Commit Graph

2703 Commits

Author SHA1 Message Date
Markus Meissner
55e3a192be
coreboot-nitrokey: hard-code ME state during boot, fixes Nitrokey/heads#39
Signed-off-by: Markus Meissner <coder@safemailbox.de>
2024-01-22 15:46:31 +01:00
Thierry Laurion
4f2b1b68b0
initrd/bin/kexec-unseal-key: never show final PCRs content but in DEBUG mode/Recovery Shell
Next steps on this is introspection and PCRs reconstruction helpers, which will output in DEBUG and be usable from recovery shell.
We have to keep in mind that providing those tools is useful in DEBUG mode and for users having access to Recovery Shell.
But currently, having access to cbmem -L output and final PCRs content is making it too easy for Evil Maid to know what needs to be hardcoded to pass measured boot.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-20 11:48:04 -05:00
Thierry Laurion
6db03b0bdd
Uniformize vocabulary: LUKS TPM Disk Unlock Key & LUKS Disk Recovery Key
When playing with long fbwhiptail/whiptail messages, this commit played around the long string using fold.

'''
echo -e "This will replace the encrypted container content and its LUKS Disk Recovery Key.\n\nThe passphrase associated with this key will be asked from the user under the following conditions:\n 1-Every boot if no Disk Unlock Key was added to the TPM\n 2-If the TPM fails (hardware failure)\n 3-If the firmware has been tampered with/modified by the user\n\nThis process requires you to type the current LUKS Disk Recovery Key passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set up, by setting a default boot LUKS key slot (1) if present.\n\nAt the next prompt, you may be asked to select which file corresponds to the LUKS device container.\n\nHit Enter to continue." | fold -w 70 -s
'''

Which gave the exact output of what will be inside of the fbwhiptail prompt, fixed to 70 chars width:

'''
This will replace the encrypted container content and its LUKS Disk
Recovery Key.

The passphrase associated with this key will be asked from the user
under the following conditions:
 1-Every boot if no Disk Unlock Key was added to the TPM
 2-If the TPM fails (hardware failure)
 3-If the firmware has been tampered with/modified by the user

This process requires you to type the current LUKS Disk Recovery Key
passphrase and will delete the LUKS TPM Disk Unlock Key slot, if set
up, by setting a default boot LUKS key slot (1) if present.

At the next prompt, you may be asked to select which file corresponds
to the LUKS device container.

Hit Enter to continue.
'''

Therefore, for long prompts in the future, one can just deal with "\n 1-" alignments to be respected in prompts and have fold deal with cutting the length of strings properly.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-20 11:47:35 -05:00
Thierry Laurion
4bc284e7fb
TPM DUK: Fix passphrase retry and code to support both LUKSv1/LUKSv2 output to check active keyslot 1 is not the only one existing
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-19 14:44:50 -05:00
tlaurion
f877739095
Merge pull request #1594 from JonathonHall-Purism/blob_jail_warn
initrd/bin/inject_firmware.sh: Fix warning command
2024-01-19 10:37:48 -05:00
Jonathon Hall
cb61739139
initrd/bin/inject_firmware.sh: Fix warning command
The function is 'warn', not 'WARN'.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-19 09:53:53 -05:00
Jonathon Hall
84040176fa
modules/bash: Enable readline
Restores autocomplete and makes bash more usable as an interactive
shell.  Added 106 KB to compressed initrd (checked librem_14).

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-17 16:34:48 -05:00
Jonathon Hall
ae29ddbc78
initrd/bin/root-hashes-gui.sh: Remove debug statement for non-LVM-PV
This statement was confusing and should be clear from tracing anyway.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-17 16:34:48 -05:00
Jonathon Hall
80b57eb60d
initrd/bin/root-hashes-gui.sh: Qubes support, faster hash creation
Don't spew the root hashes to the console when creating the hash file.
This speeds up hash creation significantly.  A basic Qubes install on a
cheap (slow) SATA SSD reduced from about 1.5 minutes to just under 1
minute, and a PureOS install on a fast NVMe disk reduced from 2.5
minutes to 1 minute.

Support opening LVM volume groups to find the root disk.  If an LVM PV
is found, its group is opened and the 'root' volume is used.  There is
no way to set the volume name in this iteration; this is the default
name used by Qubes and probably common to many LVM OS installations.
LUKS and LVM can be mixed.  Tested LUKS (PureOS) and LUKS+LVM (Qubes).

