This is the result of running:
BOARD=nitropad-ns50 coreboot.save_in_oldconfig_format_in_place && make BOARD=nitropad-nv41 coreboot.save_in_oldconfig_format_in_place
Tests:
- whole shebang after firmware upgrade from zip up to booting from TPM DUK passphrase on nv41: ok
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
confirmed unneaded options (not present under librem boards linux configs) after testing: done
Tested:
- HOTP automatic boot after 5 seconds: ok
- Change of settings to write to SPI: ok
- Reseal TOTP to TPM: ok
- Reseal HOTP to NK3 mini: ok
- Automatic TPM DUK reseal after HOTP/TPMTOTP reseal: ok
- Boot of Q4.2.1 with TPM DUK passphrase: ok
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Log the board and version when entering the recovery shell. Extract
the firmware version logic from init.
Currently this is the only way to get the debug log. If we add a way
from the GUI, we may want to log the board and version somewhere else
too.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
LOG() is added to log to the log only (not kmsg, more verbose than
TRACE).
DO_WITH_DEBUG only captures stdout/stderr to the log with LOG().
kexec-boot silences stderr from kexec, we don't want it on the console.
No need to repeat the kexec command when asking in debug to continue
boot, it's no longer hidden behind verbose output from kexec.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
`eval "$kexeccmd"` should become `DO_WITH_DEBUG eval "$kexeccmd"` when
adding DO_WITH_DEBUG, command invocation is still the same, still needs
eval.
Restore DO_WITH_DEBUG in front of kexec-parse-boot that had been
removed.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
"$1 err:" looked like an error, but often there's output on stderr
that's diagnostic (like kexec -d). "$1 stderr:" is clearer.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
DO_WITH_DEBUG traces command exit status (if failed), stdout/stderr (if
not empty), and PATH (if command was not found). The caller still
observes the exit status, and stdout/stderr still go to the caller as
well.
This way, DO_WITH_DEBUG can be inserted anywhere with minimal spam in
the logs and without affecting the script.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Otherwise we get ehci-pci and xhci_hcd kernel messages in dmesg debug AFTER "Verifying presence of GPG card" which explains why dongle might not be found in time and fails in oem-factory-reset
Fixes https://github.com/Nitrokey/heads/issues/48
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
All boards with CONFIG_LINUX_USB=y ship ehci-* and xhci-*, they are
not controlled by CONFIG_LINUX_USB_COMPANION_CONTROLLER. Always
insert them when initializing USB. Fixes commit 35de2348
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Also remove output of attempted module loading since DEBUG will show if needed
Remove timeout after 30 seconds to unify UX and block
Change UX wording
Should address all PR review comments
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
- Add additional requirements to linux config
- Add additional CONFIG_MOBILE_TETHERING=y to all maximized board configs
- Fix issue under network-recovery-init to NTP sync against NTP server pool
- Extend network-recovery-init to first try NTP sync against DNS server returned by DHCP answer
- Remove network-recovery-init earlytty and tty0 redirection (console should be setuped properly by init in all cases)
- If CONFIG_MOBILE_TETHERING=y added to board config and network-recovery-init called, wait to user input on instructions and warning 30 secs before proceeding (non-blocking)
- Machines having STATIC_IP under board config won't benefit of autoatic NTP sync
Since network-recovery-init can only be called from recovery shell now, and recovery shell can be guarded by GPG auth, this is PoC code to be used to complement TOTP being out of sync
TODO(Future PR):
- Refactor into functions and reuse into TOTP/HOTP being out of sync automatically.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Passing the path to libgcc in LDFLAGS appears to no longer be needed.
Removing this fixes compilation on a freshly cloned repo.
Fixes#1507
Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
When testing a possible boot device, detect its partition type and
skip grub, LUKS, and LVM partitions. These aren't mountable as /boot,
this silences spurious exFAT errors.
In detect_boot_device, skip testing CONFIG_BOOT_DEV a second time if it
is found as a block device. This avoids doubling any errors shown from
checking this device, no sense trying it twice.
Refactor some logic to avoid duplication - extract
device_has_partitions and use it in detect_boot_device, extract
mount_possible_boot_device and use it instead of duplicating the logic.
Move find_lvm_vg_name() to /etc/functions.
Avoid mixing up similarly-named devices like 'nvme0n1'/'nvme0n10' or
'sda'/'sdaa' - it's probably unlikely that many devices will appear,
but looking for partitions in '/sys/class/block/<device>/' instead of
'/dev/' would avoid any collisions.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Since exFAT support was enabled, mounting an iso9660 filesystem prints
spurious exFAT errors to the console. That is because busybox mount
tries all filesystems in the order listed, and exfat precedes iso9660
(those are the last two in our config). Most filesystems are silent
when used on the wrong type of filesystem, but exFAT logs errors, which
appear on the console.
Move exFAT after iso9660, so iso9660 filesystems won't show these
errors. The errors will still appear if the filesystem is actually
exFAT but cannot be mounted.
There's no significant risk of misdetecting a remnant iso9660
superblock here either. Although an iso9660 superblock could fall in
the unused space between the exFAT boot region and the FAT itself,
mkfs.exfat does zero this space so it is unlikely such a remnant
superblock would exist.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>