Commit Graph

526 Commits

Author SHA1 Message Date
Thierry Laurion
2bf173c59a add flashprog support: failed attempt to use review.sourcearcade.org for tarballs download
- Add Makefile new app dep verification
- Add modules/flashprog pointing to review.sourcearcade.org: website faisl to produce reproducible tarballs.

Notes:
- Unfortunately, we cannot use review platform to renerate reproducible tarballs, those don't have the same checksum on each download:
user@heads-tests-deb12-nix:~/heads$ wget https://review.sourcearcade.org/changes/flashprog~72991/revisions/5/archive?format=tgz -O test.tar.gz
--2024-08-31 09:38:14--  https://review.sourcearcade.org/changes/flashprog~72991/revisions/5/archive?format=tgz
Resolving review.sourcearcade.org (review.sourcearcade.org)... 88.99.35.89
Connecting to review.sourcearcade.org (review.sourcearcade.org)|88.99.35.89|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/x-gzip]
Saving to: ‘test.tar.gz’

test.tar.gz                                              [        <=>                                                                                                           ] 508.19K   225KB/s    in 2.3s

2024-08-31 09:38:18 (225 KB/s) - ‘test.tar.gz’ saved [520389]

user@heads-tests-deb12-nix:~/heads$ sha256sum test.tar.gz
af2fb823c2699d37db284c1b3066352a59446b7ea491a585df4eeaa25d932a29  test.tar.gz
user@heads-tests-deb12-nix:~/heads$ sha256sum test.tar.gz
af2fb823c2699d37db284c1b3066352a59446b7ea491a585df4eeaa25d932a29  test.tar.gz
user@heads-tests-deb12-nix:~/heads$ wget https://review.sourcearcade.org/changes/flashprog~72991/revisions/5/archive?format=tgz -O test.tar.gz
--2024-08-31 09:38:37--  https://review.sourcearcade.org/changes/flashprog~72991/revisions/5/archive?format=tgz
Resolving review.sourcearcade.org (review.sourcearcade.org)... 88.99.35.89
Connecting to review.sourcearcade.org (review.sourcearcade.org)|88.99.35.89|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/x-gzip]
Saving to: ‘test.tar.gz’

test.tar.gz                                              [   <=>                                                                                                                ] 508.22K   855KB/s    in 0.6s

2024-08-31 09:38:38 (855 KB/s) - ‘test.tar.gz’ saved [520417]

user@heads-tests-deb12-nix:~/heads$ sha256sum test.tar.gz
9225002d508bd8e2fc42a2bdcd0741cb93ed2cfc811fcd7e03b0242205d4954b  test.tar.gz
user@heads-tests-deb12-nix:~/heads$ wget https://review.sourcearcade.org/changes/flashprog~72991/revisions/5/archive?format=tgz -O test.tar.gz
--2024-08-31 09:38:43--  https://review.sourcearcade.org/changes/flashprog~72991/revisions/5/archive?format=tgz
Resolving review.sourcearcade.org (review.sourcearcade.org)... 88.99.35.89
Connecting to review.sourcearcade.org (review.sourcearcade.org)|88.99.35.89|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/x-gzip]
Saving to: ‘test.tar.gz’

test.tar.gz                                              [     <=>                                                                                                              ] 508.18K   367KB/s    in 1.4s

2024-08-31 09:38:45 (367 KB/s) - ‘test.tar.gz’ saved [520378]

user@heads-tests-deb12-nix:~/heads$ sha256sum test.tar.gz
ebdb7ac0c964178bc312d50547cc7ec82c1c5ffb7d04167fe0ac83deca94ee81  test.tar.gz

  - Github mirror is only for commited code. Will have to work around that somehow : https://github.com/SourceArcade/flashprog

