Commit Graph

518 Commits

Author SHA1 Message Date
Thierry Laurion
fbbdc94634
switch back from web.archive.org to cairographics.org (CircleCI is rate limited over web.archive.org:not a solution....
Adds up to https://github.com/linuxboot/heads/issues/1198

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-04 21:32:32 -05:00
tlaurion
449977b617
Merge pull request #1561 from Nitrokey/up-v2.4
Bump Dasharo Coreboot / hotp-verification; fix nitropad-nxx ec-powerdown
2024-01-03 15:49:55 -05:00
Thierry Laurion
2b65211fac
modules/cairo: www.cairographics.org down again. Use web.archive.org archive
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-02 16:18:30 -05:00
Thierry Laurion
98e68366ea
modules/pixman: www.cairographics.org down again. Use web.archive.org archive.
Haven't found same archive elsewhere with same hash.
Adds up to https://github.com/linuxboot/heads/issues/1198

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-02 15:12:06 -05:00
Markus Meissner
5e43bcd2f4
hotp-verification: adapt to nk3 v1.6 security model
* overwriting a hotp secret is not possible anymore
* make sure to delete the hotp secret before setting a new one
* requires one additional user presence check during HOTP setup
* bump to v1.5

Signed-off-by: Markus Meissner <coder@safemailbox.de>
2023-12-22 16:14:40 +01:00
Markus Meissner
65abba9946 coreboot-nitrokey: update dasharo to v1.7.2
* remove all previous coreboot patches (as they are already included)
* to be investigated: linux trampoline patch
* add new patch to hardcode sleep configuration
* activate smmstore as dasharo vendor code requires it

Signed-off-by: Markus Meissner <coder@safemailbox.de>
2023-12-22 15:37:29 +01:00
Thierry Laurion
0f0cb99a02
Adapt NV41/NS50 changes, unify bootsplash file usage for branding
Taken from : https://github.com/Nitrokey/heads/tree/temp-release-v2.3

- Move branding/Heads/bootsplash-1024x768.jpg -> branding/Heads/bootsplash.jpg (We don't care about the size. Make filename generic)
- Adapt all coreboot configs so bootsplash is adapted by BRAND_NAME CONFIG_BOOTSPLASH_FILE="@BRAND_DIR@/bootsplash.jpg"
  - Reminders :
    - Makefile changes Heads to defined BRAND_NAME in board config
    - Makefile changes -e 's!@BRAND_DIR@!$(pwd)/branding/$(BRAND_NAME)!g'
- nv41/nv50
  - coreboot oldefconfigs adapted by:
    - make BOARD=nitropad-ns50 coreboot.modify_and_save_oldconfig_in_place
    - make BOARD=nitropad-nv41 coreboot.modify_and_save_oldconfig_in_place
  - linux oldefconfigs adapted by
    - make BOARD=nitropad-nv41 linux.modify_and_save_oldconfig_in_place
      - since this is shared config across nv41/ns50: it only needs to be done for a single board

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-20 09:40:52 -05:00
Thierry Laurion
9d808b0347
Talos-2: bring changes to a working state outside of usage of GPG key material backup as of now
- Closes https://github.com/linuxboot/heads/pull/1452
- coreboot: Take Talos II 0.7 release coreboot config file that was inside of cbfs and use it as a base upstream.
- linux: Readd sysctl and proc requirements for cbmem to work.

TODO: fix gpg2 module so that the following doesn't happen (a ppc64 thing. Can't figure out why):

```
Adding generated key to current firmware and re-flashing...

Board talos-2 detected, continuing...
37281653053696daf2e40a8efe9451b557d9d6ab586830dc85f814bf2e03a05f  /tmp/talos-2.rom
Initializing Flash Programmer
Reading old flash contents. Please wait...
Flashing: [##################################################\] (100%)
Verifying flash contents. Please wait...
The flash contents were verified and the image was flashed correctly.

Signing boot files and generating checksums...

180726119: 000E452213510000005A
gpg: error running '//bin/dirmngr': probably not installed
gpg: failed to start dirmngr '//bin/dirmngr': Configuration error
gpg: can't connect to the dirmngr: Configuration error
gpg: no default secret key: No dirmngr
gpg: signing failed: No dirmngr
```
dirmngr is deactivated per configure statement --disable-dirmngr, and works as expected on x86

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-17 10:26:11 -05:00
tlaurion
1733552fe7
Merge pull request #1505 from JonathonHall-Purism/upstream_28.1_librem_11
Add support for Librem 11
2023-10-30 15:38:02 -04:00
Thierry Laurion
84899cf631
libgcrypt module: remove disable-asm
As on master otherwise with --disable-asm:

    config.status: executing gcrypt-conf commands

            Libgcrypt v1.10.1 has been configured as follows:

            Platform:                  GNU/Linux (x86_64-pc-linux-musl)
            Hardware detection module: none
            Enabled cipher algorithms: arcfour blowfish cast5 des aes twofish
                                       serpent rfc2268 seed camellia idea salsa20
                                       gost28147 chacha20 sm4
            Enabled digest algorithms: crc gostr3411-94 md4 md5 rmd160 sha1
                                       sha256 sha512 sha3 tiger whirlpool stribog
                                       blake2 sm3
            Enabled kdf algorithms:    s2k pkdf2 scrypt
            Enabled pubkey algorithms: dsa elgamal rsa ecc
            Random number generator:   default
            Try using jitter entropy:  yes
            Using linux capabilities:  no
            FIPS module version:
            Try using Padlock crypto:  n/a
            Try using AES-NI crypto:   n/a
            Try using Intel SHAEXT:    n/a
            Try using Intel PCLMUL:    n/a
            Try using Intel SSE4.1:    n/a
            Try using DRNG (RDRAND):   n/a
            Try using Intel AVX:       n/a
            Try using Intel AVX2:      n/a
            Try using ARM NEON:        n/a
            Try using ARMv8 crypto:    n/a
            Try using PPC crypto:      n/a

