Commit Graph

1710 Commits

Author SHA1 Message Date
tlaurion
0d5b3d75e7
Merge pull request #962 from MrChromebox/update_hotp_verification
modules/hotp-verification: Update module to latest version
2021-01-13 12:52:40 -05:00
Matt DeVillier
df02fd934a
modules/hotp-verification: Update module to latest version
Update nitrokey-hotp-verification to upstream master, which
pulls in 2 changes:
- update OTP secret length from 20 bytes to 40 bytes
- fixes handling for branding strings containing spaces

Test: build/boot Librem 13v4, verify LK verification working

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2021-01-13 10:35:13 -06:00
Thomas Clarke
31edd87c89
Add CONFIG_CPU_MICROCODE_CBFS_NONE=y to KGPE-D16 Coreboot configs. This disables microcode being included and loaded by Coreboot because of a current issue in which newer kernels panic when doing so.
Added note to KGPE-D16 configs about the current microcode bug, why microcode is not included and encouraging AMD Opteron 6300 series users to make sure their operating system loads microcode.
2021-01-07 19:24:10 +00:00
Thomas Clarke
9bdf3e01dc
Update all Librem and KGPE-D16 board to build with Linux 5.10.5. Update KGPE-D16 and Librem linux configs to 5.10.5 with make savedefconfig. 2021-01-07 19:24:09 +00:00
Thomas Clarke
194edf5424
modules/linux: Add support for building against Linux 5.10.5. All patches besides 0000-efi_bds.patch port cleanly. As a result of 0000-efi_bds.patch missing, it is strongly encouraged that no linuxboot boards use Linux 5.10.5 until a proper review has been done. 2021-01-07 19:24:03 +00:00
tlaurion
6bc40d7a70
Merge pull request #943 from Tonux599/kgpe-d16-flashrom-fix
Kgpe d16 flashrom fix
2021-01-06 20:13:41 -05:00
tlaurion
9af0981473
Merge pull request #954 from tlaurion/coreboot_remove_any_toolchain
coreboot configs : remove CONFIG_ANY_TOOLCHAIN in coreboot configs
2021-01-05 21:24:25 -05:00
Thierry Laurion
7d10edb661
coreboot configs : CONFIG_ANY_TOOLCHAIN=y is not needed anymore since built against coreboot's version muslcross built toolchain. 2021-01-05 13:20:17 -05:00
tlaurion
5f0a0ac3cc
Merge pull request #952 from tlaurion/xx30-flash_remove_12mb_image
xx30-flash boards: produce top.rom and remove 12mb rom for clarity
2021-01-05 10:47:10 -05:00
tlaurion
d8c0ef0735
Merge pull request #950 from tlaurion/CircleCI_coreboot_cache
CircleCI: Add coreboot+musl-cross cache
2021-01-04 18:25:16 -05:00
Thierry Laurion
d364336913
xx30-flash boards: produce top.rom and remove 12mb rom for clarity 2021-01-04 12:19:09 -05:00
Thierry Laurion
7d2ba3d0b8
coreboot module: CPUS=$$CPUS -> CPUS=$(CPUS) 2021-01-03 23:07:51 -05:00
Thierry Laurion
bbaa049ad1
coreboot buildgcc: TEMPORARY HACK: gnu mirrors are failing because of https errors. Falling back to http. 2021-01-03 21:14:50 -05:00
Thierry Laurion
62a90ed3be
CircleCI: Add coreboot+musl-cross cache
The idea here is a cache to restore from (musl-cross from coreboot version bound crosscomipler, from which coreboot is built)

1- Reuse existing cache for all modules and patches created digest's hash past build matching cache.
(If a single module or patch changes, we have cache miss.)
2- Reuse existing coreboot and musl-cross-make created digest's hash past build's matching cache
(If a patch was added to current coreboot, or new coreboot version was added in coreboot module definition, we have a cache miss.)
3- Reuse existing musl-cross-make created digest's hash past build matching cache
(If musl-cross-make module didn't change, we don't rebuild it.)