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-10-29 08:58:09 -04:00
Jonathon Hall
d20333f081
modules/coreboot: Reuse 24.02.01 toolchain for coreboot-purism
Reuse the toolchain from coreboot-24.02.01 for coreboot-purism (based
on 24.02.01) instead of compiling a separate toolchain.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-07-26 15:39:52 -04:00
Thierry Laurion
f29c16d977
modules/coreboot: add 24.02.01 version
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-07-26 15:35:50 -04:00
Jonathon Hall
ff9adad7d2
modules/coreboot: Update Purism to 24.02.01-Purism-1 w/bootsplash fix
Increases coreboot heap size to accommodate Heads bootsplash.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-07-15 16:55:34 -04:00
Jonathon Hall
265b1da920
Revert "Merge pull request #1713 from tlaurion/interim_fix_1712"
This reverts commit c43b6fc05f, reversing
changes made to fb9c558ba4.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-07-15 16:53:59 -04:00
Thierry Laurion
b20cde8c61
Revert "Merge pull request #1703 from JonathonHall-Purism/purism_coreboot_24.02.01"
This reverts commit 7025031702, reversing
changes made to 156d2c80dd.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-07-09 09:29:37 -04:00
Matthew Drobnak
2f8c1a51df
Build ncurses for terminfo definitions.
Signed-off-by: Matthew Drobnak <matthew@drobnak.com>
2024-06-25 17:26:18 +00:00
Maciej Pijanowski
2cd5b0960a
modules: drop iotools
As discussed in: linuxboot#1704
there is no need to include iotools module for nitropads.

Since there is no board using it, and we see no reason to use
it in the future (the EC udpate will not require it, as update
will be server by coreboot in the future), drop the module as well.

Signed-off-by: Maciej Pijanowski <maciej.pijanowski@3mdeb.com>
2024-06-21 17:08:14 +02:00
Jonathon Hall
2ba56d1304
modules/coreboot: 24.02.01-Purism-1, remove CFLAGS overrides, needs nss
Update Purism coreboot to 24.02.01-Purism-1.

Remove CFLAGS overrides when building coreboot.  These overrides break
24.02.01, which added (and needs) --param=min-pagesize=1024.  This has
happened repeatedly in the past since Heads has to duplicate coreboot's
CFLAGS if it overrides them.

Specifically, the build fails with this error:
src/commonlib/include/commonlib/endian.h:27:26: error: array subscript 1 is outside array bounds of 'void[0]' [-Werror=array-bounds=]
   27 |         *(uint8_t *)dest = val;
      |         ~~~~~~~~~~~~~~~~~^~~~~
In function 'setup_default_ebda':
cc1: note: source object is likely at address zero

That's because coreboot is attempting to write to EBDA at physical
address 0x40e, just above 1024.  That is a valid address for x86, but
it's too close to 0 by default for GCC, --param-min-pagesize=1024
allows writes to physical addresses above 1024.

coreboot shouldn't need any of the usual Heads CFLAGS overrides for
reproducibility; it is already reproducible.

Fix indentation in modules/coreboot.  Make accepted it before because
the indented lines followed a variable assignment, so they couldn't
be part of a recipe.  That assignment is now gone, so they're now
interprted as part of a recipe for the `.configured` target just above,
they should not be indented.

Add nss to flake.nix, needed as of 24.02.01.

Update Librem coreboot configs for 24.02.01-Purism-1.  Notably, the
board Kconfig changed for Mini v2 in coreboot, so this is needed for
correct builds.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-06-19 12:38:45 -04:00
Jonathon Hall
65ca94b184
modules/coreboot: Update Purism coreboot to 4.22.01-Purism-1
Update Purism coreboot to 4.22.01-Purism-1.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-06-11 13:01:57 -04:00
nestire
8bea5697d4
bump hotp version to 1.6
Signed-off-by: nestire <hannes@nitrokey.com>
2024-05-21 17:03:05 +02:00
Thierry Laurion
74b1e2f7c1
modules/openssl: remove hack: silences error on console when openssl is included for builds (affects tpm2 boards builds)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-17 14:56:11 -04:00
Thierry Laurion
37f04e2855
Fix key to card failing with invalid time when moving keys to smartcard on master (Opt: Authenticated Heads)
- Revert gnupg toolstack version bump to prior of #1661 merge (2.4.2 -> 2.4.0). Version bump not needed for reproducibility.
  - Investigation and upstream discussions will take their time resolving invalid time issue introduced by between 2.4.0 and latest gnupg, fix regression first under master)

