Commit Graph

2206 Commits

Author SHA1 Message Date
tlaurion
1cf7158e8e
Merge pull request #1365 from tlaurion/move_tpm2_board_pcap_to_debug_section 2023-04-04 13:38:22 -04:00
ThePlexus
668d7739ce
change default loglevel 2023-04-04 16:13:19 +01:00
Thierry Laurion
a475ecef24
qemu-coreboot-*whiptail-tpm2-* boards: move TPM2 debug PCAP variable to debug section for clarity 2023-04-04 09:36:31 -04:00
tlaurion
a447674a89
Merge pull request #1313 from Dasharo/talos_fan_speed 2023-04-03 19:40:38 -04:00
tlaurion
3b56c0cf53
Merge pull request #1362 from tlaurion/fix_usb_keyboard_at_init
Fix usb keyboard at init
2023-04-03 14:34:03 -04:00
Thierry Laurion
8dbe85ddaf
Fix 'Tracing...' text output still stating functions instead of ash_functions where they are called from 2023-04-03 14:31:21 -04:00
Thierry Laurion
429d8bbead
move enable_usb from /etc/functions to /etc/ash_functions so that usb keyboard can be enabled from init
Reminder: insmod is a bash script and will fail on legacy-flash boards (which should not enable USB_KEYBOARD anyway)
2023-04-03 14:31:09 -04:00
ThePlexus
1761505d87 Autoboot not needed in this board 2023-03-31 17:37:02 +01:00
ThePlexus
5496138f2c
Merge branch 'osresearch:master' into p8z77-m_pro 2023-03-31 16:33:11 +01:00
Krystian Hebel
1a69b1dd07
initrd/bin/talos-init: add alias for cbmem
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-03-30 21:04:01 +02:00
Krystian Hebel
9550d2b541
initrd/bin/talos-init: send IPL complete message to BMC
BMC awaits this message before it takes control over CPU fans speed.

Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-03-30 21:04:01 +02:00
Krystian Hebel
3c6efd1f47
config/coreboot-talos-2.config: update for new tree
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-03-30 21:04:01 +02:00
Krystian Hebel
4edd71c5aa
modules/coreboot: bump commit hash for Talos
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-03-30 21:04:01 +02:00
Krystian Hebel
a76e8e58c0
config/linux-talos-2.config: enable coreboot drivers and convert to defconfig
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-03-30 21:04:01 +02:00
Krystian Hebel
d1fd05671a
patches/linux-5.5-openpower/0011: patch to expose CBMEM as file
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-03-30 21:03:26 +02:00
Krystian Hebel
06b52583fa
patches/linux-5.5-openpower/0010: new patch for enabling Google coreboot drivers
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-03-30 21:03:26 +02:00
tlaurion
1617b6ccba
Merge pull request #1352 from Dasharo/linux_target_arch 2023-03-30 14:04:57 -04:00
tlaurion
0be5b1b000
Merge pull request #1356 from tlaurion/oem-factory-reset_clean
oem-factory-reset: remove duplicates and add proper error redirection to file
2023-03-30 13:16:15 -04:00
Thierry Laurion
65b81e6702
oem-factory-reset: remove duplicates and add proper error redirection to file
- Trace calls need to happen after sourcing /etc/functions not before
- Move sourcing of external files at beginning of file, remove /etc/functions sourcing duplicate
- gpg error redirection was sent to /dev/null where expected to be added to whiptail in case of error (2>&1 instead and redirection to file)
2023-03-30 13:12:24 -04:00
tlaurion
b48b9edcbc
Merge pull request #1357 from ThePlexus/patch-1
fix broken OEM re-ownership process
2023-03-30 13:10:10 -04:00
ThePlexus
c67cf7c47e Add ASUS P8Z77-M Pro board 2023-03-30 10:28:40 +01:00
ThePlexus
277465b347
fix broken OEM re-ownership process
Problem
When using a custom password for TPM, the OEM re-ownership process is broken

Impact 
The OEM re-ownership process breaks for any user setting a custom password and not just using 12345678 

First appeared
6923fb5e20

Detail
on line 498, if blank, the TPM custom password is overwritten with TPM_PASS_DEF (eg, when no custom password is set by the user installing)

```
if [ "$TPM_PASS" == "" ]; then TPM_PASS=$TPM_PASS_DEF; fi
```
so far so good.  $TPM_PASS should be used for all TPM interaction from this point. $TMP_PASS_DEF is now a disposed of variable.

we see that happens when resetting the TPM on line 712 (generate_checksums) is that $TPM_PASS is used (correctly)

```## reset TPM and set password
if [ "$CONFIG_TPM" = "y" ]; then
  echo -e "\nResetting TPM...\n"
  tpmr reset "$TPM_PASS" >/dev/null 2>/tmp/error
---SNIP
```
The TPM now has either the custom password of the user, or the default of 12345678 depending on user selection.

