- Revert gnupg toolstack version bump to prior of #1661 merge (2.4.2 -> 2.4.0). Version bump not needed for reproducibility.
- Investigation and upstream discussions will take their time resolving invalid time issue introduced by between 2.4.0 and latest gnupg, fix regression first under master)
- oem-factory-reset
- Adding DO_WITH_DEBUG to oem-factory-reset for all its gpg calls. If failing in debug mode, /tmp/debug.txt contains calls and errors
- Wipe keyrings only (*.gpg, *.kbx) not conf files under gpg homedir (keep initrd/.gnupg/*.conf)
- flake.nix
- switch build derivative from qemu and qemu_kvm to qemu_full to have qemu-img tool which was missing to run qemu boards (v0.1.8 docker)
- add gnupg so that qemu boards can call inject_gpg to inject public key in absence of flashrom+pflash support for internal flashing
- flake.lock: Updated nix pinned package list under flake.lock with 'nix flake update' so qemu_full builds
- README.md: have consistent docker testing + release (push) notes
- .circleci/config.yml: depend on docker v0.1.8 (qemu_full built with canokey-qemu lib support, diffoscopeMinimal and gnupg for proper qemu testing)
TODO:
- some fd2 instead of fd1?!
- oem-factory-resest has whiptail_or_die which sets whiptail box to HEIGHT 0. This doesn't show a scrolling window on gpg errors which is problematic with fbwhiptail, not whiptail
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Specifying LIBS_BASE causes flashrom's Makefile to link in an RPATH,
using the Heads workspace path, which is not what we want. It does
other things too, but we already pass the parts we need to the make
invocation for flashrom.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Thanks to @JonathonHall-Purism, that pointed to me that sysroot was
neglected in tpm2-tools configure step.
I wonder why this is not respected if not forced with --with-sysroot and
TSS2_ESYS_3_0_LIBS="-ltss2-esys -L$(INSTALL)/lib"?
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Thanks to @JonathonHall-Purism, that pointed to me that sysroot was
neglected in tpm2-tools configure step.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Just some minor clean ups like fixing whitespace and sorting things. I
added (bash)/removed (libusb) white space in order to look like the
other modules.
I sorted the --enable/--disable/--with blocks so that common stuff
looked similar which should aid in comparing modules. I also removed a
couple of duplicate config options (--disable-fallback-curses &
--disable-regex).
Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Remove hard coded paths from shebangs and other references because they
do not play well in nix-land. Either use /usr/bin/env to do runtime PATH
based lookup or avoid absolute paths so PATH look up happens instead.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
tpm2-tools-5.6 patch: comment out git versioning output under ./VERSION; module: output current version under ./VERSION instead. Document under module
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
hardcode VERSION='reproducible_build' into generated configure script to get rid of generate random git abbrev 8/12 chars (could not find source)
patches/openssl-3.0.8.patch: clean up
tpm2-tools/tpm2-tss:
hack configure scripts to not contain hardcoded libs and other rpath related strings, using sed instead of patching configure script like cryptsetup2 patch
Will be clened up in other commits. Leaving here as trace for autotools sed patching for reproducible builds.
CircleCI: change working dir from project->heads so that CircleCI and local builds are from heads directory, helping reproducible builds
TODO: change other patches a well and generalize to gpg toolstack, removing patches that are a maintainership burden.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
- Add additional requirements to linux config
- Add additional CONFIG_MOBILE_TETHERING=y to all maximized board configs
- Fix issue under network-recovery-init to NTP sync against NTP server pool
- Extend network-recovery-init to first try NTP sync against DNS server returned by DHCP answer
- Remove network-recovery-init earlytty and tty0 redirection (console should be setuped properly by init in all cases)
- If CONFIG_MOBILE_TETHERING=y added to board config and network-recovery-init called, wait to user input on instructions and warning 30 secs before proceeding (non-blocking)
- Machines having STATIC_IP under board config won't benefit of autoatic NTP sync
Since network-recovery-init can only be called from recovery shell now, and recovery shell can be guarded by GPG auth, this is PoC code to be used to complement TOTP being out of sync
TODO(Future PR):
- Refactor into functions and reuse into TOTP/HOTP being out of sync automatically.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Passing the path to libgcc in LDFLAGS appears to no longer be needed.
Removing this fixes compilation on a freshly cloned repo.
