Commit Graph

2186 Commits

Author SHA1 Message Date
Rocky Breslow
e6c34bda55
Add T440p gbe.bin blob
- I extracted the gbe.bin blob from my T440p's original ROM using the
  blobs/t440p/extract script.
- Using a hex editor, I corrected the sign bit in part 0 that I found
  was malformed in my analysis:
  https://github.com/osresearch/heads/pull/1282#issuecomment-1400634600.
- After correcting the sign bit, nvmutil showed that both parts of my
  gbe.bin blob had valid checksums.
- Finally, I used nvmutil to set the MAC address to 00🇩🇪ad:c0:ff:ee.
2023-02-25 19:53:47 -05:00
Rocky Breslow
7c32d4ed66
Add T440p ifd.bin blob
I extracted the ifd.bin blob from my T440p using the blobs/t440p/extract
script.
2023-02-25 19:53:46 -05:00
Rocky Breslow
936840415c
Rename T440p export-blobs script to extract
More aligned with the naming conventions of xx20 and xx30's extract.sh.
2023-02-25 19:53:46 -05:00
tlaurion
c4b964c80f
Merge pull request #1318 from JonathonHall-Purism/fix-pkg-config-cross-compilation
Makefile: Fix cross compilation variables for pkg-config
2023-02-22 11:46:36 -05:00
Daniel Pineda
f0dc3541f5
patches/busybox-1.32.0.patch: remove, no longer needed with busybox upgrade.
Signed-off-by: Daniel Pineda <daniel.pineda@puri.sm>
2023-02-21 15:00:07 -06:00
Daniel Pineda
b51fda22c1
Makefile: add --remove-destination to cp calls.
This avoids overwriting the busybox binary (and bricking the system)
by following a symlink when busybox and other module both provide
a command with the same filename.

Signed-off-by: Daniel Pineda <daniel.pineda@puri.sm>
2023-02-21 14:34:41 -06:00
Daniel Pineda
17ac64bdf1
Replace base32 from tpmtotp with the one from busybox, disable unused base64.
Signed-off-by: Daniel Pineda <daniel.pineda@puri.sm>
2023-02-21 14:34:35 -06:00
Matt DeVillier
0e356e43cb
modules/busybox: update 1.32.0 -> 1.33.2 (stable)
- update module version, hash
- rename patch
- update config

Busybox 1.33.0 adds base32, which has been disabled in busybox.config
as it conflicts with tpmtotp's base32.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-02-21 14:34:27 -06:00
Jonathon Hall
7592efcf99
Makefile: Fix cross compilation variables for pkg-config
pkg-config will still pick up system default directories from
PKG_CONFIG_LIBDIR even if PKG_CONFIG_PATH is set.  Per the docs,
cross compilation requires clearing PKG_CONFIG_PATH and setting
PKG_CONFIG_LIBDIR (which is always searched after PKG_CONFIG_PATH).

