Commit Graph

2463 Commits

Author SHA1 Message Date
Thierry Laurion
664603cf8c
Changeset based on nitrokey 2.3 release to understand what is attempted here. i915 is still under linux config on 2.3 release. coreboot is on gop, not libgfxinit. This is to open discussion.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-20 11:17:38 -05:00
Thierry Laurion
0e42833ada
x230-legacy-flash board: fixup pointing to x230 as opposed to t430. Fix coreboot config path to bootsplash
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-20 09:42:28 -05:00
Thierry Laurion
b1f1484ae2
linux config: oldconfig for all, make sure BRAND_NAME is there to be overriden
TODO: linuxboot still not touched...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-20 09:42:23 -05:00
Thierry Laurion
7433920dee
coreboot configs: unify linux console output to 'quiet loglevel=2' but for qemu/flash boards
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-20 09:40:55 -05:00
Thierry Laurion
0f0cb99a02
Adapt NV41/NS50 changes, unify bootsplash file usage for branding
Taken from : https://github.com/Nitrokey/heads/tree/temp-release-v2.3

- Move branding/Heads/bootsplash-1024x768.jpg -> branding/Heads/bootsplash.jpg (We don't care about the size. Make filename generic)
- Adapt all coreboot configs so bootsplash is adapted by BRAND_NAME CONFIG_BOOTSPLASH_FILE="@BRAND_DIR@/bootsplash.jpg"
  - Reminders :
    - Makefile changes Heads to defined BRAND_NAME in board config
    - Makefile changes -e 's!@BRAND_DIR@!$(pwd)/branding/$(BRAND_NAME)!g'
- nv41/nv50
  - coreboot oldefconfigs adapted by:
    - make BOARD=nitropad-ns50 coreboot.modify_and_save_oldconfig_in_place
    - make BOARD=nitropad-nv41 coreboot.modify_and_save_oldconfig_in_place
  - linux oldefconfigs adapted by
    - make BOARD=nitropad-nv41 linux.modify_and_save_oldconfig_in_place
      - since this is shared config across nv41/ns50: it only needs to be done for a single board

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-20 09:40:52 -05:00
Thierry Laurion
6f276a391b
kgpe-d16 linux configs: remove Intel related stuff, enable AMD related IOMMU settings
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-20 09:40:49 -05:00
Thierry Laurion
72e8c39361
FB_EFI next step: make sure CONFIG_INTEL_IOMMU_DEFAULT_ON=y is on on all intel boards touched in past commit
Touches c216, x230-flash, x230-legacy and x230-maximized.
TODO: Other boards, including AMD ones (qemu/kgpe) have this ON, including nv41/ns50 (which uses i915drm which most probably causes problems)
 Note that qemu boards use q35 in config, but were made to have both i440fx and q35, where q35 is tested, which explains why its on by default there.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-20 09:40:45 -05:00
Thierry Laurion
f4a5a7cc10
FB_EFI next step: remove coreboot's Heads linux intel_iommu statements. TODO: check linux config to see if enabling automatically works as expected.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-20 09:40:42 -05:00
Thierry Laurion
2fcef4a979
FB_EFI next step: remove CONFIG_BOOT_KERNEL_ADD=intel_iommu=on intel_iommu=igfx_off, add CONFIG_BOOT_KERNEL_REMOVE=intel_iommu=on intel_iommu=igfx_off, remove quiet removal from CONFIG_BOOT_KERNEL_REMOVE. TLDR: do not interfere with OS setting its own boot policies
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-20 09:40:39 -05:00
tlaurion
1f39d16c25
Merge pull request #1530 from tlaurion/talos-2_fix-regressions
Talos-2: bring changes to a working state outside of usage of GPG key material backup as of now
2023-11-17 12:50:49 -05:00
Thierry Laurion
9d808b0347
Talos-2: bring changes to a working state outside of usage of GPG key material backup as of now
- Closes https://github.com/linuxboot/heads/pull/1452
- coreboot: Take Talos II 0.7 release coreboot config file that was inside of cbfs and use it as a base upstream.
- linux: Readd sysctl and proc requirements for cbmem to work.

