Merge pull request #2 from osresearch/master

Merge

.gitignore

@@ -14,3 +14,4 @@ initrd/bin
 initrd/sbin
 initrd/lib
 typescript*
+config/*.old

Makefile

@@ -4,13 +4,23 @@ packages 	:= $(pwd)/packages
 build		:= $(pwd)/build
 config		:= $(pwd)/build
 
-all: x230.rom
-
+# Currently supported targets are x230, chell and qemu
+BOARD		?= x230
+
+all: $(BOARD).rom
+
+# Disable all built in rules
+.SUFFIXES:
 
 
+# Bring in all of the module definitions;
+# these are the external pieces that will be downloaded and built
+# as part of creating the Heads firmware image.
 include modules/*
 
-all: $(modules)
+# These will be built via their intermediate targets
+# This increases the build time, so it is commented out for now
+#all: $(foreach m,$(modules),$m.intermediate)
 
 define prefix =
 $(foreach _, $2, $1$_)
@@ -63,8 +73,14 @@ define define_module =
   endif
 
   # Copy our stored config file into the unpacked directory
-  $(build)/$($1_dir)/.config: config/$1.config $(build)/$($1_dir)/.canary
-	cp "$$<" "$$@"
+  ifdef $1_config
+    $(build)/$($1_dir)/.config: config/$($1_config) $(build)/$($1_dir)/.canary
+	cp -a "$$<" "$$@"
+  else
+    $(build)/$($1_dir)/.config: $(build)/$($1_dir)/.canary
+	touch "$$@"
+  endif
+  
 
   # Use the module's configure variable to build itself
   $(build)/$($1_dir)/.configured: \
@@ -74,14 +90,18 @@ define define_module =
 	touch "$$@"
 
   # Build the target after any dependencies
-  $(call outputs,$1): \
-		$(build)/$($1_dir)/.configured \
-		$(call outputs,$($1_depends))
-	make -C "$(build)/$($1_dir)" $($1_target)
+  $(call outputs,$1): $1.intermediate
 
   # Short hand target for the module
-  $1: $(call outputs,$1)
+  #$1: $(call outputs,$1)
 
+  # Target for all of the outputs, which depend on their dependent modules
+$1.intermediate: \
+		$(build)/$($1_dir)/.configured \
+		$(foreach d,$($1_depends),$d.intermediate)
+	make -C "$(build)/$($1_dir)" $($1_target)
+
+.INTERMEDIATE: $1.intermediate
 endef
 
 $(foreach _, $(modules), $(eval $(call define_module,$_)))
@@ -151,6 +171,9 @@ $(build)/$(coreboot_dir)/util/cbmem/cbmem: $(build)/$(coreboot_dir)/.canary
 # Mounting dm-verity file systems requires dm-verity to be installed
 # We use gpgv to verify the signature on the root hash.
 # Both of these should be brought in as modules instead of from /sbin
+#initrd_bins += initrd/bin/cryptsetup
+initrd/bin/cryptsetup: /sbin/cryptsetup
+	cp "$<" "$@"
 initrd_bins += initrd/bin/dmsetup
 initrd/bin/dmsetup: /sbin/dmsetup
 	cp "$<" "$@"
@@ -174,14 +197,14 @@ initrd_lib_install: $(initrd_bins) $(initrd_libs)
 # initrd image creation
 #
 # The initrd is constructed from various bits and pieces
-# Note the touch and sort operation on the find output -- this
-# ensures that the files always have the same timestamp and
-# appear in the same order.
+# The cpio-clean program is used ensure that the files
+# always have the same timestamp and appear in the same order.
 #
-# If there is in /dev/console, initrd can't startup.
+# If there is no /dev/console, initrd can't startup.
 # We have to force it to be included into the cpio image.
-# Since we are picking up the system's /dev/console, the
-# timestamp will not be reproducible.
+# Since we are picking up the system's /dev/console, there
+# is a chance the build will not be reproducible (although
+# unlikely that their device file has a different major/minor)
 #
 #
 initrd.cpio: $(initrd_bins) $(initrd_libs) initrd_lib_install
@@ -200,6 +223,8 @@ initrd.cpio: $(initrd_bins) $(initrd_libs) initrd_lib_install
 		echo "$@: Unchanged"; \
 		rm "$@.tmp"; \
 	fi
+
+initrd.intermediate: initrd.cpio
 	
