ExternalVendorCode/heads
1
0
Fork 0
mirror of https://github.com/linuxboot/heads.git synced 2024-12-19 04:57:55 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
570 Commits 27 Branches 6 Tags 21 MiB
149635ef95
Commit Graph

570 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Trammell Hudson
831dca5124
remove older qubes-specific files, no longer required in generic boot env 2017-07-17 12:31:58 -04:00
Trammell Hudson
22282da905
default to mounting USB device on /media 2017-07-17 12:24:15 -04:00
Trammell Hudson
86f3e9f5dc
add /boot and /media to /etc/fstab on startup (issue #220) 2017-07-17 12:22:48 -04:00
Trammell Hudson
ba98d5dda6
Merge branch 'usb-boot' of https://github.com/flammit/heads into flammit-usb-boot 2017-07-17 08:52:48 -04:00
Francis Lam
11aca354e9
Fixed edge case in kernel argument injection 
Debian 9 installer doesn't have kernel arguments so the iommu fix
wasn't being applied properly.
 2017-07-13 00:33:49 -04:00
Francis Lam
2a9ca6fdba
Fixed regression on kexec-save-key 2017-07-12 00:43:08 -04:00
Francis Lam
22a52ec4b8
Added TPM secret management to generic boot 
Also cleaned up error handling and boot parsing edge cases
 2017-07-12 00:17:45 -04:00
Francis Lam
d67360a24b
Added rollback protection to generic boot 
Changed the checking of required hashes or required rollback state
to be right before boot, allowing the user to sign/set defaults
in interactive mode.

Also cleaned up usages of recovery and fixed iso parameter
regression.
 2017-07-08 16:59:37 -04:00
Francis Lam
8004b5df2a
Added the ability to persist a default boot option 
Similar to qubes-update, it will save then verify the hashes of
the kexec files. Once TOTP is verified, a normal boot will verify
that the file hashes and all the kexec params match and if
successful, boot directly to OS.

Also added a config option to require hash verification for
non-recovery boots, failing to recovery not met.
 2017-07-04 19:49:14 -04:00
Francis Lam
ce4b91cad9
Minor tweaks to signing params and boot options 
Also split out usb-scan to allow manual initiation of scan from
the recovery shell
 2017-07-03 13:07:03 -04:00
Francis Lam
3614044fff
Added a generic boot config and persistent params 
Refactored boot parsing code and applied that in local-init to
scan /boot for grub options and allow the user to unsafely boot
anything.  This goes a long way to addressing #196.

Optionally the user can customize those boot parameters or enforce
arbitrary hashes on the boot device by creating and signing config
files in /boot/ or /media/ or /media/kexec_iso/ISO_FILENAME/.
 2017-07-02 23:01:04 -04:00
Francis Lam
76a20288a3
Tweaks to allow qubes install w/o custom script 
usb-boot automatically uses internal xen binary / command line
when multiboot is detected.

also tweaked to evaluate/remove variable refs in kexec arguments
 2017-07-02 14:27:02 -04:00
Trammell Hudson
7e5c9bf5f8
fix Xen reproducibility by not using figlet #207 2017-06-26 16:33:49 -04:00
Francis Lam
7f6f365afe
Reverted submodule name back to xen 2017-06-26 13:07:48 -04:00
Francis Lam
e1e654696b
Fixes the patched qubes-vmm-xen Makefile 
Prevents subsequent builds from trying to unpack/repatch
 2017-06-25 18:35:59 -04:00
Francis Lam
c2ec62bfcd
Changed xen submodule to track Qubes Xen 
Closes #159
 2017-06-23 23:01:20 -04:00
Trammell Hudson
265424b101
do not enable libkmod (issue #164) 2017-06-13 10:45:33 -04:00
Trammell Hudson
a5d4c65533
use SHA256 digest on signatures to avoid SHA1 collision attacks (issue #120) 2017-05-04 11:19:50 -04:00
Trammell Hudson
2b2c00e594
typo in comment 2017-05-01 10:52:49 -04:00
Johan Grip
8b3ed5fd7a
Added blob directory for non-free blobs Also basic documentation for the binaries needed for the X220 and how the get to them 2017-05-01 10:49:45 -04:00
Johan Grip
dea6cb60d3
Also enable the correct flash chip for x220 2017-05-01 10:49:43 -04:00
Johan Grip
ceb81944a1
Re-enabled x220 components in flashrom. 2017-05-01 10:49:40 -04:00
Johan Grip
186b641385
Inital test of a lenovo x220 port. Uses hardcoded paths for the blobs required. Uses a stripped ME blob. 2017-05-01 10:49:38 -04:00
Trammell Hudson
2cad84a768
make the ME a module (issue #194) 2017-05-01 10:47:24 -04:00
Francis Lam
1f8eaa696e
minor tweaks to config parsing 2017-04-29 21:50:10 -04:00
Francis Lam
efd662c63a
adds a USB boot option with basic parsing to kexec 
Supports booting from USB media using either the root device or
a signed ISO as the boot device.  Boot options are parsed with
quick/dirty shell scripts to infer kexec params.

