Commit Graph

1751 Commits

Author SHA1 Message Date
Jonathon Hall
ff8ec2fd5b
qemu*tpm2*: Manufacture TPM2
Invoke swtpm_setup --create-config-files skip-if-exist to create local
CA files under the current user account, so user does not need
read/write access to /var/lib/swtpm-localca.

Pass --tpm2 to manufacture a TPM2 instead of TPM1.2.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:45 -05:00
Jonathon Hall
7ea606524b
gui-init: Remove TPM2 primary handle hash when resetting TPM
Resetting the TPM invalidates the primary handle hash, and
kexec-save-default only generates a hash if none exists.  Remove the
hash file when it is invalidated.

OEM reset and "Reset Configuration" both already remove all kexec
files.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:44 -05:00
Jonathon Hall
4e375ad7ca
tpm2-tools: Remove curl dependency
The actual use of curl was already removed, update tpm2-tools patch to
also remove the check for curl.  Remove the curl module and
CONFIG_CURL.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-03-08 12:45:44 -05:00
Thierry Laurion
8da5d5d723
Add dual support for real bash and busybox's bash(ash)
- modify bash to have it configured with -Os
2023-03-08 12:45:44 -05:00
Thierry Laurion
6923fb5e20
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards
-coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations)
-swtpm set to be launched under TPM v2.0 mode under board config
-Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized)
This is skeleton for TPM v2 integration under Heads

-------------
WiP

TODO:
- libcurl cannot be built as a tpm2-tools dependency as of now not sure why. curl currently needs to be added in board config to be built
- Note: tpm-reset (master and here) needs some review, no handle of no tpm use case. Caller is responsible to not call it otherwise does nothing
- init tries to bind fd and fails currently
- Note: Check if whiptail is different of fbwhiptail in clearing screen. As of now every clear seems to be removed, still whiptail clears previous console output
- When no OS' /boot can be mounted, do not try to TPM reset (will fail)

- seal-hotpkey is not working properly
- setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM)
  - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is TPM disk unlock kye passphrase.
- primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is setuped correctly at disk unlock key setup
- would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes ash in consideration only
- tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help.
  - Implementing them would be better
- REVIEW TODOS IN CODE
- READD CIRCLECI CONFIG

Current state:
- TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid)
- TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures in inconsistent with sealed with/without.
 - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails.

- Current tests are with fbwhiptail (no clear called so having traces on command line of what happens)
 - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
2023-03-08 12:45:43 -05:00
tlaurion
b2dcebb50a
Merge pull request #1121 from tlaurion/pass_O2_to_Os 2023-03-08 08:37:59 -05:00
Thierry Laurion
907e906f01
Pass -O3 and -O2 (optimize for speed) to -Os (Optimize for space)
Adresses @easrentai suggestion to pass modules build optimization for space here: #590 (comment)

- Uniformized module's $(CROSS_TOOLS) being passed as environment variable, prior of ./configure call

Doesn't work for:
- busybox (HOSTCXXFLAGS="-Os" attempted prior of ./configure call)
- zlib (CFLAGS="-Os" attempted prior of ./configure call)
- npth (CFLAGS="-Os" attempted prior of ./configure call)
2023-03-07 18:05:39 -05:00
tlaurion
15e9d0b6f3
Merge pull request #1330 from tlaurion/coreboot_do_not_rebuild_builstack_at_each_make
modules/coreboot: do not rebuild version specific coreboot's builstack at each board's make
2023-03-07 16:07:09 -05:00
Thierry Laurion
47bd80a0ec
modules/coreboot: Do not rebuild coreboot buildstack when built
.xcompile was not found because it was quoted and shouldn't in coreboot module's makefile

