Commit Graph

244 Commits

Author SHA1 Message Date
Krystian Hebel
d1fd05671a
patches/linux-5.5-openpower/0011: patch to expose CBMEM as file
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-03-30 21:03:26 +02:00
Krystian Hebel
06b52583fa
patches/linux-5.5-openpower/0010: new patch for enabling Google coreboot drivers
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-03-30 21:03:26 +02:00
Jonathon Hall
4e375ad7ca
tpm2-tools: Remove curl dependency
The actual use of curl was already removed, update tpm2-tools patch to
also remove the check for curl.  Remove the curl module and
CONFIG_CURL.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:44 -05:00
Thierry Laurion
6923fb5e20
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards
-coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations)
-swtpm set to be launched under TPM v2.0 mode under board config
-Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized)
This is skeleton for TPM v2 integration under Heads

-------------
WiP

TODO:
- libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built
- Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing
- init tries to bind fd and fails currently
- Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output
- When no OS' /boot can be mounted, do not try to TPM reset (will fail)

- seal-hotpkey is not working properly
- setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM)
  - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase.
- primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup
- would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only
- tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help.
  - Implementing them would be better
- REVIEW TODOS IN CODE
- READD CIRCLECI CONFIG

Current state:
- TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid)
- TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without.
 - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails.

- Current tests are with fbwhiptail (no clear called so having traces on command line of what happens)
 - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
2023-03-08 12:45:43 -05:00
Thierry Laurion
c323fb4d8b
patches/util-linux: patch configure script so that all hardcode_into_libs=yes -> hardcode_into_libs=no 2023-03-07 11:02:17 -05:00
Thierry Laurion
6300dd178a
Pass all coreboot 4.13 boards to 4.19
- Add 4.19 under modules/coreboot
- point all 4.13 boards to 4.19
- adapt x230 FHD/EDP patch under patches/coreboot-4.19/0001-x230-fhd-variant.patch (poked upstream to fix patch under https://review.coreboot.org/c/coreboot/+/28950)
- correct versioning info under .circleci/config/yml
2023-02-27 18:07:06 -05:00
Daniel Pineda
f0dc3541f5
patches/busybox-1.32.0.patch: remove, no longer needed with busybox upgrade.
Signed-off-by: Daniel Pineda <daniel.pineda@puri.sm>
2023-02-21 15:00:07 -06:00
Matt DeVillier
0e356e43cb
modules/busybox: update 1.32.0 -> 1.33.2 (stable)
- update module version, hash
- rename patch
- update config

Busybox 1.33.0 adds base32, which has been disabled in busybox.config
as it conflicts with tpmtotp's base32.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-02-21 14:34:27 -06:00
Thierry Laurion
2b05a6b42c
Add x230-maximized-fhd_edp and x230-hotp-maximized-fhd_edp boards
- add x230-maximized-fhd_edp and x230-hotp-maximized-fhd_edp board configs
- add/rework coreboot patch for x230 fhd variant to be applied on top of 4.13
- add coreboot config to point to x230-edp variant, fixing path to vbt file since default path is wrong under. Comment made upstream https://review.coreboot.org/c/coreboot/+/28950/22#message-4904ce82f01ba0505b391e072e4537b6a9f1a229
  - remove no gfx init and replace with libgfxinit(defonfig default), set internal display as default
- add x230-hotp-maximized-fhd_edp and x230-maximized-fhd_edp to CircleCI builds
- One single shared coreboot config between boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config and boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config
- Coreboot 4.13 patch from coreboot at patches/coreboot-4.13/0002-x230-fhd-variant.patch
- config/coreboot-x230-maximized-fhd_edp.config points to seperate coreboot config per patch (CONFIG_BOARD_LENOVO_X230_EDP)
2023-01-31 09:58:43 -05:00
Jonathon Hall
487c5b0815
coreboot-4.11: Fix remaining patch to work with git apply
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-01-04 09:04:19 -05:00
Thierry Laurion
14adf647eb
coreboot 4.13: remove transient patch to download over http instead of https 2022-12-14 14:35:12 -05:00
Thierry Laurion
16bc658018
coreboot 4.11: Re-add patch removed by error which was a race condition patch 2022-12-14 14:35:05 -05:00
Thierry Laurion
4cd678efb5
coreboot 4.11 now builds locally with make 4.2.1+ (CircleCI still unfixed) 2022-12-14 12:06:11 -05:00
Thierry Laurion
3e893b7df7
coreboot 4.11 patches: made compliant with git apply (removal of https->http temp fix) 2022-12-14 12:05:10 -05:00
Daniel Pineda
8150e300ee
modules/coreboot: remove support for coreboot 4.15
patches/coreboot-4.15: remove patches for coreboot 4.15

No boards depend on it and is affected by CVE-2022-29264

Signed-off-by: Daniel Pineda <daniel.pineda@puri.sm>
2022-09-15 10:17:34 -06:00
Daniel Pineda
146b78e08c
patches/coreboot-4.17: Add Librem 4.17 patches
Add patches for coreboot 4.17:
- show ME status even when device is disable (kept from 4.15)
- zero unused part of SMBIOS region

Signed-off-by: Daniel Pineda <daniel.pineda@puri.sm>
2022-09-12 13:21:59 -06:00
Sergii Dmytruk
55ef9912aa
Add Talos 2 boards
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-08-31 00:21:28 +03:00
tlaurion
48b9b74f39
Merge pull request from tlaurion/replace_patch_git_git_apply
Makefile: replace patch with git apply
2022-08-30 15:15:42 -04:00
Sergii Dmytruk
f16e92792a
Support targeting PowerPC 64
This prepares most of the modules to be build for it.

