Commit Graph

2319 Commits

Author SHA1 Message Date
Matt DeVillier
3191bfbdaf
oem-factory-reset: Add 'use defaults' prompt to simplify user options
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2023-06-21 13:26:42 -04:00
Matt DeVillier
3766d32034
board/librem_{13/14/15/mini}: Use Purism repo for coreboot
Use Purism's repo for all Librem boards other than the Librem Server L1UM.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2023-06-21 13:26:41 -04:00
Matt DeVillier
1ea5f3bd6b
modules/coreboot: Allow building from Purism's coreboot git repo
Use commit hash from 4.16-Purism-1 tag.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2023-06-21 13:26:41 -04:00
Kyle Rankin
efc49c7425
Add Root file hash feature
Currently Heads will check files in /boot for tampering before booting
into a system. It would be nice if you could use the trusted environment
within Heads and extend this to check files in / itself. This new script
adds that functionality, however due to the length of time it takes to
perform these kinds of checks, it doesn't run automatically (yet).

This feature can be configured from the config GUI - the root device/
directories to check can be set, and it can be configured to run during
boot.

To make this a bit easier to use, I added a feature to detect whether
the hash file exists and if not, to display a more limited menu to the
user guiding them to create the initial hash file. Otherwise it will
display the date the file was last modified, which can be useful to
determine how stale it is.
2023-06-21 13:26:37 -04:00
tlaurion
db20f78357
Merge pull request #1418 from tlaurion/qemu-coreboot-tpm1_config-fix 2023-06-21 12:40:04 -04:00
Thierry Laurion
2dcf7fbd77
coreboot-qemu-tpm1.config: TPM1 coreboot activation got lost in last commit. Sorry 2023-06-21 11:44:06 -04:00
tlaurion
6ec0c81443
Merge pull request #1373 from tlaurion/io386_remake 2023-06-20 20:02:34 -04:00
Thierry Laurion
995a6931f1
config-gui.sh: permit io386 platform locking to be dynamically disabled at runtime
ash_functions: make sure /tmp/config is sourced before going to recovery shell
TODO: revisit https://source.puri.sm/firmware/pureboot/-/blob/Release-27/initrd/bin/config-gui.sh#L33 to have proper config store later on
2023-06-20 12:42:12 -04:00
Thierry Laurion
39bb6ea313
lock_chip: parametrize locking in function of board config exported config option
kexec-boot: depend on io386 presence and board config option to call lock_chip
2023-06-20 12:40:00 -04:00
Thierry Laurion
9830c6c4ed
io386 platform lockdown: enable on sandy/ivy/haswell maximized board configs 2023-06-20 12:36:45 -04:00
Matt DeVillier
d094dcd346
gui-init/seal-libremkey: reduce friction when generating new secret
Reduce friction when generating a new TOTP/HOTP secret by eliminating
an unnecessary 'press enter to continue' prompt following QR code
generation, and by attempting to use the default admin PIN set by
the OEM factory reset function. Fall back to prompting the user
if the default PIN fails.

Also, ensure error messages are visible to users before being returned
back to the GUI menu from which they came by wrapping existing calls to die()

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2023-06-14 09:58:35 -04:00
Kyle Rankin
d937426306
Use the Librem Key as a TPM work-alike in the absence of a TPM
On machines without a TPM, we'd still like some way for the BIOS to
attest that it has not been modified. With a Librem Key, we can have the
BIOS use its own ROM measurement converted to a SHA256sum and truncated
so it fits within an HOTP secret. Like with a TPM, a malicious BIOS with
access to the correct measurements can send pre-known good measurements
to the Librem Key.

This approach provides one big drawback in that we have to truncate the
SHA256sum to 20 characters so that it fits within the limitations of
HOTP secrets. This means the possibility of collisions is much higher
but again, an attacker could also capture and spoof an existing ROM's
measurements if they have prior access to it, either with this approach
or with a TPM.