Fixes#1507
Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
When playing with long fbwhiptail/whiptail messages, this commit played around the long string using fold.
'''
echo -e "This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue." | fold -w 70 -s
'''
Which gave the exact output of what will be inside of the fbwhiptail prompt, fixed to 70 chars width:
'''
This will replace the encrypted container content and its LUKS Disk
Recovery Key.
The passphrase associated with this key will be asked from the user
under the following conditions:
1-Every boot if no Disk Unlock Key was added to the TPM
2-If the TPM fails (hardware failure)
3-If the firmware has been tampered with/modified by the user
This process requires you to type the current LUKS Disk Recovery Key
passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set
up, by setting a default boot LUKS key slot (1) if present.
At the next prompt, you may be asked to select which file corresponds
to the LUKS device container.
Hit Enter to continue.
'''
Therefore, for long prompts in the future, one can just deal with "\n 1-" alignments to be respected in prompts and have fold deal with cutting the length of strings properly.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Restores autocomplete and makes bash more usable as an interactive
shell. Added 106 KB to compressed initrd (checked librem_14).
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Support LVM2 thin-provisioned volumes. LVM2 wants the thin_check
utility by default, but it has multiple dependencies we do not
currently ship (boost, libexpat, others), so disable it.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Add TRACE_FUNC to trace the file, line, and name of the calling
function. File and function names don't have to be duplicated in a
TRACE statement with this (they tend to become inaccurate as functions
are renamed and the TRACE statement is forgotten).
Add DEBUG_STACK to dump the bash stack to debug output.
Configure bash with --enable-debugger. Bash doesn't actually include
the entire debugger, this is just some supporting variables for it.
Evidently, BASH_SOURCE[n] is only set within a function if this is
enabled. I couldn't find this indicated in any documentation, but it
happened in practice.
Compressed initrd size only increased by 2560 bytes for librem_mini_v2,
I think that is fine. This also gives us BASH_ARGC/BASH_ARGV which
might be useful for diagnostics.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
popt: too old to have a working config.guess
libusb-compat: not needed for gpg2
gpg2: depend on libusb not libusb-compat
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Laptops can include optional USB keyboard support (default off unless
the board also sets the default to 'y'). The setting is in the
configuration GUI.
CONFIG_USER_USB_KEYBOARD is now the user-controlled setting on those
boards. 'CONFIG_USB_KEYBOARD' is no longer used to avoid any conflict
with prior releases that expect this to be a compile-time setting only
(conflicts risk total lock out requiring hardware flash, so some
caution is justified IMO).
Boards previously exporting CONFIG_USB_KEYBOARD now export
CONFIG_USB_KEYBOARD_REQUIRED. Those boards don't have built-in
keyboards, USB keyboard is always enabled. (librem_mini,
librem_mini_v2, librem_11, librem_l1um, librem_l1um_v2, talos-2,
kgpe-d16_workstation-usb_keyboard, x230-hotp-maximized_usb-kb).
Librem laptops now export CONFIG_SUPPORT_USB_KEYBOARD to enable
optional support. The default is still 'off'.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Disable the Ada compiler, as it no longer compiles on Debian 12 and is
not needed.
The Ada compiler is only used for libgfxinit - Intel native graphics
initialization. Neither of the boards on coreboot 4.11 uses this;
Aspeed graphics initialization is written in C (but is not used yet as
it only supports text mode in 4.11).
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Download coreboot toolchain archives into packages/<arch> before
coreboot tries to download them. This allows us to use mirrors to get
the archives. We could also update the primary source this way if it
goes down instead of patching coreboot itself (has happened for IASL).
The archive versions and digests are retrieved from the coreboot
module, so there isn't another copy of that info to maintain. That is
done in bin/fetch_coreboot_crossgcc_archive.sh, which uses the
existing fetch script to do the actual download, leveraging mirrors.
bin/fetch_source_archive.sh supports using a SHA-1 digest instead of
SHA-256, since coreboot has SHA-1 digests. It also checks if the file
already exists (deleting the coreboot directory will cause it to be
re-run, but the packages are already there and can be used from cache).
The coreboot-4.11 IASL patch is updated to delete the outdated acpica
archive digest (it already added the new one, but the old one was still
there). bin/fetch_coreboot_crossgcc_archive.sh finds the archive
version and digest from the digest files, so only one acpica file must
be present.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
