1635 Commits

Author SHA1 Message Date
Thierry Laurion
988b05f09d
Emergency revert of git apply instead of patch
2022-08-30 15:57:30 -04:00
tlaurion
48b9b74f39
Merge pull request #1201 from tlaurion/replace_patch_git_git_apply
Makefile: replace patch with git apply
2022-08-30 15:15:42 -04:00
tlaurion
c29c168176
Merge pull request #1009 from SergiiDmytruk/support-ppc64-arch
Support ppc64 arch
2022-08-30 12:50:29 -04:00
Sergii Dmytruk
f16e92792a
Support targeting PowerPC 64
This prepares most of the modules to be built for it.

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-08-25 20:55:39 +03:00
Sergii Dmytruk
2a44e5e7ee
Incorporate architecture into directory layout
* build/ -> build/<arch>/
* crossgcc/ -> crossgcc/<arch>/
* install/ -> install/<arch>/
* packages/ -> packages/<arch>/

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-08-25 20:55:39 +03:00
Sergii Dmytruk
5dc06bdbf1
Makefile: drop handling of $(TOOLCHAIN)
It came from https://github.com/osresearch/heads/pull/395 and was a
local workaround.

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-08-25 20:55:39 +03:00
Sergii Dmytruk
8944710033
Introduce $(board_build) variable
To be used in board configuration.  Expands to the path of the board's
build directory.  Also simplifies main Makefile a bit.

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-08-25 20:55:35 +03:00
Sergii Dmytruk
fa8e8843c6
Expand @VAR@ placeholders in configuration files
This makes configs much less dependent on directory layout.

As of this commit the following variables are supported:
 * @BOARD_BUILD_DIR@ - absolute path under build/
 * @BLOB_DIR@ - absolute path to blobs/

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-08-25 13:58:40 +03:00
tlaurion
c56e9d2917
Merge pull request #1188 from JonathonHall-Purism/qemu-testing-support
2022-08-24 18:56:32 -04:00
Jonathon Hall
2ca34803af
qemu: Add qemu-coreboot-whiptail-tpm1 configuration
This configuration uses a console interface instead of fbwhiptail, and
no USB token is required.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2022-08-24 13:04:07 -04:00
Jonathon Hall
ef3cd5c65f
qemu-coreboot-fbwhiptail-tpm1-hotp: Virtio video/storage, serial
Enable virtio video and storage.

Enable serial console and tweak kernel command line to show logs.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2022-08-24 13:04:07 -04:00
Jonathon Hall
64f194628f
qemu: Linux 5.10
Update to Linux 5.10 for improved virtio support.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2022-08-24 13:04:07 -04:00
Jonathon Hall
73eccb364a
qemu: Add qemu-coreboot-fbwhiptail-tpm1-hotp for complete testing in QEMU
Add qemu-coreboot-fbwhiptail-tpm1-hotp configuration, which has a 'run'
target to boot with a persistent TPM, disk, virtual USB disk, and USB-
forwarded token
Provide instructions for bootstrapping a complete working system in qemu

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2022-08-24 13:04:06 -04:00
Jonathon Hall
2d188e493d
build: Allow injecting GPG key at build time
flashrom doesn't work in qemu, so the firmware isn't able to update its
keyring.  Adding an already-provisioned key ahead of time works though.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2022-08-24 13:04:06 -04:00
Jonathon Hall
3e5fd6be75
qemu: Build ATA support into kernel, enable OHCI/UHCI
Set ATA and SATA configs to y, not m - modules weren't being loaded.  Other
configs also build these into kernel, so do the same for qemu.  Remove relevant
configs from boards since modules no longer need to be in initrd.

Enable OHCI and UHCI.  qemu forwards host USB devices over a UHCI controller.
This enables USB-forwarding a physical Librem Key or Nitrokey Pro to the VM.
Export CONFIG_LINUX_USB_COMPANION_CONTROLLER to have enable_usb() load the
modules - it wants both UHCI and OHCI modules, so build both.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2022-08-24 13:03:53 -04:00
tlaurion
f7facf042f
Merge pull request #1200 from SergiiDmytruk/optional-otp
init: assign CONFIG_TPM depending on /dev/tpm0 presence
2022-08-24 10:38:16 -04:00
Thierry Laurion
921daabdaf
Makefile: replace patch with git apply
Otherwise binary patches cannot be patched/created

Additional fixes needed
- flashrom patch was invalid and got caught by git apply. Correcting
- gpg2-2.2.21.patch was pointing to bad target. Correcting
2022-08-21 14:28:30 -04:00
Sergii Dmytruk
75748e86b7
gui-init: fix TOTP/HOTP initialization on missing OS
Skip only GPG key check, but always init TOTP and HOTP.