- oem-factory-reset
  - Adding DO_WITH_DEBUG to oem-factory-reset for all its gpg calls. If failing in debug mode, /tmp/debug.txt contains calls and errors
  - Wipe keyrings only (*.gpg, *.kbx)  not conf files under gpg homedir (keep initrd/.gnupg/*.conf)

- flake.nix
  - switch build derivative from qemu and qemu_kvm to qemu_full to have qemu-img tool which was missing to run qemu boards (v0.1.8 docker)
  - add gnupg so that qemu boards can call inject_gpg to inject public key in absence of flashrom+pflash support for internal flashing

- flake.lock: Updated nix pinned package list under flake.lock with 'nix flake update' so qemu_full builds

- README.md: have consistent docker testing + release (push) notes

- .circleci/config.yml: depend on docker v0.1.8 (qemu_full built with canokey-qemu lib support, diffoscopeMinimal and gnupg for proper qemu testing)

TODO:
- some fd2 instead of fd1?!
- oem-factory-resest has whiptail_or_die which sets whiptail box to HEIGHT 0. This doesn't show a scrolling window on gpg errors which is problematic with fbwhiptail, not whiptail

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-17 09:27:29 -04:00
Thierry Laurion
41d55bf2fc
coreboot + patches/coreboot-dasharo-unreleased: Add b35dc4a4f25497acfbe159d6abd057d885661a02.patch for TPM IRQ Kconfig missing
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-13 11:03:23 -04:00
Thierry Laurion
3a7292018e
Merge remote-tracking branch 'osresearch/master' into pr/tlaurion/1662 2024-05-13 09:23:20 -04:00
Michał Kopeć
f6f216c5b8
Use single coreboot rev for MSI and NCM
Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:50:37 -04:00
Michał Żygowski
23976461d8
modules/coreboot: Avoid double quotes in LOCALVERSION
Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:40:26 -04:00
Michał Żygowski
83f96aae5c
modules/coreboot: Remove the lines with config values before overriding them
Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:40:21 -04:00
Michał Kopeć
1eef518daa
modules/coreboot: don't touch DMI vendor name if unspecified
Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:40:16 -04:00
Michał Kopeć
3cfa4e91ae
Allow overriding DMI manufacturer name
Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:40:11 -04:00
Michał Żygowski
acc8044766
modules/coreboot: Allow overriding LOCALVERSION and SMBIOS_PRODUCT_NAME
Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:40:02 -04:00
Michał Żygowski
c7dc6a8064
patches: Remove obsolete patches for nitropad builds
Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:39:57 -04:00
Michał Żygowski
8e7e18920d
modules/nitrokey-blobs,boards/nitropad: Remove obsolete blobs module
Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:39:53 -04:00
Michał Żygowski
6a64144e97
modules/coreboot,config/coreboot-nitropad: Update to the newest revision
Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:39:48 -04:00
Jonathon Hall
6ce3d21e4c
modules/flashrom: Remove LIBS_BASE to stop linking in RPATH.
Specifying LIBS_BASE causes flashrom's Makefile to link in an RPATH,
using the Heads workspace path, which is not what we want.  It does
other things too, but we already pass the parts we need to the make
invocation for flashrom.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-09 12:20:17 -04:00
Thierry Laurion
19bccf0cbd
Revert "modules/tpm2-tss: just remove LT_LIB_DLLOAD from aclocal generated file since there is no easy way of fixing this"
This reverts commit 6a1791112de451509d81e03bce5bdd6b1a49a79f.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:03:04 -04:00
Thierry Laurion
50ab1c5b88
modules/patches slang: bump to version 2.3.3 so we can disable termcap without hacking around
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:02:55 -04:00
Thierry Laurion
35530f9115
modules/msrtools : add missing MAKE_JOBS for parallel builds
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:02:41 -04:00
Thierry Laurion
fa60bf7dfb
modules/tpm2-tss: just remove LT_LIB_DLLOAD from aclocal generated file since there is no easy way of fixing this
nix doesn't provide an equivalent of libltdl-dev, so just wipe the remnant of old ages if present
https://github.com/tpm2-software/tpm2-tss/issues/2161