Always cd to "$ROOT_MOUNT" in a subshell, improves robustness of
scripts (previously some functions only worked if they were called
after another function had cd'd to "$ROOT_MOUNT").

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-17 16:34:47 -05:00
Jonathon Hall
70d249ae46
intird/bin/config-gui.sh: Clarify root hash menu item, minor cleanup
Say the action to take in the menu (enable or disable) instead of just
"Check root hashes at boot".

Clean up some use of load_config_value, set_config, combine_configs.
Get config values from the environment directly.  set_user_config does
set_config and combine_configs.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-17 16:34:47 -05:00
Jonathon Hall
de1592e2f5
lvm2: Support LVM2 thin provisioned volumes
Support LVM2 thin-provisioned volumes.  LVM2 wants the thin_check
utility by default, but it has multiple dependencies we do not
currently ship (boost, libexpat, others), so disable it.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-17 16:34:32 -05:00
Jonathon Hall
e0b46d086a
functions: TRACE_FUNC and DEBUG_STACK
Add TRACE_FUNC to trace the file, line, and name of the calling
function.  File and function names don't have to be duplicated in a
TRACE statement with this (they tend to become inaccurate as functions
are renamed and the TRACE statement is forgotten).

Add DEBUG_STACK to dump the bash stack to debug output.

Configure bash with --enable-debugger.  Bash doesn't actually include
the entire debugger, this is just some supporting variables for it.
Evidently, BASH_SOURCE[n] is only set within a function if this is
enabled.  I couldn't find this indicated in any documentation, but it
happened in practice.

Compressed initrd size only increased by 2560 bytes for librem_mini_v2,
I think that is fine.  This also gives us BASH_ARGC/BASH_ARGV which
might be useful for diagnostics.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-17 16:32:37 -05:00
Jonathon Hall
2b41a740c4
config/linux-librem_common-6.1.8: Rebuild starting with 5.10 config
Rebuild the kernel 6.1.8 config for Librem devices starting from the
current 5.10 config as a base.  The current 5.10 config had cleaned up
some unneeded options, but that hadn't been carried over to the 6.1.8
config.

Graphics init still uses EFIFB in the 6.1.8 kernel.  5.10 keeps DRM+ast
to support librem_l1um (the only board still using it).

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-17 16:10:03 -05:00
tlaurion
cb518e4f1b
Merge pull request #1584 from tlaurion/ppc64le_cross_build_changes
ppc64le builder required changes
2024-01-11 09:58:44 -05:00
Thierry Laurion
a42812d60c
ppc64le builder required changes
popt: too old to have a working config.guess
libusb-compat: not needed for gpg2
gpg2: depend on libusb not libusb-compat

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-10 18:28:24 -05:00
Jonathon Hall
0a823cb491
Allow laptops to include optional USB keyboard support
Laptops can include optional USB keyboard support (default off unless
the board also sets the default to 'y').  The setting is in the
configuration GUI.

CONFIG_USER_USB_KEYBOARD is now the user-controlled setting on those
boards.  'CONFIG_USB_KEYBOARD' is no longer used to avoid any conflict
with prior releases that expect this to be a compile-time setting only
(conflicts risk total lock out requiring hardware flash, so some
caution is justified IMO).

Boards previously exporting CONFIG_USB_KEYBOARD now export
CONFIG_USB_KEYBOARD_REQUIRED.  Those boards don't have built-in
keyboards, USB keyboard is always enabled. (librem_mini,
librem_mini_v2, librem_11, librem_l1um, librem_l1um_v2, talos-2,
kgpe-d16_workstation-usb_keyboard, x230-hotp-maximized_usb-kb).

