Commit Graph

2132 Commits

Author SHA1 Message Date
Jonathon Hall
206d59dc71
Add USB autoboot feature to PureBoot Basic
USB autoboot automatically boots to a USB flash drive if one is present
during boot.  This is intended for headless deployments as a method to
recover the installed operating system from USB without needing to
attach a display and keyboard.

USB autoboot can be controlled in config.user and the config GUI.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:46 -04:00
Jonathon Hall
b0e0a91c97
Add PureOS signing key
Add the PureOS archive signing key to the keys accepted for signed
ISOs.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:46 -04:00
Kyle Rankin
79da79a5e4
Implement Restricted Boot Mode
Restricted Boot mode only allows booting from signed files, whether that
is signed kernels in /boot or signed ISOs on mounted USB disks. This
disables booting from arbitrary USB disks as well as the forced "unsafe"
boot mode. This also disables the recovery console so you can't bypass
this mode simply by running kexec manually.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:45 -04:00
Matt DeVillier
4bc6159ab6
Add PureBoot Basic Mode
PureBoot Basic mode provides the full Linux userspace in firmware from
Heads without requiring verified boot or a Librem Key.  Basic and
verified boot can be switched freely without changing firmware, such as
if a Librem Key is lost.

PureBoot Basic can apply firmware updates from a USB flash drive, and
having a complete Linux userspace enables more sophisticated recovery
options.

Basic mode boots to the first boot option by default, setting a default
is not required.  This can be configured in the config GUI.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:45 -04:00
Matt DeVillier
a5238b5823
config/coreboot.{librem_14,mini_v2}: enlarge CBFS for blob jail
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2023-06-21 13:26:45 -04:00
Jonathon Hall
468643ee82
functions: Add toggle_config function for use in config GUI
toggle_config() toggles the value of a config.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:44 -04:00
Jonathon Hall
39c655ae1d
Add load_config_value() and get_config_display_action()
Add these two functions for use in config-gui.sh for future toggles.

load_config_value() obtains the value of a config setting, defaulting
to 'n'.  get_config_display_action() displays 'Enable' or 'Disable'
depending on the current value.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:44 -04:00
Jonathon Hall
606c29f0ec
Extract enable_usb_storage() from mount-usb
enable_usb_storage() inserts usb-storage.ko if not already loaded, then
waits for USB storage devices to appear.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:44 -04:00
Jonathon Hall
b365f1324a
Extract pause_automatic_boot() from gui-init to gui_functions
pause_automatic_boot() prompts that an automatic boot is about to occur
and allows the user to interrupt it.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:43 -04:00
Jonathon Hall
5d7afa2e02
kexec-select-boot: Extract boot menu scanning logic
Move boot menu scanning logic to scan_boot_options() in /etc/functions

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:43 -04:00
Jonathon Hall
3a917bb90b
config-gui.sh: Extract utilities from config-gui.sh
Extract utilities from config-gui.sh for use in additional config
settings.  read_rom() reads the current ROM with a message for failure.
replace_rom_file() replaces a CBFS file in a ROM.  set_config() sets a
configuration variable in a file.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:43 -04:00
Matt DeVillier
14a5d19f1f
Move show_system_info() from gui-init to gui-functions
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2023-06-21 13:26:42 -04:00
Matt DeVillier
0967fe3201
configs/busybox: enable lzma (de)compression
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2023-06-21 13:26:42 -04:00
Matt DeVillier
3191bfbdaf
oem-factory-reset: Add 'use defaults' prompt to simplify user options
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2023-06-21 13:26:42 -04:00
Matt DeVillier
3766d32034
board/librem_{13/14/15/mini}: Use Purism repo for coreboot
Use Purism's repo for all Librem boards other than the Librem Server L1UM.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2023-06-21 13:26:41 -04:00
Matt DeVillier
1ea5f3bd6b
modules/coreboot: Allow building from Purism's coreboot git repo
Use commit hash from 4.16-Purism-1 tag.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2023-06-21 13:26:41 -04:00
Kyle Rankin
efc49c7425
Add Root file hash feature
Currently Heads will check files in /boot for tampering before booting
into a system. It would be nice if you could use the trusted environment
within Heads and extend this to check files in / itself. This new script
adds that functionality, however due to the length of time it takes to
perform these kinds of checks, it doesn't run automatically (yet).

This feature can be configured from the config GUI - the root device/
directories to check can be set, and it can be configured to run during
boot.