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:02:36 -04:00
Thierry Laurion
a29f92a26d
modules/* : WiP for tpm2-* while having added MAKE_JOBS to modules that were missing it to propogate build optimizations per module, while still impossible to call make -j 12 on main make call
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:01:48 -04:00
Thierry Laurion
e841f9bc0d
modules/* : Make sure MAKE_JOBS is passed down
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:01:43 -04:00
Thierry Laurion
cbf984ad7c
WiP modules/tpm2* : removed Makefile build instructions too quick
/nix/store/5lr5n3qa4day8l1ivbwlcby2nknczqkq-bash-5.2p26/bin/bash ./libtool  --tag=CC   --mode=link /home/user/heads/crossgcc/x86/bin/x86_64-linux-musl-gcc -fdebug-prefix-map=/home/user/heads=heads -gno-record-gcc-switches -D__MUSL__ --sysroot  /home/user/heads/install/x86 -isystem /home/user/heads/install/x86/include -L/home/user/heads/install/x86/lib  -I./tools -I./lib -Wall -Wextra -Wformat -Wformat-security -Wstack-protector -fstack-protector-all -Wstrict-overflow=5 -O2 -fPIC -fPIE -D_GNU_SOURCE -std=gnu99 -Wstringop-overflow=4 -Wstringop-truncation -Wduplicated-branches -Wduplicated-cond -Wbool-compare -fdata-sections -ffunction-sections -I/home/user/heads/install/x86/include -I/home/user/heads/install/x86//include -I/home/user/heads/install/x86//include/tss2 -I/home/user/heads/install/x86/nix/store/yg75achq89wgqn2fi3gglgsd77kjpi03-openssl-3.0.13-dev/include  -I/home/user/heads/install/x86//include -I/home/user/heads/install/x86//include/tss2 -I/home/user/heads/install/x86//include -I/home/user/heads/install/x86//include/tss2 -I/home/user/heads/install/x86//include -I/home/user/heads/install/x86//include/tss2 -DTPM2_TOOLS_MAX="101" -fdebug-prefix-map=/home/user/heads/install/x86=. -shared -pie -Wl,-z,relro -Wl,-z,now -Wl,--gc-sections   -o tools/tpm2 tools/tpm2-tpm2_tool.o tools/misc/tpm2-tpm2_certifyX509certutil.o tools/misc/tpm2-tpm2_checkquote.o tools/misc/tpm2-tpm2_encodeobject.o tools/misc/tpm2-tpm2_eventlog.o tools/misc/tpm2-tpm2_print.o tools/misc/tpm2-tpm2_rc_decode.o tools/misc/tpm2-tpm2_tr_encode.o tools/tpm2-tpm2_activatecredential.o tools/tpm2-tpm2_certify.o tools/tpm2-tpm2_changeauth.o tools/tpm2-tpm2_changeeps.o tools/tpm2-tpm2_changepps.o tools/tpm2-tpm2_clear.o tools/tpm2-tpm2_clearcontrol.o tools/tpm2-tpm2_clockrateadjust.o tools/tpm2-tpm2_create.o tools/tpm2-tpm2_createak.o tools/tpm2-tpm2_createek.o tools/tpm2-tpm2_createpolicy.o tools/tpm2-tpm2_setprimarypolicy.o tools/tpm2-tpm2_createprimary.o tools/tpm2-tpm2_dictionarylockout.o tools/tpm2-tpm2_duplicate.o tools/tpm2-tpm2_getcap.o tools/tpm2-tpm2_gettestresult.o tools/tpm2-tpm2_encryptdecrypt.o tools/tpm2-tpm2_evictcontrol.o tools/tpm2-tpm2_flushcontext.o tools/tpm2-tpm2_getrandom.o tools/tpm2-tpm2_gettime.o