Librem laptops now export CONFIG_SUPPORT_USB_KEYBOARD to enable
optional support.  The default is still 'off'.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-10 15:38:06 -05:00
tlaurion
de7dad25d7
Merge pull request #1582 from JonathonHall-Purism/coreboot_dep_ln_fix
bin/fetch_coreboot_crossgcc_archive.sh: ln -s again if link exists
2024-01-10 15:07:12 -05:00
tlaurion
be1835b9ad
Merge pull request #1581 from JonathonHall-Purism/flash-gui-errors
Show error messages for various media errors in flash-gui.sh
2024-01-10 15:05:51 -05:00
Jonathon Hall
ff1d606be6
bin/fetch_coreboot_crossgcc_archive.sh: ln -s again if link exists
Changes in things like modules/coreboot will check the coreboot
toolchain archives again.  We reuse the cached archive already, but the
final ln -s may fail if the link already exists.  Remove it first and
link again.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-10 13:26:55 -05:00
Jonathon Hall
905d40bd9b
initrd/bin/flash-gui.sh: Show error if find fails due to I/O error
'find' may fail if I/O errors occur (medium faulty or removed,
filesystem corruption, etc.)  Show a message if this occurs rather than
just dying and returning to the main menu.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-09 15:15:24 -05:00
Jonathon Hall
40e96c7dae
initrd/bin/flash-gui.sh: Show message if plain ROM is unreadable
If the user selects a plain ROM, but that file can't be read, show a
message and exit rather than dying.  Copy the ROM to RAM before doing
anything with it in case the media fails later.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-09 15:15:24 -05:00
Jonathon Hall
7e57ce181b
initrd/bin/flash-gui.sh: Fix indentation
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-09 15:15:24 -05:00
tlaurion
90d1c2e9e3
Merge pull request #1578 from JonathonHall-Purism/config-automatic-boot-delay
initrd/bin/config-gui.sh: Allow configuring automatic boot
2024-01-09 15:12:03 -05:00
Thierry Laurion
a2ebf251e0
hotp boards: enable autoboot after 5 seconds if reverse HOTP against USB Security Dongle is successful by default
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-09 15:06:04 -05:00
tlaurion
8e1e402dac
Merge pull request #1580 from tlaurion/force_absence_dirmngr
gpg2: make sure dirmngr is not spawn to refresh keys under initrd/.gnupg/gpg.conf
2024-01-09 15:03:17 -05:00
tlaurion
4ece1a1fe4
Merge pull request #1579 from JonathonHall-Purism/seal-hotpkey-error
initrd/bin/seal-hotpkey: Show error if /boot can't be mounted
2024-01-09 14:49:15 -05:00
Thierry Laurion
012400af1b
gpg2: make sure dirmngr is not spawn to refresh keys under initrd/.gnupg/gpg.conf
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-09 12:53:56 -05:00
Jonathon Hall
5a00bfc035
initrd/bin/seal-hotpkey: Show error if /boot can't be mounted
If we can't mount /boot, show a meaningful error rather than dropping
to a recovery shell.

Dropping to a recovery shell should be a last resort.  Users that know
how to use the recovery shell know how to get there.  Users that don't
know how to use it can be completely stuck and may not know how to get
back to the menu or even how to turn off the device.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-09 12:27:59 -05:00
tlaurion
025b4d0dfc
Merge pull request #1576 from JonathonHall-Purism/package-mirrors
Makefile: Support mirrors for dependency source packages
2024-01-09 12:21:30 -05:00
Jonathon Hall
25b977d1e5
initrd/bin/config-gui.sh: Allow configuring automatic boot
Automatic boot can be configured in the configuration GUI.  Options are
disable, 1 second, 5 seconds, or 10 seconds.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-09 10:12:22 -05:00
Jonathon Hall
93ccf25d24
bin/fetch_coreboot_crossgcc_archive.sh: Symlink archives into coreboot
Symlink the source archives into coreboot's crossgcc build rather than
copying them.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-09 10:03:51 -05:00
Jonathon Hall
e380539202
modules/coreboot: Disable Ada compiler for coreboot 4.11
Disable the Ada compiler, as it no longer compiles on Debian 12 and is
not needed.

The Ada compiler is only used for libgfxinit - Intel native graphics
initialization.  Neither of the boards on coreboot 4.11 uses this;
Aspeed graphics initialization is written in C (but is not used yet as
it only supports text mode in 4.11).

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-08 15:38:44 -05:00
Jonathon Hall
f632897bb5
modules/coreboot: Cache coreboot toolchain archives and use mirrors
Download coreboot toolchain archives into packages/<arch> before
coreboot tries to download them.  This allows us to use mirrors to get
the archives.  We could also update the primary source this way if it
goes down instead of patching coreboot itself (has happened for IASL).

The archive versions and digests are retrieved from the coreboot
module, so there isn't another copy of that info to maintain.  That is
done in bin/fetch_coreboot_crossgcc_archive.sh, which uses the
existing fetch script to do the actual download, leveraging mirrors.

bin/fetch_source_archive.sh supports using a SHA-1 digest instead of
SHA-256, since coreboot has SHA-1 digests.  It also checks if the file
already exists (deleting the coreboot directory will cause it to be
re-run, but the packages are already there and can be used from cache).

