Commit Graph

374 Commits

Author SHA1 Message Date
Thierry Laurion
b1e5c638cd
WiP
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:06:45 -04:00
tlaurion
f540f2a335
Merge pull request #1430 from gaspar-ilom/w541-support
Support Thinkpad W541
2023-10-30 15:41:14 -04:00
tlaurion
1733552fe7
Merge pull request #1505 from JonathonHall-Purism/upstream_28.1_librem_11
Add support for Librem 11
2023-10-30 15:38:02 -04:00
gaspar-ilom
2e8239c5e7 add configuration for w541
closes #1389
2023-10-23 21:52:09 +02:00
Thierry Laurion
9addb3b6b0
qemu board doc: add Nitrokey3NFC in md doc 2023-10-10 12:30:41 -04:00
Thierry Laurion
4ff955918f
x230-maximized board configs: add DEBUG/TRACE board config in comment
Enabling DEBUG/TRACE options from board config vs from configuration menu is different.

When enabled in board config, /etc/config is from ROM, and sourced early and make TRACE/DEBUG calls appear early.
If added through configuration menu, those are /etc/config.user overrides extracted from CBFS and then sourced after combine_configs call

If for whatever reason early DEBUG is needed on a platform, enabling in board config is needed.
For runtime debugging, enabling Debug output from configuration menu is enough
2023-10-10 12:14:36 -04:00
Jonathon Hall
55155f6558
boards/librem_11: Add Librem 11
Add Librem 11 board.

Librem 11 uses coreboot graphics init, which is done with FSP GOP.

Set a custom keymap for the volume/power keys.  Configure the volume
keys as up/down arrows (for navigation in fbwhiptail, and for shell
history in the Linux console).  Configure the power key as Enter.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-09-29 15:36:30 -04:00
Jonathon Hall
fab9124f00
librem_* (except L1UM): Linux 6.1, coreboot gfx init with efifb
Update all Librems except L1UM (but including L1UM v2) to Linux 6.1.8.

Use coreboot native graphics init.  Raise maximum framebuffer size for
laptops to 3840x2160 (desktops default to this, but laptops default
to a lower value).  Remove DRM modules from Linux 6.1.8 and add EFIFB.

Remove Heads kernel command line options relating to IOMMU and i915,
which are no longer needed.  Remove OS kernel options relating to
IOMMU.

For Librem 13/15/14/Mini, this fixes issues booting with 4K displays
attached, which were resulting in crashes due to the framebuffer memory
not being reserved properly.  memtest86+ now passes with a 4K display
attached.

For Librem L1UM v2, framebuffer boot now works.

Librem L1UM remains on Linux 5.10 with Heads kernel graphic init
(framebuffer boot still does not work).  coreboot 4.11 has native
graphics init for Aspeed, but only in text mode.  Backporting the
linear framebuffer support appears to be possible - the patch applied
cleanly - but it did not work initially and will need more
investigation.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-09-06 10:36:37 -04:00
tlaurion
8bd82a6e10
Merge pull request #1494 from JonathonHall-Purism/coreboot_purism_4.21
modules/coreboot: Update Purism coreboot to 24e2f7e4
2023-09-06 10:19:55 -04:00
tlaurion
2c3987f9a3
Merge pull request #1485 from Nitrokey/nx-nitropad
add Nitropad NV41/NS50 TPM2 boards (2nd)
2023-09-06 10:15:17 -04:00
Jonathon Hall
eed8adeb49
librem_mini,librem_mini_v2: Enable CMOS layout, update CMOS checksum
Enable the coreboot CMOS option table, which initializes CMOS if the
checksum is not valid.

There is now a checksum in the CMOS layout since 4.21, update it when
updating the Mini v1/v2 EC power-on setting.

coreboot 4.21 will reset the CMOS settings during the first boot, since
there was no checksum in prior releases.  Heads will restore the
automatic power-on setting during init based on config.user.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-09-05 16:03:02 -04:00
tlaurion
8272d33e7c
Merge pull request #1482 from tlaurion/ease_tpm_disk_unlock_key_resealing_after_totp_mismatch-warn_and_die_changes
Ease TPM Disk Unlock Key sealing/resealing after TOTP mismatch (firmware upgrade) + warn and die changes
2023-09-05 11:48:50 -04:00
Markus Meissner
d01c3ab7c9
boards: add nitropad-nv41 + nitropad-ns50 2023-09-05 17:13:56 +02:00
Markus Meissner
b47da0be89
boards/qemu-*: update allowed usb-token comments 2023-09-05 12:32:22 +02:00
Thierry Laurion
03d8f93c95
modules/zstd: now included by default. Deactivated under legacy-flash boards
Rationale:
cpio -t alone cannot extract initrd past early cpio (microcode) in most packed initrd.
unpack_initramfs.sh already under master comes to the rescue, but its usage up to today was limited to pass firmware blobs to final OS under boards/librem_mini_v2

Debian OSes (and probably others) need to have cryptroot/crypttab overriden directly, otherwise generic generation of crypttab is not enough.
Extracting crypttab and overriding directly what is desired by final OS and exposed into /boot/initrd is the way to go otherwise hacking on top of hacks.

