Commit Graph

2638 Commits

Author SHA1 Message Date
Thierry Laurion
80284ff246
.circleci/config.yml: bump to v0.2.0 docker image based on flake.nix's new nss inclusion required for coreboot 24.02+
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-06-20 13:54:20 -04:00
Maciej Pijanowski
fd98c8d0d9
nitropad-nx: use standard shutdown/reboot commands
This commit effectively reverts commits a1c13ff and 902866cc. There is
no need for this special EC-based poweroff command. See more details in
issue linked below.

Fixes: https://github.com/Dasharo/dasharo-issues/issues/711

Signed-off-by: Maciej Pijanowski <maciej.pijanowski@3mdeb.com>
2024-06-20 18:27:05 +02:00
Jonathon Hall
2ba56d1304
modules/coreboot: 24.02.01-Purism-1, remove CFLAGS overrides, needs nss
Update Purism coreboot to 24.02.01-Purism-1.

Remove CFLAGS overrides when building coreboot.  These overrides break
24.02.01, which added (and needs) --param=min-pagesize=1024.  This has
happened repeatedly in the past since Heads has to duplicate coreboot's
CFLAGS if it overrides them.

Specifically, the build fails with this error:
src/commonlib/include/commonlib/endian.h:27:26: error: array subscript 1 is outside array bounds of 'void[0]' [-Werror=array-bounds=]
   27 |         *(uint8_t *)dest = val;
      |         ~~~~~~~~~~~~~~~~~^~~~~
In function 'setup_default_ebda':
cc1: note: source object is likely at address zero

That's because coreboot is attempting to write to EBDA at physical
address 0x40e, just above 1024.  That is a valid address for x86, but
it's too close to 0 by default for GCC; --param=min-pagesize=1024
allows writes to physical addresses above 1024.

coreboot shouldn't need any of the usual Heads CFLAGS overrides for
reproducibility; it is already reproducible.

Fix indentation in modules/coreboot.  Make accepted it before because
the indented lines followed a variable assignment, so they couldn't
be part of a recipe.  That assignment is now gone, so they're now
interpreted as part of a recipe for the `.configured` target just above;
they should not be indented.

Add nss to flake.nix, needed as of 24.02.01.

Update Librem coreboot configs for 24.02.01-Purism-1.  Notably, the
board Kconfig changed for Mini v2 in coreboot, so this is needed for
correct builds.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-06-19 12:38:45 -04:00
Thierry Laurion
156d2c80dd
Merge pull request #1702 from JonathonHall-Purism/librem_l1um_ci
circleci: Add Librem L1UM to CI, in front of unmaintained 4.11 boards
2024-06-19 09:05:55 -04:00
Jonathon Hall
b0b3449367
circleci: Add Librem L1UM to CI, in front of unmaintained 4.11 boards
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-06-18 16:34:33 -04:00
Thierry Laurion
d9a0caca13
Merge pull request #1700 from JonathonHall-Purism/coreboot_purism_4.22.01-Purism-1
Update Purism coreboot to 4.22.01-Purism-1
2024-06-13 11:15:40 -04:00
Jonathon Hall
a15f77e336
config/coreboot-librem_11.config: intel_iommu=igfx_off on Heads cmdline
intel_iommu=igfx_off is needed on the Heads kernel command line for
memtest86+ to work.  Without this parameter, the screen blanks when
memtest86+ starts testing.

This is unique to Librem 11, probably because it is the only device
using FSP GOP for graphics init in coreboot.  (libgfxinit does not yet
support Jasper Lake.)

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-06-11 13:02:03 -04:00
Jonathon Hall
65ca94b184
modules/coreboot: Update Purism coreboot to 4.22.01-Purism-1
Update Purism coreboot to 4.22.01-Purism-1.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-06-11 13:01:57 -04:00
Thierry Laurion
64730d9507
Merge pull request #1688 from 123ahaha/updated-instruction-ptrace_scope
Updated README.md for kernel.yama.ptrace_scope issues
2024-06-07 12:38:38 -04:00
Thierry Laurion
868abb75ba
Merge pull request #1697 from mdrobnak/issue_1692
1692 Update text for TPM Primary Handle error with correct remediation steps.
2024-06-07 09:28:31 -04:00
Matthew Drobnak
c7a5fbd66f
1692 Update text for TPM Primary Handle error with correct remediation steps.
Signed-off-by: Matthew Drobnak <matthew@drobnak.com>
2024-06-05 03:59:40 +00:00
Thierry Laurion
34c7bb5a83
Merge pull request #1687 from tlaurion/use_nixos-unstable_prebuild_qemu-canokey
Use nixos-unstable channel's prebuilt qemu_full with canokey support builtin from nix cache
2024-05-30 17:29:08 -04:00
Thierry Laurion
edd4378b60
flake.nix: remove commented material, add some more comments where needed
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-30 17:05:29 -04:00
Thierry Laurion
a8adfb5089
Merge pull request #1684 from Nitrokey/hotp-version-v1.6
Hotp version v1.6
2024-05-30 15:37:56 -04:00
Thierry Laurion
fc146681f7
Merge pull request #1673 from tlaurion/build-UNMAINTAINED_t530-maximized
Build unmaintained t530 maximized
2024-05-29 18:55:07 -04:00
Thierry Laurion
c7d1495a0a
Use nixos-unstable channel's prebuilt qemu_full with canokey support builtin, downloaded from nix cache
- flake.lock: bumps locked package list to latest packages list through 'nix flake update'
- flake.nix : comment out customizations of derivatives, removing canokey-qemu lib since qemu_full depends on qemu which depends on canokey-qemu by default now
- flake.nix: add 'less' so that 'git log' is usable
- circleci/config.yml: use docker v0.1.9
- README.md : update docker image maintainer notes to ease upstreaming of docker images and for others to play around, requiring dockerhub account

For testing iterations of this, I used:
docker_version="v0.1.9" && docker_hub_repo="tlaurion/heads-dev-env" && sed "s@\(image: \)\(.*\):\(v[0-9]*\.[0-9]*\.[0-9]*\)@\1\2:$docker_version@" -i .circleci/config.yml && nix --print-build-logs --verbose develop --ignore-environment --command true && nix build .#dockerImage && docker load < result && docker tag linuxboot/heads:dev-env "$docker_hub_repo:$docker_version" && docker push "$docker_hub_repo:$docker_version"
Then added final commit, and pushed.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-25 12:55:28 -04:00
Antoine Luciani
6ac7e5d789
README.md updated in build instructions and in particular an error encountered because of kernel.yama.ptrace_scope during docker image build
Signed-off-by: Antoine Luciani <antoine.luciani@epita.fr>
2024-05-24 13:46:56 +02:00
nestire
ea05b1ed45
extend hotp error message for nitrokeys
Signed-off-by: nestire <hannes@nitrokey.com>
2024-05-21 17:03:08 +02:00
nestire
8bea5697d4
bump hotp version to 1.6
Signed-off-by: nestire <hannes@nitrokey.com>
2024-05-21 17:03:05 +02:00
Thierry Laurion
cf080564df
Merge pull request #1680 from tlaurion/fix_openssl_output_on_console_for_internal_hack
modules/openssl: remove hack, silence error on console when openssl is included for builds (affects tpm2 boards builds)
2024-05-17 15:05:59 -04:00
Thierry Laurion
74b1e2f7c1
modules/openssl: remove hack: silences error on console when openssl is included for builds (affects tpm2 boards builds)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-17 14:56:11 -04:00
Thierry Laurion
59df86fbd0
Merge pull request #1677 from tlaurion/fix_key_to_card
Revert gpg version bump and unify key to card code to properly create bug upstream
2024-05-17 13:22:32 -04:00
Thierry Laurion
37f04e2855
Fix key to card failing with invalid time when moving keys to smartcard on master (Opt: Authenticated Heads)
- Revert gnupg toolstack version bump to prior of #1661 merge (2.4.2 -> 2.4.0). Version bump not needed for reproducibility.
  - Investigation and upstream discussions will take their time resolving the invalid time issue introduced between 2.4.0 and latest gnupg (fix regression first under master)

- oem-factory-reset
  - Adding DO_WITH_DEBUG to oem-factory-reset for all its gpg calls. If failing in debug mode, /tmp/debug.txt contains calls and errors
  - Wipe keyrings only (*.gpg, *.kbx), not conf files under gpg homedir (keep initrd/.gnupg/*.conf)

- flake.nix
  - switch build derivative from qemu and qemu_kvm to qemu_full to have qemu-img tool which was missing to run qemu boards (v0.1.8 docker)
  - add gnupg so that qemu boards can call inject_gpg to inject public key in absence of flashrom+pflash support for internal flashing

- flake.lock: Updated nix pinned package list under flake.lock with 'nix flake update' so qemu_full builds

- README.md: have consistent docker testing + release (push) notes

- .circleci/config.yml: depend on docker v0.1.8 (qemu_full built with canokey-qemu lib support, diffoscopeMinimal and gnupg for proper qemu testing)

TODO:
- some fd2 instead of fd1?!
- oem-factory-reset has whiptail_or_die which sets whiptail box to HEIGHT 0. This doesn't show a scrolling window on gpg errors which is problematic with fbwhiptail, not whiptail

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-17 09:27:29 -04:00
Thierry Laurion
b80aa87077
Merge pull request #1662 from tlaurion/nitrokey_board_unification_clean-enable_htop_validated_autoboot-novacustom_coreboot_version_bump
Nitrokey boards coreboot version bump to match Dasharo+Heads heads+ coreboot version used in their v0.9.0 - 2024-02-29 BOM
2024-05-15 12:43:41 -04:00
Thierry Laurion
a51a7afefe
patches/coreboot-dasharo-unreleased : keep track of patches per upstream dasharo+heads unreleased patches to apply on top of last release
PR numbers being numerical and hopefully not conflicting with each other, keeping track of commits per their upstream PR should make sure they can be applied cleanly on top of each other, as opposed to commit id related patches that git apply will apply in random order.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-14 12:09:22 -04:00
Thierry Laurion
49d993715e
Merge remote-tracking branch 'osresearch/master' into nitrokey_board_unification_clean-enable_htop_validated_autoboot-novacustom_coreboot_version_bump
2024-05-13 21:48:19 -04:00
Thierry Laurion
c91731c956
Merge pull request #1676 from tlaurion/update_issues_templates-reflect_forks-reflect_usb_dongles_fix
Issue template: Version information aimed to be hidden was visible + typo fix
2024-05-13 21:47:50 -04:00
Thierry Laurion
2784128b17
Issue template: Version information aimed to be hidden was visible
Also fix gPU -> GPU
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-13 21:46:10 -04:00
Thierry Laurion
85bd68fee0
Merge remote-tracking branch 'osresearch/master' into nitrokey_board_unification_clean-enable_htop_validated_autoboot-novacustom_coreboot_version_bump
2024-05-13 20:57:45 -04:00
Thierry Laurion
ede404c881
Merge pull request #1675 from tlaurion/update_issues_templates-reflect_forks-reflect_usb_dongles
Update issue templates to reflect current realities of forks and security Dongles in the field
2024-05-13 20:57:02 -04:00
Thierry Laurion
03347ea6dc
Update issue templates to reflect current realities of forks and security Dongles Being used out there
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-13 20:56:00 -04:00
Thierry Laurion
1035a93e79
Build UNMAINTAINED_t530-maximized as requested under #1672
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-13 12:15:06 -04:00
Thierry Laurion
41d55bf2fc
coreboot + patches/coreboot-dasharo-unreleased: Add b35dc4a4f25497acfbe159d6abd057d885661a02.patch for TPM IRQ Kconfig missing
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-13 11:03:23 -04:00
Thierry Laurion
b163c389fe
Merge remote-tracking branch 'osresearch/master' into nitrokey_board_unification_clean-enable_htop_validated_autoboot-novacustom_coreboot_version_bump
2024-05-13 11:01:11 -04:00
Thierry Laurion
70b3272b32
Merge pull request #1671 from tlaurion/nix_qemu-canokey_derivate
flake.nix + qemu.mk : add working qemu-canokey usable from all qemu boards by default
2024-05-13 10:56:53 -04:00
Thierry Laurion
3a7292018e
Merge remote-tracking branch 'osresearch/master' into pr/tlaurion/1662
2024-05-13 09:23:20 -04:00
Thierry Laurion
c73692e4f3
flake.nix + qemu.mk : add working qemu-canokey usable from all qemu boards by default
flake.nix: add canokey-qemu lib, derivate qemu on top of it and have qemu_kvm depend on qemu derivative
targets/qemu.mk: modified to add canokey support by default if no "USB_TOKEN=" specified on make run call

CircleCI: base docker image pull on v0.1.6 containing the newly added derivatives
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-12 13:51:28 -04:00
Thierry Laurion
1e583e01a0
Merge pull request #1661 from tlaurion/wip-nix-for-build
Move to nix buildstack (and nix develop produced docker image used under CircleCI)
2024-05-10 16:05:34 -04:00
Thierry Laurion
ecbfdbc57b
README.md Simplify Setup of Nix and flakes and docker image creation instructions
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 16:01:15 -04:00
Thierry Laurion
c52fd42802
Merge remote-tracking branch 'osresearch/master' into pr/tlaurion/1661
2024-05-10 15:36:54 -04:00
Thierry Laurion
81cc5263a0
nv41/ns50 coreboot configs: save configs with make BOARD=nitropad-n[v41|s50] coreboot.modify_and_save_oldconfig_in_place
removes a comment:
-# CONFIG_DASHARO_FIRMWARE_UPDATE_MODE is not set
- Unify ns50/nv41
 - CONFIG_TPM_PIRQ=0x27 in both nv41/ns50 as per https://github.com/linuxboot/heads/pull/1662#issuecomment-2100820944
NOTE that this doesn't stick when calling
make[1]: Leaving directory '/home/user/heads/build/x86/coreboot-dasharo'
user@heads-tests-deb12:~/heads$ git diff
diff --git a/config/coreboot-nitropad-nv41.config b/config/coreboot-nitropad-nv41.config
index 9484aaf5122..ddd4e5d7c56 100644
--- a/config/coreboot-nitropad-nv41.config
+++ b/config/coreboot-nitropad-nv41.config
@@ -143,7 +143,7 @@ CONFIG_BOARD_CLEVO_NV40PZ_BASE=y
 CONFIG_MAINBOARD_SMBIOS_PRODUCT_NAME="Nitropad NV41"
 CONFIG_CONSOLE_POST=y
 # CONFIG_USE_PM_ACPI_TIMER is not set
-CONFIG_TPM_PIRQ=0x27
+CONFIG_TPM_PIRQ=0x0
 # CONFIG_SOC_INTEL_CSE_SEND_EOP_EARLY is not set
 CONFIG_VBOOT_FWID_VERSION="$(CONFIG_LOCALVERSION)"
 CONFIG_EC_SYSTEM76_EC_BAT_THRESHOLDS=y
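
Review bot: CONFIG_TPM_PIRQ falling back from 0x27 to 0x0 in this hunk means the value set by hand in this commit is lost the next time the config is regenerated with coreboot.modify_and_save_oldconfig_in_place, so a later config save can silently drop the TPM interrupt setting on nv41. Land the Kconfig change that lets 0x27 persist before relying on it, or have CI check that the saved config still contains CONFIG_TPM_PIRQ=0x27.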

Also note that CONFIG_EC_SYSTEM76_EC_DGPU=y is not present on ns50 as opposed to nv41, whatever that does.
user@heads-tests-deb12:~/heads$ diff -u config/coreboot-nitropad-nv41.config config/coreboot-nitropad-ns50.config
--- config/coreboot-nitropad-nv41.config	2024-05-10 14:59:42.156754718 -0400
+++ config/coreboot-nitropad-ns50.config	2024-05-10 14:55:37.699761391 -0400
@@ -110,7 +110,7 @@
 # CONFIG_VENDOR_TI is not set
 # CONFIG_VENDOR_UP is not set
 CONFIG_MAINBOARD_FAMILY="Not Applicable"
-CONFIG_MAINBOARD_PART_NUMBER="nv40pz"
+CONFIG_MAINBOARD_PART_NUMBER="ns50pu"
 CONFIG_MAINBOARD_VERSION="v2.1"
 CONFIG_MAINBOARD_DIR="clevo/adl-p"
 CONFIG_DIMM_MAX=4
@@ -128,7 +128,7 @@
 CONFIG_DEVICETREE="devicetree.cb"
 # CONFIG_VBOOT is not set
 CONFIG_VBOOT_VBNV_OFFSET=0x28
-CONFIG_VARIANT_DIR="nv40pz"
+CONFIG_VARIANT_DIR="ns50pu"
 CONFIG_OVERRIDE_DEVICETREE="variants/$(CONFIG_VARIANT_DIR)/overridetree.cb"
 # CONFIG_VGA_BIOS is not set
 CONFIG_MAINBOARD_SMBIOS_MANUFACTURER="Nitrokey"
@@ -139,8 +139,8 @@
 CONFIG_CMOS_LAYOUT_FILE="src/mainboard/$(MAINBOARDDIR)/cmos.layout"
 CONFIG_BOOT_DEVICE_SPI_FLASH_BUS=0
 CONFIG_BOARD_CLEVO_ADLP_COMMON=y
-CONFIG_BOARD_CLEVO_NV40PZ_BASE=y
-CONFIG_MAINBOARD_SMBIOS_PRODUCT_NAME="Nitropad NV41"
+CONFIG_BOARD_CLEVO_NS50PU_BASE=y
+CONFIG_MAINBOARD_SMBIOS_PRODUCT_NAME="Nitropad NS51"
 CONFIG_CONSOLE_POST=y
 # CONFIG_USE_PM_ACPI_TIMER is not set
 CONFIG_TPM_PIRQ=0x27
@@ -158,8 +158,8 @@
 CONFIG_HAVE_INTEL_FIRMWARE=y
 CONFIG_MRC_SETTINGS_CACHE_SIZE=0x10000
 CONFIG_DRIVERS_INTEL_WIFI=y
-CONFIG_IFD_BIN_PATH="3rdparty/dasharo-blobs/novacustom/nv4x_adl/descriptor.bin"
-CONFIG_ME_BIN_PATH="3rdparty/dasharo-blobs/novacustom/nv4x_adl/me.bin"
+CONFIG_IFD_BIN_PATH="3rdparty/dasharo-blobs/novacustom/ns5x_adl/descriptor.bin"
+CONFIG_ME_BIN_PATH="3rdparty/dasharo-blobs/novacustom/ns5x_adl/me.bin"
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000
 CONFIG_VBT_DATA_SIZE_KB=9
 CONFIG_CARDBUS_PLUGIN_SUPPORT=y
@@ -176,8 +176,8 @@
 #
 # Alder Lake P (2022)
 #
-# CONFIG_BOARD_NOVACUSTOM_NS5X_ADLP is not set
-CONFIG_BOARD_NOVACUSTOM_NV4X_ADLP=y
+CONFIG_BOARD_NOVACUSTOM_NS5X_ADLP=y
+# CONFIG_BOARD_NOVACUSTOM_NV4X_ADLP is not set

 #
 # Tiger Lake U (2021)
@@ -503,7 +503,6 @@
 #
 CONFIG_EC_ACPI=y
 CONFIG_EC_SYSTEM76_EC=y
-CONFIG_EC_SYSTEM76_EC_DGPU=y

 #
 # Intel Firmware
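
Review bot: CONFIG_EC_SYSTEM76_EC_DGPU=y in the last hunk is set for nv41 but has no counterpart in the ns50 config, and the commit message leaves its purpose open. Since the stated aim is to unify ns50 and nv41, confirm whether the ns50pu variant is meant to build without it and record the reason in the commit message, or add it to the ns50 config as well.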

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 15:01:56 -04:00
Michał Kopeć
f6f216c5b8
Use single coreboot rev for MSI and NCM
Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:50:37 -04:00
Thierry Laurion
443955e086
nv41/ns50 board config: Add note referring that those boards FB are GOP enabled just like the librem_11 for reference
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:50:31 -04:00
Thierry Laurion
eb2d8da983
nv41/ns50 coreboot config: apply 4cf15f2586c55d7c2f2c5136f08e7670eebc5012 also to ns50. Note: SMMSTORE and top-down resource allocation diff between ns50/nv41
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:50:27 -04:00
Thierry Laurion
7e31b204e1
nv41/ns50 coreboot config: make sure everything is saved with make BOARD=nitropad-n*** coreboot.modify_and_save_oldconfig_in_place
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:50:22 -04:00
Michał Żygowski
23976461d8
modules/coreboot: Avoid double quotes in LOCALVERSION
Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:40:26 -04:00
Michał Żygowski
83f96aae5c
modules/coreboot: Remove the lines with config values before overriding them
Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:40:21 -04:00
Michał Kopeć
1eef518daa
modules/coreboot: don't touch DMI vendor name if unspecified
Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:40:16 -04:00
Michał Kopeć
3cfa4e91ae
Allow overriding DMI manufacturer name
Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:40:11 -04:00
Michał Kopeć
3102666c91
coreboot-nitropad-nv41.config: disable RESOURCE_ALLOCATION_TOP_DOWN
Also disable bootsplash resizing to center the logo in the middle of
the screen.

Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:40:07 -04:00