* patches/coreboot-4.12: add cross-compiler support patch
Ported from coreboot-4.8.1, re-exported via `git diff`
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* modules/coreboot: use musl-cross-make to build
revert toolchain bits to pre-4.12 addition
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* config/coreboot-librem_mini: use CONFIG_ANY_TOOLCHAIN
Needed since coreboot 4.12 now built with musl-cross-make
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* patches/coreboot-4.12: Add patch for Cannonlake ME status
Add patch print ME status regardless of enablement state
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* modules: add purism-blobs module
Rather than require users to manually run a script to download the required
blobs to build Purism Librem boards, automate it so the correct version
is automatically downloaded/extracted. Restrict to coreboot 4.12 for now
since 4.8.1 still needs FSP blobs, which are not in module.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* configs/linux-librem13v2: unset CONFIG_RETPOLINE
Fixes compilation issue with newer kernels, ignored by older ones
which don't need it
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* Add new board: Librem Mini
Add Librem Mini board patch for coreboot 4.12, board config and
coreboot config. Continue reusing existing librem13v2 Linux config,
same as all other Librem boards currently. Use new purism-blobs module.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* board/librem*: rename for consistency
Use 'librem_<board>' notation for consistency across all models.
Rename linux config file since used by multiple Librem models.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* CircleCI: add librem_mini board to test
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* modules/linux: Add support for multiple kernel versions
Follow same pattern as used for coreboot. Add existing kernel version
as default for all existing boards.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* modules/linux: Add option to use 4.19 LTS kernel
Add option to use kernel 4.19.139 (current LTS version).
Duplicate existing patches from 4.14.62 as they all apply cleanly.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* CircleCI: debian:10 docker based. Give possitility to override CACHE_VERSION through CircleCI when needed
* Makefile: fix#799 with implementation of @osresearch's recommended https://github.com/osresearch/heads/issues/799#issuecomment-673059028
* modules/coreboot : indentation fix and putting version hashes together to facilitate future maintainership.
Add version and hash for coreboot and coreboot-blobs modules.
Adjust to use own toolchain, fix blobs path and extraction depth.
Test: build Librem 13v4 using both coreboot 4.8.1 and coreboot 4.12
(after adjusting board defconfig), verify correct toolchains used to
build each, and that teh result is a bootable ROM.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Update to nitrokey-hotp-verification master (c0956cf) and drop
existing patch which is no longer needed.
Test: clean build for Librem 13v2
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
This reverts commit 972c25de7d.
This commit broke OEM factory reset functionality, so revert it
until the issue can be properly diagnosed.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
- Update flashrom module to v1.2.
- Drop Thinkpad x220 patch as it's now properly supported.
- Drop 'laptop=force_I_want_a_brick' from board FLASHROM_OPTIONS
since it's no longer needed.
- Migrate kgpe-d16 patch.
The kgpe-d16 patch needed a complete overhaul when rebased against
flashrom v1.2, and needs close inspection/testing as a result.
The following changes were made from the previous patch:
- dropped addition of 4-byte addressing (4BA), since now supported
- dropped addtiion of Macronix MX25L256 and MX66L512 chips,
since now supported
- added 4BA erase commands for Winbond W25Q256 chip
- dropped code to show progress indicator, since another PR already adds that
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Modeled after modules/tpmtotp, use a specific git commit hash for
module libremkey-hotp-verification. Add hidapi as a submodule with
dummy/placeholder in modules (like coreboot-blobs), also specified
by git commit hash. Adjust libremkey-hotp-verification patch file
name so patch applied properly.
Addresses issue #640
Test: build Librem 13v4
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Pass through new toolchain path via $(CROSS) so we can set the
c/c++ compiler paths correctly for CMake. Adjust patch to use
new paths, and fix compiler/linker paths to correct a libusb linking issue.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
The short commit id can cause the tar archive potentially cause
the root directory in the archive to be named with the short id
causing the verification to fail
Add `--strip 1` to tar file extraction in the `Makefile`,
which ensures that the directory name in `build/` will
match the one listed in `$($(MODULE)_dir)`.
Signed-off-by: Trammell hudson <hudson@trmm.net>
Launchpad offers HTTPS downloads, whereas other more obvious mirrors
(like the one used originally, as well as rpm5.org) do not.
Note: it is unclear to whether Launchpad's tarballs will always match
the checksum from upstream tarballs. However, at least for 1.16, this
condition does indeed seem to hold true. Homebrew, FWIW, lists OpenBSD
as a mirror:
https://github.com/Homebrew/homebrew-core/blob/master/Formula/popt.rb
The new URL automatically redirects to a nearby, current GNU mirror.
Also, the fact that it's HTTPS helps with restrictive outbound
firewall policies that disallow plaintext traffic (for example,
using Qubes' firewall functionality).
The current source URL is not available anymore.
kakaroto changed his copy of heads to point to his own github account's fbwhiptail:
b13cc5e68d
But it seems that source.puri.sm/coreboot is a more accessible home for the
project.
This reduces the amount of noise in the Linux kernel config files
by only storing the differences from the stock configuration.
It adds a new makefile target 'linux.saveconfig' to convert the
build tree's .config file into config/linux-linuxboot.config.
The Librem Key is a custom device USB-based security token Nitrokey is
producing for Purism and among other things it has custom firmware
created for use with Heads. In particular, when a board is configured
with CONFIG_LIBREMKEY, this custom firmware allows Heads to use the
sealed TOTP secret to also send an HOTP authentication to the Librem
Key. If the HOTP code is successful, the Librem Key will blink a green
LED, if unsuccessful it will blink red, thereby informing the user that
Heads has been tampered with without requiring them to use a phone to
validate the TOTP secret.
Heads will still use and show the TOTP secret, in case the user wants to
validate both codes (in case the Librem Key was lost or is no longer
trusted). It will also show the result of the HOTP verification (but not
the code itself), even though the user should trust only what the Librem
Key displays, so the user can confirm that both the device and Heads are
in sync. If HOTP is enabled, Heads will maintain a new TPM counter
separate from the Heads TPM counter that will increment each time HOTP
codes are checked.
This change also modifies the routines that update TOTP so that if
the Librem Key executables are present it will also update HOTP codes
and synchronize them with a Librem Key.