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-08-25 20:55:39 +03:00
Thierry Laurion
921daabdaf
Makefile: replace patch with git apply
Otherwise binary patches cannot be patched/created

Additional fixes needed
- flashrom patch was invalid and got catched by git apply. Correcting
- gpg2-2.2.21.patch was pointing to bad target. Correcting
2022-08-21 14:28:30 -04:00
Thierry Laurion
bf415a8d69
Remove local build of gawk make
-Makefile: remove local gawk and make version compare and local build
-modules: remove gawk and make
-patches: remove make

local make was added to build 4.2.1 on OSes that were having older version. It was then patched to be built on OSes having newer buildstack.
local gawk was added when GPG toolstack was older then libgpg-error 1.37. GPG toolstack was then upgraded, but local gawk stayed.

Removing those permits better parallelization and of builds and reduces CircleCI (and higher cores systems) to have race conditions and stalled builds
2022-06-23 10:51:13 -04:00
Thierry Laurion
981cb96f25
Fix current builds
- zlib 1.2.12 release is not respecting cross compiling. 1.2.11 disappeared from servers: taking another archive link, same hash.
- busybox 1.32.0 was not patched with 1.28.0 patch. Renaming patch so that its applied in fresh builds.
2022-04-01 09:47:39 -04:00
Thierry Laurion
3b99caa996 coreboot-4.11 patches: remove unwanted .orig artifacts that seems to be making CircleCI fail in the past days.
Heads build system is reextracting archives and reapplying patches on each iteration.
CircleCI optimizes building time by providing cache mechanisms and forces users to build a target under an hour.
This is to force Open Source projects (free tier) to not be leechers of the free tier.

In the past days, CircleCI bails on building coreboot 4.11 boards because some files being cached are already being present (created files from patches).
In those, two files were unwanted artifacts, recreated on top of coreboot 4.11 extracted original files (undesired .orig files), while bailing on the creating of src/security/tpm/sha1.c from patches/coreboot-4.11/0001-Add-Heads-TPM-measured-boot-support.patch.

Hopefully, this is CircleCI having a maximum of 3 automatically entered input (it fails on the 3rd)... And this fix will permit src/security/tpm/sha1.c and src/security/tpm/sha1.h to be skipped if existing.
Below, we see that CircleCI fills patch prompts with EOF 2 times, and then waits for input and then timeouts.

Here is the failing log trace from https://app.circleci.com/pipelines/github/tlaurion/heads/990/workflows/f2a430fd-dc8c-4e95-abe3-364a0e825533/jobs/4914/parallel-runs/0/steps/0-103:

Exerpt of that log:
if [ -d patches/coreboot-4.11 ] && [ -r patches/coreboot-4.11 ] ; then for patch in patches/coreboot-4.11/*.patch ; do echo "Applying patch file : $patch " ; ( cd /root/project/build/coreboot-4.11/ ; patch -p1 ) < $patch || exit 1 ; done ; fi
Applying patch file : patches/coreboot-4.11/0000-cpu-x86-smm-Use-PRIxPTR-to-print-uintptr_t.patch
patching file src/cpu/x86/smm/tseg_region.c
Applying patch file : patches/coreboot-4.11/0001-Add-Heads-TPM-measured-boot-support.patch
patching file src/Kconfig
The next patch would create the file src/Kconfig.orig,
which already exists!  Assume -R? [n] EOF
Apply anyway? [n] EOF
Skipping patch.
1 out of 1 hunk ignored
patching file src/include/program_loading.h
patching file src/lib/cbfs.c
patching file src/lib/hardwaremain.c
Hunk  succeeded at 549 (offset 8 lines).
patching file src/lib/rmodule.c
patching file src/security/tpm/Makefile.inc
The next patch would create the file src/security/tpm/sha1.c,
which already exists!  Assume -R? [n] make: *** [Makefile:507: /root/project/build/coreboot-4.11/.canary] Hangup

context deadline exceeded
2022-02-23 16:59:26 -05:00
Thierry Laurion
0670bcd1c6 coreboot 4.11: add patch to fix assembly.inc directory not always being present and causing race condition in parallelized builds with high number of cores 2022-02-08 13:58:14 -05:00
Thierry Laurion
4b260071c3 Retry CircleCI for 4.11 on Debian 10 docker
- Add kgpe-d16 patch to remove HID for PCI devices (successful build on top of  and  per https://app.circleci.com/pipelines/github/tlaurion/heads/937/workflows/de49bea0-3f58-4a91-8891-87622f5a0eed)
- CircleCI modified to build for coreboot 4.11 kgpe-d16_workstation on top of 4.15 passed workspace
- CircleCI modified so that we still archive all the logs in artifacts for the current build even if failing. We now exit 1 after having archived all the log files under build/
2022-02-03 15:04:09 -05:00
Thierry Laurion
1693644d56 patches/coreboot-4.11: Add patches to build on newer systems
- remove https patch that was made as temporarily fix for bad cert
- upgrade crossgcc's iasl to 2021 so toolchain can be built on debian 11+
- make iasl report itself as being part of coreboot crossgcc build stack.
- remove acpinames from buildgcc make jobss
- add missing string include for binutils gold
- add gnat statements workarounds
- patch Librem L1UM ACPI for newer IASL