Prior:
    stat("\"/home/user/heads/build/x86/coreboot-4.13/.xcompile\"", 0x7ffe56e6cfd0) = -1 ENOENT (No such file or directory)
    pipe([3, 4])                            = 0
    fcntl(4, F_GETFD)                       = 0
    fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
    fcntl(3, F_GETFD)                       = 0
    fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
    prlimit64(0, RLIMIT_NOFILE, NULL, {rlim_cur=1024, rlim_max=1024*1024}) = 0
    prlimit64(0, RLIMIT_NOFILE, NULL, {rlim_cur=1024, rlim_max=1024*1024}) = 0
    stat("/usr/bin/env", {st_mode=S_IFREG|0755, st_size=48480, ...}) = 0
    geteuid()                               = 1000
    getegid()                               = 1000
    getuid()                                = 1000
    getgid()                                = 1000
    access("/usr/bin/env", X_OK)            = 0
    mmap(NULL, 36864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7ce2be6fd000
    rt_sigprocmask(SIG_BLOCK, ~[], [CHLD], 8) = 0
    clone(child_stack=0x7ce2be705ff0, flags=CLONE_VM|CLONE_VFORK|SIGCHLD) = 305342
    munmap(0x7ce2be6fd000, 36864)           = 0
    rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0
    close(4)                                = 0
    read(3, "2\n", 200)                     = 2
    read(3, "", 198)                        = 0
    close(3)                                = 0
    wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 305342
    fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0
    write(1, "make -C \"/home/user/heads/build/"..., 74make -C "/home/user/heads/build/x86/coreboot-4.13" CPUS=2 "crossgcc-i386"
    ) = 74
    rt_sigprocmask(SIG_BLOCK, [HUP INT QUIT TERM XCPU XFSZ], NULL, 8) = 0
    stat("/usr/bin/env", {st_mode=S_IFREG|0755, st_size=48480, ...}) = 0
    geteuid()                               = 1000
    getegid()                               = 1000
    getuid()                                = 1000
    getgid()                                = 1000
    access("/usr/bin/env", X_OK)            = 0
    mmap(NULL, 36864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7ce2be6fd000
    rt_sigprocmask(SIG_BLOCK, ~[], [HUP INT QUIT TERM CHLD XCPU XFSZ], 8) = 0
    clone(child_stack=0x7ce2be705ff0, flags=CLONE_VM|CLONE_VFORK|SIGCHLD) = 305343
    munmap(0x7ce2be6fd000, 36864)           = 0
    rt_sigprocmask(SIG_SETMASK, [HUP INT QUIT TERM CHLD XCPU XFSZ], NULL, 8) = 0
    rt_sigprocmask(SIG_UNBLOCK, [HUP INT QUIT TERM XCPU XFSZ], NULL, 8) = 0
    wait4(-1, make[1]: Entering directory '/home/user/heads/build/x86/coreboot-4.13'
    Welcome to the coreboot cross toolchain builder v ()

    Building toolchain using 2 thread(s).

    Target architecture is i386-elf

    Found compatible Ada compiler, enabling Ada support by default.

    Downloading and verifying tarballs ...
     * gmp-6.2.0.tar.xz (cached)... hash verified (052a5411dc74054240eec58132d2cf41211d0ff6)
     * mpfr-4.1.0.tar.xz (cached)... hash verified (159c3a58705662bfde4dc93f2617f3660855ead6)
     * mpc-1.2.0.tar.gz (cached)... hash verified (0abdc94acab0c9bfdaa391347cdfd7bbdb1cf017)
     * binutils-2.35.tar.xz (cached)... hash verified (6bdd090ce268b6d6c3442516021c4e4b5019e303)
     * gcc-8.3.0.tar.xz (cached)... hash verified (c27f4499dd263fe4fb01bcc5565917f3698583b2)
    Downloaded tarballs ... ok
    Unpacking and patching ...
     * gmp-6.2.0.tar.xz
       o gmp-6.2.0_generic-build.patch
     * mpfr-4.1.0.tar.xz
    ^C0x7ffe56e6ef40, 0, NULL)      = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
    strace: Process 305153 detached

