Commit Graph

275 Commits

Author SHA1 Message Date
Thierry Laurion
56b602974b
WiP: NK3 with p256 ECC algo supported for in-memory keygen and key-to-card op. With this commit, one can provision NK3 with thumb drive backup which enables authenticated recovery shell and USB boot.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:07:40 -04:00
Thierry Laurion
2b21623bc6
qemu doc: add modify list/mount instructions to use losetup to map partitions to loop0pX and mount them to get public key
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:07:37 -04:00
Thierry Laurion
27c457f04b
TPM2 DUK and TOTP/HOTP reseal fix, refactoring and ifferenciating tpm_password into tpm_owner_password and reusing correctly
i
TODO: fix all TODO in PR prior of review + squash

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:07:27 -04:00
Thierry Laurion
2ae94405ad
WiP: add export CONFIG_HAVE_GPG_KEY_BACKUP=y so whiptail-tpm2 can be used with GPG key material thumb drive backup
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:07:04 -04:00
Thierry Laurion
1f28c71447
WiP: adapt dmesg in function of CONFIG_DEBUG_OUTPUT being enabled or not so and adapt further troubleshooting notes in code when keys cannot be accessed on media for whatever cause so user can understand what is happening when accessing GPG material on backup thumb drive
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:06:55 -04:00
Thierry Laurion
b1e5c638cd
WiP
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-01 10:06:45 -04:00
Thierry Laurion
9addb3b6b0
qemu board doc: add Nitrokey3NFC in md doc 2023-10-10 12:30:41 -04:00
Thierry Laurion
4ff955918f
x230-maximized board configs: add DEBUG/TRACE board config in comment
Enabling DEBUG/TRACE options from board config vs from configuration menu is different.

When enabled in board config, /etc/config is from ROM, and sourced early and make TRACE/DEBUG calls appear early.
If added through configuration menu, those are /etc/config.user overrides extracted from CBFS and then sourced after combine_configs call

If for whatever reason early DEBUG is needed on a platform, enabling in board config is needed.
For runtime debugging, enabling Debug output from configuration menu is enough
2023-10-10 12:14:36 -04:00
Jonathon Hall
fab9124f00
librem_* (except L1UM): Linux 6.1, coreboot gfx init with efifb
Update all Librems except L1UM (but including L1UM v2) to Linux 6.1.8.

Use coreboot native graphics init.  Raise maximum framebuffer size for
laptops to 3840x2160 (desktops default to this, but laptops default
to a lower value).  Remove DRM modules from Linux 6.1.8 and add EFIFB.

Remove Heads kernel command line options relating to IOMMU and i915,
which are no longer needed.  Remove OS kernel options relating to
IOMMU.

For Librem 13/15/14/Mini, this fixes issues booting with 4K displays
attached, which were resulting in crashes due to the framebuffer memory
not being reserved properly.  memtest86+ now passes with a 4K display
attached.

For Librem L1UM v2, framebuffer boot now works.

Librem L1UM remains on Linux 5.10 with Heads kernel graphic init
(framebuffer boot still does not work).  coreboot 4.11 has native
graphics init for Aspeed, but only in text mode.  Backporting the
linear framebuffer support appears to be possible - the patch applied
cleanly - but it did not work initially and will need more
investigation.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-09-06 10:36:37 -04:00
tlaurion
8bd82a6e10
Merge pull request #1494 from JonathonHall-Purism/coreboot_purism_4.21
modules/coreboot: Update Purism coreboot to 24e2f7e4
2023-09-06 10:19:55 -04:00
tlaurion
2c3987f9a3
Merge pull request #1485 from Nitrokey/nx-nitropad
add Nitropad NV41/NS50 TPM2 boards (2nd)
2023-09-06 10:15:17 -04:00
Jonathon Hall
eed8adeb49
librem_mini,librem_mini_v2: Enable CMOS layout, update CMOS checksum
Enable the coreboot CMOS option table, which initializes CMOS if the
checksum is not valid.

