Commit Graph

14 Commits

Author SHA1 Message Date
Thierry Laurion
df1e6d7540
coreboot configs: put back all maintained boards (boards/*)'s coreboot configs in oldconfig format
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-07-26 15:39:40 -04:00
Thierry Laurion
446c98a3f8
coreboot configs: add CONFIG_USBDEBUG
sed -i '$a CONFIG_USBDEBUG=y' config/coreboot-*.config
grep -R CONFIG_COREBOOT_VERSION boards/ | awk -F "/" {'print $2'} | while read board; do if ! sudo make BOARD=$board coreboot.save_in_defconfig_format_in_place > /dev/null 2>&1; then echo $board failed;fi; done

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-07-26 15:39:28 -04:00
Thierry Laurion
d44fe53731
coreboot configs: add CONFIG_RESOURCE_ALLOCATION_TOP_DOWN
sed -i '/# CONFIG_RESOURCE_ALLOCATION_TOP_DOWN is not set/d' config/*.config

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-07-26 15:39:22 -04:00
Thierry Laurion
88cec3ab87
coreboot configs: put in defconfig to ease comparison and unification of configs
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-07-26 15:39:10 -04:00
Thierry Laurion
6e237d9edd
config/coreboot*: save new coreboot 24.02.01 coreboot configs in oldconfig (see new defaults from 4.22.01)
grep -R 24.02.01 boards/ | awk -F "/" {'print $2'} | while read board; do sudo make BOARD=$board coreboot.save_in_oldconfig_format_in_place; done

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-07-26 15:36:02 -04:00
Thierry Laurion
119cebc44f
coreboot 24.02.01: add upstream pending patches for heap allocation failure on bootsplash and defaulting to 4mb of heap when bootsplash
Add upstreeam patches to downstream:
git fetch https://review.coreboot.org/coreboot refs/changes/75/83475/1 && git format-patch -1 --stdout FETCH_HEAD > 0001-prevent_bootsplash_heap_allocation_failure_to_booting.patch
git fetch https://review.coreboot.org/coreboot refs/changes/76/83476/2 && git format-patch -1 --stdout FETCH_HEAD > 0002-increase_heap_from1mb_to4mb_when_bootpslash_enabled.patch

Rebuilding coreboot version with patches applied:
docker run -e DISPLAY=$DISPLAY --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) tlaurion/heads-dev-env:v0.2.0 -- make BOARD=qemu-coreboot-whiptail-tpm1 real.remove_canary_files-extract_patch_rebuild_what_changed
Remove file added by patch when patching fails:
sudo rm build/x86/libgpg-error-1.46/src/syscfg/lock-obj-pub.powerpc64le-unknown-linux-musl.h

Applying patches touching coreboot version 24.02.01 defiend in board config to all boards:
grep -R 24.02.01 boards/ | awk -F "/" {'print $2'} | while read board; do sudo make BOARD=$board coreboot.save_in_oldconfig_format_in_place; done

Adding added/modified files to git tracked files for commit:
git status | grep -e modified -e added | awk -F ":" {'print $2'}| xargs git add

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-07-26 15:35:44 -04:00
Thierry Laurion
fb616f416a
WiP 4.22.01 fhd patch test + bump all 4.19 boards to 4.22.01
- patches/coreboot-4.22.01/0001-x230-fhd-variant.patch created per
  - git fetch https://review.coreboot.org/coreboot refs/changes/50/28950/23 && git format-patch -1 --stdout FETCH_HEAD > ~/heads/patches/coreboot-4.22.01/0001-x230-fhd-variant.patch
- all boards configs bumped with:
  - grep -Rn 4.22 boards/ | awk -F "/" {'print $2'}| while read line; do make BOARD=$line coreboot.save_in_oldconfig_format_in_place ; done

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-03-25 15:14:42 -04:00
Thierry Laurion
0f0cb99a02
Adapt NV41/NS50 changes, unify bootsplash file usage for branding
Taken from : https://github.com/Nitrokey/heads/tree/temp-release-v2.3

- Move branding/Heads/bootsplash-1024x768.jpg -> branding/Heads/bootsplash.jpg (We don't care about the size. Make filename generic)
- Adapt all coreboot configs so bootsplash is adapted by BRAND_NAME CONFIG_BOOTSPLASH_FILE="@BRAND_DIR@/bootsplash.jpg"
  - Reminders :
    - Makefile changes Heads to defined BRAND_NAME in board config
    - Makefile changes -e 's!@BRAND_DIR@!$(pwd)/branding/$(BRAND_NAME)!g'
- nv41/nv50
  - coreboot oldefconfigs adapted by:
    - make BOARD=nitropad-ns50 coreboot.modify_and_save_oldconfig_in_place
    - make BOARD=nitropad-nv41 coreboot.modify_and_save_oldconfig_in_place
  - linux oldefconfigs adapted by
    - make BOARD=nitropad-nv41 linux.modify_and_save_oldconfig_in_place
      - since this is shared config across nv41/ns50: it only needs to be done for a single board