TODO: fix gpg2 module so that the following doesn't happen (a ppc64 thing. Can't figure out why):

```
Adding generated key to current firmware and re-flashing...

Board talos-2 detected, continuing...
37281653053696daf2e40a8efe9451b557d9d6ab586830dc85f814bf2e03a05f  /tmp/talos-2.rom
Initializing Flash Programmer
Reading old flash contents. Please wait...
Flashing: [##################################################\] (100%)
Verifying flash contents. Please wait...
The flash contents were verified and the image was flashed correctly.

Signing boot files and generating checksums...

180726119: 000E452213510000005A
gpg: error running '//bin/dirmngr': probably not installed
gpg: failed to start dirmngr '//bin/dirmngr': Configuration error
gpg: can't connect to the dirmngr: Configuration error
gpg: no default secret key: No dirmngr
gpg: signing failed: No dirmngr
```
dirmngr is deactivated per configure statement --disable-dirmngr, and works as expected on x86

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-17 10:26:11 -05:00
JonathonHall-Purism
f5377b3bd5
Merge pull request #1526 from JonathonHall-Purism/zip_updates
flash-gui.sh: Extend NPF archive format to ZIP, improve workflow
2023-11-17 10:21:44 -05:00
Jonathon Hall
6873df60c1
Remove CONFIG_BRAND_UPDATE_PKG_EXT, use zip everywhere
Nitrokey is going to switch from npf to zip per discussion.  Remove
this config.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-11-16 08:58:38 -05:00
Thierry Laurion
56d38e112c
Talos-2 fixes to comply with hashing file standard. Bypass flash-gui.sh prompt when talos-2 ato validate hashes against hashes provided under tgz through flash.sh validation (still offer zip and tgz, which tgz might change to zip later but only tgz offered through builds)
Attempt to address https://github.com/linuxboot/heads/pull/1526#issuecomment-1811185197

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-16 08:44:39 -05:00
Jonathon Hall
6ef5298d20
Makefile: Don't build ZIP update package for talos-2
talos-2 builds its own tgz update package that is not currently
integrated with the zip method.  While the zip method right now would
theoretically if the tgz was inside it, this would have to be hooked
up for talos-2 specifically.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-11-14 16:50:15 -05:00
Jonathon Hall
51e2d789b4
Makefile: Only add update package to all if it's actually built
Only add the update package to all if it is actually being built, fixes
default target with CONFIG_LEGACY_FLASH=y.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-11-14 13:26:18 -05:00
Jonathon Hall
bb7294476d
Makefile: Don't generate update package for legacy flash boards
The only purpose of legacy flash boards is to be flashed over vendor
firmware using an exploit, to then flash non-maximized Heads firmware.

They are never upgraded to another legacy flash build, and they move
the coreboot ROM from the build directory, so don't build an update
package for those boards.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-11-14 12:14:18 -05:00
Jonathon Hall
6ca1d670f4
CircleCI: Install 'zip' dependency
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-11-14 08:21:13 -05:00
Jonathon Hall
7b2b95cb94
flash-gui.sh: Show .rom or .tgz in UI, not both
talos-2 (only) uses .tgz instead of .rom for updates.  Currently, both
are treated as alternatives to a ZIP-format update archive with
SHA-256 integrity check, extend that to the prompts to reduce clutter.

Reflow the "You will need ... your BIOS image" prompt to fit on
fbwhiptail.

The .tgz format could be better integrated with the ZIP updates, but
this needs more work specific to talos-2.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-11-13 17:17:07 -05:00
Jonathon Hall
5bd50652a0
flash-gui.sh: Extend NPF archive format to ZIP, improve workflow
Allow configuring the ZIP-format update file extension with
CONFIG_BRAND_UPDATE_PKG_EXT in board config.  Default is 'zip'.

Create update package in the default Makefile target.  Delete
create_npf.sh.

Do not require /tmp/verified_rom in the update file package's
sha256sum.txt (but allow it for backward compatibility).

