Commit Graph

2319 Commits

Author SHA1 Message Date
Jonathon Hall
555dde0b43
boards/librem_* (except l1um): Remove CONFIG_PURISM_BLOBS=y
These boards get purism-blobs as a submodule of the purism coreboot
fork.  modules/coreboot used to skip the purism-blobs dependency for
this fork, but the module is not needed at all for these boards.

librem_l1um keeps CONFIG_PURISM_BLOBS=y since it is built from patched
coreboot 4.11.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:44:39 -04:00
Jonathon Hall
c12b8cec4b
Makefile: Don't double version number in patches for versioned modules
Default the patch version to empty if the module name already includes
the version.  Fixes application of coreboot patches.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:44:39 -04:00
Jonathon Hall
1b81fb2d80
modules/coreboot: Don't try to share toolchain for talos_2 fork
The skiboot build fails to find the toolchain when it's not in the
default location.  There is only one ppc64 board anyway, so there's no
point trying to share a toolchain for now.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:44:34 -04:00
Jonathon Hall
8f95d0b65b
modules/coreboot: Use a specific file to mark the toolchain build
Use .heads-toolchain to mark that the toolchain was built rather than
.xcompile.  coreboot doesn't generate .xcompile until the build step,
so all modules had to build successfully before we would stop trying to
to rebuild the toolchain.  Build steps should generally produce the
indicated outputs too, which was not occurring here.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:43:02 -04:00
Jonathon Hall
0c024b14e8
modules/coreboot: Reuse release toolchain for fork builds
Reuse the toolchain from a coreboot release for fork builds.  Either
the fork or the release can be built first, in either case the
release's toolchain is built at the default location and reused for
later builds.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:42:38 -04:00
Jonathon Hall
786cf09ec7
modules/coreboot: Define each coreboot version as a separate module
Define a separate module for each coreboot version, so the module used
to build the ROM will optionally be able to reference the toolchain
from a different module.

This will allow coreboot fork builds to use the toolchain from the
corresponding release.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:41:59 -04:00
Jonathon Hall
cd73574f71
patches/coreboot-*: Remove unused patches
Remove patches for coreboot 4.8.1, 4.13, 4.14, and 4.17, which are no
longer used.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:41:59 -04:00
Jonathon Hall
3695489589
modules/coreboot: Delete unused remnants of using musl toolchain
At one time coreboot was built using Heads' musl toolchain, but this
was later reverted.  coreboot builds with its own toolchain again.

CROSS= has no effect on coreboot proper (only exception is PPC64
skiboot payload).  It was added to coreboot by a patch that was deleted
in 8e44853.  COREBOOT_IASL was set to the default, that was only needed
when the toolchain was being overridden to override iasl back to the
coreboot one.

ppc64 still specifies CROSS= since skiboot is unable to find coreboot's
toolchain from XGCCPATH but checks CROSS.  This builds skiboot with the
Heads toolchain as before.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:41:55 -04:00
Jonathon Hall
fb6b81119d
modules/coreboot: Clean up module, don't share git build directories
Remove coreboot 4.8.1, 4.13, and 4.17, which were all unused.

Remove extra copies of EXTRA_FLAGS which duplicated the common
definition.  The only difference was
-Wno-error=address-of-packed-member, the warning is now disabled
entirely everywhere with -Wno-address-of-packed-member.

Use separate coreboot_version values for talos_2, nitrokey, and purism,
which gives each a separate build directory.

Move conditional blob definitions out of each coreboot version.