Signed-off-by: Kyle Rankin <kyle.rankin@puri.sm>
2023-06-14 09:58:34 -04:00
Thierry Laurion
a598ba6e57
modules/io386: fixate to latest commit id and optimize for space 2023-06-12 13:51:58 -04:00
Thierry Laurion
699a961381
io386: replace check for io386 to call lock_chip by a single common call from kexec-boot prior of real kexec 2023-06-12 13:51:20 -04:00
persmule
3f1c76ce11
Introduce io386 to heads and use it to finalize chipset at runtime
On some newer platforms of intel (confirmed on nehalem, sandy/ivy
bridge), coreboot after commit [2ac149d294af795710eb4bb20f093e9920604abd](https://review.coreboot.org/cgit/coreboot.git/commit/?id=2ac149d294af795710eb4bb20f093e9920604abd)
registers an SMI to lockdown some registers on the chipset, as well
as access to the SPI flash, optionally. The SMI will always be triggered
by coreboot during S3 resume, but can be triggered by either coreboot
or the payload during normal boot path.

Enabling lockdown access to SPI flash will effectly write-protect it,
but there is no runtime option for coreboot to control it, so letting
coreboot to trigger such SMI will leave the owner of the machine lost
any possibility to program the SPI flash with its own OS, and becomes
a nightmare if the machine is uneasy to disassemble, so a scheme could
be implement, in which the SMI to lockdown chipset and SPI flash is left
for a payload to trigger, and temporarily disabling such triggering in
order to program the SPI flash needs authentication.

I have implemented a passcode-protected runtime-disableable lockdown
with grub, described [here](https://github.com/hardenedlinux/Debian-GNU-Linux-Profiles/blob/master/docs/hardened_boot/grub-for-coreboot.md#update-for-coreboot-after-commit-2ac149d294af795710eb4bb20f093e9920604abd). In order to implement a similar scheme for
Heads, I wrote [io386](https://github.com/hardenedlinux/io386).

With this commit, io386 will be called before entering boot routine
to trigger the SMI to finalize the chipset and write protect the SPI
flash at the same time. Entering recovery shell will leave the flash
writable.

(The authentication routine implemented in previous revisions has been
split as an independent commit.)

Originally proposed under PR#326
2023-06-12 13:05:49 -04:00
tlaurion
3b3c49b026
Merge pull request #1411 from Dasharo/fix-tpm
Talos-II vs. TPM
2023-06-09 17:07:55 -04:00
Sergii Dmytruk
b9d2c1a612
Patch coreboot to use /usr/bin/env in skiboot for Talos-II board
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2023-06-09 21:25:49 +03:00
Sergii Dmytruk
0a1e47f585
Makefile: autoupdate and checkout git clones of modules
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2023-06-09 21:25:08 +03:00
Sergii Dmytruk
abd99a0f28
initrd/bin/talos-init: disable fast-reset
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2023-06-07 01:10:14 +03:00
Sergii Dmytruk
71b0f8dac9
boards/talos-2/talos-2.config: enable powerpc-utils
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2023-06-07 01:10:14 +03:00
Sergii Dmytruk
62e1899367
modules/powerpc-utils: add
This provides nvram tool that allows manipulating configuration of
skiboot.

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2023-06-07 01:10:13 +03:00
Sergii Dmytruk
3df4a45477
modules/coreboot: update coreboot
* Properly initialize sensor IDs of 2nd CPU to fix fan control.
* Use 2s delay for I2C communications with TPM in OPAL (configured in
  device tree).
* Stop building unused parts of skiboot using host GCC.

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2023-06-07 01:09:42 +03:00
Sergii Dmytruk
17f652da3b
config/linux-talos-2.config: don't enable IMA
It only extends PCR10 and logs it separately.

Added entries are to compensate disabling IMA which selects those config
options.

