- Revert gnupg toolstack version bump to prior of #1661 merge (2.4.2 -> 2.4.0). Version bump not needed for reproducibility.
- Investigation and upstream discussions will take their time resolving invalid time issue introduced by between 2.4.0 and latest gnupg, fix regression first under master)
- oem-factory-reset
- Adding DO_WITH_DEBUG to oem-factory-reset for all its gpg calls. If failing in debug mode, /tmp/debug.txt contains calls and errors
- Wipe keyrings only (*.gpg, *.kbx) not conf files under gpg homedir (keep initrd/.gnupg/*.conf)
- flake.nix
- switch build derivative from qemu and qemu_kvm to qemu_full to have qemu-img tool which was missing to run qemu boards (v0.1.8 docker)
- add gnupg so that qemu boards can call inject_gpg to inject public key in absence of flashrom+pflash support for internal flashing
- flake.lock: Updated nix pinned package list under flake.lock with 'nix flake update' so qemu_full builds
- README.md: have consistent docker testing + release (push) notes
- .circleci/config.yml: depend on docker v0.1.8 (qemu_full built with canokey-qemu lib support, diffoscopeMinimal and gnupg for proper qemu testing)
TODO:
- some fd2 instead of fd1?!
- oem-factory-resest has whiptail_or_die which sets whiptail box to HEIGHT 0. This doesn't show a scrolling window on gpg errors which is problematic with fbwhiptail, not whiptail
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
flake.nix: add canokey-qemu lib, derivate qemu on tope of it and have qemu_kvm depend on qemu derivative
targets/qemu.mk: modified to had canokey support by default if no "USB_TOKEN=" specified on make run call
CircleCI: base docker image pull on v0.1.6 containing the newly added derivatives
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Modify .circleci/config.yml to also not reuse past caches if CircleCI config changes as part of calculated hashes for the 3 layers
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
- push v0.1.3 and have latest point to the same image, add repro notes inside of README.md
- modify qemu.md to also refer to using docker images
TODO: remove NIX_REPRO_NOTES prior of merging
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
- include nix tools inside of the docker to be able to call the garbage collector prior of creating docker.
- protect roots from garbage collection (WiP)
- Requires external preparation call so that nix (the binary) is not wiped as well. See NIX_REPRO_NOTES at the end of the file for repro notes
- Could probably be improved. Works as of now and created a 4Gb vs 3.02Gb docker image I'm uploading now.
- CircleCI bumped to use v0.0.9 version including this
- CircleCI now depending on flake.lock for all cache layers. Will rebuild clean once again
So now we have qemu with canokey support in image, nix basic tools inside of container. Possible to call docker with DISPLAY, see NIX_REPRO_NOTES as of now.
That feels nice. No need of USB security dongle to have TPM based TPMTOTP nor detach sign? Not tested but feature is there
TODO:
- make docker creating nicer in the Nix way.
- Add canokey support under targets/qemu.mk
- add canokey board version
At least we have reproducible stack and testing stack being in same docker image. Docker image moved from 991.18MB (v0.0.8) to 1.18GB (v0.0.9)
- And I tried to clean binaries of symbols here! Seems like I do not know enough of the Nix way here.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
- switch cache to nix-docker-heads to not interfere with nixos develop layer on same PR
- remove nix develop calls; replace by direct script calls and make calls
- make sure save/restore/root is ~/heads
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
See first lines of output of any make command. Change aimed to be respectful of CI resource (8GB ram 4CPUs)
With CPUS=8 AVAILABLE_MEM_GB=4, CircleCI outputs:
!!!!!! BUILD SYSTEM INFO !!!!!!
System CPUS: 36
System Available Memory: 4 GB
System Load Average: 12.99
----------------------------------------------------------------------
Used **CPUS**: 8
Used **LOADAVG**: 8
Used **AVAILABLE_MEM_GB**: 4 GB
----------------------------------------------------------------------
**MAKE_JOBS**: -j8 --max-load 8
Variables available for override (use 'make VAR_NAME=value'):
**CPUS** (default: number of processors, e.g., 'make CPUS=4')
**LOADAVG** (default: same as CPUS, e.g., 'make LOADAVG=4')
**AVAILABLE_MEM_GB** (default: memory available on the system in GB, e.g., 'make AVAILABLE_MEM_GB=4')
**MEM_PER_JOB_GB** (default: 1GB per job, e.g., 'make MEM_PER_JOB_GB=2')
----------------------------------------------------------------------
Let's try without any limitation...
