Commit Graph

187 Commits

Author SHA1 Message Date
alex-nitrokey
83cac9ed14
Fix kexec to work with Debian Installer (fixes #699)
This patch was reported by @bemoody in issue #699

Tested via `BOARD=x230-hotp-verification` on a Thinkpad x230

Signed-off-by: alex-nitrokey <alex@nitrokey.com>
2020-07-30 22:11:05 +02:00
Matt DeVillier
d6292015a1
modules/hotp-verification: Update and drop patch
Update to nitrokey-hotp-verification master (c0956cf) and drop
existing patch which is no longer needed.

Test: clean build for Librem 13v2

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-07-30 14:26:59 -05:00
Matt DeVillier
302f044e8e
patches: Add patch to fix hotp-verification
Commit 7ea13ee0 made some significant changes to Librem/Nitrokey
verification which broke both compilation and calls to hotp_initialize.
Fix them via a patch until it's fixed upstream.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-07-28 01:20:06 -05:00
alex-nitrokey
ff58f1524d
Fix build issue
* use --libdir to fix issue with .la files which had //lib as lib folder
* add libblkid as library
2020-06-19 16:23:16 +02:00
alex-nitrokey
1ef8d14921
Use configure parameter instead of patchfile for rpath
* hardcode rpatch patch not needed as `--disable-rpath` is available
* remove obsolete config parameters
2020-06-11 14:48:50 +02:00
alex-nitrokey
f674a47997
Add patch for cryptsetup 2.3.3
Following commit ed3602f0ba (maintain
reproducibility by removing rpath) and applying the same changes for new
version of cryptsetup.
2020-06-10 16:55:25 +02:00
alex-nitrokey
0e349c565e
Update hotp-verification 2020-06-09 18:42:55 +02:00
tlaurion
0cd1a0d04c
Revert "GPG toolstack upgrade to latest available versions (Fixes Gawk issue)" 2020-05-22 14:55:41 -04:00
Thierry Laurion
241b0bc680
upgrade gpg toolstack to latest versions
- Remove unrecognized configure options
- fixes gawk issue #668 by upgrading to libgpg-error 1.37 instead of patching 1.32 for regex change (fixed upstream)
- move patches so they match new versions for libassuan, gpg and libgcrypt (no change)

Version change:
- gpg 2.2.10 -> 2.2.20
- libassuan 2.5.1 -> 2.5.3
- libgcrypt 1.8.3 -> 1.8.5
- libgpg-error 1.32 -> 1.37

Size changes:
- gpg 			886.5 -> 911.3 kB
- gpg-agent:		371.9 -> 376.0 kB
- scdaemon:		399.5 -> 407.8 kB
- libgpg-error.so.0	125.9 -> 130.0 kB

Unrecognized options on gpg2 toolstack:
- disable-nls and disable-asm disable-keyserver-helpers disable-hkp disable-finger disable-dns-srv disable-dns-cert and disable-wks-server
2020-05-20 13:19:51 -04:00
flawedworld
5a033fa80d T430 TPM Backport 2020-05-15 18:51:49 +01:00
Thierry Laurion
15e19d0594
coreboot patch: remove acpica-unix2-20180531.tar.gz url change fix since acpica.org is now functional again while crux.ster.zone is not... 2020-05-03 23:39:15 -04:00
Matt DeVillier
b29447ef8f
modules/flashrom: update to v1.2 release
- Update flashrom module to v1.2.
- Drop Thinkpad x220 patch as it's now properly supported.
- Drop 'laptop=force_I_want_a_brick' from board FLASHROM_OPTIONS
  since it's no longer needed.
- Migrate kgpe-d16 patch.

The kgpe-d16 patch needed a complete overhaul when rebased against
flashrom v1.2, and needs close inspection/testing as a result.
The following changes were made from the previous patch:

- dropped addition of 4-byte addressing (4BA), since now supported
- dropped addtiion of Macronix MX25L256 and MX66L512 chips,
  since now supported
- added 4BA erase commands for Winbond W25Q256 chip
- dropped code to show progress indicator, since another PR already adds that

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-04-20 17:34:08 -05:00
Thierry Laurion
58cb8df266
coreboot-4.8.1: acpica-unix2 cannot be downloaded per www.acpica.org since cert is signed by Intel which cert authority is unknown from older build systems... Cert was renewed March 10 2020. URL changed to crux.ster.zone 2020-03-15 18:45:33 -04:00
Matt DeVillier
28fedf9a7e
modules/libremkey-hotp-verification: make reproducible
Modeled after modules/tpmtotp, use a specific git commit hash for
module libremkey-hotp-verification. Add hidapi as a submodule with
dummy/placeholder in modules (like coreboot-blobs), also specified
by git commit hash. Adjust libremkey-hotp-verification patch file
name so patch applied properly.