By disabling --disable-asm in libgcrypt 1.10.1:

    config.status: executing gcrypt-conf commands

            Libgcrypt v1.10.1 has been configured as follows:

            Platform:                  GNU/Linux (x86_64-pc-linux-musl)
            Hardware detection module: libgcrypt_la-hwf-x86
            Enabled cipher algorithms: arcfour blowfish cast5 des aes twofish
                                       serpent rfc2268 seed camellia idea salsa20
                                       gost28147 chacha20 sm4
            Enabled digest algorithms: crc gostr3411-94 md4 md5 rmd160 sha1
                                       sha256 sha512 sha3 tiger whirlpool stribog
                                       blake2 sm3
            Enabled kdf algorithms:    s2k pkdf2 scrypt
            Enabled pubkey algorithms: dsa elgamal rsa ecc
            Random number generator:   default
            Enabled digest algorithms: crc gostr3411-94 md4 md5 rmd160 sha1
                                       sha256 sha512 sha3 tiger whirlpool stribog
                                       blake2 sm3
            Enabled kdf algorithms:    s2k pkdf2 scrypt
            Enabled pubkey algorithms: dsa elgamal rsa ecc
            Random number generator:   default
            Try using jitter entropy:  yes
            Using linux capabilities:  no
            FIPS module version:
            Try using Padlock crypto:  yes
            Try using AES-NI crypto:   yes
            Try using Intel SHAEXT:    yes
            Try using Intel PCLMUL:    yes
            Try using Intel SSE4.1:    yes
            Try using DRNG (RDRAND):   yes
            Try using Intel AVX:       yes
            Try using Intel AVX2:      yes
            Try using ARM NEON:        n/a
            Try using ARMv8 crypto:    n/a
            Try using PPC crypto:      n/a

To support PPC crypto, it seems we will need yasm.
To support linux capabilities, libcap would be required as well later on. :/ another point for rng-tools (which also depends on libcap-ng)
2023-10-10 12:06:18 -04:00
Jonathon Hall
5021bec3cd
librem_11: Add loadkeys (from kbd), optionally enabled
Allow boards to optionally include loadkeys to set a custom keymap.
showkey and dumpkeys (normally only needed for development) can also be
optionally included.

Remove *.map from .gitignore; this was probably intended for build
artifacts that are now excluded via the build/ directory.

Add reboot and poweroff to shell history, which is useful for devices
lacking full hardware keyboards to escape the recovery shell with just
"up" and "enter".

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-09-29 15:29:19 -04:00
Jonathon Hall
010bd718aa
modules/coreboot: Update Purism branch to 4.21-Purism-2
Includes support for Librem 11.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-09-29 15:29:18 -04:00
Jonathon Hall
35c99fa93b
modules/fbwhiptail: Update to 1.3
Update to 1.3.  Includes navigation improvements for devices with just
up/down/Enter keys, for Librem 11.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-09-29 15:29:18 -04:00
tlaurion
8bd82a6e10
Merge pull request #1494 from JonathonHall-Purism/coreboot_purism_4.21
modules/coreboot: Update Purism coreboot to 24e2f7e4
2023-09-06 10:19:55 -04:00
tlaurion
2c3987f9a3
Merge pull request #1485 from Nitrokey/nx-nitropad
add Nitropad NV41/NS50 TPM2 boards (2nd)
2023-09-06 10:15:17 -04:00
Jonathon Hall
bde945ea57
modules/coreboot: Update Purism coreboot to 24e2f7e4
This is 4.21-Purism-1 plus a fix for native graphics init on Mini
v1/v2: HDMI1 is enabled so passive DisplayPort to DVI/HDMI adapters
will work.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-09-05 15:59:47 -04:00
tlaurion
8272d33e7c
Merge pull request #1482 from tlaurion/ease_tpm_disk_unlock_key_resealing_after_totp_mismatch-warn_and_die_changes
Ease TPM Disk Unlock Key sealing/resealing after TOTP mismatch (firmware upgrade) + warn and die changes
2023-09-05 11:48:50 -04:00
Thierry Laurion
2cc7164a99
nv41/ns50: coreboot+coreboot patch+CircleCI config: adapt to have nv41/ns50 build on top of #1417 and #1462 2023-09-05 17:13:56 +02:00
Markus Meissner
033333f288
modules/nitrokey-blobs: add 2023-09-05 17:13:56 +02:00
Markus Meissner
7da9a7e136
modules/iotools: add as binary 2023-09-05 17:13:56 +02:00
Thierry Laurion
03d8f93c95
modules/zstd: now included by default. Deactivated under legacy-flash boards
Rationale:
cpio -t alone cannot extract initrd past early cpio (microcode) in most packed initrd.
unpack_initramfs.sh already under master comes to the rescue, but its usage up to today was limited to pass firmware blobs to final OS under boards/librem_mini_v2

Debian OSes (and probably others) need to have cryptroot/crypttab overriden directly, otherwise generic generation of crypttab is not enough.
Extracting crypttab and overriding directly what is desired by final OS and exposed into /boot/initrd is the way to go otherwise hacking on top of hacks.

This brings default packed modules under Heads to 5 modules, which needs to be deactivate in board configs if undesired:
user@heads-tests-deb12:~/heads$ grep -Rn "?= y" modules/ | grep -v MUSL
modules/zlib:1:CONFIG_ZLIB ?= y
modules/zstd:3:CONFIG_ZSTD ?= y
modules/exfatprogs:2:CONFIG_EXFATPROGS ?= y
modules/busybox:2:CONFIG_BUSYBOX ?= y
modules/e2fsprogs:2:CONFIG_E2FSPROGS ?= y
2023-08-31 11:19:50 -04:00
Markus Meissner
8922c6e32b
modules/hotp-verification: update to v1.4
* add Nitrokey 3 support
* corrected UI issues, when PIN is not set
* add serial number getter
* improve HID calls speed
* Full changelogs to be found here: https://github.com/Nitrokey/nitrokey-hotp-verification/releases
2023-08-30 11:16:26 +02:00
Thierry Laurion
f6eed42208
Add external/usb disk encryption (adds exfatprogs and e2fsprogs)
prepare_thumb_drive: default to creating 10% LUKS container on usb drive, prompts for passphrase is not provided and scan drives if no --device specified

NOTE: qemu usb_thumb drive of 128 mb are not big enough so that 10% of it (12mb) can be used to create thumb drive.