This brings default packed modules under Heads to 5 modules, which needs to be deactivate in board configs if undesired:
user@heads-tests-deb12:~/heads$ grep -Rn "?= y" modules/ | grep -v MUSL
modules/zlib:1:CONFIG_ZLIB ?= y
modules/zstd:3:CONFIG_ZSTD ?= y
modules/exfatprogs:2:CONFIG_EXFATPROGS ?= y
modules/busybox:2:CONFIG_BUSYBOX ?= y
modules/e2fsprogs:2:CONFIG_E2FSPROGS ?= y
2023-08-31 11:19:50 -04:00
Thierry Laurion
d5aa0c874e
boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.md was invalid symlink 2023-08-28 16:24:14 -04:00
Thierry Laurion
106a9bf543
qemu boards: change default creation size of USB_FD_IMG from 128MB to 256MB
Otherwise 10% of 128mb (12mb) is not enough to create a LUKS container
2023-08-28 16:24:11 -04:00
Thierry Laurion
97f39a8b1f
t430-maximized/t430-hotp-maximized: move from untested to tested boards, other t430 boards still untested 2023-08-16 14:54:12 -04:00
Thierry Laurion
e5b64f8c48
t430/x230 legacy flash boards: unify so they specify coreboot config files as all other boards
(Otherwise, renaming board requires to rename coreboot config file as well since BOARD is used to pick corresponding one when undefined)
2023-08-16 13:29:08 -04:00
Thierry Laurion
294a6bed94
t430 boards: moved to untested until reported tested as per #1421 2023-08-16 12:35:52 -04:00
Thierry Laurion
572573ff40
x220 board: this is maximized coreboot config, legacy linux config 2023-08-16 09:44:44 -04:00
Thierry Laurion
107855f53a
p8z77-m_pro-tpm1: bring back boards as tested platforms. 2023-08-16 09:44:41 -04:00
Thierry Laurion
d3ea60f69e
linux configs: adapt to use efifb driver (Intel iGPU/qemu with bochs native gfxinit) 2023-08-15 17:24:34 -04:00
tlaurion
fbc0993084
Merge pull request #1462 from JonathonHall-Purism/reuse-toolchains
Enable reusing coreboot release toolchains for forks
2023-08-15 16:27:20 -04:00
Jonathon Hall
57f9d1635b
x230-*-fhd_edp: Include kbd to set console font size
Include the kbd module to set the console font size based on the
display resolution.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 14:40:10 -04:00
Jonathon Hall
d0d2ea9a77
librem_mini{,_v2}: Include kbd to set console font size
Include the kbd module to enlarge the console font size based on the
display resolution.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 14:40:09 -04:00
Jonathon Hall
ef85973109
librem_15v4: Include kbd, don't force eDP resolution in Heads kernel
Include kbd so the console font can be enlarged based on the display
resolution.

Don't force 1080p on the eDP output in Heads.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 14:40:09 -04:00
Jonathon Hall
555dde0b43
boards/librem_* (except l1um): Remove CONFIG_PURISM_BLOBS=y
These boards get purism-blobs as a submodule of the purism coreboot
fork.  modules/coreboot used to skip the purism-blobs dependency for
this fork, but the module is not needed at all for these boards.

librem_l1um keeps CONFIG_PURISM_BLOBS=y since it is built from patched
coreboot 4.11.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:44:39 -04:00
Thierry Laurion
447f8addc7
Rename UNTESTED_x230-maximized-fhd_edp and UNTESTED_x230-hotp-maximized-fhd_edp to normal names 2023-08-02 14:37:02 -04:00
tlaurion
06b1b0948d
Merge pull request #1399 from d-wid/z220
Add HP Z220 CMT
2023-07-24 18:27:17 -04:00
d-wid
4d157493a3 Add HP Z220 CMT 2023-07-22 16:27:31 +02:00
tlaurion
d7b4a47cfe
Merge pull request #1442 from tlaurion/qemu_basic_boot_example_in_board_config
Qemu boards: typo correction in comment to manually enable Basic Boot mode
2023-07-17 14:08:22 -04:00
Thierry Laurion
f4a8ae925f
non-dgpu t530 was reported working (t530-hotp-maximized-v0.2.0-1705-gedf200e.rom) 2023-07-17 12:49:32 -04:00
Thierry Laurion
c419cf7e2b
Qemu boards: typo in comment to manually enable Basic Boot mode : (was CONFIG_BASIC_BOOT where CONFIG_BASIC expected) 2023-07-17 12:32:27 -04:00
Jonathon Hall
45245fe417
qemu-*: Show how to enable restricted/basic in board config
For iterating, enabling these in the board config is easiest.  It's
also possible to manually inject config.user ahead of time, or enable
at runtime without flashing, but the normal enable/flash/reboot path
does not work in qemu since it is unable to flash.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-12 14:17:43 -04:00
Jonathon Hall
252efc6945
Merge remote-tracking branch 'github-heads/master' into pureboot-27-heads-upstream 2023-07-07 15:57:34 -04:00
Jonathon Hall
4c8e445dcd
Merge remote-tracking branch 'github-heads/master' into pureboot-27-heads-upstream
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-05 14:32:16 -04:00
Jonathon Hall
17724f9baa
qemu-coreboot-fbwhiptail-tpm1-hotp: Fix truncated documentation lines
A few lines in the documentation got truncated somehow.  Restored the
swtpm instructions from some notes and rewrote the others.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-05 14:11:34 -04:00
Thierry Laurion
5db4165652
Rename UNTESTED_t420-maximized and UNTESTED_t420-hotp-maximized back to maximized board names. 2023-07-05 10:38:18 -04:00
Thierry Laurion
f8cb3db775
untested boards: move and rename untested boards, while still building them with CircleCI if they were currently built.
Non-impactful action, first step for #1421 based on participation in testing of #1398 and prior non-tested PRs.

