with the DRK passphrase"
luks_drk_passphrase_valid=1
break
else
attempts=$((attempts + 1))
if [ "$attempts" == "3" ] && [ "$luks_drk_passphrase_valid" == "0" ]; then
die "Failed to unlock LUKS device $dev with the provided passphrase. Exiting..."
elif [ "$attempts" != "3" ] && [ "$luks_drk_passphrase_valid" == "1" ]; then
#We failed unlocking with DRK passphrase another LUKS container
die "LUKS device $key_devices cannot all be unlocked with same passphrase. Please make $key_devices devices unlockable with the same passphrase. Exiting"
else
warn "Failed to unlock LUKS device $dev with the provided passphrase. Please try again."
fi
fi
done
done
attempts=0
while [ $attempts -lt 3 ]; do
read -s -p "New LUKS TPM Disk Unlock Key passphrase (DUK) for booting: " key_password
echo
read -s -p "Repeat LUKS TPM Disk Unlock Key (DUK) passphrase for booting: " key_password2
echo
if [ "$key_password" != "$key_password2" ]; then
attempts=$((attempts + 1))
if [ "$attempts" == "3" ]; then
die "Disk Unlock Key passphrases do not match. Exiting..."
else
warn "Disk Unlock Key passphrases do not match. Please try again."
fi
else
break
fi
done
# Generate key file
echo "++++++ Generating new randomized 128 bytes key file that will be sealed/unsealed by LUKS TPM Disk Unlock Key passphrase"
dd \
if=/dev/urandom \
of="$KEY_FILE" \
of="$DUK_KEY_FILE" \
bs=1 \
count=128 \
2>/dev/null ||
die "Unable to generate 128 random bytes"
# Count the number of slots used on each device
for dev in $(cat "$KEY_DEVICES" | cut -d\ -f1); do
DEBUG "Checking number of slots used on $dev LUKS header"
#check if the device is a LUKS device with luks[1,2]
# Get the number of key slots used on the LUKS header.
# LUKS1 Format is :
# Slot 0: ENABLED
# Slot 1: ENABLED
# Slot 2: DISABLED
# Slot 3: DISABLED
#...
# Slot 7: DISABLED
# Luks2 only reports on enabled slots.
# luks2 Format is :
# 0: luks2
# 1: luks2
# Meaning that the number of slots used is the number of lines returned by a grep on the LUKS2 above format.
# We need to count the number of ENABLED slots for both LUKS1 and LUKS2
# create regex pattern for both LUKS1 and LUKS2
regex="Slot [0-9]*: ENABLED"
regex+="\|"
regex+="[0-9]*: luks2"
slots_used=$(cryptsetup luksDump "$dev" | grep -c "$regex" || die "Unable to get number of slots used on $dev")
DEBUG "Number of slots used on $dev LUKS header: $slots_used"
# If slot1 is the only one used, warn and die with proper messages
if [ "$slots_used" -eq 1 ]; then
# Check if slot 1 is the only one existing
if [ "$(cryptsetup luksDump "$dev" | grep -c "Slot 1: ENABLED")" -eq 1 ] || [ "$(cryptsetup luksDump "$dev" | grep -c "1: luks2")" -eq 1 ]; then
warn "Slot 1 is the only one existing on $dev LUKS header. Heads cannot use it to store TPM sealed LUKS Disk Unlock Key"
warn "Slot 1 should not be the only slot existing on $dev LUKS header. Slot 0 should be used to store LUKS Disk Recovery Key/passphrase"
die "You can safely fix this before continuing through Heads recovery shell: cryptsetup luksAddKey $dev"
fi
else
DEBUG "Slot 1 is not the only existing slot on $dev LUKS header."
DEBUG "$dev LUKS header's slot 1 will store LUKS Disk Unlock Key that TPM will seal/unseal with LUKS TPM Disk Unlock Key passphrase"
previous_luks_header_version=0
for dev in $key_devices; do
# Check and store LUKS version of the devices to be used later
luks_version=$(cryptsetup luksDump "$dev" | grep "Version" | cut -d: -f2 | tr -d '[:space:]')
if [ "$luks_version" == "2" ] && [ "$previous_luks_header_version" == "1" ]; then
die "$dev: LUKSv2 device detected while LUKSv1 device was detected previously. Exiting..."
fi
done
# Remove all the old keys from slot 1
for dev in $(cat "$KEY_DEVICES" | cut -d\ -f1); do
echo "++++++ $dev: Removing old LUKS TPM Disk Unlock Key in LUKS slot 1"
cryptsetup luksKillSlot \
--key-file "$RECOVERY_KEY" \
$dev 1 ||
warn "$dev: removal of LUKS TPM Disk Unlock Key in LUKS slot 1 failed: might not exist. Continuing"
if [ "$luks_version" == "1" ] && [ "$previous_luks_header_version" == "2" ]; then
die "$dev: LUKSv1 device detected while LUKSv2 device was detected previously. Exiting..."
fi
echo "++++++ $dev: Adding LUKS TPM Disk Unlock Key to LUKS slot 1"
cryptsetup luksAddKey \
--key-file "$RECOVERY_KEY" \
--key-slot 1 \
$dev "$KEY_FILE" ||
die "$dev: Unable to add LUKS TPM Disk Unlock Key to LUKS slot 1"
if [ "$luks_version" == "2" ]; then
# LUKSv2 last key slot is 31
duk_keyslot=31
regex="^\s+([0-9]+):\s*luks2"
sed_command="s/^\s\+\([0-9]\+\):\s*luks2/\1/g"
previous_luks_header_version=2
DEBUG "$dev: LUKSv2 device detected"
elif [ "$luks_version" == "1" ]; then
# LUKSv1 last key slot is 7
duk_keyslot=7
regex="Key Slot ([0-9]+): ENABLED"
sed_command='s/Key Slot \([0-9]\+\): ENABLED/\1/'
previous_luks_header_version=1
DEBUG "$dev: LUKSv1 device detected"
else
die "$dev: Unsupported LUKS version $luks_version"
fi
# drk_key_slot will be the slot number where the passphrase was tested against as valid. We will keep that slot
drk_key_slot="-1"
# Get all the key slots that are used on $dev
luks_used_keyslots=($(cryptsetup luksDump "$dev" | grep -E "$regex" | sed "$sed_command"))
DEBUG "$dev LUKS key slots: ${luks_used_keyslots[*]}"
#Find the key slot that can be unlocked with the provided passphrase
drk_key_slot=$(find_drk_key_slot)
# If we didn't find the DRK key slot, we exit (this should never happen)
if [ "$drk_key_slot" == "-1" ]; then
die "$dev: Unable to find a key slot that can be unlocked with provided passphrase. Exiting..."
fi
# If the key slot is not the expected DUK o FRK key slot, we will ask the user to confirm the wipe
for keyslot in "${luks_used_keyslots[@]}"; do
if [ "$keyslot" != "$drk_key_slot" ]; then
#set wipe_desired to no by default
wipe_desired="no"
if [ "$keyslot" != "$drk_key_slot" ] && [ "$keyslot" == "1" ]; then
wipe_desired="yes"
DEBUG "LUKS key slot $keyslot not DRK. Will wipe this DUK key slot silently"
elif [ "$keyslot" != "$drk_key_slot" ] && [ "$keyslot" != "$duk_keyslot" ]; then
# Heads expects key slot LUKSv1:7 or LUKSv2:31 to be used for TPM DUK setup.
# Ask user to confirm otherwise
warn "LUKS key slot $keyslot is not typical ($duk_keyslot expected) for TPM Disk Unlock Key setup"
read -p "Are you sure you want to wipe it? [y/N] " -n 1 -r
echo
# If user does not confirm, skip this slot
if [[ $REPLY =~ ^[Yy]$ ]]; then
wipe_desired="yes"
fi
elif [ "$keyslot" == "$duk_keyslot" ]; then
# If key slot is the expected DUK keyslot, we wipe it silently
DEBUG "LUKS key slot $keyslot is the expected DUK key slot. Will wipe this DUK key slot silently"
wipe_desired="yes"
fi
if [ "$wipe_desired" == "yes" ] && [ "$keyslot" != "$drk_key_slot" ]; then
echo "++++++ $dev: Wiping LUKS key slot $keyslot"
DO_WITH_DEBUG cryptsetup luksKillSlot \
--key-file "$DISK_RECOVERY_KEY_FILE" \
$dev $keyslot ||
warn "$dev: removal of LUKS slot $keyslot failed: Continuing"
fi
fi
done
echo "++++++ $dev: Adding LUKS TPM Disk Unlock Key to LUKS key slot $duk_keyslot"
DO_WITH_DEBUG cryptsetup luksAddKey \
--key-file "$DISK_RECOVERY_KEY_FILE" \
--new-key-slot $duk_keyslot \
$dev "$DUK_KEY_FILE" ||
die "$dev: Unable to add LUKS TPM Disk Unlock Key to LUKS key slot $duk_keyslot"
done
# Now that we have setup the new keys, measure the PCRs
# We don't care what ends up in PCR 6; we just want
# to get the /tmp/luksDump.txt file. We use PCR16
# since it should still be zero
cat "$KEY_DEVICES" | cut -d\ -f1 | xargs /bin/qubes-measure-luks ||
echo "$key_devices" | xargs /bin/qubes-measure-luks ||
die "Unable to measure the LUKS headers"
pcrf="/tmp/secret/pcrf.bin"
@ -155,13 +242,13 @@ tpmr calcfuturepcr 6 "/tmp/luksDump.txt" >>"$pcrf"
tpmr pcrread -a 7 "$pcrf"
DO_WITH_DEBUG --mask-position 7 \
tpmr seal "$KEY_FILE" "$TPM_INDEX" 0,1,2,3,4,5,6,7 "$pcrf" \
tpmr seal "$DUK_KEY_FILE" "$TPM_INDEX" 0,1,2,3,4,5,6,7 "$pcrf" \
"$TPM_SIZE" "$key_password" || die "Unable to write LUKS TPM Disk Unlock Key to NVRAM"
# should be okay if this fails
shred -n 10 -z -u "$pcrf" 2>/dev/null ||
warn "Failed to delete pcrf file - continuing"
shred -n 10 -z -u "$KEY_FILE" 2>/dev/null ||
shred -n 10 -z -u "$DUK_KEY_FILE" 2>/dev/null ||
warn "Failed to delete key file - continuing"
mount -o rw,remount $paramsdir || warn "Failed to remount $paramsdir in RW - continuing"

25
initrd/bin/oem-factory-reset
View File

@ -44,6 +44,12 @@ GPG_ALGO="RSA"
# Default RSA key length is 3072 bits for OEM key gen. 4096 are way longer to generate in smartcard
RSA_KEY_LENGTH=3072
#Override RSA_KEY_LENGTH to 2048 bits for Canokey under qemu testing boards until canokey fixes
if [[ "$CONFIG_BOARD_NAME" == qemu-* ]]; then
DEBUG "Overriding RSA_KEY_LENGTH to 2048 bits for Canokey under qemu testing boards"
RSA_KEY_LENGTH=2048
fi
GPG_USER_NAME="OEM Key"
GPG_KEY_NAME=$(date +%Y%m%d%H%M%S)
GPG_USER_MAIL="oem-${GPG_KEY_NAME}@example.com"
@ -266,20 +272,20 @@ keytocard_subkeys_to_smartcard() {
{
echo "key 1" #Toggle on Signature key in --edit-key mode on local keyring
echo "keytocard" #Move Signature key to smartcard
echo "1" #Select Signature key keyslot on smartcard
echo "1" #Select Signature key key slot on smartcard
echo "${ADMIN_PIN}" #Local keyring Subkey PIN
echo "${ADMIN_PIN_DEF}" #Smartcard Admin PIN
echo "0" #No expiration date
echo "key 1" #Toggle off Signature key
echo "key 2" #Toggle on Encryption key
echo "keytocard" #Move Encryption key to smartcard
echo "2" #Select Encryption key keyslot on smartcard
echo "2" #Select Encryption key key slot on smartcard
echo "${ADMIN_PIN}" #Local keyring Subkey PIN
echo "${ADMIN_PIN_DEF}" #Smartcard Admin PIN
echo "key 2" #Toggle off Encryption key
echo "key 3" #Toggle on Authentication key
echo "keytocard" #Move Authentication key to smartcard
echo "3" #Select Authentication key keyslot on smartcard
echo "3" #Select Authentication key slot on smartcard
echo "${ADMIN_PIN}" #Local keyring Subkey PIN
echo "${ADMIN_PIN_DEF}" #Smartcard Admin PIN
echo "key 3" #Toggle off Authentication key
@ -383,6 +389,7 @@ export_public_key_to_thumbdrive_public_partition() {
#pass non-empty arguments to --pass, --mountpoint, --device, --mode
mount-usb --device "$device" --mode "$mode" --mountpoint "$mountpoint" || die "Error mounting thumb drive's public partition"
#TODO: reuse "Obtain GPG key ID" so that pubkey on public thumb drive partition is named after key ID
gpg --export --armor "${GPG_USER_MAIL}" >"$mountpoint"/pubkey.asc || die "Error exporting public key to thumb drive's public partition"
umount "$mountpoint" || die "Error unmounting thumb drive's public partition"
@ -879,6 +886,7 @@ report_integrity_measurements
clear
#Prompt user for use of default configuration options
TRACE_FUNC
echo -e -n "Would you like to use default configuration options?\nIf N, you will be prompted for each option [Y/n]: "
read -n 1 use_defaults
@ -907,6 +915,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
echo
if [ "$prompt_output" == "y" \
-o "$prompt_output" == "Y" ]; then
TRACE_FUNC
test_luks_current_disk_recovery_key_passphrase
luks_new_Disk_Recovery_Key_desired=1
echo -e "\n"
@ -970,8 +979,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
echo
if [ "$prompt_output" == "y" \
-o "$prompt_output" == "Y" ]; then
echo -e "\nThe chosen custom password must be between 8 and $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n"
echo
echo -e "\nThe chosen custom password must be between 8 and $MAX_HOTP_GPG_PIN_LENGTH characters in length."
while [[ ${#CUSTOM_SINGLE_PASS} -lt 8 ]] || [[ ${#CUSTOM_SINGLE_PASS} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do
echo -e -n "Enter the custom password: "
read CUSTOM_SINGLE_PASS
@ -999,8 +1007,8 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
read TPM_PASS
done
fi
while [[ ${#ADMIN_PIN} -lt 8 ]] || [[ ${#ADMIN_PIN} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do
echo -e -n "\nThis PIN should be between 8 to $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n"
while [[ ${#ADMIN_PIN} -lt 6 ]] || [[ ${#ADMIN_PIN} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do
echo -e -n "\nThis PIN should be between 6 to $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n"
echo -e -n "Enter desired GPG Admin PIN: "
read ADMIN_PIN
done
@ -1028,6 +1036,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
}
done
#We test that current LUKS Disk Recovery Key passphrase is known prior of going further
TRACE_FUNC
test_luks_current_disk_recovery_key_passphrase
echo -e "\n"
fi
@ -1147,8 +1156,8 @@ fi
if [ -n "$luks_new_Disk_Recovery_Key_desired" -a -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
#Reencryption of disk, LUKS Disk Recovery Key and LUKS Disk Recovery Key passphrase change is requested
luks_change_passphrase
luks_reencrypt
luks_change_passphrase
elif [ -n "$luks_new_Disk_Recovery_Key_desired" -a -z "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
#Reencryption of disk was requested but not passphrase change
luks_reencrypt