Per https://github.com/osresearch/heads/pull/947#issuecomment-753507412 proposition
2021-01-03 21:14:44 -05:00
tlaurion
69075fa738
Merge pull request #948 from tlaurion/gpg2_default_RSA3072
oem-factory-reset: set default KEY_LENGTH to 3072 and change expectation management message to console
2021-01-03 12:32:43 -05:00
tlaurion
817e6a3068
Merge pull request #945 from tlaurion/busybox-fix-1.32
busybox: CONFIG_BASH_IS_ASH is incompatible with CONFIG_BASH_IS_NONE
2020-12-30 20:36:31 -05:00
Thierry Laurion
ee23fe9d3b
busybox: CONFIG_BASH_IS_ASH is incompatible with CONFIG_BASH_IS_NONE. Disabling the latter. 2020-12-30 20:31:37 -05:00
Thomas Clarke
a1f29410be
modules/flashrom: Enable AST1100 in flashrom. This will allow user to flash the BMC internally for KGPE-D16. 2020-12-30 19:18:04 +00:00
Thomas Clarke
aba13a9c55
modules/flashrom: Fixes two issues:
* Flashrom was being fetched with git and was always using `master`
* No patches were being applied (i.e. `0100-enable-kgpe-d16.patch` was being ignored).
2020-12-30 19:17:54 +00:00
tlaurion
69eb819958
Merge pull request #909 from Thrilleratplay/bash_is_ash
feat(busybox): set CONFIG_BASH_IS_ASH
2020-12-30 13:06:04 -05:00
tlaurion
4addeab3f5
Merge pull request #900 from tlaurion/busybox-1_32
Upgrade busybox to 1.32
2020-12-30 13:05:49 -05:00
tlaurion
7c686d576f
Merge pull request #938 from tlaurion/revert-coreboot_musl-cross-make
coreboot: revert building coreboot against musl-cross-make.
2020-12-30 13:04:50 -05:00
Thierry Laurion
8e4485347e
coreboot: revert building coreboot against musl-cross-make.
coreboot: correct $$CPUS -> $(CPUS)
2020-12-29 17:06:54 -05:00
tlaurion
b06a26f814
Merge pull request #932 from MrChromebox/coreboot_4.13
modules/coreboot: bump 4.12 build option to 4.13
2020-12-29 16:57:35 -05:00
Thierry Laurion
e9eedc4717
Upgrade busybox to 1.32
+CONFIG_STACK_OPTIMIZATION_386=y
+CONFIG_FLOAT_DURATION=y
+CONFIG_FEATURE_RTMINMAX_USE_LIBC_DEFINITIONS=y
+CONFIG_FEATURE_EDITING_WINCH=y
+CONFIG_BZIP2_SMALL=8
+CONFIG_FEATURE_CP_REFLINK=y
+CONFIG_MKTEMP=y
+CONFIG_PRINTF=y
+CONFIG_SYNC=y
+CONFIG_FEATURE_SYNC_FANCY=y
+CONFIG_CMP=y
+CONFIG_DIFF=y
+CONFIG_PATCH=y
+CONFIG_FEATURE_FIND_EXECUTABLE=y
+CONFIG_FEATURE_FIND_QUIT=y
+CONFIG_FEATURE_FIND_EMPTY=y
+CONFIG_FEATURE_GPT_LABEL=y
+CONFIG_MKFS_VFAT=y
+CONFIG_DC=y
+CONFIG_FEATURE_LESS_RAW=y
+CONFIG_FEATURE_LESS_ENV=y
+CONFIG_FEATURE_NSLOOKUP_BIG=y
+CONFIG_FEATURE_NSLOOKUP_LONG_OPTIONS=y
+CONFIG_FEATURE_NTP_AUTH=y
+CONFIG_FEATURE_TFTP_HPA_COMPAT=y
+CONFIG_PIDOF=y
+CONFIG_FEATURE_PIDOF_SINGLE=y
+CONFIG_FEATURE_PIDOF_OMIT=y
+CONFIG_SHELL_ASH=y
+CONFIG_ASH_BASH_NOT_FOUND_HOOK=y
+CONFIG_FEATURE_SH_MATH_BASE=y
+CONFIG_FEATURE_SH_EMBEDDED_SCRIPTS=y

This commit changes used compressed space from 6851524 -> 6863812.
Coherent reduction of free available space being 143768 -> 131480 before saturation.

