Commit Graph

146 Commits

Author SHA1 Message Date
Thierry Laurion
c73692e4f3
flake.nix + qemu.mk: add working qemu-canokey usable from all qemu boards by default
flake.nix: add canokey-qemu lib, derive qemu on top of it and have qemu_kvm depend on the qemu derivative
targets/qemu.mk: modified to add canokey support by default if no "USB_TOKEN=" is specified on the make run call

CircleCI: base docker image pull on v0.1.6 containing the newly added derivatives
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-12 13:51:28 -04:00
Thierry Laurion
e4976e7882
Re-add kgpe-d16 as UNMAINTAINED_* boards, still built by CircleCI (since constant interest in the builds)
Modify .circleci/config.yml to also not reuse past caches if the CircleCI config changes, as part of the calculated hashes for the 3 layers
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-08 15:36:27 -04:00
Thierry Laurion
b4936ea42c
CircleCI: use v.0.1.4 produced with latest flake.nix which includes qemu_kvm for kvm testing in docker image
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-08 11:35:23 -04:00
Thierry Laurion
f4db4b791c
README.md qemu.md + CircleCI: point to images for building and using nix developed created docker image
- push v0.1.3 and have latest point to the same image, add repro notes inside of README.md
- modify qemu.md to also refer to using docker images

TODO: remove NIX_REPRO_NOTES prior of merging

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-06 15:22:11 -04:00
Thierry Laurion
2b2356e87e
CircleCI: use tlaurion/heads-dev-env:v0.1.1 which reverts nix attempt of garbage collection inside of nix prior of making the docker
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-03 15:07:29 -04:00
Thierry Laurion
46cad549ef
WiP flake.nix: make docker image usable for testing as well, target: qemu-coreboot-whiptail-tpm2 with swtpm and canokey for smartcard
- include nix tools inside of the docker to be able to call the garbage collector prior of creating docker.
- protect roots from garbage collection (WiP)
  - Requires external preparation call so that nix (the binary) is not wiped as well. See NIX_REPRO_NOTES at the end of the file for repro notes
  - Could probably be improved. Works as of now and created a 4Gb vs 3.02Gb docker image I'm uploading now.
- CircleCI bumped to use v0.0.9 version including this
- CircleCI now depending on flake.lock for all cache layers. Will rebuild clean once again

So now we have qemu with canokey support in image, nix basic tools inside of container. Possible to call docker with DISPLAY, see NIX_REPRO_NOTES as of now.
That feels nice. No need for a USB security dongle to have TPM based TPMTOTP nor detached signing? Not tested but the feature is there.

TODO:
- make docker creation nicer in the Nix way.
- Add canokey support under targets/qemu.mk
- add canokey board version

At least we have reproducible stack and testing stack being in the same docker image. Docker image moved from 991.18MB (v0.0.8) to 1.18GB (v0.0.9)
- And I tried to clean binaries of symbols here! Seems like I do not know enough of the Nix way here.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 20:51:18 -04:00
Thierry Laurion
6070d8f6f0
CircleCI: use tlaurion/heads-dev-env:v0.0.8 which includes AC_LOCAL export of develop env into the docker image. Works locally for talos-2 board build.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:03:09 -04:00
Thierry Laurion
9a72d9545a
CircleCI: use tlaurion/heads-dev-env:v0.0.7 which includes openssl in flake.nix for talos-2 board's linux config
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:02:50 -04:00
Thierry Laurion
76c20847da
CircleCI: add CircleCI step to source manually /devenv.sh in build_board additional step
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:02:31 -04:00
Thierry Laurion
70a9f93ddf
Revert "CircleCI: use docker v0.0.6 which flake.nix jumped from zlib/zlib.dev to zlib-ng"
This reverts commit 9052d2b562162183fa201ebf89c75be904d87281.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:02:26 -04:00
Thierry Laurion
53ca8d3554
CircleCI: use docker v0.0.6 which flake.nix jumped from zlib/zlib.dev to zlib-ng
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:02:17 -04:00
Thierry Laurion
b45fc960cf
CircleCI: Test tlaurion/heads-dev-env:v.0.0.5 (created from flake develop) which fails at tpm2-tss
- switch cache to nix-docker-heads to not interfere with nixos develop layer on same PR
- remove nix develop calls; replace by direct script calls and make calls
- make sure save/restore/root is ~/heads

