Update hash for coreboot module, coreboot-blobs.
Adjust extra flags to address SNB/IVB build issue.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
CircleCI: We currently drop coreboot 4.11 builds.
- There is a file missing in the builds. Not sure why/how this is happening
src/soc/intel/fsp_broadwell_de/romstage/romstage.c:41:10: fatal error: build.h: No such file or directory
Example:https://app.circleci.com/pipelines/github/tlaurion/heads/877/workflows/7d0248d2-459c-42ad-b741-8fd56a75d527/jobs/2487
- kgpe-d16_workstation building for all GPUs is unfortunately taking too much time to build (40 minutes).
- Not sure why, but it seems that the kernel build paralellization is not working for 4.11 while it works for 4.13
Makefile: Uncomment MAKE_JOBS which passes the number of jobs to numbers cores by default and --max-load of 16
CircleCI: Remove CPUS statement to use Makefile default
modules/newt: force build with one make job, otherwise there is a race condition in module which fails randomly expecting build modules. (TODO: FIX)
Interestingly, building all coreboot 4.13 boards is happening on a clean commit just above 1h limit.
More details:
- CircleCI changed job build time to a maximum of 1h each.
- CircleCI now permits parallelization of 30 jobs
- 6000 build minutes a month.
- Still waiting for osresearch/heads CircleCI project to be unlocked (currently not recognized as open source project?!)
Readd https://github.com/osresearch/heads/pull/984 without cache
Add kgpe-d16 musl-cross target prior of having kgpe-d16 depend on musl-cross target (To try to have musl-cross step successfull under 1h CircleCI new limit)
CircleCI: add a subcommand that can follow a target (to build musl-cross-make now and coreboot version specific musl-cross later)
Output of hashes is now optional
29/11/2021 CircleCI public information available states parallelization of up to 30 jobs at a time. Let's play
- We first build heads musl-cross-make and persist (passing musl-cross-make into next job)
- We then build per coreboot version board with coreboot make statement only and persist (passing musl-cross-make + coreboot's musl-cross buildstack)
- We then build per coreboot version board (reusing past build musl-cross-make and coreboot's version musl-cross buildstack)
Remove 4.11 boards for the moment to test only build time and parallelization
Update version, download hash, patch filename.
Fixes some IOMMU-related issues on Librem Mini v1/v2, L14
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* Flashrom was being fetched with git and was always using `master`
* No patches were being applied (i.e. `0100-enable-kgpe-d16.patch` was being ignored).
- update module hash and blobs hash
- drop patches no longer needed; migrate those that remain
- adjust Librem Mini/Mini v2 board configs
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* modules/linux: add support for building with kernel 5.4.69
Add support to module, port patches from 4.19.139.
Needed for newer platforms not supported by 4.19 kernel.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* CircleCI: add rysnc dependency for building kernel 5.x
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* Migrate all Librem boards to kernel 5.x, common config
Update linux-librem_common.config from 4.x to 5.x, and add
CONFIG items needed to support the librem_l1um (AST DRM drivers,
serial port output).
Tested on Librem 13v4, Librem Mini, and Librem Server L1UM.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* config/coreboot-*: drop CONFIG_LOCALVERSION
Will be injected as part of the build using $(HEADS_GIT_VERSION)
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* modules/coreboot: inject $(HEADS_GIT_VERSION) as CONFIG_LOCALVERSION
Needed for fwupd to handle board updates
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* modules/coreboot: override SMBIOS ProductName with $(BOARD)
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* Use $(BOARD)-$(HEADS_GIT_VERSION) as basis for output filename
makes builds uniquely identifiable based on board and version.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Increase size of CBFS to 0xC00000 (from 0x800000) to accomodate
newer/larger kernels.
