Merging to osresearch master

Makefile

@@ -71,13 +71,6 @@ initrd_bin_dir	:= $(initrd_dir)/bin
 
 $(shell mkdir -p "$(initrd_lib_dir)" "$(initrd_bin_dir)")
 
-#ifeq "$(CONFIG)" ""
-#CONFIG := config/qemu-moc.config
-#$(eval $(shell echo >&2 "$(DATE) CONFIG is not set, defaulting to $(CONFIG)"))
-#endif
-#
-#include $(CONFIG)
-
 # We are running our own version of make,
 # proceed with the build.
 
@@ -91,6 +84,7 @@ musl_dep	:= musl
 heads_cc	:= $(INSTALL)/bin/musl-gcc \
 	-fdebug-prefix-map=$(pwd)=heads \
 	-gno-record-gcc-switches \
+	-D__MUSL__ \
 
 CROSS		:= $(build)/../crossgcc/x86_64-linux-musl/bin/x86_64-musl-linux-
 CROSS_TOOLS_NOCC := \
@@ -336,8 +330,9 @@ bin_modules-$(CONFIG_FLASHROM) += flashrom
 bin_modules-$(CONFIG_CRYPTSETUP) += cryptsetup
 bin_modules-$(CONFIG_GPG) += gpg
 bin_modules-$(CONFIG_LVM2) += lvm2
-bin_modules-$(CONFIG_XEN) += xen
 bin_modules-$(CONFIG_DROPBEAR) += dropbear
+bin_modules-$(CONFIG_FLASHTOOLS) += flashtools
+bin_modules-$(CONFIG_NEWT) += newt
 
 $(foreach m, $(bin_modules-y), \
 	$(call map,initrd_bin_add,$(call bins,$m)) \
@@ -348,8 +343,6 @@ $(foreach m, $(modules-y), \
 	$(call map,initrd_lib_add,$(call libs,$m)) \
 )
 
-#$(foreach _, $(call outputs,xen), $(eval $(call initrd_bin,$_)))
-
 # hack to install busybox into the initrd
 $(build)/$(BOARD)/heads.cpio: busybox.intermediate
 initrd_bins += $(initrd_bin_dir)/busybox
@@ -370,6 +363,7 @@ $(initrd_bin_dir)/busybox: $(build)/$(busybox_dir)/busybox
 #
 ifeq ($(CONFIG_COREBOOT),y)
 $(eval $(call initrd_bin_add,$(build)/$(coreboot_dir)/util/cbmem/cbmem))
+#$(eval $(call initrd_bin_add,$(build)/$(coreboot_dir)/util/inteltool/inteltool))
 endif
 
 $(build)/$(coreboot_dir)/util/cbmem/cbmem: \
@@ -378,6 +372,12 @@ $(build)/$(coreboot_dir)/util/cbmem/cbmem: \
 	$(call do,MAKE,cbmem,\
 		$(MAKE) -C "$(dir $@)" CC="$(heads_cc)" \
 	)
+$(build)/$(coreboot_dir)/util/inteltool/inteltool: \
+		$(build)/$(coreboot_dir)/.canary \
+		musl.intermediate
+	$(call do,MAKE,inteltool,\
+		$(MAKE) -C "$(dir $@)" CC="$(heads_cc)" \
+	)
 
 #
 # initrd image creation
@@ -429,7 +429,10 @@ $(build)/$(BOARD)/tools.cpio: \
 
 	$(call do,INSTALL,$(CONFIG), \
 		mkdir -p "$(initrd_dir)/etc" ; \
-		cp "$(CONFIG)" "$(initrd_dir)/etc/config" \
+		export \
+			| grep ' CONFIG_' \
+			| sed 's/^declare -x /export /' \
+			> "$(initrd_dir)/etc/config" \
 	)
 	$(call do-cpio,$@,$(initrd_dir))
 	@$(RM) -rf "$(initrd_dir)"
@@ -461,6 +464,8 @@ module_dirs := \
 		$(util-linux_dir) \
 		$(zlib_dir) \
 		$(kernel-headers_dir) \
+		$(slang_dir) \
+		$(newt_dir) \
 
 modules.clean:
 	for dir in $(module_dirs) \

boards/librem13v2.config

@@ -9,19 +9,21 @@ CONFIG_KEXEC=y
 CONFIG_UTIL_LINUX=y
 CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
+CONFIG_NEWT=y
 CONFIG_PCIUTILS=y
 CONFIG_POPT=y
 CONFIG_QRENCODE=y
+CONFIG_SLANG=y
 CONFIG_TPMTOTP=y
 
 CONFIG_LINUX_USB=y
 
-CONFIG_BOOTSCRIPT=/bin/generic-init
-
-CONFIG_BOOT_REQ_HASH=n
-CONFIG_BOOT_REQ_ROLLBACK=n
-CONFIG_BOOT_KERNEL_ADD="intel_iommu=on"
-CONFIG_BOOT_KERNEL_REMOVE="quiet"
-CONFIG_BOOT_DEV="/dev/sda1"
-CONFIG_USB_BOOT_DEV="/dev/sdb1"
-CONFIG_BOOT_LOCAL=y
+export CONFIG_TPM=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 13v2 Heads Boot Menu"
+export CONFIG_USB_BOOT_DEV="/dev/sdb1"

boards/qemu-coreboot.config

@@ -5,23 +5,36 @@ CONFIG_COREBOOT=y
 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu.config
 CONFIG_LINUX_CONFIG=config/linux-qemu.config
 
-CONFIG_CRYPTSETUP=y
-CONFIG_FLASHROM=y
-CONFIG_GPG=y
+ifeq "$(CONFIG_UROOT)" "y"
+CONFIG_BUSYBOX=n
+else
 CONFIG_KEXEC=y
-CONFIG_UTIL_LINUX=y
-CONFIG_LVM2=y
-CONFIG_MBEDTLS=y
-CONFIG_PCIUTILS=y
-CONFIG_POPT=y
 CONFIG_QRENCODE=y
 CONFIG_TPMTOTP=y
+CONFIG_POPT=y
+CONFIG_FLASHTOOLS=y
+CONFIG_FLASHROM=y
+CONFIG_PCIUTILS=y
+CONFIG_UTIL_LINUX=y
+CONFIG_CRYPTSETUP=y
+CONFIG_GPG=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
 CONFIG_DROPBEAR=y
-CONFIG_XEN=y
-CONFIG_XEN_VERSION=4.6
+CONFIG_NEWT=y
+CONFIG_SLANG=y
+endif
 
 CONFIG_LINUX_USB=y
 CONFIG_LINUX_E1000=y
 
-CONFIG_BOOTSCRIPT=/bin/generic-init
-CONFIG_BOOT_LOCAL=y
+export CONFIG_BOOTSCRIPT=/bin/generic-init
+export CONFIG_TPM=n
+
+#run: coreboot.intermediate
+run:
+	qemu-system-x86_64 \
+		--machine q35 \
+		--serial /dev/tty \
+		--bios $(build)/$(BOARD)/coreboot.rom \
+	; stty sane

boards/qemu-linuxboot.config

@@ -4,35 +4,50 @@ CONFIG_LINUXBOOT=y
 CONFIG_LINUXBOOT_BOARD=qemu
 CONFIG_LINUX_CONFIG=config/linux-linuxboot.config
 
-#CONFIG_CRYPTSETUP=y
+ifeq "$(CONFIG_UROOT)" "y"
+CONFIG_BUSYBOX=n
+endif
+
+CONFIG_CRYPTSETUP=y
 #CONFIG_FLASHROM=y
-#CONFIG_GPG=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG=y
 CONFIG_KEXEC=y
 CONFIG_UTIL_LINUX=y
-#CONFIG_LVM2=y
-#CONFIG_MBEDTLS=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
 CONFIG_PCIUTILS=y
-#CONFIG_POPT=y
-#CONFIG_QRENCODE=y
-#CONFIG_TPMTOTP=y
-#CONFIG_XEN=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
 CONFIG_DROPBEAR=y
-CONFIG_FROTZ=y
+#CONFIG_FROTZ=y
 
 CONFIG_LINUX_USB=y
-#CONFIG_LINUX_IGB=y
-#CONFIG_LINUX_MEGARAID=y
-#CONFIG_LINUX_E1000E=y
 CONFIG_LINUX_E1000=y
 CONFIG_LINUX_SCSI_GDTH=y
 CONFIG_LINUX_ATA=y
 CONFIG_LINUX_AHCI=y
 
-CONFIG_BOOTSCRIPT=/bin/generic-init
+export CONFIG_BOOTSCRIPT=/bin/generic-init
+
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_USB_BOOT_DEV="/dev/sdb1"
+
+# You can ssh into the qemu instance by running
+# ssh -p 5555 root@localhost
+# The LinuxBoot firmware should set its ip address to 10.0.2.15
+# or run udhcpc to get a qemu address
+
+run:
+	qemu-system-x86_64 \
+		-machine q35,smm=on  \
+		-global ICH9-LPC.disable_s3=1 \
+		-global driver=cfi.pflash01,property=secure,value=on \
+		-redir tcp:5555::22 \
+		--serial $(or $(SERIAL),/dev/tty) \
+		-drive if=pflash,format=raw,unit=0,file=$(build)/$(BOARD)/linuxboot.rom
+	stty sane
 
