Commit Graph

236 Commits

Author SHA1 Message Date
Manuel Mendez
d396236a83
Remove hard coded paths in shebang lines
Remove hard coded paths from shebangs and other references because they
do not play well in nix-land. Either use /usr/bin/env to do runtime PATH
based lookup or avoid absolute paths so PATH look up happens instead.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Manuel Mendez <github@i.m.mmlb.dev>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:00:22 -04:00
Thierry Laurion
8208c86efe
modules/tpm2-tss: sed configure script to remove hardcoding of libs, move patch 3.2.0->3.2.2
disable static lib builds

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-03 13:48:58 -04:00
Thierry Laurion
ddef233708
modules-tpm2-tools: bump from 5.2->5.6 (removes need to hack around PACKAGE_VERSION string which configure.ac points to ./VERSION already
tpm2-tools-5.6 patch: comment out git versioning output under ./VERSION; module: output current version under ./VERSION instead. Document under module

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-03 13:48:52 -04:00
Thierry Laurion
d7915e1639
OpenSSL (libcrypto): patch so that crypto/buildinfo.h generated by perl script contains reproducible date and fake compiler_flags
hardcode VERSION='reproducible_build' into generated configure script to get rid of generate random git abbrev 8/12 chars (could not find source)
 patches/openssl-3.0.8.patch: clean up

tpm2-tools/tpm2-tss:
 hack configure scripts to not contain hardcoded libs and other rpath related strings, using sed instead of patching configure script like cryptsetup2 patch
  Will be clened up in other commits. Leaving here as trace for autotools sed patching for reproducible builds.

CircleCI: change working dir from project->heads so that CircleCI and local builds are from heads directory, helping reproducible builds

TODO: change other patches a well and generalize to gpg toolstack, removing patches that are a maintainership burden.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-04-03 13:48:47 -04:00
Thierry Laurion
6d8939924e
patches/coreboot-4.22.01/0001-x230-fhd-variant.patch: adapt patch for Makefile.inc (Makefile.mk doesn't exist under 4.22)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-03-25 15:15:58 -04:00
Thierry Laurion
f37b010ab1
patches/coreboot-4.22.01/0001-x230-fhd-variant.patch: update to upstream merged state
git fetch https://review.coreboot.org/coreboot refs/changes/50/28950/27 && git format-patch -1 --stdout FETCH_HEAD > ~/heads/patches/coreboot-4.22.01/0001-x230-fhd-variant.patch

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-03-25 15:15:47 -04:00
Thierry Laurion
fb616f416a
WiP 4.22.01 fhd patch test + bump all 4.19 boards to 4.22.01
- patches/coreboot-4.22.01/0001-x230-fhd-variant.patch created per
  - git fetch https://review.coreboot.org/coreboot refs/changes/50/28950/23 && git format-patch -1 --stdout FETCH_HEAD > ~/heads/patches/coreboot-4.22.01/0001-x230-fhd-variant.patch
- all boards configs bumped with:
  - grep -Rn 4.22 boards/ | awk -F "/" {'print $2'}| while read line; do make BOARD=$line coreboot.save_in_oldconfig_format_in_place ; done

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-03-25 15:14:42 -04:00
Markus Meissner
55e3a192be
coreboot-nitrokey: hard-code ME state during boot, fixes Nitrokey/heads#39
Signed-off-by: Markus Meissner <coder@safemailbox.de>
2024-01-22 15:46:31 +01:00
Jonathon Hall
f632897bb5
modules/coreboot: Cache coreboot toolchain archives and use mirrors
Download coreboot toolchain archives into packages/<arch> before
coreboot tries to download them.  This allows us to use mirrors to get
the archives.  We could also update the primary source this way if it
goes down instead of patching coreboot itself (has happened for IASL).

The archive versions and digests are retrieved from the coreboot
module, so there isn't another copy of that info to maintain.  That is
done in bin/fetch_coreboot_crossgcc_archive.sh, which uses the
existing fetch script to do the actual download, leveraging mirrors.

bin/fetch_source_archive.sh supports using a SHA-1 digest instead of
SHA-256, since coreboot has SHA-1 digests.  It also checks if the file
already exists (deleting the coreboot directory will cause it to be
re-run, but the packages are already there and can be used from cache).