On line 712, we duck into the generate_checksums sub, which for some reason reverts to TPM_PASS_DEF

```
    # create Heads TPM counter
    if [ "$CONFIG_TPM" = "y" ];then
	    if [ "$CONFIG_IGNORE_ROLLBACK" != "y" ]; then
		    tpmr counter_create \
			 -pwdo "$TPM_PASS_DEF" \
--SNIP
```

This then, rightly, fails due to 
```
Authentication failed (Incorrect Password) (ox1) from TPM_CreateCounter
```
2023-03-29 21:05:52 +01:00
tlaurion
7f9ee89781
Merge pull request #1353 from tlaurion/revert_agetty_accidental_removal
Makefile: readd util-linux dependency check to add agetty when needed
2023-03-28 11:09:21 -04:00
tlaurion
1ecc78560b
Merge pull request #1349 from saper/find-me-cleaner
download_clean_me.sh: Find me_cleaner in tree
2023-03-28 09:26:14 -04:00
Thierry Laurion
eaa17681dc
Makefile: readd util-linux dependency check to add agetty when needed
Removed accidentally under 6923fb5e20
2023-03-24 16:41:39 -04:00
Krystian Hebel
e7997abdcc
modules/linux: fix linux.*config targets for non-x86 architectures
This patch adds ARCH="$(LINUX_ARCH)" to Linux targets working on config
files. Without it, the architecture defaults to that of host, which for
cross-compilation isn't right.

Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-03-24 15:26:34 +01:00
Marcin Cieślak
5cbe27d00f download_clean_me.sh: Find me_cleaner in tree 2023-03-23 23:53:02 +01:00
tlaurion
2995376cda
Merge pull request #1339 from tlaurion/single_talos_2_board
Talos II - Have single board config
2023-03-20 14:46:38 -04:00
tlaurion
96440b928a
Merge pull request #1342 from tlaurion/qemu-coreboot-whiptail-tpm2-hotp_adds-hotp
qemu-coreboot-whiptail-tpm2-hotp : add missing HOTP board requirements
2023-03-14 12:53:58 -04:00
Thierry Laurion
718520fe5e
qemu-coreboot-whiptail-tpm2-hotp : add missing HOTP board requirements 2023-03-14 11:39:47 -04:00
tlaurion
6ee4b1cbe1
Merge pull request #1341 from tlaurion/fix_kexec-save-default_initrd_removal
ikexec-save-default: fix case when no crypttab found in initrd
2023-03-14 10:54:16 -04:00
Thierry Laurion
ab16b3b26f
ikexec-save-default: fix case when no crypttab found in initrd
- /tmp/initrd_extract was attempted to be deleted while under that directory when no crypptab found.
- changing of directory to / is non-conditional prior of deletion: move to cleaning step
- Clarity on message displayed to user when a generic crypttab will be generated in case of no OS override
2023-03-14 10:42:21 -04:00
tlaurion
d24def4b59
Merge pull request #1292 from tlaurion/tpm2_retry
TPM2/TPM1 support (testing and bug fixes needed through qemu-(fb)whiptail-tpm[1,2](-hotp) testing boards!
2023-03-13 16:22:13 -04:00
Thierry Laurion
445ca053fb
Talos II - Have single board config
- Based on initial server board
- Uses whiptail as opposed to fbwhiptail (was slow and output fuzzy)
 - Simple fix to have dual KVM(BMC) and vga output for consoles

Reasoning for dropping fbwhiptail support is that:
- it is impossible to output framebuffer content through remote BMC console.
- A workstation board config could output to fbwhiptail for VGA and give remote recovery shell access through BMC
  - If someone shows interest for that, qemu-coreboot-tpm boards can be used as reference.
  - slowness/fuzzyness of fbwhiptail output through AST would still need to be fixed in kernel drivers. Not a priority here.

