x230-hotp-verification: Add x230-hotp-verification board to have a HOTP supported remote attestation for Nitrokey Pro 2, Nitrokey Storage 2 and Librem Key

2024-12-18 20:47:55 +00:00 · 2020-05-16 13:38:14 -04:00 · 2020-05-16 13:38:14 -04:00 · d5083f410c
commit d5083f410c
parent fa35b3c557
3 changed files with 78 additions and 0 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -83,6 +83,17 @@ jobs:
          name: Ouput x230 hashes
          command: |
            cat build/x230/hashes.txt \
+      - run:
+          name: x230-hotp-verification
+          command: |
+            make --load 2 \
+                V=1 \
+                BOARD=x230-hotp-verification \
+          no_output_timeout: 3h
+      - run:
+          name: Ouput x230-hotp-verification hashes
+          command: |
+            cat build/x230-hotp-verification/hashes.txt \
      - run:
          name: Archiving build logs to bundle in artifacts
          command: |
@ -94,6 +105,10 @@ jobs:
          path: build/x230/coreboot.rom
      - store-artifacts:
          path: build/x230/initrd.cpio.xz
+      - store-artifacts:
+          path: build/x230-hotp-verification/coreboot.rom
+      - store-artifacts:
+          path: build/x230-hotp-verification/initrd.cpio.xz
      - store-artifacts:
          path: logs.tar.gz

--- a/boards/x230-hotp-verification/x230-hotp-verification.config
+++ b/boards/x230-hotp-verification/x230-hotp-verification.config
@ -0,0 +1,48 @@
+# Configuration for a x230-hotp-verification (Nitrokey/Purism USB Security dongle enabled HOTP support) 
+# running Qubes and other OSes
+export CONFIG_COREBOOT=y
+CONFIG_COREBOOT_CONFIG=config/coreboot-x230-hotp-verification.config
+CONFIG_LINUX_CONFIG=config/linux-x230.config
+
+CONFIG_CRYPTSETUP=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+CONFIG_DROPBEAR=y
+
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+CONFIG_LIBREMKEY=y
+
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+
+export CONFIG_TPM=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOOT_GUI_MENU_NAME="Thinkpad X230 Heads Boot Menu"
+export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0"
+export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0"
+export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal --ifd --image bios"
+
+# This board has two SPI flash chips, an 8 MB that holds the IFD,
+# the ME image and part of the coreboot image, and a 4 MB one that
+# has the rest of the coreboot and the reset vector.
+#
+# Only flashing to the bios region is safe to do. The easiest is to
+# flash internally when the IFD is unlocked for writing, and x230-flash
+# is installed first.
--- a/config/coreboot-x230-hotp-verification.config
+++ b/config/coreboot-x230-hotp-verification.config
@ -0,0 +1,15 @@
+CONFIG_LOCALVERSION="heads"
+CONFIG_ANY_TOOLCHAIN=y
+CONFIG_MEASURED_BOOT=y
+CONFIG_VENDOR_LENOVO=y
+CONFIG_CBFS_SIZE=0x800000
+CONFIG_BOARD_LENOVO_X230=y
+CONFIG_NO_POST=y
+CONFIG_UART_PCI_ADDR=0
+CONFIG_NO_GFX_INIT=y
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
+CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="../../build/x230-hotp-verification/bzImage"
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
+CONFIG_LINUX_INITRD="../../build/x230-hotp-verification/initrd.cpio.xz"