-CONFIG_BOOT_REQ_HASH=n
-CONFIG_BOOT_REQ_ROLLBACK=n
-CONFIG_BOOT_DEV="/dev/sda1"
-CONFIG_USB_BOOT_DEV="/dev/sdb1"
-CONFIG_BOOT_REMOTE=y
-CONFIG_BOOT_RECOVERY_SERIAL="/dev/tty0"

boards/r630.config

@@ -16,7 +16,6 @@ CONFIG_PCIUTILS=y
 CONFIG_POPT=y
 CONFIG_QRENCODE=y
 CONFIG_TPMTOTP=y
-#CONFIG_XEN=y
 CONFIG_DROPBEAR=y
 
 CONFIG_LINUX_USB=y
@@ -24,10 +23,9 @@ CONFIG_LINUX_IGB=y
 CONFIG_LINUX_MEGARAID=y
 CONFIG_LINUX_E1000E=y
 
-CONFIG_BOOTSCRIPT=/bin/generic-init
+export CONFIG_BOOTSCRIPT=/bin/generic-init
 
-CONFIG_BOOT_REQ_HASH=n
-CONFIG_BOOT_REQ_ROLLBACK=n
-CONFIG_BOOT_DEV="/dev/sda1"
-CONFIG_USB_BOOT_DEV="/dev/sdb1"
-CONFIG_BOOT_REMOTE=y
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_USB_BOOT_DEV="/dev/sdb1"

boards/s2600wf.config

@@ -15,6 +15,7 @@ CONFIG_LINUX_CONFIG=config/linux-linuxboot.config
 
 #CONFIG_CRYPTSETUP=y
 #CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
 CONFIG_GPG=y
 CONFIG_KEXEC=y
 CONFIG_UTIL_LINUX=y
@@ -24,7 +25,6 @@ CONFIG_PCIUTILS=y
 #CONFIG_POPT=y
 #CONFIG_QRENCODE=y
 #CONFIG_TPMTOTP=y
-#CONFIG_XEN=y
 CONFIG_DROPBEAR=y
 
 CONFIG_LINUX_USB=y
@@ -35,10 +35,9 @@ CONFIG_LINUX_SCSI_GDTH=y
 CONFIG_LINUX_ATA=y
 CONFIG_LINUX_AHCI=y
 
-CONFIG_BOOTSCRIPT=/bin/generic-init
-
-CONFIG_BOOT_REQ_HASH=n
-CONFIG_BOOT_REQ_ROLLBACK=n
-CONFIG_BOOT_DEV="/dev/sda1"
-CONFIG_USB_BOOT_DEV="/dev/sdb1"
-CONFIG_BOOT_REMOTE=y
+export CONFIG_TPM=n
+export CONFIG_BOOTSCRIPT=/bin/generic-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_USB_BOOT_DEV="/dev/sdb1"

boards/winterfell.config

@@ -5,7 +5,7 @@ CONFIG_LINUXBOOT_ROM=blobs/winterfell.rom
 CONFIG_LINUX_CONFIG=config/linux-linuxboot.config
 
 # If you want to build with the go-based u-root instead of Heads
-CONFIG_UROOT=y
+CONFIG_UROOT ?= y
 
 ifeq "$(CONFIG_UROOT)" "y"
 # The busybox will likely be redundant and can be trimmed for space.
@@ -16,6 +16,7 @@ else
 # These don't fit if u-root is turned on
 CONFIG_CRYPTSETUP=y
 CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
 CONFIG_GPG=y
 CONFIG_KEXEC=y
 CONFIG_UTIL_LINUX=y
@@ -25,7 +26,6 @@ CONFIG_PCIUTILS=y
 CONFIG_POPT=y
 #CONFIG_QRENCODE=y
 #CONFIG_TPMTOTP=y
-CONFIG_XEN=y
 CONFIG_DROPBEAR=y
 endif
 
@@ -35,14 +35,14 @@ CONFIG_LINUX_MLX4=y
 CONFIG_LINUX_ATA=y
 CONFIG_LINUX_AHCI=y
 CONFIG_LINUX_E1000E=y
+CONFIG_LINUX_NVME=y
 
-CONFIG_BOOTSCRIPT=/bin/generic-init
-
-CONFIG_BOOT_REQ_HASH=n
-CONFIG_BOOT_REQ_ROLLBACK=n
-CONFIG_BOOT_DEV="/dev/sda1"
-CONFIG_USB_BOOT_DEV="/dev/sdb1"
-CONFIG_BOOT_REMOTE=y
+export CONFIG_BOOTSCRIPT=/bin/generic-init
+export CONFIG_TPM=n
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_USB_BOOT_DEV="/dev/sdb1"
 
 $(build)/$(BOARD)/linuxboot.rom: linuxboot.intermediate
 

boards/x220.config

@@ -15,19 +15,16 @@ CONFIG_PCIUTILS=y
 CONFIG_POPT=y
 CONFIG_QRENCODE=y
 CONFIG_TPMTOTP=y
-CONFIG_XEN=y
-CONFIG_XEN_VERSION=4.6
 CONFIG_DROPBEAR=y
 
 CONFIG_LINUX_USB=y
 CONFIG_LINUX_E1000E=y
 
-CONFIG_BOOTSCRIPT=/bin/generic-init
-
-CONFIG_BOOT_REQ_HASH=n
-CONFIG_BOOT_REQ_ROLLBACK=n
-CONFIG_BOOT_KERNEL_ADD="intel_iommu=on"
-CONFIG_BOOT_KERNEL_REMOVE="quiet"
-CONFIG_BOOT_DEV="/dev/sda1"
-CONFIG_USB_BOOT_DEV="/dev/sdb1"
-CONFIG_BOOT_LOCAL=y
+export CONFIG_BOOTSCRIPT=/bin/generic-init
+export CONFIG_TPM=y
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_USB_BOOT_DEV="/dev/sdb1"

boards/x230.config

@@ -4,7 +4,7 @@ CONFIG_COREBOOT_CONFIG=config/coreboot-x230.config
 CONFIG_LINUX_CONFIG=config/linux-x230.config
 
 CONFIG_CRYPTSETUP=y
-CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
 CONFIG_GPG=y
 CONFIG_KEXEC=y
 CONFIG_UTIL_LINUX=y
@@ -14,20 +14,17 @@ CONFIG_PCIUTILS=y
 CONFIG_POPT=y
 CONFIG_QRENCODE=y
 CONFIG_TPMTOTP=y
-CONFIG_XEN=y
-CONFIG_XEN_VERSION=4.8
 CONFIG_DROPBEAR=y
 CONFIG_TPM=y
 
 CONFIG_LINUX_USB=y
 CONFIG_LINUX_E1000E=y
 
-CONFIG_BOOTSCRIPT=/bin/generic-init
-
-CONFIG_BOOT_REQ_HASH=n
-CONFIG_BOOT_REQ_ROLLBACK=n
-CONFIG_BOOT_KERNEL_ADD="intel_iommu=on"
-CONFIG_BOOT_KERNEL_REMOVE="quiet"
-CONFIG_BOOT_DEV="/dev/sda1"
-CONFIG_USB_BOOT_DEV="/dev/sdb1"
-CONFIG_BOOT_LOCAL=y
+export CONFIG_TPM=y
+export CONFIG_BOOTSCRIPT=/bin/generic-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_USB_BOOT_DEV="/dev/sdb1"

config/coreboot-librem13v2.config

@@ -26,6 +26,7 @@ CONFIG_CACHE_RELOCATED_RAMSTAGE_OUTSIDE_CBMEM=y
 # CONFIG_UPDATE_IMAGE is not set
 CONFIG_BOOTSPLASH_IMAGE=y
 CONFIG_BOOTSPLASH_FILE="bootsplash.jpg"
+CONFIG_MEASURED_BOOT=y
 
 #
 # Mainboard

config/coreboot-qemu.config

@@ -109,7 +109,7 @@ CONFIG_MAINBOARD_PART_NUMBER="QEMU x86 q35/ich9"
 CONFIG_MAINBOARD_VENDOR="Emulation"
 CONFIG_MAX_CPUS=1
 CONFIG_CACHE_ROM_SIZE_OVERRIDE=0x0
-CONFIG_CBFS_SIZE=0x800000
+CONFIG_CBFS_SIZE=0x700000
 # CONFIG_ONBOARD_VGA_IS_PRIMARY is not set
 CONFIG_DIMM_SPD_SIZE=256
 # CONFIG_VGA_BIOS is not set
@@ -151,14 +151,14 @@ CONFIG_BOARD_ROMSIZE_KB_2048=y
 # CONFIG_COREBOOT_ROMSIZE_KB_1024 is not set
 # CONFIG_COREBOOT_ROMSIZE_KB_2048 is not set
 # CONFIG_COREBOOT_ROMSIZE_KB_4096 is not set
-# CONFIG_COREBOOT_ROMSIZE_KB_8192 is not set
+CONFIG_COREBOOT_ROMSIZE_KB_8192=y
 # CONFIG_COREBOOT_ROMSIZE_KB_10240 is not set
-CONFIG_COREBOOT_ROMSIZE_KB_12288=y
+# CONFIG_COREBOOT_ROMSIZE_KB_12288 is not set
 # CONFIG_COREBOOT_ROMSIZE_KB_16384 is not set
 # CONFIG_COREBOOT_ROMSIZE_KB_32768 is not set
 # CONFIG_COREBOOT_ROMSIZE_KB_65536 is not set
-CONFIG_COREBOOT_ROMSIZE_KB=12288
-CONFIG_ROM_SIZE=0xc00000
+CONFIG_COREBOOT_ROMSIZE_KB=8192
+CONFIG_ROM_SIZE=0x800000
 # CONFIG_MAINBOARD_HAS_TPM2 is not set
 # CONFIG_SYSTEM_TYPE_LAPTOP is not set
 # CONFIG_CBFS_AUTOGEN_ATTRIBUTES is not set
@@ -532,7 +532,7 @@ CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="../../build/qemu-coreboot/bzImage"
 CONFIG_PAYLOAD_OPTIONS=""
 # CONFIG_PXE is not set
-CONFIG_LINUX_COMMAND_LINE="acpi=off console=ttyS0 console=tty quiet"
+CONFIG_LINUX_COMMAND_LINE=""
 CONFIG_LINUX_INITRD="../../build/qemu-coreboot/initrd.cpio.xz"
 # CONFIG_PAYLOAD_IS_FLAT_BINARY is not set
 