 
 # populate the coreboot initrd image from the one we built.
@@ -221,6 +246,8 @@ $(call outputs,coreboot): $(build)/$(coreboot_dir)/bzImage
 #export CC := $(XGCC)/bin/x86_64-elf-gcc
 #export LDFLAGS := -L/lib/x86_64-linux-gnu
 
-x230.rom: $(build)/$(coreboot_dir)/build/coreboot.rom
+x230.rom: $(build)/$(coreboot_dir)/x230/coreboot.rom
 	dd if="$<" of="$@" bs=1M skip=8
 
+qemu.rom: $(build)/$(coreboot_dir)/qemu/coreboot.rom
+	cp -a "$<" "$@"

config/busybox.config

@@ -1,7 +1,7 @@
 #
 # Automatically generated make config: don't edit
 # Busybox version: 1.25.0
-# Sat Aug  6 15:56:20 2016
+# Tue Oct 25 14:38:11 2016
 #
 CONFIG_HAVE_DOT_CONFIG=y
 
@@ -132,10 +132,10 @@ CONFIG_FEATURE_HWIB=y
 #
 # Archival Utilities
 #
-# CONFIG_FEATURE_SEAMLESS_XZ is not set
+CONFIG_FEATURE_SEAMLESS_XZ=y
 # CONFIG_FEATURE_SEAMLESS_LZMA is not set
-# CONFIG_FEATURE_SEAMLESS_BZ2 is not set
-# CONFIG_FEATURE_SEAMLESS_GZ is not set
+CONFIG_FEATURE_SEAMLESS_BZ2=y
+CONFIG_FEATURE_SEAMLESS_GZ=y
 # CONFIG_FEATURE_SEAMLESS_Z is not set
 # CONFIG_AR is not set
 # CONFIG_FEATURE_AR_LONG_FILENAMES is not set
@@ -149,34 +149,34 @@ CONFIG_FEATURE_GUNZIP_LONG_OPTIONS=y
 # CONFIG_LZMA is not set
 # CONFIG_UNXZ is not set
 # CONFIG_XZ is not set
-# CONFIG_BZIP2 is not set
-# CONFIG_CPIO is not set
-# CONFIG_FEATURE_CPIO_O is not set
-# CONFIG_FEATURE_CPIO_P is not set
+CONFIG_BZIP2=y
+CONFIG_CPIO=y
+CONFIG_FEATURE_CPIO_O=y
+CONFIG_FEATURE_CPIO_P=y
 # CONFIG_DPKG is not set
 # CONFIG_DPKG_DEB is not set
 # CONFIG_FEATURE_DPKG_DEB_EXTRACT_ONLY is not set
-# CONFIG_GZIP is not set
-# CONFIG_FEATURE_GZIP_LONG_OPTIONS is not set
+CONFIG_GZIP=y
+CONFIG_FEATURE_GZIP_LONG_OPTIONS=y
 CONFIG_GZIP_FAST=0
 # CONFIG_FEATURE_GZIP_LEVELS is not set
 # CONFIG_LZOP is not set
 # CONFIG_LZOP_COMPR_HIGH is not set
 # CONFIG_RPM is not set
 # CONFIG_RPM2CPIO is not set
-# CONFIG_TAR is not set
-# CONFIG_FEATURE_TAR_CREATE is not set
-# CONFIG_FEATURE_TAR_AUTODETECT is not set
-# CONFIG_FEATURE_TAR_FROM is not set
-# CONFIG_FEATURE_TAR_OLDGNU_COMPATIBILITY is not set
-# CONFIG_FEATURE_TAR_OLDSUN_COMPATIBILITY is not set
-# CONFIG_FEATURE_TAR_GNU_EXTENSIONS is not set
-# CONFIG_FEATURE_TAR_LONG_OPTIONS is not set
-# CONFIG_FEATURE_TAR_TO_COMMAND is not set
-# CONFIG_FEATURE_TAR_UNAME_GNAME is not set
-# CONFIG_FEATURE_TAR_NOPRESERVE_TIME is not set
+CONFIG_TAR=y
+CONFIG_FEATURE_TAR_CREATE=y
+CONFIG_FEATURE_TAR_AUTODETECT=y
+CONFIG_FEATURE_TAR_FROM=y
+CONFIG_FEATURE_TAR_OLDGNU_COMPATIBILITY=y
+CONFIG_FEATURE_TAR_OLDSUN_COMPATIBILITY=y
+CONFIG_FEATURE_TAR_GNU_EXTENSIONS=y
+CONFIG_FEATURE_TAR_LONG_OPTIONS=y
+CONFIG_FEATURE_TAR_TO_COMMAND=y
+CONFIG_FEATURE_TAR_UNAME_GNAME=y
+CONFIG_FEATURE_TAR_NOPRESERVE_TIME=y
 # CONFIG_FEATURE_TAR_SELINUX is not set
-# CONFIG_UNZIP is not set
+CONFIG_UNZIP=y
 