Addresses issue #640

Test: build Librem 13v4

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-02-19 13:37:41 -06:00
Matt DeVillier
ad2395d3db
libremkey-hotp-verification: toolchain adjustments
Pass through new toolchain path via $(CROSS) so we can set the
c/c++ compiler paths correctly for CMake. Adjust patch to use
new paths, and fix compiler/linker paths to correct a libusb linking issue.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-01-22 12:03:05 -06:00
Francis Lam
ed3602f0ba
modules: maintain reproducibility by removing rpath 2020-01-16 09:36:42 -08:00
Francis Lam
23d0126407
kexec: update to 2.0.20
Fix issue with kexec failing to load the target kernel when
building with musl-cross-make
2020-01-16 09:30:15 -08:00
tlaurion
8e4b10922b
Merge pull request #653 from osresearch/musl-cross-make
Use musl cross make for Heads, Linux, coreboot and edk2
2020-01-15 13:15:19 -05:00
tlaurion
a5f4d7d8be
Merge pull request #652 from osresearch/lvm-segfault
lvm2: turn off buffering, which prevents segfault with new musl (#651)
2020-01-15 13:14:30 -05:00
Trammell hudson
6962bfda10
lvm2: turn off buffering, which prevents segfault with new musl (#651)
Signed-off-by: Trammell hudson <hudson@trmm.net>
2020-01-09 13:27:09 +01:00
Trammell Hudson
791d064397
musl-cross-make: replace all cross compilers with musl-cross-make
Signed-off-by: Trammell Hudson <hudson@trmm.net>
2020-01-08 17:08:15 +01:00
Trammell hudson
6c93a5e854
libksba: fix name of patch file
Signed-off-by: Trammell hudson <hudson@trmm.net>
2020-01-08 10:01:21 +01:00
Trammell Hudson
69f3cc46ab
libksba: fix qsort handler to sort the string table in a reproducible way
Signed-off-by: Trammell Hudson <hudson@trmm.net>
2020-01-07 19:01:59 +01:00
tlaurion
8af849cadc
Merge pull request #618 from osresearch/musl-cross-pin
Pin tag of musl-cross, tpmtotp and msrtools
2019-12-06 10:52:50 -05:00
rofl0r
7370b75945 update musl-cross to 1952975
this should fix issues with compressed ELF header sections.
2019-12-02 23:03:14 +00:00
tlaurion
b4a647c485
Merge pull request #461 from osresearch/debug-linux
Enable verbose bootup debugging and set the early serial IO base port
2019-11-28 10:53:29 -05:00
Trammell hudson
56aa508b8d
musl-cross: pin to a specific checkout (#617)
Add `--strip 1` to tar file extraction in the `Makefile`,
which ensures that the directory name in `build/` will
match the one listed in `$($(MODULE)_dir)`.

Signed-off-by: Trammell hudson <hudson@trmm.net>
2019-10-29 13:15:56 +01:00
Trammell hudson
4f0e778582
musl-cross: update patch for recent git commits (#617)
Signed-off-by: Trammell hudson <hudson@trmm.net>
2019-10-29 12:52:55 +01:00
Matt DeVillier
77949c9cff
libremkey_hotp_initialize: handle spaces in admin pin/pass
Fix HOTP verfication failure if LK admin pin/passphrase contains
spaces by quoting the variables when passed to functions.

Test: set LK admin pin to passphrase with spaces, generate
new TOTP/HOTP, verification passes.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-06-24 23:30:39 -05:00
Matt DeVillier
286303d95c
libremkey-hotp-verification: pass in key file directly
Reading the file into a variable and then redirecting to stdin
via echo() can cause the binary data to be truncated, leading
to an invalid base32 value and failure to properly generate
and validate the HOTP code.

To resolve this, pass the file directly to hotp(), and ensure
it is removed properly regardless of success or failure to
prevent leakage.