config/linux-linuxboot.config

@@ -809,7 +809,9 @@ CONFIG_BLK_DEV_RAM_SIZE=65536
 # CONFIG_BLK_DEV_HD is not set
 # CONFIG_BLK_DEV_RBD is not set
 # CONFIG_BLK_DEV_RSXX is not set
-# CONFIG_BLK_DEV_NVME is not set
+CONFIG_NVME_CORE=m
+CONFIG_BLK_DEV_NVME=m
+# CONFIG_BLK_DEV_NVME_SCSI is not set
 # CONFIG_NVME_TARGET is not set
 
 #

initrd/bin/gui-init

@@ -0,0 +1,127 @@
+#!/bin/sh
+# Boot from a local disk installation
+
+CONFIG_BOOT_GUI_MENU_NAME='Heads Boot Menu'
+
+. /etc/functions
+. /etc/config
+
+mount_boot()
+{
+  # Mount local disk if it is not already mounted
+  if ! grep -q /boot /proc/mounts ; then
+    mount -o ro /boot \
+      || recovery "Unable to mount /boot"
+  fi
+}
+
+
+last_half=X
+while true; do
+  MAIN_MENU_OPTIONS=""
+  unset totp_confirm
+  # update the TOTP code every thirty seconds
+  date=`date "+%Y-%m-%d %H:%M:%S"`
+  seconds=`date "+%s"`
+  half=`expr \( $seconds % 60 \) / 30`
+  if [ "$CONFIG_TPM" = n ]; then
+    TOTP="NO TPM"
+  elif [ "$half" != "$last_half" ]; then
+    last_half=$half;
+    TOTP=`unseal-totp`
+    if [ $? -ne 0 ]; then
+      whiptail --clear --title "ERROR: TOTP Generation Failed!" \
+        --menu "ERROR: Heads couldn't generate the TOTP code.\n\nIf you have just reflashed your BIOS, you will need to generate a new TOTP secret.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 20 60 4 \
+        'g' ' Generate new TOTP secret' \
+        'i' ' Ignore error and continue to default boot menu' \
+        'x' ' Exit to recovery shell' \
+        2>/tmp/whiptail || recovery "GUI menu failed"
+
+      totp_confirm=$(cat /tmp/whiptail)
+    fi
+  fi
+
+  if [ "$totp_confirm" = "i" -o -z "$totp_confirm" ]; then 
+    whiptail --clear --title "$CONFIG_BOOT_GUI_MENU_NAME" \
+      --menu "$date\nTOTP code: $TOTP" 20 60 8 \
+      'y' ' Default boot' \
+      'r' ' TOTP does not match, refresh code' \
+      'n' ' TOTP does not match after refresh, troubleshoot' \
+      'm' ' Show OS boot menu' \
+      'u' ' USB boot' \
+      'g' ' Generate new TOTP secret' \
+      'x' ' Exit to recovery shell' \
+      2>/tmp/whiptail || recovery "GUI menu failed"
+
+    totp_confirm=$(cat /tmp/whiptail)
+  fi
+
+  if [ "$totp_confirm" = "x" ]; then
+    recovery "User requested recovery shell"
+  fi
+
+  if [ "$totp_confirm" = "r" ]; then
+    continue
+  fi
+
+  if [ "$totp_confirm" = "n" ]; then
+    if (whiptail --title "TOTP code mismatched" \
+      --yesno "TOTP code mismatches could indicate either TPM tampering or clock drift:\n\nTo correct clock drift: 'date -s HH:MM:SS'\nand save it to the RTC: 'hwclock -w'\nthen reboot and try again.\n\nWould you like to exit to a recovery console?" 30 60) then
+      echo ""
+      echo "To correct clock drift: 'date -s HH:MM:SS'"
+      echo "and save it to the RTC: 'hwclock -w'"
+      echo "then reboot and try again"
+      echo ""
+      recovery "TOTP mismatch"
+    else
+      continue
+    fi
+  fi
+
+  if [ "$totp_confirm" = "u" ]; then
+    exec /bin/usb-init
+    continue
+  fi
+
+  if [ "$totp_confirm" = "g" ]; then
+    if (whiptail --title 'Generate new TOTP secret' \
+        --yesno "This will erase your old secret and replace it with a new one!\n\nDo you want to proceed?" 16 60) then
+      echo "Scan the QR code to add the new TOTP secret"
+      /bin/seal-totp
+      echo "Once you have scanned the QR code, hit Enter to reboot"
+      read
+      /bin/reboot
+    else
+      echo "Returning to the main menu"
+    fi
+    continue
+  fi
+
+  if [ "$totp_confirm" = "m" ]; then
+    # Try to select a kernel from the menu
+    mount_boot
+    kexec-select-boot -m -b /boot -c "grub.cfg" -g
+    continue
+  fi
+
+  if [ "$totp_confirm" = "y" -o -n "$totp_confirm" ]; then
+    # Try to boot the default
+    mount_boot
+	  DEFAULT_FILE=`find /boot/kexec_default.*.txt 2>/dev/null | head -1`
+    if [ -r "$DEFAULT_FILE" ]; then
+      kexec-select-boot -b /boot -c "grub.cfg" \
+      || recovery "Failed default boot"
+    else
+      if (whiptail --title 'No Default Boot Option Configured' \
+          --yesno "There is no default boot option configured yet. Would you like to load a menu of boot options? Otherwise you will return to the main menu." 16 60) then
+        kexec-select-boot -m -b /boot -c "grub.cfg" -g
+      else
+        echo "Returning to the main menu"
+      fi
+      continue
+    fi
+  fi
+
+done
+
+recovery "Something failed during boot"

initrd/bin/kexec-save-default

@@ -45,7 +45,7 @@ fi
 KEY_DEVICES="$paramsdir/kexec_key_devices.txt"
 KEY_LVM="$paramsdir/kexec_key_lvm.txt"
 save_key="n"
-if [ ! -z "$CONFIG_TPM" ]; then
+if [ "$CONFIG_TPM" = "y" ]; then
 	if [ ! -r "$KEY_DEVICES" ]; then
 		read \
 			-n 1 \
@@ -131,7 +131,7 @@ fi
 
 # sign and auto-roll config counter
 extparam=
-if [ ! -z "$CONFIG_TPM" ]; then
+if [ "$CONFIG_TPM" = "y" ]; then
 	extparam=-u
 fi
 kexec-sign-config -p $paramsdir $extparam \

initrd/bin/kexec-select-boot

@@ -12,7 +12,8 @@ valid_hash="n"
 valid_global_hash="n"
 valid_rollback="n"
 force_menu="n"
-while getopts "b:d:p:a:r:c:uim" arg; do
+gui_menu="n"
+while getopts "b:d:p:a:r:c:uimg" arg; do
 	case $arg in
 		b) bootdir="$OPTARG" ;;
 		d) paramsdev="$OPTARG" ;;
@@ -23,6 +24,7 @@ while getopts "b:d:p:a:r:c:uim" arg; do
 		u) unique="y" ;;
 		m) force_menu="y" ;;
 		i) valid_hash="y"; valid_rollback="y" ;;
+		g) gui_menu="y" ;;
 	esac
 done
 
@@ -80,6 +82,24 @@ get_menu_option() {
 
 	if [ $num_options -eq 1 -a $first_menu = "y" ]; then
 		option_index=1
+	elif [ "$gui_menu" = "y" ]; then
+		MENU_OPTIONS=""
+		n=0
+		while read option
+		do
+			parse_option
+			n=`expr $n + 1`
+			name=$(echo $name | tr " " "_")
+			kernel=$(echo $kernel | cut -f2 -d " ")
+			MENU_OPTIONS="$MENU_OPTIONS $n ${name}_[$kernel]"
+		done < $TMP_MENU_FILE
+
+		whiptail --clear --title "Select your boot option" \
+			--menu "Choose the boot option [1-$n, a to abort]:" 20 120 8 \
+			-- $MENU_OPTIONS \
+			2>/tmp/whiptail || die "Aborting boot attempt"
+
+		option_index=$(cat /tmp/whiptail)
 	else
 		echo "+++ Select your boot option:"
 		n=0
@@ -105,14 +125,23 @@ get_menu_option() {
 }
 
 confirm_menu_option() {
-	echo "+++ Please confirm the boot details for $name:"
-	echo $option
+	if [ "$gui_menu" = "y" ]; then
+		whiptail --clear --title "Confirm boot details" \
+			--menu "Confirm the boot details for $name:\n\n$option\n\n" 20 120 8 \
+			-- 'y' "Boot $name" 'd' "Make $name the default" \
+			2>/tmp/whiptail || die "Aborting boot attempt"
 
