ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2025-01-18 02:39:59 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge branch 'master' into gpgexport-factoryreset

Browse Source
This commit is contained in:
Alexander Paetzelt 2020-08-05 10:49:04 +02:00 committed by GitHub
commit c725f869e2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
43 changed files with 343 additions and 400 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
.gitlab-ci.yml
View File

@ -8,13 +8,13 @@ stages:
build:
stage: build
retry: 2
retry: 1
cache:
paths:
- packages
- crossgcc
- build
key: "heads-$GITLAB_USER_LOGIN"
key: "heads-$GITLAB_USER_LOGIN-2"
script:
- dnf install -y @development-tools gcc-c++ gcc-gnat zlib-devel perl-Digest-MD5 perl-Digest-SHA uuid-devel pcsc-tools ncurses-devel lbzip2 libuuid-devel lzma elfutils-libelf-devel bc bzip2 bison flex git gnupg iasl m4 nasm patch python wget libusb-devel cmake automake pv bsdiff autoconf libtool cpio texinfo
- git fetch origin
@ -75,6 +75,8 @@ build:
- cat ./build/qemu-coreboot/hashes.txt
- echo "Archiving qemu-coreboot logs..."
- tar zcvf ./build/qemu-coreboot/logs.tar.gz ./build/log/*
- echo "Calculate used space for cache"
- du -shc packages crossgcc build
artifacts:
paths:
- ./build/qemu-coreboot

2
Makefile
View File

@ -428,7 +428,7 @@ bin_modules-$(CONFIG_FLASHTOOLS) += flashtools
bin_modules-$(CONFIG_NEWT) += newt
bin_modules-$(CONFIG_CAIRO) += cairo
bin_modules-$(CONFIG_FBWHIPTAIL) += fbwhiptail
bin_modules-$(CONFIG_LIBREMKEY) += libremkey-hotp-verification
bin_modules-$(CONFIG_HOTPKEY) += hotp-verification
bin_modules-$(CONFIG_MSRTOOLS) += msrtools
$(foreach m, $(bin_modules-y), \

2
boards/kgpe-d16/kgpe-d16.config
View File

@ -1,5 +1,7 @@
# Configuration for a kgpe-d16 running non-Qubes
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
CONFIG_COREBOOT_CONFIG=config/coreboot-kgpe-d16.config
CONFIG_LINUX_CONFIG=config/linux-kgpe-d16.config

4
boards/librem13v2/librem13v2.config
View File

@ -3,6 +3,8 @@ CONFIG_LINUX_CONFIG=config/linux-librem13v2.config
CONFIG_COREBOOT_CONFIG=config/coreboot-librem13v2.config
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
CONFIG_CRYPTSETUP=y
CONFIG_FLASHROM=y
CONFIG_FLASHTOOLS=y
@ -20,7 +22,7 @@ CONFIG_TPMTOTP=y
#CONFIG_NEWT=y
CONFIG_CAIRO=y
CONFIG_FBWHIPTAIL=y
CONFIG_LIBREMKEY=y
CONFIG_HOTPKEY=y
CONFIG_LINUX_USB=y

4
boards/librem13v4/librem13v4.config
View File

@ -3,6 +3,8 @@ CONFIG_LINUX_CONFIG=config/linux-librem13v2.config
CONFIG_COREBOOT_CONFIG=config/coreboot-librem13v4.config
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
CONFIG_CRYPTSETUP=y
CONFIG_FLASHROM=y
CONFIG_FLASHTOOLS=y
@ -20,7 +22,7 @@ CONFIG_TPMTOTP=y
#CONFIG_NEWT=y
CONFIG_CAIRO=y
CONFIG_FBWHIPTAIL=y
CONFIG_LIBREMKEY=y
CONFIG_HOTPKEY=y
CONFIG_LINUX_USB=y

4
boards/librem15v3/librem15v3.config
View File

@ -5,6 +5,8 @@ CONFIG_LINUX_CONFIG=config/linux-librem13v2.config
CONFIG_COREBOOT_CONFIG=config/coreboot-librem15v3.config
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
CONFIG_CRYPTSETUP=y
CONFIG_FLASHROM=y
CONFIG_FLASHTOOLS=y
@ -22,7 +24,7 @@ CONFIG_TPMTOTP=y
#CONFIG_NEWT=y
CONFIG_CAIRO=y
CONFIG_FBWHIPTAIL=y
CONFIG_LIBREMKEY=y
CONFIG_HOTPKEY=y
CONFIG_LINUX_USB=y

4
boards/librem15v4/librem15v4.config
View File

@ -5,6 +5,8 @@ CONFIG_LINUX_CONFIG=config/linux-librem13v2.config
CONFIG_COREBOOT_CONFIG=config/coreboot-librem15v4.config
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
CONFIG_CRYPTSETUP=y
CONFIG_FLASHROM=y
CONFIG_FLASHTOOLS=y
@ -22,7 +24,7 @@ CONFIG_TPMTOTP=y
#CONFIG_NEWT=y
CONFIG_CAIRO=y
CONFIG_FBWHIPTAIL=y
CONFIG_LIBREMKEY=y
CONFIG_HOTPKEY=y
CONFIG_LINUX_USB=y

2
boards/qemu-coreboot-fbwhiptail/qemu-coreboot-fbwhiptail.config
View File

@ -2,6 +2,8 @@
# the qemu emulator in GUI mode thanks to FBWhiptail
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-fbwhiptail.config
CONFIG_LINUX_CONFIG=config/linux-qemu.config

2
boards/qemu-coreboot/qemu-coreboot.config
View File

@ -2,6 +2,8 @@
# the qemu emulator. Note that the TPM does not work, so this
# will just drop into the recovery shell.
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
CONFIG_COREBOOT_CONFIG=config/coreboot-qemu.config
CONFIG_LINUX_CONFIG=config/linux-qemu.config

2
boards/t420/t420.config
View File

@ -1,5 +1,7 @@
# Configuration for a T420 running Qubes and other OS, T420 is identical to X230 on the Linux Side of things.
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
CONFIG_COREBOOT_CONFIG=config/coreboot-t420.config
CONFIG_LINUX_CONFIG=config/linux-x230.config

2
boards/t430-flash/t430-flash.config
View File

@ -2,6 +2,8 @@
BOARD=t430.flash
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
CONFIG_FLASHROM=y
CONFIG_FLASHTOOLS=y
CONFIG_PCIUTILS=y

2
boards/t430/t430.config
View File

@ -1,5 +1,7 @@
# Configuration for a t430 running Qubes and other OSes
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
CONFIG_COREBOOT_CONFIG=config/coreboot-t430.config
CONFIG_LINUX_CONFIG=config/linux-x230.config

2
boards/x220/x220.config
View File

@ -1,5 +1,7 @@
# Configuration for a x220 running Qubes and other OS, X220 is identical to X230 on the Linux Side of things.
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
CONFIG_COREBOOT_CONFIG=config/coreboot-x220.config
CONFIG_LINUX_CONFIG=config/linux-x230.config

2
boards/x230-flash/x230-flash.config
View File

@ -2,6 +2,8 @@
BOARD=x230.flash
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
CONFIG_FLASHROM=y
#CONFIG_GPG=y
CONFIG_FLASHTOOLS=y