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-20 09:40:52 -05:00
d-wid
2bfa1737f8
Support branding under branding subdirectories
Squash of #1502 + moving logo/bootsplash files under branding/Heads

- Move logos and bootsplashes from blobs to branding/Heads/
- Makefile: add support for BRAND_DIR which depends on BRAND_NAME which defaults to Heads if no branding
- Boards coreboot configs: change bootsplash directory to depend on BRAND_DIR (instead of BLOBS_DIR) in bootsplash enabled configs
- Branding/Heads/bootsplash-1024x768.jpg points to branding/Heads/d-wid-ThePlexus_coreboot-linuxboot-heads_background-plain_DonateQrCode.jpg
- xcf file deleted. Original still under #1502 to reuse for modification without recompressing (blobs/heads.xcf)
- CREDITS file created to point to original authors, remixers (Open for details)
  - Thanks to: @d-wid for remixing Bing's AI generated Janus logo, @ThePlexus for Qubes Box concept and @ThrillerAtPlay for its matrix background
2023-10-06 17:09:23 -04:00
Thierry Laurion
8c366ef61d
coreboot configs: changeset needed to use efifb
- intel igpu related - remove i915drmfb hacks and use simplefb and libgfxinit enabled fb
- coreboot 4.19: add patch to fix https://ticket.coreboot.org/issues/500. fbwhiptail still tears screen if in native 1366x769 though
- coreboot 4.19: add patch to enable linux tampoline handle coreboot framebuffer (merged https://review.coreboot.org/c/coreboot/+/76431)
- coreboot 4.19: add patch to enable coreboot to apply jpeg voodoo to create bootsplash.jpeg injected in cbfs at build time + CircleCI apt imagemagick
  - (Thanks Nico Huber @icon again for above patches!)
- coreboot configs: adapt VESAFB/LIBGFXINIT to use maximum fb height/width
- coreboot configs for iGPU only: CONFIG_LINEAR_FRAMEBUFFER_MAX_HEIGHT CONFIG_LINEAR_FRAMEBUFFER_MAX_WIDTH to native size
- coreboot configs for dGPU based on Optional VBIOS injected: VESAFB set to 1280x1024 (maximum possible).

Details:
coreboot configs: remove CONFIG_LINUX_COMMAND_LINE="drm_kms_helper.drm_leak_fbdev_smem=1 i915.enable_fbc=0"
 - Those were needed to expose i915drmfb driver prior of efifb working.
2023-08-16 09:39:09 -04:00
Thierry Laurion
d3ea60f69e
linux configs: adapt to use efifb driver (Intel iGPU/qemu with bochs native gfxinit) 2023-08-15 17:24:34 -04:00
Thierry Laurion
f34d2dd7d7
bump qemu-tpm boards to coreboot 4.19 2023-06-27 11:21:09 -04:00
Thierry Laurion
536f4a1623
Small cosmetic/typo related changes, ccache enablement for coreboot and reduction of unseal attempts
gui-init: do not consume two unseal attempt to unseal both totp and hotp + cosmetic changes (slow down TPM DA lockout)
kexec-seal-key: Add DEBUG statement for PCR precalc
seal-totp: add DEBUG statements regarding skipping of PCR5 and PCR6 involvement into TOTP/HOTP sealing ops
seal-hotpkey: Add DEBUG statements related to reuse of TOTP sealed secret
tpmr: add DO_WITH_DEBUG calls to output pcrread and extend calls
tpmr: typo correction stating TRACE calls for tpm2 where it was for tpm1
tpmr: add DO_WITH_DEBUG calls for calcfuturepcr
functions: Cosmetic fix on pause_recovery asking user to press Enter to go to recovery shell on host console when board defines CONFIG_BOOT_RECOVERY_SERIAL

Not so related but part of output review and corrections:
kexec-insert-key: cosmetic changes prepending "+++" to disk related changes
kexec-save-default: cosmetic changes prepending "+++" to disk related changes
config/coreboot-qemu-tpm*.config: add ccache support for faster coreboot rebuild times
2023-03-10 12:11:57 -05:00
Thierry Laurion
6923fb5e20
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards
-coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations)
-swtpm set to be launched under TPM v2.0 mode under board config
-Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized)
This is skeleton for TPM v2 integration under Heads

-------------
WiP

TODO:
- libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built
- Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing
- init tries to bind fd and fails currently
- Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output
- When no OS' /boot can be mounted, do not try to TPM reset (will fail)

- seal-hotpkey is not working properly
- setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM)
  - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase.
- primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup
- would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only
- tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help.
  - Implementing them would be better
- REVIEW TODOS IN CODE
- READD CIRCLECI CONFIG

Current state:
- TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid)
- TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without.
 - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails.

- Current tests are with fbwhiptail (no clear called so having traces on command line of what happens)
 - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
2023-03-08 12:45:43 -05:00