-	read \
-		-n 1 \
-		-p "Confirm selection by pressing 'y', make default with 'd': " \
-		option_confirm
-	echo
+		option_confirm=$(cat /tmp/whiptail)
+	else
+		echo "+++ Please confirm the boot details for $name:"
+		echo $option
+
+		read \
+			-n 1 \
+			-p "Confirm selection by pressing 'y', make default with 'd': " \
+			option_confirm
+		echo
+	fi
 }
 
 parse_option() {
@@ -232,7 +261,7 @@ do_boot()
 		die "!!! Missing required boot hashes"
 	fi
 
-	if [ ! -z "$CONFIG_TPM" \
+	if [ "$CONFIG_TPM" = "y" \
 		-a -r "$TMP_KEY_DEVICES" ]; then
 		INITRD=`kexec-boot -b "$bootdir" -e "$option" -i` \
 		|| die "!!! Failed to extract the initrd from boot option"
@@ -262,7 +291,7 @@ while true; do
 	TMP_KEY_DEVICES="/tmp/kexec/kexec_key_devices.txt"
 	TMP_KEY_LVM="/tmp/kexec/kexec_key_lvm.txt"
 
-	if [ ! -z "$CONFIG_TPM" \
+	if [ "$CONFIG_TPM" = "y" \
 		-a ! -r "$TMP_KEY_DEVICES" ]; then
 		# Extend PCR4 as soon as possible
 		tpm extend -ix 4 -ic generic \
@@ -274,7 +303,7 @@ while true; do
 		scan_options
 	fi
 
-	if [ ! -z "$CONFIG_TPM" ]; then
+	if [ "$CONFIG_TPM" = "y" ]; then
 		# Optionally enforce device file hashes
 		if [ -r "$TMP_HASH_FILE" ]; then
 			valid_global_hash="n"

initrd/bin/kexec-sign-config

@@ -1,6 +1,7 @@
 #!/bin/sh
 # Sign a valid directory of kexec params
 set -e -o pipefail
+. /etc/config
 . /etc/functions
 
 rollback="n"

initrd/bin/mount-usb

@@ -1,23 +1,9 @@
 #!/bin/sh
 # Mount a USB device
-die() { echo >&2 "!!!!! $@"; exit 1; }
+. /etc/functions
+
+enable_usb
 
-if ! lsmod | grep -q ehci_hcd; then
-	insmod /lib/modules/ehci-hcd.ko \
-	|| die "ehci_hcd: module load failed"
-fi
-if ! lsmod | grep -q ehci_pci; then
-	insmod /lib/modules/ehci-pci.ko \
-  || die "ehci_pci: module load failed"
-fi
-if ! lsmod | grep -q xhci_hcd; then
-	insmod /lib/modules/xhci-hcd.ko \
-	|| die "xhci_hcd: module load failed"
-fi
-if ! lsmod | grep -q xhci_pci; then
-	insmod /lib/modules/xhci-pci.ko \
-	|| die "xhci_pci: module load failed"
-fi
 if ! lsmod | grep -q usb_storage; then
 	insmod /lib/modules/usb-storage.ko \
 	|| die "usb_storage: module load failed"

initrd/bin/usb-init

@@ -4,7 +4,7 @@
 . /etc/functions
 . /etc/config
 
-if [ ! -z "$CONFIG_TPM" ]; then
+if [ "$CONFIG_TPM" = "y" ]; then
 	# Extend PCR4 as soon as possible
 	tpm extend -ix 4 -ic usb
 fi

initrd/etc/functions

@@ -17,7 +17,7 @@ recovery() {
 	# but recreate the directory so that new tools can use it.
 	rm -rf /tmp/secret
 	mkdir -p /tmp/secret
-	if [ ! -z "$CONFIG_TPM" ]; then
+	if [ "$CONFIG_TPM" = y ]; then
 		tpm extend -ix 4 -ic recovery
 	fi
 	echo >&2 "!!!!! Starting recovery shell"
@@ -42,7 +42,7 @@ confirm_totp()
 		date=`date "+%Y-%m-%d %H:%M:%S"`
 		seconds=`date "+%s"`
 		half=`expr \( $seconds % 60 \) / 30`
-		if [ -z "$CONFIG_TPM" ]; then
+		if [ "$CONFIG_TPM" != y ]; then
 			TOTP="NO TPM"
 		elif [ "$half" != "$last_half" ]; then
 			last_half=$half;
@@ -69,6 +69,41 @@ confirm_totp()
 	echo
 }
 
+enable_usb()
+{
+	if [ "$CONFIG_LINUX_USB_COMPANION_CONTROLLER" = y ]; then
+		if ! lsmod | grep -q uhci_hcd; then
+			insmod /lib/modules/uhci-hcd.ko \
+			|| die "uhci_hcd: module load failed"
+		fi
+		if ! lsmod | grep -q ohci_hcd; then
+			insmod /lib/modules/ohci-hcd.ko \
+			|| die "ohci_hcd: module load failed"
+		fi
+		if ! lsmod | grep -q ohci_pci; then
+			insmod /lib/modules/ohci-pci.ko \
+			|| die "ohci_pci: module load failed"
+		fi
+	fi
+	if ! lsmod | grep -q ehci_hcd; then
+		insmod /lib/modules/ehci-hcd.ko \
+		|| die "ehci_hcd: module load failed"
+	fi
+	if ! lsmod | grep -q ehci_pci; then
+		insmod /lib/modules/ehci-pci.ko \
+		|| die "ehci_pci: module load failed"
+	fi
+	if ! lsmod | grep -q xhci_hcd; then
+		insmod /lib/modules/xhci-hcd.ko \
+		|| die "xhci_hcd: module load failed"
+	fi
+	if ! lsmod | grep -q xhci_pci; then
+		insmod /lib/modules/xhci-pci.ko \
+		|| die "xhci_pci: module load failed"
+		sleep 2
+	fi
+}
+
 confirm_gpg_card()
 {
 	read \
@@ -85,23 +120,7 @@ confirm_gpg_card()
 	fi
 
 	# setup the USB so we can reach the GPG card
-	if ! lsmod | grep -q ehci_hcd; then
-		insmod /lib/modules/ehci-hcd.ko \
-		|| die "ehci_hcd: module load failed"
-	fi
-	if ! lsmod | grep -q ehci_pci; then
-		insmod /lib/modules/ehci-pci.ko \
-		|| die "ehci_pci: module load failed"
-	fi
-	if ! lsmod | grep -q xhci_hcd; then
-		insmod /lib/modules/xhci-hcd.ko \
-		|| die "ehci_hcd: module load failed"
-	fi
-	if ! lsmod | grep -q xhci_pci; then
-		insmod /lib/modules/xhci-pci.ko \
-		|| die "ehci_pci: module load failed"
-		sleep 2
-	fi
+	enable_usb
 
 	gpg --card-status \
 	|| die "gpg card read failed"

initrd/init

@@ -16,10 +16,41 @@ mkdir /proc /sys /dev /tmp /boot /media 2>&- 1>&-
 mount /dev 2>/dev/ttyprintk
 mount /proc 2>/dev/ttyprintk
 mount /sys 2>/dev/ttyprintk
+mount /sys/firmware/efi/efivars
+
+# Setup the pty psudeo filesystem
+mkdir /dev/pts
+mount /dev/pts 2>/dev/ttyprintk
+
+if [ ! -r /dev/ptmx ]; then
+	ln -s /dev/pts/ptmx /dev/ptmx
+fi
+
+# bring up the ethernet; maybe should do DHCP?
+ifconfig lo 127.0.0.1
+
+if [ -f /lib/modules/e1000.ko ]; then
+  insmod /lib/modules/e1000.ko
+  ifconfig eth0 10.0.2.15  # qemu
+  ifconfig eth0 > /dev/ttyprintk
+
+# Setup the ssh server, allow root logins and log to stderr
+  if [ ! -d /etc/dropbear ]; then
+    mkdir /etc/dropbear
+  fi
+  dropbear -B -R 2>/dev/ttyprintk
+  ifconfig eth0 | head -1 > /dev/tty0
+fi
 
 # Recovery shells will erase anything from here
 mkdir -p /tmp/secret
 
+# Now it is safe to print a banner
+if [ -r /etc/motd ]; then
+	cat /etc/motd
+	cat /etc/motd > /dev/tty0
+fi
+
 # Load the date from the hardware clock, setting it in local time
 hwclock -l -s
 
@@ -55,76 +86,35 @@ if [ ! -z "$CONFIG_USB_BOOT_DEV" ]; then
 	echo >> /etc/fstab "$CONFIG_USB_BOOT_DEV /media auto defaults,ro 0 0"
 fi
 