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:02:07 -04:00
Thierry Laurion
05223ca6a3
CircleCI + Makefile: remove limitation to loadavg of 16 in Makefile, test CPUS=8 to maximize loadavg on CircleCI with 4 CPUs & 8GB RAM
See first lines of output of any make command. Change aimed to be respectful of CI resources (8GB RAM, 4 CPUs)

With CPUS=8 AVAILABLE_MEM_GB=4, CircleCI outputs:

```
!!!!!! BUILD SYSTEM INFO !!!!!!
System CPUS: 36
System Available Memory: 4 GB
System Load Average: 12.99
----------------------------------------------------------------------
Used **CPUS**: 8
Used **LOADAVG**: 8
Used **AVAILABLE_MEM_GB**: 4 GB
----------------------------------------------------------------------
**MAKE_JOBS**: -j8 --max-load 8

Variables available for override (use 'make VAR_NAME=value'):
**CPUS** (default: number of processors, e.g., 'make CPUS=4')
**LOADAVG** (default: same as CPUS, e.g., 'make LOADAVG=4')
**AVAILABLE_MEM_GB** (default: memory available on the system in GB, e.g., 'make AVAILABLE_MEM_GB=4')
**MEM_PER_JOB_GB** (default: 1GB per job, e.g., 'make MEM_PER_JOB_GB=2')
----------------------------------------------------------------------
```

Let's try without any limitation...

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:01:38 -04:00
Thierry Laurion
e5c55d79e3
CircleCI: have nitropad-nv41 build on top of prep_env, not x230-hotp-maximized
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:01:19 -04:00
Thierry Laurion
1174282bc4
ci: Prepend nix- to save and restore cache statements
Until nix PR is merged to not interfere with master/other pr caches

Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:01:15 -04:00
Manuel Mendez
7169fab81b
ci: Switch image from debian to nix
Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:01:10 -04:00
Manuel Mendez
de3f4ec2a3
ci: Replace while loop with tail of multiple files
Gives the exact same output:

```
docker run --rm -ti debian:11 bash -c '
  mkdir -p build/subdir1/ build/subdir2
  echo "subdir1 error" >build/subdir1/fail.log
  echo "subdir2 error" >build/subdir2/fail.log
  find build -type f -name "*.log" -exec tail -n +1 "{}" +
'
==> build/subdir1/fail.log <==
subdir1 error

==> build/subdir2/fail.log <==
subdir2 error
```

Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:01:01 -04:00
Manuel Mendez
713eadc129
ci: Simple/mechanical tweaks to config file
Got rid of long lines in favor of more lines for readability. Cleaned up
some comments/typos and unnecessary cruft*. Finally ran prettier on the
file for its automatic formatting, including whitespace clean ups.

cruft:

- && when already set -e
- run commands with trailing \
- deleted commented out "OLD STUFF"
- sorted listy looking things because unsorted stuff bothers me :) (I
  held back on sorting the board build definitions though, that's
  probably too much).

Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:00:56 -04:00
Thierry Laurion
d7915e1639
OpenSSL (libcrypto): patch so that crypto/buildinfo.h generated by perl script contains reproducible date and fake compiler_flags
- hardcode VERSION='reproducible_build' into generated configure script to get rid of generated random git abbrev 8/12 chars (could not find source)
- patches/openssl-3.0.8.patch: clean up

tpm2-tools/tpm2-tss:
- hack configure scripts to not contain hardcoded libs and other rpath related strings, using sed instead of patching configure script like cryptsetup2 patch
  - Will be cleaned up in other commits. Leaving here as trace for autotools sed patching for reproducible builds.

CircleCI: change working dir from project->heads so that CircleCI and local builds are from heads directory, helping reproducible builds

TODO: change other patches as well and generalize to gpg toolstack, removing patches that are a maintainership burden.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-03 13:48:47 -04:00
Thierry Laurion
7fe2f9dcb2
CircleCI: save_cache depends on librem_14 instead of nitropad-nv41 (so more boards can be built reusing cache and where nv41 will be rebuilt if coreboot level cache was not saved)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-03-25 16:40:21 -04:00
Thierry Laurion
9fcd5f8fe4
Move boards/UNTESTED_* boards to untested_boards/UNMAINTAINED_*, remove them from CircleCI, add Makefile helper and document untested_boards/README.md
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-03-25 16:05:57 -04:00
Thierry Laurion
673b2f1340
modules/coreboot CircleCI: adapt to coreboot version bumps
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-03-25 15:15:52 -04:00
Thierry Laurion
de951f7156
CircleCI: re-add blobs cache in prep step to download once and pass through workspace cache
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-04 14:21:10 -05:00
Thierry Laurion
197914b396
xx20 boards and circleci: have boards download, extract and neuter ME by board config
Fix https://github.com/linuxboot/heads/issues/1569, part of the error linked to ME not being available in blobs/xx20/me.bin

