Commit Graph

423 Commits

Author SHA1 Message Date
Francis Lam
d67360a24b
Added rollback protection to generic boot
Changed the checking of required hashes or required rollback state
to be right before boot, allowing the user to sign/set defaults
in interactive mode.

Also cleaned up usages of recovery and fixed iso parameter
regression.
2017-07-08 16:59:37 -04:00
Francis Lam
8004b5df2a
Added the ability to persist a default boot option
Similar to qubes-update, it will save then verify the hashes of
the kexec files. Once TOTP is verified, a normal boot will verify
that the file hashes and all the kexec params match and if
successful, boot directly to OS.

Also added a config option to require hash verification for
non-recovery boots, failing to recovery not met.
2017-07-04 19:49:14 -04:00
Francis Lam
3614044fff
Added a generic boot config and persistent params
Refactored boot parsing code and applied that in local-init to
scan /boot for grub options and allow the user to unsafely boot
anything.  This goes a long way to addressing #196.

Optionally the user can customize those boot parameters or enforce
arbitrary hashes on the boot device by creating and signing config
files in /boot/ or /media/ or /media/kexec_iso/ISO_FILENAME/.
2017-07-02 23:01:04 -04:00
Francis Lam
7f6f365afe
Reverted submodule name back to xen 2017-06-26 13:07:48 -04:00
Francis Lam
c2ec62bfcd
Changed xen submodule to track Qubes Xen
Closes #159
2017-06-23 23:01:20 -04:00
Trammell Hudson
2b2c00e594
typo in comment 2017-05-01 10:52:49 -04:00
Johan Grip
8b3ed5fd7a
Added blob directory for non-free blobs Also basic documentation for the binaries needed for the X220 and how the get to them 2017-05-01 10:49:45 -04:00
Johan Grip
186b641385
Inital test of a lenovo x220 port. Uses hardcoded paths for the blobs required. Uses a stripped ME blob. 2017-05-01 10:49:38 -04:00
Trammell Hudson
2cad84a768
make the ME a module (issue #194) 2017-05-01 10:47:24 -04:00
Francis Lam
efd662c63a
adds a USB boot option with basic parsing to kexec
Supports booting from USB media using either the root device or
a signed ISO as the boot device.  Boot options are parsed with
quick/dirty shell scripts to infer kexec params.

Closes #195 and begins to address #196
2017-04-29 13:40:34 -04:00
Trammell Hudson
448d0731a9
cherry pick Linux config from zfs branch with multi-user set 2017-04-17 16:10:48 -04:00
Trammell Hudson
d73c92e63f
quiet down the boot process 2017-04-12 06:46:55 -04:00
Trammell Hudson
8c57ac59e7
x230-flash configuration and initialization 2017-04-11 07:16:20 -04:00
Trammell Hudson
85f0586615
build xen for the qemu image so that we can test kexec 2017-04-10 12:59:07 -04:00
Trammell Hudson
300b17fa25
add dropbear ssh to qubes and moc configurations (issue #169) 2017-04-07 09:53:02 -04:00
Trammell Hudson
830828f2a2
enable usb storage module (issue #160) 2017-04-06 09:45:47 -04:00
Trammell Hudson
cfcf6c46d5
Purism Librem 13v1 initial configuration 2017-04-05 14:13:40 -04:00
Trammell Hudson
3d79f51e4a
Build lvm command line utility (issue #80)
Replace libuuid with util-linux libuuid (and libblkid,
although we are not using libblkid right now).

