heads/modules/linux
Thierry Laurion 6923fb5e20
Addition of qemu-(fb)whiptail-tpm2(-hotp) boards
- coreboot support of TPM v2.0 (shared config for TPM2 support across all 4 previous variations)
- swtpm set to be launched under TPM v2.0 mode under board config
- Documentation file under each board.md softlinks to qemu-coreboot-fbwhiptail-tpm1.md (which has been generalized)
This is a skeleton for TPM v2 integration under Heads

-------------
WiP

TODO:
- libcurl cannot be built as a tpm2-tools dependency as of now, not sure why. curl currently needs to be added in board config to be built
- Note: tpm-reset (master and here) needs some review, no handling of the no-TPM use case. Caller is responsible for not calling it; otherwise it does nothing
- init tries to bind fd and fails currently
- Note: Check if whiptail is different from fbwhiptail in clearing the screen. As of now every clear seems to be removed; still, whiptail clears previous console output
- When no OS' /boot can be mounted, do not try to TPM reset (will fail)

- seal-hotpkey is not working properly
- setting disk unlock key asks for TPM ownership passphrase (sealing in NV requires ownership, but text is misleading user as if reowning TPM)
  - We should cache input, feed tpm behind the scene and wipe passphrase and state clearly that this is the TPM disk unlock key passphrase.
- primary key from TPM2 is invalid most of the time from kexec-select-boot and verifying global hashes but is set up correctly at disk unlock key setup
- would be nice to take advantage of bash function tracing to understand where we are for debugging purposes, code takes only ash into consideration
- tpmr says it implements nv calls but actually doesn't. Removing those falsely wrapped functions would help.
  - Implementing them would be better
- REVIEW TODOS IN CODE
- READD CIRCLECI CONFIG

Current state:
- TPM unseal works without disk unlock key and generates TOTP properly (was missing die condition at unseal to not produce always good TOTP even if invalid)
- TPM disk encryption key fails. Hypothesis is that sealing with USB drivers loaded and measures is inconsistent with sealed with/without.
  - TPM disk unsealing happens without USB modules being loaded in non-HOTP setup. This fails.

- Current tests are with fbwhiptail (no clear called so having traces on command line of what happens)
  - Testing with HOTP implementation for sealing/unsealing since that forces USB module loads on each boot to remove this from failing possibilities
2023-03-08 12:45:43 -05:00

modules-y += linux

ifeq "$(CONFIG_TARGET_ARCH)" "x86"
LINUX_ARCH := x86
LINUX_IMAGE_FILE := bzImage
else ifeq "$(CONFIG_TARGET_ARCH)" "ppc64"
LINUX_ARCH := powerpc
LINUX_IMAGE_FILE := zImage
else
$(error "$(CONFIG_TARGET_ARCH) target isn't supported by this module")
endif

ifeq "$(CONFIG_LINUX_VERSION)" "4.14.62"
linux_version := 4.14.62
linux_hash := 51ca4d7e8ee156dc0f19bc7768915cfae41dbb0b4f251e4fa8b178c5674c22ab
else ifeq "$(CONFIG_LINUX_VERSION)" "4.19.139"
linux_version := 4.19.139
linux_hash := 9c4ebf21fe949f80fbcfbbd6e7fe181040d325e89475e230ab53ef01f9d55605
else ifeq "$(CONFIG_LINUX_VERSION)" "5.4.69"
linux_version := 5.4.69
linux_hash := a8b31d716b397303a183e42ad525ff2871024a43e3ea530d0fdf73b7f9d27da7
else ifeq "$(CONFIG_LINUX_VERSION)" "5.5-openpower"
linux_version := 5.5
linux_patch_version := 5.5-openpower
linux_hash := a6fbd4ee903c128367892c2393ee0d9657b6ed3ea90016d4dc6f1f6da20b2330
#
# linuxboot systems should *NOT* use 5.10.5 until a proper review has
# been done. This is because `0000-efi_bds.patch` did not cleanly port
# from 5.4.69 to 5.10.5 which directly affects linuxboot systems.
#
else ifeq "$(CONFIG_LINUX_VERSION)" "5.10.5"
linux_version := 5.10.5
linux_hash := 3991a9e16a187d78d5f414d89236ae5d7f404a69e60c4c42a9d262ee19612ef4
else
$(error "$(BOARD): does not specify linux kernel version under CONFIG_LINUX_VERSION")
endif

linux_base_dir := linux-$(linux_version)

# TODO: fixup the patch process
# input file in the heads config/ dir
# Allow board config to specialize Linux configuration if necessary
linux_kconfig := $(or $(CONFIG_LINUX_CONFIG),config/linux.config)

# Output directory for the Linux kernel build is based on the
# configuration file name, not the board name
linux_dir := $(linux_base_dir)/$(notdir $(basename $(linux_kconfig)))
linux_tar := linux-$(linux_version).tar.xz
linux_major_ver := $(basename $(basename $(CONFIG_LINUX_VERSION)))
linux_url := https://cdn.kernel.org/pub/linux/kernel/v$(linux_major_ver).x/$(linux_tar)

# Ensure that touching the config file will force a reconfig/rebuild
$(build)/$(linux_dir)/.configured: $(linux_kconfig)

linux_configure := \
	mkdir -p "$(build)/$(linux_dir)" \
	&& $(call install_config,$(pwd)/$(linux_kconfig),$(build)/$(linux_dir)/.config) \
	&& $(MAKE) -C .. \
		ARCH="$(LINUX_ARCH)" \
		CROSS_COMPILE="$(CROSS)" \
		O="$(build)/$(linux_dir)" \
		olddefconfig

linux_output += arch/$(LINUX_ARCH)/boot/$(LINUX_IMAGE_FILE)

# Once we have extracted the kernel tar file, install the headers
# so that other submodules can make use of them.
$(INSTALL)/include/linux/limits.h: $(build)/$(linux_base_dir)/.canary
	$(MAKE) \
		-C "$(build)/$(linux_base_dir)" \
		ARCH="$(LINUX_ARCH)" \
		INSTALL_HDR_PATH="$(INSTALL)" \
		O="$(linux_dir)" \
		KCONFIG_CONFIG="$(pwd)/$(linux_kconfig)" \
		headers_install

# qemu
linux_modules-$(CONFIG_LINUX_E1000) += drivers/net/ethernet/intel/e1000/e1000.ko

# x230 and winterfell
linux_modules-$(CONFIG_LINUX_E1000E) += drivers/net/ethernet/intel/e1000e/e1000e.ko

# Dell R630 ethernet and RAID controller
linux_modules-$(CONFIG_LINUX_IGB) += drivers/net/ethernet/intel/igb/igb.ko
linux_modules-$(CONFIG_LINUX_MEGARAID) += drivers/scsi/megaraid/megaraid_mm.ko
linux_modules-$(CONFIG_LINUX_MEGARAID) += drivers/scsi/megaraid/megaraid_sas.ko
linux_modules-$(CONFIG_LINUX_MEGARAID) += drivers/scsi/megaraid/megaraid_mbox.ko

# Intel s2600wf scsi controller
linux_modules-$(CONFIG_LINUX_SCSI_GDTH) += drivers/scsi/gdth.ko
linux_modules-$(CONFIG_LINUX_ATA) += drivers/ata/libata.ko
linux_modules-$(CONFIG_LINUX_AHCI) += drivers/ata/ahci.ko
#linux_modules-$(CONFIG_LINUX_AHCI) += drivers/ata/ahci_platform.ko
linux_modules-$(CONFIG_LINUX_AHCI) += drivers/ata/libahci.ko
#linux_modules-$(CONFIG_LINUX_AHCI) += drivers/ata/libahci_platform.ko

# Solarflare network card
linux_modules-$(CONFIG_LINUX_SFC) += drivers/net/ethernet/sfc/sfc.ko
linux_modules-$(CONFIG_LINUX_SFC) += drivers/net/mdio.ko

# Mellanox ConnectX-3 (winterfell)
linux_modules-$(CONFIG_LINUX_MLX4) += drivers/net/ethernet/mellanox/mlx4/mlx4_core.ko
linux_modules-$(CONFIG_LINUX_MLX4) += drivers/net/ethernet/mellanox/mlx4/mlx4_en.ko

# Broadcom 57302 (25g) for Tioga Pass
linux_modules-$(CONFIG_LINUX_BCM) += drivers/net/ethernet/broadcom/bnxt/bnxt_en.ko

# USB modules for both types of controllers
# older boards also need ohci and uhci
linux_modules-$(CONFIG_LINUX_USB_COMPANION_CONTROLLER) += drivers/usb/host/uhci-hcd.ko
linux_modules-$(CONFIG_LINUX_USB_COMPANION_CONTROLLER) += drivers/usb/host/ohci-hcd.ko
linux_modules-$(CONFIG_LINUX_USB_COMPANION_CONTROLLER) += drivers/usb/host/ohci-pci.ko
linux_modules-$(CONFIG_LINUX_USB) += drivers/usb/host/ehci-hcd.ko
linux_modules-$(CONFIG_LINUX_USB) += drivers/usb/host/ehci-pci.ko
linux_modules-$(CONFIG_LINUX_USB) += drivers/usb/host/xhci-hcd.ko
linux_modules-$(CONFIG_LINUX_USB) += drivers/usb/host/xhci-pci.ko
linux_modules-$(CONFIG_LINUX_USB) += drivers/usb/storage/usb-storage.ko

# USB modules when a USB keyboard is defined in board config
linux_modules-$(CONFIG_USB_KEYBOARD) += drivers/hid/usbhid/usbhid.ko

# NVMe driver for winterfell and other servers
linux_modules-$(CONFIG_LINUX_NVME) += drivers/nvme/host/nvme.ko
linux_modules-$(CONFIG_LINUX_NVME) += drivers/nvme/host/nvme-core.ko

# ME drivers for talking to the management engine
linux_modules-$(CONFIG_LINUX_MEI) += drivers/misc/mei/mei.ko
linux_modules-$(CONFIG_LINUX_MEI) += drivers/misc/mei/mei-me.ko

EXTRA_FLAGS := -fdebug-prefix-map=$(pwd)=heads -gno-record-gcc-switches

ifeq "$(CONFIG_LINUX_VERSION)" "4.14.62"
EXTRA_FLAGS += -Wno-cast-function-type
endif

linux_target := \
	O="$(build)/$(linux_dir)" \
	ARCH="$(LINUX_ARCH)" \
	CROSS_COMPILE="$(CROSS)" \
	AFLAGS_KERNEL="$(EXTRA_FLAGS)" \
	CFLAGS_KERNEL="$(EXTRA_FLAGS)" \
	CFLAGS_MODULE="$(EXTRA_FLAGS)" \
	KBUILD_BUILD_USER=$(notdir $(linux_kconfig)) \
	KBUILD_BUILD_HOST=linuxboot \
	KBUILD_BUILD_TIMESTAMP="1970-00-00" \
	KBUILD_BUILD_VERSION=0 \
	$(MAKE_JOBS)

# We cross compile linux now
linux_depends := musl-cross

#
# Linux kernel module installation
#
# This is a special case since we have to do a special strip operation on
# the kernel modules to make them fit into the ROM image.
#
module_initrd_dir := $(shell mktemp -d)
module_initrd_lib_dir := $(module_initrd_dir)/lib/modules
FOO := $(shell mkdir -p "$(module_initrd_lib_dir)")

define linux_module =

# Each module depends on building the Linux kernel
$(build)/$(linux_dir)/$1: $(build)/$(linux_dir)/$(linux_output)

# The cpio file will depend on every module
$(build)/$(BOARD)/modules.cpio: $(module_initrd_lib_dir)/$(notdir $1)

# Strip the modules when we install them so that they will be extra small
$(module_initrd_lib_dir)/$(notdir $1): $(build)/$(linux_dir)/$1
	$(call do,INSTALL-MODULE,$1, \
		$(CROSS)strip \
			--preserve-dates \
			--strip-debug \
			-o "$$@" \
			"$$<" \
	)

endef

$(call map,linux_module,$(linux_modules-y))

# We can't rebuild the module initrd until the kernel has been rebuilt
$(build)/$(BOARD)/modules.cpio: $(build)/$(linux_dir)/.build
	$(call do-cpio,$@,$(module_initrd_dir))
	@$(RM) -rf "$(module_initrd_dir)"

# The output of the linux.intermediate is usually the bzImage in the
# linux build directory. We need to copy it into our board
# specific directory for ease of locating it later.
$(build)/$(BOARD)/$(LINUX_IMAGE_FILE): $(build)/$(linux_dir)/.build
	$(call do-copy,$(dir $<)/$(linux_output),$@)
	@touch $@ # force a timestamp update
	@sha256sum "$@" | tee -a "$(HASHES)"

# Build kernel second time, now that initrd is built.
$(build)/$(BOARD)/$(LINUX_IMAGE_FILE).bundled: \
	$(build)/$(initrd_dir)/initrd.cpio.xz \
	$(build)/$(BOARD)/$(LINUX_IMAGE_FILE)
	xz --decompress --stdout --force "$<" > $(build)/$(initrd_dir)/initrd.cpio
	$(MAKE) -C "$(build)/$(linux_dir)" $(linux_target)
	$(call do-copy,$(build)/$(linux_dir)/$(linux_output),$@)
	@touch $@ # force a timestamp update
	@sha256sum "$@" | tee -a "$(HASHES)"

# modifydefconfig target allows us to edit the current in-tree defconfig
# under the linux decompressed+patched directory and put it back in the git tree
# to check changes with git difftool.
# Useful for the development cycle of linux kernel version bumps.
linux.modifydefconfig:
	cp "$(pwd)/$(linux_kconfig)" "$(build)/$(linux_dir)/.config" && \
	$(MAKE) \
		-C "$(build)/$(linux_base_dir)" \
		O="$(build)/$(linux_dir)" \
		menuconfig && \
	$(MAKE) \
		-C "$(build)/$(linux_base_dir)" \
		O="$(build)/$(linux_dir)" \
		savedefconfig && \
	mv "$(build)/$(linux_dir)/defconfig" "$(pwd)/$(linux_kconfig)"

# generateoldconfig target allows us to copy the current in-git-tree defconfig
# into the decompressed linux directory's .config file. This permits
# us to edit that .config file and remove unneeded stuff prior
# to calling the saveconfig target from the heads main directory (cd -)
linux.generateoldconfig:
	mkdir -p "$(build)/$(linux_dir)" \
	&& cp "$(pwd)/$(linux_kconfig)" "$(build)/$(linux_dir)/.config" \
	&& $(MAKE) -C "$(build)/$(linux_base_dir)" \
		O="$(build)/$(linux_dir)" \
		olddefconfig \
	&& echo "" \
	&& echo "You can now edit $(build)/$(linux_dir)/.config" \
	&& echo "Either:" \
	&& echo " Manually through text editor" \
	&& echo " Through make BOARD=XYZ linux.menuconfig" \
	&& echo "" \
	&& echo "To save changes in git tree for review, type:" \
	&& echo "make BOARD=XYZ linux.saveconfig"

# menuconfig target allows us to easily reconfigure this Linux kernel
# Afterwards make linux.saveconfig to generate a minimal config from it
linux.menuconfig:
	$(MAKE) \
		-C "$(build)/$(linux_base_dir)" \
		O="$(build)/$(linux_dir)" \
		menuconfig

# The config file in the repo is stored as a "defconfig" format
# which only includes the options that have changed from the defaults.
linux.saveconfig:
	$(MAKE) \
		-C "$(build)/$(linux_base_dir)" \
		O="$(build)/$(linux_dir)" \
		savedefconfig
	mv "$(build)/$(linux_dir)/defconfig" "$(pwd)/$(linux_kconfig)"
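The version table and the `linux_url` derivation above pin each kernel tarball to a sha256, but the check itself lives in heads' shared module machinery, not in this file. As an added example (not heads' own code), this POSIX shell reproduces the version-to-tarball mapping, including the `5.5-openpower` entry whose tarball is plain 5.5, and verifies a fetched tarball against the pinned hash before anything is extracted; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of heads: pin the kernel tarball download to the
# sha256 table from modules/linux, so a tampered or wrong tarball is rejected
# before it is extracted or built. Function names are assumptions.

# Hashes copied from the module's CONFIG_LINUX_VERSION table.
linux_hash_for() {
    case "$1" in
        4.14.62)       echo 51ca4d7e8ee156dc0f19bc7768915cfae41dbb0b4f251e4fa8b178c5674c22ab ;;
        4.19.139)      echo 9c4ebf21fe949f80fbcfbbd6e7fe181040d325e89475e230ab53ef01f9d55605 ;;
        5.4.69)        echo a8b31d716b397303a183e42ad525ff2871024a43e3ea530d0fdf73b7f9d27da7 ;;
        5.5-openpower) echo a6fbd4ee903c128367892c2393ee0d9657b6ed3ea90016d4dc6f1f6da20b2330 ;;
        5.10.5)        echo 3991a9e16a187d78d5f414d89236ae5d7f404a69e60c4c42a9d262ee19612ef4 ;;
        *) return 1 ;;   # unknown version: refuse, like the module's $(error)
    esac
}

# "5.5-openpower" is plain 5.5 plus heads patches, so the tarball is linux-5.5.
linux_tar_for() {
    echo "linux-${1%-openpower}.tar.xz"
}

# Mirrors linux_url in the module: the major version selects the v<N>.x directory.
linux_url_for() {
    echo "https://cdn.kernel.org/pub/linux/kernel/v${1%%.*}.x/$(linux_tar_for "$1")"
}

sha256_of_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# verify_tarball VERSION FILE: 0 on match, 1 on mismatch, 2 on unknown version.
verify_tarball() {
    expected=$(linux_hash_for "$1") || { echo "unknown kernel version: $1" >&2; return 2; }
    actual=$(sha256_of_file "$2")
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch for $2: got $actual, want $expected" >&2
        return 1
    fi
}

# Usage: verify_tarball "$CONFIG_LINUX_VERSION" "packages/$(linux_tar_for "$CONFIG_LINUX_VERSION")"
```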