Some (out of tree) servers require use of a USB keyboard, and need
the USB kernel modules loaded prior to checking for keypress to enter
a recovery console. Since loading the modules affects the value in PRC5
and can cause issues putting a LUKS key in TPM, guard the loading of the
USB modules with CONFIG_USB_KEYBOARD and remove the unguarded call from
gui-init.
This should resolve issues #603 and #674.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
gpg2 needs GPG_TTY set to function properly. We set it in /init so it
is inherited by all children. The call to $(tty) must be after /dev and
(preferably) /dev/pts are mounted.
Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
As part of the config gui we want to be able to have the system define
new config options without them being lost if the user makes their own
changes in CBFS. To allow that this change creates a function initiated
in init that combines all /etc/config* files into /tmp/config. All
existing scripts have been changed to source /tmp/config instead of
/etc/config. The config-gui.sh script now uses /etc/config.user to hold
user configuration options but the combine_configs function will allow
that to expand as others want to split configuration out further.
As it stands here are the current config files:
/etc/config -- Compiled-in configuration options
/etc/config.user -- User preferences that override /etc/config
/tmp/config -- Running config referenced by the BIOS, combination
of existing configs
This development branch builds a NERF firmware for the Dell R630
server. It does not use coreboot; instead it branches directly
from the vendor's PEI core into Linux and the Heads runtime
that is setup to be run as an EFI executable.
Supports booting from USB media using either the root device or
a signed ISO as the boot device. Boot options are parsed with
quick/dirty shell scripts to infer kexec params.
Closes#195 and begins to address #196
This adds support for seamless booting of Qubes with a TPM disk key,
as well as signing of qubes files in /boot with a Yubikey.
The signed hashes also includes a TPM counter, which is incremented
when new hashes are signed. This prevents rollback attacks against
the /boot filesystem.
The TPMTOTP value is presented to the user at the time of entering
the disk encryption keys. Hitting enter will generate a new code.
The LUKS headers are included in the TPM sealing of the disk
encryption keys.
This addresses multiple issues:
* Issue #63: initrd is build fresh each time, so tracked files do not matter.
* Issue #144: build time configuration
* Issue #123: allows us to customize the startup experience
* Issue #122: manual start-xen will go away
* Issue #25: tpmtotp PCRs are updated after reading the secret
* Issue #16: insmod now meaures modules
Reduce the size of flashrom by commenting out most flash chips,
boards and programmers.
Wrapper script to make it easier to rewrite the ROM on the x230
using the flashrom layout.
Keep the entire 12 MB ROM for flashing.