Commit Graph

2659 Commits

Author SHA1 Message Date
Thierry Laurion
fc874728f6
oem-factory-reset + seal-hotpkey: Give debug output to understand in what state is the USB Security dongle
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-19 14:30:55 -04:00
Jonathon Hall
00ce2f4d1c
ash_functions: Log board and version when entering recovery shell
Log the board and version when entering the recovery shell.  Extract
the firmware version logic from init.

Currently this is the only way to get the debug log.  If we add a way
from the GUI, we may want to log the board and version somewhere else
too.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-04-19 14:16:41 -04:00
Jonathon Hall
a767347afd
kexec-boot: Only capture kexec -d output to log, not console/kmsg
LOG() is added to log to the log only (not kmsg, more verbose than
TRACE).

DO_WITH_DEBUG only captures stdout/stderr to the log with LOG().

kexec-boot silences stderr from kexec, we don't want it on the console.

No need to repeat the kexec command when asking in debug to continue
boot, it's no longer hidden behind verbose output from kexec.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-04-19 14:14:54 -04:00
Jonathon Hall
d3656bbe65
kexec-boot, functions: Restore eval and DO_WITH_DEBUG that were deleted
`eval "$kexeccmd"` should become `DO_WITH_DEBUG eval "$kexeccmd"` when
adding DO_WITH_DEBUG, command invocation is still the same, still needs
eval.

Restore DO_WITH_DEBUG in front of kexec-parse-boot that had been
removed.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-04-19 13:48:27 -04:00
Jonathon Hall
d8810b7032
functions: DO_WITH_DEBUG: Label stderr/stdout more clearly
"$1 err:" looked like an error, but often there's output on stderr
that's diagnostic (like kexec -d).  "$1 stderr:" is clearer.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-04-19 13:31:29 -04:00
Jonathon Hall
015af7e6c7
functions: Add visibility to DO_WITH_DEBUG without affecting command
DO_WITH_DEBUG traces command exit status (if failed), stdout/stderr (if
not empty), and PATH (if command was not found).  The caller still
observes the exit status, and stdout/stderr still go to the caller as
well.

This way, DO_WITH_DEBUG can be inserted anywhere with minimal spam in
the logs and without affecting the script.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-04-19 10:29:43 -04:00
Thierry Laurion
ae5f9c5416
Improve DEBUG and DO_WITH_DEBUG output handling to also keep output of kexec -l when BOARD is in DEBUG+TRACE mode (configuration settings menu + flash)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-18 16:30:13 -04:00
Thierry Laurion
82179e4e98
Merge pull request #1638 from tlaurion/move_sleep_for_proper_dongle_detection
BUGFIX: ash_functions: move sleep 2 after all usb modules being loaded
2024-04-15 17:55:57 -04:00
Thierry Laurion
67f1dae840
ash_functions: move sleep 2 after all usb modules being loaded
Otherwise we get ehci-pci and xhci_hcd kernel messages in dmesg debug AFTER "Verifying presence of GPG card" which explains why dongle might not be found in time and fails in oem-factory-reset

Fixes https://github.com/Nitrokey/heads/issues/48

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-12 17:05:29 -04:00
Thierry Laurion
fb5cbf41a1
kexec-insert-key: refactor tampering check for encrypted disk keys prior of TPM unsealing ops
move code from kexec-unseal-key to kexec-insert-key, address code review and apply verbiage suggestion changes

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-11 14:50:40 -04:00
Thierry Laurion
f6232aa70f
Change disk encryption -> LUKS Disk Key and other relative/relative verbiage, remove irrelevant DEBUG trace under kexec-unseal-key
TODO:
- $(pcrs) call sometimes fail in DEBUG call, outputting too many chars to be inserted in kmesg. Call removed here since redundant (PCR6 already extended with LUKS header)
- Notes added for TPM2 simplification over TPM1 in code as TODO

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-11 14:44:13 -04:00
Thierry Laurion
adda59c675
LUKS header change validation at both sealing and unsealing of TPM Disk Unlock Key.
Fixes linuxboot#1092.
Supersedes linuxboot#1093