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-04 14:21:08 -05:00
Thierry Laurion
753aa39503
CircleCI: test commit to have all boards download their own blobs
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-04 14:21:06 -05:00
Thierry Laurion
24571d91bc
CircleCI: re-add xx30 call to have ME downloaded for all boards. Next commit will remove all those to test boards downloading all blobs, but this is not desirable for CI where we want blobs to be downloaded once in the prep step, not from each board.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-04 14:21:05 -05:00
Thierry Laurion
43d1b4ed81
xx30: have all xx30 download ME automatically.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-04 14:21:00 -05:00
Thierry Laurion
718a831481
Board configs: move t420-hotp-maximized t420-maximized w530-maximized w530-hotp-maximized away from UNTESTED_ boards
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-12-30 13:36:28 -05:00
Thierry Laurion
0dbbae5dbc
Move t530, p8z77 and t420 boards to be prefixed with UNTESTED as per https://github.com/linuxboot/heads/pull/1522#issuecomment-1850734068. Note that w530 was already marked as UNTESTED, look for commit having moved this board as untested.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-12-11 16:07:01 -05:00
Jonathon Hall
6ca1d670f4
CircleCI: Install 'zip' dependency
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-11-14 08:21:13 -05:00
gaspar-ilom
2e8239c5e7
add configuration for w541
closes #1389
2023-10-23 21:52:09 +02:00
Thierry Laurion
44fa663d60
CircleCI: fix debian-11 package dependencies (#1507)
2023-10-17 09:40:57 -04:00
Thierry Laurion
2cc7164a99
nv41/ns50: coreboot+coreboot patch+CircleCI config: adapt to have nv41/ns50 build on top of #1417 and #1462
2023-09-05 17:13:56 +02:00
Thierry Laurion
97f39a8b1f
t430-maximized/t430-hotp-maximized: move from untested to tested boards, other t430 boards still untested
2023-08-16 14:54:12 -04:00
Thierry Laurion
294a6bed94
t430 boards: moved to untested until reported tested as per #1421
2023-08-16 12:35:52 -04:00
Thierry Laurion
107855f53a
p8z77-m_pro-tpm1: bring back boards as tested platforms.
2023-08-16 09:44:41 -04:00
Thierry Laurion
8c366ef61d
coreboot configs: changeset needed to use efifb
- intel igpu related - remove i915drmfb hacks and use simplefb and libgfxinit enabled fb
- coreboot 4.19: add patch to fix https://ticket.coreboot.org/issues/500. fbwhiptail still tears screen if in native 1366x769 though
- coreboot 4.19: add patch to enable linux trampoline to handle coreboot framebuffer (merged https://review.coreboot.org/c/coreboot/+/76431)
- coreboot 4.19: add patch to enable coreboot to apply jpeg voodoo to create bootsplash.jpeg injected in cbfs at build time + CircleCI apt imagemagick
  - (Thanks Nico Huber @icon again for above patches!)
- coreboot configs: adapt VESAFB/LIBGFXINIT to use maximum fb height/width
- coreboot configs for iGPU only: CONFIG_LINEAR_FRAMEBUFFER_MAX_HEIGHT CONFIG_LINEAR_FRAMEBUFFER_MAX_WIDTH to native size
- coreboot configs for dGPU based on Optional VBIOS injected: VESAFB set to 1280x1024 (maximum possible).

Details:
coreboot configs: remove CONFIG_LINUX_COMMAND_LINE="drm_kms_helper.drm_leak_fbdev_smem=1 i915.enable_fbc=0"
  - Those were needed to expose the i915drmfb driver prior of efifb working.
2023-08-16 09:39:09 -04:00
Thierry Laurion
447f8addc7
Rename UNTESTED_x230-maximized-fhd_edp and UNTESTED_x230-hotp-maximized-fhd_edp to normal names
2023-08-02 14:37:02 -04:00
tlaurion
06b1b0948d
Merge pull request #1399 from d-wid/z220
Add HP Z220 CMT
2023-07-24 18:27:17 -04:00
d-wid
4d157493a3
Add HP Z220 CMT
2023-07-22 16:27:31 +02:00
Thierry Laurion
f4a8ae925f
non-dgpu t530 was reported working (t530-hotp-maximized-v0.2.0-1705-gedf200e.rom)
2023-07-17 12:49:32 -04:00
Jonathon Hall
f089ca20af
.circleci/config.yml: Persist build/x86/coreboot-git in cache
Librem boards now use Purism's coreboot distribution cloned from git,
persist it in CI cache.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-06 13:24:32 -04:00
Thierry Laurion
5db4165652
Rename UNTESTED_t420-maximized and UNTESTED_t420-hotp-maximized back to maximized board names.
2023-07-05 10:38:18 -04:00
Thierry Laurion
f8cb3db775
untested boards: move and rename untested boards, while still building them with CircleCI if they were currently built.
Non-impactful action, first step for #1421 based on participation in testing of #1398 and prior non-tested PRs.