The coreboot-4.11 IASL patch is updated to delete the outdated acpica
archive digest (it already added the new one, but the old one was still
there).  bin/fetch_coreboot_crossgcc_archive.sh finds the archive
version and digest from the digest files, so only one acpica file must
be present.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-08 15:10:56 -05:00
Markus Meissner
65abba9946 coreboot-nitrokey: update dasharo to v1.7.2
* remove all previous coreboot patches (as they are already included)
* to be investigated: linux trampoline patch
* add new patch to hardcode sleep configuration
* activate smmstore as dasharo vendor code requires it

Signed-off-by: Markus Meissner <coder@safemailbox.de>
2023-12-22 15:37:29 +01:00
Thierry Laurion
a7fe2840f0
nv41/nv51: add patch for efifb being able to drive libgfxinit/gop driven fb
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-21 14:34:43 -05:00
Thierry Laurion
664603cf8c
Changeset based on nitrokey 2.3 release to understand what is attempted here. i915 is still under linux config on 2.3 release. coreboot is on gop, not libgfxinit. This is to open discussion.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2023-11-20 11:17:38 -05:00
Thierry Laurion
498a78af57
newt(whiptail): fix code that was doing toupper of input 2023-10-11 15:47:53 -04:00
Thierry Laurion
2cc7164a99
nv41/ns50: coreboot+coreboot patch+CircleCI config: adapt to have nv41/ns50 build on top of #1417 and #1462 2023-09-05 17:13:56 +02:00
Thierry Laurion
f6eed42208
Add external/usb disk encryption (adds exfatprogs and e2fsprogs)
prepare_thumb_drive: default to creating 10% LUKS container on usb drive, prompts for passphrase is not provided and scan drives if no --device specified

NOTE: qemu usb_thumb drive of 128 mb are not big enough so that 10% of it (12mb) can be used to create thumb drive.

Adds:
- e2fsprogs to support ext4 filesystem creation through mke2fs
- add /etc/mke2fs.conf so that mke2fs knows how to handle ext2/ext3/ext4
- removes mke2fs support from busybox
- bump busybox to latest version which adds cpu accelerated hash functions (not needed per se here)
- Adds exfatprogs to have mkfs.exfat and fsck.exfat
- Adds prepare_thumb_drive /etc/luks-functions to be able to prepare a thumb drive with percentage of drive assigned to LUKS, rest to exfat
- Modify most board configs to test space requirements failing
- Talos2 linux config: add staging Exfat support
- Make e2fsprogs and exfatprogs included by default unless explicitely deactivate in board configs
- Change cryptsetup calls : luksOpen to open and luksClose to close to addresss review
- etc/luks_functions: cleanup

GOAL here is to have secure thumb drive creation which Heads will be able to use to backup/restore/use generated GPG key material in the future (next PR)
2023-08-28 16:23:48 -04:00
Thierry Laurion
8c366ef61d
coreboot configs: changeset needed to use efifb
- intel igpu related - remove i915drmfb hacks and use simplefb and libgfxinit enabled fb
- coreboot 4.19: add patch to fix https://ticket.coreboot.org/issues/500. fbwhiptail still tears screen if in native 1366x769 though
- coreboot 4.19: add patch to enable linux tampoline handle coreboot framebuffer (merged https://review.coreboot.org/c/coreboot/+/76431)
- coreboot 4.19: add patch to enable coreboot to apply jpeg voodoo to create bootsplash.jpeg injected in cbfs at build time + CircleCI apt imagemagick
  - (Thanks Nico Huber @icon again for above patches!)
- coreboot configs: adapt VESAFB/LIBGFXINIT to use maximum fb height/width
- coreboot configs for iGPU only: CONFIG_LINEAR_FRAMEBUFFER_MAX_HEIGHT CONFIG_LINEAR_FRAMEBUFFER_MAX_WIDTH to native size
- coreboot configs for dGPU based on Optional VBIOS injected: VESAFB set to 1280x1024 (maximum possible).

Details:
coreboot configs: remove CONFIG_LINUX_COMMAND_LINE="drm_kms_helper.drm_leak_fbdev_smem=1 i915.enable_fbc=0"
 - Those were needed to expose i915drmfb driver prior of efifb working.
2023-08-16 09:39:09 -04:00
Jonathon Hall
cd73574f71
patches/coreboot-*: Remove unused patches
Remove patches for coreboot 4.8.1, 4.13, 4.14, and 4.17, which are no
longer used.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-08-11 12:41:59 -04:00
Jonathon Hall
47e9e4cf45
Merge remote-tracking branch 'github-heads/master' into pureboot-27-heads-upstream 2023-07-12 14:14:17 -04:00
Jonathon Hall
440dc5b61c
Merge remote-tracking branch 'github-heads/master' into pureboot-27-heads-upstream 2023-07-11 16:42:54 -04:00
Thierry Laurion
c3a2bc5578
coreboot 4.11 needs acpica which moved from acpica.org to intel. Download from distfiles.macports.org instead, same hash.
kgpe-d16 and librem-l1um depend on 4.11 still today in tree, even though building is successful only on debian-10.
Fixing so people building 4.11 today are still successful.