Show the integrity error if unzip fails instead of dying (which returns
to main menu with no explanation, error is left on recovery console).
This is the most likely way corruption would be detected as ZIP has
CRCs.  The sha256sum is still present for more robust detection.

Don't require the ROM to be the first file in sha256sum.txt since it
raises complexity of adding more files to the update archive in the
future.  Instead require that the package contains exactly one file
matching '*.rom'.

Restore confirmation prompt for the update-package flow, at some point
this was lost.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-11-13 16:42:05 -05:00
tlaurion
133da0e48e
Merge pull request #1515 from tlaurion/inmemory_keygen-gpg_backup_usable_for_RSA_only-copy_to_card_working_for_RSA_only-gpg_auth_for_recovery_and_sub_boot
GPG User Authentication: In-memory gpg keygen + keytocard and GPG key material backup enabling  (plus a lot of code cleanup and UX improvements)
2023-11-13 16:05:26 -05:00
Jonathon Hall
97d903f22a
oem-factory-reset: Don't repeat "insert flash drive" message
Don't repeat this message if the user says "no" to the confirmation
prompt.  Go directly to the menu.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-11-13 14:52:09 -05:00
Jonathon Hall
d39fc26dd9
oem-factory-reset: Move format confirmation before resetting anything
Move confirmation of formatting flash drive with LUKS percentage
selection before any reset actions have been taken, so aborting does
not result in a half-reset system.  Combine with the more basic
"confirm" prompt that existed after selecting the device (but did not
include the LUKS size information).

Split up prepare_flash_drive into interactive_prepare_flash_drive (both
prompts and formats as before), confirm_thumb_drive_format (just
confirms the selections), and prepare_thumb_drive (now noninteractive).

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-11-13 14:37:19 -05:00
Jonathon Hall
a925219efb
oem-factory-reset: Improve prompt flow formatting flash drive
Combine prompt to disconnect other devices with prompt to connect the
desired device.

Show block device sizes in MB/GB when selecting device so it is easier
to select.  file_selector now supports --show-size to include block
device sizes in menu.

Rework file_selector so menu options can contain spaces (use bash
array) and to simplify logic.

Prompt to select flash drive and LUKS percentage in OEM reset before
actually taking any actions, so aborting doesn't half-reset the system.

Abort OEM reset if user aborts the flash drive selection instead of
looping forever.  (Canceling the confirmation still loops to retry but
it is possible to exit by aborting the repeated menu.)

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-11-13 13:54:37 -05:00
Thierry Laurion
e924a8afca
oem-factory-reset : Prompt user for any connected block device, give storage size and loop until none is connected to exit loop.
Warn user if connected usb block device is less then 128mb, since creating LUKS container of less then 8mb might cause issues.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-09 17:04:33 -05:00
Thierry Laurion
23c967f26d
nv41/ns50/librem linux: Add EXFAT fs support (mandatory).
config/linux-librem_common-6.1.8.config: passed to oldconfig format through 'make BOARD=librem_14  linux.modify_and_save_oldconfig_in_place'

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-09 13:58:19 -05:00
Thierry Laurion
37872937f0
oem-factory-reset: unify booleen y/n variable usage and double check logic. Also move USB Security dongle capability detection under code already checking for USB Security Dongle's smartcard presence.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-07 14:34:50 -05:00
Thierry Laurion
160367d065
oem-factory-reset: normal output to inform user of consequences of generating keys on smartcard without backup, not a wanring anymore
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-06 16:05:08 -05:00
Thierry Laurion
659de63180
oem-factory-reset: fix typo : Same a GPG Admin PIN
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-06 16:02:37 -05:00
Thierry Laurion
388ee5198b
All TPM Extend additional context passed from console echo output to DEBUG. Put back console output as of master. TODO: decide what we do with tpmr extend output for the future. Hint: forward sealing of next flashed firmware measurements.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-06 15:53:17 -05:00
Jonathon Hall
fd6a947cb3
tpmr: Move last TPM owner password prompt/shred into tpmr
Prompt for TPM owner password internally within tpm2_counter_create.
Add tpm1_counter_create to prompt for password internally.  Wipe the
cache in either if the operation fails, in case the password was
incorrect.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-11-06 15:20:29 -05:00
Thierry Laurion
9e0491e9db
oem-factory-reset/librem boards: remove CONFIG_OEMRESET_OFFER_DEFAULTS=y and checks for it; the default of oem-factory-reset is now to propose user to use defaults first for simplicity of most common use case without allianating advanced users which can simply not accept the default and answer questionnaire
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-06 11:27:51 -05:00
Thierry Laurion
0042163861
kexec-seal-key: remove non-needed shred of file cached /tmp/secret/tpm_owner_password (done when sealing fails under tpmr)
- document why shred is still called under functions:check_tpm_counter for safety and add TODO there