4
boards/x230-hotp-verification/x230-hotp-verification.config
View File

@ -1,6 +1,8 @@
# Configuration for a x230-hotp-verification (Nitrokey/Purism USB Security dongle enabled HOTP support)
# running Qubes and other OSes
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
CONFIG_COREBOOT_CONFIG=config/coreboot-x230-hotp-verification.config
CONFIG_LINUX_CONFIG=config/linux-x230.config
@ -22,7 +24,7 @@ CONFIG_DROPBEAR=y
#CONFIG_NEWT=y
CONFIG_CAIRO=y
CONFIG_FBWHIPTAIL=y
CONFIG_LIBREMKEY=y
CONFIG_HOTPKEY=y
CONFIG_LINUX_USB=y
CONFIG_LINUX_E1000E=y

2
boards/x230/x230.config
View File

@ -1,5 +1,7 @@
# Configuration for a x230 running Qubes and other OSes
export CONFIG_COREBOOT=y
export CONFIG_COREBOOT_VERSION=4.8.1
CONFIG_COREBOOT_CONFIG=config/coreboot-x230.config
CONFIG_LINUX_CONFIG=config/linux-x230.config

2
config/busybox.config
View File

@ -227,7 +227,7 @@ CONFIG_EXPR=y
CONFIG_EXPR_MATH_SUPPORT_64=y
CONFIG_FACTOR=y
CONFIG_FALSE=y
# CONFIG_FOLD is not set
CONFIG_FOLD=y
# CONFIG_FSYNC is not set
CONFIG_HEAD=y
CONFIG_FEATURE_FANCY_HEAD=y

48
initrd/bin/config-gui.sh
View File

@ -2,55 +2,9 @@
#
set -e -o pipefail
. /etc/functions
. /etc/gui_functions
. /tmp/config
file_selector() {
FILE=""
FILE_LIST=$1
MENU_MSG=${2:-"Choose the file"}
MENU_TITLE=${3:-"Select your File"}
# create file menu options
if [ `cat "$FILE_LIST" | wc -l` -gt 0 ]; then
option=""
while [ -z "$option" ]
do
MENU_OPTIONS=""
n=0
while read option
do
n=`expr $n + 1`
option=$(echo $option | tr " " "_")
MENU_OPTIONS="$MENU_OPTIONS $n ${option}"
done < $FILE_LIST
MENU_OPTIONS="$MENU_OPTIONS a Abort"
whiptail --clear --title "${MENU_TITLE}" \
--menu "${MENU_MSG} [1-$n, a to abort]:" 20 120 8 \
-- $MENU_OPTIONS \
2>/tmp/whiptail || die "Aborting"
option_index=$(cat /tmp/whiptail)
if [ "$option_index" = "a" ]; then
option="a"
return
fi
option=`head -n $option_index $FILE_LIST | tail -1`
if [ "$option" == "a" ]; then
return
fi
done
if [ -n "$option" ]; then
FILE=$option
fi
else
whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: No Files Found' \
--msgbox "No Files found matching the pattern. Aborting." 16 60
exit 1
fi
}
param=$1
while true; do

69
initrd/bin/flash-gui.sh
View File

@ -2,70 +2,9 @@
#
set -e -o pipefail
. /etc/functions
. /etc/gui_functions
. /tmp/config
mount_usb(){
# Mount the USB boot device
if ! grep -q /media /proc/mounts ; then
mount-usb && USB_FAILED=0 || USB_FAILED=1
if [ $USB_FAILED -ne 0 ]; then
whiptail --title 'USB Drive Missing' \
--msgbox "Insert your USB drive and press Enter to continue." 16 60
mount-usb && USB_FAILED=0 || USB_FAILED=1
if [ $USB_FAILED -ne 0 ]; then
whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Mounting /media Failed' \
--msgbox "Unable to mount USB device" 16 60
fi
fi
fi
}
file_selector() {
FILE=""
FILE_LIST=$1
MENU_MSG=${2:-"Choose the file"}
# create file menu options
if [ `cat "$FILE_LIST" | wc -l` -gt 0 ]; then
option=""
while [ -z "$option" ]
do
MENU_OPTIONS=""
n=0
while read option
do
n=`expr $n + 1`
option=$(echo $option | tr " " "_")
MENU_OPTIONS="$MENU_OPTIONS $n ${option}"
done < $FILE_LIST
MENU_OPTIONS="$MENU_OPTIONS a Abort"
whiptail --clear --title "Select your File" \
--menu "${MENU_MSG} [1-$n, a to abort]:" 20 120 8 \
-- $MENU_OPTIONS \
2>/tmp/whiptail || die "Aborting"
option_index=$(cat /tmp/whiptail)
if [ "$option_index" = "a" ]; then
option="a"
return
fi
option=`head -n $option_index $FILE_LIST | tail -1`
if [ "$option" == "a" ]; then
return
fi
done
if [ -n "$option" ]; then
FILE=$option
fi
else
whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: No Files Found' \
--msgbox "No Files found matching the pattern. Aborting." 16 60
exit 1
fi
}
while true; do
unset menu_choice
whiptail --clear --title "Firmware Management Menu" \
@ -83,7 +22,7 @@ while true; do
;;
f|c )
if (whiptail --title 'Flash the BIOS with a new ROM' \
--yesno "This requires you insert a USB drive containing:\n* Your BIOS image (*.rom)\n\nAfter you select this file, this program will reflash your BIOS\n\nDo you want to proceed?" 16 90) then
--yesno "You will need to insert a USB drive containing your BIOS image (*.rom).\n\nAfter you select this file, this program will reflash your BIOS.\n\nDo you want to proceed?" 16 90) then
mount_usb
if grep -q /media /proc/mounts ; then
find /media ! -path '*/\.*' -type f -name '*.rom' | sort > /tmp/filelist.txt
@ -95,7 +34,7 @@ while true; do
fi
if (whiptail --title 'Flash ROM?' \
--yesno "This will replace your old ROM with $ROM\n\nDo you want to proceed?" 16 90) then
--yesno "This will replace your current ROM with:\n\n$ROM\n\nDo you want to proceed?" 16 60) then
if [ "$menu_choice" == "c" ]; then
/bin/flash.sh -c "$ROM"
# after flash, /boot signatures are now invalid so go ahead and clear them
@ -110,7 +49,7 @@ while true; do
/bin/flash.sh "$ROM"
fi
whiptail --title 'ROM Flashed Successfully' \
--msgbox "$ROM flashed successfully.\nPress Enter to reboot" 16 60
--msgbox "$ROM flashed successfully.\n\nPress Enter to reboot\n" 16 60
umount /media
/bin/reboot
else