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-08-21 00:05:20 +03:00
Sergii Dmytruk
b989889e5f
init: assign CONFIG_TPM depending on /dev/tpm0 presence
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-08-20 23:56:47 +03:00
tlaurion
4ca4656cf9
Merge pull request #1199 from tlaurion/CircleCI_Makefile_part_of_measured_files_in_cache_usage
.circleci/config.yml: Add Makefile as part of measured files for cache downloads
2022-08-16 18:14:25 -04:00
Thierry Laurion
9f75fa2362
.circleci/config.yml: Add Makefile as part of measured files for cache downloads
Global Makefile is the most effective modifier of builds.
As soon as the global Makefile changes, caches that measured a different Makefile should not be reused
2022-08-16 17:33:41 -04:00
tlaurion
160b3d19e7
Merge pull request #1196 from JonathonHall-Purism/dropbear-mirror
dropbear: Use mirror, main host is down
2022-08-02 17:42:47 -04:00
Jonathon Hall
2c3244f48d
dropbear: Use mirror, main host is down
Switch to mirror https://mirror.dropbear.nl/

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2022-08-02 17:35:18 -04:00
tlaurion
21505aa5dd
Merge pull request #1194 from Unb0rn/ecc_fix
EC keys support
2022-07-29 11:48:01 -04:00
Victor Bessonov
a221321b6a
Allow gpg to select digest algo
EC signatures require that the digest has the corresponding length. Removing the hardcoded sha2-256 hash function and adding support for sha2-384 and sha2-512 should allow using EC crypto.
2022-07-23 01:10:52 +03:00
tlaurion
2cfa94003b
Merge pull request #1178 from tlaurion/remove_gawk_make_local_build-fix_xx30_maximized-boards_produce_top_bottom_hashes
Remove local gawk and make builds, add xx30 top and bottom hashes under hashes.txt
2022-06-28 12:46:41 -04:00
tlaurion
7c69167e2a
Merge pull request #1183 from tlaurion/QrCode_named_after_boardname
gui-init: Have TPMTOTP QrCode named under TOTP app with $BOARD_NAME
2022-06-23 14:20:11 -04:00
Thierry Laurion
ba9235abcb
xx30 boards: add top bottom roms statements to get hashes under hashes.txt
2022-06-23 11:05:53 -04:00
Thierry Laurion
bf415a8d69
Remove local build of gawk make
-Makefile: remove local gawk and make version compare and local build
-modules: remove gawk and make
-patches: remove make

local make was added to build 4.2.1 on OSes that had older versions. It was then patched to be built on OSes having a newer buildstack.
local gawk was added when the GPG toolstack was older than libgpg-error 1.37. The GPG toolstack was then upgraded, but local gawk stayed.

Removing those permits better parallelization of builds and reduces race conditions and stalled builds on CircleCI (and higher core count systems)
2022-06-23 10:51:13 -04:00
tlaurion
d6dfe9328d
Merge pull request #1182 from tlaurion/CircleCI-remove_coreboot_411_boards
CircleCI: Remove coreboot 4.11 builds
2022-06-22 22:01:57 -04:00
tlaurion
46414fa4a2
Changing landing picture to show FBWhiptail
2022-06-22 16:47:05 -04:00
Thierry Laurion
cc28121beb
gui-init: Have TPMTOTP QrCode named under TOTP app with $BOARD_NAME
2022-06-22 16:43:29 -04:00
Thierry Laurion
af26a7ef0c
CircleCI: Remove coreboot 4.11 builds
Coreboot 4.11 boards are not properly building as of now.
coreboot.pre fails to depend on .car.data because of a race condition that can only be mitigated by single threading CPUS=

This is unrelated to other changes.
KGPE-D16 will soon enough depend on dasharo coreboot and be ported upstream later on.
2022-06-22 16:30:05 -04:00
tlaurion
8760551e70
Merge pull request #1174 from tlaurion/mbetls_move_archive_dl_github
modules/mbedtls: move dl from tls.mbed.org to github
2022-06-17 18:57:14 -04:00
Thierry Laurion
b6651ee8ec
modules/mbedtls: move dl from tls.mbed.org to github
- licensing change to APACHE 2.0
- sha256sum changed too