-# Now it is safe to print a banner
-if [ ! -z "$CONFIG_LINUXBOOT" ]; then
-	MOTD=/etc/motd.nerf
-else
-	MOTD=/etc/motd.coreboot
-fi
-if [ -r "$MOTD" ]; then
-	cat "$MOTD"
-	if [ ! -z "$CONFIG_BOOT_RECOVERY_SERIAL" ]; then
-		cat "$MOTD" > "$CONFIG_BOOT_RECOVERY_SERIAL"
-	fi
-fi
-
-# Setup remote attestation interface
-if [ ! -z "$CONFIG_BOOT_REMOTE" ]; then
-  # bring up the ethernet; maybe should do DHCP?
-	ifconfig lo 127.0.0.1
-
-	if [ -f /lib/modules/e1000.ko ]; then
-		insmod /lib/modules/e1000.ko
-		ifconfig eth0 10.0.2.15  # qemu
-		ifconfig eth0 > /dev/ttyprintk
-
-		# Setup the ssh server, allow root logins and log to stderr
-		if [ ! -d /etc/dropbear ]; then
-			mkdir /etc/dropbear
-		fi
-		dropbear -B -R 2>/dev/ttyprintk
-
-		ifconfig eth0 | head -1 > "$CONFIG_BOOT_RECOVERY_SERIAL"
-	fi
-fi
-
-# Setup local attestation interface
-if [ ! -z "$CONFIG_BOOT_LOCAL" ]; then
-	if [ ! -x "$CONFIG_BOOTSCRIPT" ]; then
-		recovery 'Boot script missing?  Entering recovery shell'
-		# just in case...
-		if [ ! -z "$CONFIG_TPM" ]; then
-			tpm extend -ix 4 -ic recovery
-		fi
-		exec /bin/ash
-	fi
-
-	# If the user has been holding down r, enter a recovery shell
-	# otherwise immediately start the configured boot script.
-	# We don't print a prompt, since this is a near instant timeout.
-	read \
-		-t 0.1 \
-		-n 1 \
-		boot_option
-	echo
-
-	if [ "$boot_option" = "r" ]; then
-		# Start an interactive shell
-		recovery 'User requested recovery shell'
-		# just in case...
-		if [ ! -z "$CONFIG_TPM" ]; then
-			tpm extend -ix 4 -ic recovery
-		fi
-		exec /bin/ash
-	fi
-
-	echo '***** Normal boot:' $CONFIG_BOOTSCRIPT
-	exec "$CONFIG_BOOTSCRIPT"
-fi
-
-recovery 'Entering recovery shell'
-# belts and suspenders, just in case...
-if [ ! -z "$CONFIG_TPM" ]; then
+if [ ! -x "$CONFIG_BOOTSCRIPT" ]; then
+	recovery 'Boot script missing?  Entering recovery shell'
+	# just in case...
 	tpm extend -ix 4 -ic recovery
+	exec /bin/ash
 fi
+
+# If the user has been holding down r, enter a recovery shell
+# otherwise immediately start the configured boot script.
+# We don't print a prompt, since this is a near instant timeout.
+read \
+	-t 0.1 \
+	-n 1 \
+	boot_option
+echo
+
+if [ "$boot_option" = "r" ]; then
+	# Start an interactive shell
+	recovery 'User requested recovery shell'
+	# just in case...
+	tpm extend -ix 4 -ic recovery
+	exec /bin/ash
+fi
+
+echo '***** Normal boot:' $CONFIG_BOOTSCRIPT
+exec "$CONFIG_BOOTSCRIPT"
+
+# We should never reach here, but just in case...
+recovery 'Boot script failure?  Entering recovery shell'
+# belts and suspenders, just in case...
+tpm extend -ix 4 -ic recovery
 exec /bin/ash

modules/flashtools

@@ -0,0 +1,26 @@
+modules-$(CONFIG_FLASHTOOLS) += flashtools
+
+flashtools_depends := $(musl_dep)
+
+flashtools_version := git
+flashtools_repo := https://github.com/osresearch/flashtools
+
+flashtools_version := 0.0.1
+flashtools_dir := flashtools-$(flashtools_version)
+flashtools_tar := flashtools-$(flashtools_version).tar.gz
+flashtools_url := https://github.com/osresearch/flashtools/archive/v$(flashtools_version).tar.gz
+flashtools_hash := e8205aa3d19e536080f5974ed06ab9a88c4c3f37870c2f6a3a08a2f39302c22c
+
+flashtools_target := \
+	$(CROSS_TOOLS) \
+	CFLAGS="-I$(INSTALL)/include" \
+	LDFLAGS="-L$(INSTALL)/lib" \
+
+flashtools_output := \
+	flashtool \
+	peek \
+	poke \
+
+flashtools_libraries := \
+
+flashtools_configure := 

modules/kexec

@@ -1,10 +1,10 @@
 modules-$(CONFIG_KEXEC) += kexec
 
-kexec_version := 2.0.12
+kexec_version := 2.0.16
 kexec_dir := kexec-tools-$(kexec_version)
 kexec_tar := kexec-tools-$(kexec_version).tar.gz
 kexec_url := https://kernel.org/pub/linux/utils/kernel/kexec/$(kexec_tar)
-kexec_hash := cc7b60dad0da202004048a6179d8a53606943062dd627a2edba45a8ea3a85135
+kexec_hash := cf17fc99bf77c9b39f06ee88ac0e86d0349c4a0c3f8214a3cc78eece872f6f3a
 
 kexec_configure := ./configure \
 	$(CROSS_TOOLS) \

modules/linux

@@ -63,12 +63,20 @@ linux_modules-$(CONFIG_LINUX_MLX4)	+= drivers/net/ethernet/mellanox/mlx4/mlx4_co
 linux_modules-$(CONFIG_LINUX_MLX4)	+= drivers/net/ethernet/mellanox/mlx4/mlx4_en.ko
 
 # USB modules for both types of controllers
+# older boards also need ohci and uhci
+linux_modules-$(CONFIG_LINUX_USB_COMPANION_CONTROLLER)	+= drivers/usb/host/uhci-hcd.ko
+linux_modules-$(CONFIG_LINUX_USB_COMPANION_CONTROLLER)	+= drivers/usb/host/ohci-hcd.ko
+linux_modules-$(CONFIG_LINUX_USB_COMPANION_CONTROLLER)	+= drivers/usb/host/ohci-pci.ko
 linux_modules-$(CONFIG_LINUX_USB)	+= drivers/usb/host/ehci-hcd.ko
 linux_modules-$(CONFIG_LINUX_USB)	+= drivers/usb/host/ehci-pci.ko
 linux_modules-$(CONFIG_LINUX_USB)	+= drivers/usb/host/xhci-hcd.ko
 linux_modules-$(CONFIG_LINUX_USB)	+= drivers/usb/host/xhci-pci.ko
 linux_modules-$(CONFIG_LINUX_USB)	+= drivers/usb/storage/usb-storage.ko
 
+# NVMe driver for winterfell and other servers
+linux_modules-$(CONFIG_LINUX_NVME)	+= drivers/nvme/host/nvme.ko
+linux_modules-$(CONFIG_LINUX_NVME)	+= drivers/nvme/host/nvme-core.ko
+
 EXTRA_FLAGS := -fdebug-prefix-map=$(pwd)=heads -gno-record-gcc-switches
 
 linux_target := \
@@ -124,8 +132,10 @@ $(build)/$(BOARD)/modules.cpio: linux.intermediate
 	@$(RM) -rf "$(module_initrd_dir)"
 
 
-# hack for the coreboot to find the linux kernel
-$(build)/$(BOARD)/bzImage: linux.intermediate
+# The output of the linux.intermediate is the bzImage in the
+# linus build directory.  We need to copy it into our board
+# specific directory for ease of locating it later.
+$(linux_board_dir)/arch/x86/boot/bzImage: linux.intermediate
 $(build)/$(BOARD)/bzImage: $(linux_board_dir)/arch/x86/boot/bzImage
 	$(call do-copy,$<,$@)
 

modules/newt

@@ -0,0 +1,24 @@
+modules-$(CONFIG_NEWT) += newt
+
+newt_depends := popt slang $(musl_dep)
+
+newt_version := 0.52.20
+newt_dir := newt-$(newt_version)
+newt_tar := newt-$(newt_version).tar.gz
+newt_url := https://releases.pagure.org/newt/$(newt_tar)
+newt_hash := 8d66ba6beffc3f786d4ccfee9d2b43d93484680ef8db9397a4fb70b5adbb6dbc
+
+newt_target := \
+	$(MAKE_JOBS) \
+	$(CROSS_TOOLS) \
+
+newt_output := \
+	whiptail \
+
+newt_libraries := \
+	libnewt.so.0.52 \
+
+newt_configure := ./autogen.sh; ./configure \
+	$(CROSS_TOOLS) \
+	--prefix "/" \
+	--host i386-elf-linux \

modules/slang

@@ -0,0 +1,29 @@
+modules-$(CONFIG_SLANG) += slang
+
+slang_version := 2.3.1a
+slang_dir := slang-$(slang_version)
+slang_tar := slang-$(slang_version).tar.bz2
+slang_url := https://www.jedsoft.org/releases/slang/$(slang_tar)
+slang_hash := 54f0c3007fde918039c058965dffdfd6c5aec0bad0f4227192cc486021f08c36
+
+slang_configure := ./configure \
+	$(CROSS_TOOLS) \
+	--prefix "/" \
+	--host i386-elf-linux \
+	--with-png=no \
+	--with-pcre=no \
+	--with-onig=no \
+  && mkdir src/elfobjs
+
+slang_target := \
+	$(MAKE_JOBS) \
+	$(CROSS_TOOLS) \
+	&& $(MAKE) \
+		-C "$(build)/$(slang_dir)" \
+		$(CROSS_TOOLS) \
+		DESTDIR="$(INSTALL)" \
+		install
+
+slang_libraries := src/elfobjs/libslang.so.2
+
+slang_depends := $(musl_dep)

