Commit Graph

499 Commits

Author SHA1 Message Date
Thierry Laurion
35530f9115
modules/msrtools : add missing MAKE_JOBS for parallel builds
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:02:41 -04:00
Thierry Laurion
fa60bf7dfb
modules/tpm2-tss: just remove LT_LIB_DLLOAD from aclocal generated file since there is no easy way of fixing this
nix doesn't provide an equivalent of libltdl-dev, so just wipe the remnant of old ages if present
https://github.com/tpm2-software/tpm2-tss/issues/2161

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:02:36 -04:00
Thierry Laurion
a29f92a26d
modules/* : WiP for tpm2-* while having added MAKE_JOBS to modules that were missing it to propagate build optimizations per module, while still impossible to call make -j 12 on main make call
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:01:48 -04:00
Thierry Laurion
e841f9bc0d
modules/* : Make sure MAKE_JOBS is passed down
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:01:43 -04:00
Thierry Laurion
cbf984ad7c
WiP modules/tpm2* : removed Makefile build instructions too quick
/nix/store/5lr5n3qa4day8l1ivbwlcby2nknczqkq-bash-5.2p26/bin/bash ./libtool  --tag=CC   --mode=link /home/user/heads/crossgcc/x86/bin/x86_64-linux-musl-gcc -fdebug-prefix-map=/home/user/heads=heads -gno-record-gcc-switches -D__MUSL__ --sysroot  /home/user/heads/install/x86 -isystem /home/user/heads/install/x86/include -L/home/user/heads/install/x86/lib  -I./tools -I./lib -Wall -Wextra -Wformat -Wformat-security -Wstack-protector -fstack-protector-all -Wstrict-overflow=5 -O2 -fPIC -fPIE -D_GNU_SOURCE -std=gnu99 -Wstringop-overflow=4 -Wstringop-truncation -Wduplicated-branches -Wduplicated-cond -Wbool-compare -fdata-sections -ffunction-sections -I/home/user/heads/install/x86/include -I/home/user/heads/install/x86//include -I/home/user/heads/install/x86//include/tss2 -I/home/user/heads/install/x86/nix/store/yg75achq89wgqn2fi3gglgsd77kjpi03-openssl-3.0.13-dev/include  -I/home/user/heads/install/x86//include -I/home/user/heads/install/x86//include/tss2 -I/home/user/heads/install/x86//include -I/home/user/heads/install/x86//include/tss2 -I/home/user/heads/install/x86//include -I/home/user/heads/install/x86//include/tss2 -DTPM2_TOOLS_MAX="101" -fdebug-prefix-map=/home/user/heads/install/x86=. 
-shared -pie -Wl,-z,relro -Wl,-z,now -Wl,--gc-sections   -o tools/tpm2 tools/tpm2-tpm2_tool.o tools/misc/tpm2-tpm2_certifyX509certutil.o tools/misc/tpm2-tpm2_checkquote.o tools/misc/tpm2-tpm2_encodeobject.o tools/misc/tpm2-tpm2_eventlog.o tools/misc/tpm2-tpm2_print.o tools/misc/tpm2-tpm2_rc_decode.o tools/misc/tpm2-tpm2_tr_encode.o tools/tpm2-tpm2_activatecredential.o tools/tpm2-tpm2_certify.o tools/tpm2-tpm2_changeauth.o tools/tpm2-tpm2_changeeps.o tools/tpm2-tpm2_changepps.o tools/tpm2-tpm2_clear.o tools/tpm2-tpm2_clearcontrol.o tools/tpm2-tpm2_clockrateadjust.o tools/tpm2-tpm2_create.o tools/tpm2-tpm2_createak.o tools/tpm2-tpm2_createek.o tools/tpm2-tpm2_createpolicy.o tools/tpm2-tpm2_setprimarypolicy.o tools/tpm2-tpm2_createprimary.o tools/tpm2-tpm2_dictionarylockout.o