From 279d38488527d60608779470fbb6f3c11b00a4f7 Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Tue, 25 Oct 2016 14:42:36 -0400 Subject: [PATCH 01/30] check signatures on kernel, initramfs and xen (issue #43) --- initrd/start-xen | 32 +++++++++++++++++++++++++++----- 1 file changed, 27 insertions(+), 5 deletions(-) diff --git a/initrd/start-xen b/initrd/start-xen index db49603a..80381352 100755 --- a/initrd/start-xen +++ b/initrd/start-xen @@ -1,9 +1,31 @@ #!/bin/sh -mount -o ro -t ext4 /dev/sda1 /boot +mount -o ro -t ext4 /dev/sda2 /boot -exec kexec \ +die() { echo >&2 "$*"; exit 1; } + +XEN=/boot/xen-4.6.3.gz +INITRD=/boot/initramfs-4.4.12-9.pvops.qubes.x86_64.img +KERNEL=/boot/vmlinuz-4.4.12-9.pvops.qubes.x86_64 + +echo "+++ Checking $XEN" +gpgv "${XEN}.asc" "${XEN}" || die "Xen signature failed" +echo "+++ Checking $INITRD" + +gpgv "${INITRD}.asc" "${INITRD}" || die "Initrd signature failed" + +echo "+++ Checking $KERNEL" +gpgv "${KERNEL}.asc" "${KERNEL}" || die "Kernel signature failed" + + +# should also check xen command line arguments! +# should also check kernel command line arguments! + +kexec \ -l \ - --module "/boot/vmlinuz-4.1.13-9.pvops.qubes.x86_64 placeholder root=/dev/mapper/qubes_dom0-root ro i915.preliminary_hw_support=1 rd.lvm.lv=qubes_dom0/root rd.luks.uuid=luks-0f662ac6-2939-48fe-bc95-f5a7e3d6fefb vconsole.font=latarcyrheb-sun16 rd.lvm.lv=qubes_dom0/swap rhgb" \ - --module "/boot/initramfs-4.1.13-9.pvops.qubes.x86_64.img" \ + --module "${KERNEL} placeholder root=/dev/mapper/luks-886ba0fa-8a51-4780-91bf-06c5944baab4 ro rd.luks.uuid=luks-886ba0fa-8a51-4780-91bf-06c5944baab4 rd.lvm.lv=qubes_dom0/00 rd.luks.uuid=luks-28948c05-c995-466c-91a2-bd517a7dd50f rd.lvm.lv=qubes_dom0/02 i915.preliminary_hw_support=1 rhgb" \ + --module "${INITRD}" \ --command-line "no-real-mode reboot=no console=vga dom0_mem=min:1024M dom0_mem=max:4096M" \ - /boot/xen-4.6.3.gz + "${XEN}" + + +echo "Ready to start Xen: run 'kexec -e' to execute it" 
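Review bot: The exit status of `kexec -l` is never checked, so a failed load (bad module path, wrong kexec arguments, gpgv-verified files that kexec nonetheless rejects) still prints `Ready to start Xen: run 'kexec -e' to execute it` and invites the operator to execute whatever, if anything, is staged. Append `|| die "Unable to load Xen/kernel/initrd with kexec"` after the final `"${XEN}"` argument, so the script fails closed like the three gpgv checks above it. The `mount -o ro ...` on the second line is likewise unchecked; it is tolerable only because the gpgv calls fail on the missing files afterwards, and a `|| die "Unable to mount /boot"` would make that intent explicit. The same unchecked `kexec -l` tail is repeated in the start-xen hunks of patch 04 and patch 09.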
From 16bad1abd4e9f3fb5f39e3ca1e781d6ecee0836e Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Wed, 26 Oct 2016 15:10:53 -0400 Subject: [PATCH 02/30] enable aes-xts in Heads kernel (issue #44) --- config/linux.config | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/config/linux.config b/config/linux.config index c3dfc273..a5687840 100644 --- a/config/linux.config +++ b/config/linux.config @@ -2023,17 +2023,17 @@ CONFIG_CRYPTO_RSA=m CONFIG_CRYPTO_MANAGER=y CONFIG_CRYPTO_MANAGER2=y CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y -CONFIG_CRYPTO_GF128MUL=m +CONFIG_CRYPTO_GF128MUL=y CONFIG_CRYPTO_NULL=m CONFIG_CRYPTO_NULL2=y # CONFIG_CRYPTO_PCRYPT is not set CONFIG_CRYPTO_WORKQUEUE=y -CONFIG_CRYPTO_CRYPTD=m +CONFIG_CRYPTO_CRYPTD=y CONFIG_CRYPTO_MCRYPTD=m CONFIG_CRYPTO_AUTHENC=m # CONFIG_CRYPTO_TEST is not set -CONFIG_CRYPTO_ABLK_HELPER=m -CONFIG_CRYPTO_GLUE_HELPER_X86=m +CONFIG_CRYPTO_ABLK_HELPER=y +CONFIG_CRYPTO_GLUE_HELPER_X86=y # # Authenticated Encryption with Associated Data @@ -2051,9 +2051,9 @@ CONFIG_CRYPTO_CBC=y CONFIG_CRYPTO_CTR=m CONFIG_CRYPTO_CTS=m CONFIG_CRYPTO_ECB=y -CONFIG_CRYPTO_LRW=m +CONFIG_CRYPTO_LRW=y CONFIG_CRYPTO_PCBC=m -CONFIG_CRYPTO_XTS=m +CONFIG_CRYPTO_XTS=y CONFIG_CRYPTO_KEYWRAP=m # @@ -2098,8 +2098,8 @@ CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m # Ciphers # CONFIG_CRYPTO_AES=y -CONFIG_CRYPTO_AES_X86_64=m -CONFIG_CRYPTO_AES_NI_INTEL=m +CONFIG_CRYPTO_AES_X86_64=y +CONFIG_CRYPTO_AES_NI_INTEL=y CONFIG_CRYPTO_ANUBIS=m CONFIG_CRYPTO_ARC4=m CONFIG_CRYPTO_BLOWFISH=m From 9311428082b68140d2e3de38ca002ed0675721e4 Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Wed, 26 Oct 2016 15:11:12 -0400 Subject: [PATCH 03/30] add /sbin paths --- initrd/init | 1 + 1 file changed, 1 insertion(+) diff --git a/initrd/init b/initrd/init index b7154e9b..08af1b93 100755 --- a/initrd/init +++ b/initrd/init @@ -35,4 +35,5 @@ echo # Start an interactive shell +export PATH=/sbin:/usr/sbin:/bin:/usr/bin exec /bin/ash 
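Review bot: The new `export PATH=/sbin:/usr/sbin:/bin:/usr/bin` is placed immediately before `exec /bin/ash`, so only the interactive shell sees it; anything earlier in `init` (outside this hunk, so I cannot confirm what runs there) still executes with the inherited PATH. If the point is that the tools copied from `/sbin` by the Makefile are reachable from the boot scripts as well as from the shell, hoist the export to the top of init and say so, e.g. `# tools copied from /sbin must be on PATH for the boot scripts, not only the shell`.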
From f65fe75823f046e1813e129009f0619f074b4edc Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Fri, 28 Oct 2016 04:57:11 -0400 Subject: [PATCH 04/30] simplify startup arguments for qubes r3.2 --- initrd/start-xen | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/initrd/start-xen b/initrd/start-xen index 80381352..7c4623eb 100755 --- a/initrd/start-xen +++ b/initrd/start-xen @@ -1,11 +1,11 @@ #!/bin/sh -mount -o ro -t ext4 /dev/sda2 /boot +mount -o ro -t ext4 /dev/sda1 /boot die() { echo >&2 "$*"; exit 1; } XEN=/boot/xen-4.6.3.gz -INITRD=/boot/initramfs-4.4.12-9.pvops.qubes.x86_64.img -KERNEL=/boot/vmlinuz-4.4.12-9.pvops.qubes.x86_64 +INITRD=/boot/initramfs-4.4.14-11.pvops.qubes.x86_64.img +KERNEL=/boot/vmlinuz-4.4.14-11.pvops.qubes.x86_64 echo "+++ Checking $XEN" gpgv "${XEN}.asc" "${XEN}" || die "Xen signature failed" @@ -22,7 +22,7 @@ gpgv "${KERNEL}.asc" "${KERNEL}" || die "Kernel signature failed" kexec \ -l \ - --module "${KERNEL} placeholder root=/dev/mapper/luks-886ba0fa-8a51-4780-91bf-06c5944baab4 ro rd.luks.uuid=luks-886ba0fa-8a51-4780-91bf-06c5944baab4 rd.lvm.lv=qubes_dom0/00 rd.luks.uuid=luks-28948c05-c995-466c-91a2-bd517a7dd50f rd.lvm.lv=qubes_dom0/02 i915.preliminary_hw_support=1 rhgb" \ + --module "${KERNEL} root=LABEL=root rhgb" \ --module "${INITRD}" \ --command-line "no-real-mode reboot=no console=vga dom0_mem=min:1024M dom0_mem=max:4096M" \ "${XEN}" From 5a5e7047c70191d5c5c24ab96a21f43734b5b668 Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Fri, 28 Oct 2016 04:58:39 -0400 Subject: [PATCH 05/30] fix default location for trusted keys --- initrd/.gnupg/trustedkeys.gpg | Bin 0 -> 17559 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 initrd/.gnupg/trustedkeys.gpg 
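Review bot: The new kernel line `--module "${KERNEL} root=LABEL=root rhgb"` drops the `rd.luks.uuid=` and `ro` arguments the previous line carried, so the root device is now chosen by whichever volume carries the label `root` instead of being pinned to a specific LUKS container, and it is no longer requested read-only at boot. For a script whose purpose is an authenticated boot path, keep a `rd.luks.uuid=<uuid of the target system>` pin (or add a comment stating why the label is sufficient for Qubes R3.2) and restore `ro`. The `# should also check kernel command line arguments!` note just above remains open; a comment noting that the arguments are fixed in this script rather than read from /boot would tell a reader what is and is not covered by the signature checks.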
diff --git a/initrd/.gnupg/trustedkeys.gpg b/initrd/.gnupg/trustedkeys.gpg new file mode 100644 index 0000000000000000000000000000000000000000..3381d1de094d1747e193cd7dbd19ed2767761bfc GIT binary patch literal 17559 zcmb8WQyS!SYn{iZor2 zUE;V{HA`EM&PowQ`C>fUP_SD=5$IOZh%YYFCMuVw+-yT_rSy1v08lhTa@W>5t?732 zs$49{L?pap^>=m8+zKL~oW0n6=uWT{vq*?IIHw8%=lZ&dWkz5doZP@x3Q(&zu+fXW zK0hiN#ov4r07r@7uS!W#N#5Tv$xZ?wi0|2_e%5(}Alq?%8+5oekxKWz$2_C{5fAZl zdV^L(>1wSz&R6|;Nusg`6ikYxI?G5XB)=9^NNfNmLV?3eE>s_I_;B^^aLsdpl0uhJ zEVF1gR=AXJ{5~~f-MOuPLvbej%Akm=W(|u|K34>c^w%}@{=kv4YpNWT7O=ZWeT11F z0=UG<$h(kWNPMyVurRHB8ffU`YI)9}0ReV@-%cJc`)-GTYMX9Srhmv+GpqBxC`5bf1Yrf0sDX!uGk!!IT>Qq z8>=@JHF*ZfV8wL3e}~4SWDD}MY9(Q@lD{zC}5a(=@1`%i^MOS<}~AvdhigsU26q}yOq z@48Bc>lOeaAOK)9p^B5Ct*xnz4S|HKiL<>O0guJMeFa>cY;Ec6OkMaQf%rg>0f7K0 zfUtqVpdlf^fq}qKA%GyEph3`pfB}K<0D;g0K!Mbd(o#Voq0MsZ0iYleTD8AbU~j|v z1v38tqd`5@B^y9q=nn;)l97k&sZ8yIxVJf-!)p= z&KQZM8z1-SUN=e#=Y!H3Hfj~pvzY|86L4MBOJ8JPIMuu9cPAmf(dBH*69Sf%MHT%Rk0{F6xa7$F0K zj0gk(0}7;KKHLl%3?7Cb@V7>y)6K>~9^#sVQ2_G8z_Uc3f3bORKsvRPRBf7!LO>A% z2DvJap`ZqcLeVoPb(0?B1d#KLU6^6H!lmhMC)PW;^3<*nB!=i%;<5(FUmEx zCFb*?)dsmA)K>VzDkINBXrd7NjJ_=+`GQ=y zG(nAWGjwcn`=0RQUjFizC66<*?iOQf%5_Y0Wf~6#kd)c9ycoYR)7&?S{yj)g{}%Iv zN3VYdiFJ*vrxx;oLaq`5pgE31o!qCPYb%YTPS;Rxsbu)Gz@|qG%3)rwrZv=tiXOZc zX8^JpEo(#@M?_*44ux`wI4z@+@aqsnxB9+zGbSTj!`tgAJLOgtUMx-q@{%$K23)ho z^lBl-Z9HXvG3XqS5Cs_|7clE3!m4w;VuRlIX)@DpoI6^T)g{o8sb0(&OV2rVyD-!Kn} z$p7S&QdRl?Ertqk04#SGgv(+e6$d8f^3l=wJibv=eC5F`ih;jwT#+6_V7Umr#mk>py|iUYdX9w}Y9#h(Q(>TE%GXfw-GmR53l8iPOX zfn4N)SwYfC&KnbZpHVoz5eKQiA9kb9qiP?z_TktH>8=$1mIopr)W6GP+v9I}z`{@W zFPky5G9kf#QwboQjD`?Ps|m9!Mh-P(N_U%E+lT) zT&x;}mYeA!jp8XE`w6)0n;6__0}w;pK?b3Of;r%^9KXoxwz-P50%R0J>#G_B_lv{= zc?=ck09UBtx5b&*7X1XR)yD5JGwu9<8r1h817q5Y~ zd)nvYtdKn0MbCUg7SL^w=V^{qVc3pDm-Mng!bTk6StP{vob}_YNdymK*Tx-5JJfYv zq#nrKP9p_OJzyXc!A90ic|=*a&X)>7n|lQM+$a9&FtHq=&qI1r=$xgs#FVId>Gcqc zcBHDVtd!SZ>!*}HkF`(!4#k#uO&?|FY8c^ob!LR&EqM#{=C3fP6IOZHr6lH%!Rspk9 zIb(N{`b9T*#fv%ufKx?fku_mc|q0VR@myf3m)nCEG+$Y_dV7!5`Mr6 
zqHilyNj6XHs`l3WeO^f2KO%d&Illw!lp|I+;&+PqYrDQb2OBE1>n`g!KAhW}n}uIB zJSVa3ivSs0g41Nt hn_-^u3Cxe5s{}kfYh4w(31wVT=@TU&41Yx4Z+yIyfY{yq#0nq|I<2Nl^ygrqI67Op9!R?Y9AR|1iBD|G0Ah*d#$0-?kjiOk}PcH@p?jX${CJP zH5L0^mo?Y#!~2NKwowDA?FmgNqYf_x)ihXtjjK66;v^ioQu4sOr@qCO!_Bab$Hb3! zv`cZFSztzXh|v-tY%X;QvgxbMIM*&*0Enc%Dn8hjai80;jC>J8p2>^+Rh^3CFlh32 zmpRV4pVzv0Di;SQd5zxk`=COqHixT$lLvqLn+jpBsv>0lV5{SNVvASsj$c6mHKy?% z<76@z!(WuYOPH-zZ*CG%!*0#=ybfGoz!jQ7VK>AZ1D27}rr|_P6bGKz8EOJFNhLW0 z+UFOQH^wMr8>6M2T(8*MS7$9rYT9G3hXUx+0!WryFdxI5dWg}tu0`q?U0zBkif7A| zan2X4z-iW~u%9hV-mEk-M;Oakut`lO7chq?)wh!%C zdVvveA8i_aQoXgKB*`hyY)oY_YTA$UK^7D01oFbPuLMysm6XZXHTi#&nX|jG1D&zG z?f-(z(*HY|p}N6;Gv>N|_y#7-TFBHHM06<+DwSi*xk1z8Xy!bx7HlXGM>O~9bCLk` zSobVA!Sbyk+P6}-EODSUx5^x~&2rE9)X)G|0;R^@hra|kx(9E5c6GyKoY!T;d=1xm z4fIJ(@~d2kaNb71^u3&5no2eVf1`|yUwt!wrhONIH$tOfzI3C5ai{>~JR(B^B!F8k zla6Cd2qa!5A>Km%(gwbY2He6%ZVzaQ3hBd_FJK1fP zgf(wlWcvF5u}un#p^Zme#+WjD+Fwltt08X0a8cRbY`IMgsbu!FG2f)p(}})sdb$?G z2gqVmtKvr`1!9a!Zr2?)$JWOh+(Dx6hGPvyH=a1CJ1;>5fvPx9?X`N<%C-;iMaueP ze$hV^H#?nLuoR{xGDaETou+o;iTq`XE($;kfF|9ixCBld2xo?tTCDhjyv;x3QAGTf zx2(K)q|V0J#kv|im+*inan-!lI&-5`OFgU3V$2QSf~688g&rl95}3C}SDl+^1-T-s z&9l$1_+QAZ`=6BX4>FUF0LZ1Ej7Wgk1ySWsL<+d!=pNJY-l7G_FLY>BgUNMY)-vW5 z4efiqawNqvB1i>toKNm zTlLA=obUNmsr+31hep=2S2V?1^f$6pwb0YtyALQ6CV=XEdQAOvw#jnx$WfJR+oxNW zDR)r}FZ&>=$+)K`jz6ClOx6477W`So;Hvh~P~W%d z{IW9*0R~qT1)iF6yS>qlteYQBUdN1ACTVlXb#+>AcEqlL>+S6Vk7wu{OWIFzs2p%AkV##eNdiMdEH}D zpy;gmV0A$z^b5e~RQZn^>yTt+(AeEZyv`;5}h!=)s4{N*S=mWe|}(&uK` zgt`f1F!swfiaeehYEccsIOVYg+b^otmi2Bl|ANfms}TTdpX!shrT1pbIwxc49%i?? 
zUKTiYjr_F3clmyLURub;fIs#8w_kMxR=)wQxlOoXyo*8;P0z9V^czi)htnqr84@I+ zrNq1P&*kUDW$pWYa#{`{<0@e`d#-Tu_rR<#ns7$Lb}#pL$F*$UCL}*2NaL86rZ52` z8e5GWJfFr;eGfzB;dME{@4rxavT65%iB8PW zSL!#rxT;JRW&Jf4WkbF@#3z+|ry;C^6#47Uo=}155O>aW!w@+QtvWmpU zN)=PAjUwQLur#p|tOi+o@ctj*Rhzhl| zY!p!a$vQf+L$+_B;*e^tU(;9c`j&FHdBZa0ff&_NzoP=T`|WU zZqj*qzmO*Wgx}x{oZ-TsD~%cQg0rZtTQ6P3ax1!eSKRYk z1vf2c#%boohs*T&Y@ZC5Tx^x(cQQ0ZAV=%1-1xKvkatK}mb*p_`PL30aT(ImgENbT zUgiA*+OJa6eZ~Ied6FC=)e%}j<9-A;rMsE~}uz98v)C1~g1zUbnecv@Y&!ebjd4f{C?)k?}d|zsMbKN22-0 zw7RB@eiSuf=<+QCVCNe=1%b=FVNPZlUH#0`W73<`p-&+R1_vB4f|QZf8nY|w=E@-C zE5>3e0}34D1lS}P>tZ?Z96t+TAgtp)z_23wU&*ZHKa<(=CH#*Dd1&k7ZF&6M+P3oj z)tfZWD=;i*=r70#0QhKx+GRAC++v5}>MiSD`_nyI&v8z37g8Zy-+f~jw50+jtsOpw zqDACOW=PSFkI;3|M8NV~YIs(e9H}{;Vf=n2xDd6)LOVP3cK-Z;CZB!w0{$}BZZ{A` zuHRZ^?XCfB{QXA@Q~~2=1&<&p?=av)3?(I_R))q33HmcT3oM!Yl;E#@;4?GQNrgj; zRAp{FCNG@9{qtZ4fZ+3mqY@-4H(WWd+63mLVg3jho2AAfioi*60rKWa#D&Jz7+OB& z?GL;0Lf1;t=-^usuo^+)1Dk2Lxx&ycOoVF_4|+3E`Vg2?8J|WUBc1{i@E$uXbAU|8 zk;I!LJe27ncurbE>8B%qewF9WcqEeFS8cc|aXLC-mYXrCen7`RgH*!D^cq~ z3J3K-IQpWs{47x&aKOH_umhu=>Zy#H`Zu}YcawW4j9RR>^sW2RF`9vUy?cG;qa1cT zQVhc+-fq;kKUOxdsm(w`3cb`qpoE<~YruA!dhz{Yb8G6_^+8tSfJ16`y<^pDI6JI_ zQUA6P#`3+dj4CTTfP=b%g)6)|9jgE9Wg9$lj&|5b7#c2Ktnp{~$ZXBTUKC1!~@%XaH z`FPd8g8k+RY<&r$Zn%eV6Ta)0>`lG7_qpx8hBcbJfqvSJ`M`<7D2=*C$nO3-iJNR? zE;pT}a;UdV5_bsi$B7SD7W3t#n5cZ&-63^Q%|%vOAWQ||#>aIgXIK#TTk(6_a%^$c zO?~%=r)p|6*wxCn#4@PGvWr5K1PnF|bz*~tocQCJR* zBQmJIG_%NHse1^hQ#b;Nti2$x@QTcY$9aMrnq;qTZ##Jo`_fX2B^>v=U@3yLvu=cd zZRa;dczr{=s@D9Qe-GSPi-?iy8%*yb; z-t2#=(lQkm8k>JEBZ0tle@u=HZJ&0RD`oeo=5kOM?fqQv`I@s^Wk)lmEYZX7b7QNfQV0{h_4|#!?*C@KAv(MDO zn;`{)TQ4s&ye+sIQ>~LsXcO4CezjNQiSaqq`*RCil5qB8J({FBMX+e zkLa5i)$9G07<1SR^t_b}9&LEM1UFw=tV!TN{v-OJ@q$WvzsbXscHwzYbfOur7nGa+ za8xcmtfv_9eZk889I?gKb)X2WmO-NXF^&*nh|e%BnR+d{kM0zcj(bZ(-8kW643u%dgkv$9VQ# zz_R@_-`T4s05~ZVIF&*~wbHW37ljzBSwe!V(c8fARTMc^! 
zUF}inaUkGR@Yj-D7X#scx2E6qRSFPi)FbSI8b`-sI-=pr>R|q5f64eWZci7C78%Wz zSs(-*aUMy`P#Yb1#gX#*{{^2h#ln9x(?@_OF_}Jk^m_F`*cID8oU@|gWSQq1Zrt|9 z|HR4!HrE(p?=u6U7e5wBuq+N5>zg%TuVo`uwe%}Fs zJViR1mmhNH4y65g4eCXjFsIVk0e)0C_y8FmW^)SoRF}6kx*M*9s4H!8c`SI&JJ~&l zPkPrLP`V+Ug#AIbck@EGVmt2Q+rqfdwn}Up~*somC8|nWIDUM(WsOA^VNbG6lG})7iWi^{3kCl3iMn$6Tov}#nxPwD3GiHKiA~Ak z&m+Qqq-TyXz+?hOCc31ijq)}B-b>r?4Tp}x(_7F?Ngw`mTz$Bi(!rHWvaP&OuA|%4 zXLdTXXT~h8sR2EZe&eqGzu>cuPWT`32mOvWw@Ea5X%43&S}W+fW z4V}wKzIrsLjFd7jTMpCHE2s+g^b{X@^^>P4HUv7b?AbfUSlR5&5XR{*NsEl= zFP}BCFlAh8NDUGw+*E#UuBQ^ugS(BW+~jC7`<#Siei7?cSt--071piV?sP!5x|1oh zmz&qrpFo<0F#3GzTVyUtz-X(3&IFXiA&C2T-WX?yHePS%tB7dcmaKN8MdI#!VTXf* z^Y}%gfhC5a;cY_n@huQ8FZFTTguOcHH7@xov3ZhRSt%d-o}BE76gK2y8}U4S@Yjjz zqM<`d^DBlIeK59J&gl!F>4|s4u@1O4Ky8U;adQjoc;p zav7dz#?~<=>A$*qqqBVdXFk(OeEQ$st4`&n2|c1S)m9q{IP=4cyWqSf-0La6DR z;N-`smBQ=711W;Q-g~KUd_nq932K82Neit;XHsSw4*W=4)#J~ZJLcDS%oZcT*QJ&B z&sVICL5!Miu8V1JqnU7BK(B@Kcz4g@IxNBvr3syn`lqazw`(ir&cA1K1H^8*pa91a9K|oa z0$D#)%gl@5djNw@p!=+G4f8^sKR9=cZgwr@UW4U%$O5D0;dZd(lN%)^%MnArE=^s? 
zx(_1|x31D+E_~>9E=~vDe-y7l1`Cs(qYlQJ7GC6vCP#hxk3_|7MGZH+S8hsI2Ox%-)bLR( z`74h%mTzf1k}6Zd!d=LwT${1m1~~Mivy5vc*?zh#;L1xbrv*1PaZz4!jglO*n>o;B zw6%-k0tLw9$!(XvBxEXT?7SaXr9#anz4sxMAE%k$bAZHWYmf4_UqBGpBd0<_%n0~z zd8%5dRttr@59c0#B-BN}C>GJ;WAbOWHAqy+joj5ex#MKdan|&$xc8X!I_?EG%_=CHR zA3nh)bwT7w`T;8H;-L~OFR?mDdMCcWHI{T|e8KRBMdf;GmS0bYzY0eP>t$K)l0`YcyZ!Z{6|sD+%+10i#Opsp{bbQAZ*5?V^;qMS5k7ewgq5g~ zH8Y-#o&s88zIZDl$VCv;UmV}(nn6z07kINEL)FrU0ef-^V-DvONJihp3WMc->0JTT z<#!vhaS!tQ^7M%%MN@WbGt%p-h5co{OSE6 zp`8G0#8_L^iF%}06msg&MY~PQkk^(ZwRD)e=}SN?PY_<1aK}_4y@Hz`6C5uz*d^DT zw~(vmyc$D#iUzCX5H~Z(GxtYl3rMk7w4y%MGV{NgQ<*g-9i1B#F3Pg zcuLRQVP;<5_?A2RwUlY8E>xGm-WMH`mA@VfH4l{a&hCKFS@i(x7F5#5E;EJ?%Xk~& z_Nj5(0#PWp&TVD(2Ec$j++U^M2}USWU^y>_o65H&9|5mt z1+by!s6sSap)Ma_3$b(9JRWM!?_%sw*0!iWZUqczBnw37r3|aLZTlS0;B*C3?qUzP zP_TEc#5Y-|W@)!Xf#Fy%-Z`Y>;%uvBgFyaF_(pvO!&IB4$xgiCXuVH<&;!x-!wUo& zSyn6&SSr5-k&B5+yiw!0df2ZHwQA2w<1@5gh%=E2eD%~kf#CknuKtX%DsFGhE#a9Wia!DNMtHhATZ}WbaMt?v^0-JffE_LzfS4?O{Xg zu!ENwhU2$t0Gb6*&Bd6biI$@Hp=_`&Zs*$gqiNnpRD;4WZLeZ$ zmG@}0Ju$|5Kt)_azL>dJ4IRU26Zvzio>eH?*Nw3*hF+{R*PrL__(?=uA8xTt^d;qn zgTdl69b*QnR&2x9o@#l6aTYK*LwO+pcxmZhHSsKo_xU0_c`zpCe@&4esVX@#f5Z#l zNTyhbA!%YtjWB784<|YotyTaB1;08i5gyTw0nhsB1&rK7)@}x|=&&?7!b7w*oZ#G{ z*IbH=)D+w)nF)9!04~jN0jr&E2MxMl4r(9=g9Pbw<*2Ob`&8j-aa*2SLX_6Yn5$*W zjt|PBA&v2NgstF|>-96Te(VVm`&JlQ=?2FdoH>idOP}moby!V_hLf2;ur>Pdhir`y zaeMmS$r_V1mYWNIGIc}UWrsStLD!&b%)J^ETX_)AbC|ALEUYdq+buiiCBi+Xb0i$> zgSTw3XVjL0P@P?j2)i4OXBr#C!+`G5Qx9`zX z4^tpL)Qw;76k`KCRX1wj99rxKkVN)QvZv(K+4^wMtP934cr**XQw<46^C_Xy<>s6B zc_Yzx4;x6lcc4Cv*Et^bG7njzJK=u#7pw<6hX4?kK_m0{GkD`Q2HyG@bQ<~i<$~AZ zLBV$

4Fx@sZblQ-5e{B? zGE*zg2u+D8H|bF}^%aXPQ;BoyI6jj#xr8%2u3v#vaWuQhAR;^d(ujctV_Ic2Qe(Z^ zX6cQcDz*}o+e6B)UAZ!pC;3M`a-V1yfu}k;Rsh=0-d)8RuzUBGm))LibDO8&@O7$m8ORwcK|5Y)_jKNU+=&#L^-7iv^?= zmxe%2l8lj8X+qS@v>;ko!FGghzckOM7yIIpUn=~g??@Bt73&R!Hh4M_4ItpQe?JOw zq~YS~hVPW#?&&ue`zdEiZF&DV4^qCTXY6d5B9P23n9T3&Dey`fBCG3Y`H6jAv;0x> z&y?QJ#J@&aoAz17b?_0wqzSq@KMbwUrW8AE zMtw*EvokiU4@^8;6|pf#R|d5at|yQG6YKrGmG-}5y?6-tZ$jt0MC|AE@Is1VRX;5` zG+egP*Vl3QxApPE(scJrYxgeC-kJu8S*pA)U5;$O6kdmQdn!WhX>cL0s{zOn$7;Q* zBX|WfTJ;_&tBa}0gp8mM3&kPOXz%Dg5ObQuSB^r_VkhS6T=n)v-?R7T_Guz&=j&Z5 zL>f=A`q@AFgQl)Sz0*mhDd*}v<=O!2$1*+9RtdPDZ{eT8R-cl8#W)7advOEax&3gGX$mz5M2QDms`RIb=*|u#yowVJ-flrCgzvGW+Nf zSw^$pmKRA(QpA$a!0Y)XLaCSMnzPa%R1E#Yf}Oz$?5dG86q2Hn8rTccnn9~b#>c%pA3c;Jt04F>)GG!X?z2XErAD24j6#s~HU+;5@zYX= z#kGz+1To0V<3Xh{eg$NSCrp#zQ|gS`&juN90RTP&s2#8<+ukj8D~F@e9P%qC@+~9A zx-1W)Ud^|9*uy?s>LZe$DQxF@rn`q75&}}?CMipvq1I^gnrd#NjWmNgbI%eLm9a!c zGf0OOD#ND0e4zv&LK(3{jX_fv)VH`QA_{c0)aRr%;J9AAXo|&UbB`^oFb~@+CF2H+ zk!T_7=Y)+dF7;0r+Fn!nBx`hp(pJX6j%H#^eRTYDpYiwjr|}||HA$A>PrtS@|HXOR zbKZ_*N}5n>=`JcWA!#IuD6H(W?iHAx`oSXPWU=cdH$!X{<&#Tm}4{sxus0(K!{#`C)2L{ z%Sh ztsF7c??s5Erf@DV!b_QKWY?<1aiW=7pmu-RTGIjVOm0v5yN}mwXQhgPsU17y_H-pO z(Q*FO*H<9hAKcAs?8P{4#fLxfz=6d!dQotu-NONk)hWOP(?y~wLdaJZ<<{YZBJ5Mp zBK}>JHitH|uk8CBW%H=Xtz*xCJiGxIYL`g-oa;@F(E*bo{$!uSD`MUsY3~LXH~Nmc zJ0h_HBsm!(=ZfTvziHi5Is}t-w zJ)_~rNe_Rz1H+{E>KKsBRz<4g;lvYIzM6CGF(u94J+zM`(Re^m+`t+Ev5FL^jf_I{jaR~@QI+qP$ zEf;S^8)Sogj>lVQD0M$d6dl3lk8J4x1AfnEiK}>HUm9g{@E?SP6_@3aORd)>i;-h_ zaN>%pD2(!)D)NE>gfNg+Q)q+F^3M^-Z6J|$Cdh66s=z9x_ds0JPh3l>Am-b(-;Y2s zckUIhp>JFgkUTpK$R?k+#A6Zj%LVIqkHZ;s6zu#1L(%Vd1|E9Ox*)&H)E^Xi;%+z= zm%0wEvDBE9pap+{G^#6y)x>v&%f#ZuK6P=*l3IcqNa>`~RagU};qmLyYeRz~TIJ7K zJ{r2U&VE#{TQ{tj=z7&VIGH6T&!`WHbjHQb_qa!Q_0HVaZY{qSjz=ReeNMhl+`eZW zb^yYHsF-cM{k8sewB#oZFaF&VjdJXKGO_bWP%cwOA}+ZT-M#dC4V%Fp54|;cuQstR zD@}iSz2{@wDHC^!kyL_ZYo@d!W6Bo~T4|Wy@0#DD@<63U$@^1Bk{KbENS%4rA znrC*LYR-jIwiL!N?%n_!vACe!jH7rjVEVjw-5UClQq0`CPJV*WBEl>bOek5qeVo0C zDC^i~%)KJ`-}44o|MPcB!KVZ$ 
z{l4n8fGY$4(QCy)nLQ$GF)hXRr7E=HRLbt>WZ_HGiAhZz=I&(Mf(d^!;)cjkJAIH? zz%OXDiJfUQNED=xF6ZHD-4Ej`*UN^z|2>t+2biBSNkw|5PH~U5CRy1~-2U0JbbyM% zaNVQaS@Y|+DbaGe0cq9^R?zKvy!=nu^MzgP+aE$Z;L?YM28EoM0%bRq-T4oa;s78J zQ8kbPHeG~n4ERtORO>(G=RFFen}!~NCuX>bxVXE&lpUV(Kd%jUxj+SH?TJ5n9R%nM z;Jn|+{&YWi6~%H8eTbd?p7t6Lx~yBa3DaFhnu)&Dg+y&g#G6ZsEwjiha?=e8yuRka z`f0uyNj53@YwM@#h_MhIAfl9_lDAi!qY|pd zqh^NG7PIg#&FDQ8wHLv~!lyus?ZQmHPpuMV(neI`6~z2@q?%4&pPTj#uJ z#R@4rnKKUO41I3Twe&3PF7~Z4T91{#4-(Y0m?lksIZGR(hv1M$i^rq^9&kiPF%o_y zD!-c;=b~Z4KCB>mLGPG!tgwYFSn%H)S;`NlVzvuN+dj2Pt)$6HmM7P8CF=NMwrz(O zIUqeLd@4(@fK`h{ezSUlQ8oh!2Y9Do$rHYPzLfFnK$shRSBh}zY_w0K&GqVjE0bfP zad>iHT3T@-#;-#2g-8>R7(i;9!_&(S7fg3dAv(Rd&tTmV2_GR(*1Zl--P<-zX*Dc@ z=~bzHAu1;(xgoBJ`+D+15wEACH>#w3g=;HCJoUcmlan{Zfp4(!4#ABYZpEv~wUAuE z%ko0hh+U=w_oiEhf><4Pl2cUSE&o6*o14GeF@xIqmcCoco9VFECg#{M!O*}0EsS0G zPx(0ew}6z?I63oW!hsx+p>HfV33#b4MfHn62Fj+sTt%JniH$x^<9uA13XwN(tz1}Y zixdC*wXzBQ*R_(*pbBk6y?~>;D}_SkTx+F&wReCyR6}zprBse+07skKH0BqSfMs#Y z#f6Nx!#uI*mP~afZ^^qR22dMi?C&gpd$lZ)YB;%Ra6lzT%HLcDJzhO)VXpv`c#1Xf zY4h#^6IvjE`YEu0Zg8|zb4cd?wT_2v1l$X4hyIDn} zp=bk}KIZ)YUyfDGHlhEm9RGc-{O58krw9Mz8TjBZW}Im6*;H6RW?rIfcb#=3zVu~4 zW*uqx2h^Y7PZ~yI6|J{j5ilZVt? zG7f=#YFG3Gmr+&-d2*4hP|xUDW1E}^_#)M?AggB@8taFE$UW?odb)|c^S?S^$$(xpWTAB zWJI=My`+Y){rv@z<;e0VsO0QX<0^>n4_5-J7q>=*wgmT0xZBEM;(1qCgHU2nbfG#g zgypvz{`z-{ws^B3YlmELtd_cEyykMAy?KGpyb9NDidg?wkq`MwY3?+1$<0dWyf7UV zzuI+=K)f`0J}EA4ECf!~dP**P94*2>SVoDUrvYidTmgNaRRTLE@4gc3du@_8h_xvO ZqogWD_T Date: Fri, 28 Oct 2016 04:58:57 -0400 Subject: [PATCH 06/30] fix default location for trusted keys --- initrd/trustedkeys.gpg | Bin 17559 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 initrd/trustedkeys.gpg 
diff --git a/initrd/trustedkeys.gpg b/initrd/trustedkeys.gpg deleted file mode 100644 index 3381d1de094d1747e193cd7dbd19ed2767761bfc..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 17559 zcmb8WQyS!SYn{iZor2 zUE;V{HA`EM&PowQ`C>fUP_SD=5$IOZh%YYFCMuVw+-yT_rSy1v08lhTa@W>5t?732 zs$49{L?pap^>=m8+zKL~oW0n6=uWT{vq*?IIHw8%=lZ&dWkz5doZP@x3Q(&zu+fXW zK0hiN#ov4r07r@7uS!W#N#5Tv$xZ?wi0|2_e%5(}Alq?%8+5oekxKWz$2_C{5fAZl zdV^L(>1wSz&R6|;Nusg`6ikYxI?G5XB)=9^NNfNmLV?3eE>s_I_;B^^aLsdpl0uhJ zEVF1gR=AXJ{5~~f-MOuPLvbej%Akm=W(|u|K34>c^w%}@{=kv4YpNWT7O=ZWeT11F z0=UG<$h(kWNPMyVurRHB8ffU`YI)9}0ReV@-%cJc`)-GTYMX9Srhmv+GpqBxC`5bf1Yrf0sDX!uGk!!IT>Qq z8>=@JHF*ZfV8wL3e}~4SWDD}MY9(Q@lD{zC}5a(=@1`%i^MOS<}~AvdhigsU26q}yOq z@48Bc>lOeaAOK)9p^B5Ct*xnz4S|HKiL<>O0guJMeFa>cY;Ec6OkMaQf%rg>0f7K0 zfUtqVpdlf^fq}qKA%GyEph3`pfB}K<0D;g0K!Mbd(o#Voq0MsZ0iYleTD8AbU~j|v z1v38tqd`5@B^y9q=nn;)l97k&sZ8yIxVJf-!)p= z&KQZM8z1-SUN=e#=Y!H3Hfj~pvzY|86L4MBOJ8JPIMuu9cPAmf(dBH*69Sf%MHT%Rk0{F6xa7$F0K zj0gk(0}7;KKHLl%3?7Cb@V7>y)6K>~9^#sVQ2_G8z_Uc3f3bORKsvRPRBf7!LO>A% z2DvJap`ZqcLeVoPb(0?B1d#KLU6^6H!lmhMC)PW;^3<*nB!=i%;<5(FUmEx zCFb*?)dsmA)K>VzDkINBXrd7NjJ_=+`GQ=y zG(nAWGjwcn`=0RQUjFizC66<*?iOQf%5_Y0Wf~6#kd)c9ycoYR)7&?S{yj)g{}%Iv zN3VYdiFJ*vrxx;oLaq`5pgE31o!qCPYb%YTPS;Rxsbu)Gz@|qG%3)rwrZv=tiXOZc zX8^JpEo(#@M?_*44ux`wI4z@+@aqsnxB9+zGbSTj!`tgAJLOgtUMx-q@{%$K23)ho z^lBl-Z9HXvG3XqS5Cs_|7clE3!m4w;VuRlIX)@DpoI6^T)g{o8sb0(&OV2rVyD-!Kn} z$p7S&QdRl?Ertqk04#SGgv(+e6$d8f^3l=wJibv=eC5F`ih;jwT#+6_V7Umr#mk>py|iUYdX9w}Y9#h(Q(>TE%GXfw-GmR53l8iPOX zfn4N)SwYfC&KnbZpHVoz5eKQiA9kb9qiP?z_TktH>8=$1mIopr)W6GP+v9I}z`{@W zFPky5G9kf#QwboQjD`?Ps|m9!Mh-P(N_U%E+lT) zT&x;}mYeA!jp8XE`w6)0n;6__0}w;pK?b3Of;r%^9KXoxwz-P50%R0J>#G_B_lv{= zc?=ck09UBtx5b&*7X1XR)yD5JGwu9<8r1h817q5Y~ zd)nvYtdKn0MbCUg7SL^w=V^{qVc3pDm-Mng!bTk6StP{vob}_YNdymK*Tx-5JJfYv zq#nrKP9p_OJzyXc!A90ic|=*a&X)>7n|lQM+$a9&FtHq=&qI1r=$xgs#FVId>Gcqc zcBHDVtd!SZ>!*}HkF`(!4#k#uO&?|FY8c^ob!LR&EqM#{=C3fP6IOZHr6lH%!Rspk9 
zIb(N{`b9T*#fv%ufKx?fku_mc|q0VR@myf3m)nCEG+$Y_dV7!5`Mr6 zqHilyNj6XHs`l3WeO^f2KO%d&Illw!lp|I+;&+PqYrDQb2OBE1>n`g!KAhW}n}uIB zJSVa3ivSs0g41Nt hn_-^u3Cxe5s{}kfYh4w(31wVT=@TU&41Yx4Z+yIyfY{yq#0nq|I<2Nl^ygrqI67Op9!R?Y9AR|1iBD|G0Ah*d#$0-?kjiOk}PcH@p?jX${CJP zH5L0^mo?Y#!~2NKwowDA?FmgNqYf_x)ihXtjjK66;v^ioQu4sOr@qCO!_Bab$Hb3! zv`cZFSztzXh|v-tY%X;QvgxbMIM*&*0Enc%Dn8hjai80;jC>J8p2>^+Rh^3CFlh32 zmpRV4pVzv0Di;SQd5zxk`=COqHixT$lLvqLn+jpBsv>0lV5{SNVvASsj$c6mHKy?% z<76@z!(WuYOPH-zZ*CG%!*0#=ybfGoz!jQ7VK>AZ1D27}rr|_P6bGKz8EOJFNhLW0 z+UFOQH^wMr8>6M2T(8*MS7$9rYT9G3hXUx+0!WryFdxI5dWg}tu0`q?U0zBkif7A| zan2X4z-iW~u%9hV-mEk-M;Oakut`lO7chq?)wh!%C zdVvveA8i_aQoXgKB*`hyY)oY_YTA$UK^7D01oFbPuLMysm6XZXHTi#&nX|jG1D&zG z?f-(z(*HY|p}N6;Gv>N|_y#7-TFBHHM06<+DwSi*xk1z8Xy!bx7HlXGM>O~9bCLk` zSobVA!Sbyk+P6}-EODSUx5^x~&2rE9)X)G|0;R^@hra|kx(9E5c6GyKoY!T;d=1xm z4fIJ(@~d2kaNb71^u3&5no2eVf1`|yUwt!wrhONIH$tOfzI3C5ai{>~JR(B^B!F8k zla6Cd2qa!5A>Km%(gwbY2He6%ZVzaQ3hBd_FJK1fP zgf(wlWcvF5u}un#p^Zme#+WjD+Fwltt08X0a8cRbY`IMgsbu!FG2f)p(}})sdb$?G z2gqVmtKvr`1!9a!Zr2?)$JWOh+(Dx6hGPvyH=a1CJ1;>5fvPx9?X`N<%C-;iMaueP ze$hV^H#?nLuoR{xGDaETou+o;iTq`XE($;kfF|9ixCBld2xo?tTCDhjyv;x3QAGTf zx2(K)q|V0J#kv|im+*inan-!lI&-5`OFgU3V$2QSf~688g&rl95}3C}SDl+^1-T-s z&9l$1_+QAZ`=6BX4>FUF0LZ1Ej7Wgk1ySWsL<+d!=pNJY-l7G_FLY>BgUNMY)-vW5 z4efiqawNqvB1i>toKNm zTlLA=obUNmsr+31hep=2S2V?1^f$6pwb0YtyALQ6CV=XEdQAOvw#jnx$WfJR+oxNW zDR)r}FZ&>=$+)K`jz6ClOx6477W`So;Hvh~P~W%d z{IW9*0R~qT1)iF6yS>qlteYQBUdN1ACTVlXb#+>AcEqlL>+S6Vk7wu{OWIFzs2p%AkV##eNdiMdEH}D zpy;gmV0A$z^b5e~RQZn^>yTt+(AeEZyv`;5}h!=)s4{N*S=mWe|}(&uK` zgt`f1F!swfiaeehYEccsIOVYg+b^otmi2Bl|ANfms}TTdpX!shrT1pbIwxc49%i?? 
zUKTiYjr_F3clmyLURub;fIs#8w_kMxR=)wQxlOoXyo*8;P0z9V^czi)htnqr84@I+ zrNq1P&*kUDW$pWYa#{`{<0@e`d#-Tu_rR<#ns7$Lb}#pL$F*$UCL}*2NaL86rZ52` z8e5GWJfFr;eGfzB;dME{@4rxavT65%iB8PW zSL!#rxT;JRW&Jf4WkbF@#3z+|ry;C^6#47Uo=}155O>aW!w@+QtvWmpU zN)=PAjUwQLur#p|tOi+o@ctj*Rhzhl| zY!p!a$vQf+L$+_B;*e^tU(;9c`j&FHdBZa0ff&_NzoP=T`|WU zZqj*qzmO*Wgx}x{oZ-TsD~%cQg0rZtTQ6P3ax1!eSKRYk z1vf2c#%boohs*T&Y@ZC5Tx^x(cQQ0ZAV=%1-1xKvkatK}mb*p_`PL30aT(ImgENbT zUgiA*+OJa6eZ~Ied6FC=)e%}j<9-A;rMsE~}uz98v)C1~g1zUbnecv@Y&!ebjd4f{C?)k?}d|zsMbKN22-0 zw7RB@eiSuf=<+QCVCNe=1%b=FVNPZlUH#0`W73<`p-&+R1_vB4f|QZf8nY|w=E@-C zE5>3e0}34D1lS}P>tZ?Z96t+TAgtp)z_23wU&*ZHKa<(=CH#*Dd1&k7ZF&6M+P3oj z)tfZWD=;i*=r70#0QhKx+GRAC++v5}>MiSD`_nyI&v8z37g8Zy-+f~jw50+jtsOpw zqDACOW=PSFkI;3|M8NV~YIs(e9H}{;Vf=n2xDd6)LOVP3cK-Z;CZB!w0{$}BZZ{A` zuHRZ^?XCfB{QXA@Q~~2=1&<&p?=av)3?(I_R))q33HmcT3oM!Yl;E#@;4?GQNrgj; zRAp{FCNG@9{qtZ4fZ+3mqY@-4H(WWd+63mLVg3jho2AAfioi*60rKWa#D&Jz7+OB& z?GL;0Lf1;t=-^usuo^+)1Dk2Lxx&ycOoVF_4|+3E`Vg2?8J|WUBc1{i@E$uXbAU|8 zk;I!LJe27ncurbE>8B%qewF9WcqEeFS8cc|aXLC-mYXrCen7`RgH*!D^cq~ z3J3K-IQpWs{47x&aKOH_umhu=>Zy#H`Zu}YcawW4j9RR>^sW2RF`9vUy?cG;qa1cT zQVhc+-fq;kKUOxdsm(w`3cb`qpoE<~YruA!dhz{Yb8G6_^+8tSfJ16`y<^pDI6JI_ zQUA6P#`3+dj4CTTfP=b%g)6)|9jgE9Wg9$lj&|5b7#c2Ktnp{~$ZXBTUKC1!~@%XaH z`FPd8g8k+RY<&r$Zn%eV6Ta)0>`lG7_qpx8hBcbJfqvSJ`M`<7D2=*C$nO3-iJNR? zE;pT}a;UdV5_bsi$B7SD7W3t#n5cZ&-63^Q%|%vOAWQ||#>aIgXIK#TTk(6_a%^$c zO?~%=r)p|6*wxCn#4@PGvWr5K1PnF|bz*~tocQCJR* zBQmJIG_%NHse1^hQ#b;Nti2$x@QTcY$9aMrnq;qTZ##Jo`_fX2B^>v=U@3yLvu=cd zZRa;dczr{=s@D9Qe-GSPi-?iy8%*yb; z-t2#=(lQkm8k>JEBZ0tle@u=HZJ&0RD`oeo=5kOM?fqQv`I@s^Wk)lmEYZX7b7QNfQV0{h_4|#!?*C@KAv(MDO zn;`{)TQ4s&ye+sIQ>~LsXcO4CezjNQiSaqq`*RCil5qB8J({FBMX+e zkLa5i)$9G07<1SR^t_b}9&LEM1UFw=tV!TN{v-OJ@q$WvzsbXscHwzYbfOur7nGa+ za8xcmtfv_9eZk889I?gKb)X2WmO-NXF^&*nh|e%BnR+d{kM0zcj(bZ(-8kW643u%dgkv$9VQ# zz_R@_-`T4s05~ZVIF&*~wbHW37ljzBSwe!V(c8fARTMc^! 
zUF}inaUkGR@Yj-D7X#scx2E6qRSFPi)FbSI8b`-sI-=pr>R|q5f64eWZci7C78%Wz zSs(-*aUMy`P#Yb1#gX#*{{^2h#ln9x(?@_OF_}Jk^m_F`*cID8oU@|gWSQq1Zrt|9 z|HR4!HrE(p?=u6U7e5wBuq+N5>zg%TuVo`uwe%}Fs zJViR1mmhNH4y65g4eCXjFsIVk0e)0C_y8FmW^)SoRF}6kx*M*9s4H!8c`SI&JJ~&l zPkPrLP`V+Ug#AIbck@EGVmt2Q+rqfdwn}Up~*somC8|nWIDUM(WsOA^VNbG6lG})7iWi^{3kCl3iMn$6Tov}#nxPwD3GiHKiA~Ak z&m+Qqq-TyXz+?hOCc31ijq)}B-b>r?4Tp}x(_7F?Ngw`mTz$Bi(!rHWvaP&OuA|%4 zXLdTXXT~h8sR2EZe&eqGzu>cuPWT`32mOvWw@Ea5X%43&S}W+fW z4V}wKzIrsLjFd7jTMpCHE2s+g^b{X@^^>P4HUv7b?AbfUSlR5&5XR{*NsEl= zFP}BCFlAh8NDUGw+*E#UuBQ^ugS(BW+~jC7`<#Siei7?cSt--071piV?sP!5x|1oh zmz&qrpFo<0F#3GzTVyUtz-X(3&IFXiA&C2T-WX?yHePS%tB7dcmaKN8MdI#!VTXf* z^Y}%gfhC5a;cY_n@huQ8FZFTTguOcHH7@xov3ZhRSt%d-o}BE76gK2y8}U4S@Yjjz zqM<`d^DBlIeK59J&gl!F>4|s4u@1O4Ky8U;adQjoc;p zav7dz#?~<=>A$*qqqBVdXFk(OeEQ$st4`&n2|c1S)m9q{IP=4cyWqSf-0La6DR z;N-`smBQ=711W;Q-g~KUd_nq932K82Neit;XHsSw4*W=4)#J~ZJLcDS%oZcT*QJ&B z&sVICL5!Miu8V1JqnU7BK(B@Kcz4g@IxNBvr3syn`lqazw`(ir&cA1K1H^8*pa91a9K|oa z0$D#)%gl@5djNw@p!=+G4f8^sKR9=cZgwr@UW4U%$O5D0;dZd(lN%)^%MnArE=^s? 
zx(_1|x31D+E_~>9E=~vDe-y7l1`Cs(qYlQJ7GC6vCP#hxk3_|7MGZH+S8hsI2Ox%-)bLR( z`74h%mTzf1k}6Zd!d=LwT${1m1~~Mivy5vc*?zh#;L1xbrv*1PaZz4!jglO*n>o;B zw6%-k0tLw9$!(XvBxEXT?7SaXr9#anz4sxMAE%k$bAZHWYmf4_UqBGpBd0<_%n0~z zd8%5dRttr@59c0#B-BN}C>GJ;WAbOWHAqy+joj5ex#MKdan|&$xc8X!I_?EG%_=CHR zA3nh)bwT7w`T;8H;-L~OFR?mDdMCcWHI{T|e8KRBMdf;GmS0bYzY0eP>t$K)l0`YcyZ!Z{6|sD+%+10i#Opsp{bbQAZ*5?V^;qMS5k7ewgq5g~ zH8Y-#o&s88zIZDl$VCv;UmV}(nn6z07kINEL)FrU0ef-^V-DvONJihp3WMc->0JTT z<#!vhaS!tQ^7M%%MN@WbGt%p-h5co{OSE6 zp`8G0#8_L^iF%}06msg&MY~PQkk^(ZwRD)e=}SN?PY_<1aK}_4y@Hz`6C5uz*d^DT zw~(vmyc$D#iUzCX5H~Z(GxtYl3rMk7w4y%MGV{NgQ<*g-9i1B#F3Pg zcuLRQVP;<5_?A2RwUlY8E>xGm-WMH`mA@VfH4l{a&hCKFS@i(x7F5#5E;EJ?%Xk~& z_Nj5(0#PWp&TVD(2Ec$j++U^M2}USWU^y>_o65H&9|5mt z1+by!s6sSap)Ma_3$b(9JRWM!?_%sw*0!iWZUqczBnw37r3|aLZTlS0;B*C3?qUzP zP_TEc#5Y-|W@)!Xf#Fy%-Z`Y>;%uvBgFyaF_(pvO!&IB4$xgiCXuVH<&;!x-!wUo& zSyn6&SSr5-k&B5+yiw!0df2ZHwQA2w<1@5gh%=E2eD%~kf#CknuKtX%DsFGhE#a9Wia!DNMtHhATZ}WbaMt?v^0-JffE_LzfS4?O{Xg zu!ENwhU2$t0Gb6*&Bd6biI$@Hp=_`&Zs*$gqiNnpRD;4WZLeZ$ zmG@}0Ju$|5Kt)_azL>dJ4IRU26Zvzio>eH?*Nw3*hF+{R*PrL__(?=uA8xTt^d;qn zgTdl69b*QnR&2x9o@#l6aTYK*LwO+pcxmZhHSsKo_xU0_c`zpCe@&4esVX@#f5Z#l zNTyhbA!%YtjWB784<|YotyTaB1;08i5gyTw0nhsB1&rK7)@}x|=&&?7!b7w*oZ#G{ z*IbH=)D+w)nF)9!04~jN0jr&E2MxMl4r(9=g9Pbw<*2Ob`&8j-aa*2SLX_6Yn5$*W zjt|PBA&v2NgstF|>-96Te(VVm`&JlQ=?2FdoH>idOP}moby!V_hLf2;ur>Pdhir`y zaeMmS$r_V1mYWNIGIc}UWrsStLD!&b%)J^ETX_)AbC|ALEUYdq+buiiCBi+Xb0i$> zgSTw3XVjL0P@P?j2)i4OXBr#C!+`G5Qx9`zX z4^tpL)Qw;76k`KCRX1wj99rxKkVN)QvZv(K+4^wMtP934cr**XQw<46^C_Xy<>s6B zc_Yzx4;x6lcc4Cv*Et^bG7njzJK=u#7pw<6hX4?kK_m0{GkD`Q2HyG@bQ<~i<$~AZ zLBV$

4Fx@sZblQ-5e{B? zGE*zg2u+D8H|bF}^%aXPQ;BoyI6jj#xr8%2u3v#vaWuQhAR;^d(ujctV_Ic2Qe(Z^ zX6cQcDz*}o+e6B)UAZ!pC;3M`a-V1yfu}k;Rsh=0-d)8RuzUBGm))LibDO8&@O7$m8ORwcK|5Y)_jKNU+=&#L^-7iv^?= zmxe%2l8lj8X+qS@v>;ko!FGghzckOM7yIIpUn=~g??@Bt73&R!Hh4M_4ItpQe?JOw zq~YS~hVPW#?&&ue`zdEiZF&DV4^qCTXY6d5B9P23n9T3&Dey`fBCG3Y`H6jAv;0x> z&y?QJ#J@&aoAz17b?_0wqzSq@KMbwUrW8AE zMtw*EvokiU4@^8;6|pf#R|d5at|yQG6YKrGmG-}5y?6-tZ$jt0MC|AE@Is1VRX;5` zG+egP*Vl3QxApPE(scJrYxgeC-kJu8S*pA)U5;$O6kdmQdn!WhX>cL0s{zOn$7;Q* zBX|WfTJ;_&tBa}0gp8mM3&kPOXz%Dg5ObQuSB^r_VkhS6T=n)v-?R7T_Guz&=j&Z5 zL>f=A`q@AFgQl)Sz0*mhDd*}v<=O!2$1*+9RtdPDZ{eT8R-cl8#W)7advOEax&3gGX$mz5M2QDms`RIb=*|u#yowVJ-flrCgzvGW+Nf zSw^$pmKRA(QpA$a!0Y)XLaCSMnzPa%R1E#Yf}Oz$?5dG86q2Hn8rTccnn9~b#>c%pA3c;Jt04F>)GG!X?z2XErAD24j6#s~HU+;5@zYX= z#kGz+1To0V<3Xh{eg$NSCrp#zQ|gS`&juN90RTP&s2#8<+ukj8D~F@e9P%qC@+~9A zx-1W)Ud^|9*uy?s>LZe$DQxF@rn`q75&}}?CMipvq1I^gnrd#NjWmNgbI%eLm9a!c zGf0OOD#ND0e4zv&LK(3{jX_fv)VH`QA_{c0)aRr%;J9AAXo|&UbB`^oFb~@+CF2H+ zk!T_7=Y)+dF7;0r+Fn!nBx`hp(pJX6j%H#^eRTYDpYiwjr|}||HA$A>PrtS@|HXOR zbKZ_*N}5n>=`JcWA!#IuD6H(W?iHAx`oSXPWU=cdH$!X{<&#Tm}4{sxus0(K!{#`C)2L{ z%Sh ztsF7c??s5Erf@DV!b_QKWY?<1aiW=7pmu-RTGIjVOm0v5yN}mwXQhgPsU17y_H-pO z(Q*FO*H<9hAKcAs?8P{4#fLxfz=6d!dQotu-NONk)hWOP(?y~wLdaJZ<<{YZBJ5Mp zBK}>JHitH|uk8CBW%H=Xtz*xCJiGxIYL`g-oa;@F(E*bo{$!uSD`MUsY3~LXH~Nmc zJ0h_HBsm!(=ZfTvziHi5Is}t-w zJ)_~rNe_Rz1H+{E>KKsBRz<4g;lvYIzM6CGF(u94J+zM`(Re^m+`t+Ev5FL^jf_I{jaR~@QI+qP$ zEf;S^8)Sogj>lVQD0M$d6dl3lk8J4x1AfnEiK}>HUm9g{@E?SP6_@3aORd)>i;-h_ zaN>%pD2(!)D)NE>gfNg+Q)q+F^3M^-Z6J|$Cdh66s=z9x_ds0JPh3l>Am-b(-;Y2s zckUIhp>JFgkUTpK$R?k+#A6Zj%LVIqkHZ;s6zu#1L(%Vd1|E9Ox*)&H)E^Xi;%+z= zm%0wEvDBE9pap+{G^#6y)x>v&%f#ZuK6P=*l3IcqNa>`~RagU};qmLyYeRz~TIJ7K zJ{r2U&VE#{TQ{tj=z7&VIGH6T&!`WHbjHQb_qa!Q_0HVaZY{qSjz=ReeNMhl+`eZW zb^yYHsF-cM{k8sewB#oZFaF&VjdJXKGO_bWP%cwOA}+ZT-M#dC4V%Fp54|;cuQstR zD@}iSz2{@wDHC^!kyL_ZYo@d!W6Bo~T4|Wy@0#DD@<63U$@^1Bk{KbENS%4rA znrC*LYR-jIwiL!N?%n_!vACe!jH7rjVEVjw-5UClQq0`CPJV*WBEl>bOek5qeVo0C zDC^i~%)KJ`-}44o|MPcB!KVZ$ 
z{l4n8fGY$4(QCy)nLQ$GF)hXRr7E=HRLbt>WZ_HGiAhZz=I&(Mf(d^!;)cjkJAIH? zz%OXDiJfUQNED=xF6ZHD-4Ej`*UN^z|2>t+2biBSNkw|5PH~U5CRy1~-2U0JbbyM% zaNVQaS@Y|+DbaGe0cq9^R?zKvy!=nu^MzgP+aE$Z;L?YM28EoM0%bRq-T4oa;s78J zQ8kbPHeG~n4ERtORO>(G=RFFen}!~NCuX>bxVXE&lpUV(Kd%jUxj+SH?TJ5n9R%nM z;Jn|+{&YWi6~%H8eTbd?p7t6Lx~yBa3DaFhnu)&Dg+y&g#G6ZsEwjiha?=e8yuRka z`f0uyNj53@YwM@#h_MhIAfl9_lDAi!qY|pd zqh^NG7PIg#&FDQ8wHLv~!lyus?ZQmHPpuMV(neI`6~z2@q?%4&pPTj#uJ z#R@4rnKKUO41I3Twe&3PF7~Z4T91{#4-(Y0m?lksIZGR(hv1M$i^rq^9&kiPF%o_y zD!-c;=b~Z4KCB>mLGPG!tgwYFSn%H)S;`NlVzvuN+dj2Pt)$6HmM7P8CF=NMwrz(O zIUqeLd@4(@fK`h{ezSUlQ8oh!2Y9Do$rHYPzLfFnK$shRSBh}zY_w0K&GqVjE0bfP zad>iHT3T@-#;-#2g-8>R7(i;9!_&(S7fg3dAv(Rd&tTmV2_GR(*1Zl--P<-zX*Dc@ z=~bzHAu1;(xgoBJ`+D+15wEACH>#w3g=;HCJoUcmlan{Zfp4(!4#ABYZpEv~wUAuE z%ko0hh+U=w_oiEhf><4Pl2cUSE&o6*o14GeF@xIqmcCoco9VFECg#{M!O*}0EsS0G zPx(0ew}6z?I63oW!hsx+p>HfV33#b4MfHn62Fj+sTt%JniH$x^<9uA13XwN(tz1}Y zixdC*wXzBQ*R_(*pbBk6y?~>;D}_SkTx+F&wReCyR6}zprBse+07skKH0BqSfMs#Y z#f6Nx!#uI*mP~afZ^^qR22dMi?C&gpd$lZ)YB;%Ra6lzT%HLcDJzhO)VXpv`c#1Xf zY4h#^6IvjE`YEu0Zg8|zb4cd?wT_2v1l$X4hyIDn} zp=bk}KIZ)YUyfDGHlhEm9RGc-{O58krw9Mz8TjBZW}Im6*;H6RW?rIfcb#=3zVu~4 zW*uqx2h^Y7PZ~yI6|J{j5ilZVt? zG7f=#YFG3Gmr+&-d2*4hP|xUDW1E}^_#)M?AggB@8taFE$UW?odb)|c^S?S^$$(xpWTAB zWJI=My`+Y){rv@z<;e0VsO0QX<0^>n4_5-J7q>=*wgmT0xZBEM;(1qCgHU2nbfG#g zgypvz{`z-{ws^B3YlmELtd_cEyykMAy?KGpyb9NDidg?wkq`MwY3?+1$<0dWyf7UV zzuI+=K)f`0J}EA4ECf!~dP**P94*2>SVoDUrvYidTmgNaRRTLE@4gc3du@_8h_xvO ZqogWD_T Date: Fri, 28 Oct 2016 04:59:21 -0400 Subject: [PATCH 07/30] move start-xen so that it is in the path --- initrd/{ => bin}/start-xen | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename initrd/{ => bin}/start-xen (100%) diff --git a/initrd/start-xen b/initrd/bin/start-xen similarity index 100% rename from initrd/start-xen rename to initrd/bin/start-xen From e9e6d661d3297f4ad2788b7470855e4998a20f10 Mon Sep 17 00:00:00 2001 
From: Trammell Hudson Date: Fri, 28 Oct 2016 04:59:51 -0400 Subject: [PATCH 08/30] wrappers to seal/unseal drive encryption keys from the TPM --- initrd/bin/seal-key | 74 +++++++++++++++++++++++++++++++++++++++++++ initrd/bin/unseal-key | 27 ++++++++++++++++ 2 files changed, 101 insertions(+) create mode 100755 initrd/bin/seal-key create mode 100755 initrd/bin/unseal-key diff --git a/initrd/bin/seal-key b/initrd/bin/seal-key new file mode 100755 index 00000000..29f182fb --- /dev/null +++ b/initrd/bin/seal-key 
@@ -0,0 +1,74 @@
+#!/bin/sh
+# This will generate a disk encryption key and seal / ecncrypt
+# with the current PCRs and then store it in the TPM NVRAM.
+# It will then need to be bundled into initrd that is booted with Qubes.
+
+TPM_INDEX=3
+TPM_SIZE=312
+KEY_FILE=/tmp/secret.key
+
+die() { echo >&2 "$@"; exit 1; }
+warn() { echo >&2 "$@"; }
+
+read -s -p "New key password: " key_password
+echo
+read -s -p "Repeat password: " key_password2
+echo
+
+if [ "$key_password" -ne "$key_password2" ]; then
+ die "Key passwords do not match"
+fi
+
+dd \
+ if=/dev/urandom \
+ of="$KEY_FILE" \
+ bs=1 \
+ count=128 \
+ 2>/dev/null \
+|| die "Unable to generate 128 random bytes"
+
+
+# Use the current values of the PCRs, which will be read
+# from the TPM as part of the sealing ("X").
+# should this read the storage root key?
+sealfile2 \
+ -if "$KEY_FILE" \
+ -of /tmp/sealed \
+ -pwdd "$key_password" \
+ -hk 40000000 \
+ -ix 0 X \
+ -ix 1 X \
+ -ix 2 X \
+ -ix 3 X \
+ -ix 4 X \
+|| die "Unable to seal secret"
+
+rm "$KEY_FILE"
+
+
+# to create an nvram space we need the TPM owner password
+# and the TPM physical presence must be asserted.
+#
+# The permissions are 0 since there is nothing special
+# about the sealed file
+physicalpresence -s \
+|| warn "Warning: Unable to assert physical presence"
+
+read -s -p "TPM Owner password: " tpm_password
+echo
+
+nv_definespace \
+ -in $TPM_INDEX \
+ -sz $TPM_SIZE \
+ -pwdo "$tpm_password" \
+ -per 0 \
+|| die "Warning: Unable to define NVRAM space; trying anyway"
+
+
+nv_writevalue \
+ -in $TPM_INDEX \
+ -if /tmp/sealed \
+|| die "Unable to write sealed secret to NVRAM"
+
+rm /tmp/sealed
+
diff --git a/initrd/bin/unseal-key b/initrd/bin/unseal-key
new file mode 100755
index 00000000..774d70de
--- /dev/null
+++ b/initrd/bin/unseal-key
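Review bot: `if [ "$key_password" -ne "$key_password2" ]; then` uses the integer comparison operator, so for any non-numeric passphrase `[` reports an invalid number and returns non-zero, the `die` branch is skipped, and two different passphrases are silently accepted and used for sealing; it must be `if [ "$key_password" != "$key_password2" ]; then`. The `nv_definespace` failure branch prints `Warning: Unable to define NVRAM space; trying anyway` but calls `die`, which exits, so either switch it to `warn` (presumably the intent, since the space may already exist from an earlier run) or drop the "trying anyway" wording. Both passphrases are handed to the TPM tools as argv (`-pwdd "$key_password"`, `-pwdo "$tpm_password"`), which makes them visible in the process list while the tool runs; that is tolerable in a single-user initrd but deserves a comment such as `# NOTE: passphrases are passed on the command line; acceptable only inside the initrd`. The plaintext key is removed with `rm "$KEY_FILE"` right after sealing, so nothing in this script enrolls it in a LUKS keyslot; if that step is expected elsewhere, the header comment should say where.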
@@ -0,0 +1,27 @@
+#!/bin/sh
+# This will unseal and unecncrypt the drive encryption key from the TPM
+# It will then need to be bundled into initrd that is booted with Qubes.
+
+TPM_INDEX=3
+TPM_SIZE=312
+
+die() { echo >&2 "$@"; exit 1; }
+warn() { echo >&2 "$@"; }
+
+read -s -p "Encryption password: " tpm_password
+echo
+
+nv_readvalue \
+ -in "$TPM_INDEX" \
+ -sz "$TPM_SIZE" \
+ -of /tmp/sealed \
+|| die "Unable to read key from TPM NVRAM"
+
+unsealfile \
+ -if /tmp/sealed \
+ -of /tmp/secret.key \
+ -pwdd "$tpm_password" \
+ -hk 40000000 \
+|| die "Unable to unseal disk encryption key"
+
+rm /tmp/sealed
From 9fb998bef056c8f8de99d91c1ebfb1a653f0bfef Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Thu, 3 Nov 2016 16:45:50 -0400 Subject: [PATCH 09/30] check PGP signatures on xen, kernel and initrd (partial fix for #43) --- initrd/start-xen | 29 +++++++++++++++++++++++++---- 1 file changed, 25 insertions(+), 4 deletions(-)
diff --git a/initrd/start-xen b/initrd/start-xen
index db49603a..f5aa7038 100755
--- a/initrd/start-xen
+++ b/initrd/start-xen
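Review bot: `TPM_INDEX=3` and `TPM_SIZE=312` are copied verbatim from seal-key, and the two scripts only work together while these values agree, so a change to one silently breaks unsealing; either source them from one shared file or put a comment in each script naming the other as the place that must be kept in sync. The value read into `tpm_password` is the sealing passphrase passed to `unsealfile -pwdd`, not a TPM owner password as the name suggests, so rename it to match seal-key (`key_password`). `warn` is defined but unused in this file. On success the plaintext key is left at `/tmp/secret.key` for some later consumer; a header comment stating who is expected to read and remove it would document that hand-off.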
@@ -1,9 +1,30 @@
 #!/bin/sh
 mount -o ro -t ext4 /dev/sda1 /boot
-exec kexec \
+die() { echo >&2 "$*"; exit 1; }
+
+XEN=/boot/xen-4.6.3.gz
+INITRD=/boot/initramfs-4.4.14-11.pvops.qubes.x86_64.img
+KERNEL=/boot/vmlinuz-4.4.14-11.pvops.qubes.x86_64
+
+echo "+++ Checking $XEN"
+gpgv "${XEN}.asc" "${XEN}" || die "Xen signature failed"
+echo "+++ Checking $INITRD"
+
+gpgv "${INITRD}.asc" "${INITRD}" || die "Initrd signature failed"
+
+echo "+++ Checking $KERNEL"
+gpgv "${KERNEL}.asc" "${KERNEL}" || die "Kernel signature failed"
+
+# should also check xen command line arguments!
+# should also check kernel command line arguments!
+
+kexec \
 -l \
- --module "/boot/vmlinuz-4.1.13-9.pvops.qubes.x86_64 placeholder root=/dev/mapper/qubes_dom0-root ro i915.preliminary_hw_support=1 rd.lvm.lv=qubes_dom0/root rd.luks.uuid=luks-0f662ac6-2939-48fe-bc95-f5a7e3d6fefb vconsole.font=latarcyrheb-sun16 rd.lvm.lv=qubes_dom0/swap rhgb" \
- --module "/boot/initramfs-4.1.13-9.pvops.qubes.x86_64.img" \
+ --module "${KERNEL} root=LABEL=root rhgb" \
+ --module "${INITRD}" \
 --command-line "no-real-mode reboot=no console=vga dom0_mem=min:1024M dom0_mem=max:4096M" \
- /boot/xen-4.6.3.gz
+ "${XEN}"
+
+
+echo "Ready to start Xen: run 'kexec -e' to execute it"
From da2a6580ce918232355e3258d66e2f03f8608971 Mon Sep 17 00:00:00 2001
From: Trammell Hudson
Date: Wed, 23 Nov 2016 10:45:39 -0500
Subject: [PATCH 10/30] allow key file to be specified on command line
---
 initrd/bin/unseal-key | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/initrd/bin/unseal-key b/initrd/bin/unseal-key
index 774d70de..387cd135 100755
--- a/initrd/bin/unseal-key
+++ b/initrd/bin/unseal-key
@@ -8,6 +8,11 @@ TPM_SIZE=312
 die() { echo >&2 "$@"; exit 1; }
 warn() { echo >&2 "$@"; }
+key_file="$1"
+if [ -z "$key_file" ]; then
+ key_file=/tmp/secret.key
+fi
+
 read -s -p "Encryption password: " tpm_password
 echo
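Review bot: The `kexec -l` invocation has no failure check, so if loading fails the script still prints `Ready to start Xen: run 'kexec -e' to execute it` and the operator may execute a stale or missing image; appending `|| die "kexec load failed"` after the `"${XEN}"` line closes that gap. The three `gpgv` calls rely on gpgv's default keyring rather than naming one, so which key is trusted depends on the runtime environment inside the initrd; an explicit `--keyring <path-to-bundled-trusted-keys>` (placeholder) makes the trust root visible in the script and fails loudly if the bundled keyring is missing. `mount -o ro -t ext4 /dev/sda1 /boot` is likewise unchecked, though a failed mount is caught indirectly when gpgv cannot open the files.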
@@ -19,9 +24,11 @@ nv_readvalue \
 unsealfile \
 -if /tmp/sealed \
- -of /tmp/secret.key \
+ -of "$key_file" \
 -pwdd "$tpm_password" \
 -hk 40000000 \
 || die "Unable to unseal disk encryption key"
 rm /tmp/sealed
+
+
From 1414023e6ecf6f440a7fea1d2a3b92182d3f88f4 Mon Sep 17 00:00:00 2001
From: Trammell Hudson
Date: Wed, 23 Nov 2016 10:46:04 -0500
Subject: [PATCH 11/30] include cryptsetup in build, will break 4M ROM images
---
 Makefile | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/Makefile b/Makefile
index d177e368..6fb92e47 100644
--- a/Makefile
+++ b/Makefile
@@ -151,6 +151,9 @@ $(build)/$(coreboot_dir)/util/cbmem/cbmem: $(build)/$(coreboot_dir)/.canary
 # Mounting dm-verity file systems requires dm-verity to be installed
 # We use gpgv to verify the signature on the root hash.
 # Both of these should be brought in as modules instead of from /sbin
+#initrd_bins += initrd/bin/cryptsetup
+initrd/bin/cryptsetup: /sbin/cryptsetup
+ cp "$<" "$@"
 initrd_bins += initrd/bin/dmsetup
 initrd/bin/dmsetup: /sbin/dmsetup
 cp "$<" "$@"
From 3f444efe8c94ccbf1a5c4b57f7549cff5c71ad22 Mon Sep 17 00:00:00 2001
From: Trammell Hudson
Date: Wed, 23 Nov 2016 10:46:32 -0500
Subject: [PATCH 12/30] formatting
---
 initrd/bin/start-xen | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/initrd/bin/start-xen b/initrd/bin/start-xen
index 7c4623eb..b780bec6 100755
--- a/initrd/bin/start-xen
+++ b/initrd/bin/start-xen
@@ -9,14 +9,13 @@ KERNEL=/boot/vmlinuz-4.4.14-11.pvops.qubes.x86_64
 echo "+++ Checking $XEN"
 gpgv "${XEN}.asc" "${XEN}" || die "Xen signature failed"
-echo "+++ Checking $INITRD"
+echo "+++ Checking $INITRD"
 gpgv "${INITRD}.asc" "${INITRD}" || die "Initrd signature failed"
 echo "+++ Checking $KERNEL"
 gpgv "${KERNEL}.asc" "${KERNEL}" || die "Kernel signature failed"
-
 # should also check xen command line arguments!
 # should also check kernel command line arguments!
From 638329709e0ad7585dc4f8e5506b85f3d73f6b12 Mon Sep 17 00:00:00 2001
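Review bot: The new `initrd/bin/cryptsetup: /sbin/cryptsetup` rule copies whichever cryptsetup binary the build host happens to have into the initrd, while the `#initrd_bins += initrd/bin/cryptsetup` line that would trigger it is commented out, so as committed the rule is dead and cryptsetup is not actually included. Once it is enabled, a host binary that is pinned to no version or hash becomes part of the firmware image, which is the same reproducibility gap the preceding comment already flags for dmsetup; building cryptsetup from a hashed tarball as a module under `modules/` would close it. The commit title's caveat that this breaks 4M ROM images is worth carrying into the Makefile as a comment next to the rule, since nothing at the rule itself explains why it is disabled.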
From: Trammell Hudson
Date: Wed, 23 Nov 2016 10:47:04 -0500
Subject: [PATCH 13/30] include find and compression tools
---
 config/busybox.config | 90 +++++++++++++++++++++----------------------
 1 file changed, 45 insertions(+), 45 deletions(-)
diff --git a/config/busybox.config b/config/busybox.config
index fe3e0a9d..4370d44b 100644
--- a/config/busybox.config
+++ b/config/busybox.config
@@ -1,7 +1,7 @@
 #
 # Automatically generated make config: don't edit
 # Busybox version: 1.25.0
-# Sat Aug 6 15:56:20 2016
+# Tue Oct 25 14:38:11 2016
 #
 CONFIG_HAVE_DOT_CONFIG=y
@@ -132,10 +132,10 @@ CONFIG_FEATURE_HWIB=y
 #
 # Archival Utilities
 #
-# CONFIG_FEATURE_SEAMLESS_XZ is not set
+CONFIG_FEATURE_SEAMLESS_XZ=y
 # CONFIG_FEATURE_SEAMLESS_LZMA is not set
-# CONFIG_FEATURE_SEAMLESS_BZ2 is not set
-# CONFIG_FEATURE_SEAMLESS_GZ is not set
+CONFIG_FEATURE_SEAMLESS_BZ2=y
+CONFIG_FEATURE_SEAMLESS_GZ=y
 # CONFIG_FEATURE_SEAMLESS_Z is not set
 # CONFIG_AR is not set
 # CONFIG_FEATURE_AR_LONG_FILENAMES is not set
@@ -149,34 +149,34 @@ CONFIG_FEATURE_GUNZIP_LONG_OPTIONS=y
 # CONFIG_LZMA is not set
 # CONFIG_UNXZ is not set
 # CONFIG_XZ is not set
-# CONFIG_BZIP2 is not set
-# CONFIG_CPIO is not set
-# CONFIG_FEATURE_CPIO_O is not set
-# CONFIG_FEATURE_CPIO_P is not set
+CONFIG_BZIP2=y
+CONFIG_CPIO=y
+CONFIG_FEATURE_CPIO_O=y
+CONFIG_FEATURE_CPIO_P=y
 # CONFIG_DPKG is not set
 # CONFIG_DPKG_DEB is not set
 # CONFIG_FEATURE_DPKG_DEB_EXTRACT_ONLY is not set
-# CONFIG_GZIP is not set
-# CONFIG_FEATURE_GZIP_LONG_OPTIONS is not set
+CONFIG_GZIP=y
+CONFIG_FEATURE_GZIP_LONG_OPTIONS=y
 CONFIG_GZIP_FAST=0
 # CONFIG_FEATURE_GZIP_LEVELS is not set
 # CONFIG_LZOP is not set
 # CONFIG_LZOP_COMPR_HIGH is not set
 # CONFIG_RPM is not set
 # CONFIG_RPM2CPIO is not set
-# CONFIG_TAR is not set
-# CONFIG_FEATURE_TAR_CREATE is not set
-# CONFIG_FEATURE_TAR_AUTODETECT is not set
-# CONFIG_FEATURE_TAR_FROM is not set
-# CONFIG_FEATURE_TAR_OLDGNU_COMPATIBILITY is not set
-# CONFIG_FEATURE_TAR_OLDSUN_COMPATIBILITY is not set
-# CONFIG_FEATURE_TAR_GNU_EXTENSIONS is not set
-# CONFIG_FEATURE_TAR_LONG_OPTIONS is not set
-# CONFIG_FEATURE_TAR_TO_COMMAND is not set
-# CONFIG_FEATURE_TAR_UNAME_GNAME is not set
-# CONFIG_FEATURE_TAR_NOPRESERVE_TIME is not set
+CONFIG_TAR=y
+CONFIG_FEATURE_TAR_CREATE=y
+CONFIG_FEATURE_TAR_AUTODETECT=y
+CONFIG_FEATURE_TAR_FROM=y
+CONFIG_FEATURE_TAR_OLDGNU_COMPATIBILITY=y
+CONFIG_FEATURE_TAR_OLDSUN_COMPATIBILITY=y
+CONFIG_FEATURE_TAR_GNU_EXTENSIONS=y
+CONFIG_FEATURE_TAR_LONG_OPTIONS=y
+CONFIG_FEATURE_TAR_TO_COMMAND=y
+CONFIG_FEATURE_TAR_UNAME_GNAME=y
+CONFIG_FEATURE_TAR_NOPRESERVE_TIME=y
 # CONFIG_FEATURE_TAR_SELINUX is not set
-# CONFIG_UNZIP is not set
+CONFIG_UNZIP=y
 #
 # Coreutils
@@ -411,30 +411,30 @@ CONFIG_FEATURE_ALLOW_EXEC=y
 #
 # Finding Utilities
 #
-# CONFIG_FIND is not set
-# CONFIG_FEATURE_FIND_PRINT0 is not set
-# CONFIG_FEATURE_FIND_MTIME is not set
-# CONFIG_FEATURE_FIND_MMIN is not set
-# CONFIG_FEATURE_FIND_PERM is not set
-# CONFIG_FEATURE_FIND_TYPE is not set
-# CONFIG_FEATURE_FIND_XDEV is not set
-# CONFIG_FEATURE_FIND_MAXDEPTH is not set
-# CONFIG_FEATURE_FIND_NEWER is not set
-# CONFIG_FEATURE_FIND_INUM is not set
-# CONFIG_FEATURE_FIND_EXEC is not set
-# CONFIG_FEATURE_FIND_EXEC_PLUS is not set
-# CONFIG_FEATURE_FIND_USER is not set
-# CONFIG_FEATURE_FIND_GROUP is not set
-# CONFIG_FEATURE_FIND_NOT is not set
-# CONFIG_FEATURE_FIND_DEPTH is not set
-# CONFIG_FEATURE_FIND_PAREN is not set
-# CONFIG_FEATURE_FIND_SIZE is not set
-# CONFIG_FEATURE_FIND_PRUNE is not set
-# CONFIG_FEATURE_FIND_DELETE is not set
-# CONFIG_FEATURE_FIND_PATH is not set
-# CONFIG_FEATURE_FIND_REGEX is not set
+CONFIG_FIND=y
+CONFIG_FEATURE_FIND_PRINT0=y
+CONFIG_FEATURE_FIND_MTIME=y
+CONFIG_FEATURE_FIND_MMIN=y
+CONFIG_FEATURE_FIND_PERM=y
+CONFIG_FEATURE_FIND_TYPE=y
+CONFIG_FEATURE_FIND_XDEV=y
+CONFIG_FEATURE_FIND_MAXDEPTH=y
+CONFIG_FEATURE_FIND_NEWER=y
+CONFIG_FEATURE_FIND_INUM=y
+CONFIG_FEATURE_FIND_EXEC=y
+CONFIG_FEATURE_FIND_EXEC_PLUS=y
+CONFIG_FEATURE_FIND_USER=y
+CONFIG_FEATURE_FIND_GROUP=y
+CONFIG_FEATURE_FIND_NOT=y
+CONFIG_FEATURE_FIND_DEPTH=y
+CONFIG_FEATURE_FIND_PAREN=y
+CONFIG_FEATURE_FIND_SIZE=y
+CONFIG_FEATURE_FIND_PRUNE=y
+CONFIG_FEATURE_FIND_DELETE=y
+CONFIG_FEATURE_FIND_PATH=y
+CONFIG_FEATURE_FIND_REGEX=y
 # CONFIG_FEATURE_FIND_CONTEXT is not set
-# CONFIG_FEATURE_FIND_LINKS is not set
+CONFIG_FEATURE_FIND_LINKS=y
 CONFIG_GREP=y
 CONFIG_FEATURE_GREP_EGREP_ALIAS=y
 CONFIG_FEATURE_GREP_FGREP_ALIAS=y
From cc1c198810ac7c137e9e425c09bbb2ea9b996e9c Mon Sep 17 00:00:00 2001
From: Trammell Hudson
Date: Wed, 23 Nov 2016 12:10:40 -0500
Subject: [PATCH 14/30] ignore modified .config files
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index 442d2cff..0b969ab9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,4 @@ initrd/bin
 initrd/sbin
 initrd/lib
 typescript*
+config/*.old
From 4fbd6ca58bff576c5ba149de472a18615e82a665 Mon Sep 17 00:00:00 2001
From: Trammell Hudson
Date: Wed, 23 Nov 2016 12:11:08 -0500
Subject: [PATCH 15/30] Make coreboot building modular to support multiple boards.
This touches most of the module configurations since the coreboot build process had to add a few new features. The Linux kernel could make use of it as well if we need separate x230/chell/qemu kernels, for instance.
---
 Makefile | 27 ++++++++++++-------
 config/coreboot-qemu.config | 25 ++++++++++++-----
 .../{coreboot.config => coreboot-x230.config} | 7 +++--
 modules/busybox | 1 +
 modules/coreboot | 22 +++++++++++----
 modules/cryptsetup | 1 +
 modules/kexec | 1 +
 modules/linux | 2 ++
 modules/mbedtls | 1 +
 modules/qrencode | 1 +
 modules/tpmtotp | 1 +
 modules/xen | 2 ++
 12 files changed, 68 insertions(+), 23 deletions(-)
 rename config/{coreboot.config => coreboot-x230.config} (99%)
diff --git a/Makefile b/Makefile
index 6fb92e47..57cea1b9 100644
--- a/Makefile
+++ b/Makefile
@@ -4,10 +4,15 @@ packages := $(pwd)/packages
 build := $(pwd)/build
 config := $(pwd)/build
-all: x230.rom
-
+# Currently supported targets are x230, chell and qemu
+TARGET ?= x230
+
+all: $(TARGET).rom
+# Bring in all of the module definitions;
+# these are the external pieces that will be downloaded and built
+# as part of creating the Heads firmware image.
 include modules/*
 all: $(modules)
@@ -63,7 +68,7 @@ define define_module =
 endif
 # Copy our stored config file into the unpacked directory
- $(build)/$($1_dir)/.config: config/$1.config $(build)/$($1_dir)/.canary
+ $(build)/$($1_dir)/.config: config/$($1_config) $(build)/$($1_dir)/.canary
 cp "$$<" "$$@"
 # Use the module's configure variable to build itself
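Review bot: The comment `# Currently supported targets are x230, chell and qemu` names chell, but the only `.rom` rules in this patch are `x230.rom` and `qemu.rom` (in a later hunk of the same Makefile), so `make TARGET=chell` fails with a missing-rule error for `chell.rom`; either drop chell from the comment until its rule and config exist, or mark it as planned. `TARGET ?= x230` also accepts any value silently, so a misspelled board name only surfaces as that same missing-rule error; a guard such as `ifeq ($(filter $(TARGET),x230 qemu),)` followed by `$(error unsupported TARGET $(TARGET))` gives a clearer message and documents the supported set in code rather than in a comment.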
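Review bot: `config/$($1_config)` makes every module's `.config` rule depend on `<module>_config` being defined; for a module that does not set it the prerequisite expands to the bare `config/` directory and the `cp` recipe fails, which is presumably why the series carries one-line `# nothing` placeholder config files for kexec, mbedtls, qrencode, tpmtotp and xen. Wrapping the rule in `ifdef $1_config` with an `else` branch that just does `touch "$$@"` avoids those placeholders and keeps the template self-describing. The `define define_module` body starts before this hunk and continues after it.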
@@ -177,14 +182,14 @@ initrd_lib_install: $(initrd_bins) $(initrd_libs)
 # initrd image creation
 #
 # The initrd is constructed from various bits and pieces
-# Note the touch and sort operation on the find output -- this
-# ensures that the files always have the same timestamp and
-# appear in the same order.
+# The cpio-clean program is used ensure that the files
+# always have the same timestamp and appear in the same order.
 #
-# If there is in /dev/console, initrd can't startup.
+# If there is no /dev/console, initrd can't startup.
 # We have to force it to be included into the cpio image.
-# Since we are picking up the system's /dev/console, the
-# timestamp will not be reproducible.
+# Since we are picking up the system's /dev/console, there
+# is a chance the build will not be reproducible (although
+# unlikely that their device file has a different major/minor)
 #
 #
 initrd.cpio: $(initrd_bins) $(initrd_libs) initrd_lib_install
@@ -224,6 +229,8 @@ $(call outputs,coreboot): $(build)/$(coreboot_dir)/bzImage
 #export CC := $(XGCC)/bin/x86_64-elf-gcc
 #export LDFLAGS := -L/lib/x86_64-linux-gnu
-x230.rom: $(build)/$(coreboot_dir)/build/coreboot.rom
+x230.rom: $(build)/$(coreboot_dir)/x230/coreboot.rom
 dd if="$<" of="$@" bs=1M skip=8
+qemu.rom: $(build)/$(coreboot_dir)/qemu/coreboot.rom
+ cp -a "$<" "$@"
diff --git a/config/coreboot-qemu.config b/config/coreboot-qemu.config
index 60d3e29a..f9562bb4 100644
--- a/config/coreboot-qemu.config
+++ b/config/coreboot-qemu.config
@@ -8,7 +8,6 @@
 #
 CONFIG_LOCALVERSION="-heads"
 CONFIG_CBFS_PREFIX="fallback"
-# CONFIG_MULTIPLE_CBFS_INSTANCES is not set
 CONFIG_COMPILER_GCC=y
 # CONFIG_COMPILER_LLVM_CLANG is not set
 # CONFIG_ANY_TOOLCHAIN is not set
@@ -36,7 +35,6 @@ CONFIG_BOOTBLOCK_SOURCE="bootblock_simple.c"
 # CONFIG_GENERIC_GPIO_LIB is not set
 # CONFIG_BOARD_ID_AUTO is not set
 # CONFIG_BOARD_ID_MANUAL is not set
-CONFIG_DEVICETREE="devicetree.cb"
 # CONFIG_RAM_CODE_SUPPORT is not set
 # CONFIG_BOOTSPLASH_IMAGE is not set
@@ -68,6 +66,7 @@ CONFIG_DEVICETREE="devicetree.cb"
 # CONFIG_VENDOR_DIGITALLOGIC is not set
 # CONFIG_VENDOR_DMP is not set
 # CONFIG_VENDOR_ECS is not set
+# CONFIG_VENDOR_ELMEX is not set
 CONFIG_VENDOR_EMULATION=y
 # CONFIG_VENDOR_ESD is not set
 # CONFIG_VENDOR_GETAC is not set
@@ -114,7 +113,7 @@ CONFIG_MAINBOARD_DIR="emulation/qemu-q35"
 CONFIG_MAINBOARD_PART_NUMBER="QEMU x86 q35/ich9"
 CONFIG_MAINBOARD_VENDOR="Emulation"
 CONFIG_MAX_CPUS=1
-CONFIG_CACHE_ROM_SIZE_OVERRIDE=0
+CONFIG_CACHE_ROM_SIZE_OVERRIDE=0x0
 CONFIG_CBFS_SIZE=0x400000
 CONFIG_UART_FOR_CONSOLE=0
 # CONFIG_ONBOARD_VGA_IS_PRIMARY is not set
@@ -138,6 +137,7 @@ CONFIG_BOARD_EMULATION_QEMU_X86_Q35=y
 CONFIG_BOARD_EMULATION_QEMU_X86=y
 # CONFIG_POST_DEVICE is not set
 CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_DEVICETREE="devicetree.cb"
 CONFIG_TTYS0_LCS=3
 # CONFIG_CONSOLE_POST is not set
 CONFIG_DRIVERS_UART_8250IO=y
@@ -188,6 +188,8 @@ CONFIG_UART_PCI_ADDR=0
 CONFIG_HPET_MIN_TICKS=0x80
 # CONFIG_SOC_MARVELL_ARMADA38X is not set
 # CONFIG_SOC_MARVELL_BG4CD is not set
+# CONFIG_SOC_MARVELL_MVMAP2315 is not set
+CONFIG_TTYS0_BAUD=115200
 # CONFIG_SOC_MEDIATEK_MT8173 is not set
 # CONFIG_SOC_NVIDIA_TEGRA124 is not set
 # CONFIG_SOC_NVIDIA_TEGRA210 is not set
@@ -239,6 +241,7 @@ CONFIG_CPU_MICROCODE_CBFS_GENERATE=y
 # CONFIG_CPU_MICROCODE_CBFS_EXTERNAL_HEADER is not set
 # CONFIG_CPU_MICROCODE_CBFS_NONE is not set
 # CONFIG_CPU_MICROCODE_MULTIPLE_FILES is not set
+CONFIG_CPU_UCODE_BINARIES=""
 #
 # Northbridge
@@ -266,6 +269,7 @@ CONFIG_SOUTHBRIDGE_INTEL_I82801IX=y
 #
 # Super I/O
 #
+# CONFIG_SUPERIO_NUVOTON_NCT6776_COM_A is not set
 #
 # Embedded Controllers
@@ -273,10 +277,10 @@ CONFIG_SOUTHBRIDGE_INTEL_I82801IX=y
 CONFIG_VBOOT_VBNV_OFFSET=0x26
 # CONFIG_VBOOT_VBNV_CMOS is not set
 # CONFIG_VBOOT_VBNV_EC is not set
-# CONFIG_VBOOT_VBNV_FLASH is not set
 # CONFIG_VBOOT is not set
 # CONFIG_MAINBOARD_HAS_CHROMEOS is not set
 # CONFIG_UEFI_2_4_BINDING is not set
+# CONFIG_UDK_2015_BINDING is not set
 # CONFIG_USE_SIEMENS_HWILIB is not set
 # CONFIG_ARCH_ARM is not set
 # CONFIG_ARCH_BOOTBLOCK_ARM is not set
@@ -293,6 +297,10 @@ CONFIG_VBOOT_VBNV_OFFSET=0x26
 # CONFIG_ARCH_RAMSTAGE_ARMV7 is not set
 # CONFIG_ARCH_BOOTBLOCK_ARMV7_M is not set
 # CONFIG_ARCH_VERSTAGE_ARMV7_M is not set
+# CONFIG_ARCH_BOOTBLOCK_ARMV7_R is not set
+# CONFIG_ARCH_VERSTAGE_ARMV7_R is not set
+# CONFIG_ARCH_ROMSTAGE_ARMV7_R is not set
+# CONFIG_ARCH_RAMSTAGE_ARMV7_R is not set
 # CONFIG_ARM_LPAE is not set
 # CONFIG_ARCH_ARM64 is not set
 # CONFIG_ARCH_BOOTBLOCK_ARM64 is not set
@@ -384,6 +392,7 @@ CONFIG_SUBSYSTEM_DEVICE_ID=0x0000
 # CONFIG_SPI_FLASH is not set
 # CONFIG_HAVE_SPI_CONSOLE_SUPPORT is not set
 CONFIG_DRIVERS_UART=y
+# CONFIG_DRIVERS_UART_8250IO_SKIP_INIT is not set
 # CONFIG_NO_UART_ON_SUPERIO is not set
 # CONFIG_UART_OVERRIDE_INPUT_CLOCK_DIVIDER is not set
 # CONFIG_UART_OVERRIDE_REFCLK is not set
@@ -399,6 +408,8 @@ CONFIG_DRIVERS_EMULATION_QEMU_BOCHS=y
 # CONFIG_SMBIOS_PROVIDED_BY_MOBO is not set
 # CONFIG_DRIVERS_I2C_PCF8523 is not set
 # CONFIG_DRIVERS_I2C_RTD2132 is not set
+# CONFIG_MAINBOARD_HAS_I2C_TPM_CR50 is not set
+# CONFIG_DRIVER_I2C_TPM_ACPI is not set
 # CONFIG_INTEL_DP is not set
 # CONFIG_INTEL_DDI is not set
 # CONFIG_INTEL_EDID is not set
@@ -420,6 +431,10 @@ CONFIG_DRIVERS_MC146818=y
 # CONFIG_DRIVER_XPOWERS_AXP209 is not set
 # CONFIG_ACPI_SATA_GENERATOR is not set
 # CONFIG_ACPI_INTEL_HARDWARE_SLEEP_VALUES is not set
+# CONFIG_BOOT_DEVICE_NOT_SPI_FLASH is not set
+CONFIG_BOOT_DEVICE_SPI_FLASH=y
+CONFIG_BOOT_DEVICE_MEMORY_MAPPED=y
+# CONFIG_BOOT_DEVICE_SUPPORTS_WRITES is not set
 # CONFIG_RTC is not set
 # CONFIG_TPM is not set
 CONFIG_STACK_SIZE=0x1000
@@ -447,7 +462,6 @@ CONFIG_CONSOLE_SERIAL_115200=y
 # CONFIG_CONSOLE_SERIAL_38400 is not set
 # CONFIG_CONSOLE_SERIAL_19200 is not set
 # CONFIG_CONSOLE_SERIAL_9600 is not set
-CONFIG_TTYS0_BAUD=115200
 # CONFIG_SPKMODEM is not set
 # CONFIG_CONSOLE_NE2K is not set
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000
@@ -535,7 +549,6 @@ CONFIG_LINUX_INITRD=""
 # CONFIG_DEBUG_BOOT_STATE is not set
 # CONFIG_ENABLE_APIC_EXT_ID is not set
 CONFIG_WARNINGS_ARE_ERRORS=y
-CONFIG_IASL_WARNINGS_ARE_ERRORS=y
 # CONFIG_POWER_BUTTON_DEFAULT_ENABLE is not set
 # CONFIG_POWER_BUTTON_DEFAULT_DISABLE is not set
 # CONFIG_POWER_BUTTON_FORCE_ENABLE is not set
diff --git a/config/coreboot.config b/config/coreboot-x230.config
similarity index 99%
rename from config/coreboot.config
rename to config/coreboot-x230.config
index 0436808b..34ab7836 100644
--- a/config/coreboot.config
+++ b/config/coreboot-x230.config
@@ -68,6 +68,7 @@ CONFIG_MEASURED_BOOT=y
 # CONFIG_VENDOR_DIGITALLOGIC is not set
 # CONFIG_VENDOR_DMP is not set
 # CONFIG_VENDOR_ECS is not set
+# CONFIG_VENDOR_ELMEX is not set
 # CONFIG_VENDOR_EMULATION is not set
 # CONFIG_VENDOR_ESD is not set
 # CONFIG_VENDOR_GETAC is not set
@@ -114,7 +115,7 @@ CONFIG_MAINBOARD_DIR="lenovo/x230"
 CONFIG_MAINBOARD_PART_NUMBER="ThinkPad X230"
 CONFIG_MAINBOARD_VENDOR="LENOVO"
 CONFIG_MAX_CPUS=8
-CONFIG_CACHE_ROM_SIZE_OVERRIDE=0
+CONFIG_CACHE_ROM_SIZE_OVERRIDE=0x0
 CONFIG_CBFS_SIZE=0x400000
 CONFIG_UART_FOR_CONSOLE=0
 CONFIG_VGA_BIOS_ID="8086,0166"
@@ -137,7 +138,7 @@ CONFIG_ID_SECTION_OFFSET=0x80
 CONFIG_USBDEBUG_HCD_INDEX=2
 CONFIG_IFD_BIOS_SECTION=""
 CONFIG_IFD_ME_SECTION=""
-CONFIG_TPM_PIRQ=0
+CONFIG_TPM_PIRQ=0x0
 CONFIG_BOOT_DEVICE_SPI_FLASH_BUS=0
 CONFIG_DRIVERS_PS2_KEYBOARD=y
 CONFIG_DEVICETREE="devicetree.cb"
@@ -312,6 +313,7 @@ CONFIG_SOUTHBRIDGE_INTEL_COMMON_GPIO=y
 #
 # Super I/O
 #
+# CONFIG_SUPERIO_NUVOTON_NCT6776_COM_A is not set
 #
 # Embedded Controllers
@@ -461,6 +463,7 @@ CONFIG_SPI_FLASH_WINBOND=y
 # CONFIG_SPI_FLASH_FAST_READ_DUAL_OUTPUT_3B is not set
 # CONFIG_HAVE_SPI_CONSOLE_SUPPORT is not set
 CONFIG_DRIVERS_UART=y
+# CONFIG_DRIVERS_UART_8250IO_SKIP_INIT is not set
 CONFIG_NO_UART_ON_SUPERIO=y
 # CONFIG_UART_OVERRIDE_INPUT_CLOCK_DIVIDER is not set
 # CONFIG_UART_OVERRIDE_REFCLK is not set
diff --git a/modules/busybox b/modules/busybox
index 2c3f11b2..87f98a5f 100644
--- a/modules/busybox
+++ b/modules/busybox
@@ -7,5 +7,6 @@ busybox_url := https://busybox.net/downloads/$(busybox_tar)
 busybox_hash := 5a0fe06885ee1b805fb459ab6aaa023fe4f2eccee4fb8c0fd9a6c17c0daca2fc
 busybox_configure := make oldconfig
+busybox_config := busybox.config
 busybox_output := busybox
diff --git a/modules/coreboot b/modules/coreboot
index c286767d..a2b94c0e 100644
--- a/modules/coreboot
+++ b/modules/coreboot
@@ -9,14 +9,26 @@ coreboot_dir := coreboot-$(coreboot_version)
 coreboot_repo := https://github.com/osresearch/coreboot
-coreboot_configure := make oldconfig
-coreboot_output := build/coreboot.rom
+# Coreboot builds are specialized on a per-target basis.
+# The builds are done in a per-target subdirectory
+coreboot_config := coreboot-$(TARGET).config
+
+coreboot_configure := \
+ make oldconfig obj=./$(TARGET) DOTCONFIG=../../config/coreboot-$(TARGET).config
+
+coreboot_target := \
+ obj=./$(TARGET) DOTCONFIG=../../config/coreboot-$(TARGET).config -j 8
+
+coreboot_output := $(TARGET)/coreboot.rom
+
 # hack to force a build dependency on the cross compiler
-$(build)/$(coreboot_dir)/.configured: $(build)/$(coreboot_dir)/util/crossgcc/xgcc/bin/iasl
-$(build)/$(coreboot_dir)/util/crossgcc/xgcc/bin/iasl:
- echo '******* Building gcc (this might take a while) ******'
+$(build)/$(coreboot_dir)/.configured: $(build)/$(coreboot_dir)/util/crossgcc/xgcc/bin/i386-elf-gcc
+$(build)/$(coreboot_dir)/util/crossgcc/xgcc/bin/i386-elf-gcc:
+ echo '******* Building crossgcc-i386 (this might take a while) ******'
 time make -C "$(build)/$(coreboot_dir)" crossgcc-i386
+ #echo '******* Building crossgcc-arm (this might take a while) ******'
+ #time make -C "$(build)/$(coreboot_dir)" crossgcc-arm
 # The coreboot-blobs must be unpacked before we can build coreboot
 # if we are using a tar file; git checkout will clone the submodule.
diff --git a/modules/cryptsetup b/modules/cryptsetup
index 9d465261..1ed4e1c9 100644
--- a/modules/cryptsetup
+++ b/modules/cryptsetup
@@ -7,4 +7,5 @@ cryptsetup_url := https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptse
 cryptsetup_hash := dbb35dbf5f0c1749168c86c913fe98e872247bfc8425314b494c2423e7e43342
 cryptsetup_configure := ./configure
+cryptsetup_config := cryptsetup.config
 cryptsetup_output :=
diff --git a/modules/kexec b/modules/kexec
index e63490fb..f0c112eb 100644
--- a/modules/kexec
+++ b/modules/kexec
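Review bot: `DOTCONFIG=../../config/coreboot-$(TARGET).config` points coreboot's `make oldconfig` at the tracked config file itself, so the configure step rewrites a source-controlled file in place (and presumably leaves the `.old` backups that `config/*.old` was just added to .gitignore for); copying the config into the build tree first, the way `define_module` already does for other modules via `$1_config`, keeps the checked-in config read-only during a build and makes an unexpected diff after `make` meaningful. `-j 8` is hard-coded in `coreboot_target`; `-j $(CPUS)` with a `CPUS ?= 8` default avoids baking one host's core count into the module. `coreboot_config := coreboot-$(TARGET).config` and the two `DOTCONFIG=` paths spell the same filename three times; deriving the path from `$(coreboot_config)` prevents them drifting when a board is added.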
@@ -8,3 +8,4 @@ kexec_hash := cc7b60dad0da202004048a6179d8a53606943062dd627a2edba45a8ea3a85135
 kexec_configure := ./configure
 kexec_output := build/sbin/kexec
+kexec_config := kexec.config
diff --git a/modules/linux b/modules/linux
index af4a55f6..5badbcae 100644
--- a/modules/linux
+++ b/modules/linux
@@ -12,3 +12,5 @@ linux_hash := $(linux-$(linux_version)_hash)
 linux_configure := make oldconfig
 linux_output := arch/x86/boot/bzImage
+linux_config := linux.config
+linux_target := -j 8 bzImage
diff --git a/modules/mbedtls b/modules/mbedtls
index 737c37c9..2e1d4089 100644
--- a/modules/mbedtls
+++ b/modules/mbedtls
@@ -11,3 +11,4 @@ mbedtls_libraries := \
 mbedtls_configure :=
 mbedtls_target := SHARED=1
+mbedtls_config := mbedtls.config
diff --git a/modules/qrencode b/modules/qrencode
index 82ce7f94..30e3c7de 100644
--- a/modules/qrencode
+++ b/modules/qrencode
@@ -8,3 +8,4 @@ qrencode_hash := e794e26a96019013c0e3665cb06b18992668f352c5553d0a553f5d144f7f2a7
 qrencode_output := .libs/libqrencode.so.$(qrencode_version)
 qrencode_configure := ./configure --without-tools
+qrencode_config := qrencode.config
diff --git a/modules/tpmtotp b/modules/tpmtotp
index d4773780..cc43ac9a 100644
--- a/modules/tpmtotp
+++ b/modules/tpmtotp
@@ -42,3 +42,4 @@ tpmtotp_libraries := \
 libtpm/libtpm.so \
 tpmtotp_configure :=
+tpmtotp_config := tpmtotp.config
diff --git a/modules/xen b/modules/xen
index 8792d200..156e50df 100644
--- a/modules/xen
+++ b/modules/xen
@@ -10,3 +10,5 @@ xen_hash := 02badfce9a037bd1bd4a94210c1f6b85467746216c71795805102b514bcf1fc4
 xen_output := xen.gz
 xen_configure :=
+xen_target := -j 8
+xen_config := xen.config
From 4a832737448f0ecf02fab238cc97917c78c839fd Mon Sep 17 00:00:00 2001
From: Trammell Hudson
Date: Tue, 29 Nov 2016 11:14:35 -0500
Subject: [PATCH 16/30] disable ACPI on qemu boots, this fixes #53
---
 config/coreboot-qemu.config | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/coreboot-qemu.config b/config/coreboot-qemu.config
index f9562bb4..8c457b65 100644
--- a/config/coreboot-qemu.config
+++ b/config/coreboot-qemu.config
@@ -520,7 +520,7 @@ CONFIG_PAYLOAD_LINUX=y
 CONFIG_PAYLOAD_FILE="./bzImage"
 CONFIG_PAYLOAD_OPTIONS=""
 # CONFIG_PXE is not set
-CONFIG_LINUX_COMMAND_LINE="console=ttyS0 console=tty"
+CONFIG_LINUX_COMMAND_LINE="acpi=off console=ttyS0 console=tty"
 CONFIG_LINUX_INITRD=""
 # CONFIG_PAYLOAD_IS_FLAT_BINARY is not set
From e55a6a4df42cd30a08481f1271dc61bde906d3f2 Mon Sep 17 00:00:00 2001
From: Trammell Hudson
Date: Tue, 29 Nov 2016 11:19:48 -0500
Subject: [PATCH 17/30] Rework Makefile a bit.
rename TARGET to BOARD (fix #55)
use .INTERMEDIATE trick to avoid building multiple times (fix #52)
Don't touch build/*/.config if we don't have to (fix #51)
---
 Makefile | 37 ++++++++++++++++++++++++++----------
 config/coreboot-blobs.config | 1 -
 config/kexec.config | 1 -
 config/mbedtls.config | 1 -
 config/qrencode.config | 1 -
 config/tpmtotp.config | 1 -
 config/xen.config | 1 -
 modules/coreboot | 8 ++++----
 modules/cryptsetup | 1 -
 modules/kexec | 1 -
 modules/mbedtls | 1 -
 modules/qrencode | 1 -
 modules/tpmtotp | 1 -
 modules/xen | 1 -
 14 files changed, 31 insertions(+), 26 deletions(-)
 delete mode 100644 config/coreboot-blobs.config
 delete mode 100644 config/kexec.config
 delete mode 100644 config/mbedtls.config
 delete mode 100644 config/qrencode.config
 delete mode 100644 config/tpmtotp.config
 delete mode 100644 config/xen.config
diff --git a/Makefile b/Makefile
index 57cea1b9..ea0007c4 100644
--- a/Makefile
+++ b/Makefile
@@ -5,9 +5,12 @@ build := $(pwd)/build
 config := $(pwd)/build
 # Currently supported targets are x230, chell and qemu
-TARGET ?= x230
+BOARD ?= x230
-all: $(TARGET).rom
+all: $(BOARD).rom
+
+# Disable all built in rules
+.SUFFIXES:
 # Bring in all of the module definitions;
@@ -15,7 +18,9 @@ all: $(TARGET).rom
 # as part of creating the Heads firmware image.
 include modules/*
-all: $(modules)
+# These will be built via their intermediate targets
+# This increases the build time, so it is commented out for now
+#all: $(foreach m,$(modules),$m.intermediate)
 define prefix =
 $(foreach _, $2, $1$_)
@@ -68,8 +73,14 @@ define define_module =
 endif
 # Copy our stored config file into the unpacked directory
- $(build)/$($1_dir)/.config: config/$($1_config) $(build)/$($1_dir)/.canary
- cp "$$<" "$$@"
+ ifdef $1_config
+ $(build)/$($1_dir)/.config: config/$($1_config) $(build)/$($1_dir)/.canary
+ cp -a "$$<" "$$@"
+ else
+ $(build)/$($1_dir)/.config: $(build)/$($1_dir)/.canary
+ touch "$$@"
+ endif
+
 # Use the module's configure variable to build itself
 $(build)/$($1_dir)/.configured: \
@@ -79,14 +90,18 @@ define define_module =
 touch "$$@"
 # Build the target after any dependencies
- $(call outputs,$1): \
- $(build)/$($1_dir)/.configured \
- $(call outputs,$($1_depends))
- make -C "$(build)/$($1_dir)" $($1_target)
+ $(call outputs,$1): $1.intermediate
 # Short hand target for the module
- $1: $(call outputs,$1)
+ #$1: $(call outputs,$1)
+ # Target for all of the outputs, which depend on their dependent modules
+$1.intermediate: \
+ $(build)/$($1_dir)/.configured \
+ $(foreach d,$($1_depends),$d.intermediate)
+ make -C "$(build)/$($1_dir)" $($1_target)
+
+.INTERMEDIATE: $1.intermediate
 endef
 $(foreach _, $(modules), $(eval $(call define_module,$_)))
@@ -208,6 +223,8 @@ initrd.cpio: $(initrd_bins) $(initrd_libs) initrd_lib_install
 echo "$@: Unchanged"; \
 rm "$@.tmp"; \
 fi
+
+initrd.intermediate: initrd.cpio
 # populate the coreboot initrd image from the one we built.
diff --git a/config/coreboot-blobs.config b/config/coreboot-blobs.config
deleted file mode 100644
index 556df42e..00000000
--- a/config/coreboot-blobs.config
+++ /dev/null
@@ -1 +0,0 @@
-# nothing
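Review bot: `cp -a "$$<" "$$@"` in the new `ifdef $1_config` branch preserves the source file's mtime, so the copied `.config` carries the timestamp of the checked-in config rather than the time of the copy; whenever `$(build)/$($1_dir)/.canary` is newer than that (likely, since the tree is unpacked after the config was committed) make will consider `.config` out of date on every run, re-copy it and re-trigger `.configured`, which works against the "don't touch .config" goal in the commit message — worth confirming with `make -d`, and if it reproduces, plain `cp` or a `touch "$$@"` after the copy fixes it. The `else` branch creates an empty `.config` for modules without one, which suits the `./configure`-style modules, but a module that later gains a config silently keeps the empty file until `.canary` changes, so a short comment on that branch would help. The `define define_module` body starts before this hunk and continues after it.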
diff --git a/config/kexec.config b/config/kexec.config
deleted file mode 100644
index 556df42e..00000000
--- a/config/kexec.config
+++ /dev/null
@@ -1 +0,0 @@
-# nothing
diff --git a/config/mbedtls.config b/config/mbedtls.config
deleted file mode 100644
index 556df42e..00000000
--- a/config/mbedtls.config
+++ /dev/null
@@ -1 +0,0 @@
-# nothing
diff --git a/config/qrencode.config b/config/qrencode.config
deleted file mode 100644
index 556df42e..00000000
--- a/config/qrencode.config
+++ /dev/null
@@ -1 +0,0 @@
-# nothing
diff --git a/config/tpmtotp.config b/config/tpmtotp.config
deleted file mode 100644
index 556df42e..00000000
--- a/config/tpmtotp.config
+++ /dev/null
@@ -1 +0,0 @@
-# nothing
diff --git a/config/xen.config b/config/xen.config
deleted file mode 100644
index c01ade29..00000000
--- a/config/xen.config
+++ /dev/null
@@ -1 +0,0 @@
-# Nothing
diff --git a/modules/coreboot b/modules/coreboot
index a2b94c0e..204c416e 100644
--- a/modules/coreboot
+++ b/modules/coreboot
@@ -11,15 +11,15 @@ coreboot_repo := https://github.com/osresearch/coreboot
 # Coreboot builds are specialized on a per-target basis.
 # The builds are done in a per-target subdirectory
-coreboot_config := coreboot-$(TARGET).config
+#coreboot_config := coreboot-$(TARGET).config
 coreboot_configure := \
- make oldconfig obj=./$(TARGET) DOTCONFIG=../../config/coreboot-$(TARGET).config
+ make oldconfig obj=./$(BOARD) DOTCONFIG=../../config/coreboot-$(BOARD).config
 coreboot_target := \
- obj=./$(TARGET) DOTCONFIG=../../config/coreboot-$(TARGET).config -j 8
+ obj=./$(BOARD) DOTCONFIG=../../config/coreboot-$(BOARD).config -j 8
-coreboot_output := $(TARGET)/coreboot.rom
+coreboot_output := $(BOARD)/coreboot.rom
 # hack to force a build dependency on the cross compiler
diff --git a/modules/cryptsetup b/modules/cryptsetup
index 1ed4e1c9..9d465261 100644
--- a/modules/cryptsetup
+++ b/modules/cryptsetup
@@ -7,5 +7,4 @@ cryptsetup_url := https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptse cryptsetup_hash := dbb35dbf5f0c1749168c86c913fe98e872247bfc8425314b494c2423e7e43342 cryptsetup_configure := ./configure -cryptsetup_config := cryptsetup.config cryptsetup_output := diff --git a/modules/kexec b/modules/kexec index f0c112eb..e63490fb 100644 --- a/modules/kexec +++ b/modules/kexec @@ -8,4 +8,3 @@ kexec_hash := cc7b60dad0da202004048a6179d8a53606943062dd627a2edba45a8ea3a85135 kexec_configure := ./configure kexec_output := build/sbin/kexec -kexec_config := kexec.config diff --git a/modules/mbedtls b/modules/mbedtls index 2e1d4089..737c37c9 100644 --- a/modules/mbedtls +++ b/modules/mbedtls @@ -11,4 +11,3 @@ mbedtls_libraries := \ mbedtls_configure := mbedtls_target := SHARED=1 -mbedtls_config := mbedtls.config diff --git a/modules/qrencode b/modules/qrencode index 30e3c7de..82ce7f94 100644 --- a/modules/qrencode +++ b/modules/qrencode @@ -8,4 +8,3 @@ qrencode_hash := e794e26a96019013c0e3665cb06b18992668f352c5553d0a553f5d144f7f2a7 qrencode_output := .libs/libqrencode.so.$(qrencode_version) qrencode_configure := ./configure --without-tools -qrencode_config := qrencode.config diff --git a/modules/tpmtotp b/modules/tpmtotp index cc43ac9a..d4773780 100644 --- a/modules/tpmtotp +++ b/modules/tpmtotp @@ -42,4 +42,3 @@ tpmtotp_libraries := \ libtpm/libtpm.so \ tpmtotp_configure := -tpmtotp_config := tpmtotp.config diff --git a/modules/xen b/modules/xen index 156e50df..49cc50f8 100644 --- a/modules/xen +++ b/modules/xen @@ -11,4 +11,3 @@ xen_hash := 02badfce9a037bd1bd4a94210c1f6b85467746216c71795805102b514bcf1fc4 xen_output := xen.gz xen_configure := xen_target := -j 8 -xen_config := xen.config From 5fd61f3e52fb5419542e35922c10531ee637d91d Mon Sep 17 00:00:00 2001 From: Philipp Deppenwiese Date: Tue, 29 Nov 2016 20:24:01 +0100 Subject: [PATCH 18/30] Update cryptsetup module and strip it down 
Signed-off-by: Philipp Deppenwiese --- modules/cryptsetup | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/modules/cryptsetup b/modules/cryptsetup index 9d465261..8ef89457 100644 --- a/modules/cryptsetup +++ b/modules/cryptsetup @@ -1,10 +1,12 @@ modules += cryptsetup -cryptsetup_version := 1.7.2 +cryptsetup_version := 1.7.3 cryptsetup_dir := cryptsetup-$(cryptsetup_version) cryptsetup_tar := cryptsetup-$(cryptsetup_version).tar.xz -cryptsetup_url := https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-1.7.2.tar.xz -cryptsetup_hash := dbb35dbf5f0c1749168c86c913fe98e872247bfc8425314b494c2423e7e43342 +cryptsetup_url := https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-$(cryptsetup_version).tar.xz +cryptsetup_hash := af2b04e8475cf40b8d9ffd97a1acfa73aa787c890430afd89804fb544d6adc02 -cryptsetup_configure := ./configure +cryptsetup_configure := ./configure \ + --disable-gcrypt-pbkdf2 \ + --with-crypto_backend=kernel cryptsetup_output := From 05056aefc045e78fcee60e0f47df56ab5de49b6e Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Tue, 29 Nov 2016 14:29:38 -0500 Subject: [PATCH 19/30] include chmod (fix #30) --- config/busybox.config | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/busybox.config b/config/busybox.config index 4370d44b..5d38e96c 100644 --- a/config/busybox.config +++ b/config/busybox.config @@ -1,7 +1,7 @@ # # Automatically generated make config: don't edit # Busybox version: 1.25.0 -# Tue Oct 25 14:38:11 2016 +# Tue Nov 29 14:28:46 2016 # CONFIG_HAVE_DOT_CONFIG=y @@ -217,7 +217,7 @@ CONFIG_BASE64=y # CONFIG_CAL is not set # CONFIG_CATV is not set # CONFIG_CHGRP is not set -# CONFIG_CHMOD is not set +CONFIG_CHMOD=y # CONFIG_CHOWN is not set # CONFIG_FEATURE_CHOWN_LONG_OPTIONS is not set CONFIG_CHROOT=y From 3b0509758ab9e28e209ba61f0e9feefca73b14be Mon Sep 17 00:00:00 2001 
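Review bot: The new `cryptsetup_hash` value is the only thing that pins the 1.7.3 tarball, and the commit does not say how it was obtained; a one-line comment above it such as `# sha256 of the upstream-signed cryptsetup-1.7.3.tar.xz, checked against its detached signature` would let a later reader tell a verified hash from one copied off a download page. `cryptsetup_url` now derives the file name from `$(cryptsetup_version)` but still hard-codes the `v1.7` directory, so a future minor bump will need both edited; worth a short note next to it. As far as I recall, `--with-crypto_backend=kernel` makes cryptsetup depend on the kernel's AF_ALG user interface (`CONFIG_CRYPTO_USER_API_HASH` / `CONFIG_CRYPTO_USER_API_SKCIPHER`), which this series does not visibly enable in config/linux.config; a comment cross-referencing that dependency would save a puzzling luksOpen failure later.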
From: Trammell Hudson Date: Thu, 1 Dec 2016 13:57:35 -0500 Subject: [PATCH 20/30] parse the Firmware Interface Table (FIT) on a ROM image --- fit-parse | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100755 fit-parse diff --git a/fit-parse b/fit-parse new file mode 100755 index 00000000..4519785e --- /dev/null +++ b/fit-parse @@ -0,0 +1,66 @@ +#!/usr/bin/perl +use warnings; +use strict; + +undef $/; +my $rom = <>; +my $base = 0xFFFFFFFF - length($rom) + 1; +printf "ROM len: %08x\n", length($rom); +printf "ROM base: %08x\n", $base; + +sub uint32 +{ + my $offset = shift; + return unpack("V", substr($rom, $offset - $base, 4)); +} + +sub uint64 +{ + my $offset = shift; + return unpack("Q", substr($rom, $offset - $base, 8)); +} + +# Assume the ROM is mapped to the top of 4GB +my $fit_ptr = uint32(0xFFFFFFC0); +my $fit_offset = $fit_ptr - $base; + +printf "FIT pointer: %08x (offset %08x)\n", $fit_ptr, $fit_offset; + +die "FIT pointer out of range?\n" if $fit_offset >= length($rom); + +my $fit = substr($rom, $fit_ptr - $base, 8); +printf "Signature: '%s'\n", $fit; +die "Bad signature?\n" unless $fit eq '_FIT_ '; + +my $entries = uint32($fit_ptr + 0x8); + +my %entry_types = ( + 0x00 => "Header", + 0x01 => "Microcode", + 0x02 => "Startup ACM", + 0x07 => "BIOS Startup Module", + 0x08 => "TPM Policy", + 0x09 => "BIOS Policy", + 0x0A => "TXT Policy", + 0x0B => "Key Manifest", + 0x0C => "Boot Policy Manifest", + 0x10 => "CSE Secure Boot", + 0x2D => "TXTSX Policy", + 0x2F => "JMP Debug Policy", + 0x7F => "SKIP", +); + +for my $i (1..$entries-1) +{ + my ($address, $len, $ver, $type, $csum) = unpack( + "QVSCC", substr($rom, $fit_ptr - $base + $i*0x10, 0x10)); + + printf "%d: address %08x @ %08x: ver %04x type %s (0x%02x)\n", + $i, + $address, + $len, + $ver, + $entry_types{$type} || "Unknown", + $type, + ; +} From c98a3925084bbf6b3d024b14be6eda5ea42c7d3b Mon Sep 17 00:00:00 2001 
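Review bot: `uint32`, `uint64` and the entry loop all index into `$rom` with offsets taken from the image itself (`$fit_ptr`, `$entries`), yet only the upper bound of the FIT pointer is checked: a pointer below `$base` makes `$fit_offset` negative, which `substr` silently treats as an offset from the end of the string, and an oversized `$entries` makes `unpack` run on a short slice and print nonsense instead of failing. Tighten the pointer check to `die "FIT pointer out of range?\n" if $fit_ptr < $base or $fit_offset + 8 > length($rom);` and guard each entry at the top of the loop body with `die "FIT entry $i out of range?\n" if $fit_offset + $i*0x10 + 0x10 > length($rom);`. `$csum` is unpacked but never used, so nothing validates the table; if it is meant for a later checksum pass, say so in a comment. The second `%08x` in the entry printf prints `$len` under an `@` label, so `len %08x` would describe what is shown.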
From: Trammell Hudson Date: Thu, 1 Dec 2016 14:02:26 -0500 Subject: [PATCH 21/30] enable EPOLL for plymouth --- config/linux.config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/linux.config b/config/linux.config index a5687840..82b321f4 100644 --- a/config/linux.config +++ b/config/linux.config @@ -166,7 +166,7 @@ CONFIG_BUG=y CONFIG_PCSPKR_PLATFORM=y # CONFIG_BASE_FULL is not set # CONFIG_FUTEX is not set -# CONFIG_EPOLL is not set +CONFIG_EPOLL=y # CONFIG_SIGNALFD is not set # CONFIG_TIMERFD is not set # CONFIG_EVENTFD is not set From 0aae22d67c32fb4903c40ef070e4b8b41a1acd8e Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Thu, 1 Dec 2016 14:02:57 -0500 Subject: [PATCH 22/30] increase CBFS size for qemu builds to allow easier experimentation --- config/coreboot-qemu.config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/coreboot-qemu.config b/config/coreboot-qemu.config index 8c457b65..868247e7 100644 --- a/config/coreboot-qemu.config +++ b/config/coreboot-qemu.config @@ -114,7 +114,7 @@ CONFIG_MAINBOARD_PART_NUMBER="QEMU x86 q35/ich9" CONFIG_MAINBOARD_VENDOR="Emulation" CONFIG_MAX_CPUS=1 CONFIG_CACHE_ROM_SIZE_OVERRIDE=0x0 -CONFIG_CBFS_SIZE=0x400000 +CONFIG_CBFS_SIZE=0x800000 CONFIG_UART_FOR_CONSOLE=0 # CONFIG_ONBOARD_VGA_IS_PRIMARY is not set # CONFIG_VGA_BIOS is not set From ff5639a5426224db27f359ab60a73a1b3c64ee28 Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Thu, 1 Dec 2016 14:03:55 -0500 Subject: [PATCH 23/30] Build cryptsetup and install it into the initrd --- Makefile | 19 +++++++++---------- modules/cryptsetup | 10 +++++++--- 2 files changed, 16 insertions(+), 13 deletions(-) diff --git a/Makefile b/Makefile index ea0007c4..f5f3eeec 100644 --- a/Makefile +++ b/Makefile @@ -5,7 +5,7 @@ build := $(pwd)/build config := $(pwd)/build # Currently supported targets are x230, chell and qemu -BOARD ?= x230 +BOARD ?= qemu all: $(BOARD).rom 
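Review bot: The Makefile hunk at `@@ -5,7 +5,7` changes the default board from `BOARD ?= x230` to `BOARD ?= qemu`, which the commit message ("Build cryptsetup and install it into the initrd") does not mention and which looks like a local experimentation setting that leaked into the patch; a plain `make` now produces a qemu ROM rather than the x230 image the rest of the series targets. Either restore `BOARD ?= x230` or call the new default out in the commit description and in the comment above it.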
@@ -72,13 +72,14 @@ define define_module = touch "$$@" endif - # Copy our stored config file into the unpacked directory - ifdef $1_config - $(build)/$($1_dir)/.config: config/$($1_config) $(build)/$($1_dir)/.canary - cp -a "$$<" "$$@" - else + ifeq "$($1_config)" "" + # There is no official .config file $(build)/$($1_dir)/.config: $(build)/$($1_dir)/.canary touch "$$@" + else + # Copy the stored config file into the unpacked directory + $(build)/$($1_dir)/.config: config/$($1_config) $(build)/$($1_dir)/.canary + cp -a "$$<" "$$@" endif @@ -143,6 +144,7 @@ endef $(foreach _, $(call bins,kexec), $(eval $(call initrd_bin_add,$_))) $(foreach _, $(call bins,tpmtotp), $(eval $(call initrd_bin_add,$_))) +$(foreach _, $(call bins,cryptsetup), $(eval $(call initrd_bin_add,$_))) $(foreach _, $(call libs,tpmtotp), $(eval $(call initrd_lib_add,$_))) $(foreach _, $(call libs,mbedtls), $(eval $(call initrd_lib_add,$_))) @@ -171,10 +173,7 @@ $(build)/$(coreboot_dir)/util/cbmem/cbmem: $(build)/$(coreboot_dir)/.canary # Mounting dm-verity file systems requires dm-verity to be installed # We use gpgv to verify the signature on the root hash. # Both of these should be brought in as modules instead of from /sbin -#initrd_bins += initrd/bin/cryptsetup -initrd/bin/cryptsetup: /sbin/cryptsetup - cp "$<" "$@" -initrd_bins += initrd/bin/dmsetup +#initrd_bins += initrd/bin/dmsetup initrd/bin/dmsetup: /sbin/dmsetup cp "$<" "$@" initrd_bins += initrd/bin/gpgv diff --git a/modules/cryptsetup b/modules/cryptsetup index 8ef89457..5bae4152 100644 --- a/modules/cryptsetup +++ b/modules/cryptsetup 
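Review bot: After the hunk at `@@ -171,10 +173,7`, `gpgv` is still copied from the build host via `initrd_bins += initrd/bin/gpgv` while cryptsetup now comes from a hash-pinned module, so the binary that checks the kernel, initrd and Xen signatures at boot is the one piece of the verification path whose provenance the build does not control. The comment above it ("Both of these should be brought in as modules instead of from /sbin") now describes cryptsetup (moved) and dmsetup (disabled) rather than gpgv; suggest rewording it to `# gpgv is still copied from the host; build it as a hash-pinned module like cryptsetup`. The `initrd/bin/dmsetup: /sbin/dmsetup` rule is left orphaned once its `initrd_bins +=` line is commented out; comment out or remove both together so they stay in step.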
@@ -7,6 +7,10 @@ cryptsetup_url := https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptse cryptsetup_hash := af2b04e8475cf40b8d9ffd97a1acfa73aa787c890430afd89804fb544d6adc02 cryptsetup_configure := ./configure \ - --disable-gcrypt-pbkdf2 \ - --with-crypto_backend=kernel -cryptsetup_output := + --disable-gcrypt-pbkdf2 \ + --with-crypto_backend=kernel \ + +cryptsetup_output := \ + src/.libs/cryptsetup \ + src/.libs/veritysetup \ + From a6520772dc52ae4fd3463fb157786d477c65e3fd Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Mon, 12 Dec 2016 11:01:18 -0500 Subject: [PATCH 24/30] Update Heads to use the 4.9 Linux LTS kernel. No patches are required to boot 4.9 as a coreboot payload, unlike the 4.7 kernel that required a head_64.S patch. The new kernel is about 40 KB larger than the 4.7; the config might be shrinkable. Close issue #61. --- config/linux.config | 69 +++++++++++++++++++++++++++++++++------------ modules/linux | 3 +- 2 files changed, 53 insertions(+), 19 deletions(-) diff --git a/config/linux.config b/config/linux.config index 82b321f4..d5d9d793 100644 --- a/config/linux.config +++ b/config/linux.config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.7.0 Kernel Configuration +# Linux/x86 4.9.0 Kernel Configuration # CONFIG_64BIT=y CONFIG_X86_64=y @@ -38,7 +38,6 @@ CONFIG_AUDIT_ARCH=y CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y CONFIG_X86_64_SMP=y -CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11" CONFIG_ARCH_SUPPORTS_UPROBES=y CONFIG_FIX_EARLYCON_MEM=y CONFIG_DEBUG_RODATA=y @@ -46,6 +45,7 @@ CONFIG_PGTABLE_LEVELS=4 CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config" CONFIG_IRQ_WORK=y CONFIG_BUILDTIME_EXTABLE_SORT=y +CONFIG_THREAD_INFO_IN_TASK=y # # General setup 
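Review bot: Both `--with-crypto_backend=kernel \` and `src/.libs/veritysetup \` end with a line continuation followed by an empty line, so each variable's value is only terminated by the blank line after it; make apparently tolerates this, but the dangling `\` means that whoever later deletes the blank line silently folds the next statement into the value. Drop the trailing backslash on the last item of each list, i.e. `--with-crypto_backend=kernel` and `src/.libs/veritysetup`.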
@@ -191,6 +191,7 @@ CONFIG_PERF_EVENTS=y # CONFIG_SLAB is not set CONFIG_SLUB=y # CONFIG_SLOB is not set +# CONFIG_SLAB_FREELIST_RANDOM is not set CONFIG_SLUB_CPU_PARTIAL=y # CONFIG_SYSTEM_DATA_VERIFICATION is not set # CONFIG_PROFILING is not set @@ -228,11 +229,14 @@ CONFIG_HAVE_ALIGNED_STRUCT_PAGE=y CONFIG_HAVE_CMPXCHG_LOCAL=y CONFIG_HAVE_CMPXCHG_DOUBLE=y CONFIG_HAVE_ARCH_SECCOMP_FILTER=y +CONFIG_HAVE_GCC_PLUGINS=y +# CONFIG_GCC_PLUGINS is not set CONFIG_HAVE_CC_STACKPROTECTOR=y CONFIG_CC_STACKPROTECTOR=y # CONFIG_CC_STACKPROTECTOR_NONE is not set # CONFIG_CC_STACKPROTECTOR_REGULAR is not set CONFIG_CC_STACKPROTECTOR_STRONG=y +CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y CONFIG_HAVE_CONTEXT_TRACKING=y CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y @@ -250,6 +254,8 @@ CONFIG_HAVE_STACK_VALIDATION=y # CONFIG_HAVE_ARCH_HASH is not set # CONFIG_ISA_BUS_API is not set # CONFIG_CPU_NO_EFFICIENT_FFS is not set +CONFIG_HAVE_ARCH_VMAP_STACK=y +CONFIG_VMAP_STACK=y # # GCOV-based kernel profiling @@ -279,6 +285,7 @@ CONFIG_BLOCK=y # CONFIG_PARTITION_ADVANCED is not set CONFIG_MSDOS_PARTITION=y CONFIG_EFI_PARTITION=y +CONFIG_BLK_MQ_PCI=y # # IO Schedulers @@ -466,12 +473,14 @@ CONFIG_ACPI_BUTTON=y CONFIG_ACPI_FAN=y # CONFIG_ACPI_DOCK is not set CONFIG_ACPI_CPU_FREQ_PSS=y +CONFIG_ACPI_PROCESSOR_CSTATE=y CONFIG_ACPI_PROCESSOR_IDLE=y CONFIG_ACPI_PROCESSOR=y # CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set CONFIG_ACPI_THERMAL=y CONFIG_ACPI_CUSTOM_DSDT_FILE="" # CONFIG_ACPI_CUSTOM_DSDT is not set +CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y CONFIG_ACPI_TABLE_UPGRADE=y # CONFIG_ACPI_DEBUG is not set # CONFIG_ACPI_PCI_SLOT is not set @@ -486,8 +495,10 @@ CONFIG_ACPI_HOTPLUG_IOAPIC=y CONFIG_HAVE_ACPI_APEI=y CONFIG_HAVE_ACPI_APEI_NMI=y # CONFIG_ACPI_APEI is not set +# CONFIG_DPTF_POWER is not set # CONFIG_ACPI_EXTLOG is not set # CONFIG_PMIC_OPREGION is not set +# CONFIG_ACPI_CONFIGFS is not set # CONFIG_SFI is not set # 
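Review bot: The first hunk introduces `# CONFIG_SLAB_FREELIST_RANDOM is not set` alongside the newly enabled `CONFIG_VMAP_STACK=y` here and `CONFIG_HARDENED_USERCOPY=y` in the later hunk around line 2022 of config/linux.config, which suggests the new 4.9 hardening options were taken at their `oldconfig` defaults rather than chosen. For a boot-verification kernel with a tiny userspace the cost of these options is likely negligible, so it would be worth deciding on them deliberately (e.g. `CONFIG_SLAB_FREELIST_RANDOM=y`) and recording that decision in the commit message; I am inferring the `oldconfig` origin from the diff shape, not from anything stated.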
@@ -534,7 +545,6 @@ CONFIG_PCI_LABEL=y # # PCI host controller drivers # -# CONFIG_PCIE_DW_PLAT is not set # CONFIG_ISA_BUS is not set CONFIG_ISA_DMA_API=y CONFIG_AMD_NB=y @@ -577,6 +587,7 @@ CONFIG_EXTRA_FIRMWARE="" # CONFIG_ALLOW_DEV_COREDUMP is not set # CONFIG_DEBUG_DRIVER is not set # CONFIG_DEBUG_DEVRES is not set +# CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set # CONFIG_SYS_HYPERVISOR is not set # CONFIG_GENERIC_CPU_DEVICES is not set CONFIG_GENERIC_CPU_AUTOPROBE=y @@ -641,12 +652,10 @@ CONFIG_BLK_DEV_RAM_SIZE=65536 # CONFIG_ISL29003 is not set # CONFIG_ISL29020 is not set # CONFIG_SENSORS_TSL2550 is not set -# CONFIG_SENSORS_BH1780 is not set # CONFIG_SENSORS_BH1770 is not set # CONFIG_SENSORS_APDS990X is not set # CONFIG_HMC6352 is not set # CONFIG_DS1682 is not set -# CONFIG_BMP085_I2C is not set # CONFIG_USB_SWITCH_FSA9480 is not set # CONFIG_SRAM is not set # CONFIG_C2PORT is not set @@ -711,8 +720,7 @@ CONFIG_INTEL_MEI_TXE=y # CONFIG_GENWQE is not set # CONFIG_ECHO is not set # CONFIG_CXL_BASE is not set -# CONFIG_CXL_KERNEL_API is not set -# CONFIG_CXL_EEH is not set +# CONFIG_CXL_AFU_DRIVER_OPS is not set CONFIG_HAVE_IDE=y # CONFIG_IDE is not set @@ -769,6 +777,7 @@ CONFIG_SCSI_LOWLEVEL=y # CONFIG_MEGARAID_SAS is not set # CONFIG_SCSI_MPT3SAS is not set # CONFIG_SCSI_MPT2SAS is not set +# CONFIG_SCSI_SMARTPQI is not set # CONFIG_SCSI_UFSHCD is not set # CONFIG_SCSI_HPTIOP is not set # CONFIG_SCSI_BUSLOGIC is not set @@ -937,6 +946,7 @@ CONFIG_SERIAL_8250_RUNTIME_UARTS=4 # CONFIG_SERIAL_8250_EXTENDED is not set # CONFIG_SERIAL_8250_DW is not set # CONFIG_SERIAL_8250_RT288X is not set +# CONFIG_SERIAL_8250_LPSS is not set # CONFIG_SERIAL_8250_MID is not set # CONFIG_SERIAL_8250_MOXA is not set @@ -969,6 +979,7 @@ CONFIG_HW_RANDOM_TPM=m # CONFIG_HPET is not set # CONFIG_HANGCHECK_TIMER is not set CONFIG_TCG_TPM=y +CONFIG_TCG_TIS_CORE=y CONFIG_TCG_TIS=y # CONFIG_TCG_TIS_I2C_ATMEL is not set # CONFIG_TCG_TIS_I2C_INFINEON is not set 
@@ -977,6 +988,8 @@ CONFIG_TCG_TIS=y # CONFIG_TCG_ATMEL is not set # CONFIG_TCG_INFINEON is not set # CONFIG_TCG_CRB is not set +# CONFIG_TCG_VTPM_PROXY is not set +# CONFIG_TCG_TIS_ST33ZP24_I2C is not set # CONFIG_TELCLOCK is not set CONFIG_DEVPORT=y # CONFIG_XILLYBUS is not set @@ -1082,9 +1095,10 @@ CONFIG_I2C_SLAVE=y # # Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks. # -CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y # CONFIG_GPIOLIB is not set # CONFIG_W1 is not set +# CONFIG_POWER_AVS is not set +# CONFIG_POWER_RESET is not set CONFIG_POWER_SUPPLY=y # CONFIG_POWER_SUPPLY_DEBUG is not set # CONFIG_PDA_POWER is not set @@ -1101,8 +1115,6 @@ CONFIG_POWER_SUPPLY=y # CONFIG_CHARGER_BQ2415X is not set # CONFIG_CHARGER_SMB347 is not set # CONFIG_BATTERY_GAUGE_LTC2941 is not set -# CONFIG_POWER_RESET is not set -# CONFIG_POWER_AVS is not set # CONFIG_HWMON is not set CONFIG_THERMAL=y # CONFIG_THERMAL_WRITABLE_TRIPS is not set @@ -1155,6 +1167,7 @@ CONFIG_BCMA_POSSIBLE=y # CONFIG_MFD_DA9063 is not set # CONFIG_MFD_DA9150 is not set # CONFIG_MFD_DLN2 is not set +# CONFIG_MFD_EXYNOS_LPASS is not set # CONFIG_MFD_MC13XXX_I2C is not set # CONFIG_HTC_PASIC3 is not set # CONFIG_LPC_ICH is not set @@ -1183,7 +1196,6 @@ CONFIG_BCMA_POSSIBLE=y # CONFIG_MFD_RT5033 is not set # CONFIG_MFD_RTSX_USB is not set # CONFIG_MFD_RC5T583 is not set -# CONFIG_MFD_RN5T618 is not set # CONFIG_MFD_SEC_CORE is not set # CONFIG_MFD_SI476X_CORE is not set # CONFIG_MFD_SM501 is not set @@ -1200,6 +1212,7 @@ CONFIG_MFD_SYSCON=y # CONFIG_MFD_TPS65086 is not set # CONFIG_MFD_TPS65090 is not set # CONFIG_MFD_TPS65217 is not set +# CONFIG_MFD_TI_LP873X is not set # CONFIG_MFD_TPS65218 is not set # CONFIG_MFD_TPS6586X is not set # CONFIG_MFD_TPS65912_I2C is not set @@ -1319,6 +1332,7 @@ CONFIG_HID_GENERIC=y # CONFIG_HID_ZEROPLUS is not set # CONFIG_HID_ZYDACRON is not set # CONFIG_HID_SENSOR_HUB is not set +# CONFIG_HID_ALPS is not set # # USB HID support 
@@ -1331,6 +1345,11 @@ CONFIG_USB_HID=y # I2C HID support # # CONFIG_I2C_HID is not set + +# +# Intel ISH HID support +# +# CONFIG_INTEL_ISH_HID is not set CONFIG_USB_OHCI_LITTLE_ENDIAN=y CONFIG_USB_SUPPORT=y CONFIG_USB_COMMON=y @@ -1345,7 +1364,6 @@ CONFIG_USB_DEFAULT_PERSIST=y # CONFIG_USB_DYNAMIC_MINORS is not set # CONFIG_USB_OTG_WHITELIST is not set # CONFIG_USB_OTG_BLACKLIST_HUB is not set -# CONFIG_USB_ULPI_BUS is not set # CONFIG_USB_MON is not set # CONFIG_USB_WUSB_CBAF is not set @@ -1429,7 +1447,6 @@ CONFIG_USB_STORAGE=y # CONFIG_USB_RIO500 is not set # CONFIG_USB_LEGOTOWER is not set # CONFIG_USB_LCD is not set -# CONFIG_USB_LED is not set # CONFIG_USB_CYPRESS_CY7C63 is not set # CONFIG_USB_CYTHERM is not set # CONFIG_USB_IDMOUSE is not set @@ -1445,6 +1462,7 @@ CONFIG_USB_STORAGE=y # CONFIG_USB_YUREX is not set # CONFIG_USB_EZUSB_FX2 is not set # CONFIG_USB_HSIC_USB3503 is not set +# CONFIG_USB_HSIC_USB4604 is not set # CONFIG_USB_LINK_LAYER_TEST is not set # CONFIG_USB_CHAOSKEY is not set # CONFIG_UCSI is not set @@ -1456,6 +1474,7 @@ CONFIG_USB_STORAGE=y # CONFIG_NOP_USB_XCEIV is not set # CONFIG_USB_ISP1301 is not set # CONFIG_USB_GADGET is not set +# CONFIG_USB_ULPI_BUS is not set # CONFIG_UWB is not set # CONFIG_MMC is not set # CONFIG_MEMSTICK is not set @@ -1465,6 +1484,7 @@ CONFIG_EDAC_ATOMIC_SCRUB=y CONFIG_EDAC_SUPPORT=y # CONFIG_EDAC is not set CONFIG_RTC_LIB=y +CONFIG_RTC_MC146818_LIB=y CONFIG_RTC_CLASS=y CONFIG_RTC_HCTOSYS=y CONFIG_RTC_HCTOSYS_DEVICE="rtc0" @@ -1493,7 +1513,6 @@ CONFIG_RTC_INTF_DEV=y # CONFIG_RTC_DRV_RS5C372 is not set # CONFIG_RTC_DRV_ISL1208 is not set # CONFIG_RTC_DRV_ISL12022 is not set -# CONFIG_RTC_DRV_ISL12057 is not set # CONFIG_RTC_DRV_X1205 is not set # CONFIG_RTC_DRV_PCF8523 is not set # CONFIG_RTC_DRV_PCF85063 is not set 
@@ -1606,6 +1625,10 @@ CONFIG_IOMMU_SUPPORT=y # # SOC (System On Chip) specific Drivers # + +# +# Broadcom SoC drivers +# # CONFIG_SUNXI_SRAM is not set # CONFIG_SOC_TI is not set # CONFIG_PM_DEVFREQ is not set @@ -1691,6 +1714,7 @@ CONFIG_FS_MBCACHE=y # CONFIG_F2FS_FS is not set # CONFIG_FS_DAX is not set # CONFIG_FS_POSIX_ACL is not set +# CONFIG_EXPORTFS_BLOCK_OPS is not set # CONFIG_FILE_LOCKING is not set # CONFIG_FS_ENCRYPTION is not set # CONFIG_FSNOTIFY is not set @@ -1737,6 +1761,7 @@ CONFIG_KERNFS=y CONFIG_SYSFS=y # CONFIG_HUGETLBFS is not set # CONFIG_HUGETLB_PAGE is not set +CONFIG_ARCH_HAS_GIGANTIC_PAGE=y # CONFIG_CONFIGFS_FS is not set # CONFIG_MISC_FILESYSTEMS is not set CONFIG_NLS=y @@ -1915,12 +1940,9 @@ CONFIG_RCU_CPU_STALL_TIMEOUT=21 # CONFIG_NOTIFIER_ERROR_INJECTION is not set # CONFIG_FAULT_INJECTION is not set # CONFIG_LATENCYTOP is not set -CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS=y -# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set CONFIG_USER_STACKTRACE_SUPPORT=y CONFIG_HAVE_FUNCTION_TRACER=y CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y -CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y CONFIG_HAVE_DYNAMIC_FTRACE=y CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y @@ -1960,6 +1982,7 @@ CONFIG_TRACING_SUPPORT=y CONFIG_HAVE_ARCH_KGDB=y # CONFIG_KGDB is not set CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y +# CONFIG_ARCH_WANTS_UBSAN_NO_NULL is not set # CONFIG_UBSAN is not set CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y # CONFIG_STRICT_DEVMEM is not set @@ -1999,6 +2022,10 @@ CONFIG_OPTIMIZE_INLINING=y # CONFIG_KEYS is not set # CONFIG_SECURITY_DMESG_RESTRICT is not set CONFIG_SECURITYFS=y +CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y +CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y +CONFIG_HARDENED_USERCOPY=y +# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set CONFIG_DEFAULT_SECURITY_DAC=y CONFIG_DEFAULT_SECURITY="" CONFIG_CRYPTO=y 
@@ -2019,7 +2046,10 @@ CONFIG_CRYPTO_RNG2=y CONFIG_CRYPTO_RNG_DEFAULT=m CONFIG_CRYPTO_AKCIPHER2=y CONFIG_CRYPTO_AKCIPHER=m +CONFIG_CRYPTO_KPP2=y CONFIG_CRYPTO_RSA=m +# CONFIG_CRYPTO_DH is not set +# CONFIG_CRYPTO_ECDH is not set CONFIG_CRYPTO_MANAGER=y CONFIG_CRYPTO_MANAGER2=y CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y @@ -2088,8 +2118,11 @@ CONFIG_CRYPTO_SHA1_SSSE3=m CONFIG_CRYPTO_SHA256_SSSE3=m CONFIG_CRYPTO_SHA512_SSSE3=m CONFIG_CRYPTO_SHA1_MB=m +# CONFIG_CRYPTO_SHA256_MB is not set +# CONFIG_CRYPTO_SHA512_MB is not set CONFIG_CRYPTO_SHA256=y CONFIG_CRYPTO_SHA512=y +# CONFIG_CRYPTO_SHA3 is not set CONFIG_CRYPTO_TGR192=m CONFIG_CRYPTO_WP512=m CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m @@ -2217,7 +2250,6 @@ CONFIG_HAS_IOPORT_MAP=y CONFIG_HAS_DMA=y CONFIG_GLOB=y # CONFIG_GLOB_SELFTEST is not set -CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y CONFIG_CLZ_TAB=y CONFIG_CORDIC=m # CONFIG_DDR is not set @@ -2228,3 +2260,4 @@ CONFIG_SG_POOL=y CONFIG_ARCH_HAS_SG_CHAIN=y CONFIG_ARCH_HAS_PMEM_API=y CONFIG_ARCH_HAS_MMIO_FLUSH=y +CONFIG_SBITMAP=y diff --git a/modules/linux b/modules/linux index 5badbcae..35a58920 100644 --- a/modules/linux +++ b/modules/linux @@ -1,12 +1,13 @@ modules += linux -linux_version := 4.7 +linux_version := 4.9 linux_dir := linux-$(linux_version) linux_tar := linux-$(linux_version).tar.xz linux_url := https://cdn.kernel.org/pub/linux/kernel/v4.x/$(linux_tar) linux-4.6.4_hash := 8568d41c7104e941989b14a380d167129f83db42c04e950d8d9337fe6012ff7e linux-4.7_hash := 5190c3d1209aeda04168145bf50569dc0984f80467159b1dc50ad731e3285f10 +linux-4.9_hash := 029098dcffab74875e086ae970e3828456838da6e0ba22ce3f64ef764f3d7f1a linux_hash := $(linux-$(linux_version)_hash) From aa3375f5ef00ec74eae6a9a7d6c7544cdd3d6f11 Mon Sep 17 00:00:00 2001 
From: Paul Menzel Date: Tue, 13 Dec 2016 18:02:35 +0100 Subject: [PATCH 25/30] Spell coreboot all lowercase [coreboot](https://www.coreboot.org/) is officially spelled all lowercase. --- Makefile | 2 +- README.md | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index f5f3eeec..d27f013e 100644 --- a/Makefile +++ b/Makefile @@ -240,7 +240,7 @@ $(build)/$(coreboot_dir)/bzImage: $(call outputs,linux) $(call outputs,coreboot): $(build)/$(coreboot_dir)/bzImage -# The CoreBoot gcc won't work for us since it doesn't have libc +# The coreboot gcc won't work for us since it doesn't have libc #XGCC := $(build)/$(coreboot_dir)/util/crossgcc/xgcc/ #export CC := $(XGCC)/bin/x86_64-elf-gcc #export LDFLAGS := -L/lib/x86_64-linux-gnu diff --git a/README.md b/README.md index da50ce66..97c4c561 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,7 @@ Building heads Components: -* CoreBoot +* coreboot * Linux * busybox * kexec @@ -240,9 +240,9 @@ algorithm. You could store the hashes in the ROM, but that would not allow upgrades without rewriting the ROM. -CoreBoot console messages +coreboot console messages --- -The CoreBoot console messages are stored in the CBMEM region +The coreboot console messages are stored in the CBMEM region and can be read by the Linux payload with the `cbmem --console | less` command. There is lots of interesting data about the state of the system. From 92b20bdfb6a8c3976828ad093e3fa45a9b6ceda2 Mon Sep 17 00:00:00 2001 From: Paul Menzel Date: Tue, 13 Dec 2016 19:10:21 +0100 Subject: [PATCH 26/30] Strip trailing whitespace --- Makefile | 6 +++--- README.md | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index d27f013e..ba511382 100644 --- a/Makefile +++ b/Makefile 
@@ -81,7 +81,7 @@ define define_module = $(build)/$($1_dir)/.config: config/$($1_config) $(build)/$($1_dir)/.canary cp -a "$$<" "$$@" endif - + # Use the module's configure variable to build itself $(build)/$($1_dir)/.configured: \ @@ -215,7 +215,7 @@ initrd.cpio: $(initrd_bins) $(initrd_libs) initrd_lib_install ) \ | cpio --quiet -H newc -o \ | ../cpio-clean \ - > "../$@.tmp" + > "../$@.tmp" if ! cmp --quiet "$@" "$@.tmp"; then \ mv "$@.tmp" "$@"; \ else \ @@ -224,7 +224,7 @@ initrd.cpio: $(initrd_bins) $(initrd_libs) initrd_lib_install fi initrd.intermediate: initrd.cpio - + # populate the coreboot initrd image from the one we built. # 4.4 doesn't allow this, but building from head does. diff --git a/README.md b/README.md index 97c4c561..55bcda61 100644 --- a/README.md +++ b/README.md @@ -35,7 +35,7 @@ Components: The top level `Makefile` will handle most of the details -- it downloads the various packages, patches them, configures and builds, and then -copies the necessary parts into the `initrd` directory. +copies the necessary parts into the `initrd` directory. Notes: --- From 45ba75949b0fc327c81e16f51d2a42d7741d540c Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Tue, 13 Dec 2016 14:58:23 -0500 Subject: [PATCH 27/30] kernel 4.9 setup with framebuffer for x230 (issue #64) --- config/linux.config | 154 ++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 148 insertions(+), 6 deletions(-) diff --git a/config/linux.config b/config/linux.config index d5d9d793..dd691718 100644 --- a/config/linux.config +++ b/config/linux.config @@ -171,7 +171,7 @@ CONFIG_EPOLL=y # CONFIG_TIMERFD is not set # CONFIG_EVENTFD is not set # CONFIG_BPF_SYSCALL is not set -# CONFIG_SHMEM is not set +CONFIG_SHMEM=y # CONFIG_AIO is not set # CONFIG_ADVISE_SYSCALLS is not set # CONFIG_USERFAULTFD is not set 
@@ -408,6 +408,7 @@ CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y CONFIG_PHYS_ADDR_T_64BIT=y # CONFIG_BOUNCE is not set CONFIG_VIRT_TO_BUS=y +CONFIG_MMU_NOTIFIER=y # CONFIG_KSM is not set CONFIG_DEFAULT_MMAP_MIN_ADDR=65536 CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y @@ -470,6 +471,7 @@ CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y CONFIG_ACPI_AC=y CONFIG_ACPI_BATTERY=y CONFIG_ACPI_BUTTON=y +CONFIG_ACPI_VIDEO=y CONFIG_ACPI_FAN=y # CONFIG_ACPI_DOCK is not set CONFIG_ACPI_CPU_FREQ_PSS=y @@ -594,7 +596,8 @@ CONFIG_GENERIC_CPU_AUTOPROBE=y CONFIG_REGMAP=y CONFIG_REGMAP_I2C=y CONFIG_REGMAP_MMIO=y -# CONFIG_DMA_SHARED_BUFFER is not set +CONFIG_DMA_SHARED_BUFFER=y +# CONFIG_FENCE_TRACE is not set # # Bus devices @@ -1015,7 +1018,7 @@ CONFIG_I2C_MUX_REG=m # # I2C Algorithms # -# CONFIG_I2C_ALGOBIT is not set +CONFIG_I2C_ALGOBIT=y # CONFIG_I2C_ALGOPCF is not set # CONFIG_I2C_ALGOPCA is not set 
@@ -1235,21 +1238,148 @@ CONFIG_MFD_SYSCON=y # Graphics support # # CONFIG_AGP is not set +CONFIG_INTEL_GTT=y CONFIG_VGA_ARB=y CONFIG_VGA_ARB_MAX_GPUS=16 # CONFIG_VGA_SWITCHEROO is not set -# CONFIG_DRM is not set +CONFIG_DRM=y +CONFIG_DRM_MIPI_DSI=y +# CONFIG_DRM_DP_AUX_CHARDEV is not set +CONFIG_DRM_KMS_HELPER=y +CONFIG_DRM_KMS_FB_HELPER=y +CONFIG_DRM_FBDEV_EMULATION=y +# CONFIG_DRM_LOAD_EDID_FIRMWARE is not set + +# +# I2C encoder or helper chips +# +# CONFIG_DRM_I2C_CH7006 is not set +# CONFIG_DRM_I2C_SIL164 is not set +# CONFIG_DRM_I2C_NXP_TDA998X is not set +# CONFIG_DRM_RADEON is not set +# CONFIG_DRM_AMDGPU is not set # # ACP (Audio CoProcessor) Configuration # +# CONFIG_DRM_NOUVEAU is not set +CONFIG_DRM_I915=y +CONFIG_DRM_I915_PRELIMINARY_HW_SUPPORT=y +CONFIG_DRM_I915_USERPTR=y +# CONFIG_DRM_I915_GVT is not set + +# +# drm/i915 Debugging +# +# CONFIG_DRM_I915_WERROR is not set +# CONFIG_DRM_I915_DEBUG is not set +# CONFIG_DRM_VGEM is not set +# CONFIG_DRM_VMWGFX is not set +# CONFIG_DRM_GMA500 is not set +# CONFIG_DRM_UDL is not set +# CONFIG_DRM_AST is not set +# CONFIG_DRM_MGAG200 is not set +# CONFIG_DRM_CIRRUS_QEMU is not set +# CONFIG_DRM_QXL is not set +# CONFIG_DRM_BOCHS is not set +CONFIG_DRM_PANEL=y + +# +# Display Panels +# +CONFIG_DRM_BRIDGE=y + +# +# Display Interface Bridges +# +# CONFIG_DRM_ANALOGIX_ANX78XX is not set +# CONFIG_DRM_LEGACY is not set # # Frame buffer Devices # -# CONFIG_FB is not set -# CONFIG_BACKLIGHT_LCD_SUPPORT is not set +CONFIG_FB=y +# CONFIG_FIRMWARE_EDID is not set +CONFIG_FB_CMDLINE=y +CONFIG_FB_NOTIFY=y +# CONFIG_FB_DDC is not set +CONFIG_FB_BOOT_VESA_SUPPORT=y +CONFIG_FB_CFB_FILLRECT=y +CONFIG_FB_CFB_COPYAREA=y +CONFIG_FB_CFB_IMAGEBLIT=y +# CONFIG_FB_CFB_REV_PIXELS_IN_BYTE is not set +CONFIG_FB_SYS_FILLRECT=y +CONFIG_FB_SYS_COPYAREA=y +CONFIG_FB_SYS_IMAGEBLIT=y +# CONFIG_FB_FOREIGN_ENDIAN is not set +CONFIG_FB_SYS_FOPS=y +CONFIG_FB_DEFERRED_IO=y +# CONFIG_FB_SVGALIB is not set +# CONFIG_FB_MACMODES is not set +# 
CONFIG_FB_BACKLIGHT is not set +# CONFIG_FB_MODE_HELPERS is not set +# CONFIG_FB_TILEBLITTING is not set + +# +# Frame buffer hardware drivers +# +# CONFIG_FB_CIRRUS is not set +# CONFIG_FB_PM2 is not set +# CONFIG_FB_CYBER2000 is not set +# CONFIG_FB_ARC is not set +# CONFIG_FB_ASILIANT is not set +# CONFIG_FB_IMSTT is not set +# CONFIG_FB_VGA16 is not set +CONFIG_FB_VESA=y +# CONFIG_FB_N411 is not set +# CONFIG_FB_HGA is not set +# CONFIG_FB_OPENCORES is not set +# CONFIG_FB_S1D13XXX is not set +# CONFIG_FB_NVIDIA is not set +# CONFIG_FB_RIVA is not set +# CONFIG_FB_I740 is not set +# CONFIG_FB_LE80578 is not set +# CONFIG_FB_MATROX is not set +# CONFIG_FB_RADEON is not set +# CONFIG_FB_ATY128 is not set +# CONFIG_FB_ATY is not set +# CONFIG_FB_S3 is not set +# CONFIG_FB_SAVAGE is not set +# CONFIG_FB_SIS is not set +# CONFIG_FB_NEOMAGIC is not set +# CONFIG_FB_KYRO is not set +# CONFIG_FB_3DFX is not set +# CONFIG_FB_VOODOO1 is not set +# CONFIG_FB_VT8623 is not set +# CONFIG_FB_TRIDENT is not set +# CONFIG_FB_ARK is not set +# CONFIG_FB_PM3 is not set +# CONFIG_FB_CARMINE is not set +# CONFIG_FB_SMSCUFX is not set +# CONFIG_FB_UDL is not set +# CONFIG_FB_IBM_GXT4500 is not set +# CONFIG_FB_VIRTUAL is not set +# CONFIG_FB_METRONOME is not set +# CONFIG_FB_MB862XX is not set +# CONFIG_FB_BROADSHEET is not set +# CONFIG_FB_AUO_K190X is not set +# CONFIG_FB_SIMPLE is not set +# CONFIG_FB_SM712 is not set +CONFIG_BACKLIGHT_LCD_SUPPORT=y +CONFIG_LCD_CLASS_DEVICE=m +# CONFIG_LCD_PLATFORM is not set +CONFIG_BACKLIGHT_CLASS_DEVICE=y +CONFIG_BACKLIGHT_GENERIC=y +# CONFIG_BACKLIGHT_APPLE is not set +# CONFIG_BACKLIGHT_PM8941_WLED is not set +# CONFIG_BACKLIGHT_SAHARA is not set +# CONFIG_BACKLIGHT_ADP8860 is not set +# CONFIG_BACKLIGHT_ADP8870 is not set +# CONFIG_BACKLIGHT_LM3639 is not set +# CONFIG_BACKLIGHT_LV5207LP is not set +# CONFIG_BACKLIGHT_BD6107 is not set # CONFIG_VGASTATE is not set +CONFIG_HDMI=y # # Console display driver support 
@@ -1259,6 +1389,10 @@ CONFIG_VGA_CONSOLE=y CONFIG_DUMMY_CONSOLE=y CONFIG_DUMMY_CONSOLE_COLUMNS=80 CONFIG_DUMMY_CONSOLE_ROWS=25 +CONFIG_FRAMEBUFFER_CONSOLE=y +CONFIG_FRAMEBUFFER_CONSOLE_DETECT_PRIMARY=y +# CONFIG_FRAMEBUFFER_CONSOLE_ROTATION is not set +# CONFIG_LOGO is not set # CONFIG_SOUND is not set # @@ -1759,6 +1893,9 @@ CONFIG_PROC_FS=y # CONFIG_PROC_CHILDREN is not set CONFIG_KERNFS=y CONFIG_SYSFS=y +CONFIG_TMPFS=y +# CONFIG_TMPFS_POSIX_ACL is not set +# CONFIG_TMPFS_XATTR is not set # CONFIG_HUGETLBFS is not set # CONFIG_HUGETLB_PAGE is not set CONFIG_ARCH_HAS_GIGANTIC_PAGE=y @@ -2245,6 +2382,7 @@ CONFIG_DECOMPRESS_XZ=y CONFIG_GENERIC_ALLOCATOR=y CONFIG_REED_SOLOMON=y CONFIG_REED_SOLOMON_DEC8=y +CONFIG_INTERVAL_TREE=y CONFIG_HAS_IOMEM=y CONFIG_HAS_IOPORT_MAP=y CONFIG_HAS_DMA=y @@ -2255,6 +2393,10 @@ CONFIG_CORDIC=m # CONFIG_DDR is not set CONFIG_IRQ_POLL=y CONFIG_MPILIB=m +CONFIG_FONT_SUPPORT=y +# CONFIG_FONTS is not set +CONFIG_FONT_8x8=y +CONFIG_FONT_8x16=y # CONFIG_SG_SPLIT is not set CONFIG_SG_POOL=y CONFIG_ARCH_HAS_SG_CHAIN=y From ccea67e8b4b9bf46676a72e76578a8ec212dcb29 Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Tue, 13 Dec 2016 15:10:47 -0500 Subject: [PATCH 28/30] shell scripts to help rewrite Qubes initrd /etc/crypttab (issue #29) --- initrd/bin/generate-crypttab | 11 +++++++++++ initrd/bin/wrap-cpio | 21 +++++++++++++++++++++ 2 files changed, 32 insertions(+) create mode 100755 initrd/bin/generate-crypttab create mode 100755 initrd/bin/wrap-cpio diff --git a/initrd/bin/generate-crypttab b/initrd/bin/generate-crypttab new file mode 100755 index 00000000..47cb97ef --- /dev/null +++ b/initrd/bin/generate-crypttab 
@@ -0,0 +1,11 @@
+#!/bin/sh
+# Generate a crypttab file for all the devices that are
+# present on the system. This is a total hack since the
+# rd.luks.key=/secret.key should be sufficient.
+
+keyfile=/secret.key
+
+for dev in /dev/sd*; do
+ uuid=`cryptsetup luksUUID "$dev" 2>/dev/null` || continue
+ echo "luks-$uuid /dev/disk/by-uuid/$uuid $keyfile luks"
+done
diff --git a/initrd/bin/wrap-cpio b/initrd/bin/wrap-cpio
new file mode 100755
index 00000000..f2b004d2
--- /dev/null
+++ b/initrd/bin/wrap-cpio
@@ -0,0 +1,21 @@
+#!/bin/sh
+# Add additional files to the initrd cpio so that we can pass
+# new keys to the Qubes startup routines.
+# Usage:
+# wrap-cpio /boot/initrd.blah /tmp/root/ > /tmp/new.cpio
+
+die() { echo >&2 "$@"; exit 1; }
+warn() { echo >&2 "$@"; }
+
+cpio_file="$1"
+if [ -z "$cpio_file" ]; then
+ die "Initial cpio must be specified"
+fi
+
+new_dir="$2"
+if [ -z "$new_dir" ]; then
+ die "Additional directory must be specified"
+fi
+
+( cd "$new_dir" ; find . | cpio -H newc -ov )
+cat "$cpio_file"
From 24dd8489b421f32177b3bc5f0ae2f38244f18a76 Mon Sep 17 00:00:00 2001
From: Trammell Hudson
Date: Mon, 26 Dec 2016 10:55:43 -0500
Subject: [PATCH 29/30] use the mega-binary version of the tpm utilities (issue #70)
---
 modules/tpmtotp | 20 +-------------------
 1 file changed, 1 insertion(+), 19 deletions(-)
diff --git a/modules/tpmtotp b/modules/tpmtotp
index d4773780..8366e1d8 100644
--- a/modules/tpmtotp
+++ b/modules/tpmtotp
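Review bot: The loop at `for dev in /dev/sd*; do` in generate-crypttab enumerates every attached SCSI/SATA block device and partition, removable media included, and emits a crypttab entry pointing at the secret key file for each one that carries a LUKS header, so the key is offered to whatever drive happens to be present at boot rather than only the Qubes volumes; if that is the intent, say so in the header comment, e.g. `# NOTE: every LUKS device matching /dev/sd* is listed, including removable media`. When the glob matches nothing, the literal `/dev/sd*` is passed to cryptsetup and the failure is hidden by `2>/dev/null` before `|| continue`, which is harmless but worth a comment. Style: prefer `uuid=$(cryptsetup luksUUID "$dev" 2>/dev/null) || continue` over backticks, and `printf '%s\n' "luks-$uuid /dev/disk/by-uuid/$uuid $keyfile luks"` over echo.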
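Review bot: In wrap-cpio, `( cd "$new_dir" ; find . | cpio -H newc -ov )` keeps going when the `cd` fails: the script does not use `set -e`, so `find .` then archives the caller's working directory into the initrd and the only symptom is cpio's listing on stderr; make it `( cd "$new_dir" || exit 1; find . | cpio -H newc -ov ) || die "cannot archive $new_dir"`. Separately, the new archive is emitted before the original one, and the kernel unpacks concatenated cpio archives in order with later entries replacing earlier ones of the same path, so if the Qubes initrd already ships a file at a path you are adding (presumably the `/etc/crypttab` this series is about) the original copy wins; if the additions are meant to override, emit `cat "$cpio_file"` first — confirm against the actual initrd contents. `warn()` is defined but never used.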
@@ -18,25 +18,7 @@ tpmtotp_output := \ qrenc \ sealtotp.sh \ unsealtotp.sh \ - util/nv \ - util/nv_definespace \ - util/nv_readvalue \ - util/nv_writevalue \ - util/clearown \ - util/takeown \ - util/forceclear \ - util/pcrreset \ - util/physicaldisable \ - util/physicalenable \ - util/physicalpresence \ - util/physicalsetdeactivated \ - util/getcapability \ - util/sealfile2 \ - util/unsealfile \ - util/counter_create \ - util/counter_increment \ - util/counter_read \ - util/counter_release \ + util/tpm \ tpmtotp_libraries := \ libtpm/libtpm.so \ From 73a3b6d08f6bab0b63a0ebaf97c70138bdade128 Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Mon, 26 Dec 2016 16:29:36 -0500 Subject: [PATCH 30/30] removed old info, added link to presentatoin --- README.md | 167 +----------------------------------------------------- 1 file changed, 3 insertions(+), 164 deletions(-) diff --git a/README.md b/README.md index 55bcda61..1e9c2bd8 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ to commodity hardware. Among its goals are: * Measure and attest to the state of the firmware * Measure and verify all filesystems -![Flashing Heads into the boot ROM](https://farm9.staticflickr.com/8887/28070128343_b6e942fa60_z_d.jpg) +![Flashing Heads into the boot ROM](https://farm1.staticflickr.com/553/30969183324_c31d8f2dee_z_d.jpg) NOTE: It is a work in progress and not yet ready for users. If you're interested in contributing, please get in touch. @@ -20,6 +20,8 @@ Installation requires disassembly of your laptop or server, external SPI flash programmers, possible risk of destruction and significant frustration. +More information is available in [the 33C3 presentation of building "Slightly more secure systems"](https://trmm.net/Heads_33c3). + Building heads === 
@@ -49,169 +51,6 @@ of the Xen command line. Booting or installing Qubes is a bit hacky and needs t * Coreboot 4.4 does not handle initrd separately from the kernel correctly, so it must be bundled into the coreboot image. Building from git does the right thing. -Threat model -=== -Heads considers two broad classes of threats: - -* Attackers with physical access to the system -** Customs officials, LEO, etc with brief access -** "Evil maid" attacks with longer, but still limited access (sans password) -** Stolen machines, with unlimited physical access without password -** Insider attacks with unlimited time, with password -** Insider attacks with unlimited time, with password and without regard for the machine - -* Attackers with ring0 code execution on the runtime system - -The first is hardest to deal with since it allows an attacker to -make physical changes to the machine. Without a hardware root of -trust and secrets stored inside that CPU, it is very difficult to -project against a physical attackers who can replace components and -fake measurements. Hardware measurements of the boot ROM (such as -Intel's Boot Guard) can help, although a dedicated attacker could -replace the CPU with one that is not fused to do the initial measurement. -The best that we can do is to lock the bootblock on the SPI flash, -perform the first measurement from it and hope that there are not any -exploits against the chip itself. - -The second class is also a difficult challenge, but since it is only -a software attack, we have better hopes of handling with some harware -modifications. The SPI flash chip's boot block protection modes can -be locked on and the WP# pin grounded, which will prevent any software -attacks from overwriting that portion of the boot ROM. This gives us -a better root of trust than the EFI configurations, most of which do -not lock the boot ROM. 
- -Even if they are not able to write to the ROM, the attackers might -be able to use their software code execution to modify the system -software or boot partition on the drive. The recommended OS -configuration is a read-only `/boot` and `/` filesystem, with -only the user data directories writable. Additional protection -comes from using dm-verity on the file systems, which will -detect any writes to the filesystem through a hash tree -that is signed by the user's (offline) key. - -Updates to `/` or `/boot` will require a special boot mode, -which can be selected by the boot firmware. After the file -systems are updated, the user can sign the new hashes with their -key on a different machine and store the signed root hash on the -drive. TPM keys might need to be migrated as well for the recovery -boot mode. On next boot the firmware will mount the drives read-only -and verify that the correct key was used to sign the changes, -and the TPM should be able to unseal the secrets for TPMTOTP -as well as the drive decryption. - - - ---- - - -dm-verity setup -=== -*You must install `libdevmapper-dev`, `libpopt-dev` and `libgcrypt-dev` to build cryptsetup* - -This set of tools isn't the easiest to use. It is possible to store -hashes on the device that is being hashed if some work is done ahead -of time to reserve the last few blocks or if the file system can be -resized. - -The size of the hash table grows logarithmic with the size of the -filesystem. Every 4K block is hashed, and then 4K of those blocks -are hashed, and so on until there is only one hash left. -Each hash is 32 bytes, so the hash tree size is 32 * log_4096(fs) - -The hashes can be stored on a separate device or on the free space -at the end of an existing partition. This will require resizing -if you didn't allocate the space initially. - -The sizes of physical partitions can be read (in 512-byte blocks) from -`/sys/class/block/sda1/size`. 
The `resize2fs` tool (assuming you're using -a normal ext4 filesystem) will not resize smaller than the free -space. Figure out the desired size - - fs_size = $[30 * 1024 * 1024] - e2fsck hdd.img - resize2fs hdd.img $fs_size - -Once the file system has been resized to make space at the end, -the dm-verity tools can generate the hashes. The file system -must be unmounted before this is done, otherwise the hashes -will not be correct. - - veritysetup \ - --data-blocks $[$fs_size / 4096] \ - --hash-offset $fs_size \ - format hdd.img hdd.img \ - | tee verity.log - -This will output a text file that contains several important -constants for mounting the filesystem later: - - VERITY header information for hdd.img - UUID: 73532888-a3e9-4f16-a50a-1d03a265b94f - Hash type: 1 - Data blocks: 7680 - Data block size: 4096 - Hash block size: 4096 - Hash algorithm: sha256 - Salt: 3d0cd593d29715005794c4e1cd5164c14ba6456c3dbd2c6d8a26007c01ca9937 - Root hash: 91beda90d7fa1ab92463344966eb56ec9706f4f26063933a86d701a02a961a10 - -Unfortunately this is in the wrong form for the `dmsetup` command -and must be reformmated like this: - - dmsetup create vroot --readonly --table \ - "0 61440 verity 1 /dev/sda /dev/sda 4096 4096 7680 7681 sha256 "\ - "c51e171a1403eda7636c89f10d90066d6a593223399fdd4c36ab214da3c6fc11 "\ - "f6c6c6b6cbdf2682d6213e65b0e577cb57c8af3015f88f9a40fb512eaf48aca9" - -The 61440 is the number of 512-byte blocks that the filesystem uses. -The two 4096 are the data block size and hash block size. -The 7680 is the number of data blocks and the 7861 is the first -datablock containing hashes (note that block 7680 contains the `VERITY` -header and the salt, but not the root hash). The hash and salt are -reversed in the order from the `veritysetup` printout. - -We sign this command and stash it in the block after the `VERITY` -header so that the firmware can validate the image before mounting it. 
-This does require that the firmware be able to find the header; -for now we have it hard coded. - - -mbedtls vs OpenSSL ---- -mbedtls is a significantly smaller and more modular library than -OpenSSL's libcrypto (380KB vs 2.3MB). It is not API compatible, -so applications must be written to use it. - -One the build host side we can make use of openssl's tools, but in -the firmware we are limited to the smaller library. They are mostly -compatible, although the tools are quite different. - -Generate the private/public key pair (and copy the public key to -the initrd): - - openssl genrsa -aes256 -out signing.key - openssl rsa -pubout -in signing.key -out signing.pub - -Sign something (requires password and private key): - - openssl pkeyutl \ - -sign \ - -inkey signing.key \ - -in roothash \ - -out roothash.sig - -Verify it (requires public key, no password): - - openssl pkeyutl \ - -verify \ - -pubin - -inkey signing.pub \ - -sigfile roothash.sig \ - -in roothash - -but this doesn't work with pk_verify from mbedtls. more work is necessary. - Signing with GPG ---