62
initrd/bin/gpg-gui.sh
View File

@ -2,69 +2,9 @@
#
set -e -o pipefail
. /etc/functions
. /etc/gui_functions
. /tmp/config
mount_usb(){
# Mount the USB boot device
if ! grep -q /media /proc/mounts ; then
mount-usb && USB_FAILED=0 || USB_FAILED=1
if [ $USB_FAILED -ne 0 ]; then
whiptail --title 'USB Drive Missing' \
--msgbox "Insert your USB drive and press Enter to continue." 16 60
mount-usb && USB_FAILED=0 || USB_FAILED=1
if [ $USB_FAILED -ne 0 ]; then
whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Mounting /media Failed' \
--msgbox "Unable to mount USB device" 16 60
fi
fi
fi
}
file_selector() {
FILE=""
FILE_LIST=$1
MENU_MSG=${2:-"Choose the file"}
# create file menu options
if [ `cat "$FILE_LIST" | wc -l` -gt 0 ]; then
option=""
while [ -z "$option" ]
do
MENU_OPTIONS=""
n=0
while read option
do
n=`expr $n + 1`
option=$(echo $option | tr " " "_")
MENU_OPTIONS="$MENU_OPTIONS $n ${option}"
done < $FILE_LIST
MENU_OPTIONS="$MENU_OPTIONS a Abort"
whiptail --clear --title "Select your File" \
--menu "${MENU_MSG} [1-$n, a to abort]:" 20 120 8 \
-- $MENU_OPTIONS \
2>/tmp/whiptail || die "Aborting"
option_index=$(cat /tmp/whiptail)
if [ "$option_index" = "a" ]; then
option="a"
return
fi
option=`head -n $option_index $FILE_LIST | tail -1`
if [ "$option" == "a" ]; then
return
fi
done
if [ -n "$option" ]; then
FILE=$option
fi
else
whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: No Files Found' \
--msgbox "No Files found matching the pattern. Aborting." 16 60
exit 1
fi
}
gpg_flash_rom() {
if [ "$1" = "replace" ]; then

77
initrd/bin/gui-init
View File

@ -42,7 +42,7 @@ verify_global_hashes()
TMP_PACKAGE_TRIGGER_PRE="/tmp/kexec/kexec_package_trigger_pre.txt"
TMP_PACKAGE_TRIGGER_POST="/tmp/kexec/kexec_package_trigger_post.txt"
if cd /boot && sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output ; then
if ( cd /boot && sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output ) then
return 0
elif [ ! -f $TMP_HASH_FILE ]; then
if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Missing Hash File!' \
@ -70,7 +70,7 @@ verify_global_hashes()
fi
else
TEXT="The following files failed the verification process:\n${CHANGED_FILES}\n\nThis could indicate a compromise!\n\nWould you like to update your checksums now?"
TEXT="The following files failed the verification process:\n\n${CHANGED_FILES}\n\nThis could indicate a compromise!\n\nWould you like to update your checksums now?"
fi
if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Boot Hash Mismatch' --yesno "$TEXT" 30 90) then
@ -82,7 +82,7 @@ verify_global_hashes()
prompt_update_checksums()
{
if (whiptail --title 'Update Checksums and sign all files in /boot' \
--yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that the files in /boot have not been tampered with.\n\nYou will need your GPG key to continue and this change will modify your disk.\n\nDo you want to continue?" 16 90) then
--yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that these files have not been tampered with.\n\nYou will need your GPG key available, and this change will modify your disk.\n\nDo you want to continue?" 16 90) then
update_checksums
else
echo "Returning to the main menu"
@ -92,10 +92,10 @@ update_totp()
{
echo "Scan the QR code to add the new TOTP secret"
/bin/seal-totp
if [ -x /bin/libremkey_hotp_verification ]; then
echo "Once you have scanned the QR code, hit Enter to configure your Librem Key"
if [ -x /bin/hotp_verification ]; then
echo "Once you have scanned the QR code, hit Enter to configure your HOTP USB Security Dongle (e.g. Librem Key or Nitrokey)"
read
/bin/seal-libremkey
/bin/seal-hotpkey
else
echo "Once you have scanned the QR code, hit Enter to continue"
read
@ -118,7 +118,7 @@ clean_boot_check()
[ $GPG_KEY_COUNT -ne 0 ] && return
# check for USB security token
if [ "$CONFIG_LIBREMKEY" = "y" ]; then
if [ "$CONFIG_HOTPKEY" = "y" ]; then
enable_usb
if ! gpg --card-status > /dev/null ; then
return
@ -140,6 +140,13 @@ else
mount_boot
fi
# Use stored HOTP key branding
if [ -r /boot/kexec_hotp_key ]; then
HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)"
else
HOTPKEY_BRANDING="HOTP USB Security Dongle"
fi
last_half=X
while true; do
MAIN_MENU_OPTIONS=""
@ -188,14 +195,16 @@ while true; do
fi
if [ "$totp_confirm" = "i" -o -z "$totp_confirm" ]; then
if [ -x /bin/libremkey_hotp_verification ]; then
if [ -x /bin/hotp_verification ]; then
HOTP=`unseal-hotp`
enable_usb
if ! libremkey_hotp_verification info ; then
whiptail $CONFIG_WARNING_BG_COLOR --clear --title 'WARNING: Please Insert Your Librem Key' --msgbox "Your Librem Key was not detected.\n\nPlease insert your Librem Key" 30 90
if ! hotp_verification info ; then
whiptail $CONFIG_WARNING_BG_COLOR --clear \
--title "WARNING: Please Insert Your $HOTPKEY_BRANDING" \
--msgbox "Your $HOTPKEY_BRANDING was not detected.\n\nPlease insert your $HOTPKEY_BRANDING" 30 90
fi
# Don't output HOTP codes to screen, so as to make replay attacks harder
libremkey_hotp_verification check $HOTP
hotp_verification check $HOTP
case "$?" in
0 )
HOTP="Success"
@ -205,7 +214,7 @@ while true; do
MAIN_MENU_BG_COLOR=$CONFIG_ERROR_BG_COLOR
;;
* )
HOTP="Error checking code, Insert Librem Key and retry"
HOTP="Error checking code, Insert $HOTPKEY_BRANDING and retry"
MAIN_MENU_BG_COLOR=$CONFIG_WARNING_BG_COLOR
;;
esac
@ -304,30 +313,34 @@ while true; do
fi
if [ "$totp_confirm" = "p" ]; then
if (whiptail --title 'Reset the TPM' \
--yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 16 90) then
/bin/tpm-reset
if [ "$CONFIG_TPM" = "y" ]; then
if (whiptail --title 'Reset the TPM' \
--yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 16 90) then
/bin/tpm-reset
# now that the TPM is reset, remove invalid TPM counter files
mount_boot
mount -o rw,remount /boot
rm -f /boot/kexec_rollback.txt
# now that the TPM is reset, remove invalid TPM counter files
mount_boot
mount -o rw,remount /boot
rm -f /boot/kexec_rollback.txt
# create Heads TPM counter before any others
check_tpm_counter /boot/kexec_rollback.txt \
|| die "Unable to find/create tpm counter"
counter="$TPM_COUNTER"
# create Heads TPM counter before any others
check_tpm_counter /boot/kexec_rollback.txt \
|| die "Unable to find/create tpm counter"
counter="$TPM_COUNTER"
increment_tpm_counter $counter \
|| die "Unable to increment tpm counter"
increment_tpm_counter $counter \
|| die "Unable to increment tpm counter"
sha256sum /tmp/counter-$counter > /boot/kexec_rollback.txt \
|| die "Unable to create rollback file"
mount -o ro,remount /boot
sha256sum /tmp/counter-$counter > /boot/kexec_rollback.txt \
|| die "Unable to create rollback file"
mount -o ro,remount /boot
update_totp
update_totp
else
echo "Returning to the main menu"
fi
else
echo "Returning to the main menu"
whiptail --clear --title 'ERROR: No TPM Detected' --msgbox "This device does not have a TPM.\n\nPress OK to return to the Main Menu" 30 90
fi
continue
fi
@ -377,10 +390,10 @@ while true; do
if [ "$totp_confirm" = "S" ]; then
memtotal=$(cat /proc/meminfo | grep 'MemTotal' | tr -s ' ' | cut -f2 -d ' ')
memtotal=$((${memtotal} / 1024 + 1))
memtotal=$((${memtotal} / 1024 / 1024 + 1))
cpustr=$(cat /proc/cpuinfo | grep 'model name' | uniq | sed -r 's/\(R\)//;s/\(TM\)//;s/CPU //;s/model name.*: //')
whiptail --title 'System Info' \
--msgbox "VER: ${FW_VER}\n\nCPU: ${cpustr}\nRAM: ${memtotal} MB\n\n$(fdisk -l | grep -e '/dev/sd.:' -e '/dev/nvme.*:' | sed 's/B,.*/B/')" 16 60
--msgbox "VER: ${FW_VER}\n\nCPU: ${cpustr}\nRAM: ${memtotal} GB\n\n$(fdisk -l | grep -e '/dev/sd.:' -e '/dev/nvme.*:' | sed 's/B,.*/B/')" 16 60
continue
fi