tools/tpm2-tpm2_duplicate.o tools/tpm2-tpm2_getcap.o tools/tpm2-tpm2_gettestresult.o tools/tpm2-tpm2_encryptdecrypt.o tools/tpm2-tpm2_evictcontrol.o tools/tpm2-tpm2_flushcontext.o tools/tpm2-tpm2_getrandom.o tools/tpm2-tpm2_gettime.o tools/tpm2-tpm2_hash.o tools/tpm2-tpm2_hierarchycontrol.o tools/tpm2-tpm2_hmac.o tools/tpm2-tpm2_import.o tools/tpm2-tpm2_incrementalselftest.o tools/tpm2-tpm2_load.o tools/tpm2-tpm2_loadexternal.o tools/tpm2-tpm2_makecredential.o tools/tpm2-tpm2_nvdefine.o tools/tpm2-tpm2_nvextend.o tools/tpm2-tpm2_nvincrement.o tools/tpm2-tpm2_nvreadpublic.o tools/tpm2-tpm2_nvread.o tools/tpm2-tpm2_nvreadlock.o tools/tpm2-tpm2_nvundefine.o tools/tpm2-tpm2_nvwrite.o tools/tpm2-tpm2_nvwritelock.o tools/tpm2-tpm2_nvsetbits.o tools/tpm2-tpm2_pcrallocate.o tools/tpm2-tpm2_pcrevent.o tools/tpm2-tpm2_pcrextend.o tools/tpm2-tpm2_pcrread.o tools/tpm2-tpm2_pcrreset.o tools/tpm2-tpm2_policypcr.o tools/tpm2-tpm2_policyauthorize.o tools/tpm2-tpm2_policyauthorizenv.o tools/tpm2-tpm2_policynv.o tools/tpm2-tpm2_policycountertimer.o tools/tpm2-tpm2_policyor.o tools/tpm2-tpm2_policynamehash.o tools/tpm2-tpm2_policytemplate.o tools/tpm2-tpm2_policycphash.o tools/tpm2-tpm2_policypassword.o 
tools/tpm2-tpm2_policysigned.o tools/tpm2-tpm2_policyticket.o tools/tpm2-tpm2_policyauthvalue.o tools/tpm2-tpm2_policysecret.o tools/tpm2-tpm2_policyrestart.o tools/tpm2-tpm2_policycommandcode.o tools/tpm2-tpm2_policynvwritten.o tools/tpm2-tpm2_policyduplicationselect.o tools/tpm2-tpm2_policylocality.o tools/tpm2-tpm2_quote.o tools/tpm2-tpm2_readclock.o tools/tpm2-tpm2_readpublic.o tools/tpm2-tpm2_rsadecrypt.o tools/tpm2-tpm2_rsaencrypt.o tools/tpm2-tpm2_send.o tools/tpm2-tpm2_selftest.o tools/tpm2-tpm2_setclock.o tools/tpm2-tpm2_shutdown.o tools/tpm2-tpm2_sign.o tools/tpm2-tpm2_certifycreation.o tools/tpm2-tpm2_nvcertify.o tools/tpm2-tpm2_startauthsession.o tools/tpm2-tpm2_startup.o tools/tpm2-tpm2_stirrandom.o tools/tpm2-tpm2_testparms.o tools/tpm2-tpm2_unseal.o tools/tpm2-tpm2_verifysignature.o tools/tpm2-tpm2_setcommandauditstatus.o tools/tpm2-tpm2_getcommandauditdigest.o tools/tpm2-tpm2_getsessionauditdigest.o tools/tpm2-tpm2_geteccparameters.o tools/tpm2-tpm2_ecephemeral.o tools/tpm2-tpm2_commit.o tools/tpm2-tpm2_ecdhkeygen.o tools/tpm2-tpm2_ecdhzgen.o tools/tpm2-tpm2_zgen2phase.o tools/tpm2-tpm2_sessionconfig.o tools/tpm2-tpm2_getpolicydigest.o lib/libcommon.a -ltss2-esys -L/home/user/heads/install/x86/lib -L/home/user/heads/install/x86//lib -ltss2-mu -L/home/user/heads/install/x86/nix/store/7nmrrad8skxr47f9hfl3xc0pfqmwq51b-openssl-3.0.13/lib -lcrypto -L/home/user/heads/install/x86//lib -ltss2-tctildr -L/home/user/heads/install/x86//lib -ltss2-rc -L/home/user/heads/install/x86//lib -ltss2-sys
libtool:   error: cannot find the library '//lib/libtss2-sys.la' or unhandled argument '//lib/libtss2-sys.la'
make[1]: *** [Makefile:2478: tools/tpm2] Error 1
make[1]: Leaving directory '/home/user/heads/build/x86/tpm2-tools-5.6'
make: *** [Makefile:521: /home/user/heads/build/x86/tpm2-tools-5.6/.build] Error 1