EDIT: last minute readd of x220-maximized boards (x220-maximized and x220-hotp-maximized boards).
 x220 is still UNTESTED (legacy, manually extracting ifs, me and gbe).

EDIT: last minute readd of t440p-maximized boards (t440p-maximized and t440p-hotp-maximized boards).

Thanks to @srgrint for lat minute report that t440p and x220 were tested
----

Traces of commands used:
ls qemu-linuxboot* leopard* r630* s2600wf* tioga* winterfell* t420* t520* t440p* w530* kgpe* p8z77* x220* x230-maximized-fhd_edp* | grep ":" | awk -F ":" {'print $1'}| while read board; do mv $board/$board.config $board/UNTESTED_$board.config; done
ls qemu-linuxboot* leopard* r630* s2600wf* tioga* winterfell* t420* t520* t440p* w530* kgpe* p8z77* x220* x230-maximized-fhd_edp* | grep ":" | awk -F ":" {'print $1'}| while read dir; do mv $dir UNTESTED_$dir; done
ls UNTESTED* | grep ":" | awk -F ":" {'print $1'}| awk -F "UNTESTED_" {'print $2'} | while read line; do sed 's/'"$line"'/UNTESTED_'"$line"'/g' ../.circleci/config.yml -i ; done

quick fix of circleci:
sed -i 's/UNTESTED_UNTESTED/UNTESTED/g' ../.circleci/config.yml
sed -i 's/UNTESTED_UNTESTED/UNTESTED/g' ../.circleci/config.yml
sed -i 's/UNTESTED_UNTESTED/UNTESTED/g' ../.circleci/config.yml

Modify p8z77-m_pro-tpm1 hotp board config to include to their maximized counterpart
2023-07-04 18:00:30 -04:00
Thierry Laurion
da4c306d91
t440p p8z77-m_pro: pass to coreboot 4.19 and with comparable lockdown config to x230 + fix vbt path 2023-06-27 11:21:28 -04:00
Thierry Laurion
cc9a4828ef
Remove qemu-coreboot and qemu-coreboot-fbwhiptail board+coreboot configs
qemu-coreboot-*-tpm* boards are way more feature rich to test/develops Heads
2023-06-27 11:21:15 -04:00
Thierry Laurion
f34d2dd7d7
bump qemu-tpm boards to coreboot 4.19 2023-06-27 11:21:09 -04:00
Thierry Laurion
e02228407f
boards: bump non-tpm qemu*, xx20 and xx30 boards to use linux kernel 5.10.5 2023-06-27 11:21:06 -04:00
Thierry Laurion
e8bc003a56
boards/p8z77-m_pro-tpm1-maximized: bump linux from 4.14 to 5.10 2023-06-27 11:21:02 -04:00
Jonathon Hall
8289d1bb29
oem-factory-reset: Offer to use all defaults on Librem boards only
Introduce CONFIG_OEMRESET_OFFER_DEFAULTS and enable it on Librem
boards.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-23 08:20:21 -04:00
Jonathon Hall
f6134e9c35
gui-init: Opt into skipping QR code scan for Librem boards only
Introduce CONFIG_TOTP_SKIP_QRCODE to skip this step and enable it on
Librem boards.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-23 08:18:59 -04:00
Jonathon Hall
89858f52a9
Merge remote-tracking branch 'github-heads/master' into pureboot-27-heads-upstream
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 15:15:23 -04:00
Jonathon Hall
1bf8331ffb
Blob jail: Add zstd-decompress, decompress more complex archives
Debian 12's initrd by default now consists of an uncompressed cpio
archive containing microcode, followed by a zstd-compressed cpio
archive.  inject_firmware.sh only supported gzip-compressed cpio, so it
could not extract /init from this archive.

Add zstd-decompress to decompress zstd streams (uncompressed size is
about 180 KB).

Add unpack_initramfs.sh which is able to decompress uncompressed, gzip,
or zstd archives, with multiple segments, much like the Linux kernel
itself does.

Use unpack_initramfs.sh to extract /init for blob jail.

Don't compress the new archive segment containing firmware and the
updated /init.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:50 -04:00
Jonathon Hall
6b111d813f
Add new board: Librem L1UM v2
Add Linux 6.1.8 configuration, used by Librem L1UM v2

Add coreboot configuration for Librem L1UM v2

Add Librem L1UM v2 board configuration

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:50 -04:00
Jonathon Hall
e9a5b27e6c
librem_mini,librem_mini_v2: Don't use three values for auto poweron
PureBoot doesn't have any other three-valued settings and this doesn't
present very well in the config UI.

Instead make this a two-valued setting; drop the mode that forces the
EC setting to "stay off" at every boot because this is the default.

When disabling automatic power-on, disable the EC BRAM setting too.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:49 -04:00
Jonathon Hall
2d3ecfa41e
librem_mini/librem_mini_v2: Add automatic power-on setting
Mini v1/v2's EC can automatically power on the system when power is
applied, based on a value in EC BRAM.  Add a configuration setting to
optionally set this value.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:47 -04:00
Jonathon Hall
6e0d241913
ioport: Add ioport module (inb, outb)
Add ioport module, enable for librem_mini_v2.  Only inb and outb are
included, inw/outw/inl/outl aren't needed.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:46 -04:00
Matt DeVillier
3766d32034
board/librem_{13/14/15/mini}: Use Purism repo for coreboot
Use Purism's repo for all Librem boards other than the Librem Server L1UM.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2023-06-21 13:26:41 -04:00
Kyle Rankin
efc49c7425
Add Root file hash feature
Currently Heads will check files in /boot for tampering before booting
into a system. It would be nice if you could use the trusted environment
within Heads and extend this to check files in / itself. This new script
adds that functionality, however due to the length of time it takes to
perform these kinds of checks, it doesn't run automatically (yet).