6
initrd/bin/kexec-seal-key
View File

@ -84,9 +84,9 @@ cat "$KEY_DEVICES" | cut -d\ -f1 | xargs /bin/qubes-measure-luks \
|| die "Unable to measure the LUKS headers"
luks_pcr=`tpm calcfuturepcr -ix 16 -if /tmp/luksDump.txt`
# Librem Key loads USB modules which changes PCR5.
# In the event Librem Key is enabled, skip verification of PCR5
if [ -x /bin/libremkey_hotp_verification ]; then
# HOTP USB Secrity Dongle loads USB modules which changes PCR5.
# In the event HOTP USB Security Dongle is enabled, skip verification of PCR5
if [ -x /bin/hotp_verification ]; then
pcr_5="X"
else
pcr_5="0000000000000000000000000000000000000000"

2
initrd/bin/kexec-select-boot
View File

@ -173,7 +173,7 @@ scan_options() {
kexec-parse-bls "$bootdir" "$i" "$bootdir/loader/entries" >> $option_file
done
fi
if [ ! -r $option_file ]; then
if [ ! -s $option_file ]; then
die "Failed to parse any boot options"
fi
if [ "$unique" = 'y' ]; then

10
initrd/bin/mount-usb
View File

@ -62,9 +62,11 @@ if [ -z ${USB_MOUNT_DEVICE} ]; then
# remove block device from list if numeric partitions exist, since not bootable
let USB_NUM_PARTITIONS=`ls -1 $i* | wc -l`-1
if [ ${USB_NUM_PARTITIONS} -eq 0 ]; then
echo $i >> /tmp/usb_disk_list
echo $i $(blkid | grep $i | grep -o 'LABEL=".*"' | cut -f2 -d '"') >> /tmp/usb_disk_list
else
ls $i* | tail -${USB_NUM_PARTITIONS} >> /tmp/usb_disk_list
for j in $(ls $i* | tail -${USB_NUM_PARTITIONS}); do
echo $j $(blkid | grep $j | grep -o 'LABEL=".*"' | cut -f2 -d '"') >> /tmp/usb_disk_list
done
fi
done
@ -100,9 +102,9 @@ if [ -z ${USB_MOUNT_DEVICE} ]; then
fi
if [ "$option_index" = "a" ]; then
exit 1
exit 5
fi
USB_MOUNT_DEVICE=`head -n $option_index /tmp/usb_disk_list | tail -1`
USB_MOUNT_DEVICE=`head -n $option_index /tmp/usb_disk_list | tail -1 | sed 's/\ .*$//'`
fi
if [ "$1" = "rw" ]; then

43
initrd/bin/oem-factory-reset
View File

@ -110,7 +110,7 @@ gpg_key_change_pin()
} | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \
> /tmp/gpg_card_edit_output 2>/dev/null
if [ $? -ne 0 ]; then
ERROR=`cat /tmp/gpg_card_edit_output`
ERROR=`cat /tmp/gpg_card_edit_output | fold -s`
whiptail_error_die "GPG Key PIN change failed!\n\n$ERROR"
fi
}
@ -185,7 +185,7 @@ generate_checksums()
mount -o ro,remount /boot
if [ $ret = 1 ] ; then
ERROR=$(tail -n 1 /tmp/error)
ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "Error signing kexec boot files:\n\n$ERROR"
fi
}
@ -202,7 +202,15 @@ set_default_boot_option()
for i in `find /boot -name "grub.cfg"`; do
kexec-parse-boot "/boot" "$i" >> $option_file
done
[ ! -r $option_file ] \
# FC29/30+ may use BLS format grub config files
# https://fedoraproject.org/wiki/Changes/BootLoaderSpecByDefault
# only parse these if $option_file is still empty
if [ ! -s $option_file ] && [ -d "/boot/loader/entries" ]; then
for i in `find /boot -name "grub.cfg"`; do
kexec-parse-bls "/boot" "$i" "/boot/loader/entries" >> $option_file
done
fi
[ ! -s $option_file ] \
&& whiptail_error_die "Failed to parse any boot options"
# sort boot options
@ -214,12 +222,15 @@ set_default_boot_option()
# clear existing default configs
rm "/boot/kexec_default.*.txt" 2>/dev/null
# get correct index for entry
index=$(grep -n "$entry" $option_file | cut -f1 -d ':')
# write new config
echo "$entry" > /boot/kexec_default.1.txt
echo "$entry" > /boot/kexec_default.$index.txt
# validate boot option
cd /boot && /bin/kexec-boot -b "/boot" -e "$entry" -f \
| xargs sha256sum > $hash_file 2>/dev/null \
( cd /boot && /bin/kexec-boot -b "/boot" -e "$entry" -f \
| xargs sha256sum > $hash_file 2>/dev/null ) \
|| whiptail_error_die "Failed to create hashes of boot files"
}
@ -330,7 +341,7 @@ if [ "$prompt_output" == "y" \
umount /media 2>/dev/null
# mount-usb will detect and prompt if no USB inserted
if ! mount-usb rw 2>/tmp/error; then
ERROR=$(tail -n 1 /tmp/error)
ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "Unable to mount USB on /media:\n\n${ERROR}"
fi
else
@ -345,7 +356,7 @@ echo -e "\nChecking for USB Security Dongle...\n"
if ! gpg --card-status >/dev/null 2>&1 ; then
whiptail_error "Can't access USB Security Dongle; \nPlease remove and reinsert, then press Enter."
if ! gpg --card-status >/dev/null 2>/tmp/error ; then
ERROR=$(tail -n 1 /tmp/error)
ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "Unable to detect USB Security Dongle:\n\n${ERROR}"
fi
fi
@ -370,7 +381,7 @@ if [ "$CONFIG_TPM" = "y" ]; then
echo $TPM_PASS_DEF
} | /bin/tpm-reset >/dev/null 2>/tmp/error
if [ $? -ne 0 ]; then
ERROR=$(tail -n 1 /tmp/error)
ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "Error resetting TPM:\n\n${ERROR}"
fi
fi
@ -399,7 +410,7 @@ fi
# export pubkey to file
if ! gpg --export --armor $GPG_GEN_KEY > "${PUBKEY}" 2>/tmp/error ; then
ERROR=$(tail -n 1 /tmp/error)
ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "GPG Key gpg export to file failed!\n\n$ERROR"
fi
@ -408,7 +419,7 @@ if [ $GPG_EXPORT -ne 0 ]; then
echo -e "\nExporting generated key to USB...\n"
# copy to USB
if ! cp "${PUBKEY}" "/media/${GPG_GEN_KEY}.asc" 2>/tmp/error ; then
ERROR=$(tail -n 1 /tmp/error)
ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "Key export error: unable to copy ${GPG_GEN_KEY}.asc to /media:\n\n$ERROR"
fi
umount /media 2>/dev/null
@ -418,24 +429,24 @@ fi
echo -e "\nReading current firmware...\n(this will take a minute or two)\n"
/bin/flash.sh -r /tmp/oem-setup.rom >/dev/null 2>/tmp/error
if [ ! -s /tmp/oem-setup.rom ]; then
ERROR=$(tail -n 1 /tmp/error)
ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "Error reading current firmware:\n\n$ERROR"
fi
# ensure key imported locally
if ! cat "$PUBKEY" | gpg --import >/dev/null 2>/tmp/error ; then
ERROR=$(tail -n 1 /tmp/error)
ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "Error importing GPG key:\n\n$ERROR"
fi
# update /.gnupg/trustdb.gpg to ultimately trust all user provided public keys
if ! gpg --list-keys --fingerprint --with-colons 2>/dev/null \
| sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' \
| gpg --import-ownertrust >/dev/null 2>/tmp/error ; then
ERROR=$(tail -n 1 /tmp/error)
ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "Error importing GPG ownertrust:\n\n$ERROR"
fi
if ! gpg --update-trust >/dev/null 2>/tmp/error ; then
ERROR=$(tail -n 1 /tmp/error)
ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "Error updating GPG ownertrust:\n\n$ERROR"
fi
# clear any existing heads/gpg files from current firmware
@ -461,7 +472,7 @@ fi
# flash updated firmware image
echo -e "\nAdding generated key to current firmware and re-flashing...\n"
if ! /bin/flash.sh /tmp/oem-setup.rom >/dev/null 2>/tmp/error ; then
ERROR=$(tail -n 1 /tmp/error)
ERROR=$(tail -n 1 /tmp/error | fold -s)
whiptail_error_die "Error flashing updated firmware image:\n\n$ERROR"
fi