To make this a bit easier to use, I added a feature to detect whether
the hash file exists and if not, to display a more limited menu to the
user guiding them to create the initial hash file. Otherwise it will
display the date the file was last modified, which can be useful to
determine how stale it is.
2023-06-21 13:26:37 -04:00
tlaurion
db20f78357
Merge pull request #1418 from tlaurion/qemu-coreboot-tpm1_config-fix 2023-06-21 12:40:04 -04:00
Thierry Laurion
2dcf7fbd77
coreboot-qemu-tpm1.config: TPM1 coreboot activation got lost in last commit. Sorry 2023-06-21 11:44:06 -04:00
tlaurion
6ec0c81443
Merge pull request #1373 from tlaurion/io386_remake 2023-06-20 20:02:34 -04:00
Thierry Laurion
995a6931f1
config-gui.sh: permit io386 platform locking to be dynamically disabled at runtime
ash_functions: make sure /tmp/config is sourced before going to recovery shell
TODO: revisit https://source.puri.sm/firmware/pureboot/-/blob/Release-27/initrd/bin/config-gui.sh#L33 to have proper config store later on
2023-06-20 12:42:12 -04:00
Thierry Laurion
39bb6ea313
lock_chip: parametrize locking in function of board config exported config option
kexec-boot: depend on io386 presence and board config option to call lock_chip
2023-06-20 12:40:00 -04:00
Thierry Laurion
9830c6c4ed
io386 platform lockdown: enable on sandy/ivy/haswell maximized board configs 2023-06-20 12:36:45 -04:00
Matt DeVillier
d094dcd346
gui-init/seal-libremkey: reduce friction when generating new secret
Reduce friction when generating a new TOTP/HOTP secret by eliminating
an unnecessary 'press enter to continue' prompt following QR code
generation, and by attempting to use the default admin PIN set by
the OEM factory reset function. Fall back to prompting the user
if the default PIN fails.

Also, ensure error messages are visible to users before being returned
back to the GUI menu from which they came by wrapping existing calls to die().

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2023-06-14 09:58:35 -04:00
Kyle Rankin
d937426306
Use the Librem Key as a TPM work-alike in the absence of a TPM
On machines without a TPM, we'd still like some way for the BIOS to
attest that it has not been modified. With a Librem Key, we can have the
BIOS use its own ROM measurement converted to a SHA256sum and truncated
so it fits within an HOTP secret. Like with a TPM, a malicious BIOS with
access to the correct measurements can send pre-known good measurements
to the Librem Key.

This approach provides one big drawback in that we have to truncate the
SHA256sum to 20 characters so that it fits within the limitations of
HOTP secrets. This means the possibility of collisions is much higher
but again, an attacker could also capture and spoof an existing ROM's
measurements if they have prior access to it, either with this approach
or with a TPM.

Signed-off-by: Kyle Rankin <kyle.rankin@puri.sm>
2023-06-14 09:58:34 -04:00
Thierry Laurion
a598ba6e57
modules/io386: fixate to latest commit id and optimize for space 2023-06-12 13:51:58 -04:00
Thierry Laurion
699a961381
io386: replace check for io386 to call lock_chip by a single common call from kexec-boot prior to real kexec 2023-06-12 13:51:20 -04:00
persmule
3f1c76ce11
Introduce io386 to heads and use it to finalize chipset at runtime
On some newer platforms of Intel (confirmed on Nehalem, Sandy/Ivy
bridge), coreboot after commit [2ac149d294af795710eb4bb20f093e9920604abd](https://review.coreboot.org/cgit/coreboot.git/commit/?id=2ac149d294af795710eb4bb20f093e9920604abd)
registers an SMI to lockdown some registers on the chipset, as well
as access to the SPI flash, optionally. The SMI will always be triggered
by coreboot during S3 resume, but can be triggered by either coreboot
or the payload during normal boot path.

Enabling lockdown access to SPI flash will effectively write-protect it,
but there is no runtime option for coreboot to control it, so letting
coreboot trigger such an SMI will leave the owner of the machine without
any possibility to program the SPI flash with its own OS, which becomes
a nightmare if the machine is not easy to disassemble. So a scheme could
be implemented, in which the SMI to lock down the chipset and SPI flash is left
for a payload to trigger, and temporarily disabling such triggering in
order to program the SPI flash needs authentication.

I have implemented a passcode-protected runtime-disableable lockdown
with grub, described [here](https://github.com/hardenedlinux/Debian-GNU-Linux-Profiles/blob/master/docs/hardened_boot/grub-for-coreboot.md#update-for-coreboot-after-commit-2ac149d294af795710eb4bb20f093e9920604abd). In order to implement a similar scheme for
Heads, I wrote [io386](https://github.com/hardenedlinux/io386).

With this commit, io386 will be called before entering boot routine
to trigger the SMI to finalize the chipset and write protect the SPI
flash at the same time. Entering recovery shell will leave the flash
writable.

