Commit Graph

414 Commits

Author SHA1 Message Date
Markus Meissner
d01c3ab7c9
boards: add nitropad-nv41 + nitropad-ns50 2023-09-05 17:13:56 +02:00
Thierry Laurion
f6eed42208
Add external/usb disk encryption (adds exfatprogs and e2fsprogs)
prepare_thumb_drive: default to creating 10% LUKS container on usb drive, prompts for passphrase is not provided and scan drives if no --device specified

NOTE: qemu usb_thumb drive of 128 mb are not big enough so that 10% of it (12mb) can be used to create thumb drive.

Adds:
- e2fsprogs to support ext4 filesystem creation through mke2fs
- add /etc/mke2fs.conf so that mke2fs knows how to handle ext2/ext3/ext4
- removes mke2fs support from busybox
- bump busybox to latest version which adds cpu accelerated hash functions (not needed per se here)
- Adds exfatprogs to have mkfs.exfat and fsck.exfat
- Adds prepare_thumb_drive /etc/luks-functions to be able to prepare a thumb drive with percentage of drive assigned to LUKS, rest to exfat
- Modify most board configs to test space requirements failing
- Talos2 linux config: add staging Exfat support
- Make e2fsprogs and exfatprogs included by default unless explicitely deactivate in board configs
- Change cryptsetup calls : luksOpen to open and luksClose to close to addresss review
- etc/luks_functions: cleanup

GOAL here is to have secure thumb drive creation which Heads will be able to use to backup/restore/use generated GPG key material in the future (next PR)
2023-08-28 16:23:48 -04:00
Thierry Laurion
5bf14d27de
linux-x230-maximized: readd CONFIG_CRYPTO_AES for x230i since i3 doesn't have INTEL AES NI cpu acceleration. 2023-08-22 08:56:53 -04:00
Thierry Laurion
8c366ef61d
coreboot configs: changeset needed to use efifb
- intel igpu related - remove i915drmfb hacks and use simplefb and libgfxinit enabled fb
- coreboot 4.19: add patch to fix https://ticket.coreboot.org/issues/500. fbwhiptail still tears screen if in native 1366x769 though
- coreboot 4.19: add patch to enable linux tampoline handle coreboot framebuffer (merged https://review.coreboot.org/c/coreboot/+/76431)
- coreboot 4.19: add patch to enable coreboot to apply jpeg voodoo to create bootsplash.jpeg injected in cbfs at build time + CircleCI apt imagemagick
  - (Thanks Nico Huber @icon again for above patches!)
- coreboot configs: adapt VESAFB/LIBGFXINIT to use maximum fb height/width
- coreboot configs for iGPU only: CONFIG_LINEAR_FRAMEBUFFER_MAX_HEIGHT CONFIG_LINEAR_FRAMEBUFFER_MAX_WIDTH to native size
- coreboot configs for dGPU based on Optional VBIOS injected: VESAFB set to 1280x1024 (maximum possible).

Details:
coreboot configs: remove CONFIG_LINUX_COMMAND_LINE="drm_kms_helper.drm_leak_fbdev_smem=1 i915.enable_fbc=0"
 - Those were needed to expose i915drmfb driver prior of efifb working.
2023-08-16 09:39:09 -04:00
Thierry Laurion
d3ea60f69e
linux configs: adapt to use efifb driver (Intel iGPU/qemu with bochs native gfxinit) 2023-08-15 17:24:34 -04:00
Jonathon Hall
ef85973109
librem_15v4: Include kbd, don't force eDP resolution in Heads kernel
Include kbd so the console font can be enlarged based on the display
resolution.

Don't force 1080p on the eDP output in Heads.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 14:40:09 -04:00
tlaurion
06b1b0948d
Merge pull request #1399 from d-wid/z220
Add HP Z220 CMT
2023-07-24 18:27:17 -04:00
d-wid
4d157493a3 Add HP Z220 CMT 2023-07-22 16:27:31 +02:00
Jonathon Hall
47e9e4cf45
Merge remote-tracking branch 'github-heads/master' into pureboot-27-heads-upstream 2023-07-12 14:14:17 -04:00
Thierry Laurion
38dfa73f7c
config/linux-talos-2.config: Disable CONFIG_XZ_DEC for archs other then POWERPC 2023-07-12 14:50:41 +02:00
Thierry Laurion
5272bf7e73
config/linux-talos-2.config: Enable POWER9 CPU 2023-07-12 14:50:41 +02:00
Thierry Laurion
f980a4e2fa
config/linux-talos-2.config: add PPC accelerated crypto options 2023-07-12 14:50:41 +02:00
Thierry Laurion
22609a7730
config/linux-talos-2.config: add x230-maximized crypto modules equivalents 2023-07-12 14:50:40 +02:00
Thierry Laurion
650090acdc
config/linux-talos-2.config: fix LOCALVERSION for reproducibility 2023-07-12 14:50:40 +02:00
Thierry Laurion
6ce1fb622f
config/linux-talos-2.config: saved in oldconfig format, no change 2023-07-12 14:50:37 +02:00
Jonathon Hall
252efc6945
Merge remote-tracking branch 'github-heads/master' into pureboot-27-heads-upstream 2023-07-07 15:57:34 -04:00
Thierry Laurion
4f367d90e6
Non-Intel linux configs: make sure AES is enabled (CONFIG_CRYPTO_AES_NI_INTEL won't work there)
kgpe-d16 linux configs: disable CONFIG_CRYPTO_AES_NI_INTEL (not avail on AMD)

