Commit Graph

2530 Commits

Author SHA1 Message Date
Thierry Laurion
a2ebf251e0
hotp boards: enable autoboot after 5 seconds if reverse HOTP against USB Security Dongle is successful by default
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-09 15:06:04 -05:00
tlaurion
8e1e402dac
Merge pull request #1580 from tlaurion/force_absence_dirmngr
gpg2: make sure dirmngr is not spawned to refresh keys under initrd/.gnupg/gpg.conf
2024-01-09 15:03:17 -05:00
tlaurion
4ece1a1fe4
Merge pull request #1579 from JonathonHall-Purism/seal-hotpkey-error
initrd/bin/seal-hotpkey: Show error if /boot can't be mounted
2024-01-09 14:49:15 -05:00
Thierry Laurion
012400af1b
gpg2: make sure dirmngr is not spawned to refresh keys under initrd/.gnupg/gpg.conf
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-09 12:53:56 -05:00
Jonathon Hall
5a00bfc035
initrd/bin/seal-hotpkey: Show error if /boot can't be mounted
If we can't mount /boot, show a meaningful error rather than dropping
to a recovery shell.

Dropping to a recovery shell should be a last resort.  Users that know
how to use the recovery shell know how to get there.  Users that don't
know how to use it can be completely stuck and may not know how to get
back to the menu or even how to turn off the device.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-09 12:27:59 -05:00
tlaurion
025b4d0dfc
Merge pull request #1576 from JonathonHall-Purism/package-mirrors
Makefile: Support mirrors for dependency source packages
2024-01-09 12:21:30 -05:00
Jonathon Hall
25b977d1e5
initrd/bin/config-gui.sh: Allow configuring automatic boot
Automatic boot can be configured in the configuration GUI.  Options are
disable, 1 second, 5 seconds, or 10 seconds.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-09 10:12:22 -05:00
Jonathon Hall
93ccf25d24
bin/fetch_coreboot_crossgcc_archive.sh: Symlink archives into coreboot
Symlink the source archives into coreboot's crossgcc build rather than
copying them.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-09 10:03:51 -05:00
Jonathon Hall
e380539202
modules/coreboot: Disable Ada compiler for coreboot 4.11
Disable the Ada compiler, as it no longer compiles on Debian 12 and is
not needed.

The Ada compiler is only used for libgfxinit - Intel native graphics
initialization.  Neither of the boards on coreboot 4.11 uses this;
Aspeed graphics initialization is written in C (but is not used yet as
it only supports text mode in 4.11).

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-08 15:38:44 -05:00
Jonathon Hall
f632897bb5
modules/coreboot: Cache coreboot toolchain archives and use mirrors
Download coreboot toolchain archives into packages/<arch> before
coreboot tries to download them.  This allows us to use mirrors to get
the archives.  We could also update the primary source this way if it
goes down instead of patching coreboot itself (has happened for IASL).

The archive versions and digests are retrieved from the coreboot
module, so there isn't another copy of that info to maintain.  That is
done in bin/fetch_coreboot_crossgcc_archive.sh, which uses the
existing fetch script to do the actual download, leveraging mirrors.

bin/fetch_source_archive.sh supports using a SHA-1 digest instead of
SHA-256, since coreboot has SHA-1 digests.  It also checks if the file
already exists (deleting the coreboot directory will cause it to be
re-run, but the packages are already there and can be used from cache).

The coreboot-4.11 IASL patch is updated to delete the outdated acpica
archive digest (it already added the new one, but the old one was still
there).  bin/fetch_coreboot_crossgcc_archive.sh finds the archive
version and digest from the digest files, so only one acpica file must
be present.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-08 15:10:56 -05:00
Jonathon Hall
29203782f6
bin/fetch_source_archive.sh: Use Heads package names when they differ
Use the Heads name for a package when it differs from the primary
source.  E.g. musl-cross-make's archive is just <hash>.tar.gz, which
makes little sense out of context.  musl-cross-<hash>.tar.gz makes
more sense for a mirror.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-05 13:17:01 -05:00
Jonathon Hall
3a93b30d5b
Makefile: Support mirrors for dependency source packages
Try to download dependency source packages from mirrors if the primary
source fails or the archive has changed.

Move the download and verify logic to bin/fetch_source_archive.sh.  The
mirror list is here, currently only
https://storage.puri.sm/heads-packages/, but others can be added.  The
mirror list is randomized to load each mirror equally.

The verify logic is moved to this script too so it can fail over to a
mirror (or another mirror) if a mismatched archive is served, not just
for a failure.  Makefile no longer needs to verify separately and there
are no separate .*-_verify files any more, the archive is only moved to
its final place once verified.