 #
 # Coreutils
@@ -411,30 +411,30 @@ CONFIG_FEATURE_ALLOW_EXEC=y
 #
 # Finding Utilities
 #
-# CONFIG_FIND is not set
-# CONFIG_FEATURE_FIND_PRINT0 is not set
-# CONFIG_FEATURE_FIND_MTIME is not set
-# CONFIG_FEATURE_FIND_MMIN is not set
-# CONFIG_FEATURE_FIND_PERM is not set
-# CONFIG_FEATURE_FIND_TYPE is not set
-# CONFIG_FEATURE_FIND_XDEV is not set
-# CONFIG_FEATURE_FIND_MAXDEPTH is not set
-# CONFIG_FEATURE_FIND_NEWER is not set
-# CONFIG_FEATURE_FIND_INUM is not set
-# CONFIG_FEATURE_FIND_EXEC is not set
-# CONFIG_FEATURE_FIND_EXEC_PLUS is not set
-# CONFIG_FEATURE_FIND_USER is not set
-# CONFIG_FEATURE_FIND_GROUP is not set
-# CONFIG_FEATURE_FIND_NOT is not set
-# CONFIG_FEATURE_FIND_DEPTH is not set
-# CONFIG_FEATURE_FIND_PAREN is not set
-# CONFIG_FEATURE_FIND_SIZE is not set
-# CONFIG_FEATURE_FIND_PRUNE is not set
-# CONFIG_FEATURE_FIND_DELETE is not set
-# CONFIG_FEATURE_FIND_PATH is not set
-# CONFIG_FEATURE_FIND_REGEX is not set
+CONFIG_FIND=y
+CONFIG_FEATURE_FIND_PRINT0=y
+CONFIG_FEATURE_FIND_MTIME=y
+CONFIG_FEATURE_FIND_MMIN=y
+CONFIG_FEATURE_FIND_PERM=y
+CONFIG_FEATURE_FIND_TYPE=y
+CONFIG_FEATURE_FIND_XDEV=y
+CONFIG_FEATURE_FIND_MAXDEPTH=y
+CONFIG_FEATURE_FIND_NEWER=y
+CONFIG_FEATURE_FIND_INUM=y
+CONFIG_FEATURE_FIND_EXEC=y
+CONFIG_FEATURE_FIND_EXEC_PLUS=y
+CONFIG_FEATURE_FIND_USER=y
+CONFIG_FEATURE_FIND_GROUP=y
+CONFIG_FEATURE_FIND_NOT=y
+CONFIG_FEATURE_FIND_DEPTH=y
+CONFIG_FEATURE_FIND_PAREN=y
+CONFIG_FEATURE_FIND_SIZE=y
+CONFIG_FEATURE_FIND_PRUNE=y
+CONFIG_FEATURE_FIND_DELETE=y
+CONFIG_FEATURE_FIND_PATH=y
+CONFIG_FEATURE_FIND_REGEX=y
 # CONFIG_FEATURE_FIND_CONTEXT is not set
-# CONFIG_FEATURE_FIND_LINKS is not set
+CONFIG_FEATURE_FIND_LINKS=y
 CONFIG_GREP=y
 CONFIG_FEATURE_GREP_EGREP_ALIAS=y
 CONFIG_FEATURE_GREP_FGREP_ALIAS=y

