2388 Commits

Author SHA1 Message Date
Rocky Breslow
5cce937393
Add script for obtaining Haswell mrc.bin blob
I based this script on the Coreboot docs:
https://doc.coreboot.org/northbridge/intel/haswell/mrc.bin.html. While
adding an integrity check to ensure we're obtaining the correct blob.

Also, it's worth surfacing that the SHA-1 for the resulting binary is
the same SHA that Libreboot uses in their integrity check:
https://notabug.org/libreboot/lbmk/src/master/resources/scripts/download/mrc#L95.
However, I elected to use SHA-256 for extra paranoia.
2023-01-18 15:27:43 -05:00
tlaurion
f2ba6679ca
Merge pull request #1287 from rbreslow/rb/musl-cross-echo-path
modules/musl-cross: use echo from the PATH to support NixOS
2023-01-18 15:22:55 -05:00
tlaurion
a9e31161ac
Merge pull request #1288 from rbreslow/rb/gh-syntax-highlighting
Add overrides for Makefile syntax highlighting
2023-01-18 15:22:21 -05:00
tlaurion
9da7744808
Merge pull request #1286 from rbreslow/rb/hotp-verification-include-path
modules/hotp-verification: source libusb headers from Makefile DESTDIR
2023-01-18 15:21:22 -05:00
Rocky Breslow
dbd302497d
modules/musl-cross: use echo from the PATH to support NixOS
NixOS doesn't have a traditional FHS where echo is available at
`/bin/echo`. Instead, we must rely on the PATH for any
distribution-managed utilities. Reverses
https://github.com/osresearch/heads/issues/106.
2023-01-18 12:42:41 -05:00
Rocky Breslow
a5fa2ecb0b
modules/hotp-verification: source libusb headers from Makefile DESTDIR
Before, the configure script sourced these from the system FHS
(/usr/include/libusb-1.0). The build failed on my NixOS build machine,
which doesn't store dependencies in a traditional FHS. And this is the
correct approach for reproducible builds.
2023-01-18 12:41:54 -05:00
Daniel Pineda
3cd8654566
/etc/functions: fix detection of virtual flash drive in qemu.
Adds check to detect device formatted as fat32 without partition table.

With fat32 fdisk does not print message about invalid partition table
and instead it'll print an empty table with header.
In both cases total output has the same length of 5 lines: 3 about
device info, 1 empty line and the 5th will be the table header or
invalid partition message.

Signed-off-by: Daniel Pineda <daniel.pineda@puri.sm>
2023-01-18 11:27:15 -06:00
Rocky Breslow
b6c3229deb
Add overrides for Makefile syntax highlighting
Fix GitHub syntax highlighting for the Coreboot/Heads config files, and
modules, which are all Makefiles.

See: https://github.com/github/linguist/blob/master/docs/overrides.md
2023-01-18 11:51:38 -05:00
tlaurion
e45980d33f
Merge pull request #1281 from tlaurion/usb_modules_load_order_fix 2023-01-17 12:13:04 -05:00
tlaurion
db5777ad91
Merge pull request #1262 from 3hhh/add-files 2023-01-17 12:12:13 -05:00
Thierry Laurion
256313a988
/etc/functions: fix order when loading usb modules to prevent warning 2023-01-16 15:21:14 -05:00
3hhh
d07df1e60b
initrd: escape_zero: allow some more characters
Since it's not supposed to be shell safe, just display safe
inside double quotes, we can allow some more characters.