This feature can be configured from the config GUI - the root device/
directories to check can be set, and it can be configured to run during
boot.

To make this a bit easier to use, I added a feature to detect whether
the hash file exists and if not, to display a more limited menu to the
user guiding them to create the initial hash file. Otherwise it will
display the date the file was last modified, which can be useful to
determine how stale it is.
2023-06-21 13:26:37 -04:00
Thierry Laurion
9830c6c4ed
io386 platform lockdown: enable on sandy/ivy/haswell maximized board configs 2023-06-20 12:36:45 -04:00
Sergii Dmytruk
71b0f8dac9
boards/talos-2/talos-2.config: enable powerpc-utils
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2023-06-07 01:10:14 +03:00
Thierry Laurion
92cddb315f
boards/talos-2/talos-2.config : sda1 will never be a boot device
/dev/nvme0n1p2 expected to contain /boot/grub dir
2023-06-04 20:20:46 +03:00
tlaurion
3a38ac02e3
Merge pull request #1312 from tlaurion/coreboot-4.13_coreboot-4.19_version_bump
Bump boards depending on coreboot 4.13 to 4.19
2023-04-24 19:21:18 -04:00
tlaurion
e32fc91baf
Merge pull request #1358 from ThePlexus/p8z77-m_pro 2023-04-11 18:59:52 -04:00
ThePlexus
b64077fac6 Incorporate COREBOOT_DIr mod and VSCC optioanl setting 2023-04-10 13:43:54 +01:00
Thierry Laurion
a475ecef24
qemu-coreboot-*whiptail-tpm2-* boards: move TPM2 debug PCAP variable to debug section for clarity 2023-04-04 09:36:31 -04:00
ThePlexus
1761505d87 Autoboot not needed in this board 2023-03-31 17:37:02 +01:00
Krystian Hebel
9550d2b541
initrd/bin/talos-init: send IPL complete message to BMC
BMC awaits this message before it takes control over CPU fans speed.

Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-03-30 21:04:01 +02:00
ThePlexus
c67cf7c47e Add ASUS P8Z77-M Pro board 2023-03-30 10:28:40 +01:00
tlaurion
2995376cda
Merge pull request #1339 from tlaurion/single_talos_2_board
Talos II - Have single board config
2023-03-20 14:46:38 -04:00
Thierry Laurion
718520fe5e
qemu-coreboot-whiptail-tpm2-hotp : add missing HOTP board requirements 2023-03-14 11:39:47 -04:00
Thierry Laurion
445ca053fb
Talos II - Have single board config
- Based on initial server board
- Uses whiptail as opposed to fbwhiptail (was slow and output fuzzy)
 - Simple fix to have dual KVM(BMC) and vga output for consoles

Reasoning for dropping fbwhiptail support is that:
- it is impossible to output framebuffer content through remote BMC console.
- A workstation board config could output to fbwhiptail for VGA and give remote recovery shell access through BMC
  - If someone shows interest for that, qemu-coreboot-tpm boards can be used as reference.
  - slowness/fuzzyness of fbwhiptail output through AST would still need to be fixed in kernel drivers. Not a priority here.

Limitation:
- Since whiptail is sent to both consoles:
 - If one console goes to recovery shell, recovery shell access invalidate TPM PCR4 measurements.
   - The other console won't be aware that TPM measurements were invalidated, and will consequently:
     - not be able to unseal TOTP if refreshed
     - not be able to unseal TPM disk unlock key on default boot
   - A reboot will fix this.
2023-03-13 14:33:03 -04:00
Jonathon Hall
30963e121f
Combine t430-flash.init, x23-flash.init, fix insmod
They're the same other than a TRACE, combine them.  Use busybox
insmod since the insmod script uses bash, we don't need the TPM PCRs on
legacy-flash-boards.

Remove PCR4 extend, these boards lack TPM configuration.  Update ROM
example name.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-13 13:23:29 -04:00
Jonathon Hall
50daa904f9
tpmr: Capture TPM2 pcaps in qemu TPM2 boards
tpm2-tools is able to log pcap files of TPM2 commands, which can be
inspected with wireshark.  Add CONFIG_TPM2_CAPTURE_PCAP to capture
these from the tpmr wrapper, and enable for qemu TPM2 boards.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 16:34:45 -05:00
Thierry Laurion
d549229bfc
modules/bash: enabled by default, disabled in legacy-flash boards
- legacy-flash boards have a single purpose: to flash BIOS region through flashrom.
  - They do not need bash nor have space for it in their 4mb defined coreboot CBFS region

Test build to have legacy boards builds under osresearch#1292
2023-03-08 12:45:52 -05:00
Jonathon Hall
c9df49ad20
modules/bash: Include bash in all builds, remove CONFIG_BASH
Include bash in all builds.  Remove CONFIG_BASH.