After:
    stat("/home/user/heads/build/x86/coreboot-4.13/.xcompile", 0x7ffd0303c7f0) = -1 ENOENT (No such file or directory)
    pipe([3, 4])                            = 0
    fcntl(4, F_GETFD)                       = 0
    fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
    fcntl(3, F_GETFD)                       = 0
    fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
    prlimit64(0, RLIMIT_NOFILE, NULL, {rlim_cur=1024, rlim_max=1024*1024}) = 0
    prlimit64(0, RLIMIT_NOFILE, NULL, {rlim_cur=1024, rlim_max=1024*1024}) = 0
    stat("/usr/bin/env", {st_mode=S_IFREG|0755, st_size=48480, ...}) = 0
    geteuid()                               = 1000
    getegid()                               = 1000
    getuid()                                = 1000
    getgid()                                = 1000
    access("/usr/bin/env", X_OK)            = 0
    mmap(NULL, 36864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x740f6e370000
    rt_sigprocmask(SIG_BLOCK, ~[], [CHLD], 8) = 0
    clone(child_stack=0x740f6e378ff0, flags=CLONE_VM|CLONE_VFORK|SIGCHLD) = 306024
    munmap(0x740f6e370000, 36864)           = 0
    rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0
    close(4)                                = 0
    read(3, "2\n", 200)                     = 2
    read(3, "", 198)                        = 0
    close(3)                                = 0
    wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 306024
    fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0
    write(1, "make -C \"/home/user/heads/build/"..., 74make -C "/home/user/heads/build/x86/coreboot-4.13" CPUS=2 "crossgcc-i386"
    ) = 74
    rt_sigprocmask(SIG_BLOCK, [HUP INT QUIT TERM XCPU XFSZ], NULL, 8) = 0
    stat("/usr/bin/env", {st_mode=S_IFREG|0755, st_size=48480, ...}) = 0
    geteuid()                               = 1000
    getegid()                               = 1000
    getuid()                                = 1000
    getgid()                                = 1000
    access("/usr/bin/env", X_OK)            = 0
    mmap(NULL, 36864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x740f6e370000
    rt_sigprocmask(SIG_BLOCK, ~[], [HUP INT QUIT TERM CHLD XCPU XFSZ], 8) = 0
    clone(child_stack=0x740f6e378ff0, flags=CLONE_VM|CLONE_VFORK|SIGCHLD) = 306025
    munmap(0x740f6e370000, 36864)           = 0
    rt_sigprocmask(SIG_SETMASK, [HUP INT QUIT TERM CHLD XCPU XFSZ], NULL, 8) = 0
    rt_sigprocmask(SIG_UNBLOCK, [HUP INT QUIT TERM XCPU XFSZ], NULL, 8) = 0
    wait4(-1, make[1]: Entering directory '/home/user/heads/build/x86/coreboot-4.13'
    Welcome to the coreboot cross toolchain builder v ()

    Building toolchain using 2 thread(s).

    Target architecture is i386-elf

    Found compatible Ada compiler, enabling Ada support by default.

    Downloading and verifying tarballs ...
     * gmp-6.2.0.tar.xz (cached)... hash verified (052a5411dc74054240eec58132d2cf41211d0ff6)
     * mpfr-4.1.0.tar.xz (cached)... hash verified (159c3a58705662bfde4dc93f2617f3660855ead6)
     * mpc-1.2.0.tar.gz (cached)... hash verified (0abdc94acab0c9bfdaa391347cdfd7bbdb1cf017)
     * binutils-2.35.tar.xz (cached)... hash verified (6bdd090ce268b6d6c3442516021c4e4b5019e303)
     * gcc-8.3.0.tar.xz (cached)... hash verified (c27f4499dd263fe4fb01bcc5565917f3698583b2)
    Downloaded tarballs ... ok
    Unpacking and patching ...
     * mpfr-4.1.0.tar.xz
     * mpc-1.2.0.tar.gz
     * binutils-2.35.tar.xz
    ^C0x7ffd0303e760, 0, NULL)      = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
    strace: Process 305835 detached

So coreboot buildstack is built once per version and then reused on next board builds.
Saves precious CI and local builds when developing with qemu/kvm.
2023-03-07 15:38:44 -05:00
tlaurion
96a20a7456
Merge pull request #1329 from tlaurion/repro_fix-util-linux
Fix util-linux reproducibility issue (libblkid.so.1)
2023-03-07 11:17:14 -05:00
Thierry Laurion
c323fb4d8b
patches/util-linux: patch configure script so that all hardcode_into_libs=yes -> hardcode_into_libs=no 2023-03-07 11:02:17 -05:00
tlaurion
3ac896bb67
Merge pull request #1282 from rbreslow/rb/support-t440p 2023-02-28 15:23:16 -05:00
Rocky Breslow
1dd9c266a8
CircleCI: Make the T440p depend on Librem boards
This change will improve build times by allowing the T440p to share the
Coreboot 4.17 cache with the Librem boards. Once we update the other
ThinkPad boards to use Coreboot 4.19, we'll make the T440p depend on the
X230 again.

