Commit Graph

2554 Commits

Author SHA1 Message Date
Thierry Laurion
70b3272b32
Merge pull request #1671 from tlaurion/nix_qemu-canokey_derivate
flake.nix + qemu.mk : add working qemu-canokey usable from all qemu boards by default
2024-05-13 10:56:53 -04:00
Thierry Laurion
3a7292018e
Merge remote-tracking branch 'osresearch/master' into pr/tlaurion/1662
2024-05-13 09:23:20 -04:00
Thierry Laurion
c73692e4f3
flake.nix + qemu.mk : add working qemu-canokey usable from all qemu boards by default
flake.nix: add canokey-qemu lib, derive qemu on top of it and have qemu_kvm depend on the qemu derivative
targets/qemu.mk: modified to add canokey support by default if no "USB_TOKEN=" is specified on the make run call

CircleCI: base docker image pull on v0.1.6 containing the newly added derivatives
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-12 13:51:28 -04:00
Thierry Laurion
1e583e01a0
Merge pull request #1661 from tlaurion/wip-nix-for-build
Move to nix buildstack (and nix develop produced docker image used under CircleCI)
2024-05-10 16:05:34 -04:00
Thierry Laurion
ecbfdbc57b
README.md Simplify Setup of Nix and flakes and docker image creation instructions
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 16:01:15 -04:00
Thierry Laurion
c52fd42802
Merge remote-tracking branch 'osresearch/master' into pr/tlaurion/1661
2024-05-10 15:36:54 -04:00
Thierry Laurion
81cc5263a0
nv41/ns50 coreboot configs: save configs with make BOARD=nitropad-n[v41|s50] coreboot.modify_and_save_oldconfig_in_place
removes a comment:
-# CONFIG_DASHARO_FIRMWARE_UPDATE_MODE is not set
- Unify ns50/nv41
 - CONFIG_TPM_PIRQ=0x27 in both nv41/ns50 as per https://github.com/linuxboot/heads/pull/1662#issuecomment-2100820944
NOTE that this doesn't stick when calling
make[1]: Leaving directory '/home/user/heads/build/x86/coreboot-dasharo'
user@heads-tests-deb12:~/heads$ git diff
diff --git a/config/coreboot-nitropad-nv41.config b/config/coreboot-nitropad-nv41.config
index 9484aaf5122..ddd4e5d7c56 100644
--- a/config/coreboot-nitropad-nv41.config
+++ b/config/coreboot-nitropad-nv41.config
@@ -143,7 +143,7 @@ CONFIG_BOARD_CLEVO_NV40PZ_BASE=y
 CONFIG_MAINBOARD_SMBIOS_PRODUCT_NAME="Nitropad NV41"
 CONFIG_CONSOLE_POST=y
 # CONFIG_USE_PM_ACPI_TIMER is not set
-CONFIG_TPM_PIRQ=0x27
+CONFIG_TPM_PIRQ=0x0
 # CONFIG_SOC_INTEL_CSE_SEND_EOP_EARLY is not set
 CONFIG_VBOOT_FWID_VERSION="$(CONFIG_LOCALVERSION)"
 CONFIG_EC_SYSTEM76_EC_BAT_THRESHOLDS=y
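Review bot: the flip of CONFIG_TPM_PIRQ from 0x27 to 0x0 in this hunk means the value the commit message says it unified for nv41 is not what ends up in the built ROM; oldconfig only keeps a value when the symbol is visible and its dependencies are satisfied for the selected board, and resets it to the Kconfig default otherwise. Check where TPM_PIRQ is declared in the coreboot tree and what it depends on for the Clevo adl-p boards, and fix it there rather than re-adding `CONFIG_TPM_PIRQ=0x27` to config/coreboot-nitropad-nv41.config, which the next `make BOARD=nitropad-nv41 coreboot.modify_and_save_oldconfig_in_place` will silently revert again. The ns50 config further down carries the same `CONFIG_TPM_PIRQ=0x27` line and should be verified the same way.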

Also note that CONFIG_EC_SYSTEM76_EC_DGPU=y is not present on ns50 as opposed to nv41, whatever that does.
user@heads-tests-deb12:~/heads$ diff -u config/coreboot-nitropad-nv41.config config/coreboot-nitropad-ns50.config
--- config/coreboot-nitropad-nv41.config	2024-05-10 14:59:42.156754718 -0400
+++ config/coreboot-nitropad-ns50.config	2024-05-10 14:55:37.699761391 -0400
@@ -110,7 +110,7 @@
 # CONFIG_VENDOR_TI is not set
 # CONFIG_VENDOR_UP is not set
 CONFIG_MAINBOARD_FAMILY="Not Applicable"
-CONFIG_MAINBOARD_PART_NUMBER="nv40pz"
+CONFIG_MAINBOARD_PART_NUMBER="ns50pu"
 CONFIG_MAINBOARD_VERSION="v2.1"
 CONFIG_MAINBOARD_DIR="clevo/adl-p"
 CONFIG_DIMM_MAX=4
@@ -128,7 +128,7 @@
 CONFIG_DEVICETREE="devicetree.cb"
 # CONFIG_VBOOT is not set
 CONFIG_VBOOT_VBNV_OFFSET=0x28
-CONFIG_VARIANT_DIR="nv40pz"
+CONFIG_VARIANT_DIR="ns50pu"
 CONFIG_OVERRIDE_DEVICETREE="variants/$(CONFIG_VARIANT_DIR)/overridetree.cb"
 # CONFIG_VGA_BIOS is not set
 CONFIG_MAINBOARD_SMBIOS_MANUFACTURER="Nitrokey"
@@ -139,8 +139,8 @@
 CONFIG_CMOS_LAYOUT_FILE="src/mainboard/$(MAINBOARDDIR)/cmos.layout"
 CONFIG_BOOT_DEVICE_SPI_FLASH_BUS=0
 CONFIG_BOARD_CLEVO_ADLP_COMMON=y
-CONFIG_BOARD_CLEVO_NV40PZ_BASE=y
-CONFIG_MAINBOARD_SMBIOS_PRODUCT_NAME="Nitropad NV41"
+CONFIG_BOARD_CLEVO_NS50PU_BASE=y
+CONFIG_MAINBOARD_SMBIOS_PRODUCT_NAME="Nitropad NS51"
 CONFIG_CONSOLE_POST=y
 # CONFIG_USE_PM_ACPI_TIMER is not set
 CONFIG_TPM_PIRQ=0x27
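Review bot: CONFIG_MAINBOARD_SMBIOS_PRODUCT_NAME="Nitropad NS51" in the ns50 config disagrees with the file name, with CONFIG_MAINBOARD_PART_NUMBER="ns50pu" and with CONFIG_BOARD_CLEVO_NS50PU_BASE=y in the same diff; confirm that NS51 is the intended product string and not a typo, since it is what the OS, inventory tooling and any policy keyed on the DMI product name will see. Commit acc8044766 on this page lets Heads override SMBIOS_PRODUCT_NAME from the board config, so also state which of the two values actually wins in the final ROM.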
@@ -158,8 +158,8 @@
 CONFIG_HAVE_INTEL_FIRMWARE=y
 CONFIG_MRC_SETTINGS_CACHE_SIZE=0x10000
 CONFIG_DRIVERS_INTEL_WIFI=y
-CONFIG_IFD_BIN_PATH="3rdparty/dasharo-blobs/novacustom/nv4x_adl/descriptor.bin"
-CONFIG_ME_BIN_PATH="3rdparty/dasharo-blobs/novacustom/nv4x_adl/me.bin"
+CONFIG_IFD_BIN_PATH="3rdparty/dasharo-blobs/novacustom/ns5x_adl/descriptor.bin"
+CONFIG_ME_BIN_PATH="3rdparty/dasharo-blobs/novacustom/ns5x_adl/me.bin"
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000
 CONFIG_VBT_DATA_SIZE_KB=9
 CONFIG_CARDBUS_PLUGIN_SUPPORT=y
@@ -176,8 +176,8 @@
 #
 # Alder Lake P (2022)
 #
-# CONFIG_BOARD_NOVACUSTOM_NS5X_ADLP is not set
-CONFIG_BOARD_NOVACUSTOM_NV4X_ADLP=y
+CONFIG_BOARD_NOVACUSTOM_NS5X_ADLP=y
+# CONFIG_BOARD_NOVACUSTOM_NV4X_ADLP is not set

 #
 # Tiger Lake U (2021)
@@ -503,7 +503,6 @@
 #
 CONFIG_EC_ACPI=y
 CONFIG_EC_SYSTEM76_EC=y
-CONFIG_EC_SYSTEM76_EC_DGPU=y

 #
 # Intel Firmware
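Review bot: keeping CONFIG_EC_SYSTEM76_EC_DGPU=y on nv41 while dropping it on ns50 leaves the two configs this commit set out to unify differing on an EC option the message itself says it does not understand; the symbol sits under the System76 EC driver and, by its name, enables discrete-GPU handling, so confirm whether the nv41 variant actually has a discrete GPU. If it does not, remove the line from config/coreboot-nitropad-nv41.config as well; if it does, record that in the commit message instead of "whatever that does".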

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 15:01:56 -04:00
Michał Kopeć
f6f216c5b8
Use single coreboot rev for MSI and NCM
Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:50:37 -04:00
Thierry Laurion
443955e086
nv41/ns50 board config: Add note referring that those boards FB are GOP enabled just like the librem_11 for reference
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:50:31 -04:00
Thierry Laurion
eb2d8da983
nv41/ns50 coreboot config: apply 4cf15f2586c55d7c2f2c5136f08e7670eebc5012 also to ns50. Note: SMMSTORE and top-down resource allocation diff between ns50/nv41
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:50:27 -04:00
Thierry Laurion
7e31b204e1
nv41/ns50 coreboot config: make sure everything is saved with make BOARD=nitropad-n*** coreboot.modify_and_save_oldconfig_in_place
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:50:22 -04:00
Michał Żygowski
23976461d8
modules/coreboot: Avoid double quotes in LOCALVERSION
Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:40:26 -04:00
Michał Żygowski
83f96aae5c
modules/coreboot: Remove the lines with config values before overriding them
Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:40:21 -04:00
Michał Kopeć
1eef518daa
modules/coreboot: don't touch DMI vendor name if unspecified
Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:40:16 -04:00
Michał Kopeć
3cfa4e91ae
Allow overriding DMI manufacturer name
Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:40:11 -04:00
Michał Kopeć
3102666c91
coreboot-nitropad-nv41.config: disable RESOURCE_ALLOCATION_TOP_DOWN
Also disable bootsplash resizing to center the logo in the middle of
the screen.

Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:40:07 -04:00
Michał Żygowski
acc8044766
modules/coreboot: Allow overriding LOCALVERSION and SMBIOS_PRODUCT_NAME
Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:40:02 -04:00
Michał Żygowski
c7dc6a8064
patches: Remove obsolete patches for nitropad builds
Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:39:57 -04:00
Michał Żygowski
8e7e18920d
modules/nitrokey-blobs,boards/nitropad: Remove obsolete blobs module
Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:39:53 -04:00
Michał Żygowski
6a64144e97
modules/coreboot,config/coreboot-nitropad: Update to the newest revision
Signed-off-by: Michał Żygowski <michal.zygowski@3mdeb.com>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 14:39:48 -04:00
Thierry Laurion
77f1e346d0
Merge pull request #1640 from tlaurion/nitrokey_board_unification_clean-enable_htop_validated_autoboot
Nitrokey board cleaning+ unification cleanup (enable htop validated autoboot + tethering)
2024-05-10 14:20:16 -04:00
Thierry Laurion
181ce621bb
README.md Makefile: address comments in PR review for daily/non-daily Nix users, remove NIX_REPRO_NOTES, Makefile dev helpers self-explain themselves
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-10 12:04:32 -04:00
Jonathon Hall
c7f652bf89
Makefile: Use relative paths in configs generated from templates
Use relative paths in configs generated from templates, so the final
build doesn't depend on the absolute location of the repository.  The
coreboot config is part of the final ROM.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-09 19:44:10 -04:00
Jonathon Hall
6ce3d21e4c
modules/flashrom: Remove LIBS_BASE to stop linking in RPATH.
Specifying LIBS_BASE causes flashrom's Makefile to link in an RPATH,
using the Heads workspace path, which is not what we want.  It does
other things too, but we already pass the parts we need to the make
invocation for flashrom.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-09 12:20:17 -04:00
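The two commits above (c7f652bf89, relative paths in generated configs, and 6ce3d21e4c, flashrom's RPATH) guard against the same defect: an absolute workspace path leaking into build output, which both breaks reproducibility and, for an RPATH, makes a binary load libraries from a user-writable directory. The check below is an added example, not Heads project code and not from either commit author. It scans a build tree for ELF binaries whose RPATH/RUNPATH points into the workspace and for coreboot `.config` entries carrying an absolute workspace path; it assumes `readelf` and `cbfstool` are on PATH, that `/home/user/heads` (taken from the diff output quoted earlier on this page) stands in for the real checkout, and the ROM path in the example invocation is a placeholder.

```shell
#!/bin/sh
# Added example, not Heads project code: find absolute workspace paths that
# leaked into build output.
#   1. ELF binaries linked with an RPATH/RUNPATH under the workspace (the
#      flashrom LIBS_BASE issue): non-reproducible, and library loading then
#      depends on a directory the build user can write to.
#   2. The coreboot .config, which coreboot stores inside the ROM as the CBFS
#      file "config", so any absolute path in it changes the ROM hash.
# Assumptions: WORKSPACE is the Heads checkout (placeholder /home/user/heads);
# readelf and cbfstool are on PATH for scan_build.

WORKSPACE="${WORKSPACE:-/home/user/heads}"

# dynamic_section_leaks WS   (readelf -d output on stdin)
# Prints every RPATH/RUNPATH entry that mentions WS; returns 1 if any, else 0.
dynamic_section_leaks() {
    ws="$1"
    found=0
    while IFS= read -r line; do
        case "$line" in
            *"(RPATH)"*|*"(RUNPATH)"*)
                case "$line" in
                    *"$ws"*) printf '%s\n' "$line"; found=1 ;;
                esac ;;
        esac
    done
    return "$found"
}

# config_path_leaks WS   (coreboot .config on stdin)
# Prints CONFIG_*="..." lines whose value starts with WS; returns 1 if any.
config_path_leaks() {
    ws="$1"
    found=0
    while IFS= read -r line; do
        case "$line" in
            CONFIG_*=\""$ws"*) printf '%s\n' "$line"; found=1 ;;
        esac
    done
    return "$found"
}

# is_elf FILE: true when FILE starts with the ELF magic (\177ELF).
is_elf() {
    [ "$(head -c 4 "$1" 2>/dev/null | tr -d '\177')" = "ELF" ]
}

# scan_build WS BUILD_DIR ROM
# Runs both checks over a real build tree; prints offenders, returns 1 if any.
scan_build() {
    ws="$1"; build="$2"; rom="$3"
    tmp=$(mktemp) || return 2
    find "$build" -type f -print > "$tmp.list"
    : > "$tmp"
    while IFS= read -r f; do
        is_elf "$f" || continue
        readelf -d "$f" 2>/dev/null | dynamic_section_leaks "$ws" \
            | sed "s|^|$f: |" >> "$tmp"
    done < "$tmp.list"
    # cbfstool extracts the config coreboot embedded in the ROM.
    if cbfstool "$rom" extract -n config -f "$tmp.cfg" >/dev/null 2>&1; then
        config_path_leaks "$ws" < "$tmp.cfg" | sed 's|^|config: |' >> "$tmp"
    fi
    rc=0
    if [ -s "$tmp" ]; then cat "$tmp"; rc=1; fi
    rm -f "$tmp" "$tmp.list" "$tmp.cfg"
    return "$rc"
}

# Example invocation after a finished build (ROM path is an assumed placeholder):
#   scan_build "$WORKSPACE" "$WORKSPACE/build/x86" \
#       "$WORKSPACE/build/x86/nitropad-nv41/coreboot.rom"
```

Running `scan_build` in CI after the board build, and failing the job on a non-zero return, catches regressions of both commits in one step; a clean tree prints nothing and returns 0.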
Thierry Laurion
e4976e7882
Re-add kgpe-d16 as UNMAINTAINED_* boards, still built by CircleCI (since constant interest in the builds)
Modify .circleci/config.yml to also not reuse past caches if CircleCI config changes as part of calculated hashes for the 3 layers
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-08 15:36:27 -04:00
Thierry Laurion
b4936ea42c
CircleCI: use v0.1.4 produced with latest flake.nix which includes qemu_kvm for kvm testing in docker image
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-08 11:35:23 -04:00
Thierry Laurion
1bef1083e0
README.md: update repro notes. flake.nix: qemu_kvm was not included for native kvm support: added
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-08 11:30:23 -04:00
Thierry Laurion
03e861ea48
README.md: Add docs refs to setup docker and nix persistence over QubesOS Template/AppVM for usage. Expand on nix repro instructions for NIX_REPRO_NOTES for review
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-07 12:09:39 -04:00
Thierry Laurion
f4db4b791c
README.md qemu.md + CircleCI: point to images for building and using nix develop created docker image
- push v0.1.3 and have latest point to the same image, add repro notes inside of README.md
- modify qemu.md to also refer to using docker images

TODO: remove NIX_REPRO_NOTES prior of merging

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-06 15:22:11 -04:00
Thierry Laurion
2b2356e87e
CircleCI: use tlaurion/heads-dev-env:v0.1.1 which reverts nix attempt of garbage collection inside of nix prior to making the docker
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-03 15:07:29 -04:00
Thierry Laurion
0b7ce534a8
WiP: revert garbage collector within nix environment. Doesn't help and makes the docker image bigger
TODO: push v0.1.2 with those changes pointing circleci to use it
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-03 14:16:43 -04:00
Thierry Laurion
b65e8bf66d
nv41/ns50 shared linux config: reenable I2C, not even sure if needed
git difftool -d HEAD^ to check config against previous version (librem shared config), noticed I2C options being maybe relevant, added them back in

Then saved with make BOARD=nitropad-ns50 linux.modify_and_save_oldconfig_in_place

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-03 13:53:28 -04:00
Thierry Laurion
862f58f0da
config/linux-nitropad-x.config: bring par with librem_11 shared linux config (GOP compliant)
TODO: next, readd what might have been pertinent

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-03 13:43:31 -04:00
Thierry Laurion
8cace17940
nv41/ns50: coreboot configs saved in oldconfig
Result of:
make BOARD=nitropad-nv41 coreboot.save_in_oldconfig_format_in_place
make BOARD=nitropad-ns50 coreboot.save_in_oldconfig_format_in_place

No change, was applied like this anyway at compilation.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-03 13:35:46 -04:00
Thierry Laurion
0f412ed3ce
config/linux-nitropad-x.config: Add Tethering requirements
TODO: fix discrepancies in kernel config to limit technological debt in later commit in this PR
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-03 13:30:37 -04:00
Thierry Laurion
60e0d6017f
boards: uniformize nitropad boards with qemu-coreboot boards and against each other
- Add tethering in board configs
- Add autoboot after 5 seconds if HOTP remote attestation is successful

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-03 13:29:17 -04:00
Thierry Laurion
865a0c6a2b
WiP: Boards configuration unification between x230-hotp-maximized and nitrokey boards: enable Automatic boot when HOTP valid after 5 seconds
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-03 12:30:20 -04:00
Thierry Laurion
3d0991f6c1
flake.nix: revert to mmlb state and testing
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-03 10:13:09 -04:00
Thierry Laurion
973e905ef6
flake.lock: revert to old package pinning
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-03 10:06:16 -04:00
Thierry Laurion
46cad549ef
WiP flake.nix: make docker image usable for testing as well, target: qemu-coreboot-whiptail-tpm2 with swtpm and canokey for smartcard
- include nix tools inside of the docker to be able to call the garbage collector prior to creating the docker.
- protect roots from garbage collection (WiP)
  - Requires an external preparation call so that nix (the binary) is not wiped as well. See NIX_REPRO_NOTES at the end of the file for repro notes
  - Could probably be improved. Works as of now and created a 4GB vs 3.02GB docker image I'm uploading now.
- CircleCI bumped to use v0.0.9 version including this
- CircleCI now depending on flake.lock for all cache layers. Will rebuild clean once again

So now we have qemu with canokey support in image, nix basic tools inside of container. Possible to call docker with DISPLAY, see NIX_REPRO_NOTES as of now.
That feels nice. No need for a USB security dongle to have TPM based TPMTOTP nor detach sign? Not tested but the feature is there

TODO:
- make docker creation nicer in the Nix way.
- Add canokey support under targets/qemu.mk
- add canokey board version

At least we have reproducible stack and testing stack being in same docker image. Docker image moved from 991.18MB (v0.0.8) to 1.18GB (v0.0.9)
- And I tried to clean binaries of symbols here! Seems like I do not know enough of the Nix way here.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 20:51:18 -04:00
Thierry Laurion
6070d8f6f0
CircleCI: use tlaurion/heads-dev-env:v0.0.8 which includes AC_LOCAL export of develop env into the docker image. Works locally for talos-2 board build.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:03:09 -04:00
Thierry Laurion
19bccf0cbd
Revert "modules/tpm2-tss: just remove LT_LIB_DLLOAD from aclocal generated file since there is no easy way of fixing this"
This reverts commit 6a1791112de451509d81e03bce5bdd6b1a49a79f.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:03:04 -04:00
Thierry Laurion
5b2b4dc0fd
flake.nix: add exporting of AC_LOCAL which was not exported in devenv.sh.
Was causing another ac macro misbehavior since host ac was not considered by aclocal and autoreconf

TODO: Might want to revert 6a1791112de451509d81e03bce5bdd6b1a49a79f if talos-2 board is able to build 3rdparty/sb-sign-tool

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:03:00 -04:00
Thierry Laurion
50ab1c5b88
modules/patches slang: bump to version 2.3.3 so we can disable termcap without hacking around
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:02:55 -04:00
Thierry Laurion
9a72d9545a
CircleCI: use tlaurion/heads-dev-env:v0.0.7 which includes openssl in flake.nix for talos-2 board's linux config
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:02:50 -04:00
Thierry Laurion
89181181df
flake.nix: add openssl requirement to build talos-2 board's kernel
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:02:45 -04:00
Thierry Laurion
35530f9115
modules/msrtools : add missing MAKE_JOBS for parallel builds
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:02:41 -04:00
Thierry Laurion
fa60bf7dfb
modules/tpm2-tss: just remove LT_LIB_DLLOAD from aclocal generated file since there is no easy way of fixing this
nix doesn't provide an equivalent of libltdl-dev, so just wipe the remnant of old ages if present
https://github.com/tpm2-software/tpm2-tss/issues/2161

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:02:36 -04:00
Thierry Laurion
76c20847da
CircleCI: add CircleCI step to source manually /devenv.sh in build_board additional step
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:02:31 -04:00
Thierry Laurion
70a9f93ddf
Revert "CirlceCI: use docker v0.0.6 which flake.nix jumped from zlib/zlib.dev to zlib-ng"
This reverts commit 9052d2b562162183fa201ebf89c75be904d87281.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
2024-05-02 13:02:26 -04:00