Enabling DEBUG/TRACE options from board config vs from configuration menu is different.
When enabled in board config, /etc/config is from ROM, and sourced early and make TRACE/DEBUG calls appear early.
If added through configuration menu, those are /etc/config.user overrides extracted from CBFS and then sourced after combine_configs call
If for whatever reason early DEBUG is needed on a platform, enabling in board config is needed.
For runtime debugging, enabling Debug output from configuration menu is enough
As on master otherwise with --disable-asm:
config.status: executing gcrypt-conf commands
Libgcrypt v1.10.1 has been configured as follows:
Platform: GNU/Linux (x86_64-pc-linux-musl)
Hardware detection module: none
Enabled cipher algorithms: arcfour blowfish cast5 des aes twofish
serpent rfc2268 seed camellia idea salsa20
gost28147 chacha20 sm4
Enabled digest algorithms: crc gostr3411-94 md4 md5 rmd160 sha1
sha256 sha512 sha3 tiger whirlpool stribog
blake2 sm3
Enabled kdf algorithms: s2k pkdf2 scrypt
Enabled pubkey algorithms: dsa elgamal rsa ecc
Random number generator: default
Try using jitter entropy: yes
Using linux capabilities: no
FIPS module version:
Try using Padlock crypto: n/a
Try using AES-NI crypto: n/a
Try using Intel SHAEXT: n/a
Try using Intel PCLMUL: n/a
Try using Intel SSE4.1: n/a
Try using DRNG (RDRAND): n/a
Try using Intel AVX: n/a
Try using Intel AVX2: n/a
Try using ARM NEON: n/a
Try using ARMv8 crypto: n/a
Try using PPC crypto: n/a
By disabling --disable-asm in libgcrypt 1.10.1:
config.status: executing gcrypt-conf commands
Libgcrypt v1.10.1 has been configured as follows:
Platform: GNU/Linux (x86_64-pc-linux-musl)
Hardware detection module: libgcrypt_la-hwf-x86
Enabled cipher algorithms: arcfour blowfish cast5 des aes twofish
serpent rfc2268 seed camellia idea salsa20
gost28147 chacha20 sm4
Enabled digest algorithms: crc gostr3411-94 md4 md5 rmd160 sha1
sha256 sha512 sha3 tiger whirlpool stribog
blake2 sm3
Enabled kdf algorithms: s2k pkdf2 scrypt
Enabled pubkey algorithms: dsa elgamal rsa ecc
Random number generator: default
Enabled digest algorithms: crc gostr3411-94 md4 md5 rmd160 sha1
sha256 sha512 sha3 tiger whirlpool stribog
blake2 sm3
Enabled kdf algorithms: s2k pkdf2 scrypt
Enabled pubkey algorithms: dsa elgamal rsa ecc
Random number generator: default
Try using jitter entropy: yes
Using linux capabilities: no
FIPS module version:
Try using Padlock crypto: yes
Try using AES-NI crypto: yes
Try using Intel SHAEXT: yes
Try using Intel PCLMUL: yes
Try using Intel SSE4.1: yes
Try using DRNG (RDRAND): yes
Try using Intel AVX: yes
Try using Intel AVX2: yes
Try using ARM NEON: n/a
Try using ARMv8 crypto: n/a
Try using PPC crypto: n/a
To support PPC crypto, it seems we will need yasm.
To support linux capabilities, libcap would be required as well later on. :/ another point for rng-tools (which also depends on libcap-ng)
Squash of #1502 + moving logo/bootsplash files under branding/Heads
- Move logos and bootsplashes from blobs to branding/Heads/
- Makefile: add support for BRAND_DIR which depends on BRAND_NAME which defaults to Heads if no branding
- Boards coreboot configs: change bootsplash directory to depend on BRAND_DIR (instead of BLOBS_DIR) in bootsplash enabled configs
- Branding/Heads/bootsplash-1024x768.jpg points to branding/Heads/d-wid-ThePlexus_coreboot-linuxboot-heads_background-plain_DonateQrCode.jpg
- xcf file deleted. Original still under #1502 to reuse for modification without recompressing (blobs/heads.xcf)
- CREDITS file created to point to original authors, remixers (Open for details)
- Thanks to: @d-wid for remixing Bing's AI generated Janus logo, @ThePlexus for Qubes Box concept and @ThrillerAtPlay for its matrix background
Update all Librems except L1UM (but including L1UM v2) to Linux 6.1.8.
