Commit Graph

599 Commits

Author SHA1 Message Date
Johan Grip
ceb81944a1
Re-enabled x220 components in flashrom. 2017-05-01 10:49:40 -04:00
Johan Grip
186b641385
Inital test of a lenovo x220 port. Uses hardcoded paths for the blobs required. Uses a stripped ME blob. 2017-05-01 10:49:38 -04:00
Trammell Hudson
2cad84a768
make the ME a module (issue #194) 2017-05-01 10:47:24 -04:00
Francis Lam
1f8eaa696e
minor tweaks to config parsing 2017-04-29 21:50:10 -04:00
Francis Lam
efd662c63a
adds a USB boot option with basic parsing to kexec
Supports booting from USB media using either the root device or
a signed ISO as the boot device.  Boot options are parsed with
quick/dirty shell scripts to infer kexec params.

Closes #195 and begins to address #196
2017-04-29 13:40:34 -04:00
Trammell Hudson
7f600072ad
pass -ic option to tpm extend (issue #198) 2017-04-23 16:12:08 -04:00
Trammell Hudson
448d0731a9
cherry pick Linux config from zfs branch with multi-user set 2017-04-17 16:10:48 -04:00
Trammell Hudson
964b967c9e
Use kernel headers from our Linux kernel tree (issue #188) 2017-04-17 16:09:06 -04:00
Francis Lam
ad732939c3
load usb-storage module in x230-flash.init 2017-04-16 17:37:14 -04:00
Trammell Hudson
a71f84c08f
cbmem was not being built 2017-04-12 11:54:11 -04:00
Trammell Hudson
8f4455bc57
hardware token key 2017-04-12 09:50:08 -04:00
Trammell Hudson
4310b59686
fix patch for -p1 2017-04-12 09:30:08 -04:00
Trammell Hudson
bf95aa1839
use 0.3.0 release of tpmtotp 2017-04-12 08:46:56 -04:00
Trammell Hudson
9d4b7a5b73
print and update the timestamp on the TOTP while waiting for disk unlock code 2017-04-12 08:28:31 -04:00
Trammell Hudson
87b6f1e489
supress mlock error 2017-04-12 08:27:57 -04:00
Trammell Hudson
3fc174b0f7
totp program outputs the date 2017-04-12 08:12:31 -04:00
Trammell Hudson
782d4cdc7b
signing of files is now possible on the laptop 2017-04-12 07:04:25 -04:00
Trammell Hudson
353a0efe6f
Rework /init and qubes setup scripts (issue #27, #155, #32, #29, #110)
This adds support for seamless booting of Qubes with a TPM disk key,
as well as signing of qubes files in /boot with a Yubikey.

The signed hashes also includes a TPM counter, which is incremented
when new hashes are signed.  This prevents rollback attacks against
the /boot filesystem.

The TPMTOTP value is presented to the user at the time of entering
the disk encryption keys.  Hitting enter will generate a new code.

