Right now all git submodules are left behind on a git clone. Add
git submodule update --init --checkout according to the docs, see
https://www.coreboot.org/Build_HOWTO
The install directly should basically behave like the "build" directory.
Since it's tracked by git, containing a gitignore file, we shouldn't
have it in the toplevel gitignore (just like the build directory).
But then, the toplevel Makefile's real.clean target removes the install
directory. This is changed so that only it's content is being removed.
The Librem Key is a custom device USB-based security token Nitrokey is
producing for Purism and among other things it has custom firmware
created for use with Heads. In particular, when a board is configured
with CONFIG_LIBREMKEY, this custom firmware allows Heads to use the
sealed TOTP secret to also send an HOTP authentication to the Librem
Key. If the HOTP code is successful, the Librem Key will blink a green
LED, if unsuccessful it will blink red, thereby informing the user that
Heads has been tampered with without requiring them to use a phone to
validate the TOTP secret.
Heads will still use and show the TOTP secret, in case the user wants to
validate both codes (in case the Librem Key was lost or is no longer
trusted). It will also show the result of the HOTP verification (but not
the code itself), even though the user should trust only what the Librem
Key displays, so the user can confirm that both the device and Heads are
in sync. If HOTP is enabled, Heads will maintain a new TPM counter
separate from the Heads TPM counter that will increment each time HOTP
codes are checked.
This change also modifies the routines that update TOTP so that if
the Librem Key executables are present it will also update HOTP codes
and synchronize them with a Librem Key.
To keep the flash logic simpler the GUI logic has been split into a
flash-gui.sh program so flash.sh behaves closer to the original flashrom
scripts it was based from. I've also removed the previous flashrom
scripts and incorporated their options into flash.sh. Finally I set
CONFIG_BOARD via the Makefile instead of setting a duplicate option in
each board's config.
If a file $module_$version.series exists, it will be used to
specify a list of patch files to apply to the module.
This is becoming necessary for coreboot which has an increasing
amount of patches required and which makes it hard to maintain
all in one file.
"export" statements included or declared in a Makefile proves literally
(with no escape) passed to the shell, which may result in shell envvars
containing literal double quote if SHELL is set as bash, and they further
becomes statements containing `\"` when printed with command export.
This behavior could be observed by the makefile inlined at the end.
This commit adds a regexp to sed to remove those `\"`.
export QUOTE="QUOTE"
SHELL := /bin/bash
.SHELLFLAGS := -o pipefail -c
export-quote:
export|grep QUOTE
This modifies the segment at 0x0 so that it contains enough of a fake
Extended BIOS Data Area at addresses 0x40e and 0x413 that Xen can
correctly locate its trampoline code.
Since custom Xen is no longer required, we can remove the module,
the patches and all of the references to it in the board definition
files.
The whiptail binary will allow us to create GUI menus from bash scripts.
It is included in the newt library, which depends on slang. To enable,
the board configuration file should add CONFIG_SLANG=y and CONFIG_NEWT=y
This adds a `CONFIG_UROOT=y` option to allow the busybox
runtime to be replaced with the go u-root runtime.
You must have go 1.9 or newer for it to work.
It has been tested on the OCP winterfell and qemu nodes,
and it can be specified on the build command line as well.
Nothing from `heads/initrd` or any of the tools will be
linked into the cpio file. Only the kernel modules and the
go shell will be included.
Move board configuration into `boards/` instead of `config/`
Fix mistake in building kernel module tree before kernel was done.
Allow per-board initrd builds (#278)
Allow per-board configurations for things (#304)
Each of the submodule configuration files defined a subset of the
cross compiler tools that it used and many were picking up the
system `ar`, `nm`, `strip, `ld`, etc. They all now use a `Makefile`
macro that defines the path to the proper cross compiler tools.
For ones that need the tools, but not the musl-libc gcc,
there is $(CROSS_TOOLS_NOCC) that is all of them without gcc.
