Commit Graph

819 Commits

Author SHA1 Message Date
Trammell Hudson
5195a74422
remove initrd unpacking, since Qubes dracut /etc/cryptab can be fixed 2017-04-05 10:30:28 -04:00
Trammell Hudson
ce766bdc58
LVM patches to compile with musl 2017-04-04 09:41:50 -04:00
Trammell Hudson
39cb4031f4
TPM disk encryption keys for Qubes.
Issue #123: This streamline Qubes startup experience by
making it possible to have a single-password decryption.

Issue #29: The disk keys in `/secret.key` are passed to the systemd
in initramfs through `/etc/crypttab`, which is generated on each boot.
This is slow; need to look at alternate ways.

Issue #110: By using LVM instead of partitions it is now
possible to find the root filesystem in a consistent way.

Issue #80: LVM is now included in the ROM.
2017-04-03 17:18:11 -04:00
Trammell Hudson
3d79f51e4a
Build lvm command line utility (issue #80)
Replace libuuid with util-linux libuuid (and libblkid,
although we are not using libblkid right now).

This also requires a much larger coreboot cbfs, which was
fixed as part of issue #154.
2017-04-03 17:13:59 -04:00
Trammell Hudson
392599b90b
have xen output the xen executable for x230-qubes (issue #84) 2017-04-03 17:13:07 -04:00
Trammell Hudson
4c413a1737
enable file locking for LVM 2017-04-03 17:11:12 -04:00
Trammell Hudson
cd584c4fad
remove unused platform modules 2017-04-03 17:10:22 -04:00
Trammell Hudson
3dcc3d4b49
load the xhci USB3 modules as well 2017-04-03 17:09:54 -04:00
Trammell Hudson
85a77cf5de
build xen for installation into x230-qubes ROM (issue #84) 2017-04-03 17:09:22 -04:00
Trammell Hudson
d335f24292
split x230 config into 4MB bootstrap image and 7MB runtime image (issue #156) 2017-04-03 14:53:29 -04:00
Trammell Hudson
e41e21084a
extend PCR 4 in a recovery to prevent disk key decryption (issue #154) 2017-04-03 10:30:03 -04:00
Trammell Hudson
174bb64957
Move Qubes startup script to /boot/boot.sh
This also adds a set of files in the qubes/ directory that
are meant to be copied to the /boot partition.

Issue #154: for ease of upgrading Qubes, the script should
live on /boot instead of in the ROM.  This requires a GPG
signature on the startup script to avoid attacks by modifying
the boot script.

Issue #123: this streamlines the boot process for Qubes, although
the disk password is still not passed in correctly to the initrd
(issue #29).

This does not address issues #110 of how to find the root device.
The best approach is probably disk labels, which will require
special installation instructions.
2017-04-02 22:21:49 -04:00
Trammell Hudson
4e71017bea
bump xen to 4.6.4 (issue #153) 2017-04-02 21:45:10 -04:00
Trammell Hudson
f99944abe5
qubes init script and improved TPM disk encryption with LUKS headers (issue #123 and #6) 2017-04-01 23:02:00 -04:00
Trammell Hudson
d06ba0a851
reset $boot_option between loops 2017-04-01 22:25:16 -04:00
Trammell Hudson
93a0d7eee2
support clean targets 2017-03-31 18:13:50 -04:00
Trammell Hudson
3225501e84
remove power related busybox tools that do not work 2017-03-31 16:00:27 -04:00
Trammell Hudson
7045d02794
move to Linux 4.9.20 (issue #149) 2017-03-31 15:59:37 -04:00
Trammell Hudson
858b48d304
use our specific strip program to ensure reproducibility (issue #148) 2017-03-31 15:26:41 -04:00
Trammell Hudson
8544c5fe6d
busybox 1.26.2 update (issue #148) 2017-03-31 14:53:01 -04:00
Trammell Hudson
2db3c33866
fix IDSDIR to make pciutils reproducible (issue #147) 2017-03-31 14:33:15 -04:00
Trammell Hudson
27e35f6ef7
cleanup initrd tmpfile and reduce recursive make calls 2017-03-31 13:28:20 -04:00
Trammell Hudson
3241499ee3
pciutils fails on first build if both install and install-lib are specified 2017-03-31 13:05:05 -04:00
Trammell Hudson
d6c553e884
typo in qemu description 2017-03-31 13:04:46 -04:00
Trammell Hudson
9322dbef2d
use default qemu config, parameterize bin_modules 2017-03-31 12:06:59 -04:00
Trammell Hudson
4141c75c8c
make kexec work with the modular build 2017-03-31 11:59:18 -04:00
Trammell Hudson
b35f8d35ae
Merge /tmp/heads 2017-03-31 11:34:11 -04:00
Trammell Hudson
43ef324ae7 Merge /tmp/heads 2017-03-31 11:30:17 -04:00
Trammell Hudson
5ae0b09eb2
do not ignore files in initrd anymore 2017-03-31 11:24:10 -04:00
Trammell Hudson
c40748aa25
Build time configuration for startup scripts and modules.
This addresses multiple issues:

* Issue #63: initrd is build fresh each time, so tracked files do not matter.
* Issue #144: build time configuration
* Issue #123: allows us to customize the startup experience
* Issue #122: manual start-xen will go away
* Issue #25: tpmtotp PCRs are updated after reading the secret
* Issue #16: insmod now meaures modules
2017-03-31 11:18:46 -04:00
Trammell Hudson
581602e5b4
not using jekyl pages on this branch 2017-03-31 09:06:04 -04:00
Trammell Hudson
36021e006b Rebuild sub-modules on each build (issue #143).
The .INTERMEDIATE target seemed to causing the problem with
make thinking it didn't have to descend into the sub-module
directories.  Removing it allows it to work correctly.
2017-03-31 09:05:08 -04:00
Trammell Hudson
d8ab8ecfe8
Rebuild sub-modules on each build (issue #143).
The .INTERMEDIATE target seemed to causing the problem with
make thinking it didn't have to descend into the sub-module
directories.  Removing it allows it to work correctly.
2017-03-30 18:39:18 -04:00
Trammell Hudson
8343130e9a
Merge branch 'moc' - kernel modules, flashrom and other enhancements. 2017-03-30 17:32:47 -04:00
Trammell Hudson
cfd549097f
disable dhcp, since there are no networking modules loaded 2017-03-30 17:21:22 -04:00
Trammell Hudson
8589370708
Flash writing from userspace works (issue #17).
Reduce the size of flashrom by commenting out most flash chips,
boards and programmers.

Wrapper script to make it easier to rewrite the ROM on the x230
using the flashrom layout.

Keep the entire 12 MB ROM for flashing.
2017-03-30 17:12:22 -04:00
Trammell Hudson
9feb094701
enable flashrom and pciutils to allow the boot ROM to be re-written (issue #17) 2017-03-30 14:35:30 -04:00
Trammell Hudson
9666f52e44
bioswrite tool (beta, untested!) 2017-03-30 11:59:55 -04:00
Trammell Hudson
bf94e4c416
include a nearly empty, but consistent, cpio file to ensure reproducible Linux builds (issue #142) 2017-03-30 10:16:13 -04:00
Trammell Hudson
40c9db0416
wait until the coreboot tree is unpacked before building xgcc 2017-03-29 18:00:54 -04:00
Trammell Hudson
4901ccd89c
major rearranging of Makefile, bin, library and busybox installation 2017-03-29 16:58:45 -04:00
Trammell Hudson
8f63763e53
install symlinks directly into initrd 2017-03-29 16:49:07 -04:00
Trammell Hudson
ab0476ad2f
Remove populate-lib, rework libraries and kernel module installation.
The populate-lib program was buggy on some systems and could accidentally
introduce unwanted libraries into the initrd.  The Makefile now uses the
modules' $(module_libraries) variable to select which libraries should be
installed into the initrd.

Kernel modules are now stripped and installed using a similar system.
2017-03-29 15:15:03 -04:00
Trammell Hudson
fbfe565064 Merge branch 'moc' of https://github.com/osresearch/heads into moc 2017-03-29 13:53:28 -04:00
Trammell Hudson
cab9e7c39f
ignore install and crossgcc directories 2017-03-28 17:20:02 -04:00
Trammell Hudson
555e173822
silence NMI errors on qemu (issue #141) 2017-03-28 17:19:53 -04:00
Trammell Hudson
59bae0bf51
make USB a module, strip debug info (issue #139) 2017-03-28 17:08:28 -04:00
Trammell Hudson
453029bde1
ignore install and crossgcc directories 2017-03-28 17:08:22 -04:00
Trammell Hudson
0913adbacb
silence NMI errors on qemu (issue #141) 2017-03-28 17:07:56 -04:00
Trammell Hudson
713d4867fd
Change ethernet drivers to be modules and measure them when they are loaded.
This is a step towards unifying the server and laptop config (issue #139)
and also makes it possible to later remove the USB modules from the
normal boot path.
2017-03-28 17:07:26 -04:00