config/coreboot-blobs.config

@@ -1 +0,0 @@
-# nothing

config/coreboot-qemu.config

@@ -8,7 +8,6 @@
 #
 CONFIG_LOCALVERSION="-heads"
 CONFIG_CBFS_PREFIX="fallback"
-# CONFIG_MULTIPLE_CBFS_INSTANCES is not set
 CONFIG_COMPILER_GCC=y
 # CONFIG_COMPILER_LLVM_CLANG is not set
 # CONFIG_ANY_TOOLCHAIN is not set
@@ -36,7 +35,6 @@ CONFIG_BOOTBLOCK_SOURCE="bootblock_simple.c"
 # CONFIG_GENERIC_GPIO_LIB is not set
 # CONFIG_BOARD_ID_AUTO is not set
 # CONFIG_BOARD_ID_MANUAL is not set
-CONFIG_DEVICETREE="devicetree.cb"
 # CONFIG_RAM_CODE_SUPPORT is not set
 # CONFIG_BOOTSPLASH_IMAGE is not set
 
@@ -68,6 +66,7 @@ CONFIG_DEVICETREE="devicetree.cb"
 # CONFIG_VENDOR_DIGITALLOGIC is not set
 # CONFIG_VENDOR_DMP is not set
 # CONFIG_VENDOR_ECS is not set
+# CONFIG_VENDOR_ELMEX is not set
 CONFIG_VENDOR_EMULATION=y
 # CONFIG_VENDOR_ESD is not set
 # CONFIG_VENDOR_GETAC is not set
@@ -114,7 +113,7 @@ CONFIG_MAINBOARD_DIR="emulation/qemu-q35"
 CONFIG_MAINBOARD_PART_NUMBER="QEMU x86 q35/ich9"
 CONFIG_MAINBOARD_VENDOR="Emulation"
 CONFIG_MAX_CPUS=1
-CONFIG_CACHE_ROM_SIZE_OVERRIDE=0
+CONFIG_CACHE_ROM_SIZE_OVERRIDE=0x0
 CONFIG_CBFS_SIZE=0x400000
 CONFIG_UART_FOR_CONSOLE=0
 # CONFIG_ONBOARD_VGA_IS_PRIMARY is not set
@@ -138,6 +137,7 @@ CONFIG_BOARD_EMULATION_QEMU_X86_Q35=y
 CONFIG_BOARD_EMULATION_QEMU_X86=y
 # CONFIG_POST_DEVICE is not set
 CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_DEVICETREE="devicetree.cb"
 CONFIG_TTYS0_LCS=3
 # CONFIG_CONSOLE_POST is not set
 CONFIG_DRIVERS_UART_8250IO=y
@@ -188,6 +188,8 @@ CONFIG_UART_PCI_ADDR=0
 CONFIG_HPET_MIN_TICKS=0x80
 # CONFIG_SOC_MARVELL_ARMADA38X is not set
 # CONFIG_SOC_MARVELL_BG4CD is not set
+# CONFIG_SOC_MARVELL_MVMAP2315 is not set
+CONFIG_TTYS0_BAUD=115200
 # CONFIG_SOC_MEDIATEK_MT8173 is not set
 # CONFIG_SOC_NVIDIA_TEGRA124 is not set
 # CONFIG_SOC_NVIDIA_TEGRA210 is not set
@@ -239,6 +241,7 @@ CONFIG_CPU_MICROCODE_CBFS_GENERATE=y
 # CONFIG_CPU_MICROCODE_CBFS_EXTERNAL_HEADER is not set
 # CONFIG_CPU_MICROCODE_CBFS_NONE is not set
 # CONFIG_CPU_MICROCODE_MULTIPLE_FILES is not set
+CONFIG_CPU_UCODE_BINARIES=""
 
 #
 # Northbridge
@@ -266,6 +269,7 @@ CONFIG_SOUTHBRIDGE_INTEL_I82801IX=y
 #
 # Super I/O
 #
+# CONFIG_SUPERIO_NUVOTON_NCT6776_COM_A is not set
 
