Debian 12's initrd by default now consists of an uncompressed cpio
archive containing microcode, followed by a zstd-compressed cpio
archive. inject_firmware.sh only supported gzip-compressed cpio, so it
could not extract /init from this archive.
Add zstd-decompress to decompress zstd streams (uncompressed size is
about 180 KB).
Add unpack_initramfs.sh which is able to decompress uncompressed, gzip,
or zstd archives, with multiple segments, much like the Linux kernel
itself does.
Use unpack_initramfs.sh to extract /init for blob jail.
Don't compress the new archive segment containing firmware and the
updated /init.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
PureBoot doesn't have any other three-valued settings and this doesn't
present very well in the config UI.
Instead make this a two-valued setting; drop the mode that forces the
EC setting to "stay off" at every boot because this is the default.
When disabling automatic power-on, disable the EC BRAM setting too.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Mini v1/v2's EC can automatically power on the system when power is
applied, based on a value in EC BRAM. Add a configuration setting to
optionally set this value.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Add ioport module, enable for librem_mini_v2. Only inb and outb are
included, inw/outw/inl/outl aren't needed.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Currently Heads will check files in /boot for tampering before booting
into a system. It would be nice if you could use the trusted environment
within Heads and extend this to check files in / itself. This new script
adds that functionality, however due to the length of time it takes to
perform these kinds of checks, it doesn't run automatically (yet).
This feature can be configured from the config GUI - the root device/
directories to check can be set, and it can be configured to run during
boot.
To make this a bit easier to use, I added a feature to detect whether
the hash file exists and if not, to display a more limited menu to the
user guiding them to create the initial hash file. Otherwise it will
display the date the file was last modified, which can be useful to
determine how stale it is.
- Based on initial server board
- Uses whiptail as opposed to fbwhiptail (was slow and output fuzzy)
- Simple fix to have dual KVM(BMC) and vga output for consoles
Reasoning for dropping fbwhiptail support is that:
- it is impossible to output framebuffer content through remote BMC console.
- A workstation board config could output to fbwhiptail for VGA and give remote recovery shell access through BMC
- If someone shows interest for that, qemu-coreboot-tpm boards can be used as reference.
- slowness/fuzzyness of fbwhiptail output through AST would still need to be fixed in kernel drivers. Not a priority here.
Limitation:
- Since whiptail is sent to both consoles:
- If one console goes to recovery shell, recovery shell access invalidate TPM PCR4 measurements.
- The other console won't be aware that TPM measurements were invalidated, and will consequently:
- not be able to unseal TOTP if refreshed
- not be able to unseal TPM disk unlock key on default boot
- A reboot will fix this.
They're the same other than a TRACE, combine them. Use busybox
insmod since the insmod script uses bash, we don't need the TPM PCRs on
legacy-flash-boards.
Remove PCR4 extend, these boards lack TPM configuration. Update ROM
example name.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
tpm2-tools is able to log pcap files of TPM2 commands, which can be
inspected with wireshark. Add CONFIG_TPM2_CAPTURE_PCAP to capture
these from the tpmr wrapper, and enable for qemu TPM2 boards.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
- legacy-flash boards have a single purpose: to flash BIOS region through flashrom.
- They do not need bash nor have space for it in their 4mb defined coreboot CBFS region
Test build to have legacy boards builds under osresearch#1292
Include bash in all builds. Remove CONFIG_BASH.
Remove CONFIG_BASH_IS_ASH from busybox configuration and clean up hacks
in modules/bash.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
- /tmp/debug.log is created and appended by all TRACE and DEBUG calls in code
- fix some logic errors seen when no DEBUG entry were outputted in /tmp/debug.log
Invoke swtpm_setup --create-config-files skip-if-exist to create local
CA files under the current user account, so user does not need
read/write access to /var/lib/swtpm-localca.
Pass --tpm2 to manufacture a TPM2 instead of TPM1.2.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
The actual use of curl was already removed, update tpm2-tools patch to
also remove the check for curl. Remove the curl module and
CONFIG_CURL.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
-coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations)
-swtpm set to be launched under TPM v2.0 mode under board config
-Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized)
This is skeleton for TPM v2 integration under Heads
-------------
WiP
TODO:
- libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built
- Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing
- init tries to bind fd and fails currently
- Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output
- When no OS' /boot can be mounted, do not try to TPM reset (will fail)
- seal-hotpkey is not working properly
- setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM)
- We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase.
- primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup
- would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only
- tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help.
- Implementing them would be better
- REVIEW TODOS IN CODE
- READD CIRCLECI CONFIG
Current state:
- TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid)
- TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without.
- TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails.
- Current tests are with fbwhiptail (no clear called so having traces on command line of what happens)
- Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
- Add 4.19 under modules/coreboot
- point all 4.13 boards to 4.19
- adapt x230 FHD/EDP patch under patches/coreboot-4.19/0001-x230-fhd-variant.patch (poked upstream to fix patch under https://review.coreboot.org/c/coreboot/+/28950)
- correct versioning info under .circleci/config/yml
- Add TRACE function tracing output under etc/functions, depending on CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT enabled in board configs
- Replace current DEBUG to TRACE calls in code, reserving DEBUG calls for more verbose debugging later on (output of variables etc)
- add 'export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y' in qemu-coreboot(fb)whiptail-tpm1(-hotp) boards to see it in action
- add x230-maximized-fhd_edp and x230-hotp-maximized-fhd_edp board configs
- add/rework coreboot patch for x230 fhd variant to be applied on top of 4.13
- add coreboot config to point to x230-edp variant, fixing path to vbt file since default path is wrong under. Comment made upstream https://review.coreboot.org/c/coreboot/+/28950/22#message-4904ce82f01ba0505b391e072e4537b6a9f1a229
- remove no gfx init and replace with libgfxinit(defonfig default), set internal display as default
- add x230-hotp-maximized-fhd_edp and x230-maximized-fhd_edp to CircleCI builds
- One single shared coreboot config between boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config and boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config
- Coreboot 4.13 patch from coreboot at patches/coreboot-4.13/0002-x230-fhd-variant.patch
- config/coreboot-x230-maximized-fhd_edp.config points to seperate coreboot config per patch (CONFIG_BOARD_LENOVO_X230_EDP)
- ROOT_DISK_IMG is now dynamic (ROOT_DISK_IMG=/path/to/existing/provisioned/disk.img can be reused across run statements)
- Addition of missing boards to cover all use cases
- All TPM1 boards rely on common config/coreboot-qemu-tpm1.config
- boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.md has been generalized
- all other boards are softlinked to the above for usage
To be used in board configuration. Expands to the path of the board's
build directory. Also simplifies main Makefile a bit.
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Enable virtio video and storage.
Enable serial console and tweak kernel command line to show logs.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Add qemu-coreboot-fbwhiptail-tpm1-hotp configuration, which has a 'run'
target to boot with a persistent TPM, disk, virtual USB disk, and USB-
forwarded token
Provide instructions for bootstrapping a complete working system in qemu
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Set ATA and SATA configs to y, not m - modules weren't being loaded. Other
configs also build these into kernel, so do the same for qemu. Remove relevant
configs from boards since modules no longer need to be in initrd.
Enable OHCI and UHCI. qemu forwards host USB devices over a UHCI controller.
This enables USB-forwarding a physical Librem Key or Nitrokey Pro to the VM.
Export CONFIG_LINUX_USB_COMPANION_CONTROLLER to have enable_usb() load the
modules - it wants both UHCI and OHCI modules, so build both.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
- this boards is a duplicate of x230-hotp-maximized with USB Keyboard support
Testing points:
- x230-hotp-maximized does not accept input from USB keyboard
- x230-hotp-maximized_usb-kb accepts input from USB keyboard
Those boards now produce 4MB coreboot ROM and according CBFS small size, and remove the logic to extract 4Mb ROM out of the 12Mb rom which for some reason, was now misaligned.
config/coreboot-xx30-flash : remove all unnneded stuff to xx30-flash boards.
config/linux-x230-flash: used commonly for all xx30-flash boards, this is now finally saved with savedeconfig, and removes another bunch of unneeded stuff.
Tested working. Fixes#1095
This commit adds explanatory notes and updates existing t530 and w530 boards to generally align them with the dGPU points and provide signposting for those with and those without dGPU boards. It also adds an additional README in the blobs directory to explain the vbios extraction and building process.