Update purism-blobs module so an update/modified IFD and smaller
ME blob are used.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* add x230-nkstorecli board;
* add modules: nkstorecli, libnk, libhidapi-libusb
* version bump nkstorecli; related minor in libnk
* upd. libnk module version bump to 3.6; remove 3.5 patch
* modules/coreboot: add option to use coreboot 4.11
Port patches from coreboot 4.8.1 to 4.11:
* 0000-measure-boot -> 0001
* 0010-cross-compiler-support
All other patches for coreboot 4.8.1 have either already been
integrated, or are for platforms which do not need to be migrated
to coreboot 4.11 (they will move to 4.12 or newer).
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* patches/coreboot-4.11: Add Broadwell-DE platform patch
Add a patch for FSP Broadwell-DE to make use of Heads' measured boot.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* patches/coreboot-4.11: Add patch to read serial # from CBFS
Will be used by multiple Librem boards.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* patches/coreboot-4.11: add board support for Librem Server L1UM
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* Librem Server L1UM: add new board
Add board config, coreboot config, kernel config files.
Add conditional purism-blobs dependency to coreboot-4.11 module.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* flash.sh: add special handling for librem_l1um board
Add support for persisting PCIe config via PCHSTRP9 in flash descriptor.
This is needed to support multiple variants of the L1UM server which
use the same firmware but differ in PCIe lane configuration via the
PCH straps configuration in the flash descriptor.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* patches/coreboot-4.11: Add 'Use PRIxPTR to print uintptr_t' patch
Cherry-picked from upstream coreboot (post-4.11), fixes compilation issue.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* CircleCI: add target to build board librem_l1um
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Update to upstream flashrom (post v1.2) commit 4d3657b4:
Add support for Comet Lake-U/400-series PCH
kgpe-d16 patch from flashrom 1.2 still applies cleanly.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* patches/coreboot-4.12: add cross-compiler support patch
Ported from coreboot-4.8.1, re-exported via `git diff`
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* modules/coreboot: use musl-cross-make to build
revert toolchain bits to pre-4.12 addition
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* config/coreboot-librem_mini: use CONFIG_ANY_TOOLCHAIN
Needed since coreboot 4.12 now built with musl-cross-make
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* patches/coreboot-4.12: Add patch for Cannonlake ME status
Add patch print ME status regardless of enablement state
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* modules: add purism-blobs module
Rather than require users to manually run a script to download the required
blobs to build Purism Librem boards, automate it so the correct version
is automatically downloaded/extracted. Restrict to coreboot 4.12 for now
since 4.8.1 still needs FSP blobs, which are not in module.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* configs/linux-librem13v2: unset CONFIG_RETPOLINE
Fixes compilation issue with newer kernels, ignored by older ones
which don't need it
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* Add new board: Librem Mini
Add Librem Mini board patch for coreboot 4.12, board config and
coreboot config. Continue reusing existing librem13v2 Linux config,
same as all other Librem boards currently. Use new purism-blobs module.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* board/librem*: rename for consistency
Use 'librem_<board>' notation for consistency across all models.
Rename linux config file since used by multiple Librem models.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* CircleCI: add librem_mini board to test
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* modules/linux: Add support for multiple kernel versions
Follow same pattern as used for coreboot. Add existing kernel version
as default for all existing boards.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* modules/linux: Add option to use 4.19 LTS kernel
Add option to use kernel 4.19.139 (current LTS version).
Duplicate existing patches from 4.14.62 as they all apply cleanly.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* CircleCI: debian:10 docker based. Give possitility to override CACHE_VERSION through CircleCI when needed
* Makefile: fix#799 with implementation of @osresearch's recommended https://github.com/osresearch/heads/issues/799#issuecomment-673059028
* modules/coreboot : indentation fix and putting version hashes together to facilitate future maintainership.
Add version and hash for coreboot and coreboot-blobs modules.
Adjust to use own toolchain, fix blobs path and extraction depth.
Test: build Librem 13v4 using both coreboot 4.8.1 and coreboot 4.12
(after adjusting board defconfig), verify correct toolchains used to
build each, and that teh result is a bootable ROM.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Update to nitrokey-hotp-verification master (c0956cf) and drop
existing patch which is no longer needed.