 #
 # Embedded Controllers
@@ -273,10 +277,10 @@ CONFIG_SOUTHBRIDGE_INTEL_I82801IX=y
 CONFIG_VBOOT_VBNV_OFFSET=0x26
 # CONFIG_VBOOT_VBNV_CMOS is not set
 # CONFIG_VBOOT_VBNV_EC is not set
-# CONFIG_VBOOT_VBNV_FLASH is not set
 # CONFIG_VBOOT is not set
 # CONFIG_MAINBOARD_HAS_CHROMEOS is not set
 # CONFIG_UEFI_2_4_BINDING is not set
+# CONFIG_UDK_2015_BINDING is not set
 # CONFIG_USE_SIEMENS_HWILIB is not set
 # CONFIG_ARCH_ARM is not set
 # CONFIG_ARCH_BOOTBLOCK_ARM is not set
@@ -293,6 +297,10 @@ CONFIG_VBOOT_VBNV_OFFSET=0x26
 # CONFIG_ARCH_RAMSTAGE_ARMV7 is not set
 # CONFIG_ARCH_BOOTBLOCK_ARMV7_M is not set
 # CONFIG_ARCH_VERSTAGE_ARMV7_M is not set
+# CONFIG_ARCH_BOOTBLOCK_ARMV7_R is not set
+# CONFIG_ARCH_VERSTAGE_ARMV7_R is not set
+# CONFIG_ARCH_ROMSTAGE_ARMV7_R is not set
+# CONFIG_ARCH_RAMSTAGE_ARMV7_R is not set
 # CONFIG_ARM_LPAE is not set
 # CONFIG_ARCH_ARM64 is not set
 # CONFIG_ARCH_BOOTBLOCK_ARM64 is not set
@@ -384,6 +392,7 @@ CONFIG_SUBSYSTEM_DEVICE_ID=0x0000
 # CONFIG_SPI_FLASH is not set
 # CONFIG_HAVE_SPI_CONSOLE_SUPPORT is not set
 CONFIG_DRIVERS_UART=y
+# CONFIG_DRIVERS_UART_8250IO_SKIP_INIT is not set
 # CONFIG_NO_UART_ON_SUPERIO is not set
 # CONFIG_UART_OVERRIDE_INPUT_CLOCK_DIVIDER is not set
 # CONFIG_UART_OVERRIDE_REFCLK is not set
@@ -399,6 +408,8 @@ CONFIG_DRIVERS_EMULATION_QEMU_BOCHS=y
 # CONFIG_SMBIOS_PROVIDED_BY_MOBO is not set
 # CONFIG_DRIVERS_I2C_PCF8523 is not set
 # CONFIG_DRIVERS_I2C_RTD2132 is not set
+# CONFIG_MAINBOARD_HAS_I2C_TPM_CR50 is not set
+# CONFIG_DRIVER_I2C_TPM_ACPI is not set
 # CONFIG_INTEL_DP is not set
 # CONFIG_INTEL_DDI is not set
 # CONFIG_INTEL_EDID is not set
@@ -420,6 +431,10 @@ CONFIG_DRIVERS_MC146818=y
 # CONFIG_DRIVER_XPOWERS_AXP209 is not set
 # CONFIG_ACPI_SATA_GENERATOR is not set
 # CONFIG_ACPI_INTEL_HARDWARE_SLEEP_VALUES is not set
+# CONFIG_BOOT_DEVICE_NOT_SPI_FLASH is not set
+CONFIG_BOOT_DEVICE_SPI_FLASH=y
+CONFIG_BOOT_DEVICE_MEMORY_MAPPED=y
+# CONFIG_BOOT_DEVICE_SUPPORTS_WRITES is not set
 # CONFIG_RTC is not set
 # CONFIG_TPM is not set
 CONFIG_STACK_SIZE=0x1000
@@ -447,7 +462,6 @@ CONFIG_CONSOLE_SERIAL_115200=y
 # CONFIG_CONSOLE_SERIAL_38400 is not set
 # CONFIG_CONSOLE_SERIAL_19200 is not set
 # CONFIG_CONSOLE_SERIAL_9600 is not set
-CONFIG_TTYS0_BAUD=115200
 # CONFIG_SPKMODEM is not set
 # CONFIG_CONSOLE_NE2K is not set
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000
@@ -506,7 +520,7 @@ CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="./bzImage"
 CONFIG_PAYLOAD_OPTIONS=""
 # CONFIG_PXE is not set
-CONFIG_LINUX_COMMAND_LINE="console=ttyS0 console=tty"
+CONFIG_LINUX_COMMAND_LINE="acpi=off console=ttyS0 console=tty"
 CONFIG_LINUX_INITRD=""
 # CONFIG_PAYLOAD_IS_FLAT_BINARY is not set
 