There is now a checksum in the CMOS layout since 4.21, update it when
updating the Mini v1/v2 EC power-on setting.

coreboot 4.21 will reset the CMOS settings during the first boot, since
there was no checksum in prior releases.  Heads will restore the
automatic power-on setting during init based on config.user.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-09-05 16:03:02 -04:00
tlaurion
8272d33e7c
Merge pull request #1482 from tlaurion/ease_tpm_disk_unlock_key_resealing_after_totp_mismatch-warn_and_die_changes
Ease TPM Disk Unlock Key sealing/resealing after TOTP mismatch (firmware upgrade) + warn and die changes
2023-09-05 11:48:50 -04:00
Markus Meissner
d01c3ab7c9
boards: add nitropad-nv41 + nitropad-ns50 2023-09-05 17:13:56 +02:00
Markus Meissner
b47da0be89
boards/qemu-*: update allowed usb-token comments 2023-09-05 12:32:22 +02:00
Thierry Laurion
03d8f93c95
modules/zstd: now included by default. Deactivated under legacy-flash boards
Rationale:
cpio -t alone cannot extract initrd past early cpio (microcode) in most packed initrd.
unpack_initramfs.sh already under master comes to the rescue, but its usage up to today was limited to pass firmware blobs to final OS under boards/librem_mini_v2

Debian OSes (and probably others) need to have cryptroot/crypttab overriden directly, otherwise generic generation of crypttab is not enough.
Extracting crypttab and overriding directly what is desired by final OS and exposed into /boot/initrd is the way to go otherwise hacking on top of hacks.

This brings default packed modules under Heads to 5 modules, which needs to be deactivate in board configs if undesired:
user@heads-tests-deb12:~/heads$ grep -Rn "?= y" modules/ | grep -v MUSL
modules/zlib:1:CONFIG_ZLIB ?= y
modules/zstd:3:CONFIG_ZSTD ?= y
modules/exfatprogs:2:CONFIG_EXFATPROGS ?= y
modules/busybox:2:CONFIG_BUSYBOX ?= y
modules/e2fsprogs:2:CONFIG_E2FSPROGS ?= y
2023-08-31 11:19:50 -04:00
Thierry Laurion
d5aa0c874e
boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.md was invalid symlink 2023-08-28 16:24:14 -04:00
Thierry Laurion
106a9bf543
qemu boards: change default creation size of USB_FD_IMG from 128MB to 256MB
Otherwise 10% of 128mb (12mb) is not enough to create a LUKS container
2023-08-28 16:24:11 -04:00
Thierry Laurion
97f39a8b1f
t430-maximized/t430-hotp-maximized: move from untested to tested boards, other t430 boards still untested 2023-08-16 14:54:12 -04:00
Thierry Laurion
e5b64f8c48
t430/x230 legacy flash boards: unify so they specify coreboot config files as all other boards
(Otherwise, renaming board requires to rename coreboot config file as well since BOARD is used to pick corresponding one when undefined)
2023-08-16 13:29:08 -04:00
Thierry Laurion
294a6bed94
t430 boards: moved to untested until reported tested as per #1421 2023-08-16 12:35:52 -04:00
Thierry Laurion
572573ff40
x220 board: this is maximized coreboot config, legacy linux config 2023-08-16 09:44:44 -04:00
Thierry Laurion
107855f53a
p8z77-m_pro-tpm1: bring back boards as tested platforms. 2023-08-16 09:44:41 -04:00
Thierry Laurion
d3ea60f69e
linux configs: adapt to use efifb driver (Intel iGPU/qemu with bochs native gfxinit) 2023-08-15 17:24:34 -04:00
tlaurion
fbc0993084
Merge pull request #1462 from JonathonHall-Purism/reuse-toolchains
Enable reusing coreboot release toolchains for forks
2023-08-15 16:27:20 -04:00
Jonathon Hall
57f9d1635b
x230-*-fhd_edp: Include kbd to set console font size
Include the kbd module to set the console font size based on the
display resolution.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 14:40:10 -04:00
Jonathon Hall
d0d2ea9a77
librem_mini{,_v2}: Include kbd to set console font size
Include the kbd module to enlarge the console font size based on the
display resolution.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 14:40:09 -04:00
Jonathon Hall
ef85973109
librem_15v4: Include kbd, don't force eDP resolution in Heads kernel
Include kbd so the console font can be enlarged based on the display
resolution.