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:01:34 -04:00
Thierry Laurion
75a5c2f1e6
tpm2 modules: remove sysroot and unneeded duplicated Makefile tweaks now passed from global Makefile sysroot (TODO: generalize)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:01:24 -04:00
Thierry Laurion
43d806f205
modules/tpm2-tools: add with-sysroot, TSS2_ESYS_3_0_LIBS to configure args
Thanks to @JonathonHall-Purism, who pointed out to me that sysroot was
neglected in the tpm2-tools configure step.

I wonder why this is not respected if not forced with --with-sysroot and
TSS2_ESYS_3_0_LIBS="-ltss2-esys -L$(INSTALL)/lib"?

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:00:46 -04:00
Thierry Laurion
fcb9596f7e
modules/tpm2-tss: Add with-sysroot to configure args
Thanks to @JonathonHall-Purism, who pointed out to me that sysroot was
neglected in the tpm2-tools configure step.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:00:41 -04:00
Thierry Laurion
236f9b117c
modules/gpg2: Bump version 2.4.0 -> 2.4.2
More pending work needed to fix fragility of buildsystem and fix nix
build issues as well like:

https://app.circleci.com/pipelines/github/mmlb/osresearch-heads/11/workflows/32cc883c-5074-4f28-94b8-a83a2ec44414/jobs/252
https://app.circleci.com/pipelines/github/mmlb/osresearch-heads/11/workflows/32cc883c-5074-4f28-94b8-a83a2ec44414/jobs/221
https://app.circleci.com/pipelines/github/tlaurion/heads/1781/workflows/ee402ead-6739-4549-88ae-105b695fb3cd
https://app.circleci.com/pipelines/github/tlaurion/heads/1783/workflows/2b35826c-aff4-4f48-8809-4e66259f9aa4/jobs/25877/parallel-runs/0/steps/0-103

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:00:37 -04:00
Thierry Laurion
67e5973b5d
modules: Remove unrecognized configure options
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:00:32 -04:00
Manuel Mendez
a4ba76fd90
modules: minor refactor/tweaks
Just some minor clean ups like fixing whitespace and sorting things. I
added (bash)/removed (libusb) white space in order to look like the
other modules.

I sorted the --enable/--disable/--with blocks so that common stuff
looked similar which should aid in comparing modules. I also removed a
couple of duplicate config options (--disable-fallback-curses &
--disable-regex).

Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:00:27 -04:00
Manuel Mendez
d396236a83
Remove hard coded paths in shebang lines
Remove hard coded paths from shebangs and other references because they
do not play well in nix-land. Either use /usr/bin/env to do runtime PATH
based lookup or avoid absolute paths so PATH look up happens instead.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:00:22 -04:00
Thierry Laurion
be71430167
modules/tpm2-tools: Add TODO to uniformize live patching through sed calls as opposed to patch version specific autotools/configure scripts to force reproducible builds
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-09 12:39:20 -04:00
Thierry Laurion
8208c86efe
modules/tpm2-tss: sed configure script to remove hardcoding of libs, move patch 3.2.0->3.2.2
disable static lib builds