This applied to Q35 qemu board which is AMD, not intel.
generic AES needs to be enabled on non-intel boards, otherwise cryptsetup doesn't know how to deal with xts-plain

Then saved back with linux.save_in_oldconfig_format_in_place
2023-07-06 15:35:55 -04:00
Jonathon Hall
4c8e445dcd
Merge remote-tracking branch 'github-heads/master' into pureboot-27-heads-upstream
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-05 14:32:16 -04:00
Jonathon Hall
048bec6ebb
modules/busybox: Enable truncate
Enable the truncate coreutil.

CONFIG_BASE64 and CONFIG_BASH_IS_NONE just changed =n vs. not-set by
menuconfig, meaning is still the same.

initrd.cpio.xz went up by 512 bytes on Librem Mini v2 (probably the
minimum xz increment).  busybox stripped binary did not change size.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-03 16:35:38 -04:00
Thierry Laurion
08d865ec6c
config/linux-*: remove CPU_ISOLATION since no observable gains as is without dynticks and isolcpus 2023-06-28 12:46:16 -04:00
Thierry Laurion
6245339200
linux-x230-legacy.config: Disable network related option while leaving CONFIG_NET active (crypto need)
Since legacy boards do not have e1000e as opposed to maximized builds (no network), we also deactivate:
+# CONFIG_INET is not set
+# CONFIG_ETHTOOL_NETLINK is not set
+# CONFIG_NETDEVICES is not set

This makes gpg24 and newer flashrom bump possible
2023-06-27 11:21:45 -04:00
Thierry Laurion
14e7a76aaa
coreboot config: correct CONFIG_INTEL_CHIPSET_LOCKDOWN behavior to make sure none locks 2023-06-27 11:21:41 -04:00
Thierry Laurion
4d7585536a
WiP: linux config global tweaks overhaul, unifying kernel configs and keeping important board related perks
CONFIG_PREEMPT_NONE=y: Remove preemptiveness for servers. Under heads, we are single tasking. No point having this big thing in kernel https://lwn.net/Articles/746780/
IO scheduler: only enable CONFIG_MQ_IOSCHED_DEADLINE=y since we want maximum throughput and do not have concurrent tasks
CONFIG_CPU_ISOLATION=y : Enable CPU Isolation accross all boards: this permits to make sure that the kernel tasks running on a CPU are not distrurbed bu user tasks
CONFIG_MULTIUSER not defined: Removing cluttering since we are single root user under Heads anyway
CONFIG_IO_URING=y : limit number of copy operations between kernel and user space from apps
CONFIG_ZONE_DMA not defined: relevant for older hardware (less then 32bit addressing space)
CONFIG_X86_MPPARSE not defined: relevant for older smp systems
CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE is enabled and SCHEDUTIL is disabled: we want performance with CPU sched with deadline IO.
CONFIG_PERF_EVENTS_INTEL_UNCORE and CONFIG_PERF_EVENTS_INTEL_CSTATE not defined: we want max perf on Heads
CONFIG_X86_VSYSCALL_EMULATION not defined: no need for syscall emulation under Heads
CONFIG_SECCOMP not defined : usefull if BPF is enabled and used.
CONFIG_ACPI_SPCR_TABLE=y : usefull for serial redirection table and earlycon
CONFIG_PCI_MMCONFIG CONFIG_MMCONF_FAM10H unset but for kgpe-d16 which is either fam10h of fam15h
CONFIG_DM_SNAPSHOT=y CONFIG_DM_THIN_PROVISIONING=y so that recovery shell can provide LVM/DM functionality in later PR.
CONFIG_EXFAT_FS=y so that exfat preformated thumb drives can work out of the box
Adjust CONFIG_HW_RANDOM per platform, removing CONFIG_HW_RANDOM_TIMERIOMEM
Only support processor family needed per board (AMD only AMD, Intel only Intel, removing CONFIG_CPU_SUP_HYGON CONFIG_CPU_SUP_HYGON CONFIG_CPU_SUP_CENTAUR CONFIG_CPU_SUP_ZHAOXIN CONFIG_CPU_SUP_ZHAOXIN everywhere
qemu: support both AMD and INTEL as an exception for the above.

