Commit Graph

323 Commits

Author SHA1 Message Date
Sergii Dmytruk
17f652da3b
config/linux-talos-2.config: don't enable IMA
It only extends PCR10 and logs it separately.

Added entries are to compensate disabling IMA which selects those config
options.

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2023-06-06 00:49:07 +03:00
Jonathon Hall
6d0cd94ba8
Enable CONFIG_NO_GFX_INIT in coreboot on i915 boards with Linux 5.10
We don't need coreboot to initialize graphics on this boards, this
eliminates some unneeded code and the gnat dependency for them.

Coreboot was using libgfxinit, but it was initializing in text mode.
Heads' kernel will then switch to graphics mode, and we hand that
framebuffer from i915 to the target kernel during kexec.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-04-27 12:50:29 -04:00
Jonathon Hall
a75ecdfc8d
t440p: Enable i915 kexec framebuffer fixes
Add CONFIG_DRM_FBDEV_LEAK_PHYS_SMEM and related kernel parameters to
t440p.  This board is already on kernel 5.10 and uses i915 graphics.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-04-19 10:34:29 -04:00
Jonathon Hall
cd4c1a0fdb
coreboot-librem*: Set framebuffer kernel params for Librems except L1UM
Allow leaking the DRM framebuffer pointer to userspace, and disable
framebuffer compression, like librem_15v4.

Tested booting memtest86+ and Debian netinstaller on Mini v2.

Do not enable this for L1UM, it uses Aspeed graphics which still don't
work.  qemu uses virtio graphics, which also are not working.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-04-19 10:32:23 -04:00
Jonathon Hall
2a2279b587
librem_15v4: Disable i915 compressed framebuffer
Compressed framebuffer requires the driver to track updates to the
framebuffer from the CPU and update the compressed framebuffer.  This
doesn't work if we kexec into an OS that will use the linear
framebuffer, so disable it.  (The OS kernel can still use compressed
framebuffer if it has i915.)

Linux 5.8 enabled compressed framebuffer on more chipsets using i915,
which is why this stopped working.

memtest86+ and Debian (manually blacklisted i915, comparable to
netinst) now boot correctly on Librem 15v4.  This will need to be
enabled for other boards too.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-04-18 17:00:03 -04:00
Jonathon Hall
abbc1b5dd8
linux: Allow kexec in userspace to get framebuffer address
kexec(8) needs to get the framebuffer address in order to set up the
new kernel's boot parameters.  This is one of the reasons that using a
>4.20 kernel in Heads prevents framebuffer graphics from working in the
OS kernel.

Linux 4.20 started hiding this address from userspace, because
userspace is not supposed to need physical memory addresses.  A
workaround was added to keep leaking the address, apparently for some
proprietary userspace OpenGL drivers.  This requires both a Kconfig and
a kernel parameter.

This commit enables the Kconfig on the librem_common config, and the
kernel parameter on the librem_15v4 (where I'm testing this).  We will
need to enable it on other >4.20 configs/boards as well.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-04-18 13:17:18 -04:00
tlaurion
8ff4b9a51b
Merge pull request #1319 from danielp96/master
Update busybox 1.32.0 to 1.33.2
2023-04-12 12:36:46 -04:00
tlaurion
e32fc91baf
Merge pull request #1358 from ThePlexus/p8z77-m_pro 2023-04-11 18:59:52 -04:00
ThePlexus
668d7739ce
change default loglevel 2023-04-04 16:13:19 +01:00
Krystian Hebel
3c6efd1f47
config/coreboot-talos-2.config: update for new tree
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-03-30 21:04:01 +02:00
Krystian Hebel
a76e8e58c0
config/linux-talos-2.config: enable coreboot drivers and convert to defconfig
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-03-30 21:04:01 +02:00
ThePlexus
c67cf7c47e Add ASUS P8Z77-M Pro board 2023-03-30 10:28:40 +01:00
tlaurion
2995376cda
Merge pull request #1339 from tlaurion/single_talos_2_board
Talos II - Have single board config
2023-03-20 14:46:38 -04:00
Thierry Laurion
445ca053fb
Talos II - Have single board config
- Based on initial server board
- Uses whiptail as opposed to fbwhiptail (was slow and output fuzzy)
 - Simple fix to have dual KVM(BMC) and vga output for consoles