tools/tpm2-tpm2_hash.o tools/tpm2-tpm2_hierarchycontrol.o tools/tpm2-tpm2_hmac.o tools/tpm2-tpm2_import.o tools/tpm2-tpm2_incrementalselftest.o tools/tpm2-tpm2_load.o tools/tpm2-tpm2_loadexternal.o tools/tpm2-tpm2_makecredential.o tools/tpm2-tpm2_nvdefine.o tools/tpm2-tpm2_nvextend.o tools/tpm2-tpm2_nvincrement.o tools/tpm2-tpm2_nvreadpublic.o tools/tpm2-tpm2_nvread.o tools/tpm2-tpm2_nvreadlock.o tools/tpm2-tpm2_nvundefine.o tools/tpm2-tpm2_nvwrite.o tools/tpm2-tpm2_nvwritelock.o tools/tpm2-tpm2_nvsetbits.o tools/tpm2-tpm2_pcrallocate.o tools/tpm2-tpm2_pcrevent.o tools/tpm2-tpm2_pcrextend.o tools/tpm2-tpm2_pcrread.o tools/tpm2-tpm2_pcrreset.o tools/tpm2-tpm2_policypcr.o tools/tpm2-tpm2_policyauthorize.o tools/tpm2-tpm2_policyauthorizenv.o tools/tpm2-tpm2_policynv.o tools/tpm2-tpm2_policycountertimer.o tools/tpm2-tpm2_policyor.o tools/tpm2-tpm2_policynamehash.o tools/tpm2-tpm2_policytemplate.o tools/tpm2-tpm2_policycphash.o tools/tpm2-tpm2_policypassword.o tools/tpm2-tpm2_policysigned.o tools/tpm2-tpm2_policyticket.o tools/tpm2-tpm2_policyauthvalue.o tools/tpm2-tpm2_policysecret.o tools/tpm2-tpm2_policyrestart.o tools/tpm2-tpm2_policycommandcode.o tools/tpm2-tpm2_policynvwritten.o tools/tpm2-tpm2_policyduplicationselect.o tools/tpm2-tpm2_policylocality.o tools/tpm2-tpm2_quote.o tools/tpm2-tpm2_readclock.o tools/tpm2-tpm2_readpublic.o tools/tpm2-tpm2_rsadecrypt.o tools/tpm2-tpm2_rsaencrypt.o tools/tpm2-tpm2_send.o tools/tpm2-tpm2_selftest.o tools/tpm2-tpm2_setclock.o tools/tpm2-tpm2_shutdown.o tools/tpm2-tpm2_sign.o tools/tpm2-tpm2_certifycreation.o tools/tpm2-tpm2_nvcertify.o tools/tpm2-tpm2_startauthsession.o tools/tpm2-tpm2_startup.o tools/tpm2-tpm2_stirrandom.o tools/tpm2-tpm2_testparms.o tools/tpm2-tpm2_unseal.o tools/tpm2-tpm2_verifysignature.o tools/tpm2-tpm2_setcommandauditstatus.o tools/tpm2-tpm2_getcommandauditdigest.o tools/tpm2-tpm2_getsessionauditdigest.o tools/tpm2-tpm2_geteccparameters.o tools/tpm2-tpm2_ecephemeral.o tools/tpm2-tpm2_commit.o tools/tpm2-tpm2_ecdhkeygen.o tools/tpm2-tpm2_ecdhzgen.o tools/tpm2-tpm2_zgen2phase.o tools/tpm2-tpm2_sessionconfig.o tools/tpm2-tpm2_getpolicydigest.o lib/libcommon.a -ltss2-esys -L/home/user/heads/install/x86/lib -L/home/user/heads/install/x86//lib -ltss2-mu -L/home/user/heads/install/x86/nix/store/7nmrrad8skxr47f9hfl3xc0pfqmwq51b-openssl-3.0.13/lib -lcrypto -L/home/user/heads/install/x86//lib -ltss2-tctildr -L/home/user/heads/install/x86//lib -ltss2-rc -L/home/user/heads/install/x86//lib -ltss2-sys
libtool:   error: cannot find the library '//lib/libtss2-sys.la' or unhandled argument '//lib/libtss2-sys.la'
make[1]: *** [Makefile:2478: tools/tpm2] Error 1
make[1]: Leaving directory '/home/user/heads/build/x86/tpm2-tools-5.6'
make: *** [Makefile:521: /home/user/heads/build/x86/tpm2-tools-5.6/.build] Error 1