Fixes "Invalid base32 string" error seen when attempting to
generate a new TOTP secret.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-06-24 23:29:06 -05:00
tlaurion
64c830e652
Merge branch 'master' into make-4.2.1 2019-04-22 21:53:43 -04:00
Matt DeVillier
f5355815d9 patches/coreboot: add proper IOMMU/RMRR support
These two patches add the capability for coreboot to generate
the RMRR ACPI tables needed for proper IOMMU support. These
patches allow us to use 'intel_iommu=on' vs 'iommu=pt'

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-02-12 17:09:56 -06:00
Matt DeVillier
da2d267220 patches/coreboot: add support for librem 13v4/15v4 boards
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2019-02-12 16:32:04 -06:00
Thierry Laurion
75c11481f6
Port gpg1 patch to gpg2 to force crosscompiling and output to stderr. 2019-01-29 11:16:16 -05:00
Trammell Hudson
d8a3be47af
Merge branch 'coreboot-4.8' of https://github.com/flammit/heads 2018-11-07 17:04:23 -05:00
Trammell Hudson
3f53cfe05b
Merge branch 'add_librem_key_support' of https://github.com/kylerankin/heads 2018-11-07 16:37:01 -05:00
Youness Alaoui
03a09a1e1a
Add patches to update coreboot crossgcc to v1.52
crossgcc is now using gcc 8.1.0 which will compile without issues
if your host system has gcc 8.x
This is required if we are to build on a new system (such as latest Fedora)
2018-10-27 15:05:43 -07:00
Francis Lam
0113ecc806
Update coreboot patches condition on CONFIG_MEASURED_BOOT 2018-10-27 11:02:23 -07:00
Francis Lam
8601268a1f
Remove duplicate measurements on librem components
also fix indentation issues
2018-10-27 11:02:23 -07:00
Francis Lam
dd3ae6ee06
Update patches for librem boards 2018-10-27 11:02:23 -07:00
Francis Lam
c326ff62c7
Start updating to coreboot 4.8.1
missing librem patches
2018-10-27 11:02:23 -07:00
Trammell hudson
e177de63d0
Enable verbose bootup debugging and ensure that the serial IO base port is configured 2018-09-28 06:25:00 -04:00
Trammell hudson
292a8bec81
patch for __alloca missing on ubuntu 18.04 (#352) 2018-09-18 06:33:15 -04:00
Trammell Hudson
c98bfe158f
update to 4.14.62 and use the linuxboot.efi BDS 2018-08-09 10:20:22 -04:00
Trammell Hudson
d400c4dd4d
update paths for Linux 4.14.56 (issue #423) 2018-07-17 06:48:06 -04:00
Kyle Rankin
ec3248dbc9
Shorten timeout for Librem Key
Currently the Librem Key tests will time out after 40 seconds, which
adds to the boot time significantly if the user wants to boot without
inserting it. This patch changes that timeout to one second.
2018-06-20 16:20:15 -07:00
Kyle Rankin
31cf85b707
Add Librem Key support to Heads
The Librem Key is a custom device USB-based security token Nitrokey is
producing for Purism and among other things it has custom firmware
created for use with Heads. In particular, when a board is configured
with CONFIG_LIBREMKEY, this custom firmware allows Heads to use the
sealed TOTP secret to also send an HOTP authentication to the Librem
Key. If the HOTP code is successful, the Librem Key will blink a green
LED, if unsuccessful it will blink red, thereby informing the user that
Heads has been tampered with without requiring them to use a phone to
validate the TOTP secret.

Heads will still use and show the TOTP secret, in case the user wants to
validate both codes (in case the Librem Key was lost or is no longer
trusted). It will also show the result of the HOTP verification (but not
the code itself), even though the user should trust only what the Librem
Key displays, so the user can confirm that both the device and Heads are
in sync. If HOTP is enabled, Heads will maintain a new TPM counter
separate from the Heads TPM counter that will increment each time HOTP
codes are checked.