Reasoning for dropping fbwhiptail support is that:
- it is impossible to output framebuffer content through remote BMC console.
- A workstation board config could output to fbwhiptail for VGA and give remote recovery shell access through BMC
  - If someone shows interest for that, qemu-coreboot-tpm boards can be used as reference.
  - slowness/fuzzyness of fbwhiptail output through AST would still need to be fixed in kernel drivers. Not a priority here.

Limitation:
- Since whiptail is sent to both consoles:
 - If one console goes to recovery shell, recovery shell access invalidate TPM PCR4 measurements.
   - The other console won't be aware that TPM measurements were invalidated, and will consequently:
     - not be able to unseal TOTP if refreshed
     - not be able to unseal TPM disk unlock key on default boot
   - A reboot will fix this.
2023-03-13 14:33:03 -04:00
Thierry Laurion
536f4a1623
Small cosmetic/typo related changes, ccache enablement for coreboot and reduction of unseal attempts
gui-init: do not consume two unseal attempt to unseal both totp and hotp + cosmetic changes (slow down TPM DA lockout)
kexec-seal-key: Add DEBUG statement for PCR precalc
seal-totp: add DEBUG statements regarding skipping of PCR5 and PCR6 involvement into TOTP/HOTP sealing ops
seal-hotpkey: Add DEBUG statements related to reuse of TOTP sealed secret
tpmr: add DO_WITH_DEBUG calls to output pcrread and extend calls
tpmr: typo correction stating TRACE calls for tpm2 where it was for tpm1
tpmr: add DO_WITH_DEBUG calls for calcfuturepcr
functions: Cosmetic fix on pause_recovery asking user to press Enter to go to recovery shell on host console when board defines CONFIG_BOOT_RECOVERY_SERIAL

Not so related but part of output review and corrections:
kexec-insert-key: cosmetic changes prepending "+++" to disk related changes
kexec-save-default: cosmetic changes prepending "+++" to disk related changes
config/coreboot-qemu-tpm*.config: add ccache support for faster coreboot rebuild times
2023-03-10 12:11:57 -05:00
Jonathon Hall
c9df49ad20
modules/bash: Include bash in all builds, remove CONFIG_BASH
Include bash in all builds.  Remove CONFIG_BASH.

Remove CONFIG_BASH_IS_ASH from busybox configuration and clean up hacks
in modules/bash.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:52 -05:00
Thierry Laurion
6923fb5e20
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards
-coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations)
-swtpm set to be launched under TPM v2.0 mode under board config
-Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized)
This is skeleton for TPM v2 integration under Heads

-------------
WiP

TODO:
- libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built
- Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing
- init tries to bind fd and fails currently
- Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output
- When no OS' /boot can be mounted, do not try to TPM reset (will fail)

- seal-hotpkey is not working properly
- setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM)
  - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase.
- primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup
- would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only
- tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help.
  - Implementing them would be better
- REVIEW TODOS IN CODE
- READD CIRCLECI CONFIG

Current state:
- TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid)
- TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without.
 - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails.