Removed unused compiled modules unpacked under modules.cpio
Removed not needed crypto modules compiled in or as modules, reviewed from https://github.com/osresearch/heads/issues/1396#issuecomment-1538780319 :
CONFIG_CRYPTO=y
CONFIG_CRYPTO_ALGAPI=y
CONFIG_CRYPTO_ALGAPI2=y
CONFIG_CRYPTO_AEAD=y
CONFIG_CRYPTO_AEAD2=y
CONFIG_CRYPTO_SKCIPHER=y
CONFIG_CRYPTO_SKCIPHER2=y
CONFIG_CRYPTO_HASH=y
CONFIG_CRYPTO_HASH2=y
CONFIG_CRYPTO_RNG=y
CONFIG_CRYPTO_RNG2=y
CONFIG_CRYPTO_AKCIPHER2=y
CONFIG_CRYPTO_KPP2=y
CONFIG_CRYPTO_ACOMP2=y
CONFIG_CRYPTO_MANAGER=y
CONFIG_CRYPTO_MANAGER2=y
CONFIG_CRYPTO_USER=y
CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_NULL2=y
CONFIG_CRYPTO_CRYPTD=y
CONFIG_CRYPTO_AUTHENC=y
CONFIG_CRYPTO_SIMD=y
CONFIG_CRYPTO_GLUE_HELPER_X86=y
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_ECB=y
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_ESSIV=y
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_CRC32C=y
CONFIG_CRYPTO_CRC32C_INTEL=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_SHA1_SSSE3=y
CONFIG_CRYPTO_SHA256_SSSE3=y
CONFIG_CRYPTO_SHA512_SSSE3=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_AES_NI_INTEL=y
CONFIG_CRYPTO_USER_API=y
CONFIG_CRYPTO_USER_API_HASH=y
CONFIG_CRYPTO_USER_API_SKCIPHER=y
CONFIG_CRYPTO_USER_API_RNG=y
CONFIG_CRYPTO_USER_API_AEAD=y
CONFIG_CRYPTO_HASH_INFO=y
CONFIG_CRYPTO_LIB_AES=y
CONFIG_CRYPTO_LIB_SHA256=y
2023-06-27 11:21:35 -04:00
Thierry Laurion
da4c306d91
t440p p8z77-m_pro: pass to coreboot 4.19 and with comparable lockdown config to x230 + fix vbt path 2023-06-27 11:21:28 -04:00
Thierry Laurion
5710eafde4
coreboot configs: sandy/ivy/haswell : readd libgfxinit and bootsplash requirements
Remove CONFIG_NO_GFX_INIT from configs having CONFIG_NORTHBRIDGE_INTEL_SANDYBRIDGE=y
Add CONFIG_BOOTSPLASH_IMAGE from configs having CONFIG_NORTHBRIDGE_INTEL_SANDYBRIDGE=y
Add CONFIG_LINEAR_FRAMEBUFFER from configs having CONFIG_NORTHBRIDGE_INTEL_SANDYBRIDGE=y
Set BOOTSPLASH parameters to match bootsplash and jpeg requirements
 +CONFIG_LINEAR_FRAMEBUFFER_MAX_HEIGHT=768
 +CONFIG_LINEAR_FRAMEBUFFER_MAX_WIDTH=1024
 +CONFIG_BOOTSPLASH=y

Others paramaters defined per board default setting with coreboot.save_oldconfig_in_place helper
2023-06-27 11:21:25 -04:00
Thierry Laurion
00e715660a
linux configs for intel: select proper CPU and trust CPU randomization
CONFIG_MCORE2=y
CONFIG_RANDOM_TRUST_CPU=y
2023-06-27 11:21:18 -04:00
Thierry Laurion
cc9a4828ef
Remove qemu-coreboot and qemu-coreboot-fbwhiptail board+coreboot configs
qemu-coreboot-*-tpm* boards are way more feature rich to test/develops Heads
2023-06-27 11:21:15 -04:00
Thierry Laurion
dbc931e20e
config/linux* saved in oldconfig format to ease boards comparison for same kernel versions and across versions
kgpe-d16 linux configs: converted to oldconfig as well
TODO: talos-2
2023-06-27 11:21:12 -04:00
Thierry Laurion
f34d2dd7d7
bump qemu-tpm boards to coreboot 4.19 2023-06-27 11:21:09 -04:00
Thierry Laurion
c84a0f7e9c
config/coreboot-qemu-fbwhiptail: extend CBFS_SIZE to 0x7E7FFF to accomodate additioaally added DRM+FB for testing 2023-06-27 11:20:56 -04:00
Thierry Laurion
f2d0a6a9c6
config/coreboot-* : adapt i915drmfb driven boards framebuffer requirements
- add additional kernel boot params for i915 where needed:
  - adds : drm_kms_helper.drm_leak_fbdev_smem=1 i915.enable_fbc=0 ( to permit kexec into vesa fb of kexec'ed kernel for i915 driven gpus without framebuffer compression, leaking smem fbdev address for kexec to pickup )
2023-06-27 11:20:52 -04:00
Thierry Laurion
5fce7bf715
config/linux-qemu.config : add CONFIG_DRM_BOCHS=y and CONFIG_FB_SIMPLE=y for basic qemu-coreboot board config
advanced qemu-coreboot-*-tpm*-* boards enables virtio qemu/kvm through command line option.
qemu-coreboot-* (whiptail or fbwhiptail) basic boards are using bochs gpu emulation, provided through qemu