39
initrd/bin/seal-libremkey → initrd/bin/seal-hotpkey
View File

@ -1,11 +1,12 @@
#!/bin/sh
# Retrieve the sealed TOTP secret and initialize a Librem Key with it
# Retrieve the sealed TOTP secret and initialize a USB Security dongle with it
. /etc/functions
HOTP_SEALED="/tmp/secret/hotp.sealed"
HOTP_SECRET="/tmp/secret/hotp.key"
HOTP_COUNTER="/boot/kexec_hotp_counter"
HOTP_KEY="/boot/kexec_hotp_key"
mount_boot()
{
@ -16,6 +17,13 @@ mount_boot()
fi
}
# Use stored HOTP key branding (this might be useful after OEM reset)
if [ -r /boot/kexec_hotp_key ]; then
HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)"
else
HOTPKEY_BRANDING="HOTP USB Security Dongle"
fi
tpm nv_readvalue \
-in 4d47 \
-sz 312 \
@ -49,26 +57,35 @@ mount_boot
counter_value=1
enable_usb
if ! libremkey_hotp_verification info ; then
echo "Insert your Librem Key and press Enter to configure it"
if ! hotp_verification info ; then
echo "Insert your $HOTPKEY_BRANDING and press Enter to configure it"
read
if ! libremkey_hotp_verification info ; then
if ! hotp_verification info ; then
# don't leak key on failure
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
die "Unable to find Librem Key"
die "Unable to find $HOTPKEY_BRANDING"
fi
fi
# Set HOTP USB Security Dongle branding based on VID
if lsusb | grep -q "20a0:" ; then
HOTPKEY_BRANDING="Nitrokey"
elif lsusb | grep -q "316d:" ; then
HOTPKEY_BRANDING="Librem Key"
else
HOTPKEY_BRANDING="HOTP USB Security Dongle"
fi
echo -e ""
read -s -p "Enter your Librem Key Admin PIN: " admin_pin
read -s -p "Enter your $HOTPKEY_BRANDING Admin PIN: " admin_pin
echo -e "\n"
libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value
hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING"
if [ $? -ne 0 ]; then
echo -e "\n"
read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again: " admin_pin
echo -e "\n"
if ! libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value ; then
if ! hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" ; then
# don't leak key on failure
shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null
die "Setting HOTP secret failed"
@ -90,11 +107,15 @@ counter_value=`expr $counter_value + 1`
echo $counter_value > $HOTP_COUNTER \
|| die "Unable to create hotp counter file"
# Store/overwrite HOTP USB Security Dongle branding found out beforehand
echo $HOTPKEY_BRANDING > $HOTP_KEY \
|| die "Unable to store hotp key file"
#sha256sum /tmp/counter-$counter > $HOTP_COUNTER \
#|| die "Unable to create hotp counter file"
mount -o remount,ro /boot
echo -e "\nLibrem Key initialized successfully. Press Enter to continue."
echo -e "\n$HOTPKEY_BRANDING initialized successfully. Press Enter to continue."
read
exit 0

7
initrd/bin/usb-scan
View File

@ -2,6 +2,7 @@
# Scan for USB installation options
set -e -o pipefail
. /etc/functions
. /etc/gui_functions
. /tmp/config
# Unmount any previous boot device
@ -11,10 +12,8 @@ if grep -q /boot /proc/mounts ; then
fi
# Mount the USB boot device
if ! grep -q /media /proc/mounts ; then
mount-usb "$CONFIG_USB_BOOT_DEV" \
|| die "Unable to mount /media"
fi
mount_usb || die "Unable to mount /media"
# Get USB boot device
USB_BOOT_DEV=$(grep "/media" /etc/mtab | cut -f 1 -d' ')

18
initrd/etc/functions
View File

@ -271,13 +271,15 @@ update_checksums()
|| recovery "Unable to mount /boot"
fi
# remount RW
mount -o rw,remount /boot
cd /boot
find ./ -type f ! -name '*kexec*' | xargs sha256sum > /boot/kexec_hashes.txt
if [ -e /boot/kexec_default_hashes.txt ]; then
DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ')
echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt
fi
mount -o rw,remount /boot
(
cd /boot
find ./ -type f ! -name '*kexec*' | xargs sha256sum > /boot/kexec_hashes.txt
if [ -e /boot/kexec_default_hashes.txt ]; then
DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ')
echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt
fi
)
# Remove any package trigger log files
# We don't need them after the user decides to sign
rm -f /boot/kexec_package_trigger*
@ -301,7 +303,7 @@ update_checksums()
detect_boot_device()
{
# unmount /boot to be safe
umount /boot 2>/dev/null
cd / && umount /boot 2>/dev/null
# check $CONFIG_BOOT_DEV if set/valid
if [ -e "$CONFIG_BOOT_DEV" ]; then