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Until nix PR is merged to not interfere with master/other pr caches
Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Got rid of long lines in favor of more lines for readability. Cleaned up
some comments/typos and unnecessary cruft*. Finally ran prettier on the
file for its automatic formatting, including whitespace clean ups.
cruft:
- && when already set -e
- run commands with trailing \
- deleted commented out "OLD STUFF"
- sorted listy looking things because unsorted stuff bothers me :) (I
held back on sorting the board build definitions though, thats
probably too much).
Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
hardcode VERSION='reproducible_build' into generated configure script to get rid of generate random git abbrev 8/12 chars (could not find source)
patches/openssl-3.0.8.patch: clean up
tpm2-tools/tpm2-tss:
hack configure scripts to not contain hardcoded libs and other rpath related strings, using sed instead of patching configure script like cryptsetup2 patch
Will be clened up in other commits. Leaving here as trace for autotools sed patching for reproducible builds.
CircleCI: change working dir from project->heads so that CircleCI and local builds are from heads directory, helping reproducible builds
TODO: change other patches a well and generalize to gpg toolstack, removing patches that are a maintainership burden.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
- intel igpu related - remove i915drmfb hacks and use simplefb and libgfxinit enabled fb
- coreboot 4.19: add patch to fix https://ticket.coreboot.org/issues/500. fbwhiptail still tears screen if in native 1366x769 though
- coreboot 4.19: add patch to enable linux tampoline handle coreboot framebuffer (merged https://review.coreboot.org/c/coreboot/+/76431)
- coreboot 4.19: add patch to enable coreboot to apply jpeg voodoo to create bootsplash.jpeg injected in cbfs at build time + CircleCI apt imagemagick
- (Thanks Nico Huber @icon again for above patches!)
- coreboot configs: adapt VESAFB/LIBGFXINIT to use maximum fb height/width
- coreboot configs for iGPU only: CONFIG_LINEAR_FRAMEBUFFER_MAX_HEIGHT CONFIG_LINEAR_FRAMEBUFFER_MAX_WIDTH to native size
- coreboot configs for dGPU based on Optional VBIOS injected: VESAFB set to 1280x1024 (maximum possible).
Details:
coreboot configs: remove CONFIG_LINUX_COMMAND_LINE="drm_kms_helper.drm_leak_fbdev_smem=1 i915.enable_fbc=0"
- Those were needed to expose i915drmfb driver prior of efifb working.
Non-impactful action, first step for #1421 based on participation in testing of #1398 and prior non-tested PRs.
EDIT: last minute readd of x220-maximized boards (x220-maximized and x220-hotp-maximized boards).
x220 is still UNTESTED (legacy, manually extracting ifs, me and gbe).
EDIT: last minute readd of t440p-maximized boards (t440p-maximized and t440p-hotp-maximized boards).
Thanks to @srgrint for lat minute report that t440p and x220 were tested
----
Traces of commands used:
ls qemu-linuxboot* leopard* r630* s2600wf* tioga* winterfell* t420* t520* t440p* w530* kgpe* p8z77* x220* x230-maximized-fhd_edp* | grep ":" | awk -F ":" {'print $1'}| while read board; do mv $board/$board.config $board/UNTESTED_$board.config; done
ls qemu-linuxboot* leopard* r630* s2600wf* tioga* winterfell* t420* t520* t440p* w530* kgpe* p8z77* x220* x230-maximized-fhd_edp* | grep ":" | awk -F ":" {'print $1'}| while read dir; do mv $dir UNTESTED_$dir; done
ls UNTESTED* | grep ":" | awk -F ":" {'print $1'}| awk -F "UNTESTED_" {'print $2'} | while read line; do sed 's/'"$line"'/UNTESTED_'"$line"'/g' ../.circleci/config.yml -i ; done
quick fix of circleci:
sed -i 's/UNTESTED_UNTESTED/UNTESTED/g' ../.circleci/config.yml
sed -i 's/UNTESTED_UNTESTED/UNTESTED/g' ../.circleci/config.yml
sed -i 's/UNTESTED_UNTESTED/UNTESTED/g' ../.circleci/config.yml
Modify p8z77-m_pro-tpm1 hotp board config to include to their maximized counterpart