Adds two golbal helpers in Makefile:
- board.move_untested_to_tested
- board.move_tested_to_untested
Which can be called by:
- make BOARD=UNTESTED_t420-maximized board.move_untested_to_tested
- make BOARD=x230-legacy board.move_tested_to_untested
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
* overwriting a hotp secret is not possible anymore
* make sure to delete the hotp secret before setting a new one
* requires one additional user presence check during HOTP setup
* bump to v1.5
Signed-off-by: Markus Meissner <coder@safemailbox.de>
* remove all previous coreboot patches (as they are already included)
* to be investigated: linux trampoline patch
* add new patch to hardcode sleep configuration
* activate smmstore as dasharo vendor code requires it
Signed-off-by: Markus Meissner <coder@safemailbox.de>
- Upstream boards will not deactivate TPM DUK
- Upstream will not force BRAND_NAME which currently defaults to Heads
- Upstream will not deactivate Qr code on screen output on HOTP sealing
- Upstream will not offer OEM reset defaults (deprecated and now default anyway)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Allow downstreams to add config to site-local/config, which can set
config options, including overriding board config and exporting config
to /etc/config.
The intent of site-local is exactly the same as in coreboot - it is a
place for downstreams to add customizations that are included at well-
defined points in the build. site-local should never appear in the
upstream repository. coreboot's documentation explains this as well:
https://doc.coreboot.org/tutorial/managing_local_additions.html
Move definitions of ROM artifacts later, so site config can override
BRAND_NAME (and still is included after board config to override it as
well).
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Move the targets generating talos-2's tgz update package to targets.
While this wasn't duplicated, it breaks a cyclic dependency between
board config and BRAND_NAME by moving the ROM output name dependencies
later. The logic probably would be shared with similar boards if any
were supported, so it is in the spirit of the other targets/ shared
target Makefiles.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
The 8 qemu-* targets all contained nearly-identical copies of the
targets to prepare the TPM/disk/etc. and then run Qemu. The only
significant differences were for TPM1/TPM2 (extra swtpm_setup step,
addition of --tpm2 to swtpm_setup and swtpm). ROOT_DISK_IMG used := or
= differently in some boards, := was kept.
targets/qemu.mk now defines all Qemu targets and is included only for
qemu-* boards (by defining BOARD_TARGETS in each of those boards).
The documentation was moved from qemu-coreboot-fbwhiptail-tpm1-hotp/
qemu-coreboot-fbwhiptail-tpm1-htop.md to targets/qemu.md. The other 7
qemu boards' symlinks to that file were removed.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Change order if user chooses both reencrypt and change passphrase, so that passphrase is changed first.
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
Removed all mentions of a "Recovery Disk Key" and replaced with "Disk Recovery Key".
Fixed some grammatical errors.
Added check for new passphrase in reencrypt function to accommodate switching of reencrypt and new passphrase setting order in oem-factory-reset.
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
Uses fold on the entire passphrase string now; tested in recovery shell of NK Heads 2.1.
Reverted change of WIDTH parameter (first commit of this PR).
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
This partially fixes#1537, but while the increased width wouldn't be a problem on the NV41 AFAICT, I don't know about other machines.
I don't know what @tlaurion means with "busybox's folding", which may be a better solution.
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>
The call to `hotp_verification regenerate` seems to leave the
communication in a bad state, thus the following `gpg` calls fail. With
this workaround `scdaemon` will resart with the next `gpg` call.
Signed-off-by: Markus Meissner <coder@safemailbox.de>
Taken from : https://github.com/Nitrokey/heads/tree/temp-release-v2.3
- Move branding/Heads/bootsplash-1024x768.jpg -> branding/Heads/bootsplash.jpg (We don't care about the size. Make filename generic)
- Adapt all coreboot configs so bootsplash is adapted by BRAND_NAME CONFIG_BOOTSPLASH_FILE="@BRAND_DIR@/bootsplash.jpg"
- Reminders :
- Makefile changes Heads to defined BRAND_NAME in board config
- Makefile changes -e 's!@BRAND_DIR@!$(pwd)/branding/$(BRAND_NAME)!g'
- nv41/nv50
- coreboot oldefconfigs adapted by:
- make BOARD=nitropad-ns50 coreboot.modify_and_save_oldconfig_in_place
- make BOARD=nitropad-nv41 coreboot.modify_and_save_oldconfig_in_place
- linux oldefconfigs adapted by
- make BOARD=nitropad-nv41 linux.modify_and_save_oldconfig_in_place
- since this is shared config across nv41/ns50: it only needs to be done for a single board
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Touches c216, x230-flash, x230-legacy and x230-maximized.
TODO: Other boards, including AMD ones (qemu/kgpe) have this ON, including nv41/ns50 (which uses i915drm which most probably causes problems)
Note that qemu boards use q35 in config, but were made to have both i440fx and q35, where q35 is tested, which explains why its on by default there.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>