71
initrd/etc/gui_functions Executable file
View File

@ -0,0 +1,71 @@
#!/bin/sh
# Shell functions for common operations using fbwhiptail
mount_usb()
{
# Unmount any previous USB device
if grep -q /media /proc/mounts ; then
umount /media || die "Unable to unmount /media"
fi
# Mount the USB boot device
mount-usb && USB_FAILED=0 || ( [ $? -eq 5 ] && exit 1 || USB_FAILED=1 )
if [ $USB_FAILED -ne 0 ]; then
whiptail --title 'USB Drive Missing' \
--msgbox "Insert your USB drive and press Enter to continue." 16 60
mount-usb && USB_FAILED=0 || ( [ $? -eq 5 ] && exit 1 || USB_FAILED=1 )
if [ $USB_FAILED -ne 0 ]; then
whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Mounting /media Failed' \
--msgbox "Unable to mount USB device" 16 60
exit 1
fi
fi
}
file_selector()
{
FILE=""
FILE_LIST=$1
MENU_MSG=${2:-"Choose the file"}
MENU_TITLE=${3:-"Select your File"}
# create file menu options
if [ `cat "$FILE_LIST" | wc -l` -gt 0 ]; then
option=""
while [ -z "$option" ]
do
MENU_OPTIONS=""
n=0
while read option
do
n=`expr $n + 1`
option=$(echo $option | tr " " "_")
MENU_OPTIONS="$MENU_OPTIONS $n ${option}"
done < $FILE_LIST
MENU_OPTIONS="$MENU_OPTIONS a Abort"
whiptail --clear --title "${MENU_TITLE}" \
--menu "${MENU_MSG} [1-$n, a to abort]:" 20 120 8 \
-- $MENU_OPTIONS \
2>/tmp/whiptail || die "Aborting"
option_index=$(cat /tmp/whiptail)
if [ "$option_index" = "a" ]; then
option="a"
return
fi
option=`head -n $option_index $FILE_LIST | tail -1`
if [ "$option" == "a" ]; then
return
fi
done
if [ -n "$option" ]; then
FILE=$option
fi
else
whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: No Files Found' \
--msgbox "No Files found matching the pattern. Aborting." 16 60
exit 1
fi
}

4
initrd/init
View File

@ -93,7 +93,9 @@ combine_configs
. /tmp/config
# export firmware version
export FW_VER=$(dmesg | grep 'DMI' | grep -o 'BIOS.*' | cut -f2 -d ' ')
export FW_VER=$(dmesg | grep 'DMI' | grep -o 'BIOS.*' | cut -f2- -d ' ')
# chop off date, since will always be epoch w/timeless builds
FW_VER=${FW_VER::-10}
# Add our boot devices into the /etc/fstab, if they are defined
# in the configuration file.

9
modules/coreboot
View File

@ -1,13 +1,18 @@
modules-$(CONFIG_COREBOOT) += coreboot
ifeq "$(CONFIG_COREBOOT_VERSION)" "4.8.1"
coreboot_version := 4.8.1
coreboot_hash := f0ddf4db0628c1fe1e8348c40084d9cbeb5771400c963fd419cda3995b69ad23
else
$(error "$(BOARD): does not specify coreboot version under CONFIG_COREBOOT_VERSION")
endif
#coreboot_version := git
#coreboot_repo := https://github.com/osresearch/coreboot
coreboot_version := 4.8.1
coreboot_base_dir := coreboot-$(coreboot_version)
coreboot_dir := $(coreboot_base_dir)/$(BOARD)
coreboot_tar := coreboot-$(coreboot_version).tar.xz
coreboot_url := https://www.coreboot.org/releases/$(coreboot_tar)
coreboot_hash := f0ddf4db0628c1fe1e8348c40084d9cbeb5771400c963fd419cda3995b69ad23
# coreboot builds are specialized on a per-target basis.
# The builds are done in a per-target subdirectory

13
modules/gpg2
View File

@ -1,10 +1,10 @@
modules-$(CONFIG_GPG2) += gpg2
gpg2_version := 2.2.20
gpg2_version := 2.2.10
gpg2_dir := gnupg-$(gpg2_version)
gpg2_tar := gnupg-$(gpg2_version).tar.bz2
gpg2_url := https://www.gnupg.org/ftp/gcrypt/gnupg/$(gpg2_tar)
gpg2_hash := 04a7c9d48b74c399168ee8270e548588ddbe52218c337703d7f06373d326ca30
gpg2_hash := 799dd37a86a1448732e339bd20440f4f5ee6e69755f6fd7a73ee8af30840c915
# For reproducibility reasons we have to override the exec_prefix
# and datarootdir on the configure line so that the Makefiles will
@ -16,7 +16,7 @@ gpg2_configure := ./configure \
CPPFLAGS="-I$(INSTALL)/include/libusb-1.0" \
--host x86_64-linux-musl \
--with-libusb="$(INSTALL)" \
--with-gpg-error-prefix="$(INSTALL)" \
--with-libgpg-error-prefix="$(INSTALL)" \
--with-libgcrypt-prefix="$(INSTALL)" \
--with-libassuan-prefix="$(INSTALL)" \
--with-ksba-prefix="$(INSTALL)" \
@ -30,12 +30,19 @@ gpg2_configure := ./configure \
--disable-regex \
--disable-doc \
--disable-bzip2 \
--disable-asm \
--disable-exec \
--disable-photo-viewers \
--disable-keyserver-helpers \
--disable-ldap \
--disable-hkp \
--disable-finger \
--disable-dns-srv \
--disable-dns-cert \
--disable-regex \
--disable-nls \
--disable-all-tests \
--disable-wks-server \
--disable-wks-tools \
--disable-gnutls \
--disable-dirmngr \

2
modules/hidapi
View File

@ -1,2 +1,2 @@
# empty placeholder file
# This submodule is defined in modules/libremkey-hotp-verification
# This submodule is defined in modules/hotp-verification

37
modules/hotp-verification Normal file
View File

@ -0,0 +1,37 @@
modules-$(CONFIG_HOTPKEY) += hotp-verification
hotp-verification_depends := libusb $(musl_dep)
hotp-verification_version := c0956cfa085bcfc2500c1085dad350a440ccbe40
hotp-verification_dir := hotp-verification-$(hotp-verification_version)
hotp-verification_tar := nitrokey-hotp-verification-$(hotp-verification_version).tar.gz
hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(hotp-verification_version).tar.gz
hotp-verification_hash := c06e9751bc45bf8e57ddb39f15352442eda07530f6fe0e8e1ed3e54274fc165f
hotp-verification_target := \
$(MAKE_JOBS) \
$(CROSS_TOOLS) \
hotp-verification_output := \
hotp_verification \
hotp_initialize
hotp-verification_configure := \
INSTALL="$(INSTALL)" \
CROSS="$(CROSS)" \
$(CROSS_TOOLS) $(MAKE) LDFLAGS="$(INSTALL)/lib/libusb-1.0.so" GITVERSION="" LIBUSB_FLAGS="-I/usr/include/libusb-1.0" PKGCONFIG="" && $(MAKE) install INSTALL="$(INSTALL)"
hotp-verification_depends += hidapi
modules-y += hidapi
hidapi_version := e5ae0d30a523c565595bdfba3d5f2e9e1faf0bd0
hidapi_dir := hotp-verification-$(hotp-verification_version)/hidapi
hidapi_tar := hidapi-$(hidapi_version).tar.xz
hidapi_url := https://github.com/Nitrokey/hidapi/archive/$(hidapi_version).tar.gz
hidapi_hash := acc2a5089a8917085c2b3ebe9446065a21c760ba7e13cb54917043c4122188e0
## hidapi will be built as part of hotp-verification
## so nothing to do here (but need make to be happy)
hidapi_output := .built
hidapi_configure := echo -e 'all:\n\ttouch .built' > Makefile