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-03 13:48:58 -04:00
Thierry Laurion
ddef233708
modules-tpm2-tools: bump from 5.2->5.6 (removes need to hack around PACKAGE_VERSION string which configure.ac points to ./VERSION already)
tpm2-tools-5.6 patch: comment out git versioning output under ./VERSION; module: output current version under ./VERSION instead. Document under module

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-03 13:48:52 -04:00
Thierry Laurion
d7915e1639
OpenSSL (libcrypto): patch so that crypto/buildinfo.h generated by perl script contains reproducible date and fake compiler_flags
hardcode VERSION='reproducible_build' into generated configure script to get rid of generate random git abbrev 8/12 chars (could not find source)
 patches/openssl-3.0.8.patch: clean up

tpm2-tools/tpm2-tss:
 hack configure scripts to not contain hardcoded libs and other rpath related strings, using sed instead of patching configure script like cryptsetup2 patch
  Will be cleaned up in other commits. Leaving here as trace for autotools sed patching for reproducible builds.

CircleCI: change working dir from project->heads so that CircleCI and local builds are from heads directory, helping reproducible builds

TODO: change other patches as well and generalize to gpg toolstack, removing patches that are a maintainership burden.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-03 13:48:47 -04:00
Thierry Laurion
673b2f1340
modules/coreboot CircleCI: adapt to coreboot version bumps
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-03-25 15:15:52 -04:00
Thierry Laurion
fb616f416a
WiP 4.22.01 fhd patch test + bump all 4.19 boards to 4.22.01
- patches/coreboot-4.22.01/0001-x230-fhd-variant.patch created per
  - git fetch https://review.coreboot.org/coreboot refs/changes/50/28950/23 && git format-patch -1 --stdout FETCH_HEAD > ~/heads/patches/coreboot-4.22.01/0001-x230-fhd-variant.patch
- all boards configs bumped with:
  - grep -Rn 4.22 boards/ | awk -F "/" {'print $2'}| while read line; do make BOARD=$line coreboot.save_in_oldconfig_format_in_place ; done

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-03-25 15:14:42 -04:00
Thierry Laurion
7cbcdd8ed7
Tethering refresh for CDC NCM/CDC EEM mobile phones (tested on GrapheneOS Pixel 6a, no more RNDIS support)
- Add additional requirements to linux config
- Add additional CONFIG_MOBILE_TETHERING=y to all maximized board configs
- Fix issue under network-recovery-init to NTP sync against NTP server pool
- Extend network-recovery-init to first try NTP sync against DNS server returned by DHCP answer
- Remove network-recovery-init earlytty and tty0 redirection (console should be set up properly by init in all cases)
- If CONFIG_MOBILE_TETHERING=y added to board config and network-recovery-init called, wait to user input on instructions and warning 30 secs before proceeding (non-blocking)
- Machines having STATIC_IP under board config won't benefit from automatic NTP sync

Since network-recovery-init can only be called from recovery shell now, and recovery shell can be guarded by GPG auth, this is PoC code to be used to complement TOTP being out of sync

TODO(Future PR):
- Refactor into functions and reuse into TOTP/HOTP being out of sync automatically.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-02-21 13:50:18 -05:00
Michał Kopeć
4af780864f
modules/openssl: remove libgcc path hack
Passing the path to libgcc in LDFLAGS appears to no longer be needed.
Removing this fixes compilation on a freshly cloned repo.

