Commit 46cad549 ("WiP flake.nix: make docker image usable for...")
added 'root' to the swtpm_setup call, but broke skip-if-exist because
the flags are supposed to be comma-separated. swtpm_setup was ignoring
skip-if-exist and would fail if the config files exist.
Put a comma there so it works again.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
flake.nix: add canokey-qemu lib, derive qemu on top of it and have qemu_kvm depend on the qemu derivative
targets/qemu.mk: modified to add canokey support by default if no "USB_TOKEN=" is specified on the make run call
CircleCI: base docker image pull on v0.1.6 containing the newly added derivatives
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
- push v0.1.3 and have latest point to the same image, add repro notes inside of README.md
- modify qemu.md to also refer to using docker images
TODO: remove NIX_REPRO_NOTES prior to merging
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
- include nix tools inside of the docker image to be able to call the garbage collector prior to creating the docker image.
- protect roots from garbage collection (WiP)
- Requires an external preparation call so that nix (the binary) is not wiped as well. See NIX_REPRO_NOTES at the end of the file for repro notes.
- Could probably be improved. Works as of now and created a 4GB vs 3.02GB docker image I'm uploading now.
- CircleCI bumped to use v0.0.9 version including this
- CircleCI now depending on flake.lock for all cache layers. Will rebuild clean once again
So now we have qemu with canokey support in the image, and basic nix tools inside of the container. Possible to call docker with DISPLAY, see NIX_REPRO_NOTES as of now.
That feels nice. No need for a USB security dongle to have TPM-based TPMTOTP or detached signing? Not tested, but the feature is there.
TODO:
- make docker image creation nicer in the Nix way.
- Add canokey support under targets/qemu.mk
- add canokey board version
At least we have the reproducible stack and the testing stack in the same docker image. Docker image moved from 991.18MB (v0.0.8) to 1.18GB (v0.0.9)
- And I tried to strip the binaries of symbols here! Seems like I do not know enough of the Nix way here.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Exception: scripts sourcing/calling etc/ash_functions continue to use the old TRACE functions until we switch to bash completely, getting rid of ash.
This would mean getting rid of legacy boards (flash + legacy boards which do not have enough space in flash for bash) once and for all.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Makefile: include all defined $BOARD BOARD_TARGETS (me, split_8mb4mb, ...)
TODO: VBIOS scripts for W530/T530 need way more work. To be done later.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Move the targets generating talos-2's tgz update package to targets.
While this wasn't duplicated, it breaks a cyclic dependency between
board config and BRAND_NAME by moving the ROM output name dependencies
later. The logic probably would be shared with similar boards if any
were supported, so it is in the spirit of the other targets/ shared
target Makefiles.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
The 8 qemu-* targets all contained nearly-identical copies of the
targets to prepare the TPM/disk/etc. and then run Qemu. The only
significant differences were for TPM1/TPM2 (extra swtpm_setup step,
addition of --tpm2 to swtpm_setup and swtpm). ROOT_DISK_IMG used := or
= differently in some boards, := was kept.
targets/qemu.mk now defines all Qemu targets and is included only for
qemu-* boards (by defining BOARD_TARGETS in each of those boards).
The documentation was moved from qemu-coreboot-fbwhiptail-tpm1-hotp/
qemu-coreboot-fbwhiptail-tpm1-htop.md to targets/qemu.md. The other 7
qemu boards' symlinks to that file were removed.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>