Net increase of 24kB for busybox binary:

    busybox 1.28 : 484kB
    busybox 1.32: 508kB

Increase of 15kB of needed BIOS region space:

    ROM's initrd.cpio.xz with busybox 1.28: 3839kB
    ROM's initrd.cpio.xz with busybox 1.32: 3854kB
2020-12-29 16:49:08 -05:00
tlaurion
46ff6c56cb
Merge pull request #942 from tlaurion/circleci_kgpe-d16_fix
CircleCI: seperate build error from details for KGPE-D16 (par to other boards)
2020-12-28 21:39:46 -05:00
Thierry Laurion
2da03d2ef0
CircleCI: seperate build error from details for KGPE-D16 (par to other boards) 2020-12-27 17:33:57 -05:00
tlaurion
ba8ddd2308
Merge pull request #941 from synackd/coreboot-cpus
coreboot: Pass $CPUS to coreboot make target unerroneously
2020-12-27 17:16:16 -05:00
Devon Bautista
d2b41c5249
modules/coreboot: $$CPUS --> $(CPUS) 2020-12-26 13:37:36 -08:00
tlaurion
6ed1f3ab31
Merge pull request #940 from synackd/qemu-linuxboot-cpus
linuxboot: Pass $CPUS to edk2/OvmfPkg/build.sh unerroneously
2020-12-26 16:13:49 -05:00
Devon Bautista
b85dadee76
modules/linuxboot: $$CPUS --> $(CPUS) 2020-12-26 12:19:10 -08:00
Matt DeVillier
883ac669a8
modules/coreboot: bump 4.12 build option to 4.13
- update module hash and blobs hash
- drop patches no longer needed; migrate those that remain
- adjust Librem Mini/Mini v2 board configs

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
2020-12-14 21:03:32 -06:00
tlaurion
a81ae6ed5b
Merge pull request #930 from tlaurion/xx20_hotp_fix
xx20-hotp-maximized: forgot to fix path to initrd, failed under CI.
2020-12-13 12:22:15 -05:00
Thierry Laurion
bead24c4eb
xx20-hotp-maximized: forgot to fix path to initrd, failed under CI. 2020-12-13 12:17:15 -05:00
tlaurion
0f1f547eb1
Merge pull request #928 from tlaurion/xx20_boards_correction
(WiP) xx20 boards: add xx20-hotp-maximized & remove HOTP and NITROCLI support from xxx0-maximized boards
2020-12-13 11:36:22 -05:00
Thierry Laurion
164d991a69
xx30 boards: remove NKSTORECLI from all boards. Par with xx20. 2020-12-12 22:11:20 -05:00
Thierry Laurion
16488fb21a
xx20 boards: add xx20-hotp-maximized boards, remove hotp support from xx20-boards. Modify CircleCI conf accordingly. 2020-12-12 12:44:06 -05:00
Thierry Laurion
64b1712e78
oem-factory-reset: set default KEY_LENGTH to 3072 and change expectation management message to console (Fixes #919) 2020-12-10 10:33:02 -05:00
tlaurion
671522eff4
Merge pull request #912 from Thrilleratplay/xx20_blobs_extraction_fix
xx20-maximized t420 and x220 boards addition  (ME downloaded from Lenovo and cleaned per @Thrilleratplay me_cleaner adaptation)
2020-12-03 16:39:36 -05:00
Tom Hiller
75e11cbb8d circleci: add xx20 maximized builds 2020-12-03 13:13:47 -05:00
Tom Hiller
5b898e369c boards: add t420-maximized 2020-12-03 13:11:05 -05:00
Tom Hiller
d7ccd87d49 boards: add x220-maximized 2020-12-03 13:10:21 -05:00
Tom Hiller
646ddee748 blobs: add blobs/xx20 2020-12-02 19:18:35 -05:00
tlaurion
1661e5dcb0
Merge pull request #867 from Tonux599/kgpe-d16_411_measured-boot
KGPE-D16 Coreboot 4.11 + Measured Boot
2020-12-02 18:23:55 -05:00
tlaurion
014e59210d
Merge pull request #906 from Nitrokey/gpg-default-keylength
Default to 4096 bit for OEM factory reset (fixes #831)
2020-12-02 18:20:39 -05:00
tlaurion
4d570523f8
Merge pull request #908 from osresearch/pr/non-coreboot-builds
non-coreboot-builds: do not error if CONFIG_COREBOOT_VERSION is not set
2020-12-02 18:04:55 -05:00
tlaurion
05e212d9bf
Merge pull request #917 from tlaurion/quick_typo_fixes
xx30-*-maximized boards: typo fix in comments expend -> expand
2020-12-02 17:40:05 -05:00
Thierry Laurion
1b0a9c4c22
xx30-*-maximized boards: typo fix in comments expend -> expand 2020-12-02 17:35:10 -05:00
tlaurion
36c04f19e4
Add xx30-maximized and xx30-hotp-maximized boards (11.5mb flashable BIOS regions, reproducible me.bin and generated gbe.bin and totally externally and internally flashable roms) (#703)
* xx30-*-maximized: update flashrom options removing --ifd bios option, keeping whole flash of rom internally. WARNING: ifd needs to be initially unlocked through ifdtool -u on 8mb bottom SPI backup. YOU CANNOT COME FROM 1VYRAIN. IF COMING FROM SKULLS, YOU MUST HAVE RAN OPTIONAL -u OPTION FROM SKULLS. PLEASE UPGRADE ONLY AFTER HAVING A PHYSICAL BACKUP OF BOTH SPI FLASH CHIPS. MORE INFORMATION UNDER https://github.com/osresearch/heads/pull/703. This will guarantee that future flash of produced rom will reflash the ROM totally, where heads make sure of adding users customizations (public key, /etc/config.user) when internally flashed. Unfortunately, if you flash externally, you will have to reinject your public key and readd /etc/config customizations.