linux-qemu.config, if shared as of now, needs to provide both virtio (no need of FB_SIMPLE because DRM) and BOCHS+SIMPLE_FB
2023-06-27 11:20:49 -04:00
Thierry Laurion
e14d7c363f
config/linux-t440p.config : bump to 5.10.5 2023-06-27 11:20:46 -04:00
Thierry Laurion
7e6987aea0
config/linux-x230-*: migrate from 4.14 to 5.10 + add CONFIG_DRM_FBDEV_LEAK_PHYS_SMEM=y
It was impossible to use directly 4.14 defconfig and apply it to 5.10.
Saving 4.14 in oldconfig, then editing in 5.10 was necessary.
- E1000E module (as kernel module support...) was lost in conversion and needed to be added back.

Also tuned things up:
- legacy-flash has no RETPOLINE, no security policy at all. Has expected usb controllers modules, exFAT and bare minimal support for flashrom.
  - IMPORTANT: CONFIG_X86_IOPL_IOPERM kernel option is required by flashrom
- legacy adds sata, retpoline, additional modules (ethernet), security policy related material on top of legacy-flash config
- maximized adds MMC card support, mousedev+synaptic (to report presence through oem-system-info-xx30), thin provisioning+snapshot support
- tuned with linux.prompt_for_new_config_options_for_kernel_version_bump

Current storage format is oldconfig from now on for proper analysis. If needed, once can save back in defconfig prior of bumping to newer version.
2023-06-27 11:20:43 -04:00
Jonathon Hall
89858f52a9
Merge remote-tracking branch 'github-heads/master' into pureboot-27-heads-upstream
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 15:15:23 -04:00
Jonathon Hall
c5183253a6
Add CONFIG_BRAND_NAME and allow overriding in Makefile with BRAND_NAME
Use CONFIG_BRAND_NAME to control the brand name displayed in the UI.
Override by setting BRAND_NAME when building, either in the Makefile or
on the command line.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 14:47:59 -04:00
Jonathon Hall
6b111d813f
Add new board: Librem L1UM v2
Add Linux 6.1.8 configuration, used by Librem L1UM v2

Add coreboot configuration for Librem L1UM v2

Add Librem L1UM v2 board configuration

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:50 -04:00
Matt DeVillier
a5238b5823
config/coreboot.{librem_14,mini_v2}: enlarge CBFS for blob jail
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2023-06-21 13:26:45 -04:00
Matt DeVillier
0967fe3201
configs/busybox: enable lzma (de)compression
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2023-06-21 13:26:42 -04:00
Thierry Laurion
2dcf7fbd77
coreboot-qemu-tpm1.config: TPM1 coreboot activation got lost in last commit. Sorry 2023-06-21 11:44:06 -04:00
Thierry Laurion
9830c6c4ed
io386 platform lockdown: enable on sandy/ivy/haswell maximized board configs 2023-06-20 12:36:45 -04:00
Sergii Dmytruk
17f652da3b
config/linux-talos-2.config: don't enable IMA
It only extends PCR10 and logs it separately.

Added entries are to compensate disabling IMA which selects those config
options.

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2023-06-06 00:49:07 +03:00
Jonathon Hall
6d0cd94ba8
Enable CONFIG_NO_GFX_INIT in coreboot on i915 boards with Linux 5.10
We don't need coreboot to initialize graphics on this boards, this
eliminates some unneeded code and the gnat dependency for them.

Coreboot was using libgfxinit, but it was initializing in text mode.
Heads' kernel will then switch to graphics mode, and we hand that
framebuffer from i915 to the target kernel during kexec.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-04-27 12:50:29 -04:00
Jonathon Hall
a75ecdfc8d
t440p: Enable i915 kexec framebuffer fixes
Add CONFIG_DRM_FBDEV_LEAK_PHYS_SMEM and related kernel parameters to
t440p.  This board is already on kernel 5.10 and uses i915 graphics.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-04-19 10:34:29 -04:00
Jonathon Hall
cd4c1a0fdb
coreboot-librem*: Set framebuffer kernel params for Librems except L1UM
Allow leaking the DRM framebuffer pointer to userspace, and disable
framebuffer compression, like librem_15v4.

Tested booting memtest86+ and Debian netinstaller on Mini v2.

Do not enable this for L1UM, it uses Aspeed graphics which still don't
work.  qemu uses virtio graphics, which also are not working.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-04-19 10:32:23 -04:00
Jonathon Hall
2a2279b587
librem_15v4: Disable i915 compressed framebuffer
Compressed framebuffer requires the driver to track updates to the
framebuffer from the CPU and update the compressed framebuffer.  This
doesn't work if we kexec into an OS that will use the linear
framebuffer, so disable it.  (The OS kernel can still use compressed
framebuffer if it has i915.)