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2022-02-03 15:04:09 -05:00
Matt DeVillier
411ecc50f4
patches/coreboot-4.15: Add Librem 4.15 patches
Add patches to coreboot 4.15 to:
- show ME status even when device is disable
- fix PCIe RP hotplug on Librem 14
- fix ME reset timeout on Librem 13/15

This synchronizes with Purism's coreboot 4.15-Purism-3 tag.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2022-01-27 16:38:51 -06:00
Matt DeVillier
ffde47133f patches/coreboot-4.14: Add patches for Librem mini, 14
Patches for the Librem Mini (v1/v2) and Librem 14 upstreamed
post-4.14. Fixes some issues with acoustic noise and headphone
jack detection.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-15 15:11:39 -04:00
Matt DeVillier
e6dbfab3c2 board/librem_{mini,mini_v2}: Migrate from coreboot 4.13 to 4.14
- adjust board configs
- move/rename coreboot patch
- adjust comment in CI config

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-15 15:11:39 -04:00
tlaurion
6f0a8522fd
Merge pull request from bluecmd/patch-make
Fix make 4.2.1 to build on newer systems
2021-10-15 14:36:02 -04:00
Christian Svensson
d77ffeda4f Fix make 4.2.1 to build on newer systems
This patch makes it possible to build make 4.2.1 using newer systems
that otherwise would complain about a missing definition of __stat.

Signed-off-by: Christian Svensson <blue@cmd.nu>
2021-09-30 22:01:55 +02:00
Matt DeVillier
7f13418a9a
kexec: Update to version 2.0.22 (was: 2.0.20)
Update version, download hash, patch filename.

Fixes some IOMMU-related issues on Librem Mini v1/v2, L14

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-09-15 10:22:54 -05:00
tlaurion
883f4958f8
Merge pull request from hardenedvault/cryptsetup-2.3
Upgrade to cryptsetup 2.3 and make cryptsetup1/cryptsetup2 optionals
2021-02-04 18:21:38 -05:00
HardenedVault
da7f6f734f make cryptsetup1/cryptsetup2 optional 2021-01-30 07:28:28 +02:00
Thomas Clarke
194edf5424
modules/linux: Add support for building against Linux 5.10.5. All patches besides 0000-efi_bds.patch port cleanly. As a result of 0000-efi_bds.patch missing, it is strongly encouraged that no linuxboot boards use Linux 5.10.5 until a proper review has been done. 2021-01-07 19:24:03 +00:00
Thierry Laurion
bbaa049ad1
coreboot buildgcc: TEMPORARY HACK: gnu mirrors are failing because of https errors. Falling back to http. 2021-01-03 21:14:50 -05:00
Thierry Laurion
8e4485347e
coreboot: revert building coreboot against musl-cross-make.
coreboot: correct $$CPUS -> $(CPUS)
2020-12-29 17:06:54 -05:00
Matt DeVillier
883ac669a8
modules/coreboot: bump 4.12 build option to 4.13
- update module hash and blobs hash
- drop patches no longer needed; migrate those that remain
- adjust Librem Mini/Mini v2 board configs

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-12-14 21:03:32 -06:00
tlaurion
1661e5dcb0
Merge pull request from Tonux599/kgpe-d16_411_measured-boot
KGPE-D16 Coreboot 4.11 + Measured Boot
2020-12-02 18:23:55 -05:00
tlaurion
36c04f19e4
Add xx30-maximized and xx30-hotp-maximized boards (11.5mb flashable BIOS regions, reproducible me.bin and generated gbe.bin and totally externally and internally flashable roms) ()
* xx30-*-maximized: update flashrom options removing --ifd bios option, keeping whole flash of rom internally. WARNING: ifd needs to be initially unlocked through ifdtool -u on 8mb bottom SPI backup. YOU CANNOT COME FROM 1VYRAIN. IF COMING FROM SKULLS, YOU MUST HAVE RAN OPTIONAL -u OPTION FROM SKULLS. PLEASE UPGRADE ONLY AFTER HAVING A PHYSICAL BACKUP OF BOTH SPI FLASH CHIPS. MORE INFORMATION UNDER https://github.com/osresearch/heads/pull/703. This will guarantee that future flash of produced rom will reflash the ROM totally, where heads make sure of adding users customizations (public key, /etc/config.user) when internally flashed. Unfortunately, if you flash externally, you will have to reinject your public key and readd /etc/config customizations.