This also requires a much larger coreboot cbfs, which was
fixed as part of issue #154.
2017-04-03 17:13:59 -04:00
Trammell Hudson
4c413a1737
enable file locking for LVM 2017-04-03 17:11:12 -04:00
Trammell Hudson
d335f24292
split x230 config into 4MB bootstrap image and 7MB runtime image (issue #156) 2017-04-03 14:53:29 -04:00
Trammell Hudson
f99944abe5
qubes init script and improved TPM disk encryption with LUKS headers (issue #123 and #6) 2017-04-01 23:02:00 -04:00
Trammell Hudson
3225501e84
remove power related busybox tools that do not work 2017-03-31 16:00:27 -04:00
Trammell Hudson
7045d02794
move to Linux 4.9.20 (issue #149) 2017-03-31 15:59:37 -04:00
Trammell Hudson
8544c5fe6d
busybox 1.26.2 update (issue #148) 2017-03-31 14:53:01 -04:00
Trammell Hudson
d6c553e884
typo in qemu description 2017-03-31 13:04:46 -04:00
Trammell Hudson
c40748aa25
Build time configuration for startup scripts and modules.
This addresses multiple issues:

* Issue #63: initrd is build fresh each time, so tracked files do not matter.
* Issue #144: build time configuration
* Issue #123: allows us to customize the startup experience
* Issue #122: manual start-xen will go away
* Issue #25: tpmtotp PCRs are updated after reading the secret
* Issue #16: insmod now meaures modules
2017-03-31 11:18:46 -04:00
Trammell Hudson
9feb094701
enable flashrom and pciutils to allow the boot ROM to be re-written (issue #17) 2017-03-30 14:35:30 -04:00
Trammell Hudson
bf94e4c416
include a nearly empty, but consistent, cpio file to ensure reproducible Linux builds (issue #142) 2017-03-30 10:16:13 -04:00
Trammell Hudson
418ceaf733
make USB a module, strip debug info (issue #139) 2017-03-28 17:05:04 -04:00
Trammell Hudson
8384201e9c
Change ethernet drivers to be modules and measure them when they are loaded.
This is a step towards unifying the server and laptop config (issue #139)
and also makes it possible to later remove the USB modules from the
normal boot path.
2017-03-28 16:32:58 -04:00
Trammell Hudson
1475148848
enable TCP SYN cookies (issue #138) 2017-03-28 11:46:17 -04:00
Trammell Hudson
e83ba0a0c7
enable futex for keylime 2017-03-27 18:52:31 -04:00
Trammell Hudson
f39dfd321d
enable dhcp and add helper script for lease setup 2017-03-27 15:56:10 -04:00
Trammell Hudson
edb4b4de50
enable raw sockets and the qemu network driver 2017-03-27 15:27:53 -04:00
Trammell Hudson
48adc3e4cd
enable wget 2017-03-27 14:25:34 -04:00
Trammell Hudson
279851e66d
started on extra features for MOC server initrd build 2017-03-20 14:57:22 -04:00
Trammell Hudson
b06b0331a0
started on extra features for MOC server kernel build 2017-03-20 14:52:39 -04:00
Trammell Hudson
4182c0e0aa
enable ISO9660 file systems and code page ISO8859-1 (issues #116 and #107) 2017-03-20 11:17:18 -04:00
Trammell Hudson
e4538785ec
enable read-only, no-execute for module data (issue #72) 2017-03-20 11:12:41 -04:00
Trammell Hudson
54cded7f59
pass extra parameters to xz to compress initrd.cpio for Linux kernel (issue #127) 2017-03-18 10:50:43 -04:00
Trammell Hudson
b81a20fb71
enable CONFIG_NET, to allow cryptsetup to work (issue #79) 2017-01-05 06:00:59 -05:00
Trammell Hudson
8ff56aff5a
Enable IOMMU by default (issue #75) and prune kernel features. 2017-01-04 18:38:45 -05:00
Trammell Hudson
45ba75949b
kernel 4.9 setup with framebuffer for x230 (issue #64) 2016-12-13 14:58:23 -05:00
Trammell Hudson
a6520772dc
Update Heads to use the 4.9 Linux LTS kernel.
No patches are required to boot 4.9 as a coreboot payload,
unlike the 4.7 kernel that required a head_64.S patch.

The new kernel is about 40 KB larger than the 4.7; the
config might be shrinkable.