Fixes issues observed in tpm2_retry branch picking up packages from
host environment.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-02-21 13:46:03 -05:00
tlaurion
5c7148f18d
Merge pull request #1305 from echo-84/yubikey-oem-factory-reset 2023-02-21 12:06:35 -05:00
tlaurion
8b479b06cc
Merge pull request #1317 from tlaurion/fix-sh_argument_expected
Add DEBUG statements in code and fix "sh: argument expected"
2023-02-20 14:11:27 -05:00
Thierry Laurion
8259d3ca1e
Add TRACE function tracing function to output on console when enabled
- Add TRACE function tracing output under etc/functions, depending on CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT enabled in board configs
- Replace current DEBUG to TRACE calls in code, reserving DEBUG calls for more verbose debugging later on (output of variables etc)
- add 'export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y' in qemu-coreboot(fb)whiptail-tpm1(-hotp) boards to see it in action
2023-02-20 11:44:52 -05:00
Thierry Laurion
5fbbbbc3f7
gui-init: fix sh: argument expected 2023-02-18 21:52:54 -05:00
Thierry Laurion
5bc2bc88e4
All scripts and functions: Add DEBUG calling trace on console when CONFIG_DEBUG_OUTPUT is exported in board config
-qemu-coreboot-*whiptail-tpm1(-hotp) boards have 'export CONFIG_DEBUG_OUTPUT=y' by default now
2023-02-18 21:52:44 -05:00
tlaurion
9676c794a2
Merge pull request #1315 from tlaurion/qemu-coreboot-tpm_typo-fix
Fix reported typo under #1314
2023-02-17 14:42:35 -05:00
Thierry Laurion
16321dc40a
Fix reported typo under #1314 2023-02-17 14:41:16 -05:00
tlaurion
ffd8ab9ac5
Merge pull request #1301 from tlaurion/reduce_coreboot_configuration_duplicates-label_legacy_boards_correctly
xx20/xx30: Reduce coreboot configuration duplicates + label legacy boards correctly
2023-02-15 11:53:31 -05:00
Thierry Laurion
011276350b
CircleCI: change board names to reflect board name changes (legacy tagged correctly) 2023-02-09 12:51:07 -05:00
Thierry Laurion
03631a5e33
xx30: rename legacy boards names, remove coreboot config duplicates 2023-02-09 12:50:56 -05:00
Thierry Laurion
225741b4cd
remove coreboot-hotp* duplicates, have boards configs point to non-hotp maximized equivalents 2023-02-09 12:34:33 -05:00
tlaurion
5b6370c70c
Merge pull request #1298 from tlaurion/fixup_xx20_xx30_cbfs_size
xx20/xx30 maximized coreboot configs: Fix CONFIG_CBFS_SIZE to reflect ifd.bin's BIOS region (xx20: gain of 0.59mb, xx30: gain of 0.4mb
2023-02-09 12:33:35 -05:00
Thierry Laurion
e7f1e3e7a7
xx20/xx30 maximized coreboot configs: Fix CONFIG_CBFS_SIZE to reflect ifd.bin's BIOS regions.
The calculations outlined at https://github.com/osresearch/heads/pull/1282#discussion_r1072473677
Sums to having 'ifdtool -f layout.txt ifd_shrinked.bin && cat layout.txt'
The example for T440p:
00000000:00000fff fd
00021000:00bfffff bios
00003000:00020fff me
00001000:00002fff gbe

Here: 00bfffff-00021000=BDEFFF
Which is exact result of @rbeslow's calculations.

