* modules/linux: add support for building with kernel 5.4.69
Add support to module, port patches from 4.19.139.
Needed for newer platforms not supported by 4.19 kernel.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* CircleCI: add rysnc dependency for building kernel 5.x
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* Migrate all Librem boards to kernel 5.x, common config
Update linux-librem_common.config from 4.x to 5.x, and add
CONFIG items needed to support the librem_l1um (AST DRM drivers,
serial port output).
Tested on Librem 13v4, Librem Mini, and Librem Server L1UM.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* modules/coreboot: add option to use coreboot 4.11
Port patches from coreboot 4.8.1 to 4.11:
* 0000-measure-boot -> 0001
* 0010-cross-compiler-support
All other patches for coreboot 4.8.1 have either already been
integrated, or are for platforms which do not need to be migrated
to coreboot 4.11 (they will move to 4.12 or newer).
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* patches/coreboot-4.11: Add Broadwell-DE platform patch
Add a patch for FSP Broadwell-DE to make use of Heads' measured boot.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* patches/coreboot-4.11: Add patch to read serial # from CBFS
Will be used by multiple Librem boards.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* patches/coreboot-4.11: add board support for Librem Server L1UM
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* Librem Server L1UM: add new board
Add board config, coreboot config, kernel config files.
Add conditional purism-blobs dependency to coreboot-4.11 module.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* flash.sh: add special handling for librem_l1um board
Add support for persisting PCIe config via PCHSTRP9 in flash descriptor.
This is needed to support multiple variants of the L1UM server which
use the same firmware but differ in PCIe lane configuration via the
PCH straps configuration in the flash descriptor.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* patches/coreboot-4.11: Add 'Use PRIxPTR to print uintptr_t' patch
Cherry-picked from upstream coreboot (post-4.11), fixes compilation issue.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* CircleCI: add target to build board librem_l1um
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Update to upstream flashrom (post v1.2) commit 4d3657b4:
Add support for Comet Lake-U/400-series PCH
kgpe-d16 patch from flashrom 1.2 still applies cleanly.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* musl-cross: remove old patch artifact of the musl-cross era
* CircleCI: do not produce hash digest for musl-cross-make patches (artifact was for musl-cross, not musl-cross-make)
* patches/coreboot-4.12: add cross-compiler support patch
Ported from coreboot-4.8.1, re-exported via `git diff`
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* modules/coreboot: use musl-cross-make to build
revert toolchain bits to pre-4.12 addition
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* config/coreboot-librem_mini: use CONFIG_ANY_TOOLCHAIN
Needed since coreboot 4.12 now built with musl-cross-make
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* patches/coreboot-4.12: Add patch for Cannonlake ME status
Add patch print ME status regardless of enablement state
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* modules: add purism-blobs module
Rather than require users to manually run a script to download the required
blobs to build Purism Librem boards, automate it so the correct version
is automatically downloaded/extracted. Restrict to coreboot 4.12 for now
since 4.8.1 still needs FSP blobs, which are not in module.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* configs/linux-librem13v2: unset CONFIG_RETPOLINE
Fixes compilation issue with newer kernels, ignored by older ones
which don't need it
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* Add new board: Librem Mini
Add Librem Mini board patch for coreboot 4.12, board config and
coreboot config. Continue reusing existing librem13v2 Linux config,
same as all other Librem boards currently. Use new purism-blobs module.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* board/librem*: rename for consistency
Use 'librem_<board>' notation for consistency across all models.
Rename linux config file since used by multiple Librem models.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* CircleCI: add librem_mini board to test
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* modules/linux: Add support for multiple kernel versions
Follow same pattern as used for coreboot. Add existing kernel version
as default for all existing boards.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* modules/linux: Add option to use 4.19 LTS kernel
Add option to use kernel 4.19.139 (current LTS version).
Duplicate existing patches from 4.14.62 as they all apply cleanly.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
As part of migration to coreboot 4.12, which includes measured boot
without additional patches, measure all parts of the firmware and the
payload into PCR2.
The same is done in coreboot 4.12. This commit ensures that boards not
migrated yet will show the same behaviour.
TODO: Update heads-wiki.
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
This patch was reported by @bemoody in issue #699
Tested via `BOARD=x230-hotp-verification` on a Thinkpad x230
Signed-off-by: alex-nitrokey <alex@nitrokey.com>
Update to nitrokey-hotp-verification master (c0956cf) and drop
existing patch which is no longer needed.
Test: clean build for Librem 13v2
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Commit 7ea13ee0 made some significant changes to Librem/Nitrokey
verification which broke both compilation and calls to hotp_initialize.
Fix them via a patch until it's fixed upstream.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
- Update flashrom module to v1.2.
- Drop Thinkpad x220 patch as it's now properly supported.
- Drop 'laptop=force_I_want_a_brick' from board FLASHROM_OPTIONS
since it's no longer needed.
- Migrate kgpe-d16 patch.
The kgpe-d16 patch needed a complete overhaul when rebased against
flashrom v1.2, and needs close inspection/testing as a result.
The following changes were made from the previous patch:
- dropped addition of 4-byte addressing (4BA), since now supported
- dropped addtiion of Macronix MX25L256 and MX66L512 chips,
since now supported
- added 4BA erase commands for Winbond W25Q256 chip
- dropped code to show progress indicator, since another PR already adds that
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Modeled after modules/tpmtotp, use a specific git commit hash for
module libremkey-hotp-verification. Add hidapi as a submodule with
dummy/placeholder in modules (like coreboot-blobs), also specified
by git commit hash. Adjust libremkey-hotp-verification patch file
name so patch applied properly.
Addresses issue #640
Test: build Librem 13v4
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Pass through new toolchain path via $(CROSS) so we can set the
c/c++ compiler paths correctly for CMake. Adjust patch to use
new paths, and fix compiler/linker paths to correct a libusb linking issue.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Add `--strip 1` to tar file extraction in the `Makefile`,
which ensures that the directory name in `build/` will
match the one listed in `$($(MODULE)_dir)`.
Signed-off-by: Trammell hudson <hudson@trmm.net>
Fix HOTP verfication failure if LK admin pin/passphrase contains
spaces by quoting the variables when passed to functions.
Test: set LK admin pin to passphrase with spaces, generate
new TOTP/HOTP, verification passes.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Reading the file into a variable and then redirecting to stdin
via echo() can cause the binary data to be truncated, leading
to an invalid base32 value and failure to properly generate
and validate the HOTP code.
To resolve this, pass the file directly to hotp(), and ensure
it is removed properly regardless of success or failure to
prevent leakage.
Fixes "Invalid base32 string" error seen when attempting to
generate a new TOTP secret.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
These two patches add the capability for coreboot to generate
the RMRR ACPI tables needed for proper IOMMU support. These
patches allow us to use 'intel_iommu=on' vs 'iommu=pt'
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
crossgcc is now using gcc 8.1.0 which will compile without issues
if your host system has gcc 8.x
This is required if we are to build on a new system (such as latest Fedora)