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:01:34 -04:00
Thierry Laurion
75a5c2f1e6
tpm2 modules: remove sysroot and unneeded duplicated Makefile tweaks now passed from golbal Makefile sysroot (TODO: generalize)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:01:24 -04:00
Thierry Laurion
43d806f205
modules/tpm2-tools: add with-sysroot, TSS2_ESYS_3_0_LIBS to configure args
Thanks to @JonathonHall-Purism, that pointed to me that sysroot was
neglected in tpm2-tools configure step.

I wonder why this is not respected if not forced with --with-sysroot and
TSS2_ESYS_3_0_LIBS="-ltss2-esys -L$(INSTALL)/lib"?

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:00:46 -04:00
Thierry Laurion
fcb9596f7e
modules/tpm2-tss: Add with-sysroot to configure args
Thanks to @JonathonHall-Purism, that pointed to me that sysroot was
neglected in tpm2-tools configure step.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:00:41 -04:00
Thierry Laurion
236f9b117c
modules/gpg2: Bump version 2.4.0 -> 2.4.2
More pending work needed to fix fragility of buildsystem and fix nix
build issues as well like:

https://app.circleci.com/pipelines/github/mmlb/osresearch-heads/11/workflows/32cc883c-5074-4f28-94b8-a83a2ec44414/jobs/252
https://app.circleci.com/pipelines/github/mmlb/osresearch-heads/11/workflows/32cc883c-5074-4f28-94b8-a83a2ec44414/jobs/221
https://app.circleci.com/pipelines/github/tlaurion/heads/1781/workflows/ee402ead-6739-4549-88ae-105b695fb3cd
https://app.circleci.com/pipelines/github/tlaurion/heads/1783/workflows/2b35826c-aff4-4f48-8809-4e66259f9aa4/jobs/25877/parallel-runs/0/steps/0-103

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:00:37 -04:00
Thierry Laurion
67e5973b5d
modules: Remove unrecognized configure options
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:00:32 -04:00
Manuel Mendez
a4ba76fd90
modules: minor refactor/tweaks
Just some minor clean ups like fixing whitespace and sorting things. I
added (bash)/removed (libusb) white space in order to look like the
other modules.

I sorted the --enable/--disable/--with blocks so that common stuff
looked similar which should aid in comparing modules. I also removed a
couple of duplicate config options (--disable-fallback-curses &
--disable-regex).

Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:00:27 -04:00
Manuel Mendez
d396236a83
Remove hard coded paths in shebang lines
Remove hard coded paths from shebangs and other references because they
do not play well in nix-land. Either use /usr/bin/env to do runtime PATH
based lookup or avoid absolute paths so PATH look up happens instead.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:00:22 -04:00
Thierry Laurion
be71430167
modules/tpm2-tools: Add TODO to uniformize live patching through sed calls as opposed to patch version specific autotools/configure scripts to force reproducible builds
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-09 12:39:20 -04:00
Thierry Laurion
8208c86efe
modules/tpm2-tss: sed configure script to remove hardcoding of libs, move patch 3.2.0->3.2.2
disable static lib builds

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-03 13:48:58 -04:00
Thierry Laurion
ddef233708
modules-tpm2-tools: bump from 5.2->5.6 (removes need to hack around PACKAGE_VERSION string which configure.ac points to ./VERSION already
tpm2-tools-5.6 patch: comment out git versioning output under ./VERSION; module: output current version under ./VERSION instead. Document under module

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-03 13:48:52 -04:00
Thierry Laurion
d7915e1639
OpenSSL (libcrypto): patch so that crypto/buildinfo.h generated by perl script contains reproducible date and fake compiler_flags
hardcode VERSION='reproducible_build' into generated configure script to get rid of generate random git abbrev 8/12 chars (could not find source)
 patches/openssl-3.0.8.patch: clean up

tpm2-tools/tpm2-tss:
 hack configure scripts to not contain hardcoded libs and other rpath related strings, using sed instead of patching configure script like cryptsetup2 patch
  Will be clened up in other commits. Leaving here as trace for autotools sed patching for reproducible builds.

