Commit Graph

2311 Commits

Author SHA1 Message Date
Thierry Laurion
8b0fc0f129
kexec-seal/save-key /etc/functions : some more uniformisation of TPM DUK verbiage 2023-09-02 04:19:43 -04:00
Thierry Laurion
51b1ad39c3
sbin/insmod wrapper: Add TRACE and DEBUG traces 2023-09-02 04:16:16 -04:00
Thierry Laurion
52947e2767
WiP TPM DUK cleanup 2023-09-02 01:53:31 -04:00
Thierry Laurion
e9dbce2adf
bin/unpack_initramfs.sh: Add TRACE and DEBUG traces 2023-09-02 01:51:50 -04:00
Thierry Laurion
0ba10e5174
path substitution still not working. This is PoC to be tested. Had to go 2023-09-01 18:19:29 -04:00
Thierry Laurion
a2a30020c0
TPM Disk Unlock Key setup: use unpack_initrd.sh, replace none with /secret.key. Still no joy 2023-09-01 16:28:53 -04:00
Thierry Laurion
4a7e23b4c6
Address review for: first set up of TPM DUK and renewal after firmware upg 2023-09-01 15:18:36 -04:00
Thierry Laurion
64ad01f333
WiP: Staging commit to facilitate review, will squash into previous commits once confirmed good 2023-08-31 14:36:27 -04:00
Thierry Laurion
03d8f93c95
modules/zstd: now included by default. Deactivated under legacy-flash boards
Rationale:
cpio -t alone cannot extract initrd past early cpio (microcode) in most packed initrd.
unpack_initramfs.sh already under master comes to the rescue, but its usage up to today was limited to pass firmware blobs to final OS under boards/librem_mini_v2

Debian OSes (and probably others) need to have cryptroot/crypttab overridden directly, otherwise generic generation of crypttab is not enough.
Extracting crypttab and overriding directly what is desired by the final OS and exposed into /boot/initrd is the way to go; otherwise it is hacking on top of hacks.

This brings default packed modules under Heads to 5 modules, which need to be deactivated in board configs if undesired:
user@heads-tests-deb12:~/heads$ grep -Rn "?= y" modules/ | grep -v MUSL
modules/zlib:1:CONFIG_ZLIB ?= y
modules/zstd:3:CONFIG_ZSTD ?= y
modules/exfatprogs:2:CONFIG_EXFATPROGS ?= y
modules/busybox:2:CONFIG_BUSYBOX ?= y
modules/e2fsprogs:2:CONFIG_E2FSPROGS ?= y
2023-08-31 11:19:50 -04:00
Thierry Laurion
67c865d151
TPM DISK Unlock Key : add cryptroot/crypttab to fix #1474
Tested working on both TPM1/TPM2 under Debian bookworm, standard encrypted TLVM setup
2023-08-30 18:07:21 -04:00
Thierry Laurion
4910c1188f
TPM Disk Unlock Key sealing/renewal cleanup (Triggered automatically when resealing TOTP)
Changes:
- As per master: when TOTP cannot unseal TOTP, user is prompted to either reset or regenerate TOTP
- Now, when either is done and a previous TPM Disk Unlock Key was set up, the user is guided into:
  - Regenerating checksums and signing them
  - Regenerating TPM Disk Unlock Key and resealing TPM Disk Unlock Key with passphrase into TPM
  - LUKS header being modified, user is asked to resign kexec.sig one last time prior to being able to default boot
- When no previous Disk Unlock Key was set up, the user is guided into:
  - The above, plus
    - Detection of LUKS containers, suggesting only relevant partitions

- Addition of TRACE and DEBUG statements to troubleshoot actual vs expected behavior while coding
  - Were missing under TPM Disk Unlock Key setup codepaths

- Fixes for #645 : We now check if only one slot exists and we do not use it if it's slot1.
  - Also shows in DEBUG traces now