2
initrd/bin/seal-totp
View File

@ -46,6 +46,7 @@ DEBUG "Sealing TOTP neglecting PCR5 involvement (Dynamically loaded kernel modul
# pcr 6 (drive LUKS header) is not measured at sealing/unsealing of totp
DEBUG "Sealing TOTP without PCR6 involvement (LUKS header consistency is not firmware integrity attestation related)"
# pcr 7 is containing measurements of user injected stuff in cbfs
DEBUG "Sealing TOTP with actual state of PCR7 (User injected stuff in cbfs)"
tpmr pcrread -a 7 "$pcrf"
#Make sure we clear the TPM Owner Password from memory in case it failed to be used to seal TOTP
tpmr seal "$TOTP_SECRET" "$TPM_NVRAM_SPACE" 0,1,2,3,4,7 "$pcrf" 312 "" "$TPM_PASSWORD" ||
@ -56,5 +57,6 @@ shred -n 10 -z -u "$TOTP_SEALED" 2>/dev/null
url="otpauth://totp/$HOST?secret=$secret"
secret=""
DEBUG "TOTP secret output on screen (both URL and QR code)"
qrenc "$url"
echo "$url"

470
initrd/etc/luks-functions
View File

@ -1,19 +1,110 @@
#!/bin/bash
# LUKS related functions
# This script contains various functions related to LUKS (Linux Unified Key Setup) encryption management.
. /etc/functions
. /etc/gui_functions
. /tmp/config
#List all LUKS devices on the system
list_luks_devices() {
#generate a list of devices to choose from that contain a LUKS header
# List all LUKS devices on the system that are not USB
list_local_luks_devices() {
TRACE_FUNC
lvm vgscan || true
blkid | cut -d ':' -f 1 | while read device; do
if cryptsetup isLuks $device; then echo $device; fi
blkid | cut -d ':' -f 1 | while read -r device; do
DEBUG "Checking device: $device"
if cryptsetup isLuks "$device"; then
DEBUG "Device $device is a LUKS device"
dev_name=$(basename "$device")
parent_dev_name=$(echo "$dev_name" | sed 's/[0-9]*$//')
if [ -e "/sys/block/$parent_dev_name" ]; then
DEBUG "Device $device exists in /sys/block"
if ! stat -c %N "/sys/block/$parent_dev_name" 2>/dev/null | grep -q "usb"; then
DEBUG "Device $device is not a USB device"
echo "$device"
else
DEBUG "Device $device is a USB device, skipping"
fi
else
DEBUG "Device $device does not exist in /sys/block, skipping"
fi
else
DEBUG "Device $device is not a LUKS device"
fi
done | sort
}
# Prompt for LUKS Disk Recovery Key passphrase
prompt_luks_passphrase() {
TRACE_FUNC
while [[ ${#luks_current_Disk_Recovery_Key_passphrase} -lt 8 ]]; do
echo -e "\nEnter the LUKS Disk Recovery Key passphrase (At least 8 characters long):"
read -r luks_current_Disk_Recovery_Key_passphrase
if [[ ${#luks_current_Disk_Recovery_Key_passphrase} -lt 8 ]]; then
echo -e "\nPassphrase must be at least 8 characters long. Please try again."
unset luks_current_Disk_Recovery_Key_passphrase
continue
fi
done
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/secret/luks_current_Disk_Recovery_Key_passphrase
}
# Test LUKS passphrase against all found LUKS containers that are not USB
test_luks_passphrase() {
TRACE_FUNC
list_local_luks_devices >/tmp/luks_devices.txt
if [ ! -s /tmp/luks_devices.txt ]; then
warn "No LUKS devices found"
return 1
fi
valid_luks_devices=()
while read -r luks_device; do
DEBUG "Testing passphrase on $luks_device"
if cryptsetup open --test-passphrase "$luks_device" --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase; then
DEBUG "Passphrase valid for $luks_device"
valid_luks_devices+=("$luks_device")
else
DEBUG "Passphrase test failed on $luks_device"
fi
done </tmp/luks_devices.txt
if [ ${#valid_luks_devices[@]} -eq 0 ]; then
return 1
fi
# Export the valid LUKS devices
export LUKS="${valid_luks_devices[*]}"
return 0
}
# Confirm with the user to use all unlockable LUKS partitions
confirm_luks_partitions() {
TRACE_FUNC
MSG="The following LUKS partitions can be unlocked:\n\n${LUKS}\n\nDo you want to use all of these partitions?"
if [ -x /bin/whiptail ]; then
if ! whiptail --title "Confirm LUKS Partitions" --yesno "$MSG" 0 80; then
die "User aborted the operation"
fi
else
echo -e "$MSG"
read -p "Do you want to use all of these partitions? (y/n): " confirm
if [ "$confirm" != "y" ]; then
die "User aborted the operation"
fi
fi
}
# Main function to prompt for passphrase, test it, and confirm partitions
main_luks_selection() {
TRACE_FUNC
prompt_luks_passphrase
if ! test_luks_passphrase; then
die "Passphrase test failed on all LUKS devices"
fi
confirm_luks_partitions
DEBUG "Selected LUKS partitions: $LUKS"
}
#Whiptail prompt asking user to select ratio of device to use for LUKS container between: 25, 50, 75
select_luks_container_size_percent() {
TRACE_FUNC
@ -38,13 +129,13 @@ select_luks_container_size_percent() {
echo "4. 75%"
read -p "Choose your LUKS container size percentage of device [1-3]: " option_index
if [ "$option_index" = "1" ]; then
echo "10" > /tmp/luks_container_size_percent
echo "10" >/tmp/luks_container_size_percent
elif [ "$option_index" = "2" ]; then
echo "25" > /tmp/luks_container_size_percent
echo "25" >/tmp/luks_container_size_percent
elif [ "$option_index" = "3" ]; then
echo "50" > /tmp/luks_container_size_percent
echo "50" >/tmp/luks_container_size_percent
elif [ "$option_index" = "4" ]; then
echo "75" > /tmp/luks_container_size_percent
echo "75" >/tmp/luks_container_size_percent
else
die "Error selecting LUKS container size percentage of device"
fi
@ -54,8 +145,7 @@ select_luks_container_size_percent() {
# Partition a device interactively with two partitions: a LUKS container
# containing private ext4 partition and second public exFAT partition
# Size provisioning is done by percentage of the device
interactive_prepare_thumb_drive()
{
interactive_prepare_thumb_drive() {
TRACE_FUNC
#Refactoring: only one parameter needed to be prompted for: the passphrase for LUKS container if not coming from oem-provisioning
#If no passphrase was provided, ask user to select passphrase for LUKS container
@ -64,9 +154,9 @@ interactive_prepare_thumb_drive()
# we will validate parameters and not make them positional and print a usage function first
#Set defaults
DEVICE="" #Will list all usb storage devices if not provided as parameter
DEVICE="" #Will list all usb storage devices if not provided as parameter
PERCENTAGE="10" #default to 10% of device to use for LUKS container (requires a LUKS partition bigger then 32mb!)
PASSPHRASE="" #Will prompt user for passphrase if not provided as parameter
PASSPHRASE="" #Will prompt user for passphrase if not provided as parameter
#Parse parameters
while [ $# -gt 0 ]; do
@ -100,29 +190,30 @@ interactive_prepare_thumb_drive()
#If no passphrase was provided, ask user to select passphrase for LUKS container
#console based no whiptail
while [[ ${#PASSPHRASE} -lt 8 ]]; do
{
echo -e "\nEnter passphrase for LUKS container (At least 8 characters long):"
#hide passphrase input from read command
read -r -s PASSPHRASE
#skip confirmation if passphrase is less then 8 characters long (continue)
if [[ ${#PASSPHRASE} -lt 8 ]]; then
echo -e "\nPassphrase must be at least 8 characters long. Please try again."
unset PASSPHRASE
continue
fi
#validate passphrase and ask user to re-enter if not at least 8 characters long
#confirm passphrase
echo -e "\nConfirm passphrase for LUKS container:"
#hide passphrase input from read command
read -r -s PASSPHRASE_CONFIRM
#compare passphrase and passphrase confirmation
if [ "$PASSPHRASE" != "$PASSPHRASE_CONFIRM" ]; then
echo -e "\nPassphrases do not match. Please try again."
unset PASSPHRASE
unset PASSPHRASE_CONFIRM
fi
{
echo -e "\nEnter passphrase for LUKS container (At least 8 characters long):"
#hide passphrase input from read command
read -r -s PASSPHRASE
#skip confirmation if passphrase is less then 8 characters long (continue)
if [[ ${#PASSPHRASE} -lt 8 ]]; then
echo -e "\nPassphrase must be at least 8 characters long. Please try again."
unset PASSPHRASE
continue
fi
#validate passphrase and ask user to re-enter if not at least 8 characters long
#confirm passphrase
echo -e "\nConfirm passphrase for LUKS container:"
#hide passphrase input from read command
read -r -s PASSPHRASE_CONFIRM
#compare passphrase and passphrase confirmation
if [ "$PASSPHRASE" != "$PASSPHRASE_CONFIRM" ]; then
echo -e "\nPassphrases do not match. Please try again."
unset PASSPHRASE
unset PASSPHRASE_CONFIRM
fi
};done
}
done
fi
#If no device was provided, ask user to select device to partition
@ -130,8 +221,8 @@ interactive_prepare_thumb_drive()
#warn user to disconnect all external drives
if [ -x /bin/whiptail ]; then
whiptail_warning --title "WARNING: Disconnect all external drives" --msgbox \
"WARNING: Please disconnect all external drives before proceeding.\n\nHit Enter to continue." 0 80 \
|| die "User cancelled wiping and repartitioning of $DEVICE"
"WARNING: Please disconnect all external drives before proceeding.\n\nHit Enter to continue." 0 80 ||
die "User cancelled wiping and repartitioning of $DEVICE"
else
echo -e -n "Warning: Please disconnect all external drives before proceeding.\n\nHit Enter to continue?"
read -r -p " [Y/n] " response
@ -149,7 +240,7 @@ interactive_prepare_thumb_drive()
enable_usb_storage
#list all usb storage devices
list_usb_storage disks > /tmp/devices.txt
list_usb_storage disks >/tmp/devices.txt
if [ $(cat /tmp/devices.txt | wc -l) -gt 0 ]; then
file_selector "/tmp/devices.txt" "Select device to partition"
if [ "$FILE" == "" ]; then
@ -186,8 +277,7 @@ interactive_prepare_thumb_drive()
# parameters:
# $1 - block device of flash drive
# $2 - percent of device allocated to LUKS [1-99]
confirm_thumb_drive_format()
{
confirm_thumb_drive_format() {
TRACE_FUNC
local DEVICE LUKS_PERCENTAGE DISK_SIZE_BYTES DISK_SIZE_DISPLAY LUKS_PERCENTAGE LUKS_SIZE_MB MSG
@ -228,8 +318,7 @@ confirm_thumb_drive_format()
# $1 - block device of flash drive
# $2 - percentage of flash drive to allocate to LUKS [1-99]
# $3 - passphrase for LUKS container
prepare_thumb_drive()
{
prepare_thumb_drive() {
TRACE_FUNC
local DEVICE PERCENTAGE PASSPHRASE DISK_SIZE_BYTES PERCENTAGE_MB
@ -265,183 +354,230 @@ prepare_thumb_drive()
echo "Done."
}
select_luks_container()
{
# Select LUKS container
select_luks_container() {
TRACE_FUNC
if [ -s /boot/kexec_key_devices.txt ]; then
DEBUG "Reusing known good LUKS container device from /boot/kexec_key_devices.txt"
DEBUG "LUKS container device: $(cut -d ' ' -f1 /boot/kexec_key_devices.txt)"
LUKS=$(cut -d ' ' -f1 /boot/kexec_key_devices.txt)
else
list_luks_devices > /tmp/luks_devices.txt
#if /tmp/luks_devices.txt exists and is not empty
if [ -s /tmp/luks_devices.txt ]; then
file_selector "/tmp/luks_devices.txt" "Select LUKS container device"
if [ "$FILE" == "" ]; then
return 1
else
LUKS=$FILE
detect_boot_device
mount -o remount,rw /boot
echo "$LUKS $(cryptsetup luksUUID $LUKS)" >/boot/kexec_key_devices.txt
mount -o remount,ro /boot
fi
else
warn "No encrypted device found"
return 1
fi
DEBUG "LUKS container device: $(echo $LUKS)"
elif [ -z "$LUKS" ]; then
main_luks_selection
fi
}
test_luks_current_disk_recovery_key_passphrase()
{
# Test LUKS current disk recovery key passphrase
test_luks_current_disk_recovery_key_passphrase() {
TRACE_FUNC
while :; do
select_luks_container || return 1
PRINTABLE_LUKS=$(echo $LUKS)
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
#if no external provisioning provides current LUKS Disk Recovery Key passphrase
echo -e "\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):"
read -r luks_current_Disk_Recovery_Key_passphrase
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Testing opening "$LUKS" LUKS encrypted drive content with the current LUKS Disk Recovery Key passphrase..."
cryptsetup open $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/secret/luks_current_Disk_Recovery_Key_passphrase
else
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Testing opening "$LUKS" LUKS encrypted drive content with the current LUKS Disk Recovery Key passphrase..."
cryptsetup open $LUKS test --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
echo -n "$luks_current_Disk_Recovery_Key_passphrase" > /tmp/secret/luks_current_Disk_Recovery_Key_passphrase
fi
#Validate past cryptsetup-reencrypt attempts
if [ $? -eq 0 ]; then
whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \
"If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 30 60
shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null
#unsetting luks_current_Disk_Recovery_Key_passphrase so we prompt for it again LUKS Disk Recovery Key passphrase prompt on next round
unset luks_current_Disk_Recovery_Key_passphrase
#remove "known good" selected LUKS container so that next pass asks again user to select LUKS container.
#maybe the container was not the right one
detect_boot_device
mount -o remount,rw /boot
rm -f /boot/kexec_key_devices.txt
mount -o remount,ro /boot
else
#LuksOpen test was successful. Cleanup should be called only when done
#Exporting successfully used passphrase possibly reused by oem-factory-reset
#We close the volume
cryptsetup close test
export luks_current_Disk_Recovery_Key_passphrase
break;
echo -e "\n$PRINTABLE_LUKS: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..."
for luks_container in $LUKS; do
DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..."
if ! cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase; then
whiptail_error --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \
"If you previously changed it and do not remember it, you will have to reinstall the OS from an external drive.\n\nTo do so, place the ISO file and its signature file on root of an external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80
detect_boot_device
mount -o remount,rw /boot
rm -f /boot/kexec_key_devices.txt
mount -o remount,ro /boot
luks_secrets_cleanup
unset LUKS
else
echo "$luks_container: unlocking LUKS container with current Disk Recovery Key passphrase successful"
export luks_current_Disk_Recovery_Key_passphrase
fi
done
if [ -n "$LUKS" ]; then
export LUKS
TRACE_FUNC
DEBUG "LUKS container(s) $PRINTABLE_LUKS exported to be reused"
break
fi
done
}
# Function to re-encrypt LUKS partitions
luks_reencrypt() {
TRACE_FUNC
while :; do
select_luks_container || return 1
#If the user just set a new LUKS Disk Recovery Key passphrase
if [ -n "$luks_new_Disk_Recovery_Key_passphrase" ]; then
luks_current_Disk_Recovery_Key_passphrase="$luks_new_Disk_Recovery_Key_passphrase"
fi
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
#if no external provisioning provides current LUKS Disk Recovery Key passphrase
msg=$(echo -e "This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue." | fold -w 70 -s)
whiptail --title 'Reencrypt LUKS encrypted container ?' \
--msgbox "$msg" 0 80
echo -e "\nEnter the current LUKS Disk Recovery Key passphrase:"
read -r luks_current_Disk_Recovery_Key_passphrase
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Reencrypting "$LUKS" LUKS encrypted drive content with a new LUKS Disk Recovery Key. Do NOT shut down or reboot!"
cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
test_luks_current_disk_recovery_key_passphrase || return 1
luks_containers=($LUKS)
TRACE_FUNC
DEBUG "luks_containers: ${luks_containers[@]}"
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
if [ -f /tmp/secret/luks_current_Disk_Recovery_Key_passphrase ]; then
luks_current_Disk_Recovery_Key_passphrase=$(cat /tmp/secret/luks_current_Disk_Recovery_Key_passphrase)
else
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Reencrypting "$LUKS" LUKS encrypted drive content with a new LUKS Disk Recovery Key. Do NOT shut down or reboot!"
cryptsetup-reencrypt -B 64 --use-directio "$LUKS" --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
msg=$(echo -e "This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue." | fold -w 70 -s)
whiptail --title 'Reencrypt LUKS encrypted container ?' --msgbox "$msg" 0 80
echo -e "\nEnter the current LUKS Disk Recovery Key passphrase:"
read -r -s luks_current_Disk_Recovery_Key_passphrase
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/secret/luks_current_Disk_Recovery_Key_passphrase
fi
#Validate past cryptsetup-reencrypt attempts
if [ $(echo $?) -ne 0 ]; then
whiptail --title 'Invalid Actual LUKS Disk Recovery Key passphrase?' --msgbox \
"If you previously changed it and do not remember it, you will have to\n reinstall the OS from a an external drive.\n\nTo do so, place the ISO file and its signature file on root of an\n external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 30 60
shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null
#unsetting luks_current_Disk_Recovery_Key_passphrase so we prompt for it again LUKS Disk Recovery Key passphrase prompt on next round
unset luks_current_Disk_Recovery_Key_passphrase
#remove "known good" selected LUKS container so that next pass asks again user to select LUKS container.
#maybe the container was not the right one
else
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/secret/luks_current_Disk_Recovery_Key_passphrase
fi
for luks_container in "${luks_containers[@]}"; do
DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..."
if ! DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase >/dev/null 2>&1; then
whiptail_error --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \
"If you previously changed it and do not remember it, you will have to reinstall the OS from an external drive.\n\nTo do so, place the ISO file and its signature file on root of an external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80
TRACE_FUNC
detect_boot_device
mount -o remount,rw /boot
rm -f /boot/kexec_key_devices.txt
mount -o remount,ro /boot
luks_secrets_cleanup
unset LUKS
continue
fi
DEBUG "Test opening ${luks_container} successful. Now testing key slots to determine which holds master key"
DRK_KEYSLOT=-1
DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..."
for i in $(seq 0 31); do
DEBUG "Testing key slot $i on $luks_container"
if DO_WITH_DEBUG cryptsetup open --test-passphrase $luks_container --key-slot $i --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase >/dev/null 2>&1; then
DRK_KEYSLOT=$i
DEBUG "$luks_container: Found key-slot $DRK_KEYSLOT that can be unlocked with the current passphrase. breaking loop"
break
else
DEBUG "Key slot $i on $luks_container cannot be unlocked with the current passphrase"
fi
done
if [ $DRK_KEYSLOT -eq -1 ]; then
whiptail_error --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \
"If you previously changed it and do not remember it, you will have to reinstall the OS from an external drive.\n\nTo do so, place the ISO file and its signature file on root of an external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80
TRACE_FUNC
detect_boot_device
mount -o remount,rw /boot
rm -f /boot/kexec_key_devices.txt
mount -o remount,ro /boot
luks_secrets_cleanup
unset LUKS
continue
fi
# --perf-no_read_workqueue and/or --perf-no_write_workqueue improve encryption/reencrypton performance on kernel 5.10.9+
# bypassing dm-crypt queues.
# Ref https://github.com/cloudflare/linux/issues/1#issuecomment-729695518
# --resilience=none disables the resilience feature of cryptsetup, which is enabled by default
# --force-offline-reencrypt forces the reencryption to be done offline (no read/write operations on the device)
# --disable-locks disables the lock feature of cryptsetup, which is enabled by default
echo -e "\nReencrypting $luks_container LUKS encrypted drive content with current Recovery Disk Key passphrase..."
warn "DO NOT POWER DOWN MACHINE, UNPLUG AC OR REMOVE BATTERY DURING REENCRYPTION PROCESS"
if ! DO_WITH_DEBUG cryptsetup reencrypt \
--perf-no_read_workqueue --perf-no_write_workqueue \
--resilience=none --force-offline-reencrypt --disable-locks \
"$luks_container" --key-slot "$DRK_KEYSLOT" \
--key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase; then
whiptail_error --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \
"If you previously changed it and do not remember it, you will have to reinstall the OS from an external drive.\n\nTo do so, place the ISO file and its signature file on root of an external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80
TRACE_FUNC
detect_boot_device
mount -o remount,rw /boot
rm -f /boot/kexec_key_devices.txt
mount -o remount,ro /boot
luks_secrets_cleanup
unset LUKS
else
#Reencryption was successful. Cleanup should be called only when done
#Exporting successfully used passphrase possibly reused by oem-factory-reset
export luks_current_Disk_Recovery_Key_passphrase
break;
export LUKS
fi
done
}
luks_change_passphrase()
{
# Function to change LUKS passphrase
luks_change_passphrase() {
TRACE_FUNC
while :; do
select_luks_container || return 1
#if actual or new LUKS Disk Recovery Key is not provisioned by oem-provisioning file
test_luks_current_disk_recovery_key_passphrase || return 1
luks_containers=($LUKS)
TRACE_FUNC
DEBUG "luks_containers: ${luks_containers[@]}"
for luks_container in "${luks_containers[@]}"; do
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ] || [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then
whiptail --title 'Changing LUKS Disk Recovery Key passphrase' --msgbox \
"Please enter the current LUKS Disk Recovery Key passphrase (slot 0).\nThen choose a strong passphrase of your own.\n\n**DICEWARE passphrase methodology is STRONGLY ADVISED.**\n\nHit Enter to continue" 30 60
if [ -z "$luks_new_Disk_Recovery_Key_passphrase" ]; then
if [ -f /tmp/secret/luks_current_Disk_Recovery_Key_passphrase ]; then
luks_current_Disk_Recovery_Key_passphrase=$(cat /tmp/secret/luks_current_Disk_Recovery_Key_passphrase)
else
whiptail --title 'Changing LUKS Disk Recovery Key passphrase' --msgbox \
"Please enter the current LUKS Disk Recovery Key passphrase (slot 0).\nThen choose a strong passphrase of your own.\n\n**DICEWARE passphrase methodology is STRONGLY ADVISED.**\n\nHit Enter to continue" 0 80
echo -e "\nEnter your desired replacement for the actual LUKS Disk Recovery Key passphrase (At least 8 characters long):"
while [[ ${#luks_new_Disk_Recovery_Key_passphrase} -lt 8 ]]; do
{
read -r luks_new_Disk_Recovery_Key_passphrase
};done
fi
if [ -z "$luks_current_Disk_Recovery_Key_passphrase" ]; then
done
TRACE_FUNC
echo -e "\nEnter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):"
read -r luks_current_Disk_Recovery_Key_passphrase
fi
export luks_current_Disk_Recovery_Key_passphrase
export luks_new_Disk_Recovery_Key_passphrase
echo -n "$luks_new_Disk_Recovery_Key_passphrase" >/tmp/luks_new_Disk_Recovery_Key_passphrase
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Changing "$LUKS" LUKS encrypted disk passphrase to the new LUKS Disk Recovery Key passphrase..."
cryptsetup luksChangeKey "$LUKS" --key-slot 0 --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase
else
#If current and new LUKS Disk Recovery Key were exported
echo -n "$luks_new_Disk_Recovery_Key_passphrase" >/tmp/luks_new_Disk_Recovery_Key_passphrase
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/luks_current_Disk_Recovery_Key_passphrase
warn "Changing "$LUKS" LUKS encrypted disk passphrase to the new LUKS Disk Recovery Key passphrase..."
cryptsetup luksChangeKey "$LUKS" --key-slot 0 --key-file=/tmp/luks_current_Disk_Recovery_Key_passphrase /tmp/luks_new_Disk_Recovery_Key_passphrase
fi
#Validate past cryptsetup attempts
if [ $(echo $?) -ne 0 ]; then
#Cryptsetup luksChangeKey was unsuccessful
whiptail --title 'Invalid LUKS passphrase?' --msgbox \
"The LUKS Disk Recovery Key passphrase was provided to you by the OEM over\n a secure communication channel.\n\nIf you previously changed it and do not remember it,\n you will have to reinstall the OS from a USB drive.\nTo do so, put OS ISO file and it's signature file on root of a USB drive,\n and select Boot from USB\n\nHit Enter to continue." 30 60
unset luks_current_Disk_Recovery_Key_passphrase
unset luks_new_Disk_Recovery_Key_passphrase
#remove "known good" selected LUKS container so that next pass asks again user to select LUKS container.
#maybe the container was not the right one
echo -n "$luks_current_Disk_Recovery_Key_passphrase" >/tmp/secret/luks_current_Disk_Recovery_Key_passphrase
echo -n "$luks_new_Disk_Recovery_Key_passphrase" >/tmp/secret/luks_new_Disk_Recovery_Key_passphrase
DEBUG "$luks_container: Test unlocking of LUKS encrypted drive content with current LUKS Disk Recovery Key passphrase..."
if ! DO_WITH_DEBUG cryptsetup open --test-passphrase "$luks_container" --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase >/dev/null 2>&1; then
whiptail_error --title "$luks_container: Wrong current LUKS Disk Recovery Key passphrase?" --msgbox \
"If you previously changed it and do not remember it, you will have to reinstall the OS from an external drive.\n\nTo do so, place the ISO file and its signature file on root of an external drive, and select Options-> Boot from USB \n\nHit Enter to retry." 0 80
TRACE_FUNC
detect_boot_device
mount -o remount,rw /boot
rm -f /boot/kexec_key_devices.txt
mount -o remount,ro /boot
else
#Cryptsetup was successful.
#Cleanup should be called seperately.
#Exporting successfully used passphrase possibly reused by oem-factory-reset
export luks_new_Disk_Recovery_Key_passphrase
break;
luks_secrets_cleanup
unset LUKS
continue
fi
echo -e "\nChanging $luks_container LUKS encrypted disk passphrase to the new LUKS Disk Recovery Key passphrase..."
if ! DO_WITH_DEBUG cryptsetup luksChangeKey "$luks_container" --key-file=/tmp/secret/luks_current_Disk_Recovery_Key_passphrase /tmp/secret/luks_new_Disk_Recovery_Key_passphrase; then
whiptail_error --title 'Failed to change LUKS passphrase' --msgbox \
"Failed to change the passphrase for $luks_container.\nPlease try again." 0 80
continue
fi
echo "Success changing passphrase for $luks_container."
done
# Export the new passphrase if all containers were processed successfully
luks_current_Disk_Recovery_Key_passphrase=$luks_new_Disk_Recovery_Key_passphrase
export luks_current_Disk_Recovery_Key_passphrase
export luks_new_Disk_Recovery_Key_passphrase
export LUKS
}
luks_secrets_cleanup()
{
# Cleanup LUKS secrets
luks_secrets_cleanup() {
TRACE_FUNC
#Cleanup
shred -n 10 -z -u /tmp/luks_new_Disk_Recovery_Key_passphrase 2>/dev/null || true
shred -n 10 -z -u /tmp/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null || true
shred -n 10 -z -u /tmp/secret/luks_new_Disk_Recovery_Key_passphrase 2>/dev/null || true
shred -n 10 -z -u /tmp/secret/luks_current_Disk_Recovery_Key_passphrase 2>/dev/null || true
#Unset variables (when in same boot)
unset luks_current_Disk_Recovery_Key_passphrase
unset luks_new_Disk_Recovery_Key_passphrase
unset LUKS
}