This commit adds support for the t530 and w530 boards to enable dGPUs. dGPU's are required for DisplayPort external displays in the t530 dgpu model, and for both the VGA dn DisplayPort external displays in the W530 (which has two dGPUs, the K1000M and K2000M, hence two boards). The commit does the following:
1. Adds automated extraction scripts for vbios modelled on the me script in the blobs directory (one per board is necessary as it is based on board-specific bios updates).
2. Adds specific boards for the various dGPU models and corresponding coreboot configs.
3. Updates circleci config.yaml to run scripts and test boards.
Tested and working on T530 dgpu and W530 K1000M. dGPU scripts tested on Debian 10 and Ubuntu 21.04
Unify the CONFIG_BOOT_KERNEL_ADD/REOVE parameters for all
Librem boards. Ensure IOMMU disabled for the GPU, and that
duplicated IOMMU params are not passed to the kernel.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Update all Purism Librem boards except the L1UM server
to coreboot 4.15:
- update coreboot version from 4.8.1/4.13 to 4.15
- use purism_blobs module (if not already)
- update board coreboot defconfig files (Librem 13/15)
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
-CircleCI addition.
-Removal of t530-flash, w530-flash boards, flash scripts and associated coreboot configs (no more legacy boards additions)
This is a merger of #1071, #1072 and #1073 so that test builds are available over CircleCI until osresearch/master CircleCI gets unlocked.
- xx30 legacy boards (x230, x230-flash, t430, t430-flash) now rely also on coreboot 4.13
- DOWNSIDE: x230 and t430 legacy boards now rely on WHIPTAIL (NOT FBWhiptail) to have enough space to fit under 7mb)
- xx20 boards moved to 4.13 (no need of xx20-flash boards here since single SPI boards with 7.5mb useable since blobs scripts are required)
- DOWNSIDE: all xx20 boards now have dropbear deactivated, while still having ethernet driver in.
- qemu-coreboot and qemu-coreboot-fbwhiptail switched to coreboot 4.13 WITHOUT TPM SUPPORT (with cryptsetup 2.x support)
- DOWNSIDE:
- coreboot-qemu board CBFS_SIZE=0x700000 -> 0x750000
- coreboot-qemu-fbwhiptail CBFS_SIZE=0x750000 -> 0x780000
- CircleCi build recipe removes 4.8.1 boards altogether
- KGPE-D16 workstation is used as new base build to save workspace layer (we removed one workspace layer)
- Removing one workspace layer will save approx 2 hours of build time on fresh builds
- Removing one coreboot version will save us approx 2 hours of build time on fresh builds
- KGPE-D16 will stay to coreboot 4.11 until forward notice.
- All other board configs SHOULD be built on latest coreboot versions
- all: coreboot NO_POST for all boards
- all: coreboot NO_GFX_INIT (linux payload does the graphic init)
- all: coreboot TPM_MEASURED_BOOT (no more patches under Heads for measured boot)
- all: coreboot DRIVERS_PS2_KEYBOARD (fixes no keyboard on soft reboot and potentially xx30t xx20t fix for random raw keyboard (to be tested)
- all: coreboot removal of DEFAULT_CONSOLE_LOGLEVEL_5 under some boards
- all: coreboot removal of "loglevel=3" under some linux command line options booting Heads kernel
- all: coreboot removal of DEBUG_SMM_RELOCATION (unneeded)
- all: coreboot INCLUDE_CONFIG_FILE and COLLECT_TIMESTAMPS for all boards
- all: coreboot CONSOLE_SERIAL present on all boards
- all: coreboot add VBT
- all: board configs switch to cryptsetup2
xx20 hotp-maximized boards:
- removal of dropbear (not enough space to have htop + dropbear)
txx0 boards coreboot:
- USE_OPTION_TABLE and STATIC_OPTION_TABLE added (todo: check T430 boards optimization and find issue/PR and ammend this commit)
We use 'iommu=igfx_off' for booting the Heads kernel, so use the same for
booting the OS to ensure consistency when kexecing
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Added note to KGPE-D16 configs about the current microcode bug, why microcode is not included and encouraging AMD Opteron 6300 series users to make sure their operating system loads microcode.
- update module hash and blobs hash
- drop patches no longer needed; migrate those that remain
- adjust Librem Mini/Mini v2 board configs
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