Linux 5.8 enabled compressed framebuffer on more chipsets using i915,
which is why this stopped working.

memtest86+ and Debian (manually blacklisted i915, comparable to
netinst) now boot correctly on Librem 15v4.  This will need to be
enabled for other boards too.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-04-18 17:00:03 -04:00
Jonathon Hall
abbc1b5dd8
linux: Allow kexec in userspace to get framebuffer address
kexec(8) needs to get the framebuffer address in order to set up the
new kernel's boot parameters.  This is one of the reasons that using a
>4.20 kernel in Heads prevents framebuffer graphics from working in the
OS kernel.

Linux 4.20 started hiding this address from userspace, because
userspace is not supposed to need physical memory addresses.  A
workaround was added to keep leaking the address, apparently for some
proprietary userspace OpenGL drivers.  This requires both a Kconfig and
a kernel parameter.

This commit enables the Kconfig on the librem_common config, and the
kernel parameter on the librem_15v4 (where I'm testing this).  We will
need to enable it on other >4.20 configs/boards as well.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-04-18 13:17:18 -04:00
tlaurion
8ff4b9a51b
Merge pull request #1319 from danielp96/master
Update busybox 1.32.0 to 1.33.2
2023-04-12 12:36:46 -04:00
tlaurion
e32fc91baf
Merge pull request #1358 from ThePlexus/p8z77-m_pro 2023-04-11 18:59:52 -04:00
ThePlexus
668d7739ce
change default loglevel 2023-04-04 16:13:19 +01:00
Krystian Hebel
3c6efd1f47
config/coreboot-talos-2.config: update for new tree
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-03-30 21:04:01 +02:00
Krystian Hebel
a76e8e58c0
config/linux-talos-2.config: enable coreboot drivers and convert to defconfig
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-03-30 21:04:01 +02:00
ThePlexus
c67cf7c47e Add ASUS P8Z77-M Pro board 2023-03-30 10:28:40 +01:00
tlaurion
2995376cda
Merge pull request #1339 from tlaurion/single_talos_2_board
Talos II - Have single board config
2023-03-20 14:46:38 -04:00
Thierry Laurion
445ca053fb
Talos II - Have single board config
- Based on initial server board
- Uses whiptail as opposed to fbwhiptail (was slow and output fuzzy)
 - Simple fix to have dual KVM(BMC) and vga output for consoles

Reasoning for dropping fbwhiptail support is that:
- it is impossible to output framebuffer content through remote BMC console.
- A workstation board config could output to fbwhiptail for VGA and give remote recovery shell access through BMC
  - If someone shows interest for that, qemu-coreboot-tpm boards can be used as reference.
  - slowness/fuzzyness of fbwhiptail output through AST would still need to be fixed in kernel drivers. Not a priority here.

Limitation:
- Since whiptail is sent to both consoles:
 - If one console goes to recovery shell, recovery shell access invalidate TPM PCR4 measurements.
   - The other console won't be aware that TPM measurements were invalidated, and will consequently:
     - not be able to unseal TOTP if refreshed
     - not be able to unseal TPM disk unlock key on default boot
   - A reboot will fix this.
2023-03-13 14:33:03 -04:00
Thierry Laurion
536f4a1623
Small cosmetic/typo related changes, ccache enablement for coreboot and reduction of unseal attempts
gui-init: do not consume two unseal attempt to unseal both totp and hotp + cosmetic changes (slow down TPM DA lockout)
kexec-seal-key: Add DEBUG statement for PCR precalc
seal-totp: add DEBUG statements regarding skipping of PCR5 and PCR6 involvement into TOTP/HOTP sealing ops
seal-hotpkey: Add DEBUG statements related to reuse of TOTP sealed secret
tpmr: add DO_WITH_DEBUG calls to output pcrread and extend calls
tpmr: typo correction stating TRACE calls for tpm2 where it was for tpm1
tpmr: add DO_WITH_DEBUG calls for calcfuturepcr
functions: Cosmetic fix on pause_recovery asking user to press Enter to go to recovery shell on host console when board defines CONFIG_BOOT_RECOVERY_SERIAL

Not so related but part of output review and corrections:
kexec-insert-key: cosmetic changes prepending "+++" to disk related changes
kexec-save-default: cosmetic changes prepending "+++" to disk related changes
config/coreboot-qemu-tpm*.config: add ccache support for faster coreboot rebuild times
2023-03-10 12:11:57 -05:00
Jonathon Hall
c9df49ad20
modules/bash: Include bash in all builds, remove CONFIG_BASH
Include bash in all builds.  Remove CONFIG_BASH.

Remove CONFIG_BASH_IS_ASH from busybox configuration and clean up hacks
in modules/bash.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:52 -05:00
Thierry Laurion
6923fb5e20
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards
-coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations)
-swtpm set to be launched under TPM v2.0 mode under board config
-Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized)
This is skeleton for TPM v2 integration under Heads

-------------
WiP

TODO:
- libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built
- Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing
- init tries to bind fd and fails currently
- Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output
- When no OS' /boot can be mounted, do not try to TPM reset (will fail)

- seal-hotpkey is not working properly
- setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM)
  - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase.
- primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup
- would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only
- tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help.
  - Implementing them would be better
- REVIEW TODOS IN CODE
- READD CIRCLECI CONFIG

Current state:
- TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid)
- TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without.
 - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails.