Adds:
- e2fsprogs to support ext4 filesystem creation through mke2fs
- add /etc/mke2fs.conf so that mke2fs knows how to handle ext2/ext3/ext4
- removes mke2fs support from busybox
- bump busybox to latest version which adds cpu accelerated hash functions (not needed per se here)
- Adds exfatprogs to have mkfs.exfat and fsck.exfat
- Adds prepare_thumb_drive /etc/luks-functions to be able to prepare a thumb drive with percentage of drive assigned to LUKS, rest to exfat
- Modify most board configs to test space requirements failing
- Talos2 linux config: add staging Exfat support
- Make e2fsprogs and exfatprogs included by default unless explicitely deactivate in board configs
- Change cryptsetup calls : luksOpen to open and luksClose to close to addresss review
- etc/luks_functions: cleanup

GOAL here is to have secure thumb drive creation which Heads will be able to use to backup/restore/use generated GPG key material in the future (next PR)
2023-08-28 16:23:48 -04:00
tlaurion
fbc0993084
Merge pull request #1462 from JonathonHall-Purism/reuse-toolchains
Enable reusing coreboot release toolchains for forks
2023-08-15 16:27:20 -04:00
Jonathon Hall
a5689c44a9
modules/coreboot: Don't try to share toolchain for purism yet
Nothing else shares the 4.20.1 toolchain yet, and upcoming forks are
based on older releases.  We'll share it when other boards update to
4.20.1.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 14:48:19 -04:00
Jonathon Hall
4d613dacbb
fbwhiptail: Update to hires_scale based on 1.2 release
hires_scale was rebased on 1.2.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 14:40:10 -04:00
Jonathon Hall
a3798713b2
fbwhiptail: Update to hires_scale branch
fbwhiptail scales its UI based on the display size.  FBWHIPTAIL_SCALE
can set a specific scale factor for testing.

fbwhiptail no longer looks for a 1080p mode when the default mode is
2160p.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 14:40:08 -04:00
Jonathon Hall
2f329d9007
kbd: Add setfont from kbd to set large console font on large displays
Build kbd and ship setfont if enabled with CONFIG_KBD.

When CONFIG_KBD is enabled, setconsolefont.sh will double the console
font size on large displays (>1600 lines tall as a heuristic).

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 14:40:04 -04:00
Jonathon Hall
38e9d47bfd
modules/coreboot: Clarify PPC64 toolchain comments
CROSS= is needed for skiboot on PPC64 due to different endianness
relative to coreboot.

The talos_2 fork doesn't share the toolchain because it is the only
_fork_, not board, to be precise.  We could add more boards using that
fork without having to create a shared toolchain, it only matters if we
add another fork or start building boards from the upstream release
too.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 13:03:58 -04:00
Jonathon Hall
c2df9f3942
fixup modules/coreboot: Fix purism-blobs dependency for librem_l1um
Two := assignments were factored out together, the second overwrote the
first.  Fix to +=, and remove the nitrokey assignment since it came
from a branch.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:44:40 -04:00
Jonathon Hall
d8a89e7e12
modules/coreboot: Remove errant _depend variable
This was spelled wrong - it's actually '_depends'.  'initrd' isn't a
module any more so the value doesn't make sense, remove it.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:44:40 -04:00
Jonathon Hall
1b81fb2d80
modules/coreboot: Don't try to share toolchain for talos_2 fork
The skiboot build fails to find the toolchain when it's not in the
default location.  There is only one ppc64 board anyway, so there's no
point trying to share a toolchain for now.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:44:34 -04:00
Jonathon Hall
8f95d0b65b
modules/coreboot: Use a specific file to mark the toolchain build
Use .heads-toolchain to mark that the toolchain was built rather than
.xcompile.  coreboot doesn't generate .xcompile until the build step,
so all modules had to build successfully before we would stop trying to
to rebuild the toolchain.  Build steps should generally produce the
indicated outputs too, which was not occurring here.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:43:02 -04:00
Jonathon Hall
0c024b14e8
modules/coreboot: Reuse release toolchain for fork builds
Reuse the toolchain from a coreboot release for fork builds.  Either
the fork or the release can be built first, in either case the
release's toolchain is built at the default location and reused for
later builds.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:42:38 -04:00
Jonathon Hall
786cf09ec7
modules/coreboot: Define each coreboot version as a separate module
Define a separate module for each coreboot version, so the module used
to build the ROM will optionally be able to reference the toolchain
from a different module.

This will allow coreboot fork builds to use the toolchain from the
corresponding release.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:41:59 -04:00
Jonathon Hall
3695489589
modules/coreboot: Delete unused remnants of using musl toolchain
At one time coreboot was built using Heads' musl toolchain, but this
was later reverted.  coreboot builds with its own toolchain again.

CROSS= has no effect on coreboot proper (only exception is PPC64
skiboot payload).  It was added to coreboot by a patch that was deleted
in 8e44853.  COREBOOT_IASL was set to the default, that was only needed
when the toolchain was being overridden to override iasl back to the
coreboot one.

ppc64 still specifies CROSS= since skiboot is unable to find coreboot's
toolchain from XGCCPATH but checks CROSS.  This builds skiboot with the
Heads toolchain as before.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:41:55 -04:00
Jonathon Hall
fb6b81119d
modules/coreboot: Clean up module, don't share git build directories
Remove coreboot 4.8.1, 4.13, and 4.17, which were all unused.

