Commit Graph

219 Commits

Author SHA1 Message Date
Jonathon Hall
47e9e4cf45
Merge remote-tracking branch 'github-heads/master' into pureboot-27-heads-upstream 2023-07-12 14:14:17 -04:00
Jonathon Hall
440dc5b61c
Merge remote-tracking branch 'github-heads/master' into pureboot-27-heads-upstream 2023-07-11 16:42:54 -04:00
Thierry Laurion
c3a2bc5578
coreboot 4.11 needs acpica which moved from acpica.org to intel. Download from distfiles.macports.org instead, same hash.
kgpe-d16 and librem-l1um depend on 4.11 still today in tree, even though building is successful only on debian-10.
Fixing so people building 4.11 today are still successful.

4.19+ already depends on github.com releases tarballs.
REF: https://review.coreboot.org/c/coreboot/+/76399
2023-07-11 16:16:01 -04:00
Jonathon Hall
5c12c4d03b
coreboot-talos_2: Patch acpi-unix2 mirror to Intel
acpica.org now redirects to Intel and all links are broken.  Use
Intel's mirror of this archive.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-11 15:03:36 -04:00
Jonathon Hall
17c71ebd1e
coreboot-4.17: Patch acpi-unix2 mirror to Intel
acpica.org now redirects to Intel and all links are broken.  Use
Intel's mirror of this archive.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-11 15:02:18 -04:00
Thierry Laurion
a324724172
kexec-2.0.26.patch: report to user in non-debug context that unsupported fb/drm driver is needed on OS initrd 2023-07-07 15:33:02 -04:00
Jonathon Hall
4c8e445dcd
Merge remote-tracking branch 'github-heads/master' into pureboot-27-heads-upstream
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-05 14:32:16 -04:00
Marcin Cieślak
74e60fb277
libgcrypt: disconnect tests from the build
Tests require libgpg-error library built for the host machine
which we do not nessarily have in the build environment.
2023-06-27 11:39:56 -04:00
Marcin Cieślak
d4ade892d5
gnupg 2.2.21 -> 2.4.0
830.63 -> 917.89 kB
2023-06-27 11:39:49 -04:00
Marcin Cieślak
15182922fd
libgcrypt 1.8.6 -> 1.10.1
562.01 -> 783.14 kB
2023-06-27 11:39:46 -04:00
Marcin Cieślak
b97f34ecc3
libassuan 2.5.3 -> 2.5.5
741.81 -> 502.42 kB
2023-06-27 11:39:43 -04:00
Marcin Cieślak
7c51116209
libksba 1.4.0 -> 1.6.3
676.03 -> 408.95 kB \o/
2023-06-27 11:39:39 -04:00
Marcin Cieślak
7cef74bb06
libgpg-error 1.46
198.15 -> 277.69 kB
2023-06-27 11:39:36 -04:00
Jonathon Hall
12c7dfdadc
modules/linux: Support building with Linux 6.1.8.
This is particularly beneficial for servers with Aspeed BMC video,
because it introduces framebuffer console acceleration.  The
framebuffer console is much more responsive.

Patches were ported from 5.10.5:

0001-fake-acpi.patch: This may not be needed any more, but it applies
cleanly and I don't think it would harm anything.

0002-nmi-squelch.patch: The comment mentions qemu but I see this
message on physical machines occasionally, so I think this is needed.

0003-fake-trampoline.patch: This patch does not apply cleanly.  It
could be ported, but I don't think it's needed, I dropped it.  Dates
back to a very old commit where Linux was being embedded into a vendor
UEFI firmware: a4d7654b1e.

0010-winterfell-ahci.patch: Minor change of %x to %lx in context.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:49 -04:00
Sergii Dmytruk
b9d2c1a612
Patch coreboot to use /usr/bin/env in skiboot for Talos-II board
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2023-06-09 21:25:49 +03:00
Sergii Dmytruk
62e1899367
modules/powerpc-utils: add
This provides nvram tool that allows manipulating configuration of
skiboot.