* Adding generated bincfg coreboot 4.8.1 patch (merged under coreboot 4.13 and backported here to 4.8.1), resulting in gbe.bin under blobs/xx30/gbe.bin and instructions to replicate in README prior of automation (under repo). Note that MAC under gbe.bin is fixed to DE:AD:C0:FF:EE unless extract.sh script is ran on external backup to keep current user's MAC (Thanks to @Thrilleratplay's contribution!)

* xx30 blobs: add two blobs management scripts for xx30: extract from local backup/download+neuter ME
extract.sh: extract from external backup: gbe.bin, neuter under me.bin and maximize BIOS+reduce ME regions under unlocked ifd.bin. 
download_clean_me.sh: download and verify Lenovo latest ME version from website, and drop me.bin in place.
Note: me.bin is 98kb, containing only BUP and ROMP partitions which cannot be modified nor deleted else computer won't boot. As a result, BIOS region is maximized in ifd.bin to 11.5mb and coreboot config takes advantage of that freed space.

* CircleCI: xx30-*-maximized additional step to call download_clean_me.sh prior of building boards so that me.bin is dopped in place. This should be done by users prior of building xx30-*-maximized boards locally, which is imitated in CircleCI builds (look at .circleci/config.yaml for innoextract host added dependency and board buildings. Results on github for each commit).
2020-12-02 17:01:44 -05:00
Thomas Clarke
572f5b3414
On KGPE-D16 boards, ensure linux-kgpe-d16*.config are up-to-date by:
cp config/linux.. ./build/linux*/.config
	cd build/linux*
	make savedefconfig
	cp defconfig ../../config/linux..

Resulting in only linux-kgpe-d16_workstation.config being updated.

For KGPE-D16 workstation boards:
Remove `console=tty0` from `CONFIG_BOOT_KERNEL_ADD` as was blocking Qubes graphical installer (CLI installer was launched).
Comment out `export CONFIG_BOOT_KERNEL_REMOVE="plymouth.ignore-serial-consoles"` to provide a more desktop like experience.

Removed 0001-cpu-x86-smm-Use-PRIxPTR-to-print-uintptr_t.patch as already exists as 0000-cpu-x86-smm-Use-PRIxPTR-to-print-uintptr_t.patch

Added 0020-kgpe-d16_measured-boot-support.patch for coreboot 4.11

Fix TPM errors when microcode is measured by initialising TPM earlier and loading the microcode later.
Thanks to Michał Żygowski <miczyg1> for condition suggestion: `if (CONFIG(MEASURED_BOOT) && CONFIG(LPC_TPM) && boot_cpu())`

Locate bootblock location and size with CBFS API. Credit to: Michał Żygowski <miczyg1>
2020-12-02 15:56:42 +00:00
Thomas Clarke
6bd3f815e4
Better vboot-rwa.fmd for KGPE-D16.
Bring patches/coreboot-4.11 on par with master

Removed patches/coreboot-4.11/0020-kgpe-d16-vboot.patch
Removed Vboot options from KGPE-D16 coreboot configs

Enabled TPM in kgpe-d16 board configs
Enabled measured boot in kgpe-d16 coreboot configs.

Added support for video cards that require nouveau, radeon and amdgpu drivers in linux-kgpe-d16_workstation.config

`nouveau.config=NvForcePost=1` to be added to kexec'd kernels for better Nvidia card support.
2020-12-02 15:56:41 +00:00
Thierry Laurion
bac1d54bde
Activate dual console by default and restructure board config
Changing CONFIG_USB_BOOT_DEV to sdc1, adding back CONFIG_BOOT_STATIC_IP to 192.168.2.3, adding dual console to OpenBMC and tty0 in attempt to have QubesOS graphic installer which complains with no networking when attempting to start VNC

Adding dual console to OpenBmc and tty0

putting kgpe-d16-coreboot.conf in defconfig format

NO_HZ wasn't included in kernel config. Adding it.

Wasn't able to have both console firing up QubesOS gui installer, complaining about hvc1 console errors. Splitting up Workstation and server config. This one works for Worstation

Removing serial configuration and static IP stuff since we have a workstation here.

Seperate Workstation and Server board configurations until dual console truely works through QubesOS gui installation. kgpe-d16 board config removed until then.

Placing files in good directories

Corrrect flashrom options for kgpe-d16 server and workstation boards

kgpe-d16 linux: NO_HZ_IDLE instead of NO_HZ

kgpe-d16: seperate board for workstation to be AST and gui-init based, while kgpe-d16-> kgpe-d16_server

kgpe-d16_server: boots, shows ASpeed text on VGA, controllable through BMC via SSH.

kgpe-d16_workstation on ASpeed console. WIP. (Includes CIs configs to build server and workstation)

kgpe-d16_workstation in defconfig format

kgpe-d16 boards: pass from GPG to GPG2 board definitions

kgpe-d16_workstation : Adding Cairo and FbWhpitail in board config for gui-init to work in FB mode

kgpe-d16: removing plymouth.ignore-serial-consoles to fix server terminal output

kgpe-d16: bring par with staging branch https://gitlab.com/tlaurion/heads/commits/kgpe-d16_staging

kgpe-d16 : expressively export CONFIG_TPM=n

kgpe-d16_wokstation gui-init variables were missing

kgpe-d16 boards: add CONFIG_LINUX_USB_COMPANION_CONTROLLER so that usb is recognized

linux-kgpe-d16*: add support for Pike

kgpe-d16_workstation-usb_keyboard board support addition

kgpe-d16_server-whiptail: Add board and dependencies to have gui-init in whiptail (console mode, not FbWhiptail based