- Cherry-picks ed1c23a (credit to @hardened-vault, thank you!)
- Addresses and corrects self-review under linuxboot#1093 (@hardened-vault: you don't answer often here!)
  - kexec-unseal-key: Warn a user who attempts to default boot while his Disk Unlock Key passphrase fails to unseal because LUKS headers changed.
    (linuxboot#1093 (comment))
  - kexec-seal-key: Identical as in ed1c23a
  - kexec-add-key: Tell the user that the Headers did not change when changing TPM released Disk Unlock Key
    (Through changing default boot at Options->Boot Options -> Show OS boot options: select a new boot option
    and set a Disk Unlock Key in TPM, accept to modify disk and sign /boot options)
    - Here, we cancel the diff output shown on screen linuxboot#1093 (comment)
    - And we change the warning given to the user to past tense "Headers of LUKS containers to be unlocked via TPM Disk Unlock Key passphrase did not change."

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-11 14:44:07 -04:00
Thierry Laurion
8fcf1ddba8
Makefile: add real.gitclean target which calls 'git clean -fxd'
Ease cleaning up everything. IMHO better than real.clean target

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-11 14:39:11 -04:00
Thierry Laurion
be71430167
modules/tpm2-tools: Add TODO to uniformize live patching through sed calls as opposed to patch version specific autotools/configure scripts to force reproducible builds
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-09 12:39:20 -04:00
Thierry Laurion
ee1978ffc0
Merge pull request #1631 from 0xF4CED/tails-key-2024
Update tails.key
2024-04-04 14:45:15 -04:00
Jonathon Hall
a36070343f
Merge remote-tracking branch 'github-tlaurion/heads_panic_on_oom'
PR #1626
2024-04-04 10:08:21 -04:00
0xF4CED
f525b9337d
Update tails.key
Key expired: 2024-01-04
Replace with clean export of updated [Tails](https://tails.net/tails-signing.key) signing key.

Signed-off-by: 0xF4CED <24809481+0xF4CED@users.noreply.github.com>
2024-04-04 02:42:02 +02:00
Thierry Laurion
8208c86efe
modules/tpm2-tss: sed configure script to remove hardcoding of libs, move patch 3.2.0->3.2.2
disable static lib builds

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-03 13:48:58 -04:00
Thierry Laurion
ddef233708
modules-tpm2-tools: bump from 5.2->5.6 (removes need to hack around PACKAGE_VERSION string which configure.ac points to ./VERSION already
tpm2-tools-5.6 patch: comment out git versioning output under ./VERSION; module: output current version under ./VERSION instead. Document under module

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-03 13:48:52 -04:00
Thierry Laurion
d7915e1639
OpenSSL (libcrypto): patch so that crypto/buildinfo.h generated by perl script contains reproducible date and fake compiler_flags
hardcode VERSION='reproducible_build' into generated configure script to get rid of generate random git abbrev 8/12 chars (could not find source)
 patches/openssl-3.0.8.patch: clean up

tpm2-tools/tpm2-tss:
 hack configure scripts to not contain hardcoded libs and other rpath related strings, using sed instead of patching configure script like cryptsetup2 patch
  Will be cleaned up in other commits. Leaving here as trace for autotools sed patching for reproducible builds.

CircleCI: change working dir from project->heads so that CircleCI and local builds are from heads directory, helping reproducible builds

TODO: change other patches as well and generalize to gpg toolstack, removing patches that are a maintainership burden.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-03 13:48:47 -04:00
Thierry Laurion
18e7be8ab7
Makefile: add real.gitclean target which calls 'git clean -fxd'
Ease cleaning up everything. IMHO better than real.clean target