- Current tests are with fbwhiptail (no clear called so having traces on command line of what happens)
 - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
2023-03-08 12:45:43 -05:00
tlaurion
3ac896bb67
Merge pull request #1282 from rbreslow/rb/support-t440p 2023-02-28 15:23:16 -05:00
Daniel Pineda
17ac64bdf1
Replace base32 from tpmtotp with the one from busybox, disable unused base64.
Signed-off-by: Daniel Pineda <daniel.pineda@puri.sm>
2023-02-21 14:34:35 -06:00
Matt DeVillier
0e356e43cb
modules/busybox: update 1.32.0 -> 1.33.2 (stable)
- update module version, hash
- rename patch
- update config

Busybox 1.33.0 adds base32, which has been disabled in busybox.config
as it conflicts with tpmtotp's base32.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-02-21 14:34:27 -06:00
Thierry Laurion
03631a5e33
xx30: rename legacy boards names, remove coreboot config duplicates 2023-02-09 12:50:56 -05:00
Thierry Laurion
225741b4cd
remove coreboot-hotp* duplicates, have boards configs point to non-hotp maximized equivalents 2023-02-09 12:34:33 -05:00
Thierry Laurion
e7f1e3e7a7
xx20/xx30 maximized coreboot configs: Fix CONFIG_CBFS_SIZE to reflect ifd.bin's BIOS regions.
The calculations outlined at https://github.com/osresearch/heads/pull/1282#discussion_r1072473677
Sums to having 'ifdtool -f layout.txt ifd_shrinked.bin && cat layout.txt'
The example for T440p:
00000000:00000fff fd
00021000:00bfffff bios
00003000:00020fff me
00001000:00002fff gbe

Here: 00bfffff-00021000=BDEFFF
Which is exact result of @rbeslow's calculations.

There is an issue on haswell, maybe because of car, maybe because of non native memory init blob.
But this is not the case for xx20/xx30 boards.
2023-02-09 12:28:59 -05:00
Thierry Laurion
2b05a6b42c
Add x230-maximized-fhd_edp and x230-hotp-maximized-fhd_edp boards
- add x230-maximized-fhd_edp and x230-hotp-maximized-fhd_edp board configs
- add/rework coreboot patch for x230 fhd variant to be applied on top of 4.13
- add coreboot config to point to x230-edp variant, fixing path to vbt file since default path is wrong under. Comment made upstream https://review.coreboot.org/c/coreboot/+/28950/22#message-4904ce82f01ba0505b391e072e4537b6a9f1a229
  - remove no gfx init and replace with libgfxinit(defonfig default), set internal display as default
- add x230-hotp-maximized-fhd_edp and x230-maximized-fhd_edp to CircleCI builds
- One single shared coreboot config between boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config and boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config
- Coreboot 4.13 patch from coreboot at patches/coreboot-4.13/0002-x230-fhd-variant.patch
- config/coreboot-x230-maximized-fhd_edp.config points to seperate coreboot config per patch (CONFIG_BOARD_LENOVO_X230_EDP)
2023-01-31 09:58:43 -05:00
Rocky Breslow
7a29db11ed
t440p: disable NVMe support in Linux kernel
I went through all of the different options we copied from the Librem
config. The only thing that stood out as irrelevant was NVMe support.
However, I'm not a Linux kernel expert, and I didn't do a deep dive, so
I'm sure there is still room for improvement.
2023-01-23 22:28:32 -05:00
Rocky Breslow
c23ed548ff
Clone linux-librem_common.config for T440p 2023-01-20 17:09:09 -05:00
Rocky Breslow
24d23ff47c
Add intel_iommu=igfx_off to T440p Coreboot kernel parameters
Without this, neither Qubes OS nor the Qubes OS installer would start.
Presumably, because we're "kexecing" from an already running kernel, we
need this set at the Coreboot level? Testing revealed that including
`intel_iommu=igfx_off` in the `CONFIG_BOOT_KERNEL_ADD` board config
option did nothing. And, the Qubes OS default boot option already
contains `intel_iommu=igfx_off`.

See:
- https://www.qubes-os.org/doc/installation-troubleshooting/#not-asking-for-vnc-because-we-dont-have-a-network--x-startup-failed-aborting-installation--pane-is-dead-error-during-installation
- https://github.com/Qubes-Community/Contents/blob/master/docs/troubleshooting/intel-igfx-troubleshooting.md
- https://www.kernel.org/doc/html/v5.10/x86/intel-iommu.html?highlight=igfx_off#graphics-problems
2023-01-18 15:27:45 -05:00
Rocky Breslow
f0792117ef
Adjust T440p default Coreboot defconfig options
Remove options that haven't deviated from defaults in the Coreboot
Kconfig, despite being saved by `make savedefconfig`. Also, add
`CONFIG_BOARD_LENOVO_THINKPAD_T440P`, which was missing from the `make
savedefconfig` output, causing Heads builds to fail. And finally, bump
`CONFIG_CBFS_SIZE` to `0x800000` (8 MiB to bytes to hexadecimal).