GitlabCI: kgpe-d16 fixes and upstream merge of change

kgpe-d16* board: add statement to fixate coreboot version to 4.8.1 for the moment

kgpe-d16: add missing config/linux-kgpe-d16_server-whiptail.config file

KGPE-D16: community work migration to coreboot 4.11 to fix issue 

KGPE-D16 boards: Adding VBOOT+measured boot, musl-cross patch and 4.11 patch brought up per https://github.com/osresearch/heads/pull/709

kgpe-d16* boards: add VBOOT Kconfig patch per @miczyg1 recommendation under https://github.com/osresearch/heads/pull/795#issuecomment-671214637

KGPE-D16* coreboot configs: Add S3NV as a Runtime data whitelist (so that it is not measured at term) per @miczyg1 recommendation under https://github.com/osresearch/heads/pull/795#issuecomment-671214637

kgpe-d16 coreboot 4.11: add https://review.coreboot.org/c/coreboot/+/36908 patch

kgpe-d16 boards: add Linux kernel version where missing.

CircleCI: Add debug output on fail for kgpe-d16 board builds to bring par with upstream after rebasing on master

coreboot module: typo correction (tabs vs spaces)

CircleCI: trying to address "g++: fatal error: Killed signal terminated program cc1plus." happening under coreboot 4.11 and coreboot 4.12 builds

CircleCI: remove past addition to test recommendation from CircleCI: "resource_class: large"

CircleCi: Ok.... lets output dmesg content prior of other logs.... I'm out of ideas. Next step, ask CircleCI for support

At this stage:
- job's "make --load" is supposed to guarantee that the number of thread doesn't exhaust pass of a load of 2 (medium, free class, CircleCI has 32 cores so possibility of a load of 32)
- "--max_old_space_size=4096" in CircleCI environement is supposed to limit memory consumption to 4096Mb of memory, the max of a medium class free tier CircleCI node

CircleCI: remove verbose build (no more V=1), in case of failed build, find all logs modified in last minute and output each of them on console.

coreboot module: implement load average respect inside of problematic CI build for coreboot 4.11+ being killed in the action (32 cores with 4Gb ram get gcc OOM)

coreboot module: replace nproc by number of Gb actually available as number of CPUs, since each thread is expected to have 1Gb of ram.

CircleCI & coreboot config: fix merge conflict rebasing on master

coreboot 4.11 kgpe-d16 vboot patches addendum, credits goes to @Tonux599

Fix merge conflicts and make sure all boards are inside of CircleCI builds. PoC build for 
2020-12-02 15:56:34 +00:00
Matt DeVillier
85f52e7c7d patches/coreboot-4.12: Add support to coreboot for Librem Mini v2
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-11-19 15:39:44 -05:00
Matt DeVillier
904b64db93 patches/coreboot-4.12: Add patches to update Librem Mini
Combination of commits from upstream coreboot master backported to
coreboot 4.12 (tag) to improve performance/functionality, and
prepare for addition of Librem Mini v2.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-11-19 15:39:44 -05:00
Matt DeVillier
acd9d258b8 patches/coreboot-4.12: Add patch for cbmem alignment
Cherry-pick of commit 3dea2b63eeb8f97b31571f6f0eb37f38f9967b6b
[soc/intel/common/block/systemagent/memmap.c: Align cached region]
from upstream coreboot.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-11-19 15:39:44 -05:00
HardenedVault
057cc3c377 [WIP] cross build json-c and cryptsetup 2020-10-28 15:28:05 +02:00
tlaurion
e3519f2ecd
WiP: gpg2 2.21 LTS upgrade (gnupg toolstack) ()
* gpg2: change gpg2 toolstack to gpg2 2.21 LTS
* remove additional gpg2 unneeded configure options across gpg2 toolstack dependencies
2020-10-26 10:19:57 -04:00
MrChromebox
b71f3757c1
modules/linux: add support for building with kernel 5.4.69 ()
* modules/linux: add support for building with kernel 5.4.69

Add support to module, port patches from 4.19.139.
Needed for newer platforms not supported by 4.19 kernel.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

* CircleCI: add rysnc dependency for building kernel 5.x

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

* Migrate all Librem boards to kernel 5.x, common config

Update linux-librem_common.config from 4.x to 5.x, and add
CONFIG items needed to support the librem_l1um (AST DRM drivers,
serial port output).

Tested on Librem 13v4, Librem Mini, and Librem Server L1UM.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-10-25 01:26:08 -04:00
MrChromebox
85d7e29d18
Add new board: Purism Librem Server L1UM ()
* modules/coreboot: add option to use coreboot 4.11

Port patches from coreboot 4.8.1 to 4.11:
* 0000-measure-boot -> 0001
* 0010-cross-compiler-support

All other patches for coreboot 4.8.1 have either already been
integrated, or are for platforms which do not need to be migrated
to coreboot 4.11 (they will move to 4.12 or newer).