- Current tests are with fbwhiptail (no clear called so having traces on command line of what happens)
 - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
2023-03-08 12:45:43 -05:00
tlaurion
3ac896bb67
Merge pull request #1282 from rbreslow/rb/support-t440p 2023-02-28 15:23:16 -05:00
Daniel Pineda
17ac64bdf1
Replace base32 from tpmtotp with the one from busybox, disable unused base64.
Signed-off-by: Daniel Pineda <daniel.pineda@puri.sm>
2023-02-21 14:34:35 -06:00
Matt DeVillier
0e356e43cb
modules/busybox: update 1.32.0 -> 1.33.2 (stable)
- update module version, hash
- rename patch
- update config

Busybox 1.33.0 adds base32, which has been disabled in busybox.config
as it conflicts with tpmtotp's base32.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-02-21 14:34:27 -06:00
Thierry Laurion
03631a5e33
xx30: rename legacy boards names, remove coreboot config duplicates 2023-02-09 12:50:56 -05:00
Thierry Laurion
225741b4cd
remove coreboot-hotp* duplicates, have boards configs point to non-hotp maximized equivalents 2023-02-09 12:34:33 -05:00
Thierry Laurion
e7f1e3e7a7
xx20/xx30 maximized coreboot configs: Fix CONFIG_CBFS_SIZE to reflect ifd.bin's BIOS regions.
The calculations outlined at https://github.com/osresearch/heads/pull/1282#discussion_r1072473677
Sums to having 'ifdtool -f layout.txt ifd_shrinked.bin && cat layout.txt'
The example for T440p:
00000000:00000fff fd
00021000:00bfffff bios
00003000:00020fff me
00001000:00002fff gbe

Here: 00bfffff-00021000=BDEFFF
Which is exact result of @rbeslow's calculations.

There is an issue on haswell, maybe because of car, maybe because of non native memory init blob.
But this is not the case for xx20/xx30 boards.
2023-02-09 12:28:59 -05:00
Thierry Laurion
2b05a6b42c
Add x230-maximized-fhd_edp and x230-hotp-maximized-fhd_edp boards
- add x230-maximized-fhd_edp and x230-hotp-maximized-fhd_edp board configs
- add/rework coreboot patch for x230 fhd variant to be applied on top of 4.13
- add coreboot config to point to x230-edp variant, fixing path to vbt file since default path is wrong under. Comment made upstream https://review.coreboot.org/c/coreboot/+/28950/22#message-4904ce82f01ba0505b391e072e4537b6a9f1a229
  - remove no gfx init and replace with libgfxinit(defonfig default), set internal display as default
- add x230-hotp-maximized-fhd_edp and x230-maximized-fhd_edp to CircleCI builds
- One single shared coreboot config between boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config and boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config
- Coreboot 4.13 patch from coreboot at patches/coreboot-4.13/0002-x230-fhd-variant.patch
- config/coreboot-x230-maximized-fhd_edp.config points to seperate coreboot config per patch (CONFIG_BOARD_LENOVO_X230_EDP)
2023-01-31 09:58:43 -05:00
Rocky Breslow
7a29db11ed
t440p: disable NVMe support in Linux kernel
I went through all of the different options we copied from the Librem
config. The only thing that stood out as irrelevant was NVMe support.
However, I'm not a Linux kernel expert, and I didn't do a deep dive, so
I'm sure there is still room for improvement.
2023-01-23 22:28:32 -05:00
Rocky Breslow
c23ed548ff
Clone linux-librem_common.config for T440p 2023-01-20 17:09:09 -05:00
Rocky Breslow
24d23ff47c
Add intel_iommu=igfx_off to T440p Coreboot kernel parameters
Without this, neither Qubes OS nor the Qubes OS installer would start.
Presumably, because we're "kexecing" from an already running kernel, we
need this set at the Coreboot level? Testing revealed that including
`intel_iommu=igfx_off` in the `CONFIG_BOOT_KERNEL_ADD` board config
option did nothing. And, the Qubes OS default boot option already
contains `intel_iommu=igfx_off`.

