Commit Graph

2544 Commits

Author SHA1 Message Date
Thierry Laurion
cbf984ad7c
WiP modules/tpm2* : removed Makefile build instructions too quick
/nix/store/5lr5n3qa4day8l1ivbwlcby2nknczqkq-bash-5.2p26/bin/bash ./libtool  --tag=CC   --mode=link /home/user/heads/crossgcc/x86/bin/x86_64-linux-musl-gcc -fdebug-prefix-map=/home/user/heads=heads -gno-record-gcc-switches -D__MUSL__ --sysroot  /home/user/heads/install/x86 -isystem /home/user/heads/install/x86/include -L/home/user/heads/install/x86/lib  -I./tools -I./lib -Wall -Wextra -Wformat -Wformat-security -Wstack-protector -fstack-protector-all -Wstrict-overflow=5 -O2 -fPIC -fPIE -D_GNU_SOURCE -std=gnu99 -Wstringop-overflow=4 -Wstringop-truncation -Wduplicated-branches -Wduplicated-cond -Wbool-compare -fdata-sections -ffunction-sections -I/home/user/heads/install/x86/include -I/home/user/heads/install/x86//include -I/home/user/heads/install/x86//include/tss2 -I/home/user/heads/install/x86/nix/store/yg75achq89wgqn2fi3gglgsd77kjpi03-openssl-3.0.13-dev/include  -I/home/user/heads/install/x86//include -I/home/user/heads/install/x86//include/tss2 -I/home/user/heads/install/x86//include -I/home/user/heads/install/x86//include/tss2 -I/home/user/heads/install/x86//include -I/home/user/heads/install/x86//include/tss2 -DTPM2_TOOLS_MAX="101" -fdebug-prefix-map=/home/user/heads/install/x86=. -shared -pie -Wl,-z,relro -Wl,-z,now -Wl,--gc-sections   -o tools/tpm2 tools/tpm2-tpm2_tool.o tools/misc/tpm2-tpm2_certifyX509certutil.o tools/misc/tpm2-tpm2_checkquote.o tools/misc/tpm2-tpm2_encodeobject.o tools/misc/tpm2-tpm2_eventlog.o tools/misc/tpm2-tpm2_print.o tools/misc/tpm2-tpm2_rc_decode.o tools/misc/tpm2-tpm2_tr_encode.o tools/tpm2-tpm2_activatecredential.o tools/tpm2-tpm2_certify.o tools/tpm2-tpm2_changeauth.o tools/tpm2-tpm2_changeeps.o tools/tpm2-tpm2_changepps.o tools/tpm2-tpm2_clear.o tools/tpm2-tpm2_clearcontrol.o tools/tpm2-tpm2_clockrateadjust.o tools/tpm2-tpm2_create.o tools/tpm2-tpm2_createak.o tools/tpm2-tpm2_createek.o tools/tpm2-tpm2_createpolicy.o tools/tpm2-tpm2_setprimarypolicy.o tools/tpm2-tpm2_createprimary.o tools/tpm2-tpm2_dictionarylockout.o tools/tpm2-tpm2_duplicate.o tools/tpm2-tpm2_getcap.o tools/tpm2-tpm2_gettestresult.o tools/tpm2-tpm2_encryptdecrypt.o tools/tpm2-tpm2_evictcontrol.o tools/tpm2-tpm2_flushcontext.o tools/tpm2-tpm2_getrandom.o tools/tpm2-tpm2_gettime.o tools/tpm2-tpm2_hash.o tools/tpm2-tpm2_hierarchycontrol.o tools/tpm2-tpm2_hmac.o tools/tpm2-tpm2_import.o tools/tpm2-tpm2_incrementalselftest.o tools/tpm2-tpm2_load.o tools/tpm2-tpm2_loadexternal.o tools/tpm2-tpm2_makecredential.o