This change also modifies the routines that update TOTP so that if
the Librem Key executables are present it will also update HOTP codes
and synchronize them with a Librem Key.
2018-06-19 12:27:27 -07:00
Francis Lam
bb0e13c24f
Add back flashrom support for KGPE-D16
Also fix up flashrom-x230.sh command only read bios area
2018-05-05 18:59:43 -07:00
Trammell hudson
8108e419fe
remove unused flashrom 0.9.9 patch and use new --ifd feature in its place (pr #370) 2018-04-30 17:16:06 -04:00
Youness Alaoui
16d9c405ac
Librem13v2: Update to 4.7-Purism-4
Fixes access to the EC through the Index I/O interface
Fixes AC and DC LoadLine values to avoid overheating problems
Fix Turbo mode value from EC
Change version name to have '-heads' suffix
2018-04-03 19:04:59 -04:00
Trammell hudson
7e0450113f
split Linux patches into separate files (issue #348) 2018-03-15 17:44:42 -04:00
Trammell hudson
3cbff7ed1e
split coreboot patch into measured boot, kgpe-16 and sandybridge patches (#358) 2018-03-15 15:41:46 -04:00
Youness Alaoui
8bf187b50a
Add patches to coreboot to support Librem 13 v2 with TPM
Add a new series of patches which add measurement support for skylake,
add IOMMU for skylake, fix TPM support, and add support for TPM for
the Librem 13v2 and Librem 15v3 hardware.
2018-03-14 16:27:25 -04:00
Trammell hudson
091ae92b6f
Merge branch 'KGPE-D16_port_NoTPM' of https://github.com/tlaurion/heads 2018-03-08 01:13:16 -05:00
Trammell hudson
d9808f6659
build the superiotool, which requires a hack on the pciutils lib/types.h file 2018-03-02 09:37:31 -05:00
Thierry Laurion
9eadb07280
Merging to osresearch master 2018-03-01 01:37:36 -05:00
Thierry Laurion
0f299fe4be
IKVM4 and alike SMB support into coreboot from here: https://review.coreboot.org/#/c/coreboot/+/19820/. Flashing scripts and flashrom patches. 2018-03-01 00:49:53 -05:00
Trammell hudson
f618f09a69
Generate a fake EBDA with kexec, removing the need for a custom xen (#227)
This modifies the segment at 0x0 so that it contains enough of a fake
Extended BIOS Data Area at addresses 0x40e and 0x413 that Xen can
correctly locate its trampoline code.

Since custom Xen is no longer required, we can remove the module,
the patches and all of the references to it in the board definition
files.
2018-02-28 10:48:35 -05:00
Trammell hudson
9f19cd9dc3
Merge branch 'smm-walkaround' of https://github.com/persmule/heads 2018-02-26 13:13:42 -05:00
Trammell hudson
8ced05de15
musl-cross has the correct URLs now (#324) 2018-02-26 11:39:27 -05:00
Francis Lam
ffa857d087
update mpc url for musl-cross patch 2018-02-24 14:45:55 -08:00
persmule
dadfbeb3b3 Changed to coreboot patch not to call prog_segment_loaded in smm. 2018-02-24 15:27:21 +08:00
Francis Lam
a6a5fef57f
Update qubes xen version for Qubes 4.0rc4 2018-02-19 14:29:43 -05:00
Trammell hudson
f9a9ae544f
busybox 1.28.0 (#310) 2018-02-09 12:15:35 -05:00
Trammell hudson
d225527cad
move to Linux 4.9.80, add winterfell AHCI patch, qemu NMI patch #308 2018-02-07 19:07:53 -05:00
Trammell hudson
cade555c46
Merge branch 'master' of https://github.com/flammit/heads #297 2018-02-07 11:33:02 -05:00
Trammell hudson
eb26a45361
Revert "moved to 4.8 xen"
This reverts commit 2f879be221.
2018-02-06 11:38:35 -05:00
Trammell hudson
2f879be221
moved to 4.8 xen 2018-02-05 17:38:09 -05:00
Trammell hudson
c46c078157
remove old patches 2018-02-05 16:12:32 -05:00
Trammell hudson
383f1f66a5
merge changes from master into nerf branch in preparation for closing nerf branch 2018-02-02 17:06:49 -05:00
Trammell hudson
6df5c8a18b
fix path for MPC (issue #299) 2018-02-02 16:27:57 -05:00
Francis Lam
28628d54f2
Update qubes xen version for QSB 37
For Qubes 3.2: version 4.6.6-36
For Qubes 4.0: version 4.8.2-12
2018-01-26 09:30:06 -08:00
Francis Lam
bd38a9cd58
Update to coreboot 4.7 2018-01-26 09:30:06 -08:00
Francis Lam
21004fbb77
Backport patch to build coreboot 4.6 with GCC 7
Resolves pointer and integer comparison while building crossgcc
2018-01-26 09:30:06 -08:00
Trammell hudson
4310bd4743
force cross_compile=yes for gnupg (issue #299) 2018-01-20 16:56:53 -05:00
Trammell hudson
5daeb025f2
fix path for MPC (issue #299) 2018-01-20 13:28:02 -05:00
Trammell hudson
9bdb01944b
fix patch format for edk2/Makefile 2018-01-16 12:56:03 -05:00
Trammell hudson
a3983d4fa7
patches for DxeCore to work on s2600wf 2017-12-04 18:58:15 -05:00
Trammell hudson
4e3d19b72a
fix newlines 2017-12-04 15:59:51 -05:00
Trammell hudson
5a188f5b46
Add support for building the Linux kernel as a BDS target 2017-12-04 15:30:40 -05:00
Francis Lam
5f9567c390
Fix coreboot GCC7 build issue
This is fixed in coreboot master but backporting for Heads.