Remove CONFIG_BASH_IS_ASH from busybox configuration and clean up hacks
in modules/bash.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:52 -05:00
Jonathon Hall
660a5fe71e
qemu-*: Add CONFIG_BASH=y to TPM1 boards
Enable bash on qemu TPM1 boards to use arrays in tpmr's TPM1 wrappers.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:50 -05:00
Thierry Laurion
1e5544b934
Add DEBUG traces and have TPM2 boards enable TRACE and DEBUG calls
- /tmp/debug.log is created and appended by all TRACE and DEBUG calls in code
- fix some logic errors seen when no DEBUG entry were outputted in /tmp/debug.log
2023-03-08 12:45:47 -05:00
Jonathon Hall
ff8ec2fd5b
qemu*tpm2*: Manufacture TPM2
Invoke swtpm_setup --create-config-files skip-if-exist to create local
CA files under the current user account, so user does not need
read/write access to /var/lib/swtpm-localca.

Pass --tpm2 to manufacture a TPM2 instead of TPM1.2.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:45 -05:00
Jonathon Hall
4e375ad7ca
tpm2-tools: Remove curl dependency
The actual use of curl was already removed, update tpm2-tools patch to
also remove the check for curl.  Remove the curl module and
CONFIG_CURL.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:44 -05:00
Thierry Laurion
6923fb5e20
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards
-coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations)
-swtpm set to be launched under TPM v2.0 mode under board config
-Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized)
This is skeleton for TPM v2 integration under Heads

-------------
WiP

TODO:
- libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built
- Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing
- init tries to bind fd and fails currently
- Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output
- When no OS' /boot can be mounted, do not try to TPM reset (will fail)

- seal-hotpkey is not working properly
- setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM)
  - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase.
- primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup
- would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only
- tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help.
  - Implementing them would be better
- REVIEW TODOS IN CODE
- READD CIRCLECI CONFIG

Current state:
- TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid)
- TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without.
 - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails.

- Current tests are with fbwhiptail (no clear called so having traces on command line of what happens)
 - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
2023-03-08 12:45:43 -05:00
tlaurion
3ac896bb67
Merge pull request #1282 from rbreslow/rb/support-t440p 2023-02-28 15:23:16 -05:00
Thierry Laurion
6300dd178a
Pass all coreboot 4.13 boards to 4.19
- Add 4.19 under modules/coreboot
- point all 4.13 boards to 4.19
- adapt x230 FHD/EDP patch under patches/coreboot-4.19/0001-x230-fhd-variant.patch (poked upstream to fix patch under https://review.coreboot.org/c/coreboot/+/28950)
- correct versioning info under .circleci/config/yml
2023-02-27 18:07:06 -05:00
Rocky Breslow
1dc5d4eb99
Make T440p Coreboot build depend on blob files
Now, when you run `make BOARD=any-t440p-variant`, the build system
automatically fetches mrc.bin and me.bin.
2023-02-25 19:53:47 -05:00
tlaurion
8b479b06cc
Merge pull request #1317 from tlaurion/fix-sh_argument_expected
Add DEBUG statements in code and fix "sh: argument expected"
2023-02-20 14:11:27 -05:00
Thierry Laurion
8259d3ca1e
Add TRACE function tracing function to output on console when enabled
- Add TRACE function tracing output under etc/functions, depending on CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT enabled in board configs
- Replace current DEBUG to TRACE calls in code, reserving DEBUG calls for more verbose debugging later on (output of variables etc)
- add 'export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y' in qemu-coreboot(fb)whiptail-tpm1(-hotp) boards to see it in action
2023-02-20 11:44:52 -05:00
Thierry Laurion
5bc2bc88e4
All scripts and functions: Add DEBUG calling trace on console when CONFIG_DEBUG_OUTPUT is exported in board config
-qemu-coreboot-*whiptail-tpm1(-hotp) boards have 'export CONFIG_DEBUG_OUTPUT=y' by default now
2023-02-18 21:52:44 -05:00
Thierry Laurion
16321dc40a
Fix reported typo under #1314 2023-02-17 14:41:16 -05:00
Thierry Laurion
03631a5e33
xx30: rename legacy boards names, remove coreboot config duplicates 2023-02-09 12:50:56 -05:00
Thierry Laurion
225741b4cd
remove coreboot-hotp* duplicates, have boards configs point to non-hotp maximized equivalents 2023-02-09 12:34:33 -05:00
Thierry Laurion
2b05a6b42c
Add x230-maximized-fhd_edp and x230-hotp-maximized-fhd_edp boards
- add x230-maximized-fhd_edp and x230-hotp-maximized-fhd_edp board configs
- add/rework coreboot patch for x230 fhd variant to be applied on top of 4.13
- add coreboot config to point to x230-edp variant, fixing path to vbt file since default path is wrong under. Comment made upstream https://review.coreboot.org/c/coreboot/+/28950/22#message-4904ce82f01ba0505b391e072e4537b6a9f1a229
  - remove no gfx init and replace with libgfxinit(defonfig default), set internal display as default
- add x230-hotp-maximized-fhd_edp and x230-maximized-fhd_edp to CircleCI builds
- One single shared coreboot config between boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config and boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config
- Coreboot 4.13 patch from coreboot at patches/coreboot-4.13/0002-x230-fhd-variant.patch
- config/coreboot-x230-maximized-fhd_edp.config points to seperate coreboot config per patch (CONFIG_BOARD_LENOVO_X230_EDP)
2023-01-31 09:58:43 -05:00
Rocky Breslow
c23ed548ff
Clone linux-librem_common.config for T440p 2023-01-20 17:09:09 -05:00
Rocky Breslow
65be2c5b7a
Add Heads config for the T440p (maximized/hotp-maximized) 2023-01-18 15:27:45 -05:00
Thierry Laurion
080d439758
qemu-coreboot-tpm boards: usage optimizations
- ROOT_DISK_IMG is now dynamic (ROOT_DISK_IMG=/path/to/existing/provisioned/disk.img can be reused across run statements)
- Addition of missing boards to cover all use cases
- All TPM1 boards rely on common config/coreboot-qemu-tpm1.config
- boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.md has been generalized
 - all other boards are softlinked to the above for usage
2023-01-11 15:38:30 -05:00
Thierry Laurion
afb338d5d7
qemu-coreboot-whiptail-tpm1: correction of boardname to reflect reality 2023-01-04 19:01:42 -05:00
tlaurion
c1fb04cd5c
Merge pull request #1241 from tlaurion/qemu_CONFIG_BOOT_RECOVERY_SERIAL 2022-11-15 11:15:11 -05:00
tlaurion
a9bee2885b
Merge pull request #1242 from tlaurion/talos_cryptsetup2
talos boards: pass cryptsetup to cryptsetup2 to support TPM released disk encryption key
2022-11-11 16:19:42 -05:00
Thierry Laurion
ce19a5fb61
Add CONFIG_BOOT_RECOVERY_SERIAL to qemu board configs to interact with host through serial 2022-11-11 15:19:37 -05:00
Sergii Dmytruk
f6999707b8
boards/talos-2_*: build tgz with all output files + hash
This makes output suitable for use via Heads' menus.