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-06 10:30:11 -05:00
Thierry Laurion
923b4e1fe9
ash_functions:confirm_gpg_card: loop gpg_admin_pin prompt until non-empty
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-06 10:06:19 -05:00
Thierry Laurion
8d7efa021d
media-scan: die if gpg_auth fails (should loop and never exit anyway)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-06 10:04:51 -05:00
Thierry Laurion
bfc877c49c
kexec-select-boot/kexec-insert-key: add info message explaining why PCR 4 is extended
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-06 10:03:14 -05:00
Thierry Laurion
504f0336ac
init: add early boot 'o' option to jump directly to oem-factory-reset for OEM provisioning of secret prior of shipping products, once OS is installed and after MRC training happened on first boot.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-03 16:41:36 -04:00
Thierry Laurion
eee913d8d2
oem-factory-reset: add rudimentary mount_boot function so that oem-factory-reset can be called early at boot without /boot previously mounted. Also fix logic so that GPG User PIN is showed as configured when keytocard or smartcard only is configured.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-03 16:41:33 -04:00
Thierry Laurion
c064b78ef6
gui-init: fix TRACE: clean_check_boot stating mount_boot instead of clean_boot_check
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-03 16:41:30 -04:00
Thierry Laurion
4e10740453
oem-factory-reset/ash_functions/luks-functions: replace provisioning with configuring keywords. Tweak oem-factory-reset flow and questionnaire. Now first prompt is to ask if user wants to go advanced or use defaults.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-03 16:41:27 -04:00
Thierry Laurion
cd3ce6999c
tpmr/kexec-seal-key/functions: end refactoring of tpmr being in carge of wiping /tmp/secret/tpm_owner_password if invalid
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-03 13:53:47 -04:00
Thierry Laurion
afb817ca48
tpmr: give users better error/DEBUG messages in regard of TPM errors
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-03 11:07:36 -04:00
Thierry Laurion
84374dfbcd
kexec-seal-key/seal-totp/tpmr/functions: move wiping of tpm_owner_password to tpmr calls directly
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-03 10:54:16 -04:00
Thierry Laurion
e2985d386e
seal-totp/tpmr: differenciate die messages to show which between tpm1_seal/tpm2_seal or check_tpm_counter fails to seal as first step to possible refactor
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-03 10:15:52 -04:00
Thierry Laurion
51caab8ea4
functions: check_tpm_counter; add shred call to wipe tpm_owner_password if creating counter fails with cached tpm owner password so prompt_tpm_owner_password asks for it again on next run
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-03 10:10:05 -04:00
Thierry Laurion
9523b4fee2
unseal-totp: fix indentation
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-03 09:31:44 -04:00
Thierry Laurion
6d7f9be414
TPM2: add DEBUG and fix path for TPM2 primary key handle hash.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 14:17:52 -04:00
Thierry Laurion
19c5d16e40
functions: guide user torward resetting TPM more directly if counter_increment fails.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 12:58:19 -04:00
Thierry Laurion
644a59ab60
oem-factory-reset: simplify first question for users to have a GPG key material backup and enable GPG Authentication
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 12:55:05 -04:00
Thierry Laurion
85266452fa
oem-factory-reset ash_functions: fix USB Security Dongle' smartcard -> USB Security Dongle's smartcard
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-02 12:54:39 -04:00