Disable the Ada compiler, as it no longer compiles on Debian 12 and is
not needed.
The Ada compiler is only used for libgfxinit - Intel native graphics
initialization. Neither of the boards on coreboot 4.11 uses this;
Aspeed graphics initialization is written in C (but is not used yet as
it only supports text mode in 4.11).
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Download coreboot toolchain archives into packages/<arch> before
coreboot tries to download them. This allows us to use mirrors to get
the archives. We could also update the primary source this way if it
goes down instead of patching coreboot itself (has happened for IASL).
The archive versions and digests are retrieved from the coreboot
module, so there isn't another copy of that info to maintain. That is
done in bin/fetch_coreboot_crossgcc_archive.sh, which uses the
existing fetch script to do the actual download, leveraging mirrors.
bin/fetch_source_archive.sh supports using a SHA-1 digest instead of
SHA-256, since coreboot has SHA-1 digests. It also checks if the file
already exists (deleting the coreboot directory will cause it to be
re-run, but the packages are already there and can be used from cache).
The coreboot-4.11 IASL patch is updated to delete the outdated acpica
archive digest (it already added the new one, but the old one was still
there). bin/fetch_coreboot_crossgcc_archive.sh finds the archive
version and digest from the digest files, so only one acpica file must
be present.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
* overwriting a hotp secret is not possible anymore
* make sure to delete the hotp secret before setting a new one
* requires one additional user presence check during HOTP setup
* bump to v1.5
Signed-off-by: Markus Meissner <coder@safemailbox.de>
* remove all previous coreboot patches (as they are already included)
* to be investigated: linux trampoline patch
* add new patch to hardcode sleep configuration
* activate smmstore as dasharo vendor code requires it
Signed-off-by: Markus Meissner <coder@safemailbox.de>
Taken from : https://github.com/Nitrokey/heads/tree/temp-release-v2.3
- Move branding/Heads/bootsplash-1024x768.jpg -> branding/Heads/bootsplash.jpg (We don't care about the size. Make filename generic)
- Adapt all coreboot configs so bootsplash is adapted by BRAND_NAME CONFIG_BOOTSPLASH_FILE="@BRAND_DIR@/bootsplash.jpg"
- Reminders :
- Makefile changes Heads to defined BRAND_NAME in board config
- Makefile changes -e 's!@BRAND_DIR@!$(pwd)/branding/$(BRAND_NAME)!g'
- nv41/nv50
- coreboot oldefconfigs adapted by:
- make BOARD=nitropad-ns50 coreboot.modify_and_save_oldconfig_in_place
- make BOARD=nitropad-nv41 coreboot.modify_and_save_oldconfig_in_place
- linux oldefconfigs adapted by
- make BOARD=nitropad-nv41 linux.modify_and_save_oldconfig_in_place
- since this is shared config across nv41/ns50: it only needs to be done for a single board
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
- Closes https://github.com/linuxboot/heads/pull/1452
- coreboot: Take Talos II 0.7 release coreboot config file that was inside of cbfs and use it as a base upstream.
- linux: Readd sysctl and proc requirements for cbmem to work.
TODO: fix gpg2 module so that the following doesn't happen (a ppc64 thing. Can't figure out why):
```
Adding generated key to current firmware and re-flashing...
Board talos-2 detected, continuing...
37281653053696daf2e40a8efe9451b557d9d6ab586830dc85f814bf2e03a05f /tmp/talos-2.rom
Initializing Flash Programmer
Reading old flash contents. Please wait...
Flashing: [##################################################\] (100%)
Verifying flash contents. Please wait...
The flash contents were verified and the image was flashed correctly.
Signing boot files and generating checksums...