4.19+ already depends on github.com releases tarballs.
REF: https://review.coreboot.org/c/coreboot/+/76399
2023-07-11 16:16:01 -04:00
Jonathon Hall
5c12c4d03b
coreboot-talos_2: Patch acpi-unix2 mirror to Intel
acpica.org now redirects to Intel and all links are broken.  Use
Intel's mirror of this archive.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-11 15:03:36 -04:00
Jonathon Hall
17c71ebd1e
coreboot-4.17: Patch acpi-unix2 mirror to Intel
acpica.org now redirects to Intel and all links are broken.  Use
Intel's mirror of this archive.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-11 15:02:18 -04:00
Thierry Laurion
a324724172
kexec-2.0.26.patch: report to user in non-debug context that unsupported fb/drm driver is needed on OS initrd 2023-07-07 15:33:02 -04:00
Jonathon Hall
4c8e445dcd
Merge remote-tracking branch 'github-heads/master' into pureboot-27-heads-upstream
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-07-05 14:32:16 -04:00
Marcin Cieślak
74e60fb277
libgcrypt: disconnect tests from the build
Tests require libgpg-error library built for the host machine
which we do not nessarily have in the build environment.
2023-06-27 11:39:56 -04:00
Marcin Cieślak
d4ade892d5
gnupg 2.2.21 -> 2.4.0
830.63 -> 917.89 kB
2023-06-27 11:39:49 -04:00
Marcin Cieślak
15182922fd
libgcrypt 1.8.6 -> 1.10.1
562.01 -> 783.14 kB
2023-06-27 11:39:46 -04:00
Marcin Cieślak
b97f34ecc3
libassuan 2.5.3 -> 2.5.5
741.81 -> 502.42 kB
2023-06-27 11:39:43 -04:00
Marcin Cieślak
7c51116209
libksba 1.4.0 -> 1.6.3
676.03 -> 408.95 kB \o/
2023-06-27 11:39:39 -04:00
Marcin Cieślak
7cef74bb06
libgpg-error 1.46
198.15 -> 277.69 kB
2023-06-27 11:39:36 -04:00
Jonathon Hall
12c7dfdadc
modules/linux: Support building with Linux 6.1.8.
This is particularly beneficial for servers with Aspeed BMC video,
because it introduces framebuffer console acceleration.  The
framebuffer console is much more responsive.

Patches were ported from 5.10.5:

0001-fake-acpi.patch: This may not be needed any more, but it applies
cleanly and I don't think it would harm anything.

0002-nmi-squelch.patch: The comment mentions qemu but I see this
message on physical machines occasionally, so I think this is needed.

0003-fake-trampoline.patch: This patch does not apply cleanly.  It
could be ported, but I don't think it's needed, I dropped it.  Dates
back to a very old commit where Linux was being embedded into a vendor
UEFI firmware: a4d7654b1e.

0010-winterfell-ahci.patch: Minor change of %x to %lx in context.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-06-21 13:26:49 -04:00
Sergii Dmytruk
b9d2c1a612
Patch coreboot to use /usr/bin/env in skiboot for Talos-II board
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2023-06-09 21:25:49 +03:00
Sergii Dmytruk
62e1899367
modules/powerpc-utils: add
This provides nvram tool that allows manipulating configuration of
skiboot.

Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
2023-06-07 01:10:13 +03:00
srgrint
09f3984020 backport upstream patch for 4.14.62. Allows building on debian 12 2023-05-02 20:49:34 +01:00
Thierry Laurion
e8bc15ee60
linux 5.10.5: backporting linux upstream patch for 5.10.5 (libsubcmd fix use after free for realloc)
Permits building on top of debian-12 (testing), which fails to build since detecting bug.
2023-05-02 10:29:24 -04:00
tlaurion
ab1faf5389
Merge pull request #1378 from JonathonHall-Purism/kexec-framebuffer-graphics 2023-04-28 17:34:32 -04:00
tlaurion
a7777a7dce
Merge pull request #1390 from danielp96/bash-reproducibility
Bash reproducibility
2023-04-28 13:42:41 -04:00
Daniel Pineda
1aa216773a
patches/bash-5.1.16.patch: Do not increment build number
Bash uses .build to keep count of the build number, which conflicts
with heads build system usage of .build to keep track of built modules.

