Noticed a couple of dupes (gz and rom) so I figured I should sort it now
to hopefully avoid another one in the future.
Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
The coreboot power failure state Kconfig options are wired up to the
Power on AC feature on Clevo mainboards. Set the power failure state to
0 to prevent these boards from powering on or waking up with AC attach.
Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
Log the board and version when entering the recovery shell. Extract
the firmware version logic from init.
Currently this is the only way to get the debug log. If we add a way
from the GUI, we may want to log the board and version somewhere else
too.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
LOG() is added to log to the log only (not kmsg, more verbose than
TRACE).
DO_WITH_DEBUG only captures stdout/stderr to the log with LOG().
kexec-boot silences stderr from kexec, we don't want it on the console.
No need to repeat the kexec command when asking in debug to continue
boot, it's no longer hidden behind verbose output from kexec.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
`eval "$kexeccmd"` should become `DO_WITH_DEBUG eval "$kexeccmd"` when
adding DO_WITH_DEBUG, command invocation is still the same, still needs
eval.
Restore DO_WITH_DEBUG in front of kexec-parse-boot that had been
removed.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
"$1 err:" looked like an error, but often there's output on stderr
that's diagnostic (like kexec -d). "$1 stderr:" is clearer.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
DO_WITH_DEBUG traces command exit status (if failed), stdout/stderr (if
not empty), and PATH (if command was not found). The caller still
observes the exit status, and stdout/stderr still go to the caller as
well.
This way, DO_WITH_DEBUG can be inserted anywhere with minimal spam in
the logs and without affecting the script.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Otherwise we get ehci-pci and xhci_hcd kernel messages in dmesg debug AFTER "Verifying presence of GPG card" which explains why dongle might not be found in time and fails in oem-factory-reset
Fixes https://github.com/Nitrokey/heads/issues/48
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
TODO:
- $(pcrs) call sometimes fail in DEBUG call, outputting too many chars to be inserted in kmesg. Call removed here since redundant (PCR6 already extended with LUKS header)
- Notes added for TPM2 simplification over TPM1 in code as TODO
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Fixes linuxboot#1092.
Supersedes linuxboot#1093
- Cherry-picks ed1c23a (credit to @hardened-vault) thank you!)
- Addresses and correct self-review under linuxboot#1093 (@hardened-vault: you don't answer often here!)
- kexec-unseal-key: Warn a user who attempts to default boot while his Disk Unlock Key passphrase fails to unseal because LUKS headers changed.
(linuxboot#1093 (comment))
- kexec-seal-key: Identical as in ed1c23a
- kexec-add-key: Tell the user that the Headers did not change when changing TPM released Disk Unlock Key
(Through changing default boot at Options->Boot Options -> Show OS boot options: select a new boot option
and set a Disk Unlock Key in TPM, accept to modify disk and sign /boot options)
- Here, we cancel the diff output shown on screen linuxboot#1093 (comment)
- And we change the warning given to the user to past tense "Headers of LUKS containers to be unlocked via TPM Disk Unlock Key passphrase did not change."
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
tpm2-tools-5.6 patch: comment out git versioning output under ./VERSION; module: output current version under ./VERSION instead. Document under module
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
hardcode VERSION='reproducible_build' into generated configure script to get rid of generate random git abbrev 8/12 chars (could not find source)
patches/openssl-3.0.8.patch: clean up
tpm2-tools/tpm2-tss:
hack configure scripts to not contain hardcoded libs and other rpath related strings, using sed instead of patching configure script like cryptsetup2 patch
Will be clened up in other commits. Leaving here as trace for autotools sed patching for reproducible builds.
CircleCI: change working dir from project->heads so that CircleCI and local builds are from heads directory, helping reproducible builds
TODO: change other patches a well and generalize to gpg toolstack, removing patches that are a maintainership burden.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>