This value for the CBFS size is arbitrary. Originally, I had totaled the
size of all binary blobs, subtracted that from the T440p's ROM size (12
MiB), and used the remaining space as the CBFS size (~11.68 MiB).
However, this caused very long RAM initialization times (courtesy of
`cbmem -t`). And, an anecdote in
https://groups.google.com/a/chromium.org/g/chromium-os-reviews/c/lUqRrGUoEBY/m/ka7L1f2BS8gJ
suggested that this value needs to be a power of 2.

So, I picked a size I expected our Linux payload to fit into that was a
power of 2 that I also expected would leave enough space in the ROM for
the IFD, ME, GbE, and Coreboot.

Now, it takes less than a second for RAM initialization after
flashing/first boot (anecdotally, it seems the MRC needs to be
"trained?").
2023-01-18 15:27:44 -05:00
Rocky Breslow
e325976569
Add initial T440p Coreboot defconfig
I generated this config by walking through Coreboot's `make menuconfig`.
The plan is to pare down verbose defaults and tweak from here.
2023-01-18 15:27:44 -05:00
Thierry Laurion
080d439758
qemu-coreboot-tpm boards: usage optimizations
- ROOT_DISK_IMG is now dynamic (ROOT_DISK_IMG=/path/to/existing/provisioned/disk.img can be reused across run statements)
- Addition of missing boards to cover all use cases
- All TPM1 boards rely on common config/coreboot-qemu-tpm1.config
- boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.md has been generalized
 - all other boards are softlinked to the above for usage
2023-01-11 15:38:30 -05:00
tlaurion
315febdf74
Merge pull request #1247 from tlaurion/Talos_II_enable_tpm
Talos II : add TPM module (coreboot config) as under dasharo
2022-12-08 10:11:49 -05:00
Thierry Laurion
9fc1f1c10b
Talos II : add TPM module as under 2207bbcccb 2022-11-24 10:23:29 -05:00
Victor Bessonov
cf791477e5
Reduced defconfig 2022-11-05 21:07:51 +03:00
Sergii Dmytruk
d0ef7e8c1f
Enable Infineon TPM1 for Talos-2 boards
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-09-01 00:28:16 +03:00
Sergii Dmytruk
72110e5915
Enable OpenBMC VGA console for Talos-2 boards
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-09-01 00:28:16 +03:00
Sergii Dmytruk
55ef9912aa
Add Talos 2 boards
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-08-31 00:21:28 +03:00
Sergii Dmytruk
fa8e8843c6
Expand @VAR@ placeholders in configuration files
This makes configs much less dependent on directory layout.

As of this commit the following variables are supported:
 * @BOARD_BUILD_DIR@ - absolute path under build/
 * @BLOB_DIR@ - absolute path to blobs/

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-08-25 13:58:40 +03:00
Jonathon Hall
2ca34803af
qemu: Add qemu-coreboot-whiptail-tpm1 configuration
This configuration uses a console interface instead of fbwhiptail, and
no USB token is required.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2022-08-24 13:04:07 -04:00
Jonathon Hall
ef3cd5c65f
qemu-coreboot-fbwhiptail-tpm1-hotp: Virtio video/storage, serial
Enable virtio video and storage.

Enable serial console and tweak kernel command line to show logs.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2022-08-24 13:04:07 -04:00
Jonathon Hall
64f194628f
qemu: Linux 5.10
Update to Linux 5.10 for improved virtio support.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2022-08-24 13:04:07 -04:00
Jonathon Hall
73eccb364a
qemu: Add qemu-coreboot-fbwhiptail-tpm1-hotp for complete testing in QEMU
Add qemu-coreboot-fbwhiptail-tpm1-hotp configuration, which has a 'run'
target to boot with a persistent TPM, disk, virtual USB disk, and USB-
forwarded token
Provide instructions for bootstrapping a complete working system in qemu

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2022-08-24 13:04:06 -04:00
Jonathon Hall
3e5fd6be75
qemu: Build ATA support into kernel, enable OHCI/UHCI
Set ATA and SATA configs to y, not m - modules weren't being loaded.  Other
configs also build these into kernel, so do the same for qemu.  Remove relevant
configs from boards since modules no longer need to be in initrd.