Test: clean build for Librem 13v2
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
This reverts commit 972c25de7d.
This commit broke OEM factory reset functionality, so revert it
until the issue can be properly diagnosed.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
- Update flashrom module to v1.2.
- Drop Thinkpad x220 patch as it's now properly supported.
- Drop 'laptop=force_I_want_a_brick' from board FLASHROM_OPTIONS
since it's no longer needed.
- Migrate kgpe-d16 patch.
The kgpe-d16 patch needed a complete overhaul when rebased against
flashrom v1.2, and needs close inspection/testing as a result.
The following changes were made from the previous patch:
- dropped addition of 4-byte addressing (4BA), since now supported
- dropped addtiion of Macronix MX25L256 and MX66L512 chips,
since now supported
- added 4BA erase commands for Winbond W25Q256 chip
- dropped code to show progress indicator, since another PR already adds that
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Modeled after modules/tpmtotp, use a specific git commit hash for
module libremkey-hotp-verification. Add hidapi as a submodule with
dummy/placeholder in modules (like coreboot-blobs), also specified
by git commit hash. Adjust libremkey-hotp-verification patch file
name so patch applied properly.
Addresses issue #640
Test: build Librem 13v4
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Pass through new toolchain path via $(CROSS) so we can set the
c/c++ compiler paths correctly for CMake. Adjust patch to use
new paths, and fix compiler/linker paths to correct a libusb linking issue.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
The short commit id can cause the tar archive potentially cause
the root directory in the archive to be named with the short id
causing the verification to fail
Add `--strip 1` to tar file extraction in the `Makefile`,
which ensures that the directory name in `build/` will
match the one listed in `$($(MODULE)_dir)`.
Signed-off-by: Trammell hudson <hudson@trmm.net>
Launchpad offers HTTPS downloads, whereas other more obvious mirrors
(like the one used originally, as well as rpm5.org) do not.
Note: it is unclear to whether Launchpad's tarballs will always match
the checksum from upstream tarballs. However, at least for 1.16, this
condition does indeed seem to hold true. Homebrew, FWIW, lists OpenBSD
as a mirror:
https://github.com/Homebrew/homebrew-core/blob/master/Formula/popt.rb
The new URL automatically redirects to a nearby, current GNU mirror.
Also, the fact that it's HTTPS helps with restrictive outbound
firewall policies that disallow plaintext traffic (for example,
using Qubes' firewall functionality).
The current source URL is not available anymore.
kakaroto changed his copy of heads to point to his own github account's fbwhiptail:
b13cc5e68d
But it seems that source.puri.sm/coreboot is a more accessible home for the
project.
This reduces the amount of noise in the Linux kernel config files
by only storing the differences from the stock configuration.
It adds a new makefile target 'linux.saveconfig' to convert the
build tree's .config file into config/linux-linuxboot.config.
The Librem Key is a custom device USB-based security token Nitrokey is
producing for Purism and among other things it has custom firmware
created for use with Heads. In particular, when a board is configured
with CONFIG_LIBREMKEY, this custom firmware allows Heads to use the
sealed TOTP secret to also send an HOTP authentication to the Librem
Key. If the HOTP code is successful, the Librem Key will blink a green
LED, if unsuccessful it will blink red, thereby informing the user that
Heads has been tampered with without requiring them to use a phone to
validate the TOTP secret.
Heads will still use and show the TOTP secret, in case the user wants to
validate both codes (in case the Librem Key was lost or is no longer
trusted). It will also show the result of the HOTP verification (but not
the code itself), even though the user should trust only what the Librem
Key displays, so the user can confirm that both the device and Heads are
in sync. If HOTP is enabled, Heads will maintain a new TPM counter
separate from the Heads TPM counter that will increment each time HOTP
codes are checked.
This change also modifies the routines that update TOTP so that if
the Librem Key executables are present it will also update HOTP codes
and synchronize them with a Librem Key.