* Adding generated bincfg coreboot 4.8.1 patch (merged under coreboot 4.13 and backported here to 4.8.1), resulting in gbe.bin under blobs/xx30/gbe.bin and instructions to replicate in README prior of automation (under repo). Note that MAC under gbe.bin is fixed to DE:AD:C0:FF:EE unless extract.sh script is ran on external backup to keep current user's MAC (Thanks to @Thrilleratplay's contribution!)

* xx30 blobs: add two blobs management scripts for xx30: extract from local backup/download+neuter ME
extract.sh: extract from external backup: gbe.bin, neuter under me.bin and maximize BIOS+reduce ME regions under unlocked ifd.bin. 
download_clean_me.sh: download and verify Lenovo latest ME version from website, and drop me.bin in place.
Note: me.bin is 98kb, containing only BUP and ROMP partitions which cannot be modified nor deleted else computer won't boot. As a result, BIOS region is maximized in ifd.bin to 11.5mb and coreboot config takes advantage of that freed space.

* CircleCI: xx30-*-maximized additional step to call download_clean_me.sh prior of building boards so that me.bin is dopped in place. This should be done by users prior of building xx30-*-maximized boards locally, which is imitated in CircleCI builds (look at .circleci/config.yaml for innoextract host added dependency and board buildings. Results on github for each commit).
2020-12-02 17:01:44 -05:00
Thomas Clarke
572f5b3414
On KGPE-D16 boards, ensure linux-kgpe-d16*.config are up-to-date by:
cp config/linux.. ./build/linux*/.config
	cd build/linux*
	make savedefconfig
	cp defconfig ../../config/linux..

Resulting in only linux-kgpe-d16_workstation.config being updated.

For KGPE-D16 workstation boards:
Remove `console=tty0` from `CONFIG_BOOT_KERNEL_ADD` as was blocking Qubes graphical installer (CLI installer was launched).
Comment out `export CONFIG_BOOT_KERNEL_REMOVE="plymouth.ignore-serial-consoles"` to provide a more desktop like experience.

Removed 0001-cpu-x86-smm-Use-PRIxPTR-to-print-uintptr_t.patch as already exists as 0000-cpu-x86-smm-Use-PRIxPTR-to-print-uintptr_t.patch

Added 0020-kgpe-d16_measured-boot-support.patch for coreboot 4.11

Fix TPM errors when microcode is measured by initialising TPM earlier and loading the microcode later.
Thanks to Michał Żygowski <miczyg1> for condition suggestion: `if (CONFIG(MEASURED_BOOT) && CONFIG(LPC_TPM) && boot_cpu())`

Locate bootblock location and size with CBFS API. Credit to: Michał Żygowski <miczyg1>
2020-12-02 15:56:42 +00:00