@@ -535,7 +549,6 @@ CONFIG_LINUX_INITRD=""
 # CONFIG_DEBUG_BOOT_STATE is not set
 # CONFIG_ENABLE_APIC_EXT_ID is not set
 CONFIG_WARNINGS_ARE_ERRORS=y
-CONFIG_IASL_WARNINGS_ARE_ERRORS=y
 # CONFIG_POWER_BUTTON_DEFAULT_ENABLE is not set
 # CONFIG_POWER_BUTTON_DEFAULT_DISABLE is not set
 # CONFIG_POWER_BUTTON_FORCE_ENABLE is not set

config/coreboot-x230.config

@@ -68,6 +68,7 @@ CONFIG_MEASURED_BOOT=y
 # CONFIG_VENDOR_DIGITALLOGIC is not set
 # CONFIG_VENDOR_DMP is not set
 # CONFIG_VENDOR_ECS is not set
+# CONFIG_VENDOR_ELMEX is not set
 # CONFIG_VENDOR_EMULATION is not set
 # CONFIG_VENDOR_ESD is not set
 # CONFIG_VENDOR_GETAC is not set
@@ -114,7 +115,7 @@ CONFIG_MAINBOARD_DIR="lenovo/x230"
 CONFIG_MAINBOARD_PART_NUMBER="ThinkPad X230"
 CONFIG_MAINBOARD_VENDOR="LENOVO"
 CONFIG_MAX_CPUS=8
-CONFIG_CACHE_ROM_SIZE_OVERRIDE=0
+CONFIG_CACHE_ROM_SIZE_OVERRIDE=0x0
 CONFIG_CBFS_SIZE=0x400000
 CONFIG_UART_FOR_CONSOLE=0
 CONFIG_VGA_BIOS_ID="8086,0166"
@@ -137,7 +138,7 @@ CONFIG_ID_SECTION_OFFSET=0x80
 CONFIG_USBDEBUG_HCD_INDEX=2
 CONFIG_IFD_BIOS_SECTION=""
 CONFIG_IFD_ME_SECTION=""
-CONFIG_TPM_PIRQ=0
+CONFIG_TPM_PIRQ=0x0
 CONFIG_BOOT_DEVICE_SPI_FLASH_BUS=0
 CONFIG_DRIVERS_PS2_KEYBOARD=y
 CONFIG_DEVICETREE="devicetree.cb"
@@ -312,6 +313,7 @@ CONFIG_SOUTHBRIDGE_INTEL_COMMON_GPIO=y
 #
 # Super I/O
 #
+# CONFIG_SUPERIO_NUVOTON_NCT6776_COM_A is not set
 
 #
 # Embedded Controllers
@@ -461,6 +463,7 @@ CONFIG_SPI_FLASH_WINBOND=y
 # CONFIG_SPI_FLASH_FAST_READ_DUAL_OUTPUT_3B is not set
 # CONFIG_HAVE_SPI_CONSOLE_SUPPORT is not set
 CONFIG_DRIVERS_UART=y
+# CONFIG_DRIVERS_UART_8250IO_SKIP_INIT is not set
 CONFIG_NO_UART_ON_SUPERIO=y
 # CONFIG_UART_OVERRIDE_INPUT_CLOCK_DIVIDER is not set
 # CONFIG_UART_OVERRIDE_REFCLK is not set

config/kexec.config

@@ -1 +0,0 @@
-# nothing

config/linux.config

@@ -2023,17 +2023,17 @@ CONFIG_CRYPTO_RSA=m
 CONFIG_CRYPTO_MANAGER=y
 CONFIG_CRYPTO_MANAGER2=y
 CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
-CONFIG_CRYPTO_GF128MUL=m
+CONFIG_CRYPTO_GF128MUL=y
 CONFIG_CRYPTO_NULL=m
 CONFIG_CRYPTO_NULL2=y
 # CONFIG_CRYPTO_PCRYPT is not set
 CONFIG_CRYPTO_WORKQUEUE=y
-CONFIG_CRYPTO_CRYPTD=m
+CONFIG_CRYPTO_CRYPTD=y
 CONFIG_CRYPTO_MCRYPTD=m
 CONFIG_CRYPTO_AUTHENC=m
 # CONFIG_CRYPTO_TEST is not set
-CONFIG_CRYPTO_ABLK_HELPER=m
-CONFIG_CRYPTO_GLUE_HELPER_X86=m
+CONFIG_CRYPTO_ABLK_HELPER=y
+CONFIG_CRYPTO_GLUE_HELPER_X86=y
 