If .build already exists when bash/configure is run it will increment by 1
the build number. This is configurable on the call to the support script
support/mkversion.sh, which is called from the bash/Makefile.

Patching the Makefile template used during bash configuration allows
disabling the build number increment.

Signed-off-by: Daniel Pineda <daniel.pineda@puri.sm>
2023-04-27 11:49:22 -06:00
tlaurion
3a38ac02e3
Merge pull request #1312 from tlaurion/coreboot-4.13_coreboot-4.19_version_bump
Bump boards depending on coreboot 4.13 to 4.19
2023-04-24 19:21:18 -04:00
Jonathon Hall
353e836dc1
kexec: Update to 2.0.26, add framebuffer tracing
Update kexec to 2.0.26.  Add tracing to framebuffer initialization.  In
particular, the driver name is traced if not recognized, and messages
about kernel config are shown if the kernel doesn't provide the
framebuffer pointer.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-04-19 14:16:38 -04:00
Jonathon Hall
13a3cee0e5
kexec: Add new i915 driver ID
The i915 driver's ID changed again, now to i915drmfb.

It's unclear why kexec checks this, it seems it could populate the
target kernel's framebuffer info as long as it knows enough about the
host kernel's framebuffer, which it already checks.  Maybe we could
improve this, for now just add the new ID again.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-04-18 13:29:38 -04:00
tlaurion
8ff4b9a51b
Merge pull request #1319 from danielp96/master
Update busybox 1.32.0 to 1.33.2
2023-04-12 12:36:46 -04:00
Krystian Hebel
d1fd05671a
patches/linux-5.5-openpower/0011: patch to expose CBMEM as file
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-03-30 21:03:26 +02:00
Krystian Hebel
06b52583fa
patches/linux-5.5-openpower/0010: new patch for enabling Google coreboot drivers
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>
2023-03-30 21:03:26 +02:00
Jonathon Hall
4e375ad7ca
tpm2-tools: Remove curl dependency
The actual use of curl was already removed, update tpm2-tools patch to
also remove the check for curl.  Remove the curl module and
CONFIG_CURL.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:44 -05:00
Thierry Laurion
6923fb5e20
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards
-coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations)
-swtpm set to be launched under TPM v2.0 mode under board config
-Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized)
This is skeleton for TPM v2 integration under Heads

-------------
WiP

TODO:
- libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built
- Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing
- init tries to bind fd and fails currently
- Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output
- When no OS' /boot can be mounted, do not try to TPM reset (will fail)

- seal-hotpkey is not working properly
- setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM)
  - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase.
- primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup
- would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only
- tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help.
  - Implementing them would be better
- REVIEW TODOS IN CODE
- READD CIRCLECI CONFIG

Current state:
- TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid)
- TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without.
 - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails.

- Current tests are with fbwhiptail (no clear called so having traces on command line of what happens)
 - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
2023-03-08 12:45:43 -05:00
Thierry Laurion
c323fb4d8b
patches/util-linux: patch configure script so that all hardcode_into_libs=yes -> hardcode_into_libs=no 2023-03-07 11:02:17 -05:00
Thierry Laurion
6300dd178a
Pass all coreboot 4.13 boards to 4.19
- Add 4.19 under modules/coreboot
- point all 4.13 boards to 4.19
- adapt x230 FHD/EDP patch under patches/coreboot-4.19/0001-x230-fhd-variant.patch (poked upstream to fix patch under https://review.coreboot.org/c/coreboot/+/28950)
- correct versioning info under .circleci/config/yml
2023-02-27 18:07:06 -05:00
Daniel Pineda
f0dc3541f5
patches/busybox-1.32.0.patch: remove, no longer needed with busybox upgrade.
Signed-off-by: Daniel Pineda <daniel.pineda@puri.sm>
2023-02-21 15:00:07 -06:00
Matt DeVillier
0e356e43cb
modules/busybox: update 1.32.0 -> 1.33.2 (stable)
- update module version, hash
- rename patch
- update config

Busybox 1.33.0 adds base32, which has been disabled in busybox.config
as it conflicts with tpmtotp's base32.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-02-21 14:34:27 -06:00