tools/tpm2-tpm2_nvdefine.o tools/tpm2-tpm2_nvextend.o tools/tpm2-tpm2_nvincrement.o tools/tpm2-tpm2_nvreadpublic.o tools/tpm2-tpm2_nvread.o tools/tpm2-tpm2_nvreadlock.o tools/tpm2-tpm2_nvundefine.o tools/tpm2-tpm2_nvwrite.o tools/tpm2-tpm2_nvwritelock.o tools/tpm2-tpm2_nvsetbits.o tools/tpm2-tpm2_pcrallocate.o tools/tpm2-tpm2_pcrevent.o tools/tpm2-tpm2_pcrextend.o tools/tpm2-tpm2_pcrread.o tools/tpm2-tpm2_pcrreset.o tools/tpm2-tpm2_policypcr.o tools/tpm2-tpm2_policyauthorize.o tools/tpm2-tpm2_policyauthorizenv.o tools/tpm2-tpm2_policynv.o tools/tpm2-tpm2_policycountertimer.o tools/tpm2-tpm2_policyor.o tools/tpm2-tpm2_policynamehash.o tools/tpm2-tpm2_policytemplate.o tools/tpm2-tpm2_policycphash.o tools/tpm2-tpm2_policypassword.o tools/tpm2-tpm2_policysigned.o tools/tpm2-tpm2_policyticket.o tools/tpm2-tpm2_policyauthvalue.o tools/tpm2-tpm2_policysecret.o tools/tpm2-tpm2_policyrestart.o tools/tpm2-tpm2_policycommandcode.o tools/tpm2-tpm2_policynvwritten.o tools/tpm2-tpm2_policyduplicationselect.o tools/tpm2-tpm2_policylocality.o tools/tpm2-tpm2_quote.o tools/tpm2-tpm2_readclock.o tools/tpm2-tpm2_readpublic.o tools/tpm2-tpm2_rsadecrypt.o tools/tpm2-tpm2_rsaencrypt.o tools/tpm2-tpm2_send.o tools/tpm2-tpm2_selftest.o tools/tpm2-tpm2_setclock.o tools/tpm2-tpm2_shutdown.o tools/tpm2-tpm2_sign.o tools/tpm2-tpm2_certifycreation.o tools/tpm2-tpm2_nvcertify.o tools/tpm2-tpm2_startauthsession.o tools/tpm2-tpm2_startup.o tools/tpm2-tpm2_stirrandom.o tools/tpm2-tpm2_testparms.o tools/tpm2-tpm2_unseal.o tools/tpm2-tpm2_verifysignature.o tools/tpm2-tpm2_setcommandauditstatus.o tools/tpm2-tpm2_getcommandauditdigest.o tools/tpm2-tpm2_getsessionauditdigest.o tools/tpm2-tpm2_geteccparameters.o tools/tpm2-tpm2_ecephemeral.o tools/tpm2-tpm2_commit.o tools/tpm2-tpm2_ecdhkeygen.o tools/tpm2-tpm2_ecdhzgen.o tools/tpm2-tpm2_zgen2phase.o tools/tpm2-tpm2_sessionconfig.o tools/tpm2-tpm2_getpolicydigest.o lib/libcommon.a -ltss2-esys -L/home/user/heads/install/x86/lib -L/home/user/heads/install/x86//lib -ltss2-mu -L/home/user/heads/install/x86/nix/store/7nmrrad8skxr47f9hfl3xc0pfqmwq51b-openssl-3.0.13/lib -lcrypto -L/home/user/heads/install/x86//lib -ltss2-tctildr -L/home/user/heads/install/x86//lib -ltss2-rc -L/home/user/heads/install/x86//lib -ltss2-sys
libtool:   error: cannot find the library '//lib/libtss2-sys.la' or unhandled argument '//lib/libtss2-sys.la'
make[1]: *** [Makefile:2478: tools/tpm2] Error 1
make[1]: Leaving directory '/home/user/heads/build/x86/tpm2-tools-5.6'
make: *** [Makefile:521: /home/user/heads/build/x86/tpm2-tools-5.6/.build] Error 1