Fix condition for coreboot-blobs - whether a module is a git clone
actually depends on non-empty <module>_repo, not <module>_version==git.
Fix the test so git versions of coreboot can have arbitrary names.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:35:55 -04:00
tlaurion
68f707baad
Merge pull request #1464 from tlaurion/ioport_url_change_to_debian_https
ioport: changing url to debian https server, same hash. First need to go into #1198 direction
2023-08-11 12:17:13 -04:00
tlaurion
6f9409be81
Merge pull request #1463 from tlaurion/ioport_url_change_to_debian
ioport: changing url to debian https server, same hash. First need to go into #1198 direction
2023-08-11 12:15:48 -04:00
tlaurion
a276b05a44
Merge pull request #1463 from tlaurion/ioport_url_change_to_debian
ioport: changing url to debian, same hash. First need to go into #1198 direction
2023-08-11 12:06:26 -04:00
Thierry Laurion
3c920dd082
ioport: changing url to debian, same hash. First need to go into #1198 direction 2023-08-11 12:05:15 -04:00
Thierry Laurion
2965cf69cc
Archlinux distro signing public key update to (expires 2037-10-27) 2023-08-08 12:55:08 -04:00
tlaurion
02c3a1f9ee
Merge pull request #1448 from tlaurion/remove_x230-edp_from_untested
Rename UNTESTED_x230-maximized-fhd_edp and UNTESTED_x230-hotp-maximized-fhd_edp to normal names
2023-08-02 17:55:33 -04:00
Thierry Laurion
447f8addc7
Rename UNTESTED_x230-maximized-fhd_edp and UNTESTED_x230-hotp-maximized-fhd_edp to normal names 2023-08-02 14:37:02 -04:00
tlaurion
06b1b0948d
Merge pull request #1399 from d-wid/z220
Add HP Z220 CMT
2023-07-24 18:27:17 -04:00
tlaurion
f47b3bc126
Merge pull request #1445 from tlaurion/add_donation_qrcode_link_by_default
Add bootsplash with donation link in Qrcode form.  Make it default.
2023-07-24 18:17:24 -04:00
Thierry Laurion
1781d3de25
Add bootsplash with donation link in Qrcode and make it default (Centered) 2023-07-24 17:50:48 -04:00
d-wid
4d157493a3 Add HP Z220 CMT 2023-07-22 16:27:31 +02:00
tlaurion
d7b4a47cfe
Merge pull request #1442 from tlaurion/qemu_basic_boot_example_in_board_config
Qemu boards: typo correction in comment to manually enable Basic Boot mode
2023-07-17 14:08:22 -04:00
tlaurion
92411be10b
Merge pull request #1443 from tlaurion/move_UNTESTED_t530_non-dgpu
non-dgpu t530-hotp-mazimized was reported working
2023-07-17 14:06:18 -04:00
Thierry Laurion
f4a8ae925f
non-dgpu t530 was reported working (t530-hotp-maximized-v0.2.0-1705-gedf200e.rom) 2023-07-17 12:49:32 -04:00
Thierry Laurion
c419cf7e2b
Qemu boards: typo in comment to manually enable Basic Boot mode : (was CONFIG_BASIC_BOOT where CONFIG_BASIC expected) 2023-07-17 12:32:27 -04:00
tlaurion
edf200e791
Merge pull request #1419 from JonathonHall-Purism/pureboot-27-heads-upstream
Upstream PureBoot 27
2023-07-12 15:36:34 -04:00
Jonathon Hall
45245fe417
qemu-*: Show how to enable restricted/basic in board config
For iterating, enabling these in the board config is easiest.  It's
also possible to manually inject config.user ahead of time, or enable
at runtime without flashing, but the normal enable/flash/reboot path
does not work in qemu since it is unable to flash.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-12 14:17:43 -04:00
Jonathon Hall
47e9e4cf45
Merge remote-tracking branch 'github-heads/master' into pureboot-27-heads-upstream 2023-07-12 14:14:17 -04:00
tlaurion
3c492f94c1
Merge pull request #1428 from Dasharo/replay_pcrs_from_cbmem
initrd/bin/tpmr: replay PCR values from event log
2023-07-12 14:11:32 -04:00
Krystian Hebel
77eb9536d6
initrd/bin/tpmr: add debug for replay_pcr()
It also includes instructions for introspecting the replayed values
manually.

Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-07-12 14:57:44 +02:00
Krystian Hebel
f7066d020d
initrd/bin/gui-init: retry TOTP in case of error
On platforms using CONFIG_BOOT_EXTRA_TTYS multiple processes may try to
access TPM at the same time, failing with EBUSY. The order of execution
is unpredictable, so the error may appear on main console, secondary one,
or neither of them if the calls are sufficiently staggered. Try up to
three times (including previous one) with small delays in case of error,
instead of immediately scaring users with "you've been pwned" message.

Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-07-12 14:52:07 +02:00
Krystian Hebel
9a72749675
initrd/bin/talos-init: remove alias for cbmem and bump coreboot revision
Updated cbmem searches for CBMEM exposed by kernel in sysfs before
trying to read it from memory directly. As such, there is no need for
pointing to that file explicitly.

New coreboot revision also fixes output of 'cbmem -t' caused by wrong
endianness.

Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-07-12 14:50:54 +02:00
Krystian Hebel
d1a18f1f83
initrd/bin/tpmr: replay PCR values from event log instead of assumming their values
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-07-12 14:50:42 +02:00
Thierry Laurion
38dfa73f7c
config/linux-talos-2.config: Disable CONFIG_XZ_DEC for archs other then POWERPC 2023-07-12 14:50:41 +02:00
Thierry Laurion
5272bf7e73
config/linux-talos-2.config: Enable POWER9 CPU 2023-07-12 14:50:41 +02:00
Thierry Laurion
f980a4e2fa
config/linux-talos-2.config: add PPC accelerated crypto options 2023-07-12 14:50:41 +02:00
Thierry Laurion
22609a7730
config/linux-talos-2.config: add x230-maximized crypto modules equivalents 2023-07-12 14:50:40 +02:00
Thierry Laurion
650090acdc
config/linux-talos-2.config: fix LOCALVERSION for reproducibility 2023-07-12 14:50:40 +02:00
Thierry Laurion
6ce1fb622f
config/linux-talos-2.config: saved in oldconfig format, no change 2023-07-12 14:50:37 +02:00
tlaurion
2ad457bc65
Merge pull request #1439 from tlaurion/coreboot_411-fix_acpica_download_link_same_hash
coreboot 4.11 needs acpica which moved from acpica.org to intel.
2023-07-11 17:59:14 -04:00
Jonathon Hall
440dc5b61c
Merge remote-tracking branch 'github-heads/master' into pureboot-27-heads-upstream 2023-07-11 16:42:54 -04:00
Jonathon Hall
718be739eb
config-gui.sh: Reword Restricted Boot prompts
Simplify "enable" prompt a bit, clarify that firmware updating is
blocked, and remove mention of "failsafe boot mode".  Reword "disable"
prompt similarly.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-11 16:42:43 -04:00
Jonathon Hall
61609ff709
initrd/init: Prevent Restricted Boot bypass
The early recovery shell ("hold R") and serial recovery both could
bypass Restricted Boot since they occurred before config.user was
loaded.  Load config.user earlier before these recovery methods.

Executing a shell directly (if recovery failed) also would bypass
Restricted Boot, additionally leaking /tmp/secret.  Remove this from
the early recovery shell logic.  Also remove the final failsafe exec
and move the "just in case" recovery from normal boot here instead, in
case the regular init script fails.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-11 16:42:38 -04:00
Thierry Laurion
c3a2bc5578
coreboot 4.11 needs acpica which moved from acpica.org to intel. Download from distfiles.macports.org instead, same hash.
kgpe-d16 and librem-l1um depend on 4.11 still today in tree, even though building is successful only on debian-10.
Fixing so people building 4.11 today are still successful.

4.19+ already depends on github.com releases tarballs.
REF: https://review.coreboot.org/c/coreboot/+/76399
2023-07-11 16:16:01 -04:00
tlaurion
8d7d07a802
Merge pull request #1440 from JonathonHall-Purism/acpi-unix2-20220331-mirror
Use Intel mirror for acpi-unix2 20220331
2023-07-11 16:14:27 -04:00
Jonathon Hall
5c12c4d03b
coreboot-talos_2: Patch acpi-unix2 mirror to Intel
acpica.org now redirects to Intel and all links are broken.  Use
Intel's mirror of this archive.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-11 15:03:36 -04:00
Jonathon Hall
17c71ebd1e
coreboot-4.17: Patch acpi-unix2 mirror to Intel
acpica.org now redirects to Intel and all links are broken.  Use
Intel's mirror of this archive.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-11 15:02:18 -04:00
Jonathon Hall
e0234485f7
initrd/bin/flash.sh: Remove -s vestiges
The -s mode was removed, remove it from usage.  Remove the test to skip
checking for board flashrom options with -s mode.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-10 09:10:52 -04:00
tlaurion
473c235fba
Merge pull request #1436 from tlaurion/kexec_cosmetic_fixes
Kexec cosmetic fixes
2023-07-07 17:07:12 -04:00
Jonathon Hall
19610748d3
config-gui.sh: Fix truncated restricted boot prompt
The "disable restricted boot" prompt got slightly too long when fixing
the TPM wording.  Re-wrap that line to match the others.  Wrapping
could use some general cleanup but this is sufficient so the text isn't
truncated.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-07 16:39:55 -04:00
Jonathon Hall
157efc6b03
kexec-select-boot: Fix test for basic mode
The CONFIG_BASIC test was backwards, as a result it skipped the
LUKS disk unlock logic if basic mode was _not_ enabled.  This wasn't
observed in the PureBoot distribution because we disable the LUKS disk
unlock feature.

CONFIG_BOOT_REQ_ROLLBACK and CONFIG_BOOT_REQ_HASH logic was also
skipped incorrectly, though neither of these are enabled on any board
so this had no effect in the PureBoot distribution either.

Test basic with each bit of logic to eliminate duplication of the
kexec-boot call and fix the LUKS disk unlock feature.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-07 15:57:45 -04:00