Close issue #61.
2016-12-12 11:01:18 -05:00
Trammell Hudson
0aae22d67c
increase CBFS size for qemu builds to allow easier experimentation 2016-12-01 14:02:57 -05:00
Trammell Hudson
c98a392508
enable EPOLL for plymouth 2016-12-01 14:02:26 -05:00
Trammell Hudson
05056aefc0
include chmod (fix #30) 2016-11-29 14:29:38 -05:00
Trammell Hudson
e55a6a4df4
Rework Makefile a bit.
rename TARGET to BOARD (fix #55)
use .INTERMEDIATE trick to avoid building multiple times (fix #52)
Don't touch build/*/.config if we don't have to (fix #51)
2016-11-29 11:28:05 -05:00
Trammell Hudson
4a83273744 disable ACPI on qemu boots, this fixes #53 2016-11-29 11:22:47 -05:00
Trammell Hudson
4fbd6ca58b
Make coreboot building modular to support multiple boards.
This touches most of the module configurations since the
coreboot build process had to add a few new features.
The Linux kernel could make use of it as well if we need
separate x230/chell/qemu kernels, for instance.
2016-11-23 12:11:08 -05:00
Trammell Hudson
638329709e
include find and compression tools 2016-11-23 10:47:04 -05:00
Trammell Hudson
16bad1abd4
enable aes-xts in Heads kernel (issue #44) 2016-10-26 15:10:53 -04:00
Trammell Hudson
2663fc464b
updated for receent merge of coreboot master 2016-09-26 14:10:32 -04:00
Trammell Hudson
ab5fb03475
enable unicode on vt so that qrenc works 2016-09-09 18:32:44 -04:00
Trammell Hudson
0e16afe17a
update config after recent coreboot/coreboot merge 2016-09-09 13:27:20 -04:00
Trammell Hudson
47ad314798
enable CONFIG_USE_BLOBS to checkout non-free binary blobs submodule 2016-08-19 14:41:32 -04:00
Trammell Hudson
d857170e0f
Enable measured boot support 2016-08-16 17:44:51 -04:00
Trammell Hudson
c755b8431f
update for coreboot-git 2016-08-16 09:13:38 -04:00
Trammell Hudson
21268a4bb8
Updates for coreboot-git 2016-08-14 16:04:43 -04:00
Trammell Hudson
c84293ad62
4.7 is the new default kernel 2016-08-14 16:04:11 -04:00
Trammell Hudson
d85d72a0d7
enable a few more busybox tools 2016-08-06 17:14:56 -04:00
Trammell Hudson
377cb1415b
Add cdroms to Linux config, support 4.7 kernels 2016-08-05 12:25:00 -04:00
Trammell Hudson
69ede68ced
enable /dev/mem so that cbmem tool can work 2016-08-04 17:29:26 -04:00
Trammell Hudson
a81a002abb
Build and bundle the patched xen 4.6.3 kernel 2016-08-03 18:10:44 -04:00
Trammell Hudson
4589e5d1d3
copy the bzImage into the coreboot build directory 2016-08-02 21:59:14 -04:00
Trammell Hudson
62c544ea96
coreboot build (might) work; need to do a test from clean while online 2016-08-02 21:49:22 -04:00
Trammell Hudson
3fde9759f3
coreboot-4.4 binary blobs 2016-08-02 21:39:24 -04:00
Trammell Hudson
426cd8f94f
build the linux kernel after building the initrd 2016-08-02 21:23:18 -04:00
Trammell Hudson
00559def5d
porting Makefile to use a modular build system for each package 2016-08-02 19:25:47 -04:00
Trammell Hudson
2471e15109
cleanup initrd, improve population of lib directories, remove some extra drivers, add notes on /dev 2016-07-28 00:08:33 -04:00
Trammell Hudson
364e44fcdf
working configuration files for coreboot-4.4 and linux-4.6.4, as well as with qemu 2016-07-26 15:14:07 -04:00
Trammell Hudson
4dded24fb7
build almost works 2016-07-25 13:36:15 -04:00
Trammell Hudson
a6d9902a2d
started on automated build process 2016-07-25 10:08:53 -04:00