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

* patches/coreboot-4.11: Add Broadwell-DE platform patch

Add a patch for FSP Broadwell-DE to make use of Heads' measured boot.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

* patches/coreboot-4.11: Add patch to read serial # from CBFS

Will be used by multiple Librem boards.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

* patches/coreboot-4.11: add board support for Librem Server L1UM

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

* Librem Server L1UM: add new board

Add board config, coreboot config, kernel config files.
Add conditional purism-blobs dependency to coreboot-4.11 module.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

* flash.sh: add special handling for librem_l1um board

Add support for persisting PCIe config via PCHSTRP9 in flash descriptor.
This is needed to support multiple variants of the L1UM server which
use the same firmware but differ in PCIe lane configuration via the
PCH straps configuration in the flash descriptor.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

* patches/coreboot-4.11: Add 'Use PRIxPTR to print uintptr_t' patch

Cherry-picked from upstream coreboot (post-4.11), fixes compilation issue.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

* CircleCI: add target to build board librem_l1um

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-10-18 14:48:25 -04:00
MrChromebox
3c24460f1a
modules/flashrom: update to add support for Comet Lake-U ()
Update to upstream flashrom (post v1.2) commit 4d3657b4:
Add support for Comet Lake-U/400-series PCH

kgpe-d16 patch from flashrom 1.2 still applies cleanly.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-10-18 10:17:34 -04:00
tlaurion
b80899f36c
musl-cross: remove old patch artifact of the musl-cross era ()
* musl-cross: remove old patch artifact of the musl-cross era

* CircleCI: do not produce hash digest for musl-cross-make patches (artifact was for musl-cross, not musl-cross-make)
2020-10-16 15:26:59 -04:00
MrChromebox
92e9a24902
coreboot-4.12: Use musl-cross-make ()
* patches/coreboot-4.12: add cross-compiler support patch

Ported from coreboot-4.8.1, re-exported via `git diff`

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

* modules/coreboot: use musl-cross-make to build

revert toolchain bits to pre-4.12 addition

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

* config/coreboot-librem_mini: use CONFIG_ANY_TOOLCHAIN

Needed since coreboot 4.12 now built with musl-cross-make

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-10-02 15:12:59 -04:00
MrChromebox
268fb90623
Add new board: Purism Librem Mini ()
* patches/coreboot-4.12: Add patch for Cannonlake ME status

Add patch print ME status regardless of enablement state

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

* modules: add purism-blobs module

Rather than require users to manually run a script to download the required
blobs to build Purism Librem boards, automate it so the correct version
is automatically downloaded/extracted. Restrict to coreboot 4.12 for now
since 4.8.1 still needs FSP blobs, which are not in module.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

* configs/linux-librem13v2: unset CONFIG_RETPOLINE

Fixes compilation issue with newer kernels, ignored by older ones
which don't need it

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

* Add new board: Librem Mini

Add Librem Mini board patch for coreboot 4.12, board config and
coreboot config. Continue reusing existing librem13v2 Linux config,
same as all other Librem boards currently. Use new purism-blobs module.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

* board/librem*: rename for consistency

Use 'librem_<board>' notation for consistency across all models.
Rename linux config file since used by multiple Librem models.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

* CircleCI: add librem_mini board to test

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-09-02 14:39:37 -04:00
MrChromebox
f23ced0a3b
Support Multiple Kernel Options ()
* modules/linux: Add support for multiple kernel versions

Follow same pattern as used for coreboot. Add existing kernel version
as default for all existing boards.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

* modules/linux: Add option to use 4.19 LTS kernel

Add option to use kernel 4.19.139 (current LTS version).
Duplicate existing patches from 4.14.62 as they all apply cleanly.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-08-20 19:26:48 -04:00
Patrick Rudolph
28d3b7c89c
patches/coreboot-4.8.1: Measure firmware into PCR2 ()
As part of migration to coreboot 4.12, which includes measured boot
without additional patches, measure all parts of the firmware and the
payload into PCR2.

The same is done in coreboot 4.12. This commit ensures that boards not
migrated yet will show the same behaviour.

TODO: Update heads-wiki.

Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
2020-08-11 17:54:59 -04:00
tlaurion
116787fd03
Merge pull request from Nitrokey/kexec-debian
Fix kexec to work with Debian Installer (fixes )
2020-08-01 15:52:57 -04:00
alex-nitrokey
83cac9ed14
Fix kexec to work with Debian Installer (fixes )
This patch was reported by @bemoody in issue 

Tested via `BOARD=x230-hotp-verification` on a Thinkpad x230

Signed-off-by: alex-nitrokey <alex@nitrokey.com>
2020-07-30 22:11:05 +02:00
Matt DeVillier
d6292015a1
modules/hotp-verification: Update and drop patch
Update to nitrokey-hotp-verification master (c0956cf) and drop
existing patch which is no longer needed.