2
modules/coreboot
View File

@ -88,7 +88,7 @@ $(eval $(call coreboot_module,talos_2,))
# coreboot-purism is based on 24.02.01 - reuse that toolchain.
coreboot-purism_repo := https://source.puri.sm/firmware/coreboot.git
coreboot-purism_commit_hash := f4f61b75bcfc50fa3a89f8f438e5312e750f6e3c
coreboot-purism_commit_hash := bea9947a1279be7d4a72b38a601d0288d10d1cb8
$(eval $(call coreboot_module,purism,24.02.01))
# MSI and Nitropad NV41 / NS50 boards are based on Dasharo coreboot port

17
modules/cryptsetup2
View File

@ -2,11 +2,11 @@ modules-$(CONFIG_CRYPTSETUP2) += cryptsetup2
cryptsetup2_depends := util-linux popt lvm2 json-c $(musl_dep)
cryptsetup2_version := 2.3.3
cryptsetup2_version := 2.6.1
cryptsetup2_dir := cryptsetup-$(cryptsetup2_version)
cryptsetup2_tar := cryptsetup-$(cryptsetup2_version).tar.xz
cryptsetup2_url := https://www.kernel.org/pub/linux/utils/cryptsetup/v2.3/cryptsetup-$(cryptsetup2_version).tar.xz
cryptsetup2_hash := 3bca4ffe39e2f94cef50f6ea65acb873a6dbce5db34fc6bcefe38b6d095e82df
cryptsetup2_url := https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-$(cryptsetup2_version).tar.xz
cryptsetup2_hash := 410ded65a1072ab9c8e41added37b9729c087fef4d2db02bb4ef529ad6da4693
# Use an empty prefix so that the executables will not include the
# build path.
@ -16,9 +16,15 @@ cryptsetup2_configure := \
./configure \
--host $(MUSL_ARCH)-elf-linux \
--prefix "/" \
--disable-gcrypt-pbkdf2 \
--enable-internal-sse-argon2 \
--disable-rpath \
--enable-cryptsetup-reencrypt \
--disable-gcrypt-pbkdf2 \
--disable-ssh-token \
--disable-asciidoc \
--disable-nls \
--disable-selinux \
--disable-udev \
--disable-external-tokens \
--with-crypto_backend=kernel \
--with-tmpfilesdir=$(INSTALL)/lib/tmpfiles.d
@ -33,7 +39,6 @@ cryptsetup2_target := \
cryptsetup2_output := \
.libs/cryptsetup \
.libs/cryptsetup-reencrypt \
.libs/veritysetup \
cryptsetup2_libraries := \

19
modules/libaio Normal file
View File

@ -0,0 +1,19 @@
modules-$(CONFIG_LVM2) += libaio
libaio_version := 0.3.113
libaio_dir := libaio-$(libaio_version)
libaio_tar := libaio_$(libaio_version).orig.tar.gz
libaio_url := https://deb.debian.org/debian/pool/main/liba/libaio/$(libaio_tar)
libaio_hash := 2c44d1c5fd0d43752287c9ae1eb9c023f04ef848ea8d4aafa46e9aedb678200b
libaio_target := \
DESTDIR="$(INSTALL)" \
prefix="/" \
$(CROSS_TOOLS) \
install \
&& mv $(build)/$(libaio_dir)/src/libaio.so.1.0.2 $(build)/$(libaio_dir)/src/libaio.so.1 \
libaio_libraries:= src/libaio.so.1
libaio_depends := $(musl_dep)

6
modules/linux
View File

@ -28,9 +28,9 @@ linux_hash := a6fbd4ee903c128367892c2393ee0d9657b6ed3ea90016d4dc6f1f6da20b2330
# been done. This is because `0000-efi_bds.patch` did not cleanly port
# from 5.4.69 to 5.10.5 which directly affects linuxboot systems.
#
else ifeq "$(CONFIG_LINUX_VERSION)" "5.10.5"
linux_version := 5.10.5
linux_hash := 3991a9e16a187d78d5f414d89236ae5d7f404a69e60c4c42a9d262ee19612ef4
else ifeq "$(CONFIG_LINUX_VERSION)" "5.10.214"
linux_version := 5.10.214
linux_hash := 40f014d53e81f204f6d2a364aae4201ae07970dd1b70dc602d7c66c1a140f558
else ifeq "$(CONFIG_LINUX_VERSION)" "6.1.8"
linux_version := 6.1.8
linux_hash := b60bb53ab8ba370a270454b11e93d41af29126fc72bd6ede517673e2e57b816d

42
modules/lvm2
View File

@ -1,37 +1,39 @@
modules-$(CONFIG_LVM2) += lvm2
lvm2_version := 2.02.168
lvm2_version := 2.03.23
lvm2_dir := lvm2.$(lvm2_version)
lvm2_tar := LVM2.$(lvm2_version).tgz
lvm2_url := https://mirrors.kernel.org/sourceware/lvm2/$(lvm2_tar)
lvm2_hash := 23a3d1cddd41b3ef51812ebf83e9fa491f502fe74130d4263be327a91914660d
lvm2_hash := 74e794a9e9dee1bcf8a2065f65b9196c44fdf321e22d63b98ed7de8c9aa17a5d
# cross compiling test assumes malloc/realloc aren't glibc compat
# so we force it via the configure cache.
lvm2_configure := \
$(CROSS_TOOLS) \
CFLAGS="-Os" \
PKG_CONFIG=/bin/false \
MODPROBE_CMD=/bin/false \
ac_cv_func_malloc_0_nonnull=yes \
ac_cv_func_realloc_0_nonnull=yes \
./configure \
--host $(MUSL_ARCH)-elf-linux \
--prefix "/" \
--disable-blkid_wiping \
--disable-cache_check_needs_check \
--disable-cmirrord \
--disable-dmeventd \
--disable-lvmetad \
--disable-lvmpolld \
--disable-realtime \
--prefix "" \
--libexecdir "/bin" \
--with-optimisation=-Os \
--enable-devmapper \
--disable-selinux \
--disable-thin_check_needs_check \
--disable-udev-systemd-background-jobs \
--disable-use-lvmetad \
--without-systemd \
--disable-lvmimportvdo \
--disable-realtime \
--disable-dmfilemapd \
--disable-dmeventd \
--disable-lvmpolld \
--disable-readline \
--disable-udev_sync \
--enable-static_link \
--disable-use-lvmlockd \
--disable-use-lvmpolld \
--enable-devmapper \
--disable-dmfilemapd \
--disable-cmirrord \
--disable-cache_check_needs_check \
--disable-thin_check_needs_check \
--with-cluster=none \
--with-thin-check= \
@ -49,10 +51,10 @@ lvm2_target := \
DESTDIR="$(INSTALL)" \
install_device-mapper \
lvm2_libraries := libdm/libdevmapper.so.1.02
lvm2_libraries := libdm/ioctl/libdevmapper.so.1.02
lvm2_output := \
tools/dmsetup \
./libdm/dm-tools/dmsetup \
tools/lvm \
lvm2_depends := util-linux $(musl_dep)
lvm2_depends := util-linux libaio $(musl_dep)

6
modules/util-linux
View File

@ -1,10 +1,10 @@
modules-$(CONFIG_UTIL_LINUX) += util-linux
util-linux_version := 2.29.2
util-linux_version := 2.39
util-linux_dir := util-linux-$(util-linux_version)
util-linux_tar := util-linux-$(util-linux_version).tar.xz
util-linux_url := https://www.kernel.org/pub/linux/utils/util-linux/v2.29/$(util-linux_tar)
util-linux_hash := accea4d678209f97f634f40a93b7e9fcad5915d1f4749f6c47bee6bf110fe8e3
util-linux_url := https://www.kernel.org/pub/linux/utils/util-linux/v2.39/$(util-linux_tar)
util-linux_hash := 32b30a336cda903182ed61feb3e9b908b762a5e66fe14e43efb88d37162075cb
util-linux_configure := \
$(CROSS_TOOLS) \

80
patches/coreboot-24.02.01/0001-prevent_bootsplash_heap_allocation_failure_to_booting.patch
View File

@ -1,80 +0,0 @@
From 8b6fc3a877d8169091d034ea6ac6d15593cc69a0 Mon Sep 17 00:00:00 2001
From: Jonathon Hall <jonathon.hall@puri.sm>
Date: Mon, 15 Jul 2024 15:01:52 -0400
Subject: [PATCH] src/lib/malloc.c: If allocation fails, leave the heap
unchanged
If an allocation fails because it is too large for the rest of the heap,
don't consume the rest of the heap needlessly.
This started occurring with the Heads bootsplash image in 24.02.01,
following the switch to the Wuffs JPEG decoder. The work area needed
was too large for the heap. The bootsplash failed to show, but worse,
the boot failed entirely because we were then out of heap space, even
though we did not actually use the large allocation that failed.
With this change, that failure no longer prevents boot.
The error message is improved slightly also:
* missing line break is added
* "Tried to round up" now shows the beginning of the allocation before
and after rounding instead of the unrounded beginning and rounded end
(misleading, looked like it was trying to align by 1 MB when it
was actually allocating 1 MB)
Change-Id: Ie72814027d9daa517c0794f3ea7abec2b9a9d596
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
---
src/lib/malloc.c | 25 ++++++++++++-------------
1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/src/lib/malloc.c b/src/lib/malloc.c
index 30298064d9..281792c3d5 100644
--- a/src/lib/malloc.c
+++ b/src/lib/malloc.c
@@ -26,30 +26,29 @@ void *memalign(size_t boundary, size_t size)
MALLOCDBG("%s Enter, boundary %zu, size %zu, free_mem_ptr %p\n",
__func__, boundary, size, free_mem_ptr);
- free_mem_ptr = (void *)ALIGN_UP((unsigned long)free_mem_ptr, boundary);
+ p = (void *)ALIGN_UP((unsigned long)free_mem_ptr, boundary);
- p = free_mem_ptr;
- free_mem_ptr += size;
- /*
- * Store last allocation pointer after ALIGN, as malloc() will
- * return it. This may cause n bytes of gap between allocations
- * where n < boundary.
- */
- free_last_alloc_ptr = p;
-
- if (free_mem_ptr >= free_mem_end_ptr) {
+ if (p + size >= free_mem_end_ptr) {
printk(BIOS_ERR, "%s(boundary=%zu, size=%zu): failed: ",
__func__, boundary, size);
printk(BIOS_ERR, "Tried to round up free_mem_ptr %p to %p\n",
- p, free_mem_ptr);
+ free_mem_ptr, p);
printk(BIOS_ERR, "but free_mem_end_ptr is %p\n",
free_mem_end_ptr);
printk(BIOS_ERR, "Error! %s: Out of memory "
- "(free_mem_ptr >= free_mem_end_ptr)",
+ "(free_mem_ptr >= free_mem_end_ptr)\n",
__func__);
return NULL;
}
+ free_mem_ptr = p + size;
+ /*
+ * Store last allocation pointer after ALIGN, as malloc() will
+ * return it. This may cause n bytes of gap between allocations
+ * where n < boundary.
+ */
+ free_last_alloc_ptr = p;
+
MALLOCDBG("%s %p\n", __func__, p);
return p;
--
2.39.2

111421
patches/coreboot-24.02.01/0001-vc_wuffs-upgrade-to-Wuffs_0.4.0-alpha.8.patch Normal file
View File

File diff suppressed because it is too large Load Diff

44
patches/coreboot-24.02.01/0002-increase_heap_from1mb_to4mb_when_bootpslash_enabled.patch
View File

@ -1,44 +0,0 @@
From 00d695849a5fb503d87203e3515f761fa8dac850 Mon Sep 17 00:00:00 2001
From: Jonathon Hall <jonathon.hall@puri.sm>
Date: Mon, 15 Jul 2024 16:37:40 -0400
Subject: [PATCH] bootsplash: Increase heap from 1 MB to 4 MB when bootsplash
is enabled
Since commit 1d029b40c9de ("lib/jpeg: Replace decoder with Wuffs'
implementation"), a relatively large heap allocation is needed to
decode many JPEGs for use as work area. The prior decoder did not need
this, but also had many limitations in the JPEGs it could decode.
A 1024x768 non-progressive JPEG used in Heads needs 1179648 bytes of
work area; about 1.2 MB. While the work area will also depend on the
subsampling of each channel, it's generally proportional to the image
size.
Increasing the heap size to 4 MB when bootsplash is enabled should be
enough to decode bootsplashes up to 1920x1080 with some headroom.
Change-Id: Ia4348d39effbc16c1b42ab01bcf1e4ec5d652fa9
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
---
src/device/Kconfig | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/device/Kconfig b/src/device/Kconfig
index 243e23e52a..4dd03eba21 100644
--- a/src/device/Kconfig
+++ b/src/device/Kconfig
@@ -501,6 +501,11 @@ config BOOTSPLASH
image in the 'General' section or add it manually to CBFS, using,
for example, cbfstool.
+# The bootsplash JPEG decoder requires heap space approximately proportional to
+# the image size. This usually needs a larger heap.
+config HEAP_SIZE
+ default 0x400000 if BOOTSPLASH
+
config LINEAR_FRAMEBUFFER_MAX_WIDTH
int "Maximum width in pixels"
depends on LINEAR_FRAMEBUFFER && MAINBOARD_USE_LIBGFXINIT
--
2.39.2