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2023-06-07 01:10:13 +03:00
srgrint
09f3984020 backport upstream patch for 4.14.62. Allows building on debian 12 2023-05-02 20:49:34 +01:00
Thierry Laurion
e8bc15ee60
linux 5.10.5: backporting linux upstream patch for 5.10.5 (libsubcmd fix use after free for realloc)
Permits building on top of debian-12 (testing), which fails to build since detecting bug.
2023-05-02 10:29:24 -04:00
tlaurion
ab1faf5389
Merge pull request #1378 from JonathonHall-Purism/kexec-framebuffer-graphics 2023-04-28 17:34:32 -04:00
tlaurion
a7777a7dce
Merge pull request #1390 from danielp96/bash-reproducibility
Bash reproducibility
2023-04-28 13:42:41 -04:00
Daniel Pineda
1aa216773a
patches/bash-5.1.16.patch: Do not increment build number
Bash uses .build to keep count of the build number, which conflicts
with heads build system usage of .build to keep track of built modules.

If .build already exists when bash/configure is run it will increment by 1
the build number. This is configurable on the call to the support script
support/mkversion.sh, which is called from the bash/Makefile.

Patching the Makefile template used during bash configuration allows
disabling the build number increment.

Signed-off-by: Daniel Pineda <daniel.pineda@puri.sm>
2023-04-27 11:49:22 -06:00
tlaurion
3a38ac02e3
Merge pull request #1312 from tlaurion/coreboot-4.13_coreboot-4.19_version_bump
Bump boards depending on coreboot 4.13 to 4.19
2023-04-24 19:21:18 -04:00
Jonathon Hall
353e836dc1
kexec: Update to 2.0.26, add framebuffer tracing
Update kexec to 2.0.26.  Add tracing to framebuffer initialization.  In
particular, the driver name is traced if not recognized, and messages
about kernel config are shown if the kernel doesn't provide the
framebuffer pointer.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-04-19 14:16:38 -04:00
Jonathon Hall
13a3cee0e5
kexec: Add new i915 driver ID
The i915 driver's ID changed again, now to i915drmfb.

It's unclear why kexec checks this, it seems it could populate the
target kernel's framebuffer info as long as it knows enough about the
host kernel's framebuffer, which it already checks.  Maybe we could
improve this, for now just add the new ID again.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-04-18 13:29:38 -04:00
tlaurion
8ff4b9a51b
Merge pull request #1319 from danielp96/master
Update busybox 1.32.0 to 1.33.2
2023-04-12 12:36:46 -04:00
Krystian Hebel
d1fd05671a
patches/linux-5.5-openpower/0011: patch to expose CBMEM as file
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-03-30 21:03:26 +02:00
Krystian Hebel
06b52583fa
patches/linux-5.5-openpower/0010: new patch for enabling Google coreboot drivers
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-03-30 21:03:26 +02:00
Jonathon Hall
4e375ad7ca
tpm2-tools: Remove curl dependency
The actual use of curl was already removed, update tpm2-tools patch to
also remove the check for curl.  Remove the curl module and
CONFIG_CURL.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:44 -05:00
Thierry Laurion
6923fb5e20
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards
-coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations)
-swtpm set to be launched under TPM v2.0 mode under board config
-Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized)
This is skeleton for TPM v2 integration under Heads

-------------
WiP

TODO:
- libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built
- Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing
- init tries to bind fd and fails currently
- Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output
- When no OS' /boot can be mounted, do not try to TPM reset (will fail)

- seal-hotpkey is not working properly
- setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM)
  - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase.
- primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup
- would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only
- tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help.
  - Implementing them would be better
- REVIEW TODOS IN CODE
- READD CIRCLECI CONFIG

Current state:
- TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid)
- TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without.
 - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails.

- Current tests are with fbwhiptail (no clear called so having traces on command line of what happens)
 - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
2023-03-08 12:45:43 -05:00
Thierry Laurion
c323fb4d8b
patches/util-linux: patch configure script so that all hardcode_into_libs=yes -> hardcode_into_libs=no 2023-03-07 11:02:17 -05:00
Thierry Laurion
6300dd178a
Pass all coreboot 4.13 boards to 4.19
- Add 4.19 under modules/coreboot
- point all 4.13 boards to 4.19
- adapt x230 FHD/EDP patch under patches/coreboot-4.19/0001-x230-fhd-variant.patch (poked upstream to fix patch under https://review.coreboot.org/c/coreboot/+/28950)
- correct versioning info under .circleci/config/yml
2023-02-27 18:07:06 -05:00
Daniel Pineda
f0dc3541f5
patches/busybox-1.32.0.patch: remove, no longer needed with busybox upgrade.
Signed-off-by: Daniel Pineda <daniel.pineda@puri.sm>
2023-02-21 15:00:07 -06:00
Matt DeVillier
0e356e43cb
modules/busybox: update 1.32.0 -> 1.33.2 (stable)
- update module version, hash
- rename patch
- update config