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2023-06-06 00:49:07 +03:00
Thierry Laurion
7b949a1a44
initrd/bin/seal-totp: PCR0-4 cannot be expected to be 0 on PPC64.
Seal with extended PCR values, expected to be the same at unseal-totp operation
2023-06-04 20:20:46 +03:00
Thierry Laurion
92cddb315f
boards/talos-2/talos-2.config : sda1 will never be a boot device
/dev/nvme0n1p2 expected to contain /boot/grub dir
2023-06-04 20:20:46 +03:00
tlaurion
21b87ff7d2
Merge pull request #1410 from tlaurion/QubesOS_update_weekly_ISO_signing_keys
Qubes weekly signing key has changed. Removed testing and replaced.
2023-05-24 13:56:01 -04:00
Thierry Laurion
d917ca1c96
Qubes weekly signing key has changed. Removed testing and replaced.
Already minimized and cleaned upstream, taken from https://qubes.notset.fr/iso/ today
2023-05-24 12:13:07 -04:00
tlaurion
b70547f188
Merge pull request #1401 from daringer/fix-makefile
Makefile: adapt cleaning targets for arch directory
2023-05-09 14:09:11 -04:00
Markus Meissner
3ea82ec31e
Makefile: adapt cleaning targets for arch directory 2023-05-09 17:50:49 +02:00
tlaurion
bc148f1341
Merge pull request #1397 from danielp96/fbwhiptail-reproducibility 2023-05-06 11:08:29 -04:00
Daniel Pineda
ca00952048
modules/fbwhiptail: Update for reproducibility
Updated to reproducible version of fbwhiptail.
Added flags to remove debug info.
Updated url to current one instead of going through redirect.

Signed-off-by: Daniel Pineda <daniel.pineda@puri.sm>
2023-05-04 13:14:26 -06:00
tlaurion
3c98f080e4
Merge pull request #1394 from srgrint/linux_4.14_patch_for_use_after_free_realloc
backport upstream patch for 4.14.62.  Allows building on debian 12
2023-05-03 10:52:41 -04:00
srgrint
09f3984020 backport upstream patch for 4.14.62. Allows building on debian 12 2023-05-02 20:49:34 +01:00
tlaurion
87871ad18d
Merge pull request #1393 from tlaurion/linux_5.10.5_patch_for_use_after_free_realloc 2023-05-02 13:02:26 -04:00
Thierry Laurion
e8bc15ee60
linux 5.10.5: backporting linux upstream patch for 5.10.5 (libsubcmd fix use after free for realloc)
Permits building on top of debian-12 (testing), which fails to build since detecting bug.
2023-05-02 10:29:24 -04:00
tlaurion
ab1faf5389
Merge pull request #1378 from JonathonHall-Purism/kexec-framebuffer-graphics 2023-04-28 17:34:32 -04:00
tlaurion
bdcc556e2b
Merge pull request #1377 from tlaurion/iso_boot_debugging_and_fixes 2023-04-28 16:56:21 -04:00
tlaurion
a7777a7dce
Merge pull request #1390 from danielp96/bash-reproducibility
Bash reproducibility
2023-04-28 13:42:41 -04:00
Daniel Pineda
1aa216773a
patches/bash-5.1.16.patch: Do not increment build number
Bash uses .build to keep count of the build number, which conflicts
with heads build system usage of .build to keep track of built modules.

If .build already exists when bash/configure is run it will increment by 1
the build number. This is configurable on the call to the support script
support/mkversion.sh, which is called from the bash/Makefile.

Patching the Makefile template used during bash configuration allows
disabling the build number increment.

Signed-off-by: Daniel Pineda <daniel.pineda@puri.sm>
2023-04-27 11:49:22 -06:00
Jonathon Hall
6d0cd94ba8
Enable CONFIG_NO_GFX_INIT in coreboot on i915 boards with Linux 5.10
We don't need coreboot to initialize graphics on this boards, this
eliminates some unneeded code and the gnat dependency for them.