(The authentication routine implemented in previous revisions has been
split as an independent commit.)

Originally proposed under PR#326
2023-06-12 13:05:49 -04:00
tlaurion
3b3c49b026
Merge pull request #1411 from Dasharo/fix-tpm
Talos-II vs. TPM
2023-06-09 17:07:55 -04:00
Sergii Dmytruk
b9d2c1a612
Patch coreboot to use /usr/bin/env in skiboot for Talos-II board
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2023-06-09 21:25:49 +03:00
Sergii Dmytruk
0a1e47f585
Makefile: autoupdate and checkout git clones of modules
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2023-06-09 21:25:08 +03:00
Sergii Dmytruk
abd99a0f28
initrd/bin/talos-init: disable fast-reset
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2023-06-07 01:10:14 +03:00
Sergii Dmytruk
71b0f8dac9
boards/talos-2/talos-2.config: enable powerpc-utils
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2023-06-07 01:10:14 +03:00
Sergii Dmytruk
62e1899367
modules/powerpc-utils: add
This provides nvram tool that allows manipulating configuration of
skiboot.

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2023-06-07 01:10:13 +03:00
Sergii Dmytruk
3df4a45477
modules/coreboot: update coreboot
* Properly initialize sensor IDs of 2nd CPU to fix fan control.
* Use 2s delay for I2C communications with TPM in OPAL (configured in
  device tree).
* Stop building unused parts of skiboot using host GCC.

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2023-06-07 01:09:42 +03:00
Sergii Dmytruk
17f652da3b
config/linux-talos-2.config: don't enable IMA
It only extends PCR10 and logs it separately.

Added entries are to compensate for disabling IMA, which selects those config
options.

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2023-06-06 00:49:07 +03:00
Thierry Laurion
7b949a1a44
initrd/bin/seal-totp: PCR0-4 cannot be expected to be 0 on PPC64.
Seal with extended PCR values, expected to be the same at unseal-totp operation
2023-06-04 20:20:46 +03:00
Thierry Laurion
92cddb315f
boards/talos-2/talos-2.config : sda1 will never be a boot device
/dev/nvme0n1p2 expected to contain /boot/grub dir
2023-06-04 20:20:46 +03:00
tlaurion
21b87ff7d2
Merge pull request #1410 from tlaurion/QubesOS_update_weekly_ISO_signing_keys
Qubes weekly signing key has changed. Removed testing and replaced.
2023-05-24 13:56:01 -04:00
Thierry Laurion
d917ca1c96
Qubes weekly signing key has changed. Removed testing and replaced.
Already minimized and cleaned upstream, taken from https://qubes.notset.fr/iso/ today
2023-05-24 12:13:07 -04:00
tlaurion
b70547f188
Merge pull request #1401 from daringer/fix-makefile
Makefile: adapt cleaning targets for arch directory
2023-05-09 14:09:11 -04:00
Markus Meissner
3ea82ec31e
Makefile: adapt cleaning targets for arch directory 2023-05-09 17:50:49 +02:00
tlaurion
bc148f1341
Merge pull request #1397 from danielp96/fbwhiptail-reproducibility 2023-05-06 11:08:29 -04:00
Daniel Pineda
ca00952048
modules/fbwhiptail: Update for reproducibility
Updated to reproducible version of fbwhiptail.
Added flags to remove debug info.
Updated url to current one instead of going through redirect.

Signed-off-by: Daniel Pineda <daniel.pineda@puri.sm>
2023-05-04 13:14:26 -06:00
tlaurion
3c98f080e4
Merge pull request #1394 from srgrint/linux_4.14_patch_for_use_after_free_realloc
backport upstream patch for 4.14.62.  Allows building on debian 12
2023-05-03 10:52:41 -04:00
srgrint
09f3984020
backport upstream patch for 4.14.62. Allows building on debian 12 2023-05-02 20:49:34 +01:00
tlaurion
87871ad18d
Merge pull request #1393 from tlaurion/linux_5.10.5_patch_for_use_after_free_realloc 2023-05-02 13:02:26 -04:00
Thierry Laurion
e8bc15ee60
linux 5.10.5: backporting linux upstream patch for 5.10.5 (libsubcmd fix use after free for realloc)
Permits building on top of debian-12 (testing), which fails to build since detecting bug.
2023-05-02 10:29:24 -04:00
tlaurion
ab1faf5389
Merge pull request #1378 from JonathonHall-Purism/kexec-framebuffer-graphics 2023-04-28 17:34:32 -04:00
tlaurion
bdcc556e2b
Merge pull request #1377 from tlaurion/iso_boot_debugging_and_fixes 2023-04-28 16:56:21 -04:00