Also fix the escape character not being escaped.
2023-01-14 13:14:09 +01:00
3hhh
2ae7f53e04
initrd: assert_signable: use recovery() instead of die()
and display some more information to the user, if
available
2023-01-14 10:27:42 +01:00
3hhh
c65d6b92c0
initrd: call assert_signable earlier
No need to check for the GPG card first.
2023-01-14 10:07:31 +01:00
3hhh
4ce8f664ad
initrd: work around a bug in busybox sha256sum
busybox sha256sum will create a checksum file for uncommon file names
(e.g. /boot/foo"$\n"bar), but fail to verify that exact file.
https://bugs.busybox.net/show_bug.cgi?id=14226

Thus disallow all files in /boot/ with strange file names at the time of
signing for now. Verifying in the presence of new files with such file
names in /boot/ is no issue for the kexec_tree verification due to the
previously implemented escaping mechanism.
2023-01-14 10:02:49 +01:00
3hhh
e368c3f6ea
initrd: speed up non-GUI booting
by not generating the kexec_tree diff in that case
2023-01-14 10:02:49 +01:00
3hhh
f52466edbf
initrd kexec_tree: fix various escaping issues
Attempt to fix the following issues:
1. unescaped file names may let an attacker display arbitrary
   whiptail prompts --> escape, original code by @JonathonHall-Purism
2. whiptail itself allows escape characters such as \n
   --> use an escape character not used by whiptail, i.e. #
3. performance issues caused by diff'ing too early -->
   only generate a diff to display to the user, if an actual issue is
   found
2023-01-14 10:02:49 +01:00
3hhh
60df237c37
initrd: fix error message to work with kexec_tree 2023-01-14 10:02:48 +01:00
3hhh
accd9f470d
initrd: track files in /boot in kexec_tree.txt
Fixes #1248
2023-01-14 10:02:27 +01:00
tlaurion
febff85498
Merge pull request #1278 from tlaurion/kexec-save-default_fix_subshell_boot_ops
kexec-save-default: do /boot operation in subshell
2023-01-13 14:58:11 -05:00
Thierry Laurion
90b2e0ca5d
kexec-save-default: do /boot operation in subshell
fixes screwed commit 6f6f37ec3a8d7cab1c963ce4e6614f89132aeecf
2023-01-13 14:54:14 -05:00
tlaurion
1236cbc29e
Merge pull request #1277 from tlaurion/adjust_printf_clear 2023-01-13 12:23:53 -05:00
Thierry Laurion
1dd8fb4cf1
gui-init: add a print clear after TOTP Qr code being confirmed to be scanned by user 2023-01-13 11:25:27 -05:00
Thierry Laurion
3d5db5d9e2
functions: remove the last two print clear which prevented to troubleshoot console output 2023-01-13 11:24:26 -05:00
tlaurion
cd269f12c2
Merge pull request #1276 from tlaurion/recovery_fix_when_not_secret_to_shred 2023-01-13 10:45:56 -05:00
Thierry Laurion
87027d6a88
recovery call: since we operate under set -e, make sure that shred failing doesn't exit 2023-01-12 18:04:27 -05:00
tlaurion
8e73d91121
Merge pull request #1273 from tlaurion/qemu-coreboot-tpm1-boards_fixes
qemu-coreboot-tpm boards: usage optimizations
2023-01-11 17:19:39 -05:00
tlaurion
6f6f37ec3a
Merge pull request #1272 from tlaurion/boot_ops_under_subshell
/boot: make sure operations requiring to be happening under /boot are under subshells
2023-01-11 16:24:26 -05:00
Thierry Laurion
080d439758
qemu-coreboot-tpm boards: usage optimizations
- ROOT_DISK_IMG is now dynamic (ROOT_DISK_IMG=/path/to/existing/provisioned/disk.img can be reused across run statements)
- Addition of missing boards to cover all use cases
- All TPM1 boards rely on common config/coreboot-qemu-tpm1.config
- boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.md has been generalized
 - all other boards are softlinked to the above for usage
2023-01-11 15:38:30 -05:00
Thierry Laurion
aa9b75f64d
