Trammell hudson
998736fc50
initial tools to build the nerf EFI volume that goes into the firmware
2017-09-20 17:47:48 -04:00
Trammell hudson
3a8710cf49
unquiet it for now
2017-09-20 17:47:12 -04:00
Trammell hudson
04a108912f
ignore edk2 generated files
2017-09-20 17:46:56 -04:00
Trammell hudson
81a7f18b86
build edk2 as a module for the r630 NERF firmware
2017-09-20 14:26:38 -04:00
Trammell hudson
bda821dbb9
fix patches to have the correct -p level
2017-09-20 14:26:07 -04:00
Trammell hudson
8194f2f477
allow extra options to git via the repo variable
2017-09-20 14:25:19 -04:00
Trammell hudson
33c1c9147e
ACPI tables for the r630 NERF firmware
2017-09-20 10:34:25 -04:00
Trammell hudson
a4d7654b1e
Build the Heads/NERF firmware for the Dell R630 server.
...
This development branch builds a NERF firmware for the Dell R630
server. It does not use coreboot; instead it branches directly
from the vendor's PEI core into Linux and the Heads runtime
that is setup to be run as an EFI executable.
2017-09-20 10:29:14 -04:00
Francis Lam
41f49237c6
Added configurable xen version for Qubes 4 support
...
also addresses issue #238
2017-09-13 22:10:46 -04:00
Francis Lam
ec1a54c6b6
Updated to match latest qubes 3.2 xen 4.6.6-30 (issue #238 )
2017-09-13 21:14:13 -04:00
Trammell hudson
498105c979
enable i915 native support (needed for Librem 13v2)
2017-09-06 19:07:02 -04:00
Francis Lam
821e48446a
Updated to match latest qubes 3.2 xen 4.6.6-29 (issue #238 )
2017-09-02 14:13:29 -04:00
Francis Lam
472ffd35c0
Moved kernel command line parameters to config
2017-09-02 14:13:29 -04:00
Francis Lam
7cec25542d
Allow boot without unseal of TPM LUKS key
...
Closes issue #226
Also changed to procedure to show LVM volume groups and block
device ids to aid in choosing the right combination during the
TPM LUKS key sealing process.
2017-09-02 14:13:29 -04:00
Francis Lam
26b2d49897
Allow TPM LUKS key to be set during default selection
...
Closes #222
2017-09-02 14:13:29 -04:00
Francis Lam
0897a20b84
Ensure recovery for failed default boot
...
Should close #223
Added reboot and poweroff scripts using /proc/sysrq-trigger
Also cleaned up the boot loop in generic-init
2017-09-02 14:13:29 -04:00
Francis Lam
e8f3d206c5
Strip invalid leading/trailing '/' from script params
2017-09-02 14:13:29 -04:00
Johan Grip
6f48c14d0c
Update X220 to do generic image instead of qubes.
...
Also added a script to extract the necessary blobs from a bios
dump image.
2017-08-04 22:48:27 +02:00
Trammell Hudson
9d9af31e58
fix typo and format with markdown (issue #206 )
2017-07-27 06:26:04 -04:00
Trammell Hudson
314ce7b350
bump Linux kernel to 4.9.38 (issue #224 )
2017-07-18 14:25:15 -04:00
Trammell Hudson
fcc99eca93
include version number in verify target (issue #228 )
2017-07-18 14:03:43 -04:00
Trammell Hudson
b550a7f967
rework startup scripts to combine totp prompt with boot mode selection (issue #221 )
2017-07-18 13:44:02 -04:00
Trammell Hudson
3e48f1c5e8
tweaks to make qemu run through the /bin/generic-init process
2017-07-18 13:42:19 -04:00
Trammell Hudson
36e3172c8e
disable i915 for now, since it causes screen glitches in Xen/Qubes (issue #219 )
2017-07-18 13:32:57 -04:00
Trammell Hudson
3c8adf2cf1
remove no longer required vga patch from xen (issue #227 )
2017-07-18 13:31:08 -04:00
Trammell Hudson
7aec9a2288
add support for i915 and render mode setting (issue #219 )
2017-07-18 10:10:55 -04:00
Trammell Hudson
39ade211ce
add support for fractional second timeouts in busybox read (issue #221 )
2017-07-18 09:11:05 -04:00
Trammell Hudson
f0913e9670
Merge branch 'flammit-usb-boot' pull request #200
2017-07-17 12:43:53 -04:00
Trammell Hudson
af3170ebf7
remove trailing / on the /boot device parameter
2017-07-17 12:43:14 -04:00
Trammell Hudson
831dca5124
remove older qubes-specific files, no longer required in generic boot env
2017-07-17 12:31:58 -04:00
Trammell Hudson
22282da905
default to mounting USB device on /media
2017-07-17 12:24:15 -04:00
Trammell Hudson
86f3e9f5dc
add /boot and /media to /etc/fstab on startup (issue #220 )
2017-07-17 12:22:48 -04:00
Trammell Hudson
ba98d5dda6
Merge branch 'usb-boot' of https://github.com/flammit/heads into flammit-usb-boot
2017-07-17 08:52:48 -04:00
Francis Lam
11aca354e9
Fixed edge case in kernel argument injection
...