Remove extra copies of EXTRA_FLAGS which duplicated the common
definition.  The only difference was
-Wno-error=address-of-packed-member, the warning is now disabled
entirely everywhere with -Wno-address-of-packed-member.

Use separate coreboot_version values for talos_2, nitrokey, and purism,
which gives each a separate build directory.

Move conditional blob definitions out of each coreboot version.

Fix condition for coreboot-blobs - whether a module is a git clone
actually depends on non-empty <module>_repo, not <module>_version==git.
Fix the test so git versions of coreboot can have arbitrary names.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:35:55 -04:00
tlaurion
6f9409be81
Merge pull request #1463 from tlaurion/ioport_url_change_to_debian
ioport: changing url to debian https server, same hash. First need to go into #1198 direction
2023-08-11 12:15:48 -04:00
Thierry Laurion
3c920dd082
ioport: changing url to debian, same hash. First need to go into #1198 direction 2023-08-11 12:05:15 -04:00
Jonathon Hall
47e9e4cf45
Merge remote-tracking branch 'github-heads/master' into pureboot-27-heads-upstream 2023-07-12 14:14:17 -04:00
Krystian Hebel
9a72749675
initrd/bin/talos-init: remove alias for cbmem and bump coreboot revision
Updated cbmem searches for CBMEM exposed by kernel in sysfs before
trying to read it from memory directly. As such, there is no need for
pointing to that file explicitly.

New coreboot revision also fixes output of 'cbmem -t' caused by wrong
endianness.

Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-07-12 14:50:54 +02:00
Jonathon Hall
4c8e445dcd
Merge remote-tracking branch 'github-heads/master' into pureboot-27-heads-upstream
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-05 14:32:16 -04:00
Jonathon Hall
9458ec8771
modules/fbwhiptail: Update to 99fe815f (AVX fast copy branch)
Uses AVX for fast copy instead of AVX2, enabling fast copy on
Sandy/Ivy Bridge.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-05 14:20:38 -04:00
Thierry Laurion
92e29c4891
Merge branch 'upstream_flashrom_13' into staging_all 2023-06-28 12:47:11 -04:00
Thierry Laurion
30cc112193
Merge branch 'saper_gnupg-2.4.0-update_reduce_size_some_more' into staging_all 2023-06-28 12:47:01 -04:00
Jonathon Hall
861529cf69
Merge remote-tracking branch 'github-heads/master' into pureboot-27-heads-upstream 2023-06-27 13:21:19 -04:00
Thierry Laurion
979c9dd318
flashrom: remove DUMMY and AST1100 by default on both x86/ppc64, leave MTD only for ppc64, have AST1100 enablement configurable for kgpe-d16 (patch not in) 2023-06-27 12:23:47 -04:00
Jonathon Hall
a1be4e4467
modules/flashrom: Update to 1776bb46
Update flashrom - in particular, this includes support for new chipsets
like Jasper Lake.

CONFIG_INTERAL_X86 was created so CONFIG_INTERNAL could apply to other
platforms, enable it for x86.

The default build target now requires sphinx, just build flashrom
itself.

Update flashrom_progress - filter out noise in newer flashrom that
chokes the progress bar implementation, make size detection more
robust, improve progress bar implementation slightly.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Co-signed by: Thierry Laurion <insurgo@riseup.net.
2023-06-27 12:23:44 -04:00
Thierry Laurion
58d5a295a1
libassuan: build with --disable-doc 2023-06-27 11:40:09 -04:00
Thierry Laurion
e14b869f90
gpg2: remove tools/gpg-connect-agent bin, build with --disable-libdns option 2023-06-27 11:40:05 -04:00
Marcin Cieślak
d4ade892d5
gnupg 2.2.21 -> 2.4.0
830.63 -> 917.89 kB
2023-06-27 11:39:49 -04:00
Marcin Cieślak
15182922fd
libgcrypt 1.8.6 -> 1.10.1
562.01 -> 783.14 kB
2023-06-27 11:39:46 -04:00
Marcin Cieślak
b97f34ecc3
libassuan 2.5.3 -> 2.5.5
741.81 -> 502.42 kB
2023-06-27 11:39:43 -04:00
Marcin Cieślak
7c51116209
libksba 1.4.0 -> 1.6.3
676.03 -> 408.95 kB \o/
2023-06-27 11:39:39 -04:00
Marcin Cieślak
7cef74bb06
libgpg-error 1.46
198.15 -> 277.69 kB
2023-06-27 11:39:36 -04:00
Thierry Laurion
13daaa1203
modules/ coreboot+linux: add helpers to edit config in place + save in oldconfig/defconfig formats
both linux/coreboot:
- save_in_defconfig_format_in_place : takes whatever coreboot config file for a make BOARD=xyz statement and saves it in defconfig
- save_in_oldefconfig_format_in_place : takes whatever coreboot config file for a make BOARD=xyz statement and saves it in oldefconfig

linux:
- linux.prompt_for_new_config_options_for_kernel_version_bump:
  - The most useful helper as of now when doing kernel version bump.
  - Requires to save current kernel config in oldconfig (make BOARD=xyz linux.save_in_oldefconfig_format_in_place) first, then bump kernel version in board config and then use that helper to review new options and save in tree.
2023-06-27 11:20:59 -04:00
Thierry Laurion
f13432cca7
Makefile+ modules/linux: have sizes report output on screen and into sizes.txt
Basically a duplicate of HASHES related Makefile statements
2023-06-27 10:42:04 -04:00
Jonathon Hall
89858f52a9
Merge remote-tracking branch 'github-heads/master' into pureboot-27-heads-upstream
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 15:15:23 -04:00
Jonathon Hall
c5183253a6
Add CONFIG_BRAND_NAME and allow overriding in Makefile with BRAND_NAME
Use CONFIG_BRAND_NAME to control the brand name displayed in the UI.
Override by setting BRAND_NAME when building, either in the Makefile or
on the command line.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 14:47:59 -04:00
Jonathon Hall
1bf8331ffb
Blob jail: Add zstd-decompress, decompress more complex archives
Debian 12's initrd by default now consists of an uncompressed cpio
archive containing microcode, followed by a zstd-compressed cpio
archive.  inject_firmware.sh only supported gzip-compressed cpio, so it
could not extract /init from this archive.