Limitation:
- Since whiptail is sent to both consoles:
 - If one console goes to recovery shell, recovery shell access invalidate TPM PCR4 measurements.
   - The other console won't be aware that TPM measurements were invalidated, and will consequently:
     - not be able to unseal TOTP if refreshed
     - not be able to unseal TPM disk unlock key on default boot
   - A reboot will fix this.
2023-03-13 14:33:03 -04:00
Jonathon Hall
4754a754dc
.circleci/config.yml: Add qemu TPM2 representative board
No other TPM2 boards exist yet, so add a qemu TPM2 board as a build
test for TPM2.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-13 14:26:25 -04:00
Jonathon Hall
6a9e7e293e
fstab, init: Remove securityfs mount
This is unused, remove it.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-13 14:11:02 -04:00
Jonathon Hall
1f8c88a7eb
gui-init, tpm-reset: Enforce TPM password maximum length
TPM password must be 1-32 characters.  Loop if the password is not
valid or the repeated password doesn't match, so the user can try
again.

Move prompt_new_owner_password to functions and use in both gui-init
and tpm-reset.

Fixes #1336

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-13 13:34:40 -04:00
Jonathon Hall
30963e121f
Combine t430-flash.init, x23-flash.init, fix insmod
They're the same other than a TRACE, combine them.  Use busybox
insmod since the insmod script uses bash, we don't need the TPM PCRs on
legacy-flash-boards.

Remove PCR4 extend, these boards lack TPM configuration.  Update ROM
example name.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-13 13:23:29 -04:00
Jonathon Hall
ea5b8dc30f
tpmr: Provide startsession for TPM1 and TPM2
It's a no-op on TPM1, but provide it so init doesn't have to
distinguish TPM1/TPM2.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-13 13:10:24 -04:00
Jonathon Hall
5c33130ddc
init: Fixes for legacy-flash boards
Fix `[ -a` to POSIX `[ -e`.  Only run cbfs-init, key-init on normal
boards with bash.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-13 12:52:06 -04:00
Jonathon Hall
0c4fdf343b
poweroff, reboot: Do not use bash
These need to work on legacy-flash boards.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-13 12:51:42 -04:00
Jonathon Hall
0760b6f237
init: Use busybox ash
init must use busybox ash because it is used on legacy-flash boards.
Change shebang, move needed functions to ash_functions.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-13 12:26:41 -04:00
Jonathon Hall
55b3fcfe1a
tpmr: Use at_exit for cleanup traps
Multiple traps overwrite each other.  While no tpmr functions have more
than one trap right now, it is fragile, and the quoting is complex due
to double expansion.  Use at_exit to add exit handlers that accumulate
and do not require special quoting.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-10 17:50:43 -05:00
Jonathon Hall
decd45f361
openssl: Trim optional algorithms
Disable all optional algorithms except SM3.  (SHA and AES are not
optional.)  tpm2-tss uses SHA, AES, and SM3.  Reduces size of libcrypto
by almost 1 MB, saves about 140 KB in ROM.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-10 17:07:00 -05:00
Jonathon Hall
b21d8f7a94
oem-factory-reset: Use tpmr reset
tpm-reset is just a prompt for the password followed by tpmr reset.
oem-factory-reset already bypasses the prompt, just call tpmr reset
directly.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-10 15:46:01 -05:00
Jonathon Hall
ff481b98fb
gui-init: Fix spelling of generate_totp_hotp()
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-10 15:42:19 -05:00
Jonathon Hall
a0272270fe
gui-init, kexec-unseal-key: Move PCR debugging output to DEBUG calls
These were still writing some debugging output containing flags and
PCRs even when debug was not enabled.  Use DEBUG.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-10 15:39:54 -05:00
Jonathon Hall
698fc83046
gui-init: Eliminate extra TPM owner password prompts in TPM reset
We just set the TPM owner password, so there's no need to make the user
enter it again.  Eliminates some failure modes if the user mistypes it
or enters the wrong password.

Allow optionally passing in the TPM owner password in tpmr seal,
check_tpm_counter(), seal-totp, and generate_totp_htop().  The user is
still prompted if the password is needed but was not provided, so
existing uses in other contexts continue to work unchanged.

Prompt for the password in reset_tpm() and pass it down to each of the
above.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-10 15:36:24 -05:00
Jonathon Hall
48421ada1e
tpmtotp: Update to osresearch merged commit
osresearch has merged support for tpm pcrread.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-10 15:09:46 -05:00
Jonathon Hall
9d34dd6687
tpmr: Apply owner password to endorsement hierarchy
Heads doesn't use the endorsement hierarchy, but we shouldn't leave it
with an empty password following a tpm2 clear.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-10 15:09:09 -05:00