Don't force 1080p on the eDP output in Heads.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 14:40:09 -04:00
Jonathon Hall
555dde0b43
boards/librem_* (except l1um): Remove CONFIG_PURISM_BLOBS=y
These boards get purism-blobs as a submodule of the purism coreboot
fork.  modules/coreboot used to skip the purism-blobs dependency for
this fork, but the module is not needed at all for these boards.

librem_l1um keeps CONFIG_PURISM_BLOBS=y since it is built from patched
coreboot 4.11.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:44:39 -04:00
Thierry Laurion
447f8addc7
Rename UNTESTED_x230-maximized-fhd_edp and UNTESTED_x230-hotp-maximized-fhd_edp to normal names 2023-08-02 14:37:02 -04:00
tlaurion
06b1b0948d
Merge pull request #1399 from d-wid/z220
Add HP Z220 CMT
2023-07-24 18:27:17 -04:00
d-wid
4d157493a3 Add HP Z220 CMT 2023-07-22 16:27:31 +02:00
tlaurion
d7b4a47cfe
Merge pull request #1442 from tlaurion/qemu_basic_boot_example_in_board_config
Qemu boards: typo correction in comment to manually enable Basic Boot mode
2023-07-17 14:08:22 -04:00
Thierry Laurion
f4a8ae925f
non-dgpu t530 was reported working (t530-hotp-maximized-v0.2.0-1705-gedf200e.rom) 2023-07-17 12:49:32 -04:00
Thierry Laurion
c419cf7e2b
Qemu boards: typo in comment to manually enable Basic Boot mode : (was CONFIG_BASIC_BOOT where CONFIG_BASIC expected) 2023-07-17 12:32:27 -04:00
Jonathon Hall
45245fe417
qemu-*: Show how to enable restricted/basic in board config
For iterating, enabling these in the board config is easiest.  It's
also possible to manually inject config.user ahead of time, or enable
at runtime without flashing, but the normal enable/flash/reboot path
does not work in qemu since it is unable to flash.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-12 14:17:43 -04:00
Jonathon Hall
252efc6945
Merge remote-tracking branch 'github-heads/master' into pureboot-27-heads-upstream 2023-07-07 15:57:34 -04:00
Jonathon Hall
4c8e445dcd
Merge remote-tracking branch 'github-heads/master' into pureboot-27-heads-upstream
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-05 14:32:16 -04:00
Jonathon Hall
17724f9baa
qemu-coreboot-fbwhiptail-tpm1-hotp: Fix truncated documentation lines
A few lines in the documentation got truncated somehow.  Restored the
swtpm instructions from some notes and rewrote the others.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-05 14:11:34 -04:00
Thierry Laurion
5db4165652
Rename UNTESTED_t420-maximized and UNTESTED_t420-hotp-maximized back to maximized board names. 2023-07-05 10:38:18 -04:00
Thierry Laurion
f8cb3db775
untested boards: move and rename untested boards, while still building them with CircleCI if they were currently built.
Non-impactful action, first step for #1421 based on participation in testing of #1398 and prior non-tested PRs.

EDIT: last minute readd of x220-maximized boards (x220-maximized and x220-hotp-maximized boards).
 x220 is still UNTESTED (legacy, manually extracting ifs, me and gbe).