Add zstd-decompress to decompress zstd streams (uncompressed size is
about 180 KB).

Add unpack_initramfs.sh which is able to decompress uncompressed, gzip,
or zstd archives, with multiple segments, much like the Linux kernel
itself does.

Use unpack_initramfs.sh to extract /init for blob jail.

Don't compress the new archive segment containing firmware and the
updated /init.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:50 -04:00
Jonathon Hall
3e6eac9ffd
modules/coreboot,purism-blobs: Update to 4.20.1-Purism-1
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:50 -04:00
Jonathon Hall
be133892fd
modules/fbwhiptail: Update to 1.1
These changes primarily improve server boards using BMC video.  The
correct DRI card is selected even if it isn't the first one, and
performance is greatly improved on non-UMA cards.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:49 -04:00
Jonathon Hall
12c7dfdadc
modules/linux: Support building with Linux 6.1.8.
This is particularly beneficial for servers with Aspeed BMC video,
because it introduces framebuffer console acceleration.  The
framebuffer console is much more responsive.

Patches were ported from 5.10.5:

0001-fake-acpi.patch: This may not be needed any more, but it applies
cleanly and I don't think it would harm anything.

0002-nmi-squelch.patch: The comment mentions qemu but I see this
message on physical machines occasionally, so I think this is needed.

0003-fake-trampoline.patch: This patch does not apply cleanly.  It
could be ported, but I don't think it's needed, I dropped it.  Dates
back to a very old commit where Linux was being embedded into a vendor
UEFI firmware: a4d7654b1e.

0010-winterfell-ahci.patch: Minor change of %x to %lx in context.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:49 -04:00
Jonathon Hall
6e0d241913
ioport: Add ioport module (inb, outb)
Add ioport module, enable for librem_mini_v2.  Only inb and outb are
included, inw/outw/inl/outl aren't needed.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:46 -04:00
Matt DeVillier
1ea5f3bd6b
modules/coreboot: Allow building from Purism's coreboot git repo
Use commit hash from 4.16-Purism-1 tag.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2023-06-21 13:26:41 -04:00
Thierry Laurion
a598ba6e57
modules/io386: fixate to latest commit id and optimize for space 2023-06-12 13:51:58 -04:00
persmule
3f1c76ce11
Introduce io386 to heads and use it to finalize chipset at runtime
On some newer platforms of intel (confirmed on nehalem, sandy/ivy
bridge), coreboot after commit [2ac149d294af795710eb4bb20f093e9920604abd](https://review.coreboot.org/cgit/coreboot.git/commit/?id=2ac149d294af795710eb4bb20f093e9920604abd)
registers an SMI to lockdown some registers on the chipset, as well
as access to the SPI flash, optionally. The SMI will always be triggered
by coreboot during S3 resume, but can be triggered by either coreboot
or the payload during normal boot path.

Enabling lockdown access to SPI flash will effectly write-protect it,
but there is no runtime option for coreboot to control it, so letting
coreboot to trigger such SMI will leave the owner of the machine lost
any possibility to program the SPI flash with its own OS, and becomes
a nightmare if the machine is uneasy to disassemble, so a scheme could
be implement, in which the SMI to lockdown chipset and SPI flash is left
for a payload to trigger, and temporarily disabling such triggering in
order to program the SPI flash needs authentication.

I have implemented a passcode-protected runtime-disableable lockdown
with grub, described [here](https://github.com/hardenedlinux/Debian-GNU-Linux-Profiles/blob/master/docs/hardened_boot/grub-for-coreboot.md#update-for-coreboot-after-commit-2ac149d294af795710eb4bb20f093e9920604abd). In order to implement a similar scheme for
Heads, I wrote [io386](https://github.com/hardenedlinux/io386).

With this commit, io386 will be called before entering boot routine
to trigger the SMI to finalize the chipset and write protect the SPI
flash at the same time. Entering recovery shell will leave the flash
writable.

(The authentication routine implemented in previous revisions has been
split as an independent commit.)

Originally proposed under PR#326
2023-06-12 13:05:49 -04:00
Sergii Dmytruk
b9d2c1a612
Patch coreboot to use /usr/bin/env in skiboot for Talos-II board
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2023-06-09 21:25:49 +03:00
Sergii Dmytruk
62e1899367
modules/powerpc-utils: add
This provides nvram tool that allows manipulating configuration of
skiboot.

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2023-06-07 01:10:13 +03:00
Sergii Dmytruk
3df4a45477
modules/coreboot: update coreboot
* Properly initialize sensor IDs of 2nd CPU to fix fan control.
* Use 2s delay for I2C communications with TPM in OPAL (configured in
  device tree).
* Stop building unused parts of skiboot using host GCC.

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2023-06-07 01:09:42 +03:00
Daniel Pineda
ca00952048
modules/fbwhiptail: Update for reproducibility
Updated to reproducible version of fbwhiptail.
Added flags to remove debug info.
Updated url to current one instead of going through redirect.