180726119: 000E452213510000005A
gpg: error running '//bin/dirmngr': probably not installed
gpg: failed to start dirmngr '//bin/dirmngr': Configuration error
gpg: can't connect to the dirmngr: Configuration error
gpg: no default secret key: No dirmngr
gpg: signing failed: No dirmngr
```
dirmngr is deactivated per configure statement --disable-dirmngr, and works as expected on x86
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
As on master otherwise with --disable-asm:
config.status: executing gcrypt-conf commands
Libgcrypt v1.10.1 has been configured as follows:
Platform: GNU/Linux (x86_64-pc-linux-musl)
Hardware detection module: none
Enabled cipher algorithms: arcfour blowfish cast5 des aes twofish
serpent rfc2268 seed camellia idea salsa20
gost28147 chacha20 sm4
Enabled digest algorithms: crc gostr3411-94 md4 md5 rmd160 sha1
sha256 sha512 sha3 tiger whirlpool stribog
blake2 sm3
Enabled kdf algorithms: s2k pkdf2 scrypt
Enabled pubkey algorithms: dsa elgamal rsa ecc
Random number generator: default
Try using jitter entropy: yes
Using linux capabilities: no
FIPS module version:
Try using Padlock crypto: n/a
Try using AES-NI crypto: n/a
Try using Intel SHAEXT: n/a
Try using Intel PCLMUL: n/a
Try using Intel SSE4.1: n/a
Try using DRNG (RDRAND): n/a
Try using Intel AVX: n/a
Try using Intel AVX2: n/a
Try using ARM NEON: n/a
Try using ARMv8 crypto: n/a
Try using PPC crypto: n/a
By disabling --disable-asm in libgcrypt 1.10.1:
config.status: executing gcrypt-conf commands
Libgcrypt v1.10.1 has been configured as follows:
Platform: GNU/Linux (x86_64-pc-linux-musl)
Hardware detection module: libgcrypt_la-hwf-x86
Enabled cipher algorithms: arcfour blowfish cast5 des aes twofish
serpent rfc2268 seed camellia idea salsa20
gost28147 chacha20 sm4
Enabled digest algorithms: crc gostr3411-94 md4 md5 rmd160 sha1
sha256 sha512 sha3 tiger whirlpool stribog
blake2 sm3
Enabled kdf algorithms: s2k pkdf2 scrypt
Enabled pubkey algorithms: dsa elgamal rsa ecc
Random number generator: default
Enabled digest algorithms: crc gostr3411-94 md4 md5 rmd160 sha1
sha256 sha512 sha3 tiger whirlpool stribog
blake2 sm3
Enabled kdf algorithms: s2k pkdf2 scrypt
Enabled pubkey algorithms: dsa elgamal rsa ecc
Random number generator: default
Try using jitter entropy: yes
Using linux capabilities: no
FIPS module version:
Try using Padlock crypto: yes
Try using AES-NI crypto: yes
Try using Intel SHAEXT: yes
Try using Intel PCLMUL: yes
Try using Intel SSE4.1: yes
Try using DRNG (RDRAND): yes
Try using Intel AVX: yes
Try using Intel AVX2: yes
Try using ARM NEON: n/a
Try using ARMv8 crypto: n/a
Try using PPC crypto: n/a
To support PPC crypto, it seems we will need yasm.
To support linux capabilities, libcap would be required as well later on. :/ another point for rng-tools (which also depends on libcap-ng)
Allow boards to optionally include loadkeys to set a custom keymap.
showkey and dumpkeys (normally only needed for development) can also be
optionally included.
Remove *.map from .gitignore; this was probably intended for build
artifacts that are now excluded via the build/ directory.
Add reboot and poweroff to shell history, which is useful for devices
lacking full hardware keyboards to escape the recovery shell with just
"up" and "enter".
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Update to 1.3. Includes navigation improvements for devices with just
up/down/Enter keys, for Librem 11.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
This is 4.21-Purism-1 plus a fix for native graphics init on Mini
v1/v2: HDMI1 is enabled so passive DisplayPort to DVI/HDMI adapters
will work.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Rationale:
cpio -t alone cannot extract initrd past early cpio (microcode) in most packed initrd.
unpack_initramfs.sh already under master comes to the rescue, but its usage up to today was limited to pass firmware blobs to final OS under boards/librem_mini_v2
Debian OSes (and probably others) need to have cryptroot/crypttab overriden directly, otherwise generic generation of crypttab is not enough.
Extracting crypttab and overriding directly what is desired by final OS and exposed into /boot/initrd is the way to go otherwise hacking on top of hacks.
This brings default packed modules under Heads to 5 modules, which needs to be deactivate in board configs if undesired:
user@heads-tests-deb12:~/heads$ grep -Rn "?= y" modules/ | grep -v MUSL
modules/zlib:1:CONFIG_ZLIB ?= y
modules/zstd:3:CONFIG_ZSTD ?= y
modules/exfatprogs:2:CONFIG_EXFATPROGS ?= y
modules/busybox:2:CONFIG_BUSYBOX ?= y
modules/e2fsprogs:2:CONFIG_E2FSPROGS ?= y
prepare_thumb_drive: default to creating 10% LUKS container on usb drive, prompts for passphrase is not provided and scan drives if no --device specified
NOTE: qemu usb_thumb drive of 128 mb are not big enough so that 10% of it (12mb) can be used to create thumb drive.