modules/xen

@@ -1,34 +0,0 @@
-modules-$(CONFIG_XEN) += xen
-
-ifeq "$(CONFIG_XEN_VERSION)" "4.8"
-	xen_base_version := 4.8.3
-	xen_version := $(xen_base_version)-2
-	xen_hash := 0d6761a68971e1b7747ae467448a81c16fc97084f96c6832cb4d8f89cbc5dc29
-else
-	xen_base_version := 4.6.6
-	xen_version := $(xen_base_version)-36
-	xen_hash := fcf0703b2931a9230653e0cf38831bad629ab561f6498b8292e532e873286464
-endif
-
-# We extract the entire Xen tree, but only use the xen/xen hypervisor
-# portion since Qubes provides the rest of it.
-xen_dir := qubes-vmm-xen-$(xen_version)
-xen_tar := qubes-vmm-xen-$(xen_version).tar.gz
-xen_url := https://github.com/QubesOS/qubes-vmm-xen/archive/v$(xen_version).tar.gz
-
-xen_depends := musl-cross
-
-xen_output := xen-$(xen_base_version)/xen/xen.gz
-xen_configure :=
-
-xen_target := \
-	$(MAKE_JOBS) \
-	$(CROSS_TOOLS_NOCC) \
-	XEN_WHOAMI=$(GIT_HASH) \
-	XEN_DOMAIN=heads \
-	XEN_BUILD_DATE=1970-01-01 \
-	XEN_BUILD_TIME=00:00:00 \
-	XEN_BUILD_HOST=xen-buildhost \
-	CC="$(CROSS)gcc -fdebug-prefix-map=$(pwd)=heads -gno-record-gcc-switches -Wno-builtin-macro-redefined -D__FILE__=\\\"__FILE__\\\"" \
-	HOSTCC="gcc" \
-	xen.gz

patches/kexec-2.0.12.patch

@@ -1,102 +0,0 @@
-diff -u --recursive ../clean/kexec-tools-2.0.12/include/config.h kexec-tools-2.0.12/include/config.h
---- ../clean/kexec-tools-2.0.12/include/config.h	2016-03-21 21:08:17.000000000 -0400
-+++ kexec-tools-2.0.12/include/config.h	2017-04-08 11:28:01.644379416 -0400
-@@ -11,7 +11,7 @@
- /* #undef HAVE_LIBLZMA */
- 
- /* Define to 1 if you have the `xenctrl' library (-lxenctrl). */
--#define HAVE_LIBXENCTRL 1
-+/* #undef HAVE_LIBXENCTRL */
- 
- /* Define to 1 if you have the `z' library (-lz). */
- #define HAVE_LIBZ 1
-diff -u --recursive ../clean/kexec-tools-2.0.12/kexec/arch/i386/kexec-x86-common.c kexec-tools-2.0.12/kexec/arch/i386/kexec-x86-common.c
---- ../clean/kexec-tools-2.0.12/kexec/arch/i386/kexec-x86-common.c	2015-11-29 18:52:07.000000000 -0500
-+++ kexec-tools-2.0.12/kexec/arch/i386/kexec-x86-common.c	2017-04-08 11:28:00.688368402 -0400
-@@ -24,6 +24,7 @@
- #include <fcntl.h>
- #include <stddef.h>
- #include <stdio.h>
-+#include <inttypes.h>
- #include <errno.h>
- #include <stdint.h>
- #include <string.h>
-@@ -74,20 +75,20 @@
- 		return -1;
- 	}
- 	while(fgets(line, sizeof(line), fp) != 0) {
--		unsigned long long start, end;
-+		uintptr_t start, end;
- 		char *str;
- 		int type;
- 		int consumed;
- 		int count;
- 		if (memory_ranges >= MAX_MEMORY_RANGES)
- 			break;
--		count = sscanf(line, "%Lx-%Lx : %n",
-+		count = sscanf(line, "%"SCNxPTR"-%"SCNxPTR" : %n",
- 			&start, &end, &consumed);
- 		if (count != 2)
- 			continue;
- 		str = line + consumed;
- 
--		dbgprintf("%016Lx-%016Lx : %s", start, end, str);
-+		dbgprintf("%016"PRIxPTR"-%016"PRIxPTR" : %s", start, end, str);
- 
- 		if (memcmp(str, "System RAM\n", 11) == 0) {
- 			type = RANGE_RAM;
-@@ -114,7 +115,7 @@
- 		memory_range[memory_ranges].end = end;
- 		memory_range[memory_ranges].type = type;
- 
--		dbgprintf("%016Lx-%016Lx : %x\n", start, end, type);
-+		dbgprintf("%016"PRIxPTR"-%016"PRIxPTR" : %x\n", start, end, type);
- 
- 		memory_ranges++;
- 	}
-diff -u --recursive ../clean/kexec-tools-2.0.12/Makefile.in kexec-tools-2.0.12/Makefile.in
---- ../clean/kexec-tools-2.0.12/Makefile.in	2014-10-14 00:58:06.000000000 -0400
-+++ kexec-tools-2.0.12/Makefile.in	2017-04-08 11:28:00.688368402 -0400
-@@ -158,16 +158,16 @@
- 
- # kdump (read a crashdump from memory)
- #
--include $(srcdir)/kdump/Makefile
-+#include $(srcdir)/kdump/Makefile
- 
- # vmcore-dmesg (read dmesg from a vmcore)
- #
--include $(srcdir)/vmcore-dmesg/Makefile
-+#include $(srcdir)/vmcore-dmesg/Makefile
- 
- #
- # kexec_test (test program)
- #
--include $(srcdir)/kexec_test/Makefile
-+#include $(srcdir)/kexec_test/Makefile
- 
- SPEC=$(PACKAGE_NAME).spec
- GENERATED_SRCS:= $(SPEC)
-diff -u --recursive ../clean/kexec-tools-2.0.12/purgatory/Makefile kexec-tools-2.0.12/purgatory/Makefile
---- ../clean/kexec-tools-2.0.12/purgatory/Makefile	2015-04-30 01:05:17.000000000 -0400
-+++ kexec-tools-2.0.12/purgatory/Makefile	2017-04-08 11:28:00.688368402 -0400
-@@ -45,7 +45,6 @@
- 	mkdir -p $(@D)
- 	$(COMPILE.c) -o $@ $^
- 
--$(PURGATORY): CC=$(TARGET_CC)
- $(PURGATORY): CFLAGS+=$(PURGATORY_EXTRA_CFLAGS) \
- 		      $($(ARCH)_PURGATORY_EXTRA_CFLAGS) \
- 		      -Os -fno-builtin -ffreestanding \
-diff -u --recursive ../clean/kexec-tools-2.0.12/util/Makefile kexec-tools-2.0.12/util/Makefile
---- ../clean/kexec-tools-2.0.12/util/Makefile	2010-07-29 05:22:16.000000000 -0400
-+++ kexec-tools-2.0.12/util/Makefile	2017-04-08 11:32:33.267394444 -0400
-@@ -2,7 +2,7 @@
- 
- $(BIN_TO_HEX): $(srcdir)/util/bin-to-hex.c
- 	@$(MKDIR) -p $(@D)
--	$(LINK.o) $(CFLAGS) -o $@ $^
-+	$(BUILD_CC) $(BUILD_CFLAGS) -o $@ $^
- 
- $(BIN_TO_HEX): CC=$(BUILD_CC)
- $(BIN_TO_HEX): CFLAGS=$(BUILD_CFLAGS)