Signed-off-by: Daniel Pineda <daniel.pineda@puri.sm>
2023-05-04 13:14:26 -06:00
tlaurion
ab1faf5389
Merge pull request #1378 from JonathonHall-Purism/kexec-framebuffer-graphics 2023-04-28 17:34:32 -04:00
tlaurion
a7777a7dce
Merge pull request #1390 from danielp96/bash-reproducibility
Bash reproducibility
2023-04-28 13:42:41 -04:00
tlaurion
3a38ac02e3
Merge pull request #1312 from tlaurion/coreboot-4.13_coreboot-4.19_version_bump
Bump boards depending on coreboot 4.13 to 4.19
2023-04-24 19:21:18 -04:00
Thierry Laurion
2901d29e24
coreboot: output xcompile into old shared location for all coreboot versions (prevents rebuild of buildstack) 2023-04-21 16:54:48 -04:00
Thierry Laurion
a29c277849
coreboot+linux modules: add modules target helpers to edit configs (oldconfig/defconfig)
Most useful to me are:
coreboot.modify_and_save_defconfig_in_place
coreboot.modify_and_save_oldconfig_in_place
linux.modify_and_save_oldconfig_in_place
linux.modify_and_save_defconfig_in_place
Which permit to take current in tree configs and translate them into other format.
This is useful when trying to version bump and build.

Also add helpers to save in versioned version to facilitate change tracking:
linux.generate_and_save-versioned-oldconfig
linux.regenerate_and_save_versioned_defconfig
2023-04-20 14:07:20 -04:00
Daniel Pineda
31e122443c
modules/bash: Remove debug info from binary
Add -g0 to CFLAGS
Add -s to LDFLAGS

Signed-off-by: Daniel Pineda <daniel.pineda@puri.sm>
2023-04-20 10:44:34 -06:00
Jonathon Hall
353e836dc1
kexec: Update to 2.0.26, add framebuffer tracing
Update kexec to 2.0.26.  Add tracing to framebuffer initialization.  In
particular, the driver name is traced if not recognized, and messages
about kernel config are shown if the kernel doesn't provide the
framebuffer pointer.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-04-19 14:16:38 -04:00
tlaurion
8ff4b9a51b
Merge pull request #1319 from danielp96/master
Update busybox 1.32.0 to 1.33.2
2023-04-12 12:36:46 -04:00
Daniel Pineda
46aa2535ba
modules/json-c: set cmake build type as minsizerel
By default json-c builds as debug instead of release.

Adding CMAKE_BUILD_TYPE=minsizerel ensures it does not
add debug info and also optimizes for file size.

Signed-off-by: Daniel Pineda <daniel.pineda@puri.sm>
2023-04-06 12:13:26 -06:00
Krystian Hebel
4edd71c5aa
modules/coreboot: bump commit hash for Talos
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-03-30 21:04:01 +02:00
Krystian Hebel
e7997abdcc
modules/linux: fix linux.*config targets for non-x86 architectures
This patch adds ARCH="$(LINUX_ARCH)" to Linux targets working on config
files. Without it, the architecture defaults to that of host, which for
cross-compilation isn't right.

Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-03-24 15:26:34 +01:00
tlaurion
d24def4b59
Merge pull request #1292 from tlaurion/tpm2_retry
TPM2/TPM1 support (testing and bug fixes needed through qemu-(fb)whiptail-tpm[1,2](-hotp) testing boards!
2023-03-13 16:22:13 -04:00
Jonathon Hall
decd45f361
openssl: Trim optional algorithms
Disable all optional algorithms except SM3.  (SHA and AES are not
optional.)  tpm2-tss uses SHA, AES, and SM3.  Reduces size of libcrypto
by almost 1 MB, saves about 140 KB in ROM.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-10 17:07:00 -05:00
Jonathon Hall
48421ada1e
tpmtotp: Update to osresearch merged commit
osresearch has merged support for tpm pcrread.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-10 15:09:46 -05:00
Thierry Laurion
dcf65ea892
modules/flashtools : version bump back to osresearch/flashtools
Changes to support ppc64 were merged upstream
2023-03-10 09:31:22 -05:00
Jonathon Hall
50daa904f9
tpmr: Capture TPM2 pcaps in qemu TPM2 boards
tpm2-tools is able to log pcap files of TPM2 commands, which can be
inspected with wireshark.  Add CONFIG_TPM2_CAPTURE_PCAP to capture
these from the tpmr wrapper, and enable for qemu TPM2 boards.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 16:34:45 -05:00
Jonathon Hall
e2c2f2d4e0
tpmtotp: Update to branch including tpm pcrread
Update to branch including tpm pcrread until it is merged upstream. tpm
pcrread allows us to use the same logical flow for TPM1 and TPM2 in
seal operations.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:56 -05:00
Jonathon Hall
5588a47d56
modules/openssl: Update to 3.0.8, reduce size
Update OpenSSL to 3.0.8.  Build with -Os.  Install only libcrypto,
libssl is not currently needed.  Don't buid tests.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:55 -05:00
Thierry Laurion
d549229bfc
modules/bash: enabled by default, disabled in legacy-flash boards
- legacy-flash boards have a single purpose: to flash BIOS region through flashrom.
  - They do not need bash nor have space for it in their 4mb defined coreboot CBFS region

Test build to have legacy boards builds under osresearch#1292
2023-03-08 12:45:52 -05:00
Jonathon Hall
c9df49ad20
modules/bash: Include bash in all builds, remove CONFIG_BASH
Include bash in all builds.  Remove CONFIG_BASH.

Remove CONFIG_BASH_IS_ASH from busybox configuration and clean up hacks
in modules/bash.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:52 -05:00
Jonathon Hall
d59ffe07b8
modules/bash: Disable readline, enable -Os
Disable readline features for interactive shell.  This significantly
reduces the size of bash and doesn't affect scripting features.  The
interactive shell still functions, but there is no history or command
line editing (backspace works, but arrows do not move cursor).

Enable -Os on bash for more size reduction.

This saves about 180KiB from the compressed initrd for
qemu-coreboot-fbwhiptail-tpm2-hotp, almost half the cost of adding
bash.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:51 -05:00
Jonathon Hall
b500505312
tpm2-tools: Change sense of CONFIG_TPM to mean any TPM, not just TPM1.
Most logic throughout Heads doesn't need to know TPM1 versus TPM2 (and
shouldn't, the differences should be localized).  Some checks were
incorrect and are fixed by this change.  Most checks are now unchanged
relative to master.