Coreboot was using libgfxinit, but it was initializing in text mode.
Heads' kernel will then switch to graphics mode, and we hand that
framebuffer from i915 to the target kernel during kexec.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-04-27 12:50:29 -04:00
tlaurion
3a38ac02e3
Merge pull request #1312 from tlaurion/coreboot-4.13_coreboot-4.19_version_bump
Bump boards depending on coreboot 4.13 to 4.19
2023-04-24 19:21:18 -04:00
tlaurion
060c979e4b
Merge pull request #1382 from tlaurion/coreboot_xcompile_fixed_location
coreboot: output xcompile into old shared location for all coreboot versions to prevent buildstack rebuild
2023-04-24 19:14:12 -04:00
Thierry Laurion
2901d29e24
coreboot: output xcompile into old shared location for all coreboot versions (prevents rebuild of buildstack) 2023-04-21 16:54:48 -04:00
tlaurion
77b593301a
Merge pull request #1380 from tlaurion/coreboot+linux_helpers_for_version_bump
coreboot+linux modules: add helpers to edit config, save in oldconfig/defconfig
2023-04-20 14:13:02 -04:00
Thierry Laurion
a29c277849
coreboot+linux modules: add modules target helpers to edit configs (oldconfig/defconfig)
Most useful to me are:
coreboot.modify_and_save_defconfig_in_place
coreboot.modify_and_save_oldconfig_in_place
linux.modify_and_save_oldconfig_in_place
linux.modify_and_save_defconfig_in_place
Which permit to take current in tree configs and translate them into other format.
This is useful when trying to version bump and build.

Also add helpers to save in versioned version to facilitate change tracking:
linux.generate_and_save-versioned-oldconfig
linux.regenerate_and_save_versioned_defconfig
2023-04-20 14:07:20 -04:00
Daniel Pineda
31e122443c
modules/bash: Remove debug info from binary
Add -g0 to CFLAGS
Add -s to LDFLAGS

Signed-off-by: Daniel Pineda <daniel.pineda@puri.sm>
2023-04-20 10:44:34 -06:00
Jonathon Hall
353e836dc1
kexec: Update to 2.0.26, add framebuffer tracing
Update kexec to 2.0.26.  Add tracing to framebuffer initialization.  In
particular, the driver name is traced if not recognized, and messages
about kernel config are shown if the kernel doesn't provide the
framebuffer pointer.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-04-19 14:16:38 -04:00
Jonathon Hall
a75ecdfc8d
t440p: Enable i915 kexec framebuffer fixes
Add CONFIG_DRM_FBDEV_LEAK_PHYS_SMEM and related kernel parameters to
t440p.  This board is already on kernel 5.10 and uses i915 graphics.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-04-19 10:34:29 -04:00
Jonathon Hall
cd4c1a0fdb
coreboot-librem*: Set framebuffer kernel params for Librems except L1UM
Allow leaking the DRM framebuffer pointer to userspace, and disable
framebuffer compression, like librem_15v4.

Tested booting memtest86+ and Debian netinstaller on Mini v2.

Do not enable this for L1UM, it uses Aspeed graphics which still don't
work.  qemu uses virtio graphics, which also are not working.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-04-19 10:32:23 -04:00
Jonathon Hall
2a2279b587
librem_15v4: Disable i915 compressed framebuffer
Compressed framebuffer requires the driver to track updates to the
framebuffer from the CPU and update the compressed framebuffer.  This
doesn't work if we kexec into an OS that will use the linear
framebuffer, so disable it.  (The OS kernel can still use compressed
framebuffer if it has i915.)

Linux 5.8 enabled compressed framebuffer on more chipsets using i915,
which is why this stopped working.

memtest86+ and Debian (manually blacklisted i915, comparable to
netinst) now boot correctly on Librem 15v4.  This will need to be
enabled for other boards too.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-04-18 17:00:03 -04:00