EDIT: last minute readd of t440p-maximized boards (t440p-maximized and t440p-hotp-maximized boards).

Thanks to @srgrint for lat minute report that t440p and x220 were tested
----

Traces of commands used:
ls qemu-linuxboot* leopard* r630* s2600wf* tioga* winterfell* t420* t520* t440p* w530* kgpe* p8z77* x220* x230-maximized-fhd_edp* | grep ":" | awk -F ":" {'print $1'}| while read board; do mv $board/$board.config $board/UNTESTED_$board.config; done
ls qemu-linuxboot* leopard* r630* s2600wf* tioga* winterfell* t420* t520* t440p* w530* kgpe* p8z77* x220* x230-maximized-fhd_edp* | grep ":" | awk -F ":" {'print $1'}| while read dir; do mv $dir UNTESTED_$dir; done
ls UNTESTED* | grep ":" | awk -F ":" {'print $1'}| awk -F "UNTESTED_" {'print $2'} | while read line; do sed 's/'"$line"'/UNTESTED_'"$line"'/g' ../.circleci/config.yml -i ; done

quick fix of circleci:
sed -i 's/UNTESTED_UNTESTED/UNTESTED/g' ../.circleci/config.yml
sed -i 's/UNTESTED_UNTESTED/UNTESTED/g' ../.circleci/config.yml
sed -i 's/UNTESTED_UNTESTED/UNTESTED/g' ../.circleci/config.yml

Modify p8z77-m_pro-tpm1 hotp board config to include to their maximized counterpart
2023-07-04 18:00:30 -04:00
Thierry Laurion
da4c306d91
t440p p8z77-m_pro: pass to coreboot 4.19 and with comparable lockdown config to x230 + fix vbt path 2023-06-27 11:21:28 -04:00
Thierry Laurion
cc9a4828ef
Remove qemu-coreboot and qemu-coreboot-fbwhiptail board+coreboot configs
qemu-coreboot-*-tpm* boards are way more feature rich to test/develops Heads
2023-06-27 11:21:15 -04:00
Thierry Laurion
f34d2dd7d7
bump qemu-tpm boards to coreboot 4.19 2023-06-27 11:21:09 -04:00
Thierry Laurion
e02228407f
boards: bump non-tpm qemu*, xx20 and xx30 boards to use linux kernel 5.10.5 2023-06-27 11:21:06 -04:00
Thierry Laurion
e8bc003a56
boards/p8z77-m_pro-tpm1-maximized: bump linux from 4.14 to 5.10 2023-06-27 11:21:02 -04:00
Jonathon Hall
8289d1bb29
oem-factory-reset: Offer to use all defaults on Librem boards only
Introduce CONFIG_OEMRESET_OFFER_DEFAULTS and enable it on Librem
boards.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-23 08:20:21 -04:00
Jonathon Hall
f6134e9c35
gui-init: Opt into skipping QR code scan for Librem boards only
Introduce CONFIG_TOTP_SKIP_QRCODE to skip this step and enable it on
Librem boards.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-23 08:18:59 -04:00
Jonathon Hall
89858f52a9
Merge remote-tracking branch 'github-heads/master' into pureboot-27-heads-upstream
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 15:15:23 -04:00
Jonathon Hall
1bf8331ffb
Blob jail: Add zstd-decompress, decompress more complex archives
Debian 12's initrd by default now consists of an uncompressed cpio
archive containing microcode, followed by a zstd-compressed cpio
archive.  inject_firmware.sh only supported gzip-compressed cpio, so it
could not extract /init from this archive.

Add zstd-decompress to decompress zstd streams (uncompressed size is
about 180 KB).

Add unpack_initramfs.sh which is able to decompress uncompressed, gzip,
or zstd archives, with multiple segments, much like the Linux kernel
itself does.

Use unpack_initramfs.sh to extract /init for blob jail.

Don't compress the new archive segment containing firmware and the
updated /init.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:50 -04:00