There is an issue on haswell, maybe because of car, maybe because of non native memory init blob.
But this is not the case for xx20/xx30 boards.
2023-02-09 12:28:59 -05:00
tlaurion
77f8d5a4f6
Merge pull request #967 from tlaurion/x230-maximized-fhd
Add x230-maximized-fhd_edp and x230-hotp-maximized-fhd_edp boards
2023-02-09 12:24:54 -05:00
tlaurion
8ec0cd377a
Merge pull request #1309 from tlaurion/osresearch_net-back
README: point to https://osresearch.net again (DNS name renewed)
2023-02-08 11:34:56 -05:00
Thierry Laurion
4ac16e0368
README: point to https://osresearch.net again (DNS name renewed) 2023-02-08 11:32:50 -05:00
tlaurion
305851ab4b
Temporary mitigation to osresearch.net having expired
Temporal mitigation to https://github.com/osresearch/heads/issues/1308 and https://github.com/osresearch/heads-wiki/issues/122
2023-02-07 11:42:35 -05:00
builder
e900d2027a Check Signature PIN and toggle forcesig if not forced 2023-02-01 20:34:07 -06:00
tlaurion
411ca09f73
Merge pull request #1304 from tlaurion/CircleCI_informe_where_full_build_logs_are
CircleCI step name change : Make Board -> Make Board (FULL ORDERED BUILD LOGS HERE UNTIL JOB FAILED)
2023-01-31 19:07:22 -05:00
Thierry Laurion
074d19875c
CircleCI step name change : Make Board -> Make Board (FULL ORDERED BUILD LOGS HERE UNTIL JOB FAILED) 2023-01-31 19:06:33 -05:00
Thierry Laurion
2b05a6b42c
Add x230-maximized-fhd_edp and x230-hotp-maximized-fhd_edp boards
- add x230-maximized-fhd_edp and x230-hotp-maximized-fhd_edp board configs
- add/rework coreboot patch for x230 fhd variant to be applied on top of 4.13
- add coreboot config to point to x230-edp variant, fixing path to vbt file since default path is wrong under. Comment made upstream https://review.coreboot.org/c/coreboot/+/28950/22#message-4904ce82f01ba0505b391e072e4537b6a9f1a229
  - remove no gfx init and replace with libgfxinit(defonfig default), set internal display as default
- add x230-hotp-maximized-fhd_edp and x230-maximized-fhd_edp to CircleCI builds
- One single shared coreboot config between boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config and boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config
- Coreboot 4.13 patch from coreboot at patches/coreboot-4.13/0002-x230-fhd-variant.patch
- config/coreboot-x230-maximized-fhd_edp.config points to seperate coreboot config per patch (CONFIG_BOARD_LENOVO_X230_EDP)
2023-01-31 09:58:43 -05:00
tlaurion
1c68befc59
Merge pull request #1296 from tlaurion/new_tails_key
/etc/distro/keys/tails.key: Replace with updated and minimized one
2023-01-27 16:07:55 -05:00
tlaurion
7be67e4992
Merge pull request #1297 from tlaurion/usb-scan_moved_to-media-scan
usb-scan->media-scan: usb-init calling media-scan usb
2023-01-27 16:07:17 -05:00
tlaurion
f440ad3d31
Merge pull request #1284 from tlaurion/hardenedvault-crypttab-path_remix_enable_discard
WiP : TPM disk unlock key setup (kexec-save-key) reuses OS initrd's crypttab files as base for /secret.key override (kexec-insert-key)
2023-01-27 13:31:44 -05:00
Thierry Laurion
150b95a034
TPM disk unlock key setup: Automatically override selected default boot option's initrd's crypttab file(s) to point to LUKS decryption key in injected cpio
- kexec-save-default extracts initrd crypttab files and creates /boot/kexec_initrd_crypttab_overrides.txt entries pointing to /secret.key
- kexec-insert-key applies /boot/kexec_initrd_crypttab_overrides.txt to replace initrd's crypttabs files pointing to inserted /secret.key through cpio
- Both scripts inform the user of applied magic on screen
2023-01-27 13:27:17 -05:00
HardenedVault
8a60930c6b
Make the path to crypttab within initramfs overridable
Not all distro put crypttab under /etc/ within initramfs, but finding it at
runtime needs unpacking, which may be hard to do, so it is made overridable
with a file at /boot/kexec_initrd_crypttab_path.txt, whose content could be
obtained with $ cpio -t < ${uncompressed_initrd} | grep crypttab .

The "target" field of the record within the crypttab stored in the root
file system for the luks container which is going to be unlocked via
kexec-insert-key should be modified into the same "luks-$uuid" format,
otherwise the boot sequence will get stuck when OS is trying to unlock them
again, in order to map them according to "target" fields written in the
crypttab stored in the root fs.
2023-01-27 12:56:32 -05:00
Thierry Laurion
268767d300
/etc/distro/keys/tails.key: Replace with updated and minimized one 2023-01-26 15:58:57 -05:00
Thierry Laurion
299977926c
usb-scan->media-scan: usb-init calling media-scan usb
media-scan accepts direct input of existing blkid and mount that passed device to /media
2023-01-26 15:38:58 -05:00
tlaurion
c1ae44d71c
Merge pull request #1289 from danielp96/master
/etc/functions: fix detection of virtual flash drive in qemu.
2023-01-26 14:33:38 -05:00
Rocky Breslow
ed8c74e197
Add script for obtaining T440p me.bin blob
I performed an analysis of the differences between an me.bin blob I
extracted from my T440p and the me.bin blob from Lenovo's website:
https://github.com/osresearch/heads/pull/1282#issuecomment-1386292403.
2023-01-23 22:32:35 -05:00
Rocky Breslow
7a29db11ed
t440p: disable NVMe support in Linux kernel
I went through all of the different options we copied from the Librem
config. The only thing that stood out as irrelevant was NVMe support.
However, I'm not a Linux kernel expert, and I didn't do a deep dive, so
I'm sure there is still room for improvement.
2023-01-23 22:28:32 -05:00
Rocky Breslow
c23ed548ff
Clone linux-librem_common.config for T440p 2023-01-20 17:09:09 -05:00
tlaurion
075284374b
Merge pull request #1291 from tlaurion/warn_user_when_totp-hotp_seal_requires_tpm_reset
gui-init: warn the user when sealing measurements through TOTP/HOTP reset
2023-01-19 18:44:10 -05:00
Thierry Laurion
e00280e663
gui-init: warn the user when sealing measurements through TOTP/HOTP requires TPM reset 2023-01-19 14:59:45 -05:00
Rocky Breslow
24d23ff47c
Add intel_iommu=igfx_off to T440p Coreboot kernel parameters
Without this, neither Qubes OS nor the Qubes OS installer would start.
Presumably, because we're "kexecing" from an already running kernel, we
need this set at the Coreboot level? Testing revealed that including
`intel_iommu=igfx_off` in the `CONFIG_BOOT_KERNEL_ADD` board config
option did nothing. And, the Qubes OS default boot option already
contains `intel_iommu=igfx_off`.