91
patches/coreboot-24.02.01/0002-lib_jpeg-avoidcalling-malloc-and-free.patch Normal file
View File

@ -0,0 +1,91 @@
From efad423f8472c1b9c130842e3d92625500f82d5d Mon Sep 17 00:00:00 2001
From: Nigel Tao <nigeltao@golang.org>
Date: Tue, 13 Aug 2024 22:29:21 +1000
Subject: [PATCH] lib/jpeg: avoid calling malloc and free
Since commit 1d029b40c9de ("lib/jpeg: Replace decoder with Wuffs'
implementation"), a relatively large heap allocation is needed to decode
many JPEGs for use as work area. The prior decoder did not need this,
but also had many limitations in the JPEGs it could decode, was not as
memory-safe and quickly crashed under fuzzing.
This commit keeps using Wuffs' JPEG decoder, but it no longer requires
any heap allocation (and thus configuring the heap size depending on how
big a bootsplash image you want to support).
Change-Id: Ie4c52520cbce498539517c4898ff765365a6beba
Signed-off-by: Nigel Tao <nigeltao@golang.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/83895
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Nico Huber <nico.h@gmx.de>
Reviewed-by: Felix Singer <service+coreboot-gerrit@felixsinger.de>
Reviewed-by: Jonathon Hall <jonathon.hall@puri.sm>
---
src/lib/jpeg.c | 36 +++++++++++++++++++++---------------
1 file changed, 21 insertions(+), 15 deletions(-)
diff --git a/src/lib/jpeg.c b/src/lib/jpeg.c
index 242cf0ca8e..617ab0b22a 100644
--- a/src/lib/jpeg.c
+++ b/src/lib/jpeg.c
@@ -1,9 +1,7 @@
/* SPDX-License-Identifier: GPL-2.0-only */
/*
- * Provide a simple API around the Wuffs JPEG decoder
- * Uses the heap (and lots of it) for the image-size specific
- * work buffer, so ramstage-only.
+ * Provide a simple API around the Wuffs JPEG decoder.
*/
#include <stdint.h>
@@ -85,6 +83,24 @@ int jpeg_decode(unsigned char *filedata, size_t filesize, unsigned char *pic,
return JPEG_DECODE_FAILED;
}
+ /* Opting in to lower quality means that we can pass an empty slice as the
+ * "work buffer" argument to wuffs_jpeg__decoder__decode_frame below.
+ *
+ * Decoding progressive (not sequential) JPEGs would still require dynamic
+ * memory allocation (and the amount of work buffer required depends on the
+ * image dimensions), but we choose to just reject progressive JPEGs. It is
+ * simpler than sometimes calling malloc (which can fail, especially for
+ * large allocations) and free.
+ *
+ * More commentary about these quirks is at
+ * https://github.com/google/wuffs/blob/beaf45650085a16780b5f708b72daaeb1aa865c8/std/jpeg/decode_quirks.wuffs
+ */
+ wuffs_jpeg__decoder__set_quirk(
+ &dec, WUFFS_BASE__QUIRK_QUALITY,
+ WUFFS_BASE__QUIRK_QUALITY__VALUE__LOWER_QUALITY);
+ wuffs_jpeg__decoder__set_quirk(
+ &dec, WUFFS_JPEG__QUIRK_REJECT_PROGRESSIVE_JPEGS, 1);
+
wuffs_base__image_config imgcfg;
wuffs_base__io_buffer src = wuffs_base__ptr_u8__reader(filedata, filesize, true);
status = wuffs_jpeg__decoder__decode_image_config(&dec, &imgcfg, &src);
@@ -104,19 +120,9 @@ int jpeg_decode(unsigned char *filedata, size_t filesize, unsigned char *pic,
return JPEG_DECODE_FAILED;
}
- uint64_t workbuf_len_min_incl = wuffs_jpeg__decoder__workbuf_len(&dec).min_incl;
- uint8_t *workbuf_array = malloc(workbuf_len_min_incl);
- if ((workbuf_array == NULL) && workbuf_len_min_incl) {
- return JPEG_DECODE_FAILED;
- }
-
- wuffs_base__slice_u8 workbuf =
- wuffs_base__make_slice_u8(workbuf_array, workbuf_len_min_incl);
status = wuffs_jpeg__decoder__decode_frame(&dec, &pixbuf, &src,
- WUFFS_BASE__PIXEL_BLEND__SRC, workbuf, NULL);
-
- free(workbuf_array);
-
+ WUFFS_BASE__PIXEL_BLEND__SRC,
+ wuffs_base__empty_slice_u8(), NULL);
if (status.repr) {
return JPEG_DECODE_FAILED;
}
--
2.39.2