This is for musl-libc itself, as well as xen and the Linux kernel.
This addresses multiple issues:
* Issue #63: initrd is build fresh each time, so tracked files do not matter.
* Issue #144: build time configuration
* Issue #123: allows us to customize the startup experience
* Issue #122: manual start-xen will go away
* Issue #25: tpmtotp PCRs are updated after reading the secret
* Issue #16: insmod now meaures modules
The .INTERMEDIATE target seemed to causing the problem with
make thinking it didn't have to descend into the sub-module
directories. Removing it allows it to work correctly.
Reduce the size of flashrom by commenting out most flash chips,
boards and programmers.
Wrapper script to make it easier to rewrite the ROM on the x230
using the flashrom layout.
Keep the entire 12 MB ROM for flashing.
The populate-lib program was buggy on some systems and could accidentally
introduce unwanted libraries into the initrd. The Makefile now uses the
modules' $(module_libraries) variable to select which libraries should be
installed into the initrd.
Kernel modules are now stripped and installed using a similar system.
This is a step towards unifying the server and laptop config (issue #139)
and also makes it possible to later remove the USB modules from the
normal boot path.
Issue #129: set pipefail so that intermediate failures in a pipeline
will cause the build to fail. Otherwise they are silently swallowed
by the tee into the build log.
Issue #128: strip was updating timestamps, making some files look
like they didn't need to be replaced.
No issue: configure was reading from stdin, which would make builds
hang forever if a new option was present.
No issue: print the cbfstool output on a successful ROM build.
Issue #129: set pipefail so that intermediate failures in a pipeline
will cause the build to fail. Otherwise they are silently swallowed
by the tee into the build log.
Issue #128: strip was updating timestamps, making some files look
like they didn't need to be replaced.
No issue: configure was reading from stdin, which would make builds
hang forever if a new option was present.
No issue: print the cbfstool output on a successful ROM build.
This logs all of the sub-modules into $(build)/log/$(module).log
instead of to stdout, unless the user sets `V=1` on the make
environment. It produces a much quieter build, which should
allow integration into CI systems.
This fixes issue #111 which led to problems if /dev/console on
a container had a virtualized device that didn't match the
device major/minor that the Heads kernel was expecting.
Use --prefix="" to ensure that no destination paths are in libraries.
Use -fdebug-prefix-map to rewrite build path so that it does not
appear in the executables.
Use -gno-record-gcc-switches to ensure that the -fdebug-prefix-map
does not appear in the executables.
Change all of the builds to use $(MAKE) instead of the /usr/bin/make.
Download and build GNU make-4.2 if the wrong version is installed
on the system.
Re-invoke build/make-4.2/make with the target that was passed in once
the correct make has been built.
This adds compilations modules for musl-libc and kernel-headers.
The entire initrd (busybox, cryptsetup, gpgv, kexec, etc) can be built
with the much smaller libc and it appears to work with chroot.
Library paths are not set correctly and files are installed into
heads/install to make them accessible to other modules. This prevents
the initrd from working without manual fixup; need to fix before
merging into master.
Build times have gone up since everything is being rebuilt more
often for some reason.
As part of issue #1, we should build all libraries and programs that we
deploy into the Heads initrd. This modifies the module configurations
for all of them to install into heads/install so that we can build
against them.
Add dmsetup, cryptsetup and veritysetup (issue #46).
Build gpgv 1.4 as a standalone tool (issue #23).
Modify populate-lib to use the install directory by setting
LD_LIBRARY_PATH (issue #35).
rename TARGET to BOARD (fix#55)
use .INTERMEDIATE trick to avoid building multiple times (fix#52)
Don't touch build/*/.config if we don't have to (fix#51)
This touches most of the module configurations since the
coreboot build process had to add a few new features.
The Linux kernel could make use of it as well if we need
separate x230/chell/qemu kernels, for instance.