Add `packages` target to just fetch all needed packages for a board,
facilitates seeding a mirror.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-05 12:49:36 -05:00
tlaurion
c9e067c721
Merge pull request #1575 from tlaurion/revert_waybackmachine_usage_for_circleci
switch back from web.archive.org to cairographics.org (CircleCI is rate limited)
2024-01-04 22:13:08 -05:00
Thierry Laurion
fbbdc94634
switch back from web.archive.org to cairographics.org (CircleCI is rate limited over web.archive.org: not a solution....
Adds up to https://github.com/linuxboot/heads/issues/1198

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-04 21:32:32 -05:00
tlaurion
ea0a599dec
Merge pull request #1570 from tlaurion/automate_blobs_download_xx30_xx20
Automate blobs download for xx30 xx20 boards
2024-01-04 17:12:12 -05:00
Thierry Laurion
77f9933538
xx20/xx30 blob based boards: move ME blobs target outside of board configs (targets/xx*_blobs.mk)
Makefile: have inclusion of all defined $BOARD BOARD_TARGETS (me, split_8mb4mb, ...)

TODO: VBIOS scripts for W530/T530 need way more work. To be done later.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-04 15:32:09 -05:00
Thierry Laurion
d7c2bda112
blobs/xx20/download_parse_me.sh: cleanup and don't continue if hash is good
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-04 14:21:13 -05:00
Thierry Laurion
f2079dbe44
blobs/xx30 scripts: cleanup and don't continue if hash is good
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-04 14:21:11 -05:00
Thierry Laurion
de951f7156
CircleCI: re-add blobs cache in prep step to download once and pass through workspace cache
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-04 14:21:10 -05:00
Thierry Laurion
197914b396
xx20 boards and circleci: Have boards download extract and neuter me by board config
Fix https://github.com/linuxboot/heads/issues/1569 part of error linked to me not being available in blobs/xx20/me.bin

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-04 14:21:08 -05:00
Thierry Laurion
753aa39503
CircleCI: test commit to have all boards download their own blobs
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-04 14:21:06 -05:00
Thierry Laurion
24571d91bc
CircleCI: re-add xx30 call to have ME downloaded for all boards. Next commit will remove all those to test boards downloading all blobs, but this is not desirable for CI, where we want blobs to be downloaded once in the prep step, not from each board.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-04 14:21:05 -05:00
Thierry Laurion
0d6cba852b
w530-dgpu K2000 boards: have the boards call vbios download script automatically. Breaks on debian-12 as of now but should work on debian-11 for others, gems say deprecated calls....
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-04 14:21:03 -05:00
Thierry Laurion
1fea3e4463
t530-dgpu boards: have the boards call vbios download script automatically. Breaks on debian-12 as of now but should work on debian-11 for others, gems say deprecated calls....
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-04 14:21:01 -05:00
Thierry Laurion
43d1b4ed81
xx30: have all xx30 download me automatically.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-04 14:21:00 -05:00
tlaurion
449977b617
Merge pull request #1561 from Nitrokey/up-v2.4
Bump Dasharo Coreboot / hotp-verification; fix nitropad-nxx ec-powerdown
2024-01-03 15:49:55 -05:00
tlaurion
07db2ddb6c
Merge pull request #1573 from tlaurion/cairo_use_waybackmachine
modules/cairo: www.cairographics.org down again. Use web.archive.org archive
2024-01-02 16:20:31 -05:00
Thierry Laurion
2b65211fac
modules/cairo: www.cairographics.org down again. Use web.archive.org archive
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-02 16:18:30 -05:00
tlaurion
65036f2ef7
Merge pull request #1571 from tlaurion/pixman_use_waybackmachine
modules/pixman: www.cairographics.org down again. Use web.archive.org archive.
2024-01-02 15:15:10 -05:00
Thierry Laurion
98e68366ea
modules/pixman: www.cairographics.org down again. Use web.archive.org archive.
Haven't found same archive elsewhere with same hash.
Adds up to https://github.com/linuxboot/heads/issues/1198

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-02 15:12:06 -05:00
tlaurion
54e96ad00d
Merge pull request #1567 from tlaurion/Makefile_helpers_to_ease_moving_untested_boards
Makefile helpers to ease moving untested boards (and move tested t420 and w530 boards)
2023-12-30 22:10:07 -05:00
Thierry Laurion
718a831481
Board configs: move t420-hotp-maximized t420-maximized w530-maximized w530-hotp-maximized away from UNTESTED_ boards
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-12-30 13:36:28 -05:00
Thierry Laurion
e81f59eac2
Makefile: Add basic helpers permitting to move boards from/to UNTESTED_
Adds two global helpers in Makefile:
- board.move_untested_to_tested
- board.move_tested_to_untested

Which can be called by:
- make BOARD=UNTESTED_t420-maximized board.move_untested_to_tested
- make BOARD=x230-legacy board.move_tested_to_untested

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-12-30 13:29:16 -05:00
tlaurion
129a772455
Merge pull request #1566 from tlaurion/TPM_DUK_reuse_tpm_owner_pass
tpmr: fix TPM Disk Unlock Key which was not using proper cached TPM owner passphrase.
2023-12-29 15:47:46 -05:00
Thierry Laurion
b4068e61fa
tpmr: fix TPM Disk Unlock Key which was not using proper cached passphrase.
Add debugging that was needed to spot the issue