The coreboot-4.11 IASL patch is updated to delete the outdated acpica
archive digest (it already added the new one, but the old one was still
there).  bin/fetch_coreboot_crossgcc_archive.sh finds the archive
version and digest from the digest files, so only one acpica file must
be present.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-08 15:10:56 -05:00
Jonathon Hall
29203782f6
bin/fetch_source_archive.sh: Use Heads package names when they differ
Use the Heads name for a package when it differs from the primary
source.  E.g. musl-cross-make's archive is just <hash>.tar.gz, which
makes little sense out of context.  musl-cross-<hash>.tar.gz makes
more sense for a mirror.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-05 13:17:01 -05:00
Jonathon Hall
3a93b30d5b
Makefile: Support mirrors for dependency source packages
Try to download dependency source packages from mirrors if the primary
source fails or the archive has changed.

Move the download and verify logic to bin/fetch_source_archive.sh.  The
mirror list is here, currently only
https://storage.puri.sm/heads-packages/, but others can be added.  The
mirror list is randomized to load each mirror equally.

The verify logic is moved to this script too so it can fail over to a
mirror (or another mirror) if a mismatched archive is served, not just
for a failure.  Makefile no longer needs to verify separately and there
are no separate .*-_verify files any more, the archive is only moved to
its final place once verified.

Add `packages` target to just fetch all needed packages for a board,
facilitates seeding a mirror.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2024-01-05 12:49:36 -05:00
tlaurion
c9e067c721
Merge pull request #1575 from tlaurion/revert_waybackmachine_usage_for_circleci
switch back from web.archive.org to cairographics.org (CircleCI is rate limited)
2024-01-04 22:13:08 -05:00
Thierry Laurion
fbbdc94634
switch back from web.archive.org to cairographics.org (CircleCI is rate limited over web.archive.org:not a solution....
Adds up to https://github.com/linuxboot/heads/issues/1198

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-04 21:32:32 -05:00
tlaurion
ea0a599dec
Merge pull request #1570 from tlaurion/automate_blobs_download_xx30_xx20
Automate blobs download for xx30 xx20 boards
2024-01-04 17:12:12 -05:00
Thierry Laurion
77f9933538
xx20/xx30 blob based boards: move ME blobs target outside of board configs (targets/xx*_blobs.mk)
Makefile: have inclusion of all defined $BOARD BOARD_TARGETS (me, split_8mb4mb, ...)

TODO: VBIOS scripts for W530/T530 need way more work. To be done later.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-04 15:32:09 -05:00
Thierry Laurion
d7c2bda112
blobs/xx20/download_parse_me.sh: cleanup and don't continue if hash is good
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-04 14:21:13 -05:00
Thierry Laurion
f2079dbe44
blobs/xx30 scripts: cleanup and don't continue if hash is good
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-04 14:21:11 -05:00
Thierry Laurion
de951f7156
CircleCI : readd blobs cache in prep step to download once and pass through workspace cache
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-04 14:21:10 -05:00
Thierry Laurion
197914b396
xx20 boards and circleci: Have boards download extract and neuter me by board config
Fix https://github.com/linuxboot/heads/issues/1569 part of error linked to me not being available in blobs/xx20/me.bin

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-04 14:21:08 -05:00
Thierry Laurion
753aa39503
CircleCI: test commit to have all boards download their own blobs
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-04 14:21:06 -05:00
Thierry Laurion
24571d91bc
CircleCI: readd xx30 call to have ME downloaded for all boards. Next commit will remove all those to test boards downloading of all blobs, but this is not desirable for CI where we want blobs to be downloaded once in prep step not from each board.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-04 14:21:05 -05:00
Thierry Laurion
0d6cba852b
w530-dgpu K2000 boards : have the boards call vbios download script automatically. Breaks on debian-12 as of now but should work on debian-11 for others, gems say deprecated calls....
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-04 14:21:03 -05:00
Thierry Laurion
1fea3e4463
t530-dgpu boards : have the boards call vbios download script automatically. Breaks on debian-12 as of now but should work on debian-11 for others, gems say deprecated calls....
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-04 14:21:01 -05:00
Thierry Laurion
43d1b4ed81
xx30: have all xx30 download me automatically.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-01-04 14:21:00 -05:00
tlaurion
449977b617
Merge pull request #1561 from Nitrokey/up-v2.4
Bump Dasharo Coreboot / hotp-verification; fix nitropad-nxx ec-powerdown
2024-01-03 15:49:55 -05:00
tlaurion
07db2ddb6c
Merge pull request #1573 from tlaurion/cairo_use_waybackmachine
modules/cairo: www.cairographics.org down again. Use web.archive.org archive
2024-01-02 16:20:31 -05:00