diff --git a/boards/kgpe-d16/kgpe-d16.config b/boards/kgpe-d16/kgpe-d16.config index 072f36ac..58130699 100644 --- a/boards/kgpe-d16/kgpe-d16.config +++ b/boards/kgpe-d16/kgpe-d16.config @@ -1,5 +1,7 @@ # Configuration for a kgpe-d16 running non-Qubes export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 + CONFIG_COREBOOT_CONFIG=config/coreboot-kgpe-d16.config CONFIG_LINUX_CONFIG=config/linux-kgpe-d16.config diff --git a/boards/librem13v2/librem13v2.config b/boards/librem13v2/librem13v2.config index 5aa4bbe0..46837ed5 100644 --- a/boards/librem13v2/librem13v2.config +++ b/boards/librem13v2/librem13v2.config @@ -3,6 +3,8 @@ CONFIG_LINUX_CONFIG=config/linux-librem13v2.config CONFIG_COREBOOT_CONFIG=config/coreboot-librem13v2.config export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 + CONFIG_CRYPTSETUP=y CONFIG_FLASHROM=y CONFIG_FLASHTOOLS=y diff --git a/boards/librem13v4/librem13v4.config b/boards/librem13v4/librem13v4.config index 90e20edf..5c5de684 100644 --- a/boards/librem13v4/librem13v4.config +++ b/boards/librem13v4/librem13v4.config @@ -3,6 +3,8 @@ CONFIG_LINUX_CONFIG=config/linux-librem13v2.config CONFIG_COREBOOT_CONFIG=config/coreboot-librem13v4.config export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 + CONFIG_CRYPTSETUP=y CONFIG_FLASHROM=y CONFIG_FLASHTOOLS=y diff --git a/boards/librem15v3/librem15v3.config b/boards/librem15v3/librem15v3.config index 133d3c52..5177be03 100644 --- a/boards/librem15v3/librem15v3.config +++ b/boards/librem15v3/librem15v3.config @@ -5,6 +5,8 @@ CONFIG_LINUX_CONFIG=config/linux-librem13v2.config CONFIG_COREBOOT_CONFIG=config/coreboot-librem15v3.config export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 + CONFIG_CRYPTSETUP=y CONFIG_FLASHROM=y CONFIG_FLASHTOOLS=y diff --git a/boards/librem15v4/librem15v4.config b/boards/librem15v4/librem15v4.config index 35183371..9adf6ef8 100644 --- a/boards/librem15v4/librem15v4.config +++ b/boards/librem15v4/librem15v4.config 
@@ -5,6 +5,8 @@ CONFIG_LINUX_CONFIG=config/linux-librem13v2.config CONFIG_COREBOOT_CONFIG=config/coreboot-librem15v4.config export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 + CONFIG_CRYPTSETUP=y CONFIG_FLASHROM=y CONFIG_FLASHTOOLS=y diff --git a/boards/qemu-coreboot-fbwhiptail/qemu-coreboot-fbwhiptail.config b/boards/qemu-coreboot-fbwhiptail/qemu-coreboot-fbwhiptail.config index 125879a4..73ced6ba 100644 --- a/boards/qemu-coreboot-fbwhiptail/qemu-coreboot-fbwhiptail.config +++ b/boards/qemu-coreboot-fbwhiptail/qemu-coreboot-fbwhiptail.config @@ -2,6 +2,8 @@ # the qemu emulator in GUI mode thanks to FBWhiptail export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 + CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-fbwhiptail.config CONFIG_LINUX_CONFIG=config/linux-qemu.config diff --git a/boards/qemu-coreboot/qemu-coreboot.config b/boards/qemu-coreboot/qemu-coreboot.config index a36b7032..ce2a2fa7 100644 --- a/boards/qemu-coreboot/qemu-coreboot.config +++ b/boards/qemu-coreboot/qemu-coreboot.config @@ -2,6 +2,8 @@ # the qemu emulator. Note that the TPM does not work, so this # will just drop into the recovery shell. export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 + CONFIG_COREBOOT_CONFIG=config/coreboot-qemu.config CONFIG_LINUX_CONFIG=config/linux-qemu.config diff --git a/boards/t420/t420.config b/boards/t420/t420.config index 71d769f2..c83e3097 100644 --- a/boards/t420/t420.config +++ b/boards/t420/t420.config @@ -1,5 +1,7 @@ # Configuration for a T420 running Qubes and other OS, T420 is identical to X230 on the Linux Side of things. export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 + CONFIG_COREBOOT_CONFIG=config/coreboot-t420.config CONFIG_LINUX_CONFIG=config/linux-x230.config diff --git a/boards/t430-flash/t430-flash.config b/boards/t430-flash/t430-flash.config index 16b3617f..626fde19 100644 --- a/boards/t430-flash/t430-flash.config +++ b/boards/t430-flash/t430-flash.config 
@@ -2,6 +2,8 @@ BOARD=t430.flash export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 + CONFIG_FLASHROM=y CONFIG_FLASHTOOLS=y CONFIG_PCIUTILS=y diff --git a/boards/t430/t430.config b/boards/t430/t430.config index b2487e43..3eaaba71 100644 --- a/boards/t430/t430.config +++ b/boards/t430/t430.config @@ -1,5 +1,7 @@ # Configuration for a t430 running Qubes and other OSes export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 + CONFIG_COREBOOT_CONFIG=config/coreboot-t430.config CONFIG_LINUX_CONFIG=config/linux-x230.config diff --git a/boards/x220/x220.config b/boards/x220/x220.config index 7548b773..0efffec4 100644 --- a/boards/x220/x220.config +++ b/boards/x220/x220.config @@ -1,5 +1,7 @@ # Configuration for a x220 running Qubes and other OS, X220 is identical to X230 on the Linux Side of things. export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 + CONFIG_COREBOOT_CONFIG=config/coreboot-x220.config CONFIG_LINUX_CONFIG=config/linux-x230.config diff --git a/boards/x230-flash/x230-flash.config b/boards/x230-flash/x230-flash.config index f991b116..c878012d 100644 --- a/boards/x230-flash/x230-flash.config +++ b/boards/x230-flash/x230-flash.config @@ -2,6 +2,8 @@ BOARD=x230.flash export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 + CONFIG_FLASHROM=y #CONFIG_GPG=y CONFIG_FLASHTOOLS=y diff --git a/boards/x230-hotp-verification/x230-hotp-verification.config b/boards/x230-hotp-verification/x230-hotp-verification.config index 93ce9831..59f0acdc 100644 --- a/boards/x230-hotp-verification/x230-hotp-verification.config +++ b/boards/x230-hotp-verification/x230-hotp-verification.config @@ -1,6 +1,8 @@ # Configuration for a x230-hotp-verification (Nitrokey/Purism USB Security dongle enabled HOTP support) # running Qubes and other OSes export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 + CONFIG_COREBOOT_CONFIG=config/coreboot-x230-hotp-verification.config CONFIG_LINUX_CONFIG=config/linux-x230.config 
diff --git a/boards/x230/x230.config b/boards/x230/x230.config index 48a11525..8a04bc57 100644 --- a/boards/x230/x230.config +++ b/boards/x230/x230.config @@ -1,5 +1,7 @@ # Configuration for a x230 running Qubes and other OSes export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 + CONFIG_COREBOOT_CONFIG=config/coreboot-x230.config CONFIG_LINUX_CONFIG=config/linux-x230.config diff --git a/config/busybox.config b/config/busybox.config index e7ef9aaa..23b895e0 100644 --- a/config/busybox.config +++ b/config/busybox.config @@ -227,7 +227,7 @@ CONFIG_EXPR=y CONFIG_EXPR_MATH_SUPPORT_64=y CONFIG_FACTOR=y CONFIG_FALSE=y -# CONFIG_FOLD is not set +CONFIG_FOLD=y # CONFIG_FSYNC is not set CONFIG_HEAD=y CONFIG_FEATURE_FANCY_HEAD=y diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh index 74e8e7f9..37b4808b 100755 --- a/initrd/bin/config-gui.sh +++ b/initrd/bin/config-gui.sh 
@@ -2,55 +2,9 @@ # set -e -o pipefail . /etc/functions +. /etc/gui_functions . /tmp/config -file_selector() { - FILE="" - FILE_LIST=$1 - MENU_MSG=${2:-"Choose the file"} - MENU_TITLE=${3:-"Select your File"} -# create file menu options - if [ `cat "$FILE_LIST" | wc -l` -gt 0 ]; then - option="" - while [ -z "$option" ] - do - MENU_OPTIONS="" - n=0 - while read option - do - n=`expr $n + 1` - option=$(echo $option | tr " " "_") - MENU_OPTIONS="$MENU_OPTIONS $n ${option}" - done < $FILE_LIST - - MENU_OPTIONS="$MENU_OPTIONS a Abort" - whiptail --clear --title "${MENU_TITLE}" \ - --menu "${MENU_MSG} [1-$n, a to abort]:" 20 120 8 \ - -- $MENU_OPTIONS \ - 2>/tmp/whiptail || die "Aborting" - - option_index=$(cat /tmp/whiptail) - - if [ "$option_index" = "a" ]; then - option="a" - return - fi - - option=`head -n $option_index $FILE_LIST | tail -1` - if [ "$option" == "a" ]; then - return - fi - done - if [ -n "$option" ]; then - FILE=$option - fi - else - whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: No Files Found' \ - --msgbox "No Files found matching the pattern. Aborting." 16 60 - exit 1 - fi -} - param=$1 while true; do diff --git a/initrd/bin/flash-gui.sh b/initrd/bin/flash-gui.sh index c8cbd364..6e2a0840 100755 --- a/initrd/bin/flash-gui.sh +++ b/initrd/bin/flash-gui.sh 
@@ -2,70 +2,9 @@ # set -e -o pipefail . /etc/functions +. /etc/gui_functions . /tmp/config -mount_usb(){ -# Mount the USB boot device - if ! grep -q /media /proc/mounts ; then - mount-usb && USB_FAILED=0 || USB_FAILED=1 - if [ $USB_FAILED -ne 0 ]; then - whiptail --title 'USB Drive Missing' \ - --msgbox "Insert your USB drive and press Enter to continue." 16 60 - mount-usb && USB_FAILED=0 || USB_FAILED=1 - if [ $USB_FAILED -ne 0 ]; then - whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Mounting /media Failed' \ - --msgbox "Unable to mount USB device" 16 60 - fi - fi - fi -} - -file_selector() { - FILE="" - FILE_LIST=$1 - MENU_MSG=${2:-"Choose the file"} -# create file menu options - if [ `cat "$FILE_LIST" | wc -l` -gt 0 ]; then - option="" - while [ -z "$option" ] - do - MENU_OPTIONS="" - n=0 - while read option - do - n=`expr $n + 1` - option=$(echo $option | tr " " "_") - MENU_OPTIONS="$MENU_OPTIONS $n ${option}" - done < $FILE_LIST - - MENU_OPTIONS="$MENU_OPTIONS a Abort" - whiptail --clear --title "Select your File" \ - --menu "${MENU_MSG} [1-$n, a to abort]:" 20 120 8 \ - -- $MENU_OPTIONS \ - 2>/tmp/whiptail || die "Aborting" - - option_index=$(cat /tmp/whiptail) - - if [ "$option_index" = "a" ]; then - option="a" - return - fi - - option=`head -n $option_index $FILE_LIST | tail -1` - if [ "$option" == "a" ]; then - return - fi - done - if [ -n "$option" ]; then - FILE=$option - fi - else - whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: No Files Found' \ - --msgbox "No Files found matching the pattern. Aborting." 16 60 - exit 1 - fi -} - while true; do unset menu_choice whiptail --clear --title "Firmware Management Menu" \ 
@@ -83,7 +22,7 @@ while true; do ;; f|c ) if (whiptail --title 'Flash the BIOS with a new ROM' \ - --yesno "This requires you insert a USB drive containing:\n* Your BIOS image (*.rom)\n\nAfter you select this file, this program will reflash your BIOS\n\nDo you want to proceed?" 16 90) then + --yesno "You will need to insert a USB drive containing your BIOS image (*.rom).\n\nAfter you select this file, this program will reflash your BIOS.\n\nDo you want to proceed?" 16 90) then mount_usb if grep -q /media /proc/mounts ; then find /media ! -path '*/\.*' -type f -name '*.rom' | sort > /tmp/filelist.txt @@ -95,7 +34,7 @@ while true; do fi if (whiptail --title 'Flash ROM?' \ - --yesno "This will replace your old ROM with $ROM\n\nDo you want to proceed?" 16 90) then + --yesno "This will replace your current ROM with:\n\n$ROM\n\nDo you want to proceed?" 16 60) then if [ "$menu_choice" == "c" ]; then /bin/flash.sh -c "$ROM" # after flash, /boot signatures are now invalid so go ahead and clear them @@ -110,7 +49,7 @@ while true; do /bin/flash.sh "$ROM" fi whiptail --title 'ROM Flashed Successfully' \ - --msgbox "$ROM flashed successfully.\nPress Enter to reboot" 16 60 + --msgbox "$ROM flashed successfully.\n\nPress Enter to reboot\n" 16 60 umount /media /bin/reboot else diff --git a/initrd/bin/gpg-gui.sh b/initrd/bin/gpg-gui.sh index 132cf6b8..cb63a660 100755 --- a/initrd/bin/gpg-gui.sh +++ b/initrd/bin/gpg-gui.sh 
@@ -2,69 +2,9 @@ # set -e -o pipefail . /etc/functions +. /etc/gui_functions . /tmp/config -mount_usb(){ -# Mount the USB boot device - if ! grep -q /media /proc/mounts ; then - mount-usb && USB_FAILED=0 || USB_FAILED=1 - if [ $USB_FAILED -ne 0 ]; then - whiptail --title 'USB Drive Missing' \ - --msgbox "Insert your USB drive and press Enter to continue." 16 60 - mount-usb && USB_FAILED=0 || USB_FAILED=1 - if [ $USB_FAILED -ne 0 ]; then - whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Mounting /media Failed' \ - --msgbox "Unable to mount USB device" 16 60 - fi - fi - fi -} - -file_selector() { - FILE="" - FILE_LIST=$1 - MENU_MSG=${2:-"Choose the file"} -# create file menu options - if [ `cat "$FILE_LIST" | wc -l` -gt 0 ]; then - option="" - while [ -z "$option" ] - do - MENU_OPTIONS="" - n=0 - while read option - do - n=`expr $n + 1` - option=$(echo $option | tr " " "_") - MENU_OPTIONS="$MENU_OPTIONS $n ${option}" - done < $FILE_LIST - - MENU_OPTIONS="$MENU_OPTIONS a Abort" - whiptail --clear --title "Select your File" \ - --menu "${MENU_MSG} [1-$n, a to abort]:" 20 120 8 \ - -- $MENU_OPTIONS \ - 2>/tmp/whiptail || die "Aborting" - - option_index=$(cat /tmp/whiptail) - - if [ "$option_index" = "a" ]; then - option="a" - return - fi - - option=`head -n $option_index $FILE_LIST | tail -1` - if [ "$option" == "a" ]; then - return - fi - done - if [ -n "$option" ]; then - FILE=$option - fi - else - whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: No Files Found' \ - --msgbox "No Files found matching the pattern. Aborting." 16 60 - exit 1 - fi -} gpg_flash_rom() { if [ "$1" = "replace" ]; then diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 1e345595..522021f2 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init 
@@ -42,7 +42,7 @@ verify_global_hashes() TMP_PACKAGE_TRIGGER_PRE="/tmp/kexec/kexec_package_trigger_pre.txt" TMP_PACKAGE_TRIGGER_POST="/tmp/kexec/kexec_package_trigger_post.txt" - if cd /boot && sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output ; then + if ( cd /boot && sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output ) then return 0 elif [ ! -f $TMP_HASH_FILE ]; then if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Missing Hash File!' \ @@ -70,7 +70,7 @@ verify_global_hashes() fi else - TEXT="The following files failed the verification process:\n${CHANGED_FILES}\n\nThis could indicate a compromise!\n\nWould you like to update your checksums now?" + TEXT="The following files failed the verification process:\n\n${CHANGED_FILES}\n\nThis could indicate a compromise!\n\nWould you like to update your checksums now?" fi if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Boot Hash Mismatch' --yesno "$TEXT" 30 90) then @@ -82,7 +82,7 @@ verify_global_hashes() prompt_update_checksums() { if (whiptail --title 'Update Checksums and sign all files in /boot' \ - --yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that the files in /boot have not been tampered with.\n\nYou will need your GPG key to continue and this change will modify your disk.\n\nDo you want to continue?" 16 90) then + --yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that these files have not been tampered with.\n\nYou will need your GPG key available, and this change will modify your disk.\n\nDo you want to continue?" 16 90) then update_checksums else echo "Returning to the main menu" 
@@ -313,30 +313,34 @@ while true; do fi if [ "$totp_confirm" = "p" ]; then - if (whiptail --title 'Reset the TPM' \ - --yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 16 90) then - /bin/tpm-reset + if [ "$CONFIG_TPM" = "y" ]; then + if (whiptail --title 'Reset the TPM' \ + --yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 16 90) then + /bin/tpm-reset - # now that the TPM is reset, remove invalid TPM counter files - mount_boot - mount -o rw,remount /boot - rm -f /boot/kexec_rollback.txt + # now that the TPM is reset, remove invalid TPM counter files + mount_boot + mount -o rw,remount /boot + rm -f /boot/kexec_rollback.txt - # create Heads TPM counter before any others - check_tpm_counter /boot/kexec_rollback.txt \ - || die "Unable to find/create tpm counter" - counter="$TPM_COUNTER" + # create Heads TPM counter before any others + check_tpm_counter /boot/kexec_rollback.txt \ + || die "Unable to find/create tpm counter" + counter="$TPM_COUNTER" - increment_tpm_counter $counter \ - || die "Unable to increment tpm counter" + increment_tpm_counter $counter \ + || die "Unable to increment tpm counter" - sha256sum /tmp/counter-$counter > /boot/kexec_rollback.txt \ - || die "Unable to create rollback file" - mount -o ro,remount /boot + sha256sum /tmp/counter-$counter > /boot/kexec_rollback.txt \ + || die "Unable to create rollback file" + mount -o ro,remount /boot - update_totp + update_totp + else + echo "Returning to the main menu" + fi else - echo "Returning to the main menu" + whiptail --clear --title 'ERROR: No TPM Detected' --msgbox "This device does not have a TPM.\n\nPress OK to return to the Main Menu" 30 90 fi continue fi 
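Review bot: The new fallback dialog `whiptail --clear --title 'ERROR: No TPM Detected'` is issued without `$CONFIG_ERROR_BG_COLOR`, which the other `ERROR:` dialogs in this file pass, so this one error will not be rendered like the rest. Its text also says the device has no TPM, although the branch is taken on the build-time `CONFIG_TPM` setting rather than on a hardware probe. Something like `whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: TPM Support Disabled' --msgbox "..." 30 90` would match both the styling and what was actually tested. The enclosing menu loop starts and ends outside the hunk.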
@@ -386,10 +390,10 @@ while true; do if [ "$totp_confirm" = "S" ]; then memtotal=$(cat /proc/meminfo | grep 'MemTotal' | tr -s ' ' | cut -f2 -d ' ') - memtotal=$((${memtotal} / 1024 + 1)) + memtotal=$((${memtotal} / 1024 / 1024 + 1)) cpustr=$(cat /proc/cpuinfo | grep 'model name' | uniq | sed -r 's/\(R\)//;s/\(TM\)//;s/CPU //;s/model name.*: //') whiptail --title 'System Info' \ - --msgbox "VER: ${FW_VER}\n\nCPU: ${cpustr}\nRAM: ${memtotal} MB\n\n$(fdisk -l | grep -e '/dev/sd.:' -e '/dev/nvme.*:' | sed 's/B,.*/B/')" 16 60 + --msgbox "VER: ${FW_VER}\n\nCPU: ${cpustr}\nRAM: ${memtotal} GB\n\n$(fdisk -l | grep -e '/dev/sd.:' -e '/dev/nvme.*:' | sed 's/B,.*/B/')" 16 60 continue fi diff --git a/initrd/bin/kexec-select-boot b/initrd/bin/kexec-select-boot index 793d6a79..ef155be4 100755 --- a/initrd/bin/kexec-select-boot +++ b/initrd/bin/kexec-select-boot @@ -173,7 +173,7 @@ scan_options() { kexec-parse-bls "$bootdir" "$i" "$bootdir/loader/entries" >> $option_file done fi - if [ ! -r $option_file ]; then + if [ ! -s $option_file ]; then die "Failed to parse any boot options" fi if [ "$unique" = 'y' ]; then diff --git a/initrd/bin/mount-usb b/initrd/bin/mount-usb index ca7a745f..501171aa 100755 --- a/initrd/bin/mount-usb +++ b/initrd/bin/mount-usb @@ -62,9 +62,11 @@ if [ -z ${USB_MOUNT_DEVICE} ]; then # remove block device from list if numeric partitions exist, since not bootable let USB_NUM_PARTITIONS=`ls -1 $i* | wc -l`-1 if [ ${USB_NUM_PARTITIONS} -eq 0 ]; then - echo $i >> /tmp/usb_disk_list + echo $i $(blkid | grep $i | grep -o 'LABEL=".*"' | cut -f2 -d '"') >> /tmp/usb_disk_list else - ls $i* | tail -${USB_NUM_PARTITIONS} >> /tmp/usb_disk_list + for j in $(ls $i* | tail -${USB_NUM_PARTITIONS}); do + echo $j $(blkid | grep $j | grep -o 'LABEL=".*"' | cut -f2 -d '"') >> /tmp/usb_disk_list + done fi done 
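Review bot: In the mount-usb hunk the label written to `/tmp/usb_disk_list` is read from the filesystem on the removable device, and it is selected with an unquoted, unanchored `blkid | grep $i` / `grep $j`, so `/dev/sdb1` also matches `/dev/sdb10` and one list entry can pick up several labels. The greedy `LABEL=".*"` would also match inside a `PARTLABEL=` field if blkid prints one. Anchoring and quoting, `blkid | grep "^$j:"`, keeps one label per device. Because the label is text chosen by whoever prepared the drive and is presumably shown in the selection menu, consider reducing it to a safe character set before writing it, for example `| tr -cd 'A-Za-z0-9_.-'`. The surrounding loop begins outside the hunk.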
@@ -100,9 +102,9 @@ if [ -z ${USB_MOUNT_DEVICE} ]; then fi if [ "$option_index" = "a" ]; then - exit 1 + exit 5 fi - USB_MOUNT_DEVICE=`head -n $option_index /tmp/usb_disk_list | tail -1` + USB_MOUNT_DEVICE=`head -n $option_index /tmp/usb_disk_list | tail -1 | sed 's/\ .*$//'` fi if [ "$1" = "rw" ]; then diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index 002e399d..24dd0dbe 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -113,7 +113,7 @@ gpg_key_change_pin() } | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \ > /tmp/gpg_card_edit_output 2>/dev/null if [ $? -ne 0 ]; then - ERROR=`cat /tmp/gpg_card_edit_output` + ERROR=`cat /tmp/gpg_card_edit_output | fold -s` whiptail_error_die "GPG Key PIN change failed!\n\n$ERROR" fi } @@ -188,7 +188,7 @@ generate_checksums() mount -o ro,remount /boot if [ $ret = 1 ] ; then - ERROR=$(tail -n 1 /tmp/error) + ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Error signing kexec boot files:\n\n$ERROR" fi } @@ -205,7 +205,15 @@ set_default_boot_option() for i in `find /boot -name "grub.cfg"`; do kexec-parse-boot "/boot" "$i" >> $option_file done - [ ! -r $option_file ] \ + # FC29/30+ may use BLS format grub config files + # https://fedoraproject.org/wiki/Changes/BootLoaderSpecByDefault + # only parse these if $option_file is still empty + if [ ! -s $option_file ] && [ -d "/boot/loader/entries" ]; then + for i in `find /boot -name "grub.cfg"`; do + kexec-parse-bls "/boot" "$i" "/boot/loader/entries" >> $option_file + done + fi + [ ! -s $option_file ] \ && whiptail_error_die "Failed to parse any boot options" # sort boot options 
@@ -217,12 +225,15 @@ set_default_boot_option() # clear existing default configs rm "/boot/kexec_default.*.txt" 2>/dev/null + # get correct index for entry + index=$(grep -n "$entry" $option_file | cut -f1 -d ':') + # write new config - echo "$entry" > /boot/kexec_default.1.txt + echo "$entry" > /boot/kexec_default.$index.txt # validate boot option - cd /boot && /bin/kexec-boot -b "/boot" -e "$entry" -f \ - | xargs sha256sum > $hash_file 2>/dev/null \ + ( cd /boot && /bin/kexec-boot -b "/boot" -e "$entry" -f \ + | xargs sha256sum > $hash_file 2>/dev/null ) \ || whiptail_error_die "Failed to create hashes of boot files" } @@ -323,7 +334,7 @@ echo -e "\nChecking for USB media...\n" umount /media 2>/dev/null # mount-usb will detect and prompt if no USB inserted if ! mount-usb rw 2>/tmp/error; then - ERROR=$(tail -n 1 /tmp/error) + ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Unable to mount USB on /media:\n\n${ERROR}" fi @@ -333,7 +344,7 @@ echo -e "\nChecking for GPG Key...\n" if ! gpg --card-status >/dev/null 2>&1 ; then whiptail_error "Can't access GPG Key; remove and reinsert, then press Enter to retry." if ! gpg --card-status >/dev/null 2>/tmp/error ; then - ERROR=$(tail -n 1 /tmp/error) + ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Unable to detect GPG Key:\n\n${ERROR}" fi fi @@ -358,7 +369,7 @@ if [ "$CONFIG_TPM" = "y" ]; then echo $TPM_PASS_DEF } | /bin/tpm-reset >/dev/null 2>/tmp/error if [ $? -ne 0 ]; then - ERROR=$(tail -n 1 /tmp/error) + ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Error resetting TPM:\n\n${ERROR}" fi fi 
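Review bot: In set_default_boot_option the context line `rm "/boot/kexec_default.*.txt" 2>/dev/null` removes nothing, because the quoted glob is never expanded. Now that the file name carries `$index` instead of a fixed `1`, an older `kexec_default.N.txt` can stay next to the new one, so unquote the pattern: `rm -f /boot/kexec_default.*.txt`. The added `grep -n "$entry" $option_file` also treats the entry as a regular expression and may return more than one line number, which would put a multi-line value into the file name. `index=$(grep -nF -- "$entry" "$option_file" | head -n 1 | cut -f1 -d ':')`, followed by a check that `$index` is non-empty, pins it to a single literal match. The function starts outside the hunk.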
@@ -389,13 +400,13 @@ fi echo -e "\nExporting generated key to USB...\n" # export pubkey to file if ! gpg --export --armor $GPG_GEN_KEY > "${PUBKEY}" 2>/tmp/error ; then - ERROR=$(tail -n 1 /tmp/error) + ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "GPG Key gpg export to file failed!\n\n$ERROR" fi # copy to USB if ! cp "${PUBKEY}" "/media/${GPG_GEN_KEY}.asc" 2>/tmp/error ; then - ERROR=$(tail -n 1 /tmp/error) - whiptail_error_die "Key export error: unable to copy ${GPG_GEN_KEY}.asc to /media:\n\n$ERROR" + ERROR=$(tail -n 1 /tmp/error | fold -s) + whiptail_error_die "Key export error: unable to copy exported pubkey to /media:\n\n$ERROR" fi umount /media 2>/dev/null @@ -403,24 +414,24 @@ umount /media 2>/dev/null echo -e "\nReading current firmware...\n(this will take a minute or two)\n" /bin/flash.sh -r /tmp/oem-setup.rom >/dev/null 2>/tmp/error if [ ! -s /tmp/oem-setup.rom ]; then - ERROR=$(tail -n 1 /tmp/error) + ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Error reading current firmware:\n\n$ERROR" fi # ensure key imported locally if ! cat "$PUBKEY" | gpg --import >/dev/null 2>/tmp/error ; then - ERROR=$(tail -n 1 /tmp/error) + ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Error importing GPG key:\n\n$ERROR" fi # update /.gnupg/trustdb.gpg to ultimately trust all user provided public keys if ! gpg --list-keys --fingerprint --with-colons 2>/dev/null \ | sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' \ | gpg --import-ownertrust >/dev/null 2>/tmp/error ; then - ERROR=$(tail -n 1 /tmp/error) + ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Error importing GPG ownertrust:\n\n$ERROR" fi if ! gpg --update-trust >/dev/null 2>/tmp/error ; then - ERROR=$(tail -n 1 /tmp/error) + ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Error updating GPG ownertrust:\n\n$ERROR" fi # clear any existing heads/gpg files from current firmware 
@@ -446,7 +457,7 @@ fi # flash updated firmware image echo -e "\nAdding generated key to current firmware and re-flashing...\n" if ! /bin/flash.sh /tmp/oem-setup.rom >/dev/null 2>/tmp/error ; then - ERROR=$(tail -n 1 /tmp/error) + ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Error flashing updated firmware image:\n\n$ERROR" fi diff --git a/initrd/bin/seal-hotpkey b/initrd/bin/seal-hotpkey index 8dc37bb2..70b0e933 100755 --- a/initrd/bin/seal-hotpkey +++ b/initrd/bin/seal-hotpkey @@ -68,9 +68,9 @@ if ! hotp_verification info ; then fi # Set HOTP USB Security Dongle branding based on VID -if [ ! $(lsusb | grep -q "20a0:") ]; then +if lsusb | grep -q "20a0:" ; then HOTPKEY_BRANDING="Nitrokey" -elif [ ! $(lsusb | grep -q "316d:") ]; then +elif lsusb | grep -q "316d:" ; then HOTPKEY_BRANDING="Librem Key" else HOTPKEY_BRANDING="HOTP USB Security Dongle" @@ -80,12 +80,12 @@ echo -e "" read -s -p "Enter your $HOTPKEY_BRANDING Admin PIN: " admin_pin echo -e "\n" -hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value $HOTPKEY_BRANDING +hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" if [ $? -ne 0 ]; then echo -e "\n" read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again: " admin_pin echo -e "\n" - if ! hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value $HOTPKEY_BRANDING ; then + if ! hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" ; then # don't leak key on failure shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null die "Setting HOTP secret failed" diff --git a/initrd/bin/usb-scan b/initrd/bin/usb-scan index a9debdf5..d9f26b04 100755 --- a/initrd/bin/usb-scan +++ b/initrd/bin/usb-scan @@ -2,6 +2,7 @@ # Scan for USB installation options set -e -o pipefail . /etc/functions +. /etc/gui_functions . /tmp/config # Unmount any previous boot device 
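Review bot: In the seal-hotpkey hunk only `$HOTPKEY_BRANDING` gains quotes in the two `hotp_initialize` calls; `$HOTP_SECRET` and `$counter_value` are still expanded unquoted, although the `shred` line in the same hunk already quotes `"$HOTP_SECRET"`. An empty or space-containing value would shift the positional arguments, so the admin PIN or the secret could land in the wrong parameter. Quote all four in both calls: `hotp_initialize "$admin_pin" "$HOTP_SECRET" "$counter_value" "$HOTPKEY_BRANDING"`.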
@@ -11,10 +12,8 @@ if grep -q /boot /proc/mounts ; then fi # Mount the USB boot device -if ! grep -q /media /proc/mounts ; then - mount-usb "$CONFIG_USB_BOOT_DEV" \ - || die "Unable to mount /media" -fi +mount_usb || die "Unable to mount /media" + # Get USB boot device USB_BOOT_DEV=$(grep "/media" /etc/mtab | cut -f 1 -d' ') diff --git a/initrd/etc/functions b/initrd/etc/functions index 2e8bd6a4..3ccf7bc7 100755 --- a/initrd/etc/functions +++ b/initrd/etc/functions @@ -271,13 +271,15 @@ update_checksums() || recovery "Unable to mount /boot" fi # remount RW - mount -o rw,remount /boot - cd /boot - find ./ -type f ! -name '*kexec*' | xargs sha256sum > /boot/kexec_hashes.txt - if [ -e /boot/kexec_default_hashes.txt ]; then - DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ') - echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt - fi + mount -o rw,remount /boot + ( + cd /boot + find ./ -type f ! -name '*kexec*' | xargs sha256sum > /boot/kexec_hashes.txt + if [ -e /boot/kexec_default_hashes.txt ]; then + DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ') + echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt + fi + ) # Remove any package trigger log files # We don't need them after the user decides to sign rm -f /boot/kexec_package_trigger* @@ -301,7 +303,7 @@ update_checksums() detect_boot_device() { # unmount /boot to be safe - umount /boot 2>/dev/null + cd / && umount /boot 2>/dev/null # check $CONFIG_BOOT_DEV if set/valid if [ -e "$CONFIG_BOOT_DEV" ]; then diff --git a/initrd/etc/gui_functions b/initrd/etc/gui_functions new file mode 100755 index 00000000..efdc1384 --- /dev/null +++ b/initrd/etc/gui_functions 
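Review bot: Replacing `mount-usb "$CONFIG_USB_BOOT_DEV"` with `mount_usb` drops the configured device argument, since the `mount_usb` added in initrd/etc/gui_functions calls `mount-usb` with no arguments. A board that sets CONFIG_USB_BOOT_DEV would then presumably fall through to the interactive device picker; if that is intended, say so in a comment here, otherwise let the helper pass its arguments on. The helper also ends in `exit 1` on failure, so `|| die "Unable to mount /media"` is unlikely to run. It now unmounts an already mounted /media, where the removed code reused it.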
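Review bot: In update_checksums the new subshell does not check `cd /boot`, and nothing tests the subshell's exit status. If the `cd` or either `sha256sum` pipeline fails, the function carries on with a truncated or wrong `kexec_hashes.txt`, which (presumably further down, outside the hunk) is what gets signed. Make the first line `cd /boot || exit 1` and attach a failure handler to the closing `)` in the file's existing style, as the context line `|| recovery "Unable to mount /boot"` does. A comment noting that `find ... | xargs sha256sum` splits file names on whitespace would also help the next reader.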
@@ -0,0 +1,71 @@ +#!/bin/sh +# Shell functions for common operations using fbwhiptail + +mount_usb() +{ + # Unmount any previous USB device + if grep -q /media /proc/mounts ; then + umount /media || die "Unable to unmount /media" + fi + # Mount the USB boot device + mount-usb && USB_FAILED=0 || ( [ $? -eq 5 ] && exit 1 || USB_FAILED=1 ) + if [ $USB_FAILED -ne 0 ]; then + whiptail --title 'USB Drive Missing' \ + --msgbox "Insert your USB drive and press Enter to continue." 16 60 + mount-usb && USB_FAILED=0 || ( [ $? -eq 5 ] && exit 1 || USB_FAILED=1 ) + if [ $USB_FAILED -ne 0 ]; then + whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Mounting /media Failed' \ + --msgbox "Unable to mount USB device" 16 60 + exit 1 + fi + fi +} + +file_selector() +{ + FILE="" + FILE_LIST=$1 + MENU_MSG=${2:-"Choose the file"} + MENU_TITLE=${3:-"Select your File"} + + # create file menu options + if [ `cat "$FILE_LIST" | wc -l` -gt 0 ]; then + option="" + while [ -z "$option" ] + do + MENU_OPTIONS="" + n=0 + while read option + do + n=`expr $n + 1` + option=$(echo $option | tr " " "_") + MENU_OPTIONS="$MENU_OPTIONS $n ${option}" + done < $FILE_LIST + + MENU_OPTIONS="$MENU_OPTIONS a Abort" + whiptail --clear --title "${MENU_TITLE}" \ + --menu "${MENU_MSG} [1-$n, a to abort]:" 20 120 8 \ + -- $MENU_OPTIONS \ + 2>/tmp/whiptail || die "Aborting" + + option_index=$(cat /tmp/whiptail) + + if [ "$option_index" = "a" ]; then + option="a" + return + fi + + option=`head -n $option_index $FILE_LIST | tail -1` + if [ "$option" == "a" ]; then + return + fi + done + if [ -n "$option" ]; then + FILE=$option + fi + else + whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: No Files Found' \ + --msgbox "No Files found matching the pattern. Aborting." 16 60 + exit 1 + fi +} diff --git a/initrd/init b/initrd/init index 8419739b..660e4dfe 100755 --- a/initrd/init +++ b/initrd/init 
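Review bot: In mount_usb both `mount-usb && USB_FAILED=0 || ( [ $? -eq 5 ] && exit 1 || USB_FAILED=1 )` lines run the fallback in a `( … )` subshell, so `exit 1` leaves only the subshell and `USB_FAILED=1` is lost when it ends. After a failed mount `USB_FAILED` is therefore unset in the calling shell, `[ $USB_FAILED -ne 0 ]` errors out, and the function can return as if the mount had succeeded. A brace group keeps both effects in the current shell: `mount-usb && USB_FAILED=0 || { [ $? -eq 5 ] && exit 1 || USB_FAILED=1; }`. In file_selector, `$FILE_LIST`, `$option_index` and `$MENU_OPTIONS` are expanded unquoted while the entries are file names read from removable media, so names with spaces or glob characters will not round-trip; a header comment stating that limitation would tell callers what to expect.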
@@ -93,7 +93,9 @@ combine_configs . /tmp/config # export firmware version -export FW_VER=$(dmesg | grep 'DMI' | grep -o 'BIOS.*' | cut -f2 -d ' ') +export FW_VER=$(dmesg | grep 'DMI' | grep -o 'BIOS.*' | cut -f2- -d ' ') +# chop off date, since will always be epoch w/timeless builds +FW_VER=${FW_VER::-10} # Add our boot devices into the /etc/fstab, if they are defined # in the configuration file. diff --git a/modules/coreboot b/modules/coreboot index 2f63ee2e..a14ea3ed 100644 --- a/modules/coreboot +++ b/modules/coreboot @@ -1,13 +1,18 @@ modules-$(CONFIG_COREBOOT) += coreboot +ifeq "$(CONFIG_COREBOOT_VERSION)" "4.8.1" +coreboot_version := 4.8.1 +coreboot_hash := f0ddf4db0628c1fe1e8348c40084d9cbeb5771400c963fd419cda3995b69ad23 +else +$(error "$(BOARD): does not specify coreboot version under CONFIG_COREBOOT_VERSION") +endif + #coreboot_version := git #coreboot_repo := https://github.com/osresearch/coreboot -coreboot_version := 4.8.1 coreboot_base_dir := coreboot-$(coreboot_version) coreboot_dir := $(coreboot_base_dir)/$(BOARD) coreboot_tar := coreboot-$(coreboot_version).tar.xz coreboot_url := https://www.coreboot.org/releases/$(coreboot_tar) -coreboot_hash := f0ddf4db0628c1fe1e8348c40084d9cbeb5771400c963fd419cda3995b69ad23 # coreboot builds are specialized on a per-target basis. # The builds are done in a per-target subdirectory diff --git a/modules/gpg2 b/modules/gpg2 index 06099899..318a4cd1 100644 --- a/modules/gpg2 +++ b/modules/gpg2 @@ -1,10 +1,10 @@ modules-$(CONFIG_GPG2) += gpg2 -gpg2_version := 2.2.20 +gpg2_version := 2.2.10 gpg2_dir := gnupg-$(gpg2_version) gpg2_tar := gnupg-$(gpg2_version).tar.bz2 gpg2_url := https://www.gnupg.org/ftp/gcrypt/gnupg/$(gpg2_tar) -gpg2_hash := 04a7c9d48b74c399168ee8270e548588ddbe52218c337703d7f06373d326ca30 +gpg2_hash := 799dd37a86a1448732e339bd20440f4f5ee6e69755f6fd7a73ee8af30840c915 # For reproducibility reasons we have to override the exec_prefix # and datarootdir on the configure line so that the Makefiles will 
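Review bot: `FW_VER=${FW_VER::-10}` is a bash-style substring with a negative length, so it depends on the shell that runs /init accepting that form, which is not visible here. It also misbehaves when FW_VER is shorter than ten characters, for example when dmesg has no DMI line. `FW_VER=${FW_VER% *}` drops the last space-separated field in plain POSIX sh and leaves a one-field value untouched. It also avoids the trailing space that cutting exactly ten characters leaves behind.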
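Review bot: The `$(error …)` branch in modules/coreboot is evaluated whenever the file is read, not only when `CONFIG_COREBOOT=y`. A board that does not build coreboot, and so sets no CONFIG_COREBOOT_VERSION, would abort the whole make run, assuming the module files are included for every board, which this hunk does not show. Wrapping the check in `ifeq "$(CONFIG_COREBOOT)" "y"` … `endif` keeps the hard failure for coreboot boards only. Since the version and its `coreboot_hash` are now selected together, the error text could also list the accepted values.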
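Review bot: The modules/gpg2 hunk moves gnupg backwards from 2.2.20 to 2.2.10, and the libassuan (2.5.3 to 2.5.1), libgcrypt (1.8.5 to 1.8.3) and libgpg-error (1.37 to 1.32) hunks do the same, with no reason visible in the diff. These libraries sit under the signing and verification of /boot, and the older releases lack whatever upstream fixes landed in between. A comment next to each `_version` line stating why the older release is pinned (for example a build or reproducibility problem) and when the pin can be lifted would make the rollback reviewable. The new `_hash` values should be checked against the upstream-signed release files rather than taken from a local download.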
@@ -16,7 +16,7 @@ gpg2_configure := ./configure \ CPPFLAGS="-I$(INSTALL)/include/libusb-1.0" \ --host x86_64-linux-musl \ --with-libusb="$(INSTALL)" \ - --with-gpg-error-prefix="$(INSTALL)" \ + --with-libgpg-error-prefix="$(INSTALL)" \ --with-libgcrypt-prefix="$(INSTALL)" \ --with-libassuan-prefix="$(INSTALL)" \ --with-ksba-prefix="$(INSTALL)" \ @@ -30,12 +30,19 @@ gpg2_configure := ./configure \ --disable-regex \ --disable-doc \ --disable-bzip2 \ + --disable-asm \ --disable-exec \ --disable-photo-viewers \ + --disable-keyserver-helpers \ --disable-ldap \ + --disable-hkp \ + --disable-finger \ + --disable-dns-srv \ + --disable-dns-cert \ --disable-regex \ --disable-nls \ --disable-all-tests \ + --disable-wks-server \ --disable-wks-tools \ --disable-gnutls \ --disable-dirmngr \ diff --git a/modules/hotp-verification b/modules/hotp-verification index 15eff604..d424f1b8 100644 --- a/modules/hotp-verification +++ b/modules/hotp-verification @@ -2,11 +2,11 @@ modules-$(CONFIG_HOTPKEY) += hotp-verification hotp-verification_depends := libusb $(musl_dep) -hotp-verification_version := 5fb260e631b237a298b6dcca47bbd728f2c5ac3a +hotp-verification_version := c0956cfa085bcfc2500c1085dad350a440ccbe40 hotp-verification_dir := hotp-verification-$(hotp-verification_version) hotp-verification_tar := nitrokey-hotp-verification-$(hotp-verification_version).tar.gz hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(hotp-verification_version).tar.gz -hotp-verification_hash := 5d98d158ba97fb970061d68e2c6f41582395e687b7752efb1a8038762b0e7b79 +hotp-verification_hash := c06e9751bc45bf8e57ddb39f15352442eda07530f6fe0e8e1ed3e54274fc165f hotp-verification_target := \ $(MAKE_JOBS) \ 
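Review bot: In the gpg2 configure list `--disable-regex` is passed twice, once above `--disable-doc` and again after the new `--disable-dns-cert`, and one of the two can be dropped. Several of the added switches (`--disable-keyserver-helpers`, `--disable-hkp`, `--disable-finger`, `--disable-dns-srv`, `--disable-dns-cert`) look like options from older GnuPG series. configure only warns about switches it does not know, so they may be no-ops for 2.2.10. If the aim is to keep network-facing code out of the firmware image, confirm it from the configure summary and the `unrecognized options` warning in the build log rather than from the flag list. The configure list continues outside the hunk.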
@@ -19,7 +19,7 @@ hotp-verification_output := \ hotp-verification_configure := \ INSTALL="$(INSTALL)" \ CROSS="$(CROSS)" \ - $(CROSS_TOOLS) $(MAKE) LDFLAGS="$(INSTALL)/lib/libusb-1.0.so" && $(MAKE) install INSTALL="$(INSTALL)" + $(CROSS_TOOLS) $(MAKE) LDFLAGS="$(INSTALL)/lib/libusb-1.0.so" GITVERSION="" LIBUSB_FLAGS="-I/usr/include/libusb-1.0" PKGCONFIG="" && $(MAKE) install INSTALL="$(INSTALL)" hotp-verification_depends += hidapi modules-y += hidapi diff --git a/modules/libassuan b/modules/libassuan index 80099340..3c4e319a 100644 --- a/modules/libassuan +++ b/modules/libassuan @@ -1,16 +1,18 @@ modules-$(CONFIG_GPG2) += libassuan -libassuan_version := 2.5.3 +libassuan_version := 2.5.1 libassuan_dir := libassuan-$(libassuan_version) libassuan_tar := libassuan-$(libassuan_version).tar.bz2 libassuan_url := https://gnupg.org/ftp/gcrypt/libassuan/$(libassuan_tar) -libassuan_hash := 91bcb0403866b4e7c4bc1cc52ed4c364a9b5414b3994f718c70303f7f765e702 +libassuan_hash := 47f96c37b4f2aac289f0bc1bacfa8bd8b4b209a488d3d15e2229cb6cc9b26449 libassuan_configure := ./configure \ $(CROSS_TOOLS) \ --host x86_64-linux-musl \ --prefix "/" \ --disable-static \ - --with-gpg-error-prefix="$(INSTALL)" \ + --disable-nls \ + --with-libgpg-error-prefix="$(INSTALL)" \ + --disable-asm \ libassuan_target := $(MAKE_JOBS) \ DESTDIR="$(INSTALL)" \ diff --git a/modules/libgcrypt b/modules/libgcrypt index 60299549..1ba82fce 100644 --- a/modules/libgcrypt +++ b/modules/libgcrypt 
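Review bot: The added `LIBUSB_FLAGS="-I/usr/include/libusb-1.0"` points the compiler at the build host's libusb headers, while the same command links `$(INSTALL)/lib/libusb-1.0.so` and the gpg2 module uses `-I$(INSTALL)/include/libusb-1.0`. Headers taken from the host can differ from the library built in the tree, and they make the result depend on what the build machine has installed, which works against a reproducible firmware image. I would write `LIBUSB_FLAGS="-I$(INSTALL)/include/libusb-1.0"`. Clearing `GITVERSION` and `PKGCONFIG` looks intended to remove host-dependent inputs, so a short comment saying so above `hotp-verification_configure` would help.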
@@ -1,16 +1,16 @@ modules-$(CONFIG_GPG2) += libgcrypt -libgcrypt_version := 1.8.5 +libgcrypt_version := 1.8.3 libgcrypt_dir := libgcrypt-$(libgcrypt_version) libgcrypt_tar := libgcrypt-$(libgcrypt_version).tar.bz2 libgcrypt_url := https://gnupg.org/ftp/gcrypt/libgcrypt/$(libgcrypt_tar) -libgcrypt_hash := 3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3 +libgcrypt_hash := 66ec90be036747602f2b48f98312361a9180c97c68a690a5f376fa0f67d0af7c libgcrypt_configure := ./configure \ $(CROSS_TOOLS) \ --host=x86_64-linux-musl \ --prefix "/" \ --disable-static \ - --with-gpg-error-prefix="$(INSTALL)" \ + --with-libgpg-error-prefix="$(INSTALL)" \ --disable-asm \ libgcrypt_target := $(MAKE_JOBS) \ diff --git a/modules/libgpg-error b/modules/libgpg-error index 00bd0644..752e11aa 100644 --- a/modules/libgpg-error +++ b/modules/libgpg-error @@ -1,9 +1,9 @@ modules-$(CONFIG_GPG2) += libgpg-error -libgpg-error_version := 1.37 +libgpg-error_version := 1.32 libgpg-error_dir := libgpg-error-$(libgpg-error_version) libgpg-error_tar := libgpg-error-$(libgpg-error_version).tar.bz2 libgpg-error_url := https://gnupg.org/ftp/gcrypt/libgpg-error/$(libgpg-error_tar) -libgpg-error_hash := b32d6ff72a73cf79797f7f2d039e95e9c6f92f0c1450215410840ab62aea9763 +libgpg-error_hash := c345c5e73cc2332f8d50db84a2280abfb1d8f6d4f1858b9daa30404db44540ca libgpg-error_configure := ./configure \ $(CROSS_TOOLS) \ @@ -14,6 +14,7 @@ libgpg-error_configure := ./configure \ --disable-languages \ --disable-doc \ --disable-tests \ + --disable-asm \ libgpg-error_target := $(MAKE_JOBS) \ DESTDIR="$(INSTALL)" \ diff --git a/modules/libksba b/modules/libksba index 587280ed..d3529133 100644 --- a/modules/libksba +++ b/modules/libksba 
@@ -10,7 +10,9 @@ libksba_configure := ./configure \ --host x86_64-linux-musl \ --prefix "/" \ --disable-static \ - --with-gpg-error-prefix="$(INSTALL)" \ + --disable-nls \ + --with-libgpg-error-prefix="$(INSTALL)" \ + --disable-asm \ libksba_target := $(MAKE_JOBS) \ DESTDIR="$(INSTALL)" \ diff --git a/modules/npth b/modules/npth index 2128e1d4..e0f30c69 100644 --- a/modules/npth +++ b/modules/npth @@ -10,7 +10,9 @@ npth_configure := ./configure \ --host x86_64-linux-musl \ --prefix "/" \ --disable-static \ - --with-gpg-error-prefix="$(INSTALL)" \ + --disable-nls \ + --with-libgpg-error-prefix="$(INSTALL)" \ + --disable-asm \ npth_target := $(MAKE_JOBS) \ DESTDIR="$(INSTALL)" \ diff --git a/modules/pinentry b/modules/pinentry index 54d40e11..c0e93d7f 100644 --- a/modules/pinentry +++ b/modules/pinentry @@ -27,8 +27,7 @@ pinentry_configure := ./configure \ --disable-pinentry-fltk \ --disable-pinentry-emacs \ --disable-fallback-curses \ - --disable-pinentry-qt5 \ - --with-gpg-error-prefix="$(INSTALL)" \ + --with-libgpg-error-prefix="$(INSTALL)" \ --with-libassuan-prefix="$(INSTALL)" \ # Run one build to generate the executables with the pre-defined diff --git a/patches/kexec-2.0.20.patch b/patches/kexec-2.0.20.patch index 9e940494..c16cda1b 100644 --- a/patches/kexec-2.0.20.patch +++ b/patches/kexec-2.0.20.patch @@ -1,7 +1,7 @@ -diff --git ./Makefile.in ./Makefile.in +diff --git a/Makefile.in b/Makefile.in index fb01134..bf1973e 100644 ---- ./Makefile.in -+++ ./Makefile.in +--- a/Makefile.in ++++ b/Makefile.in @@ -157,12 +157,12 @@ include $(srcdir)/kexec/Makefile # vmcore-dmesg (read dmesg from a vmcore) 
@@ -17,10 +17,24 @@ index fb01134..bf1973e 100644 SPEC=$(PACKAGE_NAME).spec GENERATED_SRCS:= $(SPEC) -diff --git ./kexec/kexec.c ./kexec/kexec.c +diff --git a/kexec/arch/i386/x86-linux-setup.c b/kexec/arch/i386/x86-linux-setup.c +index 057ee14..43e017a 100644 +--- a/kexec/arch/i386/x86-linux-setup.c ++++ b/kexec/arch/i386/x86-linux-setup.c +@@ -137,7 +137,8 @@ static int setup_linux_vesafb(struct x86_linux_param_header *real_mode) + goto out; + if (-1 == ioctl(fd, FBIOGET_VSCREENINFO, &var)) + goto out; +- if (0 == strcmp(fix.id, "VESA VGA")) { ++ if (0 == strcmp(fix.id, "VESA VGA") ++ || 0 == strcmp(fix.id, "inteldrmfb")) { + /* VIDEO_TYPE_VLFB */ + real_mode->orig_video_isVGA = 0x23; + } else if (0 == strcmp(fix.id, "EFI VGA")) { +diff --git a/kexec/kexec.c b/kexec/kexec.c index bc6ab3d..b82725b 100644 ---- ./kexec/kexec.c -+++ ./kexec/kexec.c +--- a/kexec/kexec.c ++++ b/kexec/kexec.c @@ -805,6 +805,27 @@ static int my_load(const char *type, int fileind, int argc, char **argv, if (sort_segments(&info) < 0) { return -1; @@ -49,10 +63,10 @@ index bc6ab3d..b82725b 100644 /* if purgatory is loaded update it */ update_purgatory(&info); if (entry) -diff --git ./purgatory/Makefile ./purgatory/Makefile +diff --git a/purgatory/Makefile b/purgatory/Makefile index 2dd6c47..2de8f07 100644 ---- ./purgatory/Makefile -+++ ./purgatory/Makefile +--- a/purgatory/Makefile ++++ b/purgatory/Makefile @@ -44,7 +44,6 @@ purgatory/sha256.o: $(srcdir)/util_lib/sha256.c mkdir -p $(@D) $(COMPILE.c) -o $@ $^ @@ -61,10 +75,10 @@ index 2dd6c47..2de8f07 100644 $(PURGATORY): CFLAGS=$(PURGATORY_EXTRA_CFLAGS) \ $($(ARCH)_PURGATORY_EXTRA_CFLAGS) \ -Os -fno-builtin -ffreestanding \ -diff --git ./util/Makefile ./util/Makefile +diff --git a/util/Makefile b/util/Makefile index 948ee63..833a897 100644 ---- ./util/Makefile -+++ ./util/Makefile +--- a/util/Makefile ++++ b/util/Makefile @@ -2,7 +2,7 @@ BIN_TO_HEX:= bin/bin-to-hex $(BIN_TO_HEX): $(srcdir)/util/bin-to-hex.c
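Review bot: The added `strcmp(fix.id, "inteldrmfb")` test in the nested x86-linux-setup.c patch matches one driver's framebuffer id exactly, and nothing records which driver and kernel version report that string. Framebuffer ids are chosen by the driver, so a kernel that reports a different id would fall through to the later branches, and the kexec'd kernel would presumably not get the linear-framebuffer setup. I would add a comment above the condition such as `/* inteldrmfb: id reported by the Intel DRM fbdev console on kernel <version>; treated as a linear framebuffer */`. setup_linux_vesafb starts and ends outside the hunk.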