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-11-11 00:59:12 +02:00
Sergii Dmytruk
976f57f008
boards/talos-2_*: version zImage.bundled
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-11-11 00:59:12 +02:00
Sergii Dmytruk
572c99e898
Add flashrom to Talos II boards
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-11-11 00:59:12 +02:00
Sergii Dmytruk
a2475e2c53
Add flashtools to Talos II boards
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-11-11 00:59:12 +02:00
Thierry Laurion
93986e8c71
talos boards: pass cryptsetup to cryptsetup2 to support TPM released disk encryption key testing 2022-11-10 14:12:24 -05:00
Thierry Laurion
9258ca7a68
xx30 - pack cryptsetup2 instead of cryptsetup 2022-09-16 12:51:38 -04:00
Daniel Pineda
1cab17ae30
board/librem_*: Update to coreboot 4.17
Signed-off-by: Daniel Pineda <daniel.pineda@puri.sm>
2022-09-12 13:22:00 -06:00
Sergii Dmytruk
d0ef7e8c1f
Enable Infineon TPM1 for Talos-2 boards
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-09-01 00:28:16 +03:00
Sergii Dmytruk
72110e5915
Enable OpenBMC VGA console for Talos-2 boards
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-09-01 00:28:16 +03:00
Sergii Dmytruk
55ef9912aa
Add Talos 2 boards
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-08-31 00:21:28 +03:00
Sergii Dmytruk
8944710033
Introduce $(board_build) variable
To be used in board configuration.  Expands to the path of the board's
build directory.  Also simplifies main Makefile a bit.

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-08-25 20:55:35 +03:00
Jonathon Hall
2ca34803af
qemu: Add qemu-coreboot-whiptail-tpm1 configuration
This configuration uses a console interface instead of fbwhiptail, and
no USB token is required.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2022-08-24 13:04:07 -04:00
Jonathon Hall
ef3cd5c65f
qemu-coreboot-fbwhiptail-tpm1-hotp: Virtio video/storage, serial
Enable virtio video and storage.

Enable serial console and tweak kernel command line to show logs.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2022-08-24 13:04:07 -04:00
Jonathon Hall
73eccb364a
qemu: Add qemu-coreboot-fbwhiptail-tpm1-hotp for complete testing in QEMU
Add qemu-coreboot-fbwhiptail-tpm1-hotp configuration, which has a 'run'
target to boot with a persistent TPM, disk, virtual USB disk, and USB-
forwarded token
Provide instructions for bootstrapping a complete working system in qemu

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2022-08-24 13:04:06 -04:00
Jonathon Hall
3e5fd6be75
qemu: Build ATA support into kernel, enable OHCI/UHCI
Set ATA and SATA configs to y, not m - modules weren't being loaded.  Other
configs also build these into kernel, so do the same for qemu.  Remove relevant
configs from boards since modules no longer need to be in initrd.

Enable OHCI and UHCI.  qemu forwards host USB devices over a UHCI controller.
This enables USB-forwarding a physical Librem Key or Nitrokey Pro to the VM.
Export CONFIG_LINUX_USB_COMPANION_CONTROLLER to have enable_usb() load the
modules - it wants both UHCI and OHCI modules, so build both.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2022-08-24 13:03:53 -04:00
Thierry Laurion
ba9235abcb
xx30 boards: add top bottom roms statements to get hashes under hashes.txt 2022-06-23 11:05:53 -04:00
Thierry Laurion
0bfd696fbf
xx20 and xx30: split kernel configs to legacy and maximized and board configs point to them 2022-06-10 09:52:07 -04:00
Thierry Laurion
6012e7724c
add new board x230-maximized_usb-kb
- this boards is a duplicate of x230-hotp-maximized with USB Keyboard support

Testing points:
- x230-hotp-maximized does not accept input from USB keyboard
- x230-hotp-maximized_usb-kb accepts input from USB keyboard
2022-04-05 14:09:44 -04:00
Thierry Laurion
065cbfda7b
boards/xx30-flash: change board configs to be solely include flashrom module.
Those boards now produce 4MB coreboot ROM and according CBFS small size, and remove the logic to extract 4Mb ROM out of the 12Mb rom which for some reason, was now misaligned.
config/coreboot-xx30-flash : remove all unnneded stuff to xx30-flash boards.
config/linux-x230-flash: used commonly for all xx30-flash boards, this is now finally saved with savedeconfig, and removes another bunch of unneeded stuff.