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:01:34 -04:00
Thierry Laurion
9ab5260871
Makefile: add yet another developer helper: real.gitclean_keep_packages to not delete already downloaded packages to economize bandwidth
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:01:29 -04:00
Thierry Laurion
75a5c2f1e6
tpm2 modules: remove sysroot and unneeded duplicated Makefile tweaks now passed from golbal Makefile sysroot (TODO: generalize)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:01:24 -04:00
Thierry Laurion
e5c55d79e3
CircleCI: have nitropad-nv41 build on top of prep_env, not x230-hotp-maximized
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:01:19 -04:00
Thierry Laurion
1174282bc4
ci: Prepend nix- to save and restore cache statements
Until nix PR is merged to not interfere with master/other pr caches

Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:01:15 -04:00
Manuel Mendez
7169fab81b
ci: Switch image from debian to nix
Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:01:10 -04:00
Manuel Mendez
2824f48f9e
Add nix files
Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:01:05 -04:00
Manuel Mendez
de3f4ec2a3
ci: Replace while loop with tail of multiple files
Gives the exact same output:

```
docker run --rm -ti debian:11 bash -c '
  mkdir -p build/subdir1/ build/subdir2
  echo "subdir1 error" >build/subdir1/fail.log
  echo "subdir2 error" >build/subdir2/fail.log
  find build -type f -name "*.log" -exec tail -n +1 "{}" +
'
==> build/subdir1/fail.log <==
subdir1 error

==> build/subdir2/fail.log <==
subdir2 error
```

Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:01:01 -04:00
Manuel Mendez
713eadc129
ci: Simple/mechanical tweaks to config file
Got rid of long lines in favor of more lines for readability. Cleaned up
some comments/typos and unnecessary cruft*. Finally ran prettier on the
file for its automatic formatting, including whitespace clean ups.

cruft:

-  && when already set -e
- run commands with trailing \
- deleted commented out "OLD STUFF"
- sorted listy looking things because unsorted stuff bothers me :) (I
  held back on sorting the board build definitions though, thats
  probably too much).

Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:00:56 -04:00
Manuel Mendez
87ec2ca043
blobs: Ignore build generated binaries
These are generated during the build process so should be ignored.

Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:00:51 -04:00
Thierry Laurion
43d806f205
modules/tpm2-tools: add with-sysroot, TSS2_ESYS_3_0_LIBS to configure args
Thanks to @JonathonHall-Purism, that pointed to me that sysroot was
neglected in tpm2-tools configure step.

I wonder why this is not respected if not forced with --with-sysroot and
TSS2_ESYS_3_0_LIBS="-ltss2-esys -L$(INSTALL)/lib"?

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:00:46 -04:00
Thierry Laurion
fcb9596f7e
modules/tpm2-tss: Add with-sysroot to configure args
Thanks to @JonathonHall-Purism, that pointed to me that sysroot was
neglected in tpm2-tools configure step.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:00:41 -04:00
Thierry Laurion
236f9b117c
modules/gpg2: Bump version 2.4.0 -> 2.4.2
More pending work needed to fix fragility of buildsystem and fix nix
build issues as well like:

https://app.circleci.com/pipelines/github/mmlb/osresearch-heads/11/workflows/32cc883c-5074-4f28-94b8-a83a2ec44414/jobs/252
https://app.circleci.com/pipelines/github/mmlb/osresearch-heads/11/workflows/32cc883c-5074-4f28-94b8-a83a2ec44414/jobs/221
https://app.circleci.com/pipelines/github/tlaurion/heads/1781/workflows/ee402ead-6739-4549-88ae-105b695fb3cd
https://app.circleci.com/pipelines/github/tlaurion/heads/1783/workflows/2b35826c-aff4-4f48-8809-4e66259f9aa4/jobs/25877/parallel-runs/0/steps/0-103

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:00:37 -04:00
Thierry Laurion
67e5973b5d
modules: Remove unrecognized configure options
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:00:32 -04:00
Manuel Mendez
a4ba76fd90
modules: minor refactor/tweaks
Just some minor clean ups like fixing whitespace and sorting things. I
added (bash)/removed (libusb) white space in order to look like the
other modules.

I sorted the --enable/--disable/--with blocks so that common stuff
looked similar which should aid in comparing modules. I also removed a
couple of duplicate config options (--disable-fallback-curses &
--disable-regex).

Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:00:27 -04:00
Manuel Mendez
d396236a83
Remove hard coded paths in shebang lines
Remove hard coded paths from shebangs and other references because they
do not play well in nix-land. Either use /usr/bin/env to do runtime PATH
based lookup or avoid absolute paths so PATH look up happens instead.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:00:22 -04:00
Manuel Mendez
4f3d210f89
Sort .gitignore
Noticed a couple of dupes (gz and rom) so I figured I should sort it now
to hopefully avoid another one in the future.

Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:00:18 -04:00
Jonathon Hall
165f90a8cf
Merge remote-tracking branch 'github-tlaurion/reproducible_openssl_libtss2_tpm2'
PR #1630
2024-04-26 12:26:55 -04:00
Thierry Laurion
60d9aa4d5a
tpmr: remove warning "Warn: check public portion of the tpmkey manually"
Discussed under https://github.com/linuxboot/heads/pull/1630#issuecomment-2075120429

TODO added in code.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-26 11:14:14 -04:00
Thierry Laurion
b2629f8d4d
Merge pull request #1625 from tlaurion:LUKS_header_change_validation_upon_sealing_and_unsealing
LUKS header change validation upon sealing and unsealing ops
2024-04-25 16:39:41 -04:00
Thierry Laurion
ba63b1823f
Merge pull request #1654 from Dasharo/fix_nitropad_pwr_state
config/coreboot-nitropad-*.config: disable power on AC
2024-04-24 18:33:39 -04:00
Michał Kopeć
019098c821
config/coreboot-nitropad-*.config: disable power on AC
The coreboot power failure state Kconfig options are wired up to the
Power on AC feature on Clevo mainboards. Set the power failure state to
0 to prevent these boards from powering on or waking up with AC attach.

Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
2024-04-24 12:48:52 +02:00
Jonathon Hall
1ae4c19f9a
Merge remote-tracking branch 'github-tlaurion/fix_hotp_increment_counter_after_detection-oem-factory-reset_loop_3x_hotp_detect'
PR #1650
2024-04-23 08:33:30 -04:00
Thierry Laurion
d8a6502d69
Merge pull request #1646 from UndeadDevel/better_PIN_question_default
Address inconsistency between docs and OEM factory reset User GPG PIN minimum length requirement
2024-04-22 20:27:46 -04:00
Christian Foerster
cb03ec5584
change correct PIN minimum
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2024-04-23 01:10:53 +02:00
Thierry Laurion
b6bd682cb3
Fix HOTP verification logic (and counter increment) in gui-init and oem-factory-reset scripts
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-22 17:24:21 -04:00
Christian Foerster
70e9c663bc
only change user PIN minimum requirement to 6
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2024-04-22 22:56:13 +02:00
Christian Foerster
408524fb31
Revert "UX improvements PIN questions"
This reverts commit ba20d98bdd.

Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2024-04-22 22:51:25 +02:00
Christian Foerster
0854f2ce80
Revert "fix small incongruency with previous commit"
This reverts commit be65c4be5b.

Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2024-04-22 22:51:17 +02:00
Christian Foerster
2828e2ca60
Revert "fix another small incongruency with previous commit"
This reverts commit cc70e772f8.

Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2024-04-22 22:50:34 +02:00
Christian Foerster
cc70e772f8
fix another small incongruency with previous commit
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2024-04-21 19:00:29 +02:00
Christian Foerster
be65c4be5b
fix small incongruency with previous commit
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2024-04-21 18:42:52 +02:00
Christian Foerster
ba20d98bdd
UX improvements PIN questions
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
2024-04-21 18:31:43 +02:00
Thierry Laurion
609a9db9eb
Merge pull request #1642 from tlaurion/improve_debug_with_output_of_do_with_debug
Improve DEBUG and DO_WITH_DEBUG output handling to also keep output of DO_WITH_DEBUG commands
2024-04-19 16:50:54 -04:00
Thierry Laurion
89a0c103ae
QEMU/KVM board configs: logical reorganization of requirements for board configs. Next step is creating fbwhiptail/whiptail/tpm1/tpm2 mk files and include them in all boards
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-19 15:52:50 -04:00
Thierry Laurion
fc874728f6
oem-factory-reset + seal-hotpkey: Give debug output to underatand in what state is the USB Security dongle
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-19 14:30:55 -04:00
Jonathon Hall
00ce2f4d1c
ash_functions: Log board and version when entering recovery shell
Log the board and version when entering the recovery shell.  Extract
the firmware version logic from init.

Currently this is the only way to get the debug log.  If we add a way
from the GUI, we may want to log the board and version somewhere else
too.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-04-19 14:16:41 -04:00
Jonathon Hall
a767347afd
kexec-boot: Only capture kexec -d output to log, not console/kmsg
LOG() is added to log to the log only (not kmsg, more verbose than
TRACE).

DO_WITH_DEBUG only captures stdout/stderr to the log with LOG().

kexec-boot silences stderr from kexec, we don't want it on the console.

No need to repeat the kexec command when asking in debug to continue
boot, it's no longer hidden behind verbose output from kexec.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-04-19 14:14:54 -04:00
Jonathon Hall
d3656bbe65
kexec-boot, functions: Restore eval and DO_WITH_DEBUG that were deleted
`eval "$kexeccmd"` should become `DO_WITH_DEBUG eval "$kexeccmd"` when
adding DO_WITH_DEBUG, command invocation is still the same, still needs
eval.