There are not that many places outside of tpmr that need to
differentiate TPM1 and TPM2.  Some of those are duplicate code that
should be consolidated (seal-hotpkey, unseal-totp, unseal-hotp), and
some more are probably good candidates for abstracting in tpmr so the
business logic doesn't have to know TPM1 vs. TPM2.

Previously, CONFIG_TPM could be variously 'y', 'n', or empty.  Now it
is always 'y' or 'n', and 'y' means "any TPM".  Board configs are
unchanged, setting CONFIG_TPM2_TOOLS=y implies CONFIG_TPM=y so this
doesn't have to be duplicated and can't be mistakenly mismatched.

There were a few checks for CONFIG_TPM = n that only coincidentally
worked for TPM2 because CONFIG_TPM was empty (not 'n').  This test is
now OK, but the checks were also cleaned up to '!= "y"' for robustness.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:46 -05:00
Jonathon Hall
4e375ad7ca
tpm2-tools: Remove curl dependency
The actual use of curl was already removed, update tpm2-tools patch to
also remove the check for curl.  Remove the curl module and
CONFIG_CURL.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:44 -05:00
Thierry Laurion
6923fb5e20
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards
-coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations)
-swtpm set to be launched under TPM v2.0 mode under board config
-Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized)
This is skeleton for TPM v2 integration under Heads

-------------
WiP

TODO:
- libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built
- Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing
- init tries to bind fd and fails currently
- Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output
- When no OS' /boot can be mounted, do not try to TPM reset (will fail)

- seal-hotpkey is not working properly
- setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM)
  - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase.
- primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup
- would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only
- tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help.
  - Implementing them would be better
- REVIEW TODOS IN CODE
- READD CIRCLECI CONFIG

Current state:
- TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid)
- TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without.
 - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails.

- Current tests are with fbwhiptail (no clear called so having traces on command line of what happens)
 - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
2023-03-08 12:45:43 -05:00
tlaurion
b2dcebb50a
Merge pull request #1121 from tlaurion/pass_O2_to_Os 2023-03-08 08:37:59 -05:00
Thierry Laurion
907e906f01
Pass -O3 and -O2 (optimize for speed) to -Os (Optimize for space)
Adresses @easrentai suggestion to pass modules build optimization for space here: #590 (comment)

- Uniformized module's $(CROSS_TOOLS) being passed as environment variable, prior of ./configure call

Doesn't work for:
- busybox (HOSTCXXFLAGS="-Os" attempted prior of ./configure call)
- zlib (CFLAGS="-Os" attempted prior of ./configure call)
- npth (CFLAGS="-Os" attempted prior of ./configure call)
2023-03-07 18:05:39 -05:00
Thierry Laurion
47bd80a0ec
modules/coreboot: Do not rebuild coreboot buildstack when built
.xcompile was not found because it was quoted and shouldn't in coreboot module's makefile

Prior:
    stat("\"/home/user/heads/build/x86/coreboot-4.13/.xcompile\"", 0x7ffe56e6cfd0) = -1 ENOENT (No such file or directory)
    pipe([3, 4])                            = 0
    fcntl(4, F_GETFD)                       = 0
    fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
    fcntl(3, F_GETFD)                       = 0
    fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
    prlimit64(0, RLIMIT_NOFILE, NULL, {rlim_cur=1024, rlim_max=1024*1024}) = 0
    prlimit64(0, RLIMIT_NOFILE, NULL, {rlim_cur=1024, rlim_max=1024*1024}) = 0
    stat("/usr/bin/env", {st_mode=S_IFREG|0755, st_size=48480, ...}) = 0
    geteuid()                               = 1000
    getegid()                               = 1000
    getuid()                                = 1000
    getgid()                                = 1000
    access("/usr/bin/env", X_OK)            = 0
    mmap(NULL, 36864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7ce2be6fd000
    rt_sigprocmask(SIG_BLOCK, ~[], [CHLD], 8) = 0
    clone(child_stack=0x7ce2be705ff0, flags=CLONE_VM|CLONE_VFORK|SIGCHLD) = 305342
    munmap(0x7ce2be6fd000, 36864)           = 0
    rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0
    close(4)                                = 0
    read(3, "2\n", 200)                     = 2
    read(3, "", 198)                        = 0
    close(3)                                = 0
    wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 305342
    fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0
    write(1, "make -C \"/home/user/heads/build/"..., 74make -C "/home/user/heads/build/x86/coreboot-4.13" CPUS=2 "crossgcc-i386"
    ) = 74
    rt_sigprocmask(SIG_BLOCK, [HUP INT QUIT TERM XCPU XFSZ], NULL, 8) = 0
    stat("/usr/bin/env", {st_mode=S_IFREG|0755, st_size=48480, ...}) = 0
    geteuid()                               = 1000
    getegid()                               = 1000
    getuid()                                = 1000
    getgid()                                = 1000
    access("/usr/bin/env", X_OK)            = 0
    mmap(NULL, 36864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7ce2be6fd000
    rt_sigprocmask(SIG_BLOCK, ~[], [HUP INT QUIT TERM CHLD XCPU XFSZ], 8) = 0
    clone(child_stack=0x7ce2be705ff0, flags=CLONE_VM|CLONE_VFORK|SIGCHLD) = 305343
    munmap(0x7ce2be6fd000, 36864)           = 0
    rt_sigprocmask(SIG_SETMASK, [HUP INT QUIT TERM CHLD XCPU XFSZ], NULL, 8) = 0
    rt_sigprocmask(SIG_UNBLOCK, [HUP INT QUIT TERM XCPU XFSZ], NULL, 8) = 0
    wait4(-1, make[1]: Entering directory '/home/user/heads/build/x86/coreboot-4.13'
    Welcome to the coreboot cross toolchain builder v ()

    Building toolchain using 2 thread(s).

    Target architecture is i386-elf

    Found compatible Ada compiler, enabling Ada support by default.