/boot: make sure operations requiring to be happening under /boot are under subshells 2023-01-11 13:59:26 -05:00
tlaurion
395de880db
Merge pull request #1267 from tlaurion/better_totp_correction_guidelines_in_code 2023-01-06 08:44:15 -05:00
tlaurion
a772259cbd
Merge pull request #1261 from Baitinq/nix_fix
Makefile: Use path agnostic bash location
2023-01-05 10:38:13 -05:00
tlaurion
355d608c6c
Merge pull request #1268 from tlaurion/qemu-coreboot-whiptail-tpm1-boarname_fix
qemu-coreboot-whiptail-tpm1: correction of boardname to reflect reality
2023-01-04 19:04:19 -05:00
Thierry Laurion
afb338d5d7
qemu-coreboot-whiptail-tpm1: correction of boardname to reflect reality 2023-01-04 19:01:42 -05:00
Thierry Laurion
d3eb708bcb
TOTP code mismatch: better guidelines in code 2023-01-04 16:07:38 -05:00
tlaurion
6a82894894
Merge pull request #1264 from JonathonHall-Purism/coreboot-4.11-patch-fix 2023-01-04 11:21:24 -05:00
Jonathon Hall
487c5b0815
coreboot-4.11: Fix remaining patch to work with git apply
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-01-04 09:04:19 -05:00
Baitinq
171b29f09d
Makefile: Use path agnostic bash location
This patch changes the bash location in the makefile from /bin/bash to
/usr/bin/env bash. The latter is a more reproducible location as it is
common to more *nix systems which don't contain the former, such as
NixOS.
2022-12-28 15:58:57 +01:00
tlaurion
bf3898a2a1
Merge pull request #1256 from tlaurion/revert_deleted_race_condition_patch-remove_coreboot413_http_download_patch
Revert deleted race condition patch remove, coreboot413 http download patch
2022-12-14 17:05:53 -05:00
Thierry Laurion
14adf647eb
coreboot 4.13: remove transient patch to download over http instead of https 2022-12-14 14:35:12 -05:00
Thierry Laurion
16bc658018
coreboot 4.11: Re-add patch removed by error which was a race condition patch 2022-12-14 14:35:05 -05:00
tlaurion
1a0f48d8a6
Merge pull request #1253 from tlaurion/fix_coreboot_411_patches_for_git_apply
Have coreboot 4.11 boards locally buildable again (patches compliant with "git apply" + make 4.2.1+ fixes)
2022-12-14 14:22:32 -05:00
Thierry Laurion
9447b17f86
CircleCI: add second layer cache for coreboot 4.17 (so buildstack is cached when other modules changes) 2022-12-14 12:07:25 -05:00
Thierry Laurion
4cd678efb5
coreboot 4.11 now builds locally with make 4.2.1+ (CircleCI still unfixed) 2022-12-14 12:06:11 -05:00
Thierry Laurion
3e893b7df7
coreboot 4.11 patches: made compliant with git apply (removal of https->http temp fix) 2022-12-14 12:05:10 -05:00
tlaurion
315febdf74
Merge pull request #1247 from tlaurion/Talos_II_enable_tpm
Talos II : add TPM module (coreboot config) as under dasharo
2022-12-08 10:11:49 -05:00
tlaurion
61f72f8d51
Merge pull request #1232 from Unb0rn/l14-size-reduce 2022-12-01 10:03:12 -05:00
Thierry Laurion
9fc1f1c10b
Talos II : add TPM module as under 2207bbcccb 2022-11-24 10:23:29 -05:00
tlaurion
3184bf7a8c
Merge pull request #1246 from JonathonHall-Purism/continue_to_main_menu
gui-init: Always go to main menu when selecting "continue to main menu"
2022-11-23 17:03:57 -05:00
Jonathon Hall
817b9b3bb7
gui-init: Always go to main menu when selecting "continue to main menu"
If the user selects "continue to main menu" from an error, do not show
any more error prompts until reaching the main menu.

We still try to initialize everything (GPG, TOTP, HOTP) so that the
main menu can still show TOTP/HOTP if GPG is not configured, etc., but
no more prompts are shown after selecting "continue to main menu".

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2022-11-23 14:01:02 -05:00