Commit Graph

2092 Commits

Author SHA1 Message Date
tlaurion
3c492f94c1
Merge pull request #1428 from Dasharo/replay_pcrs_from_cbmem
initrd/bin/tpmr: replay PCR values from event log
2023-07-12 14:11:32 -04:00
Krystian Hebel
77eb9536d6
initrd/bin/tpmr: add debug for replay_pcr()
It also includes instructions for introspecting the replayed values
manually.

Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-07-12 14:57:44 +02:00
Krystian Hebel
f7066d020d
initrd/bin/gui-init: retry TOTP in case of error
On platforms using CONFIG_BOOT_EXTRA_TTYS multiple processes may try to
access TPM at the same time, failing with EBUSY. The order of execution
is unpredictable, so the error may appear on main console, secondary one,
or neither of them if the calls are sufficiently staggered. Try up to
three times (including previous one) with small delays in case of error,
instead of immediately scaring users with "you've been pwned" message.

Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-07-12 14:52:07 +02:00
Krystian Hebel
9a72749675
initrd/bin/talos-init: remove alias for cbmem and bump coreboot revision
Updated cbmem searches for CBMEM exposed by kernel in sysfs before
trying to read it from memory directly. As such, there is no need for
pointing to that file explicitly.

New coreboot revision also fixes output of 'cbmem -t' caused by wrong
endianness.

Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-07-12 14:50:54 +02:00
Krystian Hebel
d1a18f1f83
initrd/bin/tpmr: replay PCR values from event log instead of assuming their values
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-07-12 14:50:42 +02:00
Thierry Laurion
38dfa73f7c
config/linux-talos-2.config: Disable CONFIG_XZ_DEC for archs other than POWERPC
2023-07-12 14:50:41 +02:00
Thierry Laurion
5272bf7e73
config/linux-talos-2.config: Enable POWER9 CPU
2023-07-12 14:50:41 +02:00
Thierry Laurion
f980a4e2fa
config/linux-talos-2.config: add PPC accelerated crypto options
2023-07-12 14:50:41 +02:00
Thierry Laurion
22609a7730
config/linux-talos-2.config: add x230-maximized crypto modules equivalents
2023-07-12 14:50:40 +02:00
Thierry Laurion
650090acdc
config/linux-talos-2.config: fix LOCALVERSION for reproducibility
2023-07-12 14:50:40 +02:00
Thierry Laurion
6ce1fb622f
config/linux-talos-2.config: saved in oldconfig format, no change
2023-07-12 14:50:37 +02:00
tlaurion
2ad457bc65
Merge pull request #1439 from tlaurion/coreboot_411-fix_acpica_download_link_same_hash
coreboot 4.11 needs acpica which moved from acpica.org to intel.
2023-07-11 17:59:14 -04:00
Jonathon Hall
440dc5b61c
Merge remote-tracking branch 'github-heads/master' into pureboot-27-heads-upstream
2023-07-11 16:42:54 -04:00
Jonathon Hall
718be739eb
config-gui.sh: Reword Restricted Boot prompts
Simplify "enable" prompt a bit, clarify that firmware updating is
blocked, and remove mention of "failsafe boot mode".  Reword "disable"
prompt similarly.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-11 16:42:43 -04:00
Jonathon Hall
61609ff709
initrd/init: Prevent Restricted Boot bypass
The early recovery shell ("hold R") and serial recovery both could
bypass Restricted Boot since they occurred before config.user was
loaded.  Load config.user earlier before these recovery methods.

Executing a shell directly (if recovery failed) also would bypass
Restricted Boot, additionally leaking /tmp/secret.  Remove this from
the early recovery shell logic.  Also remove the final failsafe exec
and move the "just in case" recovery from normal boot here instead, in
case the regular init script fails.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-11 16:42:38 -04:00
Thierry Laurion
c3a2bc5578
coreboot 4.11 needs acpica which moved from acpica.org to intel. Download from distfiles.macports.org instead, same hash.
kgpe-d16 and librem-l1um depend on 4.11 still today in tree, even though building is successful only on debian-10.
Fixing so people building 4.11 today are still successful.

