Trammell hudson
5dcbc44d39
Merge branch 'pr289': QSB 34, 35, 36 and coreboot 4.6 updates #289
2017-12-10 20:59:29 -05:00
Francis Lam
5f9567c390
Fix coreboot GCC7 build issue
...
This is fixed in coreboot master but backporting for Heads.
Closes #241
2017-12-02 15:14:42 -05:00
Francis Lam
61f6973c5c
Merge branch 'coreboot-4.6'
2017-12-02 14:54:48 -05:00
Francis Lam
491fe083fa
Update qubes xen version for QSB 36
...
For Qubes 3.2: version 4.6.6-35
For Qubes 4.0: version 4.8.2-11
2017-12-02 14:47:52 -05:00
Francis Lam
8d34bcc6bc
Update qubes xen version for QSB 34 and QSB 35
...
For Qubes 3.2: version 4.6.6-34
For Qubes 4.0: version 4.8.2-9
2017-10-28 15:12:39 -04:00
Francis Lam
87251fd1b1
Changed to coreboot patch to not measure relocated modules
2017-10-10 16:27:16 -04:00
Francis Lam
1a34bd9d6f
Updated to coreboot 4.6
...
Also changed x220 and purism configs to use generic boot
2017-10-10 16:27:16 -04:00
Trammell hudson
32ebb70e76
Merge branch 'jgrip-x220' PR #235
2017-10-09 18:18:29 -04:00
Trammell hudson
5ebe5a119a
Merge branch 'x220' of https://github.com/jgrip/heads into jgrip-x220
2017-10-09 18:16:45 -04:00
Trammell hudson
076e246549
Merge branch 'qubes-4.0' PR #210
2017-10-09 18:14:01 -04:00
Trammell hudson
645c7656fa
Merge branch 'qubes-4.0' of https://github.com/flammit/heads into qubes-4.0
2017-10-09 18:12:33 -04:00
Trammell hudson
48175f7528
Merge branch 'generic-boot-cleanup' PR #230
2017-10-09 18:08:05 -04:00
Francis Lam
41f49237c6
Added configurable xen version for Qubes 4 support
...
also addresses issue #238
2017-09-13 22:10:46 -04:00
Francis Lam
ec1a54c6b6
Updated to match latest qubes 3.2 xen 4.6.6-30 (issue #238)
2017-09-13 21:14:13 -04:00
Francis Lam
821e48446a
Updated to match latest qubes 3.2 xen 4.6.6-29 (issue #238)
2017-09-02 14:13:29 -04:00
Francis Lam
472ffd35c0
Moved kernel command line parameters to config
2017-09-02 14:13:29 -04:00
Francis Lam
7cec25542d
Allow boot without unseal of TPM LUKS key
...
Closes issue #226
Also changed the procedure to show LVM volume groups and block
device ids to aid in choosing the right combination during the
TPM LUKS key sealing process.
2017-09-02 14:13:29 -04:00
Francis Lam
26b2d49897
Allow TPM LUKS key to be set during default selection
...
Closes #222
2017-09-02 14:13:29 -04:00
Francis Lam
0897a20b84
Ensure recovery for failed default boot
...
Should close #223
Added reboot and poweroff scripts using /proc/sysrq-trigger
Also cleaned up the boot loop in generic-init
2017-09-02 14:13:29 -04:00
Francis Lam
e8f3d206c5
Strip invalid leading/trailing '/' from script params
2017-09-02 14:13:29 -04:00
Johan Grip
6f48c14d0c
Update X220 to do generic image instead of qubes.
...
Also added a script to extract the necessary blobs from a bios
dump image.