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-03 13:48:42 -04:00
Thierry Laurion
c73687a232
init: Adding checks for sysfs and runtime panic_on_oom=1
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-02 17:17:09 -04:00
Thierry Laurion
a051483c79
linux configs: align with purism; remove TMPFS, add sysctl requirements
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-01 16:15:16 -04:00
Thierry Laurion
05289c0989
Merge pull request #1604 from tlaurion/422_fhd
4.22.01 fhd patch merged upstream (4.24) + bump all 4.19 boards to 4.22.01
2024-03-25 21:36:33 -04:00
Thierry Laurion
7fe2f9dcb2
CircleCI: save_cache depends on librem_14 instead of nitropad-nv41 (so more boards can be built reusing cache and where nv41 will be rebuilt if coreboot level cache was not saved)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-03-25 16:40:21 -04:00
Thierry Laurion
9fcd5f8fe4
Move boards/UNTESTED_* boards to untested_boards/UNMAINTAINED_*, remove them from CircleCI, add Makefile helper and document untested_boards/README.md
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-03-25 16:05:57 -04:00
Thierry Laurion
b91eaeda97
boards aimed to bump at coreboot 4.22.01: switch TPM event log format to TCG
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-03-25 15:16:03 -04:00
Thierry Laurion
6d8939924e
patches/coreboot-4.22.01/0001-x230-fhd-variant.patch: adapt patch for Makefile.inc (Makefile.mk doesn't exist under 4.22)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-03-25 15:15:58 -04:00
Thierry Laurion
673b2f1340
modules/coreboot CircleCI: adapt to coreboot version bumps
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-03-25 15:15:52 -04:00
Thierry Laurion
f37b010ab1
patches/coreboot-4.22.01/0001-x230-fhd-variant.patch: update to upstream merged state
git fetch https://review.coreboot.org/coreboot refs/changes/50/28950/27 && git format-patch -1 --stdout FETCH_HEAD > ~/heads/patches/coreboot-4.22.01/0001-x230-fhd-variant.patch

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-03-25 15:15:47 -04:00
Thierry Laurion
fb616f416a
WiP 4.22.01 fhd patch test + bump all 4.19 boards to 4.22.01
- patches/coreboot-4.22.01/0001-x230-fhd-variant.patch created per
  - git fetch https://review.coreboot.org/coreboot refs/changes/50/28950/23 && git format-patch -1 --stdout FETCH_HEAD > ~/heads/patches/coreboot-4.22.01/0001-x230-fhd-variant.patch
- all boards configs bumped with:
  - grep -Rn 4.22 boards/ | awk -F "/" {'print $2'}| while read line; do make BOARD=$line coreboot.save_in_oldconfig_format_in_place ; done

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-03-25 15:14:42 -04:00
Jonathon Hall
ebdcc8523c
Merge branch 'silence-exfat-errors-for-iso9660'
PR #1602
2024-02-23 13:22:33 -05:00
Jonathon Hall
9d0431999f
Merge remote-tracking branch 'github-tlaurion/xx20_xx30_kernel_510_bump-tether'
PR #1384
2024-02-23 13:12:48 -05:00
Thierry Laurion
ebe9db4350
initrd/bin/network-init-recovery: kill dropbear unconditionally prior of starting it
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-02-23 12:17:47 -05:00
Jonathon Hall
2aeab5edbb
initrd/etc/ash_functions: ehci_pci/xhci-* aren't companion controllers
All boards with CONFIG_LINUX_USB=y ship ehci-* and xhci-*, they are
not controlled by CONFIG_LINUX_USB_COMPANION_CONTROLLER.  Always
insert them when initializing USB.  Fixes commit 35de2348

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-02-23 09:44:40 -05:00
Jonathon Hall
031f885aaa
initrd/bin/network-init-recovery: Trivial indentation fix
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-02-23 09:43:50 -05:00
Thierry Laurion
a5ab32b761
insmod: uniformize module name and lsmod output prior of comparing if module already insmodded (ehci-hcd.ko module name is ehci_hcd...)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-02-23 01:29:55 -05:00
Thierry Laurion
5f8cb5a159
initrd/bin/network-init-recovery: put usb tethering and ethernet activation in functions and ask user prior of using each mode
Also remove output of attempted module loading since DEBUG will show if needed
Remove timeout after 30 seconds to unify UX and block
Change UX wording