Co-authored-by: Thierry Laurion <insurgo@riseup.net>
2023-02-28 14:14:56 -05:00
Rocky Breslow
e4a09e81bb
Add T440p blobs documentation 2023-02-28 11:58:34 -05:00
Rocky Breslow
63eab714e5
Make T440p scripts work with relative paths
Because we're using pushd/popd to make the Coreboot util invocation
cleaner, we need to use realpath so that the scripts will work with any
user input.
2023-02-28 11:58:29 -05:00
Rocky Breslow
3efec15dc7
CircleCI: Install crosfirmware.sh dependencies
We need extra dependencies to support Coreboot's util/crosfirmware.sh to
extract the T440p's mrc.bin.
2023-02-25 21:28:29 -05:00
Rocky Breslow
5083ba356c
Add the T440p to CircleCI 2023-02-25 19:53:48 -05:00
Rocky Breslow
1dc5d4eb99
Make T440p Coreboot build depend on blob files
Now, when you run `make BOARD=any-t440p-variant`, the build system
automatically fetches mrc.bin and me.bin.
2023-02-25 19:53:47 -05:00
Rocky Breslow
144f9c147e
Make T440p scripts use Coreboot from environment
Before, the T440p blob scripts would look for Coreboot using the find
command. Now, we require the user to specify the path to Coreboot in the
COREBOOT_DIR environment variable. Also, add an output directory
argument to each script.

These changes will make it easier to integrate with the Heads build
system and CI.
2023-02-25 19:53:47 -05:00
Rocky Breslow
e6c34bda55
Add T440p gbe.bin blob
- I extracted the gbe.bin blob from my T440p's original ROM using the
  blobs/t440p/extract script.
- Using a hex editor, I corrected the sign bit in part 0 that I found
  was malformed in my analysis:
  https://github.com/osresearch/heads/pull/1282#issuecomment-1400634600.
- After correcting the sign bit, nvmutil showed that both parts of my
  gbe.bin blob had valid checksums.
- Finally, I used nvmutil to set the MAC address to 00🇩🇪ad:c0:ff:ee.
2023-02-25 19:53:47 -05:00
Rocky Breslow
7c32d4ed66
Add T440p ifd.bin blob
I extracted the ifd.bin blob from my T440p using the blobs/t440p/extract
script.
2023-02-25 19:53:46 -05:00
Rocky Breslow
936840415c
Rename T440p export-blobs script to extract
More aligned with the naming conventions of xx20 and xx30's extract.sh.
2023-02-25 19:53:46 -05:00
tlaurion
c4b964c80f
Merge pull request #1318 from JonathonHall-Purism/fix-pkg-config-cross-compilation
Makefile: Fix cross compilation variables for pkg-config
2023-02-22 11:46:36 -05:00
Jonathon Hall
7592efcf99
Makefile: Fix cross compilation variables for pkg-config
pkg-config will still pick up system default directories from
PKG_CONFIG_LIBDIR even if PKG_CONFIG_PATH is set.  Per the docs,
cross compilation requires clearing PKG_CONFIG_PATH and setting
PKG_CONFIG_LIBDIR (which is always searched after PKG_CONFIG_PATH).

Fixes issues observed in tpm2_retry branch picking up packages from
host environment.

Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
2023-02-21 13:46:03 -05:00
tlaurion
5c7148f18d
Merge pull request #1305 from echo-84/yubikey-oem-factory-reset 2023-02-21 12:06:35 -05:00
tlaurion
8b479b06cc
Merge pull request #1317 from tlaurion/fix-sh_argument_expected
Add DEBUG statements in code and fix "sh: argument expected"
2023-02-20 14:11:27 -05:00
Thierry Laurion
8259d3ca1e
Add TRACE function tracing function to output on console when enabled
- Add TRACE function tracing output under etc/functions, depending on CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT enabled in board configs
- Replace current DEBUG to TRACE calls in code, reserving DEBUG calls for more verbose debugging later on (output of variables etc)
- add 'export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y' in qemu-coreboot(fb)whiptail-tpm1(-hotp) boards to see it in action
2023-02-20 11:44:52 -05:00
Thierry Laurion
5fbbbbc3f7
gui-init: fix sh: argument expected 2023-02-18 21:52:54 -05:00
Thierry Laurion
5bc2bc88e4
All scripts and functions: Add DEBUG calling trace on console when CONFIG_DEBUG_OUTPUT is exported in board config
-qemu-coreboot-*whiptail-tpm1(-hotp) boards have 'export CONFIG_DEBUG_OUTPUT=y' by default now
2023-02-18 21:52:44 -05:00
tlaurion
9676c794a2
Merge pull request #1315 from tlaurion/qemu-coreboot-tpm_typo-fix
Fix reported typo under #1314
2023-02-17 14:42:35 -05:00
Thierry Laurion
16321dc40a
Fix reported typo under #1314 2023-02-17 14:41:16 -05:00
tlaurion
ffd8ab9ac5
Merge pull request #1301 from tlaurion/reduce_coreboot_configuration_duplicates-label_legacy_boards_correctly
xx20/xx30: Reduce coreboot configuration duplicates + label legacy boards correctly
2023-02-15 11:53:31 -05:00
Thierry Laurion
011276350b
CircleCI: change board names to reflect board name changes (legacy tagged correctly) 2023-02-09 12:51:07 -05:00
Thierry Laurion
03631a5e33
xx30: rename legacy boards names, remove coreboot config duplicates 2023-02-09 12:50:56 -05:00
Thierry Laurion
225741b4cd
remove coreboot-hotp* duplicates, have boards configs point to non-hotp maximized equivalents 2023-02-09 12:34:33 -05:00
tlaurion
5b6370c70c
Merge pull request #1298 from tlaurion/fixup_xx20_xx30_cbfs_size
xx20/xx30 maximized coreboot configs: Fix CONFIG_CBFS_SIZE to reflect ifd.bin's BIOS region (xx20: gain of 0.59mb, xx30: gain of 0.4mb
2023-02-09 12:33:35 -05:00
Thierry Laurion
e7f1e3e7a7
xx20/xx30 maximized coreboot configs: Fix CONFIG_CBFS_SIZE to reflect ifd.bin's BIOS regions.
The calculations outlined at https://github.com/osresearch/heads/pull/1282#discussion_r1072473677
Sums to having 'ifdtool -f layout.txt ifd_shrinked.bin && cat layout.txt'
The example for T440p:
00000000:00000fff fd
00021000:00bfffff bios
00003000:00020fff me
00001000:00002fff gbe

Here: 00bfffff-00021000=BDEFFF
Which is exact result of @rbeslow's calculations.