TODO: bump version to 3.1+, not trivial.
2022-06-17 10:15:00 -04:00
tlaurion
2ddc559653
Merge pull request #1171 from tlaurion/oem-system-info-xx30_fix_missing_exec_mode
oem-system-info-xx30: fix missing exec mode on shell script
2022-06-15 16:13:49 -04:00
Thierry Laurion
810daebc58
oem-system-info-xx30: fix missing exec mode on shell script
2022-06-15 15:40:37 -04:00
tlaurion
55b51610fb
Merge pull request #1164 from tlaurion/system_info_improvements
System info improvements (under separate oem-system-info-xx30 script)
2022-06-13 14:36:30 -04:00
Thierry Laurion
7548580450
create oem-system-info-xx30 (w/trackpad info)
- Take System Info changes from 06311ff068 (Thanks to @nestire)
- Move changes to separate script under /bin/oem-system-info-xx30
- Add additional camera and wifi card IDs, add synaptic touchpad detection if kernel has module built in

Above changes squashed in this commit.
2022-06-10 10:00:25 -04:00
Thierry Laurion
8e1eeebdee
maximized boards: add ps2mouse modules to maximized kernel cfg
2022-06-10 09:56:36 -04:00
Thierry Laurion
0bfd696fbf
xx20 and xx30: split kernel configs to legacy and maximized and board configs point to them
2022-06-10 09:52:07 -04:00
tlaurion
5a6af8f13d
Merge pull request #1168 from tlaurion/oem-factory-reset_circumvent-hotp-sealing-bug_with-gpg-admin-pin-gt-25-chars
bin/oem-factory-reset: prevent users from choosing a GPG Admin PIN > 25 chars, which would fail HOTP sealing
2022-06-02 17:22:48 -04:00
Thierry Laurion
32e7031678
bin/oem-factory-reset: prevent users from choosing a GPG Admin PIN > 25 chars, which would fail HOTP sealing
Fixes https://github.com/osresearch/heads/issues/1167
Circumvents https://github.com/Nitrokey/nitrokey-pro-firmware/issues/32
Adds validation so user cannot enter GPG User PIN > 64 while we are at it.

Note that GPG PINs can be up to 64 characters.
But GPG Admin PIN will fail HOTP sealing with a GPG Admin PIN of more than 25 chars.

Edit: change upstream error to firmware issue, not nitrokey-app.
2022-06-02 14:08:39 -04:00
tlaurion
d285401369
Merge pull request #1163 from tlaurion/remove_fedora_public_key
Remove fedora public key. They don't detach sign ISOs since before 2020.
2022-05-17 18:57:48 -04:00
Thierry Laurion
4b9757ceef
Remove fedora public key. They don't detach sign ISOs since before 2020.
2022-05-17 15:54:21 -04:00
tlaurion
79486b5dc8
Merge pull request #1162 from tlaurion/oem-factory-reset_passwd_change-without_reencryption-fix
bugfix: oem-factory-reset - permit LUKS passphrase change without reencryption
2022-05-03 21:07:26 -04:00
Thierry Laurion
dd0e4b0a8d
luks-functions: typo correction and consistent warnings across functions.
2022-05-03 16:45:20 -04:00
Thierry Laurion
37bb4906ce
oem-factory-reset: fix bug where it was impossible to just change LUKS passphrase without reencrypting encrypted container.
Since /etc/luks-functions are currently exporting passphrases tested good per cryptsetup to be reused in the code,
the logic calling both luks_reencrypt and luks_change_passphrase testing for non-empty luks_current_Disk_Recovery_Key_passphrase
was bogus.

This commit includes a new variable luks_new_Disk_Recovery_Key_desired which is set when reencryption is desired.
The 3 use cases (reencrypt+passphrase change, reencrypt no passphrase change, and passphrase change alone) now only test
for luks_new_Disk_Recovery_Key_desired and luks_new_Disk_Recovery_Key_passphrase_desired, nothing else.
2022-05-03 16:41:07 -04:00
tlaurion
46d64e9f16
Merge pull request #1160 from tlaurion/gen_mac_address_for_maximized_boards
Add Heads mac address randomization for maximized boards
2022-05-02 13:08:59 -04:00
Thierry Laurion
e60287fa1d
bin/network-init-recovery: generate random MAC and set it to eth0
network-init-recovery can be used to automatically set RTC clock to obtained NTP clock.
The script would fail if other devices previously registered on the network with the same MAC.
Consequently, maximized boards are detected here, and a full random MAC is generated and used instead of using hardcoded DE:AD:C0:FF:EE.
2022-04-29 10:26:12 -04:00