Restore DO_WITH_DEBUG in front of kexec-parse-boot that had been
removed.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-04-19 13:48:27 -04:00
Jonathon Hall
d8810b7032
functions: DO_WITH_DEBUG: Label stderr/stdout more clearly
"$1 err:" looked like an error, but often there's output on stderr
that's diagnostic (like kexec -d).  "$1 stderr:" is clearer.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-04-19 13:31:29 -04:00
Jonathon Hall
015af7e6c7
functions: Add visibility to DO_WITH_DEBUG without affecting command
DO_WITH_DEBUG traces command exit status (if failed), stdout/stderr (if
not empty), and PATH (if command was not found).  The caller still
observes the exit status, and stdout/stderr still go to the caller as
well.

This way, DO_WITH_DEBUG can be inserted anywhere with minimal spam in
the logs and without affecting the script.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-04-19 10:29:43 -04:00
Thierry Laurion
ae5f9c5416
Improve DEBUG and DO_WITH_DEBUG output handling to also keep output of kexec -l when BOARD is in DEBUG+TRACE mode (configuration settings menu + flash)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-18 16:30:13 -04:00
Thierry Laurion
82179e4e98
Merge pull request #1638 from tlaurion/move_sleep_for_proper_dongle_detection
BUGFIX: ash_functions: move sleep 2 after all usb modules being loaded
2024-04-15 17:55:57 -04:00
Thierry Laurion
67f1dae840
ash_functions: move sleep 2 after all usb modules being loaded
Otherwise we get ehci-pci and xhci_hcd kernel messages in dmesg debug AFTER "Verifying presence of GPG card" which explains why dongle might not be found in time and fails in oem-factory-reset

Fixes https://github.com/Nitrokey/heads/issues/48

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-12 17:05:29 -04:00
Thierry Laurion
fb5cbf41a1
kexec-insert-key: refactor tampering check for encrypted disk keys prior of TPM unsealing ops
move code from kexec-unseal-key to kexec-insert-key, address code review and apply verbiage suggestion changes

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-11 14:50:40 -04:00
Thierry Laurion
f6232aa70f
Change disk encryption -> LUKS Disk Key and other relative/relative verbiage, remove irrelevant DEBUG trace under kexec-unseal-key
TODO:
- $(pcrs) call sometimes fail in DEBUG call, outputting too many chars to be inserted in kmesg. Call removed here since redundant (PCR6 already extended with LUKS header)
- Notes added for TPM2 simplification over TPM1 in code as TODO

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-11 14:44:13 -04:00
Thierry Laurion
adda59c675
LUKS header change validation at both sealing and unsealing of TPM Disk Unlock Key.
Fixes linuxboot#1092.
Supersedes linuxboot#1093

- Cherry-picks ed1c23a (credit to @hardened-vault) thank you!)
- Addresses and correct self-review under linuxboot#1093 (@hardened-vault: you don't answer often here!)
  - kexec-unseal-key: Warn a user who attempts to default boot while his Disk Unlock Key passphrase fails to unseal because LUKS headers changed.
    (linuxboot#1093 (comment))
  - kexec-seal-key: Identical as in ed1c23a
  - kexec-add-key: Tell the user that the Headers did not change when changing TPM released Disk Unlock Key
    (Through changing default boot at Options->Boot Options -> Show OS boot options: select a new boot option
    and set a Disk Unlock Key in TPM, accept to modify disk and sign /boot options)
    - Here, we cancel the diff output shown on screen linuxboot#1093 (comment)
    - And we change the warning given to the user to past tense "Headers of LUKS containers to be unlocked via TPM Disk Unlock Key passphrase did not change."

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-11 14:44:07 -04:00
Thierry Laurion
8fcf1ddba8
Makefile: add real.gitclean target which calls 'git clean -fxd'
Ease cleaning up everything. IMOH better then real.clean target

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-11 14:39:11 -04:00
Thierry Laurion
be71430167
modules/tpm2-tools: Add TODO to uniformize live patching through sed calls as opposed to patch version specific autotools/configure scripts to force reproducible builds
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-09 12:39:20 -04:00
Thierry Laurion
ee1978ffc0
Merge pull request #1631 from 0xF4CED/tails-key-2024
Update tails.key
2024-04-04 14:45:15 -04:00