4.19+ already depends on github.com releases tarballs.
REF: https://review.coreboot.org/c/coreboot/+/76399
2023-07-11 16:16:01 -04:00
tlaurion
8d7d07a802
Merge pull request #1440 from JonathonHall-Purism/acpi-unix2-20220331-mirror
Use Intel mirror for acpi-unix2 20220331
2023-07-11 16:14:27 -04:00
Jonathon Hall
5c12c4d03b
coreboot-talos_2: Patch acpi-unix2 mirror to Intel
acpica.org now redirects to Intel and all links are broken.  Use
Intel's mirror of this archive.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-11 15:03:36 -04:00
Jonathon Hall
17c71ebd1e
coreboot-4.17: Patch acpi-unix2 mirror to Intel
acpica.org now redirects to Intel and all links are broken.  Use
Intel's mirror of this archive.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-11 15:02:18 -04:00
Jonathon Hall
e0234485f7
initrd/bin/flash.sh: Remove -s vestiges
The -s mode was removed, remove it from usage.  Remove the test to skip
checking for board flashrom options with -s mode.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-10 09:10:52 -04:00
tlaurion
473c235fba
Merge pull request #1436 from tlaurion/kexec_cosmetic_fixes
Kexec cosmetic fixes
2023-07-07 17:07:12 -04:00
Jonathon Hall
19610748d3
config-gui.sh: Fix truncated restricted boot prompt
The "disable restricted boot" prompt got slightly too long when fixing
the TPM wording.  Re-wrap that line to match the others.  Wrapping
could use some general cleanup but this is sufficient so the text isn't
truncated.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-07 16:39:55 -04:00
Jonathon Hall
157efc6b03
kexec-select-boot: Fix test for basic mode
The CONFIG_BASIC test was backwards, as a result it skipped the
LUKS disk unlock logic if basic mode was _not_ enabled.  This wasn't
observed in the PureBoot distribution because we disable the LUKS disk
unlock feature.

CONFIG_BOOT_REQ_ROLLBACK and CONFIG_BOOT_REQ_HASH logic was also
skipped incorrectly, though neither of these are enabled on any board
so this had no effect in the PureBoot distribution either.

Test basic with each bit of logic to eliminate duplication of the
kexec-boot call and fix the LUKS disk unlock feature.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-07 15:57:45 -04:00
Jonathon Hall
252efc6945
Merge remote-tracking branch 'github-heads/master' into pureboot-27-heads-upstream
2023-07-07 15:57:34 -04:00
Thierry Laurion
a324724172
kexec-2.0.26.patch: report to user in non-debug context that unsupported fb/drm driver is needed on OS initrd
2023-07-07 15:33:02 -04:00
Thierry Laurion
f289b11290
kexec-insert-key: have output line for Building initrd on a new line
2023-07-07 15:32:59 -04:00
Thierry Laurion
d9a2b17dec
kexec-boot: display kexec command to be executed in DEBUG mode and permit to abort call.
2023-07-07 15:32:01 -04:00
tlaurion
3747d58510
Merge pull request #1434 from tlaurion/non-intel_readd-AES-for-cryptsetup
Non-Intel linux configs: make sure AES is enabled (CONFIG_CRYPTO_AES_NI_INTEL won't work there)
2023-07-06 16:00:00 -04:00
Thierry Laurion
4f367d90e6
Non-Intel linux configs: make sure AES is enabled (CONFIG_CRYPTO_AES_NI_INTEL won't work there)
kgpe-d16 linux configs: disable CONFIG_CRYPTO_AES_NI_INTEL (not avail on AMD)

This applied to Q35 qemu board which is AMD, not intel.
generic AES needs to be enabled on non-intel boards, otherwise cryptsetup doesn't know how to deal with xts-plain

Then saved back with linux.save_in_oldconfig_format_in_place
2023-07-06 15:35:55 -04:00
Jonathon Hall
f089ca20af
.circleci/config.yml: Persist build/x86/coreboot-git in cache
Librem boards now use Purism's coreboot distribution cloned from git,
persist it in CI cache.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-06 13:24:32 -04:00
Jonathon Hall
99673d373d
seal-hotpkey: Try default PIN only for 1 month and if >=3 attempts left
Only try the default PIN automatically for 1 month after key creation.
This simplifies initial ownership but still encourages changing the
PIN.