Test: clean build for Librem 13v2

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-07-30 14:26:59 -05:00
Matt DeVillier
302f044e8e
patches: Add patch to fix hotp-verification
Commit 7ea13ee0 made some significant changes to Librem/Nitrokey
verification which broke both compilation and calls to hotp_initialize.
Fix them via a patch until it's fixed upstream.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-07-28 01:20:06 -05:00
alex-nitrokey
ff58f1524d
Fix build issue
* use --libdir to fix issue with .la files which had //lib as lib folder
* add libblkid as library
2020-06-19 16:23:16 +02:00
alex-nitrokey
1ef8d14921
Use configure parameter instead of patchfile for rpath
* hardcode rpatch patch not needed as `--disable-rpath` is available
* remove obsolete config parameters
2020-06-11 14:48:50 +02:00
alex-nitrokey
f674a47997
Add patch for cryptsetup 2.3.3
Following commit ed3602f0ba (maintain
reproducibility by removing rpath) and applying the same changes for new
version of cryptsetup.
2020-06-10 16:55:25 +02:00
alex-nitrokey
0e349c565e
Update hotp-verification 2020-06-09 18:42:55 +02:00
tlaurion
0cd1a0d04c
Revert "GPG toolstack upgrade to latest available versions (Fixes Gawk issue)" 2020-05-22 14:55:41 -04:00
Thierry Laurion
241b0bc680
upgrade gpg toolstack to latest versions
- Remove unrecognized configure options
- fixes gawk issue  by upgrading to libgpg-error 1.37 instead of patching 1.32 for regex change (fixed upstream)
- move patches so they match new versions for libassuan, gpg and libgcrypt (no change)

Version change:
- gpg 2.2.10 -> 2.2.20
- libassuan 2.5.1 -> 2.5.3
- libgcrypt 1.8.3 -> 1.8.5
- libgpg-error 1.32 -> 1.37

Size changes:
- gpg 			886.5 -> 911.3 kB
- gpg-agent:		371.9 -> 376.0 kB
- scdaemon:		399.5 -> 407.8 kB
- libgpg-error.so.0	125.9 -> 130.0 kB

Unrecognized options on gpg2 toolstack:
- disable-nls and disable-asm disable-keyserver-helpers disable-hkp disable-finger disable-dns-srv disable-dns-cert and disable-wks-server
2020-05-20 13:19:51 -04:00
flawedworld
5a033fa80d T430 TPM Backport 2020-05-15 18:51:49 +01:00
Thierry Laurion
15e19d0594
coreboot patch: remove acpica-unix2-20180531.tar.gz url change fix since acpica.org is now functional again while crux.ster.zone is not... 2020-05-03 23:39:15 -04:00
Matt DeVillier
b29447ef8f
modules/flashrom: update to v1.2 release
- Update flashrom module to v1.2.
- Drop Thinkpad x220 patch as it's now properly supported.
- Drop 'laptop=force_I_want_a_brick' from board FLASHROM_OPTIONS
  since it's no longer needed.
- Migrate kgpe-d16 patch.

The kgpe-d16 patch needed a complete overhaul when rebased against
flashrom v1.2, and needs close inspection/testing as a result.
The following changes were made from the previous patch:

- dropped addition of 4-byte addressing (4BA), since now supported
- dropped addtiion of Macronix MX25L256 and MX66L512 chips,
  since now supported
- added 4BA erase commands for Winbond W25Q256 chip
- dropped code to show progress indicator, since another PR already adds that

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-04-20 17:34:08 -05:00
Thierry Laurion
58cb8df266
coreboot-4.8.1: acpica-unix2 cannot be downloaded per www.acpica.org since cert is signed by Intel which cert authority is unknown from older build systems... Cert was renewed March 10 2020. URL changed to crux.ster.zone 2020-03-15 18:45:33 -04:00
Matt DeVillier
28fedf9a7e
modules/libremkey-hotp-verification: make reproducible
Modeled after modules/tpmtotp, use a specific git commit hash for
module libremkey-hotp-verification. Add hidapi as a submodule with
dummy/placeholder in modules (like coreboot-blobs), also specified
by git commit hash. Adjust libremkey-hotp-verification patch file
name so patch applied properly.