Tested working. Fixes #1095
2022-02-17 20:20:43 -05:00
tlaurion
fde7ee2b11
Merge pull request #1100 from tlaurion/board_configs_fixes_CONFIG_BOARD_NAME
boards/* : Add/uniformize missing CONFIG_BOARD_NAME for coreboot boards
2022-01-28 20:55:37 -05:00
Thierry Laurion
37ee3f37ad
boards/* : Add/uniformize missing CONFIG_BOARD_NAME for coreboot boards 2022-01-28 14:17:22 -05:00
Matt DeVillier
31214381a2
board/librem_*: Switch to cryptsetup2
Required to decrypt some volumes encrypted via LUKS2
(eg, Qubes 4.1 dom0 / root partition)

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2022-01-27 16:40:47 -06:00
eganonoa
a5b27e485f Adding explanatory notes re t530 and w530 dgpus
This commit adds explanatory notes  and updates existing t530 and w530 boards to generally align them with the dGPU points and provide signposting for those with and those without dGPU boards. It also adds an additional README in the blobs directory to explain the vbios extraction and building process.
2021-12-28 11:10:58 -05:00
eganonoa
a854144e2d Add support for t530 and w530 dGPU
This commit adds support for the t530 and w530 boards to enable dGPUs. dGPU's are required for DisplayPort external displays in the t530 dgpu model, and for both the VGA dn DisplayPort external displays in the W530 (which has two dGPUs, the K1000M and K2000M, hence two boards).  The commit does the following:

1. Adds automated extraction scripts for vbios modelled on the me script in the blobs directory (one per board is necessary as it is based on board-specific bios updates).
2. Adds specific boards for the various dGPU models and corresponding coreboot configs.
3. Updates circleci config.yaml to run scripts and test boards.

Tested and working on T530 dgpu and W530 K1000M. dGPU scripts tested on Debian 10 and Ubuntu 21.04
2021-12-28 11:10:58 -05:00
Matt DeVillier
51a1119973 boards/librem_*: Unify/update kernel IOMMU params
Unify the CONFIG_BOOT_KERNEL_ADD/REOVE parameters for all
Librem boards. Ensure IOMMU disabled for the GPU, and that
duplicated IOMMU params are not passed to the kernel.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-12-20 22:13:36 -05:00
Matt DeVillier
c5d9fa484b boards/librem_*: Update to coreboot 4.15
Update all Purism Librem boards except the L1UM server
to coreboot 4.15:

- update coreboot version from 4.8.1/4.13 to 4.15
- use purism_blobs module (if not already)
- update board coreboot defconfig files (Librem 13/15)

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-12-20 22:13:36 -05:00
Thierry Laurion
415a08a732 board additions: w530, t530, t520 (hotp-maximized and maximized flavors only)
-CircleCI addition.
-Removal of t530-flash, w530-flash boards, flash scripts and associated coreboot configs (no more legacy boards additions)

This is a merger of #1071, #1072 and #1073 so that test builds are available over CircleCI until osresearch/master CircleCI gets unlocked.
2021-12-06 19:52:25 -05:00
eganonoa
f8a30866a8 Reverting to coreboot 4.13 2021-12-06 19:52:25 -05:00
eganonoa
5263aa9c2f Reverting to coreboot 4.13 2021-12-06 19:52:25 -05:00
eganonoa
8aa11bae40 Update t530-flash.config 2021-12-06 19:52:25 -05:00
eganonoa
b4368f3df0 Reverting to coreboot 4.13 2021-12-06 19:52:25 -05:00
eganonoa
38b29cb9f7 Reverting to coreboot 4.13 2021-12-06 19:52:25 -05:00
eganonoa
ce435a4148 adding working w530 board, initrd and config files 2021-12-06 19:52:25 -05:00
eganonoa
652bcb8ad0 reverting to coreboot 4.8.1 (4.13, 4.14 both working) 2021-12-06 19:52:25 -05:00
eganonoa
66e5c23b13 adding working t530 board, initrd and config files 2021-12-06 19:52:25 -05:00
eganonoa
90984baca7 adding working t520 baord and configs 2021-12-06 19:52:25 -05:00
Thierry Laurion
40babfeaf4 t430-hotp-verification: addition of t430 counterpart of non-maximized x230-hotp-verification board 2021-12-04 15:51:53 -05:00
Thierry Laurion
2d8d45c02e t420 board was still based on coreboot 4.8.1. blobs still depend on blobs/t420/* presence. 2021-12-04 15:51:53 -05:00
Thierry Laurion
41847f5cd2 move all other boards (but KGPE-D16) to coreboot 4.13
- xx30 legacy boards (x230, x230-flash, t430, t430-flash) now rely also on coreboot 4.13
  - DOWNSIDE: x230 and t430 legacy boards now rely on WHIPTAIL (NOT FBWhiptail) to have enough space to fit under 7mb)
- xx20 boards moved to 4.13 (no need of xx20-flash boards here since single SPI boards with 7.5mb useable since blobs scripts are required)
  - DOWNSIDE: all xx20 boards now have dropbear deactivated, while still having ethernet driver in.
- qemu-coreboot and qemu-coreboot-fbwhiptail switched to coreboot 4.13 WITHOUT TPM SUPPORT (with cryptsetup 2.x support)
  - DOWNSIDE:
    - coreboot-qemu board CBFS_SIZE=0x700000 -> 0x750000
    - coreboot-qemu-fbwhiptail CBFS_SIZE=0x750000 -> 0x780000
- CircleCi build recipe removes 4.8.1 boards altogether
  - KGPE-D16 workstation is used as new base build to save workspace layer (we removed one workspace layer)
  - Removing one workspace layer will save approx 2 hours of build time on fresh builds
  - Removing one coreboot version will save us approx 2 hours of build time on fresh builds
  - KGPE-D16 will stay to coreboot 4.11 until forward notice.
  - All other board configs SHOULD be built on latest coreboot versions
2021-12-04 15:51:53 -05:00
Thierry Laurion
c7e651d663 xx20/xx30 boards uniformisation when switching to coreboot 4.13
- all: coreboot NO_POST for all boards
- all: coreboot NO_GFX_INIT (linux payload does the graphic init)
- all: coreboot TPM_MEASURED_BOOT (no more patches under Heads for measured boot)
- all: coreboot DRIVERS_PS2_KEYBOARD (fixes no keyboard on soft reboot and potentially xx30t xx20t fix for random raw keyboard (to be tested)
- all: coreboot removal of DEFAULT_CONSOLE_LOGLEVEL_5 under some boards
- all: coreboot removal of "loglevel=3" under some linux command line options booting Heads kernel
- all: coreboot removal of DEBUG_SMM_RELOCATION (unneeded)
- all: coreboot INCLUDE_CONFIG_FILE and COLLECT_TIMESTAMPS for all boards
- all: coreboot CONSOLE_SERIAL present on all boards
- all: coreboot add VBT
- all: board configs switch to cryptsetup2