    Downloading and verifying tarballs ...
     * gmp-6.2.0.tar.xz (cached)... hash verified (052a5411dc74054240eec58132d2cf41211d0ff6)
     * mpfr-4.1.0.tar.xz (cached)... hash verified (159c3a58705662bfde4dc93f2617f3660855ead6)
     * mpc-1.2.0.tar.gz (cached)... hash verified (0abdc94acab0c9bfdaa391347cdfd7bbdb1cf017)
     * binutils-2.35.tar.xz (cached)... hash verified (6bdd090ce268b6d6c3442516021c4e4b5019e303)
     * gcc-8.3.0.tar.xz (cached)... hash verified (c27f4499dd263fe4fb01bcc5565917f3698583b2)
    Downloaded tarballs ... ok
    Unpacking and patching ...
     * gmp-6.2.0.tar.xz
       o gmp-6.2.0_generic-build.patch
     * mpfr-4.1.0.tar.xz
    ^C0x7ffe56e6ef40, 0, NULL)      = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
    strace: Process 305153 detached

After:
    stat("/home/user/heads/build/x86/coreboot-4.13/.xcompile", 0x7ffd0303c7f0) = -1 ENOENT (No such file or directory)
    pipe([3, 4])                            = 0
    fcntl(4, F_GETFD)                       = 0
    fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
    fcntl(3, F_GETFD)                       = 0
    fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
    prlimit64(0, RLIMIT_NOFILE, NULL, {rlim_cur=1024, rlim_max=1024*1024}) = 0
    prlimit64(0, RLIMIT_NOFILE, NULL, {rlim_cur=1024, rlim_max=1024*1024}) = 0
    stat("/usr/bin/env", {st_mode=S_IFREG|0755, st_size=48480, ...}) = 0
    geteuid()                               = 1000
    getegid()                               = 1000
    getuid()                                = 1000
    getgid()                                = 1000
    access("/usr/bin/env", X_OK)            = 0
    mmap(NULL, 36864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x740f6e370000
    rt_sigprocmask(SIG_BLOCK, ~[], [CHLD], 8) = 0
    clone(child_stack=0x740f6e378ff0, flags=CLONE_VM|CLONE_VFORK|SIGCHLD) = 306024
    munmap(0x740f6e370000, 36864)           = 0
    rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0
    close(4)                                = 0
    read(3, "2\n", 200)                     = 2
    read(3, "", 198)                        = 0
    close(3)                                = 0
    wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 306024
    fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0
    write(1, "make -C \"/home/user/heads/build/"..., 74make -C "/home/user/heads/build/x86/coreboot-4.13" CPUS=2 "crossgcc-i386"
    ) = 74
    rt_sigprocmask(SIG_BLOCK, [HUP INT QUIT TERM XCPU XFSZ], NULL, 8) = 0
    stat("/usr/bin/env", {st_mode=S_IFREG|0755, st_size=48480, ...}) = 0
    geteuid()                               = 1000
    getegid()                               = 1000
    getuid()                                = 1000
    getgid()                                = 1000
    access("/usr/bin/env", X_OK)            = 0
    mmap(NULL, 36864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x740f6e370000
    rt_sigprocmask(SIG_BLOCK, ~[], [HUP INT QUIT TERM CHLD XCPU XFSZ], 8) = 0
    clone(child_stack=0x740f6e378ff0, flags=CLONE_VM|CLONE_VFORK|SIGCHLD) = 306025
    munmap(0x740f6e370000, 36864)           = 0
    rt_sigprocmask(SIG_SETMASK, [HUP INT QUIT TERM CHLD XCPU XFSZ], NULL, 8) = 0
    rt_sigprocmask(SIG_UNBLOCK, [HUP INT QUIT TERM XCPU XFSZ], NULL, 8) = 0
    wait4(-1, make[1]: Entering directory '/home/user/heads/build/x86/coreboot-4.13'
    Welcome to the coreboot cross toolchain builder v ()

    Building toolchain using 2 thread(s).

    Target architecture is i386-elf

    Found compatible Ada compiler, enabling Ada support by default.

    Downloading and verifying tarballs ...
     * gmp-6.2.0.tar.xz (cached)... hash verified (052a5411dc74054240eec58132d2cf41211d0ff6)
     * mpfr-4.1.0.tar.xz (cached)... hash verified (159c3a58705662bfde4dc93f2617f3660855ead6)
     * mpc-1.2.0.tar.gz (cached)... hash verified (0abdc94acab0c9bfdaa391347cdfd7bbdb1cf017)
     * binutils-2.35.tar.xz (cached)... hash verified (6bdd090ce268b6d6c3442516021c4e4b5019e303)
     * gcc-8.3.0.tar.xz (cached)... hash verified (c27f4499dd263fe4fb01bcc5565917f3698583b2)
    Downloaded tarballs ... ok
    Unpacking and patching ...
     * mpfr-4.1.0.tar.xz
     * mpc-1.2.0.tar.gz
     * binutils-2.35.tar.xz
    ^C0x7ffd0303e760, 0, NULL)      = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
    strace: Process 305835 detached

So coreboot buildstack is built once per version and then reused on next board builds.
Saves precious CI and local builds when developing with qemu/kvm.
2023-03-07 15:38:44 -05:00
Thierry Laurion
6300dd178a
Pass all coreboot 4.13 boards to 4.19
- Add 4.19 under modules/coreboot
- point all 4.13 boards to 4.19
- adapt x230 FHD/EDP patch under patches/coreboot-4.19/0001-x230-fhd-variant.patch (poked upstream to fix patch under https://review.coreboot.org/c/coreboot/+/28950)
- correct versioning info under .circleci/config/yml
2023-02-27 18:07:06 -05:00
Daniel Pineda
17ac64bdf1
Replace base32 from tpmtotp with the one from busybox, disable unused base64.
Signed-off-by: Daniel Pineda <daniel.pineda@puri.sm>
2023-02-21 14:34:35 -06:00