- Upstream boards will not deactivate TPM DUK
- Upstream will not force BRAND_NAME which currently defaults to Heads
- Upstream will not deactivate Qr code on screen output on HOTP sealing
- Upstream will not offer OEM reset defaults (deprecated and now default anyway)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Move the targets generating talos-2's tgz update package to targets.
While this wasn't duplicated, it breaks a cyclic dependency between
board config and BRAND_NAME by moving the ROM output name dependencies
later. The logic probably would be shared with similar boards if any
were supported, so it is in the spirit of the other targets/ shared
target Makefiles.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
The 8 qemu-* targets all contained nearly-identical copies of the
targets to prepare the TPM/disk/etc. and then run Qemu. The only
significant differences were for TPM1/TPM2 (extra swtpm_setup step,
addition of --tpm2 to swtpm_setup and swtpm). ROOT_DISK_IMG used := or
= differently in some boards, := was kept.
targets/qemu.mk now defines all Qemu targets and is included only for
qemu-* boards (by defining BOARD_TARGETS in each of those boards).
The documentation was moved from qemu-coreboot-fbwhiptail-tpm1-hotp/
qemu-coreboot-fbwhiptail-tpm1-htop.md to targets/qemu.md. The other 7
qemu boards' symlinks to that file were removed.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
The only purpose of legacy flash boards is to be flashed over vendor
firmware using an exploit, to then flash non-maximized Heads firmware.
They are never upgraded to another legacy flash build, and they move
the coreboot ROM from the build directory, so don't build an update
package for those boards.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Enabling DEBUG/TRACE options from board config vs from configuration menu is different.
When enabled in board config, /etc/config is from ROM, and sourced early and make TRACE/DEBUG calls appear early.
If added through configuration menu, those are /etc/config.user overrides extracted from CBFS and then sourced after combine_configs call
If for whatever reason early DEBUG is needed on a platform, enabling in board config is needed.
For runtime debugging, enabling Debug output from configuration menu is enough
Add Librem 11 board.
Librem 11 uses coreboot graphics init, which is done with FSP GOP.
Set a custom keymap for the volume/power keys. Configure the volume
keys as up/down arrows (for navigation in fbwhiptail, and for shell
history in the Linux console). Configure the power key as Enter.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Update all Librems except L1UM (but including L1UM v2) to Linux 6.1.8.
Use coreboot native graphics init. Raise maximum framebuffer size for
laptops to 3840x2160 (desktops default to this, but laptops default
to a lower value). Remove DRM modules from Linux 6.1.8 and add EFIFB.
Remove Heads kernel command line options relating to IOMMU and i915,
which are no longer needed. Remove OS kernel options relating to
IOMMU.
For Librem 13/15/14/Mini, this fixes issues booting with 4K displays
attached, which were resulting in crashes due to the framebuffer memory
not being reserved properly. memtest86+ now passes with a 4K display
attached.
For Librem L1UM v2, framebuffer boot now works.
Librem L1UM remains on Linux 5.10 with Heads kernel graphic init
(framebuffer boot still does not work). coreboot 4.11 has native
graphics init for Aspeed, but only in text mode. Backporting the
linear framebuffer support appears to be possible - the patch applied
cleanly - but it did not work initially and will need more
investigation.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Enable the coreboot CMOS option table, which initializes CMOS if the
checksum is not valid.
There is now a checksum in the CMOS layout since 4.21, update it when
updating the Mini v1/v2 EC power-on setting.
coreboot 4.21 will reset the CMOS settings during the first boot, since
there was no checksum in prior releases. Heads will restore the
automatic power-on setting during init based on config.user.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Rationale:
cpio -t alone cannot extract initrd past early cpio (microcode) in most packed initrd.
unpack_initramfs.sh already under master comes to the rescue, but its usage up to today was limited to pass firmware blobs to final OS under boards/librem_mini_v2
Debian OSes (and probably others) need to have cryptroot/crypttab overriden directly, otherwise generic generation of crypttab is not enough.
Extracting crypttab and overriding directly what is desired by final OS and exposed into /boot/initrd is the way to go otherwise hacking on top of hacks.
This brings default packed modules under Heads to 5 modules, which needs to be deactivate in board configs if undesired:
user@heads-tests-deb12:~/heads$ grep -Rn "?= y" modules/ | grep -v MUSL
modules/zlib:1:CONFIG_ZLIB ?= y
modules/zstd:3:CONFIG_ZSTD ?= y
modules/exfatprogs:2:CONFIG_EXFATPROGS ?= y
modules/busybox:2:CONFIG_BUSYBOX ?= y
modules/e2fsprogs:2:CONFIG_E2FSPROGS ?= y
Include kbd so the console font can be enlarged based on the display
resolution.