See:
- https://www.qubes-os.org/doc/installation-troubleshooting/#not-asking-for-vnc-because-we-dont-have-a-network--x-startup-failed-aborting-installation--pane-is-dead-error-during-installation
- https://github.com/Qubes-Community/Contents/blob/master/docs/troubleshooting/intel-igfx-troubleshooting.md
- https://www.kernel.org/doc/html/v5.10/x86/intel-iommu.html?highlight=igfx_off#graphics-problems
2023-01-18 15:27:45 -05:00
Rocky Breslow
65be2c5b7a
Add Heads config for the T440p (maximized/hotp-maximized) 2023-01-18 15:27:45 -05:00
Rocky Breslow
f0792117ef
Adjust T440p default Coreboot defconfig options
Remove options that haven't deviated from defaults in the Coreboot
Kconfig, despite being saved by `make savedefconfig`. Also, add
`CONFIG_BOARD_LENOVO_THINKPAD_T440P`, which was missing from the `make
savedefconfig` output, causing Heads builds to fail. And finally, bump
`CONFIG_CBFS_SIZE` to `0x800000` (8 MiB to bytes to hexadecimal).

This value for the CBFS size is arbitrary. Originally, I had totaled the
size of all binary blobs, subtracted that from the T440p's ROM size (12
MiB), and used the remaining space as the CBFS size (~11.68 MiB).
However, this caused very long RAM initialization times (courtesy of
`cbmem -t`). And, an anecdote in
https://groups.google.com/a/chromium.org/g/chromium-os-reviews/c/lUqRrGUoEBY/m/ka7L1f2BS8gJ
suggested that this value needs to be a power of 2.

So, I picked a size I expected our Linux payload to fit into that was a
power of 2 that I also expected would leave enough space in the ROM for
the IFD, ME, GbE, and Coreboot.

Now, it takes less than a second for RAM initialization after
flashing/first boot (anecdotally, it seems the MRC needs to be
"trained?").
2023-01-18 15:27:44 -05:00
Rocky Breslow
96f0c5b043
Add script for exporting blobs from original T440p ROM 2023-01-18 15:27:44 -05:00
Rocky Breslow
e325976569
Add initial T440p Coreboot defconfig
I generated this config by walking through Coreboot's `make menuconfig`.
The plan is to pare down verbose defaults and tweak from here.
2023-01-18 15:27:44 -05:00
Rocky Breslow
5cce937393
Add script for obtaining Haswell mrc.bin blob
I based this script on the Coreboot docs:
https://doc.coreboot.org/northbridge/intel/haswell/mrc.bin.html. While
adding an integrity check to ensure we're obtaining the correct blob.

Also, it's worth surfacing that the SHA-1 for the resulting binary is
the same SHA that Libreboot uses in their integrity check:
https://notabug.org/libreboot/lbmk/src/master/resources/scripts/download/mrc#L95.
However, I elected to use SHA-256 for extra paranoia.
2023-01-18 15:27:43 -05:00
tlaurion
f2ba6679ca
Merge pull request #1287 from rbreslow/rb/musl-cross-echo-path
modules/musl-cross: use echo from the PATH to support NixOS
2023-01-18 15:22:55 -05:00