Should address all PR review comments

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-02-23 01:29:45 -05:00
Thierry Laurion
35de23483a
etc/ash_functions: remove redundant lsmod prior of insmod
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-02-22 15:29:38 -05:00
Thierry Laurion
bec2545688
insmod: check if module already loaded and if so exit early
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-02-22 14:15:06 -05:00
Jonathon Hall
65f0b905f6
boards/librem*, config/linux-librem*: Enable mobile tethering
Enable mobile tethering on all Librem boards.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-02-22 12:35:41 -05:00
Thierry Laurion
9b69f1b66a
boards/x230-hotp-maximized_usb-kb/x230-hotp-maximized_usb-kb.config: unify with x230-hotp-maximized
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-02-21 13:50:28 -05:00
Thierry Laurion
7cbcdd8ed7
Tethering refresh for CDC NCM/CDC EEM mobile phones (tested on GrapheneOS Pixel 6a, no more RNDIS support)
- Add additional requirements to linux config
- Add additional CONFIG_MOBILE_TETHERING=y to all maximized board configs
- Fix issue under network-recovery-init to NTP sync against NTP server pool
- Extend network-recovery-init to first try NTP sync against DNS server returned by DHCP answer
- Remove network-recovery-init earlytty and tty0 redirection (console should be set up properly by init in all cases)
- If CONFIG_MOBILE_TETHERING=y added to board config and network-recovery-init called, wait to user input on instructions and warning 30 secs before proceeding (non-blocking)
- Machines having STATIC_IP under board config won't benefit of automatic NTP sync

Since network-recovery-init can only be called from recovery shell now, and recovery shell can be guarded by GPG auth, this is PoC code to be used to complement TOTP being out of sync

TODO(Future PR):
- Refactor into functions and reuse into TOTP/HOTP being out of sync automatically.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-02-21 13:50:18 -05:00
Thierry Laurion
95f9636a1a
Merge pull request #1614 from Dasharo/fix_openssl_compilation
modules/openssl: remove libgcc path hack
2024-02-16 13:32:34 -05:00
Michał Kopeć
4af780864f
modules/openssl: remove libgcc path hack
Passing the path to libgcc in LDFLAGS appears to no longer be needed.
Removing this fixes compilation on a freshly cloned repo.

Fixes #1507

Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
2024-02-16 08:18:42 +01:00
Jonathon Hall
a6228b9843
functions: Improve detect_boot_device to silence exFAT errors
When testing a possible boot device, detect its partition type and
skip grub, LUKS, and LVM partitions.  These aren't mountable as /boot,
this silences spurious exFAT errors.

In detect_boot_device, skip testing CONFIG_BOOT_DEV a second time if it
is found as a block device.  This avoids doubling any errors shown from
checking this device, no sense trying it twice.

Refactor some logic to avoid duplication - extract
device_has_partitions and use it in detect_boot_device, extract
mount_possible_boot_device and use it instead of duplicating the logic.

Move find_lvm_vg_name() to /etc/functions.

Avoid mixing up similarly-named devices like 'nvme0n1'/'nvme0n10' or
'sda'/'sdaa' - it's probably unlikely that many devices will appear,
but looking for partitions in '/sys/class/block/<device>/' instead of
'/dev/' would avoid any collisions.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-02-02 17:14:33 -05:00
Jonathon Hall
8233c6f442
init: Silence exFAT errors when mounting iso9660; reorder exfat last
Since exFAT support was enabled, mounting an iso9660 filesystem prints
spurious exFAT errors to the console.  That is because busybox mount
tries all filesystems in the order listed, and exfat precedes iso9660
(those are the last two in our config).  Most filesystems are silent
when used on the wrong type of filesystem, but exFAT logs errors, which
appear on the console.

Move exFAT after iso9660, so iso9660 filesystems won't show these
errors.  The errors will still appear if the filesystem is actually
exFAT but cannot be mounted.

There's no significant risk of misdetecting a remnant iso9660
superblock here either.  Although an iso9660 superblock could fall in
the unused space between the exFAT boot region and the FAT itself,
mkfs.exfat does zero this space so it is unlikely such a remnant
superblock would exist.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-02-02 13:24:34 -05:00
tlaurion
5bff51952d
Merge pull request #1601 from tlaurion/switch_TRACE_to_TRACE_FUNC_everywhere_possible
all scripts: replace TRACE manual strings with dynamic tracing by bash debug
2024-02-01 16:13:45 -05:00
Thierry Laurion
40c34453df
all scripts: replace TRACE manual strings with dynamic tracing by bash debug
Exception: scripts sourcing/calls within etc/ash_functions continues to use old TRACE functions until we switch to bash completely getting rid of ash.
This would mean getting rid of legacy boards (flash + legacy boards which do not have enough space for bash in flash boards) once and for all.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-02-01 15:48:27 -05:00
tlaurion
5a75e6bffa
Merge pull request #1586 from JonathonHall-Purism/root-file-hash-qubes
Root file hashing: support Qubes default partition layout (+ tracing helpers)
2024-02-01 14:25:48 -05:00