Fixes #1507

Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
2024-02-16 08:18:42 +01:00
tlaurion
5a75e6bffa
Merge pull request #1586 from JonathonHall-Purism/root-file-hash-qubes
Root file hashing: support Qubes default partition layout (+ tracing helpers)
2024-02-01 14:25:48 -05:00
Jonathon Hall
d22cf5ec7b
Merge remote-tracking branch 'github-heads/master' into laptops-optional-usb-keyboard
2024-01-31 10:48:24 -05:00
Thierry Laurion
6db03b0bdd
Uniformize vocabulary: LUKS TPM Disk Unlock Key & LUKS Disk Recovery Key
When playing with long fbwhiptail/whiptail messages, this commit played around the long string using fold.

```
echo -e "This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue." | fold -w 70 -s
```

Which gave the exact output of what will be inside of the fbwhiptail prompt, fixed to 70 chars width:

```
This will replace the encrypted container content and its LUKS Disk
Recovery Key.

The passphrase associated with this key will be asked from the user
under the following conditions:
 1-Every boot if no Disk Unlock Key was added to the TPM
 2-If the TPM fails (hardware failure)
 3-If the firmware has been tampered with/modified by the user

This process requires you to type the current LUKS Disk Recovery Key
passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set
up, by setting a default boot LUKS key slot (1) if present.

At the next prompt, you may be asked to select which file corresponds
to the LUKS device container.

Hit Enter to continue.
```

Therefore, for long prompts in the future, one can just deal with "\n 1-" alignments to be respected in prompts and have fold deal with cutting the length of strings properly.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-20 11:47:35 -05:00
Jonathon Hall
84040176fa
modules/bash: Enable readline
Restores autocomplete and makes bash more usable as an interactive
shell.  Added 106 KB to compressed initrd (checked librem_14).

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-17 16:34:48 -05:00
Jonathon Hall
de1592e2f5
lvm2: Support LVM2 thin provisioned volumes
Support LVM2 thin-provisioned volumes.  LVM2 wants the thin_check
utility by default, but it has multiple dependencies we do not
currently ship (boost, libexpat, others), so disable it.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-17 16:34:32 -05:00
Jonathon Hall
e0b46d086a
functions: TRACE_FUNC and DEBUG_STACK
Add TRACE_FUNC to trace the file, line, and name of the calling
function.  File and function names don't have to be duplicated in a
TRACE statement with this (they tend to become inaccurate as functions
are renamed and the TRACE statement is forgotten).

Add DEBUG_STACK to dump the bash stack to debug output.

Configure bash with --enable-debugger.  Bash doesn't actually include
the entire debugger, this is just some supporting variables for it.
Evidently, BASH_SOURCE[n] is only set within a function if this is
enabled.  I couldn't find this indicated in any documentation, but it
happened in practice.

Compressed initrd size only increased by 2560 bytes for librem_mini_v2,
I think that is fine.  This also gives us BASH_ARGC/BASH_ARGV which
might be useful for diagnostics.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-17 16:32:37 -05:00
Thierry Laurion
a42812d60c
ppc64le builder required changes
popt: too old to have a working config.guess
libusb-compat: not needed for gpg2
gpg2: depend on libusb not libusb-compat

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-10 18:28:24 -05:00
Jonathon Hall
0a823cb491
Allow laptops to include optional USB keyboard support
Laptops can include optional USB keyboard support (default off unless
the board also sets the default to 'y').  The setting is in the
configuration GUI.

CONFIG_USER_USB_KEYBOARD is now the user-controlled setting on those
boards.  'CONFIG_USB_KEYBOARD' is no longer used to avoid any conflict
with prior releases that expect this to be a compile-time setting only
(conflicts risk total lock out requiring hardware flash, so some
caution is justified IMO).

Boards previously exporting CONFIG_USB_KEYBOARD now export
CONFIG_USB_KEYBOARD_REQUIRED.  Those boards don't have built-in
keyboards, USB keyboard is always enabled. (librem_mini,
librem_mini_v2, librem_11, librem_l1um, librem_l1um_v2, talos-2,
kgpe-d16_workstation-usb_keyboard, x230-hotp-maximized_usb-kb).

Librem laptops now export CONFIG_SUPPORT_USB_KEYBOARD to enable
optional support.  The default is still 'off'.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-10 15:38:06 -05:00
Thierry Laurion
012400af1b
gpg2: make sure dirmngr is not spawned to refresh keys under initrd/.gnupg/gpg.conf
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-09 12:53:56 -05:00
Jonathon Hall
e380539202
modules/coreboot: Disable Ada compiler for coreboot 4.11
Disable the Ada compiler, as it no longer compiles on Debian 12 and is
not needed.