Debian 9 installer doesn't have kernel arguments so the iommu fix
wasn't being applied properly.
2017-07-13 00:33:49 -04:00
Francis Lam
2a9ca6fdba
Fixed regression on kexec-save-key
2017-07-12 00:43:08 -04:00
Francis Lam
22a52ec4b8
Added TPM secret management to generic boot
...
Also cleaned up error handling and boot parsing edge cases
2017-07-12 00:17:45 -04:00
Francis Lam
d67360a24b
Added rollback protection to generic boot
...
Changed the checking of required hashes or required rollback state
to be right before boot, allowing the user to sign/set defaults
in interactive mode.
Also cleaned up usages of recovery and fixed iso parameter
regression.
2017-07-08 16:59:37 -04:00
Francis Lam
8004b5df2a
Added the ability to persist a default boot option
...
Similar to qubes-update, it will save then verify the hashes of
the kexec files. Once TOTP is verified, a normal boot will verify
that the file hashes and all the kexec params match and if
successful, boot directly to OS.
Also added a config option to require hash verification for
non-recovery boots, failing to recovery not met.
2017-07-04 19:49:14 -04:00
Francis Lam
ce4b91cad9
Minor tweaks to signing params and boot options
...
Also split out usb-scan to allow manual initiation of scan from
the recovery shell
2017-07-03 13:07:03 -04:00
Francis Lam
3614044fff
Added a generic boot config and persistent params
...
Refactored boot parsing code and applied that in local-init to
scan /boot for grub options and allow the user to unsafely boot
anything. This goes a long way to addressing #196 .
Optionally the user can customize those boot parameters or enforce
arbitrary hashes on the boot device by creating and signing config
files in /boot/ or /media/ or /media/kexec_iso/ISO_FILENAME/.
2017-07-02 23:01:04 -04:00
Francis Lam
76a20288a3
Tweaks to allow qubes install w/o custom script
...
usb-boot automatically uses internal xen binary / command line
when multiboot is detected.
also tweaked to evaluate/remove variable refs in kexec arguments
2017-07-02 14:27:02 -04:00
Trammell Hudson
7e5c9bf5f8
fix Xen reproducibility by not using figlet #207
2017-06-26 16:33:49 -04:00
Francis Lam
7f6f365afe
Reverted submodule name back to xen
2017-06-26 13:07:48 -04:00
Francis Lam
e1e654696b
Fixes the patched qubes-vmm-xen Makefile
...
Prevents subsequent builds from trying to unpack/repatch
2017-06-25 18:35:59 -04:00
Francis Lam
c2ec62bfcd
Changed xen submodule to track Qubes Xen
...
Closes #159
2017-06-23 23:01:20 -04:00
Trammell Hudson
265424b101
do not enable libkmod (issue #164 )
2017-06-13 10:45:33 -04:00
Trammell Hudson
a5d4c65533
use SHA256 digest on signatures to avoid SHA1 collision attacks (issue #120 )
2017-05-04 11:19:50 -04:00
Trammell Hudson
2b2c00e594
typo in comment
2017-05-01 10:52:49 -04:00
Johan Grip
8b3ed5fd7a
Added blob directory for non-free blobs Also basic documentation for the binaries needed for the X220 and how the get to them
2017-05-01 10:49:45 -04:00
Johan Grip
dea6cb60d3
Also enable the correct flash chip for x220
2017-05-01 10:49:43 -04:00