Commit Graph

1855 Commits

Author SHA1 Message Date
tlaurion
7be67e4992
Merge pull request #1297 from tlaurion/usb-scan_moved_to-media-scan
usb-scan->media-scan: usb-init calling media-scan usb
2023-01-27 16:07:17 -05:00
tlaurion
f440ad3d31
Merge pull request #1284 from tlaurion/hardenedvault-crypttab-path_remix_enable_discard
WiP : TPM disk unlock key setup (kexec-save-key) reuses OS initrd's crypttab files as base for /secret.key override (kexec-insert-key)
2023-01-27 13:31:44 -05:00
Thierry Laurion
150b95a034
TPM disk unlock key setup: Automatically override selected default boot option's initrd's crypttab file(s) to point to LUKS decryption key in injected cpio
- kexec-save-default extracts initrd crypttab files and creates /boot/kexec_initrd_crypttab_overrides.txt entries pointing to /secret.key
- kexec-insert-key applies /boot/kexec_initrd_crypttab_overrides.txt to replace initrd's crypttabs files pointing to inserted /secret.key through cpio
- Both scripts inform the user of applied magic on screen
2023-01-27 13:27:17 -05:00
HardenedVault
8a60930c6b
Make the path to crypttab within initramfs overridable
Not all distros put crypttab under /etc/ within initramfs, but finding it at
runtime needs unpacking, which may be hard to do, so it is made overridable
with a file at /boot/kexec_initrd_crypttab_path.txt, whose content could be
obtained with $ cpio -t < ${uncompressed_initrd} | grep crypttab .

The "target" field of the record within the crypttab stored in the root
file system for the luks container which is going to be unlocked via
kexec-insert-key should be modified into the same "luks-$uuid" format,
otherwise the boot sequence will get stuck when the OS is trying to unlock them
again, in order to map them according to "target" fields written in the
crypttab stored in the root fs.
2023-01-27 12:56:32 -05:00
Thierry Laurion
268767d300
/etc/distro/keys/tails.key: Replace with updated and minimized one
2023-01-26 15:58:57 -05:00
Thierry Laurion
299977926c
usb-scan->media-scan: usb-init calling media-scan usb
media-scan accepts direct input of existing blkid and mount that passed device to /media
2023-01-26 15:38:58 -05:00
tlaurion
c1ae44d71c
Merge pull request #1289 from danielp96/master
/etc/functions: fix detection of virtual flash drive in qemu.
2023-01-26 14:33:38 -05:00
Rocky Breslow
ed8c74e197
Add script for obtaining T440p me.bin blob
I performed an analysis of the differences between an me.bin blob I
extracted from my T440p and the me.bin blob from Lenovo's website:
https://github.com/osresearch/heads/pull/1282#issuecomment-1386292403.
2023-01-23 22:32:35 -05:00
Rocky Breslow
7a29db11ed
t440p: disable NVMe support in Linux kernel
I went through all of the different options we copied from the Librem
config. The only thing that stood out as irrelevant was NVMe support.
However, I'm not a Linux kernel expert, and I didn't do a deep dive, so
I'm sure there is still room for improvement.
2023-01-23 22:28:32 -05:00
Rocky Breslow
c23ed548ff
Clone linux-librem_common.config for T440p
2023-01-20 17:09:09 -05:00
tlaurion
075284374b
Merge pull request #1291 from tlaurion/warn_user_when_totp-hotp_seal_requires_tpm_reset
gui-init: warn the user when sealing measurements through TOTP/HOTP reset
2023-01-19 18:44:10 -05:00
Thierry Laurion
e00280e663
gui-init: warn the user when sealing measurements through TOTP/HOTP requires TPM reset
2023-01-19 14:59:45 -05:00
Rocky Breslow
24d23ff47c
Add intel_iommu=igfx_off to T440p Coreboot kernel parameters
Without this, neither Qubes OS nor the Qubes OS installer would start.
Presumably, because we're "kexecing" from an already running kernel, we
need this set at the Coreboot level? Testing revealed that including
`intel_iommu=igfx_off` in the `CONFIG_BOOT_KERNEL_ADD` board config
option did nothing. And, the Qubes OS default boot option already
contains `intel_iommu=igfx_off`.

See:
- https://www.qubes-os.org/doc/installation-troubleshooting/#not-asking-for-vnc-because-we-dont-have-a-network--x-startup-failed-aborting-installation--pane-is-dead-error-during-installation
- https://github.com/Qubes-Community/Contents/blob/master/docs/troubleshooting/intel-igfx-troubleshooting.md
- https://www.kernel.org/doc/html/v5.10/x86/intel-iommu.html?highlight=igfx_off#graphics-problems
2023-01-18 15:27:45 -05:00
Rocky Breslow
65be2c5b7a
Add Heads config for the T440p (maximized/hotp-maximized)
2023-01-18 15:27:45 -05:00
Rocky Breslow
f0792117ef
Adjust T440p default Coreboot defconfig options
Remove options that haven't deviated from defaults in the Coreboot
Kconfig, despite being saved by `make savedefconfig`. Also, add
`CONFIG_BOARD_LENOVO_THINKPAD_T440P`, which was missing from the `make
savedefconfig` output, causing Heads builds to fail. And finally, bump
`CONFIG_CBFS_SIZE` to `0x800000` (8 MiB to bytes to hexadecimal).

