Commit Graph

1499 Commits

Author SHA1 Message Date
Trammell hudson
998736fc50
initial tools to build the nerf EFI volume that goes into the firmware 2017-09-20 17:47:48 -04:00
Trammell hudson
3a8710cf49
unquiet it for now 2017-09-20 17:47:12 -04:00
Trammell hudson
04a108912f
ignore edk2 generated files 2017-09-20 17:46:56 -04:00
Trammell hudson
81a7f18b86
build edk2 as a module for the r630 NERF firmware 2017-09-20 14:26:38 -04:00
Trammell hudson
bda821dbb9
fix patches to have the correct -p level 2017-09-20 14:26:07 -04:00
Trammell hudson
8194f2f477
allow extra options to git via the repo variable 2017-09-20 14:25:19 -04:00
Trammell hudson
33c1c9147e
ACPI tables for the r630 NERF firmware 2017-09-20 10:34:25 -04:00
Trammell hudson
a4d7654b1e
Build the Heads/NERF firmware for the Dell R630 server.
This development branch builds a NERF firmware for the Dell R630
server.  It does not use coreboot; instead it branches directly
from the vendor's PEI core into Linux and the Heads runtime
that is setup to be run as an EFI executable.
2017-09-20 10:29:14 -04:00
Francis Lam
41f49237c6
Added configurable xen version for Qubes 4 support
also addresses issue #238
2017-09-13 22:10:46 -04:00
Francis Lam
ec1a54c6b6
Updated to match latest qubes 3.2 xen 4.6.6-30 (issue #238) 2017-09-13 21:14:13 -04:00
Trammell hudson
498105c979
enable i915 native support (needed for Librem 13v2) 2017-09-06 19:07:02 -04:00
Francis Lam
821e48446a
Updated to match latest qubes 3.2 xen 4.6.6-29 (issue #238) 2017-09-02 14:13:29 -04:00
Francis Lam
472ffd35c0
Moved kernel command line parameters to config 2017-09-02 14:13:29 -04:00
Francis Lam
7cec25542d
Allow boot without unseal of TPM LUKS key
Closes issue #226

Also changed to procedure to show LVM volume groups and block
device ids to aid in choosing the right combination during the
TPM LUKS key sealing process.
2017-09-02 14:13:29 -04:00
Francis Lam
26b2d49897
Allow TPM LUKS key to be set during default selection
Closes #222
2017-09-02 14:13:29 -04:00
Francis Lam
0897a20b84
Ensure recovery for failed default boot
Should close #223

Added reboot and poweroff scripts using /proc/sysrq-trigger

Also cleaned up the boot loop in generic-init
2017-09-02 14:13:29 -04:00
Francis Lam
e8f3d206c5
Strip invalid leading/trailing '/' from script params 2017-09-02 14:13:29 -04:00
Johan Grip
6f48c14d0c Update X220 to do generic image instead of qubes.
Also added a script to extract the necessary blobs from a bios
dump image.
2017-08-04 22:48:27 +02:00
Trammell Hudson
9d9af31e58
fix typo and format with markdown (issue #206) 2017-07-27 06:26:04 -04:00
Trammell Hudson
314ce7b350
bump Linux kernel to 4.9.38 (issue #224) 2017-07-18 14:25:15 -04:00
Trammell Hudson
fcc99eca93
include version number in verify target (issue #228) 2017-07-18 14:03:43 -04:00
Trammell Hudson
b550a7f967
rework startup scripts to combine totp prompt with boot mode selection (issue #221) 2017-07-18 13:44:02 -04:00
Trammell Hudson
3e48f1c5e8
tweaks to make qemu run through the /bin/generic-init process 2017-07-18 13:42:19 -04:00
Trammell Hudson
36e3172c8e
disable i915 for now, since it causes screen glitches in Xen/Qubes (issue #219) 2017-07-18 13:32:57 -04:00
Trammell Hudson
3c8adf2cf1
remove no longer required vga patch from xen (issue #227) 2017-07-18 13:31:08 -04:00
Trammell Hudson
7aec9a2288
add support for i915 and render mode setting (issue #219) 2017-07-18 10:10:55 -04:00
Trammell Hudson
39ade211ce
add support for fractional second timeouts in busybox read (issue #221) 2017-07-18 09:11:05 -04:00
Trammell Hudson
f0913e9670
Merge branch 'flammit-usb-boot' pull request #200 2017-07-17 12:43:53 -04:00
Trammell Hudson
af3170ebf7
remove trailing / on the /boot device parameter 2017-07-17 12:43:14 -04:00
Trammell Hudson
831dca5124
remove older qubes-specific files, no longer required in generic boot env 2017-07-17 12:31:58 -04:00
Trammell Hudson
22282da905
default to mounting USB device on /media 2017-07-17 12:24:15 -04:00
Trammell Hudson
86f3e9f5dc
add /boot and /media to /etc/fstab on startup (issue #220) 2017-07-17 12:22:48 -04:00
Trammell Hudson
ba98d5dda6
Merge branch 'usb-boot' of https://github.com/flammit/heads into flammit-usb-boot 2017-07-17 08:52:48 -04:00
Francis Lam
11aca354e9
Fixed edge case in kernel argument injection
Debian 9 installer doesn't have kernel arguments so the iommu fix
wasn't being applied properly.
2017-07-13 00:33:49 -04:00
Francis Lam
2a9ca6fdba
Fixed regression on kexec-save-key 2017-07-12 00:43:08 -04:00
Francis Lam
22a52ec4b8
Added TPM secret management to generic boot
Also cleaned up error handling and boot parsing edge cases
2017-07-12 00:17:45 -04:00
Francis Lam
d67360a24b
Added rollback protection to generic boot
Changed the checking of required hashes or required rollback state
to be right before boot, allowing the user to sign/set defaults
in interactive mode.