CircleCI: change working dir from project->heads so that CircleCI and local builds are from heads directory, helping reproducible builds

TODO: change other patches a well and generalize to gpg toolstack, removing patches that are a maintainership burden.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-03 13:48:47 -04:00
Thierry Laurion
673b2f1340
modules/coreboot CircleCI: adapt to coreboot version bumps
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-03-25 15:15:52 -04:00
Thierry Laurion
fb616f416a
WiP 4.22.01 fhd patch test + bump all 4.19 boards to 4.22.01
- patches/coreboot-4.22.01/0001-x230-fhd-variant.patch created per
  - git fetch https://review.coreboot.org/coreboot refs/changes/50/28950/23 && git format-patch -1 --stdout FETCH_HEAD > ~/heads/patches/coreboot-4.22.01/0001-x230-fhd-variant.patch
- all boards configs bumped with:
  - grep -Rn 4.22 boards/ | awk -F "/" {'print $2'}| while read line; do make BOARD=$line coreboot.save_in_oldconfig_format_in_place ; done

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-03-25 15:14:42 -04:00
Thierry Laurion
7cbcdd8ed7
Tethering refresh for CDC NCM/CDC EEM mobile phones (tested on GrapheneOS Pixel 6a, no more RNDIS support)
- Add additional requirements to linux config
- Add additional CONFIG_MOBILE_TETHERING=y to all maximized board configs
- Fix issue under network-recovery-init to NTP sync against NTP server pool
- Extend network-recovery-init to first try NTP sync against DNS server returned by DHCP answer
- Remove network-recovery-init earlytty and tty0 redirection (console should be setuped properly by init in all cases)
- If CONFIG_MOBILE_TETHERING=y added to board config and network-recovery-init called, wait to user input on instructions and warning 30 secs before proceeding (non-blocking)
- Machines having STATIC_IP under board config won't benefit of autoatic NTP sync

Since network-recovery-init can only be called from recovery shell now, and recovery shell can be guarded by GPG auth, this is PoC code to be used to complement TOTP being out of sync

TODO(Future PR):
- Refactor into functions and reuse into TOTP/HOTP being out of sync automatically.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-02-21 13:50:18 -05:00
Michał Kopeć
4af780864f
modules/openssl: remove libgcc path hack
Passing the path to libgcc in LDFLAGS appears to no longer be needed.
Removing this fixes compilation on a freshly cloned repo.

Fixes #1507

Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
2024-02-16 08:18:42 +01:00
tlaurion
5a75e6bffa
Merge pull request #1586 from JonathonHall-Purism/root-file-hash-qubes
Root file hashing: support Qubes default partition layout (+ tracing helpers)
2024-02-01 14:25:48 -05:00
Jonathon Hall
d22cf5ec7b
Merge remote-tracking branch 'github-heads/master' into laptops-optional-usb-keyboard 2024-01-31 10:48:24 -05:00
Thierry Laurion
6db03b0bdd
Uniformize vocabulary: LUKS TPM Disk Unlock Key & LUKS Disk Recovery Key
When playing with long fbwhiptail/whiptail messages, this commit played around the long string using fold.

'''
echo -e "This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue." | fold -w 70 -s
'''

Which gave the exact output of what will be inside of the fbwhiptail prompt, fixed to 70 chars width:

'''
This will replace the encrypted container content and its LUKS Disk
Recovery Key.

The passphrase associated with this key will be asked from the user
under the following conditions:
 1-Every boot if no Disk Unlock Key was added to the TPM
 2-If the TPM fails (hardware failure)
 3-If the firmware has been tampered with/modified by the user

This process requires you to type the current LUKS Disk Recovery Key
passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set
up, by setting a default boot LUKS key slot (1) if present.

At the next prompt, you may be asked to select which file corresponds
to the LUKS device container.

Hit Enter to continue.
'''

Therefore, for long prompts in the future, one can just deal with "\n 1-" alignments to be respected in prompts and have fold deal with cutting the length of strings properly.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-20 11:47:35 -05:00