This value for the CBFS size is arbitrary. Originally, I had totaled the
size of all binary blobs, subtracted that from the T440p's ROM size (12
MiB), and used the remaining space as the CBFS size (~11.68 MiB).
However, this caused very long RAM initialization times (courtesy of
`cbmem -t`). And, an anecdote in
https://groups.google.com/a/chromium.org/g/chromium-os-reviews/c/lUqRrGUoEBY/m/ka7L1f2BS8gJ
suggested that this value needs to be a power of 2.

So, I picked a size I expected our Linux payload to fit into that was a
power of 2 that I also expected would leave enough space in the ROM for
the IFD, ME, GbE, and Coreboot.

Now, it takes less than a second for RAM initialization after
flashing/first boot (anecdotally, it seems the MRC needs to be
"trained?").
2023-01-18 15:27:44 -05:00
Rocky Breslow
96f0c5b043
Add script for exporting blobs from original T440p ROM
2023-01-18 15:27:44 -05:00
Rocky Breslow
e325976569
Add initial T440p Coreboot defconfig
I generated this config by walking through Coreboot's `make menuconfig`.
The plan is to pare down verbose defaults and tweak from here.
2023-01-18 15:27:44 -05:00
Rocky Breslow
5cce937393
Add script for obtaining Haswell mrc.bin blob
I based this script on the Coreboot docs:
https://doc.coreboot.org/northbridge/intel/haswell/mrc.bin.html, while
adding an integrity check to ensure we're obtaining the correct blob.

Also, it's worth surfacing that the SHA-1 for the resulting binary is
the same SHA that Libreboot uses in their integrity check:
https://notabug.org/libreboot/lbmk/src/master/resources/scripts/download/mrc#L95.
However, I elected to use SHA-256 for extra paranoia.
2023-01-18 15:27:43 -05:00
tlaurion
f2ba6679ca
Merge pull request #1287 from rbreslow/rb/musl-cross-echo-path
modules/musl-cross: use echo from the PATH to support NixOS
2023-01-18 15:22:55 -05:00
tlaurion
a9e31161ac
Merge pull request #1288 from rbreslow/rb/gh-syntax-highlighting
Add overrides for Makefile syntax highlighting
2023-01-18 15:22:21 -05:00
tlaurion
9da7744808
Merge pull request #1286 from rbreslow/rb/hotp-verification-include-path
modules/hotp-verification: source libusb headers from Makefile DESTDIR
2023-01-18 15:21:22 -05:00
Rocky Breslow
dbd302497d
modules/musl-cross: use echo from the PATH to support NixOS
NixOS doesn't have a traditional FHS where echo is available at
`/bin/echo`. Instead, we must rely on the PATH for any
distribution-managed utilities. Reverses
https://github.com/osresearch/heads/issues/106.
2023-01-18 12:42:41 -05:00
Rocky Breslow
a5fa2ecb0b
modules/hotp-verification: source libusb headers from Makefile DESTDIR
Before, the configure script sourced these from the system FHS
(/usr/include/libusb-1.0). The build failed on my NixOS build machine,
which doesn't store dependencies in a traditional FHS. And this is the
correct approach for reproducible builds.
2023-01-18 12:41:54 -05:00
Daniel Pineda
3cd8654566
/etc/functions: fix detection of virtual flash drive in qemu.
Adds check to detect device formatted as fat32 without partition table.

With fat32, fdisk does not print a message about an invalid partition table
and instead prints an empty table with a header.
In both cases the total output has the same length of 5 lines: 3 about
device info, 1 empty line, and the 5th will be the table header or the
invalid partition message.

Signed-off-by: Daniel Pineda <daniel.pineda@puri.sm>
2023-01-18 11:27:15 -06:00
Rocky Breslow
b6c3229deb
Add overrides for Makefile syntax highlighting
Fix GitHub syntax highlighting for the Coreboot/Heads config files, and
modules, which are all Makefiles.

See: https://github.com/github/linguist/blob/master/docs/overrides.md
2023-01-18 11:51:38 -05:00
tlaurion
e45980d33f
Merge pull request #1281 from tlaurion/usb_modules_load_order_fix
2023-01-17 12:13:04 -05:00
tlaurion
db5777ad91
Merge pull request #1262 from 3hhh/add-files
2023-01-17 12:12:13 -05:00
Thierry Laurion
256313a988
/etc/functions: fix order when loading usb modules to prevent warning
2023-01-16 15:21:14 -05:00
3hhh
d07df1e60b
initrd: escape_zero: allow some more characters
Since it's not supposed to be shell-safe, just display-safe
inside double quotes, we can allow some more characters.