patches/kexec-2.0.16.patch

@@ -0,0 +1,89 @@
+diff -u --recursive clean/kexec-tools-2.0.16/Makefile.in kexec-tools-2.0.16/Makefile.in
+--- clean/kexec-tools-2.0.16/Makefile.in	2016-12-09 04:42:06.000000000 -0500
++++ kexec-tools-2.0.16/Makefile.in	2018-02-28 05:39:20.461000000 -0500
+@@ -158,16 +158,16 @@
+ 
+ # kdump (read a crashdump from memory)
+ #
+-include $(srcdir)/kdump/Makefile
++#include $(srcdir)/kdump/Makefile
+ 
+ # vmcore-dmesg (read dmesg from a vmcore)
+ #
+-include $(srcdir)/vmcore-dmesg/Makefile
++#include $(srcdir)/vmcore-dmesg/Makefile
+ 
+ #
+ # kexec_test (test program)
+ #
+-include $(srcdir)/kexec_test/Makefile
++#include $(srcdir)/kexec_test/Makefile
+ 
+ SPEC=$(PACKAGE_NAME).spec
+ GENERATED_SRCS:= $(SPEC)
+diff -u --recursive clean/kexec-tools-2.0.16/include/config.h kexec-tools-2.0.16/include/config.h
+--- clean/kexec-tools-2.0.16/include/config.h	2017-11-20 04:17:12.000000000 -0500
++++ kexec-tools-2.0.16/include/config.h	2018-02-28 05:39:22.420000000 -0500
+@@ -17,7 +17,7 @@
+ /* #undef HAVE_LIBXENCTRL */
+ 
+ /* Define to 1 if you have the `z' library (-lz). */
+-/* #undef HAVE_LIBZ */
++#define HAVE_LIBZ 1
+ 
+ /* Define to 1 if you have the <memory.h> header file. */
+ #define HAVE_MEMORY_H 1
+diff -u --recursive clean/kexec-tools-2.0.16/kexec/kexec.c kexec-tools-2.0.16/kexec/kexec.c
+--- clean/kexec-tools-2.0.16/kexec/kexec.c	2017-03-02 04:45:46.000000000 -0500
++++ kexec-tools-2.0.16/kexec/kexec.c	2018-02-28 10:40:01.662000000 -0500
+@@ -794,6 +794,27 @@
+ 	if (sort_segments(&info) < 0) {
+ 		return -1;
+ 	}
++
++#if 1
++	// force segment 0 to have memsz == bufsz
++	// so that it won't overwrite EBDA
++	if (info.segment[0].mem == 0)
++	{
++		if (kexec_debug)
++			printf("hack ebda into segment 0!\n");
++
++		uint8_t * ebda = calloc(1, info.segment[0].memsz);
++		memcpy(ebda, info.segment[0].buf, info.segment[0].bufsz);
++		info.segment[0].bufsz = info.segment[0].memsz;
++		info.segment[0].buf = ebda;
++
++		// install some default EBDA values that are off scale,
++		// which will force Xen to use the multiboot info
++		*(uint16_t*)(ebda + 0x40e) = 0xFFFF; // segment
++		*(uint16_t*)(ebda + 0x413) = 0xFFFF; // size
++	}
++#endif
++
+ 	/* if purgatory is loaded update it */
+ 	update_purgatory(&info);
+ 	if (entry)
+diff -u --recursive clean/kexec-tools-2.0.16/purgatory/Makefile kexec-tools-2.0.16/purgatory/Makefile
+--- clean/kexec-tools-2.0.16/purgatory/Makefile	2017-01-31 06:23:48.000000000 -0500
++++ kexec-tools-2.0.16/purgatory/Makefile	2018-02-28 05:39:20.461000000 -0500
+@@ -44,7 +44,6 @@
+ 	mkdir -p $(@D)
+ 	$(COMPILE.c) -o $@ $^
+ 
+-$(PURGATORY): CC=$(TARGET_CC)
+ $(PURGATORY): CFLAGS+=$(PURGATORY_EXTRA_CFLAGS) \
+ 		      $($(ARCH)_PURGATORY_EXTRA_CFLAGS) \
+ 		      -Os -fno-builtin -ffreestanding \
+diff -u --recursive clean/kexec-tools-2.0.16/util/Makefile kexec-tools-2.0.16/util/Makefile
+--- clean/kexec-tools-2.0.16/util/Makefile	2010-07-29 05:22:16.000000000 -0400
++++ kexec-tools-2.0.16/util/Makefile	2018-02-28 05:39:20.461000000 -0500
+@@ -2,7 +2,7 @@
+ 
+ $(BIN_TO_HEX): $(srcdir)/util/bin-to-hex.c
+ 	@$(MKDIR) -p $(@D)
+-	$(LINK.o) $(CFLAGS) -o $@ $^
++	$(BUILD_CC) $(BUILD_CFLAGS) -o $@ $^
+ 
+ $(BIN_TO_HEX): CC=$(BUILD_CC)
+ $(BIN_TO_HEX): CFLAGS=$(BUILD_CFLAGS)

patches/musl-cross.patch

@@ -32,29 +32,3 @@ index 4e321c9..6d9ea32 100644
 +
 +# Build GMP, MPFR and MPC
 +GCC_BUILTIN_PREREQS=yes
-diff --git a/defs.sh b/defs.sh
-index f76a2ac..9184123 100644
---- a/defs.sh
-+++ b/defs.sh
-@@ -221,19 +221,19 @@ muslfetchextract() {
- gccprereqs() {
-     if [ ! -e gcc-$GCC_VERSION/gmp ]
-     then
--        fetchextract http://gmplib.org/download/gmp/ gmp-$GMP_VERSION .tar.bz2
-+        fetchextract https://gmplib.org/download/gmp/ gmp-$GMP_VERSION .tar.bz2
-         mv gmp-$GMP_VERSION gcc-$GCC_VERSION/gmp
-     fi
- 
-     if [ ! -e gcc-$GCC_VERSION/mpfr ]
-     then
--        fetchextract http://ftp.gnu.org/gnu/mpfr/ mpfr-$MPFR_VERSION .tar.bz2
-+        fetchextract https://ftp.gnu.org/gnu/mpfr/ mpfr-$MPFR_VERSION .tar.bz2
-         mv mpfr-$MPFR_VERSION gcc-$GCC_VERSION/mpfr
-     fi
- 
-     if [ ! -e gcc-$GCC_VERSION/mpc ]
-     then
-         fetchextract https://ftp.gnu.org/gnu/mpc/ mpc-$MPC_VERSION .tar.gz
-         mv mpc-$MPC_VERSION gcc-$GCC_VERSION/mpc
-     fi
- }

patches/xen-4.6.6-36.patch

@@ -1,140 +0,0 @@
-diff --git ./Makefile ./Makefile
-index 13fa4af..0320888 100644
---- ./Makefile
-+++ ./Makefile
-@@ -122,6 +122,7 @@ verrel:
- 
- .PHONY: clean
- clean::
-+	rm -rf xen-$(version)/
- 	@echo "Running the %clean script of the rpmbuild..."
- 	-$(RPMBUILD) --clean --nodeps $(SPECFILE)
- 
-@@ -153,6 +154,14 @@ update-repo-installer:
- 	for pkg in $(xen-pkgs); do ln -f rpm/x86_64/$$pkg*.rpm ../installer/yum/qubes-dom0/rpm/; done
- 	ln -f rpm/x86_64/xen-hvm-$(version)gui2*-$(release).$(DIST_DOM0)*.rpm ../installer/yum/qubes-dom0/rpm/
- 
-+xen-$(version)/.canary: xen-$(version).tar.gz
-+	tar xzvf xen-$(version).tar.gz
-+	cd xen-$(version) && ../apply-patches ../series.conf ../
-+	touch $@
-+
-+xen.gz: xen-$(version)/.canary
-+	$(MAKE) -C xen-$(version)/ xen
-+
- help:
- 	@echo "Usage: make <target>"
- 	@echo
-diff --git ./apply-patches ./apply-patches
-index b1c8468..74a4c20 100755
---- ./apply-patches
-+++ ./apply-patches
-@@ -6,8 +6,7 @@
- 
- USAGE="$0 [--vanilla] <series.conf> <patchdir> [symbol ...]"
- 
--set -e
--set -o pipefail
-+set -euf
- if test $# -lt 2; then
- 	echo "$USAGE" >&2
- 	exit 1
-@@ -17,10 +16,7 @@ SERIES_CONF=$1
- PATCH_DIR=$2
- shift 2
- 
--(
--	echo "trap 'echo \"*** patch \$_ failed ***\"' ERR"
--	echo "set -ex"
--	egrep -v '^\s*#|^\s*$' <"$SERIES_CONF" | \
--	sed "s|^|patch -s -F0 -E -p1 --no-backup-if-mismatch -i $PATCH_DIR/|"
--) | sh
--
-+for i in `egrep -v '^\s*#|^\s*$' < $SERIES_CONF`
-+do
-+	patch -s -F0 -E -p1 --no-backup-if-mismatch -i $PATCH_DIR/$i
-+done
-diff --git ./series.conf ./series.conf
-index 80972b7..1466c44 100644
---- ./series.conf
-+++ ./series.conf
-@@ -115,3 +115,5 @@ patches.qubes/libxl-disable-forced-vkb-for-HVM.patch
- patches.qubes/xenconsoled-enable-logging.patch
- patches.qubes/vm-0001-hotplug-do-not-attempt-to-remove-containing-xenstore.patch
- patches.qubes/xen-hotplug-qubesdb-update.patch
-+
-+patches.heads/heads.patch
-diff --git ./patches.heads/heads.patch ./patches.heads/heads.patch
-new file mode 100644
-index 0000000..bb17c3d
---- /dev/null
-+++ ./patches.heads/heads.patch
-@@ -0,0 +1,68 @@
-+diff --recursive -u ../xen-4.6.5-clean/xen/arch/x86/boot/head.S ./xen/arch/x86/boot/head.S
-+--- ../xen-4.6.5-clean/xen/arch/x86/boot/head.S	2017-03-07 11:19:05.000000000 -0500
-++++ ./xen/arch/x86/boot/head.S	2017-06-23 21:18:50.498798061 -0400
-+@@ -86,6 +86,8 @@
-+         cmp     $MULTIBOOT_BOOTLOADER_MAGIC,%eax
-+         jne     not_multiboot
-+ 
-++#if 0
-++
-+         /* Set up trampoline segment 64k below EBDA */
-+         movzwl  0x40e,%eax          /* EBDA segment */
-+         cmp     $0xa000,%eax        /* sanity check (high) */
-+@@ -108,6 +110,12 @@
-+         shl     $10-4,%edx
-+         cmp     %eax,%edx           /* compare with BDA value */
-+         cmovb   %edx,%eax           /* and use the smaller */
-++#else
-++	// coreboot does not provide an Extended BIOS Data Area pointer
-++	// just stash things the Multiboot structure, adjusted to bytes
-++        mov     MB_mem_lower(%ebx),%eax
-++        shl     $10-4,%eax
-++#endif
-+ 
-+ 2:      /* Reserve 64kb for the trampoline */
-+         sub     $0x1000,%eax
-+diff --recursive -u ../xen-4.6.5-clean/xen/arch/x86/boot/mkelf32.c ./xen/arch/x86/boot/mkelf32.c
-+--- ../xen-4.6.5-clean/xen/arch/x86/boot/mkelf32.c	2017-03-07 11:19:05.000000000 -0500
-++++ ./xen/arch/x86/boot/mkelf32.c	2017-06-23 21:18:50.498798061 -0400
-+@@ -231,14 +231,14 @@
-+     u32        loadbase, dat_siz, mem_siz;
-+     char      *inimage, *outimage;
-+     int        infd, outfd;
-+-    char       buffer[1024];
-++    char       buffer[1024] = {};
-+     int        bytes, todo, i;
-+ 
-+-    Elf32_Ehdr in32_ehdr;
-+-    Elf32_Phdr in32_phdr;
-++    Elf32_Ehdr in32_ehdr = {};
-++    Elf32_Phdr in32_phdr = {};
-+ 
-+-    Elf64_Ehdr in64_ehdr;
-+-    Elf64_Phdr in64_phdr;
-++    Elf64_Ehdr in64_ehdr = {};
-++    Elf64_Phdr in64_phdr = {};
-+ 
-+     if ( argc != 5 )
-+     {
-+--- ../xen-4.6.5-clean/xen/Makefile.orig	2017-06-26 16:11:02.692193372 -0400
-++++ ./xen/Makefile	2017-06-26 16:11:46.528708643 -0400
-+@@ -97,7 +97,7 @@
-+ 	rm -f tags TAGS cscope.files cscope.in.out cscope.out cscope.po.out GTAGS GPATH GRTAGS GSYMS
-+ 
-+ $(TARGET).gz: $(TARGET)
-+-	gzip -f -9 < $< > $@.new
-++	gzip -f -9 -n < $< > $@.new
-+ 	mv $@.new $@
-+ 
-+ $(TARGET): delete-unfresh-files
-+@@ -121,7 +121,7 @@
-+ 	fi
-+ 
-+ .banner: Makefile
-+-	@if which figlet >/dev/null 2>&1 ; then \
-++	@if false ; then \
-+ 		echo " Xen $(XEN_FULLVERSION)" | figlet -f tools/xen.flf > $@.tmp; \
-+ 	else \
-+ 		echo " Xen $(XEN_FULLVERSION)" > $@.tmp; \