Never enter a PIN automatically if fewer than 3 attempts remain, to
avoid causing lockout if the PIN has been changed.

Remind what the default PIN was if it is not attempted for either
reason.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-06 13:22:40 -04:00
Jonathon Hall
4c8e445dcd
Merge remote-tracking branch 'github-heads/master' into pureboot-27-heads-upstream
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-05 14:32:16 -04:00
Jonathon Hall
9458ec8771
modules/fbwhiptail: Update to 99fe815f (AVX fast copy branch)
Uses AVX for fast copy instead of AVX2, enabling fast copy on
Sandy/Ivy Bridge.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-05 14:20:38 -04:00
tlaurion
41216d7795
Merge pull request #1433 from JonathonHall-Purism/fix-qemu-documentation
qemu-coreboot-fbwhiptail-tpm1-hotp: Fix truncated documentation lines
2023-07-05 14:14:43 -04:00
Jonathon Hall
17724f9baa
qemu-coreboot-fbwhiptail-tpm1-hotp: Fix truncated documentation lines
A few lines in the documentation got truncated somehow.  Restored the
swtpm instructions from some notes and rewrote the others.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-05 14:11:34 -04:00
tlaurion
b049686757
Merge pull request #1432 from tlaurion/rename_t420-maximized_boards
Remove t420-maximized and t420-hotp-maximized as untested boards
2023-07-05 11:46:46 -04:00
Thierry Laurion
5db4165652
Rename UNTESTED_t420-maximized and UNTESTED_t420-hotp-maximized back to maximized board names.
2023-07-05 10:38:18 -04:00
Jonathon Hall
0a35ef912f
Use 160 bits of ROM hash for TPM-less HOTP secret (up from 80)
HOTP/TOTP secrets don't have to be printable.  Use binary data to
include 160 bits of entropy instead of just 80.

The secret is still limited to 20 bytes.  Most keys now support up to
40 bytes, but tpmtotp is still limited to 20 bytes.

Move the truncation to 20 bytes a bit later, for future improvements to
detect the key's actual limit.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-05 10:18:06 -04:00
Jonathon Hall
75cb8a070f
initrd/bin/flash.sh: Remove '-s' "SHA-256" mode
flash.sh had a special mode to read (like -r) and then sha256sum the
resulting file.  This is no different from just a read followed by a
sha256sum, and the only caller also had logic to sha256sum a cached
file anyway.

Just use flash.sh -r and sha256sum the result.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-05 10:17:31 -04:00
tlaurion
dba8f6a994
Merge pull request #1398 from tlaurion/staging_all
2023-07-04 18:56:46 -04:00
Thierry Laurion
f8cb3db775
untested boards: move and rename untested boards, while still building them with CircleCI if they were currently built.
Non-impactful action, first step for #1421 based on participation in testing of #1398 and prior non-tested PRs.

EDIT: last minute readd of x220-maximized boards (x220-maximized and x220-hotp-maximized boards).
 x220 is still UNTESTED (legacy, manually extracting ifs, me and gbe).

EDIT: last minute readd of t440p-maximized boards (t440p-maximized and t440p-hotp-maximized boards).

Thanks to @srgrint for last minute report that t440p and x220 were tested
----

Traces of commands used:
ls qemu-linuxboot* leopard* r630* s2600wf* tioga* winterfell* t420* t520* t440p* w530* kgpe* p8z77* x220* x230-maximized-fhd_edp* | grep ":" | awk -F ":" {'print $1'}| while read board; do mv $board/$board.config $board/UNTESTED_$board.config; done
ls qemu-linuxboot* leopard* r630* s2600wf* tioga* winterfell* t420* t520* t440p* w530* kgpe* p8z77* x220* x230-maximized-fhd_edp* | grep ":" | awk -F ":" {'print $1'}| while read dir; do mv $dir UNTESTED_$dir; done
ls UNTESTED* | grep ":" | awk -F ":" {'print $1'}| awk -F "UNTESTED_" {'print $2'} | while read line; do sed 's/'"$line"'/UNTESTED_'"$line"'/g' ../.circleci/config.yml -i ; done

quick fix of circleci:
sed -i 's/UNTESTED_UNTESTED/UNTESTED/g' ../.circleci/config.yml
sed -i 's/UNTESTED_UNTESTED/UNTESTED/g' ../.circleci/config.yml
sed -i 's/UNTESTED_UNTESTED/UNTESTED/g' ../.circleci/config.yml

