Download coreboot toolchain archives into packages/<arch> before
coreboot tries to download them. This allows us to use mirrors to get
the archives. We could also update the primary source this way if it
goes down instead of patching coreboot itself (has happened for IASL).
The archive versions and digests are retrieved from the coreboot
module, so there isn't another copy of that info to maintain. That is
done in bin/fetch_coreboot_crossgcc_archive.sh, which uses the
existing fetch script to do the actual download, leveraging mirrors.
bin/fetch_source_archive.sh supports using a SHA-1 digest instead of
SHA-256, since coreboot has SHA-1 digests. It also checks if the file
already exists (deleting the coreboot directory will cause it to be
re-run, but the packages are already there and can be used from cache).
The coreboot-4.11 IASL patch is updated to delete the outdated acpica
archive digest (it already added the new one, but the old one was still
there). bin/fetch_coreboot_crossgcc_archive.sh finds the archive
version and digest from the digest files, so only one acpica file must
be present.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Use the Heads name for a package when it differs from the primary
source. E.g. musl-cross-make's archive is just <hash>.tar.gz, which
makes little sense out of context. musl-cross-<hash>.tar.gz makes
more sense for a mirror.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Try to download dependency source packages from mirrors if the primary
source fails or the archive has changed.
Move the download and verify logic to bin/fetch_source_archive.sh. The
mirror list is here, currently only
https://storage.puri.sm/heads-packages/, but others can be added. The
mirror list is randomized to load each mirror equally.
The verify logic is moved to this script too so it can fail over to a
mirror (or another mirror) if a mismatched archive is served, not just
for a failure. Makefile no longer needs to verify separately and there
are no separate .*-_verify files any more, the archive is only moved to
its final place once verified.
Add `packages` target to just fetch all needed packages for a board,
which facilitates seeding a mirror.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
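The fetch-with-verify logic described in the two commit messages above (SHA-1 or SHA-256 digest, cache reuse, randomized mirrors, failover on both download failure and digest mismatch, archive placed only once verified), as an added illustration that is not the Heads bin/fetch_source_archive.sh script. It assumes the primary source and mirrors are local directories standing in for HTTP mirrors (a constructed stand-in for the real downloader) and uses sha1sum/sha256sum, choosing the algorithm from the expected digest's length.

```shell
#!/bin/sh
# Constructed example: fetch NAME from PRIMARY, then from MIRRORs in random
# order, verify the digest, and only move the archive into DEST once it
# matches. Mirrors are local directories here (assumption, not HTTP).
set -u

# digest_of FILE EXPECTED -> prints FILE's digest using the algorithm implied
# by the expected digest's length (40 hex chars = SHA-1, 64 = SHA-256).
digest_of() {
    case "${#2}" in
        40) sha1sum "$1" | cut -d' ' -f1 ;;
        64) sha256sum "$1" | cut -d' ' -f1 ;;
        *)  echo "unsupported digest length ${#2}" >&2; return 1 ;;
    esac
}

# fetch_verified NAME DIGEST DEST PRIMARY [MIRROR...]
# Returns 0 when DEST holds a verified copy of NAME, 1 when every source
# failed or served an archive whose digest does not match.
fetch_verified() {
    name=$1; digest=$2; dest=$3; primary=$4; shift 4
    if [ -f "$dest" ] && [ "$(digest_of "$dest" "$digest")" = "$digest" ]; then
        return 0   # already fetched and verified earlier: reuse cached copy
    fi
    tmp="$dest.tmp"
    # Primary first, then mirrors shuffled so load is spread across them
    for src in "$primary" $(printf '%s\n' "$@" | shuf); do
        rm -f "$tmp"
        cp "$src/$name" "$tmp" 2>/dev/null || continue   # download failed
        actual=$(digest_of "$tmp" "$digest") || continue
        if [ "$actual" != "$digest" ]; then
            echo "digest mismatch from $src, trying next source" >&2
            continue                                      # changed/tampered
        fi
        mv "$tmp" "$dest"                                 # verified: place it
        return 0
    done
    rm -f "$tmp"                                          # never leave junk
    return 1
}
```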
Makefile: have inclusion of all defined $BOARD BOARD_TARGETS (me, split_8mb4mb, ...)
TODO: VBIOS scripts for W530/T530 need way more work. To be done later.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Adds two global helpers in Makefile:
- board.move_untested_to_tested
- board.move_tested_to_untested
Which can be called by:
- make BOARD=UNTESTED_t420-maximized board.move_untested_to_tested
- make BOARD=x230-legacy board.move_tested_to_untested
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
* overwriting a hotp secret is not possible anymore
* make sure to delete the hotp secret before setting a new one
* requires one additional user presence check during HOTP setup
* bump to v1.5
Signed-off-by: Markus Meissner <coder@safemailbox.de>
* remove all previous coreboot patches (as they are already included)
* to be investigated: linux trampoline patch
* add new patch to hardcode sleep configuration
* activate smmstore as dasharo vendor code requires it
Signed-off-by: Markus Meissner <coder@safemailbox.de>
- Upstream boards will not deactivate TPM DUK
- Upstream will not force BRAND_NAME which currently defaults to Heads
- Upstream will not deactivate QR code on screen output on HOTP sealing
- Upstream will not offer OEM reset defaults (deprecated and now default anyway)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Allow downstreams to add config to site-local/config, which can set
config options, including overriding board config and exporting config
to /etc/config.
The intent of site-local is exactly the same as in coreboot - it is a
place for downstreams to add customizations that are included at well-
defined points in the build. site-local should never appear in the
upstream repository. coreboot's documentation explains this as well:
https://doc.coreboot.org/tutorial/managing_local_additions.html
Move definitions of ROM artifacts later, so site config can override
BRAND_NAME (and still is included after board config to override it as
well).
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Move the targets generating talos-2's tgz update package to targets.
While this wasn't duplicated, it breaks a cyclic dependency between
board config and BRAND_NAME by moving the ROM output name dependencies
later. The logic probably would be shared with similar boards if any
were supported, so it is in the spirit of the other targets/ shared
target Makefiles.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
The 8 qemu-* targets all contained nearly-identical copies of the
targets to prepare the TPM/disk/etc. and then run Qemu. The only
significant differences were for TPM1/TPM2 (extra swtpm_setup step,
addition of --tpm2 to swtpm_setup and swtpm). ROOT_DISK_IMG used := or
= differently in some boards, := was kept.
targets/qemu.mk now defines all Qemu targets and is included only for
qemu-* boards (by defining BOARD_TARGETS in each of those boards).
The documentation was moved from qemu-coreboot-fbwhiptail-tpm1-hotp/
qemu-coreboot-fbwhiptail-tpm1-htop.md to targets/qemu.md. The other 7
qemu boards' symlinks to that file were removed.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Change order if user chooses both reencrypt and change passphrase, so that passphrase is changed first.
Signed-off-by: Christian Foerster <christian.foerster@mailfence.com>