Also fix the escape character not being escaped.
2023-01-14 13:14:09 +01:00
3hhh
2ae7f53e04
initrd: assert_signable: use recovery() instead of die()
and display some more information to the user, if
available
2023-01-14 10:27:42 +01:00
3hhh
c65d6b92c0
initrd: call assert_signable earlier
No need to check for the GPG card first.
2023-01-14 10:07:31 +01:00
3hhh
4ce8f664ad
initrd: work around a bug in busybox sha256sum
busybox sha256sum will create a checksum file for uncommon file names
(e.g. /boot/foo"$\n"bar), but fail to verify that exact file.
https://bugs.busybox.net/show_bug.cgi?id=14226

Thus disallow all files in /boot/ with strange file names at the time of
signing for now. Verifying in the presence of new files with such file
names in /boot/ is no issue for the kexec_tree verification due to the
previously implemented escaping mechanism.
2023-01-14 10:02:49 +01:00
3hhh
e368c3f6ea
initrd: speed up non-GUI booting
by not generating the kexec_tree diff in that case
2023-01-14 10:02:49 +01:00
3hhh
f52466edbf
initrd kexec_tree: fix various escaping issues
Attempt to fix the following issues:
1. unescaped file names may let an attacker display arbitrary
   whiptail prompts --> escape, original code by @JonathonHall-Purism
2. whiptail itself allows escape characters such as \n
   --> use an escape character not used by whiptail, i.e. #
3. performance issues caused by diff'ing too early -->
   only generate a diff to display to the user, if an actual issue is
   found
2023-01-14 10:02:49 +01:00
3hhh
60df237c37
initrd: fix error message to work with kexec_tree
2023-01-14 10:02:48 +01:00
3hhh
accd9f470d
initrd: track files in /boot in kexec_tree.txt
Fixes #1248
2023-01-14 10:02:27 +01:00
tlaurion
febff85498
Merge pull request #1278 from tlaurion/kexec-save-default_fix_subshell_boot_ops
kexec-save-default: do /boot operation in subshell
2023-01-13 14:58:11 -05:00
Thierry Laurion
90b2e0ca5d
kexec-save-default: do /boot operation in subshell
fixes screwed commit 6f6f37ec3a
2023-01-13 14:54:14 -05:00
tlaurion
1236cbc29e
Merge pull request #1277 from tlaurion/adjust_printf_clear
2023-01-13 12:23:53 -05:00
Thierry Laurion
1dd8fb4cf1
gui-init: add a print clear after the TOTP QR code is confirmed to be scanned by the user
2023-01-13 11:25:27 -05:00
Thierry Laurion
3d5db5d9e2
functions: remove the last two print clear which prevented troubleshooting console output
2023-01-13 11:24:26 -05:00
tlaurion
cd269f12c2
Merge pull request #1276 from tlaurion/recovery_fix_when_not_secret_to_shred
2023-01-13 10:45:56 -05:00
Thierry Laurion
87027d6a88
recovery call: since we operate under set -e, make sure that shred failing doesn't exit
2023-01-12 18:04:27 -05:00
tlaurion
8e73d91121
Merge pull request #1273 from tlaurion/qemu-coreboot-tpm1-boards_fixes
qemu-coreboot-tpm boards: usage optimizations
2023-01-11 17:19:39 -05:00
tlaurion
6f6f37ec3a
Merge pull request #1272 from tlaurion/boot_ops_under_subshell
/boot: make sure operations that must happen under /boot are under subshells
2023-01-11 16:24:26 -05:00
Thierry Laurion
080d439758
qemu-coreboot-tpm boards: usage optimizations
- ROOT_DISK_IMG is now dynamic (ROOT_DISK_IMG=/path/to/existing/provisioned/disk.img can be reused across run statements)
- Addition of missing boards to cover all use cases
- All TPM1 boards rely on common config/coreboot-qemu-tpm1.config
- boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.md has been generalized
 - all other boards are softlinked to the above for usage
2023-01-11 15:38:30 -05:00
Thierry Laurion
aa9b75f64d
/boot: make sure operations that must happen under /boot are under subshells
2023-01-11 13:59:26 -05:00
tlaurion
395de880db
Merge pull request #1267 from tlaurion/better_totp_correction_guidelines_in_code
2023-01-06 08:44:15 -05:00
tlaurion
a772259cbd
Merge pull request #1261 from Baitinq/nix_fix
Makefile: Use path agnostic bash location
2023-01-05 10:38:13 -05:00
tlaurion
355d608c6c
Merge pull request #1268 from tlaurion/qemu-coreboot-whiptail-tpm1-boarname_fix
qemu-coreboot-whiptail-tpm1: correction of boardname to reflect reality
2023-01-04 19:04:19 -05:00