Unrelated staged changes
- ash_functions: warn and die now contain proper spacing and eye attraction
- all warn and die calls modified if containing warnings and too much punctuation
- unify usage of term TPM Disk Unlock Key and Disk Recovery Key
2023-08-30 18:06:29 -04:00
Markus Meissner
8922c6e32b
modules/hotp-verification: update to v1.4
* add Nitrokey 3 support
* corrected UI issues, when PIN is not set
* add serial number getter
* improve HID calls speed
* Full changelogs to be found here: https://github.com/Nitrokey/nitrokey-hotp-verification/releases
2023-08-30 11:16:26 +02:00
tlaurion
45a4f9d0f3
Merge pull request #1446 from tlaurion/Add_secure_thumb_drive_premisses
Add secure thumb drive creation premisses
2023-08-28 16:29:51 -04:00
Thierry Laurion
d5aa0c874e
boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.md was invalid symlink 2023-08-28 16:24:14 -04:00
Thierry Laurion
106a9bf543
qemu boards: change default creation size of USB_FD_IMG from 128MB to 256MB
Otherwise 10% of 128MB (12MB) is not enough to create a LUKS container
2023-08-28 16:24:11 -04:00
Thierry Laurion
f6eed42208
Add external/usb disk encryption (adds exfatprogs and e2fsprogs)
prepare_thumb_drive: default to creating 10% LUKS container on usb drive, prompts for passphrase if not provided and scans drives if no --device specified

NOTE: qemu usb_thumb drives of 128MB are not big enough so that 10% of it (12MB) can be used to create a thumb drive.

Adds:
- e2fsprogs to support ext4 filesystem creation through mke2fs
- add /etc/mke2fs.conf so that mke2fs knows how to handle ext2/ext3/ext4
- removes mke2fs support from busybox
- bump busybox to latest version which adds cpu accelerated hash functions (not needed per se here)
- Adds exfatprogs to have mkfs.exfat and fsck.exfat
- Adds prepare_thumb_drive /etc/luks-functions to be able to prepare a thumb drive with percentage of drive assigned to LUKS, rest to exfat
- Modify most board configs to test space requirements failing
- Talos2 linux config: add staging Exfat support
- Make e2fsprogs and exfatprogs included by default unless explicitly deactivated in board configs
- Change cryptsetup calls: luksOpen to open and luksClose to close to address review
- etc/luks_functions: cleanup

GOAL here is to have secure thumb drive creation which Heads will be able to use to backup/restore/use generated GPG key material in the future (next PR)
2023-08-28 16:23:48 -04:00
tlaurion
d853f62445
Merge pull request #1479 from tlaurion/add_tracing_debuggin_config_toggle
config-gui.sh: Add option to toggle DEBUG and TRACE output from Configuration Settings
2023-08-25 14:30:17 -04:00
Thierry Laurion
0b154aaee1
config-gui.sh: Add option to toggle DEBUG and TRACE output from Configuration Settings menu 2023-08-25 14:27:51 -04:00
tlaurion
d8a9a1e77e
Merge pull request #1473 from tlaurion/aes_support_x230i_under_x230_maximized
linux-x230-maximized: re-add CONFIG_CRYPTO_AES for x230i since i3 doesn't have Intel AES-NI cpu acceleration.
2023-08-22 12:02:36 -04:00
Thierry Laurion
5bf14d27de
linux-x230-maximized: re-add CONFIG_CRYPTO_AES for x230i since i3 doesn't have Intel AES-NI cpu acceleration. 2023-08-22 08:56:53 -04:00
tlaurion
6e31163121
Merge pull request #1403 from tlaurion/libgfxinit-or-native-gfx-init_simplefb_linuxboot_splashscreen
libgfxinit/nativegfx init: efifb enforced fb (+coreboot ramstage enabled bootsplash)
2023-08-16 15:06:44 -04:00
Thierry Laurion
97f39a8b1f
t430-maximized/t430-hotp-maximized: move from untested to tested boards, other t430 boards still untested 2023-08-16 14:54:12 -04:00
Thierry Laurion
e5b64f8c48
t430/x230 legacy flash boards: unify so they specify coreboot config files as all other boards
(Otherwise, renaming a board requires renaming the coreboot config file as well, since BOARD is used to pick the corresponding one when undefined)
2023-08-16 13:29:08 -04:00
Thierry Laurion
294a6bed94
t430 boards: moved to untested until reported tested as per #1421 2023-08-16 12:35:52 -04:00
Thierry Laurion
572573ff40
x220 board: this is maximized coreboot config, legacy linux config 2023-08-16 09:44:44 -04:00
Thierry Laurion
107855f53a
p8z77-m_pro-tpm1: bring back boards as tested platforms. 2023-08-16 09:44:41 -04:00
Thierry Laurion
8c366ef61d
coreboot configs: changeset needed to use efifb
- intel igpu related - remove i915drmfb hacks and use simplefb and libgfxinit enabled fb
- coreboot 4.19: add patch to fix https://ticket.coreboot.org/issues/500. fbwhiptail still tears screen if in native 1366x769 though
- coreboot 4.19: add patch to enable linux trampoline handle coreboot framebuffer (merged https://review.coreboot.org/c/coreboot/+/76431)
- coreboot 4.19: add patch to enable coreboot to apply jpeg voodoo to create bootsplash.jpeg injected in cbfs at build time + CircleCI apt imagemagick
  - (Thanks Nico Huber @icon again for above patches!)
- coreboot configs: adapt VESAFB/LIBGFXINIT to use maximum fb height/width
- coreboot configs for iGPU only: CONFIG_LINEAR_FRAMEBUFFER_MAX_HEIGHT CONFIG_LINEAR_FRAMEBUFFER_MAX_WIDTH to native size
- coreboot configs for dGPU based on Optional VBIOS injected: VESAFB set to 1280x1024 (maximum possible).