 #
 # Authenticated Encryption with Associated Data
@@ -2051,9 +2051,9 @@ CONFIG_CRYPTO_CBC=y
 CONFIG_CRYPTO_CTR=m
 CONFIG_CRYPTO_CTS=m
 CONFIG_CRYPTO_ECB=y
-CONFIG_CRYPTO_LRW=m
+CONFIG_CRYPTO_LRW=y
 CONFIG_CRYPTO_PCBC=m
-CONFIG_CRYPTO_XTS=m
+CONFIG_CRYPTO_XTS=y
 CONFIG_CRYPTO_KEYWRAP=m
 
 #
@@ -2098,8 +2098,8 @@ CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m
 # Ciphers
 #
 CONFIG_CRYPTO_AES=y
-CONFIG_CRYPTO_AES_X86_64=m
-CONFIG_CRYPTO_AES_NI_INTEL=m
+CONFIG_CRYPTO_AES_X86_64=y
+CONFIG_CRYPTO_AES_NI_INTEL=y
 CONFIG_CRYPTO_ANUBIS=m
 CONFIG_CRYPTO_ARC4=m
 CONFIG_CRYPTO_BLOWFISH=m

config/mbedtls.config

@@ -1 +0,0 @@
-# nothing

config/qrencode.config

@@ -1 +0,0 @@
-# nothing

config/tpmtotp.config

@@ -1 +0,0 @@
-# nothing

config/xen.config

@@ -1 +0,0 @@
-# Nothing

initrd/bin/seal-key

@@ -0,0 +1,74 @@
+#!/bin/sh
+# This will generate a disk encryption key and seal / ecncrypt
+# with the current PCRs and then store it in the TPM NVRAM.
+# It will then need to be bundled into initrd that is booted with Qubes.
+
+TPM_INDEX=3
+TPM_SIZE=312
+KEY_FILE=/tmp/secret.key
+
+die() { echo >&2 "$@"; exit 1; }
+warn() { echo >&2 "$@"; }
+
+read -s -p "New key password: " key_password
+echo
+read -s -p "Repeat password: " key_password2
+echo
+
+if [ "$key_password" -ne "$key_password2" ]; then
+	die "Key passwords do not match"
+fi
+
+dd \
+	if=/dev/urandom \
+	of="$KEY_FILE" \
+	bs=1 \
+	count=128 \
+	2>/dev/null \
+|| die "Unable to generate 128 random bytes"
+
+
+# Use the current values of the PCRs, which will be read
+# from the TPM as part of the sealing ("X").
+# should this read the storage root key?
+sealfile2 \
+	-if "$KEY_FILE" \
+	-of /tmp/sealed \
+	-pwdd "$key_password" \
+	-hk 40000000 \
+	-ix 0 X \
+	-ix 1 X \
+	-ix 2 X \
+	-ix 3 X \
+	-ix 4 X \
+|| die "Unable to seal secret"
+
+rm "$KEY_FILE"
+
+
+# to create an nvram space we need the TPM owner password
+# and the TPM physical presence must be asserted.
+#
+# The permissions are 0 since there is nothing special
+# about the sealed file
+physicalpresence -s \
+|| warn "Warning: Unable to assert physical presence"
+
+read -s -p "TPM Owner password: " tpm_password
+echo
+
+nv_definespace \
+	-in $TPM_INDEX \
+	-sz $TPM_SIZE \
+	-pwdo "$tpm_password" \
+	-per 0 \
+|| die "Warning: Unable to define NVRAM space; trying anyway"
+
+
+nv_writevalue \
+	-in $TPM_INDEX \
+	-if /tmp/sealed \
+|| die "Unable to write sealed secret to NVRAM"
+
+rm /tmp/sealed
+

initrd/bin/start-xen

@@ -9,8 +9,8 @@ KERNEL=/boot/vmlinuz-4.4.14-11.pvops.qubes.x86_64
 
 echo "+++ Checking $XEN"
 gpgv "${XEN}.asc" "${XEN}" || die "Xen signature failed"
-echo "+++ Checking $INITRD"
 