Enable OHCI and UHCI.  qemu forwards host USB devices over a UHCI controller.
This enables USB-forwarding a physical Librem Key or Nitrokey Pro to the VM.
Export CONFIG_LINUX_USB_COMPANION_CONTROLLER to have enable_usb() load the
modules - it wants both UHCI and OHCI modules, so build both.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2022-08-24 13:03:53 -04:00
Victor Bessonov
a221321b6a Allow gpg to select digest algo
EC signatures requires that the digest has the corresponding length. Removing the hardcoded sha2-256 hash function and adding support of sha2-384 and sha2-512 should allow using EC crypto.
2022-07-23 01:10:52 +03:00
Thierry Laurion
8e1eeebdee
maximized boards: add ps2mouse modules to maximized kernel cfg 2022-06-10 09:56:36 -04:00
Thierry Laurion
0bfd696fbf
xx20 and xx30: split kernel configs to legacy and maximized and board configs point to them 2022-06-10 09:52:07 -04:00
Thierry Laurion
6012e7724c
add new board x230-maximized_usb-kb
- this boards is a duplicate of x230-hotp-maximized with USB Keyboard support

Testing points:
- x230-hotp-maximized does not accept input from USB keyboard
- x230-hotp-maximized_usb-kb accepts input from USB keyboard
2022-04-05 14:09:44 -04:00
Thierry Laurion
b90f4f53a1
all linux configs: changing usb-hid support from Y to M
Testing point:
- All board configs not explicitely stating export CONFIG_USB_KEYBOARD=y should not have any impact
- librem_l1um, kgpe-d16_workstation-usb_keyboard, librem_mini_v2 and librem_mini will loose USB Keyboard input with this commit alone.
2022-04-05 13:39:29 -04:00
Thierry Laurion
c1409a8b75 config/coreboot-xx30(legacy platforms): add back microcode updates that were preventing vmx to work on i5 without them.
Fixes #1107
2022-02-18 14:13:42 -05:00
Thierry Laurion
065cbfda7b
boards/xx30-flash: change board configs to be solely include flashrom module.
Those boards now produce 4MB coreboot ROM and according CBFS small size, and remove the logic to extract 4Mb ROM out of the 12Mb rom which for some reason, was now misaligned.
config/coreboot-xx30-flash : remove all unnneded stuff to xx30-flash boards.
config/linux-x230-flash: used commonly for all xx30-flash boards, this is now finally saved with savedeconfig, and removes another bunch of unneeded stuff.

Tested working. Fixes #1095
2022-02-17 20:20:43 -05:00
eganonoa
a5b27e485f Adding explanatory notes re t530 and w530 dgpus
This commit adds explanatory notes  and updates existing t530 and w530 boards to generally align them with the dGPU points and provide signposting for those with and those without dGPU boards. It also adds an additional README in the blobs directory to explain the vbios extraction and building process.
2021-12-28 11:10:58 -05:00
eganonoa
a854144e2d Add support for t530 and w530 dGPU
This commit adds support for the t530 and w530 boards to enable dGPUs. dGPU's are required for DisplayPort external displays in the t530 dgpu model, and for both the VGA dn DisplayPort external displays in the W530 (which has two dGPUs, the K1000M and K2000M, hence two boards).  The commit does the following:

1. Adds automated extraction scripts for vbios modelled on the me script in the blobs directory (one per board is necessary as it is based on board-specific bios updates).
2. Adds specific boards for the various dGPU models and corresponding coreboot configs.
3. Updates circleci config.yaml to run scripts and test boards.

Tested and working on T530 dgpu and W530 K1000M. dGPU scripts tested on Debian 10 and Ubuntu 21.04
2021-12-28 11:10:58 -05:00
Matt DeVillier
7d83bfcbea config/coreboot-librem_14: Drop CONFIG_ANY_TOOLCHAIN
No longer needed

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-12-20 22:13:36 -05:00
Matt DeVillier
f23d218db1 config/coreboot-librem_{13*,15*}: Use iommu=pt for Heads kernel
Resolves issues booting Qubes 4.1-RC1 installer. Drop log level
to be consistent with the Librem 14/Mini v1/v2.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-12-20 22:13:36 -05:00
Matt DeVillier
c5d9fa484b boards/librem_*: Update to coreboot 4.15
Update all Purism Librem boards except the L1UM server
to coreboot 4.15:

- update coreboot version from 4.8.1/4.13 to 4.15
- use purism_blobs module (if not already)
- update board coreboot defconfig files (Librem 13/15)

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-12-20 22:13:36 -05:00
Thierry Laurion
415a08a732 board additions: w530, t530, t520 (hotp-maximized and maximized flavors only)
-CircleCI addition.
-Removal of t530-flash, w530-flash boards, flash scripts and associated coreboot configs (no more legacy boards additions)

This is a merger of #1071, #1072 and #1073 so that test builds are available over CircleCI until osresearch/master CircleCI gets unlocked.
2021-12-06 19:52:25 -05:00
eganonoa
ce435a4148 adding working w530 board, initrd and config files 2021-12-06 19:52:25 -05:00
eganonoa
66e5c23b13 adding working t530 board, initrd and config files 2021-12-06 19:52:25 -05:00
eganonoa
90984baca7 adding working t520 baord and configs 2021-12-06 19:52:25 -05:00
Thierry Laurion
2ddbd12f98 t4xx: coreboot fix of https://github.com/osresearch/heads/issues/1057#issuecomment-980244848 for #1015 2021-12-04 15:51:53 -05:00