Details:
coreboot configs: remove CONFIG_LINUX_COMMAND_LINE="drm_kms_helper.drm_leak_fbdev_smem=1 i915.enable_fbc=0"
 - Those were needed to expose i915drmfb driver prior to efifb working.
2023-08-16 09:39:09 -04:00
Thierry Laurion
d3ea60f69e
linux configs: adapt to use efifb driver (Intel iGPU/qemu with bochs native gfxinit) 2023-08-15 17:24:34 -04:00
tlaurion
fbc0993084
Merge pull request #1462 from JonathonHall-Purism/reuse-toolchains
Enable reusing coreboot release toolchains for forks
2023-08-15 16:27:20 -04:00
tlaurion
59972f3972
Merge pull request #1459 from JonathonHall-Purism/hires_scale
Scale fbwhiptail and console font for high resolution displays
2023-08-11 14:53:04 -04:00
Jonathon Hall
a5689c44a9
modules/coreboot: Don't try to share toolchain for purism yet
Nothing else shares the 4.20.1 toolchain yet, and upcoming forks are
based on older releases.  We'll share it when other boards update to
4.20.1.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 14:48:19 -04:00
Jonathon Hall
98fc0cb81a
initrd/bin/setconsolefont.sh: Reduce threshold for 2x console to 1350
Based on feedback, 1440p displays can benefit from 2x console as well.
Err toward a font too large rather than too small and lower the
threshold to 1350, which is the threshold fbwhiptail uses for 1.5x.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 14:40:11 -04:00
Jonathon Hall
4d613dacbb
fbwhiptail: Update to hires_scale based on 1.2 release
hires_scale was rebased on 1.2.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 14:40:10 -04:00
Jonathon Hall
57f9d1635b
x230-*-fhd_edp: Include kbd to set console font size
Include the kbd module to set the console font size based on the
display resolution.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 14:40:10 -04:00
Jonathon Hall
d0d2ea9a77
librem_mini{,_v2}: Include kbd to set console font size
Include the kbd module to enlarge the console font size based on the
display resolution.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 14:40:09 -04:00
Jonathon Hall
ef85973109
librem_15v4: Include kbd, don't force eDP resolution in Heads kernel
Include kbd so the console font can be enlarged based on the display
resolution.

Don't force 1080p on the eDP output in Heads.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 14:40:09 -04:00
Jonathon Hall
a3798713b2
fbwhiptail: Update to hires_scale branch
fbwhiptail scales its UI based on the display size.  FBWHIPTAIL_SCALE
can set a specific scale factor for testing.

fbwhiptail no longer looks for a 1080p mode when the default mode is
2160p.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 14:40:08 -04:00
Jonathon Hall
2f329d9007
kbd: Add setfont from kbd to set large console font on large displays
Build kbd and ship setfont if enabled with CONFIG_KBD.