Closes #241
2017-12-02 15:14:42 -05:00
Francis Lam
61f6973c5c
Merge branch 'coreboot-4.6' 2017-12-02 14:54:48 -05:00
Francis Lam
491fe083fa
Update qubes xen version for QSB 36
For Qubes 3.2: version 4.6.6-35
For Qubes 4.0: version 4.8.2-11
2017-12-02 14:47:52 -05:00
Francis Lam
8d34bcc6bc
Update qubes xen version for QSB 34 and QSB 35
For Qubes 3.2: version 4.6.6-34
For Qubes 4.0: version 4.8.2-9
2017-10-28 15:12:39 -04:00
Trammell hudson
3e5783a24f
enable serial debugging and moderate verbose output from dxe-core 2017-10-19 16:04:14 -04:00
Trammell hudson
87bd21111f
Include edk2 EmuVariableRuntimeDxe to provide efi vars (issue #270)
Remove the patch to Linux efivar_init() since we now have efi vars
for it to use.

Also link in SmbiosDxe, although it is not currently used.
2017-10-19 15:59:13 -04:00
Francis Lam
87251fd1b1
Changed to coreboot patch to not measure relocated modules 2017-10-10 16:27:16 -04:00
Francis Lam
1a34bd9d6f
Updated to coreboot 4.6
Also changed x220 and purism configs to use generic boot
2017-10-10 16:27:16 -04:00
Trammell hudson
212b030660
generate ACPI firmware volume and removed Linux ACPI table hacks (issue #266) 2017-09-25 15:21:16 -04:00
Trammell hudson
30c844661c
make a hole in low memory for the trampoline (issue #246) 2017-09-22 19:13:23 -04:00
Trammell hudson
90c231623c
support XZ initrd, without forcing XZ on initramfs (issue #257) 2017-09-22 15:27:10 -04:00
Trammell hudson
0cc31132d3
Allow initrd.cpio to be a separate EFI firmware volume (issue #257)
Add a function to walk all firmware volumes looking for a well
known GUID that is the initrd.cpio image. Currently it must be
uncompressed.
2017-09-22 15:13:41 -04:00
Trammell hudson
f7de7d7388
Enable all flashrom devices (issue #249).
This allows flashrom to work on the r630 NERF server, but
also increases the size of the flashrom executable significantly
since it brings in all chipset and flash types.
2017-09-21 10:26:11 -04:00
Trammell hudson
796ea2870a
build appears to produce a NERFed r630 firmware image 2017-09-20 18:24:54 -04:00
Trammell hudson
bda821dbb9
fix patches to have the correct -p level 2017-09-20 14:26:07 -04:00
Trammell hudson
a4d7654b1e
Build the Heads/NERF firmware for the Dell R630 server.
This development branch builds a NERF firmware for the Dell R630
server.  It does not use coreboot; instead it branches directly
from the vendor's PEI core into Linux and the Heads runtime
that is setup to be run as an EFI executable.
2017-09-20 10:29:14 -04:00
Francis Lam
41f49237c6
Added configurable xen version for Qubes 4 support
also addresses issue #238
2017-09-13 22:10:46 -04:00
Francis Lam
ec1a54c6b6
Updated to match latest qubes 3.2 xen 4.6.6-30 (issue #238) 2017-09-13 21:14:13 -04:00
Francis Lam
821e48446a
Updated to match latest qubes 3.2 xen 4.6.6-29 (issue #238) 2017-09-02 14:13:29 -04:00
Trammell Hudson
3c8adf2cf1
remove no longer required vga patch from xen (issue #227) 2017-07-18 13:31:08 -04:00