Don't force 1080p on the eDP output in Heads.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
These boards get purism-blobs as a submodule of the purism coreboot
fork. modules/coreboot used to skip the purism-blobs dependency for
this fork, but the module is not needed at all for these boards.
librem_l1um keeps CONFIG_PURISM_BLOBS=y since it is built from patched
coreboot 4.11.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
For iterating, enabling these in the board config is easiest. It's
also possible to manually inject config.user ahead of time, or enable
at runtime without flashing, but the normal enable/flash/reboot path
does not work in qemu since it is unable to flash.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
A few lines in the documentation got truncated somehow. Restored the
swtpm instructions from some notes and rewrote the others.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Non-impactful action, first step for #1421 based on participation in testing of #1398 and prior non-tested PRs.
EDIT: last minute readd of x220-maximized boards (x220-maximized and x220-hotp-maximized boards).
x220 is still UNTESTED (legacy, manually extracting ifs, me and gbe).
EDIT: last minute readd of t440p-maximized boards (t440p-maximized and t440p-hotp-maximized boards).
Thanks to @srgrint for lat minute report that t440p and x220 were tested
----
Traces of commands used:
ls qemu-linuxboot* leopard* r630* s2600wf* tioga* winterfell* t420* t520* t440p* w530* kgpe* p8z77* x220* x230-maximized-fhd_edp* | grep ":" | awk -F ":" {'print $1'}| while read board; do mv $board/$board.config $board/UNTESTED_$board.config; done
ls qemu-linuxboot* leopard* r630* s2600wf* tioga* winterfell* t420* t520* t440p* w530* kgpe* p8z77* x220* x230-maximized-fhd_edp* | grep ":" | awk -F ":" {'print $1'}| while read dir; do mv $dir UNTESTED_$dir; done
ls UNTESTED* | grep ":" | awk -F ":" {'print $1'}| awk -F "UNTESTED_" {'print $2'} | while read line; do sed 's/'"$line"'/UNTESTED_'"$line"'/g' ../.circleci/config.yml -i ; done
quick fix of circleci:
sed -i 's/UNTESTED_UNTESTED/UNTESTED/g' ../.circleci/config.yml
sed -i 's/UNTESTED_UNTESTED/UNTESTED/g' ../.circleci/config.yml
sed -i 's/UNTESTED_UNTESTED/UNTESTED/g' ../.circleci/config.yml
Modify p8z77-m_pro-tpm1 hotp board config to include to their maximized counterpart
Debian 12's initrd by default now consists of an uncompressed cpio
archive containing microcode, followed by a zstd-compressed cpio
archive. inject_firmware.sh only supported gzip-compressed cpio, so it
could not extract /init from this archive.
Add zstd-decompress to decompress zstd streams (uncompressed size is
about 180 KB).
Add unpack_initramfs.sh which is able to decompress uncompressed, gzip,
or zstd archives, with multiple segments, much like the Linux kernel
itself does.
Use unpack_initramfs.sh to extract /init for blob jail.
Don't compress the new archive segment containing firmware and the
updated /init.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
PureBoot doesn't have any other three-valued settings and this doesn't
present very well in the config UI.
Instead make this a two-valued setting; drop the mode that forces the
EC setting to "stay off" at every boot because this is the default.
When disabling automatic power-on, disable the EC BRAM setting too.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Mini v1/v2's EC can automatically power on the system when power is
applied, based on a value in EC BRAM. Add a configuration setting to
optionally set this value.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Add ioport module, enable for librem_mini_v2. Only inb and outb are
included, inw/outw/inl/outl aren't needed.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Currently Heads will check files in /boot for tampering before booting
into a system. It would be nice if you could use the trusted environment
within Heads and extend this to check files in / itself. This new script
adds that functionality, however due to the length of time it takes to
perform these kinds of checks, it doesn't run automatically (yet).
This feature can be configured from the config GUI - the root device/
directories to check can be set, and it can be configured to run during
boot.
To make this a bit easier to use, I added a feature to detect whether
the hash file exists and if not, to display a more limited menu to the
user guiding them to create the initial hash file. Otherwise it will
display the date the file was last modified, which can be useful to
determine how stale it is.
- Based on initial server board
- Uses whiptail as opposed to fbwhiptail (was slow and output fuzzy)
- Simple fix to have dual KVM(BMC) and vga output for consoles
Reasoning for dropping fbwhiptail support is that:
- it is impossible to output framebuffer content through remote BMC console.
- A workstation board config could output to fbwhiptail for VGA and give remote recovery shell access through BMC
- If someone shows interest for that, qemu-coreboot-tpm boards can be used as reference.
- slowness/fuzzyness of fbwhiptail output through AST would still need to be fixed in kernel drivers. Not a priority here.
Limitation:
- Since whiptail is sent to both consoles:
- If one console goes to recovery shell, recovery shell access invalidate TPM PCR4 measurements.
- The other console won't be aware that TPM measurements were invalidated, and will consequently:
- not be able to unseal TOTP if refreshed
- not be able to unseal TPM disk unlock key on default boot
- A reboot will fix this.