8
modules/libassuan
View File

@ -1,16 +1,18 @@
modules-$(CONFIG_GPG2) += libassuan
libassuan_version := 2.5.3
libassuan_version := 2.5.1
libassuan_dir := libassuan-$(libassuan_version)
libassuan_tar := libassuan-$(libassuan_version).tar.bz2
libassuan_url := https://gnupg.org/ftp/gcrypt/libassuan/$(libassuan_tar)
libassuan_hash := 91bcb0403866b4e7c4bc1cc52ed4c364a9b5414b3994f718c70303f7f765e702
libassuan_hash := 47f96c37b4f2aac289f0bc1bacfa8bd8b4b209a488d3d15e2229cb6cc9b26449
libassuan_configure := ./configure \
$(CROSS_TOOLS) \
--host x86_64-linux-musl \
--prefix "/" \
--disable-static \
--with-gpg-error-prefix="$(INSTALL)" \
--disable-nls \
--with-libgpg-error-prefix="$(INSTALL)" \
--disable-asm \
libassuan_target := $(MAKE_JOBS) \
DESTDIR="$(INSTALL)" \

6
modules/libgcrypt
View File

@ -1,16 +1,16 @@
modules-$(CONFIG_GPG2) += libgcrypt
libgcrypt_version := 1.8.5
libgcrypt_version := 1.8.3
libgcrypt_dir := libgcrypt-$(libgcrypt_version)
libgcrypt_tar := libgcrypt-$(libgcrypt_version).tar.bz2
libgcrypt_url := https://gnupg.org/ftp/gcrypt/libgcrypt/$(libgcrypt_tar)
libgcrypt_hash := 3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3
libgcrypt_hash := 66ec90be036747602f2b48f98312361a9180c97c68a690a5f376fa0f67d0af7c
libgcrypt_configure := ./configure \
$(CROSS_TOOLS) \
--host=x86_64-linux-musl \
--prefix "/" \
--disable-static \
--with-gpg-error-prefix="$(INSTALL)" \
--with-libgpg-error-prefix="$(INSTALL)" \
--disable-asm \
libgcrypt_target := $(MAKE_JOBS) \

5
modules/libgpg-error
View File

@ -1,9 +1,9 @@
modules-$(CONFIG_GPG2) += libgpg-error
libgpg-error_version := 1.37
libgpg-error_version := 1.32
libgpg-error_dir := libgpg-error-$(libgpg-error_version)
libgpg-error_tar := libgpg-error-$(libgpg-error_version).tar.bz2
libgpg-error_url := https://gnupg.org/ftp/gcrypt/libgpg-error/$(libgpg-error_tar)
libgpg-error_hash := b32d6ff72a73cf79797f7f2d039e95e9c6f92f0c1450215410840ab62aea9763
libgpg-error_hash := c345c5e73cc2332f8d50db84a2280abfb1d8f6d4f1858b9daa30404db44540ca
libgpg-error_configure := ./configure \
$(CROSS_TOOLS) \
@ -14,6 +14,7 @@ libgpg-error_configure := ./configure \
--disable-languages \
--disable-doc \
--disable-tests \
--disable-asm \
libgpg-error_target := $(MAKE_JOBS) \
DESTDIR="$(INSTALL)" \

4
modules/libksba
View File

@ -10,7 +10,9 @@ libksba_configure := ./configure \
--host x86_64-linux-musl \
--prefix "/" \
--disable-static \
--with-gpg-error-prefix="$(INSTALL)" \
--disable-nls \
--with-libgpg-error-prefix="$(INSTALL)" \
--disable-asm \
libksba_target := $(MAKE_JOBS) \
DESTDIR="$(INSTALL)" \

37
modules/libremkey-hotp-verification
View File

@ -1,37 +0,0 @@
modules-$(CONFIG_LIBREMKEY) += libremkey-hotp-verification
libremkey-hotp-verification_depends := libusb $(musl_dep)
libremkey-hotp-verification_version := 809953b9b4bef97a4cffaa20d675bd7fe9d8da53
libremkey-hotp-verification_dir := libremkey-hotp-verification-$(libremkey-hotp-verification_version)
libremkey-hotp-verification_tar := nitrokey-hotp-verification-$(libremkey-hotp-verification_version).tar.gz
libremkey-hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(libremkey-hotp-verification_version).tar.gz
libremkey-hotp-verification_hash := 251e5cef74e4e45eeddc49e4a1da1e22d1de774cd32cb0451a9030579ae958ba
libremkey-hotp-verification_target := \
$(MAKE_JOBS) \
$(CROSS_TOOLS) \
libremkey-hotp-verification_output := \
libremkey_hotp_verification \
libremkey_hotp_initialize
libremkey-hotp-verification_configure := \
INSTALL="$(INSTALL)" \
CROSS="$(CROSS)" \
$(CROSS_TOOLS) $(MAKE) LDFLAGS="$(INSTALL)/lib/libusb-1.0.so" && $(MAKE) install INSTALL="$(INSTALL)"
libremkey-hotp-verification_depends += hidapi
modules-y += hidapi
hidapi_version := e5ae0d30a523c565595bdfba3d5f2e9e1faf0bd0
hidapi_dir := libremkey-hotp-verification-$(libremkey-hotp-verification_version)/hidapi
hidapi_tar := hidapi-$(hidapi_version).tar.xz
hidapi_url := https://github.com/Nitrokey/hidapi/archive/$(hidapi_version).tar.gz
hidapi_hash := acc2a5089a8917085c2b3ebe9446065a21c760ba7e13cb54917043c4122188e0
## hidapi will be built as part of libremkey-hotp-verification
## so nothing to do here (but need make to be happy)
hidapi_output := .built
hidapi_configure := echo -e 'all:\n\ttouch .built' > Makefile

4
modules/npth
View File

@ -10,7 +10,9 @@ npth_configure := ./configure \
--host x86_64-linux-musl \
--prefix "/" \
--disable-static \
--with-gpg-error-prefix="$(INSTALL)" \
--disable-nls \
--with-libgpg-error-prefix="$(INSTALL)" \
--disable-asm \
npth_target := $(MAKE_JOBS) \
DESTDIR="$(INSTALL)" \

3
modules/pinentry
View File

@ -27,8 +27,7 @@ pinentry_configure := ./configure \
--disable-pinentry-fltk \
--disable-pinentry-emacs \
--disable-fallback-curses \
--disable-pinentry-qt5 \
--with-gpg-error-prefix="$(INSTALL)" \
--with-libgpg-error-prefix="$(INSTALL)" \
--with-libassuan-prefix="$(INSTALL)" \
# Run one build to generate the executables with the pre-defined