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-12-29 15:22:17 -05:00
Markus Meissner
5e43bcd2f4
hotp-verification: adapt to nk3 v1.6 security model
* overwriting a hotp secret is not possible anymore
* make sure to delete the hotp secret before setting a new one
* requires one additional user presence check during HOTP setup
* bump to v1.5

Signed-off-by: Markus Meissner <coder@safemailbox.de>
2023-12-22 16:14:40 +01:00
Markus Meissner
a1c13ff132
nitropad-nx: fix EC-based poweroff/reboot
Signed-off-by: Markus Meissner <coder@safemailbox.de>
2023-12-22 15:37:29 +01:00
Markus Meissner
65abba9946
coreboot-nitrokey: update dasharo to v1.7.2
* remove all previous coreboot patches (as they are already included)
* to be investigated: linux trampoline patch
* add new patch to hardcode sleep configuration
* activate smmstore as dasharo vendor code requires it

Signed-off-by: Markus Meissner <coder@safemailbox.de>
2023-12-22 15:37:29 +01:00
tlaurion
25d7b06063
Merge pull request #1556 from JonathonHall-Purism/site-local-config
Makefile: Allow downstreams to put local customizations in site-local/config
2023-12-20 01:07:28 +00:00
Jonathon Hall
ab97b242b4
Merge remote-tracking branch 'github-heads/master' into site-local-config
2023-12-19 14:14:25 -05:00
tlaurion
fa2d4e8c87
Merge pull request #1554 from tlaurion/ease_rebranding
WiP: Ease cohesion of Heads expected features and rebranding
2023-12-19 18:32:57 +00:00
Thierry Laurion
61843d890b
Unify upstream board config defaults
- Upstream boards will not deactivate TPM DUK
- Upstream will not force BRAND_NAME which currently defaults to Heads
- Upstream will not deactivate QR code on screen output on HOTP sealing
- Upstream will not offer OEM reset defaults (deprecated and now default anyway)

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-12-19 13:05:46 -05:00
tlaurion
1915862e69
Merge pull request #1553 from tlaurion/librems-enforce_heads_branding_bootsplash_upstream
Librems: enforce upstream Heads branding bootsplash
2023-12-18 21:50:02 +00:00
Jonathon Hall
0cb6d9154f
Makefile: Allow downstream config in site-local/config
Allow downstreams to add config to site-local/config, which can set
config options, including overriding board config and exporting config
to /etc/config.

The intent of site-local is exactly the same as in coreboot - it is a
place for downstreams to add customizations that are included at well-
defined points in the build.  site-local should never appear in the
upstream repository.  coreboot's documentation explains this as well:
https://doc.coreboot.org/tutorial/managing_local_additions.html

Move definitions of ROM artifacts later, so site config can override
BRAND_NAME (and still is included after board config to override it as
well).

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-12-18 16:49:52 -05:00
Jonathon Hall
12a099ad8e
talos-2: Move PPC-style tgz update package targets to targets/
Move the targets generating talos-2's tgz update package to targets.

While this wasn't duplicated, it breaks a cyclic dependency between
board config and BRAND_NAME by moving the ROM output name dependencies
later.  The logic probably would be shared with similar boards if any
were supported, so it is in the spirit of the other targets/ shared
target Makefiles.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-12-18 16:49:52 -05:00
Jonathon Hall
8ce9c9d438
*-legacy-flash: Deduplicate generation of "top" ROM
Move Makefile target for the "top" ROM to targets/legacy_flash.mk.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-12-18 16:49:52 -05:00
Jonathon Hall
d512cd4ad2
12MB boards: Deduplicate generation of 8MB/4MB split ROMs
Move Makefile targets for split ROMs to targets/split_8mb4mb.mk.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-12-18 16:49:52 -05:00
Jonathon Hall
c8e114166c
qemu: Deduplicate Qemu targets/documentation, extract from boards
The 8 qemu-* targets all contained nearly-identical copies of the
targets to prepare the TPM/disk/etc. and then run Qemu.  The only
significant differences were for TPM1/TPM2 (extra swtpm_setup step,
addition of --tpm2 to swtpm_setup and swtpm).  ROOT_DISK_IMG used := or
= differently in some boards, := was kept.

targets/qemu.mk now defines all Qemu targets and is included only for
qemu-* boards (by defining BOARD_TARGETS in each of those boards).

The documentation was moved from qemu-coreboot-fbwhiptail-tpm1-hotp/
qemu-coreboot-fbwhiptail-tpm1-htop.md to targets/qemu.md.  The other 7
qemu boards' symlinks to that file were removed.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-12-18 16:49:10 -05:00
Thierry Laurion
b8a06c5351
Librems/Nitropad: enable QR code printed on screen at TOTP/HOTP Generation
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-12-16 13:15:14 -05:00
Thierry Laurion
d8f098cd53
All board configs: first line now BRAND_NAME=Heads to ease rebranding with sed scripts for downstream projects/forks
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-12-16 12:56:58 -05:00