358
patches/cryptsetup2-2.3.3.patch → patches/cryptsetup2-2.6.1.patch
View File

@ -1,7 +1,7 @@
diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
--- cryptsetup-2.3.3-clean/configure 2020-06-10 14:05:45.784925972 +0200
+++ cryptsetup-2.3.3/configure 2020-06-10 14:12:03.811651237 +0200
@@ -10206,7 +10206,7 @@
diff -u -r cryptsetup-2.4.3-clean/configure cryptsetup-2.4.3/configure
--- cryptsetup-2.4.3-clean/configure 2022-01-13 17:24:34.000000000 +0800
+++ cryptsetup-2.4.3/configure 2022-01-16 14:08:37.088258763 +0800
@@ -11056,7 +11056,7 @@
hardcode_automatic=no
hardcode_direct=no
hardcode_direct_absolute=no
@ -10,7 +10,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_libdir_separator=
hardcode_minus_L=no
hardcode_shlibpath_var=unsupported
@@ -10290,7 +10290,7 @@
@@ -11140,7 +11140,7 @@
# are reset later if shared libraries are not supported. Putting them
# here allows them to be overridden if necessary.
runpath_var=LD_RUN_PATH
@ -19,7 +19,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
export_dynamic_flag_spec='$wl--export-dynamic'
# ancient GNU ld didn't support --whole-archive et. al.
if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then
@@ -10336,7 +10336,7 @@
@@ -11186,7 +11186,7 @@
;;
m68k)
archive_cmds='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
@ -28,7 +28,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_minus_L=yes
;;
esac
@@ -10356,7 +10356,7 @@
@@ -11206,7 +11206,7 @@
cygwin* | mingw* | pw32* | cegcc*)
# _LT_TAGVAR(hardcode_libdir_flag_spec, ) is actually meaningless,
# as there is no search path for DLLs.
@ -37,7 +37,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
export_dynamic_flag_spec='$wl--export-all-symbols'
allow_undefined_flag=unsupported
always_export_symbols=no
@@ -10386,7 +10386,7 @@
@@ -11236,7 +11236,7 @@
;;
os2*)
@ -46,7 +46,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_minus_L=yes
allow_undefined_flag=unsupported
shrext_cmds=.dll
@@ -10416,7 +10416,7 @@
@@ -11266,7 +11266,7 @@
interix[3-9]*)
hardcode_direct=no
hardcode_shlibpath_var=no
@ -55,7 +55,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
export_dynamic_flag_spec='$wl-E'
# Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
# Instead, shared libraries are loaded at an image base (0x10000000 by
@@ -10492,7 +10492,7 @@
@@ -11342,7 +11342,7 @@
xlf* | bgf* | bgxlf* | mpixlf*)
# IBM XL Fortran 10.1 on PPC cannot create shared libs itself
whole_archive_flag_spec='--whole-archive$convenience --no-whole-archive'
@ -64,7 +64,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
archive_cmds='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib'
if test yes = "$supports_anon_versioning"; then
archive_expsym_cmds='echo "{ global:" > $output_objdir/$libname.ver~
@@ -10559,7 +10559,7 @@
@@ -11409,7 +11409,7 @@
# DT_RUNPATH tag from executables and libraries. But doing so
# requires that you compile everything twice, which is a pain.
if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then
@ -73,7 +73,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib'
archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib'
else
@@ -10588,7 +10588,7 @@
@@ -11438,7 +11438,7 @@
if test no = "$ld_shlibs"; then
runpath_var=
@ -82,7 +82,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
export_dynamic_flag_spec=
whole_archive_flag_spec=
fi
@@ -10706,7 +10706,7 @@
@@ -11556,7 +11556,7 @@
# path is not listed in the libpath. Setting hardcode_minus_L
# to unsupported forces relinking
hardcode_minus_L=yes
@ -91,7 +91,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_libdir_separator=
fi
;;
@@ -10790,11 +10790,11 @@
@@ -11642,11 +11642,11 @@
aix_libpath=$lt_cv_aix_libpath_
fi
@ -105,7 +105,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
allow_undefined_flag="-z nodefs"
archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\$wl$no_entry_flag"' $compiler_flags $wl$allow_undefined_flag '"\$wl$exp_sym_flag:\$export_symbols"
else
@@ -10843,7 +10843,7 @@
@@ -11697,7 +11697,7 @@
aix_libpath=$lt_cv_aix_libpath_
fi
@ -114,7 +114,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
# Warning - without using the other run time loading flags,
# -berok will link without error, but may produce a broken library.
no_undefined_flag=' $wl-bernotok'
@@ -10883,7 +10883,7 @@
@@ -11737,7 +11737,7 @@
;;
m68k)
archive_cmds='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
@ -123,25 +123,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_minus_L=yes
;;
esac
@@ -10901,7 +10901,7 @@
case $cc_basename in
cl*)
# Native MSVC
- hardcode_libdir_flag_spec=' '
+ hardcode_libdir_flag_spec=" "
allow_undefined_flag=unsupported
always_export_symbols=yes
file_list_spec='@'
@@ -10942,7 +10942,7 @@
;;
*)
# Assume MSVC wrapper
- hardcode_libdir_flag_spec=' '
+ hardcode_libdir_flag_spec=" "
allow_undefined_flag=unsupported
# Tell ltmain to make .lib files, not .a files.
libext=lib
@@ -10993,7 +10993,7 @@
@@ -11847,7 +11847,7 @@
dgux*)
archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
@ -150,7 +132,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_shlibpath_var=no
;;
@@ -11003,7 +11003,7 @@
@@ -11857,7 +11857,7 @@
# extra space).
freebsd2.2*)
archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
@ -159,16 +141,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_direct=yes
hardcode_shlibpath_var=no
;;
@@ -11019,7 +11019,7 @@
# FreeBSD 3 and greater uses gcc -shared to do shared libraries.
freebsd* | dragonfly*)
archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
- hardcode_libdir_flag_spec='-R$libdir'
+ hardcode_libdir_flag_spec=" "
hardcode_direct=yes
hardcode_shlibpath_var=no
;;
@@ -11030,7 +11030,7 @@
@@ -11884,7 +11884,7 @@
else
archive_cmds='$RM $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test "x$output_objdir/$soname" = "x$lib" || mv $output_objdir/$soname $lib'
fi
@ -177,7 +150,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_libdir_separator=:
hardcode_direct=yes
@@ -11047,7 +11047,7 @@
@@ -11901,7 +11901,7 @@
archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
fi
if test no = "$with_gnu_ld"; then
@ -186,7 +159,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_libdir_separator=:
hardcode_direct=yes
hardcode_direct_absolute=yes
@@ -11124,7 +11124,7 @@
@@ -11979,7 +11979,7 @@
esac
fi
if test no = "$with_gnu_ld"; then
@ -195,7 +168,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_libdir_separator=:
case $host_cpu in
@@ -11183,7 +11183,7 @@
@@ -12040,7 +12040,7 @@
archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -exports_file $export_symbols -o $lib'
fi
archive_cmds_need_lc='no'
@ -204,7 +177,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_libdir_separator=:
inherit_rpath=yes
link_all_deplibs=yes
@@ -11205,7 +11205,7 @@
@@ -12062,7 +12062,7 @@
else
archive_cmds='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF
fi
@ -213,7 +186,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_direct=yes
hardcode_shlibpath_var=no
;;
@@ -11213,7 +11213,7 @@
@@ -12070,7 +12070,7 @@
newsos6)
archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
hardcode_direct=yes
@ -222,7 +195,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_libdir_separator=:
hardcode_shlibpath_var=no
;;
@@ -11229,11 +11229,11 @@
@@ -12086,11 +12086,11 @@
if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`"; then
archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
archive_expsym_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags $wl-retain-symbols-file,$export_symbols'
@ -236,7 +209,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
fi
else
ld_shlibs=no
@@ -11241,7 +11241,7 @@
@@ -12098,7 +12098,7 @@
;;
os2*)
@ -245,7 +218,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_minus_L=yes
allow_undefined_flag=unsupported
shrext_cmds=.dll
@@ -11277,7 +11277,7 @@
@@ -12134,7 +12134,7 @@
archive_cmds='$CC -shared$allow_undefined_flag $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib'
fi
archive_cmds_need_lc='no'
@ -254,7 +227,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_libdir_separator=:
;;
@@ -11285,7 +11285,7 @@
@@ -12142,7 +12142,7 @@
if test yes = "$GCC"; then
allow_undefined_flag=' $wl-expect_unresolved $wl\*'
archive_cmds='$CC -shared$allow_undefined_flag $pic_flag $libobjs $deplibs $compiler_flags $wl-msym $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations -o $lib'
@ -263,7 +236,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
else
allow_undefined_flag=' -expect_unresolved \*'
archive_cmds='$CC -shared$allow_undefined_flag $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib'
@@ -11293,7 +11293,7 @@
@@ -12150,7 +12150,7 @@
$CC -shared$allow_undefined_flag $wl-input $wl$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib~$RM $lib.exp'
# Both c and cxx compiler support -rpath directly
@ -272,7 +245,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
fi
archive_cmds_need_lc='no'
hardcode_libdir_separator=:
@@ -11322,7 +11322,7 @@
@@ -12179,7 +12179,7 @@
;;
esac
fi
@ -281,7 +254,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_shlibpath_var=no
case $host_os in
solaris2.[0-5] | solaris2.[0-5].*) ;;
@@ -11349,7 +11349,7 @@
@@ -12206,7 +12206,7 @@
else
archive_cmds='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
fi
@ -290,7 +263,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_direct=yes
hardcode_minus_L=yes
hardcode_shlibpath_var=no
@@ -11419,7 +11419,7 @@
@@ -12276,7 +12276,7 @@
allow_undefined_flag='$wl-z,nodefs'
archive_cmds_need_lc=no
hardcode_shlibpath_var=no
@ -299,7 +272,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_libdir_separator=':'
link_all_deplibs=yes
export_dynamic_flag_spec='$wl-Bexport'
@@ -11436,7 +11436,7 @@
@@ -12293,7 +12293,7 @@
uts4*)
archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
@ -308,7 +281,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_shlibpath_var=no
;;
@@ -11804,7 +11804,7 @@
@@ -12662,7 +12662,7 @@
version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
need_version=no
@ -317,7 +290,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
if test ia64 = "$host_cpu"; then
# AIX 5 supports IA64
library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext'
@@ -12094,16 +12094,16 @@
@@ -12952,16 +12952,16 @@
;;
freebsd3.[01]* | freebsdelf3.[01]*)
shlibpath_overrides_runpath=yes
@ -337,7 +310,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
;;
esac
;;
@@ -12118,7 +12118,7 @@
@@ -12976,7 +12976,7 @@
shlibpath_var=LIBRARY_PATH
shlibpath_overrides_runpath=no
sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib'
@ -346,7 +319,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
;;
hpux9* | hpux10* | hpux11*)
@@ -12130,7 +12130,7 @@
@@ -12988,7 +12988,7 @@
case $host_cpu in
ia64*)
shrext_cmds='.so'
@ -355,7 +328,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
dynamic_linker="$host_os dld.so"
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
@@ -12146,7 +12146,7 @@
@@ -13004,7 +13004,7 @@
;;
hppa*64*)
shrext_cmds='.sl'
@ -364,7 +337,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
dynamic_linker="$host_os dld.sl"
shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
@@ -12179,7 +12179,7 @@
@@ -13037,7 +13037,7 @@
dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
@ -373,7 +346,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
;;
irix5* | irix6* | nonstopux*)
@@ -12216,7 +12216,7 @@
@@ -13074,7 +13074,7 @@
shlibpath_overrides_runpath=no
sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff"
sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff"
@ -382,7 +355,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
;;
# No shared lib support for Linux oldld, aout, or coff.
@@ -12237,11 +12237,11 @@
@@ -13095,11 +13095,11 @@
# This implies no fast_install, which is unacceptable.
# Some rework will be needed to allow for fast_install
# before this can be enabled.
@ -396,7 +369,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
;;
# This must be glibc/ELF.
@@ -12292,7 +12292,7 @@
@@ -13153,7 +13153,7 @@
# This implies no fast_install, which is unacceptable.
# Some rework will be needed to allow for fast_install
# before this can be enabled.
@ -405,7 +378,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
# Ideally, we could use ldconfig to report *all* directores which are
# searched for libraries, however this is still not possible. Aside from not
@@ -12322,7 +12322,7 @@
@@ -13183,7 +13183,7 @@
soname_spec='${libname}${release}${shared_ext}$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
@ -414,7 +387,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
dynamic_linker='NetBSD ld.elf_so'
;;
@@ -12341,7 +12341,7 @@
@@ -13202,7 +13202,7 @@
fi
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
@ -423,7 +396,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
;;
newsos6)
@@ -12359,7 +12359,7 @@
@@ -13220,7 +13220,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
@ -432,7 +405,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
dynamic_linker='ldqnx.so'
;;
@@ -12431,7 +12431,7 @@
@@ -13292,7 +13292,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
@ -441,7 +414,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
# ldd complains unless libraries are executable
postinstall_cmds='chmod +x $lib'
;;
@@ -12488,7 +12488,7 @@
@@ -13349,7 +13349,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
@ -450,7 +423,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
if test yes = "$with_gnu_ld"; then
sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
else
@@ -12510,7 +12510,7 @@
@@ -13371,7 +13371,7 @@
library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
@ -459,7 +432,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
;;
uts4*)
@@ -13610,7 +13610,7 @@
@@ -14490,7 +14490,7 @@
acl_shlibext="$acl_cv_shlibext"
acl_libname_spec="$acl_cv_libname_spec"
acl_library_names_spec="$acl_cv_library_names_spec"
@ -468,7 +441,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
acl_hardcode_libdir_separator="$acl_cv_hardcode_libdir_separator"
acl_hardcode_direct="$acl_cv_hardcode_direct"
acl_hardcode_minus_L="$acl_cv_hardcode_minus_L"
@@ -21296,7 +21296,7 @@
@@ -22538,7 +22538,7 @@
with_gnu_ld='`$ECHO "$with_gnu_ld" | $SED "$delay_single_quote_subst"`'
allow_undefined_flag='`$ECHO "$allow_undefined_flag" | $SED "$delay_single_quote_subst"`'
no_undefined_flag='`$ECHO "$no_undefined_flag" | $SED "$delay_single_quote_subst"`'
@ -477,7 +450,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
hardcode_libdir_separator='`$ECHO "$hardcode_libdir_separator" | $SED "$delay_single_quote_subst"`'
hardcode_direct='`$ECHO "$hardcode_direct" | $SED "$delay_single_quote_subst"`'
hardcode_direct_absolute='`$ECHO "$hardcode_direct_absolute" | $SED "$delay_single_quote_subst"`'
@@ -21327,7 +21327,7 @@
@@ -22569,7 +22569,7 @@
postuninstall_cmds='`$ECHO "$postuninstall_cmds" | $SED "$delay_single_quote_subst"`'
finish_cmds='`$ECHO "$finish_cmds" | $SED "$delay_single_quote_subst"`'
finish_eval='`$ECHO "$finish_eval" | $SED "$delay_single_quote_subst"`'
@ -486,7 +459,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
sys_lib_search_path_spec='`$ECHO "$sys_lib_search_path_spec" | $SED "$delay_single_quote_subst"`'
configure_time_dlsearch_path='`$ECHO "$configure_time_dlsearch_path" | $SED "$delay_single_quote_subst"`'
configure_time_lt_sys_library_path='`$ECHO "$configure_time_lt_sys_library_path" | $SED "$delay_single_quote_subst"`'
@@ -22485,7 +22485,7 @@
@@ -23727,7 +23727,7 @@
finish_eval=$lt_finish_eval
# Whether we should hardcode library paths into libraries.
@ -495,7 +468,7 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
# Compile-time system search path for libraries.
sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
@@ -22582,7 +22582,7 @@
@@ -23824,7 +23824,7 @@
# Flag to hardcode \$libdir into a binary during linking.
# This must work even if \$libdir does not exist
@ -504,10 +477,10 @@ diff -u -r cryptsetup-2.3.3-clean/configure cryptsetup-2.3.3/configure
# Whether we need a single "-rpath" flag with a separated argument.
hardcode_libdir_separator=$lt_hardcode_libdir_separator
diff -u -r cryptsetup-2.3.3-clean/Makefile.in cryptsetup-2.3.3/Makefile.in
--- cryptsetup-2.3.3-clean/Makefile.in 2020-06-10 14:05:45.781594282 +0200
+++ cryptsetup-2.3.3/Makefile.in 2020-06-10 14:30:09.512375745 +0200
@@ -1032,6 +1032,8 @@
diff -u -r cryptsetup-2.4.3-clean/Makefile.in cryptsetup-2.4.3/Makefile.in
--- cryptsetup-2.4.3-clean/Makefile.in 2022-01-13 17:24:33.000000000 +0800
+++ cryptsetup-2.4.3/Makefile.in 2022-01-16 14:08:37.096258854 +0800
@@ -1115,6 +1115,8 @@
@CRYPTSETUP_TRUE@cryptsetup_LDADD = $(LDADD) \
@CRYPTSETUP_TRUE@ libcryptsetup.la \
@CRYPTSETUP_TRUE@ @POPT_LIBS@ \
@ -516,17 +489,17 @@ diff -u -r cryptsetup-2.3.3-clean/Makefile.in cryptsetup-2.3.3/Makefile.in
@CRYPTSETUP_TRUE@ @PWQUALITY_LIBS@ \
@CRYPTSETUP_TRUE@ @PASSWDQC_LIBS@ \
@CRYPTSETUP_TRUE@ @UUID_LIBS@ \
@@ -1060,6 +1062,9 @@
@@ -1147,6 +1149,9 @@
@VERITYSETUP_TRUE@veritysetup_LDADD = $(LDADD) \
@VERITYSETUP_TRUE@ libcryptsetup.la \
@VERITYSETUP_TRUE@ @POPT_LIBS@ \
+@VERITYSETUP_TRUE@ @UUID_LIBS@ \
+@VERITYSETUP_TRUE@ @DEVMAPPER_LIBS@ \
+@VERITYSETUP_TRUE@ @JSON_C_LIBS@ \
@VERITYSETUP_TRUE@ @PWQUALITY_LIBS@ \
@VERITYSETUP_TRUE@ @PASSWDQC_LIBS@ \
+@VERITYSETUP_TRUE@ @UUID_LIBS@ \
+@VERITYSETUP_TRUE@ @DEVMAPPER_LIBS@ \
+@VERITYSETUP_TRUE@ @JSON_C_LIBS@ \
@VERITYSETUP_TRUE@ @BLKID_LIBS@
@@ -1093,6 +1093,8 @@
@STATIC_TOOLS_TRUE@@VERITYSETUP_TRUE@veritysetup_static_SOURCES = $(veritysetup_SOURCES)
@@ -1177,6 +1182,8 @@
@INTEGRITYSETUP_TRUE@ libcryptsetup.la \
@INTEGRITYSETUP_TRUE@ @POPT_LIBS@ \
@INTEGRITYSETUP_TRUE@ @UUID_LIBS@ \
@ -535,12 +508,199 @@ diff -u -r cryptsetup-2.3.3-clean/Makefile.in cryptsetup-2.3.3/Makefile.in
@INTEGRITYSETUP_TRUE@ @BLKID_LIBS@
@INTEGRITYSETUP_TRUE@@STATIC_TOOLS_TRUE@integritysetup_static_SOURCES = $(integritysetup_SOURCES)
@@ -1122,6 +1122,8 @@
@REENCRYPT_TRUE@ @POPT_LIBS@ \
@REENCRYPT_TRUE@ @PWQUALITY_LIBS@ \
@REENCRYPT_TRUE@ @PASSWDQC_LIBS@ \
+@REENCRYPT_TRUE@ @DEVMAPPER_LIBS@ \
+@REENCRYPT_TRUE@ @JSON_C_LIBS@ \
@REENCRYPT_TRUE@ @UUID_LIBS@ \
@REENCRYPT_TRUE@ @BLKID_LIBS@
--- ./configure.orig 2023-11-26 14:22:30.912000000 -0500
+++ ./configure 2023-11-26 14:26:21.714000000 -0500
@@ -12336,7 +12336,7 @@
case $cc_basename in
tcc*)
- hardcode_libdir_flag_spec='$wl-rpath $wl$libdir'
+ hardcode_libdir_flag_spec=" "
export_dynamic_flag_spec='-rdynamic'
;;
xlf* | bgf* | bgxlf* | mpixlf*)
@@ -12755,7 +12755,7 @@
case $cc_basename in
cl* | icl*)
# Native MSVC or ICC
- hardcode_libdir_flag_spec=' '
+ hardcode_libdir_flag_spec=" "
allow_undefined_flag=unsupported
always_export_symbols=yes
file_list_spec='@'
@@ -12796,7 +12796,7 @@
;;
*)
# Assume MSVC and ICC wrapper
- hardcode_libdir_flag_spec=' '
+ hardcode_libdir_flag_spec=" "
allow_undefined_flag=unsupported
# Tell ltmain to make .lib files, not .a files.
libext=lib
@@ -12873,7 +12873,7 @@
# FreeBSD 3 and greater uses gcc -shared to do shared libraries.
freebsd* | dragonfly* | midnightbsd*)
archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
- hardcode_libdir_flag_spec='-R$libdir'
+ hardcode_libdir_flag_spec=" "
hardcode_direct=yes
hardcode_shlibpath_var=no
;;
@@ -13052,7 +13052,7 @@
# Fabrice Bellard et al's Tiny C Compiler
ld_shlibs=yes
archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
- hardcode_libdir_flag_spec='$wl-rpath $wl$libdir'
+ hardcode_libdir_flag_spec=" "
;;
esac
;;
--- ./configure.mod 2023-11-26 14:46:49.779000000 -0500
+++ ./configure 2023-11-26 14:47:56.962000000 -0500
@@ -17670,7 +17670,7 @@
version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
need_version=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
if test ia64 = "$host_cpu"; then
# AIX 5 supports IA64
library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext'
@@ -17958,16 +17958,16 @@
;;
freebsd3.[01]* | freebsdelf3.[01]*)
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
*) # from 4.6 on, and DragonFly
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
esac
;;
@@ -17982,7 +17982,7 @@
shlibpath_var=LIBRARY_PATH
shlibpath_overrides_runpath=no
sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib'
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
hpux9* | hpux10* | hpux11*)
@@ -17994,7 +17994,7 @@
case $host_cpu in
ia64*)
shrext_cmds='.so'
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker="$host_os dld.so"
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
@@ -18010,7 +18010,7 @@
;;
hppa*64*)
shrext_cmds='.sl'
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker="$host_os dld.sl"
shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
@@ -18043,7 +18043,7 @@
dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
irix5* | irix6* | nonstopux*)
@@ -18080,7 +18080,7 @@
shlibpath_overrides_runpath=no
sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff"
sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff"
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
# No shared lib support for Linux oldld, aout, or coff.
@@ -18101,7 +18101,7 @@
# This implies no fast_install, which is unacceptable.
# Some rework will be needed to allow for fast_install
# before this can be enabled.
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker='Android linker'
# Don't embed -rpath directories since the linker doesn't support them.
@@ -18159,7 +18159,7 @@
# This implies no fast_install, which is unacceptable.
# Some rework will be needed to allow for fast_install
# before this can be enabled.
- hardcode_into_libs=yes
+ hardcode_into_libs=no
# Ideally, we could use ldconfig to report *all* directores which are
# searched for libraries, however this is still not possible. Aside from not
@@ -18189,7 +18189,7 @@
soname_spec='${libname}${release}${shared_ext}$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker='NetBSD ld.elf_so'
;;
@@ -18208,7 +18208,7 @@
fi
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
newsos6)
@@ -18226,7 +18226,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker='ldqnx.so'
;;
@@ -18298,7 +18298,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
# ldd complains unless libraries are executable
postinstall_cmds='chmod +x $lib'
;;
@@ -18355,7 +18355,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
if test yes = "$with_gnu_ld"; then
sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
else
@@ -18377,7 +18377,7 @@
library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
uts4*)