Adds:
- e2fsprogs to support ext4 filesystem creation through mke2fs
- add /etc/mke2fs.conf so that mke2fs knows how to handle ext2/ext3/ext4
- removes mke2fs support from busybox
- bump busybox to latest version which adds cpu accelerated hash functions (not needed per se here)
- Adds exfatprogs to have mkfs.exfat and fsck.exfat
- Adds prepare_thumb_drive /etc/luks-functions to be able to prepare a thumb drive with percentage of drive assigned to LUKS, rest to exfat
- Modify most board configs to test space requirements failing
- Talos2 linux config: add staging Exfat support
- Make e2fsprogs and exfatprogs included by default unless explicitely deactivate in board configs
- Change cryptsetup calls : luksOpen to open and luksClose to close to addresss review
- etc/luks_functions: cleanup
GOAL here is to have secure thumb drive creation which Heads will be able to use to backup/restore/use generated GPG key material in the future (next PR)
Nothing else shares the 4.20.1 toolchain yet, and upcoming forks are
based on older releases. We'll share it when other boards update to
4.20.1.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
fbwhiptail scales its UI based on the display size. FBWHIPTAIL_SCALE
can set a specific scale factor for testing.
fbwhiptail no longer looks for a 1080p mode when the default mode is
2160p.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Build kbd and ship setfont if enabled with CONFIG_KBD.
When CONFIG_KBD is enabled, setconsolefont.sh will double the console
font size on large displays (>1600 lines tall as a heuristic).
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
CROSS= is needed for skiboot on PPC64 due to different endianness
relative to coreboot.
The talos_2 fork doesn't share the toolchain because it is the only
_fork_, not board, to be precise. We could add more boards using that
fork without having to create a shared toolchain, it only matters if we
add another fork or start building boards from the upstream release
too.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Two := assignments were factored out together, the second overwrote the
first. Fix to +=, and remove the nitrokey assignment since it came
from a branch.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
This was spelled wrong - it's actually '_depends'. 'initrd' isn't a
module any more so the value doesn't make sense, remove it.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
The skiboot build fails to find the toolchain when it's not in the
default location. There is only one ppc64 board anyway, so there's no
point trying to share a toolchain for now.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Use .heads-toolchain to mark that the toolchain was built rather than
.xcompile. coreboot doesn't generate .xcompile until the build step,
so all modules had to build successfully before we would stop trying to
to rebuild the toolchain. Build steps should generally produce the
indicated outputs too, which was not occurring here.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Reuse the toolchain from a coreboot release for fork builds. Either
the fork or the release can be built first, in either case the
release's toolchain is built at the default location and reused for
later builds.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Define a separate module for each coreboot version, so the module used
to build the ROM will optionally be able to reference the toolchain
from a different module.
This will allow coreboot fork builds to use the toolchain from the
corresponding release.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
At one time coreboot was built using Heads' musl toolchain, but this
was later reverted. coreboot builds with its own toolchain again.
CROSS= has no effect on coreboot proper (only exception is PPC64
skiboot payload). It was added to coreboot by a patch that was deleted
in 8e44853. COREBOOT_IASL was set to the default, that was only needed
when the toolchain was being overridden to override iasl back to the
coreboot one.
ppc64 still specifies CROSS= since skiboot is unable to find coreboot's
toolchain from XGCCPATH but checks CROSS. This builds skiboot with the
Heads toolchain as before.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Remove coreboot 4.8.1, 4.13, and 4.17, which were all unused.
Remove extra copies of EXTRA_FLAGS which duplicated the common
definition. The only difference was
-Wno-error=address-of-packed-member, the warning is now disabled
entirely everywhere with -Wno-address-of-packed-member.
Use separate coreboot_version values for talos_2, nitrokey, and purism,
which gives each a separate build directory.
Move conditional blob definitions out of each coreboot version.
Fix condition for coreboot-blobs - whether a module is a git clone
actually depends on non-empty <module>_repo, not <module>_version==git.
Fix the test so git versions of coreboot can have arbitrary names.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Updated cbmem searches for CBMEM exposed by kernel in sysfs before
trying to read it from memory directly. As such, there is no need for
pointing to that file explicitly.
New coreboot revision also fixes output of 'cbmem -t' caused by wrong
endianness.
Signed-off-by: Krystian Hebel <krystian.hebel@3mdeb.com>