2017-08-04 22:48:27 +02:00
Trammell Hudson
9d9af31e58
fix typo and format with markdown (issue #206)
2017-07-27 06:26:04 -04:00
Trammell Hudson
314ce7b350
bump Linux kernel to 4.9.38 (issue #224)
2017-07-18 14:25:15 -04:00
Trammell Hudson
fcc99eca93
include version number in verify target (issue #228)
2017-07-18 14:03:43 -04:00
Trammell Hudson
b550a7f967
rework startup scripts to combine totp prompt with boot mode selection (issue #221)
2017-07-18 13:44:02 -04:00
Trammell Hudson
3e48f1c5e8
tweaks to make qemu run through the /bin/generic-init process
2017-07-18 13:42:19 -04:00
Trammell Hudson
36e3172c8e
disable i915 for now, since it causes screen glitches in Xen/Qubes (issue #219)
2017-07-18 13:32:57 -04:00
Trammell Hudson
3c8adf2cf1
remove no longer required vga patch from xen (issue #227)
2017-07-18 13:31:08 -04:00
Trammell Hudson
7aec9a2288
add support for i915 and render mode setting (issue #219)
2017-07-18 10:10:55 -04:00
Trammell Hudson
39ade211ce
add support for fractional second timeouts in busybox read (issue #221)
2017-07-18 09:11:05 -04:00
Trammell Hudson
f0913e9670
Merge branch 'flammit-usb-boot' pull request #200
2017-07-17 12:43:53 -04:00
Trammell Hudson
af3170ebf7
remove trailing / on the /boot device parameter
2017-07-17 12:43:14 -04:00
Trammell Hudson
831dca5124
remove older qubes-specific files, no longer required in generic boot env
2017-07-17 12:31:58 -04:00
Trammell Hudson
22282da905
default to mounting USB device on /media
2017-07-17 12:24:15 -04:00
Trammell Hudson
86f3e9f5dc
add /boot and /media to /etc/fstab on startup (issue #220)
2017-07-17 12:22:48 -04:00
Trammell Hudson
ba98d5dda6
Merge branch 'usb-boot' of https://github.com/flammit/heads into flammit-usb-boot
2017-07-17 08:52:48 -04:00
Francis Lam
11aca354e9
Fixed edge case in kernel argument injection
...
Debian 9 installer doesn't have kernel arguments so the iommu fix
wasn't being applied properly.
2017-07-13 00:33:49 -04:00
Francis Lam
2a9ca6fdba
Fixed regression on kexec-save-key
2017-07-12 00:43:08 -04:00
Francis Lam
22a52ec4b8
Added TPM secret management to generic boot
...
Also cleaned up error handling and boot parsing edge cases
2017-07-12 00:17:45 -04:00
Francis Lam
d67360a24b
Added rollback protection to generic boot
...
Changed the checking of required hashes or required rollback state
to be right before boot, allowing the user to sign/set defaults
in interactive mode.
Also cleaned up usages of recovery and fixed iso parameter
regression.
2017-07-08 16:59:37 -04:00
Francis Lam
8004b5df2a
Added the ability to persist a default boot option
...
Similar to qubes-update, it will save then verify the hashes of
the kexec files. Once TOTP is verified, a normal boot will verify
that the file hashes and all the kexec params match and if
successful, boot directly to OS.
Also added a config option to require hash verification for
non-recovery boots, failing to recovery if not met.
2017-07-04 19:49:14 -04:00
Francis Lam
ce4b91cad9
Minor tweaks to signing params and boot options
...
Also split out usb-scan to allow manual initiation of scan from
the recovery shell
2017-07-03 13:07:03 -04:00
Francis Lam
3614044fff
Added a generic boot config and persistent params
...
Refactored boot parsing code and applied that in local-init to
scan /boot for grub options and allow the user to unsafely boot
anything. This goes a long way to addressing #196.
Optionally the user can customize those boot parameters or enforce
arbitrary hashes on the boot device by creating and signing config
files in /boot/ or /media/ or /media/kexec_iso/ISO_FILENAME/.
2017-07-02 23:01:04 -04:00
Francis Lam
76a20288a3
Tweaks to allow qubes install w/o custom script
...
usb-boot automatically uses internal xen binary / command line
when multiboot is detected.
also tweaked to evaluate/remove variable refs in kexec arguments
2017-07-02 14:27:02 -04:00
Trammell Hudson
7e5c9bf5f8
fix Xen reproducibility by not using figlet #207
2017-06-26 16:33:49 -04:00
Francis Lam
7f6f365afe
Reverted submodule name back to xen
2017-06-26 13:07:48 -04:00
Francis Lam
e1e654696b
Fixes the patched qubes-vmm-xen Makefile
...
Prevents subsequent builds from trying to unpack/repatch
2017-06-25 18:35:59 -04:00
Francis Lam
c2ec62bfcd
Changed xen submodule to track Qubes Xen
...
Closes #159
2017-06-23 23:01:20 -04:00
Trammell Hudson
265424b101
do not enable libkmod (issue #164)
2017-06-13 10:45:33 -04:00
Trammell Hudson
a5d4c65533
use SHA256 digest on signatures to avoid SHA1 collision attacks (issue #120)
2017-05-04 11:19:50 -04:00