When CONFIG_KBD is enabled, setconsolefont.sh will double the console
font size on large displays (>1600 lines tall as a heuristic).

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 14:40:04 -04:00
tlaurion
f42070a51d
Merge pull request #1457 from tlaurion/archlinux_distro_pukey_update
Archlinux distro signing public key update to (expires 2037-10-27)
2023-08-11 14:29:57 -04:00
Jonathon Hall
38e9d47bfd
modules/coreboot: Clarify PPC64 toolchain comments
CROSS= is needed for skiboot on PPC64 due to different endianness
relative to coreboot.

The talos_2 fork doesn't share the toolchain because it is the only
_fork_, not board, to be precise.  We could add more boards using that
fork without having to create a shared toolchain, it only matters if we
add another fork or start building boards from the upstream release
too.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 13:03:58 -04:00
Jonathon Hall
c2df9f3942
fixup modules/coreboot: Fix purism-blobs dependency for librem_l1um
Two := assignments were factored out together, the second overwrote the
first.  Fix to +=, and remove the nitrokey assignment since it came
from a branch.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:44:40 -04:00
Jonathon Hall
d8a89e7e12
modules/coreboot: Remove errant _depend variable
This was spelled wrong - it's actually '_depends'.  'initrd' isn't a
module any more so the value doesn't make sense, remove it.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:44:40 -04:00
Jonathon Hall
555dde0b43
boards/librem_* (except l1um): Remove CONFIG_PURISM_BLOBS=y
These boards get purism-blobs as a submodule of the purism coreboot
fork.  modules/coreboot used to skip the purism-blobs dependency for
this fork, but the module is not needed at all for these boards.

librem_l1um keeps CONFIG_PURISM_BLOBS=y since it is built from patched
coreboot 4.11.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:44:39 -04:00
Jonathon Hall
c12b8cec4b
Makefile: Don't double version number in patches for versioned modules
Default the patch version to empty if the module name already includes
the version.  Fixes application of coreboot patches.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:44:39 -04:00
Jonathon Hall
1b81fb2d80
modules/coreboot: Don't try to share toolchain for talos_2 fork
The skiboot build fails to find the toolchain when it's not in the
default location.  There is only one ppc64 board anyway, so there's no
point trying to share a toolchain for now.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:44:34 -04:00
Jonathon Hall
8f95d0b65b
modules/coreboot: Use a specific file to mark the toolchain build
Use .heads-toolchain to mark that the toolchain was built rather than
.xcompile.  coreboot doesn't generate .xcompile until the build step,
so all modules had to build successfully before we would stop trying
to rebuild the toolchain.  Build steps should generally produce the
indicated outputs too, which was not occurring here.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:43:02 -04:00
Jonathon Hall
0c024b14e8
modules/coreboot: Reuse release toolchain for fork builds
Reuse the toolchain from a coreboot release for fork builds.  Either
the fork or the release can be built first, in either case the
release's toolchain is built at the default location and reused for
later builds.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:42:38 -04:00
Jonathon Hall
786cf09ec7
modules/coreboot: Define each coreboot version as a separate module
Define a separate module for each coreboot version, so the module used
to build the ROM will optionally be able to reference the toolchain
from a different module.

This will allow coreboot fork builds to use the toolchain from the
corresponding release.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:41:59 -04:00
Jonathon Hall
cd73574f71
patches/coreboot-*: Remove unused patches
Remove patches for coreboot 4.8.1, 4.13, 4.14, and 4.17, which are no
longer used.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:41:59 -04:00
Jonathon Hall
3695489589
modules/coreboot: Delete unused remnants of using musl toolchain
At one time coreboot was built using Heads' musl toolchain, but this
was later reverted.  coreboot builds with its own toolchain again.

CROSS= has no effect on coreboot proper (only exception is PPC64
skiboot payload).  It was added to coreboot by a patch that was deleted
in 8e44853.  COREBOOT_IASL was set to the default, that was only needed
when the toolchain was being overridden to override iasl back to the
coreboot one.

ppc64 still specifies CROSS= since skiboot is unable to find coreboot's
toolchain from XGCCPATH but checks CROSS.  This builds skiboot with the
Heads toolchain as before.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:41:55 -04:00