The Ada compiler is only used for libgfxinit - Intel native graphics
initialization.  Neither of the boards on coreboot 4.11 uses this;
Aspeed graphics initialization is written in C (but is not used yet as
it only supports text mode in 4.11).

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-08 15:38:44 -05:00
Jonathon Hall
f632897bb5
modules/coreboot: Cache coreboot toolchain archives and use mirrors
Download coreboot toolchain archives into packages/<arch> before
coreboot tries to download them.  This allows us to use mirrors to get
the archives.  We could also update the primary source this way if it
goes down instead of patching coreboot itself (has happened for IASL).

The archive versions and digests are retrieved from the coreboot
module, so there isn't another copy of that info to maintain.  That is
done in bin/fetch_coreboot_crossgcc_archive.sh, which uses the
existing fetch script to do the actual download, leveraging mirrors.

bin/fetch_source_archive.sh supports using a SHA-1 digest instead of
SHA-256, since coreboot has SHA-1 digests.  It also checks if the file
already exists (deleting the coreboot directory will cause it to be
re-run, but the packages are already there and can be used from cache).

The coreboot-4.11 IASL patch is updated to delete the outdated acpica
archive digest (it already added the new one, but the old one was still
there).  bin/fetch_coreboot_crossgcc_archive.sh finds the archive
version and digest from the digest files, so only one acpica file must
be present.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-08 15:10:56 -05:00
Thierry Laurion
fbbdc94634
switch back from web.archive.org to cairographics.org (CircleCI is rate limited over web.archive.org: not a solution...)
Adds up to https://github.com/linuxboot/heads/issues/1198

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-04 21:32:32 -05:00
tlaurion
449977b617
Merge pull request #1561 from Nitrokey/up-v2.4
Bump Dasharo Coreboot / hotp-verification; fix nitropad-nxx ec-powerdown
2024-01-03 15:49:55 -05:00
Thierry Laurion
2b65211fac
modules/cairo: www.cairographics.org down again. Use web.archive.org archive
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-02 16:18:30 -05:00
Thierry Laurion
98e68366ea
modules/pixman: www.cairographics.org down again. Use web.archive.org archive.
Haven't found same archive elsewhere with same hash.
Adds up to https://github.com/linuxboot/heads/issues/1198

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-02 15:12:06 -05:00
Markus Meissner
5e43bcd2f4
hotp-verification: adapt to nk3 v1.6 security model
* overwriting a hotp secret is not possible anymore
* make sure to delete the hotp secret before setting a new one
* requires one additional user presence check during HOTP setup
* bump to v1.5

Signed-off-by: Markus Meissner <coder@safemailbox.de>
2023-12-22 16:14:40 +01:00
Markus Meissner
65abba9946
coreboot-nitrokey: update dasharo to v1.7.2
* remove all previous coreboot patches (as they are already included)
* to be investigated: linux trampoline patch
* add new patch to hardcode sleep configuration
* activate smmstore as dasharo vendor code requires it

Signed-off-by: Markus Meissner <coder@safemailbox.de>
2023-12-22 15:37:29 +01:00
Thierry Laurion
0f0cb99a02
Adapt NV41/NS50 changes, unify bootsplash file usage for branding
Taken from : https://github.com/Nitrokey/heads/tree/temp-release-v2.3

- Move branding/Heads/bootsplash-1024x768.jpg -> branding/Heads/bootsplash.jpg (We don't care about the size. Make filename generic)
- Adapt all coreboot configs so bootsplash is adapted by BRAND_NAME CONFIG_BOOTSPLASH_FILE="@BRAND_DIR@/bootsplash.jpg"
  - Reminders :
    - Makefile changes Heads to defined BRAND_NAME in board config
    - Makefile changes -e 's!@BRAND_DIR@!$(pwd)/branding/$(BRAND_NAME)!g'
- nv41/nv50
  - coreboot oldefconfigs adapted by:
    - make BOARD=nitropad-ns50 coreboot.modify_and_save_oldconfig_in_place
    - make BOARD=nitropad-nv41 coreboot.modify_and_save_oldconfig_in_place
  - linux oldefconfigs adapted by
    - make BOARD=nitropad-nv41 linux.modify_and_save_oldconfig_in_place
      - since this is shared config across nv41/ns50: it only needs to be done for a single board