+echo "+++ Checking $INITRD"
 gpgv "${INITRD}.asc" "${INITRD}" || die "Initrd signature failed"
 
 echo "+++ Checking $KERNEL"

initrd/bin/unseal-key

@@ -0,0 +1,34 @@
+#!/bin/sh
+# This will unseal and unecncrypt the drive encryption key from the TPM
+# It will then need to be bundled into initrd that is booted with Qubes.
+
+TPM_INDEX=3
+TPM_SIZE=312
+
+die() { echo >&2 "$@"; exit 1; }
+warn() { echo >&2 "$@"; }
+
+key_file="$1"
+if [ -z "$key_file" ]; then
+	key_file=/tmp/secret.key
+fi
+
+read -s -p "Encryption password: " tpm_password
+echo
+
+nv_readvalue \
+	-in "$TPM_INDEX" \
+	-sz "$TPM_SIZE" \
+	-of /tmp/sealed \
+|| die "Unable to read key from TPM NVRAM"
+
+unsealfile \
+	-if /tmp/sealed \
+	-of "$key_file" \
+	-pwdd "$tpm_password" \
+	-hk 40000000 \
+|| die "Unable to unseal disk encryption key"
+
+rm /tmp/sealed
+
+

initrd/init

@@ -35,4 +35,5 @@ echo
 	
 
 # Start an interactive shell
+export PATH=/sbin:/usr/sbin:/bin:/usr/bin
 exec /bin/ash

modules/busybox

@@ -7,5 +7,6 @@ busybox_url := https://busybox.net/downloads/$(busybox_tar)
 busybox_hash := 5a0fe06885ee1b805fb459ab6aaa023fe4f2eccee4fb8c0fd9a6c17c0daca2fc
 
 busybox_configure := make oldconfig
+busybox_config := busybox.config
 busybox_output := busybox
 

modules/coreboot

@@ -9,14 +9,26 @@ coreboot_dir := coreboot-$(coreboot_version)
 
 coreboot_repo := https://github.com/osresearch/coreboot
 
-coreboot_configure := make oldconfig
-coreboot_output := build/coreboot.rom
+# Coreboot builds are specialized on a per-target basis.
+# The builds are done in a per-target subdirectory
+#coreboot_config := coreboot-$(TARGET).config
+
+coreboot_configure := \
+	make oldconfig obj=./$(BOARD) DOTCONFIG=../../config/coreboot-$(BOARD).config
+
+coreboot_target := \
+	obj=./$(BOARD) DOTCONFIG=../../config/coreboot-$(BOARD).config -j 8
+
+coreboot_output := $(BOARD)/coreboot.rom
+
 
 # hack to force a build dependency on the cross compiler
-$(build)/$(coreboot_dir)/.configured: $(build)/$(coreboot_dir)/util/crossgcc/xgcc/bin/iasl
-$(build)/$(coreboot_dir)/util/crossgcc/xgcc/bin/iasl:
-	echo '******* Building gcc (this might take a while) ******'
+$(build)/$(coreboot_dir)/.configured: $(build)/$(coreboot_dir)/util/crossgcc/xgcc/bin/i386-elf-gcc
+$(build)/$(coreboot_dir)/util/crossgcc/xgcc/bin/i386-elf-gcc:
+	echo '******* Building crossgcc-i386 (this might take a while) ******'
 	time make -C "$(build)/$(coreboot_dir)" crossgcc-i386
+	#echo '******* Building crossgcc-arm (this might take a while) ******'
+	#time make -C "$(build)/$(coreboot_dir)" crossgcc-arm
 
 # The coreboot-blobs must be unpacked before we can build coreboot
 # if we are using a tar file; git checkout will clone the submodule.

modules/linux

@@ -12,3 +12,5 @@ linux_hash := $(linux-$(linux_version)_hash)
 
 linux_configure := make oldconfig
 linux_output := arch/x86/boot/bzImage
+linux_config := linux.config
+linux_target := -j 8 bzImage

modules/xen

@@ -10,3 +10,4 @@ xen_hash := 02badfce9a037bd1bd4a94210c1f6b85467746216c71795805102b514bcf1fc4
 
 xen_output := xen.gz
 xen_configure := 
+xen_target := -j 8