Busybox 1.33.0 adds base32, which has been disabled in busybox.config
as it conflicts with tpmtotp's base32.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-02-21 14:34:27 -06:00
Thierry Laurion
2b05a6b42c
Add x230-maximized-fhd_edp and x230-hotp-maximized-fhd_edp boards
- add x230-maximized-fhd_edp and x230-hotp-maximized-fhd_edp board configs
- add/rework coreboot patch for x230 fhd variant to be applied on top of 4.13
- add coreboot config to point to x230-edp variant, fixing path to vbt file since default path is wrong under. Comment made upstream https://review.coreboot.org/c/coreboot/+/28950/22#message-4904ce82f01ba0505b391e072e4537b6a9f1a229
  - remove no gfx init and replace with libgfxinit(defonfig default), set internal display as default
- add x230-hotp-maximized-fhd_edp and x230-maximized-fhd_edp to CircleCI builds
- One single shared coreboot config between boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config and boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config
- Coreboot 4.13 patch from coreboot at patches/coreboot-4.13/0002-x230-fhd-variant.patch
- config/coreboot-x230-maximized-fhd_edp.config points to seperate coreboot config per patch (CONFIG_BOARD_LENOVO_X230_EDP)
2023-01-31 09:58:43 -05:00
Jonathon Hall
487c5b0815
coreboot-4.11: Fix remaining patch to work with git apply
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-01-04 09:04:19 -05:00
Thierry Laurion
14adf647eb
coreboot 4.13: remove transient patch to download over http instead of https 2022-12-14 14:35:12 -05:00
Thierry Laurion
16bc658018
coreboot 4.11: Re-add patch removed by error which was a race condition patch 2022-12-14 14:35:05 -05:00
Thierry Laurion
4cd678efb5
coreboot 4.11 now builds locally with make 4.2.1+ (CircleCI still unfixed) 2022-12-14 12:06:11 -05:00
Thierry Laurion
3e893b7df7
coreboot 4.11 patches: made compliant with git apply (removal of https->http temp fix) 2022-12-14 12:05:10 -05:00
Daniel Pineda
8150e300ee
modules/coreboot: remove support for coreboot 4.15
patches/coreboot-4.15: remove patches for coreboot 4.15

No boards depend on it and is affected by CVE-2022-29264

Signed-off-by: Daniel Pineda <daniel.pineda@puri.sm>
2022-09-15 10:17:34 -06:00
Daniel Pineda
146b78e08c
patches/coreboot-4.17: Add Librem 4.17 patches
Add patches for coreboot 4.17:
- show ME status even when device is disable (kept from 4.15)
- zero unused part of SMBIOS region

Signed-off-by: Daniel Pineda <daniel.pineda@puri.sm>
2022-09-12 13:21:59 -06:00
Sergii Dmytruk
55ef9912aa
Add Talos 2 boards
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-08-31 00:21:28 +03:00
tlaurion
48b9b74f39
Merge pull request #1201 from tlaurion/replace_patch_git_git_apply
Makefile: replace patch with git apply
2022-08-30 15:15:42 -04:00
Sergii Dmytruk
f16e92792a
Support targeting PowerPC 64
This prepares most of the modules to be build for it.

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2022-08-25 20:55:39 +03:00
Thierry Laurion
921daabdaf
Makefile: replace patch with git apply
Otherwise binary patches cannot be patched/created

Additional fixes needed
- flashrom patch was invalid and got catched by git apply. Correcting
- gpg2-2.2.21.patch was pointing to bad target. Correcting
2022-08-21 14:28:30 -04:00
Thierry Laurion
bf415a8d69
Remove local build of gawk make
-Makefile: remove local gawk and make version compare and local build
-modules: remove gawk and make
-patches: remove make

local make was added to build 4.2.1 on OSes that were having older version. It was then patched to be built on OSes having newer buildstack.
local gawk was added when GPG toolstack was older then libgpg-error 1.37. GPG toolstack was then upgraded, but local gawk stayed.

