mirror of
https://github.com/linuxboot/heads.git
Merge branch 'master' of ssh://github.com/osresearch/heads
commit
be725ed104
1
.gitignore
vendored
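--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,4 @@ initrd/bin
 initrd/sbin
 initrd/lib
 typescript*
+config/*.old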
70
Makefile
70
Makefile
@ -4,13 +4,23 @@ packages := $(pwd)/packages
|
||||
build := $(pwd)/build
|
||||
config := $(pwd)/build
|
||||
|
||||
all: x230.rom
|
||||
|
||||
# Currently supported targets are x230, chell and qemu
|
||||
BOARD ?= qemu
|
||||
|
||||
all: $(BOARD).rom
|
||||
|
||||
# Disable all built in rules
|
||||
.SUFFIXES:
|
||||
|
||||
|
||||
# Bring in all of the module definitions;
|
||||
# these are the external pieces that will be downloaded and built
|
||||
# as part of creating the Heads firmware image.
|
||||
include modules/*
|
||||
|
||||
all: $(modules)
|
||||
# These will be built via their intermediate targets
|
||||
# This increases the build time, so it is commented out for now
|
||||
#all: $(foreach m,$(modules),$m.intermediate)
|
||||
|
||||
define prefix =
|
||||
$(foreach _, $2, $1$_)
|
||||
@ -62,9 +72,16 @@ define define_module =
|
||||
touch "$$@"
|
||||
endif
|
||||
|
||||
# Copy our stored config file into the unpacked directory
|
||||
$(build)/$($1_dir)/.config: config/$1.config $(build)/$($1_dir)/.canary
|
||||
cp "$$<" "$$@"
|
||||
ifeq "$($1_config)" ""
|
||||
# There is no official .config file
|
||||
$(build)/$($1_dir)/.config: $(build)/$($1_dir)/.canary
|
||||
touch "$$@"
|
||||
else
|
||||
# Copy the stored config file into the unpacked directory
|
||||
$(build)/$($1_dir)/.config: config/$($1_config) $(build)/$($1_dir)/.canary
|
||||
cp -a "$$<" "$$@"
|
||||
endif
|
||||
|
||||
|
||||
# Use the module's configure variable to build itself
|
||||
$(build)/$($1_dir)/.configured: \
|
||||
@ -74,14 +91,18 @@ define define_module =
|
||||
touch "$$@"
|
||||
|
||||
# Build the target after any dependencies
|
||||
$(call outputs,$1): \
|
||||
$(build)/$($1_dir)/.configured \
|
||||
$(call outputs,$($1_depends))
|
||||
make -C "$(build)/$($1_dir)" $($1_target)
|
||||
$(call outputs,$1): $1.intermediate
|
||||
|
||||
# Short hand target for the module
|
||||
$1: $(call outputs,$1)
|
||||
#$1: $(call outputs,$1)
|
||||
|
||||
# Target for all of the outputs, which depend on their dependent modules
|
||||
$1.intermediate: \
|
||||
$(build)/$($1_dir)/.configured \
|
||||
$(foreach d,$($1_depends),$d.intermediate)
|
||||
make -C "$(build)/$($1_dir)" $($1_target)
|
||||
|
||||
.INTERMEDIATE: $1.intermediate
|
||||
endef
|
||||
|
||||
$(foreach _, $(modules), $(eval $(call define_module,$_)))
|
||||
@ -123,6 +144,7 @@ endef
|
||||
|
||||
$(foreach _, $(call bins,kexec), $(eval $(call initrd_bin_add,$_)))
|
||||
$(foreach _, $(call bins,tpmtotp), $(eval $(call initrd_bin_add,$_)))
|
||||
$(foreach _, $(call bins,cryptsetup), $(eval $(call initrd_bin_add,$_)))
|
||||
|
||||
$(foreach _, $(call libs,tpmtotp), $(eval $(call initrd_lib_add,$_)))
|
||||
$(foreach _, $(call libs,mbedtls), $(eval $(call initrd_lib_add,$_)))
|
||||
@ -151,7 +173,7 @@ $(build)/$(coreboot_dir)/util/cbmem/cbmem: $(build)/$(coreboot_dir)/.canary
|
||||
# Mounting dm-verity file systems requires dm-verity to be installed
|
||||
# We use gpgv to verify the signature on the root hash.
|
||||
# Both of these should be brought in as modules instead of from /sbin
|
||||
initrd_bins += initrd/bin/dmsetup
|
||||
#initrd_bins += initrd/bin/dmsetup
|
||||
initrd/bin/dmsetup: /sbin/dmsetup
|
||||
cp "$<" "$@"
|
||||
initrd_bins += initrd/bin/gpgv
|
||||
@ -174,14 +196,14 @@ initrd_lib_install: $(initrd_bins) $(initrd_libs)
|
||||
# initrd image creation
|
||||
#
|
||||
# The initrd is constructed from various bits and pieces
|
||||
# Note the touch and sort operation on the find output -- this
|
||||
# ensures that the files always have the same timestamp and
|
||||
# appear in the same order.
|
||||
# The cpio-clean program is used ensure that the files
|
||||
# always have the same timestamp and appear in the same order.
|
||||
#
|
||||
# If there is in /dev/console, initrd can't startup.
|
||||
# If there is no /dev/console, initrd can't startup.
|
||||
# We have to force it to be included into the cpio image.
|
||||
# Since we are picking up the system's /dev/console, the
|
||||
# timestamp will not be reproducible.
|
||||
# Since we are picking up the system's /dev/console, there
|
||||
# is a chance the build will not be reproducible (although
|
||||
# unlikely that their device file has a different major/minor)
|
||||
#
|
||||
#
|
||||
initrd.cpio: $(initrd_bins) $(initrd_libs) initrd_lib_install
|
||||
@ -193,14 +215,16 @@ initrd.cpio: $(initrd_bins) $(initrd_libs) initrd_lib_install
|
||||
) \
|
||||
| cpio --quiet -H newc -o \
|
||||
| ../cpio-clean \
|
||||
> "../$@.tmp"
|
||||
> "../$@.tmp"
|
||||
if ! cmp --quiet "$@" "$@.tmp"; then \
|
||||
mv "$@.tmp" "$@"; \
|
||||
else \
|
||||
echo "$@: Unchanged"; \
|
||||
rm "$@.tmp"; \
|
||||
fi
|
||||
|
||||
|
||||
initrd.intermediate: initrd.cpio
|
||||
|
||||
|
||||
# populate the coreboot initrd image from the one we built.
|
||||
# 4.4 doesn't allow this, but building from head does.
|
||||
@ -216,11 +240,13 @@ $(build)/$(coreboot_dir)/bzImage: $(call outputs,linux)
|
||||
$(call outputs,coreboot): $(build)/$(coreboot_dir)/bzImage
|
||||
|
||||
|
||||
# The CoreBoot gcc won't work for us since it doesn't have libc
|
||||
# The coreboot gcc won't work for us since it doesn't have libc
|
||||
#XGCC := $(build)/$(coreboot_dir)/util/crossgcc/xgcc/
|
||||
#export CC := $(XGCC)/bin/x86_64-elf-gcc
|
||||
#export LDFLAGS := -L/lib/x86_64-linux-gnu
|
||||
|
||||
x230.rom: $(build)/$(coreboot_dir)/build/coreboot.rom
|
||||
x230.rom: $(build)/$(coreboot_dir)/x230/coreboot.rom
|
||||
dd if="$<" of="$@" bs=1M skip=8
|
||||
|
||||
qemu.rom: $(build)/$(coreboot_dir)/qemu/coreboot.rom
|
||||
cp -a "$<" "$@"
|
||||
|
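Review bot: The new `$1.intermediate` recipe in `define_module` calls a literal `make -C "$(build)/$($1_dir)" $($1_target)`, so the per-module sub-builds do not share the parent's jobserver and are not treated as recursive under `make -n`; inside this `define` it should read `$$(MAKE) -C "$(build)/$($1_dir)" $($1_target)` so the reference survives `$(eval)`. In the same define, `cp -a "$$<" "$$@"` preserves the stored config's timestamp, so `.config` can remain older than its `.canary` prerequisite and the copy would then re-run on every invocation; plain `cp "$$<" "$$@"` avoids that. The added comment lists `chell` as a supported `BOARD`, but only `x230.rom` and `qemu.rom` rules are visible in this diff, so `BOARD=chell` appears to have no target unless one is defined outside the hunks shown. `define_module` begins above the lines shown here.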
175
README.md
175
README.md
@ -12,7 +12,7 @@ to commodity hardware. Among its goals are:
|
||||
* Measure and attest to the state of the firmware
|
||||
* Measure and verify all filesystems
|
||||
|
||||

|
||||

|
||||
|
||||
NOTE: It is a work in progress and not yet ready for users.
|
||||
If you're interested in contributing, please get in touch.
|
||||
@ -20,13 +20,15 @@ Installation requires disassembly of your laptop or server,
|
||||
external SPI flash programmers, possible risk of destruction and
|
||||
significant frustration.
|
||||
|
||||
More information is available in [the 33C3 presentation of building "Slightly more secure systems"](https://trmm.net/Heads_33c3).
|
||||
|
||||
|
||||
Building heads
|
||||
===
|
||||
|
||||
Components:
|
||||
|
||||
* CoreBoot
|
||||
* coreboot
|
||||
* Linux
|
||||
* busybox
|
||||
* kexec
|
||||
@ -35,7 +37,7 @@ Components:
|
||||
|
||||
The top level `Makefile` will handle most of the details -- it downloads
|
||||
the various packages, patches them, configures and builds, and then
|
||||
copies the necessary parts into the `initrd` directory.
|
||||
copies the necessary parts into the `initrd` directory.
|
||||
|
||||
Notes:
|
||||
---
|
||||
@ -49,169 +51,6 @@ of the Xen command line. Booting or installing Qubes is a bit hacky and needs t
|
||||
* Coreboot 4.4 does not handle initrd separately from the kernel correctly, so it must be bundled into the coreboot image. Building from git does the right thing.
|
||||
|
||||
|
||||
Threat model
|
||||
===
|
||||
Heads considers two broad classes of threats:
|
||||
|
||||
* Attackers with physical access to the system
|
||||
** Customs officials, LEO, etc with brief access
|
||||
** "Evil maid" attacks with longer, but still limited access (sans password)
|
||||
** Stolen machines, with unlimited physical access without password
|
||||
** Insider attacks with unlimited time, with password
|
||||
** Insider attacks with unlimited time, with password and without regard for the machine
|
||||
|
||||
* Attackers with ring0 code execution on the runtime system
|
||||
|
||||
The first is hardest to deal with since it allows an attacker to
|
||||
make physical changes to the machine. Without a hardware root of
|
||||
trust and secrets stored inside that CPU, it is very difficult to
|
||||
project against a physical attackers who can replace components and
|
||||
fake measurements. Hardware measurements of the boot ROM (such as
|
||||
Intel's Boot Guard) can help, although a dedicated attacker could
|
||||
replace the CPU with one that is not fused to do the initial measurement.
|
||||
The best that we can do is to lock the bootblock on the SPI flash,
|
||||
perform the first measurement from it and hope that there are not any
|
||||
exploits against the chip itself.
|
||||
|
||||
The second class is also a difficult challenge, but since it is only
|
||||
a software attack, we have better hopes of handling with some harware
|
||||
modifications. The SPI flash chip's boot block protection modes can
|
||||
be locked on and the WP# pin grounded, which will prevent any software
|
||||
attacks from overwriting that portion of the boot ROM. This gives us
|
||||
a better root of trust than the EFI configurations, most of which do
|
||||
not lock the boot ROM.
|
||||
|
||||
Even if they are not able to write to the ROM, the attackers might
|
||||
be able to use their software code execution to modify the system
|
||||
software or boot partition on the drive. The recommended OS
|
||||
configuration is a read-only `/boot` and `/` filesystem, with
|
||||
only the user data directories writable. Additional protection
|
||||
comes from using dm-verity on the file systems, which will
|
||||
detect any writes to the filesystem through a hash tree
|
||||
that is signed by the user's (offline) key.
|
||||
|
||||
Updates to `/` or `/boot` will require a special boot mode,
|
||||
which can be selected by the boot firmware. After the file
|
||||
systems are updated, the user can sign the new hashes with their
|
||||
key on a different machine and store the signed root hash on the
|
||||
drive. TPM keys might need to be migrated as well for the recovery
|
||||
boot mode. On next boot the firmware will mount the drives read-only
|
||||
and verify that the correct key was used to sign the changes,
|
||||
and the TPM should be able to unseal the secrets for TPMTOTP
|
||||
as well as the drive decryption.
|
||||
|
||||
|
||||
|
||||
---
|
||||
|
||||
|
||||
dm-verity setup
|
||||
===
|
||||
*You must install `libdevmapper-dev`, `libpopt-dev` and `libgcrypt-dev` to build cryptsetup*
|
||||
|
||||
This set of tools isn't the easiest to use. It is possible to store
|
||||
hashes on the device that is being hashed if some work is done ahead
|
||||
of time to reserve the last few blocks or if the file system can be
|
||||
resized.
|
||||
|
||||
The size of the hash table grows logarithmic with the size of the
|
||||
filesystem. Every 4K block is hashed, and then 4K of those blocks
|
||||
are hashed, and so on until there is only one hash left.
|
||||
Each hash is 32 bytes, so the hash tree size is 32 * log_4096(fs)
|
||||
|
||||
The hashes can be stored on a separate device or on the free space
|
||||
at the end of an existing partition. This will require resizing
|
||||
if you didn't allocate the space initially.
|
||||
|
||||
The sizes of physical partitions can be read (in 512-byte blocks) from
|
||||
`/sys/class/block/sda1/size`. The `resize2fs` tool (assuming you're using
|
||||
a normal ext4 filesystem) will not resize smaller than the free
|
||||
space. Figure out the desired size
|
||||
|
||||
fs_size = $[30 * 1024 * 1024]
|
||||
e2fsck hdd.img
|
||||
resize2fs hdd.img $fs_size
|
||||
|
||||
Once the file system has been resized to make space at the end,
|
||||
the dm-verity tools can generate the hashes. The file system
|
||||
must be unmounted before this is done, otherwise the hashes
|
||||
will not be correct.
|
||||
|
||||
veritysetup \
|
||||
--data-blocks $[$fs_size / 4096] \
|
||||
--hash-offset $fs_size \
|
||||
format hdd.img hdd.img \
|
||||
| tee verity.log
|
||||
|
||||
This will output a text file that contains several important
|
||||
constants for mounting the filesystem later:
|
||||
|
||||
VERITY header information for hdd.img
|
||||
UUID: 73532888-a3e9-4f16-a50a-1d03a265b94f
|
||||
Hash type: 1
|
||||
Data blocks: 7680
|
||||
Data block size: 4096
|
||||
Hash block size: 4096
|
||||
Hash algorithm: sha256
|
||||
Salt: 3d0cd593d29715005794c4e1cd5164c14ba6456c3dbd2c6d8a26007c01ca9937
|
||||
Root hash: 91beda90d7fa1ab92463344966eb56ec9706f4f26063933a86d701a02a961a10
|
||||
|
||||
Unfortunately this is in the wrong form for the `dmsetup` command
|
||||
and must be reformmated like this:
|
||||
|
||||
dmsetup create vroot --readonly --table \
|
||||
"0 61440 verity 1 /dev/sda /dev/sda 4096 4096 7680 7681 sha256 "\
|
||||
"c51e171a1403eda7636c89f10d90066d6a593223399fdd4c36ab214da3c6fc11 "\
|
||||
"f6c6c6b6cbdf2682d6213e65b0e577cb57c8af3015f88f9a40fb512eaf48aca9"
|
||||
|
||||
The 61440 is the number of 512-byte blocks that the filesystem uses.
|
||||
The two 4096 are the data block size and hash block size.
|
||||
The 7680 is the number of data blocks and the 7861 is the first
|
||||
datablock containing hashes (note that block 7680 contains the `VERITY`
|
||||
header and the salt, but not the root hash). The hash and salt are
|
||||
reversed in the order from the `veritysetup` printout.
|
||||
|
||||
We sign this command and stash it in the block after the `VERITY`
|
||||
header so that the firmware can validate the image before mounting it.
|
||||
This does require that the firmware be able to find the header;
|
||||
for now we have it hard coded.
|
||||
|
||||
|
||||
mbedtls vs OpenSSL
|
||||
---
|
||||
mbedtls is a significantly smaller and more modular library than
|
||||
OpenSSL's libcrypto (380KB vs 2.3MB). It is not API compatible,
|
||||
so applications must be written to use it.
|
||||
|
||||
One the build host side we can make use of openssl's tools, but in
|
||||
the firmware we are limited to the smaller library. They are mostly
|
||||
compatible, although the tools are quite different.
|
||||
|
||||
Generate the private/public key pair (and copy the public key to
|
||||
the initrd):
|
||||
|
||||
openssl genrsa -aes256 -out signing.key
|
||||
openssl rsa -pubout -in signing.key -out signing.pub
|
||||
|
||||
Sign something (requires password and private key):
|
||||
|
||||
openssl pkeyutl \
|
||||
-sign \
|
||||
-inkey signing.key \
|
||||
-in roothash \
|
||||
-out roothash.sig
|
||||
|
||||
Verify it (requires public key, no password):
|
||||
|
||||
openssl pkeyutl \
|
||||
-verify \
|
||||
-pubin
|
||||
-inkey signing.pub \
|
||||
-sigfile roothash.sig \
|
||||
-in roothash
|
||||
|
||||
but this doesn't work with pk_verify from mbedtls. more work is necessary.
|
||||
|
||||
|
||||
Signing with GPG
|
||||
---
|
||||
@ -240,9 +79,9 @@ algorithm. You could store the hashes in the ROM, but that would
|
||||
not allow upgrades without rewriting the ROM.
|
||||
|
||||
|
||||
CoreBoot console messages
|
||||
coreboot console messages
|
||||
---
|
||||
The CoreBoot console messages are stored in the CBMEM region
|
||||
The coreboot console messages are stored in the CBMEM region
|
||||
and can be read by the Linux payload with the `cbmem --console | less`
|
||||
command. There is lots of interesting data about the state of the
|
||||
system.
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# Automatically generated make config: don't edit
|
||||
# Busybox version: 1.25.0
|
||||
# Sat Aug 6 15:56:20 2016
|
||||
# Tue Nov 29 14:28:46 2016
|
||||
#
|
||||
CONFIG_HAVE_DOT_CONFIG=y
|
||||
|
||||
@ -132,10 +132,10 @@ CONFIG_FEATURE_HWIB=y
|
||||
#
|
||||
# Archival Utilities
|
||||
#
|
||||
# CONFIG_FEATURE_SEAMLESS_XZ is not set
|
||||
CONFIG_FEATURE_SEAMLESS_XZ=y
|
||||
# CONFIG_FEATURE_SEAMLESS_LZMA is not set
|
||||
# CONFIG_FEATURE_SEAMLESS_BZ2 is not set
|
||||
# CONFIG_FEATURE_SEAMLESS_GZ is not set
|
||||
CONFIG_FEATURE_SEAMLESS_BZ2=y
|
||||
CONFIG_FEATURE_SEAMLESS_GZ=y
|
||||
# CONFIG_FEATURE_SEAMLESS_Z is not set
|
||||
# CONFIG_AR is not set
|
||||
# CONFIG_FEATURE_AR_LONG_FILENAMES is not set
|
||||
@ -149,34 +149,34 @@ CONFIG_FEATURE_GUNZIP_LONG_OPTIONS=y
|
||||
# CONFIG_LZMA is not set
|
||||
# CONFIG_UNXZ is not set
|
||||
# CONFIG_XZ is not set
|
||||
# CONFIG_BZIP2 is not set
|
||||
# CONFIG_CPIO is not set
|
||||
# CONFIG_FEATURE_CPIO_O is not set
|
||||
# CONFIG_FEATURE_CPIO_P is not set
|
||||
CONFIG_BZIP2=y
|
||||
CONFIG_CPIO=y
|
||||
CONFIG_FEATURE_CPIO_O=y
|
||||
CONFIG_FEATURE_CPIO_P=y
|
||||
# CONFIG_DPKG is not set
|
||||
# CONFIG_DPKG_DEB is not set
|
||||
# CONFIG_FEATURE_DPKG_DEB_EXTRACT_ONLY is not set
|
||||
# CONFIG_GZIP is not set
|
||||
# CONFIG_FEATURE_GZIP_LONG_OPTIONS is not set
|
||||
CONFIG_GZIP=y
|
||||
CONFIG_FEATURE_GZIP_LONG_OPTIONS=y
|
||||
CONFIG_GZIP_FAST=0
|
||||
# CONFIG_FEATURE_GZIP_LEVELS is not set
|
||||
# CONFIG_LZOP is not set
|
||||
# CONFIG_LZOP_COMPR_HIGH is not set
|
||||
# CONFIG_RPM is not set
|
||||
# CONFIG_RPM2CPIO is not set
|
||||
# CONFIG_TAR is not set
|
||||
# CONFIG_FEATURE_TAR_CREATE is not set
|
||||
# CONFIG_FEATURE_TAR_AUTODETECT is not set
|
||||
# CONFIG_FEATURE_TAR_FROM is not set
|
||||
# CONFIG_FEATURE_TAR_OLDGNU_COMPATIBILITY is not set
|
||||
# CONFIG_FEATURE_TAR_OLDSUN_COMPATIBILITY is not set
|
||||
# CONFIG_FEATURE_TAR_GNU_EXTENSIONS is not set
|
||||
# CONFIG_FEATURE_TAR_LONG_OPTIONS is not set
|
||||
# CONFIG_FEATURE_TAR_TO_COMMAND is not set
|
||||
# CONFIG_FEATURE_TAR_UNAME_GNAME is not set
|
||||
# CONFIG_FEATURE_TAR_NOPRESERVE_TIME is not set
|
||||
CONFIG_TAR=y
|
||||
CONFIG_FEATURE_TAR_CREATE=y
|
||||
CONFIG_FEATURE_TAR_AUTODETECT=y
|
||||
CONFIG_FEATURE_TAR_FROM=y
|
||||
CONFIG_FEATURE_TAR_OLDGNU_COMPATIBILITY=y
|
||||
CONFIG_FEATURE_TAR_OLDSUN_COMPATIBILITY=y
|
||||
CONFIG_FEATURE_TAR_GNU_EXTENSIONS=y
|
||||
CONFIG_FEATURE_TAR_LONG_OPTIONS=y
|
||||
CONFIG_FEATURE_TAR_TO_COMMAND=y
|
||||
CONFIG_FEATURE_TAR_UNAME_GNAME=y
|
||||
CONFIG_FEATURE_TAR_NOPRESERVE_TIME=y
|
||||
# CONFIG_FEATURE_TAR_SELINUX is not set
|
||||
# CONFIG_UNZIP is not set
|
||||
CONFIG_UNZIP=y
|
||||
|
||||
#
|
||||
# Coreutils
|
||||
@ -217,7 +217,7 @@ CONFIG_BASE64=y
|
||||
# CONFIG_CAL is not set
|
||||
# CONFIG_CATV is not set
|
||||
# CONFIG_CHGRP is not set
|
||||
# CONFIG_CHMOD is not set
|
||||
CONFIG_CHMOD=y
|
||||
# CONFIG_CHOWN is not set
|
||||
# CONFIG_FEATURE_CHOWN_LONG_OPTIONS is not set
|
||||
CONFIG_CHROOT=y
|
||||
@ -411,30 +411,30 @@ CONFIG_FEATURE_ALLOW_EXEC=y
|
||||
#
|
||||
# Finding Utilities
|
||||
#
|
||||
# CONFIG_FIND is not set
|
||||
# CONFIG_FEATURE_FIND_PRINT0 is not set
|
||||
# CONFIG_FEATURE_FIND_MTIME is not set
|
||||
# CONFIG_FEATURE_FIND_MMIN is not set
|
||||
# CONFIG_FEATURE_FIND_PERM is not set
|
||||
# CONFIG_FEATURE_FIND_TYPE is not set
|
||||
# CONFIG_FEATURE_FIND_XDEV is not set
|
||||
# CONFIG_FEATURE_FIND_MAXDEPTH is not set
|
||||
# CONFIG_FEATURE_FIND_NEWER is not set
|
||||
# CONFIG_FEATURE_FIND_INUM is not set
|
||||
# CONFIG_FEATURE_FIND_EXEC is not set
|
||||
# CONFIG_FEATURE_FIND_EXEC_PLUS is not set
|
||||
# CONFIG_FEATURE_FIND_USER is not set
|
||||
# CONFIG_FEATURE_FIND_GROUP is not set
|
||||
# CONFIG_FEATURE_FIND_NOT is not set
|
||||
# CONFIG_FEATURE_FIND_DEPTH is not set
|
||||
# CONFIG_FEATURE_FIND_PAREN is not set
|
||||
# CONFIG_FEATURE_FIND_SIZE is not set
|
||||
# CONFIG_FEATURE_FIND_PRUNE is not set
|
||||
# CONFIG_FEATURE_FIND_DELETE is not set
|
||||
# CONFIG_FEATURE_FIND_PATH is not set
|
||||
# CONFIG_FEATURE_FIND_REGEX is not set
|
||||
CONFIG_FIND=y
|
||||
CONFIG_FEATURE_FIND_PRINT0=y
|
||||
CONFIG_FEATURE_FIND_MTIME=y
|
||||
CONFIG_FEATURE_FIND_MMIN=y
|
||||
CONFIG_FEATURE_FIND_PERM=y
|
||||
CONFIG_FEATURE_FIND_TYPE=y
|
||||
CONFIG_FEATURE_FIND_XDEV=y
|
||||
CONFIG_FEATURE_FIND_MAXDEPTH=y
|
||||
CONFIG_FEATURE_FIND_NEWER=y
|
||||
CONFIG_FEATURE_FIND_INUM=y
|
||||
CONFIG_FEATURE_FIND_EXEC=y
|
||||
CONFIG_FEATURE_FIND_EXEC_PLUS=y
|
||||
CONFIG_FEATURE_FIND_USER=y
|
||||
CONFIG_FEATURE_FIND_GROUP=y
|
||||
CONFIG_FEATURE_FIND_NOT=y
|
||||
CONFIG_FEATURE_FIND_DEPTH=y
|
||||
CONFIG_FEATURE_FIND_PAREN=y
|
||||
CONFIG_FEATURE_FIND_SIZE=y
|
||||
CONFIG_FEATURE_FIND_PRUNE=y
|
||||
CONFIG_FEATURE_FIND_DELETE=y
|
||||
CONFIG_FEATURE_FIND_PATH=y
|
||||
CONFIG_FEATURE_FIND_REGEX=y
|
||||
# CONFIG_FEATURE_FIND_CONTEXT is not set
|
||||
# CONFIG_FEATURE_FIND_LINKS is not set
|
||||
CONFIG_FEATURE_FIND_LINKS=y
|
||||
CONFIG_GREP=y
|
||||
CONFIG_FEATURE_GREP_EGREP_ALIAS=y
|
||||
CONFIG_FEATURE_GREP_FGREP_ALIAS=y
|
||||
|
@ -1 +0,0 @@
|
||||
# nothing
|
@ -8,7 +8,6 @@
|
||||
#
|
||||
CONFIG_LOCALVERSION="-heads"
|
||||
CONFIG_CBFS_PREFIX="fallback"
|
||||
# CONFIG_MULTIPLE_CBFS_INSTANCES is not set
|
||||
CONFIG_COMPILER_GCC=y
|
||||
# CONFIG_COMPILER_LLVM_CLANG is not set
|
||||
# CONFIG_ANY_TOOLCHAIN is not set
|
||||
@ -36,7 +35,6 @@ CONFIG_BOOTBLOCK_SOURCE="bootblock_simple.c"
|
||||
# CONFIG_GENERIC_GPIO_LIB is not set
|
||||
# CONFIG_BOARD_ID_AUTO is not set
|
||||
# CONFIG_BOARD_ID_MANUAL is not set
|
||||
CONFIG_DEVICETREE="devicetree.cb"
|
||||
# CONFIG_RAM_CODE_SUPPORT is not set
|
||||
# CONFIG_BOOTSPLASH_IMAGE is not set
|
||||
|
||||
@ -68,6 +66,7 @@ CONFIG_DEVICETREE="devicetree.cb"
|
||||
# CONFIG_VENDOR_DIGITALLOGIC is not set
|
||||
# CONFIG_VENDOR_DMP is not set
|
||||
# CONFIG_VENDOR_ECS is not set
|
||||
# CONFIG_VENDOR_ELMEX is not set
|
||||
CONFIG_VENDOR_EMULATION=y
|
||||
# CONFIG_VENDOR_ESD is not set
|
||||
# CONFIG_VENDOR_GETAC is not set
|
||||
@ -114,8 +113,8 @@ CONFIG_MAINBOARD_DIR="emulation/qemu-q35"
|
||||
CONFIG_MAINBOARD_PART_NUMBER="QEMU x86 q35/ich9"
|
||||
CONFIG_MAINBOARD_VENDOR="Emulation"
|
||||
CONFIG_MAX_CPUS=1
|
||||
CONFIG_CACHE_ROM_SIZE_OVERRIDE=0
|
||||
CONFIG_CBFS_SIZE=0x400000
|
||||
CONFIG_CACHE_ROM_SIZE_OVERRIDE=0x0
|
||||
CONFIG_CBFS_SIZE=0x800000
|
||||
CONFIG_UART_FOR_CONSOLE=0
|
||||
# CONFIG_ONBOARD_VGA_IS_PRIMARY is not set
|
||||
# CONFIG_VGA_BIOS is not set
|
||||
@ -138,6 +137,7 @@ CONFIG_BOARD_EMULATION_QEMU_X86_Q35=y
|
||||
CONFIG_BOARD_EMULATION_QEMU_X86=y
|
||||
# CONFIG_POST_DEVICE is not set
|
||||
CONFIG_DRIVERS_PS2_KEYBOARD=y
|
||||
CONFIG_DEVICETREE="devicetree.cb"
|
||||
CONFIG_TTYS0_LCS=3
|
||||
# CONFIG_CONSOLE_POST is not set
|
||||
CONFIG_DRIVERS_UART_8250IO=y
|
||||
@ -188,6 +188,8 @@ CONFIG_UART_PCI_ADDR=0
|
||||
CONFIG_HPET_MIN_TICKS=0x80
|
||||
# CONFIG_SOC_MARVELL_ARMADA38X is not set
|
||||
# CONFIG_SOC_MARVELL_BG4CD is not set
|
||||
# CONFIG_SOC_MARVELL_MVMAP2315 is not set
|
||||
CONFIG_TTYS0_BAUD=115200
|
||||
# CONFIG_SOC_MEDIATEK_MT8173 is not set
|
||||
# CONFIG_SOC_NVIDIA_TEGRA124 is not set
|
||||
# CONFIG_SOC_NVIDIA_TEGRA210 is not set
|
||||
@ -239,6 +241,7 @@ CONFIG_CPU_MICROCODE_CBFS_GENERATE=y
|
||||
# CONFIG_CPU_MICROCODE_CBFS_EXTERNAL_HEADER is not set
|
||||
# CONFIG_CPU_MICROCODE_CBFS_NONE is not set
|
||||
# CONFIG_CPU_MICROCODE_MULTIPLE_FILES is not set
|
||||
CONFIG_CPU_UCODE_BINARIES=""
|
||||
|
||||
#
|
||||
# Northbridge
|
||||
@ -266,6 +269,7 @@ CONFIG_SOUTHBRIDGE_INTEL_I82801IX=y
|
||||
#
|
||||
# Super I/O
|
||||
#
|
||||
# CONFIG_SUPERIO_NUVOTON_NCT6776_COM_A is not set
|
||||
|
||||
#
|
||||
# Embedded Controllers
|
||||
@ -273,10 +277,10 @@ CONFIG_SOUTHBRIDGE_INTEL_I82801IX=y
|
||||
CONFIG_VBOOT_VBNV_OFFSET=0x26
|
||||
# CONFIG_VBOOT_VBNV_CMOS is not set
|
||||
# CONFIG_VBOOT_VBNV_EC is not set
|
||||
# CONFIG_VBOOT_VBNV_FLASH is not set
|
||||
# CONFIG_VBOOT is not set
|
||||
# CONFIG_MAINBOARD_HAS_CHROMEOS is not set
|
||||
# CONFIG_UEFI_2_4_BINDING is not set
|
||||
# CONFIG_UDK_2015_BINDING is not set
|
||||
# CONFIG_USE_SIEMENS_HWILIB is not set
|
||||
# CONFIG_ARCH_ARM is not set
|
||||
# CONFIG_ARCH_BOOTBLOCK_ARM is not set
|
||||
@ -293,6 +297,10 @@ CONFIG_VBOOT_VBNV_OFFSET=0x26
|
||||
# CONFIG_ARCH_RAMSTAGE_ARMV7 is not set
|
||||
# CONFIG_ARCH_BOOTBLOCK_ARMV7_M is not set
|
||||
# CONFIG_ARCH_VERSTAGE_ARMV7_M is not set
|
||||
# CONFIG_ARCH_BOOTBLOCK_ARMV7_R is not set
|
||||
# CONFIG_ARCH_VERSTAGE_ARMV7_R is not set
|
||||
# CONFIG_ARCH_ROMSTAGE_ARMV7_R is not set
|
||||
# CONFIG_ARCH_RAMSTAGE_ARMV7_R is not set
|
||||
# CONFIG_ARM_LPAE is not set
|
||||
# CONFIG_ARCH_ARM64 is not set
|
||||
# CONFIG_ARCH_BOOTBLOCK_ARM64 is not set
|
||||
@ -384,6 +392,7 @@ CONFIG_SUBSYSTEM_DEVICE_ID=0x0000
|
||||
# CONFIG_SPI_FLASH is not set
|
||||
# CONFIG_HAVE_SPI_CONSOLE_SUPPORT is not set
|
||||
CONFIG_DRIVERS_UART=y
|
||||
# CONFIG_DRIVERS_UART_8250IO_SKIP_INIT is not set
|
||||
# CONFIG_NO_UART_ON_SUPERIO is not set
|
||||
# CONFIG_UART_OVERRIDE_INPUT_CLOCK_DIVIDER is not set
|
||||
# CONFIG_UART_OVERRIDE_REFCLK is not set
|
||||
@ -399,6 +408,8 @@ CONFIG_DRIVERS_EMULATION_QEMU_BOCHS=y
|
||||
# CONFIG_SMBIOS_PROVIDED_BY_MOBO is not set
|
||||
# CONFIG_DRIVERS_I2C_PCF8523 is not set
|
||||
# CONFIG_DRIVERS_I2C_RTD2132 is not set
|
||||
# CONFIG_MAINBOARD_HAS_I2C_TPM_CR50 is not set
|
||||
# CONFIG_DRIVER_I2C_TPM_ACPI is not set
|
||||
# CONFIG_INTEL_DP is not set
|
||||
# CONFIG_INTEL_DDI is not set
|
||||
# CONFIG_INTEL_EDID is not set
|
||||
@ -420,6 +431,10 @@ CONFIG_DRIVERS_MC146818=y
|
||||
# CONFIG_DRIVER_XPOWERS_AXP209 is not set
|
||||
# CONFIG_ACPI_SATA_GENERATOR is not set
|
||||
# CONFIG_ACPI_INTEL_HARDWARE_SLEEP_VALUES is not set
|
||||
# CONFIG_BOOT_DEVICE_NOT_SPI_FLASH is not set
|
||||
CONFIG_BOOT_DEVICE_SPI_FLASH=y
|
||||
CONFIG_BOOT_DEVICE_MEMORY_MAPPED=y
|
||||
# CONFIG_BOOT_DEVICE_SUPPORTS_WRITES is not set
|
||||
# CONFIG_RTC is not set
|
||||
# CONFIG_TPM is not set
|
||||
CONFIG_STACK_SIZE=0x1000
|
||||
@ -447,7 +462,6 @@ CONFIG_CONSOLE_SERIAL_115200=y
|
||||
# CONFIG_CONSOLE_SERIAL_38400 is not set
|
||||
# CONFIG_CONSOLE_SERIAL_19200 is not set
|
||||
# CONFIG_CONSOLE_SERIAL_9600 is not set
|
||||
CONFIG_TTYS0_BAUD=115200
|
||||
# CONFIG_SPKMODEM is not set
|
||||
# CONFIG_CONSOLE_NE2K is not set
|
||||
CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000
|
||||
@ -506,7 +520,7 @@ CONFIG_PAYLOAD_LINUX=y
|
||||
CONFIG_PAYLOAD_FILE="./bzImage"
|
||||
CONFIG_PAYLOAD_OPTIONS=""
|
||||
# CONFIG_PXE is not set
|
||||
CONFIG_LINUX_COMMAND_LINE="console=ttyS0 console=tty"
|
||||
CONFIG_LINUX_COMMAND_LINE="acpi=off console=ttyS0 console=tty"
|
||||
CONFIG_LINUX_INITRD=""
|
||||
# CONFIG_PAYLOAD_IS_FLAT_BINARY is not set
|
||||
|
||||
@ -535,7 +549,6 @@ CONFIG_LINUX_INITRD=""
|
||||
# CONFIG_DEBUG_BOOT_STATE is not set
|
||||
# CONFIG_ENABLE_APIC_EXT_ID is not set
|
||||
CONFIG_WARNINGS_ARE_ERRORS=y
|
||||
CONFIG_IASL_WARNINGS_ARE_ERRORS=y
|
||||
# CONFIG_POWER_BUTTON_DEFAULT_ENABLE is not set
|
||||
# CONFIG_POWER_BUTTON_DEFAULT_DISABLE is not set
|
||||
# CONFIG_POWER_BUTTON_FORCE_ENABLE is not set
|
||||
|
@ -68,6 +68,7 @@ CONFIG_MEASURED_BOOT=y
|
||||
# CONFIG_VENDOR_DIGITALLOGIC is not set
|
||||
# CONFIG_VENDOR_DMP is not set
|
||||
# CONFIG_VENDOR_ECS is not set
|
||||
# CONFIG_VENDOR_ELMEX is not set
|
||||
# CONFIG_VENDOR_EMULATION is not set
|
||||
# CONFIG_VENDOR_ESD is not set
|
||||
# CONFIG_VENDOR_GETAC is not set
|
||||
@ -114,7 +115,7 @@ CONFIG_MAINBOARD_DIR="lenovo/x230"
|
||||
CONFIG_MAINBOARD_PART_NUMBER="ThinkPad X230"
|
||||
CONFIG_MAINBOARD_VENDOR="LENOVO"
|
||||
CONFIG_MAX_CPUS=8
|
||||
CONFIG_CACHE_ROM_SIZE_OVERRIDE=0
|
||||
CONFIG_CACHE_ROM_SIZE_OVERRIDE=0x0
|
||||
CONFIG_CBFS_SIZE=0x400000
|
||||
CONFIG_UART_FOR_CONSOLE=0
|
||||
CONFIG_VGA_BIOS_ID="8086,0166"
|
||||
@ -137,7 +138,7 @@ CONFIG_ID_SECTION_OFFSET=0x80
|
||||
CONFIG_USBDEBUG_HCD_INDEX=2
|
||||
CONFIG_IFD_BIOS_SECTION=""
|
||||
CONFIG_IFD_ME_SECTION=""
|
||||
CONFIG_TPM_PIRQ=0
|
||||
CONFIG_TPM_PIRQ=0x0
|
||||
CONFIG_BOOT_DEVICE_SPI_FLASH_BUS=0
|
||||
CONFIG_DRIVERS_PS2_KEYBOARD=y
|
||||
CONFIG_DEVICETREE="devicetree.cb"
|
||||
@ -312,6 +313,7 @@ CONFIG_SOUTHBRIDGE_INTEL_COMMON_GPIO=y
|
||||
#
|
||||
# Super I/O
|
||||
#
|
||||
# CONFIG_SUPERIO_NUVOTON_NCT6776_COM_A is not set
|
||||
|
||||
#
|
||||
# Embedded Controllers
|
||||
@ -461,6 +463,7 @@ CONFIG_SPI_FLASH_WINBOND=y
|
||||
# CONFIG_SPI_FLASH_FAST_READ_DUAL_OUTPUT_3B is not set
|
||||
# CONFIG_HAVE_SPI_CONSOLE_SUPPORT is not set
|
||||
CONFIG_DRIVERS_UART=y
|
||||
# CONFIG_DRIVERS_UART_8250IO_SKIP_INIT is not set
|
||||
CONFIG_NO_UART_ON_SUPERIO=y
|
||||
# CONFIG_UART_OVERRIDE_INPUT_CLOCK_DIVIDER is not set
|
||||
# CONFIG_UART_OVERRIDE_REFCLK is not set
|
@ -1 +0,0 @@
|
||||
# nothing
|
@ -1,6 +1,6 @@
|
||||
#
|
||||
# Automatically generated file; DO NOT EDIT.
|
||||
# Linux/x86 4.7.0 Kernel Configuration
|
||||
# Linux/x86 4.9.0 Kernel Configuration
|
||||
#
|
||||
CONFIG_64BIT=y
|
||||
CONFIG_X86_64=y
|
||||
@ -38,7 +38,6 @@ CONFIG_AUDIT_ARCH=y
|
||||
CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
|
||||
CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
|
||||
CONFIG_X86_64_SMP=y
|
||||
CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
|
||||
CONFIG_ARCH_SUPPORTS_UPROBES=y
|
||||
CONFIG_FIX_EARLYCON_MEM=y
|
||||
CONFIG_DEBUG_RODATA=y
|
||||
@ -46,6 +45,7 @@ CONFIG_PGTABLE_LEVELS=4
|
||||
CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
|
||||
CONFIG_IRQ_WORK=y
|
||||
CONFIG_BUILDTIME_EXTABLE_SORT=y
|
||||
CONFIG_THREAD_INFO_IN_TASK=y
|
||||
|
||||
#
|
||||
# General setup
|
||||
@ -166,12 +166,12 @@ CONFIG_BUG=y
|
||||
CONFIG_PCSPKR_PLATFORM=y
|
||||
# CONFIG_BASE_FULL is not set
|
||||
# CONFIG_FUTEX is not set
|
||||
# CONFIG_EPOLL is not set
|
||||
CONFIG_EPOLL=y
|
||||
# CONFIG_SIGNALFD is not set
|
||||
# CONFIG_TIMERFD is not set
|
||||
# CONFIG_EVENTFD is not set
|
||||
# CONFIG_BPF_SYSCALL is not set
|
||||
# CONFIG_SHMEM is not set
|
||||
CONFIG_SHMEM=y
|
||||
# CONFIG_AIO is not set
|
||||
# CONFIG_ADVISE_SYSCALLS is not set
|
||||
# CONFIG_USERFAULTFD is not set
|
||||
@ -191,6 +191,7 @@ CONFIG_PERF_EVENTS=y
|
||||
# CONFIG_SLAB is not set
|
||||
CONFIG_SLUB=y
|
||||
# CONFIG_SLOB is not set
|
||||
# CONFIG_SLAB_FREELIST_RANDOM is not set
|
||||
CONFIG_SLUB_CPU_PARTIAL=y
|
||||
# CONFIG_SYSTEM_DATA_VERIFICATION is not set
|
||||
# CONFIG_PROFILING is not set
|
||||
@ -228,11 +229,14 @@ CONFIG_HAVE_ALIGNED_STRUCT_PAGE=y
|
||||
CONFIG_HAVE_CMPXCHG_LOCAL=y
|
||||
CONFIG_HAVE_CMPXCHG_DOUBLE=y
|
||||
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
|
||||
CONFIG_HAVE_GCC_PLUGINS=y
|
||||
# CONFIG_GCC_PLUGINS is not set
|
||||
CONFIG_HAVE_CC_STACKPROTECTOR=y
|
||||
CONFIG_CC_STACKPROTECTOR=y
|
||||
# CONFIG_CC_STACKPROTECTOR_NONE is not set
|
||||
# CONFIG_CC_STACKPROTECTOR_REGULAR is not set
|
||||
CONFIG_CC_STACKPROTECTOR_STRONG=y
|
||||
CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y
|
||||
CONFIG_HAVE_CONTEXT_TRACKING=y
|
||||
CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
|
||||
CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
|
||||
@ -250,6 +254,8 @@ CONFIG_HAVE_STACK_VALIDATION=y
|
||||
# CONFIG_HAVE_ARCH_HASH is not set
|
||||
# CONFIG_ISA_BUS_API is not set
|
||||
# CONFIG_CPU_NO_EFFICIENT_FFS is not set
|
||||
CONFIG_HAVE_ARCH_VMAP_STACK=y
|
||||
CONFIG_VMAP_STACK=y
|
||||
|
||||
#
|
||||
# GCOV-based kernel profiling
|
||||
@ -279,6 +285,7 @@ CONFIG_BLOCK=y
|
||||
# CONFIG_PARTITION_ADVANCED is not set
|
||||
CONFIG_MSDOS_PARTITION=y
|
||||
CONFIG_EFI_PARTITION=y
|
||||
CONFIG_BLK_MQ_PCI=y
|
||||
|
||||
#
|
||||
# IO Schedulers
|
||||
@ -401,6 +408,7 @@ CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
|
||||
CONFIG_PHYS_ADDR_T_64BIT=y
|
||||
# CONFIG_BOUNCE is not set
|
||||
CONFIG_VIRT_TO_BUS=y
|
||||
CONFIG_MMU_NOTIFIER=y
|
||||
# CONFIG_KSM is not set
|
||||
CONFIG_DEFAULT_MMAP_MIN_ADDR=65536
|
||||
CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y
|
||||
@ -463,15 +471,18 @@ CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y
|
||||
CONFIG_ACPI_AC=y
|
||||
CONFIG_ACPI_BATTERY=y
|
||||
CONFIG_ACPI_BUTTON=y
|
||||
CONFIG_ACPI_VIDEO=y
|
||||
CONFIG_ACPI_FAN=y
|
||||
# CONFIG_ACPI_DOCK is not set
|
||||
CONFIG_ACPI_CPU_FREQ_PSS=y
|
||||
CONFIG_ACPI_PROCESSOR_CSTATE=y
|
||||
CONFIG_ACPI_PROCESSOR_IDLE=y
|
||||
CONFIG_ACPI_PROCESSOR=y
|
||||
# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
|
||||
CONFIG_ACPI_THERMAL=y
|
||||
CONFIG_ACPI_CUSTOM_DSDT_FILE=""
|
||||
# CONFIG_ACPI_CUSTOM_DSDT is not set
|
||||
CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y
|
||||
CONFIG_ACPI_TABLE_UPGRADE=y
|
||||
# CONFIG_ACPI_DEBUG is not set
|
||||
# CONFIG_ACPI_PCI_SLOT is not set
|
||||
@ -486,8 +497,10 @@ CONFIG_ACPI_HOTPLUG_IOAPIC=y
|
||||
CONFIG_HAVE_ACPI_APEI=y
|
||||
CONFIG_HAVE_ACPI_APEI_NMI=y
|
||||
# CONFIG_ACPI_APEI is not set
|
||||
# CONFIG_DPTF_POWER is not set
|
||||
# CONFIG_ACPI_EXTLOG is not set
|
||||
# CONFIG_PMIC_OPREGION is not set
|
||||
# CONFIG_ACPI_CONFIGFS is not set
|
||||
# CONFIG_SFI is not set
|
||||
|
||||
#
|
||||
@ -534,7 +547,6 @@ CONFIG_PCI_LABEL=y
|
||||
#
|
||||
# PCI host controller drivers
|
||||
#
|
||||
# CONFIG_PCIE_DW_PLAT is not set
|
||||
# CONFIG_ISA_BUS is not set
|
||||
CONFIG_ISA_DMA_API=y
|
||||
CONFIG_AMD_NB=y
|
||||
@ -577,13 +589,15 @@ CONFIG_EXTRA_FIRMWARE=""
|
||||
# CONFIG_ALLOW_DEV_COREDUMP is not set
|
||||
# CONFIG_DEBUG_DRIVER is not set
|
||||
# CONFIG_DEBUG_DEVRES is not set
|
||||
# CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set
|
||||
# CONFIG_SYS_HYPERVISOR is not set
|
||||
# CONFIG_GENERIC_CPU_DEVICES is not set
|
||||
CONFIG_GENERIC_CPU_AUTOPROBE=y
|
||||
CONFIG_REGMAP=y
|
||||
CONFIG_REGMAP_I2C=y
|
||||
CONFIG_REGMAP_MMIO=y
|
||||
# CONFIG_DMA_SHARED_BUFFER is not set
|
||||
CONFIG_DMA_SHARED_BUFFER=y
|
||||
# CONFIG_FENCE_TRACE is not set
|
||||
|
||||
#
|
||||
# Bus devices
|
||||
@ -641,12 +655,10 @@ CONFIG_BLK_DEV_RAM_SIZE=65536
|
||||
# CONFIG_ISL29003 is not set
|
||||
# CONFIG_ISL29020 is not set
|
||||
# CONFIG_SENSORS_TSL2550 is not set
|
||||
# CONFIG_SENSORS_BH1780 is not set
|
||||
# CONFIG_SENSORS_BH1770 is not set
|
||||
# CONFIG_SENSORS_APDS990X is not set
|
||||
# CONFIG_HMC6352 is not set
|
||||
# CONFIG_DS1682 is not set
|
||||
# CONFIG_BMP085_I2C is not set
|
||||
# CONFIG_USB_SWITCH_FSA9480 is not set
|
||||
# CONFIG_SRAM is not set
|
||||
# CONFIG_C2PORT is not set
|
||||
@ -711,8 +723,7 @@ CONFIG_INTEL_MEI_TXE=y
|
||||
# CONFIG_GENWQE is not set
|
||||
# CONFIG_ECHO is not set
|
||||
# CONFIG_CXL_BASE is not set
|
||||
# CONFIG_CXL_KERNEL_API is not set
|
||||
# CONFIG_CXL_EEH is not set
|
||||
# CONFIG_CXL_AFU_DRIVER_OPS is not set
|
||||
CONFIG_HAVE_IDE=y
|
||||
# CONFIG_IDE is not set
|
||||
|
||||
@ -769,6 +780,7 @@ CONFIG_SCSI_LOWLEVEL=y
|
||||
# CONFIG_MEGARAID_SAS is not set
|
||||
# CONFIG_SCSI_MPT3SAS is not set
|
||||
# CONFIG_SCSI_MPT2SAS is not set
|
||||
# CONFIG_SCSI_SMARTPQI is not set
|
||||
# CONFIG_SCSI_UFSHCD is not set
|
||||
# CONFIG_SCSI_HPTIOP is not set
|
||||
# CONFIG_SCSI_BUSLOGIC is not set
|
||||
@ -937,6 +949,7 @@ CONFIG_SERIAL_8250_RUNTIME_UARTS=4
|
||||
# CONFIG_SERIAL_8250_EXTENDED is not set
|
||||
# CONFIG_SERIAL_8250_DW is not set
|
||||
# CONFIG_SERIAL_8250_RT288X is not set
|
||||
# CONFIG_SERIAL_8250_LPSS is not set
|
||||
# CONFIG_SERIAL_8250_MID is not set
|
||||
# CONFIG_SERIAL_8250_MOXA is not set
|
||||
|
||||
@ -969,6 +982,7 @@ CONFIG_HW_RANDOM_TPM=m
|
||||
# CONFIG_HPET is not set
|
||||
# CONFIG_HANGCHECK_TIMER is not set
|
||||
CONFIG_TCG_TPM=y
|
||||
CONFIG_TCG_TIS_CORE=y
|
||||
CONFIG_TCG_TIS=y
|
||||
# CONFIG_TCG_TIS_I2C_ATMEL is not set
|
||||
# CONFIG_TCG_TIS_I2C_INFINEON is not set
|
||||
@ -977,6 +991,8 @@ CONFIG_TCG_TIS=y
|
||||
# CONFIG_TCG_ATMEL is not set
|
||||
# CONFIG_TCG_INFINEON is not set
|
||||
# CONFIG_TCG_CRB is not set
|
||||
# CONFIG_TCG_VTPM_PROXY is not set
|
||||
# CONFIG_TCG_TIS_ST33ZP24_I2C is not set
|
||||
# CONFIG_TELCLOCK is not set
|
||||
CONFIG_DEVPORT=y
|
||||
# CONFIG_XILLYBUS is not set
|
||||
@ -1002,7 +1018,7 @@ CONFIG_I2C_MUX_REG=m
|
||||
#
|
||||
# I2C Algorithms
|
||||
#
|
||||
# CONFIG_I2C_ALGOBIT is not set
|
||||
CONFIG_I2C_ALGOBIT=y
|
||||
# CONFIG_I2C_ALGOPCF is not set
|
||||
# CONFIG_I2C_ALGOPCA is not set
|
||||
|
||||
@ -1082,9 +1098,10 @@ CONFIG_I2C_SLAVE=y
|
||||
#
|
||||
# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks.
|
||||
#
|
||||
CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
|
||||
# CONFIG_GPIOLIB is not set
|
||||
# CONFIG_W1 is not set
|
||||
# CONFIG_POWER_AVS is not set
|
||||
# CONFIG_POWER_RESET is not set
|
||||
CONFIG_POWER_SUPPLY=y
|
||||
# CONFIG_POWER_SUPPLY_DEBUG is not set
|
||||
# CONFIG_PDA_POWER is not set
|
||||
@ -1101,8 +1118,6 @@ CONFIG_POWER_SUPPLY=y
|
||||
# CONFIG_CHARGER_BQ2415X is not set
|
||||
# CONFIG_CHARGER_SMB347 is not set
|
||||
# CONFIG_BATTERY_GAUGE_LTC2941 is not set
|
||||
# CONFIG_POWER_RESET is not set
|
||||
# CONFIG_POWER_AVS is not set
|
||||
# CONFIG_HWMON is not set
|
||||
CONFIG_THERMAL=y
|
||||
# CONFIG_THERMAL_WRITABLE_TRIPS is not set
|
||||
@ -1155,6 +1170,7 @@ CONFIG_BCMA_POSSIBLE=y
|
||||
# CONFIG_MFD_DA9063 is not set
|
||||
# CONFIG_MFD_DA9150 is not set
|
||||
# CONFIG_MFD_DLN2 is not set
|
||||
# CONFIG_MFD_EXYNOS_LPASS is not set
|
||||
# CONFIG_MFD_MC13XXX_I2C is not set
|
||||
# CONFIG_HTC_PASIC3 is not set
|
||||
# CONFIG_LPC_ICH is not set
|
||||
@ -1183,7 +1199,6 @@ CONFIG_BCMA_POSSIBLE=y
|
||||
# CONFIG_MFD_RT5033 is not set
|
||||
# CONFIG_MFD_RTSX_USB is not set
|
||||
# CONFIG_MFD_RC5T583 is not set
|
||||
# CONFIG_MFD_RN5T618 is not set
|
||||
# CONFIG_MFD_SEC_CORE is not set
|
||||
# CONFIG_MFD_SI476X_CORE is not set
|
||||
# CONFIG_MFD_SM501 is not set
|
||||
@ -1200,6 +1215,7 @@ CONFIG_MFD_SYSCON=y
|
||||
# CONFIG_MFD_TPS65086 is not set
|
||||
# CONFIG_MFD_TPS65090 is not set
|
||||
# CONFIG_MFD_TPS65217 is not set
|
||||
# CONFIG_MFD_TI_LP873X is not set
|
||||
# CONFIG_MFD_TPS65218 is not set
|
||||
# CONFIG_MFD_TPS6586X is not set
|
||||
# CONFIG_MFD_TPS65912_I2C is not set
|
||||
@ -1222,21 +1238,148 @@ CONFIG_MFD_SYSCON=y
|
||||
# Graphics support
|
||||
#
|
||||
# CONFIG_AGP is not set
|
||||
CONFIG_INTEL_GTT=y
|
||||
CONFIG_VGA_ARB=y
|
||||
CONFIG_VGA_ARB_MAX_GPUS=16
|
||||
# CONFIG_VGA_SWITCHEROO is not set
|
||||
# CONFIG_DRM is not set
|
||||
CONFIG_DRM=y
|
||||
CONFIG_DRM_MIPI_DSI=y
|
||||
# CONFIG_DRM_DP_AUX_CHARDEV is not set
|
||||
CONFIG_DRM_KMS_HELPER=y
|
||||
CONFIG_DRM_KMS_FB_HELPER=y
|
||||
CONFIG_DRM_FBDEV_EMULATION=y
|
||||
# CONFIG_DRM_LOAD_EDID_FIRMWARE is not set
|
||||
|
||||
#
|
||||
# I2C encoder or helper chips
|
||||
#
|
||||
# CONFIG_DRM_I2C_CH7006 is not set
|
||||
# CONFIG_DRM_I2C_SIL164 is not set
|
||||
# CONFIG_DRM_I2C_NXP_TDA998X is not set
|
||||
# CONFIG_DRM_RADEON is not set
|
||||
# CONFIG_DRM_AMDGPU is not set
|
||||
|
||||
#
|
||||
# ACP (Audio CoProcessor) Configuration
|
||||
#
|
||||
# CONFIG_DRM_NOUVEAU is not set
|
||||
CONFIG_DRM_I915=y
|
||||
CONFIG_DRM_I915_PRELIMINARY_HW_SUPPORT=y
|
||||
CONFIG_DRM_I915_USERPTR=y
|
||||
# CONFIG_DRM_I915_GVT is not set
|
||||
|
||||
#
|
||||
# drm/i915 Debugging
|
||||
#
|
||||
# CONFIG_DRM_I915_WERROR is not set
|
||||
# CONFIG_DRM_I915_DEBUG is not set
|
||||
# CONFIG_DRM_VGEM is not set
|
||||
# CONFIG_DRM_VMWGFX is not set
|
||||
# CONFIG_DRM_GMA500 is not set
|
||||
# CONFIG_DRM_UDL is not set
|
||||
# CONFIG_DRM_AST is not set
|
||||
# CONFIG_DRM_MGAG200 is not set
|
||||
# CONFIG_DRM_CIRRUS_QEMU is not set
|
||||
# CONFIG_DRM_QXL is not set
|
||||
# CONFIG_DRM_BOCHS is not set
|
||||
CONFIG_DRM_PANEL=y
|
||||
|
||||
#
|
||||
# Display Panels
|
||||
#
|
||||
CONFIG_DRM_BRIDGE=y
|
||||
|
||||
#
|
||||
# Display Interface Bridges
|
||||
#
|
||||
# CONFIG_DRM_ANALOGIX_ANX78XX is not set
|
||||
# CONFIG_DRM_LEGACY is not set
|
||||
|
||||
#
|
||||
# Frame buffer Devices
|
||||
#
|
||||
# CONFIG_FB is not set
|
||||
# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
|
||||
CONFIG_FB=y
|
||||
# CONFIG_FIRMWARE_EDID is not set
|
||||
CONFIG_FB_CMDLINE=y
|
||||
CONFIG_FB_NOTIFY=y
|
||||
# CONFIG_FB_DDC is not set
|
||||
CONFIG_FB_BOOT_VESA_SUPPORT=y
|
||||
CONFIG_FB_CFB_FILLRECT=y
|
||||
CONFIG_FB_CFB_COPYAREA=y
|
||||
CONFIG_FB_CFB_IMAGEBLIT=y
|
||||
# CONFIG_FB_CFB_REV_PIXELS_IN_BYTE is not set
|
||||
CONFIG_FB_SYS_FILLRECT=y
|
||||
CONFIG_FB_SYS_COPYAREA=y
|
||||
CONFIG_FB_SYS_IMAGEBLIT=y
|
||||
# CONFIG_FB_FOREIGN_ENDIAN is not set
|
||||
CONFIG_FB_SYS_FOPS=y
|
||||
CONFIG_FB_DEFERRED_IO=y
|
||||
# CONFIG_FB_SVGALIB is not set
|
||||
# CONFIG_FB_MACMODES is not set
|
||||
# CONFIG_FB_BACKLIGHT is not set
|
||||
# CONFIG_FB_MODE_HELPERS is not set
|
||||
# CONFIG_FB_TILEBLITTING is not set
|
||||
|
||||
#
|
||||
# Frame buffer hardware drivers
|
||||
#
|
||||
# CONFIG_FB_CIRRUS is not set
|
||||
# CONFIG_FB_PM2 is not set
|
||||
# CONFIG_FB_CYBER2000 is not set
|
||||
# CONFIG_FB_ARC is not set
|
||||
# CONFIG_FB_ASILIANT is not set
|
||||
# CONFIG_FB_IMSTT is not set
|
||||
# CONFIG_FB_VGA16 is not set
|
||||
CONFIG_FB_VESA=y
|
||||
# CONFIG_FB_N411 is not set
|
||||
# CONFIG_FB_HGA is not set
|
||||
# CONFIG_FB_OPENCORES is not set
|
||||
# CONFIG_FB_S1D13XXX is not set
|
||||
# CONFIG_FB_NVIDIA is not set
|
||||
# CONFIG_FB_RIVA is not set
|
||||
# CONFIG_FB_I740 is not set
|
||||
# CONFIG_FB_LE80578 is not set
|
||||
# CONFIG_FB_MATROX is not set
|
||||
# CONFIG_FB_RADEON is not set
|
||||
# CONFIG_FB_ATY128 is not set
|
||||
# CONFIG_FB_ATY is not set
|
||||
# CONFIG_FB_S3 is not set
|
||||
# CONFIG_FB_SAVAGE is not set
|
||||
# CONFIG_FB_SIS is not set
|
||||
# CONFIG_FB_NEOMAGIC is not set
|
||||
# CONFIG_FB_KYRO is not set
|
||||
# CONFIG_FB_3DFX is not set
|
||||
# CONFIG_FB_VOODOO1 is not set
|
||||
# CONFIG_FB_VT8623 is not set
|
||||
# CONFIG_FB_TRIDENT is not set
|
||||
# CONFIG_FB_ARK is not set
|
||||
# CONFIG_FB_PM3 is not set
|
||||
# CONFIG_FB_CARMINE is not set
|
||||
# CONFIG_FB_SMSCUFX is not set
|
||||
# CONFIG_FB_UDL is not set
|
||||
# CONFIG_FB_IBM_GXT4500 is not set
|
||||
# CONFIG_FB_VIRTUAL is not set
|
||||
# CONFIG_FB_METRONOME is not set
|
||||
# CONFIG_FB_MB862XX is not set
|
||||
# CONFIG_FB_BROADSHEET is not set
|
||||
# CONFIG_FB_AUO_K190X is not set
|
||||
# CONFIG_FB_SIMPLE is not set
|
||||
# CONFIG_FB_SM712 is not set
|
||||
CONFIG_BACKLIGHT_LCD_SUPPORT=y
|
||||
CONFIG_LCD_CLASS_DEVICE=m
|
||||
# CONFIG_LCD_PLATFORM is not set
|
||||
CONFIG_BACKLIGHT_CLASS_DEVICE=y
|
||||
CONFIG_BACKLIGHT_GENERIC=y
|
||||
# CONFIG_BACKLIGHT_APPLE is not set
|
||||
# CONFIG_BACKLIGHT_PM8941_WLED is not set
|
||||
# CONFIG_BACKLIGHT_SAHARA is not set
|
||||
# CONFIG_BACKLIGHT_ADP8860 is not set
|
||||
# CONFIG_BACKLIGHT_ADP8870 is not set
|
||||
# CONFIG_BACKLIGHT_LM3639 is not set
|
||||
# CONFIG_BACKLIGHT_LV5207LP is not set
|
||||
# CONFIG_BACKLIGHT_BD6107 is not set
|
||||
# CONFIG_VGASTATE is not set
|
||||
CONFIG_HDMI=y
|
||||
|
||||
#
|
||||
# Console display driver support
|
||||
@ -1246,6 +1389,10 @@ CONFIG_VGA_CONSOLE=y
|
||||
CONFIG_DUMMY_CONSOLE=y
|
||||
CONFIG_DUMMY_CONSOLE_COLUMNS=80
|
||||
CONFIG_DUMMY_CONSOLE_ROWS=25
|
||||
CONFIG_FRAMEBUFFER_CONSOLE=y
|
||||
CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y
|
||||
# CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set
|
||||
# CONFIG_LOGO is not set
|
||||
# CONFIG_SOUND is not set
|
||||
|
||||
#
|
||||
@ -1319,6 +1466,7 @@ CONFIG_HID_GENERIC=y
|
||||
# CONFIG_HID_ZEROPLUS is not set
|
||||
# CONFIG_HID_ZYDACRON is not set
|
||||
# CONFIG_HID_SENSOR_HUB is not set
|
||||
# CONFIG_HID_ALPS is not set
|
||||
|
||||
#
|
||||
# USB HID support
|
||||
@ -1331,6 +1479,11 @@ CONFIG_USB_HID=y
|
||||
# I2C HID support
|
||||
#
|
||||
# CONFIG_I2C_HID is not set
|
||||
|
||||
#
|
||||
# Intel ISH HID support
|
||||
#
|
||||
# CONFIG_INTEL_ISH_HID is not set
|
||||
CONFIG_USB_OHCI_LITTLE_ENDIAN=y
|
||||
CONFIG_USB_SUPPORT=y
|
||||
CONFIG_USB_COMMON=y
|
||||
@ -1345,7 +1498,6 @@ CONFIG_USB_DEFAULT_PERSIST=y
|
||||
# CONFIG_USB_DYNAMIC_MINORS is not set
|
||||
# CONFIG_USB_OTG_WHITELIST is not set
|
||||
# CONFIG_USB_OTG_BLACKLIST_HUB is not set
|
||||
# CONFIG_USB_ULPI_BUS is not set
|
||||
# CONFIG_USB_MON is not set
|
||||
# CONFIG_USB_WUSB_CBAF is not set
|
||||
|
||||
@ -1429,7 +1581,6 @@ CONFIG_USB_STORAGE=y
|
||||
# CONFIG_USB_RIO500 is not set
|
||||
# CONFIG_USB_LEGOTOWER is not set
|
||||
# CONFIG_USB_LCD is not set
|
||||
# CONFIG_USB_LED is not set
|
||||
# CONFIG_USB_CYPRESS_CY7C63 is not set
|
||||
# CONFIG_USB_CYTHERM is not set
|
||||
# CONFIG_USB_IDMOUSE is not set
|
||||
@ -1445,6 +1596,7 @@ CONFIG_USB_STORAGE=y
|
||||
# CONFIG_USB_YUREX is not set
|
||||
# CONFIG_USB_EZUSB_FX2 is not set
|
||||
# CONFIG_USB_HSIC_USB3503 is not set
|
||||
# CONFIG_USB_HSIC_USB4604 is not set
|
||||
# CONFIG_USB_LINK_LAYER_TEST is not set
|
||||
# CONFIG_USB_CHAOSKEY is not set
|
||||
# CONFIG_UCSI is not set
|
||||
@ -1456,6 +1608,7 @@ CONFIG_USB_STORAGE=y
|
||||
# CONFIG_NOP_USB_XCEIV is not set
|
||||
# CONFIG_USB_ISP1301 is not set
|
||||
# CONFIG_USB_GADGET is not set
|
||||
# CONFIG_USB_ULPI_BUS is not set
|
||||
# CONFIG_UWB is not set
|
||||
# CONFIG_MMC is not set
|
||||
# CONFIG_MEMSTICK is not set
|
||||
@ -1465,6 +1618,7 @@ CONFIG_EDAC_ATOMIC_SCRUB=y
|
||||
CONFIG_EDAC_SUPPORT=y
|
||||
# CONFIG_EDAC is not set
|
||||
CONFIG_RTC_LIB=y
|
||||
CONFIG_RTC_MC146818_LIB=y
|
||||
CONFIG_RTC_CLASS=y
|
||||
CONFIG_RTC_HCTOSYS=y
|
||||
CONFIG_RTC_HCTOSYS_DEVICE="rtc0"
|
||||
@ -1493,7 +1647,6 @@ CONFIG_RTC_INTF_DEV=y
|
||||
# CONFIG_RTC_DRV_RS5C372 is not set
|
||||
# CONFIG_RTC_DRV_ISL1208 is not set
|
||||
# CONFIG_RTC_DRV_ISL12022 is not set
|
||||
# CONFIG_RTC_DRV_ISL12057 is not set
|
||||
# CONFIG_RTC_DRV_X1205 is not set
|
||||
# CONFIG_RTC_DRV_PCF8523 is not set
|
||||
# CONFIG_RTC_DRV_PCF85063 is not set
|
||||
@ -1606,6 +1759,10 @@ CONFIG_IOMMU_SUPPORT=y
|
||||
#
|
||||
# SOC (System On Chip) specific Drivers
|
||||
#
|
||||
|
||||
#
|
||||
# Broadcom SoC drivers
|
||||
#
|
||||
# CONFIG_SUNXI_SRAM is not set
|
||||
# CONFIG_SOC_TI is not set
|
||||
# CONFIG_PM_DEVFREQ is not set
|
||||
@ -1691,6 +1848,7 @@ CONFIG_FS_MBCACHE=y
|
||||
# CONFIG_F2FS_FS is not set
|
||||
# CONFIG_FS_DAX is not set
|
||||
# CONFIG_FS_POSIX_ACL is not set
|
||||
# CONFIG_EXPORTFS_BLOCK_OPS is not set
|
||||
# CONFIG_FILE_LOCKING is not set
|
||||
# CONFIG_FS_ENCRYPTION is not set
|
||||
# CONFIG_FSNOTIFY is not set
|
||||
@ -1735,8 +1893,12 @@ CONFIG_PROC_FS=y
|
||||
# CONFIG_PROC_CHILDREN is not set
|
||||
CONFIG_KERNFS=y
|
||||
CONFIG_SYSFS=y
|
||||
CONFIG_TMPFS=y
|
||||
# CONFIG_TMPFS_POSIX_ACL is not set
|
||||
# CONFIG_TMPFS_XATTR is not set
|
||||
# CONFIG_HUGETLBFS is not set
|
||||
# CONFIG_HUGETLB_PAGE is not set
|
||||
CONFIG_ARCH_HAS_GIGANTIC_PAGE=y
|
||||
# CONFIG_CONFIGFS_FS is not set
|
||||
# CONFIG_MISC_FILESYSTEMS is not set
|
||||
CONFIG_NLS=y
|
||||
@ -1915,12 +2077,9 @@ CONFIG_RCU_CPU_STALL_TIMEOUT=21
|
||||
# CONFIG_NOTIFIER_ERROR_INJECTION is not set
|
||||
# CONFIG_FAULT_INJECTION is not set
|
||||
# CONFIG_LATENCYTOP is not set
|
||||
CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS=y
|
||||
# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
|
||||
CONFIG_USER_STACKTRACE_SUPPORT=y
|
||||
CONFIG_HAVE_FUNCTION_TRACER=y
|
||||
CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
|
||||
CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y
|
||||
CONFIG_HAVE_DYNAMIC_FTRACE=y
|
||||
CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
|
||||
CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
|
||||
@ -1960,6 +2119,7 @@ CONFIG_TRACING_SUPPORT=y
|
||||
CONFIG_HAVE_ARCH_KGDB=y
|
||||
# CONFIG_KGDB is not set
|
||||
CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y
|
||||
# CONFIG_ARCH_WANTS_UBSAN_NO_NULL is not set
|
||||
# CONFIG_UBSAN is not set
|
||||
CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y
|
||||
# CONFIG_STRICT_DEVMEM is not set
|
||||
@ -1999,6 +2159,10 @@ CONFIG_OPTIMIZE_INLINING=y
|
||||
# CONFIG_KEYS is not set
|
||||
# CONFIG_SECURITY_DMESG_RESTRICT is not set
|
||||
CONFIG_SECURITYFS=y
|
||||
CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
|
||||
CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y
|
||||
CONFIG_HARDENED_USERCOPY=y
|
||||
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
|
||||
CONFIG_DEFAULT_SECURITY_DAC=y
|
||||
CONFIG_DEFAULT_SECURITY=""
|
||||
CONFIG_CRYPTO=y
|
||||
@ -2019,21 +2183,24 @@ CONFIG_CRYPTO_RNG2=y
|
||||
CONFIG_CRYPTO_RNG_DEFAULT=m
|
||||
CONFIG_CRYPTO_AKCIPHER2=y
|
||||
CONFIG_CRYPTO_AKCIPHER=m
|
||||
CONFIG_CRYPTO_KPP2=y
|
||||
CONFIG_CRYPTO_RSA=m
|
||||
# CONFIG_CRYPTO_DH is not set
|
||||
# CONFIG_CRYPTO_ECDH is not set
|
||||
CONFIG_CRYPTO_MANAGER=y
|
||||
CONFIG_CRYPTO_MANAGER2=y
|
||||
CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
|
||||
CONFIG_CRYPTO_GF128MUL=m
|
||||
CONFIG_CRYPTO_GF128MUL=y
|
||||
CONFIG_CRYPTO_NULL=m
|
||||
CONFIG_CRYPTO_NULL2=y
|
||||
# CONFIG_CRYPTO_PCRYPT is not set
|
||||
CONFIG_CRYPTO_WORKQUEUE=y
|
||||
CONFIG_CRYPTO_CRYPTD=m
|
||||
CONFIG_CRYPTO_CRYPTD=y
|
||||
CONFIG_CRYPTO_MCRYPTD=m
|
||||
CONFIG_CRYPTO_AUTHENC=m
|
||||
# CONFIG_CRYPTO_TEST is not set
|
||||
CONFIG_CRYPTO_ABLK_HELPER=m
|
||||
CONFIG_CRYPTO_GLUE_HELPER_X86=m
|
||||
CONFIG_CRYPTO_ABLK_HELPER=y
|
||||
CONFIG_CRYPTO_GLUE_HELPER_X86=y
|
||||
|
||||
#
|
||||
# Authenticated Encryption with Associated Data
|
||||
@ -2051,9 +2218,9 @@ CONFIG_CRYPTO_CBC=y
|
||||
CONFIG_CRYPTO_CTR=m
|
||||
CONFIG_CRYPTO_CTS=m
|
||||
CONFIG_CRYPTO_ECB=y
|
||||
CONFIG_CRYPTO_LRW=m
|
||||
CONFIG_CRYPTO_LRW=y
|
||||
CONFIG_CRYPTO_PCBC=m
|
||||
CONFIG_CRYPTO_XTS=m
|
||||
CONFIG_CRYPTO_XTS=y
|
||||
CONFIG_CRYPTO_KEYWRAP=m
|
||||
|
||||
#
|
||||
@ -2088,8 +2255,11 @@ CONFIG_CRYPTO_SHA1_SSSE3=m
|
||||
CONFIG_CRYPTO_SHA256_SSSE3=m
|
||||
CONFIG_CRYPTO_SHA512_SSSE3=m
|
||||
CONFIG_CRYPTO_SHA1_MB=m
|
||||
# CONFIG_CRYPTO_SHA256_MB is not set
|
||||
# CONFIG_CRYPTO_SHA512_MB is not set
|
||||
CONFIG_CRYPTO_SHA256=y
|
||||
CONFIG_CRYPTO_SHA512=y
|
||||
# CONFIG_CRYPTO_SHA3 is not set
|
||||
CONFIG_CRYPTO_TGR192=m
|
||||
CONFIG_CRYPTO_WP512=m
|
||||
CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m
|
||||
@ -2098,8 +2268,8 @@ CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m
|
||||
# Ciphers
|
||||
#
|
||||
CONFIG_CRYPTO_AES=y
|
||||
CONFIG_CRYPTO_AES_X86_64=m
|
||||
CONFIG_CRYPTO_AES_NI_INTEL=m
|
||||
CONFIG_CRYPTO_AES_X86_64=y
|
||||
CONFIG_CRYPTO_AES_NI_INTEL=y
|
||||
CONFIG_CRYPTO_ANUBIS=m
|
||||
CONFIG_CRYPTO_ARC4=m
|
||||
CONFIG_CRYPTO_BLOWFISH=m
|
||||
@ -2212,19 +2382,24 @@ CONFIG_DECOMPRESS_XZ=y
|
||||
CONFIG_GENERIC_ALLOCATOR=y
|
||||
CONFIG_REED_SOLOMON=y
|
||||
CONFIG_REED_SOLOMON_DEC8=y
|
||||
CONFIG_INTERVAL_TREE=y
|
||||
CONFIG_HAS_IOMEM=y
|
||||
CONFIG_HAS_IOPORT_MAP=y
|
||||
CONFIG_HAS_DMA=y
|
||||
CONFIG_GLOB=y
|
||||
# CONFIG_GLOB_SELFTEST is not set
|
||||
CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y
|
||||
CONFIG_CLZ_TAB=y
|
||||
CONFIG_CORDIC=m
|
||||
# CONFIG_DDR is not set
|
||||
CONFIG_IRQ_POLL=y
|
||||
CONFIG_MPILIB=m
|
||||
CONFIG_FONT_SUPPORT=y
|
||||
# CONFIG_FONTS is not set
|
||||
CONFIG_FONT_8x8=y
|
||||
CONFIG_FONT_8x16=y
|
||||
# CONFIG_SG_SPLIT is not set
|
||||
CONFIG_SG_POOL=y
|
||||
CONFIG_ARCH_HAS_SG_CHAIN=y
|
||||
CONFIG_ARCH_HAS_PMEM_API=y
|
||||
CONFIG_ARCH_HAS_MMIO_FLUSH=y
|
||||
CONFIG_SBITMAP=y
|
||||
|
@ -1 +0,0 @@
|
||||
# nothing
|
@ -1 +0,0 @@
|
||||
# nothing
|
@ -1 +0,0 @@
|
||||
# nothing
|
@ -1 +0,0 @@
|
||||
# Nothing
|
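--- a/fit-parse
+++ b/fit-parse
@@ -0,0 +1,66 @@
+#!/usr/bin/perl
+use warnings;
+use strict;
+
+undef $/;
+my $rom = <>;
+my $base = 0xFFFFFFFF - length($rom) + 1;
+printf "ROM len: %08x\n", length($rom);
+printf "ROM base: %08x\n", $base;
+
+sub uint32
+{
+my $offset = shift;
+return unpack("V", substr($rom, $offset - $base, 4));
+}
+
+sub uint64
+{
+my $offset = shift;
+return unpack("Q", substr($rom, $offset - $base, 8));
+}
+
+# Assume the ROM is mapped to the top of 4GB
+my $fit_ptr = uint32(0xFFFFFFC0);
+my $fit_offset = $fit_ptr - $base;
+
+printf "FIT pointer: %08x (offset %08x)\n", $fit_ptr, $fit_offset;
+
+die "FIT pointer out of range?\n" if $fit_offset >= length($rom);
+
+my $fit = substr($rom, $fit_ptr - $base, 8);
+printf "Signature: '%s'\n", $fit;
+die "Bad signature?\n" unless $fit eq '_FIT_ ';
+
+my $entries = uint32($fit_ptr + 0x8);
+
+my %entry_types = (
+0x00 => "Header",
+0x01 => "Microcode",
+0x02 => "Startup ACM",
+0x07 => "BIOS Startup Module",
+0x08 => "TPM Policy",
+0x09 => "BIOS Policy",
+0x0A => "TXT Policy",
+0x0B => "Key Manifest",
+0x0C => "Boot Policy Manifest",
+0x10 => "CSE Secure Boot",
+0x2D => "TXTSX Policy",
+0x2F => "JMP Debug Policy",
+0x7F => "SKIP",
+);
+
+for my $i (1..$entries-1)
+{
+my ($address, $len, $ver, $type, $csum) = unpack(
+"QVSCC", substr($rom, $fit_ptr - $base + $i*0x10, 0x10));
+
+printf "%d: address %08x @ %08x: ver %04x type %s (0x%02x)\n",
+$i,
+$address,
+$len,
+$ver,
+$entry_types{$type} || "Unknown",
+$type,
+;
+}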
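Review bot: The FIT pointer and the entry count are both read from the ROM image and then used as offsets with only an upper-bound check on the pointer, so a truncated or malformed image makes `substr` read from the wrong place instead of failing cleanly. A pointer below `$base` gives a negative `$fit_offset`, which Perl's `substr` counts from the end of the string, and `$entries` is never compared with the space left after the table. I would tighten the guard to `die "FIT pointer out of range?\n" if $fit_ptr < $base or $fit_offset + 0x10 > length($rom);` and add `die "FIT table runs past end of ROM\n" if $fit_offset + $entries * 0x10 > length($rom);` before the loop. In Intel's FIT entry layout bit 7 of the type byte is the checksum-valid flag, so looking up `$type & 0x7F` would keep flagged entries from printing as Unknown.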
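--- a/initrd/bin/generate-crypttab
+++ b/initrd/bin/generate-crypttab
@@ -0,0 +1,11 @@
+#!/bin/sh
+# Generate a crypttab file for all the devices that are
+# present on the system. This is a total hack since the
+# rd.luks.key=/secret.key should be sufficient.
+
+keyfile=/secret.key
+
+for dev in /dev/sd*; do
+uuid=`cryptsetup luksUUID "$dev" 2>/dev/null` || continue
+echo "luks-$uuid /dev/disk/by-uuid/$uuid $keyfile luks"
+done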
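Review bot: The loop emits a crypttab entry for every LUKS header found on any `/dev/sd*` node, which would include removable media attached at boot, and every entry points at the same `$keyfile`. If only the installed system's volumes are meant, the loop should filter on an expected UUID or device list before the `echo`. At minimum the header comment should state the scope, for example `# Note: scans every /dev/sd* node, including removable disks.`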
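--- a/initrd/bin/seal-key
+++ b/initrd/bin/seal-key
@@ -0,0 +1,74 @@
+#!/bin/sh
+# This will generate a disk encryption key and seal / ecncrypt
+# with the current PCRs and then store it in the TPM NVRAM.
+# It will then need to be bundled into initrd that is booted with Qubes.
+
+TPM_INDEX=3
+TPM_SIZE=312
+KEY_FILE=/tmp/secret.key
+
+die() { echo >&2 "$@"; exit 1; }
+warn() { echo >&2 "$@"; }
+
+read -s -p "New key password: " key_password
+echo
+read -s -p "Repeat password: " key_password2
+echo
+
+if [ "$key_password" -ne "$key_password2" ]; then
+die "Key passwords do not match"
+fi
+
+dd \
+if=/dev/urandom \
+of="$KEY_FILE" \
+bs=1 \
+count=128 \
+2>/dev/null \
+|| die "Unable to generate 128 random bytes"
+
+
+# Use the current values of the PCRs, which will be read
+# from the TPM as part of the sealing ("X").
+# should this read the storage root key?
+sealfile2 \
+-if "$KEY_FILE" \
+-of /tmp/sealed \
+-pwdd "$key_password" \
+-hk 40000000 \
+-ix 0 X \
+-ix 1 X \
+-ix 2 X \
+-ix 3 X \
+-ix 4 X \
+|| die "Unable to seal secret"
+
+rm "$KEY_FILE"
+
+
+# to create an nvram space we need the TPM owner password
+# and the TPM physical presence must be asserted.
+#
+# The permissions are 0 since there is nothing special
+# about the sealed file
+physicalpresence -s \
+|| warn "Warning: Unable to assert physical presence"
+
+read -s -p "TPM Owner password: " tpm_password
+echo
+
+nv_definespace \
+-in $TPM_INDEX \
+-sz $TPM_SIZE \
+-pwdo "$tpm_password" \
+-per 0 \
+|| die "Warning: Unable to define NVRAM space; trying anyway"
+
+
+nv_writevalue \
+-in $TPM_INDEX \
+-if /tmp/sealed \
+|| die "Unable to write sealed secret to NVRAM"
+
+rm /tmp/sealed
+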
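Review bot: The password confirmation uses `-ne`, which is an integer comparison, so for ordinary non-numeric passwords `[` reports an error, the `if` takes the false branch, and a mistyped repeat goes unnoticed; the key is then sealed under whatever was typed first. It should be `if [ "$key_password" != "$key_password2" ]; then`. Two smaller things in the same script: the `nv_definespace` failure path calls `die` with a message that says "trying anyway", so either the message or the call (`warn`) is wrong. A failed `sealfile2` also exits through `die` with the plaintext `$KEY_FILE` still in /tmp, which `trap 'rm -f "$KEY_FILE"' EXIT` placed after the variable assignments would cover.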
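--- a/initrd/bin/start-xen
+++ b/initrd/bin/start-xen
@@ -0,0 +1,30 @@
+#!/bin/sh
+mount -o ro -t ext4 /dev/sda1 /boot
+
+die() { echo >&2 "$*"; exit 1; }
+
+XEN=/boot/xen-4.6.3.gz
+INITRD=/boot/initramfs-4.4.14-11.pvops.qubes.x86_64.img
+KERNEL=/boot/vmlinuz-4.4.14-11.pvops.qubes.x86_64
+
+echo "+++ Checking $XEN"
+gpgv "${XEN}.asc" "${XEN}" || die "Xen signature failed"
+
+echo "+++ Checking $INITRD"
+gpgv "${INITRD}.asc" "${INITRD}" || die "Initrd signature failed"
+
+echo "+++ Checking $KERNEL"
+gpgv "${KERNEL}.asc" "${KERNEL}" || die "Kernel signature failed"
+
+# should also check xen command line arguments!
+# should also check kernel command line arguments!
+
+kexec \
+-l \
+--module "${KERNEL} root=LABEL=root rhgb" \
+--module "${INITRD}" \
+--command-line "no-real-mode reboot=no console=vga dom0_mem=min:1024M dom0_mem=max:4096M" \
+"${XEN}"
+
+
+echo "Ready to start Xen: run 'kexec -e' to execute it"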
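Review bot: Each image is read from /boot once by `gpgv` and then again by `kexec -l`, so the bytes that were verified are not necessarily the bytes that get loaded if the disk contents change or the device answers differently between the two reads. Copying the three files and their signatures into RAM-backed storage first, and pointing both `gpgv` and `kexec` at the copies, makes the check cover what is executed; this assumes /tmp in the initrd has room for them. The `mount` on the second line also runs before `die` is defined and its status is ignored, so a failed mount only surfaces later as a signature error.

```shell
# verify and load the same in-memory copy of each image
for f in "$XEN" "$INITRD" "$KERNEL"; do
	cp "$f" "$f.asc" /tmp/ || die "Unable to copy $f"
	gpgv "/tmp/${f##*/}.asc" "/tmp/${f##*/}" || die "$f signature failed"
done
# … kexec -l as in the hunk, with the Xen, initrd and kernel paths pointing at the /tmp copies …
```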
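--- a/initrd/bin/unseal-key
+++ b/initrd/bin/unseal-key
@@ -0,0 +1,34 @@
+#!/bin/sh
+# This will unseal and unecncrypt the drive encryption key from the TPM
+# It will then need to be bundled into initrd that is booted with Qubes.
+
+TPM_INDEX=3
+TPM_SIZE=312
+
+die() { echo >&2 "$@"; exit 1; }
+warn() { echo >&2 "$@"; }
+
+key_file="$1"
+if [ -z "$key_file" ]; then
+key_file=/tmp/secret.key
+fi
+
+read -s -p "Encryption password: " tpm_password
+echo
+
+nv_readvalue \
+-in "$TPM_INDEX" \
+-sz "$TPM_SIZE" \
+-of /tmp/sealed \
+|| die "Unable to read key from TPM NVRAM"
+
+unsealfile \
+-if /tmp/sealed \
+-of "$key_file" \
+-pwdd "$tpm_password" \
+-hk 40000000 \
+|| die "Unable to unseal disk encryption key"
+
+rm /tmp/sealed
+
+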
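Review bot: The unsealed disk key is written to `$key_file` with whatever umask the caller has, and nothing in the script restricts it; adding `umask 077` before the `unsealfile` call keeps the file owner-only however the script is invoked. The password also travels on the `unsealfile` command line via `-pwdd`, where it is readable from the process list while the command runs; whether the tool offers another input path is not visible here. The header comment's second sentence looks copied from seal-key and could instead say where the key goes, e.g. `# Writes the key to $1 (default /tmp/secret.key).`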
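--- a/initrd/bin/wrap-cpio
+++ b/initrd/bin/wrap-cpio
@@ -0,0 +1,21 @@
+#!/bin/sh
+# Add additional files to the initrd cpio so that we can pass
+# new keys to the Qubes startup routines.
+# Usage:
+# wrap-cpio /boot/initrd.blah /tmp/root/ > /tmp/new.cpio
+
+die() { echo >&2 "$@"; exit 1; }
+warn() { echo >&2 "$@"; }
+
+cpio_file="$1"
+if [ -z "$cpio_file" ]; then
+die "Initial cpio must be specified"
+fi
+
+new_dir="$2"
+if [ -z "$new_dir" ]; then
+die "Additional directory must be specified"
+fi
+
+( cd "$new_dir" ; find . | cpio -H newc -ov )
+cat "$cpio_file"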
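Review bot: In the subshell `cd "$new_dir" ; find . | cpio -H newc -ov` the `;` lets `find` run even when `cd` fails, so a mistyped directory packs the caller's current directory into the initrd instead of stopping. Use `( cd "$new_dir" && find . | cpio -H newc -ov ) || die "Unable to pack $new_dir"`. The script's exit status is currently that of the final `cat` alone, so a failed first stage still looks like success to a caller that redirects stdout into the new image.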
@ -35,4 +35,5 @@ echo
|
||||
|
||||
|
||||
# Start an interactive shell
|
||||
export PATH=/sbin:/usr/sbin:/bin:/usr/bin
|
||||
exec /bin/ash
|
||||
|
@ -1,9 +0,0 @@
|
||||
#!/bin/sh
|
||||
mount -o ro -t ext4 /dev/sda1 /boot
|
||||
|
||||
exec kexec \
|
||||
-l \
|
||||
--module "/boot/vmlinuz-4.1.13-9.pvops.qubes.x86_64 placeholder root=/dev/mapper/qubes_dom0-root ro i915.preliminary_hw_support=1 rd.lvm.lv=qubes_dom0/root rd.luks.uuid=luks-0f662ac6-2939-48fe-bc95-f5a7e3d6fefb vconsole.font=latarcyrheb-sun16 rd.lvm.lv=qubes_dom0/swap rhgb" \
|
||||
--module "/boot/initramfs-4.1.13-9.pvops.qubes.x86_64.img" \
|
||||
--command-line "no-real-mode reboot=no console=vga dom0_mem=min:1024M dom0_mem=max:4096M" \
|
||||
/boot/xen-4.6.3.gz
|
@ -7,5 +7,6 @@ busybox_url := https://busybox.net/downloads/$(busybox_tar)
|
||||
busybox_hash := 5a0fe06885ee1b805fb459ab6aaa023fe4f2eccee4fb8c0fd9a6c17c0daca2fc
|
||||
|
||||
busybox_configure := make oldconfig
|
||||
busybox_config := busybox.config
|
||||
busybox_output := busybox
|
||||
|
||||
|
@ -9,14 +9,26 @@ coreboot_dir := coreboot-$(coreboot_version)
|
||||
|
||||
coreboot_repo := https://github.com/osresearch/coreboot
|
||||
|
||||
coreboot_configure := make oldconfig
|
||||
coreboot_output := build/coreboot.rom
|
||||
# Coreboot builds are specialized on a per-target basis.
|
||||
# The builds are done in a per-target subdirectory
|
||||
#coreboot_config := coreboot-$(TARGET).config
|
||||
|
||||
coreboot_configure := \
|
||||
make oldconfig obj=./$(BOARD) DOTCONFIG=../../config/coreboot-$(BOARD).config
|
||||
|
||||
coreboot_target := \
|
||||
obj=./$(BOARD) DOTCONFIG=../../config/coreboot-$(BOARD).config -j 8
|
||||
|
||||
coreboot_output := $(BOARD)/coreboot.rom
|
||||
|
||||
|
||||
# hack to force a build dependency on the cross compiler
|
||||
$(build)/$(coreboot_dir)/.configured: $(build)/$(coreboot_dir)/util/crossgcc/xgcc/bin/iasl
|
||||
$(build)/$(coreboot_dir)/util/crossgcc/xgcc/bin/iasl:
|
||||
echo '******* Building gcc (this might take a while) ******'
|
||||
$(build)/$(coreboot_dir)/.configured: $(build)/$(coreboot_dir)/util/crossgcc/xgcc/bin/i386-elf-gcc
|
||||
$(build)/$(coreboot_dir)/util/crossgcc/xgcc/bin/i386-elf-gcc:
|
||||
echo '******* Building crossgcc-i386 (this might take a while) ******'
|
||||
time make -C "$(build)/$(coreboot_dir)" crossgcc-i386
|
||||
#echo '******* Building crossgcc-arm (this might take a while) ******'
|
||||
#time make -C "$(build)/$(coreboot_dir)" crossgcc-arm
|
||||
|
||||
# The coreboot-blobs must be unpacked before we can build coreboot
|
||||
# if we are using a tar file; git checkout will clone the submodule.
|
||||
|
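Review bot: The cross-compiler recipe calls a literal `make` (`time make -C "$(build)/$(coreboot_dir)" crossgcc-i386`) and `coreboot_target` hard-codes `-j 8`, so the sub-builds ignore the parent's jobserver, `-n`, and the user's own `-j`. I would write `time $(MAKE) -C "$(build)/$(coreboot_dir)" crossgcc-i386` and drop `-j 8` from the `*_target` values in favour of the top-level `-j`; the same `-j 8` appears in the linux and xen module hunks further down. The `+`/`-` markers are lost in this rendering, so which of these lines are new is inferred from the hunk counts rather than read off the page.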
@ -1,10 +1,16 @@
|
||||
modules += cryptsetup
|
||||
|
||||
cryptsetup_version := 1.7.2
|
||||
cryptsetup_version := 1.7.3
|
||||
cryptsetup_dir := cryptsetup-$(cryptsetup_version)
|
||||
cryptsetup_tar := cryptsetup-$(cryptsetup_version).tar.xz
|
||||
cryptsetup_url := https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.2.tar.xz
|
||||
cryptsetup_hash := dbb35dbf5f0c1749168c86c913fe98e872247bfc8425314b494c2423e7e43342
|
||||
cryptsetup_url := https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-$(cryptsetup_version).tar.xz
|
||||
cryptsetup_hash := af2b04e8475cf40b8d9ffd97a1acfa73aa787c890430afd89804fb544d6adc02
|
||||
|
||||
cryptsetup_configure := ./configure \
|
||||
--disable-gcrypt-pbkdf2 \
|
||||
--with-crypto_backend=kernel \
|
||||
|
||||
cryptsetup_output := \
|
||||
src/.libs/cryptsetup \
|
||||
src/.libs/veritysetup \
|
||||
|
||||
cryptsetup_configure := ./configure
|
||||
cryptsetup_output :=
|
||||
|
@ -1,14 +1,17 @@
|
||||
modules += linux
|
||||
|
||||
linux_version := 4.7
|
||||
linux_version := 4.9
|
||||
linux_dir := linux-$(linux_version)
|
||||
linux_tar := linux-$(linux_version).tar.xz
|
||||
linux_url := https://cdn.kernel.org/pub/linux/kernel/v4.x/$(linux_tar)
|
||||
|
||||
linux-4.6.4_hash := 8568d41c7104e941989b14a380d167129f83db42c04e950d8d9337fe6012ff7e
|
||||
linux-4.7_hash := 5190c3d1209aeda04168145bf50569dc0984f80467159b1dc50ad731e3285f10
|
||||
linux-4.9_hash := 029098dcffab74875e086ae970e3828456838da6e0ba22ce3f64ef764f3d7f1a
|
||||
|
||||
linux_hash := $(linux-$(linux_version)_hash)
|
||||
|
||||
linux_configure := make oldconfig
|
||||
linux_output := arch/x86/boot/bzImage
|
||||
linux_config := linux.config
|
||||
linux_target := -j 8 bzImage
|
||||
|
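Review bot: `linux_hash := $(linux-$(linux_version)_hash)` expands to an empty string when `linux_version` names a release with no matching `linux-<version>_hash` line, and nothing in this file reports that. How the download rule treats an empty hash is outside this hunk, so a guard here is the safer place: `$(if $(linux_hash),,$(error no pinned hash for linux-$(linux_version)))`. That keeps a version bump without a recorded hash from reaching the fetch step at all.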
@ -10,3 +10,4 @@ xen_hash := 02badfce9a037bd1bd4a94210c1f6b85467746216c71795805102b514bcf1fc4
|
||||
|
||||
xen_output := xen.gz
|
||||
xen_configure :=
|
||||
xen_target := -j 8
|
||||
|