0
patches/linux-5.10.5/0001-fake-acpi.patch → patches/linux-5.10.214/0001-fake-acpi.patch
View File

0
patches/linux-5.10.5/0002-nmi-squelch.patch → patches/linux-5.10.214/0002-nmi-squelch.patch
View File

0
patches/linux-5.10.5/0003-fake-trampoline.patch → patches/linux-5.10.214/0003-fake-trampoline.patch
View File

0
patches/linux-5.10.5/0010-winterfell-ahci.patch → patches/linux-5.10.214/0010-winterfell-ahci.patch
View File

40
patches/linux-5.10.214/shebangs.patch Normal file
View File

@ -0,0 +1,40 @@
diff --git a/scripts/check-sysctl-docs b/scripts/check-sysctl-docs
index 8bcb9e26c7bc..90137319c50a 100755
--- a/scripts/check-sysctl-docs
+++ b/scripts/check-sysctl-docs
@@ -1,4 +1,4 @@
-#!/usr/bin/gawk -f
+#!/usr/bin/env -S gawk -f
# SPDX-License-Identifier: GPL-2.0
# Script to check sysctl documentation against source files
diff --git a/scripts/ld-version.sh b/scripts/ld-version.sh
index f2be0ff9a738..7a5b546ece16 100755
--- a/scripts/ld-version.sh
+++ b/scripts/ld-version.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/awk -f
+#!/usr/bin/env -S awk -f
# SPDX-License-Identifier: GPL-2.0
# extract linker version number from stdin and turn into single number
{
diff --git a/scripts/parse-maintainers.pl b/scripts/parse-maintainers.pl
index 2ca4eb3f190d..9515765158fa 100755
--- a/scripts/parse-maintainers.pl
+++ b/scripts/parse-maintainers.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl -w
+#!/usr/bin/env -S perl -w
# SPDX-License-Identifier: GPL-2.0
use strict;
diff --git a/scripts/ver_linux b/scripts/ver_linux
index 0968a3070eff..345b92f71d2d 100755
--- a/scripts/ver_linux
+++ b/scripts/ver_linux
@@ -1,4 +1,4 @@
-#!/usr/bin/awk -f
+#!/usr/bin/env -S awk -f
# SPDX-License-Identifier: GPL-2.0
# Before running this script please ensure that your PATH is
# typical as you use for compilation/installation. I use

64
patches/linux-5.10.5/0004-libsubcmd_Fix_use-after-free-for-realloc.patch
View File

@ -1,64 +0,0 @@
From 52a9dab6d892763b2a8334a568bd4e2c1a6fde66 Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Sun, 13 Feb 2022 10:24:43 -0800
Subject: [PATCH] libsubcmd: Fix use-after-free for realloc(..., 0)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
GCC 12 correctly reports a potential use-after-free condition in the
xrealloc helper. Fix the warning by avoiding an implicit "free(ptr)"
when size == 0:
In file included from help.c:12:
In function 'xrealloc',
inlined from 'add_cmdname' at help.c:24:2: subcmd-util.h:56:23: error: pointer may be used after 'realloc' [-Werror=use-after-free]
56 | ret = realloc(ptr, size);
| ^~~~~~~~~~~~~~~~~~
subcmd-util.h:52:21: note: call to 'realloc' here
52 | void *ret = realloc(ptr, size);
| ^~~~~~~~~~~~~~~~~~
subcmd-util.h:58:31: error: pointer may be used after 'realloc' [-Werror=use-after-free]
58 | ret = realloc(ptr, 1);
| ^~~~~~~~~~~~~~~
subcmd-util.h:52:21: note: call to 'realloc' here
52 | void *ret = realloc(ptr, size);
| ^~~~~~~~~~~~~~~~~~
Fixes: 2f4ce5ec1d447beb ("perf tools: Finalize subcmd independence")
Reported-by: Valdis Klētnieks <valdis.kletnieks@vt.edu>
Signed-off-by: Kees Kook <keescook@chromium.org>
Tested-by: Valdis Klētnieks <valdis.kletnieks@vt.edu>
Tested-by: Justin M. Forbes <jforbes@fedoraproject.org>
Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: linux-hardening@vger.kernel.org
Cc: Valdis Klētnieks <valdis.kletnieks@vt.edu>
Link: http://lore.kernel.org/lkml/20220213182443.4037039-1-keescook@chromium.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
---
tools/lib/subcmd/subcmd-util.h | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/tools/lib/subcmd/subcmd-util.h b/tools/lib/subcmd/subcmd-util.h
index 794a375dad3601..b2aec04fce8f67 100644
--- a/tools/lib/subcmd/subcmd-util.h
+++ b/tools/lib/subcmd/subcmd-util.h
@@ -50,15 +50,8 @@ static NORETURN inline void die(const char *err, ...)
static inline void *xrealloc(void *ptr, size_t size)
{
void *ret = realloc(ptr, size);
- if (!ret && !size)
- ret = realloc(ptr, 1);
- if (!ret) {
- ret = realloc(ptr, size);
- if (!ret && !size)
- ret = realloc(ptr, 1);
- if (!ret)
- die("Out of memory, realloc failed");
- }
+ if (!ret)
+ die("Out of memory, realloc failed");
return ret;
}

100
patches/linux-5.10.5/shebangs.patch
View File

@ -1,100 +0,0 @@
diff --git a/scripts/bloat-o-meter b/scripts/bloat-o-meter
index d7ca46c612b3..652e9542043f 100755
--- a/scripts/bloat-o-meter
+++ b/scripts/bloat-o-meter
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python
#
# Copyright 2004 Matt Mackall <mpm@selenic.com>
#
diff --git a/scripts/check-sysctl-docs b/scripts/check-sysctl-docs
index 8bcb9e26c7bc..90137319c50a 100755
--- a/scripts/check-sysctl-docs
+++ b/scripts/check-sysctl-docs
@@ -1,4 +1,4 @@
-#!/usr/bin/gawk -f
+#!/usr/bin/env -S gawk -f
# SPDX-License-Identifier: GPL-2.0
# Script to check sysctl documentation against source files
diff --git a/scripts/diffconfig b/scripts/diffconfig
index 89abf777f197..627eba5849b5 100755
--- a/scripts/diffconfig
+++ b/scripts/diffconfig
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python
# SPDX-License-Identifier: GPL-2.0
#
# diffconfig - a tool to compare .config files.
diff --git a/scripts/get_abi.pl b/scripts/get_abi.pl
index 68dab828a722..92d9aa6cc4f5 100755
--- a/scripts/get_abi.pl
+++ b/scripts/get_abi.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
# SPDX-License-Identifier: GPL-2.0
use strict;
diff --git a/scripts/ld-version.sh b/scripts/ld-version.sh
index f2be0ff9a738..7a5b546ece16 100755
--- a/scripts/ld-version.sh
+++ b/scripts/ld-version.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/awk -f
+#!/usr/bin/env -S awk -f
# SPDX-License-Identifier: GPL-2.0
# extract linker version number from stdin and turn into single number
{
diff --git a/scripts/parse-maintainers.pl b/scripts/parse-maintainers.pl
index 2ca4eb3f190d..9515765158fa 100755
--- a/scripts/parse-maintainers.pl
+++ b/scripts/parse-maintainers.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl -w
+#!/usr/bin/env -S perl -w
# SPDX-License-Identifier: GPL-2.0
use strict;
diff --git a/scripts/show_delta b/scripts/show_delta
index 264399307c4f..28e67e178194 100755
--- a/scripts/show_delta
+++ b/scripts/show_delta
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python
# SPDX-License-Identifier: GPL-2.0-only
#
# show_deltas: Read list of printk messages instrumented with
diff --git a/scripts/sphinx-pre-install b/scripts/sphinx-pre-install
index 40fa6923e80a..828a8615a918 100755
--- a/scripts/sphinx-pre-install
+++ b/scripts/sphinx-pre-install
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
# SPDX-License-Identifier: GPL-2.0-or-later
use strict;
diff --git a/scripts/split-man.pl b/scripts/split-man.pl
index c3db607ee9ec..96bd99dc977a 100755
--- a/scripts/split-man.pl
+++ b/scripts/split-man.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
# SPDX-License-Identifier: GPL-2.0
#
# Author: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
diff --git a/scripts/ver_linux b/scripts/ver_linux
index 0968a3070eff..345b92f71d2d 100755
--- a/scripts/ver_linux
+++ b/scripts/ver_linux
@@ -1,4 +1,4 @@
-#!/usr/bin/awk -f
+#!/usr/bin/env -S awk -f
# SPDX-License-Identifier: GPL-2.0
# Before running this script please ensure that your PATH is
# typical as you use for compilation/installation. I use

150
patches/lvm2-2.03.23.patch Normal file
View File

@ -0,0 +1,150 @@
--- ./lib/mm/memlock.c.orig 2023-11-27 13:52:46.281000000 -0500
+++ ./lib/mm/memlock.c 2023-11-27 13:56:35.656000000 -0500
@@ -160,6 +160,7 @@
static void _allocate_memory(void)
{
+#if 0
#if defined(__GLIBC__) && !defined(VALGRIND_POOL)
/* Memory allocation is currently only tested with glibc
* for different C libraries, some other mechanisms might be needed
@@ -233,11 +234,14 @@
for (i = 0; i < area; ++i)
free(areas[i]);
#endif
+#endif
}
static void _release_memory(void)
{
+#if 0
free(_malloc_mem);
+#endif
}
/*
@@ -313,7 +317,7 @@
if (lock == LVM_MLOCK) {
if (mlock((const void*)from, sz) < 0) {
- log_sys_error("mlock", line);
+ //log_sys_error("mlock", line);
return 0;
}
} else {
--- ./libdm/libdm-stats.c.orig 2023-11-27 13:59:40.677000000 -0500
+++ ./libdm/libdm-stats.c 2023-11-27 14:07:28.655000000 -0500
@@ -18,7 +18,23 @@
#include "libdm/misc/dmlib.h"
#include "libdm/misc/kdev_t.h"
+#if 0
#include "math.h" /* log10() */
+#else
+static int ilog10(double x)
+{
+ int e = 0;
+
+ while(x > 10)
+ {
+ e++;
+ x = x / 10;
+ }
+
+ return e;
+}
+#endif
+
#include <sys/sysmacros.h>
#include <sys/ioctl.h>
@@ -556,7 +572,12 @@
while(entry >= bins) {
value = (double) (entry--)->upper;
/* Use lround to avoid size_t -> double cast warning. */
+#if 0
hist_len += 1 + (size_t) lround(log10(value / scale));
+#else
+ hist_len += 1 + ilog10(value / scale);
+#endif
+
if (entry != bins)
hist_len++; /* ',' */
}
@@ -1863,7 +1884,12 @@
i = dm_bit_get_first(regions);
for (; i >= 0; i = dm_bit_get_next(regions, i)) {
/* length of region_id or range start in characters */
+#if 0
id_len = (i) ? 1 + (size_t) log10(i) : 1;
+#else
+ id_len = (i) ? 1 + ilog10(i) : 1;
+#endif
+
buflen += id_len;
j = i;
do
@@ -1878,7 +1904,11 @@
/* handle range */
if (i != j) {
/* j is always > i, which is always >= 0 */
+#if 0
id_len = 1 + (size_t) log10(j);
+#else
+ id_len = 1 + ilog10(j);
+#endif
buflen += id_len + 1; /* range end plus "-" */
}
buflen++;
--- ./tools/lvmcmdline.c.orig 2023-11-27 14:12:46.649000000 -0500
+++ ./tools/lvmcmdline.c 2023-11-27 14:15:47.563000000 -0500
@@ -3438,7 +3438,7 @@
static int _check_standard_fds(void)
{
int err = is_valid_fd(STDERR_FILENO);
-
+#if 0
if (!is_valid_fd(STDIN_FILENO) &&
!(stdin = fopen(_PATH_DEVNULL, "r"))) {
if (err)
@@ -3463,7 +3463,7 @@
strerror(errno));
return 0;
}
-
+#endif
return 1;
}
@@ -3644,7 +3644,7 @@
*/
dm_set_name_mangling_mode(DM_STRING_MANGLING_NONE);
- if (!(cmd = create_toolcontext(0, NULL, 1, threaded, set_connections, set_filters))) {
+ if (!(cmd = create_toolcontext(0, NULL, 0, threaded, set_connections, set_filters))) {
return_NULL;
}
--- ./make.tmpl.orig 2023-11-28 13:29:11.744000000 -0500
+++ ./make.tmpl.in 2023-11-28 13:29:36.716000000 -0500
@@ -210,7 +210,7 @@
M_INSTALL_PROGRAM = -m 555
M_INSTALL_DATA = -m 444
endif
-INSTALL_PROGRAM = $(INSTALL) $(M_INSTALL_PROGRAM) $(STRIP)
+INSTALL_PROGRAM = $(INSTALL) $(M_INSTALL_PROGRAM)
INSTALL_DATA = $(INSTALL) -p $(M_INSTALL_DATA)
INSTALL_WDATA = $(INSTALL) -p -m 644
--- ./libdm/make.tmpl.orig 2023-11-28 13:29:52.760000000 -0500
+++ ./libdm/make.tmpl.in 2023-11-28 13:30:22.336000000 -0500
@@ -173,7 +173,7 @@
M_INSTALL_PROGRAM = -m 555
M_INSTALL_DATA = -m 444
endif
-INSTALL_PROGRAM = $(INSTALL) $(M_INSTALL_PROGRAM) $(STRIP)
+INSTALL_PROGRAM = $(INSTALL) $(M_INSTALL_PROGRAM)
INSTALL_DATA = $(INSTALL) -p $(M_INSTALL_DATA)
INSTALL_WDATA = $(INSTALL) -p -m 644