Also cleaned up usages of recovery and fixed iso parameter
regression.
2017-07-08 16:59:37 -04:00
Francis Lam
8004b5df2a
Added the ability to persist a default boot option
Similar to qubes-update, it will save then verify the hashes of
the kexec files. Once TOTP is verified, a normal boot will verify
that the file hashes and all the kexec params match and if
successful, boot directly to OS.

Also added a config option to require hash verification for
non-recovery boots, failing to recovery not met.
2017-07-04 19:49:14 -04:00
Francis Lam
ce4b91cad9
Minor tweaks to signing params and boot options
Also split out usb-scan to allow manual initiation of scan from
the recovery shell
2017-07-03 13:07:03 -04:00
Francis Lam
3614044fff
Added a generic boot config and persistent params
Refactored boot parsing code and applied that in local-init to
scan /boot for grub options and allow the user to unsafely boot
anything.  This goes a long way to addressing #196.

Optionally the user can customize those boot parameters or enforce
arbitrary hashes on the boot device by creating and signing config
files in /boot/ or /media/ or /media/kexec_iso/ISO_FILENAME/.
2017-07-02 23:01:04 -04:00
Francis Lam
76a20288a3
Tweaks to allow qubes install w/o custom script
usb-boot automatically uses internal xen binary / command line
when multiboot is detected.

also tweaked to evaluate/remove variable refs in kexec arguments
2017-07-02 14:27:02 -04:00
Trammell Hudson
7e5c9bf5f8
fix Xen reproducibility by not using figlet #207 2017-06-26 16:33:49 -04:00
Francis Lam
7f6f365afe
Reverted submodule name back to xen 2017-06-26 13:07:48 -04:00
Francis Lam
e1e654696b
Fixes the patched qubes-vmm-xen Makefile
Prevents subsequent builds from trying to unpack/repatch
2017-06-25 18:35:59 -04:00
Francis Lam
c2ec62bfcd
Changed xen submodule to track Qubes Xen
Closes #159
2017-06-23 23:01:20 -04:00
Trammell Hudson
265424b101
do not enable libkmod (issue #164) 2017-06-13 10:45:33 -04:00
Trammell Hudson
a5d4c65533
use SHA256 digest on signatures to avoid SHA1 collision attacks (issue #120) 2017-05-04 11:19:50 -04:00
Trammell Hudson
2b2c00e594
typo in comment 2017-05-01 10:52:49 -04:00
Johan Grip
8b3ed5fd7a
Added blob directory for non-free blobs Also basic documentation for the binaries needed for the X220 and how the get to them 2017-05-01 10:49:45 -04:00
Johan Grip
dea6cb60d3
Also enable the correct flash chip for x220 2017-05-01 10:49:43 -04:00