38
patches/kexec-2.0.20.patch
View File

@ -1,7 +1,7 @@
diff --git ./Makefile.in ./Makefile.in
diff --git a/Makefile.in b/Makefile.in
index fb01134..bf1973e 100644
--- ./Makefile.in
+++ ./Makefile.in
--- a/Makefile.in
+++ b/Makefile.in
@@ -157,12 +157,12 @@ include $(srcdir)/kexec/Makefile
# vmcore-dmesg (read dmesg from a vmcore)
@ -17,10 +17,24 @@ index fb01134..bf1973e 100644
SPEC=$(PACKAGE_NAME).spec
GENERATED_SRCS:= $(SPEC)
diff --git ./kexec/kexec.c ./kexec/kexec.c
diff --git a/kexec/arch/i386/x86-linux-setup.c b/kexec/arch/i386/x86-linux-setup.c
index 057ee14..43e017a 100644
--- a/kexec/arch/i386/x86-linux-setup.c
+++ b/kexec/arch/i386/x86-linux-setup.c
@@ -137,7 +137,8 @@ static int setup_linux_vesafb(struct x86_linux_param_header *real_mode)
goto out;
if (-1 == ioctl(fd, FBIOGET_VSCREENINFO, &var))
goto out;
- if (0 == strcmp(fix.id, "VESA VGA")) {
+ if (0 == strcmp(fix.id, "VESA VGA")
+ || 0 == strcmp(fix.id, "inteldrmfb")) {
/* VIDEO_TYPE_VLFB */
real_mode->orig_video_isVGA = 0x23;
} else if (0 == strcmp(fix.id, "EFI VGA")) {
diff --git a/kexec/kexec.c b/kexec/kexec.c
index bc6ab3d..b82725b 100644
--- ./kexec/kexec.c
+++ ./kexec/kexec.c
--- a/kexec/kexec.c
+++ b/kexec/kexec.c
@@ -805,6 +805,27 @@ static int my_load(const char *type, int fileind, int argc, char **argv,
if (sort_segments(&info) < 0) {
return -1;
@ -49,10 +63,10 @@ index bc6ab3d..b82725b 100644
/* if purgatory is loaded update it */
update_purgatory(&info);
if (entry)
diff --git ./purgatory/Makefile ./purgatory/Makefile
diff --git a/purgatory/Makefile b/purgatory/Makefile
index 2dd6c47..2de8f07 100644
--- ./purgatory/Makefile
+++ ./purgatory/Makefile
--- a/purgatory/Makefile
+++ b/purgatory/Makefile
@@ -44,7 +44,6 @@ purgatory/sha256.o: $(srcdir)/util_lib/sha256.c
mkdir -p $(@D)
$(COMPILE.c) -o $@ $^
@ -61,10 +75,10 @@ index 2dd6c47..2de8f07 100644
$(PURGATORY): CFLAGS=$(PURGATORY_EXTRA_CFLAGS) \
$($(ARCH)_PURGATORY_EXTRA_CFLAGS) \
-Os -fno-builtin -ffreestanding \
diff --git ./util/Makefile ./util/Makefile
diff --git a/util/Makefile b/util/Makefile
index 948ee63..833a897 100644
--- ./util/Makefile
+++ ./util/Makefile
--- a/util/Makefile
+++ b/util/Makefile
@@ -2,7 +2,7 @@ BIN_TO_HEX:= bin/bin-to-hex
$(BIN_TO_HEX): $(srcdir)/util/bin-to-hex.c

73
patches/libremkey-hotp-verification-e5fa36a7a1950226d0ef94e2eeed0ffb510eba89.patch
View File

@ -1,73 +0,0 @@
--- nitrokey-hotp-verification-a/Toolchain-heads.cmake 2018-05-22 09:55:46.907209235 -0700
+++ nitrokey-hotp-verification-b/Toolchain-heads.cmake 2018-05-22 09:55:26.659371966 -0700
@@ -0,0 +1,27 @@
+SET(CMAKE_SYSTEM_NAME Linux)
+SET(CMAKE_SYSTEM_VERSION 1)
+
+# Specify the cross compiler
+SET(CMAKE_C_COMPILER $ENV{CROSS}gcc)
+SET(CMAKE_CXX_COMPILER $ENV{CROSS}gcc)
+
+#sysroot location
+set(MYSYSROOT $ENV{INSTALL})
+
+# compiler/linker flags
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE)
+set(CMAKE_C_LINK_FLAGS "${CMAKE_C_LINK_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE)
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE)
+set(CMAKE_CXX_LINK_FLAGS "${CMAKE_CXX_LINK_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE)
+
+# Where is the target environment
+SET(CMAKE_FIND_ROOT_PATH "${MYSYSROOT}")
+
+# Search for programs only in the build host directories
+SET(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER)
+
+# Search for libraries and headers only in the target directories
+SET(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY)
+SET(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY)
+
+INCLUDE_DIRECTORIES(hidapi)
--- libremkey-hotp-verification/device.c 2018-06-20 16:13:36.417804210 -0700
+++ libremkey-hotp-verification-b/device.c 2018-06-20 16:14:34.532367723 -0700
@@ -34,7 +34,7 @@
const unsigned short m_vid = 0x20a0;
const unsigned short m_pid = 0x4108;
-static const int CONNECTION_ATTEMPTS_COUNT = 80;
+static const int CONNECTION_ATTEMPTS_COUNT = 2;
static const int CONNECTION_ATTEMPT_DELAY_MICRO_SECONDS = 1000*1000/2;
--- libremkey-hotp-verification/libremkey_hotp_initialize
+++ libremkey-hotp-verification-b/libremkey_hotp_initialize
@@ -14,9 +14,9 @@ fi
PIN=$1
SECRET=$2
COUNTER=$3
-SECRET_B32=$(echo -n $SECRET | base32)
+SECRET_B32=$(cat $SECRET | base32)
-libremkey_hotp_verification set $SECRET_B32 $PIN
+libremkey_hotp_verification set $SECRET_B32 "$PIN"
if [ $? -ne 0 ]; then
echo "ERROR: Setting HOTP secret on Librem Key failed!"
exit 1
@@ -25,7 +25,7 @@ fi
i=9
while [ "$i" -lt "$COUNTER" ]; do
echo "Updating counter to $i"
- HOTP_CODE=$(echo $SECRET | hotp $i)
+ HOTP_CODE=$(hotp $i < $SECRET)
libremkey_hotp_verification check $HOTP_CODE > /dev/null
if [ $? -ne 0 ]; then
echo "HOTP check failed for counter=$i, code=$HOTP_CODE"
@@ -34,7 +34,7 @@ while [ "$i" -lt "$COUNTER" ]; do
let "i += 10"
done
-HOTP_CODE=$(echo $SECRET | hotp $COUNTER)
+HOTP_CODE=$(hotp $COUNTER < $SECRET)
libremkey_hotp_verification check $HOTP_CODE > /dev/null
if [ $? -ne 0 ]; then
echo "HOTP check failed for counter=$COUNTER, code=$HOTP_CODE"