See:
- https://www.qubes-os.org/doc/installation-troubleshooting/#not-asking-for-vnc-because-we-dont-have-a-network--x-startup-failed-aborting-installation--pane-is-dead-error-during-installation
- https://github.com/Qubes-Community/Contents/blob/master/docs/troubleshooting/intel-igfx-troubleshooting.md
- https://www.kernel.org/doc/html/v5.10/x86/intel-iommu.html?highlight=igfx_off#graphics-problems
2023-01-18 15:27:45 -05:00
Rocky Breslow
f0792117ef
Adjust T440p default Coreboot defconfig options
Remove options that haven't deviated from defaults in the Coreboot
Kconfig, despite being saved by `make savedefconfig`. Also, add
`CONFIG_BOARD_LENOVO_THINKPAD_T440P`, which was missing from the `make
savedefconfig` output, causing Heads builds to fail. And finally, bump
`CONFIG_CBFS_SIZE` to `0x800000` (8 MiB to bytes to hexadecimal).

This value for the CBFS size is arbitrary. Originally, I had totaled the
size of all binary blobs, subtracted that from the T440p's ROM size (12
MiB), and used the remaining space as the CBFS size (~11.68 MiB).
However, this caused very long RAM initialization times (courtesy of
`cbmem -t`). And, an anecdote in
https://groups.google.com/a/chromium.org/g/chromium-os-reviews/c/lUqRrGUoEBY/m/ka7L1f2BS8gJ
suggested that this value needs to be a power of 2.

So, I picked a size I expected our Linux payload to fit into that was a
power of 2 that I also expected would leave enough space in the ROM for
the IFD, ME, GbE, and Coreboot.

Now, it takes less than a second for RAM initialization after
flashing/first boot (anecdotally, it seems the MRC needs to be
"trained?").
2023-01-18 15:27:44 -05:00
Rocky Breslow
e325976569
Add initial T440p Coreboot defconfig
I generated this config by walking through Coreboot's `make menuconfig`.
The plan is to pare down verbose defaults and tweak from here.
2023-01-18 15:27:44 -05:00
Thierry Laurion
080d439758
qemu-coreboot-tpm boards: usage optimizations
- ROOT_DISK_IMG is now dynamic (ROOT_DISK_IMG=/path/to/existing/provisioned/disk.img can be reused across run statements)
- Addition of missing boards to cover all use cases
- All TPM1 boards rely on common config/coreboot-qemu-tpm1.config
- boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.md has been generalized
 - all other boards are softlinked to the above for usage
2023-01-11 15:38:30 -05:00
tlaurion
315febdf74
Merge pull request #1247 from tlaurion/Talos_II_enable_tpm
Talos II : add TPM module (coreboot config) as under dasharo
2022-12-08 10:11:49 -05:00
Thierry Laurion
9fc1f1c10b
Talos II : add TPM module as under 2207bbcccb 2022-11-24 10:23:29 -05:00
Victor Bessonov
cf791477e5
Reduced defconfig 2022-11-05 21:07:51 +03:00
Sergii Dmytruk
d0ef7e8c1f
Enable Infineon TPM1 for Talos-2 boards
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-09-01 00:28:16 +03:00
Sergii Dmytruk
72110e5915
Enable OpenBMC VGA console for Talos-2 boards
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-09-01 00:28:16 +03:00
Sergii Dmytruk
55ef9912aa
Add Talos 2 boards
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-08-31 00:21:28 +03:00
Sergii Dmytruk
fa8e8843c6
Expand @VAR@ placeholders in configuration files
This makes configs much less dependent on directory layout.

As of this commit the following variables are supported:
 * @BOARD_BUILD_DIR@ - absolute path under build/
 * @BLOB_DIR@ - absolute path to blobs/

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-08-25 13:58:40 +03:00
Jonathon Hall
2ca34803af
qemu: Add qemu-coreboot-whiptail-tpm1 configuration
This configuration uses a console interface instead of fbwhiptail, and
no USB token is required.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2022-08-24 13:04:07 -04:00
Jonathon Hall
ef3cd5c65f
qemu-coreboot-fbwhiptail-tpm1-hotp: Virtio video/storage, serial
Enable virtio video and storage.