139
patches/util-linux-2.29.2.patch
View File

@ -1,139 +0,0 @@
--- ./configure 2017-02-22 07:07:46.595740152 -0500
+++ ./configure 2023-02-27 13:34:27.068000000 -0500
@@ -13408,7 +13408,7 @@
version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
need_version=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
if test ia64 = "$host_cpu"; then
# AIX 5 supports IA64
library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext'
@@ -13698,16 +13698,16 @@
;;
freebsd3.[01]* | freebsdelf3.[01]*)
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
*) # from 4.6 on, and DragonFly
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
esac
;;
@@ -13722,7 +13722,7 @@
shlibpath_var=LIBRARY_PATH
shlibpath_overrides_runpath=no
sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib'
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
hpux9* | hpux10* | hpux11*)
@@ -13734,7 +13734,7 @@
case $host_cpu in
ia64*)
shrext_cmds='.so'
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker="$host_os dld.so"
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
@@ -13750,7 +13750,7 @@
;;
hppa*64*)
shrext_cmds='.sl'
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker="$host_os dld.sl"
shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
@@ -13783,7 +13783,7 @@
dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
irix5* | irix6* | nonstopux*)
@@ -13820,7 +13820,7 @@
shlibpath_overrides_runpath=no
sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff"
sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff"
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
# No shared lib support for Linux oldld, aout, or coff.
@@ -13841,7 +13841,7 @@
# This implies no fast_install, which is unacceptable.
# Some rework will be needed to allow for fast_install
# before this can be enabled.
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker='Android linker'
# Don't embed -rpath directories since the linker doesn't support them.
@@ -13896,7 +13896,7 @@
# This implies no fast_install, which is unacceptable.
# Some rework will be needed to allow for fast_install
# before this can be enabled.
- hardcode_into_libs=yes
+ hardcode_into_libs=no
# Add ABI-specific directories to the system library path.
sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
@@ -13936,7 +13936,7 @@
fi
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
newsos6)
@@ -13954,7 +13954,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker='ldqnx.so'
;;
@@ -14026,7 +14026,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
# ldd complains unless libraries are executable
postinstall_cmds='chmod +x $lib'
;;
@@ -14083,7 +14083,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
if test yes = "$with_gnu_ld"; then
sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
else
@@ -14105,7 +14105,7 @@
library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
uts4*)

276
patches/util-linux-2.39.patch Normal file
View File

@ -0,0 +1,276 @@
--- ./configure.orig 2023-05-17 06:53:16.721284360 -0400
+++ ./configure 2023-11-28 13:57:50.012000000 -0500
@@ -16580,7 +16580,7 @@
version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
need_version=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
if test ia64 = "$host_cpu"; then
# AIX 5 supports IA64
library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext'
@@ -16870,16 +16870,16 @@
;;
freebsd3.[01]* | freebsdelf3.[01]*)
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
*) # from 4.6 on, and DragonFly
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
esac
;;
@@ -16894,7 +16894,7 @@
shlibpath_var=LIBRARY_PATH
shlibpath_overrides_runpath=no
sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib'
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
hpux9* | hpux10* | hpux11*)
@@ -16906,7 +16906,7 @@
case $host_cpu in
ia64*)
shrext_cmds='.so'
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker="$host_os dld.so"
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
@@ -16922,7 +16922,7 @@
;;
hppa*64*)
shrext_cmds='.sl'
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker="$host_os dld.sl"
shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
@@ -16955,7 +16955,7 @@
dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
irix5* | irix6* | nonstopux*)
@@ -16992,7 +16992,7 @@
shlibpath_overrides_runpath=no
sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff"
sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff"
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
# No shared lib support for Linux oldld, aout, or coff.
@@ -17013,7 +17013,7 @@
# This implies no fast_install, which is unacceptable.
# Some rework will be needed to allow for fast_install
# before this can be enabled.
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker='Android linker'
# Don't embed -rpath directories since the linker doesn't support them.
@@ -17071,7 +17071,7 @@
# This implies no fast_install, which is unacceptable.
# Some rework will be needed to allow for fast_install
# before this can be enabled.
- hardcode_into_libs=yes
+ hardcode_into_libs=no
# Add ABI-specific directories to the system library path.
sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
@@ -17111,7 +17111,7 @@
fi
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
newsos6)
@@ -17129,7 +17129,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker='ldqnx.so'
;;
@@ -17201,7 +17201,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
# ldd complains unless libraries are executable
postinstall_cmds='chmod +x $lib'
;;
@@ -17258,7 +17258,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
if test yes = "$with_gnu_ld"; then
sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
else
@@ -17280,7 +17280,7 @@
library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
uts4*)
@@ -20574,7 +20574,7 @@
version_type=linux # correct to gnu/linux during the next big refactor
need_lib_prefix=no
need_version=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
if test ia64 = "$host_cpu"; then
# AIX 5 supports IA64
library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext'
@@ -20862,16 +20862,16 @@
;;
freebsd3.[01]* | freebsdelf3.[01]*)
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
freebsd3.[2-9]* | freebsdelf3.[2-9]* | \
freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1)
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
*) # from 4.6 on, and DragonFly
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
esac
;;
@@ -20886,7 +20886,7 @@
shlibpath_var=LIBRARY_PATH
shlibpath_overrides_runpath=no
sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib'
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
hpux9* | hpux10* | hpux11*)
@@ -20898,7 +20898,7 @@
case $host_cpu in
ia64*)
shrext_cmds='.so'
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker="$host_os dld.so"
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
@@ -20914,7 +20914,7 @@
;;
hppa*64*)
shrext_cmds='.sl'
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker="$host_os dld.sl"
shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
@@ -20947,7 +20947,7 @@
dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
irix5* | irix6* | nonstopux*)
@@ -20984,7 +20984,7 @@
shlibpath_overrides_runpath=no
sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff"
sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff"
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
# No shared lib support for Linux oldld, aout, or coff.
@@ -21005,7 +21005,7 @@
# This implies no fast_install, which is unacceptable.
# Some rework will be needed to allow for fast_install
# before this can be enabled.
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker='Android linker'
# Don't embed -rpath directories since the linker doesn't support them.
@@ -21063,7 +21063,7 @@
# This implies no fast_install, which is unacceptable.
# Some rework will be needed to allow for fast_install
# before this can be enabled.
- hardcode_into_libs=yes
+ hardcode_into_libs=no
# Add ABI-specific directories to the system library path.
sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib"
@@ -21103,7 +21103,7 @@
fi
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
newsos6)
@@ -21121,7 +21121,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
dynamic_linker='ldqnx.so'
;;
@@ -21193,7 +21193,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
# ldd complains unless libraries are executable
postinstall_cmds='chmod +x $lib'
;;
@@ -21250,7 +21250,7 @@
soname_spec='$libname$release$shared_ext$major'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
+ hardcode_into_libs=no
if test yes = "$with_gnu_ld"; then
sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
else
@@ -21272,7 +21272,7 @@
library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext'
shlibpath_var=LD_LIBRARY_PATH
shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
+ hardcode_into_libs=no
;;
uts4*)

73
unmaintained_boards/x230-hotp-legacy/x230-hotp-legacy.config Normal file
View File

@ -0,0 +1,73 @@
# Configuration for a x230 with HOTP (Nitrokey/Purism USB Security dongle enabled HOTP support)
# running Qubes 4.1 and other OSes.
#
# Deactivated to fit in coreboot's CONFIG_CBFS_SIZE=0x700000 :
# dropbear support(ssh client/server)
# e1000e (ethernet driver)
#
# Addition vs standard x230 board config:
# HOTP_KEY: HOTP challenge for currently supported USB Security dongles
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=24.02.01
export CONFIG_LINUX_VERSION=5.10.5
CONFIG_COREBOOT_CONFIG=config/coreboot-x230-legacy.config
CONFIG_LINUX_CONFIG=config/linux-x230-legacy.config
#Additional hardware support
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000E=n
CONFIG_CRYPTSETUP2=y
CONFIG_FLASHPROG=y
CONFIG_FLASHTOOLS=y
CONFIG_GPG2=y
CONFIG_KEXEC=y
CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y
CONFIG_POPT=y
CONFIG_QRENCODE=y
CONFIG_TPMTOTP=y
#HOTP based remote attestation for supported USB Security dongle
#With/Without TPM support
CONFIG_HOTPKEY=y
export CONFIG_AUTO_BOOT_TIMEOUT=5
#Nitrokey Storage admin tool
CONFIG_NKSTORECLI=n
#GUI Support
#Console based Whiptail support(Console based, no FB):
CONFIG_SLANG=y
CONFIG_NEWT=y
#FBWhiptail based (Graphical):
#CONFIG_CAIRO=y
#CONFIG_FBWHIPTAIL=y
#Additional tools:
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=n
#Ethernet driver (Heads only)
CONFIG_LINUX_E1000E=n
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n
export CONFIG_BOOT_KERNEL_ADD=""
export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
export CONFIG_BOARD_NAME="Thinkpad X230-hotp-legacy"
export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal --ifd --image bios"
# This board has two SPI flash chips, an 8 MB that holds the IFD,
# the ME image and part of the coreboot image, and a 4 MB one that
# has the rest of the coreboot and the reset vector.
#
# Only flashing to the bios region is safe to do. The easiest is to
# flash internally when the IFD is unlocked for writing, and x230-flash
# is installed first.

36
unmaintained_boards/x230-legacy-flash/x230-legacy-flash.config Normal file
View File

@ -0,0 +1,36 @@
# Minimal configuration for a x230 to support flashrom and USB
# This top SPI flash image needed to flash legacy board counterpart internally
# This image can be flashed through 1vyrain and skulls
# IDEALLY you should flash maximized top and bottom rom images exteranlly once instead.
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=24.02.01
export CONFIG_LINUX_VERSION=5.10.5
CONFIG_COREBOOT_CONFIG=config/coreboot-UNMAINTAINED_x230-legacy-flash.config
CONFIG_LINUX_CONFIG=config/linux-x230-flash.config
#Add bare minimal tools for flashing boards
CONFIG_BASH=n
CONFIG_FLASHPROG=y
CONFIG_ZSTD=n
#CONFIG_GPG=y
#CONFIG_FLASHTOOLS=y
CONFIG_PCIUTILS=y
#CONFIG_MBEDTLS=y
#CONFIG_QRENCODE=y
#CONFIG_TPMTOTP=y
#CONFIG_DROPBEAR=y
#Additional hardware support
CONFIG_LINUX_USB=y
#CONFIG_LINUX_E1000E=y
export CONFIG_BOOTSCRIPT=/bin/xx30-flash.init
export CONFIG_BOARD_NAME="ThinkPad X230-legacy-flash"
export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal --ifd --image bios"
CONFIG_LEGACY_FLASH=y
BOARD_TARGETS := legacy_flash

66
unmaintained_boards/x230-legacy/x230-legacy.config Normal file
View File

@ -0,0 +1,66 @@
# Configuration for a X230 running Qubes 4.1 and other Linux Based OSes (through kexec)
#
# Deactivated to fit in coreboot's CONFIG_CBFS_SIZE=0x700000 :
# dropbear support(ssh client/server)
# e1000e (ethernet driver)
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=24.02.01
export CONFIG_LINUX_VERSION=5.10.5
CONFIG_COREBOOT_CONFIG=config/coreboot-UNMAINTAINED_x230-legacy.config
CONFIG_LINUX_CONFIG=config/linux-UNMAINTAINED_x230-legacy.config
#Additional hardware support
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000E=n
CONFIG_CRYPTSETUP2=y
CONFIG_FLASHPROG=y
CONFIG_FLASHTOOLS=y
CONFIG_GPG2=y
CONFIG_KEXEC=y
CONFIG_UTIL_LINUX=y
CONFIG_LVM2=y
CONFIG_MBEDTLS=y
CONFIG_PCIUTILS=y
#Remote attestation support
#TPM based requirements
export CONFIG_TPM=y
CONFIG_POPT=y
CONFIG_QRENCODE=y
CONFIG_TPMTOTP=y
#HOTP based remote attestation for supported USB Security dongle
#With/Without TPM support
CONFIG_HOTPKEY=n
#Nitrokey Storage admin tool
CONFIG_NKSTORECLI=n
#GUI Support
#Console based Whiptail support(Console based, no FB):
CONFIG_SLANG=y
CONFIG_NEWT=y
#FBWhiptail based (Graphical):
#CONFIG_CAIRO=y
#CONFIG_FBWHIPTAIL=y
#Additional tools:
#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
CONFIG_DROPBEAR=n
export CONFIG_BOOTSCRIPT=/bin/gui-init
export CONFIG_BOOT_REQ_HASH=n
export CONFIG_BOOT_REQ_ROLLBACK=n
export CONFIG_BOOT_KERNEL_ADD=""
export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off"
export CONFIG_BOARD_NAME="Thinkpad X230-legacy"
export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal --ifd --image bios"
# This board has two SPI flash chips, an 8 MB that holds the IFD,
# the ME image and part of the coreboot image, and a 4 MB one that
# has the rest of the coreboot and the reset vector.
#
# Only flashing to the bios region is safe to do. The easiest is to
# flash internally when the IFD is unlocked for writing, and x230-flash
# is installed first.