Use coreboot native graphics init. Raise maximum framebuffer size for
laptops to 3840x2160 (desktops default to this, but laptops default
to a lower value). Remove DRM modules from Linux 6.1.8 and add EFIFB.
Remove Heads kernel command line options relating to IOMMU and i915,
which are no longer needed. Remove OS kernel options relating to
IOMMU.
For Librem 13/15/14/Mini, this fixes issues booting with 4K displays
attached, which were resulting in crashes due to the framebuffer memory
not being reserved properly. memtest86+ now passes with a 4K display
attached.
For Librem L1UM v2, framebuffer boot now works.
Librem L1UM remains on Linux 5.10 with Heads kernel graphic init
(framebuffer boot still does not work). coreboot 4.11 has native
graphics init for Aspeed, but only in text mode. Backporting the
linear framebuffer support appears to be possible - the patch applied
cleanly - but it did not work initially and will need more
investigation.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Improve speed by pre-filtering only for lines containing any tokens of
interest to flashrom_progress_tokenize().
Improve reliability by avoiding dropping tokens that cross a stream
buffer boundary. Occasionally, a token could be missed if it crosses a
stream buffer boundary, due to read timing out too quickly before the
next buffer is flushed. If this was a state-changing token,
flashrom_progress() would hang forever.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Enable the coreboot CMOS option table, which initializes CMOS if the
checksum is not valid.
There is now a checksum in the CMOS layout since 4.21, update it when
updating the Mini v1/v2 EC power-on setting.
coreboot 4.21 will reset the CMOS settings during the first boot, since
there was no checksum in prior releases. Heads will restore the
automatic power-on setting during init based on config.user.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
This is 4.21-Purism-1 plus a fix for native graphics init on Mini
v1/v2: HDMI1 is enabled so passive DisplayPort to DVI/HDMI adapters
will work.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
* use GPG_ALGO as gpg key generation algorithm
* determine GPG_ALGO during runtime like this:
* if CONFIG_GPG_ALGO is set, use as preference
* adapt based on usb-token capabilities (currently only Nitrokey 3)
Rationale:
cpio -t alone cannot extract initrd past early cpio (microcode) in most packed initrd.
unpack_initramfs.sh already under master comes to the rescue, but its usage up to today was limited to pass firmware blobs to final OS under boards/librem_mini_v2
Debian OSes (and probably others) need to have cryptroot/crypttab overriden directly, otherwise generic generation of crypttab is not enough.
Extracting crypttab and overriding directly what is desired by final OS and exposed into /boot/initrd is the way to go otherwise hacking on top of hacks.
This brings default packed modules under Heads to 5 modules, which needs to be deactivate in board configs if undesired:
user@heads-tests-deb12:~/heads$ grep -Rn "?= y" modules/ | grep -v MUSL
modules/zlib:1:CONFIG_ZLIB ?= y
modules/zstd:3:CONFIG_ZSTD ?= y
modules/exfatprogs:2:CONFIG_EXFATPROGS ?= y
modules/busybox:2:CONFIG_BUSYBOX ?= y
modules/e2fsprogs:2:CONFIG_E2FSPROGS ?= y
Changes:
- As per master: when TOTP cannot unseal TOTP, user is prompted to either reset or regenerate TOTP
- Now, when either is done and a previous TPM Disk Unlock Key was setuped, the user is guided into:
- Regenerating checksums and signing them
- Regenerating TPM disk Unlock Key and resealing TPM disk Unlock Key with passphrase into TPM
- LUKS header being modified, user is asked to resign kexec.sig one last time prior of being able to default boot
- When no previous Disk Unlock Key was setuped, the user is guided into:
- The above, plus
- Detection of LUKS containers,suggesting only relevant partitions
- Addition of TRACE and DEBUG statements to troubleshoot actual vs expected behavior while coding
- Were missing under TPM Disk Unlock Key setup codepaths
- Fixes for #645 : We now check if only one slots exists and we do not use it if its slot1.
- Also shows in DEBUG traces now
Unrelated staged changes
- ash_functions: warn and die now contains proper spacing and eye attaction
- all warn and die calls modified if containing warnings and too much punctuation
- unify usage of term TPM Disk Unlock Key and Disk Recovery Key