Modify p8z77-m_pro-tpm1 hotp board config to include to their maximized counterpart
2023-07-04 18:00:30 -04:00
Jonathon Hall
048bec6ebb
modules/busybox: Enable truncate
Enable the truncate coreutil.

CONFIG_BASE64 and CONFIG_BASH_IS_NONE just changed =n vs. not-set by
menuconfig, meaning is still the same.

initrd.cpio.xz went up by 512 bytes on Librem Mini v2 (probably the
minimum xz increment).  busybox stripped binary did not change size.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-03 16:35:38 -04:00
Jonathon Hall
84569e3738
kexec-save-default: Don't seal LUKS disk unlock key in basic mode
Basic mode allows (but does not require) setting a default boot option.
Don't seal disk unlock keys in Basic mode.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-30 14:37:38 -04:00
Jonathon Hall
6618dd652c
Restricted boot: Fix wording of 'disable' prompt, does not reset TPM
This was changed to just erase the TOTP/HOTP secret, not reset the TPM.
Update the prompt.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-30 14:31:53 -04:00
Jonathon Hall
e0c03be341
Change '16 60'-sized whiptail prompts to '0 80'
Some prompts were missed when changing to 0 80 the first time around,
and some new ones were added thinking that size was intentional.

Replace '16 60' with '0 80' globally.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-30 14:21:11 -04:00
Jonathon Hall
09d8bf9930
media-scan: Simplify implementation and improve RB message
Since 'standard boot' was removed, empty "$option" only occurs due to
error now.  Die with a specific error.

Now, we only proceed past ISO boot if no ISOs were present, meaning the
disk might be a plain bootable medium.  Present a specific error for
restricted boot in that case.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-30 13:41:07 -04:00
Jonathon Hall
0378d62d49
media-scan: Fix up whiptail prompt, remove errant "s for standard boot"
The whiptail prompt text was copied from the 'read' prompt but did not
actually have the Abort option.  Add it.

The "s for standard boot" option was missing from whiptail.  For plain
'read' it does not appear to revert to a normal boot, it actually went
on to try plain bootable USB on the same medium.  It's not realistic
for a disk to be both directly bootable and contain ISOs, and this
option does not appear to have been missed since it was missing from
the whiptail/fbwhiptail version, which almost all boards use.  Remove
it.

Handle canceling fbwhiptail with esc-esc the same as Abort.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-30 13:36:33 -04:00
Jonathon Hall
09f66e93df
Root hashes: enable even if there is no TPM
This feature doesn't require a TPM.  The configuration GUI appears
either way, but the actual check was silently skipped on TPM-less
devices.  Enable it even if there is no TPM.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-30 13:13:48 -04:00
Jonathon Hall
23a086dbf7
config-gui.sh: Simplify root hash device prompt
If we're removing leading slashes anyway, don't complicate the prompt
with more requirements.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-30 12:45:06 -04:00
Jonathon Hall
33c2cfb9b1
Root hash: Allow configuring from unset defaults
Allow configuring the root hash feature when the variables are not set
initially.  This worked on Librem boards because the boards all have
defaults for these variables, but didn't work when those defaults were
not present.

Fix set_config function to put quotes around an added variable's value.

Change load_config_value function to default to empty, so it can be
used with non-boolean variables.  None of the existing callers cared
about the 'n' default (boolean variables should always be tested ="y"
or !="y" anyway).

Use load_config_value in config-gui.sh for boot device and the root
hash parameters, so unset defaults do not cause a failure.  Improve the
prompts so the "current value" text only appears if there is a current
value.  Use set_config instead of replace_config so the variables will
be added if needed.

Prevent enabling the root hash feature if it hasn't been configured
yet.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-30 10:01:59 -04:00