EDIT: last minute re-add of x220-maximized boards (x220-maximized and x220-hotp-maximized boards).
  x220 is still UNTESTED (legacy, manually extracting ifd, me and gbe).

EDIT: last minute re-add of t440p-maximized boards (t440p-maximized and t440p-hotp-maximized boards).

Thanks to @srgrint for last minute report that t440p and x220 were tested
----

Traces of commands used:

```
ls qemu-linuxboot* leopard* r630* s2600wf* tioga* winterfell* t420* t520* t440p* w530* kgpe* p8z77* x220* x230-maximized-fhd_edp* | grep ":" | awk -F ":" {'print $1'}| while read board; do mv $board/$board.config $board/UNTESTED_$board.config; done
ls qemu-linuxboot* leopard* r630* s2600wf* tioga* winterfell* t420* t520* t440p* w530* kgpe* p8z77* x220* x230-maximized-fhd_edp* | grep ":" | awk -F ":" {'print $1'}| while read dir; do mv $dir UNTESTED_$dir; done
ls UNTESTED* | grep ":" | awk -F ":" {'print $1'}| awk -F "UNTESTED_" {'print $2'} | while read line; do sed 's/'"$line"'/UNTESTED_'"$line"'/g' ../.circleci/config.yml -i ; done
```

quick fix of circleci:

```
sed -i 's/UNTESTED_UNTESTED/UNTESTED/g' ../.circleci/config.yml
sed -i 's/UNTESTED_UNTESTED/UNTESTED/g' ../.circleci/config.yml
sed -i 's/UNTESTED_UNTESTED/UNTESTED/g' ../.circleci/config.yml
```

Modify p8z77-m_pro-tpm1 hotp board config to include their maximized counterpart
2023-07-04 18:00:30 -04:00
Thierry Laurion
252c9df505
CircleCI config: remove generic qemu-coreboot/qemu-coreboot-fbwhiptail and reorganize per coreboot version
add coreboot 4.19 builddir into save_cache
2023-06-27 11:21:32 -04:00
Thierry Laurion
3bab585bc0
CircleCI: have sizes output kept in CircleCI forever just as hashes
2023-06-27 11:05:17 -04:00
tlaurion
3a38ac02e3
Merge pull request #1312 from tlaurion/coreboot-4.13_coreboot-4.19_version_bump
Bump boards depending on coreboot 4.13 to 4.19
2023-04-24 19:21:18 -04:00
ThePlexus
c67cf7c47e
Add ASUS P8Z77-M Pro board
2023-03-30 10:28:40 +01:00
tlaurion
2995376cda
Merge pull request #1339 from tlaurion/single_talos_2_board
Talos II - Have single board config
2023-03-20 14:46:38 -04:00
Thierry Laurion
445ca053fb
Talos II - Have single board config
- Based on initial server board
- Uses whiptail as opposed to fbwhiptail (was slow and output fuzzy)
  - Simple fix to have dual KVM (BMC) and VGA output for consoles

Reasoning for dropping fbwhiptail support is that:
- it is impossible to output framebuffer content through remote BMC console.
- A workstation board config could output to fbwhiptail for VGA and give remote recovery shell access through BMC
  - If someone shows interest for that, qemu-coreboot-tpm boards can be used as reference.
  - slowness/fuzziness of fbwhiptail output through AST would still need to be fixed in kernel drivers. Not a priority here.

Limitation:
- Since whiptail is sent to both consoles:
  - If one console goes to recovery shell, recovery shell access invalidates TPM PCR4 measurements.
    - The other console won't be aware that TPM measurements were invalidated, and will consequently:
      - not be able to unseal TOTP if refreshed
      - not be able to unseal TPM disk unlock key on default boot
    - A reboot will fix this.
2023-03-13 14:33:03 -04:00