Removing those permits better parallelization and of builds and reduces CircleCI (and higher cores systems) to have race conditions and stalled builds
2022-06-23 10:51:13 -04:00
Thierry Laurion
981cb96f25
Fix current builds
- zlib 1.2.12 release is not respecting cross compiling. 1.2.11 disappeared from servers: taking another archive link, same hash.
- busybox 1.32.0 was not patched with 1.28.0 patch. Renaming patch so that its applied in fresh builds.
2022-04-01 09:47:39 -04:00
Thierry Laurion
3b99caa996 coreboot-4.11 patches: remove unwanted .orig artifacts that seems to be making CircleCI fail in the past days.
Heads build system is reextracting archives and reapplying patches on each iteration.
CircleCI optimizes building time by providing cache mechanisms and forces users to build a target under an hour.
This is to force Open Source projects (free tier) to not be leechers of the free tier.

In the past days, CircleCI bails on building coreboot 4.11 boards because some files being cached are already being present (created files from patches).
In those, two files were unwanted artifacts, recreated on top of coreboot 4.11 extracted original files (undesired .orig files), while bailing on the creating of src/security/tpm/sha1.c from patches/coreboot-4.11/0001-Add-Heads-TPM-measured-boot-support.patch.

Hopefully, this is CircleCI having a maximum of 3 automatically entered input (it fails on the 3rd)... And this fix will permit src/security/tpm/sha1.c and src/security/tpm/sha1.h to be skipped if existing.
Below, we see that CircleCI fills patch prompts with EOF 2 times, and then waits for input and then timeouts.

Here is the failing log trace from https://app.circleci.com/pipelines/github/tlaurion/heads/990/workflows/f2a430fd-dc8c-4e95-abe3-364a0e825533/jobs/4914/parallel-runs/0/steps/0-103:

Exerpt of that log:
if [ -d patches/coreboot-4.11 ] && [ -r patches/coreboot-4.11 ] ; then for patch in patches/coreboot-4.11/*.patch ; do echo "Applying patch file : $patch " ; ( cd /root/project/build/coreboot-4.11/ ; patch -p1 ) < $patch || exit 1 ; done ; fi
Applying patch file : patches/coreboot-4.11/0000-cpu-x86-smm-Use-PRIxPTR-to-print-uintptr_t.patch
patching file src/cpu/x86/smm/tseg_region.c
Applying patch file : patches/coreboot-4.11/0001-Add-Heads-TPM-measured-boot-support.patch
patching file src/Kconfig
The next patch would create the file src/Kconfig.orig,
which already exists!  Assume -R? [n] EOF
Apply anyway? [n] EOF
Skipping patch.
1 out of 1 hunk ignored
patching file src/include/program_loading.h
patching file src/lib/cbfs.c
patching file src/lib/hardwaremain.c
Hunk #2 succeeded at 549 (offset 8 lines).
patching file src/lib/rmodule.c
patching file src/security/tpm/Makefile.inc
The next patch would create the file src/security/tpm/sha1.c,
which already exists!  Assume -R? [n] make: *** [Makefile:507: /root/project/build/coreboot-4.11/.canary] Hangup

context deadline exceeded
2022-02-23 16:59:26 -05:00
Thierry Laurion
0670bcd1c6 coreboot 4.11: add patch to fix assembly.inc directory not always being present and causing race condition in parallelized builds with high number of cores 2022-02-08 13:58:14 -05:00
Thierry Laurion
4b260071c3 Retry CircleCI for 4.11 on Debian 10 docker
- Add kgpe-d16 patch to remove HID for PCI devices (successful build on top of #1101 and #1012 per https://app.circleci.com/pipelines/github/tlaurion/heads/937/workflows/de49bea0-3f58-4a91-8891-87622f5a0eed)
- CircleCI modified to build for coreboot 4.11 kgpe-d16_workstation on top of 4.15 passed workspace
- CircleCI modified so that we still archive all the logs in artifacts for the current build even if failing. We now exit 1 after having archived all the log files under build/
2022-02-03 15:04:09 -05:00