There is an issue on haswell, maybe because of car, maybe because of non native memory init blob.
But this is not the case for xx20/xx30 boards.
2023-02-09 12:28:59 -05:00
tlaurion
77f8d5a4f6
Merge pull request #967 from tlaurion/x230-maximized-fhd
Add x230-maximized-fhd_edp and x230-hotp-maximized-fhd_edp boards
2023-02-09 12:24:54 -05:00
tlaurion
8ec0cd377a
Merge pull request #1309 from tlaurion/osresearch_net-back
README: point to https://osresearch.net again (DNS name renewed)
2023-02-08 11:34:56 -05:00
Thierry Laurion
4ac16e0368
README: point to https://osresearch.net again (DNS name renewed) 2023-02-08 11:32:50 -05:00
tlaurion
305851ab4b
Temporary mitigation to osresearch.net having expired
Temporal mitigation to https://github.com/osresearch/heads/issues/1308 and https://github.com/osresearch/heads-wiki/issues/122
2023-02-07 11:42:35 -05:00
builder
e900d2027a Check Signature PIN and toggle forcesig if not forced 2023-02-01 20:34:07 -06:00
tlaurion
411ca09f73
Merge pull request #1304 from tlaurion/CircleCI_informe_where_full_build_logs_are
CircleCI step name change : Make Board -> Make Board (FULL ORDERED BUILD LOGS HERE UNTIL JOB FAILED)
2023-01-31 19:07:22 -05:00
Thierry Laurion
074d19875c
CircleCI step name change : Make Board -> Make Board (FULL ORDERED BUILD LOGS HERE UNTIL JOB FAILED) 2023-01-31 19:06:33 -05:00
Thierry Laurion
2b05a6b42c
Add x230-maximized-fhd_edp and x230-hotp-maximized-fhd_edp boards
- add x230-maximized-fhd_edp and x230-hotp-maximized-fhd_edp board configs
- add/rework coreboot patch for x230 fhd variant to be applied on top of 4.13
- add coreboot config to point to x230-edp variant, fixing path to vbt file since default path is wrong under. Comment made upstream https://review.coreboot.org/c/coreboot/+/28950/22#message-4904ce82f01ba0505b391e072e4537b6a9f1a229
  - remove no gfx init and replace with libgfxinit(defonfig default), set internal display as default
- add x230-hotp-maximized-fhd_edp and x230-maximized-fhd_edp to CircleCI builds
- One single shared coreboot config between boards/x230-hotp-maximized-fhd_edp/x230-hotp-maximized-fhd_edp.config and boards/x230-maximized-fhd_edp/x230-maximized-fhd_edp.config
- Coreboot 4.13 patch from coreboot at patches/coreboot-4.13/0002-x230-fhd-variant.patch
- config/coreboot-x230-maximized-fhd_edp.config points to seperate coreboot config per patch (CONFIG_BOARD_LENOVO_X230_EDP)
2023-01-31 09:58:43 -05:00
tlaurion
1c68befc59
Merge pull request #1296 from tlaurion/new_tails_key
/etc/distro/keys/tails.key: Replace with updated and minimized one
2023-01-27 16:07:55 -05:00
tlaurion
7be67e4992
Merge pull request #1297 from tlaurion/usb-scan_moved_to-media-scan
usb-scan->media-scan: usb-init calling media-scan usb
2023-01-27 16:07:17 -05:00
tlaurion
f440ad3d31
Merge pull request #1284 from tlaurion/hardenedvault-crypttab-path_remix_enable_discard
WiP : TPM disk unlock key setup (kexec-save-key) reuses OS initrd's crypttab files as base for /secret.key override (kexec-insert-key)
2023-01-27 13:31:44 -05:00
Thierry Laurion
150b95a034
TPM disk unlock key setup: Automatically override selected default boot option's initrd's crypttab file(s) to point to LUKS decryption key in injected cpio
- kexec-save-default extracts initrd crypttab files and creates /boot/kexec_initrd_crypttab_overrides.txt entries pointing to /secret.key
- kexec-insert-key applies /boot/kexec_initrd_crypttab_overrides.txt to replace initrd's crypttabs files pointing to inserted /secret.key through cpio
- Both scripts inform the user of applied magic on screen
2023-01-27 13:27:17 -05:00
HardenedVault
8a60930c6b
Make the path to crypttab within initramfs overridable
Not all distro put crypttab under /etc/ within initramfs, but finding it at
runtime needs unpacking, which may be hard to do, so it is made overridable
with a file at /boot/kexec_initrd_crypttab_path.txt, whose content could be
obtained with $ cpio -t < ${uncompressed_initrd} | grep crypttab .

The "target" field of the record within the crypttab stored in the root
file system for the luks container which is going to be unlocked via
kexec-insert-key should be modified into the same "luks-$uuid" format,
otherwise the boot sequence will get stuck when OS is trying to unlock them
again, in order to map them according to "target" fields written in the
crypttab stored in the root fs.
2023-01-27 12:56:32 -05:00