Enable serial console and tweak kernel command line to show logs.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2022-08-24 13:04:07 -04:00
Jonathon Hall
64f194628f
qemu: Linux 5.10
Update to Linux 5.10 for improved virtio support.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2022-08-24 13:04:07 -04:00
Jonathon Hall
73eccb364a
qemu: Add qemu-coreboot-fbwhiptail-tpm1-hotp for complete testing in QEMU
Add qemu-coreboot-fbwhiptail-tpm1-hotp configuration, which has a 'run'
target to boot with a persistent TPM, disk, virtual USB disk, and USB-
forwarded token
Provide instructions for bootstrapping a complete working system in qemu

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2022-08-24 13:04:06 -04:00
Jonathon Hall
3e5fd6be75
qemu: Build ATA support into kernel, enable OHCI/UHCI
Set ATA and SATA configs to y, not m - modules weren't being loaded.  Other
configs also build these into kernel, so do the same for qemu.  Remove relevant
configs from boards since modules no longer need to be in initrd.

Enable OHCI and UHCI.  qemu forwards host USB devices over a UHCI controller.
This enables USB-forwarding a physical Librem Key or Nitrokey Pro to the VM.
Export CONFIG_LINUX_USB_COMPANION_CONTROLLER to have enable_usb() load the
modules - it wants both UHCI and OHCI modules, so build both.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2022-08-24 13:03:53 -04:00
Victor Bessonov
a221321b6a Allow gpg to select digest algo
EC signatures requires that the digest has the corresponding length. Removing the hardcoded sha2-256 hash function and adding support of sha2-384 and sha2-512 should allow using EC crypto.
2022-07-23 01:10:52 +03:00
Thierry Laurion
8e1eeebdee
maximized boards: add ps2mouse modules to maximized kernel cfg 2022-06-10 09:56:36 -04:00
Thierry Laurion
0bfd696fbf
xx20 and xx30: split kernel configs to legacy and maximized and board configs point to them 2022-06-10 09:52:07 -04:00
Thierry Laurion
6012e7724c
add new board x230-maximized_usb-kb
- this boards is a duplicate of x230-hotp-maximized with USB Keyboard support

Testing points:
- x230-hotp-maximized does not accept input from USB keyboard
- x230-hotp-maximized_usb-kb accepts input from USB keyboard
2022-04-05 14:09:44 -04:00
Thierry Laurion
b90f4f53a1
all linux configs: changing usb-hid support from Y to M
Testing point:
- All board configs not explicitely stating export CONFIG_USB_KEYBOARD=y should not have any impact
- librem_l1um, kgpe-d16_workstation-usb_keyboard, librem_mini_v2 and librem_mini will loose USB Keyboard input with this commit alone.
2022-04-05 13:39:29 -04:00
Thierry Laurion
c1409a8b75 config/coreboot-xx30(legacy platforms): add back microcode updates that were preventing vmx to work on i5 without them.
Fixes #1107
2022-02-18 14:13:42 -05:00
Thierry Laurion
065cbfda7b
boards/xx30-flash: change board configs to be solely include flashrom module.
Those boards now produce 4MB coreboot ROM and according CBFS small size, and remove the logic to extract 4Mb ROM out of the 12Mb rom which for some reason, was now misaligned.
config/coreboot-xx30-flash : remove all unnneded stuff to xx30-flash boards.
config/linux-x230-flash: used commonly for all xx30-flash boards, this is now finally saved with savedeconfig, and removes another bunch of unneeded stuff.

Tested working. Fixes #1095
2022-02-17 20:20:43 -05:00
eganonoa
a5b27e485f Adding explanatory notes re t530 and w530 dgpus
This commit adds explanatory notes  and updates existing t530 and w530 boards to generally align them with the dGPU points and provide signposting for those with and those without dGPU boards. It also adds an additional README in the blobs directory to explain the vbios extraction and building process.
2021-12-28 11:10:58 -05:00