ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-18 20:47:55 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Strip README.md of outdated instructions

Browse Source 
- dm-verity related instruction stripped (see https://github.com/osresearch/heads-wiki/issues/26)
- stripped Xen parts saying it needed to be patched. Was resolved by patching kexec instead of Xen (https://github.com/osresearch/heads/issues/227#issuecomment-369043638)
- Added a link to heads-wiki for documentation needs
This commit is contained in:
tlaurion 2019-05-21 13:23:59 -04:00 committed by GitHub
parent 08ad2d4d20
commit e6cfe38797
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
README.md
View File

@ -21,6 +21,10 @@ significant frustration.
More information is available in [the 33C3 presentation of building "Slightly more secure systems"](https://trmm.net/Heads_33c3).
Documentation
===
Please refer to [Heads-wiki](https://github.com/osresearch/heads-wiki/blob/master/index.md) for your Heads' documentation needs.
Building heads
===
@ -56,7 +60,7 @@ directory and include:
* [Xen hypervisor](https://www.xenproject.org/)
We also recommend installing [Qubes OS](https://www.qubes-os.org/),
although there Heads can `kexec` into any (?) Linux or
although there Heads can `kexec` into any Linux or
[multiboot](https://www.gnu.org/software/grub/manual/multiboot/multiboot.html)
kernel.
@ -67,41 +71,11 @@ Notes:
* Builds are finally reproducible! The [reproduciblebuilds tag](https://github.com/osresearch/heads/issues?q=is%3Aopen+is%3Aissue+milestone%3Areproduciblebuilds) tracks any regressions.
* Currently only tested in QEMU, the Thinkpad x230 and the Chell Chromebook.
** Xen and the TPM do not work in QEMU, so it is only for testing the `initrd` image.
* Booting Qubes requires patching Xen's real mode startup code
see `patches/xen-4.6.3.patch` and adding `no-real-mode` to start
of the Xen command line. Booting or installing Qubes is a bit hacky and needs to be documented.
* Building for the Lenovo X220 requires binary blobs to be placed in the blobs/x220/ folder.
See the readme.md file in that folder
* Building for the Librem 13 v2/v3 or Librem 15 v3/v4 requires binary blobs to be placed in
the blobs/librem_skl folder. See the readme.md file in that folder
Signing with GPG
---
`gpgv` is a stripped down version of GPG that can be used to verify
signatures without extraneous libraries. This works well with the
Free Software workflow that we want to use.
gpg --clearsign roothash
The `roothash` and `roothash.sig` files can be embedded into the
HDD image and then extracted at firmware boot time:
gpgv --keyring /trustedkeys.gpg roothash.sig roothash \
|| echo "FAILED"
The `mount-boot` script is a start at doing this automatically.
There needs to be an empty block at the end of the partition
that includes a signed script to be executed; typically it will
contain the dm-verity parameters to build the `dmsetup` command
line to mount `/boot`.
The boot script can't be stored in the boot filesystem since the
dm-verity hashes that protect the filesystem would need to have their
own hash pre-computed, which is not feasible with a good hashing
algorithm. You could store the hashes in the ROM, but that would
not allow upgrades without rewriting the ROM.
coreboot console messages
---
The coreboot console messages are stored in the CBMEM region