Closes #195 and begins to address #196
 2017-04-29 13:40:34 -04:00
Trammell Hudson
7f600072ad
pass -ic option to tpm extend (issue #198) 2017-04-23 16:12:08 -04:00
Trammell Hudson
448d0731a9
cherry pick Linux config from zfs branch with multi-user set 2017-04-17 16:10:48 -04:00
Trammell Hudson
964b967c9e
Use kernel headers from our Linux kernel tree (issue #188) 2017-04-17 16:09:06 -04:00
Francis Lam
ad732939c3
load usb-storage module in x230-flash.init 2017-04-16 17:37:14 -04:00
Trammell Hudson
a71f84c08f
cbmem was not being built 2017-04-12 11:54:11 -04:00
Trammell Hudson
8f4455bc57
hardware token key 2017-04-12 09:50:08 -04:00
Trammell Hudson
4310b59686
fix patch for -p1 2017-04-12 09:30:08 -04:00
Trammell Hudson
bf95aa1839
use 0.3.0 release of tpmtotp 2017-04-12 08:46:56 -04:00
Trammell Hudson
9d4b7a5b73
print and update the timestamp on the TOTP while waiting for disk unlock code 2017-04-12 08:28:31 -04:00
Trammell Hudson
87b6f1e489
supress mlock error 2017-04-12 08:27:57 -04:00
Trammell Hudson
3fc174b0f7
totp program outputs the date 2017-04-12 08:12:31 -04:00
Trammell Hudson
782d4cdc7b
signing of files is now possible on the laptop 2017-04-12 07:04:25 -04:00
Trammell Hudson
353a0efe6f
Rework /init and qubes setup scripts (issue #27, #155, #32, #29, #110) 
This adds support for seamless booting of Qubes with a TPM disk key,
as well as signing of qubes files in /boot with a Yubikey.

The signed hashes also includes a TPM counter, which is incremented
when new hashes are signed.  This prevents rollback attacks against
the /boot filesystem.

The TPMTOTP value is presented to the user at the time of entering
the disk encryption keys.  Hitting enter will generate a new code.

The LUKS headers are included in the TPM sealing of the disk
encryption keys.
 2017-04-12 06:57:58 -04:00
Trammell Hudson
8464227aa1
use the external functions (issue #161) 2017-04-12 06:57:26 -04:00
Trammell Hudson
8d2d6ad6c3
helper to install qubes from the recovery shell (issue #27) 2017-04-12 06:55:22 -04:00
Trammell Hudson
6a734208b0
try creating NVRAM entry before prompting for owner password (issue #151) 2017-04-12 06:53:54 -04:00
Trammell Hudson
fa8c3abe98
put board configuration file into /etc/config 2017-04-12 06:52:35 -04:00
Trammell Hudson
122bacab37
use xen.gz since we have zlib support in kexec again (issue #170) 2017-04-12 06:50:57 -04:00
Trammell Hudson
84f1d0af39
copy file and compute sha256 before flashing 2017-04-12 06:50:18 -04:00
Trammell Hudson
7a9ab72144
import the seal/unseal totp scripts since they are very specialized to the heads install, skip owner password if not required (issue #151) 2017-04-12 06:49:39 -04:00
Trammell Hudson
c5c47c6b1c
common recovery shell functions (issue #161) 2017-04-12 06:48:38 -04:00
Trammell Hudson
d73c92e63f
quiet down the boot process 2017-04-12 06:46:55 -04:00
Trammell Hudson
da9bde721c
add some color 2017-04-12 06:46:24 -04:00
Trammell Hudson
ea9b2c0da0
helper to do a forcible TPM reset (issue #27) 2017-04-12 06:45:15 -04:00