The LUKS headers are included in the TPM sealing of the disk
encryption keys.
2017-04-12 06:57:58 -04:00
Trammell Hudson
8464227aa1
use the external functions (issue #161) 2017-04-12 06:57:26 -04:00
Trammell Hudson
8d2d6ad6c3
helper to install qubes from the recovery shell (issue #27) 2017-04-12 06:55:22 -04:00
Trammell Hudson
6a734208b0
try creating NVRAM entry before prompting for owner password (issue #151) 2017-04-12 06:53:54 -04:00
Trammell Hudson
fa8c3abe98
put board configuration file into /etc/config 2017-04-12 06:52:35 -04:00
Trammell Hudson
122bacab37
use xen.gz since we have zlib support in kexec again (issue #170) 2017-04-12 06:50:57 -04:00
Trammell Hudson
84f1d0af39
copy file and compute sha256 before flashing 2017-04-12 06:50:18 -04:00
Trammell Hudson
7a9ab72144
import the seal/unseal totp scripts since they are very specialized to the heads install, skip owner password if not required (issue #151) 2017-04-12 06:49:39 -04:00
Trammell Hudson
c5c47c6b1c
common recovery shell functions (issue #161) 2017-04-12 06:48:38 -04:00
Trammell Hudson
d73c92e63f
quiet down the boot process 2017-04-12 06:46:55 -04:00
Trammell Hudson
da9bde721c
add some color 2017-04-12 06:46:24 -04:00
Trammell Hudson
ea9b2c0da0
helper to do a forcible TPM reset (issue #27) 2017-04-12 06:45:15 -04:00
Trammell Hudson
8c57ac59e7
x230-flash configuration and initialization 2017-04-11 07:16:20 -04:00
Trammell Hudson
51ecbdc8cb
"$@" does not expand correctly in test expressions, use "$*" instead (issue #181) 2017-04-11 06:31:25 -04:00
Trammell Hudson
c19193d7c6
check for TPM program and device before loading modules (issue #181) 2017-04-10 17:48:52 -04:00
Trammell Hudson
b6eaa5c295
remember to add /dev to /etc/fstab 2017-04-10 17:48:20 -04:00
Trammell Hudson
1744612df6
mount only takes one filesystem 2017-04-10 13:11:19 -04:00
Trammell Hudson
4c982856a3
add /etc/fstab and /etc/mtab to initrd image 2017-04-10 12:59:24 -04:00
Trammell Hudson
85f0586615
build xen for the qemu image so that we can test kexec 2017-04-10 12:59:07 -04:00
Trammell Hudson
4eab928339
Merge branch 'flammit-master' 2017-04-09 17:50:43 -04:00
Trammell Hudson
ca06e7598d Merge branch 'master' of https://github.com/flammit/heads into flammit-master 2017-04-09 17:49:36 -04:00
Francis Lam
a39a24665c
Fix coreboot build where gcc defaults to pie (issue #177)
See 8bbd596de6
2017-04-09 17:39:23 -04:00
Trammell Hudson
1043517371
typo in $(CROSS_TOOLS_NOCC), building xen with system ld (issue #173) 2017-04-09 16:09:17 -04:00
Trammell Hudson
132d26de05
do two make passes to avoid concurrency errors in lvm2 (issue #175) 2017-04-09 02:49:42 -04:00
Trammell Hudson
740f197487
Linux does not need the musl-libc, just the cross compiler (issue #175) 2017-04-09 02:11:18 -04:00
Trammell Hudson
4e88d5d59c
typo in gnupg, remove the install directory on a real.clean 2017-04-09 01:38:22 -04:00
Trammell Hudson
a2b0ef878e
add real.clean target and fix DAG for parallel top-level makes (issue #175) 2017-04-08 17:46:54 -04:00
Trammell Hudson
a42aaa37c6
xen depends on musl-cross (issue #175) 2017-04-08 17:46:21 -04:00
Trammell Hudson
8c3b5877a3
add bootstrap target to build cross compilers (issue #162) 2017-04-08 15:19:26 -04:00
Trammell Hudson
46a2ae8c2b
disable more unnecessary LVM components 2017-04-08 14:30:50 -04:00
Trammell Hudson
07eb5e9717
Define $(CROSS_TOOLS) to ensure reproducible builds (issue #173)
Each of the submodule configuration files defined a subset of the
cross compiler tools that it used and many were picking up the
system `ar`, `nm`, `strip, `ld`, etc.  They all now use a `Makefile`
macro that defines the path to the proper cross compiler tools.

For ones that need the tools, but not the musl-libc gcc,
there is $(CROSS_TOOLS_NOCC) that is all of them without gcc.
This is for musl-libc itself, as well as xen and the Linux kernel.
2017-04-08 13:23:34 -04:00
Trammell Hudson
ae6bed14a2
lvm Makefile was defining $(STRIP) (issue #174) 2017-04-08 13:21:14 -04:00
Trammell Hudson
c262de30a4
kexec/util/bin-to-hex needs to be HOST_CC, not LD (issue #173) 2017-04-08 13:20:40 -04:00