These boards get purism-blobs as a submodule of the purism coreboot
fork. modules/coreboot used to skip the purism-blobs dependency for
this fork, but the module is not needed at all for these boards.
librem_l1um keeps CONFIG_PURISM_BLOBS=y since it is built from patched
coreboot 4.11.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Default the patch version to empty if the module name already includes
the version. Fixes application of coreboot patches.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
The skiboot build fails to find the toolchain when it's not in the
default location. There is only one ppc64 board anyway, so there's no
point trying to share a toolchain for now.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Use .heads-toolchain to mark that the toolchain was built rather than
.xcompile. coreboot doesn't generate .xcompile until the build step,
so all modules had to build successfully before we would stop trying to
to rebuild the toolchain. Build steps should generally produce the
indicated outputs too, which was not occurring here.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Reuse the toolchain from a coreboot release for fork builds. Either
the fork or the release can be built first, in either case the
release's toolchain is built at the default location and reused for
later builds.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Define a separate module for each coreboot version, so the module used
to build the ROM will optionally be able to reference the toolchain
from a different module.
This will allow coreboot fork builds to use the toolchain from the
corresponding release.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
At one time coreboot was built using Heads' musl toolchain, but this
was later reverted. coreboot builds with its own toolchain again.
CROSS= has no effect on coreboot proper (only exception is PPC64
skiboot payload). It was added to coreboot by a patch that was deleted
in 8e44853. COREBOOT_IASL was set to the default, that was only needed
when the toolchain was being overridden to override iasl back to the
coreboot one.
ppc64 still specifies CROSS= since skiboot is unable to find coreboot's
toolchain from XGCCPATH but checks CROSS. This builds skiboot with the
Heads toolchain as before.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Remove coreboot 4.8.1, 4.13, and 4.17, which were all unused.
Remove extra copies of EXTRA_FLAGS which duplicated the common
definition. The only difference was
-Wno-error=address-of-packed-member, the warning is now disabled
entirely everywhere with -Wno-address-of-packed-member.
Use separate coreboot_version values for talos_2, nitrokey, and purism,
which gives each a separate build directory.
Move conditional blob definitions out of each coreboot version.
Fix condition for coreboot-blobs - whether a module is a git clone
actually depends on non-empty <module>_repo, not <module>_version==git.
Fix the test so git versions of coreboot can have arbitrary names.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
For iterating, enabling these in the board config is easiest. It's
also possible to manually inject config.user ahead of time, or enable
at runtime without flashing, but the normal enable/flash/reboot path
does not work in qemu since it is unable to flash.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
On platforms using CONFIG_BOOT_EXTRA_TTYS multiple processes may try to
access TPM at the same time, failing with EBUSY. The order of execution
is unpredictable, so the error may appear on main console, secondary one,
or neither of them if the calls are sufficiently staggered. Try up to
three times (including previous one) with small delays in case of error,
instead of immediately scaring users with "you've been pwned" message.
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
Updated cbmem searches for CBMEM exposed by kernel in sysfs before
trying to read it from memory directly. As such, there is no need for
pointing to that file explicitly.
New coreboot revision also fixes output of 'cbmem -t' caused by wrong
endianness.
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
Simplify "enable" prompt a bit, clarify that firmware updating is
blocked, and remove mention of "failsafe boot mode". Reword "disable"
prompt similarly.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
The early recovery shell ("hold R") and serial recovery both could
bypass Restricted Boot since they occurred before config.user was
loaded. Load config.user earlier before these recovery methods.
Executing a shell directly (if recovery failed) also would bypass
Restricted Boot, additionally leaking /tmp/secret. Remove this from
the early recovery shell logic. Also remove the final failsafe exec
and move the "just in case" recovery from normal boot here instead, in
case the regular init script fails.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
kgpe-d16 and librem-l1um depend on 4.11 still today in tree, even though building is successful only on debian-10.
Fixing so people building 4.11 today are still successful.
4.19+ already depends on github.com releases tarballs.
REF: https://review.coreboot.org/c/coreboot/+/76399
The -s mode was removed, remove it from usage. Remove the test to skip
checking for board flashrom options with -s mode.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
The "disable restricted boot" prompt got slightly too long when fixing
the TPM wording. Re-wrap that line to match the others. Wrapping
could use some general cleanup but this is sufficient so the text isn't
truncated.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
The CONFIG_BASIC test was backwards, as a result it skipped the
LUKS disk unlock logic if basic mode was _not_ enabled. This wasn't
observed in the PureBoot distribution because we disable the LUKS disk
unlock feature.
CONFIG_BOOT_REQ_ROLLBACK and CONFIG_BOOT_REQ_HASH logic was also
skipped incorrectly, though neither of these are enabled on any board
so this had no effect in the PureBoot distribution either.
Test basic with each bit of logic to eliminate duplication of the
kexec-boot call and fix the LUKS disk unlock feature.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>