- Upstream boards will not deactivate TPM DUK
- Upstream will not force BRAND_NAME which currently defaults to Heads
- Upstream will not deactivate Qr code on screen output on HOTP sealing
- Upstream will not offer OEM reset defaults (deprecated and now default anyway)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Update all Librems except L1UM (but including L1UM v2) to Linux 6.1.8.
Use coreboot native graphics init. Raise maximum framebuffer size for
laptops to 3840x2160 (desktops default to this, but laptops default
to a lower value). Remove DRM modules from Linux 6.1.8 and add EFIFB.
Remove Heads kernel command line options relating to IOMMU and i915,
which are no longer needed. Remove OS kernel options relating to
IOMMU.
For Librem 13/15/14/Mini, this fixes issues booting with 4K displays
attached, which were resulting in crashes due to the framebuffer memory
not being reserved properly. memtest86+ now passes with a 4K display
attached.
For Librem L1UM v2, framebuffer boot now works.
Librem L1UM remains on Linux 5.10 with Heads kernel graphic init
(framebuffer boot still does not work). coreboot 4.11 has native
graphics init for Aspeed, but only in text mode. Backporting the
linear framebuffer support appears to be possible - the patch applied
cleanly - but it did not work initially and will need more
investigation.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
These boards get purism-blobs as a submodule of the purism coreboot
fork. modules/coreboot used to skip the purism-blobs dependency for
this fork, but the module is not needed at all for these boards.
librem_l1um keeps CONFIG_PURISM_BLOBS=y since it is built from patched
coreboot 4.11.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Currently Heads will check files in /boot for tampering before booting
into a system. It would be nice if you could use the trusted environment
within Heads and extend this to check files in / itself. This new script
adds that functionality, however due to the length of time it takes to
perform these kinds of checks, it doesn't run automatically (yet).
This feature can be configured from the config GUI - the root device/
directories to check can be set, and it can be configured to run during
boot.
To make this a bit easier to use, I added a feature to detect whether
the hash file exists and if not, to display a more limited menu to the
user guiding them to create the initial hash file. Otherwise it will
display the date the file was last modified, which can be useful to
determine how stale it is.
Unify the CONFIG_BOOT_KERNEL_ADD/REOVE parameters for all
Librem boards. Ensure IOMMU disabled for the GPU, and that
duplicated IOMMU params are not passed to the kernel.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Update all Purism Librem boards except the L1UM server
to coreboot 4.15:
- update coreboot version from 4.8.1/4.13 to 4.15
- use purism_blobs module (if not already)
- update board coreboot defconfig files (Librem 13/15)
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>