Addresses issue 

Test: build Librem 13v4

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-02-19 13:37:41 -06:00
Matt DeVillier
ad2395d3db
libremkey-hotp-verification: toolchain adjustments
Pass through new toolchain path via $(CROSS) so we can set the
c/c++ compiler paths correctly for CMake. Adjust patch to use
new paths, and fix compiler/linker paths to correct a libusb linking issue.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-01-22 12:03:05 -06:00
Francis Lam
ed3602f0ba
modules: maintain reproducibility by removing rpath 2020-01-16 09:36:42 -08:00
Francis Lam
23d0126407
kexec: update to 2.0.20
Fix issue with kexec failing to load the target kernel when
building with musl-cross-make
2020-01-16 09:30:15 -08:00
tlaurion
8e4b10922b
Merge pull request from osresearch/musl-cross-make
Use musl cross make for Heads, Linux, coreboot and edk2
2020-01-15 13:15:19 -05:00
tlaurion
a5f4d7d8be
Merge pull request from osresearch/lvm-segfault
lvm2: turn off buffering, which prevents segfault with new musl ()
2020-01-15 13:14:30 -05:00
Trammell hudson
6962bfda10
lvm2: turn off buffering, which prevents segfault with new musl ()
Signed-off-by: Trammell hudson <hudson@trmm.net>
2020-01-09 13:27:09 +01:00
Trammell Hudson
791d064397
musl-cross-make: replace all cross compilers with musl-cross-make
Signed-off-by: Trammell Hudson <hudson@trmm.net>
2020-01-08 17:08:15 +01:00
Trammell hudson
6c93a5e854
libksba: fix name of patch file
Signed-off-by: Trammell hudson <hudson@trmm.net>
2020-01-08 10:01:21 +01:00
Trammell Hudson
69f3cc46ab
libksba: fix qsort handler to sort the string table in a reproducible way
Signed-off-by: Trammell Hudson <hudson@trmm.net>
2020-01-07 19:01:59 +01:00
tlaurion
8af849cadc
Merge pull request from osresearch/musl-cross-pin
Pin tag of musl-cross, tpmtotp and msrtools
2019-12-06 10:52:50 -05:00
rofl0r
7370b75945 update musl-cross to 1952975
this should fix issues with compressed ELF header sections.
2019-12-02 23:03:14 +00:00
tlaurion
b4a647c485
Merge pull request from osresearch/debug-linux
Enable verbose bootup debugging and set the early serial IO base port
2019-11-28 10:53:29 -05:00
Trammell hudson
56aa508b8d
musl-cross: pin to a specific checkout ()
Add `--strip 1` to tar file extraction in the `Makefile`,
which ensures that the directory name in `build/` will
match the one listed in `$($(MODULE)_dir)`.

Signed-off-by: Trammell hudson <hudson@trmm.net>
2019-10-29 13:15:56 +01:00
Trammell hudson
4f0e778582
musl-cross: update patch for recent git commits ()
Signed-off-by: Trammell hudson <hudson@trmm.net>
2019-10-29 12:52:55 +01:00
Matt DeVillier
77949c9cff
libremkey_hotp_initialize: handle spaces in admin pin/pass
Fix HOTP verfication failure if LK admin pin/passphrase contains
spaces by quoting the variables when passed to functions.

Test: set LK admin pin to passphrase with spaces, generate
new TOTP/HOTP, verification passes.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-06-24 23:30:39 -05:00
Matt DeVillier
286303d95c
libremkey-hotp-verification: pass in key file directly
Reading the file into a variable and then redirecting to stdin
via echo() can cause the binary data to be truncated, leading
to an invalid base32 value and failure to properly generate
and validate the HOTP code.

To resolve this, pass the file directly to hotp(), and ensure
it is removed properly regardless of success or failure to
prevent leakage.

Fixes "Invalid base32 string" error seen when attempting to
generate a new TOTP secret.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-06-24 23:29:06 -05:00
tlaurion
64c830e652
Merge branch 'master' into make-4.2.1 2019-04-22 21:53:43 -04:00
Matt DeVillier
f5355815d9 patches/coreboot: add proper IOMMU/RMRR support
These two patches add the capability for coreboot to generate
the RMRR ACPI tables needed for proper IOMMU support. These
patches allow us to use 'intel_iommu=on' vs 'iommu=pt'

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-02-12 17:09:56 -06:00
Matt DeVillier
da2d267220 patches/coreboot: add support for librem 13v4/15v4 boards
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-02-12 16:32:04 -06:00
Thierry Laurion
75c11481f6
Port gpg1 patch to gpg2 to force crosscompiling and output to stderr. 2019-01-29 11:16:16 -05:00
Trammell Hudson
d8a3be47af
Merge branch 'coreboot-4.8' of https://github.com/flammit/heads 2018-11-07 17:04:23 -05:00
Trammell Hudson
3f53cfe05b
Merge branch 'add_librem_key_support' of https://github.com/kylerankin/heads 2018-11-07 16:37:01 -05:00
Youness Alaoui
03a09a1e1a
Add patches to update coreboot crossgcc to v1.52
crossgcc is now using gcc 8.1.0 which will compile without issues
if your host system has gcc 8.x
This is required if we are to build on a new system (such as latest Fedora)
2018-10-27 15:05:43 -07:00
Francis Lam
0113ecc806
Update coreboot patches condition on CONFIG_MEASURED_BOOT 2018-10-27 11:02:23 -07:00
Francis Lam
8601268a1f
Remove duplicate measurements on librem components
also fix indentation issues
2018-10-27 11:02:23 -07:00
Francis Lam
dd3ae6ee06
Update patches for librem boards 2018-10-27 11:02:23 -07:00
Francis Lam
c326ff62c7
Start updating to coreboot 4.8.1
missing librem patches
2018-10-27 11:02:23 -07:00
Trammell hudson
e177de63d0
Enable verbose bootup debugging and ensure that the serial IO base port is configured 2018-09-28 06:25:00 -04:00
Trammell hudson
292a8bec81
patch for __alloca missing on ubuntu 18.04 () 2018-09-18 06:33:15 -04:00