xx20 hotp-maximized boards:
- removal of dropbear (not enough space to have htop + dropbear)

txx0 boards coreboot:
- USE_OPTION_TABLE and STATIC_OPTION_TABLE added (todo: check T430 boards optimization and find issue/PR and ammend this commit)
2021-12-04 15:51:53 -05:00
Thierry Laurion
e8032924c1 x230-maximized boards: build against coreboot 4.13 2021-12-04 15:51:53 -05:00
natterangell
54a3b07947 t420-maximized boards: build against coreboot 4.13 2021-12-04 15:51:53 -05:00
Thierry Laurion
561d01c863 KGPE-D16: remove BOOT_GUI_MENU_NAME and BG_COLOR as under all other boards. 2021-10-29 13:45:22 -04:00
Matt DeVillier
ed0282d33e Add new board Purism Librem 14
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-15 15:11:39 -04:00
Matt DeVillier
e6dbfab3c2 board/librem_{mini,mini_v2}: Migrate from coreboot 4.13 to 4.14
- adjust board configs
- move/rename coreboot patch
- adjust comment in CI config

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-15 15:11:39 -04:00
Matt DeVillier
c8f85c41d3
board/librem_{mini,v2}: Disable iGPU passthru for consistency
We use 'iommu=igfx_off' for booting the Heads kernel, so use the same for
booting the OS to ensure consistency when kexecing

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-10-08 17:38:59 -05:00
Thierry Laurion
815a7ef245
x230-nkstorecli PoC board removal, both in tree and in CI (board builds fails. fits in maximized boards.) 2021-02-04 22:13:43 -05:00
tlaurion
f156589570
Merge pull request #957 from Tonux599/support-linux-5.10.5
Bump Librem and KGPE-D16 to Linux 5.10.5
2021-02-02 17:43:45 -05:00
Thierry Laurion
041f3f1188
xx30 boards: correct documentation, typos 2021-01-17 13:47:53 -05:00
Thomas Clarke
31edd87c89
Add CONFIG_CPU_MICROCODE_CBFS_NONE=y to KGPE-D16 Coreboot configs. This disables microcode being included and loaded by Coreboot because of a current issue in which newer kernels panic when doing so.
Added note to KGPE-D16 configs about the current microcode bug, why microcode is not included and encouraging AMD Opteron 6300 series users to make sure their operating system loads microcode.
2021-01-07 19:24:10 +00:00
Thomas Clarke
9bdf3e01dc
Update all Librem and KGPE-D16 board to build with Linux 5.10.5. Update KGPE-D16 and Librem linux configs to 5.10.5 with make savedefconfig. 2021-01-07 19:24:09 +00:00
Thierry Laurion
d364336913
xx30-flash boards: produce top.rom and remove 12mb rom for clarity 2021-01-04 12:19:09 -05:00
Matt DeVillier
883ac669a8
modules/coreboot: bump 4.12 build option to 4.13
- update module hash and blobs hash
- drop patches no longer needed; migrate those that remain
- adjust Librem Mini/Mini v2 board configs

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-12-14 21:03:32 -06:00
Thierry Laurion
164d991a69
xx30 boards: remove NKSTORECLI from all boards. Par with xx20. 2020-12-12 22:11:20 -05:00
Thierry Laurion
16488fb21a
xx20 boards: add xx20-hotp-maximized boards, remove hotp support from xx20-boards. Modify CircleCI conf accordingly. 2020-12-12 12:44:06 -05:00
Tom Hiller
5b898e369c boards: add t420-maximized 2020-12-03 13:11:05 -05:00