patches/xen-4.8.3-2.patch

@@ -1,130 +0,0 @@
-diff --git ./Makefile ./Makefile
-index 75df729..4113caa 100644
---- ./Makefile
-+++ ./Makefile
-@@ -122,6 +122,7 @@ verrel:
- 
- .PHONY: clean
- clean::
-+	rm -rf xen-$(version)/
- 	@echo "Running the %clean script of the rpmbuild..."
- 	-$(RPMBUILD) --clean --nodeps $(SPECFILE)
- 
-@@ -153,6 +154,14 @@ update-repo-installer:
- 	for pkg in $(xen-pkgs); do ln -f rpm/x86_64/$$pkg*.rpm ../installer/yum/qubes-dom0/rpm/; done
- 	ln -f rpm/x86_64/xen-hvm-$(version)gui2*-$(release).$(DIST_DOM0)*.rpm ../installer/yum/qubes-dom0/rpm/
- 
-+xen-$(version)/.canary: xen-$(version).tar.gz
-+	tar xzvf xen-$(version).tar.gz
-+	cd xen-$(version) && ../apply-patches ../series.conf ../
-+	touch $@
-+
-+xen.gz: xen-$(version)/.canary
-+	$(MAKE) -C xen-$(version)/ xen
-+
- help:
- 	@echo "Usage: make <target>"
- 	@echo
-diff --git ./apply-patches ./apply-patches
-index b1c8468..74a4c20 100755
---- ./apply-patches
-+++ ./apply-patches
-@@ -6,8 +6,7 @@
- 
- USAGE="$0 [--vanilla] <series.conf> <patchdir> [symbol ...]"
- 
--set -e
--set -o pipefail
-+set -euf
- if test $# -lt 2; then
- 	echo "$USAGE" >&2
- 	exit 1
-@@ -17,10 +16,7 @@ SERIES_CONF=$1
- PATCH_DIR=$2
- shift 2
- 
--(
--	echo "trap 'echo \"*** patch \$_ failed ***\"' ERR"
--	echo "set -ex"
--	egrep -v '^\s*#|^\s*$' <"$SERIES_CONF" | \
--	sed "s|^|patch -s -F0 -E -p1 --no-backup-if-mismatch -i $PATCH_DIR/|"
--) | sh
--
-+for i in `egrep -v '^\s*#|^\s*$' < $SERIES_CONF`
-+do
-+	patch -s -F0 -E -p1 --no-backup-if-mismatch -i $PATCH_DIR/$i
-+done
-diff --git ./patches.heads/heads.patch ./patches.heads/heads.patch
-new file mode 100644
-index 0000000..d956f8a
---- /dev/null
-+++ ./patches.heads/heads.patch
-@@ -0,0 +1,54 @@
-+diff -u --recursive xen-4.8.2-clean/xen/arch/x86/boot/head.S xen-4.8.2/xen/arch/x86/boot/head.S
-+--- xen-4.8.2-clean/xen/arch/x86/boot/head.S	2017-09-06 06:26:35.000000000 -0400
-++++ xen-4.8.2/xen/arch/x86/boot/head.S	2017-09-13 21:58:31.186882703 -0400
-+@@ -86,6 +86,8 @@
-+         cmp     $MULTIBOOT_BOOTLOADER_MAGIC,%eax
-+         jne     not_multiboot
-+ 
-++#if 0
-++
-+         /* Set up trampoline segment 64k below EBDA */
-+         movzwl  0x40e,%ecx          /* EBDA segment */
-+         cmp     $0xa000,%ecx        /* sanity check (high) */
-+@@ -108,6 +110,12 @@
-+         shl     $10-4,%edx
-+         cmp     %ecx,%edx           /* compare with BDA value */
-+         cmovb   %edx,%ecx           /* and use the smaller */
-++#else
-++	// coreboot does not provide an Extended BIOS Data Area pointer
-++	// just stash things the Multiboot structure, adjusted to bytes
-++        mov     MB_mem_lower(%ebx),%ecx
-++        shl     $10-4,%ecx
-++#endif
-+ 
-+ 2:      /* Reserve 64kb for the trampoline */
-+         sub     $0x1000,%ecx
-+diff -u --recursive xen-4.8.2-clean/xen/arch/x86/boot/mkelf32.c xen-4.8.2/xen/arch/x86/boot/mkelf32.c
-+--- xen-4.8.2-clean/xen/arch/x86/boot/mkelf32.c	2017-09-06 06:26:35.000000000 -0400
-++++ xen-4.8.2/xen/arch/x86/boot/mkelf32.c	2017-09-13 21:58:31.186882703 -0400
-+@@ -264,10 +264,10 @@
-+     int        bytes, todo, i = 1;
-+     int        num_phdrs = 1;
-+ 
-+-    Elf32_Ehdr in32_ehdr;
-++    Elf32_Ehdr in32_ehdr = {};
-+ 
-+-    Elf64_Ehdr in64_ehdr;
-+-    Elf64_Phdr in64_phdr;
-++    Elf64_Ehdr in64_ehdr = {};
-++    Elf64_Phdr in64_phdr = {};
-+ 
-+     if ( argc < 5 )
-+     {
-+diff -u --recursive xen-4.8.2-clean/xen/Makefile xen-4.8.2/xen/Makefile
-+--- xen-4.8.2-clean/xen/Makefile	2017-09-06 06:26:35.000000000 -0400
-++++ xen-4.8.2/xen/Makefile	2017-09-13 21:58:31.186882703 -0400
-+@@ -152,7 +152,7 @@
-+ 	fi
-+ 
-+ .banner: Makefile
-+-	@if which figlet >/dev/null 2>&1 ; then \
-++	@if false ; then \
-+ 		echo " Xen $(XEN_FULLVERSION)" | figlet -f tools/xen.flf > $@.tmp; \
-+ 	else \
-+ 		echo " Xen $(XEN_FULLVERSION)" > $@.tmp; \
-diff --git ./series.conf ./series.conf
-index 750ec6c..0706300 100644
---- ./series.conf
-+++ ./series.conf
-@@ -97,6 +97,9 @@ patches.qubes/xenconsoled-enable-logging.patch
- patches.qubes/vm-0001-hotplug-do-not-attempt-to-remove-containing-xenstore.patch
- patches.qubes/xen-hotplug-qubesdb-update.patch
- 
-+# Custom patches for Heads
-+patches.heads/heads.patch
-+
- #python3
- patches.misc/0001-python-check-return-value-of-PyErr_NewException.patch
- patches.misc/0002-python-drop-tp_getattr-implementation.patch