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-20 09:40:52 -05:00
Thierry Laurion
9d808b0347
Talos-2: bring changes to a working state outside of usage of GPG key material backup as of now
- Closes https://github.com/linuxboot/heads/pull/1452
- coreboot: Take Talos II 0.7 release coreboot config file that was inside of cbfs and use it as a base upstream.
- linux: Readd sysctl and proc requirements for cbmem to work.

TODO: fix gpg2 module so that the following doesn't happen (a ppc64 thing. Can't figure out why):

```
Adding generated key to current firmware and re-flashing...

Board talos-2 detected, continuing...
37281653053696daf2e40a8efe9451b557d9d6ab586830dc85f814bf2e03a05f  /tmp/talos-2.rom
Initializing Flash Programmer
Reading old flash contents. Please wait...
Flashing: [##################################################\] (100%)
Verifying flash contents. Please wait...
The flash contents were verified and the image was flashed correctly.

Signing boot files and generating checksums...

180726119: 000E452213510000005A
gpg: error running '//bin/dirmngr': probably not installed
gpg: failed to start dirmngr '//bin/dirmngr': Configuration error
gpg: can't connect to the dirmngr: Configuration error
gpg: no default secret key: No dirmngr
gpg: signing failed: No dirmngr
```
dirmngr is deactivated per configure statement --disable-dirmngr, and works as expected on x86

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-17 10:26:11 -05:00
tlaurion
1733552fe7
Merge pull request #1505 from JonathonHall-Purism/upstream_28.1_librem_11
Add support for Librem 11
2023-10-30 15:38:02 -04:00
Thierry Laurion
84899cf631
libgcrypt module: remove disable-asm
As on master otherwise with --disable-asm:

    config.status: executing gcrypt-conf commands

            Libgcrypt v1.10.1 has been configured as follows:

            Platform:                  GNU/Linux (x86_64-pc-linux-musl)
            Hardware detection module: none
            Enabled cipher algorithms: arcfour blowfish cast5 des aes twofish
                                       serpent rfc2268 seed camellia idea salsa20
                                       gost28147 chacha20 sm4
            Enabled digest algorithms: crc gostr3411-94 md4 md5 rmd160 sha1
                                       sha256 sha512 sha3 tiger whirlpool stribog
                                       blake2 sm3
            Enabled kdf algorithms:    s2k pkdf2 scrypt
            Enabled pubkey algorithms: dsa elgamal rsa ecc
            Random number generator:   default
            Try using jitter entropy:  yes
            Using linux capabilities:  no
            FIPS module version:
            Try using Padlock crypto:  n/a
            Try using AES-NI crypto:   n/a
            Try using Intel SHAEXT:    n/a
            Try using Intel PCLMUL:    n/a
            Try using Intel SSE4.1:    n/a
            Try using DRNG (RDRAND):   n/a
            Try using Intel AVX:       n/a
            Try using Intel AVX2:      n/a
            Try using ARM NEON:        n/a
            Try using ARMv8 crypto:    n/a
            Try using PPC crypto:      n/a

By disabling --disable-asm in libgcrypt 1.10.1:

    config.status: executing gcrypt-conf commands

            Libgcrypt v1.10.1 has been configured as follows:

            Platform:                  GNU/Linux (x86_64-pc-linux-musl)
            Hardware detection module: libgcrypt_la-hwf-x86
            Enabled cipher algorithms: arcfour blowfish cast5 des aes twofish
                                       serpent rfc2268 seed camellia idea salsa20
                                       gost28147 chacha20 sm4
            Enabled digest algorithms: crc gostr3411-94 md4 md5 rmd160 sha1
                                       sha256 sha512 sha3 tiger whirlpool stribog
                                       blake2 sm3
            Enabled kdf algorithms:    s2k pkdf2 scrypt
            Enabled pubkey algorithms: dsa elgamal rsa ecc
            Random number generator:   default
            Enabled digest algorithms: crc gostr3411-94 md4 md5 rmd160 sha1
                                       sha256 sha512 sha3 tiger whirlpool stribog
                                       blake2 sm3
            Enabled kdf algorithms:    s2k pkdf2 scrypt
            Enabled pubkey algorithms: dsa elgamal rsa ecc
            Random number generator:   default
            Try using jitter entropy:  yes
            Using linux capabilities:  no
            FIPS module version:
            Try using Padlock crypto:  yes
            Try using AES-NI crypto:   yes
            Try using Intel SHAEXT:    yes
            Try using Intel PCLMUL:    yes
            Try using Intel SSE4.1:    yes
            Try using DRNG (RDRAND):   yes
            Try using Intel AVX:       yes
            Try using Intel AVX2:      yes
            Try using ARM NEON:        n/a
            Try using ARMv8 crypto:    n/a
            Try using PPC crypto:      n/a

To support PPC crypto, it seems we will need yasm.
To support linux capabilities, libcap would be required as well later on. :/ another point for rng-tools (which also depends on libcap-ng)
2023-10-10 12:06:18 -04:00
Jonathon Hall
5021bec3cd
librem_11: Add loadkeys (from kbd), optionally enabled
Allow boards to optionally include loadkeys to set a custom keymap.
showkey and dumpkeys (normally only needed for development) can also be
optionally included.

Remove *.map from .gitignore; this was probably intended for build
artifacts that are now excluded via the build/ directory.

Add reboot and poweroff to shell history, which is useful for devices
lacking full hardware keyboards to escape the recovery shell with just
"up" and "enter".

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-09-29 15:29:19 -04:00
Jonathon Hall
010bd718aa
modules/coreboot: Update Purism branch to 4.21-Purism-2
Includes support for Librem 11.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-09-29 15:29:18 -04:00
Jonathon Hall
35c99fa93b
modules/fbwhiptail: Update to 1.3
Update to 1.3.  Includes navigation improvements for devices with just
up/down/Enter keys, for Librem 11.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-09-29 15:29:18 -04:00
tlaurion
8bd82a6e10
Merge pull request #1494 from JonathonHall-Purism/coreboot_purism_4.21
modules/coreboot: Update Purism coreboot to 24e2f7e4
2023-09-06 10:19:55 -04:00
tlaurion
2c3987f9a3
Merge pull request #1485 from Nitrokey/nx-nitropad
add Nitropad NV41/NS50 TPM2 boards (2nd)
2023-09-06 10:15:17 -04:00
Jonathon Hall
bde945ea57
modules/coreboot: Update Purism coreboot to 24e2f7e4
This is 4.21-Purism-1 plus a fix for native graphics init on Mini
v1/v2: HDMI1 is enabled so passive DisplayPort to DVI/HDMI adapters
will work.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-09-05 15:59:47 -04:00
tlaurion
8272d33e7c
Merge pull request #1482 from tlaurion/ease_tpm_disk_unlock_key_resealing_after_totp_mismatch-warn_and_die_changes
Ease TPM Disk Unlock Key sealing/resealing after TOTP mismatch (firmware upgrade) + warn and die changes
2023-09-05 11:48:50 -04:00
Thierry Laurion
2cc7164a99
nv41/ns50: coreboot+coreboot patch+CircleCI config: adapt to have nv41/ns50 build on top of #1417 and #1462
2023-09-05 17:13:56 +02:00
Markus Meissner
033333f288
modules/nitrokey-blobs: add
2023-09-05 17:13:56 +02:00