From e177de63d02718a3bed6816fee075076c94181cd Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Fri, 28 Sep 2018 06:25:00 -0400 Subject: [PATCH 001/189] Enable verbose bootup debugging and ensure that the serial IO base port is configured --- config/linux-linuxboot.config | 2 +- patches/linux-4.14.62/0000-efi_bds.patch | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/config/linux-linuxboot.config b/config/linux-linuxboot.config index 1074b6ac5..3db4274b5 100644 --- a/config/linux-linuxboot.config +++ b/config/linux-linuxboot.config @@ -291,7 +291,7 @@ CONFIG_STACKTRACE=y # CONFIG_RCU_TRACE is not set # CONFIG_FTRACE is not set # CONFIG_STRICT_DEVMEM is not set -# CONFIG_X86_VERBOSE_BOOTUP is not set +CONFIG_X86_VERBOSE_BOOTUP=y # CONFIG_DOUBLEFAULT is not set CONFIG_IO_DELAY_0XED=y CONFIG_OPTIMIZE_INLINING=y diff --git a/patches/linux-4.14.62/0000-efi_bds.patch b/patches/linux-4.14.62/0000-efi_bds.patch index 5ffbf62bd..0d2d76ea3 100644 --- a/patches/linux-4.14.62/0000-efi_bds.patch +++ b/patches/linux-4.14.62/0000-efi_bds.patch @@ -43,3 +43,12 @@ diff -u --recursive ../../clean/linux-4.14.62/arch/x86/boot/compressed/eboot.c l return boot_params; fail2: +--- clean/linux-4.14.62/arch/x86/boot/compressed/early_serial_console.c 2018-08-09 12:16:40.000000000 +0200 ++++ linux-4.14.62/arch/x86/boot/compressed/early_serial_console.c 2018-09-28 11:59:36.824015244 +0200 +@@ -1,5 +1,5 @@ + #include "misc.h" + +-int early_serial_base; ++int early_serial_base = 0x3f8; + + #include "../early_serial_console.c" From 25113cb8c2f431bb0e0c038cbd2a306069159bcb Mon Sep 17 00:00:00 2001 From: Francis Lam Date: Sat, 10 Nov 2018 13:41:01 -0800 Subject: [PATCH 002/189] Fix coreboot build for kgpe-d16 --- modules/coreboot | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/coreboot b/modules/coreboot index 7081fe086..7c62b6f34 100644 --- a/modules/coreboot +++ b/modules/coreboot 
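Review bot: The initializer `int early_serial_base = 0x3f8;` in the appended early_serial_console.c hunk hard-codes the legacy COM1 port for every board built from this kernel patch set. Together with `CONFIG_X86_VERBOSE_BOOTUP=y` it turns debug output on with no way to switch it off in a production image. Whether the port is also programmed (baud rate, line control) before it is written to cannot be seen in this hunk, so output presumably depends on the state the firmware left the UART in. I would keep the default at zero and select the port per board, for instance through the kernel command line, or at least add a comment such as `/* debug default: legacy COM1; boards without a UART at 0x3f8 should not carry this patch */`.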
@@ -16,7 +16,7 @@ CONFIG_COREBOOT_CONFIG ?= config/coreboot-$(BOARD).config # Ensure that touching the config file will force a rebuild $(build)/$(coreboot_dir)/.configured: $(CONFIG_COREBOOT_CONFIG) -EXTRA_FLAGS := -fdebug-prefix-map=$(pwd)=heads -gno-record-gcc-switches +EXTRA_FLAGS := -fdebug-prefix-map=$(pwd)=heads -gno-record-gcc-switches -Wno-error=packed-not-aligned coreboot_configure := \ mkdir -p "$(build)/$(coreboot_dir)" \ From 7bc90cd8a202d476fbfbd1774af8604c2f8ef0c2 Mon Sep 17 00:00:00 2001 From: Martin Kepplinger Date: Thu, 23 May 2019 09:39:35 +0200 Subject: [PATCH 003/189] initrd: remove unused keylime-init Besides the fact that keylime-init uses a local network location for downloading something, it is unused. Remove dead code. Was is this anyways? --- initrd/etc/keylime-init | 17 ----------------- 1 file changed, 17 deletions(-) delete mode 100755 initrd/etc/keylime-init diff --git a/initrd/etc/keylime-init b/initrd/etc/keylime-init deleted file mode 100755 index e0974e960..000000000 --- a/initrd/etc/keylime-init +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/sh -# Bring up the x230's NIC, get a DHCP address and invoke keylime - -insmod /lib/modules/e1000e.ko -udhcpc -n - -cd / -wget-measure.sh 6 http://192.168.1.5/keylime.tar.gz -tar xf keylime.tar.gz - -if [ ! -x /keylime-node ]; then - echo '!!!! Keylime overlay not found?' - tpm extend -ix 4 -ic "recovery" - exec /bin/ash -fi - -exec /keylime-node From a523de1bca55b2a16e98c2954acd06c37b1c0dfc Mon Sep 17 00:00:00 2001 From: Sebastian McMillan <22755892+SebastianMcMillan@users.noreply.github.com> Date: Thu, 6 Jun 2019 19:30:39 -0500 Subject: [PATCH 004/189] Update and rename x230-flash.init to install.init --- initrd/bin/{x230-flash.init => install.init} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename initrd/bin/{x230-flash.init => install.init} (92%) 
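Review bot: `-Wno-error=packed-not-aligned` is appended to `EXTRA_FLAGS` for every board, while the subject names only kgpe-d16, so the warning stops failing the build everywhere without any record of why. A comment above the assignment would let the flag be dropped later, e.g. `# packed-not-aligned: raised by newer GCC on the coreboot tree used for kgpe-d16; remove once that tree builds cleanly`. The same line expands `$(pwd)`, a lower-case make variable whose definition is outside this hunk; if it is ever empty the option becomes `-fdebug-prefix-map==heads` and the prefix map no longer strips the build path from the debug info, which matters for reproducible builds.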
diff --git a/initrd/bin/x230-flash.init b/initrd/bin/install.init similarity index 92% rename from initrd/bin/x230-flash.init rename to initrd/bin/install.init index e02dcf5d8..872ebb861 100755 --- a/initrd/bin/x230-flash.init +++ b/initrd/bin/install.init @@ -20,7 +20,7 @@ echo '' echo 'To install from flash drive:' echo '' echo ' mount -o ro /dev/sdb1 /media' -echo ' flashrom-x230.sh /media/x230.rom' +echo ' flash.sh /media/' echo '' exec /bin/ash From 3bc2d158033761679905001f895a411ba424a3e9 Mon Sep 17 00:00:00 2001 From: Sebastian McMillan <22755892+SebastianMcMillan@users.noreply.github.com> Date: Thu, 6 Jun 2019 19:32:07 -0500 Subject: [PATCH 005/189] Update x230-flash.config --- boards/x230-flash/x230-flash.config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/boards/x230-flash/x230-flash.config b/boards/x230-flash/x230-flash.config index b10d17aff..17be7fafd 100644 --- a/boards/x230-flash/x230-flash.config +++ b/boards/x230-flash/x230-flash.config @@ -16,7 +16,7 @@ CONFIG_LINUX_USB=y CONFIG_LINUX_E1000E=y export CONFIG_USB_BOOT_DEV="/dev/sdb1" -export CONFIG_BOOTSCRIPT=/bin/x230-flash.init +export CONFIG_BOOTSCRIPT=/bin/install.init # This board is "special" in that we only want the top 4 MB of the ROM # for flashing into SPI flash 1 on the mainboard. This is enough to From 286303d95cc8d17504516bb181ea4e8d76fab2bd Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Fri, 24 May 2019 11:50:27 -0500 Subject: [PATCH 006/189] libremkey-hotp-verification: pass in key file directly Reading the file into a variable and then redirecting to stdin via echo() can cause the binary data to be truncated, leading to an invalid base32 value and failure to properly generate and validate the HOTP code. To resolve this, pass the file directly to hotp(), and ensure it is removed properly regardless of success or failure to prevent leakage. Fixes "Invalid base32 string" error seen when attempting to generate a new TOTP secret. 
Signed-off-by: Matt DeVillier --- initrd/bin/seal-libremkey | 21 +++++++++------- patches/libremkey-hotp-verification.patch | 29 +++++++++++++++++++++++ 2 files changed, 42 insertions(+), 8 deletions(-) diff --git a/initrd/bin/seal-libremkey b/initrd/bin/seal-libremkey index 7203b7198..ebab67665 100755 --- a/initrd/bin/seal-libremkey +++ b/initrd/bin/seal-libremkey @@ -29,8 +29,6 @@ tpm unsealfile \ || die "Unable to unseal HOTP secret" shred -n 10 -z -u "$HOTP_SEALED" 2> /dev/null -secret="`cat $HOTP_SECRET`" -shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null # Store counter in file instead of TPM for now, as it conflicts with Heads # config TPM counter as TPM 1.2 can only increment one counter between reboots @@ -54,21 +52,28 @@ enable_usb if ! libremkey_hotp_verification info ; then echo "Insert your Librem Key and press Enter to configure it" read - libremkey_hotp_verification info \ - || die "Unable to find Librem Key" + if ! libremkey_hotp_verification info ; then + # don't leak key on failure + shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null + die "Unable to find Librem Key" + fi fi read -s -p "Enter your Librem Key Admin PIN" admin_pin echo -libremkey_hotp_initialize $admin_pin $secret $counter_value +libremkey_hotp_initialize $admin_pin $HOTP_SECRET $counter_value if [ $? -ne 0 ]; then read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again:" admin_pin - libremkey_hotp_initialize $admin_pin $secret $counter_value \ - || die "Setting HOTP secret failed" + if ! libremkey_hotp_initialize $admin_pin $HOTP_SECRET $counter_value ; then + # don't leak key on failure + shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null + die "Setting HOTP secret failed" + fi fi -secret="" +# HOTP key no longer needed +shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null # Make sure our counter is incremented ahead of the next check #increment_tpm_counter $counter > /dev/null \ 
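Review bot: The unsealed secret now stays in `$HOTP_SECRET` from the `tpm unsealfile` step until the final `shred`, and only the two failure branches in the second hunk clean it up. Any other exit in between leaves the key file in /tmp/secret; the counter and /boot handling between the two hunks is not visible here, so it is unclear whether it can `die`. A single exit handler placed right after the unseal would cover every path and let the three explicit `shred` calls go: `trap 'shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null' EXIT` (assuming `die` ends the script through a normal exit). The script continues outside both hunks.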
diff --git a/patches/libremkey-hotp-verification.patch b/patches/libremkey-hotp-verification.patch index 5376da03b..fadcc4d59 100644 --- a/patches/libremkey-hotp-verification.patch +++ b/patches/libremkey-hotp-verification.patch @@ -29,4 +29,33 @@ +static const int CONNECTION_ATTEMPTS_COUNT = 2; static const int CONNECTION_ATTEMPT_DELAY_MICRO_SECONDS = 1000*1000/2; + +--- libremkey-hotp-verification/libremkey_hotp_initialize ++++ libremkey-hotp-verification-b/libremkey_hotp_initialize +@@ -14,7 +14,7 @@ fi + PIN=$1 + SECRET=$2 + COUNTER=$3 +-SECRET_B32=$(echo -n $SECRET | base32) ++SECRET_B32=$(cat $SECRET | base32) + libremkey_hotp_verification set $SECRET_B32 $PIN + if [ $? -ne 0 ]; then +@@ -25,7 +25,7 @@ fi + i=9 + while [ "$i" -lt "$COUNTER" ]; do + echo "Updating counter to $i" +- HOTP_CODE=$(echo $SECRET | hotp $i) ++ HOTP_CODE=$(hotp $i < $SECRET) + libremkey_hotp_verification check $HOTP_CODE > /dev/null + if [ $? -ne 0 ]; then + echo "HOTP check failed for counter=$i, code=$HOTP_CODE" +@@ -34,7 +34,7 @@ while [ "$i" -lt "$COUNTER" ]; do + let "i += 10" + done + +-HOTP_CODE=$(echo $SECRET | hotp $COUNTER) ++HOTP_CODE=$(hotp $COUNTER < $SECRET) + libremkey_hotp_verification check $HOTP_CODE > /dev/null + if [ $? -ne 0 ]; then + echo "HOTP check failed for counter=$COUNTER, code=$HOTP_CODE" From 77949c9cffef0566093d61fd1ceb373865b032d4 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Fri, 24 May 2019 18:29:58 -0500 Subject: [PATCH 007/189] libremkey_hotp_initialize: handle spaces in admin pin/pass Fix HOTP verfication failure if LK admin pin/passphrase contains spaces by quoting the variables when passed to functions. Test: set LK admin pin to passphrase with spaces, generate new TOTP/HOTP, verification passes. Signed-off-by: Matt DeVillier --- initrd/bin/seal-libremkey | 4 ++-- patches/libremkey-hotp-verification.patch | 7 +++++-- 2 files changed, 7 insertions(+), 4 deletions(-) 
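Review bot: `SECRET` changes from a value to a file path here, but `libremkey_hotp_initialize` never checks that the file exists or is readable. With a missing file `cat $SECRET | base32` yields an empty string, and `libremkey_hotp_verification set $SECRET_B32 $PIN` then runs with one argument fewer than intended. I would add a guard after `SECRET=$2`, for example `[ -r "$SECRET" ] || { echo "ERROR: HOTP secret file not readable"; exit 1; }`, and quote the expansions: `SECRET_B32=$(base32 < "$SECRET")` and `hotp $i < "$SECRET"`. The secret and PIN are still handed to the helper as command-line arguments, which is worth a comment even if the initrd is single-user.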
diff --git a/initrd/bin/seal-libremkey b/initrd/bin/seal-libremkey index ebab67665..4551aab1a 100755 --- a/initrd/bin/seal-libremkey +++ b/initrd/bin/seal-libremkey @@ -62,10 +62,10 @@ fi read -s -p "Enter your Librem Key Admin PIN" admin_pin echo -libremkey_hotp_initialize $admin_pin $HOTP_SECRET $counter_value +libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value if [ $? -ne 0 ]; then read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again:" admin_pin - if ! libremkey_hotp_initialize $admin_pin $HOTP_SECRET $counter_value ; then + if ! libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value ; then # don't leak key on failure shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null die "Setting HOTP secret failed" diff --git a/patches/libremkey-hotp-verification.patch b/patches/libremkey-hotp-verification.patch index fadcc4d59..c2b5dfeae 100644 --- a/patches/libremkey-hotp-verification.patch +++ b/patches/libremkey-hotp-verification.patch @@ -32,15 +32,18 @@ --- libremkey-hotp-verification/libremkey_hotp_initialize +++ libremkey-hotp-verification-b/libremkey_hotp_initialize -@@ -14,7 +14,7 @@ fi +@@ -14,9 +14,9 @@ fi PIN=$1 SECRET=$2 COUNTER=$3 -SECRET_B32=$(echo -n $SECRET | base32) +SECRET_B32=$(cat $SECRET | base32) - libremkey_hotp_verification set $SECRET_B32 $PIN +-libremkey_hotp_verification set $SECRET_B32 $PIN ++libremkey_hotp_verification set $SECRET_B32 "$PIN" if [ $? -ne 0 ]; then + echo "ERROR: Setting HOTP secret on Librem Key failed!" + exit 1 @@ -25,7 +25,7 @@ fi i=9 while [ "$i" -lt "$COUNTER" ]; do From 5eb758711da626d952e03bb9b8b4c8d1fd346dc7 Mon Sep 17 00:00:00 2001 
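Review bot: Quoting `"$admin_pin"` fixes passphrases with spaces, but both `read -s -p ... admin_pin` lines shown as context still run without `-r`, so a backslash in the passphrase is consumed by `read` before the quoted variable is ever used. The same class of failure (the key receives a different PIN than the user typed) remains for those inputs; `read -r -s -p "Enter your Librem Key Admin PIN" admin_pin` on both prompts closes it. `$HOTP_SECRET` and `$counter_value` are left unquoted on the changed lines; quoting them too would keep the call consistent.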
From: Matt DeVillier Date: Fri, 17 May 2019 18:07:07 -0500 Subject: [PATCH 008/189] unseal-hotp: fix/rename mount_boot() Because of the way unseal-hotp is called from gui-init, dropping to a recovery shell when failing to mount /boot causes it to hang, leaving the user stranded until they kill it with CTRL+C. Instead, simply return and continue to the main GUI menu where the user can address the problem. Rename the function to clarify difference from other versions of mount_boot() which do drop to the recovery shell. Signed-off-by: Matt DeVillier --- initrd/bin/unseal-hotp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/initrd/bin/unseal-hotp b/initrd/bin/unseal-hotp index 5a697f369..27094e79f 100755 --- a/initrd/bin/unseal-hotp +++ b/initrd/bin/unseal-hotp @@ -7,12 +7,12 @@ HOTP_SEALED="/tmp/secret/hotp.sealed" HOTP_SECRET="/tmp/secret/hotp.key" HOTP_COUNTER="/boot/kexec_hotp_counter" -mount_boot() +mount_boot_or_die() { # Mount local disk if it is not already mounted if ! grep -q /boot /proc/mounts ; then mount -o ro /boot \ - || recovery "Unable to mount /boot" + || die "Unable to mount /boot" fi } @@ -33,7 +33,7 @@ shred -n 10 -z -u "$HOTP_SEALED" 2> /dev/null # Store counter in file instead of TPM for now, as it conflicts with Heads # config TPM counter as TPM 1.2 can only increment one counter between reboots # get current value of HOTP counter in TPM, create if absent -mount_boot +mount_boot_or_die #check_tpm_counter $HOTP_COUNTER hotp \ #|| die "Unable to find/create TPM counter" From e0e0019250ee5904d036d310d820db88c0575d0d Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Sat, 18 May 2019 19:59:22 -0500 Subject: [PATCH 009/189] kexec-select-boot: correct order of USB boot options Using sort on USB boot options produces a reverse-ordered list, leading users to often select the wrong option. Add the -r parameter to sort to correct the list order and make the default option the first in the list. 
Signed-off-by: Matt DeVillier --- initrd/bin/kexec-select-boot | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/initrd/bin/kexec-select-boot b/initrd/bin/kexec-select-boot index 6a782a82c..5f14dfcb7 100755 --- a/initrd/bin/kexec-select-boot +++ b/initrd/bin/kexec-select-boot @@ -175,7 +175,7 @@ scan_options() { die "Failed to parse any boot options" fi if [ "$unique" = 'y' ]; then - sort $option_file | uniq > $TMP_MENU_FILE + sort -r $option_file | uniq > $TMP_MENU_FILE else cp $option_file $TMP_MENU_FILE fi From 3306dbb66d2859edd095cb6707c532e9ca23d93e Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Sat, 18 May 2019 20:02:05 -0500 Subject: [PATCH 010/189] flash-gui: clean up ROM list Exclude dot folders from ROM search path, so that files in .Trash (eg) aren't shown. Sort the remaining options. Signed-off-by: Matt DeVillier --- initrd/bin/flash-gui.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/initrd/bin/flash-gui.sh b/initrd/bin/flash-gui.sh index 3780051a1..4105a9aea 100755 --- a/initrd/bin/flash-gui.sh +++ b/initrd/bin/flash-gui.sh @@ -88,7 +88,7 @@ while true; do --yesno "This requires you insert a USB drive containing:\n* Your BIOS image (*.rom)\n\nAfter you select this file, this program will reflash your BIOS\n\nDo you want to proceed?" 16 90) then mount_usb if grep -q /media /proc/mounts ; then - find /media -name '*.rom' > /tmp/filelist.txt + find /media ! -path '*/\.*' -type f -name '*.rom' | sort > /tmp/filelist.txt file_selector "/tmp/filelist.txt" "Choose the ROM to flash" if [ "$FILE" == "" ]; then return From 65d669d408d212729a4bf01ac28f5261b6596397 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Sat, 18 May 2019 20:13:32 -0500 Subject: [PATCH 011/189] Skip prompt to set default boot when booting from USB Since a USB boot target can't be the default (at least currently, /boot must be on internal media), skip the extraneous prompt to set it as such when booting from USB. 
Signed-off-by: Matt DeVillier --- initrd/bin/kexec-select-boot | 6 ++++-- initrd/bin/usb-scan | 4 ++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/initrd/bin/kexec-select-boot b/initrd/bin/kexec-select-boot index 5f14dfcb7..36b35a613 100755 --- a/initrd/bin/kexec-select-boot +++ b/initrd/bin/kexec-select-boot @@ -14,7 +14,8 @@ valid_rollback="n" force_menu="n" gui_menu="n" force_boot="n" -while getopts "b:d:p:a:r:c:uimgf" arg; do +skip_confirm="n" +while getopts "b:d:p:a:r:c:uimgfs" arg; do case $arg in b) bootdir="$OPTARG" ;; d) paramsdev="$OPTARG" ;; @@ -27,6 +28,7 @@ while getopts "b:d:p:a:r:c:uimgf" arg; do i) valid_hash="y"; valid_rollback="y" ;; g) gui_menu="y" ;; f) force_boot="y"; valid_hash="y"; valid_rollback="y" ;; + s) skip_confirm="y" ;; esac done @@ -255,7 +257,7 @@ user_select() { do get_menu_option # In force boot mode, no need offer the option to set a default, just boot - if [ "$force_boot" = "y" ]; then + if [[ "$force_boot" = "y" || "$skip_confirm" = "y" ]]; then do_boot else confirm_menu_option diff --git a/initrd/bin/usb-scan b/initrd/bin/usb-scan index 6d3eda27d..4d576555c 100755 --- a/initrd/bin/usb-scan +++ b/initrd/bin/usb-scan @@ -81,9 +81,9 @@ fi echo "!!! Could not find any ISO, trying bootable USB" # Attempt to pull verified config from device if [ -x /bin/whiptail ]; then - kexec-select-boot -b /media -c "*.cfg" -u -g + kexec-select-boot -b /media -c "*.cfg" -u -g -s else - kexec-select-boot -b /media -c "*.cfg" -u + kexec-select-boot -b /media -c "*.cfg" -u -s fi die "Something failed in selecting boot" From f772f2d088cb69e0642bc5ff646690959b887e6c Mon Sep 17 00:00:00 2001 
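Review bot: With `-s` the menu goes straight to `do_boot` through the branch written for `force_boot`, but unlike `-f` the new `s)` case leaves `valid_hash` and `valid_rollback` at their defaults. What `do_boot` enforces on this path is decided outside the hunk; please confirm that a USB boot started with `-s` still runs the same signature and hash checks as the confirmed path. The comment above the test now describes only half of the condition; I would change it to `# In force boot mode, or when confirmation is skipped (-s), don't offer to set a default, just boot`. `[[ ... || ... ]]` is also not POSIX; `[ "$force_boot" = "y" ] || [ "$skip_confirm" = "y" ]` behaves the same in any sh.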
From: Matt DeVillier Date: Sat, 18 May 2019 20:22:11 -0500 Subject: [PATCH 012/189] unseal-hotp: ensure /boot mounted before checking HOTP secret If /boot isn't mounted, we can't read the HOTP secret, so no point in reading from the TPM. This speeds up getting to the main menu in the case of an inaccessible or non-existant /boot, and maintains the warning condition from not being able to validate the HOTP. Signed-off-by: Matt DeVillier --- initrd/bin/unseal-hotp | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/initrd/bin/unseal-hotp b/initrd/bin/unseal-hotp index 27094e79f..f4d397ec8 100755 --- a/initrd/bin/unseal-hotp +++ b/initrd/bin/unseal-hotp @@ -16,6 +16,11 @@ mount_boot_or_die() fi } +# Store counter in file instead of TPM for now, as it conflicts with Heads +# config TPM counter as TPM 1.2 can only increment one counter between reboots +# get current value of HOTP counter in TPM, create if absent +mount_boot_or_die + tpm nv_readvalue \ -in 4d47 \ -sz 312 \ @@ -30,10 +35,6 @@ tpm unsealfile \ shred -n 10 -z -u "$HOTP_SEALED" 2> /dev/null -# Store counter in file instead of TPM for now, as it conflicts with Heads -# config TPM counter as TPM 1.2 can only increment one counter between reboots -# get current value of HOTP counter in TPM, create if absent -mount_boot_or_die #check_tpm_counter $HOTP_COUNTER hotp \ #|| die "Unable to find/create TPM counter" From 2686c836c6aa8abfb6ee605c3bd2987d1028b701 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Mon, 27 May 2019 11:45:09 -0500 Subject: [PATCH 013/189] gui-init: ensure /boot is sane first thing Before anything else, ensure that a default boot device is set. If not, prompt the user to set one. If set, ensure that /boot can be mounted successfully; else prompt the user to select a new boot device. Signed-off-by: Matt DeVillier --- initrd/bin/gui-init | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) 
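Review bot: The three-line comment about storing the HOTP counter in a file was moved together with `mount_boot_or_die` and now sits above the TPM read, where it no longer explains the line it precedes. I would leave that comment next to the counter handling further down and give the moved call its own, e.g. `# /boot holds the HOTP counter file; bail out before touching the TPM if it cannot be mounted`.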
diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 8c4419658..904c0d2c2 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -8,10 +8,23 @@ CONFIG_BOOT_GUI_MENU_NAME='Heads Boot Menu' mount_boot() { + # ensure default boot device is set + if [ ! -e "$CONFIG_BOOT_DEV" ]; then + if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: $CONFIG_BOOT_DEV missing!" \ + --yesno "The /boot device $CONFIG_BOOT_DEV could not be found!\n\nYou will need to configure the correct device for /boot.\n\nWould you like to configure the /boot device now?" 30 90) then + config-gui.sh + fi # Mount local disk if it is not already mounted - if ! grep -q /boot /proc/mounts ; then - mount -o ro /boot \ - || recovery "Unable to mount /boot" + elif ! grep -q /boot /proc/mounts ; then + mount -o ro /boot + if [ $? -ne 0 ]; then + if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Cannot mount /boot' \ + --yesno "The /boot partition at $CONFIG_BOOT_DEV could not be mounted!\n\nWould you like to configure the /boot device now?" 30 90) then + config-gui.sh + else + recovery "Unable to mount /boot" + fi + fi fi } verify_global_hashes() @@ -104,6 +117,9 @@ update_totp() /bin/reboot } +# ensure /boot is sane and mount it before anything else +mount_boot + last_half=X while true; do MAIN_MENU_OPTIONS="" From 4a85c85336130b801c178741ed7246bdfc3eabef Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 19 Jun 2019 16:27:05 -0500 Subject: [PATCH 014/189] gui-init: load USB modules at startup ensures external USB keyboards are accessible Signed-off-by: Matt DeVillier --- initrd/bin/gui-init | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 904c0d2c2..bb414cb5f 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init 
@@ -117,7 +117,10 @@ update_totp() /bin/reboot } -# ensure /boot is sane and mount it before anything else +# enable USB to load modules for external kb +enable_usb + +# ensure /boot is sane and mount it mount_boot last_half=X From 6cfbc86618ae05908ca035aa59ba43e48c0c2a0d Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 19 Jun 2019 16:27:44 -0500 Subject: [PATCH 015/189] initrd: don't mount efivars fs on non-linuxboot systems it doesn't exist and produces a spurious error on Heads systems Signed-off-by: Matt DeVillier --- initrd/init | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/initrd/init b/initrd/init index fd79d6773..892a2a7c8 100755 --- a/initrd/init +++ b/initrd/init @@ -16,7 +16,9 @@ mkdir /proc /sys /dev /tmp /boot /media 2>&- 1>&- mount /dev 2>/dev/ttyprintk mount /proc 2>/dev/ttyprintk mount /sys 2>/dev/ttyprintk -mount /sys/firmware/efi/efivars +if [ "$CONFIG_LINUXBOOT" = "y" ]; then + mount /sys/firmware/efi/efivars +fi # Setup the pty psudeo filesystem mkdir /dev/pts From 94f7f9802297c59022d93ca73f336b3ac390192d Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Thu, 27 Jun 2019 17:30:54 -0500 Subject: [PATCH 016/189] gui-init: update Settings, Boot Options menu text 'Options' makes more sense than 'Settings' given the submenu's contents. Tidy up Boot Options as well Signed-off-by: Matt DeVillier --- initrd/bin/gui-init | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index bb414cb5f..01102de60 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -194,7 +194,7 @@ while true; do --menu "$date\nTOTP: $TOTP | HOTP: $HOTP" 20 90 10 \ 'y' ' Default boot' \ 'r' ' Refresh TOTP/HOTP' \ - 'a' ' Settings -->' \ + 'a' ' Options -->' \ 'P' ' Power Off' \ 2>/tmp/whiptail || recovery "GUI menu failed" 
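Review bot: `enable_usb` is now called unconditionally at the top of gui-init, so the USB stack is brought up on every boot before `mount_boot` and before any hash or TOTP/HOTP check, for the benefit of external keyboards that many boards do not need. That widens what an attached device can reach at the earliest point of the boot menu. If module loading is measured into a TPM PCR (not visible in this hunk), it also changes the PCR state seen by later unseal steps. I would make the call conditional on a board-level config switch and say so in the comment, e.g. `# load USB modules early only on boards that need an external keyboard`.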
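Review bot: The new test `[ "$CONFIG_LINUXBOOT" = "y" ]` in initrd/init sits directly after the first `mount` calls, and no line sourcing the board config is visible before it in this hunk. If the config is read later in the script the variable is empty here and efivars is never mounted, LinuxBoot systems included. Testing for the mount point avoids that ordering dependency: `[ -d /sys/firmware/efi/efivars ] && mount /sys/firmware/efi/efivars`. The rest of init lies outside the hunk, so the ordering should be confirmed.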
@@ -202,9 +202,9 @@ while true; do fi if [ "$totp_confirm" = "a" ]; then - whiptail --clear --title "Settings" \ - --menu "Configure Settings" 20 90 10 \ - 'o' ' Other Boot Options -->' \ + whiptail --clear --title "HEADS Options" \ + --menu "" 20 90 10 \ + 'o' ' Boot Options -->' \ 't' ' TPM/TOTP/HOTP Options -->' \ 's' ' Update checksums and sign all files in /boot' \ 'c' ' Change configuration settings -->' \ @@ -218,7 +218,7 @@ while true; do fi if [ "$totp_confirm" = "o" ]; then - whiptail --clear --title "Other Boot Options" \ + whiptail --clear --title "Boot Options" \ --menu "Select A Boot Option" 20 90 10 \ 'm' ' Show OS boot menu' \ 'u' ' USB boot' \ From db5d282a7bb92aa1765ed1febdc63dd92d015c78 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Fri, 28 Jun 2019 23:26:20 -0500 Subject: [PATCH 017/189] seal-libremkey: add newlines for readability improve readability of console output by adding newlines as needed Signed-off-by: Matt DeVillier --- initrd/bin/seal-libremkey | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/initrd/bin/seal-libremkey b/initrd/bin/seal-libremkey index 4551aab1a..c1dab8e6d 100755 --- a/initrd/bin/seal-libremkey +++ b/initrd/bin/seal-libremkey @@ -59,12 +59,15 @@ if ! libremkey_hotp_verification info ; then fi fi -read -s -p "Enter your Librem Key Admin PIN" admin_pin -echo +echo -e "" +read -s -p "Enter your Librem Key Admin PIN: " admin_pin +echo -e "\n" libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value if [ $? -ne 0 ]; then - read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again:" admin_pin + echo -e "\n" + read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again: " admin_pin + echo -e "\n" if ! libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value ; then # don't leak key on failure shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null 
@@ -91,7 +94,7 @@ echo $counter_value > $HOTP_COUNTER \ #|| die "Unable to create hotp counter file" mount -o remount,ro /boot -echo "Librem Key initialized successfully. Press Enter to continue." +echo -e "\nLibrem Key initialized successfully. Press Enter to continue." read exit 0 From ed2f19d862dd4aec085ca76dc9cf87e4d92f1ab8 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Fri, 5 Jul 2019 17:04:00 -0500 Subject: [PATCH 018/189] gui-init: move update_checksums() to /etc/functions Move the non-GUI component of update_checksums() to /etc/functions so it can be reused outside of gui-init. Add check that /boot/kexec_default_hashes.txt exists before parsing it, since doesn't exist if there's no default boot target set yet. Eliminates spurious error text and/or premature exit depending on state of errexit. Signed-off-by: Matt DeVillier --- initrd/bin/gui-init | 31 +++++-------------------------- initrd/etc/functions | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+), 26 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 01102de60..eecc1d012 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -40,7 +40,7 @@ verify_global_hashes() elif [ ! -f $TMP_HASH_FILE ]; then if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Missing Hash File!' \ --yesno "The file containing hashes for /boot is missing!\n\nIf you are setting this system up for the first time, select Yes to update\nyour list of checksums.\n\nOtherwise this could indicate a compromise and you should select No to\nreturn to the main menu.\n\nWould you like to update your checksums now?" 30 90) then - update_checksums + prompt_update_checksums fi return 1 else 
@@ -67,37 +67,16 @@ verify_global_hashes() fi if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Boot Hash Mismatch' --yesno "$TEXT" 30 90) then - update_checksums + prompt_update_checksums fi return 1 fi } -update_checksums() +prompt_update_checksums() { if (whiptail --title 'Update Checksums and sign all files in /boot' \ --yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that the files in /boot have not been tampered with.\n\nYou will need your GPG key to continue and this change will modify your disk.\n\nDo you want to continue?" 16 90) then - mount_boot - mount -o rw,remount /boot - - cd /boot - find ./ -type f ! -name '*kexec*' | xargs sha256sum > /boot/kexec_hashes.txt - DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ') - echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt - - # Remove any package trigger log files - # We don't need them after the user decides to sign - rm -f /boot/kexec_package_trigger* - - # sign and auto-roll config counter - extparam= - if [ "$CONFIG_TPM" = "y" ]; then - extparam=-u - fi - kexec-sign-config -p /boot $extparam \ - || die "Failed to sign default config" - - # switch back to ro mode - mount -o ro,remount /boot + update_checksums else echo "Returning to the main menu" fi @@ -331,7 +310,7 @@ while true; do fi if [ "$totp_confirm" = "s" ]; then - update_checksums + prompt_update_checksums continue fi diff --git a/initrd/etc/functions b/initrd/etc/functions index 453590b84..7a2cfdacb 100755 --- a/initrd/etc/functions +++ b/initrd/etc/functions 
@@ -240,3 +240,36 @@ replace_config() { combine_configs() { cat /etc/config* > /tmp/config } + +update_checksums() +{ + # clear screen + printf "\033c" + # ensure /boot mounted + if ! grep -q /boot /proc/mounts ; then + mount -o ro /boot \ + || recovery "Unable to mount /boot" + fi + # remount RW + mount -o rw,remount /boot + cd /boot + find ./ -type f ! -name '*kexec*' | xargs sha256sum > /boot/kexec_hashes.txt + if [ -e /boot/kexec_default_hashes.txt ]; then + DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ') + echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt + fi + # Remove any package trigger log files + # We don't need them after the user decides to sign + rm -f /boot/kexec_package_trigger* + + # sign and auto-roll config counter + extparam= + if [ "$CONFIG_TPM" = "y" ]; then + extparam=-u + fi + kexec-sign-config -p /boot $extparam \ + || die "Failed to sign default config" + + # switch back to ro mode + mount -o ro,remount /boot +} From a9e494f670ebf9b5ac2c431c94ae6ac1d41608a0 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Fri, 5 Jul 2019 17:07:06 -0500 Subject: [PATCH 019/189] gpg-gui: prompt user to update checksums after adding key In order to streamline the initial setup, prompt user to update checksums/sign /boot files after adding a key and updating the firmware, in order to avoid an extra reboot. Signed-off-by: Matt DeVillier --- initrd/bin/gpg-gui.sh | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/initrd/bin/gpg-gui.sh b/initrd/bin/gpg-gui.sh index 0e93c5380..54e9a7126 100755 --- a/initrd/bin/gpg-gui.sh +++ b/initrd/bin/gpg-gui.sh 
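Review bot: The hashing line `find ./ -type f ! -name '*kexec*' | xargs sha256sum > /boot/kexec_hashes.txt` in the new `update_checksums()` splits file names on whitespace, so a file in /boot with a space or newline in its name is hashed under the wrong name or not at all. The `'*kexec*'` filter also leaves every file with "kexec" anywhere in its name out of the signed list, not only the Heads metadata files. Since the function is now shared, I would restrict the exclusion to the exact metadata names and use `find ./ -type f ... -print0 | xargs -0 sha256sum`, provided the busybox build has both options. `cd /boot` and `mount -o rw,remount /boot` are unchecked, and the `die` after `kexec-sign-config` exits with /boot still mounted read-write; `cd /boot || die "Unable to enter /boot"` plus a remount to `ro` before dying would tighten that.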
@@ -105,9 +105,18 @@ gpg_flash_rom() { fi /bin/flash.sh /tmp/gpg-gui.rom - whiptail --title 'BIOS Flashed Successfully' \ - --msgbox "BIOS flashed successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 16 60 + + if (whiptail --title 'BIOS Flashed Successfully' \ + --yesno "Would you like to update the checksums and sign all of the files in /boot?\n\nYou will need your GPG key to continue and this will modify your disk.\n\nOtherwise the system will reboot immediately." 16 90) then + update_checksums + else + /bin/reboot + fi + + whiptail --title 'Files in /boot Updated Successfully'\ + --msgbox "Checksums have been updated and /boot files signed.\n\nPress Enter to reboot" 16 60 /bin/reboot + } gpg_post_gen_mgmt() { GPG_GEN_KEY=`grep -A1 pub /tmp/gpg_card_edit_output | tail -n1 | sed -nr 's/^([ ])*//p'` From 6fc5571289d3e45d344c3a7329f36ac1c4172712 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Fri, 5 Jul 2019 18:02:27 -0500 Subject: [PATCH 020/189] boards/librem15v[3,4]: add missing background colors The error/warning background gradient colors were defined for the librem 13 boards, but not for the librem 15 ones. Add the missing exports. Signed-off-by: Matt DeVillier --- boards/librem15v3/librem15v3.config | 2 ++ boards/librem15v4/librem15v4.config | 2 ++ 2 files changed, 4 insertions(+) diff --git a/boards/librem15v3/librem15v3.config b/boards/librem15v3/librem15v3.config index ee99c0cdf..80c522952 100644 --- a/boards/librem15v3/librem15v3.config +++ b/boards/librem15v3/librem15v3.config @@ -35,3 +35,5 @@ export CONFIG_BOOT_KERNEL_REMOVE="" export CONFIG_BOOT_DEV="/dev/sda1" export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 15v3 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" +export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" +export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" 
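Review bot: The new yes/no prompt offers to re-sign /boot under the title 'BIOS Flashed Successfully' without looking at the exit status of `/bin/flash.sh /tmp/gpg-gui.rom` on the context line above it. After a failed flash the user would sign /boot with a key the firmware does not contain. The closing 'Files in /boot Updated Successfully' box is likewise shown regardless of what `update_checksums` did. I would stop on flash failure, `/bin/flash.sh /tmp/gpg-gui.rom || die "Flashing the ROM failed"` (assuming `die` is in scope here, as `update_checksums` is), and show the final message only when the signing step succeeded. `gpg_flash_rom` starts outside this hunk.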
diff --git a/boards/librem15v4/librem15v4.config b/boards/librem15v4/librem15v4.config index 38041122e..16f6aa44c 100644 --- a/boards/librem15v4/librem15v4.config +++ b/boards/librem15v4/librem15v4.config @@ -35,3 +35,5 @@ export CONFIG_BOOT_KERNEL_REMOVE="" export CONFIG_BOOT_DEV="/dev/sda1" export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 15v4 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" +export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" +export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" From 57c4207bf89ef929450a6c4f271e9e47b2cd63c2 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Sun, 7 Jul 2019 20:45:36 -0500 Subject: [PATCH 021/189] gpg_flash_rom: persist user config when flashing If the user has changed the /boot config but not yet flashed, it's reasonable for them to expect that flashing to add/update a GPG key won't revert those changes. Signed-off-by: Matt DeVillier --- initrd/bin/gpg-gui.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/initrd/bin/gpg-gui.sh b/initrd/bin/gpg-gui.sh index 54e9a7126..4a6646e9f 100755 --- a/initrd/bin/gpg-gui.sh +++ b/initrd/bin/gpg-gui.sh @@ -104,6 +104,12 @@ gpg_flash_rom() { cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/otrust.txt" fi + # persist user config changes + if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/etc/config.user") then + cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/etc/config.user" + fi + cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/etc/config.user" -f /etc/config.user + /bin/flash.sh /tmp/gpg-gui.rom if (whiptail --title 'BIOS Flashed Successfully' \ From b1d57dac66e50ebb5f2c04427ba29abc1480a1f1 Mon Sep 17 00:00:00 2001 
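Review bot: In the gpg-gui.sh hunk the existing `heads/initrd/etc/config.user` entry is deleted from the ROM image and then re-added from `/etc/config.user`, with no check that the local file exists. If the user has never changed the configuration and that file is absent, the `cbfs -a` step fails after the delete already ran, and the image is flashed without the entry it had before. Wrapping both steps in `if [ -e /etc/config.user ]; then ... fi` keeps the ROM's copy when there is nothing newer to write. The exit status of the `cbfs -a` call should also be checked before `/bin/flash.sh` runs.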
From: Matt DeVillier Date: Sun, 7 Jul 2019 20:47:04 -0500 Subject: [PATCH 022/189] gui-init: retry mounting /boot after device changed If CONFIG_BOOT_DEV isn't set or otherwise fails to mount, we prompt the user to change the /boot device, but never attempt to mount it to ensure it's sane, leading to potential failures later in the config/boot process. Ensure that CONFIG_BOOT_DEV is updated after the /boot device is changed, and attempt to re-mount /boot after the change. Signed-off-by: Matt DeVillier --- initrd/bin/gui-init | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index eecc1d012..f9f12f680 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init 
@@ -8,15 +8,22 @@ CONFIG_BOOT_GUI_MENU_NAME='Heads Boot Menu' mount_boot() { - # ensure default boot device is set - if [ ! -e "$CONFIG_BOOT_DEV" ]; then - if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: $CONFIG_BOOT_DEV missing!" \ - --yesno "The /boot device $CONFIG_BOOT_DEV could not be found!\n\nYou will need to configure the correct device for /boot.\n\nWould you like to configure the /boot device now?" 30 90) then - config-gui.sh - fi + # Mount local disk if it is not already mounted - elif ! grep -q /boot /proc/mounts ; then - mount -o ro /boot + while ! grep -q /boot /proc/mounts ; do + # ensure default boot device is set + if [ ! -e "$CONFIG_BOOT_DEV" ]; then + if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: $CONFIG_BOOT_DEV missing!" \ + --yesno "The /boot device $CONFIG_BOOT_DEV could not be found!\n\nYou will need to configure the correct device for /boot.\n\nWould you like to configure the /boot device now?" 30 90) then + config-gui.sh + else + # exit to main menu + break + fi + fi + # update CONFIG_BOOT_DEV + . /tmp/config + mount -o ro $CONFIG_BOOT_DEV /boot if [ $? -ne 0 ]; then if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Cannot mount /boot' \ --yesno "The /boot partition at $CONFIG_BOOT_DEV could not be mounted!\n\nWould you like to configure the /boot device now?" 30 90) then @@ -25,7 +32,7 @@ mount_boot() recovery "Unable to mount /boot" fi fi - fi + done } verify_global_hashes() { From 0d51b62ebb9ae831b58b3fcbc7508e464271c3a6 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Mon, 8 Jul 2019 22:16:57 -0500 Subject: [PATCH 023/189] gpg-gui: add option to replace existing key(s) Introduce option to remove any existing key(s) from firmware and add a user-suppled key, before reflashing. Move existing code for adding a new key to a separate function so it can be reused for new feature without duplication. 
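Review bot: The new `mount -o ro $CONFIG_BOOT_DEV /boot` expands the freshly re-sourced value unquoted, and the loop condition `grep -q /boot /proc/mounts` is satisfied by any mount line that merely contains the string `/boot`, so the loop can end without /boot itself being mounted. Quote the device, `mount -o ro "$CONFIG_BOOT_DEV" /boot`, and match the mount point as a field, `grep -q ' /boot ' /proc/mounts`. A comment above `. /tmp/config` explaining why the file is re-read on every pass would help; presumably config-gui.sh rewrites it, but the hunk does not show that.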
Signed-off-by: Matt DeVillier --- initrd/bin/gpg-gui.sh | 70 ++++++++++++++++++++++++++++--------------- 1 file changed, 46 insertions(+), 24 deletions(-) diff --git a/initrd/bin/gpg-gui.sh b/initrd/bin/gpg-gui.sh index 4a6646e9f..ea8efa732 100755 --- a/initrd/bin/gpg-gui.sh +++ b/initrd/bin/gpg-gui.sh @@ -68,6 +68,14 @@ file_selector() { fi } gpg_flash_rom() { + + if [ "$1" = "replace" ]; then + # clear local keyring + [ -e /.gnupg/pubring.gpg ] && rm /.gnupg/pubring.gpg + [ -e /.gnupg/pubring.kbx ] && rm /.gnupg/pubring.kbx + [ -e /.gnupg/trustdb.gpg ] && rm /.gnupg/trustdb.gpg + fi + cat "$PUBKEY" | gpg --import #update /.gnupg/trustdb.gpg to ultimately trust all user provided public keys gpg --list-keys --fingerprint --with-colons |sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --import-ownertrust 
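Review bot: The `replace` branch added at the top of gpg_flash_rom is never taken by the callers in this patch: gpg_add_key_reflash calls `gpg_flash_rom` with no argument, and the new `e` menu case in the last hunk repeats the same three `rm` lines inline. That inline copy also deletes the running keyring before the user has picked a key or confirmed the reflash, so cancelling leaves the session without its public keys. Passing the mode through, `gpg_add_key_reflash replace` in the `e` case and `gpg_flash_rom "$1"` inside it, removes the duplication and moves the deletion after the 'Update ROM?' confirmation. The `r` case now ends with `exit 0;` while `e` does not, which looks unintentional. gpg_flash_rom's body continues outside this hunk.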
@@ -177,12 +185,40 @@ gpg_sc_oem_reset() { } | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit > /tmp/gpg_card_edit_output || return 2 } +gpg_add_key_reflash() { + if (whiptail --title 'GPG public key required' \ + --yesno "This requires you insert a USB drive containing:\n* Your GPG public key (*.key or *.asc)\n\nAfter you select this file, this program will copy and reflash your BIOS\n\nDo you want to proceed?" 16 90) then + mount_usb + if grep -q /media /proc/mounts ; then + find /media -name '*.key' > /tmp/filelist.txt + find /media -name '*.asc' >> /tmp/filelist.txt + file_selector "/tmp/filelist.txt" "Choose your GPG public key" + PUBKEY=$FILE + + /bin/flash.sh -r /tmp/gpg-gui.rom + if [ ! -s /tmp/gpg-gui.rom ]; then + whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: BIOS Read Failed!' \ + --msgbox "Unable to read BIOS" 16 60 + exit 1 + fi + + if (whiptail --title 'Update ROM?' \ + --yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 16 90) then + gpg_flash_rom + else + exit 0 + fi + fi + fi +} + while true; do unset menu_choice whiptail --clear --title "GPG Management Menu" \ --menu 'Select the GPG function to perform' 20 90 10 \ 'r' ' Add GPG key to running BIOS + reflash' \ 'a' ' Add GPG key to standalone BIOS image + flash' \ + 'e' ' Replace GPG key(s) in the current ROM + reflash' \ 'l' ' List GPG keys in your keyring' \ 'g' ' Generate GPG keys manually on a USB security token' \ 'o' ' OEM Factory reset + auto keygen USB security token' \ 
@@ -228,30 +264,16 @@ while true; do fi ;; "r" ) - if (whiptail --title 'GPG public key required' \ - --yesno "This requires you insert a USB drive containing:\n* Your GPG public key (*.key or *.asc)\n\nAfter you select this file, this program will copy and reflash your BIOS\n\nDo you want to proceed?" 16 90) then - mount_usb - if grep -q /media /proc/mounts ; then - find /media -name '*.key' > /tmp/filelist.txt - find /media -name '*.asc' >> /tmp/filelist.txt - file_selector "/tmp/filelist.txt" "Choose your GPG public key" - PUBKEY=$FILE - - /bin/flash.sh -r /tmp/gpg-gui.rom - if [ ! -s /tmp/gpg-gui.rom ]; then - whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: BIOS Read Failed!' \ - --msgbox "Unable to read BIOS" 16 60 - exit 1 - fi - - if (whiptail --title 'Update ROM?' \ - --yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 16 90) then - gpg_flash_rom - else - exit 0 - fi - fi - fi + gpg_add_key_reflash + exit 0; + ;; + "e" ) + # clear local keyring + [ -e /.gnupg/pubring.gpg ] && rm /.gnupg/pubring.gpg + [ -e /.gnupg/pubring.kbx ] && rm /.gnupg/pubring.kbx + [ -e /.gnupg/trustdb.gpg ] && rm /.gnupg/trustdb.gpg + # add key and reflash + gpg_add_key_reflash ;; "l" ) GPG_KEYRING=`gpg -k` From a37e1f434dc1bb232ab05a1f48d537d28c85d7a0 Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Tue, 30 Jul 2019 15:36:57 +0200 Subject: [PATCH 024/189] add Intel msrtools commands --- Makefile | 1 + boards/qemu-coreboot/qemu-coreboot.config | 1 + modules/msrtools | 26 +++++++++++++++++++++++ 3 files changed, 28 insertions(+) create mode 100644 modules/msrtools diff --git a/Makefile b/Makefile index 74818a110..cc5cac6ad 100644 --- a/Makefile +++ b/Makefile 
@@ -424,6 +424,7 @@ bin_modules-$(CONFIG_NEWT) += newt bin_modules-$(CONFIG_CAIRO) += cairo bin_modules-$(CONFIG_FBWHIPTAIL) += fbwhiptail bin_modules-$(CONFIG_LIBREMKEY) += libremkey-hotp-verification +bin_modules-$(CONFIG_MSRTOOLS) += msrtools $(foreach m, $(bin_modules-y), \ $(call map,initrd_bin_add,$(call bins,$m)) \ diff --git a/boards/qemu-coreboot/qemu-coreboot.config b/boards/qemu-coreboot/qemu-coreboot.config index d670dc21a..1dc025692 100644 --- a/boards/qemu-coreboot/qemu-coreboot.config +++ b/boards/qemu-coreboot/qemu-coreboot.config @@ -21,6 +21,7 @@ CONFIG_GPG2=y CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_DROPBEAR=y +CONFIG_MSRTOOLS=y #Uncomment only one of the following block #Required for graphical gui-init (FBWhiptail) diff --git a/modules/msrtools b/modules/msrtools new file mode 100644 index 000000000..9adfab0cb --- /dev/null +++ b/modules/msrtools @@ -0,0 +1,26 @@ +modules-$(CONFIG_MSRTOOLS) += msrtools + +msrtools_depends := $(musl_dep) + +msrtools_version := git +msrtools_repo := https://github.com/osresearch/msr-tools + +#msrtools_version := 1.3 +msrtools_dir := msrtools-$(msrtools_version) +msrtools_tar := msr-tools-$(msrtools_version).tar.gz +msrtools_url := https://github.com/intel/msr-tools/archive/msr-tools-$(msrtools_version).tar.gz +msrtools_hash := e8205aa3d19e536080f5974ed06ab9a88c4c3f37870c2f6a3a08a2f39302c22c + +msrtools_target := \ + $(CROSS_TOOLS) \ + CFLAGS="-I$(INSTALL)/include" \ + LDFLAGS="-L$(INSTALL)/lib" \ + +msrtools_output := \ + wrmsr \ + rdmsr \ + cpuid \ + +msrtools_libraries := \ + +msrtools_configure := From 5ca3069b2387d937decceb60debf410652f386ab Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Mon, 8 Jul 2019 22:19:27 -0500 Subject: [PATCH 025/189] config-gui: add optional param to set file_selector title Signed-off-by: Matt DeVillier --- initrd/bin/config-gui.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh index eb3b2f481..51647aee3 100755 
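Review bot: `msrtools_version := git` together with `msrtools_repo` selects an unpinned checkout, so `msrtools_hash` no longer verifies anything that is actually built: with the version set to `git`, `msrtools_tar` and `msrtools_url` expand to `msr-tools-git.tar.gz`, and the hash presumably belongs to the commented-out 1.3 release tarball. How the shared module rules treat `_repo` is not visible in this hunk, but as written the source that ends up in the firmware image is whatever the repository head is at build time. Either return to the hashed release (`msrtools_version := 1.3`) or pin the checkout to a specific commit, and drop the variables that no longer apply. Since `wrmsr` ships in the initrd, a comment stating which boards need the tools and why would also help.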
--- a/initrd/bin/config-gui.sh +++ b/initrd/bin/config-gui.sh @@ -8,6 +8,7 @@ file_selector() { FILE="" FILE_LIST=$1 MENU_MSG=${2:-"Choose the file"} + MENU_TITLE=${3:-"Select your File"} # create file menu options if [ `cat "$FILE_LIST" | wc -l` -gt 0 ]; then option="" @@ -23,7 +24,7 @@ file_selector() { done < $FILE_LIST MENU_OPTIONS="$MENU_OPTIONS a Abort" - whiptail --clear --title "Select your File" \ + whiptail --clear --title "${MENU_TITLE}" \ --menu "${MENU_MSG} [1-$n, a to abort]:" 20 120 8 \ -- $MENU_OPTIONS \ 2>/tmp/whiptail || die "Aborting" From 34394032defb73ddd7f099ab5820364f854a29fe Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Mon, 8 Jul 2019 22:20:45 -0500 Subject: [PATCH 026/189] config-gui: add optional param to bypass menu Add optional parameter to bypass menu selection and immediately select a menu option. This allows us to call the 'Set Boot Device' option directly, saving the user an unnecessary step. Signed-off-by: Matt DeVillier --- initrd/bin/config-gui.sh | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh index 51647aee3..4dbe65265 100755 --- a/initrd/bin/config-gui.sh +++ b/initrd/bin/config-gui.sh @@ -51,16 +51,24 @@ file_selector() { fi } +param=$1 + while true; do + if [ ! -z "$param" ]; then + # use first char from parameter + menu_choice=${param::1} + unset param + else unset menu_choice whiptail --clear --title "Config Management Menu" \ --menu "This menu lets you change settings for the current BIOS session.\n\nAll changes will revert after a reboot,\n\nunless you also save them to the running BIOS." 20 90 10 \ 'b' ' Change the /boot device' \ 's' ' Save the current configuration to the running BIOS' \ - 'x' ' Exit' \ + 'x' ' Return to Main Menu' \ 2>/tmp/whiptail || recovery "GUI menu failed" menu_choice=$(cat /tmp/whiptail) + fi case "$menu_choice" in "x" ) From c982be5bd48314bb3e20ca4a277995a19192a697 Mon Sep 17 00:00:00 2001 
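Review bot: The new bypass takes only the first character of the argument, `menu_choice=${param::1}`, so any word beginning with `b`, `s` or `x` selects that menu entry, and the meaning of the parameter is not documented anywhere in the hunk. Matching whole words keeps menu letters added later from being triggered by accident, for example `case "$param" in boot_device_select) menu_choice=b ;; esac`; at minimum add a comment such as `# $1: optional action name; its first letter is used as the menu choice`. `${param::1}` is also a bash-style substring expansion, so it depends on the shell named in the script's shebang, which is outside this hunk.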
From: Matt DeVillier Date: Mon, 8 Jul 2019 22:23:04 -0500 Subject: [PATCH 027/189] config-gui: filter out invalid boot device options use similar filtering logic as with USB drives to provide the user a more sane list of boot device options. Show user only valid bootable partitions, not block devices. There's no point in showing /dev/nvme0 and /dev/nvme0n1 (eg) when /dev/nvme0n1p[1..n] (eg) exist, as the former are not valid boot devices. Signed-off-by: Matt DeVillier --- initrd/bin/config-gui.sh | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh index 4dbe65265..e1ea3ebd1 100755 --- a/initrd/bin/config-gui.sh +++ b/initrd/bin/config-gui.sh @@ -59,15 +59,15 @@ while true; do menu_choice=${param::1} unset param else - unset menu_choice - whiptail --clear --title "Config Management Menu" \ + unset menu_choice + whiptail --clear --title "Config Management Menu" \ --menu "This menu lets you change settings for the current BIOS session.\n\nAll changes will revert after a reboot,\n\nunless you also save them to the running BIOS." 20 90 10 \ 'b' ' Change the /boot device' \ 's' ' Save the current configuration to the running BIOS' \ 'x' ' Return to Main Menu' \ 2>/tmp/whiptail || recovery "GUI menu failed" - menu_choice=$(cat /tmp/whiptail) + menu_choice=$(cat /tmp/whiptail) fi case "$menu_choice" in 
@@ -76,8 +76,21 @@ while true; do ;; "b" ) CURRENT_OPTION=`grep 'CONFIG_BOOT_DEV=' /tmp/config | tail -n1 | cut -f2 -d '=' | tr -d '"'` - find /dev -name 'sd*' -o -name 'nvme*' > /tmp/filelist.txt - file_selector "/tmp/filelist.txt" "Choose the default /boot device.\n\nCurrently set to $CURRENT_OPTION." + fdisk -l | grep "Disk" | cut -f2 -d " " | cut -f1 -d ":" > /tmp/disklist.txt + # filter out extraneous options + > /tmp/boot_device_list.txt + for i in `cat /tmp/disklist.txt`; do + # remove block device from list if numeric partitions exist, since not bootable + let DEV_NUM_PARTITIONS=`ls -1 $i* | wc -l`-1 + if [ ${DEV_NUM_PARTITIONS} -eq 0 ]; then + echo $i >> /tmp/boot_device_list.txt + else + ls $i* | tail -${DEV_NUM_PARTITIONS} >> /tmp/boot_device_list.txt + fi + done + file_selector "/tmp/boot_device_list.txt" \ + "Choose the default /boot device.\n\nCurrently set to $CURRENT_OPTION." \ + "Boot Device Selection" if [ "$FILE" == "" ]; then return else From 258783e98e34a038e5b4448b320910baf02e9f17 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Mon, 8 Jul 2019 22:25:57 -0500 Subject: [PATCH 028/189] gui-init: don't reboot after updating TOTP/HOTP Updating TOTP/HOTP is mainly necessary after a user updates their firmware, and no need to force another reboot. Signed-off-by: Matt DeVillier --- initrd/bin/gui-init | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index f9f12f680..23045137a 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -97,10 +97,9 @@ update_totp() read /bin/seal-libremkey else - echo "Once you have scanned the QR code, hit Enter to reboot" + echo "Once you have scanned the QR code, hit Enter to continue" read fi - /bin/reboot } # enable USB to load modules for external kb From 0690c8c011ea188f078564422594691804213927 Mon Sep 17 00:00:00 2001 
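Review bot: `fdisk -l | grep "Disk"` keeps every line that contains the word, not only the `Disk /dev/...:` headers, so depending on the fdisk build and partition table type, lines such as a disk identifier can put non-device words into /tmp/disklist.txt, which then reach the unquoted `ls -1 $i*`. Anchoring the match, `grep "^Disk /dev/"`, and quoting the loop variable, `ls -1 "$i"*`, would keep the list to block devices. The same filter is copied into detect_boot_device in patch 036, so a shared helper in /etc/functions would avoid fixing it twice.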
From: Matt DeVillier Date: Mon, 8 Jul 2019 22:27:40 -0500 Subject: [PATCH 029/189] gui-init: use direct boot device selection If the boot device is invalid or unabled to be mounted and the user opts to select a new boot device, jump directly to that menu option and avoid the additional step of showing the config main menu. Signed-off-by: Matt DeVillier --- initrd/bin/gui-init | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 23045137a..bac7a298d 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -15,7 +15,7 @@ mount_boot() if [ ! -e "$CONFIG_BOOT_DEV" ]; then if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: $CONFIG_BOOT_DEV missing!" \ --yesno "The /boot device $CONFIG_BOOT_DEV could not be found!\n\nYou will need to configure the correct device for /boot.\n\nWould you like to configure the /boot device now?" 30 90) then - config-gui.sh + config-gui.sh boot_device_select else # exit to main menu break @@ -27,7 +27,7 @@ mount_boot() if [ $? -ne 0 ]; then if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Cannot mount /boot' \ --yesno "The /boot partition at $CONFIG_BOOT_DEV could not be mounted!\n\nWould you like to configure the /boot device now?" 30 90) then - config-gui.sh + config-gui.sh boot_device_select else recovery "Unable to mount /boot" fi From 928f003550dbe48fe25205fe5e9911b6423d9191 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Tue, 9 Jul 2019 09:02:46 -0500 Subject: [PATCH 030/189] config-gui: add 'Full Reset' option Add Full Reset option to clear all GPG keys and user settings, both from the local filesystem and running firmware, and clear/reset the TPM Signed-off-by: Matt DeVillier --- initrd/bin/config-gui.sh | 42 ++++++++++++++++++++++++++++++++-------- 1 file changed, 34 insertions(+), 8 deletions(-) diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh index e1ea3ebd1..ed31c478f 100755 --- a/initrd/bin/config-gui.sh 
+++ b/initrd/bin/config-gui.sh @@ -64,6 +64,7 @@ while true; do --menu "This menu lets you change settings for the current BIOS session.\n\nAll changes will revert after a reboot,\n\nunless you also save them to the running BIOS." 20 90 10 \ 'b' ' Change the /boot device' \ 's' ' Save the current configuration to the running BIOS' \ + 'r' ' Clear GPG key(s) and reset all user settings' \ 'x' ' Return to Main Menu' \ 2>/tmp/whiptail || recovery "GUI menu failed" 
@@ -115,15 +116,40 @@ while true; do cbfs -o /tmp/config-gui.rom -d "heads/initrd/etc/config.user" fi cbfs -o /tmp/config-gui.rom -a "heads/initrd/etc/config.user" -f /etc/config.user - - if (whiptail --title 'Update ROM?' \ - --yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 16 90) then - /bin/flash.sh /tmp/config-gui.rom - whiptail --title 'BIOS Updated Successfully' \ - --msgbox "BIOS updated successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 16 60 + ;; + "r" ) + # prompt for confirmation + if (whiptail --title 'Reset Configuration?' \ + --yesno "This will clear all GPG keys, clear boot signatures and checksums, + \nreset the /boot device, clear/reset the TPM (if present), + \nand reflash your BIOS with the cleaned configuration. + \n\nDo you want to proceed?" 16 90) then + # read current firmware + /bin/flash.sh -r /tmp/config-gui.rom + if [ ! -s /tmp/config-gui.rom ]; then + whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: BIOS Read Failed!' \ + --msgbox "Unable to read BIOS" 16 60 + exit 1 + fi + # clear local keyring + rm /.gnupg/* | true + # clear /boot signatures/checksums + mount -o remount,rw /boot + rm /boot/kexec* | true + mount -o remount,ro /boot + # clear GPG keys and user settings + for i in `cbfs -o /tmp/config-gui.rom -l | grep -e "heads/"`; do + cbfs -o /tmp/config-gui.rom -d $i + done + # flash cleared ROM + /bin/flash.sh -c /tmp/config-gui.rom + # reset TPM if present + if [ "$CONFIG_TPM" = "y" ]; then + /bin/tpm-reset + fi + whiptail --title 'Configuration Reset Updated Successfully' \ + --msgbox "Configuration reset and BIOS updated successfully.\n\nPress Enter to reboot" 16 60 /bin/reboot - else - exit 0 fi ;; esac From 29f89ae47b33ee827dd8a29c89a745ba500457c6 Mon Sep 17 00:00:00 2001 
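Review bot: As shown in this hunk, the preceding case (presumably `s`) now ends with `;;` directly after the `cbfs ... -a "heads/initrd/etc/config.user"` line, because the removed 'Update ROM?' block took the `/bin/flash.sh /tmp/config-gui.rom` call with it. Unless the image is flashed somewhere outside the hunk, 'Save the current configuration' only edits a file in /tmp. In the new `r` case the result of `/bin/flash.sh -c /tmp/config-gui.rom` is not checked, so the TPM reset and the success message run even when flashing failed; `/bin/flash.sh -c /tmp/config-gui.rom || die "Reset: flash failed"` would stop there. `rm /.gnupg/* | true` pipes into `true` rather than using `|| true`, which works but hides the intent.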
From: Matt DeVillier Date: Tue, 9 Jul 2019 11:41:31 -0500 Subject: [PATCH 031/189] gpg_flash_rom(): ensure files exist before adding to CBFS Check that any files added to cbfs exist before attempting to add them, so flashing doesn't fail after a reset. Signed-off-by: Matt DeVillier --- initrd/bin/gpg-gui.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/initrd/bin/gpg-gui.sh b/initrd/bin/gpg-gui.sh index ea8efa732..6a7523745 100755 --- a/initrd/bin/gpg-gui.sh +++ b/initrd/bin/gpg-gui.sh @@ -105,7 +105,9 @@ gpg_flash_rom() { if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/trustdb.gpg") then cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/trustdb.gpg" fi - cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/trustdb.gpg" -f /.gnupg/trustdb.gpg + if [ -e /.gnupg/trustdb.gpg ]; then + cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/trustdb.gpg" -f /.gnupg/trustdb.gpg + fi #Remove old method owner trust exported file if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/otrust.txt") then @@ -116,8 +118,9 @@ gpg_flash_rom() { if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/etc/config.user") then cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/etc/config.user" fi - cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/etc/config.user" -f /etc/config.user - + if [ -e /etc/config.user ]; then + cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/etc/config.user" -f /etc/config.user + fi /bin/flash.sh /tmp/gpg-gui.rom if (whiptail --title 'BIOS Flashed Successfully' \ From 5ff3849c169e8afe0ea61cc995cf3c70e192b059 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Tue, 9 Jul 2019 11:43:06 -0500 Subject: [PATCH 032/189] kecec_select_boot: default to Y when setting new boot option Next prompt will be to ensure GPG key is attached, which defaults to Y, so default here as well for consistency Signed-off-by: Matt DeVillier --- initrd/bin/kexec-select-boot | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/initrd/bin/kexec-select-boot b/initrd/bin/kexec-select-boot index 36b35a613..793d6a79b 100755 --- a/initrd/bin/kexec-select-boot +++ b/initrd/bin/kexec-select-boot @@ -186,11 +186,12 @@ scan_options() { save_default_option() { read \ -n 1 \ - -p "Saving a default will modify the disk. Proceed? (y/n): " \ + -p "Saving a default will modify the disk. Proceed? (Y/n): " \ default_confirm echo - if [ "$default_confirm" = "y" ]; then + [ "$default_confirm" = "" ] && default_confirm="y" + if [[ "$default_confirm" = "y" || "$default_confirm" = "Y" ]]; then if kexec-save-default \ -b "$bootdir" \ -d "$paramsdev" \ From c33209add18122894c10b8fef810de7eec04d559 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Tue, 9 Jul 2019 16:46:14 -0500 Subject: [PATCH 033/189] confirm_gpg_card: prompt for retry on detection failure Initial card detection can sometimes fail, so prompt the user to remove/reinsert their GPG card before retrying. Since errexit is likely set, disable it prior to calling --card-status so we can handle the error ourself, then re-set if necessary when done. Signed-off-by: Matt DeVillier --- initrd/etc/functions | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/initrd/etc/functions b/initrd/etc/functions index 7a2cfdacb..d6cf0c14e 100755 --- a/initrd/etc/functions +++ b/initrd/etc/functions 
@@ -136,8 +136,28 @@ confirm_gpg_card() # setup the USB so we can reach the GPG card enable_usb - gpg --card-status \ - || die "gpg card read failed" + echo -e "\nVerifying presence of GPG card...\n" + # ensure we don't exit without retrying + errexit=$(set -o | grep errexit | awk '{print $2}') + set +e + gpg --card-status > /dev/null + if [ $? -ne 0 ]; then + # prompt for reinsertion and try a second time + read -n1 -r -p \ + "Can't access GPG key; remove and reinsert, then press Enter to retry. " \ + ignored + # restore prev errexit state + if [ "$errexit" = "on" ]; then + set -e + fi + # retry card status + gpg --card-status > /dev/null \ + || die "gpg card read failed" + fi + # restore prev errexit state + if [ "$errexit" = "on" ]; then + set -e + fi } From e8e1032027d646615a007bf48282c0f9bbf66520 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Tue, 9 Jul 2019 16:53:40 -0500 Subject: [PATCH 034/189] gpg_add_key_reflash: handle user cancellation if user chooses abort option, exit without flashing ROM Signed-off-by: Matt DeVillier --- initrd/bin/gpg-gui.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/initrd/bin/gpg-gui.sh b/initrd/bin/gpg-gui.sh index 6a7523745..0b016b626 100755 --- a/initrd/bin/gpg-gui.sh +++ b/initrd/bin/gpg-gui.sh @@ -196,7 +196,12 @@ gpg_add_key_reflash() { find /media -name '*.key' > /tmp/filelist.txt find /media -name '*.asc' >> /tmp/filelist.txt file_selector "/tmp/filelist.txt" "Choose your GPG public key" - PUBKEY=$FILE + # bail if user didn't select a file + if [ "$FILE" = "" ]; then + return + else + PUBKEY=$FILE + fi /bin/flash.sh -r /tmp/gpg-gui.rom if [ ! -s /tmp/gpg-gui.rom ]; then From a27affcc7d751018f0e9bd5c685e4fd04a4f1908 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 31 Jul 2019 22:53:04 -0500 Subject: [PATCH 035/189] flash.sh: persist serial in cbfs Librem devices store their serial number as a text file in cbfs; persist this across flashes. 
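Review bot: The errexit save/restore around `gpg --card-status` can be dropped: a command used as an `if` condition does not trigger `set -e`, so `if ! gpg --card-status > /dev/null; then` gives the same retry behaviour without `set +e` and the two restore blocks. The prompt also says 'press Enter' while `read -n1` returns on any single key. confirm_gpg_card starts above the hunk.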
Signed-off-by: Matt DeVillier --- initrd/bin/flash.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/initrd/bin/flash.sh b/initrd/bin/flash.sh index e89c9a98c..121b42b1e 100755 --- a/initrd/bin/flash.sh +++ b/initrd/bin/flash.sh @@ -43,6 +43,12 @@ flash_rom() { preserve_rom /tmp/${CONFIG_BOARD}.rom \ || die "$ROM: Config preservation failed" fi + # persist serial number from CBFS + if cbfs -r serial_number > /tmp/serial 2>/dev/null; then + echo "Persisting system serial" + cbfs -o /tmp/${CONFIG_BOARD}.rom -d serial_number 2>/dev/null || true + cbfs -o /tmp/${CONFIG_BOARD}.rom -a serial_number -f /tmp/serial + fi flashrom $FLASHROM_OPTIONS -w /tmp/${CONFIG_BOARD}.rom \ || die "$ROM: Flash failed" From 4f54a97cf208e28f624a206ad62469966b8c726e Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Mon, 19 Aug 2019 17:07:22 -0500 Subject: [PATCH 036/189] etc/function: add detect_boot_device() Add function to detect boot device. Start by checking CONFIG_BOOT_DEV, then iterate thru all bootable partitions. Check if partition is mountable, contains grub directory. Update CONFIG_BOOT_DEV and mount on /boot if successful. Signed-off-by: Matt DeVillier --- initrd/etc/functions | 47 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/initrd/etc/functions b/initrd/etc/functions index d6cf0c14e..056c3e822 100755 --- a/initrd/etc/functions +++ b/initrd/etc/functions 
@@ -293,3 +293,50 @@ update_checksums() # switch back to ro mode mount -o ro,remount /boot } + +# detect and set /boot device +# mount /boot if successful +detect_boot_device() +{ + # unmount /boot to be safe + umount /boot 2>/dev/null + + # check $CONFIG_BOOT_DEV if set/valid + if [ -e "$CONFIG_BOOT_DEV" ]; then + mount -o ro $CONFIG_BOOT_DEV /boot >/dev/null 2>&1 + if [[ $? && -d /boot/grub ]]; then + # CONFIG_BOOT_DEV is valid device and contains an installed OS + return 0 + fi + fi + + # generate list of possible boot devices + fdisk -l | grep "Disk" | cut -f2 -d " " | cut -f1 -d ":" > /tmp/disklist + + # filter out extraneous options + > /tmp/boot_device_list + for i in `cat /tmp/disklist`; do + # remove block device from list if numeric partitions exist, since not bootable + let DEV_NUM_PARTITIONS=`ls -1 $i* | wc -l`-1 + if [ ${DEV_NUM_PARTITIONS} -eq 0 ]; then + echo $i >> /tmp/boot_device_list + else + ls $i* | tail -${DEV_NUM_PARTITIONS} >> /tmp/boot_device_list + fi + done + + # iterate thru possible options and check for grub dir + for i in `cat /tmp/boot_device_list`; do + umount /boot 2>/dev/null + mount -o ro $i /boot >/dev/null 2>&1 + if [[ $? && -d /boot/grub ]]; then + CONFIG_BOOT_DEV="$i" + return 0 + fi + done + + # no valid boot device found + echo "Unable to locate /boot files on any mounted disk" + umount /boot 2>/dev/null + return 1 +} From f067d9af234be0985295d6b5913aee45726e8219 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Thu, 15 Aug 2019 13:36:05 -0500 Subject: [PATCH 037/189] initrd/bin: add OEM Factory Reset Add oem-factory-reset script which performs an unattended reset and configuration of the device's TPM, GPG security token, and boot device / boot selection. Signed-off-by: Matt DeVillier --- initrd/bin/oem-factory-reset | 355 +++++++++++++++++++++++++++++++++++ 1 file changed, 355 insertions(+) create mode 100755 initrd/bin/oem-factory-reset 
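Review bot: Both `if [[ $? && -d /boot/grub ]]` tests treat `$?` as a non-empty string, which is true for every exit status, so a failed mount is never detected and only the directory test decides. Test the command directly, `if mount -o ro "$i" /boot >/dev/null 2>&1 && [ -d /boot/grub ]; then`, and do the same with `"$CONFIG_BOOT_DEV"` in the first block. The scan also accepts the first partition that has a `grub` directory, whatever disk it is on; if removable media can be attached at this point, a comment stating that assumption, or a check that skips such devices, would be worth adding.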
diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset
new file mode 100755
index 000000000..e5138387a
--- /dev/null
+++ b/initrd/bin/oem-factory-reset
@@ -0,0 +1,355 @@ +#!/bin/sh +# Automated setup of TPM, GPG keys, and disk + +set -o pipefail + +# use TERM to exit on error +trap "exit 1" TERM +export TOP_PID=$$ + +## Static local variables + +CLEAR="--clear" +CONTINUE="--yes-button Continue" +CANCEL="--no-button Cancel" +HEIGHT="150" +WIDTH="220" + +USER_PIN_DEF=123456 +ADMIN_PIN_DEF=12345678 +TPM_PASS_DEF=12345678 + +## External files sourced + +. /etc/functions +. /tmp/config + +## functions + +die() { + + local msg=$1 + if [ -n "$msg" ]; then + echo -e "\n$msg" + fi + kill -s TERM $TOP_PID + exit 1 +} + +whiptail_error() +{ + local msg=$1 + if [ "$msg" = "" ]; then + die "whiptail error: An error msg is required" + fi + whiptail --msgbox "${msg}\n\n" $WIDTH $HEIGHT $CONFIG_ERROR_BG_COLOR --title "Error" +} + +whiptail_error_die() +{ + whiptail_error "$@" + die +} + +gpg_key_reset() +{ + GPG_KEY_NAME=`date +%Y%m%d%H%M%S` + # Factory reset GPG card + { + echo admin + echo factory-reset + echo y + echo yes + } | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit \ + > /tmp/gpg_card_edit_output 2>/dev/null + if [ $? -ne 0 ]; then + ERROR=`cat /tmp/gpg_card_edit_output` + whiptail_error_die "GPG Key factory reset failed!\n\n$ERROR" + fi + # Generate OEM GPG keys + { + echo admin + echo generate + echo n + echo ${ADMIN_PIN_DEF} + echo ${USER_PIN_DEF} + echo 0 + echo y + echo "OEM Key" + echo "oem-${GPG_KEY_NAME}@example.com" + echo "OEM-generated key" + } | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \ + > /tmp/gpg_card_edit_output 2>/dev/null + if [ $? -ne 0 ]; then + ERROR=`cat /tmp/gpg_card_edit_output` + whiptail_error_die "GPG Key automatic keygen failed!\n\n$ERROR" + fi +} + +generate_checksums() +{ + # ensure /boot mounted + if ! 
grep -q /boot /proc/mounts ; then + mount -o rw /boot || whiptail_error_die "Unable to mount /boot" + else + mount -o remount,rw /boot || whiptail_error_die "Unable to mount /boot" + fi + + # clear any existing checksums/signatures + rm /boot/kexec* 2>/dev/null + + # create Heads TPM counter + tpm counter_create \ + -pwdo "$TPM_PASS_DEF" \ + -pwdc '' \ + -la -3135106223 \ + | tee /tmp/counter \ + || whiptail_error_die "Unable to create TPM counter" + TPM_COUNTER=`cut -d: -f1 < /tmp/counter` + + # increment TPM counter + increment_tpm_counter $TPM_COUNTER >/dev/null 2>&1 \ + || whiptail_error_die "Unable to increment tpm counter" + + # create rollback file + sha256sum /tmp/counter-$TPM_COUNTER > /boot/kexec_rollback.txt 2>/dev/null \ + || whiptail_error_die "Unable to create rollback file" + + # set default boot option + set_default_boot_option + + # generate hashes + find /boot -type f ! -name '*kexec*' \ + | xargs sha256sum > /boot/kexec_hashes.txt 2>/dev/null \ + || whiptail_error_die "Error generating kexec hashes" + + param_files=`find /boot/kexec*.txt` + [ -z "$param_files" ] \ + && whiptail_error_die "No kexec parameter files to sign" + + # sign kexec boot files + if sha256sum $param_files 2>/dev/null | gpg \ + --pinentry-mode loopback \ + --passphrase $USER_PIN_DEF \ + --digest-algo SHA256 \ + --detach-sign \ + -a \ + > /boot/kexec.sig 2>/tmp/error; then + # successful - update the validated params + if ! 
check_config /boot >/dev/null 2>/tmp/error ; then + cat /tmp/error + ret=1 + else + ret=0 + fi + else + cat /tmp/error + ret=1 + fi + + # done writing to /boot, switch back to RO + mount -o ro,remount /boot + + if [ $ret = 1 ] ; then + ERROR=$(tail -n 1 /tmp/error) + whiptail_error_die "Error signing kexec boot files:\n\n$ERROR" + fi +} + +set_default_boot_option() +{ + option_file="/tmp/kexec_options.txt" + tmp_menu_file="/tmp/kexec/kexec_menu.txt" + hash_file="/boot/kexec_default_hashes.txt" + + mkdir -p /tmp/kexec/ + rm $option_file 2>/dev/null + # parse boot options from grub.cfg + for i in `find /boot -name "grub.cfg"`; do + kexec-parse-boot "/boot" "$i" >> $option_file + done + [ ! -r $option_file ] \ + && whiptail_error_die "Failed to parse any boot options" + + # sort boot options + sort -r $option_file | uniq > $tmp_menu_file + + ## save first option as default + entry=`head -n 1 $tmp_menu_file | tail -1` + + # clear existing default configs + rm "/boot/kexec_default.*.txt" 2>/dev/null + + # write new config + echo "$entry" > /boot/kexec_default.1.txt + + # validate boot option + cd /boot && /bin/kexec-boot -b "/boot" -e "$entry" -f \ + | xargs sha256sum > $hash_file 2>/dev/null \ + || whiptail_error_die "Failed to create hashes of boot files" +} + +## main script start + +# check for args +if [ "$1" != "" ]; then + title_text=$1 +else + title_text="OEM Factory Reset" +fi +if [ "$2" != "" ]; then + bg_color=$2 +else + bg_color="" +fi + +# show warning prompt +if ! whiptail --yesno " + This operation will automatically:\n\n + * ERASE the TPM and reset it with a default password\n + * ERASE any keys or passwords on the GPG smart card,\n + reset it to a factory state, and generate new keys\n + * Add the new GPG key to the firmware and reflash it\n + * Sign all of the files in /boot with the new GPG key\n\n + It requires that you already have an OS installed on a\n + dedicated /boot partition. 
Do you wish to continue?\n" \ + $WIDTH $HEIGHT $CONTINUE $CANCEL $CLEAR $bg_color --title "$title_text" ; then + exit 1 +fi + +## sanity check the USB, GPG key, and boot device before proceeding further + +# mount USB, then remount rw +echo -e "\nChecking for USB media...\n" +# ensure /media not mounted +umount /media 2>/dev/null +# mount-usb will detect and prompt if no USB inserted +if ! mount-usb rw 2>/tmp/error; then + ERROR=$(tail -n 1 /tmp/error) + whiptail_error_die "Unable to mount USB on /media:\n\n${ERROR}" +fi + +# ensure GPG key connected +echo -e "\nChecking for GPG Key...\n" +# USB kernel modules already loaded via mount-usb +if ! gpg --card-status >/dev/null 2>&1 ; then + whiptail_error "Can't access GPG Key; remove and reinsert, then press Enter to retry." + if ! gpg --card-status >/dev/null 2>/tmp/error ; then + ERROR=$(tail -n 1 /tmp/error) + whiptail_error_die "Unable to detect GPG Key:\n\n${ERROR}" + fi +fi + +# detect and set /boot device +echo -e "\nDetecting and setting boot device...\n" +if ! detect_boot_device ; then + whiptail_error_die "Unable to locate /boot files on any mounted disk" +else + echo -e "Boot device set to $CONFIG_BOOT_DEV\n" +fi + +# update configs +replace_config /etc/config.user "CONFIG_BOOT_DEV" "$CONFIG_BOOT_DEV" +combine_configs + +## reset TPM and set default password +echo -e "\nResetting TPM...\n" +{ + echo $TPM_PASS_DEF + echo $TPM_PASS_DEF +} | /bin/tpm-reset >/dev/null 2>/tmp/error +if [ $? 
-ne 0 ]; then + ERROR=$(tail -n 1 /tmp/error) + whiptail_error_die "Error resetting TPM:\n\n${ERROR}" +fi + +# clear local keyring +rm /.gnupg/*.gpg 2>/dev/null +rm /.gnupg/*.kbx 2>/dev/null +gpg --list-keys >/dev/null 2>&1 + +## reset the GPG Key +echo -e "\nResetting GPG Key...\n(this will take a minute or two)\n" +gpg_key_reset + +## export generated key to USB +echo -e "\nExporting generated key to USB...\n" +# parse name of generated key +GPG_GEN_KEY=`grep -A1 pub /tmp/gpg_card_edit_output | tail -n1 | sed -nr 's/^([ ])*//p'` +PUBKEY="/tmp/${GPG_GEN_KEY}.asc" +# export pubkey to file +if ! gpg --export --armor $GPG_GEN_KEY > "${PUBKEY}" 2>/tmp/error ; then + ERROR=$(tail -n 1 /tmp/error) + whiptail_error_die "GPG Key gpg export to file failed!\n\n$ERROR" +fi +# copy to USB +if ! cp "${PUBKEY}" "/media/${GPG_GEN_KEY}.asc" 2>/tmp/error ; then + ERROR=$(tail -n 1 /tmp/error) + whiptail_error_die "Key export error: unable to copy ${GPG_GEN_KEY}.asc to /media:\n\n$ERROR" +fi +umount /media 2>/dev/null + +## flash generated key to ROM +echo -e "\nReading current firmware...\n(this will take a minute or two)\n" +/bin/flash.sh -r /tmp/oem-setup.rom >/dev/null 2>/tmp/error +if [ ! -s /tmp/oem-setup.rom ]; then + ERROR=$(tail -n 1 /tmp/error) + whiptail_error_die "Error reading current firmware:\n\n$ERROR" +fi + +# ensure key imported locally +if ! cat "$PUBKEY" | gpg --import >/dev/null 2>/tmp/error ; then + ERROR=$(tail -n 1 /tmp/error) + whiptail_error_die "Error importing GPG key:\n\n$ERROR" +fi +# update /.gnupg/trustdb.gpg to ultimately trust all user provided public keys +if ! gpg --list-keys --fingerprint --with-colons 2>/dev/null \ + | sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' \ + | gpg --import-ownertrust >/dev/null 2>/tmp/error ; then + ERROR=$(tail -n 1 /tmp/error) + whiptail_error_die "Error importing GPG ownertrust:\n\n$ERROR" +fi +if ! 
gpg --update-trust >/dev/null 2>/tmp/error ; then + ERROR=$(tail -n 1 /tmp/error) + whiptail_error_die "Error updating GPG ownertrust:\n\n$ERROR" +fi +# clear any existing heads/gpg files from current firmware +for i in `cbfs -o /tmp/oem-setup.rom -l | grep -e "heads/"`; do + cbfs -o /tmp/oem-setup.rom -d $i +done +# add heads/gpg files to current firmware +if [ -e /.gnupg/pubring.kbx ];then + cbfs -o /tmp/oem-setup.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx + if [ -e /.gnupg/pubring.gpg ];then + rm /.gnupg/pubring.gpg + fi +elif [ -e /.gnupg/pubring.gpg ];then + cbfs -o /tmp/oem-setup.rom -a "heads/initrd/.gnupg/pubring.gpg" -f /.gnupg/pubring.gpg +fi +if [ -e /.gnupg/trustdb.gpg ]; then + cbfs -o /tmp/oem-setup.rom -a "heads/initrd/.gnupg/trustdb.gpg" -f /.gnupg/trustdb.gpg +fi +# persist user config changes (boot device) +if [ -e /etc/config.user ]; then + cbfs -o /tmp/oem-setup.rom -a "heads/initrd/etc/config.user" -f /etc/config.user +fi +# flash updated firmware image +echo -e "\nAdding generated key to current firmware and re-flashing...\n" +if ! /bin/flash.sh /tmp/oem-setup.rom >/dev/null 2>/tmp/error ; then + ERROR=$(tail -n 1 /tmp/error) + whiptail_error_die "Error flashing updated firmware image:\n\n$ERROR" +fi + +## sign files in /boot and generate checksums +echo -e "\nSigning boot files and generating checksums...\n" +generate_checksums + +## all done -- reboot +whiptail --msgbox " + The OEM Factory Reset has completed successfully\n\n + After rebooting, you will need to generate new TOTP/HOTP secrets\n + when prompted in order to complete the setup process.\n\n + Press any key to reboot.\n" \ + $WIDTH $HEIGHT --title "OEM Factory Reset Complete" + +reboot From d8bcc7b841660a633f689296916302cf72d38356 Mon Sep 17 00:00:00 2001 
From: Matt DeVillier Date: Fri, 16 Aug 2019 09:33:17 -0500 Subject: [PATCH 038/189] gui-init: add OEM Factory Reset to options menu Add an OEM Factory Reset menu option, which performs an unattended reset and configuration of the device's TPM, GPG security token, and boot device / boot selection. Signed-off-by: Matt DeVillier --- initrd/bin/gui-init | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index bac7a298d..5ba4edac5 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -195,6 +195,7 @@ while true; do 'c' ' Change configuration settings -->' \ 'f' ' Flash/Update the BIOS -->' \ 'G' ' GPG Options -->' \ + 'F' ' OEM Factory Reset -->' \ 'x' ' Exit to recovery shell' \ 'r' ' <-- Return to main menu' \ 2>/tmp/whiptail || recovery "GUI menu failed" @@ -335,6 +336,11 @@ while true; do continue fi + if [ "$totp_confirm" = "F" ]; then + oem-factory-reset + continue + fi + if [ "$totp_confirm" = "P" ]; then poweroff fi From ba23fb7ac2ce81adaf692b7cd3fc5fc380668697 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Fri, 16 Aug 2019 09:35:40 -0500 Subject: [PATCH 039/189] gpg-gui: remove OEM factory reset option superseded by newer version in main options menu Signed-off-by: Matt DeVillier --- initrd/bin/gpg-gui.sh | 42 ------------------------------------------ 1 file changed, 42 deletions(-) diff --git a/initrd/bin/gpg-gui.sh b/initrd/bin/gpg-gui.sh index 0b016b626..c7d179e33 100755 --- a/initrd/bin/gpg-gui.sh +++ b/initrd/bin/gpg-gui.sh 
@@ -164,29 +164,6 @@ gpg_post_gen_mgmt() { gpg_flash_rom fi } -gpg_sc_oem_reset() { - GPG_KEY_NAME=`date +%Y%m%d%H%M%S` - # Factory reset GPG card - { - echo admin - echo factory-reset - echo y - echo yes - } | gpg --command-fd=0 --status-fd=1 --pinentry-mode=loopback --card-edit > /tmp/gpg_card_edit_output || return 1 - # Generate OEM GPG keys - { - echo admin - echo generate - echo n - echo 12345678 - echo 123456 - echo 0 - echo y - echo "OEM Key" - echo "oem-${GPG_KEY_NAME}@example.com" - echo "OEM-generated key" - } | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit > /tmp/gpg_card_edit_output || return 2 -} gpg_add_key_reflash() { if (whiptail --title 'GPG public key required' \ @@ -229,7 +206,6 @@ while true; do 'e' ' Replace GPG key(s) in the current ROM + reflash' \ 'l' ' List GPG keys in your keyring' \ 'g' ' Generate GPG keys manually on a USB security token' \ - 'o' ' OEM Factory reset + auto keygen USB security token' \ 'x' ' Exit' \ 2>/tmp/whiptail || recovery "GUI menu failed" 
@@ -303,24 +279,6 @@ while true; do gpg_post_gen_mgmt fi ;; - "o" ) - if (whiptail $CONFIG_WARNING_BG_COLOR --title 'WARNING: Factory Reset USB Security Token?' \ - --yesno "This will perform a FACTORY RESET of the USB security token!\n\nThis will:\n* Reset all security token passwords to default\n* Erase any keys on the security token\n* Generate new automated GPG keys on the token\n\nAny data now on the USB security token will be LOST!\n\nDo you want to proceed?" 16 120) then - confirm_gpg_card - gpg_sc_oem_reset - if [ $? -eq 0 ]; then - gpg_post_gen_mgmt - elif [ $? -eq 1 ]; then - GPG_OUTPUT=`cat /tmp/gpg_card_edit_output` - whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Factory Reset Failed!' \ - --msgbox "Factory Reset Failed!\n\n$GPG_OUTPUT" 16 120 - elif [ $? -eq 2 ]; then - GPG_OUTPUT=`cat /tmp/gpg_card_edit_output` - whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Automatic Keygen Failed!' \ - --msgbox "Automatic Keygen Failed!\n\n$GPG_OUTPUT" 16 120 - fi - fi - ;; esac done From aab9004c5303ca37fb9adf8c86f854b3ad5fe93d Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Mon, 19 Aug 2019 17:09:42 -0500 Subject: [PATCH 040/189] gui-init: add clean boot check Add a check to determine if first boot after flashing a cleaned ROM, and prompt user to run the OEM Factory Reset if so Signed-off-by: Matt DeVillier --- initrd/bin/gui-init | 36 ++++++++++++++++++++++++++++++++++-- 1 file changed, 34 insertions(+), 2 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 5ba4edac5..dfa6a9233 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init 
@@ -102,11 +102,43 @@ update_totp() fi } +clean_boot_check() +{ + # assume /boot mounted + if ! grep -q /boot /proc/mounts ; then + return + fi + + # check for any kexec files in /boot + kexec_files=`find /boot -name kexec*.txt` + [ ! -z "$kexec_files" ] && return + + #check for GPG key in keyring + GPG_KEY_COUNT=`gpg -k 2>/dev/null | wc -l` + [ $GPG_KEY_COUNT -ne 0 ] && return + + # check for USB security token + if ! gpg --card-status > /dev/null ; then + return + fi + + # OS is installed, no kexec files present, no GPG keys in keyring, security token present + # prompt user to run OEM factory reset + oem-factory-reset \ + "Clean Boot Detected - Perform OEM Factory Reset?" "$CONFIG_WARNING_BG_COLOR" +} + # enable USB to load modules for external kb enable_usb -# ensure /boot is sane and mount it -mount_boot +if detect_boot_device ; then + # /boot device with installed OS found + clean_boot_check +else + # can't determine /boot device or no OS installed, + # so fall back to interactive selection + mount_boot +fi last_half=X while true; do From 5fa06316cfc125c29c6ec3fe07f234cab91dc8d4 Mon Sep 17 00:00:00 2001 From: MrChromebox Date: Mon, 30 Sep 2019 12:10:58 -0500 Subject: [PATCH 041/189] blobs/librem_skl: update get_blobs script update file hashes to match Purism fork --- blobs/librem_skl/get_blobs.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/blobs/librem_skl/get_blobs.sh b/blobs/librem_skl/get_blobs.sh index 02ffad77d..1bbb1003f 100755 --- a/blobs/librem_skl/get_blobs.sh +++ b/blobs/librem_skl/get_blobs.sh 
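Review bot: `find /boot -name kexec*.txt` in `clean_boot_check` passes the glob unquoted, so the shell expands it against the current directory before find runs. If a matching file exists there, find searches for that literal name (or fails on several matches), and the function can wrongly conclude that /boot has no kexec files and offer the factory reset. Quote the pattern: `kexec_files=$(find /boot -name 'kexec*.txt')`. The `gpg --card-status` check just below sends only stdout to /dev/null, so its error text will appear on the console at every boot without a token; `>/dev/null 2>&1` would match how oem-factory-reset probes the card.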
@@ -2,10 +2,11 @@ # depends on : wget sha256sum gunzip # Purism source -PURISM_SOURCE="https://source.puri.sm/coreboot/releases/raw/master" +RELEASES_GIT_HASH="ced905accd065df3de6561ee7278400f320f14f7" +PURISM_SOURCE="https://source.puri.sm/coreboot/releases/raw/${RELEASES_GIT_HASH}" # Librem 13 v2/v3 and Librem 15 v3 binary blob hashes -SKL_UCODE_SHA="9c84936df700d74612a99e6ab581640ecf423d25a0b74a1ea23a6d9872349213" +SKL_UCODE_SHA="6c6e420fe0490de51a504303d4c5d12ef8832ffb98a2d5327a9a07f05e62b01f" SKL_DESCRIPTOR_SHA="642ca36f52aabb5198b82e013bf64a73a5148693a58376fffce322a4d438b524" SKL_ME_SHA="cf06d3eb8b24490a1ab46fd988b6cef822e5347cd6a2e92bc332cb4a376eb8bc" SKL_FSPM_SHA="5da3ad7718eb3f6700fb9d97be988d9c8bdd2d8b5910273a80928c49122d5b2d" @@ -26,7 +27,7 @@ IFDTOOL_BIN="./ifdtool" COREBOOT_IMAGE="coreboot-l13v3.rom" COREBOOT_IMAGE_FILE="$COREBOOT_IMAGE.gz" COREBOOT_IMAGE_URL="$PURISM_SOURCE/librem_13v3/$COREBOOT_IMAGE_FILE" -COREBOOT_IMAGE_SHA="34276a7b82624cfb29aed688df7f2b4e747a9e951196e376732e972c8575ece6" +COREBOOT_IMAGE_SHA="f20b999457205f033bf122a436f906172bc53ff718034a32f931d9e1712a1033" die () { local msg=$1 @@ -121,4 +122,4 @@ rm -f $COREBOOT_IMAGE >/dev/null 2>&1 rm -f *.gz >/dev/null 2>&1 echo "" -echo "All blobs have been verified and are ready for use" \ No newline at end of file +echo "All blobs have been verified and are ready for use" From 71a2ddfb1e69772a418c4d919fa9d1d72f50232f Mon Sep 17 00:00:00 2001 From: MrChromebox Date: Mon, 30 Sep 2019 12:12:36 -0500 Subject: [PATCH 042/189] blobs/librem_kbl: update get_blobs script update file hashes to match Purism fork --- blobs/librem_kbl/get_blobs.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/blobs/librem_kbl/get_blobs.sh b/blobs/librem_kbl/get_blobs.sh index 7614119f1..dbf771f0a 100755 --- a/blobs/librem_kbl/get_blobs.sh +++ b/blobs/librem_kbl/get_blobs.sh 
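Review bot: `RELEASES_GIT_HASH` and the `*_SHA` values are now coupled, because each checksum is only valid for the file as it exists at that commit, but nothing in the script says so. A comment above the new assignment would record it for the next person who bumps the pin: `# commit of the releases repo to download from; every *_SHA below belongs to the file at this commit, update them together`. The same comment is worth adding to blobs/librem_kbl/get_blobs.sh, which gets the identical change in the next patch. How the checksums are compared against the downloads is outside this hunk.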
@@ -2,10 +2,11 @@ # depends on : wget sha256sum gunzip # Purism source -PURISM_SOURCE="https://source.puri.sm/coreboot/releases/raw/master" +RELEASES_GIT_HASH="ced905accd065df3de6561ee7278400f320f14f7" +PURISM_SOURCE="https://source.puri.sm/coreboot/releases/raw/${RELEASES_GIT_HASH}" # Librem 13 v4 and Librem 15 v4 binary blob hashes -KBL_UCODE_SHA="a420274eecca369fcca465cc46725d61c0ae8ca2e18f201b1751faf9e081fb2e" +KBL_UCODE_SHA="0e3a06d8949a1d7df2c75b414765b98181766e3bd5bc7c317fad65bfcf7c276b" KBL_DESCRIPTOR_SHA="642ca36f52aabb5198b82e013bf64a73a5148693a58376fffce322a4d438b524" KBL_ME_SHA="0eec2e1135193941edd39d0ec0f463e353d0c6c9068867a2f32a72b64334fb34" KBL_FSPM_SHA="5da3ad7718eb3f6700fb9d97be988d9c8bdd2d8b5910273a80928c49122d5b2d" @@ -26,7 +27,7 @@ IFDTOOL_BIN="./ifdtool" COREBOOT_IMAGE="coreboot-l13v4.rom" COREBOOT_IMAGE_FILE="$COREBOOT_IMAGE.gz" COREBOOT_IMAGE_URL="$PURISM_SOURCE/librem_13v4/$COREBOOT_IMAGE_FILE" -COREBOOT_IMAGE_SHA="4491efd0a8b2de5a88fd7491a5d2605884ed956c3d271d7761906269b4cfb601" +COREBOOT_IMAGE_SHA="147b911aad362bc67084d1591950e22557ffaba056f42484b521aa48a617c5b0" die () { local msg=$1 @@ -121,4 +122,4 @@ rm -f $COREBOOT_IMAGE >/dev/null 2>&1 rm -f *.gz >/dev/null 2>&1 echo "" -echo "All blobs have been verified and are ready for use" \ No newline at end of file +echo "All blobs have been verified and are ready for use" From 4f0e7785824591c0e4463f459eff570904e09207 Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Tue, 29 Oct 2019 12:52:27 +0100 Subject: [PATCH 043/189] musl-cross: update patch for recent git commits (#617) Signed-off-by: Trammell hudson --- patches/musl-cross.patch | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/patches/musl-cross.patch b/patches/musl-cross.patch index 267c339a3..7161e6736 100644 --- a/patches/musl-cross.patch +++ b/patches/musl-cross.patch @@ -1,5 +1,5 @@ diff --git a/config.sh b/config.sh -index 4e321c9..6d9ea32 100644 +index ec3c1ce..844fb3d 100644 --- a/config.sh 
+++ b/config.sh @@ -1,13 +1,15 @@ @@ -20,7 +20,7 @@ index 4e321c9..6d9ea32 100644 # If you use arm, you may need more fine-tuning: # arm hardfloat v7 -@@ -20,7 +22,10 @@ CC_BASE_PREFIX=/opt/cross +@@ -20,11 +22,14 @@ CC_BASE_PREFIX=/opt/cross #GCC_BOOTSTRAP_CONFFLAGS="--with-arch=armv7-a --with-float=softfp" #GCC_CONFFLAGS="--with-arch=armv7-a --with-float=softfp" @@ -29,6 +29,10 @@ index 4e321c9..6d9ea32 100644 # Enable this to build the bootstrap gcc (thrown away) without optimization, to reduce build time GCC_STAGE1_NOOPT=1 -+ + +# Build GMP, MPFR and MPC +GCC_BUILTIN_PREREQS=yes ++ + # uncomment these to get smaller/stripped binaries + #export CFLAGS="-Os -g0 -s" + #export CXXFLAGS="-Os -g0" From 56aa508b8dd69915a94d237b52e6c428d95c7077 Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Tue, 29 Oct 2019 13:15:56 +0100 Subject: [PATCH 044/189] musl-cross: pin to a specific checkout (#617) Add `--strip 1` to tar file extraction in the `Makefile`, which ensures that the directory name in `build/` will match the one listed in `$($(MODULE)_dir)`. Signed-off-by: Trammell hudson --- Makefile | 7 ++++--- modules/musl-cross | 8 +++++--- .../{musl-cross.patch => musl-cross-81d563e.patch} | 12 ++++++++++++ 3 files changed, 21 insertions(+), 6 deletions(-) rename patches/{musl-cross.patch => musl-cross-81d563e.patch} (57%) diff --git a/Makefile b/Makefile index cc5cac6ad..21e38108b 100644 --- a/Makefile +++ b/Makefile @@ -264,9 +264,10 @@ define define_module = # Unpack the tar file and touch the canary so that we know # that the files are all present $(build)/$($1_base_dir)/.canary: $(packages)/.$1-$($1_version)_verify - tar -xf "$(packages)/$($1_tar)" -C "$(build)" + mkdir -p "$$(dir $$@)" + tar -xf "$(packages)/$($1_tar)" --strip 1 -C "$$(dir $$@)" if [ -r patches/$1-$($1_version).patch ]; then \ - ( cd $(build)/$($1_base_dir) ; patch -p1 ) \ + ( cd $$(dir $$@) ; patch -p1 ) \ < patches/$1-$($1_version).patch \ || exit 1 ; \ fi 
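Review bot: `--strip 1` on the new tar line relies on GNU tar expanding an abbreviated long option; writing `--strip-components=1` is unambiguous and does not depend on that behaviour. This recipe sits in `define_module`, so it now applies to every module tarball, and an archive without a single top-level directory would lose the first component of each path without any error. A comment above the tar line should state the assumption, for example `# all module tarballs must contain exactly one top-level directory; it is stripped so the tree lands in $($1_base_dir)`. The `define_module` body begins before this hunk and continues after it.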
@@ -274,7 +275,7 @@ define define_module = [ -r patches/$1-$($1_version) ] ; then \ for patch in patches/$1-$($1_version)/*.patch ; do \ echo "Applying patch file : $$$$patch " ; \ - ( cd $(build)/$($1_base_dir) ; patch -p1 ) \ + ( cd $$(dir $$@) ; patch -p1 ) \ < $$$$patch \ || exit 1 ; \ done ; \ diff --git a/modules/musl-cross b/modules/musl-cross index 199731859..b15d670d6 100644 --- a/modules/musl-cross +++ b/modules/musl-cross @@ -23,9 +23,11 @@ else # Force a full build of the cross compiler modules-y += musl-cross -musl-cross_version := git -musl-cross_dir := musl-cross-$(musl-cross_version) -musl-cross_repo := https://github.com/GregorR/musl-cross +musl-cross_version := 81d563e +musl-cross_dir := musl-cross +musl-cross_url := https://github.com/GregorR/musl-cross/archive/$(musl-cross_version).tar.gz +musl-cross_tar := musl-cross-$(musl-cross_version).tar.gz +musl-cross_hash := 6362751b2442dc273c0889e5ef3ce6306a38b9c415cbe8cb4cfe3b8c6d776e96 CROSS_TOP := crossgcc/x86_64-linux-musl/bin/x86_64-musl-linux- CROSS := $(build)/../$(CROSS_TOP) diff --git a/patches/musl-cross.patch b/patches/musl-cross-81d563e.patch similarity index 57% rename from patches/musl-cross.patch rename to patches/musl-cross-81d563e.patch index 7161e6736..e7633b7ba 100644 --- a/patches/musl-cross.patch +++ b/patches/musl-cross-81d563e.patch 
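Review bot: `musl-cross_version := 81d563e` pins the download by a seven-character abbreviated commit id, and that abbreviation is what gets interpolated into `musl-cross_url`; only `musl-cross_hash` actually fixes the content that is accepted. A comment above the assignments would make that explicit: `# version is an abbreviated commit id used only to build the URL; musl-cross_hash is the real pin and must be regenerated whenever it changes`. The same applies to `msrtools_version := 572ef8a` and `tpmtotp_version := 18b860f` in the later msrtools/tpmtotp patch. Where the hash is checked is not visible in this hunk; presumably it is the `_verify` prerequisite seen in the Makefile rule.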
@@ -36,3 +36,15 @@ index ec3c1ce..844fb3d 100644 # uncomment these to get smaller/stripped binaries #export CFLAGS="-Os -g0 -s" #export CXXFLAGS="-Os -g0" +--- /dev/null 2019-10-28 16:42:28.211999999 +0100 ++++ musl-cross/hashes/gmp-6.1.0.tar.bz2.sha256 2019-10-29 13:08:53.288687684 +0100 +@@ -0,0 +1 @@ ++498449a994efeba527885c10405993427995d3f86b8768d8cdf8d9dd7c6b73e8 gmp-6.1.0.tar.bz2 +--- /dev/null 2019-10-28 16:42:28.211999999 +0100 ++++ musl-cross/hashes/mpfr-3.1.4.tar.bz2.sha256 2019-10-29 13:08:53.292687684 +0100 +@@ -0,0 +1 @@ ++d3103a80cdad2407ed581f3618c4bed04e0c92d1cf771a65ead662cc397f7775 mpfr-3.1.4.tar.bz2 +--- /dev/null 2019-10-28 16:42:28.211999999 +0100 ++++ musl-cross/hashes/mpc-1.0.3.tar.gz.sha256 2019-10-29 13:08:53.296687684 +0100 +@@ -0,0 +1 @@ ++617decc6ea09889fb08ede330917a00b16809b8db88c29c31bfbb49cbf88ecc3 mpc-1.0.3.tar.gz From e5038e6adf9133a51c80b9699e552a68167db63b Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Tue, 29 Oct 2019 13:26:23 +0100 Subject: [PATCH 045/189] musl-cross: crossgcc binary changed names (#617) Signed-off-by: Trammell hudson --- modules/musl-cross | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/musl-cross b/modules/musl-cross index b15d670d6..f04a0799d 100644 --- a/modules/musl-cross +++ b/modules/musl-cross @@ -29,7 +29,7 @@ musl-cross_url := https://github.com/GregorR/musl-cross/archive/$(musl-cross_ver musl-cross_tar := musl-cross-$(musl-cross_version).tar.gz musl-cross_hash := 6362751b2442dc273c0889e5ef3ce6306a38b9c415cbe8cb4cfe3b8c6d776e96 -CROSS_TOP := crossgcc/x86_64-linux-musl/bin/x86_64-musl-linux- +CROSS_TOP := crossgcc/x86_64-linux-musl/bin/x86_64-linux-musl- CROSS := $(build)/../$(CROSS_TOP) musl-cross_output := ../../$(CROSS_TOP)gcc From 2980eb0522bfaf52f74ccbd33b564089e6abf933 Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Tue, 29 Oct 2019 13:36:04 +0100 Subject: [PATCH 046/189] pin msrtools and tpmtotp to current git heads 
Signed-off-by: Trammell hudson --- modules/msrtools | 11 ++++++----- modules/tpmtotp | 10 +++++----- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/modules/msrtools b/modules/msrtools index 9adfab0cb..6cfc30c2c 100644 --- a/modules/msrtools +++ b/modules/msrtools @@ -2,14 +2,15 @@ modules-$(CONFIG_MSRTOOLS) += msrtools msrtools_depends := $(musl_dep) -msrtools_version := git -msrtools_repo := https://github.com/osresearch/msr-tools +#msrtools_version := git +#msrtools_repo := https://github.com/osresearch/msr-tools -#msrtools_version := 1.3 +msrtools_version := 572ef8a msrtools_dir := msrtools-$(msrtools_version) msrtools_tar := msr-tools-$(msrtools_version).tar.gz -msrtools_url := https://github.com/intel/msr-tools/archive/msr-tools-$(msrtools_version).tar.gz -msrtools_hash := e8205aa3d19e536080f5974ed06ab9a88c4c3f37870c2f6a3a08a2f39302c22c +#msrtools_url := https://github.com/intel/msr-tools/archive/msr-tools-$(msrtools_version).tar.gz +msrtools_url := https://github.com/osresearch/msr-tools/archive/$(msrtools_version).tar.gz +msrtools_hash := 80554790d0a404205fe215c9ae8d2de159e980ec23821d636f201f12550e6ac0 msrtools_target := \ $(CROSS_TOOLS) \ diff --git a/modules/tpmtotp b/modules/tpmtotp index 792dd512c..6c870ca42 100644 --- a/modules/tpmtotp +++ b/modules/tpmtotp 
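Review bot: The msrtools hunk leaves three superseded assignments behind as comments (`#msrtools_version := git`, `#msrtools_repo := ...` and the old intel `#msrtools_url := ...`), so a reader has to work out which upstream is actually fetched. Drop them and keep a single line that states what the live assignments do, such as `# fetched from the osresearch fork at a fixed commit, verified against msrtools_hash`. The tpmtotp hunk that follows keeps the same two commented-out `git`/`repo` lines and would benefit from the same cleanup.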
@@ -2,14 +2,14 @@ modules-$(CONFIG_TPMTOTP) += tpmtotp tpmtotp_depends := mbedtls qrencode $(musl_dep) -tpmtotp_version := git -tpmtotp_repo := https://github.com/osresearch/tpmtotp +#tpmtotp_version := git +#tpmtotp_repo := https://github.com/osresearch/tpmtotp -#tpmtotp_version := 0.3.0 +tpmtotp_version := 18b860f tpmtotp_dir := tpmtotp-$(tpmtotp_version) tpmtotp_tar := tpmtotp-$(tpmtotp_version).tar.gz -tpmtotp_url := https://github.com/osresearch/tpmtotp/archive/v$(tpmtotp_version).tar.gz -tpmtotp_hash := e8205aa3d19e536080f5974ed06ab9a88c4c3f37870c2f6a3a08a2f39302c22c +tpmtotp_url := https://github.com/osresearch/tpmtotp/archive/$(tpmtotp_version).tar.gz +tpmtotp_hash := 1082f2b0e4af833e04220dddedcc21a39eb39ee4dc5668bb010e7bcc795c606c tpmtotp_target := \ $(CROSS_TOOLS) \ From 5a4cb4acbbe4c28a8e8502db865eb8b440bc1222 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 13 Nov 2019 16:55:16 -0600 Subject: [PATCH 047/189] blobs/librem_*: update CPU microcode Update hashes for CPU microcde, git releases repo, precompiled images used for extraction Signed-off-by: Matt DeVillier --- blobs/librem_kbl/get_blobs.sh | 6 +++--- blobs/librem_skl/get_blobs.sh | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/blobs/librem_kbl/get_blobs.sh b/blobs/librem_kbl/get_blobs.sh index dbf771f0a..c7a13376b 100755 --- a/blobs/librem_kbl/get_blobs.sh +++ b/blobs/librem_kbl/get_blobs.sh 
@@ -2,11 +2,11 @@ # depends on : wget sha256sum gunzip # Purism source -RELEASES_GIT_HASH="ced905accd065df3de6561ee7278400f320f14f7" +RELEASES_GIT_HASH="631b4a4e9bf562768afc262647ef4ef4f4ffaebd" PURISM_SOURCE="https://source.puri.sm/coreboot/releases/raw/${RELEASES_GIT_HASH}" # Librem 13 v4 and Librem 15 v4 binary blob hashes -KBL_UCODE_SHA="0e3a06d8949a1d7df2c75b414765b98181766e3bd5bc7c317fad65bfcf7c276b" +KBL_UCODE_SHA="bb07f0f77abe08e553f85b99d18fa129f991bf3613cf73d77c4f0ece87dd251e" KBL_DESCRIPTOR_SHA="642ca36f52aabb5198b82e013bf64a73a5148693a58376fffce322a4d438b524" KBL_ME_SHA="0eec2e1135193941edd39d0ec0f463e353d0c6c9068867a2f32a72b64334fb34" KBL_FSPM_SHA="5da3ad7718eb3f6700fb9d97be988d9c8bdd2d8b5910273a80928c49122d5b2d" @@ -27,7 +27,7 @@ IFDTOOL_BIN="./ifdtool" COREBOOT_IMAGE="coreboot-l13v4.rom" COREBOOT_IMAGE_FILE="$COREBOOT_IMAGE.gz" COREBOOT_IMAGE_URL="$PURISM_SOURCE/librem_13v4/$COREBOOT_IMAGE_FILE" -COREBOOT_IMAGE_SHA="147b911aad362bc67084d1591950e22557ffaba056f42484b521aa48a617c5b0" +COREBOOT_IMAGE_SHA="93c86230c618f9f19c29672f15f431f516db9247fac95bb2eacbc0fa33ea1e6a" die () { local msg=$1 diff --git a/blobs/librem_skl/get_blobs.sh b/blobs/librem_skl/get_blobs.sh index 1bbb1003f..10482e811 100755 --- a/blobs/librem_skl/get_blobs.sh +++ b/blobs/librem_skl/get_blobs.sh 
@@ -2,11 +2,11 @@ # depends on : wget sha256sum gunzip # Purism source -RELEASES_GIT_HASH="ced905accd065df3de6561ee7278400f320f14f7" +RELEASES_GIT_HASH="631b4a4e9bf562768afc262647ef4ef4f4ffaebd" PURISM_SOURCE="https://source.puri.sm/coreboot/releases/raw/${RELEASES_GIT_HASH}" # Librem 13 v2/v3 and Librem 15 v3 binary blob hashes -SKL_UCODE_SHA="6c6e420fe0490de51a504303d4c5d12ef8832ffb98a2d5327a9a07f05e62b01f" +SKL_UCODE_SHA="e528d2ccc5d76cd04bfabb556a3fbb70b93d9aca43e291e0f0104fbaae5720fd" SKL_DESCRIPTOR_SHA="642ca36f52aabb5198b82e013bf64a73a5148693a58376fffce322a4d438b524" SKL_ME_SHA="cf06d3eb8b24490a1ab46fd988b6cef822e5347cd6a2e92bc332cb4a376eb8bc" SKL_FSPM_SHA="5da3ad7718eb3f6700fb9d97be988d9c8bdd2d8b5910273a80928c49122d5b2d" @@ -27,7 +27,7 @@ IFDTOOL_BIN="./ifdtool" COREBOOT_IMAGE="coreboot-l13v3.rom" COREBOOT_IMAGE_FILE="$COREBOOT_IMAGE.gz" COREBOOT_IMAGE_URL="$PURISM_SOURCE/librem_13v3/$COREBOOT_IMAGE_FILE" -COREBOOT_IMAGE_SHA="f20b999457205f033bf122a436f906172bc53ff718034a32f931d9e1712a1033" +COREBOOT_IMAGE_SHA="784d8c9e9e3cf11e99b7f8a473d0ec18738193b2b57bb7a37386b536dab84be2" die () { local msg=$1 From 0599ce97afc9f8b6141b83ec5acb338bb823280e Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Mon, 18 Nov 2019 11:13:27 -0600 Subject: [PATCH 048/189] config-gui: fix Save Config option when commit [928f003] config-gui: add 'Full Reset' option was added, the bottom end of the save config option was accidentally truncated; restore it to fix save config option Signed-off-by: Matt DeVillier --- initrd/bin/config-gui.sh | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh index ed31c478f..683738e0a 100755 --- a/initrd/bin/config-gui.sh +++ b/initrd/bin/config-gui.sh 
@@ -116,6 +116,16 @@ while true; do cbfs -o /tmp/config-gui.rom -d "heads/initrd/etc/config.user" fi cbfs -o /tmp/config-gui.rom -a "heads/initrd/etc/config.user" -f /etc/config.user + + if (whiptail --title 'Update ROM?' \ + --yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 16 90) then + /bin/flash.sh /tmp/config-gui.rom + whiptail --title 'BIOS Updated Successfully' \ + --msgbox "BIOS updated successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 16 60 + /bin/reboot + else + exit 0 + fi ;; "r" ) # prompt for confirmation @@ -150,6 +160,8 @@ while true; do whiptail --title 'Configuration Reset Updated Successfully' \ --msgbox "Configuration reset and BIOS updated successfully.\n\nPress Enter to reboot" 16 60 /bin/reboot + else + exit 0 fi ;; esac From 5dc9b0b457bcbd4936697f256667931cdcf525fa Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 28 Aug 2019 21:47:45 -0500 Subject: [PATCH 049/189] config-gui: mount new /boot after selection Users may wish to temporarily boot an OS from a drive other than their primary boot drive, without changing the default and saving to ROM. Mounting /boot after changing the device selection facilitates this by allowing the user to then choose an unsafe boot from the newly-selected boot drive. Signed-off-by: Matt DeVillier --- initrd/bin/config-gui.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh index 683738e0a..74e8e7f98 100755 --- a/initrd/bin/config-gui.sh +++ b/initrd/bin/config-gui.sh 
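Review bot: The exit status of `/bin/flash.sh /tmp/config-gui.rom` is not checked, so the "BIOS updated successfully" box and the reboot follow even when the write failed. Guard the call the way oem-factory-reset does, `if ! /bin/flash.sh /tmp/config-gui.rom ; then`, and in that branch show an error box with `$CONFIG_ERROR_BG_COLOR` and `exit 1` instead of rebooting. Whether flash.sh already aborts on its own on failure is not visible here. The enclosing `case` branch starts before this hunk.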
@@ -101,6 +101,15 @@ while true; do replace_config /etc/config.user "CONFIG_BOOT_DEV" "$SELECTED_FILE" combine_configs + # mount newly selected /boot device + if ! ( umount /boot 2>/tmp/error && \ + mount -o ro $SELECTED_FILE /boot 2>/tmp/error ); then + ERROR=`cat /tmp/error` + whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: unable to mount /boot' \ + --msgbox "Unable to un/re-mount /boot:\n\n$ERROR" 16 60 + exit 1 + fi + whiptail --title 'Config change successful' \ --msgbox "The /boot device was successfully changed to $SELECTED_FILE" 16 60 ;; From c14c09b60216a0861538eaf024347010f466eb12 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 28 Aug 2019 10:47:53 -0500 Subject: [PATCH 050/189] flash-gui: clear boot signatures after flashing a cleaned ROM If the user chooses to flash a "cleaned" ROM (not persisting settings or GPG keys) then the signatures on /boot are no longer valid, so clear them out. This allows for the OEM factory reset prompt to be shown on the next boot. Signed-off-by: Matt DeVillier --- initrd/bin/flash-gui.sh | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/initrd/bin/flash-gui.sh b/initrd/bin/flash-gui.sh index 4105a9aea..dba97d405 100755 --- a/initrd/bin/flash-gui.sh +++ b/initrd/bin/flash-gui.sh 
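Review bot: `umount /boot 2>/tmp/error && mount -o ro $SELECTED_FILE /boot` never attempts the mount when /boot is not currently mounted, because the failed umount short-circuits the `&&`. The script then reports an error and exits even though `CONFIG_BOOT_DEV` has already been rewritten a few lines earlier. Make the unmount best-effort and test only the mount, as `detect_boot_device` does: `umount /boot 2>/dev/null` followed by `if ! mount -o ro "$SELECTED_FILE" /boot 2>/tmp/error ; then`. Quoting `$SELECTED_FILE` also keeps a path with spaces or glob characters from being split.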
@@ -71,7 +71,7 @@ file_selector() { while true; do unset menu_choice whiptail --clear --title "Firmware Management Menu" \ - --menu "Select the firmware function to perform\n\nRetaining settings copies existing settings to the new firmware:\n* Keeps your GPG keyring\n* Keeps changes to the default /boot device\n\nErasing settings uses the new firmware as-is:\n* Erases any existing GPG keyring\n* Restores firmware to default factory settings\n\nIf you are just updating your firmware, you probably want to retain\nyour settings." 20 90 10 \ + --menu "Select the firmware function to perform\n\nRetaining settings copies existing settings to the new firmware:\n* Keeps your GPG keyring\n* Keeps changes to the default /boot device\n\nErasing settings uses the new firmware as-is:\n* Erases any existing GPG keyring\n* Restores firmware to default factory settings\n* Clears out /boot signatures\n\nIf you are just updating your firmware, you probably want to retain\nyour settings." 20 90 10 \ 'f' ' Flash the firmware with a new ROM, retain settings' \ 'c' ' Flash the firmware with a new ROM, erase settings' \ 'x' ' Exit' \ @@ -100,6 +100,14 @@ while true; do --yesno "This will replace your old ROM with $ROM\n\nDo you want to proceed?" 16 90) then if [ "$menu_choice" == "c" ]; then /bin/flash.sh -c "$ROM" + # after flash, /boot signatures are now invalid so go ahead and clear them + if ls /boot/kexec* >/dev/null 2>&1 ; then + ( + mount -o remount,rw /boot 2>/dev/null + rm /boot/kexec* 2>/dev/null + mount -o remount,ro /boot 2>/dev/null + ) + fi else /bin/flash.sh "$ROM" fi From 018279b2bf6d30c0bd591e58ca1998647a7e530e Mon Sep 17 00:00:00 2001 
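Review bot: The `/boot/kexec*` files are removed whether or not `/bin/flash.sh -c "$ROM"` succeeded, so a failed flash leaves the old firmware and its keyring in place while the signatures it verifies against are gone. Make the cleanup conditional on the flash, for example `if /bin/flash.sh -c "$ROM" ; then` around the new block. Every command in the subshell also discards its errors, so a failed `remount,rw` or `rm` goes unreported and stale signatures stay behind; checking `rm` and printing a message would close that gap. How flash.sh reports failure is not visible in this hunk.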
From: Kyle Rankin Date: Thu, 7 Nov 2019 11:01:49 -0800 Subject: [PATCH 051/189] Add ability to enter custom password for OEM reset Normally we resort to default passwords for OEM reset, however we have a use case where it would be convenient to set a custom password instead. This patch adds a simple prompt (that defaults to the defaults if you hit Enter) that enables someone using the OEM reset to enter a single password that will replace the defaults (TPM, GPG Admin, GPG User). --- initrd/bin/oem-factory-reset | 48 +++++++++++++++++++++++++++++++++++- 1 file changed, 47 insertions(+), 1 deletion(-) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index e5138387a..1b40bcd22 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -18,6 +18,7 @@ WIDTH="220" USER_PIN_DEF=123456 ADMIN_PIN_DEF=12345678 TPM_PASS_DEF=12345678 +CUSTOM_PASS="" ## External files sourced @@ -85,6 +86,29 @@ gpg_key_reset() whiptail_error_die "GPG Key automatic keygen failed!\n\n$ERROR" fi } +gpg_key_change_pin() +{ + # 1 = user PIN, 3 = admin PIN + PIN_TYPE=$1 + PIN_ORIG=$2 + PIN_NEW=$3 + # Change PIN + { + echo admin + echo passwd + echo ${PIN_TYPE} + echo ${PIN_ORIG} + echo ${PIN_NEW} + echo ${PIN_NEW} + echo q + echo q + } | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \ + > /tmp/gpg_card_edit_output 2>/dev/null + if [ $? -ne 0 ]; then + ERROR=`cat /tmp/gpg_card_edit_output` + whiptail_error_die "GPG Key PIN change failed!\n\n$ERROR" + fi +} generate_checksums() { @@ -130,7 +154,7 @@ generate_checksums() # sign kexec boot files if sha256sum $param_files 2>/dev/null | gpg \ --pinentry-mode loopback \ - --passphrase $USER_PIN_DEF \ + --passphrase "$USER_PIN_DEF" \ --digest-algo SHA256 \ --detach-sign \ -a \ 
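Review bot: `gpg_key_change_pin` feeds the PINs to gpg with unquoted `echo ${PIN_ORIG}` / `echo ${PIN_NEW}`, so a custom password containing spaces, glob characters, a leading `-n`, or backslashes reaches the card altered. Nothing indicates that the value stored differs from the one typed. Use `printf '%s\n' "$PIN_ORIG"` and `printf '%s\n' "$PIN_NEW"` for the three PIN lines. The pipeline also sends gpg's status and stderr to /dev/null (`--status-fd=2 ... 2>/dev/null`), so the `$ERROR` shown on failure may not contain the reason; redirecting stderr into the output file would keep it.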
@@ -217,6 +241,19 @@ if ! whiptail --yesno " exit 1 fi +# Prompt to change default passwords +echo -e -n "Would you like to set a custom password? [y/N]:" +read -n 1 prompt_output +echo +if [ "$prompt_output" == "y" \ + -o "$prompt_output" == "Y" ] \ +; then + echo -e -n "Enter the custom password: " + read CUSTOM_PASS + echo + TPM_PASS_DEF=$CUSTOM_PASS +fi + ## sanity check the USB, GPG key, and boot device before proceeding further # mount USB, then remount rw @@ -272,6 +309,15 @@ gpg --list-keys >/dev/null 2>&1 echo -e "\nResetting GPG Key...\n(this will take a minute or two)\n" gpg_key_reset +if [ "$CUSTOM_PASS" != "" ]; then + echo -e "\nChanging default GPG Admin PIN\n" + gpg_key_change_pin "3" "$ADMIN_PIN_DEF" "$CUSTOM_PASS" + echo -e "\nChanging default GPG User PIN\n" + gpg_key_change_pin "1" "$USER_PIN_DEF" "$CUSTOM_PASS" + USER_PIN_DEF=$CUSTOM_PASS + ADMIN_PIN_DEF=$CUSTOM_PASS +fi + ## export generated key to USB echo -e "\nExporting generated key to USB...\n" # parse name of generated key From 4d32b4adf841fff539da5cc8977af0937b565aec Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 13 Nov 2019 17:28:12 -0600 Subject: [PATCH 052/189] functions: fix handling of checksum update fail If kexec-sign-config fails due to GPG key not present, the double die() results in a kernel panic (and if it didn't, /boot would be left mounted RW). Fix this by removing call to die() and ensuring /boot remounted RO regardless checksum update success or failure. Signed-off-by: Matt DeVillier --- initrd/etc/functions | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/initrd/etc/functions b/initrd/etc/functions index 056c3e822..dc3b67651 100755 --- a/initrd/etc/functions +++ b/initrd/etc/functions 
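Review bot: `TPM_PASS_DEF=$CUSTOM_PASS` is assigned without checking what was typed. Answering `y` and pressing Enter therefore resets the TPM with an empty password, while the later `[ "$CUSTOM_PASS" != "" ]` test skips the GPG PIN change and leaves the card on the default PINs. A value too short for the card is likewise rejected only in `gpg_key_change_pin`, after the TPM has already been reset with it. Validate before accepting the value, for example `read -r CUSTOM_PASS` followed by `[ ${#CUSTOM_PASS} -ge 8 ] || whiptail_error_die "Custom password must be at least 8 characters"` (eight matches the length of `ADMIN_PIN_DEF`; confirm the card's actual minimum). The password is also echoed to the console as it is typed; if the shell's `read` supports `-s`, use it here.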
@@ -287,8 +287,10 @@ update_checksums() if [ "$CONFIG_TPM" = "y" ]; then extparam=-u fi - kexec-sign-config -p /boot $extparam \ - || die "Failed to sign default config" + if ! kexec-sign-config -p /boot $extparam ; then + echo "Failed to sign default config; press Enter to continue." + read + fi # switch back to ro mode mount -o ro,remount /boot From 7998e96b98bfde7eb4a6911aaf5eb237ece86bef Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 13 Nov 2019 17:36:29 -0600 Subject: [PATCH 053/189] functions: check both grub/grub2 dirs for boot files Signed-off-by: Matt DeVillier --- initrd/etc/functions | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/initrd/etc/functions b/initrd/etc/functions index dc3b67651..2e8bd6a4b 100755 --- a/initrd/etc/functions +++ b/initrd/etc/functions @@ -305,10 +305,11 @@ detect_boot_device() # check $CONFIG_BOOT_DEV if set/valid if [ -e "$CONFIG_BOOT_DEV" ]; then - mount -o ro $CONFIG_BOOT_DEV /boot >/dev/null 2>&1 - if [[ $? && -d /boot/grub ]]; then - # CONFIG_BOOT_DEV is valid device and contains an installed OS - return 0 + if mount -o ro $CONFIG_BOOT_DEV /boot >/dev/null 2>&1; then + if ls -d /boot/grub* >/dev/null 2>&1; then + # CONFIG_BOOT_DEV is valid device and contains an installed OS + return 0 + fi fi fi @@ -330,10 +331,11 @@ detect_boot_device() # iterate thru possible options and check for grub dir for i in `cat /tmp/boot_device_list`; do umount /boot 2>/dev/null - mount -o ro $i /boot >/dev/null 2>&1 - if [[ $? && -d /boot/grub ]]; then - CONFIG_BOOT_DEV="$i" - return 0 + if mount -o ro $i /boot >/dev/null 2>&1; then + if ls -d /boot/grub* >/dev/null 2>&1; then + CONFIG_BOOT_DEV="$i" + return 0 + fi fi done From 858f0272850eec7b7135c8182c4c70650b9e7259 Mon Sep 17 00:00:00 2001 
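Review bot: After this change a failed `kexec-sign-config` is reported only by the on-screen prompt and nothing in the hunk records the failure, so `update_checksums` appears to return the status of the final remount and callers cannot tell that /boot now holds checksums without a valid signature. Recording it, e.g. `sign_failed=1` inside the `if` and `return ${sign_failed:-0}` after `mount -o ro,remount /boot`, keeps the remount-on-all-paths fix while letting callers react. The function continues beyond this hunk, so where the `return` belongs needs checking against the full body.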
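Review bot: `ls -d /boot/grub*` succeeds for any entry whose name starts with `grub`, including a plain file, which is looser than the comment "contains an installed OS" implies; the same test is used in the device loop in the following hunk. `[ -d /boot/grub ] || [ -d /boot/grub2 ]` checks exactly the two directories the commit subject names. `$CONFIG_BOOT_DEV` and `$i` are also passed to `mount` unquoted. Both hunks sit inside `detect_boot_device`, which starts and ends outside them.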
From: Matt DeVillier Date: Mon, 18 Nov 2019 19:12:06 -0600 Subject: [PATCH 054/189] config/coreboot-librem*: drop secondary payloads Drop coreinto/memtest secondary payloads as they are not usable with Linux as primary payload. Leftover copy-pasta from original SeaBIOS configs. Signed-off-by: Matt DeVillier --- config/coreboot-librem13v2.config | 2 -- config/coreboot-librem13v4.config | 2 -- config/coreboot-librem15v3.config | 2 -- config/coreboot-librem15v4.config | 2 -- 4 files changed, 8 deletions(-) diff --git a/config/coreboot-librem13v2.config b/config/coreboot-librem13v2.config index b56ba9d32..44f152bb7 100644 --- a/config/coreboot-librem13v2.config +++ b/config/coreboot-librem13v2.config @@ -28,5 +28,3 @@ CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="../../build/librem13v2/bzImage" CONFIG_LINUX_COMMAND_LINE="intel_iommu=on quiet loglevel=3" CONFIG_LINUX_INITRD="../../build/librem13v2/initrd.cpio.xz" -CONFIG_COREINFO_SECONDARY_PAYLOAD=y -CONFIG_MEMTEST_SECONDARY_PAYLOAD=y diff --git a/config/coreboot-librem13v4.config b/config/coreboot-librem13v4.config index c2935736c..e95562dc5 100644 --- a/config/coreboot-librem13v4.config +++ b/config/coreboot-librem13v4.config @@ -28,5 +28,3 @@ CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="../../build/librem13v4/bzImage" CONFIG_LINUX_COMMAND_LINE="intel_iommu=on quiet loglevel=3" CONFIG_LINUX_INITRD="../../build/librem13v4/initrd.cpio.xz" -CONFIG_COREINFO_SECONDARY_PAYLOAD=y -CONFIG_MEMTEST_SECONDARY_PAYLOAD=y diff --git a/config/coreboot-librem15v3.config b/config/coreboot-librem15v3.config index bf5a2bc14..1d3f829dc 100644 --- a/config/coreboot-librem15v3.config +++ b/config/coreboot-librem15v3.config @@ -28,5 +28,3 @@ CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="../../build/librem15v3/bzImage" CONFIG_LINUX_COMMAND_LINE="intel_iommu=on quiet loglevel=3" CONFIG_LINUX_INITRD="../../build/librem15v3/initrd.cpio.xz" -CONFIG_COREINFO_SECONDARY_PAYLOAD=y -CONFIG_MEMTEST_SECONDARY_PAYLOAD=y 
diff --git a/config/coreboot-librem15v4.config b/config/coreboot-librem15v4.config index 541d558a7..1baa87bd2 100644 --- a/config/coreboot-librem15v4.config +++ b/config/coreboot-librem15v4.config @@ -28,5 +28,3 @@ CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="../../build/librem15v4/bzImage" CONFIG_LINUX_COMMAND_LINE="intel_iommu=on quiet loglevel=3" CONFIG_LINUX_INITRD="../../build/librem15v4/initrd.cpio.xz" -CONFIG_COREINFO_SECONDARY_PAYLOAD=y -CONFIG_MEMTEST_SECONDARY_PAYLOAD=y From 5d28532a0f1311b3f6832d6f199c466888d558f1 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 28 Aug 2019 10:59:43 -0500 Subject: [PATCH 055/189] board/librem*.config: set default boot device to NVMe Automatic /boot detection will fall back to /dev/sd* Signed-off-by: Matt DeVillier --- boards/librem13v2/librem13v2.config | 2 +- boards/librem13v4/librem13v4.config | 2 +- boards/librem15v3/librem15v3.config | 2 +- boards/librem15v4/librem15v4.config | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/boards/librem13v2/librem13v2.config b/boards/librem13v2/librem13v2.config index eca005831..e37d506b7 100644 --- a/boards/librem13v2/librem13v2.config +++ b/boards/librem13v2/librem13v2.config @@ -30,7 +30,7 @@ export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" export CONFIG_BOOT_KERNEL_REMOVE="" -export CONFIG_BOOT_DEV="/dev/sda1" +export CONFIG_BOOT_DEV="/dev/nvme0n1p1" export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 13v2 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" diff --git a/boards/librem13v4/librem13v4.config b/boards/librem13v4/librem13v4.config index 12fe04886..f78f13a92 100644 --- a/boards/librem13v4/librem13v4.config +++ b/boards/librem13v4/librem13v4.config 
@@ -30,7 +30,7 @@ export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" export CONFIG_BOOT_KERNEL_REMOVE="" -export CONFIG_BOOT_DEV="/dev/sda1" +export CONFIG_BOOT_DEV="/dev/nvme0n1p1" export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 13v2 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" diff --git a/boards/librem15v3/librem15v3.config b/boards/librem15v3/librem15v3.config index 80c522952..f9d05253f 100644 --- a/boards/librem15v3/librem15v3.config +++ b/boards/librem15v3/librem15v3.config @@ -32,7 +32,7 @@ export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" export CONFIG_BOOT_KERNEL_REMOVE="" -export CONFIG_BOOT_DEV="/dev/sda1" +export CONFIG_BOOT_DEV="/dev/nvme0n1p1" export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 15v3 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" diff --git a/boards/librem15v4/librem15v4.config b/boards/librem15v4/librem15v4.config index 16f6aa44c..5f79a91d4 100644 --- a/boards/librem15v4/librem15v4.config +++ b/boards/librem15v4/librem15v4.config @@ -32,7 +32,7 @@ export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" export CONFIG_BOOT_KERNEL_REMOVE="" -export CONFIG_BOOT_DEV="/dev/sda1" +export CONFIG_BOOT_DEV="/dev/nvme0n1p1" export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 15v4 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" From b9fd6e27086fe3ff3dbdfa856bf5cd2e69566da6 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 21 Aug 2019 15:39:34 -0500 Subject: [PATCH 056/189] gui-init: update TOTP error prompt Update text on TOTP error prompt to provide better guidance for users following the use of the OEM factory reset function 
Signed-off-by: Matt DeVillier --- initrd/bin/gui-init | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index dfa6a9233..2b28fc212 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -169,8 +169,14 @@ while true; do TOTP=`unseal-totp` if [ $? -ne 0 ]; then whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: TOTP Generation Failed!" \ - --menu "ERROR: Heads couldn't generate the TOTP code.\n\nIf this is the first time the system has booted, you should reset the TPM\nand set your own password\n\nIf you just reflashed your BIOS, you'll need to generate a new TOTP secret.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 30 90 4 \ - 'g' ' Generate new TOTP/HOTP secret' \ + --menu " ERROR: Heads couldn't generate the TOTP code.\n + If you have just completed a Factory Reset, or just reflashed + your BIOS, you should generate a new HOTP/TOTP secret.\n + If this is the first time the system has booted, you should + reset the TPM and set your own password.\n + If you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n + How would you like to proceed?" 30 90 4 \ + 'g' ' Generate new HOTP/TOTP secret' \ 'i' ' Ignore error and continue to default boot menu' \ 'p' ' Reset the TPM' \ 'x' ' Exit to recovery shell' \ From 0dbc748233b2103cf2bbe1b655e952a094268389 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Sat, 18 May 2019 20:22:11 -0500 Subject: [PATCH 057/189] unseal-hotp: ensure /boot mounted before checking HOTP secret If /boot isn't mounted, we can't read the HOTP counter, so no point in reading from the TPM. This speeds up getting to the main menu in the case of an inaccessible or non-existant /boot. Signed-off-by: Matt DeVillier --- initrd/bin/unseal-hotp | 29 ++++++++++++++--------------- 1 file changed, 14 insertions(+), 15 deletions(-) 
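Review bot: The tamper warning still reads "If you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!", while the paragraph added above it now lists a Factory Reset as a second expected cause, so the two sentences disagree about when this error is benign. Wording the warning as `If none of the above applies, THIS COULD INDICATE TAMPERING!\n` keeps it consistent with the cases listed before it. The `whiptail` call continues past the end of the hunk.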
diff --git a/initrd/bin/unseal-hotp b/initrd/bin/unseal-hotp index f4d397ec8..0fc3fb28e 100755 --- a/initrd/bin/unseal-hotp +++ b/initrd/bin/unseal-hotp @@ -21,21 +21,6 @@ mount_boot_or_die() # get current value of HOTP counter in TPM, create if absent mount_boot_or_die -tpm nv_readvalue \ - -in 4d47 \ - -sz 312 \ - -of "$HOTP_SEALED" \ -|| die "Unable to retrieve sealed file from TPM NV" - -tpm unsealfile \ - -hk 40000000 \ - -if "$HOTP_SEALED" \ - -of "$HOTP_SECRET" \ -|| die "Unable to unseal HOTP secret" - -shred -n 10 -z -u "$HOTP_SEALED" 2> /dev/null - - #check_tpm_counter $HOTP_COUNTER hotp \ #|| die "Unable to find/create TPM counter" #counter="$TPM_COUNTER" @@ -51,6 +36,20 @@ fi #counter_value=$(printf "%d" 0x${counter_value}) +tpm nv_readvalue \ + -in 4d47 \ + -sz 312 \ + -of "$HOTP_SEALED" \ +|| die "Unable to retrieve sealed file from TPM NV" + +tpm unsealfile \ + -hk 40000000 \ + -if "$HOTP_SEALED" \ + -of "$HOTP_SECRET" \ +|| die "Unable to unseal HOTP secret" + +shred -n 10 -z -u "$HOTP_SEALED" 2> /dev/null + if ! hotp $counter_value < "$HOTP_SECRET"; then shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null die 'Unable to compute HOTP hash?' From e8fb231bc7ee45dd35ba4ed235a78020dd6c4569 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Thu, 21 Nov 2019 15:38:38 -0600 Subject: [PATCH 058/189] config/coreboot-librem*: disable iGPU IOMMU for Linux payload Disabling IOMMU on the iGPU for Heads (mostly) eliminates display corruption when kexec'ing to new kernel (and has no effect on iGPU/IOMMU for kexec'ed kernel) Signed-off-by: Matt DeVillier --- config/coreboot-librem13v2.config | 2 +- config/coreboot-librem13v4.config | 2 +- config/coreboot-librem15v3.config | 2 +- config/coreboot-librem15v4.config | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/config/coreboot-librem13v2.config b/config/coreboot-librem13v2.config index 44f152bb7..a27a26274 100644 --- a/config/coreboot-librem13v2.config +++ b/config/coreboot-librem13v2.config 
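Review bot: Nothing in the moved block says why the TPM reads must now come after the counter lookup, so a later cleanup could move them back; a comment above `tpm nv_readvalue`, such as `# Unseal only after the counter was read from /boot, so a missing /boot fails before the TPM is touched`, would record it. The literals `4d47`, `312` and `40000000` are also unexplained at this point in the file. If `tpm unsealfile` fails, `die` is reached before the `shred` of `$HOTP_SEALED`; whether `die` cleans up is not visible here.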
@@ -26,5 +26,5 @@ CONFIG_FSP_M_XIP=y CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="../../build/librem13v2/bzImage" -CONFIG_LINUX_COMMAND_LINE="intel_iommu=on quiet loglevel=3" +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" CONFIG_LINUX_INITRD="../../build/librem13v2/initrd.cpio.xz" diff --git a/config/coreboot-librem13v4.config b/config/coreboot-librem13v4.config index e95562dc5..79aacb18a 100644 --- a/config/coreboot-librem13v4.config +++ b/config/coreboot-librem13v4.config @@ -26,5 +26,5 @@ CONFIG_FSP_M_XIP=y CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="../../build/librem13v4/bzImage" -CONFIG_LINUX_COMMAND_LINE="intel_iommu=on quiet loglevel=3" +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" CONFIG_LINUX_INITRD="../../build/librem13v4/initrd.cpio.xz" diff --git a/config/coreboot-librem15v3.config b/config/coreboot-librem15v3.config index 1d3f829dc..c81c72dfc 100644 --- a/config/coreboot-librem15v3.config +++ b/config/coreboot-librem15v3.config @@ -26,5 +26,5 @@ CONFIG_FSP_M_XIP=y CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="../../build/librem15v3/bzImage" -CONFIG_LINUX_COMMAND_LINE="intel_iommu=on quiet loglevel=3" +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" CONFIG_LINUX_INITRD="../../build/librem15v3/initrd.cpio.xz" diff --git a/config/coreboot-librem15v4.config b/config/coreboot-librem15v4.config index 1baa87bd2..32a0742da 100644 --- a/config/coreboot-librem15v4.config +++ b/config/coreboot-librem15v4.config @@ -26,5 +26,5 @@ CONFIG_FSP_M_XIP=y CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="../../build/librem15v4/bzImage" -CONFIG_LINUX_COMMAND_LINE="intel_iommu=on quiet loglevel=3" +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" CONFIG_LINUX_INITRD="../../build/librem15v4/initrd.cpio.xz" 
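Review bot: `intel_iommu=igfx_off` replaces `on` instead of adding to it; the parameter takes a comma-separated list, so whether DMA remapping is enabled at all for the Heads payload kernel now depends on that kernel's built-in default, which is not visible in this diff. If the intent is only to exempt the integrated GPU, `intel_iommu=on,igfx_off` states that explicitly. The same line changes in the librem13v4, librem15v3 and librem15v4 hunks that follow.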
From 4db6fbd51a66aa01f63797f98568b339d05c5f39 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 20 Nov 2019 16:27:40 -0600 Subject: [PATCH 059/189] oem-factory-reset: enforce 8-char min on custom password Since the custom password is used to set the GPG admin password as well as the TPM and GPG user passwords, an 8-character minimum is required. Inform the user of this, and validate custom password length upon entry. Signed-off-by: Matt DeVillier --- initrd/bin/oem-factory-reset | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index 1b40bcd22..d30ac7fa9 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -242,14 +242,21 @@ if ! whiptail --yesno " fi # Prompt to change default passwords -echo -e -n "Would you like to set a custom password? [y/N]:" +echo -e -n "Would you like to set a custom password? [y/N]: " read -n 1 prompt_output echo if [ "$prompt_output" == "y" \ -o "$prompt_output" == "Y" ] \ ; then - echo -e -n "Enter the custom password: " - read CUSTOM_PASS + echo -e "\nThe custom password will be used for the +TPM admin and GPG user/admin passwords. +It must be at least 8 characters in length.\n" + CUSTOM_PASS="" + echo + while [[ ${#CUSTOM_PASS} -lt 8 ]] ; do + echo -e -n "Enter the custom password: " + read CUSTOM_PASS + done echo TPM_PASS_DEF=$CUSTOM_PASS fi From 81df9496323db45a1c71f16d8923e54e27821568 Mon Sep 17 00:00:00 2001 From: Martin Kepplinger Date: Tue, 26 Nov 2019 18:10:39 +0100 Subject: [PATCH 060/189] oem-factory-reset: Fix description for rebooting when finished As is in many cases in Heads, not any key will work, just Enter. Signed-off-by: Martin Kepplinger --- initrd/bin/oem-factory-reset | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index d30ac7fa9..fcd2b1066 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset 
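Review bot: The `while [[ ${#CUSTOM_PASS} -lt 8 ]]` loop re-prompts without saying why the entry was rejected, and because the status of `read` is ignored it spins forever if stdin reaches end-of-file. A line such as `[ ${#CUSTOM_PASS} -ge 8 ] || echo "Password too short (minimum 8 characters)"` after the `read`, together with `read -r CUSTOM_PASS || exit 1`, would cover both. Only a minimum is enforced; whether the TPM and the GPG card accept arbitrarily long values is not checked here.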
@@ -402,7 +402,7 @@ whiptail --msgbox " The OEM Factory Reset has completed successfully\n\n After rebooting, you will need to generate new TOTP/HOTP secrets\n when prompted in order to complete the setup process.\n\n - Press any key to reboot.\n" \ + Press Enter to reboot.\n" \ $WIDTH $HEIGHT --title "OEM Factory Reset Complete" reboot From 7370b75945681cbf49db392e3e25a3eb839ce533 Mon Sep 17 00:00:00 2001 From: rofl0r Date: Mon, 2 Dec 2019 23:03:09 +0000 Subject: [PATCH 061/189] update musl-cross to 1952975 this should fix issues with compressed ELF header sections. --- modules/musl-cross | 4 ++-- ...-cross-81d563e.patch => musl-cross-1952975.patch} | 12 ------------ 2 files changed, 2 insertions(+), 14 deletions(-) rename patches/{musl-cross-81d563e.patch => musl-cross-1952975.patch} (57%) diff --git a/modules/musl-cross b/modules/musl-cross index f04a0799d..5865cbd91 100644 --- a/modules/musl-cross +++ b/modules/musl-cross @@ -23,11 +23,11 @@ else # Force a full build of the cross compiler modules-y += musl-cross -musl-cross_version := 81d563e +musl-cross_version := 1952975 musl-cross_dir := musl-cross musl-cross_url := https://github.com/GregorR/musl-cross/archive/$(musl-cross_version).tar.gz musl-cross_tar := musl-cross-$(musl-cross_version).tar.gz -musl-cross_hash := 6362751b2442dc273c0889e5ef3ce6306a38b9c415cbe8cb4cfe3b8c6d776e96 +musl-cross_hash := dea10cfe4bfe5f5b131d8f98e65127cf5093477af56054d15563e858dc3b25cb CROSS_TOP := crossgcc/x86_64-linux-musl/bin/x86_64-linux-musl- CROSS := $(build)/../$(CROSS_TOP) diff --git a/patches/musl-cross-81d563e.patch b/patches/musl-cross-1952975.patch similarity index 57% rename from patches/musl-cross-81d563e.patch rename to patches/musl-cross-1952975.patch index e7633b7ba..7161e6736 100644 --- a/patches/musl-cross-81d563e.patch +++ b/patches/musl-cross-1952975.patch 
@@ -36,15 +36,3 @@ index ec3c1ce..844fb3d 100644 # uncomment these to get smaller/stripped binaries #export CFLAGS="-Os -g0 -s" #export CXXFLAGS="-Os -g0" ---- /dev/null 2019-10-28 16:42:28.211999999 +0100 -+++ musl-cross/hashes/gmp-6.1.0.tar.bz2.sha256 2019-10-29 13:08:53.288687684 +0100 -@@ -0,0 +1 @@ -+498449a994efeba527885c10405993427995d3f86b8768d8cdf8d9dd7c6b73e8 gmp-6.1.0.tar.bz2 ---- /dev/null 2019-10-28 16:42:28.211999999 +0100 -+++ musl-cross/hashes/mpfr-3.1.4.tar.bz2.sha256 2019-10-29 13:08:53.292687684 +0100 -@@ -0,0 +1 @@ -+d3103a80cdad2407ed581f3618c4bed04e0c92d1cf771a65ead662cc397f7775 mpfr-3.1.4.tar.bz2 ---- /dev/null 2019-10-28 16:42:28.211999999 +0100 -+++ musl-cross/hashes/mpc-1.0.3.tar.gz.sha256 2019-10-29 13:08:53.296687684 +0100 -@@ -0,0 +1 @@ -+617decc6ea09889fb08ede330917a00b16809b8db88c29c31bfbb49cbf88ecc3 mpc-1.0.3.tar.gz From 027ae39abe602a8d229746e100fbf62375563cdf Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Tue, 3 Dec 2019 10:48:10 +0100 Subject: [PATCH 062/189] modules: add module_tar_opt to allow different strip options Signed-off-by: Trammell hudson --- Makefile | 2 +- modules/coreboot | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 21e38108b..c95527aab 100644 --- a/Makefile +++ b/Makefile @@ -265,7 +265,7 @@ define define_module = # that the files are all present $(build)/$($1_base_dir)/.canary: $(packages)/.$1-$($1_version)_verify mkdir -p "$$(dir $$@)" - tar -xf "$(packages)/$($1_tar)" --strip 1 -C "$$(dir $$@)" + tar -xf "$(packages)/$($1_tar)" $(or $($1_tar_opt),--strip 1) -C "$$(dir $$@)" if [ -r patches/$1-$($1_version).patch ]; then \ ( cd $$(dir $$@) ; patch -p1 ) \ < patches/$1-$($1_version).patch \ diff --git a/modules/coreboot b/modules/coreboot index b2dfec590..15441ca1c 100644 --- a/modules/coreboot +++ b/modules/coreboot 
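Review bot: `$(or $($1_tar_opt),--strip 1)` makes a module's `_tar_opt` replace the default rather than extend it, and nothing near the rule says so; a module that sets it for some other tar flag would silently lose `--strip 1`. A comment above the `tar` line, e.g. `# <module>_tar_opt overrides the default '--strip 1'; include the strip count when setting it`, would make that explicit. The recipe belongs to `define_module`, which starts and ends outside this hunk.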
@@ -108,6 +108,7 @@ modules-y += coreboot-blobs coreboot-blobs_version := $(coreboot_version) coreboot-blobs_tar := coreboot-blobs-$(coreboot-blobs_version).tar.xz +coreboot-blobs_tar_opt := --strip 3 coreboot-blobs_dir := coreboot-$(coreboot-blobs_version)/3rdparty/blobs coreboot-blobs_url := https://www.coreboot.org/releases/$(coreboot-blobs_tar) coreboot-blobs_hash := 18aa509ae3af005a05d7b1e0b0246dc640249c14fc828f5144b6fd20bb10e295 From f0f6e80e953a18fe9765c2f6df0e7d0b21a3e4b1 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Thu, 2 Jan 2020 17:29:11 +0100 Subject: [PATCH 063/189] Add option to choose GnuPG userinfo during OEM reset --- initrd/bin/oem-factory-reset | 29 +++++++++++++++++++++++++---- 1 file changed, 25 insertions(+), 4 deletions(-) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index fcd2b1066..a84e6a8cb 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -20,6 +20,10 @@ ADMIN_PIN_DEF=12345678 TPM_PASS_DEF=12345678 CUSTOM_PASS="" +GPG_USER_NAME="OEM Key" +GPG_KEY_NAME=`date +%Y%m%d%H%M%S` +GPG_USER_MAIL="oem-${GPG_KEY_NAME}@example.com" +GPG_USER_COMMENT="OEM-generated key" ## External files sourced . /etc/functions @@ -54,7 +58,6 @@ whiptail_error_die() gpg_key_reset() { - GPG_KEY_NAME=`date +%Y%m%d%H%M%S` # Factory reset GPG card { echo admin @@ -76,9 +79,9 @@ gpg_key_reset() echo ${USER_PIN_DEF} echo 0 echo y - echo "OEM Key" - echo "oem-${GPG_KEY_NAME}@example.com" - echo "OEM-generated key" + echo ${GPG_USER_NAME} + echo ${GPG_USER_MAIL} + echo ${GPG_USER_COMMENT} } | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \ > /tmp/gpg_card_edit_output 2>/dev/null if [ $? -ne 0 ]; then 
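Review bot: `echo ${GPG_USER_NAME}`, `echo ${GPG_USER_MAIL}` and `echo ${GPG_USER_COMMENT}` expand operator-entered text unquoted, so glob characters are expanded against the current directory and repeated spaces collapse before the value reaches gpg. `printf '%s\n' "$GPG_USER_NAME"` (and likewise for the other two) passes the text through as typed. `gpg_key_reset` begins before this hunk and continues after it.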
@@ -261,6 +264,24 @@ It must be at least 8 characters in length.\n" TPM_PASS_DEF=$CUSTOM_PASS fi +# Prompt to change default GnuPG key information +echo -e -n "Would you like to set custom user information for the GnuPG key? [y/N]: " +read -n 1 prompt_output +echo +if [ "$prompt_output" == "y" \ + -o "$prompt_output" == "Y" ] \ +; then + echo -e "\nPlease enter the following information...\n" + echo + echo -e -n "Real name: " + read GPG_USER_NAME + echo -e -n "Email address: " + read GPG_USER_MAIL + echo -e -n "Comment: " + read GPG_USER_COMMENT + echo +fi + ## sanity check the USB, GPG key, and boot device before proceeding further # mount USB, then remount rw From 69f3cc46ab55311d4389408fcba5ec8f37b423f6 Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Tue, 7 Jan 2020 19:01:59 +0100 Subject: [PATCH 064/189] libksba: fix qsort handler to sort the string table in a reproducible way Signed-off-by: Trammell Hudson --- patches/libkbsa-1.3.5.patch | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 patches/libkbsa-1.3.5.patch diff --git a/patches/libkbsa-1.3.5.patch b/patches/libkbsa-1.3.5.patch new file mode 100644 index 000000000..594083d5b --- /dev/null +++ b/patches/libkbsa-1.3.5.patch @@ -0,0 +1,20 @@ +--- clean/libksba-1.3.5/src/asn1-gentables.c 2016-08-22 11:38:21.000000000 +0200 ++++ libksba-1.3.5/src/asn1-gentables.c 2020-01-07 18:56:03.658790390 +0100 +@@ -112,7 +112,16 @@ + const struct name_list_s **a = (const struct name_list_s **)aptr; + const struct name_list_s **b = (const struct name_list_s **)bptr; + +- return strlen ((*a)->name) < strlen ((*b)->name); ++ const size_t len_a = strlen((*a)->name); ++ const size_t len_b = strlen((*b)->name); ++ ++ if (len_a == len_b) ++ return strcmp((*a)->name, (*b)->name); ++ else ++ if (len_a < len_b) ++ return -1; ++ else ++ return +1; + } + + static void From 6c93a5e85407aa1199fd205d63212e0a7263f5d2 Mon Sep 17 00:00:00 2001 
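Review bot: The three `read` calls accept whatever is typed, including an empty line, and the values are later fed line by line into gpg's scripted card dialogue, where a rejected name or address would presumably shift every following answer to the wrong prompt. Falling back to the defaults on empty input, e.g. `[ -n "$GPG_USER_NAME" ] || GPG_USER_NAME="OEM Key"`, and using `read -r` keeps the dialogue in step. gpg's own limits on name length and address format are not checked here.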
From: Trammell hudson Date: Wed, 8 Jan 2020 10:01:21 +0100 Subject: [PATCH 065/189] libksba: fix name of patch file Signed-off-by: Trammell hudson --- patches/libkbsa-1.3.5.patch | 20 -------------------- patches/libksba-1.3.5.patch | 23 +++++++++++++++++++++++ 2 files changed, 23 insertions(+), 20 deletions(-) delete mode 100644 patches/libkbsa-1.3.5.patch create mode 100644 patches/libksba-1.3.5.patch diff --git a/patches/libkbsa-1.3.5.patch b/patches/libkbsa-1.3.5.patch deleted file mode 100644 index 594083d5b..000000000 --- a/patches/libkbsa-1.3.5.patch +++ /dev/null @@ -1,20 +0,0 @@ ---- clean/libksba-1.3.5/src/asn1-gentables.c 2016-08-22 11:38:21.000000000 +0200 -+++ libksba-1.3.5/src/asn1-gentables.c 2020-01-07 18:56:03.658790390 +0100 -@@ -112,7 +112,16 @@ - const struct name_list_s **a = (const struct name_list_s **)aptr; - const struct name_list_s **b = (const struct name_list_s **)bptr; - -- return strlen ((*a)->name) < strlen ((*b)->name); -+ const size_t len_a = strlen((*a)->name); -+ const size_t len_b = strlen((*b)->name); -+ -+ if (len_a == len_b) -+ return strcmp((*a)->name, (*b)->name); -+ else -+ if (len_a < len_b) -+ return -1; -+ else -+ return +1; - } - - static void diff --git a/patches/libksba-1.3.5.patch b/patches/libksba-1.3.5.patch new file mode 100644 index 000000000..13fa7be47 --- /dev/null +++ b/patches/libksba-1.3.5.patch 
@@ -0,0 +1,23 @@ +--- clean/libksba-1.3.5/src/asn1-gentables.c 2016-08-22 11:38:21.000000000 +0200 ++++ libksba-1.3.5/src/asn1-gentables.c 2020-01-08 10:00:27.297737650 +0100 +@@ -109,10 +109,17 @@ + static int + cmp_string (const void *aptr, const void *bptr) + { +- const struct name_list_s **a = (const struct name_list_s **)aptr; +- const struct name_list_s **b = (const struct name_list_s **)bptr; ++ const char *a = (*(const struct name_list_s **)aptr)->name; ++ const char *b = (*(const struct name_list_s **)bptr)->name; + +- return strlen ((*a)->name) < strlen ((*b)->name); ++ const size_t len_a = strlen(a); ++ const size_t len_b = strlen(b); ++ ++ if (len_a < len_b) ++ return -1; ++ if (len_a > len_b) ++ return +1; ++ return strcmp(a, b); + } + + static void From 791d064397594ab5f62374b1fe6f5dfc6aa72883 Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Wed, 8 Jan 2020 17:08:15 +0100 Subject: [PATCH 066/189] musl-cross-make: replace all cross compilers with musl-cross-make Signed-off-by: Trammell Hudson --- Makefile | 14 +++-- blobs/dev.cpio | Bin 508 -> 1024 bytes config/coreboot-kgpe-d16.config | 1 + config/coreboot-librem13v2.config | 1 + config/coreboot-librem13v4.config | 1 + config/coreboot-librem15v3.config | 1 + config/coreboot-librem15v4.config | 1 + config/coreboot-qemu.config | 1 + config/coreboot-x220.config | 1 + config/coreboot-x230-flash.config | 1 + config/coreboot-x230.config | 1 + modules/coreboot | 45 +++++--------- modules/musl | 41 ------------- modules/musl-cross | 55 ++++++++++++------ .../0010-cross-compiler-support.patch | 27 +++++++++ 15 files changed, 95 insertions(+), 96 deletions(-) delete mode 100644 modules/musl create mode 100644 patches/coreboot-4.8.1/0010-cross-compiler-support.patch diff --git a/Makefile b/Makefile index c95527aab..a0bda55be 100644 --- a/Makefile +++ b/Makefile 
@@ -106,11 +106,13 @@ SHELL := /bin/bash # be defined prior to any other module. include modules/musl-cross -musl_dep := musl -heads_cc := $(INSTALL)/bin/musl-gcc \ +musl_dep := musl-cross +heads_cc := $(CROSS)gcc \ -fdebug-prefix-map=$(pwd)=heads \ -gno-record-gcc-switches \ -D__MUSL__ \ + -I$(INSTALL)/include \ + -L$(INSTALL)/lib \ CROSS_TOOLS_NOCC := \ AR="$(CROSS)ar" \ @@ -145,8 +147,9 @@ all: FORCE: # Make helpers to operate on lists of things +# Prefix is "smart" and doesn't add the prefix for absolute file paths define prefix = -$(foreach _, $2, $1$_) +$(foreach _, $2, $(if $(patsubst /%,,$_),$1$_,$_)) endef define map = $(foreach _,$2,$(eval $(call $1,$_))) @@ -410,6 +413,7 @@ endef # Only some modules have binaries that we install # Shouldn't this be specified in the module file? +#bin_modules-$(CONFIG_MUSL) += musl-cross bin_modules-$(CONFIG_KEXEC) += kexec bin_modules-$(CONFIG_TPMTOTP) += tpmtotp bin_modules-$(CONFIG_PCIUTILS) += pciutils @@ -451,8 +455,7 @@ endif $(COREBOOT_UTIL_DIR)/cbmem/cbmem \ $(COREBOOT_UTIL_DIR)/superiotool/superiotool \ $(COREBOOT_UTIL_DIR)/inteltool/inteltool \ -: $(build)/$(coreboot_base_dir)/.canary \ - $(build)/$(musl_dir)/.build +: $(build)/$(coreboot_base_dir)/.canary +$(call do,MAKE,$(notdir $@),\ $(MAKE) -C "$(dir $@)" $(CROSS_TOOLS) \ ) @@ -564,7 +567,6 @@ modules.clean: real.clean: for dir in \ $(module_dirs) \ - $(musl_dir) \ $(kernel_headers) \ ; do \ if [ ! -z "$$dir" ]; then \ diff --git a/blobs/dev.cpio b/blobs/dev.cpio index 5e71bf641315bab5d49848930892cf945486101c..43f1088091ea1eabac3cece67ee3fd1e492355b2 100644 GIT binary patch literal 1024 zcmeH@zYc;h5XN~G9suY8EihL8BqmP8-9%t8DKZd^kM993#L@_(gST9JckS=Hk3=LQ zKnP_#$O?iHLOLW<_%sKaC8;)0WO5k)F-EAWb@Q|=3yG4M1axHj5UUYA!%ilZ50!>l zBQm|JyZ4=FG&bkM8xF;&K?mb~Vy7gLy=cmt`_9XV+tm}bgIqjSZr^?E&PLxh`HSB> v`HPv7-#&Wbykd4?A!=~JpvSQNx}>~acfMB+s(mi`@syXgZKH&L{D1>*A%TLW delta 90 zcmZqR_`}R+U=DL}LRWFfz25Y{+CX lS%HaX;z?cpv_wnu6w72Ykd&jLGf+x{(HuysO}@go0suG77wiB4 
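Review bot: The coreboot utility rule (`cbmem`, `superiotool`, `inteltool`) now depends only on the coreboot `.canary`, yet its recipe still passes `$(CROSS_TOOLS)`; with the `$(build)/$(musl_dir)/.build` prerequisite removed and nothing put in its place, a parallel build can presumably start these before the cross compiler exists. Adding the musl-cross build stamp as a prerequisite would restore the ordering; the exact stamp path is generated by `define_module` and is not visible in this hunk.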
diff --git a/config/coreboot-kgpe-d16.config b/config/coreboot-kgpe-d16.config index 4be5a04b7..01cf91ee6 100644 --- a/config/coreboot-kgpe-d16.config +++ b/config/coreboot-kgpe-d16.config @@ -1,4 +1,5 @@ CONFIG_LOCALVERSION="heads" +CONFIG_ANY_TOOLCHAIN=y CONFIG_USE_OPTION_TABLE=y # CONFIG_COLLECT_TIMESTAMPS is not set CONFIG_VENDOR_ASUS=y diff --git a/config/coreboot-librem13v2.config b/config/coreboot-librem13v2.config index a27a26274..412c2bfc2 100644 --- a/config/coreboot-librem13v2.config +++ b/config/coreboot-librem13v2.config @@ -1,4 +1,5 @@ CONFIG_LOCALVERSION="4.8.1-Purism-1-heads-beta" +CONFIG_ANY_TOOLCHAIN=y CONFIG_USE_BLOBS=y CONFIG_MEASURED_BOOT=y CONFIG_VENDOR_PURISM=y diff --git a/config/coreboot-librem13v4.config b/config/coreboot-librem13v4.config index 79aacb18a..0d4abc8b5 100644 --- a/config/coreboot-librem13v4.config +++ b/config/coreboot-librem13v4.config @@ -1,4 +1,5 @@ CONFIG_LOCALVERSION="4.8.1-Purism-1-heads-beta" +CONFIG_ANY_TOOLCHAIN=y CONFIG_USE_BLOBS=y CONFIG_MEASURED_BOOT=y CONFIG_VENDOR_PURISM=y diff --git a/config/coreboot-librem15v3.config b/config/coreboot-librem15v3.config index c81c72dfc..4359227eb 100644 --- a/config/coreboot-librem15v3.config +++ b/config/coreboot-librem15v3.config @@ -1,4 +1,5 @@ CONFIG_LOCALVERSION="4.8.1-Purism-1-heads-beta" +CONFIG_ANY_TOOLCHAIN=y CONFIG_USE_BLOBS=y CONFIG_MEASURED_BOOT=y CONFIG_VENDOR_PURISM=y diff --git a/config/coreboot-librem15v4.config b/config/coreboot-librem15v4.config index 32a0742da..013718c26 100644 --- a/config/coreboot-librem15v4.config +++ b/config/coreboot-librem15v4.config @@ -1,4 +1,5 @@ CONFIG_LOCALVERSION="4.8.1-Purism-1-heads-beta" +CONFIG_ANY_TOOLCHAIN=y CONFIG_USE_BLOBS=y CONFIG_MEASURED_BOOT=y CONFIG_VENDOR_PURISM=y diff --git a/config/coreboot-qemu.config b/config/coreboot-qemu.config index cfccf5269..73856e412 100644 --- a/config/coreboot-qemu.config +++ b/config/coreboot-qemu.config 
@@ -1,4 +1,5 @@ CONFIG_LOCALVERSION="-heads" +CONFIG_ANY_TOOLCHAIN=y # CONFIG_INCLUDE_CONFIG_FILE is not set CONFIG_CBFS_SIZE=0x700000 # CONFIG_POST_IO is not set diff --git a/config/coreboot-x220.config b/config/coreboot-x220.config index a91aef7dc..5671c71ba 100644 --- a/config/coreboot-x220.config +++ b/config/coreboot-x220.config @@ -1,4 +1,5 @@ CONFIG_LOCALVERSION="heads" +CONFIG_ANY_TOOLCHAIN=y # CONFIG_INCLUDE_CONFIG_FILE is not set # CONFIG_COLLECT_TIMESTAMPS is not set CONFIG_USE_BLOBS=y diff --git a/config/coreboot-x230-flash.config b/config/coreboot-x230-flash.config index 66f3a53cb..6461d02be 100644 --- a/config/coreboot-x230-flash.config +++ b/config/coreboot-x230-flash.config @@ -1,4 +1,5 @@ CONFIG_LOCALVERSION="heads" +CONFIG_ANY_TOOLCHAIN=y # CONFIG_INCLUDE_CONFIG_FILE is not set # CONFIG_COLLECT_TIMESTAMPS is not set CONFIG_USE_BLOBS=y diff --git a/config/coreboot-x230.config b/config/coreboot-x230.config index 65b13b581..c69f4174e 100644 --- a/config/coreboot-x230.config +++ b/config/coreboot-x230.config @@ -1,4 +1,5 @@ CONFIG_LOCALVERSION="heads" +CONFIG_ANY_TOOLCHAIN=y # CONFIG_INCLUDE_CONFIG_FILE is not set # CONFIG_COLLECT_TIMESTAMPS is not set CONFIG_USE_BLOBS=y diff --git a/modules/coreboot b/modules/coreboot index 15441ca1c..2ba9473d0 100644 --- a/modules/coreboot +++ b/modules/coreboot @@ -9,7 +9,7 @@ coreboot_tar := coreboot-$(coreboot_version).tar.xz coreboot_url := https://www.coreboot.org/releases/$(coreboot_tar) coreboot_hash := f0ddf4db0628c1fe1e8348c40084d9cbeb5771400c963fd419cda3995b69ad23 -# Coreboot builds are specialized on a per-target basis. +# coreboot builds are specialized on a per-target basis. # The builds are done in a per-target subdirectory CONFIG_COREBOOT_CONFIG ?= config/coreboot-$(BOARD).config 
@@ -29,9 +29,18 @@ coreboot_configure := \ CFLAGS_x86_32="$(EXTRA_FLAGS)" \ CFLAGS_x86_64="$(EXTRA_FLAGS)" \ +COREBOOT_IASL="$(build)/$(coreboot_base_dir)/util/crossgcc/xgcc/bin/iasl" + +# coreboot is built with the 32-bit compiler; ideally we could use the same +# x86_64-linux-musl -m32 to build it, but this causes some link errors that need +# to be tracked down. +# CROSS="$(CROSS)" \ + coreboot_target := \ -C "$(build)/$(coreboot_base_dir)" \ obj="$(build)/$(coreboot_dir)" \ + CROSS="$(dir $(CROSS))i386-linux-musl-" \ + IASL="$(COREBOOT_IASL)" \ DOTCONFIG="$(build)/$(coreboot_dir)/.config" \ BUILD_TIMELESS=1 \ CFLAGS_x86_32="$(EXTRA_FLAGS)" \ 
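Review bot: `COREBOOT_IASL="$(build)/…/iasl"` keeps the double quotes as part of the Make variable's value, and the next hunk uses that variable as a rule target and as a prerequisite of `.configured`, so Make looks for a file whose name contains quote characters, never finds it, and reruns the iasl build and the configure step on every invocation. `COREBOOT_IASL := $(build)/$(coreboot_base_dir)/util/crossgcc/xgcc/bin/iasl` avoids that, and the quoting in `IASL="$(COREBOOT_IASL)"` then does its job for the shell. The commented-out `# CROSS="$(CROSS)" \` line ends in a backslash, which continues the comment onto the following line and is easy to trip over when the block is edited.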
@@ -39,35 +48,11 @@ coreboot_target := \ $(MAKE_JOBS) coreboot_output := coreboot.rom -coreboot_depend += linux initrd - -COREBOOT_XGCC_REL := $(coreboot_base_dir)/util/crossgcc/xgcc -COREBOOT_XGCC_PATH := $(build)/$(COREBOOT_XGCC_REL) -COREBOOT_XGCC := $(COREBOOT_XGCC_PATH)/bin/i386-elf-gcc - -# hack to force a build dependency on the cross compiler -coreboot-gcc $(build)/$(coreboot_dir)/.configured: $(COREBOOT_XGCC) - -ifeq "$(TOOLCHAIN)" "" -# Force a rebuild of the entire coreboot toolchain -$(COREBOOT_XGCC): $(build)/$(coreboot_base_dir)/.canary - echo '******* Building crossgcc-i386 (this might take a while) ******' - $(MAKE) -C "$(build)/$(coreboot_base_dir)" CPUS=`nproc` crossgcc-i386 - #echo '******* Building crossgcc-arm (this might take a while) ******' - #$(MAKE) -C "$(build)/$(coreboot_base_dir)" crossgcc-arm -else -# Use the pre-build one from the external toolchain build -$(COREBOOT_XGCC): $(build)/$(coreboot_base_dir)/.canary - if [ ! -e "$(TOOLCHAIN)/build/$(COREBOOT_XGCC_REL)" ]; then \ - echo >&2 "ERROR: TOOLCHAIN=$(TOOLCHAIN) does not have coreboot" ; \ - exit 1 ; \ - fi - if [ ! -e "$(COREBOOT_XGCC_PATH)" ]; then \ - ln -s \ - "$(TOOLCHAIN)/build/$(COREBOOT_XGCC_REL)" \ - "$(COREBOOT_XGCC_PATH)" ; \ - fi -endif +coreboot_depend += linux initrd $(musl_dep) + +$(build)/$(coreboot_dir)/.configured: $(COREBOOT_IASL) +$(COREBOOT_IASL): $(build)/$(coreboot_base_dir)/.canary + $(MAKE) -C "$(build)/$(coreboot_base_dir)" CPUS=`nproc` iasl # Force a rebuild if the inputs have changed $(build)/$(coreboot_dir)/.build: \ diff --git a/modules/musl b/modules/musl deleted file mode 100644 index eec76de34..000000000 --- a/modules/musl +++ /dev/null 
@@ -1,41 +0,0 @@ -CONFIG_MUSL ?= y -modules-$(CONFIG_MUSL) += musl - -musl_version := 1.1.15 -musl_dir := musl-$(musl_version) -musl_tar := musl-$(musl_version).tar.gz -musl_url := https://www.musl-libc.org/releases/$(musl_tar) -musl_hash := 97e447c7ee2a7f613186ec54a93054fe15469fe34d7d323080f7ef38f5ecb0fa - -musl_output := ../../install/bin/musl-gcc - -# -# Note that for syslibdir to be /lib the install will fail. -# this is unfortunate since it prevents the binaries from running -# and requires that we treat the rest of the build as a cross compile. -# -# That works, with some hacks... -# -musl_configure := ./configure \ - $(CROSS_TOOLS_NOCC) \ - CC="$(CROSS)gcc" \ - --prefix="$(INSTALL)" \ - --syslibdir="/lib" \ - --enable-gcc-wrapper \ - --enable-shared \ - -musl_target := \ - $(MAKE_JOBS) \ - $(CROSS_TOOLS_NOCC) \ - CC="$(CROSS)gcc" \ - install \ - -musl_libraries := \ - lib/libc.so \ - - -musl_depends := musl-cross - -# Fake a target so that musl will force a header install by the -# Linux kernel sources. -$(build)/$(musl_dir)/.build: $(INSTALL)/include/linux/limits.h diff --git a/modules/musl-cross b/modules/musl-cross index 5865cbd91..617c66e3a 100644 --- a/modules/musl-cross +++ b/modules/musl-cross @@ -1,5 +1,14 @@ +CONFIG_MUSL ?= y + ifeq "$(MUSL_CROSS_ONCE)" "" MUSL_CROSS_ONCE := 1 +modules-$(CONFIG_MUSL) += musl-cross + +musl-cross_version := 38e52db +musl-cross_dir := musl-cross-$(musl-cross_version) +musl-cross_url := https://github.com/richfelker/musl-cross-make/archive/$(musl-cross_version).tar.gz +musl-cross_tar := musl-cross-$(musl-cross_version).tar.gz +musl-cross_hash := b4b85d6d3ddab0f2b8650a53e775673f8c346fa2fb07d652a9880bd206ade100 ifneq "$(CROSS)" "" 
@@ -7,39 +16,47 @@ ifneq "$(CROSS)" "" # check that $(CROSS)gcc exists or else things just won't work ifneq "y" "$(shell [ -x '$(CROSS)gcc' ] && echo y)" $(error $(CROSS)gcc does not exist - can not build) +else +$(info Using $(CROSS)gcc) endif # The cross compiler has already been built, so the musl-cross target -# is a NOP. -#musl-cross.intermediate: +# is a NOP. We really don't need to check out this code tree, but it is easier +# if we have a target for it. +musl-cross_target := --version -musl-cross_dir := musl-cross-ext -$(build)/$(musl-cross_dir)/.build: - mkdir -p $(dir $@) - touch $@ +# Ask the compiler where to find its own libc.so +musl-cross_libraries := \ + $(shell $(CROSS)gcc --print-file-name=libc.so) \ else # Force a full build of the cross compiler +# have to build both x86_64 and i386 versions for coreboot -modules-y += musl-cross -musl-cross_version := 1952975 -musl-cross_dir := musl-cross -musl-cross_url := https://github.com/GregorR/musl-cross/archive/$(musl-cross_version).tar.gz -musl-cross_tar := musl-cross-$(musl-cross_version).tar.gz -musl-cross_hash := dea10cfe4bfe5f5b131d8f98e65127cf5093477af56054d15563e858dc3b25cb +musl-cross_configure := \ + /bin/echo -e >> Makefile 'both:' ; \ + /bin/echo -e >> Makefile '\t$$$$(MAKE) TARGET=x86_64-linux-musl install' ; \ + /bin/echo -e >> Makefile '\t$$$$(MAKE) TARGET=i386-linux-musl install' ; \ -CROSS_TOP := crossgcc/x86_64-linux-musl/bin/x86_64-linux-musl- -CROSS := $(build)/../$(CROSS_TOP) -musl-cross_output := ../../$(CROSS_TOP)gcc +CROSS_PATH ?= $(pwd)/crossgcc -musl-cross_configure := \ - /bin/echo -e > Makefile \ - '$(musl-cross_output):\n\tCC_BASE_PREFIX="$(pwd)/crossgcc" ./build.sh' +musl-cross_target := \ + OUTPUT="$(CROSS_PATH)" \ + MAKE="$(MAKE)" \ + both +CROSS := $(CROSS_PATH)/bin/x86_64-linux-musl- +musl-cross_libraries := $(CROSS_PATH)/x86_64-linux-musl/lib/libc.so endif -musl-cross_target := + +musl-cross_output := $(CROSS)gcc + +## Fake a target so that musl will force a header 
install by the +## Linux kernel sources. +$(build)/$(musl-cross_dir)/.build: $(INSTALL)/include/linux/limits.h + endif diff --git a/patches/coreboot-4.8.1/0010-cross-compiler-support.patch b/patches/coreboot-4.8.1/0010-cross-compiler-support.patch new file mode 100644 index 000000000..b99941df7 --- /dev/null +++ b/patches/coreboot-4.8.1/0010-cross-compiler-support.patch @@ -0,0 +1,27 @@ +--- clean/coreboot-4.8.1/Makefile 2018-05-16 21:00:17.000000000 +0200 ++++ coreboot-4.8.1/Makefile 2020-01-08 17:01:32.998287979 +0100 +@@ -152,6 +152,24 @@ + + -include .xcompile + ++ifneq "$(CROSS)" "" ++ $(info coreboot: Using $(CROSS)gcc) ++ CROSS_COMPILE_x86_32 := $(CROSS) ++ CC_x86_32 := $(CROSS_COMPILE_x86_32)gcc ++ CPP_x86_32 := $(CROSS_COMPILE_x86_32)cpp ++ AS_x86_32 := $(CROSS_COMPILE_x86_32)as --32 ++ LD_x86_32 := $(CROSS_COMPILE_x86_32)ld.bfd -b elf32-i386 -melf_i386 ++ NM_x86_32 := $(CROSS_COMPILE_x86_32)nm ++ OBJCOPY_x86_32 := $(CROSS_COMPILE_x86_32)objcopy ++ OBJDUMP_x86_32 := $(CROSS_COMPILE_x86_32)objdump ++ READELF_x86_32 := $(CROSS_COMPILE_x86_32)readelf ++ STRIP_x86_32 := $(CROSS_COMPILE_x86_32)strip ++ AR_x86_32 := $(CROSS_COMPILE_x86_32)ar ++ GNATBIND_x86_32 := $(CROSS_COMPILE_x86_32)gnatbind ++ COMPILER_RT_x86_32 := $(shell $(CC_x86_32) --print-libgcc-file-name) ++endif ++ ++ + ifneq ($(XCOMPILE_COMPLETE),1) + $(shell rm -f .xcompile) + $(error .xcompile deleted because it's invalid. \ From fed0858126f09f1701a415d2ca2e13ff25e6966a Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Wed, 8 Jan 2020 17:33:49 +0100 Subject: [PATCH 067/189] circleci: try using the osresearch/musl-cross docker image Signed-off-by: Trammell Hudson --- .circleci/config.yml | 46 ++++---------------------------------------- 1 file changed, 4 insertions(+), 42 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index c23a19e10..56ecdf1be 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
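Review bot: When `CROSS` is supplied from outside, the existence test covers only `$(CROSS)gcc`, although the else branch notes that coreboot needs the i386 compiler too and `modules/coreboot` in this commit derives `$(dir $(CROSS))i386-linux-musl-` from the same variable. A prebuilt toolchain without the 32-bit half passes this check and only fails deep inside the coreboot build. I would add a second guard beside the first: `ifneq "y" "$(shell [ -x '$(dir $(CROSS))i386-linux-musl-gcc' ] && echo y)"`, `$(error $(dir $(CROSS))i386-linux-musl-gcc does not exist - can not build coreboot)`, `endif`. Use `$(warning …)` instead if boards that do not build coreboot must keep working with a 64-bit-only toolchain.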
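Review bot: The override block added to coreboot's `Makefile` has no comment saying that it only works because it sits after `-include .xcompile`, or that it replaces just the `_x86_32` tool variables. Whoever rebases this patch onto a newer coreboot needs both facts, and also that `CC_x86_32` becomes plain `$(CROSS)gcc`, so `CROSS` must name a 32-bit-targeting prefix. I would open the block with `# Heads: replace the x86_32 tools from .xcompile with $(CROSS); must stay after the -include above, CROSS must be an i386 toolchain prefix`. As far as the hunk shows, the x86_64 variables still come from `.xcompile`, which is worth stating in the same comment.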
@@ -2,35 +2,8 @@ version: 2 jobs: build: docker: - - image: osresearch/heads-ubuntu:16.04 + - image: osresearch/musl-cross:38e52db steps: - - run: - name: Install dependencies - command: | - apt update - apt install -y \ - build-essential \ - zlib1g-dev \ - uuid-dev \ - libdigest-sha-perl \ - libelf-dev \ - bc \ - bzip2 \ - bison \ - flex \ - git \ - gnupg \ - iasl \ - m4 \ - nasm \ - patch \ - python \ - wget \ - gnat \ - cpio \ - ccache \ - lzma \ - - checkout - run: @@ -38,22 +11,11 @@ jobs: command: | make -j4 bootstrap - - run: - name: Bootstrap coreboot-gcc - command: | - ./build/make-4.2.1/make \ - TOOLCHAIN=/home/builder/heads \ - V=1 \ - BOARD=qemu-coreboot \ - coreboot-gcc - - - run: name: qemu-coreboot command: | ./build/make-4.2.1/make \ - TOOLCHAIN=/home/builder/heads \ - V=1 \ + CROSS=/cross/bin/x86_64-linux-musl- \ -j4 \ BOARD=qemu-coreboot \ @@ -67,7 +29,7 @@ jobs: name: qemu-linuxboot command: | ./build/make-4.2.1/make \ - TOOLCHAIN=/home/builder/heads \ + CROSS=/cross/bin/x86_64-linux-musl- \ V=1 \ -j4 \ BOARD=qemu-linuxboot \ @@ -82,7 +44,7 @@ jobs: name: x230 command: | ./build/make-4.2.1/make \ - TOOLCHAIN=/home/builder/heads \ + CROSS=/cross/bin/x86_64-linux-musl- \ -j4 \ V=1 \ BOARD=x230 \ From 35ddd3e065c65b16e77d14cf443e55d000950d0d Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Wed, 8 Jan 2020 22:45:39 +0100 Subject: [PATCH 068/189] circleci: pre-build edk2 for linuxboot Signed-off-by: Trammell hudson --- .circleci/config.yml | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 56ecdf1be..8f87d8530 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
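Review bot: The build image is referenced by a mutable tag, `osresearch/musl-cross:38e52db`, and after this change the compiler for every ROM (`CROSS=/cross/bin/x86_64-linux-musl-` in the later hunks of this file) comes from inside that image. The tag can be re-pushed with different contents without any change to this repository, and the tarball hashes in `modules/` would not detect a swapped compiler. Pinning by digest fixes the toolchain to what was reviewed: `- image: osresearch/musl-cross@sha256:<digest of the reviewed image>`. The same hunk drops the `apt install` list, so the image must now carry every host tool the build needs; a comment naming the Dockerfile or repository the image is built from would make that auditable.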
@@ -12,25 +12,19 @@ jobs: make -j4 bootstrap - run: - name: qemu-coreboot + name: qemu-linuxboot-edk2 command: | ./build/make-4.2.1/make \ CROSS=/cross/bin/x86_64-linux-musl- \ - -j4 \ - BOARD=qemu-coreboot \ - - - store-artifacts: - path: build/qemu-coreboot/coreboot.rom - - store-artifacts: - path: build/qemu-coreboot/hashes.txt - + BOARD=qemu-linuxboot \ + `/bin/pwd`/build/linuxboot-git/build/qemu/.configured \ + # Run first to avoid too many processes - run: name: qemu-linuxboot command: | ./build/make-4.2.1/make \ CROSS=/cross/bin/x86_64-linux-musl- \ - V=1 \ -j4 \ BOARD=qemu-linuxboot \ @@ -40,13 +34,25 @@ jobs: path: build/qemu-linuxboot/hashes.txt + - run: + name: qemu-coreboot + command: | + ./build/make-4.2.1/make \ + CROSS=/cross/bin/x86_64-linux-musl- \ + -j4 \ + BOARD=qemu-coreboot \ + + - store-artifacts: + path: build/qemu-coreboot/coreboot.rom + - store-artifacts: + path: build/qemu-coreboot/hashes.txt + - run: name: x230 command: | ./build/make-4.2.1/make \ CROSS=/cross/bin/x86_64-linux-musl- \ -j4 \ - V=1 \ BOARD=x230 \ - store-artifacts: From c069901f90bacfc5091fbe70c53b71b1fa77fb93 Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Wed, 8 Jan 2020 22:47:27 +0100 Subject: [PATCH 069/189] circleci: no tabs! Signed-off-by: Trammell hudson --- .circleci/config.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 8f87d8530..f854666e0 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -17,8 +17,8 @@ jobs: ./build/make-4.2.1/make \ CROSS=/cross/bin/x86_64-linux-musl- \ BOARD=qemu-linuxboot \ - `/bin/pwd`/build/linuxboot-git/build/qemu/.configured \ - # Run first to avoid too many processes + `/bin/pwd`/build/linuxboot-git/build/qemu/.configured \ + # Run first to avoid too many processes - run: name: qemu-linuxboot From 97402ed32db6e2b15fd7c812283349eefbd1f330 Mon Sep 17 00:00:00 2001 
From: Trammell hudson Date: Wed, 8 Jan 2020 23:10:46 +0100 Subject: [PATCH 070/189] circleci: replace -j4 with --load 2 --- .circleci/config.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index f854666e0..5aea39c6c 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -25,7 +25,7 @@ jobs: command: | ./build/make-4.2.1/make \ CROSS=/cross/bin/x86_64-linux-musl- \ - -j4 \ + --load 2 \ BOARD=qemu-linuxboot \ - store-artifacts: @@ -39,7 +39,7 @@ jobs: command: | ./build/make-4.2.1/make \ CROSS=/cross/bin/x86_64-linux-musl- \ - -j4 \ + --load 2 \ BOARD=qemu-coreboot \ - store-artifacts: @@ -52,7 +52,7 @@ jobs: command: | ./build/make-4.2.1/make \ CROSS=/cross/bin/x86_64-linux-musl- \ - -j4 \ + --load 2 \ BOARD=x230 \ - store-artifacts: From 31f021e5f7fc2d13c05c23c1d17a1e9b036bebf8 Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Wed, 8 Jan 2020 23:26:20 +0100 Subject: [PATCH 071/189] circleci: enable V=1 to produce more output and avoid timing out Signed-off-by: Trammell hudson --- .circleci/config.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.circleci/config.yml b/.circleci/config.yml index 5aea39c6c..332b0843b 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -26,6 +26,7 @@ jobs: ./build/make-4.2.1/make \ CROSS=/cross/bin/x86_64-linux-musl- \ --load 2 \ + V=1 \ BOARD=qemu-linuxboot \ - store-artifacts: @@ -40,6 +41,7 @@ jobs: ./build/make-4.2.1/make \ CROSS=/cross/bin/x86_64-linux-musl- \ --load 2 \ + V=1 \ BOARD=qemu-coreboot \ - store-artifacts: @@ -53,6 +55,7 @@ jobs: ./build/make-4.2.1/make \ CROSS=/cross/bin/x86_64-linux-musl- \ --load 2 \ + V=1 \ BOARD=x230 \ - store-artifacts: From 1e77a72f99f270f3b19fed39f4f73f88509a9927 Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Thu, 9 Jan 2020 00:07:19 +0100 Subject: [PATCH 072/189] circleci: skip linuxboot steps for now 
Signed-off-by: Trammell hudson --- .circleci/config.yml | 46 +++++++++++++++++++++++--------------------- 1 file changed, 24 insertions(+), 22 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 332b0843b..4d4ff24f4 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -11,28 +11,30 @@ jobs: command: | make -j4 bootstrap - - run: - name: qemu-linuxboot-edk2 - command: | - ./build/make-4.2.1/make \ - CROSS=/cross/bin/x86_64-linux-musl- \ - BOARD=qemu-linuxboot \ - `/bin/pwd`/build/linuxboot-git/build/qemu/.configured \ - # Run first to avoid too many processes - - - run: - name: qemu-linuxboot - command: | - ./build/make-4.2.1/make \ - CROSS=/cross/bin/x86_64-linux-musl- \ - --load 2 \ - V=1 \ - BOARD=qemu-linuxboot \ - - - store-artifacts: - path: build/qemu-linuxboot/linuxboot.rom - - store-artifacts: - path: build/qemu-linuxboot/hashes.txt +# linuxboot steps need something to pass in the kernel header path +# skipping for now +# - run: +# name: qemu-linuxboot-edk2 +# command: | +# ./build/make-4.2.1/make \ +# CROSS=/cross/bin/x86_64-linux-musl- \ +# BOARD=qemu-linuxboot \ +# `/bin/pwd`/build/linuxboot-git/build/qemu/.configured \ +# # Run first to avoid too many processes +# +# - run: +# name: qemu-linuxboot +# command: | +# ./build/make-4.2.1/make \ +# CROSS=/cross/bin/x86_64-linux-musl- \ +# --load 2 \ +# V=1 \ +# BOARD=qemu-linuxboot \ +# +# - store-artifacts: +# path: build/qemu-linuxboot/linuxboot.rom +# - store-artifacts: +# path: build/qemu-linuxboot/hashes.txt - run: From 6962bfda10772606dcbc33477c81adb04c41c9c3 Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Thu, 9 Jan 2020 13:27:09 +0100 Subject: [PATCH 073/189] lvm2: turn off buffering, which prevents segfault with new musl (#651) Signed-off-by: Trammell hudson --- modules/lvm2 | 2 +- patches/lvm2-2.02.168.patch | 50 ++++++++++++++++++++++++------------- 2 files changed, 34 insertions(+), 18 deletions(-) 
diff --git a/modules/lvm2 b/modules/lvm2 index 91f0f53f0..e3005f1bd 100644 --- a/modules/lvm2 +++ b/modules/lvm2 @@ -1,7 +1,7 @@ modules-$(CONFIG_LVM2) += lvm2 lvm2_version := 2.02.168 -lvm2_dir := LVM2.$(lvm2_version) +lvm2_dir := lvm2.$(lvm2_version) lvm2_tar := LVM2.$(lvm2_version).tgz lvm2_url := https://mirrors.kernel.org/sourceware/lvm2/$(lvm2_tar) lvm2_hash := 23a3d1cddd41b3ef51812ebf83e9fa491f502fe74130d4263be327a91914660d diff --git a/patches/lvm2-2.02.168.patch b/patches/lvm2-2.02.168.patch index d6547c475..0a0956998 100644 --- a/patches/lvm2-2.02.168.patch +++ b/patches/lvm2-2.02.168.patch @@ -1,6 +1,6 @@ -diff -u --recursive ../clean/LVM2.2.02.168/lib/mm/memlock.c LVM2.2.02.168/lib/mm/memlock.c ---- ../clean/LVM2.2.02.168/lib/mm/memlock.c 2016-11-30 18:17:29.000000000 -0500 -+++ LVM2.2.02.168/lib/mm/memlock.c 2017-04-12 08:18:18.533783802 -0400 +diff --recursive -u clean/LVM2.2.02.168/lib/mm/memlock.c lvm2.2.02.168/lib/mm/memlock.c +--- clean/LVM2.2.02.168/lib/mm/memlock.c 2016-12-01 00:17:29.000000000 +0100 ++++ lvm2.2.02.168/lib/mm/memlock.c 2020-01-09 13:23:14.017310025 +0100 @@ -150,6 +150,7 @@ static void _allocate_memory(void) @@ -9,7 +9,7 @@ diff -u --recursive ../clean/LVM2.2.02.168/lib/mm/memlock.c LVM2.2.02.168/lib/mm #ifndef VALGRIND_POOL void *stack_mem; struct rlimit limit; -@@ -208,6 +209,7 @@ +@@ -208,11 +209,14 @@ for (i = 0; i < area; ++i) free(areas[i]); #endif @@ -17,7 +17,14 @@ diff -u --recursive ../clean/LVM2.2.02.168/lib/mm/memlock.c LVM2.2.02.168/lib/mm } static void _release_memory(void) -@@ -288,7 +290,7 @@ + { ++#if 0 + free(_malloc_mem); ++#endif + } + + /* +@@ -288,7 +292,7 @@ if (lock == LVM_MLOCK) { if (mlock((const void*)from, sz) < 0) { 
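Review bot: The `#if 0` added around `free(_malloc_mem)` in `_release_memory` (memlock.c section of the lvm2 patch) has no comment explaining why the free is disabled. Compiling out a `free` to stop a crash can hide a heap problem rather than fix it, and on a later rebase nobody can tell a deliberate workaround from leftover debugging. Presumably this belongs to the same musl segfault workaround as the buffering change named in the commit subject; if so, say that in place, for example `/* Heads: not freed, see #651 (segfault with newer musl); revisit when the allocation above is re-enabled */`. `_allocate_memory` and the rest of `_release_memory`'s context lie outside this hunk, so the relation between the two is inferred.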
@@ -26,9 +33,9 @@ diff -u --recursive ../clean/LVM2.2.02.168/lib/mm/memlock.c LVM2.2.02.168/lib/mm return 0; } } else { -diff -u --recursive ../clean/LVM2.2.02.168/libdm/libdm-stats.c LVM2.2.02.168/libdm/libdm-stats.c ---- ../clean/LVM2.2.02.168/libdm/libdm-stats.c 2016-11-30 18:17:30.000000000 -0500 -+++ LVM2.2.02.168/libdm/libdm-stats.c 2017-04-10 16:50:01.622529656 -0400 +diff --recursive -u clean/LVM2.2.02.168/libdm/libdm-stats.c lvm2.2.02.168/libdm/libdm-stats.c +--- clean/LVM2.2.02.168/libdm/libdm-stats.c 2016-12-01 00:17:30.000000000 +0100 ++++ lvm2.2.02.168/libdm/libdm-stats.c 2020-01-09 13:23:14.017310025 +0100 @@ -17,7 +17,24 @@ #include "dmlib.h" @@ -90,9 +97,9 @@ diff -u --recursive ../clean/LVM2.2.02.168/libdm/libdm-stats.c LVM2.2.02.168/lib buflen += id_len + 1; /* range end plus "-" */ } buflen++; -diff -u --recursive ../clean/LVM2.2.02.168/libdm/Makefile.in LVM2.2.02.168/libdm/Makefile.in ---- ../clean/LVM2.2.02.168/libdm/Makefile.in 2016-11-30 18:17:30.000000000 -0500 -+++ LVM2.2.02.168/libdm/Makefile.in 2017-04-10 16:50:01.622529656 -0400 +diff --recursive -u clean/LVM2.2.02.168/libdm/Makefile.in lvm2.2.02.168/libdm/Makefile.in +--- clean/LVM2.2.02.168/libdm/Makefile.in 2016-12-01 00:17:30.000000000 +0100 ++++ lvm2.2.02.168/libdm/Makefile.in 2020-01-09 13:23:14.017310025 +0100 @@ -56,7 +56,8 @@ CFLAGS += $(UDEV_CFLAGS) $(VALGRIND_CFLAGS) @@ -103,9 +110,9 @@ diff -u --recursive ../clean/LVM2.2.02.168/libdm/Makefile.in LVM2.2.02.168/libdm device-mapper: all -diff -u --recursive ../clean/LVM2.2.02.168/make.tmpl.in LVM2.2.02.168/make.tmpl.in ---- ../clean/LVM2.2.02.168/make.tmpl.in 2016-11-30 18:17:30.000000000 -0500 -+++ LVM2.2.02.168/make.tmpl.in 2017-04-10 16:50:01.626529699 -0400 +diff --recursive -u clean/LVM2.2.02.168/make.tmpl.in lvm2.2.02.168/make.tmpl.in +--- clean/LVM2.2.02.168/make.tmpl.in 2016-12-01 00:17:30.000000000 +0100 ++++ lvm2.2.02.168/make.tmpl.in 2020-01-09 13:23:14.017310025 +0100 
@@ -142,7 +142,7 @@ M_INSTALL_PROGRAM = -m 555 M_INSTALL_DATA = -m 444 @@ -126,9 +133,9 @@ diff -u --recursive ../clean/LVM2.2.02.168/make.tmpl.in LVM2.2.02.168/make.tmpl. LVM_VERSION := $(shell cat $(top_srcdir)/VERSION) -diff -u --recursive ../clean/LVM2.2.02.168/tools/lvmcmdline.c LVM2.2.02.168/tools/lvmcmdline.c ---- ../clean/LVM2.2.02.168/tools/lvmcmdline.c 2016-11-30 18:17:32.000000000 -0500 -+++ LVM2.2.02.168/tools/lvmcmdline.c 2017-04-10 16:50:01.626529699 -0400 +diff --recursive -u clean/LVM2.2.02.168/tools/lvmcmdline.c lvm2.2.02.168/tools/lvmcmdline.c +--- clean/LVM2.2.02.168/tools/lvmcmdline.c 2016-12-01 00:17:32.000000000 +0100 ++++ lvm2.2.02.168/tools/lvmcmdline.c 2020-01-09 13:23:49.057418263 +0100 @@ -1817,6 +1817,7 @@ { int err = is_valid_fd(STDERR_FILENO); @@ -145,3 +152,12 @@ diff -u --recursive ../clean/LVM2.2.02.168/tools/lvmcmdline.c LVM2.2.02.168/tool return 1; } +@@ -2023,7 +2025,7 @@ + */ + dm_set_name_mangling_mode(DM_STRING_MANGLING_NONE); + +- if (!(cmd = create_toolcontext(0, NULL, 1, 0, ++ if (!(cmd = create_toolcontext(0, NULL, 0, 0, + set_connections, set_filters))) { + udev_fin_library_context(); + return_NULL; From 23d012640739d5a85fbf2afe307e50d3bd281b88 Mon Sep 17 00:00:00 2001 From: Francis Lam Date: Thu, 16 Jan 2020 09:30:15 -0800 Subject: [PATCH 074/189] kexec: update to 2.0.20 Fix issue with kexec failing to load the target kernel when building with musl-cross-make --- modules/kexec | 4 +- patches/kexec-2.0.16.patch | 89 -------------------------------------- patches/kexec-2.0.20.patch | 76 ++++++++++++++++++++++++++++++++ 3 files changed, 78 insertions(+), 91 deletions(-) delete mode 100644 patches/kexec-2.0.16.patch create mode 100644 patches/kexec-2.0.20.patch diff --git a/modules/kexec b/modules/kexec index d2311c218..18f27dcf0 100644 --- a/modules/kexec +++ b/modules/kexec 
@@ -1,10 +1,10 @@ modules-$(CONFIG_KEXEC) += kexec -kexec_version := 2.0.16 +kexec_version := 2.0.20 kexec_dir := kexec-tools-$(kexec_version) kexec_tar := kexec-tools-$(kexec_version).tar.gz kexec_url := https://kernel.org/pub/linux/utils/kernel/kexec/$(kexec_tar) -kexec_hash := cf17fc99bf77c9b39f06ee88ac0e86d0349c4a0c3f8214a3cc78eece872f6f3a +kexec_hash := cb16d79818e0c9de3bb3e33ede5677c34a1d28c646379c7ab44e0faa3eb57a16 kexec_configure := ./configure \ $(CROSS_TOOLS) \ diff --git a/patches/kexec-2.0.16.patch b/patches/kexec-2.0.16.patch deleted file mode 100644 index fc9a2579e..000000000 --- a/patches/kexec-2.0.16.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -diff -u --recursive clean/kexec-tools-2.0.16/Makefile.in kexec-tools-2.0.16/Makefile.in ---- clean/kexec-tools-2.0.16/Makefile.in 2016-12-09 04:42:06.000000000 -0500 -+++ kexec-tools-2.0.16/Makefile.in 2018-02-28 05:39:20.461000000 -0500 -@@ -158,16 +158,16 @@ - - # kdump (read a crashdump from memory) - # --include $(srcdir)/kdump/Makefile -+#include $(srcdir)/kdump/Makefile - - # vmcore-dmesg (read dmesg from a vmcore) - # --include $(srcdir)/vmcore-dmesg/Makefile -+#include $(srcdir)/vmcore-dmesg/Makefile - - # - # kexec_test (test program) - # --include $(srcdir)/kexec_test/Makefile -+#include $(srcdir)/kexec_test/Makefile - - SPEC=$(PACKAGE_NAME).spec - GENERATED_SRCS:= $(SPEC) -diff -u --recursive clean/kexec-tools-2.0.16/include/config.h kexec-tools-2.0.16/include/config.h ---- clean/kexec-tools-2.0.16/include/config.h 2017-11-20 04:17:12.000000000 -0500 -+++ kexec-tools-2.0.16/include/config.h 2018-02-28 05:39:22.420000000 -0500 -@@ -17,7 +17,7 @@ - /* #undef HAVE_LIBXENCTRL */ - - /* Define to 1 if you have the `z' library (-lz). */ --/* #undef HAVE_LIBZ */ -+#define HAVE_LIBZ 1 - - /* Define to 1 if you have the header file. 
*/ - #define HAVE_MEMORY_H 1 -diff -u --recursive clean/kexec-tools-2.0.16/kexec/kexec.c kexec-tools-2.0.16/kexec/kexec.c ---- clean/kexec-tools-2.0.16/kexec/kexec.c 2017-03-02 04:45:46.000000000 -0500 -+++ kexec-tools-2.0.16/kexec/kexec.c 2018-02-28 10:40:01.662000000 -0500 -@@ -794,6 +794,27 @@ - if (sort_segments(&info) < 0) { - return -1; - } -+ -+#if 1 -+ // force segment 0 to have memsz == bufsz -+ // so that it won't overwrite EBDA -+ if (info.segment[0].mem == 0) -+ { -+ if (kexec_debug) -+ printf("hack ebda into segment 0!\n"); -+ -+ uint8_t * ebda = calloc(1, info.segment[0].memsz); -+ memcpy(ebda, info.segment[0].buf, info.segment[0].bufsz); -+ info.segment[0].bufsz = info.segment[0].memsz; -+ info.segment[0].buf = ebda; -+ -+ // install some default EBDA values that are off scale, -+ // which will force Xen to use the multiboot info -+ *(uint16_t*)(ebda + 0x40e) = 0xFFFF; // segment -+ *(uint16_t*)(ebda + 0x413) = 0xFFFF; // size -+ } -+#endif -+ - /* if purgatory is loaded update it */ - update_purgatory(&info); - if (entry) -diff -u --recursive clean/kexec-tools-2.0.16/purgatory/Makefile kexec-tools-2.0.16/purgatory/Makefile ---- clean/kexec-tools-2.0.16/purgatory/Makefile 2017-01-31 06:23:48.000000000 -0500 -+++ kexec-tools-2.0.16/purgatory/Makefile 2018-02-28 05:39:20.461000000 -0500 -@@ -44,7 +44,6 @@ - mkdir -p $(@D) - $(COMPILE.c) -o $@ $^ - --$(PURGATORY): CC=$(TARGET_CC) - $(PURGATORY): CFLAGS+=$(PURGATORY_EXTRA_CFLAGS) \ - $($(ARCH)_PURGATORY_EXTRA_CFLAGS) \ - -Os -fno-builtin -ffreestanding \ -diff -u --recursive clean/kexec-tools-2.0.16/util/Makefile kexec-tools-2.0.16/util/Makefile ---- clean/kexec-tools-2.0.16/util/Makefile 2010-07-29 05:22:16.000000000 -0400 -+++ kexec-tools-2.0.16/util/Makefile 2018-02-28 05:39:20.461000000 -0500 -@@ -2,7 +2,7 @@ - - $(BIN_TO_HEX): $(srcdir)/util/bin-to-hex.c - @$(MKDIR) -p $(@D) -- $(LINK.o) $(CFLAGS) -o $@ $^ -+ $(BUILD_CC) $(BUILD_CFLAGS) -o $@ $^ - - $(BIN_TO_HEX): CC=$(BUILD_CC) - $(BIN_TO_HEX): 
CFLAGS=$(BUILD_CFLAGS) diff --git a/patches/kexec-2.0.20.patch b/patches/kexec-2.0.20.patch new file mode 100644 index 000000000..9e940494a --- /dev/null +++ b/patches/kexec-2.0.20.patch 
@@ -0,0 +1,76 @@ +diff --git ./Makefile.in ./Makefile.in +index fb01134..bf1973e 100644 +--- ./Makefile.in ++++ ./Makefile.in +@@ -157,12 +157,12 @@ include $(srcdir)/kexec/Makefile + + # vmcore-dmesg (read dmesg from a vmcore) + # +-include $(srcdir)/vmcore-dmesg/Makefile ++#include $(srcdir)/vmcore-dmesg/Makefile + + # + # kexec_test (test program) + # +-include $(srcdir)/kexec_test/Makefile ++#include $(srcdir)/kexec_test/Makefile + + SPEC=$(PACKAGE_NAME).spec + GENERATED_SRCS:= $(SPEC) +diff --git ./kexec/kexec.c ./kexec/kexec.c +index bc6ab3d..b82725b 100644 +--- ./kexec/kexec.c ++++ ./kexec/kexec.c +@@ -805,6 +805,27 @@ static int my_load(const char *type, int fileind, int argc, char **argv, + if (sort_segments(&info) < 0) { + return -1; + } ++ ++#if 1 ++ // force segment 0 to have memsz == bufsz ++ // so that it won't overwrite EBDA ++ if (info.segment[0].mem == 0) ++ { ++ if (kexec_debug) ++ printf("hack ebda into segment 0!\n"); ++ ++ uint8_t * ebda = calloc(1, info.segment[0].memsz); ++ memcpy(ebda, info.segment[0].buf, info.segment[0].bufsz); ++ info.segment[0].bufsz = info.segment[0].memsz; ++ info.segment[0].buf = ebda; ++ ++ // install some default EBDA values that are off scale, ++ // which will force Xen to use the multiboot info ++ *(uint16_t*)(ebda + 0x40e) = 0xFFFF; // segment ++ *(uint16_t*)(ebda + 0x413) = 0xFFFF; // size ++ } ++#endif ++ + /* if purgatory is loaded update it */ + update_purgatory(&info); + if (entry) +diff --git ./purgatory/Makefile ./purgatory/Makefile +index 2dd6c47..2de8f07 100644 +--- ./purgatory/Makefile ++++ ./purgatory/Makefile +@@ -44,7 +44,6 @@ purgatory/sha256.o: $(srcdir)/util_lib/sha256.c + mkdir -p $(@D) + $(COMPILE.c) -o $@ $^ + +-$(PURGATORY): CC=$(TARGET_CC) + $(PURGATORY): CFLAGS=$(PURGATORY_EXTRA_CFLAGS) \ + $($(ARCH)_PURGATORY_EXTRA_CFLAGS) \ + -Os -fno-builtin -ffreestanding \ +diff --git ./util/Makefile ./util/Makefile +index 948ee63..833a897 100644 +--- ./util/Makefile ++++ ./util/Makefile +@@ -2,7 +2,7 
@@ BIN_TO_HEX:= bin/bin-to-hex + + $(BIN_TO_HEX): $(srcdir)/util/bin-to-hex.c + @$(MKDIR) -p $(@D) +- $(LINK.o) $(CFLAGS) -o $@ $^ ++ $(BUILD_CC) $(BUILD_CFLAGS) -o $@ $^ + + $(BIN_TO_HEX): CC=$(BUILD_CC) + $(BIN_TO_HEX): CFLAGS=$(BUILD_CFLAGS) From d63d5b4508072fef03223342879e349e97860587 Mon Sep 17 00:00:00 2001 From: Francis Lam Date: Thu, 16 Jan 2020 09:30:48 -0800 Subject: [PATCH 075/189] modules: update to use full commit id The short commit id can cause the tar archive potentially cause the root directory in the archive to be named with the short id causing the verification to fail --- modules/msrtools | 2 +- modules/musl-cross | 2 +- modules/tpmtotp | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/msrtools b/modules/msrtools index 6cfc30c2c..8a9b6b5b2 100644 --- a/modules/msrtools +++ b/modules/msrtools @@ -5,7 +5,7 @@ msrtools_depends := $(musl_dep) #msrtools_version := git #msrtools_repo := https://github.com/osresearch/msr-tools -msrtools_version := 572ef8a +msrtools_version := 572ef8a2b873eda15a322daa48861140a078b92c msrtools_dir := msrtools-$(msrtools_version) msrtools_tar := msr-tools-$(msrtools_version).tar.gz #msrtools_url := https://github.com/intel/msr-tools/archive/msr-tools-$(msrtools_version).tar.gz diff --git a/modules/musl-cross b/modules/musl-cross index 617c66e3a..f9cf79db0 100644 --- a/modules/musl-cross +++ b/modules/musl-cross @@ -4,7 +4,7 @@ ifeq "$(MUSL_CROSS_ONCE)" "" MUSL_CROSS_ONCE := 1 modules-$(CONFIG_MUSL) += musl-cross -musl-cross_version := 38e52db +musl-cross_version := 38e52db8358c043ae82b346a2e6e66bc86a53bc1 musl-cross_dir := musl-cross-$(musl-cross_version) musl-cross_url := https://github.com/richfelker/musl-cross-make/archive/$(musl-cross_version).tar.gz musl-cross_tar := musl-cross-$(musl-cross_version).tar.gz diff --git a/modules/tpmtotp b/modules/tpmtotp index 6c870ca42..433df8ceb 100644 --- a/modules/tpmtotp +++ b/modules/tpmtotp 
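Review bot: In the `#if 1` block that kexec-2.0.20.patch adds to `my_load`, the result of `calloc(1, info.segment[0].memsz)` is passed to `memcpy` and then written at offsets `0x40e` and `0x413` with no NULL check and no check on the segment size. Nothing in the hunk establishes that `memsz` is at least `0x415` or that `bufsz` does not exceed `memsz`, so a small or inconsistent first segment would turn the copy or the two `uint16_t` stores into a heap write past the buffer. Tightening the condition to `if (info.segment[0].mem == 0 && info.segment[0].memsz >= 0x415 && info.segment[0].bufsz <= info.segment[0].memsz)` and adding `if (!ebda) return -1;` after the allocation covers all three. The rest of `my_load` is outside the patch context, so an earlier guarantee may exist there; if it does, a one-line comment naming it would do.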
@@ -5,7 +5,7 @@ tpmtotp_depends := mbedtls qrencode $(musl_dep) #tpmtotp_version := git #tpmtotp_repo := https://github.com/osresearch/tpmtotp -tpmtotp_version := 18b860f +tpmtotp_version := 18b860fdcf5a55537c8395b891f2b2a5c24fc00a tpmtotp_dir := tpmtotp-$(tpmtotp_version) tpmtotp_tar := tpmtotp-$(tpmtotp_version).tar.gz tpmtotp_url := https://github.com/osresearch/tpmtotp/archive/$(tpmtotp_version).tar.gz From c3213e150a16bcacd1fea8d189efbe1be69573b5 Mon Sep 17 00:00:00 2001 From: Francis Lam Date: Thu, 16 Jan 2020 09:33:41 -0800 Subject: [PATCH 076/189] initrd: update distro keys Update distro keys to the latest with updated expiration dates --- initrd/etc/distro/keys/fedora.key | 360 ++++++++++++++---------------- initrd/etc/distro/keys/tails.key | 186 +++++++-------- 2 files changed, 262 insertions(+), 284 deletions(-) diff --git a/initrd/etc/distro/keys/fedora.key b/initrd/etc/distro/keys/fedora.key index e14b4cadb..684a758a0 100644 --- a/initrd/etc/distro/keys/fedora.key +++ b/initrd/etc/distro/keys/fedora.key 
@@ -1,194 +1,172 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -mQINBFfTPiIBEACnRl8tUymlDOBNJWjtICofXNyM4qt2qfGTme3YZ0ZVOay55pK6 -1OLiyNLXyJfDH9d2U6dZn5UYLNdE3QXRVua5GXlSituY0+pzs7n9doW/U8kdhm9a -zOfyR1Wh/u/FHUmiXUvuwLVzqee7lSU3Ry1voDzPIyM/3/eXDa4wAkbYuestYV2F -G2VqcMgDIEudYlkz6N1OigMWvkvYXFHVC1A55ydHenWffQzQaPpGuJLA61ARZ5Cu -X46xgOCPc+aSvAm/D0cmOS7xhZcUqs1A5uGtViZqsRt59Bp0HVNxftfBCO/rQx+9 -FrV1vYXkbTdzG3unlVCJxxC2dW2W6hb3SNgPbE5fgiG9twvVU+3GsFUwARclRWiZ -HjbWdjlRTkRySzkkdnXalJo3G4UAEDfkvujM2dB4Dt6gVkCPvSKVpK6HTtBdHmDO -scYfazX/j86somO9npHSrb11tYaLbx2PYfEvw6F7rsxr78/GBjzPnKkK3suXxDlS -8q7tT1FYV89EzjME5+ThJOyPxyXHKQQwozIXcB/BUfyWGlfFFh8baD+DA8lNgQvl -/TVFvW6bUV6ll5JoVJJhC87EACL7mlo6AQtwCivUEPxusVXM6u53UKbsc4gVdkZd -WpUyT2YsgKK05/eVDIkMLHXb3efVbJ6NCj88Fq6hYB7+Y5MRbRFJpvS4DQARAQAB -tDxGZWRvcmEgMjYgUHJpbWFyeSAoMjYpIDxmZWRvcmEtMjYtcHJpbWFyeUBmZWRv -cmFwcm9qZWN0Lm9yZz6JAjgEEwECACIFAlfTPiICGw8GCwkIBwMCBhUIAgkKCwQW -AgMBAh4BAheAAAoJEIEqa0tk2rhdFk8P/1WZFEEBfUr9ywRxeVAwiKx9Ggzf8m61 -p98spnUGj8N53bKwguKnMqAUtm9/XQPRGYRfqKKuKF/4AySCOmqFP86zHThnbFcb -fMyiJOxBN5N/5dhUxTkZG1M51vFPQx53dnea3w7ypJekTwfEna46PKUD7dTV3HJg -d2YOojD9mxup0iAmi7/3mi0cHwTCZS9FF/A4eBWjuEd4OM3KzPF7HBdY37a1IBLR -k7wruMEGSq6EXcoeqG2sMmU7RnEeQxy3WqMYdRdzUjbfBN7mCAcuv2yKB1FFW4/v -PhP7ObpCCLiaL46APdGFHZ30EC4oaeqSygJ8+zAIFK40t/a0iNNf8ZKKeeuasinr -qNJAep/WoVjIpx/LlF9vw522fhYXJ75LYLBCQNke/4rQ1Rl29io2Dg29aPrEwFPj -+7zDztdvaGmu5wLPvsC+w5pyqOT2LPC19y3D7T+KfXp0gEwyZedviDwZdIXz1PX1 -IMytlwRXlrhkp/2WzJvAkJCmRSb8QsxY9Y2A4rfqrNCk6kgjc+3pXNdxumaXEp33 -pjm+z61Qrg2XXFHUhQyRiBnEtyo2Hj3tJQdrPxwGIgtKFZCv+oAwewnMw9TFycI6 -rYEfS4wdAIOGoSF/PL9Eq2xoUJQw8QFCrURm7sfS0/VmvXoSjqzZLeWI4e+JvId0 -QFFBR5ZKOqzomQINBFeocJYBEAD0YKTqzt0QVgmHkRO0G8HpwdsNEzPANkDWe4KC -1YnKTDjl4ojvBfGc4bzLb+jXM4364DWGxArW6QJFW0DWI9DsK8+5TO+Zi9xtLi5B -XKImw2cYh7HKbCdNtBxT3xI1UVUuAkL8qbschWTUKgLYC1ywwjiFmjY7fEUpr3jz -QrhYxazqN0NvR/lq9k3VAetXTRfOEOhUrIhrTRQnsK58rspF4nWqZTj6D8jkSGcQ -qs9D3/btbsx69QkFKIIfxvfZxIHccaYfJhjgNU75b4Zl6NQvRm0jB8jpFqMTvG7z 
-vwubRiCku0YST+jy5RiZyaL5Yue0RP8dW0xfsVdRE7zsNaTRuvwVOBfXIFuGj81q -0JrO7G5HW2Kmo2byOeqidPyrlFtJv1PfByUFKIZ530HM4mnVH8193ZbravjJCpj1 -Ye07cq0yy0Nt2rvEpi63EYCBOaOQ9SJaYf77SZlZj/r7W2Hnnn40RqfzRUS3EAIu -cx1KtqNly5B4zm56J8I9rPmqf/zfj+0/kGj8YRm8MP2+F7Se836PGF5d3zjazamc -f0ORQmG67dwqddB+a5JhAxWl8OlFNsNBdRnu4qY3i6jK8jhI4U6NwQYEcWmnEeK5 -rbU20lEKPKla+1bK5OlU02JINuS0iXyCMEYyLdheCRQVGXGADVgXy790nTb/IpGV -mDj7lQARAQABtEBGZWRvcmEgMjYgU2Vjb25kYXJ5ICgyNikgPGZlZG9yYS0yNi1z -ZWNvbmRhcnlAZmVkb3JhcHJvamVjdC5vcmc+iQI4BBMBAgAiBQJXqHCWAhsPBgsJ -CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBFYP1NO5IdCWGXD/wOG5fluN233GHQ -sZ1WQneDaq/zi/GyyNelbR5TVJhmZ/ifi51EGx4/w6ZdWokmVQ6UejatdeQCQhlF -lF1g9Ax/oYoEbdJVmFRP7HzXqWcENXnCSXcpha3C1N8g12a1B3qew0gbuRbhwnnz -cDUQSSrcefS1XpnhRmDUt7WanbWOWQ6kktYdAkfVd2/k/Y5nHUZp25mnjsNPbsff -ev6xTdUB4dVkirBR4quMYwDXzzKKLz5E7pZB94C8WUCAYPOKM5pCuJR3L4pAjHGj -UyrSSxAaCepfiwJcCOQHMJY7CpuRqmhc1o3BaV8nO1HWMzbI78RChYshKCDY38Cz -h6SoeMJzaKUDAsvz7tNhOl816s0dbtVw43Ngou7G7tOxmnI47AMNHBuBbA/qKRg6 -et96lWcjmJiS1xks4FZFSEoA9BzH2G9o5LgYKKTRZIRPVZ61nsKa+as4E5oyDbXn -UmnbanrfUvALL+vOYTEeFCB7qif2Ek58ujIQBLczmU+2S74pdQlu7kSYnrqNkkRx -FOgFWt5udiOw5R2vnUO2VAISDlUnkgyHp2SUnHAE2Q4StccvR9JeZUH9IuVioN/n -AwzYTTKyOiZXzipkxwznSjukiS4WPqdnLrTCNQ7WPpyygQDS/Z1DLt/+Rdxz4wkX -76JjNVL+8hBF07H2vzBvtkCoZXEQ17kCDQRXqHCWEAgA6UwG6HiPE0EY3UpaAJDQ -SibtS5zaId0H8SXhdAk3ZVtzbskmI8FVuAyi6+Phl9Ps2RjVR88p9Uk6dV2QnRp8 -DpXQFeGfjMkfokl5TmnGu5txXWMGdGeiAs/VlMzRuUZI05fJR6eeA8gn4wpBPmuX -BgFre/3tuMxuahBLIhrLuThMMKZrfV42zaYN9waddnN+upM96aKQziNbmU7CSVGX -K1wKtvbSF51BXeO7w7KdTspKedjVLMhWrlUEAKmdeZDj+9slw4QXpqWMP8vmmIxb -rYXm94r6IgYFKYk1eZ2t8JbNdjFfRKGLKsPI2W9uH8+fI9/Xqw+mSwFMGqruBpmx -ZwADBQf/R2o8TOghFlNt90wrfP0XaumUP+aZLvb6ndjESTS7PaX1R1wsHtPaVDWn -aTgfA66rrCp/66vmKf6uHlPeUx0RREaIJ56uKP3n0x8HDn1ZBba83NoriWdVqar6 -f3+UBoZ0u1GBK/F8vG70Xj3x0dJ2psFP62yrDg5z+/TCM+o7EnUl5KYOpa3R25W6 -UEHoEexUIqxZp9+4FGH7+aO2LKbslEL3AVgraUBiFknJl7ikH3ZxljiFVigjBq/J -N2F5CrmeAhdAZedF3lE/epQ+LSQ+TTN7ukGt2l37aJDTRGNHqe6KCy9KqIBr8XAa 
-z9mJ34QF4hB/tDUSGQP5eg93ecG5PokCHwQYAQIACQUCV6hwlgIbDAAKCRBFYP1N -O5IdCQHSEAC4g0BMaQu5qzLHeh/bFXtxT4vFucXLAenyLH+oIEo43crSUpjQiXzB -itUc9sWMX7/mjj8EWOGbIQNYZO712Ei7fPO7u/auZ7qIlVUKlEHZ+du1ORC5+khK -rimgjP/ZIhTYKHiIJD3BLs2rEGXdx3TQCYRIgRm066KKZ2gQy3YHngqipmOzvz9j -4ctpmD6NabgX3eWjUCzxofd3m67c6sQVKxUNQzujCgtaLIClYQEMO0E7Xq9auq9L -OvD+40dLE63jfYKSIvsQ+3qUmT0CEfk5K3GDYC30xQU4cvqCybOreSTQR0L/f/wU -bTYt7Iyj/8eZwfi9wh2zVY2MOoe2zT6XIW2oKJFD9ka7IZsezMR4PBhEGCg69uWb -PXbwIP3har1pzIrwR1Uto9qCosupnkz3+ILQOiGxY5vtKXUr/0ulQ3gjZiLNL12m -5MvnAUg4aoms0W76wYUQG/NnccBzKE9hUAlgSak8n0gZPSRbG0wjOIcbE/arSpQ2 -k8WkwxkcUuHfOnBq/2ME1njWkNp+h+F/ifZcwcBiRNZ+S8Y/kV2kh36pjkic4mCc -4JjoNLxMic3Jpbf15Q8X0mgDbp1RVPtm4QTagq3kXRGjFpVaUfJF6ZdzPBm5qJ6F -7ZX9p/av2zCpAw7ZjY7u8pfCZttaiaHYd6KYgPX5LEQK5QSTxy/JNJkCDQRYrJKj -ARAA027KAF6Qz5PhbXMARD2UFXtGEGHTqmr30EFQ/0WAHB5yVvytW2YULrAY1CHn -PUnxot7gTTZm84gL6Xf8nDCslh7lkC5gYGyJq6pz2wTzF5sXjRp2YwNYY1Q6dKc4 -9voGUIamFkn+pEMvbvQNZklOtypf7X8O/oV+03NyPH3hgBQh3BUIBEsVIm/DMPzj -hkdwJvXynQPitZCXkCImb1zHDRcftwn6Gr4RXYnLqE9im3Ers0Zu+nbijR5S2j+v -yG2cTYg1ofEg1aRWhT5akf0f/sImwOnvcDH+gmeL31GOzSmH+LWAbNBGHZJ94/yo -SScXW/jOOkP8cKvaL2aO1yIS6yFD7jMPdV/XG75FP2vZBNX33aTZhdXw51HBJLrh -KjpfmjFbFARGwEPOsq8KQ3y+F0/b8JwyJIICmcrw02eqtNFyoNxnqyrmbUAZf2HB -w17gZQdX86RpfGvIav/hnk9rFcY5WMD1467CndTXj+nLULEeoB7j91uaIT+KwK7T -OjjTfK5U4qHQy1RhwaVMyEXYK+0Qi9QKgfb63UNjFWTGrE3FJ1LyqNB+JqbPsdOY -xmqNG9GdEyXOsK+smxx9/DVRtOlV+ayWZX2XIRsJFs5mMWouef+5Z9byZpPpG3Uu -6StI35nlSfAO+1ywi9+qCRQogq2I1fmRoLwfs9PCc8HO7IMAEQEAAbQsRmVkb3Jh -IDI3ICgyNykgPGZlZG9yYS0yN0BmZWRvcmFwcm9qZWN0Lm9yZz6JAjgEEwECACIF -AliskqMCGw8GCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEPVedDD1KC7k3MMP -/ixT1RMlYLjHlP0AARLBORRDe5HA0XmbXcKu6f2igtvZswsXh4IIrWDhpayDZCdu -gKuqfqFusOycQViZyqEwWCQxczSG6f+hmxuKCnBJ1kGX050S06+WrpFXVgRXr8wt -Ibq2qGys946GESF/NulVM0vwONfM6Zw1T7aaN8fOlfX9vdq6otrZ/UOXEAuQpN/3 -I0AxMJDfYB8+I/3NaGuswTnB2ypGmXVgNnSLOlzsQiB4O/IulUMDDLPr35tr21dw -AgnDlZ3d3ejcSELgyxEMHbXQdsyPEe+G42nKLK3Gnyvhdg55DO1qy0gokyiyQTEQ 
-8fl9pzo0+aS7rbOBQv12ETtt0jLTwDM0POdmdZZI7GlQ7I8zagmrFAdLwzxy0BPG -o9M3ITQUs7h6CqVzWE8ic7XpFi/0F5FLF7tMezeVoQZWfpZ4ui7WVOdZewSXdZ/m -Sp0OIJo0NX31S24M2/WdTDY3tLOtRXSplCUBlC2Kod9luBlfkS77SOgCVfxJhQlB -H0Sd3gPLSYsinuddsIopv1g4b8xbrjwbqdmd07n4miUDsrC5Tefh1EIrU7XHe4/G -YKbCACGbUljjMWyACVm85/II3yI+GQ3qNGWVx9FYA5F7ab9YPEdmkQM+qG+WGFuV -ZyNlBK+d8dWe5ZlIb/01GZ9uiHlNeowifNJO6Sb0EhfGmQINBFmSAVYBEADakUeJ -gNnAP2CE3vw+iI0Um9XvuBP6NdESRiJIEPgXhKWM058JPZDkpRETS4pbB3xUyPLo -ogoO76lheBEOPEAGp5mb/7vEcwlYqjtuetFi9hcsbNPxDeOLQ9KR7Xs2idU+DlCJ -W1WyU9UiLoyZpQgAqF7Y50MoxPKJtfDuM52YkulYLU+MleRtxJzHYcXArU3x3Czz -1FnemVtol3/1/BvmGQPIyj2HdG4vxWbiX79AUSlchh+MbNqOOpVVK16lLEbJCxCb -PdCsKCTOI+FsdQsB4bnX5ddNcvxxACwHNUifVD/1XH8Ax77DHohRbccRtIZqZEIK -ecHxVyFdr2mAl9mEXSzaFvRzWa+5seCgGoV0INBhj6NEtHhSxBYzLmr5noQ8JNPa -6eRipPvYTle2vstq2YUJ8D0ZbKbxaCPstemCQZrQKzh0tgezIgVXKc2U0i3ZOEYf -4ISMHeBnH36nRMBnaH/HkLyZyHXNE4vswJpwPjNtaofzQDD+TmCe2ObKei8iUqfL -o/8Je8IvnodS9C5l0fyEaMmo5BWc+SYRSTR9libNruwu4j6Kuoxge9SbRuD2S0qz -KK2LYRZrlkxjP8REnpvXxUfeSvNYHrbjzYDv677S6pqWdNqyoPduKiZWy6Vg4g+p -Ymk5T7vrpNizGK6exKiYZ5tAUaO3lrdpHOolUwARAQABtCxGZWRvcmEgMjggKDI4 -KSA8ZmVkb3JhLTI4QGZlZG9yYXByb2plY3Qub3JnPokCOAQTAQIAIgUCWZIBVgIb -DwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ4I5+Yp22L7GMDhAAwwQhpXFX -xegkgi0pFbA98Om3UBiQtcDemQSls0HEJh+J9sm4g0Sj2K7khFnJCKsQNVnJDVxv -xJ9j/AFZErRMjudUF7ACZfKDtNxq3gkH7qICPKk/DzeXblrzPc/RX+kkl9I5jFBh -apypsExa2yilfk8IiKq6nd2Ro7K+gEh/CMhfe7YBGInZ3FmZWsq1+WKTZCUNmA8+ -+eWIbmukrAoieTHTvIcOmc+dfaUAmjWtOnc69E9UmTCwEMEbPVMSmZv0qnp0kByW -UeV5cZR7NoXmaMaTr5aUY6wJuLshbWzgmudorf1udUwqYlpxZJtQCxlHezulrDJG -19d4dC5vGdYbnpeq01s9L9yieccKafWfldBU+YBZbo9e9Uzu/766pxEAtqYYSyZb -oiqsj5NCoq2fRc4DjfCDVEaK7HSPcQpQFA+p18sD2qccEPPo+F2+M8PZLf4khipG -RH1nm9AmM/v25a/9w22bDuUUvpcWwW45YsNToTTM4d6Ts750lCw/4K3jHnrQWxL7 -VfwLw0H1xlxnVqIXlL3HeOIn9EoaygxV2gJtPjB/Gwr2z/K+HoibAxvo7VcpxD+N -38LaPtrx/ERMxeYBJvMgSqGaC3MXj36/qv0zTyyTItYX9JfbOrikoJa+aKQGmTWL -rcuKaYl6Jzsq3vRTbNRRi4SpXwTwMyuW4pWZAg0EWohlNwEQAKOHQMrLA93QfH0j 
-icZixtRuohTtMZmDFpP2OdVJGCRx19Gq3YI/sR21FvKqQxQrIvbcIvADP5hKZ/0V -/2fEFKXwWIpQI01ZRg7d9oQBmRnmt4OvqHpbhrSeIExZ9UuqZiOlmaRwGqAuCX7b -BWr38T0Wr1LMOS3NzNQXvDABauwpbmvAQSr6LyOToVJRM0ypZmrr3LsO+jHyTxAj -G2i7l0gvdnypB2Rz/TKdOzht1pz3gWwkEzrSopIc/bcxjumnA6XvC20CydojMFoI -PRQgzmq18UE0Vph94nmQfWt/43OAWMnzLUPGJl0Rfa3g7Je+G4BBK9jKi0OsnMJu -6yNdBgxhiqd8ZyoyZMKSAbFht19UZsyzfHWYw5tlYxBtv0cY3QpMFoV3ADsScwGs -IbLcj1bGeAYgYBM49aQ89RTGVoj2PDFPe2pvBhjkqfZGEPgJnKPhUhpC8Z0xqinT -U7vxBUUeF0fbhpuo24+tioQNn5pJOCdgUolykZKxFUv4rD/HXCKTw9jOkL203NTU -tEKL2OxfSmT2A4NKBsotavJkSBloh1wFwkPhTeyUON0F5MNjyklX3P2vvP6AU8Ac -upK0YqPaJxu/zR0wZN+BSbcepYRL9deiZf1lYDW1XRmU04zz8i6eYhLP0w2lzcsK -Glxxx9+Ot+9YF+iQMppc72oJSBy3ABEBAAG0LEZlZG9yYSAyOSAoMjkpIDxmZWRv -cmEtMjlAZmVkb3JhcHJvamVjdC5vcmc+iQI4BBMBAgAiBQJaiGU3AhsPBgsJCAcD -AgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCiCqVrQpR2tHtrEACW40dD3dPu7/IhBpMK -zi4Zv+MSDupubqFHHmeyqt2beoo2qfJcrrWec82gMk2TVaFnDDhF2u/EIM4bLI2E -ZJ6OO9czpEEMQ5j8qYPqG4+jzE3mLslUb4TaaXBMZ7sdKDjt3TAfJ0M1NEtCpPRV -memTFF7em5DgM00clkbVKxGX9J/ZUjVfIH+EdsUZstL0q8ffaUIgAC23p1sZNFkL -2CwYvpdH/qjsRTl+mPtTmtiINMVpiqaobbUtllX3G2oKgdwoSVjuNftF+aTxafUb -bMLZdHQtft5UfsYF5fDoluYtmPFKB3bfnMTWU1JpIswc4cxyBIdagQL1QvMtgm5N -qCMrdyOTRWQouhxqRFyxv120VzGBkZ1Ad8xfuYP16m4maoHhrpM5mgv+2Krbw5Fq -RRuNh8vP2eCep3+kmSf0w1ZzHLfIG051Nipx77rX9dCThxHa0fxXZ4/t8vxgxug2 -Q89txsqVy8ob9OBpLS1WsUxSYDXGYOKHN/qC6kAA2VwyRijSGb7PWEu+CqiynXih -Ohwl5csAVXDl3Gdv1uaqMHL7vu7+uqtjQSQtB31edeCjBRCXRFI1eBwgh8SRUGKk -v/ZgH4wUGYxApxMNdfuVz+GXpbgEWZWPYoeQ91nNQ4lBVh973RG3eF9cdWJTDXXy -GRNomGsI9XCQVtpRaxwQDY5oUpkCDQRL0ilCARAAyxp1I9uGVSlu5YhTfyQOQoLc -5TZyrO7AYO31WzVq8ohN1EW59SV763cB7ZCsmPev4n2dS3d5RNoDhetWxmdglsCT -Xnu+kqfWforD/EUF2xuY8I/+ATPRyu6YZLahVSfFW2No3043H8UbxjPGAcFxfIcd -Ag2VEQI739cUUkCe4gKOfKnB517cTgL0JgG0fc+kP4fw/mPz4aCCadTleFTRwmwr -PTOx1FQaYAudzw3E1ELsHIHmOqUIKPXk9XizUmVayeQXLYr5dVHA+j+giBpJHk9o -DYaop3UT54FFxl1u0M6Hn3vn1UKiUpu06tqvaKlWeOifeuMGgkSLUckqbluXcWTt -+FjOsLMNgT9jJQAmx+Jd5bqraV6Nwb355PhwBR9x3DLsHWrpcb+82ClwnzaEn4K6 
-RH6NhMeCJvyN1nbcDBPxm58Hat1Sc4AMS1RYXMwx8DZI5iHTwJTSff4sUY4qeHYG -bVvFXAQqzaC/i4Q6yH475y3UbrwR8vT97AhexWcnGh5TFj+kYi7R5xDBnG2fEKUB -4tnUXlNcMq/UIILhlPo6kl2Gq9chHLHURmrKaTSGfPkGsG5v2uHaE9dExLTwK4Uq -B5cG76kw2I7X1fdpQv9osIDuoGIBvV6zuFfHVd/RX5u6CxX7024OZr+EPxOgFqP4 -JI5rcZHLpW8gL4xbWAEAEQEAAbQhRVBFTCAoNikgPGVwZWxAZmVkb3JhcHJvamVj -dC5vcmc+iQI2BBMBAgAgBQJL0ilCAhsPBgsJCAcDAgQVAggDBBYCAwECHgECF4AA -CgkQO0nfKgYIuJUfxg/8Cxj7/ajt/Xsm/TZa8HynVBKNbR8Sna4Tc/l2KzuMlQ0w -WUT0rry9smqHkiIUDioTT3xIE/ZnbG7IHH5qB8ZhlXJ/pW4XlrEr3IK17s9IC7fE -xhihhkTgKC16blLG9RzbShDsD0OM9bkNpzs+YS0cgzldCNi8GFfAYxiIwSlDBRFM -RU7C+1zmZKwIP1m0x9j1t4a30lrXEQOxGKJyNwfNHd/X38LO0psim0uT5mY6jj7k -71dhdLTISiIZ3AcKKI1mTxMX7R6SocylYfH3Qzv9z9ctRZNwop/FGwjvTFjBTUdu -31cwgDZRD5Y7BwPtxM+Be7m6BadDjhKL+GMouARG4KmZ7YUxuLm/Z8orqSGd3JDx -6951XA1BnC+pUA/55JjVSHi2D8dbhzzkpVn7qIwGIM0R+iy+yHYOBRxwQNLaOxVv -HUFxSDsjYiRQDk9o/D+frVXavMAdDw0h/MkaZ+B3SfUWKrmruDpI5bsTln9LkWkv -/0lHAmYftfygRDpnLwR2EWQOSZf52pAoMRm9qWkDs6qqTnByr5ci7szubsmzF2oq -SxMUxiVwZV622wEn12v8hmEgBolaxs/QhOuu+nTJZvBfrN11xNd0Ga15o5aHOo8D -pY53wJI0xl44gezlCxEnnfejEV7Xy5NFuQG/aXe7Sg0ekByO64B13wqKUZ2dlVWZ -Ag0EUq5ohAEQALVSmFfAyoIBqs9Qf9mw4WyVpt5NU7akOTlic73p/6uBkHvECsE5 -J5CTsH3SKpInzn9zvY4Cfg5di9PreB8J5ekmzkzt6ZeQ+w1BZZKO732Vb4CpI2aN -haGZGUtEaXQ47uAjCPvvp0he9ww0WXNI+PTQ3bECqMxuOWdXafZpsATmCrpWmo+8 -VdXJ+tVr+5qWiANWZ/qHa3hF2mJ+rypMewcVTfGkLP5Pr90ZYoZDjZlB9NoucMyN -OgCyZjQDJ6+QhtfqJlW3Ma9qdik9xZbhfREM9ymp8U1mTrjfEjiWxn5jYSv1i7lL -/zHSXL62aYiiRoTTDBt1S7vjRhNmMJ6yuhhaJGDnO5DbF8rEmhXkT4SH61jAYMmf -od9aFGCe51FHC+4njnO1hW0q6UrDxBCl3ZJNatxBAMlpFaacyihf88BNOMIETEH1 -2TPfwOu6+TsiQcy2wiqWQA5Ax2xfV3dOi/oETZcOMgbTMXEt24kZtXBz/qshz3lP -TnmPfoTPQeuPF2lMY44fFGowrmb1+UVtrHG0OdLvDvtarNbseMWsPRV5PHa+eOMa -pyEcRCl8OkU7NvwtMWGBiJ3JE1R+VBjflYs7Ms1X6lXd5DcmDXVQXB6VI0up9B+4 -VEZz7NzCQ2MeHnI++b2h1HUEh+onqwoY8Zu081ejsRExHKlbJHPTOLS3ABEBAAG0 -KEZlZG9yYSBFUEVMICg3KSA8ZXBlbEBmZWRvcmFwcm9qZWN0Lm9yZz6JAjgEEwEC -ACIFAlKuaIQCGw8GCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEGovrqI1LGTl 
-x8YP/iymqmxOO0MzuqnK0oscqu5m2+5aKq3lF+9P3DD0ZRQUxnhlkZfidReDj2qL -EMtrJZHx10b+zmTI6LcLS5f/qKfNpjJGD4GHvRuuopQrXgXUGus+Lb15op8b4a4w -W1d0EbZrs60+bDfK4qar0Sm/oHSY/oTkpJ29JFKola0ZwDrBFL/APNckQ0enmt70 -iybcJjJ2nLQYtEDnCjh88Hm4t1SEsRQO+HYor/98yONrejQv5I3Pw3RoNnKfkDEJ -T1EHcQdxN5wWCjLm6ZGP30Fmt5tHU077iAGuK8h928Ph8k180EdfCFIf0AIYI28e -ddWMdAX2IdYCkqREh6HwWvafl218kQXtIRfwZtfsVuxajb2RcytWA2oc3IOd8AFW -g+5uBB20lkmRVkCRoesy7wDK3BPrZDh42qYkjVpZtlA0jmNZipzpEq4Irr8X32q2 -EVP2Ak7Xv7JG4vpS/b++DNVHVEZ3BUsrCVSMY8CNh+WkJDBYwABLGK/24/Jg8dwS -tKttEbTCMh8BHe+6zU5I7HfFkdmlcV+ZBOwM/vNVE4vNX3xHcnAUDEnj/Gp443i8 -I8VTo6xPeVZDzDuKXmiFj3nCa6N+vqWTz2QTMl05PNyfsMFtSu7fcJAwYpncS+1G -OwLsUNsvTXurFL5lUD8caTJ+K7hymBXxVSduqXl4Bn7UuXoP -=PJUG +mQINBFturGcBEACv0xBo91V2n0uEC2vh69ywCiSyvUgN/AQH8EZpCVtM7NyjKgKm +bbY4G3R0M3ir1xXmvUDvK0493/qOiFrjkplvzXFTGpPTi0ypqGgxc5d0ohRA1M75 +L+0AIlXoOgHQ358/c4uO8X0JAA1NYxCkAW1KSJgFJ3RjukrfqSHWthS1d4o8fhHy +KJKEnirE5hHqB50dafXrBfgZdaOs3C6ppRIePFe2o4vUEapMTCHFw0woQR8Ah4/R +n7Z9G9Ln+0Cinmy0nbIDiZJ+pgLAXCOWBfDUzcOjDGKvcpoZharA07c0q1/5ojzO +4F0Fh4g/BUmtrASwHfcIbjHyCSr1j/3Iz883iy07gJY5Yhiuaqmp0o0f9fgHkG53 +2xCU1owmACqaIBNQMukvXRDtB2GJMuKa/asTZDP6R5re+iXs7+s9ohcRRAKGyAyc +YKIQKcaA+6M8T7/G+TPHZX6HJWqJJiYB+EC2ERblpvq9TPlLguEWcmvjbVc31nyq +SDoO3ncFWKFmVsbQPTbP+pKUmlLfJwtb5XqxNR5GEXSwVv4I7IqBmJz1MmRafnBZ +g0FJUtH668GnldO20XbnSVBr820F5SISMXVwCXDXEvGwwiB8Lt8PvqzXnGIFDAu3 +DlQI5sxSqpPVWSyw08ppKT2Tpmy8adiBotLfaCFl2VTHwOae48X2dMPBvQARAQAB +tDFGZWRvcmEgKDMwKSA8ZmVkb3JhLTMwLXByaW1hcnlAZmVkb3JhcHJvamVjdC5v +cmc+iQI4BBMBAgAiBQJbbqxnAhsPBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAK +CRDvPBEfz8ZZudTnD/9170LL3nyTVUCFmBjT9wZ4gYnpwtKVPa/pKnxbbS+Bmmac +g9TrT9pZbqOHrNJLiZ3Zx1Hp+8uxr3Lo6kbYwImLhkOEDrf4aP17HfQ6VYFbQZI8 +f79OFxWJ7si9+3gfzeh9UYFEqOQfzIjLWFyfnas0OnV/P+RMQ1Zr+vPRqO7AR2va +N9wg+Xl7157dhXPCGYnGMNSoxCbpRs0JNlzvJMuAea5nTTznRaJZtK/xKsqLn51D +K07k9MHVFXakOH8QtMCUglbwfTfIpO5YRq5imxlWbqsYWVQy1WGJFyW6hWC0+RcJ +Ox5zGtOfi4/dN+xJ+ibnbyvy/il7Qm+vyFhCYqIPyS5m2UVJUuao3eApE38k78/o 
+8aQOTnFQZ+U1Sw+6woFTxjqRQBXlQm2+7Bt3bqGATg4sXXWPbmwdL87Ic+mxn/ml +SMfQux/5k6iAu1kQhwkO2YJn9eII6HIPkW+2m5N1JsUyJQe4cbtZE5Yh3TRA0dm7 ++zoBRfCXkOW4krchbgww/ptVmzMMP7GINJdROrJnsGl5FVeid9qHzV7aZycWSma7 +CxBYB1J8HCbty5NjtD6XMYRrMLxXugvX6Q4NPPH+2NKjzX4SIDejS6JjgrP3KA3O +pMuo7ZHMfveBngv8yP+ZD/1sS6l+dfExvdaJdOdgFCnp4p3gPbw5+Lv70HrMjJkC +DQRcat0DARAA1IRnwnz9Yo4oIAblW0f6QQ0ljAt01m3wvKbe34WZGK4pc31lDH07 +IpD8pkq4knDjVz+gzcmea+7YKyFXVayb0SKiBUTtJrn6fR8n1igzv/wrcqezkM2M +OjVbYTv2lqchXyaY+rOImbGBqn/YAclfG6wQfL/IxLArVTo9QVN2zGy5DLESPflo +i4w2Mr6KajQULiHvKIMUsaWHW1M+vo8c374UaAc1nYyE3f/xo3fdJJKwTjFpDi06 +jtd9zg9VjE9PBuTbkOCoY2LFb0mwaX3ZE3Dbj/IAT/S8QkA3PntXgIWfeYN6pFy3 +ihCvY/hfsLhvzqxAMQbLHAsV0VAd/EB+ghXt1MRqEjJwYvoxIYnLnaPiLaRTsu6z +2mMkYeD5ruEB3AvN2zY6fDSOs0x6wZlbj6pMTJ9OxjAEGr/XswV4+rpqk1+HFHbC +VGryayd7u609JYQXYhq0Pcz2y9O7tip/jlzwAt3Skn+xvE78DQHa8vXrBkqYt/Gm +tZskGFWbwJbCAZGzd329cLwyROXM1Yc8EO+1dreuo8XoNKPf9jmVR9wqMw9mY79v +Cx7lv450B7bENH1MkGEZh8TRFZFtdBhjO30MMc6cRRUtTv9lxJ3zLu8gR2bIC0qI +31HLdBYS4RDf4PyCDV/WQla8yufw3tuwjY2BNXIGA/5U5kNEso3ylcMAEQEAAbQx +RmVkb3JhICgzMSkgPGZlZG9yYS0zMS1wcmltYXJ5QGZlZG9yYXByb2plY3Qub3Jn +PokCPgQTAQIAKAIbDwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AFAlxq5E0FCRLP +D/0ACgkQUMs5CzwzWcQZgw//dCBcAHxXEKuRDZe/6NgmEPZNmnUx21eUaCDlgv6P +SOf27Z9cvFg4TzlDZrIG1Kkas+rK5VaZYPi5KSI+uz1SwwcKVWwiQvKNX87XdjK8 +lanb7uetllYVKKyCPolu536g9Mr+eZx/W/yUdapaFGvC6XisPOCYL8RecFX8kYnd +VoyNAwZNrWhUeMQn1OU29utn23RY+YgfcbJD+6DXktvfknw45Z8m7ZRaKq/VAJ2N +br4QT5Bpo+OUiZKXz/i/pBmF1WlHdvTP6vz7eOl9Sg76+mdJfG0lBJN833DXY7hI +bRwakstVDzwIpBl9UOcBnbu0e/pr/wEanyOjguOIqaDjDStQIruvrJWz2KYcF4oI +Us/cmLhtBHVre2pHykdEdOCrno+C1y1nMU0eJfFw804WIDz9IPs9F0CawJFYYkq8 +yAngtytRj0olLTQMUky/qlloML0MgDzaD1fzmJmPsFMVJygmaRFj5C+/ZYegjGyc +f85azjM0bpks2jpylvQDpYr4h+EY/PTpg4nwRLENAnsHRzfZcuoOGRSSRmFyeR02 ++Y3QbrUwt7Q37x/Ge3bVynQuIqiQiMY+vfF5/FI1Xn2UNp27+Xl3GS3x7b2zQU07 +9b7wVeBu2ohymEUo+x5sYSwWQvGP55hQHpjqDmA6UeXlJj5kmxWsqC30bBV5ghy7 +O3OZAg0EXVFWqwEQANYwGpi/8bWvg/DKI9AJ+Dl9cUZdXUUJnfaoyL2AtRO/UJfu 
+tjIfgieP3eiJz6W3WRDSRAKQg07BBzM6SbpcOQR6SYyseScmkUvCtMrgBLbxtgXZ +GMsz5An90ZcMw9iw/S2Qu+jFoev1ZNGrz0D4CY41xQBAgwmDcnFcABp8GLZSzNRQ +Q8hTfkzK58W3Z493WT/qFUA7xLZVPvZPFdJjsdrhfYnSkbNupDoOrcBXOiCyegiL +T0Dt9i61hk9VUAQZFSpq+XS2HwvK5lKEBJnfwJ0AcEy9ZXhtVmCF3/ANXl6/ctdQ +TSiK0sCo1J6IMneCspY3q/Sp1TSXdhrrSy6AAF3fFoT5E57yQMLLdaYBo7nVDzzR +kDaJc5MkU5uqQFM/2P35l5D4o0TxIGiIfUTJsq0FTwebKBm+7xkLVMpTIvmDAZQm +3y96uDLkHDdDtq/nbSw0YPdwhavh8EBVjB0GhlPxFyydTU8/rs2Y4YVzBIUn8umI +4wKlnUgG+M4LsrIoRljb/reSNbveYHs4c53XwEe0ZWQDdAB1WVxK6V7/PrxU4DLp +uKETqZ3E/bwPgg2y2zzDrKvgb7doQg3y7SpFCrrpGLmY5dPKV74425218aDdT2WC +JyDPqhWTXtFPSNX24vorjWwZnWwf/rJNdApqB0BivfDWLHYvjomDML7/7pJLABEB +AAG0MUZlZG9yYSAoMzIpIDxmZWRvcmEtMzItcHJpbWFyeUBmZWRvcmFwcm9qZWN0 +Lm9yZz6JAjgEEwECACIFAl1RVqsCGw8GCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheA +AAoJEGwTAm0SyUTQt0AP/Ap0Ay1/Ovs7bLTr+w4+etvcPf1jYNdsHzLSISZF0Evb +0Grlu3HCYCRrsllElUXE+w5WpnooBGNLT+gIGYlzSMJEA0UK0zhSNUdNKzGsl+4+ +R6W+uU0T21xHo4JGm6P89mBRrf2KJ8X8VNR8OCHhD3XGJCgup8HE4nOtq9Aegr1X +Osw1M67onqXjN4bNj+hyPoOlP7l91Q7/ceAYU2I1g8LoZXN6IDcABVHSwLIYQ26q +p2DBTFXcEiG3TkzlZx2/GDVT3HkjfKOQtDD6J29fil69OIKH3/S77iDzRxP/bULG +x3Hv4NUdp7BdsXztBAhw4CKeDRLlATruva49XGZbL/npMpSoOjI/xI2xXraVPaO6 +2yMt683FSTLTXWDnDdtzrVR5p4quu6sV1Gz5HAFWRea2qb+LqDRlNZnJYY7qAl34 +dYCpjU1iKrj5wy80tq2YDaw6gKxE2YT2rqMz8RJWBofyFKnwZwu7O33+vg9lkaXk +K9R6V06IPbbW7yvO4eYuzh2yDAkn2mAtPRxQCw6lsw8jQmkYg9DZIbrIrsuY7ocU +7FsCTPsgZS3SDLUzM9PIG+cH5aAPUj4hBdewluE/n5353eY6eqx3qgMz+CsoHOuG +hR6g1p1z27OOoqU6uat0hHcHPfxJKJaV17l+7rE+ol2YZlE2Ne1zImVtI9UMiWjH +mQINBEvSKUIBEADLGnUj24ZVKW7liFN/JA5CgtzlNnKs7sBg7fVbNWryiE3URbn1 +JXvrdwHtkKyY96/ifZ1Ld3lE2gOF61bGZ2CWwJNee76Sp9Z+isP8RQXbG5jwj/4B +M9HK7phktqFVJ8VbY2jfTjcfxRvGM8YBwXF8hx0CDZURAjvf1xRSQJ7iAo58qcHn +XtxOAvQmAbR9z6Q/h/D+Y/PhoIJp1OV4VNHCbCs9M7HUVBpgC53PDcTUQuwcgeY6 +pQgo9eT1eLNSZVrJ5Bctivl1UcD6P6CIGkkeT2gNhqindRPngUXGXW7Qzoefe+fV +QqJSm7Tq2q9oqVZ46J964waCRItRySpuW5dxZO34WM6wsw2BP2MlACbH4l3luqtp +Xo3Bvfnk+HAFH3HcMuwdaulxv7zYKXCfNoSfgrpEfo2Ex4Im/I3WdtwME/Gbnwdq 
+3VJzgAxLVFhczDHwNkjmIdPAlNJ9/ixRjip4dgZtW8VcBCrNoL+LhDrIfjvnLdRu +vBHy9P3sCF7FZycaHlMWP6RiLtHnEMGcbZ8QpQHi2dReU1wyr9QgguGU+jqSXYar +1yEcsdRGasppNIZ8+Qawbm/a4doT10TEtPArhSoHlwbvqTDYjtfV92lC/2iwgO6g +YgG9XrO4V8dV39Ffm7oLFfvTbg5mv4Q/E6AWo/gkjmtxkculbyAvjFtYAQARAQAB +tCFFUEVMICg2KSA8ZXBlbEBmZWRvcmFwcm9qZWN0Lm9yZz6JAjYEEwECACAFAkvS +KUICGw8GCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRA7Sd8qBgi4lR/GD/wLGPv9 +qO39eyb9NlrwfKdUEo1tHxKdrhNz+XYrO4yVDTBZRPSuvL2yaoeSIhQOKhNPfEgT +9mdsbsgcfmoHxmGVcn+lbheWsSvcgrXuz0gLt8TGGKGGROAoLXpuUsb1HNtKEOwP +Q4z1uQ2nOz5hLRyDOV0I2LwYV8BjGIjBKUMFEUxFTsL7XOZkrAg/WbTH2PW3hrfS +WtcRA7EYonI3B80d39ffws7SmyKbS5PmZjqOPuTvV2F0tMhKIhncBwoojWZPExft +HpKhzKVh8fdDO/3P1y1Fk3Cin8UbCO9MWMFNR27fVzCANlEPljsHA+3Ez4F7uboF +p0OOEov4Yyi4BEbgqZnthTG4ub9nyiupIZ3ckPHr3nVcDUGcL6lQD/nkmNVIeLYP +x1uHPOSlWfuojAYgzRH6LL7Idg4FHHBA0to7FW8dQXFIOyNiJFAOT2j8P5+tVdq8 +wB0PDSH8yRpn4HdJ9RYquau4OkjluxOWf0uRaS//SUcCZh+1/KBEOmcvBHYRZA5J +l/nakCgxGb2paQOzqqpOcHKvlyLuzO5uybMXaipLExTGJXBlXrbbASfXa/yGYSAG +iVrGz9CE6676dMlm8F+s3XXE13QZrXmjloc6jwOljnfAkjTGXjiB7OULESed96MR +XtfLk0W5Ab9pd7tKDR6QHI7rgHXfCopRnZ2VVZkCDQRSrmiEARAAtVKYV8DKggGq +z1B/2bDhbJWm3k1TtqQ5OWJzven/q4GQe8QKwTknkJOwfdIqkifOf3O9jgJ+Dl2L +0+t4Hwnl6SbOTO3pl5D7DUFlko7vfZVvgKkjZo2FoZkZS0RpdDju4CMI+++nSF73 +DDRZc0j49NDdsQKozG45Z1dp9mmwBOYKulaaj7xV1cn61Wv7mpaIA1Zn+odreEXa +Yn6vKkx7BxVN8aQs/k+v3RlihkONmUH02i5wzI06ALJmNAMnr5CG1+omVbcxr2p2 +KT3FluF9EQz3KanxTWZOuN8SOJbGfmNhK/WLuUv/MdJcvrZpiKJGhNMMG3VLu+NG +E2YwnrK6GFokYOc7kNsXysSaFeRPhIfrWMBgyZ+h31oUYJ7nUUcL7ieOc7WFbSrp +SsPEEKXdkk1q3EEAyWkVppzKKF/zwE04wgRMQfXZM9/A67r5OyJBzLbCKpZADkDH +bF9Xd06L+gRNlw4yBtMxcS3biRm1cHP+qyHPeU9OeY9+hM9B648XaUxjjh8UajCu +ZvX5RW2scbQ50u8O+1qs1ux4xaw9FXk8dr544xqnIRxEKXw6RTs2/C0xYYGInckT +VH5UGN+VizsyzVfqVd3kNyYNdVBcHpUjS6n0H7hURnPs3MJDYx4ecj75vaHUdQSH +6ierChjxm7TzV6OxETEcqVskc9M4tLcAEQEAAbQoRmVkb3JhIEVQRUwgKDcpIDxl +cGVsQGZlZG9yYXByb2plY3Qub3JnPokCOAQTAQIAIgUCUq5ohAIbDwYLCQgHAwIG +FQgCCQoLBBYCAwECHgECF4AACgkQai+uojUsZOXHxg/+LKaqbE47QzO6qcrSixyq 
+7mbb7loqreUX70/cMPRlFBTGeGWRl+J1F4OPaosQy2slkfHXRv7OZMjotwtLl/+o +p82mMkYPgYe9G66ilCteBdQa6z4tvXminxvhrjBbV3QRtmuzrT5sN8ripqvRKb+g +dJj+hOSknb0kUqiVrRnAOsEUv8A81yRDR6ea3vSLJtwmMnactBi0QOcKOHzwebi3 +VISxFA74diiv/3zI42t6NC/kjc/DdGg2cp+QMQlPUQdxB3E3nBYKMubpkY/fQWa3 +m0dTTvuIAa4ryH3bw+HyTXzQR18IUh/QAhgjbx511Yx0BfYh1gKSpESHofBa9p+X +bXyRBe0hF/Bm1+xW7FqNvZFzK1YDahzcg53wAVaD7m4EHbSWSZFWQJGh6zLvAMrc +E+tkOHjapiSNWlm2UDSOY1mKnOkSrgiuvxffarYRU/YCTte/skbi+lL9v74M1UdU +RncFSysJVIxjwI2H5aQkMFjAAEsYr/bj8mDx3BK0q20RtMIyHwEd77rNTkjsd8WR +2aVxX5kE7Az+81UTi81ffEdycBQMSeP8anjjeLwjxVOjrE95VkPMO4peaIWPecJr +o36+pZPPZBMyXTk83J+wwW1K7t9wkDBimdxL7UY7AuxQ2y9Ne6sUvmVQPxxpMn4r +uHKYFfFVJ26peXgGftS5eg+ZAg0EXPfO+wEQAMk4ghaWUa53Gem8meTFDPYK2hYj +uCh1WehyWt2XzeRWOpJCn7Z2DG4bmZSIANR9gdpFDPErDx5+5CfDHNT2RnvSeALG +2ZtBYaZSZ9JOGJqk7PTTTXz56jkwVpt3a92IajXL7nWbaxEOk3yp0JqpeSjrlzIy +4teuiMkci69ED/HuKo6tF/JrzHc7ELg8SCXmmAOc/ylUrSUtidwMRAI3voP25uFl +BaEhIX/Mkj57zTpXvWHN/Iv8y3eZCb+WL6VEpTblSyT11Zp/g0f/Bkcwg8CRUni4 +Pgf+5Lj3CpafKJNgZPuFRuJ5wXtyuEsKaVHO8lHyaRE/r/hP8Xe00M9Zl4M0QNUV +SRMUc1Tr+Hb47f3ww1j986HIpo0reecTSDpAnV04ffWVccBGWkU61a3dWZlTQmdY +t5h29qngR9/2pNZkmEjsKrRabwOAtSleA2WSaq68Ts/ZbkQCvYTkCopCgNt/D8aJ +Z1G8dYp40YxEucYjdC6hfdSkCVcPu/XdV1nE3J2+l7Klt/8B9HKsdEqGRSPdxTWl +iQzcM1kTvsLklR7r/SfFu3gRNRkFOAuBgkY/xzs9uRWc7oj8qAvWPD7sxboDPw7H +5FdkvIYxWZtb9MxzyFol8osyhSjdNWTyc+JSGg4LT+QjuP2KUWsHEFTl1S0XghMB +ZzzGcbqMmz8iy9GlABEBAAG0KEZlZG9yYSBFUEVMICg4KSA8ZXBlbEBmZWRvcmFw +cm9qZWN0Lm9yZz6JAjgEEwECACIFAlz3zvsCGw8GCwkIBwMCBhUIAgkKCwQWAgMB +Ah4BAheAAAoJECHqRasvhtahZqAP/jGctbCzfgYHJUNCSOmuTR9fsjKGmb9TsGwg +cqykcsv5jjq8AAZj/28y90TR9yv0STZmnvMTVFaZILPPNSBMboEWhMbUfgWGj/tn +wFcr+PJujBdJl+pedM5+FIVqXAN3CVIm99g1X0xvK9vE3yplFTXPs8RZmsjMUMNO +gVGTRHvXMemc9M0gnn9hdPA2pT07EgjyExCPi58XXXTjQAlBntuvevN6uXIE4H4l +3XNI9WsA+l4zImmlYUdIMAhYrrH5qbXdUgide2oH8LPgYEcsUrl3b8hiylXDjtKi +WPyOIUS2cCrr7UCrlYfeIHhsTZ7rPTQNIX3d+vA7JY3taY8ihzZCw1EmGB8kL6Kw +ZADDCrzEBscQF67IwbwZmPPGiGDQfhs5IS6NUtOMfXFsAbgOeFY7/VVctf4tcQvJ 
+w7xlBNyOP/gBAq6jjC8w+u/0DXr2gRMb5XBCU13vhUE8YK+GfPAZc1tMr8ofX5ZE +fRhJv7jV+UHc0qExJTp0YjRIa0jENIeFVU2bHb/peJP1T/OetmwbkrDychtsXP70 +wZRRaAkyx3VmX1HyDPtX1+mfsvvLkuEnwc4Iyxj9nv/sdSz638DUwjiDtDmDlS5J +l2CLTPG6SJa4KQt4CIA/jLvMorg6Mnrjg0NxYIdrfrOfBWaTPeLEvxDRq5HXk6qr +YGNH9/KimQINBFvrElgBEACjNft3anFHNzwHW6dzxGinWEzFin3xBUjhre7e23Dg +DRIceDtePOqXGnIN5yGGH4VZrEGHfjTPoCcrRSpM75ryPLa3Pi0UHXRso/OkO2ta ++VaQRlwU2WAYqd3g/eck+x7MZHuKKyfyxDSUywuJumWhIqeJLyG/J9e1riHwaxYw +tLDvHCAtK4osoJ6GZDx95Rr4El/N5CtZBlIzRQUJMo695MIxeKA6RmlQVp8mGPQm +20Hveo0kBsLYFJxTW4D+KnwpQr2mJLsEQnCgKcr8TF5hDowz8+o3wdUrfteiVfkd +X64kXJm85jaR/K0ubnv96iTxoeh2Wf2jNAn3EjKhPzEeYFI2gCm2tzwUEzSuOjtr +x7FqDp7/iJRANmKQJ9KzhCT5JLkeS5do8d196xiI79Zlx8ISQRvCNuu1Or7idwvI +gHy/+BCyPUARv430YvXU4d01FVKTlNrbRsq91SVojek4UXkAk9oh4d3Y/AQF1DLs +4nK1vBukwWIKwcfVA/RidSqXofx6pahTPvguTkAARhMEJPLtbQBzD5kqkdgdP/6s +7ziTwGkGO8iF0TvkCwMXWXHl1B/m6b3h/wWOIFNfAZ0FxZmmD5UhytjVjhdI7jiy +Zf6JjNupVCVx1eqMGZfm3jkZqzWOB9wrVrb6rtI25ZuoRQJ/idnXkxZmq4m1MCZb +CQARAQABtDVGZWRvcmEgKGlvdCAyMDE5KSA8ZmVkb3JhLWlvdC0yMDE5QGZlZG9y +YXByb2plY3Qub3JnPokCPgQTAQIAKAUCW+sSWAIbDwUJEw5BKAYLCQgHAwIGFQgC +CQoLBBYCAwECHgECF4AACgkQe7kHItu9z3xs8Q/9HqL76vo5xZjl78USwgX7t2f8 +Aa6sqD6OIV4V9KPCaNeqP8OF6LqYFxkv3GX3FMHGPHVKOBLQ6LvuGozcnnpZ3ypq +6ChAy2L4W7ytFggpluArxSN5jmHoOXO51wPDPCSjd4rRi1+XnMDiA3VIk0vTcGHU +K13JgvzuUrIbFYhVwwCn8Rt0GvCWVLyvKRbykN3xgFmromREKdDCUymYS/u4hXw5 +xQt2AE9IgX9puLlGH5AdbJumMipcaI9erH/KVoBvtAHA5ozkL0PDocRaWA/W+i8r +XEeI8TJBA7Q/Xb/L12aIOCzeyEKGP911iR3/99UGMgfswKvF4WT4KdAV2VZoPizu +0Am2MUYhoexdnHY6GtU1UKcWt2hW7HmGBCZVdVpUF3W/gebe+ahLPT9UhqNTin2v +w7MxMKy2uWPZri76R165F3TP434dZLNfkNa1rdtQrRaD1Be9/hAQthYWKoCFowbM +LAr1BgzkUs97arxBTzqkr9GTCy5CX+nObIbwkrFYugRfA4bSzNFSpCo71cudqNwK +JEw65lF90+T5ma7lM6ZwijH1A9pYeGQS0eUOrV/0VTsxXQOyS6Mcfper+dkOpypZ +dSnJGzid9HPUSUdjI94wtRYInrcD09v5OnJcoxUDVVjVhH4FIqKVYstucn/LB67n +nn+55uTOKdm729ex0UI= +=FHrh -----END PGP PUBLIC KEY BLOCK----- 
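Review bot: The replacement keyring in initrd/etc/distro/keys/fedora.key arrives as an opaque armored block, and neither the commit message nor the file records the keys' fingerprints or where they were fetched from, so a reviewer cannot tie these trust anchors to what the distribution publishes; the hunks in initrd/etc/distro/keys/tails.key have the same gap. I would list every key in the commit description in a form such as `Fedora 30: <FULL_FINGERPRINT_PLACEHOLDER>, obtained from <SOURCE_PLACEHOLDER>`, so the block can be imported into a scratch keyring and compared before merging. As far as the user-ID packets can be read, the removed side held the Fedora 26 to 29 keys and the added side holds Fedora 30 to 32, EPEL 6 to 8 and IoT 2019, so this is more than the expiry refresh the message describes. Signatures made with the dropped release keys would presumably stop verifying, which deserves a line in the description as well.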
diff --git a/initrd/etc/distro/keys/tails.key b/initrd/etc/distro/keys/tails.key index b43b9a543..dae415b93 100644 --- a/initrd/etc/distro/keys/tails.key +++ b/initrd/etc/distro/keys/tails.key 
@@ -12,34 +12,34 @@ zXSl42yg3EEsJlijBSR3wsIJ3+sWvQPMBdjgN0RjvoyI+zI7BeP8LC6ngz3GC8JS D5B8XNUYV32tlCs1ILdUPUF1BbxH2sWxysbpl9RvOG56JArSG2k+KlihXH5fmNiC NMWZ5vBShQ+bpBXh55fu3F7axequpWzocRfH+mfvBh5yvZnjDRGC3UZ06CFWN6JP 8wDFR+o8ZHSsq0Gx/2mIXVsJT6h0mF92Q1iqH2SQhFeRL3M+RcED6Bx33QARAQAB -tEJUYWlscyBkZXZlbG9wZXJzIChvZmZsaW5lIGxvbmctdGVybSBpZGVudGl0eSBr -ZXkpIDx0YWlsc0Bib3VtLm9yZz6JAlQEEwEKAD4CGwEFCwkIBwMFFQoJCAsFFgID -AQACHgECF4AWIQSkkND00xGkFT4rt8rbuAKyWKzYTwUCW4f3egUJCV4TZAAKCRDb -uAKyWKzYTy6iEACJ2vlgJLNN/IYTH1b3rBwRJDreicvOnOYjo8E1fWhsMv+ATs3G -0KgxOz6FzwERqmdbYAf+J39k+uQ8s+bBSgZ2J8YTQnF0unlrVQwCCxWOB2jpBUj+ -yhmFrtP3pcDYf42OFO3TjidIGzOwweYsavRFi66otgCtdCCp6NczLUNasBFlWGeT -QET9RSzhYlJypPTh2WJqTohn1eXqKesWao9B25JlTKosSWgc9v25fBslMZvWpb+V -cm/ePHcDz/8iiUBxZYCTYzmxHfS+j2gSZaphEEC2i5ftJzaRAOQ5JaRYHbpuoOhL -L4lEzGD5vEYg8mSUCUEJlx+fAUviJJ8fQR74mosdU1/7z2CeMzBbccQfhmq4wD0R -89YKmQUrLy+BTB8IqWCBco6Ht8AahIFMUK/ZjquOaPEPQU3iVPhuHv/hOE4mFWNC -/+GKzRnVv3mmZ49BG5tjjPlukJ6N9gV+3xTnjTseZAWGhySuk8+F66+OYHGnFUv+ -/fA9AqQOnNGVVhUpmIpC+V9xw5h6hr72V8zQ9gBdmFHGJjx2ua3AFItQgrJK05JV -64yApq9BjmqMlFfDmcbjNyq4/HY/ibLhzlswofJAwOy5Up3Y3EGxe2fmDO9ktlEY -extaMjQNcgik+e+FbqPDEbxJQ3Z/F4gf4YziHlxN31CE46g53UO2CdRv9rQhVGFp -bHMgZGV2ZWxvcGVycyA8dGFpbHNAYm91bS5vcmc+iQJUBBMBCgA+AhsBBQsJCAcD -BRUKCQgLBRYCAwEAAh4BAheAFiEEpJDQ9NMRpBU+K7fK27gCslis2E8FAluH93MF -CQleE2QACgkQ27gCslis2E+R2Q/+JE4gEhi+e/EMnDRflMYjiCdwssr8ZovyoxWQ -6Cz1AsWuLmRzTIWlMjkfQxs+fAXK/+yys85jiXzzDJkiw13BXTESdWpe7WAZImNy -GLe7lA0A+UMfD52FIjjkcuestH/J1CadykACyARZCL7l2eqY2UZL+oLRH4uNAqK4 -YRs9dey2bEQsZk4fvbEGf5RxY3799AHtcucIkJIzZjiUWZcKtYAW8FrspBj0cX5T -Lyd298or61lQf1IixnHyD2dxy1yTx3SwWyxAF5YFFvwkvTrPiyQSQEhQyUcLzOs5 -v69zd09MOfR+atyxpeG/p6HnOtsAuCc/hvghvsYalGK8eq/Ods6h97xPb01UOCgZ -bcXcy798KZzu9MM1ZZIqz+M+SvCCpch/dKH8yyZUipR+dR8ABYA7noZFdyAwlTzk -PaHwBzJ7g3CuABH8KA2KpP8POIAgyVosxm7q/73NdoH0ngRlx5oTBwblNRNxjd4Z -+FhZsrqN+NVlOOOFQRMeI9SAsXFHEsvZnRUbEwoeroFUUymJfQm5okXz99EZY6pM -Wd79Tr3fLNuBM+sUc8yx/wX31NwQRCrW+RwZj5TfKHTt99M9EIiLlSqUz6Gj5GYC 
-nf97bq4PqqF7/kGkkaNV+k/T4+mkvHW4IVyvuqhqna0E2WeoSRsSDq/pR0MGDyFZ -pP7t0hy5Ag0EVLvR7AEQAN/E325mECH9+a8jCu0yHu5s5GOT9MOjyChyAFuont9Y +tCFUYWlscyBkZXZlbG9wZXJzIDx0YWlsc0Bib3VtLm9yZz6JAlQEEwEKAD4CGwEF +CwkIBwMFFQoJCAsFFgIDAQACHgECF4AWIQSkkND00xGkFT4rt8rbuAKyWKzYTwUC +XZyG4AUJCsH5xgAKCRDbuAKyWKzYTwa3D/9JVmXlwcyi7F8/VpodUpjDlkJ+0aB4 +XPwunstpF6hq3v66JcCHcIvqXyEvp62pnmFgcANw88f05T+bl5bIOvR3+xlGGUlN +ybAAo7D9JfYbdOmlZSlQB+oxLD70ulGx9ZoC4smMrfOF7z/5zVtk+RRNKCemk2CG +dhAXCwI2OqGDurmAMBiPnrGKMrwInt9LzTLnVi3XmqNjGn10uOCUJLS2PZnIDvXW +KuevABfKbEIAFk2tYlhG27Yz3CL0luZmYzVuqFLn6Wa80NQ0RqDBiUHkvLi1T5f6 +R1QImtaTRB9GesAUhaoXrSNBSSJBcc8Xi4s6feathNcvvLG+GiYDGlJ/qoewVnzM +Ml1YOVBlKOXL6zNvL3mxRRYeV73w8+2jHozYaAhRWybAyybDH4AEzP0JVUe7zaNV +8F6kLgJ3f/vj18imNsSu2SRIKfUMEzQCN0/NBX8Cn8B5k99erYdd11P2oHPXK4qH +kYZrpknyXNqIURuDa45HgkIRAGToGer99R74iOdmMwO5RRjWqc8uAnUVaZD871xx +mF+ns9FXUEn2DcgX6l4Yvsl1QiWI2MR/G615b5Jkihyp5qptKteZnpVUasdSUIOI +93NKH/wEaHAHHiD78AjxZaQBTBVhOVFQvkXYteWZ2V+5PJBk7A67L8inFP1NoHdk +QnbURTdJEIrxJLRCVGFpbHMgZGV2ZWxvcGVycyAob2ZmbGluZSBsb25nLXRlcm0g +aWRlbnRpdHkga2V5KSA8dGFpbHNAYm91bS5vcmc+iQJUBBMBCgA+AhsBBQsJCAcD +BRUKCQgLBRYCAwEAAh4BAheAFiEEpJDQ9NMRpBU+K7fK27gCslis2E8FAl2chtUF +CQrB+cYACgkQ27gCslis2E8vkQ//Z+KpA+LY2xjy6SxAPLxLH30oGpYKPyA1ri0P +NmhGp/cj30iLr4aDXw/N4FM6XRILcce1pSxvaUbx+UGijm6KyDhcOmA309Vm2cEy +14Ik+89csjhfK+Q4kcZAhPEcQoVrM18JtKEDW61iEdkO8FxFKkkZiaui/uEyY22F +KpZQiJos9pyNMxb1bFKgWUKXgZBcSZSbE9Eo76jIIkra/4A8gww/nHcGdoBIcjSd +rAlLUzKF4k9Q3a2nN9UpAzUEoG6VaFVaM9ytgnpigHKuwQmk1EqnNPeynjjmSHxo +q3VAll8oaPO5yDFSM0XXIDypc7aXarzC1rCnZHEOMG4Zmi/SPO0SpdPDq9ZBT4hX +PmQrByRWMkHwxSm9Kcarcl4eCH08aY2akd98MpTByc1s8jO78Dqwpmw0BDR0vfZx +1J8E6+kou2+j3OXuXrPRwkT0/RnUdlM2/nsfWJQ7g6e+qfkZtGyA/etX0nfrutRr +DMtxncy6xHWRHyAEYJx5n/tD+zGzEEBNZ+zI2BX75hBvyF4UnVp4cyqe/6+0rrD7 +hcOSP4svAQXQdGHOcMiaiBFa+2AVzmtKvjX2YnaF0YfjD8Q5+9AqJKdkVWJhIJC2 +1OpXaaSzvQgUzUpmAlrn37vFZeeyCEbyL8Xjx6pSo2ckyNm2nrlXeF3YBlUWNfv3 +pGogBnK5Ag0EVLvR7AEQAN/E325mECH9+a8jCu0yHu5s5GOT9MOjyChyAFuont9Y 
KiUj+1f3Eu65rHmuGDAjAz6NZS9ONENzIcDvrKvTcQbtfggtQJ5ExUPt6n2X7xdN FW53KkonS+DjXwTQrr2vpnImb42XsNnZVBjaSzqpbxWF6rXWgTMeICWVuvkRfRab 8qNLh4ugPuC+dqVermt98uTf6eKa2sssBw4m36/sPXqoJ/TWahoCglob/uKbh3mr @@ -198,8 +198,8 @@ Z+0fex3DsVwXMdyMS78zfnm21bMpsgfJx7YZI1gFQXAKtVlEWPHajyjd2tCysYHy 1AnbehkHRIsYVqXV1AwF2bSN2rKf+nCTjvNgt5VNAiJGy4N+QuXFy5X4NdgMdYq7 vYT66IeZwlT9HV0wEB1jsX1y+50faxfn2YOPFpKXzNd7VOQDDx19J1IsNw2Q7gnr 4woqqJw+bLG7ClRuNfN861Dlxc52sH6rjdceiFsLKBj7T1mQFAUZB7TCMIvK2rry -lc5iXQARAQABiQRyBBgBCgAmAhsCFiEEpJDQ9NMRpBU+K7fK27gCslis2E8FAluH -+M8FCQR1mLkCQMF0IAQZAQoAHRYhBAVGn7herWWJtD1B09IdrTivKBwLBQJZpDyW +lc5iXQARAQABiQRyBBgBCgAmAhsCFiEEpJDQ9NMRpBU+K7fK27gCslis2E8FAl2c +hw4FCQXZffgCQMF0IAQZAQoAHRYhBAVGn7herWWJtD1B09IdrTivKBwLBQJZpDyW AAoJENIdrTivKBwLz48P/jgM5REXNkh4oW2GHC2ZfPMiupF11zTBKWuIrsjLzUhO IqMypbKDBAQfqV+TSal6RTvvZHQxYUxak4OK/TtjDL47XzHGQmzZbFndH42XVOua kD5dT2Sv+5oWNSZDz+Yk/1tg4aRCD1MqATPD7N2O8Y7+NFU2dtQLV2MPa/70K/Fm 
@@ -211,17 +211,17 @@ ghRuv6XsgjUz137gNkT2P+PNOBV19sTV3haz4i6gBr180xvvtOArwP1vTxnAa+Pm s9bJt6W60PO6kjWmDXnPykwq7fpmI7qgJ2svlqRcLN3GRLX3bc0jCpspUEWAiq2J QP3ejT2QmNF8GFCITQSB64Vb+aOBE3aifBjt82k+KSvy/P8gkPCc3fsxdYSgnesr k6EngA7vOM/x9unm3yPMctpT2kKav/xh0IYQdsyF6QX/ScKl3kvuRt3LTkx7nd/L -CRDbuAKyWKzYT7FlD/4m0ohmF5KffUQGW0L514b5uU1BkmhLv5kFEPPB3qxClfP/ -SzxdiiCyZHCSOqsGwepf3E+1X1KJEMt2Hv1XAAxLbfgyPv+uBrSjxqi1LWE8+2UB -W2zVAvGksKbzVn/GnGevKxknkvmxN9GEqiRTXdtMCNY/PtG1jISAYM9Li2TmL/IE -mmZlSHhxbaVfrIrsI5Sx20Xwp/WhQ5+ZDMLZEUQ9a1ptVsCHLgs/rJhyCfrZc8VT -KfTklb4dMWYg+8QdUO9YkzSdpwLulfVIYD3wIOZPKLzaxiXxP9lJWEiEuXvt+HAG -kWn1yeIBBqlBFRDF57EN58xPxNJ2Gq6RYW9vb3/h4GWpC6znoHeHYOwJAFPL7Jr3 -7G1YPlYEJWcprLoGsJpiHFixluopp+LVMmqoa6td2JRl4HIjsJy9Ocw/suVX+EXs -hgRfyKEkuODqayHeiP1Pof89/WvMqCC305LvBlT104CA3p4RqBho88tcJQDpVYib -FJOiuOTZn1NE8COo5Uu0j19R/amI4pLOrtfEDy63kaTVmfOrFkdGxDxikyt2DgXG -i41HNbWc0PiinSt5NGoR1oXyV4ouEYWuNEQe90hPtiuOXP5cHcekjUAgofhhtP06 -uUtwaDwLzno/gL/xChXWGboT58+c01lxBpis7grO3dW2siCtXC3HNat+WVn1gbkC +CRDbuAKyWKzYT4rbD/9nPA8b0jGyEJvdCv8y3W3CpgDV8WSs7JTlAojJ+m2826kL +fAmBbbsTSAY6DikZzbiU+il+m/sWUjTvtbmoirIwrbRhom+eQvXTC0IwOCBaqBO8 +lWfr/r2w0v9pypTuU2QzypJD59bf4ozV2+XPhpI3Jo8812/zpPQ2C9vxJzZLIzUb +kPw90uOedX9BIa3gQ5i9kdMrp09K0pa6JHQGr5+V4Q4yHZt0DjFFnU/mjmGr1Lt0 +wZ6D4S5OE+EOmQLHajqKBSklUaCJ/Q+f7BENnMSPvLL7rQmm8X7jE+jB8N27bV5y +qt+Wqdm2l0BJj/IwzWtXO2dZcPo6KYZ63V7J8NQY4pcyU80xjxHCgFtS1rCn7phX +HRFac+klAfTkord+CvsOTdWhO78nY2qlkHl/MErJzZQ2k4BLwgFbIudmOScg0N/g +JDQoPvCmv8WmxflsZx+ZRH1pDSwrB0trCIyzf6cA/t/7S8GhC1Ecd7GFmKr7CE5J +K44faVqQVH0iDYuI4ERBZ9kkf1qtsv9VDc51ghQn8wqe6yXKqyJc2DyOCQsP9AQM +L3+nziTPQ0Rj6AY/qpu+hVO0UDRXI8c/2JvM4LYJPMa24aSJSX0t+7Rl3tUagOle +1mpkxLGyf1jAZzXUgFvstI3iMzGB9sxQZzb4G1PaRMGjP5dhfupCkkPxSuXS9rkC DQRZpDyvARAAtfnSrtM7lNxN5FPfT0V8cUpXW5D3jhM6mC6NUSvKSDAeITNdQ5Rv o+k2GaN2dORrFSTRlBnGlF2DDpXY128zcvJakG3jadgGvAMflrpTDbFN52591u/+ JGbZ3rhTSKb0a+Vmo4MxDPKWF6ic69Ktk2NMze8pgJMpaqBSOqjWGnVpQw/eE/aO 
@@ -233,7 +233,7 @@ ef7D52q8Kt+DyfLSBjudGV0g7mRXEGDpJxBPhbkGJMwCoXTWlV5mPafpNIk1HR6i gC8ndBGxNk/yENfSGQpAHmVR9LzfXwFBdoDgUL1CzAu0iGfiRO62rGMlx0ZkUADL REpeLqZexYmQ3DJ1G/czh9f6aA1CDbD37kZ83St8GcDSFI+jvud5Dn7/zfOp+B61 Ykn3Zm5dHQ8BO07LbbqyAH+312aBlCWdsj8sIGF4KcxQSzuj1tuCLUUAEQEAAYkE -cgQYAQoAJgIbAhYhBKSQ0PTTEaQVPiu3ytu4ArJYrNhPBQJbh/jPBQkEdZigAkDB +cgQYAQoAJgIbAhYhBKSQ0PTTEaQVPiu3ytu4ArJYrNhPBQJdnIcPBQkF2X3fAkDB dCAEGQEKAB0WIQQvr5ug1luzcfC8LUYwIKepwrcnMwUCWaQ8rwAKCRAwIKepwrcn MxWKEACjpk4elL0hsOygwHaWilUwGIWnM/s8J/COeZ4aPJYL0uBRd4duvewHEf7c Ws9N/69HRY1m5o1wI/lBOKB32QXMaaLVXDuMkuXrZaNkT9D4WdCJ719izhkBQ45d 
@@ -245,34 +245,34 @@ Lvg07g/JA9p8+6lBlmMUkC7p4zihcUIoNXehfFsumReFea5qzQn7VWOQEYTNwtv/ FKV7kRBGctnHuOYgjmgKxIwmUO6ufA5grrE16peYhkRLeN4+m+pOG9swUwtvVdzS 7zY0Qq0qP5zWrh9P13znHb8zexd9DafgIGbP7lJqPP1Lh2/Kc676/SpyT+2A8teg sFdlc7yU0fHAOcbhOpMccXkYNGjqzAUnqY3K17Pi4JHHKM0xHYmRlZYWJ2fZb5IN -54EM0sGPZsOcIa1qg79qzjrY8ep0XJOLK3DMXKTjlWW+zxhZlAkQ27gCslis2E8X -AA/8CqeuxtsKzSosGloWVUkK7YrhwgMAMVxjdqCSetsO5oTB3OWAHAPlYoTaPcJh -69/Aixib6Ijs0sAf5nUlFRXeMON+gWo+52YW4HYf4+B87KUPye8XL8S9fsibxJ6V -rR5kRAoqxSUfpUhxUoNvaJhGD11SSCnMELxvpm86z1uAEkJH4cZ4vZtrdmD5gQNB -d9Xi58xV8Skzpu2W9PypFupM8K/9z/JfzAnm6HFAOVItAkv8S9sT0F5LGdS/G6Qc -SfDZGZUUSmNwy1+igCQdzReWkSFzzB2UJxX2Ap/b8gy7v8BLeP/VTG7BTZfKLrPv -i1V7Z0+w7iGW+tksP9ElK4cHSLMglcWoebY3DC9r98vBYmPTKHzB99LLcFnJHDJp -wqAUJIvw1NggjkFjNKSMQhJhuo1I4Rg+x/i8zPxcpCMCRol1vWC9Kts1cHDMwlrT -9v3W69gcOkVcfpD0MAE3xLCApR7C0Aky2BgWvQt00O38SCnOzdK/Thja61lSbPij -xmUL52K5d5v3WKKCo9vBCr/hqXwJxDApgn3YMLbndw0skmZ1sWKEGLJisYfrZTCQ -QmgBdN/C7RGf67XaXHjj966XOleBYI9QjciavBl0eX+nIJV1oSa41+/zLXYD90f0 -OPd1CpCoFgq+quk8lv6xlr8jsCLKZp8RNx7tj8UGBV9Bn0W4MwRZpCe2FgkrBgEE +54EM0sGPZsOcIa1qg79qzjrY8ep0XJOLK3DMXKTjlWW+zxhZlAkQ27gCslis2E+5 +hA/9FQDQu1N2EZl7FrrAdP9xO7y1ZUs33gys9eA7bY8ETMlDqchnEbnbqP25W2yO +bzrKtshVn44fWUGOwSmIDfVm0ATkuJgMReMTo3APfOHlV4HKlMZYMF7NufJs4f+0 +/DYCq2FN1ZscQmph8YKAsTFKxXWNw60ilfQoY/KxLbQ6YTw8rfd2FM0ZwjV1PbsF +7HR0FkZjbaJKry1vqtOS+cjs360t1rclm1KRMV9/yJJMow2VV+9FIhbZMowrfZI7 +Qx/Sx1pYNT07D9dBNeGSRnLWEubO/mb8s1Hzgty6CEf6qlEwdRMVELXaVJcf53CK +EqZe6uhVmTq7wrmbpnb/I0Wer6igL+aUvtkM46O8zVCT6T/mnsXyoCV6zmCPYM9R +ECEyRACx4Ik+ExjLnRLezYhOkl7uN3qTS5rxR2otbESgWNx9L85Iz75ahU0zas4F +R1cZ+YC2fCRAqmPveAidJbJ0ZJrx/JH09udX5LafUQIVkY6xmoE/9T8bIVSbDFwi +fig9OdP/OtaDJBS0BOfQ9QdlpIWe2owVZa9Aa54U2jjiupCGY0XB/LoNWe02WGUN +amnXegG+pHGGGt/atMAFAtsAJeXpLIddO3mQdbR25QgJ58fHtkX9y/FMT4bb3FII +Vfd4PMmQibGXEwi641+MtwlJ52QVZRmL+2XahXoqCx3hpPy4MwRZpCe2FgkrBgEE AdpHDwEBB0DtqAgreIYCHrjvjYlBdMOugNUQhW+E0ko4ynwSUi10l4kCswQYAQoA -JgIbAhYhBKSQ0PTTEaQVPiu3ytu4ArJYrNhPBQJbh/jPBQkEda2ZAIF2IAQZFgoA 
+JgIbAhYhBKSQ0PTTEaQVPiu3ytu4ArJYrNhPBQJdnIcPBQkF2ZLYAIF2IAQZFgoA HRYhBM1NQ1GvppM/V0qa+5CytL167SNfBQJZpCe2AAoJEJCytL167SNfLMcA/iHy x9wWfgOAHlRrf7lWpk5OF5BHNSrTqJay+OiAOJG2AP9PA+oPGmdr3WZpf6OcWc/U -vzu7VzEY4UorRPpt0sEKBgkQ27gCslis2E9pPxAAiCSmy+UOcnMzvtXQqczXPUys -OFmJBZI/AIxa67NtOWPHmbii2KA2YnoHxbXoUJVmq25EHjJQITjOhEM7GvDknkHq -Gq7+bcjvPTQURK/LL+5VEAfapUHHRrlEOJaUBhA5TXIHYMi6ND+IRG1o4e4ljLMp -oHyS4Nl8yqWmjr/mUWXUpw/D4K7+Xy9CCNA7PT7NLgtHp83sdLZ7DR1jUX1GTXNl -vEoILlFEtqSL/cp8nbIvnhPX6LmGoIq1Mh7UtdAp93b+JPDzobZBtRI73jPAxesm -b6Ipnju3jH6Pj6ig88OV9ah3eHmpplti0b/R41oq+JZONxs+e1Mp/T9/QGHH9L+n -j2uPdsFQ+x1FM2HeYjl68RLX1iP1TFUTlHBAIjKzVc1gFMO6mx2dsrhZR/4462/Z -lZg/EhtHK6lIIC0rsM2z5DY2jdvbKvNc24DVxFCtTy74/fuJWmClNVwLz/TstAUK -nVhTM33U/qUwelF63tPvYnna/Iq0NkAAB8UpcEuh0Vmzo/rSokeiuNStJp3eRVHN -PmIt58YVo+kTQSvNYAmXYEFjj4dmv1WaZbi4qdl8Eqq+Y9UXS5QO2GjDZs8+/NkA -fWIjjzHwa/blm0C03b5PkvzUv2qfkFHuYVYvlcEA7F0DyJcHcQlWthB6HEDTwx0L -8yYhRA/TeCS394jPwxe5Ag0EW4f3OwEQAL9qkAF7ImnL8bakmqQ640hqsh4SLjjF +vzu7VzEY4UorRPpt0sEKBgkQ27gCslis2E9AiA//XhNebVlk5rGxYXG/DfV2ulDI +YLAp4gkCD29msFRz57+QOYWnEwjA8cyICK3NHc1CfZFP03vJT0P/CDiZnljxFs9C +YstAjUMF8niiclOzyN7qAHSYQCmTWo88HUru7YhGo8tTSJj4D5gkvuXSgu7TW95M +ZhQnbUehy2H8Y1TbVTh7bv4cUw293RNN8nvoP/JO85u0rwOKwNsuqKjLVM7t6YxF +LW/ObS9CiIoAuPuwy/5zziRy78SfquQTkmrDVzndcurEJJEw51CZpVkOD1uhy3u5 +7/3h4AYeHSttEplRhbf37M/fFH2G0ASuRx2higAA0hEpgmo6oPk9CNWCQTZt/J90 +JzoXwa9xTQjjPP/TvGJ1EmUY6isnV5cQk3BCQaW5Bscp5yHIHe8n+TrJDI2CPzX1 +JFOTKx6eJ3aEROXR7lLBftcf3iP/pi5fcvbAuPkTXc2AJpBMXbPw1Q10v0Of7K/t +sj+FS3G0oPeSNaXNRmB5WDc1wqh3kA8sBgw1k7K6lO+stGQE2RgJFQIXmhyRn6Kr +XurlafdSlrXS30dn676Bus5p8yp2aho5AxkwJm76BSnczjMV1JBJqBJRZ52ntIzq +fW0Cl2qZ4S1SIxShW/vfgGBld0CdhPHpkpZP/jzInUucdZbYsBiLaLdnKFb8q6m2 +KRpjnPmgkok8w6gYDne5Ag0EW4f3OwEQAL9qkAF7ImnL8bakmqQ640hqsh4SLjjF E4XJb/VzXZmYJGbTDBDmNhQUpupyn2W6vJ7HRzW/cCOKZ4IpHxF3qoBYiLMQybjS cSEZcbvxBdhgxxWcPZXsdCnmq70+a3mUa1qODYjR8iAhyibDXZodPkpVSOCa1WSt opJ48EopahUBOkYwa3K/uM/SnCGvMV8iFbnVPfKA0VlJrbi/0jS2lbrOVSJTKxaI 
@@ -283,30 +283,30 @@ wWVoY0dq3HS0WH/BC4R9oT4euD/7177t8mLpCkFOiTPyn16cfgyubdRB6bXJMiNW jq1vMUNfceZnfR1tLdUEdKbgveIsR4VdNvVqBhwpRvzETa7ansTh9ifdPXIV5Cy+ Q5UJaguDGcHUGIE+QbGE52Wqu7s9MWiO904d4VUt6avJpF7g8Khvf+f6ccltIqS3 zQE+E5f74WmWsjEjGlpSpPo9rptYIGtCV11qyUfrEb1oYGCwn1y8TjqCE6oCkEaM -9n7dCClfYEv/ABEBAAGJBHIEGAEKACYWIQSkkND00xGkFT4rt8rbuAKyWKzYTwUC -W4f3OwIbAgUJApHcgAJACRDbuAKyWKzYT8F0IAQZAQoAHRYhBP4CnLSq1HiOHXgo -6Kiw9ORbG1DiBQJbh/c7AAoJEKiw9ORbG1DiPlsP/3SW95eFOmne+DNYROtGzPba -n3NCY2IkYMaZZgb2PvtnhRFTekCai/W0iemueOupPbNVdapkHADU+kO2RmnJshw+ -agKV/qDsWxldIaaTIiRIKv5yCDV3vNMFaZ/JcxTA7aLU+mWYNmWL0diIWVFqS62/ -1NTmpu2A0mwBNnNVChOH+R8AAgOIc5bc1cVaX6GTInbJMcuBFR3upziO0o4qSEEy -M6nQVNzM8Ejbi0k1OVtToF83oJ8n7ScaVxp8JGeHYXxLBQ/tzhIaM8KiIQo3Au75 -hmVwKTt2oA1swyZ4uBvttmk8DzduyoaCwmWjC556cGAhurDrB2e5Rs4CrzNbqQBa -WMpI/+92679l/Zg5Iw1mOU6qbidciLi70ZkZzbYUV7RXZU6XUKDo54WoEOR3jmGp -m5QTY7XSY5ZFPnAXt8So+YL/MrRC3ncwlKR2LRLa32pytTx3a/Ama8HWaySdnR7d -VQYljMZuNniD1FRjBiJXu/dvRKMyJQv2mU15m+/wAiwuKG70Q4CzkxRZFv/Y184U -57GVx7yiR5m5Og/VWRid2uno1Q+8XrXkyf5yYSEXaA0BUlmltRqiuMl4nEayKj7k -vP9AUVUkv5NbiFOuF7VRMi2hafiUfIowM9fTyV+tCBxk+/nx4O9pM60TSxo8TRQY -pNJ3jTN3WblMfOJ8vK2yXwcP/3EuXy+Wnc0oQ3B3X+riPohxPep6OX6NC6s80Y1N -7nHPP9BUlSTgNGxR4VoHzrRxuAgQeEM0faw0OjmXmaI9KqeJFU4RyMuZaGyOVzxg -jCOeJfxogkVmPpS7IHMOSWkagPaRymBXBZgNMxnLxMew1EnfngvMCV5tJQ1Uv0pP -sBnmdf1+TQnhZyaHUA3VYyC8lA9ZuQhtXzjuCdA4F5w9kIx27CnSAtyqNobyHGke -aB62qPobjIU1Ek7BGrvUDFXPTwr8SM4wbnmwky7eQ9UL6t++/I5d4QMzVp8WRW71 -2KeAgTmO3VGhJ1F1hFz5f2ENOQ/5nt0fvNBsDrigc6XouZDCkYY877TRCBvKr7gN -X5xCpLMRJecyezctAZSegySOWqv/ODmZ7r8Nmf9PMuWeAbGJktUPCHkcKkTT7IoX -cTtxyP5SJ6Pj5BArkX/RGt3RX0JWclqckJ1Lr5U7xFft79nXAmvVHahXJwYNFefv -/sJIGTDaAavQdiujiuxWemtqli3jjII0rrxKEb+WlqhWq4gK6epjixuiKEfyUbEZ -cBEB3KAiwLudRfKp7+7c9j/+Q6/JXdIJ0oCnI/tMndqdBHlWJUHMJGyutg91MfHd -qdDoafsIclj3n7qzixWlJ1iqcfnCK17cOhHGrI5JLz10irjz6hMu4LOUNGWeDO2O -zerI -=B0uR +9n7dCClfYEv/ABEBAAGJBHIEGAEKACYCGwIWIQSkkND00xGkFT4rt8rbuAKyWKzY 
+TwUCXZyHDwUJA/XDUwJAwXQgBBkBCgAdFiEE/gKctKrUeI4deCjoqLD05FsbUOIF +AluH9zsACgkQqLD05FsbUOI+Ww//dJb3l4U6ad74M1hE60bM9tqfc0JjYiRgxplm +BvY++2eFEVN6QJqL9bSJ6a5466k9s1V1qmQcANT6Q7ZGacmyHD5qApX+oOxbGV0h +ppMiJEgq/nIINXe80wVpn8lzFMDtotT6ZZg2ZYvR2IhZUWpLrb/U1Oam7YDSbAE2 +c1UKE4f5HwACA4hzltzVxVpfoZMidskxy4EVHe6nOI7SjipIQTIzqdBU3MzwSNuL +STU5W1OgXzegnyftJxpXGnwkZ4dhfEsFD+3OEhozwqIhCjcC7vmGZXApO3agDWzD +Jni4G+22aTwPN27KhoLCZaMLnnpwYCG6sOsHZ7lGzgKvM1upAFpYykj/73brv2X9 +mDkjDWY5TqpuJ1yIuLvRmRnNthRXtFdlTpdQoOjnhagQ5HeOYamblBNjtdJjlkU+ +cBe3xKj5gv8ytELedzCUpHYtEtrfanK1PHdr8CZrwdZrJJ2dHt1VBiWMxm42eIPU +VGMGIle7929EozIlC/aZTXmb7/ACLC4obvRDgLOTFFkW/9jXzhTnsZXHvKJHmbk6 +D9VZGJ3a6ejVD7xeteTJ/nJhIRdoDQFSWaW1GqK4yXicRrIqPuS8/0BRVSS/k1uI +U64XtVEyLaFp+JR8ijAz19PJX60IHGT7+fHg72kzrRNLGjxNFBik0neNM3dZuUx8 +4ny8rbIJENu4ArJYrNhP5GYP/AvzdcT6Z8F9qmH1y4WN3fjfqyJcL6rBMNUSQI4z +OhGXJV3NncONmu3gitfkwx8+GA0ieGR7DwS7wSZZRj331vnU67AKqDgxXegF0pfv +DxAuPH06hC9kYHIZJlP4tqvaJNTgUXwdGE88lihhEK6ZpJhj19IYLim72UbaPHWr +WJLKh1V+dUacCTrzvW/Y+U6hHX5gmMN4zXGoLwVQHynwh2yaCraiNcQnpYZCt95I ++xpO0dlF83rcsJab94hmxjmkZG3joih3bCzH+AoUzJ/LjcOjsaULiwgkfig+FE5i +N5OmaBXYRo+AZ8ujAldexvO0fHFawSd2DyU4igN35OVcZmulUoTegDaPDTvSStFO +1deWAP7BtkNFPPJ91BX+GhT6An6hTOI2GTfn45Rbk40n5nqYFqIRsF1p+PdxAGHJ +lu5Hsd37F1Yz7tmN0M/lK7IVsS25+E8ld/mwvuQYCreO0YuveV9HcyB+94GQ24MI +DsJQdNzHFIuxw1PktV33+YTu8qX05x3IgPrkRndq4u4BXRhtcONT52CoPQSlxiaD +QuUDwwJQVA2YHJxWFkSKkbUEOGAQZLm256uGToMMllaDM0jlmZVbP/Trwn/4D2JM +nmSMb56qXS5EANtrvBWB4dw70BHF01qnreMNkMmoF6YNf+8ru9L0V0TlAgaSKb9H +kP8+ +=KGfa -----END PGP PUBLIC KEY BLOCK----- From ed3602f0ba62ccdb806cda5a5a055bbc386c2185 Mon Sep 17 00:00:00 2001 
From: Francis Lam Date: Thu, 16 Jan 2020 09:36:42 -0800 Subject: [PATCH 077/189] modules: maintain reproducibility by removing rpath
---
 modules/libgcrypt | 3 +- patches/cryptsetup-1.7.3.patch | 512 ++++++++++++++++++++++++++++++++- patches/libassuan-2.5.1.patch | 176 ++++++++++++ patches/libgcrypt-1.8.3.patch | 176 ++++++++++++ patches/libksba-1.3.5.patch | 181 +++++++++++- 5 files changed, 1041 insertions(+), 7 deletions(-) create mode 100644 patches/libassuan-2.5.1.patch create mode 100644 patches/libgcrypt-1.8.3.patch
diff --git a/modules/libgcrypt b/modules/libgcrypt
index aa7e1ef8e..1ba82fceb 100644
--- a/modules/libgcrypt
+++ b/modules/libgcrypt
@@ -12,8 +12,7 @@ libgcrypt_configure := ./configure \
 --disable-static \
 --with-libgpg-error-prefix="$(INSTALL)" \
 --disable-asm \
- --disable-nls \
-
+
 libgcrypt_target := $(MAKE_JOBS) \
 DESTDIR="$(INSTALL)" \
 $(CROSS_TOOLS) \
diff --git a/patches/cryptsetup-1.7.3.patch b/patches/cryptsetup-1.7.3.patch
index c36d36fd8..be7350d85 100644
--- a/patches/cryptsetup-1.7.3.patch
+++ b/patches/cryptsetup-1.7.3.patch
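Review bot: In the modules/libgcrypt hunk, `--disable-nls` is dropped from `libgcrypt_configure`, which the commit subject (rpath removal) does not cover; without it configure may enable NLS when it finds gettext on the build host, which would make the output depend on the host. The option list also still ends with a continuation, `--disable-asm \`, so the assignment terminates only because the following line is blank, and removing that line later would pull `libgcrypt_target := …` into the configure arguments. I would keep the option and end the list without a trailing backslash: `--disable-asm \` followed by `--disable-nls`. The `libgcrypt_configure` definition starts above the hunk.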
@@ -1,6 +1,512 @@ -diff -u --recursive ../../clean/cryptsetup-1.7.3/src/Makefile.in ./cryptsetup-1.7.3/src/Makefile.in ---- ../../clean/cryptsetup-1.7.3/src/Makefile.in 2016-10-28 09:45:06.000000000 -0400 -+++ cryptsetup-1.7.3/src/Makefile.in 2017-01-27 17:24:13.115962328 -0500 +diff -u -r cryptsetup-1.7.3-clean/configure cryptsetup-1.7.3/configure +--- cryptsetup-1.7.3-clean/configure 2016-10-28 06:45:06.000000000 -0700 ++++ cryptsetup-1.7.3/configure 2020-01-12 14:12:13.835035728 -0800 +@@ -10113,7 +10113,7 @@ + hardcode_automatic=no + hardcode_direct=no + hardcode_direct_absolute=no +- hardcode_libdir_flag_spec= ++ hardcode_libdir_flag_spec=" " + hardcode_libdir_separator= + hardcode_minus_L=no + hardcode_shlibpath_var=unsupported +@@ -10197,7 +10197,7 @@ + # are reset later if shared libraries are not supported. Putting them + # here allows them to be overridden if necessary. + runpath_var=LD_RUN_PATH +- hardcode_libdir_flag_spec='$wl-rpath $wl$libdir' ++ hardcode_libdir_flag_spec=" " + export_dynamic_flag_spec='$wl--export-dynamic' + # ancient GNU ld didn't support --whole-archive et. al. + if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then +@@ -10243,7 +10243,7 @@ + ;; + m68k) + archive_cmds='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' +- hardcode_libdir_flag_spec='-L$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_minus_L=yes + ;; + esac +@@ -10263,7 +10263,7 @@ + cygwin* | mingw* | pw32* | cegcc*) + # _LT_TAGVAR(hardcode_libdir_flag_spec, ) is actually meaningless, + # as there is no search path for DLLs. 
+- hardcode_libdir_flag_spec='-L$libdir' ++ hardcode_libdir_flag_spec=" " + export_dynamic_flag_spec='$wl--export-all-symbols' + allow_undefined_flag=unsupported + always_export_symbols=no +@@ -10293,7 +10293,7 @@ + ;; + + os2*) +- hardcode_libdir_flag_spec='-L$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_minus_L=yes + allow_undefined_flag=unsupported + shrext_cmds=.dll +@@ -10323,7 +10323,7 @@ + interix[3-9]*) + hardcode_direct=no + hardcode_shlibpath_var=no +- hardcode_libdir_flag_spec='$wl-rpath,$libdir' ++ hardcode_libdir_flag_spec=" " + export_dynamic_flag_spec='$wl-E' + # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc. + # Instead, shared libraries are loaded at an image base (0x10000000 by +@@ -10399,7 +10399,7 @@ + xlf* | bgf* | bgxlf* | mpixlf*) + # IBM XL Fortran 10.1 on PPC cannot create shared libs itself + whole_archive_flag_spec='--whole-archive$convenience --no-whole-archive' +- hardcode_libdir_flag_spec='$wl-rpath $wl$libdir' ++ hardcode_libdir_flag_spec=" " + archive_cmds='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib' + if test yes = "$supports_anon_versioning"; then + archive_expsym_cmds='echo "{ global:" > $output_objdir/$libname.ver~ +@@ -10466,7 +10466,7 @@ + # DT_RUNPATH tag from executables and libraries. But doing so + # requires that you compile everything twice, which is a pain. 
+ if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then +- hardcode_libdir_flag_spec='$wl-rpath $wl$libdir' ++ hardcode_libdir_flag_spec=" " + archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib' + archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib' + else +@@ -10495,7 +10495,7 @@ + + if test no = "$ld_shlibs"; then + runpath_var= +- hardcode_libdir_flag_spec= ++ hardcode_libdir_flag_spec=" " + export_dynamic_flag_spec= + whole_archive_flag_spec= + fi +@@ -10613,7 +10613,7 @@ + # path is not listed in the libpath. Setting hardcode_minus_L + # to unsupported forces relinking + hardcode_minus_L=yes +- hardcode_libdir_flag_spec='-L$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_libdir_separator= + fi + ;; +@@ -10697,11 +10697,11 @@ + aix_libpath=$lt_cv_aix_libpath_ + fi + +- hardcode_libdir_flag_spec='$wl-blibpath:$libdir:'"$aix_libpath" ++ hardcode_libdir_flag_spec=" " + archive_expsym_cmds='$CC -o $output_objdir/$soname $libobjs $deplibs $wl'$no_entry_flag' $compiler_flags `if test -n "$allow_undefined_flag"; then func_echo_all "$wl$allow_undefined_flag"; else :; fi` $wl'$exp_sym_flag:\$export_symbols' '$shared_flag + else + if test ia64 = "$host_cpu"; then +- hardcode_libdir_flag_spec='$wl-R $libdir:/usr/lib:/lib' ++ hardcode_libdir_flag_spec=" " + allow_undefined_flag="-z nodefs" + archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\$wl$no_entry_flag"' $compiler_flags $wl$allow_undefined_flag '"\$wl$exp_sym_flag:\$export_symbols" + else +@@ -10750,7 +10750,7 @@ + aix_libpath=$lt_cv_aix_libpath_ + fi + +- hardcode_libdir_flag_spec='$wl-blibpath:$libdir:'"$aix_libpath" ++ hardcode_libdir_flag_spec=" " + # Warning - without using the other run time loading flags, + # -berok will link without error, but may produce a broken library. 
+ no_undefined_flag=' $wl-bernotok' +@@ -10790,7 +10790,7 @@ + ;; + m68k) + archive_cmds='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' +- hardcode_libdir_flag_spec='-L$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_minus_L=yes + ;; + esac +@@ -10808,7 +10808,7 @@ + case $cc_basename in + cl*) + # Native MSVC +- hardcode_libdir_flag_spec=' ' ++ hardcode_libdir_flag_spec=" " + allow_undefined_flag=unsupported + always_export_symbols=yes + file_list_spec='@' +@@ -10849,7 +10849,7 @@ + ;; + *) + # Assume MSVC wrapper +- hardcode_libdir_flag_spec=' ' ++ hardcode_libdir_flag_spec=" " + allow_undefined_flag=unsupported + # Tell ltmain to make .lib files, not .a files. + libext=lib +@@ -10900,7 +10900,7 @@ + + dgux*) + archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' +- hardcode_libdir_flag_spec='-L$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_shlibpath_var=no + ;; + +@@ -10910,7 +10910,7 @@ + # extra space). + freebsd2.2*) + archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o' +- hardcode_libdir_flag_spec='-R$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_direct=yes + hardcode_shlibpath_var=no + ;; +@@ -10926,7 +10926,7 @@ + # FreeBSD 3 and greater uses gcc -shared to do shared libraries. 
+ freebsd* | dragonfly*) + archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' +- hardcode_libdir_flag_spec='-R$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_direct=yes + hardcode_shlibpath_var=no + ;; +@@ -10937,7 +10937,7 @@ + else + archive_cmds='$RM $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test "x$output_objdir/$soname" = "x$lib" || mv $output_objdir/$soname $lib' + fi +- hardcode_libdir_flag_spec='$wl+b $wl$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_libdir_separator=: + hardcode_direct=yes + +@@ -10954,7 +10954,7 @@ + archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags' + fi + if test no = "$with_gnu_ld"; then +- hardcode_libdir_flag_spec='$wl+b $wl$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_libdir_separator=: + hardcode_direct=yes + hardcode_direct_absolute=yes +@@ -11031,7 +11031,7 @@ + esac + fi + if test no = "$with_gnu_ld"; then +- hardcode_libdir_flag_spec='$wl+b $wl$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_libdir_separator=: + + case $host_cpu in +@@ -11090,7 +11090,7 @@ + archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -exports_file $export_symbols -o $lib' + fi + archive_cmds_need_lc='no' +- hardcode_libdir_flag_spec='$wl-rpath $wl$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_libdir_separator=: + inherit_rpath=yes + link_all_deplibs=yes +@@ -11112,7 +11112,7 @@ + else + archive_cmds='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF + fi +- hardcode_libdir_flag_spec='-R$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_direct=yes + hardcode_shlibpath_var=no + ;; +@@ -11120,7 +11120,7 @@ + newsos6) + archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + hardcode_direct=yes +- 
hardcode_libdir_flag_spec='$wl-rpath $wl$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_libdir_separator=: + hardcode_shlibpath_var=no + ;; +@@ -11136,11 +11136,11 @@ + if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`"; then + archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' + archive_expsym_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags $wl-retain-symbols-file,$export_symbols' +- hardcode_libdir_flag_spec='$wl-rpath,$libdir' ++ hardcode_libdir_flag_spec=" " + export_dynamic_flag_spec='$wl-E' + else + archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' +- hardcode_libdir_flag_spec='$wl-rpath,$libdir' ++ hardcode_libdir_flag_spec=" " + fi + else + ld_shlibs=no +@@ -11148,7 +11148,7 @@ + ;; + + os2*) +- hardcode_libdir_flag_spec='-L$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_minus_L=yes + allow_undefined_flag=unsupported + shrext_cmds=.dll +@@ -11184,7 +11184,7 @@ + archive_cmds='$CC -shared$allow_undefined_flag $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib' + fi + archive_cmds_need_lc='no' +- hardcode_libdir_flag_spec='$wl-rpath $wl$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_libdir_separator=: + ;; + +@@ -11192,7 +11192,7 @@ + if test yes = "$GCC"; then + allow_undefined_flag=' $wl-expect_unresolved $wl\*' + archive_cmds='$CC -shared$allow_undefined_flag $pic_flag $libobjs $deplibs $compiler_flags $wl-msym $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations -o $lib' +- hardcode_libdir_flag_spec='$wl-rpath $wl$libdir' ++ hardcode_libdir_flag_spec=" " + else + allow_undefined_flag=' -expect_unresolved \*' + archive_cmds='$CC -shared$allow_undefined_flag $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all 
"-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib' +@@ -11200,7 +11200,7 @@ + $CC -shared$allow_undefined_flag $wl-input $wl$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib~$RM $lib.exp' + + # Both c and cxx compiler support -rpath directly +- hardcode_libdir_flag_spec='-rpath $libdir' ++ hardcode_libdir_flag_spec=" " + fi + archive_cmds_need_lc='no' + hardcode_libdir_separator=: +@@ -11229,7 +11229,7 @@ + ;; + esac + fi +- hardcode_libdir_flag_spec='-R$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_shlibpath_var=no + case $host_os in + solaris2.[0-5] | solaris2.[0-5].*) ;; +@@ -11256,7 +11256,7 @@ + else + archive_cmds='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags' + fi +- hardcode_libdir_flag_spec='-L$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_direct=yes + hardcode_minus_L=yes + hardcode_shlibpath_var=no +@@ -11326,7 +11326,7 @@ + allow_undefined_flag='$wl-z,nodefs' + archive_cmds_need_lc=no + hardcode_shlibpath_var=no +- hardcode_libdir_flag_spec='$wl-R,$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_libdir_separator=':' + link_all_deplibs=yes + export_dynamic_flag_spec='$wl-Bexport' +@@ -11343,7 +11343,7 @@ + + uts4*) + archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' +- hardcode_libdir_flag_spec='-L$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_shlibpath_var=no + ;; + +@@ -11711,7 +11711,7 @@ + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + if test ia64 = "$host_cpu"; then + # AIX 5 supports IA64 + library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext' +@@ -12001,16 +12001,16 @@ + ;; + freebsd3.[01]* | freebsdelf3.[01]*) + shlibpath_overrides_runpath=yes +- 
hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + freebsd3.[2-9]* | freebsdelf3.[2-9]* | \ + freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1) + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + *) # from 4.6 on, and DragonFly + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + esac + ;; +@@ -12025,7 +12025,7 @@ + shlibpath_var=LIBRARY_PATH + shlibpath_overrides_runpath=no + sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + hpux9* | hpux10* | hpux11*) +@@ -12037,7 +12037,7 @@ + case $host_cpu in + ia64*) + shrext_cmds='.so' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker="$host_os dld.so" + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. +@@ -12053,7 +12053,7 @@ + ;; + hppa*64*) + shrext_cmds='.sl' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker="$host_os dld.sl" + shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. +@@ -12086,7 +12086,7 @@ + dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + irix5* | irix6* | nonstopux*) +@@ -12123,7 +12123,7 @@ + shlibpath_overrides_runpath=no + sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff" + sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff" +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + # No shared lib support for Linux oldld, aout, or coff. +@@ -12144,11 +12144,11 @@ + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. 
+- hardcode_into_libs=yes ++ hardcode_into_libs=no + + dynamic_linker='Android linker' + # Don't embed -rpath directories since the linker doesn't support them. +- hardcode_libdir_flag_spec='-L$libdir' ++ hardcode_libdir_flag_spec=" " + ;; + + # This must be glibc/ELF. +@@ -12199,7 +12199,7 @@ + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. +- hardcode_into_libs=yes ++ hardcode_into_libs=no + + # Ideally, we could use ldconfig to report *all* directores which are + # searched for libraries, however this is still not possible. Aside from not +@@ -12229,7 +12229,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker='NetBSD ld.elf_so' + ;; + +@@ -12248,7 +12248,7 @@ + fi + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + newsos6) +@@ -12266,7 +12266,7 @@ + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker='ldqnx.so' + ;; + +@@ -12338,7 +12338,7 @@ + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + # ldd complains unless libraries are executable + postinstall_cmds='chmod +x $lib' + ;; +@@ -12395,7 +12395,7 @@ + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + if test yes = "$with_gnu_ld"; then + sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' + else +@@ -12417,7 +12417,7 @@ + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major 
$libname$shared_ext' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + uts4*) +@@ -14964,7 +14964,7 @@ + wl="$acl_cv_wl" + libext="$acl_cv_libext" + shlibext="$acl_cv_shlibext" +- hardcode_libdir_flag_spec="$acl_cv_hardcode_libdir_flag_spec" ++ hardcode_libdir_flag_spec=" " + hardcode_libdir_separator="$acl_cv_hardcode_libdir_separator" + hardcode_direct="$acl_cv_hardcode_direct" + hardcode_minus_L="$acl_cv_hardcode_minus_L" +@@ -19683,7 +19683,7 @@ + with_gnu_ld='`$ECHO "$with_gnu_ld" | $SED "$delay_single_quote_subst"`' + allow_undefined_flag='`$ECHO "$allow_undefined_flag" | $SED "$delay_single_quote_subst"`' + no_undefined_flag='`$ECHO "$no_undefined_flag" | $SED "$delay_single_quote_subst"`' +-hardcode_libdir_flag_spec='`$ECHO "$hardcode_libdir_flag_spec" | $SED "$delay_single_quote_subst"`' ++hardcode_libdir_flag_spec=" " + hardcode_libdir_separator='`$ECHO "$hardcode_libdir_separator" | $SED "$delay_single_quote_subst"`' + hardcode_direct='`$ECHO "$hardcode_direct" | $SED "$delay_single_quote_subst"`' + hardcode_direct_absolute='`$ECHO "$hardcode_direct_absolute" | $SED "$delay_single_quote_subst"`' +@@ -19714,7 +19714,7 @@ + postuninstall_cmds='`$ECHO "$postuninstall_cmds" | $SED "$delay_single_quote_subst"`' + finish_cmds='`$ECHO "$finish_cmds" | $SED "$delay_single_quote_subst"`' + finish_eval='`$ECHO "$finish_eval" | $SED "$delay_single_quote_subst"`' +-hardcode_into_libs='`$ECHO "$hardcode_into_libs" | $SED "$delay_single_quote_subst"`' ++hardcode_into_libs=no + sys_lib_search_path_spec='`$ECHO "$sys_lib_search_path_spec" | $SED "$delay_single_quote_subst"`' + configure_time_dlsearch_path='`$ECHO "$configure_time_dlsearch_path" | $SED "$delay_single_quote_subst"`' + configure_time_lt_sys_library_path='`$ECHO "$configure_time_lt_sys_library_path" | $SED "$delay_single_quote_subst"`' +@@ -20877,7 +20877,7 @@ + finish_eval=$lt_finish_eval + + # Whether we should hardcode library 
paths into libraries. +-hardcode_into_libs=$hardcode_into_libs ++hardcode_into_libs=no + + # Compile-time system search path for libraries. + sys_lib_search_path_spec=$lt_sys_lib_search_path_spec +@@ -20974,7 +20974,7 @@ + + # Flag to hardcode \$libdir into a binary during linking. + # This must work even if \$libdir does not exist +-hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec ++hardcode_libdir_flag_spec=" " + + # Whether we need a single "-rpath" flag with a separated argument. + hardcode_libdir_separator=$lt_hardcode_libdir_separator +diff -u -r cryptsetup-1.7.3-clean/src/Makefile.in cryptsetup-1.7.3/src/Makefile.in +--- cryptsetup-1.7.3-clean/src/Makefile.in 2016-10-28 06:45:06.000000000 -0700 ++++ cryptsetup-1.7.3/src/Makefile.in 2020-01-12 13:42:22.744734385 -0800 @@ -479,6 +479,8 @@ cryptsetup_LDADD = \ $(top_builddir)/lib/libcryptsetup.la \ diff --git a/patches/libassuan-2.5.1.patch b/patches/libassuan-2.5.1.patch new file mode 100644 index 000000000..ff27dbd27 --- /dev/null +++ b/patches/libassuan-2.5.1.patch 
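Review bot: Nothing added by this commit checks the built objects for an RPATH or RUNPATH entry, although the cryptsetup patch rewrites `hardcode_libdir_flag_spec` and `hardcode_into_libs` in every platform branch of the generated `configure` to get that result. A check after the install step, such as `readelf -d "$f" | grep -Eq 'RPATH|RUNPATH' && exit 1` over the installed binaries and libraries, would catch a regression when the tarball or its bundled libtool changes. The coverage is also uneven: the libassuan-2.5.1 patch later in this commit only sets `hardcode_into_libs=no` and leaves `hardcode_libdir_flag_spec` as generated (libgcrypt-1.8.3 looks the same as far as it is visible), so programs linked through libtool in those packages may still receive an rpath flag. Either apply the same two overrides in all of the patches or state in the commit message why the library-only setting is enough there.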
@@ -0,0 +1,176 @@ +diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure +--- libassuan-2.5.1-clean/configure 2017-12-07 06:55:50.000000000 -0800 ++++ libassuan-2.5.1/configure 2020-01-12 13:39:50.655638965 -0800 +@@ -10781,7 +10781,7 @@ + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + if test "$host_cpu" = ia64; then + # AIX 5 supports IA64 + library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}' +@@ -11020,16 +11020,16 @@ + ;; + freebsd3.[01]* | freebsdelf3.[01]*) + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + freebsd3.[2-9]* | freebsdelf3.[2-9]* | \ + freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1) + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + *) # from 4.6 on, and DragonFly + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + esac + ;; +@@ -11042,7 +11042,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + haiku*) +@@ -11055,7 +11055,7 @@ + shlibpath_var=LIBRARY_PATH + shlibpath_overrides_runpath=yes + sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + hpux9* | hpux10* | hpux11*) +@@ -11067,7 +11067,7 @@ + case $host_cpu in + ia64*) + shrext_cmds='.so' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker="$host_os dld.so" + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. 
+@@ -11082,7 +11082,7 @@ + ;; + hppa*64*) + shrext_cmds='.sl' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker="$host_os dld.sl" + shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. +@@ -11115,7 +11115,7 @@ + dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + irix5* | irix6* | nonstopux*) +@@ -11152,7 +11152,7 @@ + shlibpath_overrides_runpath=no + sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}" + sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}" +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + # No shared lib support for Linux oldld, aout, or coff. +@@ -11173,7 +11173,7 @@ + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. +- hardcode_into_libs=yes ++ hardcode_into_libs=no + + dynamic_linker='Android linker' + # Don't embed -rpath directories since the linker doesn't support them. +@@ -11228,7 +11228,7 @@ + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. 
+- hardcode_into_libs=yes ++ hardcode_into_libs=no + + # Append ld.so.conf contents to the search path + if test -f /etc/ld.so.conf; then +@@ -11253,7 +11253,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker='NetBSD ld.elf_so' + ;; + +@@ -11272,7 +11272,7 @@ + fi + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + newsos6) +@@ -11290,7 +11290,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker='ldqnx.so' + ;; + +@@ -11352,7 +11352,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + # ldd complains unless libraries are executable + postinstall_cmds='chmod +x $lib' + ;; +@@ -11409,7 +11409,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + if test "$with_gnu_ld" = yes; then + sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' + else +@@ -11431,7 +11431,7 @@ + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + uts4*) +@@ -15680,7 +15680,7 @@ + postuninstall_cmds='`$ECHO "$postuninstall_cmds" | $SED "$delay_single_quote_subst"`' + finish_cmds='`$ECHO "$finish_cmds" | $SED "$delay_single_quote_subst"`' + finish_eval='`$ECHO "$finish_eval" | $SED "$delay_single_quote_subst"`' +-hardcode_into_libs='`$ECHO "$hardcode_into_libs" | $SED 
"$delay_single_quote_subst"`' ++hardcode_into_libs=no + sys_lib_search_path_spec='`$ECHO "$sys_lib_search_path_spec" | $SED "$delay_single_quote_subst"`' + sys_lib_dlsearch_path_spec='`$ECHO "$sys_lib_dlsearch_path_spec" | $SED "$delay_single_quote_subst"`' + hardcode_action='`$ECHO "$hardcode_action" | $SED "$delay_single_quote_subst"`' +@@ -16896,7 +16896,7 @@ + finish_eval=$lt_finish_eval + + # Whether we should hardcode library paths into libraries. +-hardcode_into_libs=$hardcode_into_libs ++hardcode_into_libs=no + + # Compile-time system search path for libraries. + sys_lib_search_path_spec=$lt_sys_lib_search_path_spec diff --git a/patches/libgcrypt-1.8.3.patch b/patches/libgcrypt-1.8.3.patch new file mode 100644 index 000000000..902d96ec2 --- /dev/null +++ b/patches/libgcrypt-1.8.3.patch 
@@ -0,0 +1,176 @@ +diff -u -r libgcrypt-1.8.3-clean/configure libgcrypt-1.8.3/configure +--- libgcrypt-1.8.3-clean/configure 2018-06-13 00:39:33.000000000 -0700 ++++ libgcrypt-1.8.3/configure 2020-01-12 13:32:34.840010800 -0800 +@@ -11292,7 +11292,7 @@ + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + if test "$host_cpu" = ia64; then + # AIX 5 supports IA64 + library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}' +@@ -11531,16 +11531,16 @@ + ;; + freebsd3.[01]* | freebsdelf3.[01]*) + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + freebsd3.[2-9]* | freebsdelf3.[2-9]* | \ + freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1) + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + *) # from 4.6 on, and DragonFly + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + esac + ;; +@@ -11553,7 +11553,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + haiku*) +@@ -11566,7 +11566,7 @@ + shlibpath_var=LIBRARY_PATH + shlibpath_overrides_runpath=yes + sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + hpux9* | hpux10* | hpux11*) +@@ -11578,7 +11578,7 @@ + case $host_cpu in + ia64*) + shrext_cmds='.so' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker="$host_os dld.so" + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. 
+@@ -11593,7 +11593,7 @@ + ;; + hppa*64*) + shrext_cmds='.sl' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker="$host_os dld.sl" + shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. +@@ -11626,7 +11626,7 @@ + dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + irix5* | irix6* | nonstopux*) +@@ -11663,7 +11663,7 @@ + shlibpath_overrides_runpath=no + sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}" + sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}" +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + # No shared lib support for Linux oldld, aout, or coff. +@@ -11684,7 +11684,7 @@ + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. +- hardcode_into_libs=yes ++ hardcode_into_libs=no + + dynamic_linker='Android linker' + # Don't embed -rpath directories since the linker doesn't support them. +@@ -11739,7 +11739,7 @@ + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. 
+- hardcode_into_libs=yes ++ hardcode_into_libs=no + + # Append ld.so.conf contents to the search path + if test -f /etc/ld.so.conf; then +@@ -11764,7 +11764,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker='NetBSD ld.elf_so' + ;; + +@@ -11783,7 +11783,7 @@ + fi + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + newsos6) +@@ -11801,7 +11801,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker='ldqnx.so' + ;; + +@@ -11863,7 +11863,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + # ldd complains unless libraries are executable + postinstall_cmds='chmod +x $lib' + ;; +@@ -11920,7 +11920,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + if test "$with_gnu_ld" = yes; then + sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' + else +@@ -11942,7 +11942,7 @@ + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + uts4*) +@@ -19824,7 +19824,7 @@ + postuninstall_cmds='`$ECHO "$postuninstall_cmds" | $SED "$delay_single_quote_subst"`' + finish_cmds='`$ECHO "$finish_cmds" | $SED "$delay_single_quote_subst"`' + finish_eval='`$ECHO "$finish_eval" | $SED "$delay_single_quote_subst"`' +-hardcode_into_libs='`$ECHO "$hardcode_into_libs" | $SED 
"$delay_single_quote_subst"`' ++hardcode_into_libs=no + sys_lib_search_path_spec='`$ECHO "$sys_lib_search_path_spec" | $SED "$delay_single_quote_subst"`' + sys_lib_dlsearch_path_spec='`$ECHO "$sys_lib_dlsearch_path_spec" | $SED "$delay_single_quote_subst"`' + hardcode_action='`$ECHO "$hardcode_action" | $SED "$delay_single_quote_subst"`' +@@ -21088,7 +21088,7 @@ + finish_eval=$lt_finish_eval + + # Whether we should hardcode library paths into libraries. +-hardcode_into_libs=$hardcode_into_libs ++hardcode_into_libs=no + + # Compile-time system search path for libraries. + sys_lib_search_path_spec=$lt_sys_lib_search_path_spec diff --git a/patches/libksba-1.3.5.patch b/patches/libksba-1.3.5.patch index 13fa7be47..8c1ee16e9 100644 --- a/patches/libksba-1.3.5.patch +++ b/patches/libksba-1.3.5.patch 
@@ -1,5 +1,182 @@ ---- clean/libksba-1.3.5/src/asn1-gentables.c 2016-08-22 11:38:21.000000000 +0200 -+++ libksba-1.3.5/src/asn1-gentables.c 2020-01-08 10:00:27.297737650 +0100 +diff -u -r libksba-1.3.5-clean/configure libksba-1.3.5/configure +--- libksba-1.3.5-clean/configure 2016-08-22 02:56:54.000000000 -0700 ++++ libksba-1.3.5/configure 2020-01-12 13:34:53.557259138 -0800 +@@ -10734,7 +10734,7 @@ + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + if test "$host_cpu" = ia64; then + # AIX 5 supports IA64 + library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}' +@@ -10973,16 +10973,16 @@ + ;; + freebsd3.[01]* | freebsdelf3.[01]*) + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + freebsd3.[2-9]* | freebsdelf3.[2-9]* | \ + freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1) + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + *) # from 4.6 on, and DragonFly + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + esac + ;; +@@ -10995,7 +10995,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + haiku*) +@@ -11008,7 +11008,7 @@ + shlibpath_var=LIBRARY_PATH + shlibpath_overrides_runpath=yes + sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + hpux9* | hpux10* | hpux11*) +@@ -11020,7 +11020,7 @@ + case $host_cpu in + ia64*) + shrext_cmds='.so' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker="$host_os dld.so" + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. 
+@@ -11035,7 +11035,7 @@ + ;; + hppa*64*) + shrext_cmds='.sl' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker="$host_os dld.sl" + shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. +@@ -11068,7 +11068,7 @@ + dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + irix5* | irix6* | nonstopux*) +@@ -11105,7 +11105,7 @@ + shlibpath_overrides_runpath=no + sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}" + sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}" +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + # No shared lib support for Linux oldld, aout, or coff. +@@ -11126,7 +11126,7 @@ + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. +- hardcode_into_libs=yes ++ hardcode_into_libs=no + + dynamic_linker='Android linker' + # Don't embed -rpath directories since the linker doesn't support them. +@@ -11181,7 +11181,7 @@ + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. 
+- hardcode_into_libs=yes ++ hardcode_into_libs=no + + # Append ld.so.conf contents to the search path + if test -f /etc/ld.so.conf; then +@@ -11206,7 +11206,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker='NetBSD ld.elf_so' + ;; + +@@ -11225,7 +11225,7 @@ + fi + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + newsos6) +@@ -11243,7 +11243,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker='ldqnx.so' + ;; + +@@ -11305,7 +11305,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + # ldd complains unless libraries are executable + postinstall_cmds='chmod +x $lib' + ;; +@@ -11362,7 +11362,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + if test "$with_gnu_ld" = yes; then + sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' + else +@@ -11384,7 +11384,7 @@ + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + uts4*) +@@ -15804,7 +15804,7 @@ + postuninstall_cmds='`$ECHO "$postuninstall_cmds" | $SED "$delay_single_quote_subst"`' + finish_cmds='`$ECHO "$finish_cmds" | $SED "$delay_single_quote_subst"`' + finish_eval='`$ECHO "$finish_eval" | $SED "$delay_single_quote_subst"`' +-hardcode_into_libs='`$ECHO "$hardcode_into_libs" | $SED 
"$delay_single_quote_subst"`' ++hardcode_into_libs=no + sys_lib_search_path_spec='`$ECHO "$sys_lib_search_path_spec" | $SED "$delay_single_quote_subst"`' + sys_lib_dlsearch_path_spec='`$ECHO "$sys_lib_dlsearch_path_spec" | $SED "$delay_single_quote_subst"`' + hardcode_action='`$ECHO "$hardcode_action" | $SED "$delay_single_quote_subst"`' +@@ -17021,7 +17021,7 @@ + finish_eval=$lt_finish_eval + + # Whether we should hardcode library paths into libraries. +-hardcode_into_libs=$hardcode_into_libs ++hardcode_into_libs=no + + # Compile-time system search path for libraries. + sys_lib_search_path_spec=$lt_sys_lib_search_path_spec +diff -u -r libksba-1.3.5-clean/src/asn1-gentables.c libksba-1.3.5/src/asn1-gentables.c +--- libksba-1.3.5-clean/src/asn1-gentables.c 2016-08-22 02:38:21.000000000 -0700 ++++ libksba-1.3.5/src/asn1-gentables.c 2020-01-12 13:34:45.877191990 -0800 @@ -109,10 +109,17 @@ static int cmp_string (const void *aptr, const void *bptr) From ad2395d3db59668779cc0d303fd1cbea0cdaa330 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Tue, 21 Jan 2020 21:43:56 -0600 Subject: [PATCH 078/189] libremkey-hotp-verification: toolchain adjustments Pass through new toolchain path via $(CROSS) so we can set the c/c++ compiler paths correctly for CMake. Adjust patch to use new paths, and fix compiler/linker paths to correct a libusb linking issue. Signed-off-by: Matt DeVillier --- modules/libremkey-hotp-verification | 1 + patches/libremkey-hotp-verification.patch | 17 +++++++++++++---- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/modules/libremkey-hotp-verification b/modules/libremkey-hotp-verification index c9b9d45ab..c8339df41 100644 --- a/modules/libremkey-hotp-verification +++ b/modules/libremkey-hotp-verification @@ -16,4 +16,5 @@ libremkey-hotp-verification_output := \ libremkey-hotp-verification_configure := \ INSTALL="$(INSTALL)" \ + CROSS="$(CROSS)" \ cmake -DCMAKE_TOOLCHAIN_FILE=./Toolchain-heads.cmake -DCMAKE_AR="$(CROSS)ar" . 
diff --git a/patches/libremkey-hotp-verification.patch b/patches/libremkey-hotp-verification.patch index c2b5dfeae..5f058f22d 100644 --- a/patches/libremkey-hotp-verification.patch +++ b/patches/libremkey-hotp-verification.patch @@ -1,15 +1,24 @@ --- nitrokey-hotp-verification-a/Toolchain-heads.cmake 2018-05-22 09:55:46.907209235 -0700 +++ nitrokey-hotp-verification-b/Toolchain-heads.cmake 2018-05-22 09:55:26.659371966 -0700 -@@ -0,0 +1,18 @@ +@@ -0,0 +1,27 @@ +SET(CMAKE_SYSTEM_NAME Linux) +SET(CMAKE_SYSTEM_VERSION 1) + +# Specify the cross compiler -+SET(CMAKE_C_COMPILER $ENV{INSTALL}/bin/musl-gcc) -+SET(CMAKE_CXX_COMPILER $ENV{INSTALL}/bin/musl-gcc) ++SET(CMAKE_C_COMPILER $ENV{CROSS}gcc) ++SET(CMAKE_CXX_COMPILER $ENV{CROSS}gcc) ++ ++#sysroot location ++set(MYSYSROOT $ENV{INSTALL}) ++ ++# compiler/linker flags ++set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE) ++set(CMAKE_C_LINK_FLAGS "${CMAKE_C_LINK_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE) ++set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE) ++set(CMAKE_CXX_LINK_FLAGS "${CMAKE_CXX_LINK_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE) + +# Where is the target environment -+SET(CMAKE_FIND_ROOT_PATH $ENV{INSTALL}) ++SET(CMAKE_FIND_ROOT_PATH "${MYSYSROOT}") + +# Search for programs only in the build host directories +SET(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER) From a3bbdbab540386317596a2ac7124c85a9523b843 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Tue, 26 Nov 2019 17:52:57 -0600 Subject: [PATCH 079/189] blobs/librem*: update hashes for FSP and VBT Update hashes of coreboot images, releases repo, FSP blobs, and VBT file. Updated VBT from coreboot 4.11 release eliminates flickering on some 13v4/15v4 displays. Signed-off-by: Matt DeVillier --- blobs/librem_kbl/get_blobs.sh | 10 +++++----- blobs/librem_skl/get_blobs.sh | 14 +++++++------- 2 files changed, 12 insertions(+), 12 deletions(-) 
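Review bot: `SET(CMAKE_C_COMPILER $ENV{CROSS}gcc)` and the matching `CMAKE_CXX_COMPILER` line fall back to the bare name `gcc` when `CROSS` is empty or unset, so configuring with this toolchain file outside the Heads make wrapper would pick up the host compiler without any error. A guard ahead of the two `SET` lines would make that failure explicit: `if("$ENV{CROSS}" STREQUAL "")`, `message(FATAL_ERROR "CROSS is not set")`, `endif()`. The same reasoning applies to `$ENV{INSTALL}`, which now feeds `MYSYSROOT` and every `--sysroot=` flag. The toolchain file continues past the end of this hunk.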
diff --git a/blobs/librem_kbl/get_blobs.sh b/blobs/librem_kbl/get_blobs.sh
index c7a13376b..ff7087f64 100755
--- a/blobs/librem_kbl/get_blobs.sh
+++ b/blobs/librem_kbl/get_blobs.sh
@@ -2,16 +2,16 @@
 # depends on : wget sha256sum gunzip
 # Purism source
-RELEASES_GIT_HASH="631b4a4e9bf562768afc262647ef4ef4f4ffaebd"
+RELEASES_GIT_HASH="9828ffc0fbe7e0da65f10fe5e14f68f0ef061d5d"
 PURISM_SOURCE="https://source.puri.sm/coreboot/releases/raw/${RELEASES_GIT_HASH}"
 # Librem 13 v4 and Librem 15 v4 binary blob hashes
 KBL_UCODE_SHA="bb07f0f77abe08e553f85b99d18fa129f991bf3613cf73d77c4f0ece87dd251e"
 KBL_DESCRIPTOR_SHA="642ca36f52aabb5198b82e013bf64a73a5148693a58376fffce322a4d438b524"
 KBL_ME_SHA="0eec2e1135193941edd39d0ec0f463e353d0c6c9068867a2f32a72b64334fb34"
-KBL_FSPM_SHA="5da3ad7718eb3f6700fb9d97be988d9c8bdd2d8b5910273a80928c49122d5b2d"
-KBL_FSPS_SHA="c81ffa40df0b6cd6cfde4f476d452a1f6f2217bc96a3b98a4fa4a037ee7039cf"
-KBL_VBT_SHA="0ba40c1b8c0fb030a0e1a789eda8b2a7369339a410ad8c4620719e451ea69b98"
+KBL_FSPM_SHA="b285fc2240df7fee4fa069444cc2be2ebf5ea70af21b722b0e3dd102321b4877"
+KBL_FSPS_SHA="223d0f3d3ff28c46a3ac33442385ffedefe2d3063774784d4fef432013568019"
+KBL_VBT_SHA="45135459f7cbc06675fec5688479c2e2f4335d77c61bb58e4016d32ba7daa9d0"
 # cbfstool, ifdtool, coreboot image from Purism repo
 CBFSTOOL_FILE="cbfstool.gz"
@@ -27,7 +27,7 @@ IFDTOOL_BIN="./ifdtool"
 COREBOOT_IMAGE="coreboot-l13v4.rom"
 COREBOOT_IMAGE_FILE="$COREBOOT_IMAGE.gz"
 COREBOOT_IMAGE_URL="$PURISM_SOURCE/librem_13v4/$COREBOOT_IMAGE_FILE"
-COREBOOT_IMAGE_SHA="93c86230c618f9f19c29672f15f431f516db9247fac95bb2eacbc0fa33ea1e6a"
+COREBOOT_IMAGE_SHA="5a7548e2742289fa66339f817f4247599d51bc7a5a6a9e887efd39fcf7f9e831"
 die () {
 local msg=$1
diff --git a/blobs/librem_skl/get_blobs.sh b/blobs/librem_skl/get_blobs.sh
index 10482e811..e455f3d41 100755
--- a/blobs/librem_skl/get_blobs.sh
+++ b/blobs/librem_skl/get_blobs.sh
@@ -2,16 +2,16 @@
 # depends on : wget sha256sum gunzip
 # Purism source
-RELEASES_GIT_HASH="631b4a4e9bf562768afc262647ef4ef4f4ffaebd"
+RELEASES_GIT_HASH="9828ffc0fbe7e0da65f10fe5e14f68f0ef061d5d"
 PURISM_SOURCE="https://source.puri.sm/coreboot/releases/raw/${RELEASES_GIT_HASH}"
 # Librem 13 v2/v3 and Librem 15 v3 binary blob hashes
 SKL_UCODE_SHA="e528d2ccc5d76cd04bfabb556a3fbb70b93d9aca43e291e0f0104fbaae5720fd"
 SKL_DESCRIPTOR_SHA="642ca36f52aabb5198b82e013bf64a73a5148693a58376fffce322a4d438b524"
 SKL_ME_SHA="cf06d3eb8b24490a1ab46fd988b6cef822e5347cd6a2e92bc332cb4a376eb8bc"
-SKL_FSPM_SHA="5da3ad7718eb3f6700fb9d97be988d9c8bdd2d8b5910273a80928c49122d5b2d"
-SKL_FSPS_SHA="c81ffa40df0b6cd6cfde4f476d452a1f6f2217bc96a3b98a4fa4a037ee7039cf"
-SKL_VBT_SHA="0ba40c1b8c0fb030a0e1a789eda8b2a7369339a410ad8c4620719e451ea69b98"
+SKL_FSPM_SHA="5f402416894c324b6cbf8cba85068ac2c3de9be8dd4f37fae3af6cfed7acc38e"
+SKL_FSPS_SHA="223d0f3d3ff28c46a3ac33442385ffedefe2d3063774784d4fef432013568019"
+SKL_VBT_SHA="45135459f7cbc06675fec5688479c2e2f4335d77c61bb58e4016d32ba7daa9d0"
 # cbfstool, ifdtool, coreboot image from Purism repo
 CBFSTOOL_FILE="cbfstool.gz"
@@ -24,10 +24,10 @@ IFDTOOL_URL="$PURISM_SOURCE/tools/$IFDTOOL_FILE"
 IFDTOOL_SHA="08228ece4968794499ebd49a851f7d3f7f1b81352da8cd6e0c7916ac931a7d72"
 IFDTOOL_BIN="./ifdtool"
-COREBOOT_IMAGE="coreboot-l13v3.rom"
+COREBOOT_IMAGE="coreboot-l13v2.rom"
 COREBOOT_IMAGE_FILE="$COREBOOT_IMAGE.gz"
-COREBOOT_IMAGE_URL="$PURISM_SOURCE/librem_13v3/$COREBOOT_IMAGE_FILE"
-COREBOOT_IMAGE_SHA="784d8c9e9e3cf11e99b7f8a473d0ec18738193b2b57bb7a37386b536dab84be2"
+COREBOOT_IMAGE_URL="$PURISM_SOURCE/librem_13v2/$COREBOOT_IMAGE_FILE"
+COREBOOT_IMAGE_SHA="c703e0e705554bc7eb90814ae933d4372c0042927a6bbd7f27024cb99a8993d6"
 die () {
 local msg=$1
From 92e706bf1bd6affdbf28f99d9de0ed513ceaff48 Mon Sep 17 00:00:00 2001
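Review bot: The last hunk of blobs/librem_skl/get_blobs.sh switches the source image from `coreboot-l13v3.rom` under `librem_13v3/` to `coreboot-l13v2.rom` under `librem_13v2/`, which the commit description (hash updates for FSP and VBT) does not mention. Every blob extracted from that image is pinned by SHA-256 a few lines above, so the choice of image decides whether those hashes can be reproduced. A one-line comment above `COREBOOT_IMAGE=` would record it, for example `# blobs are extracted from the Librem 13 v2 release image`. Whether the v2 and v3 images carry identical blobs cannot be checked from this hunk.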
From: Francis Lam
Date: Sat, 25 Jan 2020 20:45:03 -0800
Subject: [PATCH 080/189] init: fix invalid GPG_TTY variable

busyboy tty isn't working after the musl-cross-make change so revert to known good value.
---
 initrd/init | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/initrd/init b/initrd/init
index 892a2a7c8..3bac630b2 100755
--- a/initrd/init
+++ b/initrd/init
@@ -52,7 +52,7 @@ if [ "$CONFIG_LINUXBOOT" = "y" ]; then
 fi
 # Set GPG_TTY before calling gpg in key-init
-export GPG_TTY=$(tty)
+export GPG_TTY=/dev/console
 /bin/key-init
From 132dcb234425770045780592c1726828cecf6719 Mon Sep 17 00:00:00 2001
From: Matt DeVillier
Date: Tue, 28 Jan 2020 20:44:34 -0600
Subject: [PATCH 081/189] flash-gui: set unset variable USB_FAILED

Not setting USB_FAILED when call to mount-usb succeeds results in a spurious 'sh: 0 unknown operand' error printed to console.
Signed-off-by: Matt DeVillier
---
 initrd/bin/flash-gui.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/initrd/bin/flash-gui.sh b/initrd/bin/flash-gui.sh
index dba97d405..8a4e05b9a 100755
--- a/initrd/bin/flash-gui.sh
+++ b/initrd/bin/flash-gui.sh
@@ -7,7 +7,7 @@ set -e -o pipefail
 mount_usb(){
 # Mount the USB boot device
 if ! grep -q /media /proc/mounts ; then
- mount-usb "$CONFIG_USB_BOOT_DEV" || USB_FAILED=1
+ mount-usb "$CONFIG_USB_BOOT_DEV" && USB_FAILED=0 || USB_FAILED=1
 if [ $USB_FAILED -ne 0 ]; then
 if [ ! -e "$CONFIG_USB_BOOT_DEV" ]; then
 whiptail --title 'USB Drive Missing' \
From 6c85d7a61ea01392dd572b255eceb881c309feaa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gabe=20Ga=C5=82=C4=85zka?= <38294951+flawedworld@users.noreply.github.com>
Date: Sat, 1 Feb 2020 17:43:35 +0000
Subject: [PATCH 082/189] Add ability to change CMOS values for X230

Add ability to change CMOS values by genning SMBIOS tables and using the values from stock bios, this allows for editing of SMBIOS values to change things such as VRAM allocation, FN and CTRL key swap etc
---
 config/coreboot-x230.config | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/config/coreboot-x230.config b/config/coreboot-x230.config
index c69f4174e..1ec6037bf 100644
--- a/config/coreboot-x230.config
+++ b/config/coreboot-x230.config
@@ -23,3 +23,6 @@ CONFIG_PAYLOAD_OPTIONS=""
 CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_LINUX_INITRD="../../build/x230/initrd.cpio.xz"
 CONFIG_DEBUG_SMM_RELOCATION=y
+CONFIG_USE_OPTION_TABLE=y
+CONFIG_GENERATE_SMBIOS_TABLES=y
+CONFIG_SMBIOS_PROVIDED_BY_MOBO=y
From e341f40cc44e22e0191553de5e0ad034a4eaf03b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gabe=20Ga=C5=82=C4=85zka?= <38294951+flawedworld@users.noreply.github.com>
Date: Mon, 3 Feb 2020 22:09:42 +0000
Subject: [PATCH 083/189] Update coreboot-x230.config
---
 config/coreboot-x230.config | 2 --
 1 file changed, 2 deletions(-)
diff --git a/config/coreboot-x230.config b/config/coreboot-x230.config
index 1ec6037bf..c8ef10f44 100644
--- a/config/coreboot-x230.config
+++ b/config/coreboot-x230.config
@@ -24,5 +24,3 @@ CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
 CONFIG_LINUX_INITRD="../../build/x230/initrd.cpio.xz"
 CONFIG_DEBUG_SMM_RELOCATION=y
 CONFIG_USE_OPTION_TABLE=y
-CONFIG_GENERATE_SMBIOS_TABLES=y
-CONFIG_SMBIOS_PROVIDED_BY_MOBO=y
From f0d85ba2d732a4944c8d2065aee6def74996b28c Mon Sep 17 00:00:00 2001
From: Sebastian McMillan <22755892+SebastianMcMillan@users.noreply.github.com>
Date: Wed, 19 Feb 2020 11:04:56 -0600
Subject: [PATCH 084/189] Flash.sh cleanup : flashrom specifics now in board configs (#592)

Flash.sh cleanup : flashrom specifics now in board configs (#592)
---
 boards/kgpe-d16/kgpe-d16.config | 1 +
 boards/librem13v2/librem13v2.config | 1 +
 boards/librem13v4/librem13v4.config | 1 +
 boards/librem15v3/librem15v3.config | 1 +
 boards/librem15v4/librem15v4.config | 1 +
 boards/x220/x220.config | 1 +
 boards/x230-flash/x230-flash.config | 1 +
 boards/x230/x230.config | 1 +
 initrd/bin/flash.sh | 12 +++---------
 9 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/boards/kgpe-d16/kgpe-d16.config b/boards/kgpe-d16/kgpe-d16.config
index 466fdf015..40c5f737e 100644
--- a/boards/kgpe-d16/kgpe-d16.config
+++ b/boards/kgpe-d16/kgpe-d16.config
@@ -30,4 +30,5 @@ export CONFIG_BOOT_KERNEL_REMOVE=""
 export CONFIG_BOOT_DEV="/dev/sda1"
 export CONFIG_USB_BOOT_DEV="/dev/sdb1"
 export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0"
+export FLASHROM_OPTIONS='--force --noverify -p internal'
 #export CONFIG_BOOT_STATIC_IP=192.168.1.2
diff --git a/boards/librem13v2/librem13v2.config b/boards/librem13v2/librem13v2.config
index e37d506b7..0e562f4f4 100644
--- a/boards/librem13v2/librem13v2.config
+++ b/boards/librem13v2/librem13v2.config
@@ -35,3 +35,4 @@ export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 13v2 Heads Boot Menu"
 export CONFIG_USB_BOOT_DEV="/dev/sdb1"
 export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0"
 export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0"
+export FLASHROM_OPTIONS='-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq'
diff --git a/boards/librem13v4/librem13v4.config b/boards/librem13v4/librem13v4.config
index f78f13a92..f76dd3280 100644
--- a/boards/librem13v4/librem13v4.config
+++ b/boards/librem13v4/librem13v4.config
@@ -35,3 +35,4 @@ export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 13v2 Heads Boot Menu"
 export CONFIG_USB_BOOT_DEV="/dev/sdb1"
 export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0"
 export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0"
+export FLASHROM_OPTIONS='-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq'
diff --git a/boards/librem15v3/librem15v3.config b/boards/librem15v3/librem15v3.config
index f9d05253f..d4d47163a 100644
--- a/boards/librem15v3/librem15v3.config
+++ b/boards/librem15v3/librem15v3.config
@@ -37,3 +37,4 @@ export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 15v3 Heads Boot Menu"
 export CONFIG_USB_BOOT_DEV="/dev/sdb1"
 export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0"
 export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0"
+export FLASHROM_OPTIONS='-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq'
diff --git a/boards/librem15v4/librem15v4.config b/boards/librem15v4/librem15v4.config
index 5f79a91d4..23e776711 100644
--- a/boards/librem15v4/librem15v4.config
+++ b/boards/librem15v4/librem15v4.config
@@ -37,3 +37,4 @@ export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 15v4 Heads Boot Menu"
 export CONFIG_USB_BOOT_DEV="/dev/sdb1"
 export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0"
 export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0"
+export FLASHROM_OPTIONS='-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq'
diff --git a/boards/x220/x220.config b/boards/x220/x220.config
index 0b901bdba..f731c0e68 100644
--- a/boards/x220/x220.config
+++ b/boards/x220/x220.config
@@ -28,3 +28,4 @@ export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on"
 export CONFIG_BOOT_KERNEL_REMOVE="quiet"
 export CONFIG_BOOT_DEV="/dev/sda1"
 export CONFIG_USB_BOOT_DEV="/dev/sdb1"
+export FLASHROM_OPTIONS='--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios'
diff --git a/boards/x230-flash/x230-flash.config b/boards/x230-flash/x230-flash.config
index b10d17aff..e8a9abf6d 100644
--- a/boards/x230-flash/x230-flash.config
+++ b/boards/x230-flash/x230-flash.config
@@ -17,6 +17,7 @@ CONFIG_LINUX_E1000E=y
 export CONFIG_USB_BOOT_DEV="/dev/sdb1"
 export CONFIG_BOOTSCRIPT=/bin/x230-flash.init
+export FLASHROM_OPTIONS='--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios'
 # This board is "special" in that we only want the top 4 MB of the ROM
 # for flashing into SPI flash 1 on the mainboard. This is enough to
diff --git a/boards/x230/x230.config b/boards/x230/x230.config
index 1d46ba920..acbf3dbae 100644
--- a/boards/x230/x230.config
+++ b/boards/x230/x230.config
@@ -34,6 +34,7 @@ export CONFIG_BOOT_GUI_MENU_NAME="Thinkpad X230 Heads Boot Menu"
 export CONFIG_USB_BOOT_DEV="/dev/sdb1"
 export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0"
 export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0"
+export FLASHROM_OPTIONS='--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios'
 # This board has two SPI flash chips, an 8 MB that holds the IFD,
 # the ME image and part of the coreboot image, and a 4 MB one that
diff --git a/initrd/bin/flash.sh b/initrd/bin/flash.sh
index 121b42b1e..f73bda98d 100755
--- a/initrd/bin/flash.sh
+++ b/initrd/bin/flash.sh
@@ -6,15 +6,9 @@ set -e -o pipefail . /etc/functions . /tmp/config -case "$CONFIG_BOARD" in - librem* ) - FLASHROM_OPTIONS='-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq' - ;; - x230* ) - FLASHROM_OPTIONS='--force --noverify-all --programmer internal --ifd --image bios' - ;; - "kgpe-d16" ) - FLASHROM_OPTIONS='--force --noverify --programmer internal' +case "$FLASHROM_OPTIONS" in + -* ) + echo "Board $CONFIG_BOARD detected, continuing..." ;; * ) die "ERROR: No board has been configured!\n\nEach board requires specific flashrom options and it's unsafe to flash without them.\n\nAborting." From 6b5adcca6f002ab440d616186942ce44ca3bd152 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 19 Feb 2020 11:40:34 -0600 Subject: [PATCH 085/189] init: load usb modules for devices using USB keyboard Some (out of tree) servers require use of a USB keyboard, and need the USB kernel modules loaded prior to checking for keypress to enter a recovery console. Since loading the modules affects the value in PRC5 and can cause issues putting a LUKS key in TPM, guard the loading of the USB modules with CONFIG_USB_KEYBOARD and remove the unguarded call from gui-init. This should resolve issues #603 and #674. Signed-off-by: Matt DeVillier --- initrd/bin/gui-init | 3 --- initrd/init | 5 +++++ 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 2b28fc212..757dfc9a0 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -128,9 +128,6 @@ clean_boot_check() "Clean Boot Detected - Perform OEM Factory Reset?" "$CONFIG_WARNING_BG_COLOR" } -# enable USB to load modules for external kb -enable_usb - if detect_boot_device ; then # /boot device with installed OS found clean_boot_check diff --git a/initrd/init b/initrd/init index 3bac630b2..509024bff 100755 --- a/initrd/init +++ b/initrd/init 
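Review bot: In initrd/bin/flash.sh the new `-* )` arm accepts any `FLASHROM_OPTIONS` value that merely begins with a dash, so the guard no longer ties the options to a known board, and the message `Board $CONFIG_BOARD detected, continuing...` reports a detection that is not performed. The value now comes from the sourced `/tmp/config` rather than from constants in this script, so a comment on the `case` should say what is and is not validated, e.g. `# only checks that the board config set some options; their content is used as-is`, and the message could read `echo "Using flashrom options from the board config for $CONFIG_BOARD"`. The x230 value in boards/x230/x230.config also differs from the removed `x230* )` arm (it adds `laptop=force_I_want_a_brick,ich_spi_mode=hwseq`), although the commit description presents the change as a cleanup. The `case` statement continues past the end of this hunk.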
@@ -64,6 +64,11 @@ if [ ! -z "$CONFIG_BOOT_RECOVERY_SERIAL" ]; then > "$CONFIG_BOOT_RECOVERY_SERIAL" 2>&1 & fi +# load USB modules for boards using a USB keyboard +if [ "$CONFIG_USB_KEYBOARD" = "y" ]; then + enable_usb +fi + # If the user has been holding down r, enter a recovery shell # otherwise immediately start the configured boot script. # We don't print a prompt, since this is a near instant timeout. From 21faf524b9d791a75f1710ada502f21298b8fa77 Mon Sep 17 00:00:00 2001 From: Sebastian McMillan <22755892+SebastianMcMillan@users.noreply.github.com> Date: Wed, 19 Feb 2020 11:51:03 -0600 Subject: [PATCH 086/189] T420 initial support + X220 FBWhiptail Support (#578) * Add support for the Lenovo ThinkPad T420 and X220. * Fix the autodetection of ifdtool and me_cleaner. * Enable FBWhiptail mode for X220 and T420 * Decreased CBFS size to fix 50 seconds boot delay problems --- blobs/t420/extract.sh | 65 +++++++++++++++++++++++++++++++++++++ blobs/t420/layout.txt | 4 +++ blobs/t420/readme.md | 29 +++++++++++++++++ blobs/x220/extract.sh | 7 ++-- boards/t420/t420.config | 37 +++++++++++++++++++++ boards/x220/x220.config | 16 ++++++--- config/coreboot-t420.config | 25 ++++++++++++++ config/coreboot-x220.config | 7 ++-- 8 files changed, 178 insertions(+), 12 deletions(-) create mode 100755 blobs/t420/extract.sh create mode 100644 blobs/t420/layout.txt create mode 100644 blobs/t420/readme.md create mode 100644 boards/t420/t420.config create mode 100644 config/coreboot-t420.config diff --git a/blobs/t420/extract.sh b/blobs/t420/extract.sh new file mode 100755 index 000000000..e34c3f907 --- /dev/null +++ b/blobs/t420/extract.sh 
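Review bot: The `CONFIG_USB_KEYBOARD` block added to initrd/init carries no comment about the measured-boot side effect that the commit description gives as the reason for the guard. Per that description, loading the USB modules changes a PCR value and can interfere with sealing a LUKS key in the TPM, so a board that sets this option measures differently from one that does not. I would extend the comment to something like `# load USB modules for boards using a USB keyboard; this changes TPM measurements, so enabling it on an existing install likely requires resealing`. No board config in this commit sets the option, so where it is meant to be documented is not visible here.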
@@ -0,0 +1,65 @@ +#!/bin/bash + +function printusage { + echo "Usage: $0 -f -m (optional) -i (optional)" + exit 0 +} + +BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + +if [ "$#" -eq 0 ]; then printusage; fi + +while getopts ":f:m:i:" opt; do + case $opt in + f) + FILE="$OPTARG" + ;; + m) + if [ -x "$OPTARG" ]; then + MECLEAN="$OPTARG" + fi + ;; + i) + if [ -x "$OPTARG" ]; then + IFDTOOL="$OPTARG" + fi + ;; + esac +done + +if [ -z "$MECLEAN" ]; then + MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1` + if [ -z "$MECLEAN" ]; then + echo "me_cleaner.py required but not found or specified with -m. Aborting." + exit 1; + fi +fi + +if [ -z "$IFDTOOL" ]; then + IFDTOOL=`command -v $BLOBDIR/../../build/coreboot-*/util/ifdtool/ifdtool 2>&1` + if [ -z "$IFDTOOL" ]; then + echo "ifdtool required but not found or specified with -m. Aborting." + exit 1; + fi +fi + +echo "FILE: $FILE" +echo "ME: $MECLEAN" +echo "IFD: $IFDTOOL" + +bioscopy=$(mktemp) +extractdir=$(mktemp -d) + +cp "$FILE" $bioscopy + +cd "$extractdir" +$IFDTOOL -x $bioscopy +cp "$extractdir/flashregion_3_gbe.bin" "$BLOBDIR/gbe.bin" +$MECLEAN -O "$BLOBDIR/me.bin" -r -t "$extractdir/flashregion_2_intel_me.bin" +$IFDTOOL -n "$BLOBDIR/layout.txt" $bioscopy +$IFDTOOL -x $bioscopy.new +cp "$extractdir/flashregion_0_flashdescriptor.bin" "$BLOBDIR/ifd.bin" + +rm "$bioscopy" +rm "$bioscopy.new" +rm -r "$extractdir" diff --git a/blobs/t420/layout.txt b/blobs/t420/layout.txt new file mode 100644 index 000000000..bbd90962c --- /dev/null +++ b/blobs/t420/layout.txt @@ -0,0 +1,4 @@ +00000000:00000fff fd +00018000:007fffff bios +00003000:00017fff me +00001000:00002fff gbe diff --git a/blobs/t420/readme.md b/blobs/t420/readme.md new file mode 100644 index 000000000..4a40a0528 --- /dev/null +++ b/blobs/t420/readme.md 
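Review bot: blobs/t420/extract.sh never checks the exit status of `$IFDTOOL -x`, `$MECLEAN` or `$IFDTOOL -n`, so a failed step still falls through to the `cp` and `rm` lines and can leave a missing or stale `me.bin`, `gbe.bin` or `ifd.bin` in `$BLOBDIR` for the next firmware build. Appending `|| exit 1` to those three invocations and quoting `"$bioscopy"` and `"$BLOBDIR"` wherever they are expanded would make a failed extraction stop visibly. The autodetection `command -v $BLOBDIR/../../build/coreboot-*/util/...` would also return more than one path if several `build/coreboot-*` directories exist, and the ifdtool error text says `-m` where the option is `-i`. The same autodetection lines are added to blobs/x220/extract.sh in this commit.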
@@ -0,0 +1,29 @@ +To build for T420, we need to have the following files in this folder: +* `me.bin` - ME binary that has been stripped and truncated with me_cleaner +* `gbe.bin` - Network card blob from the original firmware +* `ifd.bin` - Flash layout file has been provided as text + +To get the binaries, start with a copy of the original Lenovo firmware image. +If you do not have one already, you can read one out from the laptops SPI flash with flashrom + +``` +flashrom -p -r original.bin +``` + +Set `` to the flashrom programmer type that you will use (for example, `linux_spi:dev=/dev/spidev0.0` on a Raspberry Pi). + +Once you have the image, the provided extraction script will extract the files needed. + +``` +./extract.sh -f +``` + +Use the options '-m' and '-i' to provide me_cleaner and ifdtool if they can not be located automatically. + +The flash layout will be automatically adjusted and the ME image cleaned and truncated. + +You can now compile the image with: + +``` +make BOARD=t420 +``` diff --git a/blobs/x220/extract.sh b/blobs/x220/extract.sh index 173ed7fc6..e34c3f907 100755 --- a/blobs/x220/extract.sh +++ b/blobs/x220/extract.sh @@ -5,6 +5,8 @@ function printusage { exit 0 } +BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + if [ "$#" -eq 0 ]; then printusage; fi while getopts ":f:m:i:" opt; do @@ -26,7 +28,7 @@ while getopts ":f:m:i:" opt; do done if [ -z "$MECLEAN" ]; then - MECLEAN=`command -v me_cleaner.py 2>&1` + MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1` if [ -z "$MECLEAN" ]; then echo "me_cleaner.py required but not found or specified with -m. Aborting." exit 1; @@ -34,7 +36,7 @@ if [ -z "$MECLEAN" ]; then fi if [ -z "$IFDTOOL" ]; then - IFDTOOL=`command -v ifdtool 2>&1` + IFDTOOL=`command -v $BLOBDIR/../../build/coreboot-*/util/ifdtool/ifdtool 2>&1` if [ -z "$IFDTOOL" ]; then echo "ifdtool required but not found or specified with -m. Aborting." exit 1; 
@@ -47,7 +49,6 @@ echo "IFD: $IFDTOOL" bioscopy=$(mktemp) extractdir=$(mktemp -d) -BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" cp "$FILE" $bioscopy diff --git a/boards/t420/t420.config b/boards/t420/t420.config new file mode 100644 index 000000000..5b2946248 --- /dev/null +++ b/boards/t420/t420.config @@ -0,0 +1,37 @@ +# Configuration for a T420 running Qubes and other OS, T420 is identical to X230 on the Linux Side of things. +export CONFIG_COREBOOT=y +CONFIG_COREBOOT_CONFIG=config/coreboot-t420.config +CONFIG_LINUX_CONFIG=config/linux-x230.config + +CONFIG_CRYPTSETUP=y +CONFIG_FLASHROM=y +CONFIG_FLASHTOOLS=y +CONFIG_GPG2=y +CONFIG_KEXEC=y +CONFIG_UTIL_LINUX=y +CONFIG_LVM2=y +CONFIG_MBEDTLS=y +CONFIG_PCIUTILS=y +CONFIG_POPT=y +CONFIG_QRENCODE=y +CONFIG_TPMTOTP=y +CONFIG_DROPBEAR=y + +CONFIG_CAIRO=y +CONFIG_FBWHIPTAIL=y + +CONFIG_LINUX_USB=y +CONFIG_LINUX_E1000E=y + +export CONFIG_TPM=y +export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOT_REQ_HASH=n +export CONFIG_BOOT_REQ_ROLLBACK=n +export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off" +export CONFIG_BOOT_KERNEL_REMOVE="quiet" +export CONFIG_BOOT_DEV="/dev/sda1" +export CONFIG_BOOT_GUI_MENU_NAME="ThinkPad T420 Heads Boot Menu" +export CONFIG_USB_BOOT_DEV="/dev/sdb1" +export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" +export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" +export FLASHROM_OPTIONS='--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios' diff --git a/boards/x220/x220.config b/boards/x220/x220.config index f731c0e68..39b21751a 100644 --- a/boards/x220/x220.config +++ b/boards/x220/x220.config 
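Review bot: `CONFIG_BOOT_KERNEL_ADD` in the new boards/t420/t420.config carries `intel_iommu=igfx_off`, which leaves the integrated GPU out of DMA remapping, and the file gives no reason for it. Assuming this string is appended to the command line of the OS that Heads boots (its consumer is not in this diff), it weakens IOMMU isolation on a board the header comment describes as running Qubes. A comment above the line would record the trade-off, for example `# igfx_off: iGPU excluded from DMA remapping because (reason); revisit when fixed`. The same value is added to boards/x220/x220.config in the next file section.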
@@ -1,12 +1,12 @@ -# Configuration for a x220 running Qubes and other OS -# The Linux configuration is close enough to the x230 +# Configuration for a x220 running Qubes and other OS, X220 is identical to X230 on the Linux Side of things. export CONFIG_COREBOOT=y CONFIG_COREBOOT_CONFIG=config/coreboot-x220.config CONFIG_LINUX_CONFIG=config/linux-x230.config CONFIG_CRYPTSETUP=y CONFIG_FLASHROM=y -CONFIG_GPG=y +CONFIG_FLASHTOOLS=y +CONFIG_GPG2=y CONFIG_KEXEC=y CONFIG_UTIL_LINUX=y CONFIG_LVM2=y @@ -17,15 +17,21 @@ CONFIG_QRENCODE=y CONFIG_TPMTOTP=y CONFIG_DROPBEAR=y +CONFIG_CAIRO=y +CONFIG_FBWHIPTAIL=y + CONFIG_LINUX_USB=y CONFIG_LINUX_E1000E=y -export CONFIG_BOOTSCRIPT=/bin/generic-init export CONFIG_TPM=y +export CONFIG_BOOTSCRIPT=/bin/gui-init export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n -export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" +export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off" export CONFIG_BOOT_KERNEL_REMOVE="quiet" export CONFIG_BOOT_DEV="/dev/sda1" +export CONFIG_BOOT_GUI_MENU_NAME="ThinkPad X220 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" +export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" +export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" export FLASHROM_OPTIONS='--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios' diff --git a/config/coreboot-t420.config b/config/coreboot-t420.config new file mode 100644 index 000000000..dfce0080d --- /dev/null +++ b/config/coreboot-t420.config 
@@ -0,0 +1,25 @@ +CONFIG_LOCALVERSION="heads" +CONFIG_ANY_TOOLCHAIN=y +# CONFIG_INCLUDE_CONFIG_FILE is not set +# CONFIG_COLLECT_TIMESTAMPS is not set +CONFIG_USE_BLOBS=y +CONFIG_MEASURED_BOOT=y +CONFIG_VENDOR_LENOVO=y +CONFIG_CBFS_SIZE=0x700000 +CONFIG_ONBOARD_VGA_IS_PRIMARY=y +CONFIG_HAVE_IFD_BIN=y +CONFIG_HAVE_ME_BIN=y +CONFIG_HAVE_GBE_BIN=y +CONFIG_IFD_BIN_PATH="../../blobs/t420/ifd.bin" +CONFIG_ME_BIN_PATH="../../blobs/t420/me.bin" +CONFIG_BOARD_LENOVO_T420=y +CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_NO_POST=y +CONFIG_GBE_BIN_PATH="../../blobs/t420/gbe.bin" +CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 +CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y +CONFIG_PAYLOAD_LINUX=y +CONFIG_PAYLOAD_FILE="../../build/t420/bzImage" +CONFIG_LINUX_COMMAND_LINE="quiet" +CONFIG_LINUX_INITRD="../../build/t420/initrd.cpio.xz" +CONFIG_DEBUG_SMM_RELOCATION=y diff --git a/config/coreboot-x220.config b/config/coreboot-x220.config index 5671c71ba..ab22774a7 100644 --- a/config/coreboot-x220.config +++ b/config/coreboot-x220.config @@ -5,7 +5,7 @@ CONFIG_ANY_TOOLCHAIN=y CONFIG_USE_BLOBS=y CONFIG_MEASURED_BOOT=y CONFIG_VENDOR_LENOVO=y -CONFIG_CBFS_SIZE=0x7e8000 +CONFIG_CBFS_SIZE=0x700000 CONFIG_ONBOARD_VGA_IS_PRIMARY=y CONFIG_HAVE_IFD_BIN=y CONFIG_HAVE_ME_BIN=y @@ -15,12 +15,11 @@ CONFIG_ME_BIN_PATH="../../blobs/x220/me.bin" CONFIG_BOARD_LENOVO_X220=y CONFIG_DRIVERS_PS2_KEYBOARD=y CONFIG_NO_POST=y -CONFIG_CHECK_ME=y CONFIG_GBE_BIN_PATH="../../blobs/x220/gbe.bin" +#CONFIG_DEBUG_TPM=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 -CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="../../build/x220/bzImage" -CONFIG_LINUX_COMMAND_LINE="quiet" +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" CONFIG_LINUX_INITRD="../../build/x220/initrd.cpio.xz" CONFIG_DEBUG_SMM_RELOCATION=y From 28fedf9a7e6040fabd323f16a4166099e24f6c38 Mon Sep 17 00:00:00 2001 
From: Matt DeVillier Date: Wed, 19 Feb 2020 13:28:15 -0600 Subject: [PATCH 087/189] modules/libremkey-hotp-verification: make reproducible Modeled after modules/tpmtotp, use a specific git commit hash for module libremkey-hotp-verification. Add hidapi as a submodule with dummy/placeholder in modules (like coreboot-blobs), also specified by git commit hash. Adjust libremkey-hotp-verification patch file name so patch applied properly. Addresses issue #640 Test: build Librem 13v4 Signed-off-by: Matt DeVillier --- modules/hidapi | 2 ++ modules/libremkey-hotp-verification | 23 ++++++++++++++++--- ...6a7a1950226d0ef94e2eeed0ffb510eba89.patch} | 0 3 files changed, 22 insertions(+), 3 deletions(-) create mode 100644 modules/hidapi rename patches/{libremkey-hotp-verification.patch => libremkey-hotp-verification-e5fa36a7a1950226d0ef94e2eeed0ffb510eba89.patch} (100%) diff --git a/modules/hidapi b/modules/hidapi new file mode 100644 index 000000000..0a0ab5b10 --- /dev/null +++ b/modules/hidapi @@ -0,0 +1,2 @@ +# empty placeholder file +# This submodule is defined in modules/libremkey-hotp-verification diff --git a/modules/libremkey-hotp-verification b/modules/libremkey-hotp-verification index c8339df41..1a943847a 100644 --- a/modules/libremkey-hotp-verification +++ b/modules/libremkey-hotp-verification 
@@ -2,9 +2,11 @@ modules-$(CONFIG_LIBREMKEY) += libremkey-hotp-verification libremkey-hotp-verification_depends := libusb $(musl_dep) -libremkey-hotp-verification_version := git -libremkey-hotp-verification_dir := libremkey-hotp-verification -libremkey-hotp-verification_repo := --recursive https://github.com/Nitrokey/nitrokey-hotp-verification +libremkey-hotp-verification_version := e5fa36a7a1950226d0ef94e2eeed0ffb510eba89 +libremkey-hotp-verification_dir := libremkey-hotp-verification-$(libremkey-hotp-verification_version) +libremkey-hotp-verification_tar := nitrokey-hotp-verification-$(libremkey-hotp-verification_version).tar.gz +libremkey-hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(libremkey-hotp-verification_version).tar.gz +libremkey-hotp-verification_hash := 668113ebc21cc875d49266c8d3a47acfd524a8d6b64f75b7ce5833d595415469 libremkey-hotp-verification_target := \ $(MAKE_JOBS) \ @@ -18,3 +20,18 @@ libremkey-hotp-verification_configure := \ INSTALL="$(INSTALL)" \ CROSS="$(CROSS)" \ cmake -DCMAKE_TOOLCHAIN_FILE=./Toolchain-heads.cmake -DCMAKE_AR="$(CROSS)ar" . + +libremkey-hotp-verification_depends += hidapi +modules-y += hidapi + +hidapi_version := e5ae0d30a523c565595bdfba3d5f2e9e1faf0bd0 +hidapi_dir := libremkey-hotp-verification-$(libremkey-hotp-verification_version)/hidapi +hidapi_tar := hidapi-$(hidapi_version).tar.xz +hidapi_url := https://github.com/Nitrokey/hidapi/archive/$(hidapi_version).tar.gz +hidapi_hash := acc2a5089a8917085c2b3ebe9446065a21c760ba7e13cb54917043c4122188e0 + + +## hidapi will be built as part of libremkey-hotp-verification +## so nothing to do here (but need make to be happy) +hidapi_output := .built +hidapi_configure := echo -e 'all:\n\ttouch .built' > Makefile 
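Review bot: `hidapi_tar` is named `hidapi-$(hidapi_version).tar.xz` while `hidapi_url` fetches the `.tar.gz` archive, so a gzip tarball is stored under an xz suffix; if the unpack rule (outside this diff) chooses the decompressor from the file name, extraction fails, and the line should read `hidapi_tar := hidapi-$(hidapi_version).tar.gz`. In the same hunk `hidapi_configure` relies on `echo -e`, which a POSIX `sh` such as dash prints literally as `-e`, leaving an invalid Makefile; `printf 'all:\n\ttouch .built\n' > Makefile` behaves the same in every shell. `modules-y += hidapi` is unconditional although the parent module is gated on `CONFIG_LIBREMKEY`, so boards without it presumably still fetch and unpack hidapi.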
diff --git a/patches/libremkey-hotp-verification.patch b/patches/libremkey-hotp-verification-e5fa36a7a1950226d0ef94e2eeed0ffb510eba89.patch similarity index 100% rename from patches/libremkey-hotp-verification.patch rename to patches/libremkey-hotp-verification-e5fa36a7a1950226d0ef94e2eeed0ffb510eba89.patch From 62f180d0983ceed06bc948d44e184fd75111f79a Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Wed, 19 Feb 2020 16:33:43 -0500 Subject: [PATCH 088/189] Flash.sh cleanup: Fix FLASHROM_OPTIONS -> CONFIG_FLASHROM_OPTIONS to be exported by Makefile --- boards/kgpe-d16/kgpe-d16.config | 2 +- boards/librem13v2/librem13v2.config | 2 +- boards/librem13v4/librem13v4.config | 2 +- boards/librem15v3/librem15v3.config | 2 +- boards/librem15v4/librem15v4.config | 2 +- boards/t420/t420.config | 2 +- boards/x220/x220.config | 2 +- boards/x230-flash/x230-flash.config | 2 +- boards/x230/x230.config | 2 +- initrd/bin/flash.sh | 10 +++++----- 10 files changed, 14 insertions(+), 14 deletions(-) diff --git a/boards/kgpe-d16/kgpe-d16.config b/boards/kgpe-d16/kgpe-d16.config index 40c5f737e..d34aa60c5 100644 --- a/boards/kgpe-d16/kgpe-d16.config +++ b/boards/kgpe-d16/kgpe-d16.config @@ -30,5 +30,5 @@ export CONFIG_BOOT_KERNEL_REMOVE="" export CONFIG_BOOT_DEV="/dev/sda1" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" -export FLASHROM_OPTIONS='--force --noverify -p internal' +export CONFIG_FLASHROM_OPTIONS="--force --noverify -p internal" #export CONFIG_BOOT_STATIC_IP=192.168.1.2 diff --git a/boards/librem13v2/librem13v2.config b/boards/librem13v2/librem13v2.config index 0e562f4f4..515bd7737 100644 --- a/boards/librem13v2/librem13v2.config +++ b/boards/librem13v2/librem13v2.config 
@@ -35,4 +35,4 @@ export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 13v2 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" -export FLASHROM_OPTIONS='-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq' +export CONFIG_FLASHROM_OPTIONS="-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq" diff --git a/boards/librem13v4/librem13v4.config b/boards/librem13v4/librem13v4.config index f76dd3280..ece2fc5c5 100644 --- a/boards/librem13v4/librem13v4.config +++ b/boards/librem13v4/librem13v4.config @@ -35,4 +35,4 @@ export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 13v2 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" -export FLASHROM_OPTIONS='-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq' +export CONFIG_FLASHROM_OPTIONS="-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq" diff --git a/boards/librem15v3/librem15v3.config b/boards/librem15v3/librem15v3.config index d4d47163a..9174b50c6 100644 --- a/boards/librem15v3/librem15v3.config +++ b/boards/librem15v3/librem15v3.config @@ -37,4 +37,4 @@ export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 15v3 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" -export FLASHROM_OPTIONS='-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq' +export CONFIG_FLASHROM_OPTIONS="-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq" diff --git a/boards/librem15v4/librem15v4.config b/boards/librem15v4/librem15v4.config index 23e776711..cd9224617 100644 --- a/boards/librem15v4/librem15v4.config +++ b/boards/librem15v4/librem15v4.config 
@@ -37,4 +37,4 @@ export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 15v4 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" -export FLASHROM_OPTIONS='-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq' +export CONFIG_FLASHROM_OPTIONS="-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq" diff --git a/boards/t420/t420.config b/boards/t420/t420.config index 5b2946248..7d436d910 100644 --- a/boards/t420/t420.config +++ b/boards/t420/t420.config @@ -34,4 +34,4 @@ export CONFIG_BOOT_GUI_MENU_NAME="ThinkPad T420 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" -export FLASHROM_OPTIONS='--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios' +export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios" diff --git a/boards/x220/x220.config b/boards/x220/x220.config index 39b21751a..5840d8722 100644 --- a/boards/x220/x220.config +++ b/boards/x220/x220.config @@ -34,4 +34,4 @@ export CONFIG_BOOT_GUI_MENU_NAME="ThinkPad X220 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" -export FLASHROM_OPTIONS='--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios' +export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios" diff --git a/boards/x230-flash/x230-flash.config b/boards/x230-flash/x230-flash.config index e8a9abf6d..0cce66730 100644 --- a/boards/x230-flash/x230-flash.config 
+++ b/boards/x230-flash/x230-flash.config @@ -17,7 +17,7 @@ CONFIG_LINUX_E1000E=y export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_BOOTSCRIPT=/bin/x230-flash.init -export FLASHROM_OPTIONS='--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios' +export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios" # This board is "special" in that we only want the top 4 MB of the ROM # for flashing into SPI flash 1 on the mainboard. This is enough to diff --git a/boards/x230/x230.config b/boards/x230/x230.config index acbf3dbae..f800b6a8b 100644 --- a/boards/x230/x230.config +++ b/boards/x230/x230.config @@ -34,7 +34,7 @@ export CONFIG_BOOT_GUI_MENU_NAME="Thinkpad X230 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" -export FLASHROM_OPTIONS='--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios' +export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios" # This board has two SPI flash chips, an 8 MB that holds the IFD, # the ME image and part of the coreboot image, and a 4 MB one that diff --git a/initrd/bin/flash.sh b/initrd/bin/flash.sh index f73bda98d..d82d43b71 100755 --- a/initrd/bin/flash.sh +++ b/initrd/bin/flash.sh @@ -6,7 +6,7 @@ set -e -o pipefail . /etc/functions . /tmp/config -case "$FLASHROM_OPTIONS" in +case "$CONFIG_FLASHROM_OPTIONS" in -* ) echo "Board $CONFIG_BOARD detected, continuing..." ;; 
@@ -18,11 +18,11 @@ esac flash_rom() { ROM=$1 if [ "$READ" -eq 1 ]; then - flashrom $FLASHROM_OPTIONS -r "${ROM}.1" \ + flashrom $CONFIG_FLASHROM_OPTIONS -r "${ROM}.1" \ || die "$ROM: Read failed" - flashrom $FLASHROM_OPTIONS -r "${ROM}.2" \ + flashrom $CONFIG_FLASHROM_OPTIONS -r "${ROM}.2" \ || die "$ROM: Read failed" - flashrom $FLASHROM_OPTIONS -r "${ROM}.3" \ + flashrom $CONFIG_FLASHROM_OPTIONS -r "${ROM}.3" \ || die "$ROM: Read failed" if [ `sha256sum ${ROM}.[123] | cut -f1 -d ' ' | uniq | wc -l` -eq 1 ]; then mv ${ROM}.1 $ROM @@ -44,7 +44,7 @@ flash_rom() { cbfs -o /tmp/${CONFIG_BOARD}.rom -a serial_number -f /tmp/serial fi - flashrom $FLASHROM_OPTIONS -w /tmp/${CONFIG_BOARD}.rom \ + flashrom $CONFIG_FLASHROM_OPTIONS -w /tmp/${CONFIG_BOARD}.rom \ || die "$ROM: Flash failed" fi } From 30b098bfacd08a5877a7f7c25f85345844481aa5 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 19 Feb 2020 16:27:57 -0600 Subject: [PATCH 089/189] gui-init: fix checking librem key card-status Commit 6b5adcca moved the call to enable_usb from gui-init to init and guarded it with CONFIG_USB_KEYBOARD, but it was missed that this is needed for the clean boot check logic when a librem key is used. Add the call back to gui-init and guard it properly Test: clean_boot_detect works properly on a librem 13v4 Signed-off-by: Matt DeVillier --- initrd/bin/gui-init | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 757dfc9a0..1ac0273f8 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -118,8 +118,11 @@ clean_boot_check() [ $GPG_KEY_COUNT -ne 0 ] && return # check for USB security token - if ! gpg --card-status > /dev/null ; then - return + if [ "$CONFIG_LIBREMKEY" = "y" ]; then + enable_usb + if ! gpg --card-status > /dev/null ; then + return + fi fi # OS is installed, no kexec files present, no GPG keys in keyring, security token present From 83a67d27988ae1663b0b5fa2092778035f286dd6 Mon Sep 17 00:00:00 2001 
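Review bot: In the initrd/bin/gui-init hunk the new `CONFIG_LIBREMKEY` guard in `clean_boot_check` wraps the `gpg --card-status` test as well as `enable_usb`, so on a board without `CONFIG_LIBREMKEY=y` the function no longer returns when no card answers and continues into the branch whose comment still says "security token present". Only the USB bring-up needs the guard: `if [ "$CONFIG_LIBREMKEY" = "y" ]; then enable_usb; fi` followed by the original unconditional `if ! gpg --card-status > /dev/null ; then return; fi`. If skipping the token check on other boards is intended, the comment below it should say so. The rest of the function lies outside the hunk, so what that branch does without a token cannot be checked here.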
From: Matt DeVillier Date: Wed, 19 Feb 2020 14:15:27 -0600 Subject: [PATCH 090/189] oem-factory-reset: fix GPG key backup filename fix $GPG_GEN_KEY getting clobbered when using a custom password Signed-off-by: Matt DeVillier --- initrd/bin/oem-factory-reset | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index fcd2b1066..2628eed91 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -316,6 +316,10 @@ gpg --list-keys >/dev/null 2>&1 echo -e "\nResetting GPG Key...\n(this will take a minute or two)\n" gpg_key_reset +# parse name of generated key +GPG_GEN_KEY=`grep -A1 pub /tmp/gpg_card_edit_output | tail -n1 | sed -nr 's/^([ ])*//p'` +PUBKEY="/tmp/${GPG_GEN_KEY}.asc" + if [ "$CUSTOM_PASS" != "" ]; then echo -e "\nChanging default GPG Admin PIN\n" gpg_key_change_pin "3" "$ADMIN_PIN_DEF" "$CUSTOM_PASS" @@ -327,9 +331,6 @@ fi ## export generated key to USB echo -e "\nExporting generated key to USB...\n" -# parse name of generated key -GPG_GEN_KEY=`grep -A1 pub /tmp/gpg_card_edit_output | tail -n1 | sed -nr 's/^([ ])*//p'` -PUBKEY="/tmp/${GPG_GEN_KEY}.asc" # export pubkey to file if ! gpg --export --armor $GPG_GEN_KEY > "${PUBKEY}" 2>/tmp/error ; then ERROR=$(tail -n 1 /tmp/error) From 3165ba60f6d6262e8890b3821a0ea01c6924b805 Mon Sep 17 00:00:00 2001 From: Sebastian McMillan <22755892+SebastianMcMillan@users.noreply.github.com> Date: Wed, 19 Feb 2020 19:03:31 -0600 Subject: [PATCH 091/189] Update coreboot-t420.config Fix Screen Garble --- config/coreboot-t420.config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/coreboot-t420.config b/config/coreboot-t420.config index dfce0080d..82095d22a 100644 --- a/config/coreboot-t420.config +++ b/config/coreboot-t420.config 
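Review bot: `GPG_GEN_KEY` is now parsed right after `gpg_key_reset` in initrd/bin/oem-factory-reset, but it is still never checked for being empty. If the `grep`/`sed` pipeline finds no `pub` line in `/tmp/gpg_card_edit_output`, `PUBKEY` becomes `/tmp/.asc` and the later unquoted `gpg --export --armor $GPG_GEN_KEY` runs with no key argument, which exports every public key in the keyring instead of the one just generated. A guard after the assignment, `[ -n "$GPG_GEN_KEY" ] || { echo "Could not determine generated key id"; exit 1; }` (or the script's own error helper, which is outside these hunks), together with quoting `"$GPG_GEN_KEY"` in the export line, would close this.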
@@ -20,6 +20,6 @@ CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="../../build/t420/bzImage" -CONFIG_LINUX_COMMAND_LINE="quiet" +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" CONFIG_LINUX_INITRD="../../build/t420/initrd.cpio.xz" CONFIG_DEBUG_SMM_RELOCATION=y From 1bd93d66790075403ca193417b11e21d2eb2447b Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 19 Feb 2020 22:16:39 -0600 Subject: [PATCH 092/189] Eliminate use of CONFIG_USB_BOOT_DEV mount-usb switched to dynamic USB device detection a while back, so eliminate instances of CONFIG_BOOT_USB_DEV, and derive the mounted USB device from /etc/mtab in the one place where it's actually needed (usb-scan). Clean up areas around calls to mount-usb for clarity/readability. Addresses issue #673 Test: Build Librem 13v4, boot ISO file on USB Signed-off-by: Matt DeVillier --- boards/kgpe-d16/kgpe-d16.config | 1 - boards/leopard/leopard.config | 1 - boards/librem13v2/librem13v2.config | 1 - boards/librem13v4/librem13v4.config | 1 - boards/librem15v3/librem15v3.config | 1 - boards/librem15v4/librem15v4.config | 1 - boards/qemu-coreboot/qemu-coreboot.config | 1 - boards/qemu-linuxboot/qemu-linuxboot.config | 1 - boards/r630/r630.config | 1 - boards/s2600wf/s2600wf.config | 1 - boards/t420/t420.config | 1 - boards/tioga/tioga.config | 1 - boards/winterfell/winterfell.config | 1 - boards/x220/x220.config | 1 - boards/x230-flash/x230-flash.config | 1 - boards/x230/x230.config | 1 - initrd/bin/flash-gui.sh | 12 +++++------- initrd/bin/gpg-gui.sh | 12 +++++------- initrd/bin/usb-scan | 4 +++- initrd/init | 3 --- 20 files changed, 13 insertions(+), 34 deletions(-) diff --git a/boards/kgpe-d16/kgpe-d16.config b/boards/kgpe-d16/kgpe-d16.config index d34aa60c5..072f36ac8 100644 --- a/boards/kgpe-d16/kgpe-d16.config +++ b/boards/kgpe-d16/kgpe-d16.config 
@@ -28,7 +28,6 @@ export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="nohz=on console=ttyS1,115200n8 " export CONFIG_BOOT_KERNEL_REMOVE="" export CONFIG_BOOT_DEV="/dev/sda1" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" export CONFIG_FLASHROM_OPTIONS="--force --noverify -p internal" #export CONFIG_BOOT_STATIC_IP=192.168.1.2 diff --git a/boards/leopard/leopard.config b/boards/leopard/leopard.config index d0471623c..672ed47f8 100644 --- a/boards/leopard/leopard.config +++ b/boards/leopard/leopard.config @@ -42,7 +42,6 @@ export CONFIG_TPM=n export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_DEV="/dev/sda1" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" $(build)/$(BOARD)/linuxboot.rom: linuxboot.intermediate diff --git a/boards/librem13v2/librem13v2.config b/boards/librem13v2/librem13v2.config index 515bd7737..2d3f3aca2 100644 --- a/boards/librem13v2/librem13v2.config +++ b/boards/librem13v2/librem13v2.config @@ -32,7 +32,6 @@ export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" export CONFIG_BOOT_KERNEL_REMOVE="" export CONFIG_BOOT_DEV="/dev/nvme0n1p1" export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 13v2 Heads Boot Menu" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" export CONFIG_FLASHROM_OPTIONS="-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq" diff --git a/boards/librem13v4/librem13v4.config b/boards/librem13v4/librem13v4.config index ece2fc5c5..e1a4bbc09 100644 --- a/boards/librem13v4/librem13v4.config +++ b/boards/librem13v4/librem13v4.config 
@@ -32,7 +32,6 @@ export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" export CONFIG_BOOT_KERNEL_REMOVE="" export CONFIG_BOOT_DEV="/dev/nvme0n1p1" export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 13v2 Heads Boot Menu" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" export CONFIG_FLASHROM_OPTIONS="-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq" diff --git a/boards/librem15v3/librem15v3.config b/boards/librem15v3/librem15v3.config index 9174b50c6..2580e15b1 100644 --- a/boards/librem15v3/librem15v3.config +++ b/boards/librem15v3/librem15v3.config @@ -34,7 +34,6 @@ export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" export CONFIG_BOOT_KERNEL_REMOVE="" export CONFIG_BOOT_DEV="/dev/nvme0n1p1" export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 15v3 Heads Boot Menu" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" export CONFIG_FLASHROM_OPTIONS="-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq" diff --git a/boards/librem15v4/librem15v4.config b/boards/librem15v4/librem15v4.config index cd9224617..107be0325 100644 --- a/boards/librem15v4/librem15v4.config +++ b/boards/librem15v4/librem15v4.config @@ -34,7 +34,6 @@ export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" export CONFIG_BOOT_KERNEL_REMOVE="" export CONFIG_BOOT_DEV="/dev/nvme0n1p1" export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 15v4 Heads Boot Menu" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" export CONFIG_FLASHROM_OPTIONS="-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq" diff --git a/boards/qemu-coreboot/qemu-coreboot.config b/boards/qemu-coreboot/qemu-coreboot.config index 1dc025692..aeb57c787 100644 
--- a/boards/qemu-coreboot/qemu-coreboot.config +++ b/boards/qemu-coreboot/qemu-coreboot.config @@ -49,7 +49,6 @@ export CONFIG_BOOTSCRIPT=/bin/generic-init export CONFIG_TPM=n export CONFIG_BOOT_DEV="/dev/sda1" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" #run: coreboot.intermediate run: diff --git a/boards/qemu-linuxboot/qemu-linuxboot.config b/boards/qemu-linuxboot/qemu-linuxboot.config index 730ce633d..4a9a3317d 100644 --- a/boards/qemu-linuxboot/qemu-linuxboot.config +++ b/boards/qemu-linuxboot/qemu-linuxboot.config @@ -36,7 +36,6 @@ export CONFIG_BOOTSCRIPT_NETWORK=/bin/network-init-recovery export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_DEV="/dev/sda1" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_BOOT_STATIC_IP=10.0.2.15 # You can ssh into the qemu instance by running diff --git a/boards/r630/r630.config b/boards/r630/r630.config index 23c8d43b5..8f24f0573 100644 --- a/boards/r630/r630.config +++ b/boards/r630/r630.config @@ -28,4 +28,3 @@ export CONFIG_BOOTSCRIPT=/bin/generic-init export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_DEV="/dev/sda1" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" diff --git a/boards/s2600wf/s2600wf.config b/boards/s2600wf/s2600wf.config index 8af985110..2c810da0f 100644 --- a/boards/s2600wf/s2600wf.config +++ b/boards/s2600wf/s2600wf.config @@ -40,4 +40,3 @@ export CONFIG_BOOTSCRIPT=/bin/generic-init export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_DEV="/dev/sda1" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" diff --git a/boards/t420/t420.config b/boards/t420/t420.config index 7d436d910..ea4406424 100644 --- a/boards/t420/t420.config +++ b/boards/t420/t420.config 
@@ -31,7 +31,6 @@ export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off" export CONFIG_BOOT_KERNEL_REMOVE="quiet" export CONFIG_BOOT_DEV="/dev/sda1" export CONFIG_BOOT_GUI_MENU_NAME="ThinkPad T420 Heads Boot Menu" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios" diff --git a/boards/tioga/tioga.config b/boards/tioga/tioga.config index f1144254e..af16c1ce7 100644 --- a/boards/tioga/tioga.config +++ b/boards/tioga/tioga.config @@ -43,7 +43,6 @@ export CONFIG_TPM=n export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_DEV="/dev/sda1" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" $(build)/$(BOARD)/linuxboot.rom: linuxboot.intermediate diff --git a/boards/winterfell/winterfell.config b/boards/winterfell/winterfell.config index 8e457c6b5..b49421c2f 100644 --- a/boards/winterfell/winterfell.config +++ b/boards/winterfell/winterfell.config @@ -42,7 +42,6 @@ export CONFIG_TPM=n export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_DEV="/dev/sda1" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" #$(build)/$(BOARD)/linuxboot.rom: $(build)/$(linuxboot_dir)/ diff --git a/boards/x220/x220.config b/boards/x220/x220.config index 5840d8722..3af04149e 100644 --- a/boards/x220/x220.config +++ b/boards/x220/x220.config 
@@ -31,7 +31,6 @@ export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off" export CONFIG_BOOT_KERNEL_REMOVE="quiet" export CONFIG_BOOT_DEV="/dev/sda1" export CONFIG_BOOT_GUI_MENU_NAME="ThinkPad X220 Heads Boot Menu" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios" diff --git a/boards/x230-flash/x230-flash.config b/boards/x230-flash/x230-flash.config index 0cce66730..5530ba27a 100644 --- a/boards/x230-flash/x230-flash.config +++ b/boards/x230-flash/x230-flash.config @@ -15,7 +15,6 @@ CONFIG_LINUX_CONFIG=config/linux-x230-flash.config CONFIG_LINUX_USB=y CONFIG_LINUX_E1000E=y -export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_BOOTSCRIPT=/bin/x230-flash.init export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios" diff --git a/boards/x230/x230.config b/boards/x230/x230.config index f800b6a8b..ad49270eb 100644 --- a/boards/x230/x230.config +++ b/boards/x230/x230.config @@ -31,7 +31,6 @@ export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off" export CONFIG_BOOT_KERNEL_REMOVE="quiet" export CONFIG_BOOT_DEV="/dev/sda1" export CONFIG_BOOT_GUI_MENU_NAME="Thinkpad X230 Heads Boot Menu" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios" diff --git a/initrd/bin/flash-gui.sh b/initrd/bin/flash-gui.sh index 8a4e05b9a..c8cbd364b 100755 --- a/initrd/bin/flash-gui.sh +++ b/initrd/bin/flash-gui.sh 
@@ -7,16 +7,14 @@ set -e -o pipefail mount_usb(){ # Mount the USB boot device if ! grep -q /media /proc/mounts ; then - mount-usb "$CONFIG_USB_BOOT_DEV" && USB_FAILED=0 || USB_FAILED=1 + mount-usb && USB_FAILED=0 || USB_FAILED=1 if [ $USB_FAILED -ne 0 ]; then - if [ ! -e "$CONFIG_USB_BOOT_DEV" ]; then - whiptail --title 'USB Drive Missing' \ - --msgbox "Insert your USB drive and press Enter to continue." 16 60 USB_FAILED=0 - mount-usb "$CONFIG_USB_BOOT_DEV" || USB_FAILED=1 - fi + whiptail --title 'USB Drive Missing' \ + --msgbox "Insert your USB drive and press Enter to continue." 16 60 + mount-usb && USB_FAILED=0 || USB_FAILED=1 if [ $USB_FAILED -ne 0 ]; then whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Mounting /media Failed' \ - --msgbox "Unable to mount $CONFIG_USB_BOOT_DEV" 16 60 + --msgbox "Unable to mount USB device" 16 60 fi fi fi diff --git a/initrd/bin/gpg-gui.sh b/initrd/bin/gpg-gui.sh index c7d179e33..9ab70b6cc 100755 --- a/initrd/bin/gpg-gui.sh +++ b/initrd/bin/gpg-gui.sh @@ -7,16 +7,14 @@ set -e -o pipefail mount_usb(){ # Mount the USB boot device if ! grep -q /media /proc/mounts ; then - mount-usb "$CONFIG_USB_BOOT_DEV" || USB_FAILED=1 + mount-usb && USB_FAILED=0 || USB_FAILED=1 if [ $USB_FAILED -ne 0 ]; then - if [ ! -e "$CONFIG_USB_BOOT_DEV" ]; then - whiptail --title 'USB Drive Missing' \ - --msgbox "Insert your USB drive and press Enter to continue." 16 60 USB_FAILED=0 - mount-usb "$CONFIG_USB_BOOT_DEV" || USB_FAILED=1 - fi + whiptail --title 'USB Drive Missing' \ + --msgbox "Insert your USB drive and press Enter to continue." 16 60 + mount-usb && USB_FAILED=0 || USB_FAILED=1 if [ $USB_FAILED -ne 0 ]; then whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Mounting /media Failed' \ - --msgbox "Unable to mount $CONFIG_USB_BOOT_DEV" 16 60 + --msgbox "Unable to mount USB device" 16 60 fi fi fi diff --git a/initrd/bin/usb-scan b/initrd/bin/usb-scan index 4d576555c..a9debdf5c 100755 --- a/initrd/bin/usb-scan +++ b/initrd/bin/usb-scan 
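Review bot: When the second `mount-usb` attempt in `mount_usb` fails, the new code only shows the "Unable to mount USB device" box and then falls out of the `if`, and nothing in the hunk returns a non-zero status. Unless the caller re-checks `/proc/mounts`, the ROM selection continues against an unmounted `/media`. I would add `return 1` after that `whiptail` call and have callers test it; the identical hunk in initrd/bin/gpg-gui.sh needs the same change. The closing lines of the function are outside the hunk, so the fall-through is inferred rather than confirmed.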
@@ -15,6 +15,8 @@ if ! grep -q /media /proc/mounts ; then mount-usb "$CONFIG_USB_BOOT_DEV" \ || die "Unable to mount /media" fi +# Get USB boot device +USB_BOOT_DEV=$(grep "/media" /etc/mtab | cut -f 1 -d' ') # Check for ISO first get_menu_option() { @@ -72,7 +74,7 @@ if [ `cat /tmp/iso_menu.txt | wc -l` -gt 0 ]; then if [ -n "$option" ]; then MOUNTED_ISO=$option ISO=${option:7} # remove /media/ to get device relative path - kexec-iso-init $MOUNTED_ISO $ISO $CONFIG_USB_BOOT_DEV + kexec-iso-init $MOUNTED_ISO $ISO $USB_BOOT_DEV die "Something failed in iso init" fi diff --git a/initrd/init b/initrd/init index 509024bff..40063deaa 100755 --- a/initrd/init +++ b/initrd/init @@ -97,9 +97,6 @@ combine_configs if [ ! -z "$CONFIG_BOOT_DEV" ]; then echo >> /etc/fstab "$CONFIG_BOOT_DEV /boot auto defaults,ro 0 0" fi -if [ ! -z "$CONFIG_USB_BOOT_DEV" ]; then - echo >> /etc/fstab "$CONFIG_USB_BOOT_DEV /media auto defaults,ro 0 0" -fi if [ ! -x "$CONFIG_BOOTSCRIPT" -a ! -x "$CONFIG_BOOTSCRIPT_NETWORK" ]; then recovery 'Boot script missing? Entering recovery shell' From 801bbed601de9e3a2617f83c9b7b81fd2118a253 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gabe=20Ga=C5=82=C4=85zka?= <38294951+flawedworld@users.noreply.github.com> Date: Sun, 23 Feb 2020 18:51:42 +0000 Subject: [PATCH 093/189] Update coreboot-x230.config --- config/coreboot-x230.config | 1 + 1 file changed, 1 insertion(+) diff --git a/config/coreboot-x230.config b/config/coreboot-x230.config index c8ef10f44..cdab5d864 100644 --- a/config/coreboot-x230.config +++ b/config/coreboot-x230.config @@ -24,3 +24,4 @@ CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet" CONFIG_LINUX_INITRD="../../build/x230/initrd.cpio.xz" CONFIG_DEBUG_SMM_RELOCATION=y CONFIG_USE_OPTION_TABLE=y +CONFIG_STATIC_OPTION_TABLE=y From f62364ffa23c5e36b93b593174847ecd52a17986 Mon Sep 17 00:00:00 2001 
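Review bot: The new `USB_BOOT_DEV=$(grep "/media" /etc/mtab | cut -f 1 -d' ')` matches every mtab line that contains `/media` anywhere, so a second mount below `/media` or a source path containing that string yields several words instead of one device. Anchoring on the mount-point field and taking the first match is safer: `USB_BOOT_DEV=$(grep ' /media ' /etc/mtab | head -n 1 | cut -f 1 -d' ')`. In the second hunk the value is passed unquoted, next to names read from the removable media, so that call should be `kexec-iso-init "$MOUNTED_ISO" "$ISO" "$USB_BOOT_DEV"`. The context line above the addition still runs `mount-usb "$CONFIG_USB_BOOT_DEV"` even though this commit removes that variable from the board configs, so it presumably should become a bare `mount-usb` like the other callers.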
From: tlaurion Date: Mon, 9 Mar 2020 14:21:46 -0400 Subject: [PATCH 094/189] Update README.md - Add basic board building - Remove xen as Heads dependency - change musl-cross in text to musl-cross-make to reflect new building tools reality --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 152679131..68f0b5b22 100644 --- a/README.md +++ b/README.md @@ -28,11 +28,12 @@ Please refer to [Heads-wiki](https://github.com/osresearch/heads-wiki/blob/maste Building heads === +`make BOARD=board_name` where board_name is the name of the board directory under `./boards` directory. In order to build reproducible firmware images, Heads builds a specific version of gcc and uses it to compile the Linux kernel and various tools that go into the initrd. Unfortunately this means the first step is a -little slow since it will clone the `musl-cross` tree and build gcc... +little slow since it will clone the `musl-cross-make` tree and build gcc... Once that is done, the top level `Makefile` will handle most of the remaining details -- it downloads the various packages, verifies the @@ -57,7 +58,6 @@ directory and include: * [lvm2](https://sourceware.org/lvm2/) * [gnupg](https://www.gnupg.org/) * [Linux kernel](https://kernel.org) -* [Xen hypervisor](https://www.xenproject.org/) We also recommend installing [Qubes OS](https://www.qubes-os.org/), although there Heads can `kexec` into any Linux or 
@@ -69,7 +69,7 @@ Notes: * Building coreboot's cross compilers can take a while. Luckily this is only done once. * Builds are finally reproducible! The [reproduciblebuilds tag](https://github.com/osresearch/heads/issues?q=is%3Aopen+is%3Aissue+milestone%3Areproduciblebuilds) tracks any regressions. -* Currently only tested in QEMU, the Thinkpad x230 and the Chell Chromebook. +* Currently only tested in QEMU, the Thinkpad x230, Librem series and the Chell Chromebook. ** Xen and the TPM do not work in QEMU, so it is only for testing the `initrd` image. * Building for the Lenovo X220 requires binary blobs to be placed in the blobs/x220/ folder. See the readme.md file in that folder From b1471d945ad91bf95e79fd5bcc41020b7d324e66 Mon Sep 17 00:00:00 2001 From: Sebastian McMillan <22755892+SebastianMcMillan@users.noreply.github.com> Date: Mon, 9 Mar 2020 15:53:19 -0500 Subject: [PATCH 095/189] Update coreboot-x220.config Add some room in the CBFS to actually save GPG keys, as well as have room to add libremkey support. --- config/coreboot-x220.config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/coreboot-x220.config b/config/coreboot-x220.config index ab22774a7..01a66302e 100644 --- a/config/coreboot-x220.config +++ b/config/coreboot-x220.config @@ -5,7 +5,7 @@ CONFIG_ANY_TOOLCHAIN=y CONFIG_USE_BLOBS=y CONFIG_MEASURED_BOOT=y CONFIG_VENDOR_LENOVO=y -CONFIG_CBFS_SIZE=0x700000 +CONFIG_CBFS_SIZE=0x750000 CONFIG_ONBOARD_VGA_IS_PRIMARY=y CONFIG_HAVE_IFD_BIN=y CONFIG_HAVE_ME_BIN=y From cc2eb8f207248f97bf71e72e4783965f0e13991a Mon Sep 17 00:00:00 2001 From: Sebastian McMillan <22755892+SebastianMcMillan@users.noreply.github.com> Date: Mon, 9 Mar 2020 15:59:00 -0500 Subject: [PATCH 096/189] Update coreboot-t420.config --- config/coreboot-t420.config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/coreboot-t420.config b/config/coreboot-t420.config index 82095d22a..793ff17d6 100644 --- a/config/coreboot-t420.config 
+++ b/config/coreboot-t420.config @@ -5,7 +5,7 @@ CONFIG_ANY_TOOLCHAIN=y CONFIG_USE_BLOBS=y CONFIG_MEASURED_BOOT=y CONFIG_VENDOR_LENOVO=y -CONFIG_CBFS_SIZE=0x700000 +CONFIG_CBFS_SIZE=0x750000 CONFIG_ONBOARD_VGA_IS_PRIMARY=y CONFIG_HAVE_IFD_BIN=y CONFIG_HAVE_ME_BIN=y From 58cb8df26652f2fe03764ea921cf90bae63aec83 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Sun, 15 Mar 2020 11:05:54 -0400 Subject: [PATCH 097/189] coreboot-4.8.1: acpica-unix2 cannot be downloaded per www.acpica.org since cert is signed by Intel which cert authority is unknown from older build systems... Cert was renewed March 10 2020. URL changed to crux.ster.zone --- .../0060-buildgcc-acpica-unix2-url-change.patch | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 patches/coreboot-4.8.1/0060-buildgcc-acpica-unix2-url-change.patch diff --git a/patches/coreboot-4.8.1/0060-buildgcc-acpica-unix2-url-change.patch b/patches/coreboot-4.8.1/0060-buildgcc-acpica-unix2-url-change.patch new file mode 100644 index 000000000..50937453d --- /dev/null +++ b/patches/coreboot-4.8.1/0060-buildgcc-acpica-unix2-url-change.patch @@ -0,0 +1,11 @@ +--- ./util/crossgcc/buildgcc.orig 2018-05-16 15:00:17.000000000 -0400 ++++ ./util/crossgcc/buildgcc 2020-03-15 10:47:36.186000000 -0400 +@@ -72,7 +72,7 @@ + GCC_ARCHIVE="https://ftpmirror.gnu.org/gcc/gcc-${GCC_VERSION}/gcc-${GCC_VERSION}.tar.xz" + BINUTILS_ARCHIVE="https://ftpmirror.gnu.org/binutils/binutils-${BINUTILS_VERSION}.tar.xz" + GDB_ARCHIVE="https://ftpmirror.gnu.org/gdb/gdb-${GDB_VERSION}.tar.xz" +-IASL_ARCHIVE="https://acpica.org/sites/acpica/files/acpica-unix2-${IASL_VERSION}.tar.gz" ++IASL_ARCHIVE="https://crux.ster.zone/distfiles/acpica-unix2-${IASL_VERSION}.tar.gz" + PYTHON_ARCHIVE="https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tar.xz" + EXPAT_ARCHIVE="https://downloads.sourceforge.net/sourceforge/expat/expat-${EXPAT_VERSION}.tar.bz2" + # CLANG toolchain archive locations 
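Review bot: The replacement `IASL_ARCHIVE` points at a third-party distfiles mirror (`crux.ster.zone`) instead of the upstream project, and nothing in this hunk pins a digest for the archive. The verification step in buildgcc is outside the hunk, so please confirm that the acpica-unix2 tarball is still checked against a checksum recorded in the tree before it is unpacked, and add one if it is not. The patch file would also benefit from a leading comment recording why the mirror is used and when it can be dropped, for example `# acpica.org certificate chain is not trusted by older build hosts; revert to upstream once CA bundles are updated`.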
From a16b97b6eabbd0e962f95bdc02ed3c1923bef456 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Thu, 26 Mar 2020 15:05:51 +0100 Subject: [PATCH 098/189] Add more input validation Based on tlaurion's work done here https://gitlab.com/tlaurion/heads/-/blob/ff148e4dafff2a01dc00ce92f115cb74a5557aa0/initrd/bin/factory-reset-libremkey.sh#L53 --- initrd/bin/oem-factory-reset | 37 +++++++++++++++++++++++++++--------- 1 file changed, 28 insertions(+), 9 deletions(-) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index a84e6a8cb..79f192678 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -89,6 +89,7 @@ gpg_key_reset() whiptail_error_die "GPG Key automatic keygen failed!\n\n$ERROR" fi } + gpg_key_change_pin() { # 1 = user PIN, 3 = admin PIN 
@@ -271,15 +272,33 @@ echo if [ "$prompt_output" == "y" \ -o "$prompt_output" == "Y" ] \ ; then - echo -e "\nPlease enter the following information...\n" - echo - echo -e -n "Real name: " - read GPG_USER_NAME - echo -e -n "Email address: " - read GPG_USER_MAIL - echo -e -n "Comment: " - read GPG_USER_COMMENT - echo + echo -e "\n\n" + echo -e "We will generate a GnuPG (PGP) keypair identifiable with the following text form:" + echo -e "Real Name (Comment) email@address.org" + + echo -e "\nEnter your Real Name (At least 5 characters long):" + read -r GPG_USER_NAME + while [[ ${#GPG_USER_NAME} -lt 5 ]]; do + { + echo -e "\nEnter your Real Name (At least 5 characters long):" + read -r GPG_USER_NAME + };done + + echo -e "\nEnter your email@adress.org:" + read -r GPG_USER_MAIL + while ! $(expr "$GPG_USER_MAIL" : '.*@' >/dev/null); do + { + echo -e "\nEnter your email@address.org:" + read -r GPG_USER_MAIL + };done + + echo -e "\nEnter Comment (Optional, to distinguish this key from others with same previous attributes. Must be smaller then 60 characters):" + read -r GPG_USER_MAIL + while [[ ${#gpgcard_comment} -gt 60 ]]; do + { + echo -e "\nEnter Comment (Optional, to distinguish this key from others with same previous attributes. Must be smaller then 60 characters):" + read -r GPG_USER_MAIL + };done fi ## sanity check the USB, GPG key, and boot device before proceeding further From b29447ef8f93cfe2c91be9a5754ebca31ee9fb5d Mon Sep 17 00:00:00 2001 
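Review bot: The comment prompt stores its answer in `GPG_USER_MAIL`, so whatever is typed as the comment overwrites the e-mail address that was just validated. Its loop guard tests `${#gpgcard_comment}`, which this hunk never assigns, so the 60-character limit does not appear to be enforced. Both `read` lines in that stanza should be `read -r GPG_USER_COMMENT` and the guard `while [[ ${#GPG_USER_COMMENT} -gt 60 ]]; do`, matching the variable the removed code used. The e-mail check `'.*@'` accepts any string containing `@`, so if these values are later interpolated into a gpg batch or command string (not visible in this hunk), whitespace and control characters should be rejected here as well.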
From: Matt DeVillier Date: Tue, 30 Jul 2019 21:46:34 -0500 Subject: [PATCH 099/189] modules/flashrom: update to v1.2 release - Update flashrom module to v1.2. - Drop Thinkpad x220 patch as it's now properly supported. - Drop 'laptop=force_I_want_a_brick' from board FLASHROM_OPTIONS since it's no longer needed. - Migrate kgpe-d16 patch. The kgpe-d16 patch needed a complete overhaul when rebased against flashrom v1.2, and needs close inspection/testing as a result. The following changes were made from the previous patch: - dropped addition of 4-byte addressing (4BA), since now supported - dropped addtiion of Macronix MX25L256 and MX66L512 chips, since now supported - added 4BA erase commands for Winbond W25Q256 chip - dropped code to show progress indicator, since another PR already adds that Signed-off-by: Matt DeVillier --- blobs/x220/readme.md | 2 +- boards/librem13v2/librem13v2.config | 2 +- boards/librem13v4/librem13v4.config | 2 +- boards/librem15v3/librem15v3.config | 2 +- boards/librem15v4/librem15v4.config | 2 +- boards/t420/t420.config | 2 +- boards/x220/x220.config | 2 +- boards/x230-flash/x230-flash.config | 2 +- boards/x230/x230.config | 2 +- modules/flashrom | 4 +- .../flashrom-1.0/0100-enable-kgpe-d16.patch | 2599 ----------------- .../0101-enable-thinkpad-x220.patch | 12 - .../flashrom-v1.2/0100-enable-kgpe-d16.patch | 1097 +++++++ 13 files changed, 1108 insertions(+), 2622 deletions(-) delete mode 100644 patches/flashrom-1.0/0100-enable-kgpe-d16.patch delete mode 100644 patches/flashrom-1.0/0101-enable-thinkpad-x220.patch create mode 100644 patches/flashrom-v1.2/0100-enable-kgpe-d16.patch diff --git a/blobs/x220/readme.md b/blobs/x220/readme.md index ff682f3b6..2d2ce210e 100644 --- a/blobs/x220/readme.md +++ b/blobs/x220/readme.md 
@@ -7,7 +7,7 @@ To get the binaries, start with a copy of the original Lenovo firmware image. If you do not have one already, you can read one out from the laptops SPI flash. ``` -flashrom --programmer internal:laptop=force_I_want_a_brick -r original.bin +flashrom --programmer internal -r original.bin ``` Once you have the image, the provided extraction script will extract the files needed. diff --git a/boards/librem13v2/librem13v2.config b/boards/librem13v2/librem13v2.config index 2d3f3aca2..776256be9 100644 --- a/boards/librem13v2/librem13v2.config +++ b/boards/librem13v2/librem13v2.config @@ -34,4 +34,4 @@ export CONFIG_BOOT_DEV="/dev/nvme0n1p1" export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 13v2 Heads Boot Menu" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" -export CONFIG_FLASHROM_OPTIONS="-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq" +export CONFIG_FLASHROM_OPTIONS="-p internal" diff --git a/boards/librem13v4/librem13v4.config b/boards/librem13v4/librem13v4.config index e1a4bbc09..1b0a83ab2 100644 --- a/boards/librem13v4/librem13v4.config +++ b/boards/librem13v4/librem13v4.config @@ -34,4 +34,4 @@ export CONFIG_BOOT_DEV="/dev/nvme0n1p1" export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 13v2 Heads Boot Menu" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" -export CONFIG_FLASHROM_OPTIONS="-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq" +export CONFIG_FLASHROM_OPTIONS="-p internal" diff --git a/boards/librem15v3/librem15v3.config b/boards/librem15v3/librem15v3.config index 2580e15b1..c73f5b8f2 100644 --- a/boards/librem15v3/librem15v3.config +++ b/boards/librem15v3/librem15v3.config 
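Review bot: The new `CONFIG_FLASHROM_OPTIONS` values drop `ich_spi_mode=hwseq` as well as `laptop=force_I_want_a_brick`, but the commit description only accounts for the second. This affects the librem13v2, librem13v4, librem15v3, librem15v4, t420, x220, x230-flash and x230 hunks. Since these options drive the firmware write path, please confirm on each board that flashrom v1.2 picks the intended SPI mode without the hint, or keep it as `-p internal:ich_spi_mode=hwseq`. If the removal is intentional, a comment above the line such as `# flashrom v1.2: laptop override and hwseq hint no longer required` would record that it was deliberate.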
@@ -36,4 +36,4 @@ export CONFIG_BOOT_DEV="/dev/nvme0n1p1" export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 15v3 Heads Boot Menu" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" -export CONFIG_FLASHROM_OPTIONS="-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq" +export CONFIG_FLASHROM_OPTIONS="-p internal" diff --git a/boards/librem15v4/librem15v4.config b/boards/librem15v4/librem15v4.config index 107be0325..b2349799d 100644 --- a/boards/librem15v4/librem15v4.config +++ b/boards/librem15v4/librem15v4.config @@ -36,4 +36,4 @@ export CONFIG_BOOT_DEV="/dev/nvme0n1p1" export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 15v4 Heads Boot Menu" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" -export CONFIG_FLASHROM_OPTIONS="-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq" +export CONFIG_FLASHROM_OPTIONS="-p internal" diff --git a/boards/t420/t420.config b/boards/t420/t420.config index ea4406424..71d769f23 100644 --- a/boards/t420/t420.config +++ b/boards/t420/t420.config @@ -33,4 +33,4 @@ export CONFIG_BOOT_DEV="/dev/sda1" export CONFIG_BOOT_GUI_MENU_NAME="ThinkPad T420 Heads Boot Menu" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" -export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios" +export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal --ifd --image bios" diff --git a/boards/x220/x220.config b/boards/x220/x220.config index 3af04149e..7548b773a 100644 --- a/boards/x220/x220.config +++ b/boards/x220/x220.config 
@@ -33,4 +33,4 @@ export CONFIG_BOOT_DEV="/dev/sda1" export CONFIG_BOOT_GUI_MENU_NAME="ThinkPad X220 Heads Boot Menu" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" -export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios" +export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal --ifd --image bios" diff --git a/boards/x230-flash/x230-flash.config b/boards/x230-flash/x230-flash.config index 5530ba27a..f991b1161 100644 --- a/boards/x230-flash/x230-flash.config +++ b/boards/x230-flash/x230-flash.config @@ -16,7 +16,7 @@ CONFIG_LINUX_USB=y CONFIG_LINUX_E1000E=y export CONFIG_BOOTSCRIPT=/bin/x230-flash.init -export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios" +export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal --ifd --image bios" # This board is "special" in that we only want the top 4 MB of the ROM # for flashing into SPI flash 1 on the mainboard. This is enough to diff --git a/boards/x230/x230.config b/boards/x230/x230.config index ad49270eb..48a11525b 100644 --- a/boards/x230/x230.config +++ b/boards/x230/x230.config @@ -33,7 +33,7 @@ export CONFIG_BOOT_DEV="/dev/sda1" export CONFIG_BOOT_GUI_MENU_NAME="Thinkpad X230 Heads Boot Menu" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" -export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios" +export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal --ifd --image bios" # This board has two SPI flash chips, an 8 MB that holds the IFD, # the ME image and part of the coreboot image, and a 4 MB one that 
diff --git a/modules/flashrom b/modules/flashrom index 0a29b1846..1f6b1566c 100644 --- a/modules/flashrom +++ b/modules/flashrom @@ -5,11 +5,11 @@ flashrom_depends := pciutils $(musl_dep) #flashrom_version := git #flashrom_repo := https://github.com/osresearch/flashrom -flashrom_version := 1.0 +flashrom_version := v1.2 flashrom_dir := flashrom-$(flashrom_version) flashrom_tar := flashrom-$(flashrom_version).tar.bz2 flashrom_url := https://download.flashrom.org/releases/$(flashrom_tar) -flashrom_hash := 3702fa215ba5fb5af8e54c852d239899cfa1389194c1e51cb2a170c4dc9dee64 +flashrom_hash := e1f8d95881f5a4365dfe58776ce821dfcee0f138f75d0f44f8a3cd032d9ea42b flashrom_target := \ $(MAKE_JOBS) \ diff --git a/patches/flashrom-1.0/0100-enable-kgpe-d16.patch b/patches/flashrom-1.0/0100-enable-kgpe-d16.patch deleted file mode 100644 index 429e18677..000000000 --- a/patches/flashrom-1.0/0100-enable-kgpe-d16.patch +++ /dev/null 
@@ -1,2599 +0,0 @@ -diff --git ./Makefile ./Makefile -index 9cf52b2..3bc0d8c 100644 ---- ./Makefile -+++ ./Makefile -@@ -214,6 +214,16 @@ UNSUPPORTED_FEATURES += CONFIG_GFXNVIDIA=yes - else - override CONFIG_GFXNVIDIA = no - endif -+ifeq ($(CONFIG_AST1100), yes) -+UNSUPPORTED_FEATURES += CONFIG_AST1100=yes -+else -+override CONFIG_AST1100 = no -+endif -+ifeq ($(CONFIG_AST2400), yes) -+UNSUPPORTED_FEATURES += CONFIG_AST2400=yes -+else -+override CONFIG_AST2400 = no -+endif - ifeq ($(CONFIG_SATASII), yes) - UNSUPPORTED_FEATURES += CONFIG_SATASII=yes - else -@@ -441,6 +451,16 @@ UNSUPPORTED_FEATURES += CONFIG_GFXNVIDIA=yes - else - override CONFIG_GFXNVIDIA = no - endif -+ifeq ($(CONFIG_AST1100), yes) -+UNSUPPORTED_FEATURES += CONFIG_AST1100=yes -+else -+override CONFIG_AST1100 = no -+endif -+ifeq ($(CONFIG_AST2400), yes) -+UNSUPPORTED_FEATURES += CONFIG_AST2400=yes -+else -+override CONFIG_AST2400 = no -+endif - ifeq ($(CONFIG_SATASII), yes) - UNSUPPORTED_FEATURES += CONFIG_SATASII=yes - else -@@ -514,7 +534,7 @@ endif - CHIP_OBJS = jedec.o stm50.o w39.o w29ee011.o \ - sst28sf040.o 82802ab.o \ - sst49lfxxxc.o sst_fwhub.o flashchips.o spi.o spi25.o spi25_statusreg.o \ -- opaque.o sfdp.o en29lv640b.o at45db.o -+ spi4ba.o opaque.o sfdp.o en29lv640b.o at45db.o - - ############################################################################### - # Library code. -@@ -565,6 +585,12 @@ CONFIG_NIC3COM ?= yes - # Enable NVIDIA graphics cards. Note: write and erase do not work properly. - CONFIG_GFXNVIDIA ?= yes - -+# Enable AST1100 BMC SoCs. -+CONFIG_AST1100 ?= yes -+ -+# Enable AST2400 BMC SoCs. -+CONFIG_AST2400 ?= yes -+ - # Always enable SiI SATA controllers for now. 
- CONFIG_SATASII ?= yes - -@@ -664,6 +690,8 @@ ifeq ($(CONFIG_ENABLE_LIBPCI_PROGRAMMERS), no) - override CONFIG_INTERNAL = no - override CONFIG_NIC3COM = no - override CONFIG_GFXNVIDIA = no -+override CONFIG_AST1100 = no -+override CONFIG_AST2400 = no - override CONFIG_SATASII = no - override CONFIG_ATAHPT = no - override CONFIG_ATAVIA = no -@@ -776,6 +804,18 @@ PROGRAMMER_OBJS += gfxnvidia.o - NEED_LIBPCI += CONFIG_GFXNVIDIA - endif - -+ifeq ($(CONFIG_AST1100), yes) -+FEATURE_CFLAGS += -D'CONFIG_AST1100=1' -+PROGRAMMER_OBJS += ast1100.o -+NEED_LIBPCI += CONFIG_AST1100 -+endif -+ -+ifeq ($(CONFIG_AST2400), yes) -+FEATURE_CFLAGS += -D'CONFIG_AST2400=1' -+PROGRAMMER_OBJS += ast2400.o -+NEED_LIBPCI += CONFIG_AST2400 -+endif -+ - ifeq ($(CONFIG_SATASII), yes) - FEATURE_CFLAGS += -D'CONFIG_SATASII=1' - PROGRAMMER_OBJS += satasii.o -diff --git ./ast1100.c ./ast1100.c -new file mode 100644 -index 0000000..cf28422 ---- /dev/null -+++ ./ast1100.c -@@ -0,0 +1,421 @@ -+/* -+ * This file is part of the flashrom project. -+ * -+ * Copyright (C) 2017 Raptor Engineering, LLC -+ * -+ * This program is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 2 of the License, or -+ * (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. 
-+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA -+ */ -+ -+#include -+#include -+#include "flash.h" -+#include "programmer.h" -+#include "hwaccess.h" -+ -+#define PCI_VENDOR_ID_ASPEED 0x1a03 -+ -+#define ASPEED_MEMMAP_SIZE (128 * 1024) -+#define ASPEED_P2A_OFFSET 0x10000 -+ -+#define AST1100_SCU_APB_ADDR 0x1e6e2000 -+#define AST1100_SCU_APB_BRIDGE_OFFSET (AST1100_SCU_APB_ADDR & 0xffff) -+#define AST1100_SCU_PROT_KEY 0x00 -+#define AST1100_SCU_HW_STRAP 0x70 -+ -+#define AST1100_SCU_PASSWORD 0x1688a8a8 -+#define AST1100_SCU_BOOT_SRC_MASK 0x3 -+#define AST1100_SCU_BOOT_SPI 0x2 -+#define AST1100_SCU_BOOT_NONE 0x3 -+ -+#define AST1100_SMC_APB_ADDR 0x16000000 -+#define AST1100_SMC_SMC00 0x00 -+#define AST1100_SMC_CE_CTL(N) (0x4 + (N * 4)) -+ -+#define AST1100_SMC_SEGMENT_SIZE_MASK 0x3 -+#define AST1100_SMC_SEGMENT_SIZE_32M 0x0 -+#define AST1100_SMC_SEGMENT_SIZE_16M 0x1 -+#define AST1100_SMC_SEGMENT_SIZE_8M 0x2 -+#define AST1100_SMC_SEGMENT_SIZE_4M 0x3 -+ -+#define AST1100_SMC_FLASH_MMIO_ADDR 0x10000000 -+ -+#define AST1100_SPI_CMD_FAST_R_MODE 0x1 -+#define AST1100_SPI_CMD_USER_MODE 0x3 -+#define AST1100_SPI_CMD_MASK 0x3 -+#define AST1100_SPI_STOP_CE_ACTIVE (0x1 << 2) -+#define AST1100_SPI_SPEED_SHIFT 8 -+#define AST1100_SPI_SPEED_MASK (0x7 << AST1100_SPI_SPEED_SHIFT) -+ -+#define AST1100_SPI_FLASH_MMIO_ADDR 0x30000000 -+ -+#define AST1100_WDT_APB_ADDR 0x1e785000 -+#define AST1100_WDT_APB_BRIDGE_OFFSET (AST1100_WDT_APB_ADDR & 0xffff) -+ -+#define AST1100_WDT1_CTR 0x00 -+#define AST1100_WDT1_CTR_RELOAD 0x04 -+#define AST1100_WDT1_CTR_RESTART 0x08 -+#define AST1100_WDT1_CTL 0x0c -+ -+#define AST1100_WDT_SET_CLOCK (0x1 << 4) -+#define AST1100_WDT_RESET_SYSTEM (0x1 << 1) -+#define AST1100_WDT_ENABLE (0x1 << 0) -+ -+uint8_t *ast1100_device_bar = 0; -+uint8_t ast1100_device_spi_bus = 0; -+uint8_t 
ast1100_device_spi_speed = 0; -+uint8_t ast1100_device_halt_cpu = 0; -+uint8_t ast1100_device_reset_cpu = 0; -+uint8_t ast1100_device_resume_cpu = 0; -+uint8_t ast1100_device_tickle_fw = 0; -+uint32_t ast1100_device_flash_mmio_offset = 0; -+uint32_t ast1100_original_wdt_conf = 0; -+ -+const struct dev_entry bmc_aspeed_ast1100[] = { -+ {PCI_VENDOR_ID_ASPEED, 0x2000, OK, "ASPEED", "AST1100" }, -+ -+ {0}, -+}; -+ -+static int ast1100_spi_send_command(struct flashctx *flash, -+ unsigned int writecnt, unsigned int readcnt, -+ const unsigned char *writearr, -+ unsigned char *readarr); -+ -+static const struct spi_master spi_master_ast1100 = { -+ .type = SPI_CONTROLLER_AST1100, -+ .max_data_read = 256, -+ .max_data_write = 256, -+ .command = ast1100_spi_send_command, -+ .multicommand = default_spi_send_multicommand, -+ .read = default_spi_read, -+ .write_256 = default_spi_write_256, -+ .write_aai = default_spi_write_aai, -+}; -+ -+static int ast1100_set_a2b_bridge_scu(void) -+{ -+ pci_mmio_writel(0x0, ast1100_device_bar + 0xf000); -+ pci_mmio_writel(AST1100_SCU_APB_ADDR & 0xffff0000, ast1100_device_bar + 0xf004); -+ pci_mmio_writel(0x1, ast1100_device_bar + 0xf000); -+ -+ return 0; -+} -+ -+static int ast1100_set_a2b_bridge_wdt(void) -+{ -+ pci_mmio_writel(0x0, ast1100_device_bar + 0xf000); -+ pci_mmio_writel(AST1100_WDT_APB_ADDR & 0xffff0000, ast1100_device_bar + 0xf004); -+ pci_mmio_writel(0x1, ast1100_device_bar + 0xf000); -+ -+ return 0; -+} -+ -+static int ast1100_set_a2b_bridge_smc(void) -+{ -+ pci_mmio_writel(0x0, ast1100_device_bar + 0xf000); -+ pci_mmio_writel(AST1100_SMC_APB_ADDR, ast1100_device_bar + 0xf004); -+ pci_mmio_writel(0x1, ast1100_device_bar + 0xf000); -+ -+ return 0; -+} -+ -+static int ast1100_set_a2b_bridge_smc_flash(void) -+{ -+ pci_mmio_writel(0x0, ast1100_device_bar + 0xf000); -+ pci_mmio_writel(AST1100_SMC_FLASH_MMIO_ADDR + ast1100_device_flash_mmio_offset, ast1100_device_bar + 0xf004); -+ pci_mmio_writel(0x1, ast1100_device_bar + 0xf000); -+ 
-+ return 0; -+} -+ -+static int ast1100_disable_cpu(void) { -+ uint32_t dword; -+ -+ if (ast1100_device_halt_cpu) { -+ dword = pci_mmio_readl(ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SCU_APB_BRIDGE_OFFSET + AST1100_SCU_HW_STRAP); -+ if (((dword & AST1100_SCU_BOOT_SRC_MASK) != AST1100_SCU_BOOT_SPI) -+ && ((dword & AST1100_SCU_BOOT_SRC_MASK) != AST1100_SCU_BOOT_NONE)) { /* NONE permitted to allow for BMC recovery after Ctrl+C or crash */ -+ msg_perr("CPU halt requested but CPU firmware source is not SPI.\n"); -+ pci_mmio_writel(0x0, ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SCU_APB_BRIDGE_OFFSET + AST1100_SCU_PROT_KEY); -+ ast1100_device_halt_cpu = 0; -+ return 1; -+ } -+ -+ /* Disable CPU */ -+ ast1100_set_a2b_bridge_scu(); -+ pci_mmio_writel((dword & ~AST1100_SCU_BOOT_SRC_MASK) | AST1100_SCU_BOOT_NONE, ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SCU_APB_BRIDGE_OFFSET + AST1100_SCU_HW_STRAP); -+ ast1100_original_wdt_conf = pci_mmio_readl(ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_WDT_APB_BRIDGE_OFFSET + AST1100_WDT1_CTL); -+ pci_mmio_writel(ast1100_original_wdt_conf & 0xffff0, ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_WDT_APB_BRIDGE_OFFSET + AST1100_WDT1_CTL); -+ } -+ -+ return 0; -+} -+ -+static int ast1100_enable_cpu(void) { -+ uint32_t dword; -+ -+ if (ast1100_device_halt_cpu && ast1100_device_resume_cpu) { -+ /* Re-enable CPU */ -+ ast1100_set_a2b_bridge_scu(); -+ dword = pci_mmio_readl(ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SCU_APB_BRIDGE_OFFSET + AST1100_SCU_HW_STRAP); -+ pci_mmio_writel((dword & ~AST1100_SCU_BOOT_SRC_MASK) | AST1100_SCU_BOOT_SPI, ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SCU_APB_BRIDGE_OFFSET + AST1100_SCU_HW_STRAP); -+ } -+ -+ return 0; -+} -+ -+static int ast1100_reset_cpu(void) { -+ if (ast1100_device_reset_cpu) { -+ /* Disable WDT from issuing full SoC reset -+ * Without this, OpenPOWER systems will crash when the GPIO blocks are reset on WDT timeout -+ */ -+ msg_pinfo("Configuring P2A 
bridge for WDT access\n"); -+ ast1100_set_a2b_bridge_wdt(); -+ ast1100_original_wdt_conf = pci_mmio_readl(ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_WDT_APB_BRIDGE_OFFSET + AST1100_WDT1_CTL); -+ -+ /* Initiate reset */ -+ msg_pinfo("Setting WDT to reset CPU immediately\n"); -+ pci_mmio_writel(ast1100_original_wdt_conf & 0xffff0, ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_WDT_APB_BRIDGE_OFFSET + AST1100_WDT1_CTL); -+ pci_mmio_writel(0xec08ce00, ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_WDT_APB_BRIDGE_OFFSET + AST1100_WDT1_CTR_RELOAD); -+ pci_mmio_writel(0x4755, ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_WDT_APB_BRIDGE_OFFSET + AST1100_WDT1_CTR_RESTART); -+ pci_mmio_writel(AST1100_WDT_SET_CLOCK, ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_WDT_APB_BRIDGE_OFFSET + AST1100_WDT1_CTL); -+ pci_mmio_writel(AST1100_WDT_RESET_SYSTEM | AST1100_WDT_ENABLE, ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_WDT_APB_BRIDGE_OFFSET + AST1100_WDT1_CTL); -+ -+ } -+ -+ return 0; -+} -+ -+static int ast1100_shutdown(void *data) { -+ /* Reactivate CPU if previously deactivated */ -+ ast1100_enable_cpu(); -+ -+ /* Reset CPU if requested */ -+ ast1100_reset_cpu(); -+ -+ /* Disable backdoor APB access */ -+ pci_mmio_writel(0x0, ast1100_device_bar + 0xf000); -+ -+ return 0; -+} -+ -+int ast1100_init(void) -+{ -+ struct pci_dev *dev = NULL; -+ uint32_t dword; -+ -+ char *arg; -+ -+ ast1100_device_spi_bus = 0; -+ arg = extract_programmer_param("spibus"); -+ if (arg) -+ ast1100_device_spi_bus = strtol(arg, NULL, 0); -+ free(arg); -+ -+ ast1100_device_spi_speed = 0; -+ arg = extract_programmer_param("spispeed"); -+ if (arg) -+ ast1100_device_spi_speed = strtol(arg, NULL, 0); -+ free(arg); -+ -+ ast1100_device_halt_cpu = 0; -+ arg = extract_programmer_param("cpu"); -+ if (arg && !strcmp(arg,"pause")) { -+ ast1100_device_halt_cpu = 1; -+ ast1100_device_resume_cpu = 1; -+ ast1100_device_reset_cpu = 0; -+ } -+ else if (arg && !strcmp(arg,"halt")) { -+ 
ast1100_device_halt_cpu = 1; -+ ast1100_device_resume_cpu = 0; -+ ast1100_device_reset_cpu = 0; -+ } -+ else if (arg && !strcmp(arg,"reset")) { -+ ast1100_device_halt_cpu = 1; -+ ast1100_device_resume_cpu = 1; -+ ast1100_device_reset_cpu = 1; -+ } -+ else if (arg) { -+ msg_perr("Invalid CPU option! Valid values are: pause | halt | reset\n"); -+ return 1; -+ } -+ arg = extract_programmer_param("tickle"); -+ if (arg && !strcmp(arg,"true")) -+ ast1100_device_tickle_fw = 1; -+ free(arg); -+ -+ if ((ast1100_device_spi_bus < 0) || (ast1100_device_spi_bus > 2)) { -+ msg_perr("SPI bus number out of range! Valid values are 0 - 2.\n"); -+ return 1; -+ } -+ -+ if (rget_io_perms()) -+ return 1; -+ -+ dev = pcidev_init(bmc_aspeed_ast1100, PCI_BASE_ADDRESS_1); -+ if (!dev) -+ return 1; -+ -+ uintptr_t io_base_addr = pcidev_readbar(dev, PCI_BASE_ADDRESS_1); -+ if (!io_base_addr) -+ return 1; -+ -+ msg_pinfo("Detected ASPEED MMIO base address: %p.\n", (void*)io_base_addr); -+ -+ ast1100_device_bar = rphysmap("ASPEED", io_base_addr, ASPEED_MEMMAP_SIZE); -+ if (ast1100_device_bar == ERROR_PTR) -+ return 1; -+ -+ if (register_shutdown(ast1100_shutdown, dev)) -+ return 1; -+ -+ io_base_addr += ASPEED_P2A_OFFSET; -+ msg_pinfo("ASPEED P2A base address: %p.\n", (void*)io_base_addr); -+ -+ msg_pinfo("Configuring P2A bridge for SCU access\n"); -+ ast1100_set_a2b_bridge_scu(); -+ pci_mmio_writel(AST1100_SCU_PASSWORD, ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SCU_APB_BRIDGE_OFFSET + AST1100_SCU_PROT_KEY); -+ -+ /* Halt CPU if requested */ -+ if (ast1100_disable_cpu()) -+ return 1; -+ -+ msg_pinfo("Configuring P2A bridge for SMC access\n"); -+ ast1100_set_a2b_bridge_smc(); -+ -+ dword = pci_mmio_readl(ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SMC_SMC00); -+ if (((dword >> ((ast1100_device_spi_bus * 2) + 4)) & 0x3) != 0x2) { -+ msg_perr("CE%01x Flash type is not SPI!\n", ast1100_device_spi_bus); -+ return 1; -+ } -+ -+ msg_pinfo("Setting CE%01x SPI relative clock speed to %d\n", 
ast1100_device_spi_bus, ast1100_device_spi_speed);
-+ dword = pci_mmio_readl(ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SMC_CE_CTL(ast1100_device_spi_bus));
-+ dword &= ~AST1100_SPI_SPEED_MASK;
-+ pci_mmio_writel(dword | ((ast1100_device_spi_speed << AST1100_SPI_SPEED_SHIFT) & AST1100_SPI_SPEED_MASK), ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SMC_CE_CTL(ast1100_device_spi_bus));
-+
-+ msg_pinfo("Enabling CE%01x write\n", ast1100_device_spi_bus);
-+ dword = pci_mmio_readl(ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SMC_SMC00);
-+ pci_mmio_writel(dword | (0x1 << (10 + ast1100_device_spi_bus)), ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SMC_SMC00);
-+
-+ dword = pci_mmio_readl(ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SMC_SMC00);
-+ dword &= AST1100_SMC_SEGMENT_SIZE_MASK;
-+ switch (dword & AST1100_SMC_SEGMENT_SIZE_MASK) {
-+ case AST1100_SMC_SEGMENT_SIZE_32M:
-+ ast1100_device_flash_mmio_offset = 0x2000000;
-+ break;
-+ case AST1100_SMC_SEGMENT_SIZE_16M:
-+ ast1100_device_flash_mmio_offset = 0x1000000;
-+ break;
-+ case AST1100_SMC_SEGMENT_SIZE_8M:
-+ ast1100_device_flash_mmio_offset = 0x800000;
-+ break;
-+ case AST1100_SMC_SEGMENT_SIZE_4M:
-+ ast1100_device_flash_mmio_offset = 0x400000;
-+ break;
-+ default:
-+ ast1100_device_flash_mmio_offset = 0x2000000;
-+ }
-+ msg_pinfo("Segment size: 0x%08x\n", ast1100_device_flash_mmio_offset);
-+
-+ ast1100_device_flash_mmio_offset = ast1100_device_flash_mmio_offset * ast1100_device_spi_bus;
-+ msg_pinfo("Using CE%01x offset 0x%08x\n", ast1100_device_spi_bus, ast1100_device_flash_mmio_offset);
-+
-+ register_spi_master(&spi_master_ast1100);
-+
-+ return 0;
-+}
-+
-+static void ast1100_spi_xfer_data(struct flashctx *flash,
-+ unsigned int writecnt, unsigned int readcnt,
-+ const unsigned char *writearr,
-+ unsigned char *readarr)
-+{
-+ int i;
-+ uint32_t dword;
-+
-+ for (i = 0; i < writecnt; i++)
-+ msg_pspew("[%02x]", writearr[i]);
-+ msg_pspew("\n");
-+
-+ for (i = 0; i < writecnt; i=i+4) {
-+ if ((writecnt - i) < 4)
-+ break;
-+ dword = writearr[i];
-+ dword |= writearr[i + 1] << 8;
-+ dword |= writearr[i + 2] << 16;
-+ dword |= writearr[i + 3] << 24;
-+ pci_mmio_writel(dword, ast1100_device_bar + ASPEED_P2A_OFFSET);
-+ }
-+ for (; i < writecnt; i++)
-+ pci_mmio_writeb(writearr[i], ast1100_device_bar + ASPEED_P2A_OFFSET);
-+ programmer_delay(1);
-+ for (i = 0; i < readcnt;) {
-+ dword = pci_mmio_readl(ast1100_device_bar + ASPEED_P2A_OFFSET);
-+ if (i < readcnt)
-+ readarr[i] = dword & 0xff;
-+ i++;
-+ if (i < readcnt)
-+ readarr[i] = (dword >> 8) & 0xff;
-+ i++;
-+ if (i < readcnt)
-+ readarr[i] = (dword >> 16) & 0xff;
-+ i++;
-+ if (i < readcnt)
-+ readarr[i] = (dword >> 24) & 0xff;
-+ i++;
-+ }
-+
-+ for (i = 0; i < readcnt; i++)
-+ msg_pspew("[%02x]", readarr[i]);
-+ msg_pspew("\n");
-+}
-+
-+/* Returns 0 upon success, a negative number upon errors. */
-+static int ast1100_spi_send_command(struct flashctx *flash,
-+ unsigned int writecnt, unsigned int readcnt,
-+ const unsigned char *writearr,
-+ unsigned char *readarr)
-+{
-+ uint32_t dword;
-+
-+ msg_pspew("%s, cmd=0x%02x, writecnt=%d, readcnt=%d\n", __func__, *writearr, writecnt, readcnt);
-+
-+ /* Set up user command mode */
-+ ast1100_set_a2b_bridge_smc();
-+ dword = pci_mmio_readl(ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SMC_CE_CTL(ast1100_device_spi_bus));
-+ pci_mmio_writel(dword | AST1100_SPI_CMD_USER_MODE, ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SMC_CE_CTL(ast1100_device_spi_bus));
-+ dword = pci_mmio_readl(ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SMC_CE_CTL(ast1100_device_spi_bus));
-+ pci_mmio_writel(dword & ~AST1100_SPI_STOP_CE_ACTIVE, ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SMC_CE_CTL(ast1100_device_spi_bus));
-+
-+ /* Transfer data */
-+ ast1100_set_a2b_bridge_smc_flash();
-+ ast1100_spi_xfer_data(flash, writecnt, readcnt, writearr, readarr);
-+
-+ /* Tear down user command mode */
-+ ast1100_set_a2b_bridge_smc();
-+ dword =
pci_mmio_readl(ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SMC_CE_CTL(ast1100_device_spi_bus));
-+ pci_mmio_writel(dword | AST1100_SPI_STOP_CE_ACTIVE, ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SMC_CE_CTL(ast1100_device_spi_bus));
-+ dword = pci_mmio_readl(ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SMC_CE_CTL(ast1100_device_spi_bus));
-+ pci_mmio_writel((dword & ~AST1100_SPI_CMD_MASK) | AST1100_SPI_CMD_FAST_R_MODE, ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SMC_CE_CTL(ast1100_device_spi_bus));
-+
-+ if (ast1100_device_tickle_fw) {
-+ ast1100_enable_cpu();
-+ programmer_delay(100);
-+ ast1100_disable_cpu();
-+ }
-+
-+ return 0;
-+}
-diff --git ./ast2400.c ./ast2400.c
-new file mode 100644
-index 0000000..01cee76
---- /dev/null
-+++ ./ast2400.c
-@@ -0,0 +1,426 @@
-+/*
-+ * This file is part of the flashrom project.
-+ *
-+ * Copyright (C) 2016 - 2017 Raptor Engineering, LLC
-+ *
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 2 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * This program is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ * GNU General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with this program; if not, write to the Free Software
-+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
-+ */
-+
-+#include
-+#include
-+#include "flash.h"
-+#include "programmer.h"
-+#include "hwaccess.h"
-+
-+#define PCI_VENDOR_ID_ASPEED 0x1a03
-+
-+#define ASPEED_MEMMAP_SIZE (128 * 1024)
-+#define ASPEED_P2A_OFFSET 0x10000
-+
-+#define AST2400_SCU_APB_ADDR 0x1e6e2000
-+#define AST2400_SCU_APB_BRIDGE_OFFSET (AST2400_SCU_APB_ADDR & 0xffff)
-+#define AST2400_SCU_PROT_KEY 0x00
-+#define AST2400_SCU_MISC_CTL 0x2c
-+#define AST2400_SCU_HW_STRAP 0x70
-+
-+#define AST2400_SCU_PASSWORD 0x1688a8a8
-+#define AST2400_SCU_BOOT_SRC_MASK 0x3
-+#define AST2400_SCU_BOOT_SPI 0x2
-+#define AST2400_SCU_BOOT_NONE 0x3
-+
-+#define AST2400_SMC_APB_ADDR 0x1e620000
-+#define AST2400_SMC_FMC00 0x00
-+#define AST2400_SMC_CE_CTL(N) (0x10 + (N * 4))
-+#define AST2400_SMC_CE_SEG(N) (0x30 + (N * 4))
-+
-+#define AST2400_SMC_FLASH_MMIO_ADDR 0x20000000
-+
-+#define AST2400_SPI_APB_ADDR 0x1e630000
-+#define AST2400_SPI_CFG 0x00
-+#define AST2400_SPI_CTL 0x04
-+
-+#define AST2400_SPI_CFG_WRITE_EN 0x1
-+#define AST2400_SPI_CMD_FAST_R_MODE 0x1
-+#define AST2400_SPI_CMD_USER_MODE 0x3
-+#define AST2400_SPI_CMD_MASK 0x3
-+#define AST2400_SPI_STOP_CE_ACTIVE (0x1 << 2)
-+#define AST2400_SPI_CPOL_1 (0x1 << 4)
-+#define AST2400_SPI_LSB_FIRST_CTRL (0x1 << 5)
-+#define AST2400_SPI_SPEED_MASK (0xf << 8)
-+#define AST2400_SPI_IO_MODE_MASK (0x3 << 28)
-+
-+#define AST2400_SPI_FLASH_MMIO_ADDR 0x30000000
-+
-+#define AST2400_WDT_APB_ADDR 0x1e785000
-+#define AST2400_WDT_APB_BRIDGE_OFFSET (AST2400_WDT_APB_ADDR & 0xffff)
-+
-+#define AST2400_WDT1_CTL 0x0c
-+
-+#define AST2400_WDT_RESET_MODE_MASK (0x3 << 5)
-+#define AST2400_WDT_RESET_CPU_ONLY (0x2 << 5)
-+
-+uint8_t *ast2400_device_bar = 0;
-+uint8_t ast2400_device_spi_bus = 0;
-+uint8_t ast2400_device_halt_cpu = 0;
-+uint8_t ast2400_device_resume_cpu
= 0;
-+uint8_t ast2400_device_tickle_fw = 0;
-+uint32_t ast2400_device_flash_mmio_offset = 0;
-+uint32_t ast2400_device_host_mode = 0;
-+uint32_t ast2400_original_wdt_conf = 0;
-+
-+const struct dev_entry bmc_aspeed_ast2400[] = {
-+ {PCI_VENDOR_ID_ASPEED, 0x2000, OK, "ASPEED", "AST2400" },
-+
-+ {0},
-+};
-+
-+static int ast2400_spi_send_command(struct flashctx *flash,
-+ unsigned int writecnt, unsigned int readcnt,
-+ const unsigned char *writearr,
-+ unsigned char *readarr);
-+
-+static const struct spi_master spi_master_ast2400 = {
-+ .type = SPI_CONTROLLER_AST2400,
-+ .max_data_read = 256,
-+ .max_data_write = 256,
-+ .command = ast2400_spi_send_command,
-+ .multicommand = default_spi_send_multicommand,
-+ .read = default_spi_read,
-+ .write_256 = default_spi_write_256,
-+ .write_aai = default_spi_write_aai,
-+};
-+
-+static int ast2400_set_a2b_bridge_scu(void)
-+{
-+ pci_mmio_writel(0x0, ast2400_device_bar + 0xf000);
-+ pci_mmio_writel(AST2400_SCU_APB_ADDR & 0xffff0000, ast2400_device_bar + 0xf004);
-+ pci_mmio_writel(0x1, ast2400_device_bar + 0xf000);
-+
-+ return 0;
-+}
-+
-+static int ast2400_set_a2b_bridge_wdt(void)
-+{
-+ pci_mmio_writel(0x0, ast2400_device_bar + 0xf000);
-+ pci_mmio_writel(AST2400_WDT_APB_ADDR & 0xffff0000, ast2400_device_bar + 0xf004);
-+ pci_mmio_writel(0x1, ast2400_device_bar + 0xf000);
-+
-+ return 0;
-+}
-+
-+static int ast2400_set_a2b_bridge_smc(void)
-+{
-+ pci_mmio_writel(0x0, ast2400_device_bar + 0xf000);
-+ pci_mmio_writel(AST2400_SMC_APB_ADDR, ast2400_device_bar + 0xf004);
-+ pci_mmio_writel(0x1, ast2400_device_bar + 0xf000);
-+
-+ return 0;
-+}
-+
-+static int ast2400_set_a2b_bridge_spi(void)
-+{
-+ pci_mmio_writel(0x0, ast2400_device_bar + 0xf000);
-+ pci_mmio_writel(AST2400_SPI_APB_ADDR, ast2400_device_bar + 0xf004);
-+ pci_mmio_writel(0x1, ast2400_device_bar + 0xf000);
-+
-+ return 0;
-+}
-+
-+static int ast2400_set_a2b_bridge_smc_flash(void)
-+{
-+ pci_mmio_writel(0x0, ast2400_device_bar + 0xf000);
-+
pci_mmio_writel(AST2400_SMC_FLASH_MMIO_ADDR + ast2400_device_flash_mmio_offset, ast2400_device_bar + 0xf004);
-+ pci_mmio_writel(0x1, ast2400_device_bar + 0xf000);
-+
-+ return 0;
-+}
-+
-+static int ast2400_set_a2b_bridge_spi_flash(void)
-+{
-+ pci_mmio_writel(0x0, ast2400_device_bar + 0xf000);
-+ pci_mmio_writel(AST2400_SPI_FLASH_MMIO_ADDR, ast2400_device_bar + 0xf004);
-+ pci_mmio_writel(0x1, ast2400_device_bar + 0xf000);
-+
-+ return 0;
-+}
-+
-+static int ast2400_disable_cpu(void) {
-+ uint32_t dword;
-+
-+ if (ast2400_device_halt_cpu) {
-+ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SCU_APB_BRIDGE_OFFSET + AST2400_SCU_HW_STRAP);
-+ if (((dword & AST2400_SCU_BOOT_SRC_MASK) != AST2400_SCU_BOOT_SPI)
-+ && ((dword & AST2400_SCU_BOOT_SRC_MASK) != AST2400_SCU_BOOT_NONE)) { /* NONE permitted to allow for BMC recovery after Ctrl+C or crash */
-+ msg_perr("CPU halt requested but CPU firmware source is not SPI.\n");
-+ pci_mmio_writel(0x0, ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SCU_APB_BRIDGE_OFFSET + AST2400_SCU_PROT_KEY);
-+ ast2400_device_halt_cpu = 0;
-+ return 1;
-+ }
-+
-+ /* Disable WDT from issuing full SoC reset
-+ * Without this, OpenPOWER systems will crash when the GPIO blocks are reset on WDT timeout
-+ */
-+ msg_pinfo("Configuring P2A bridge for WDT access\n");
-+ ast2400_set_a2b_bridge_wdt();
-+ ast2400_original_wdt_conf = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_WDT_APB_BRIDGE_OFFSET + AST2400_WDT1_CTL);
-+ pci_mmio_writel((ast2400_original_wdt_conf & ~AST2400_WDT_RESET_MODE_MASK) | AST2400_WDT_RESET_CPU_ONLY, ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_WDT_APB_BRIDGE_OFFSET + AST2400_WDT1_CTL);
-+
-+ /* Disable CPU */
-+ ast2400_set_a2b_bridge_scu();
-+ pci_mmio_writel((dword & ~AST2400_SCU_BOOT_SRC_MASK) | AST2400_SCU_BOOT_NONE, ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SCU_APB_BRIDGE_OFFSET + AST2400_SCU_HW_STRAP);
-+ }
-+
-+ return 0;
-+}
-+
-+static int
ast2400_enable_cpu(void) {
-+ uint32_t dword;
-+
-+ if (ast2400_device_halt_cpu && ast2400_device_resume_cpu) {
-+ /* Re-enable CPU */
-+ ast2400_set_a2b_bridge_scu();
-+ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SCU_APB_BRIDGE_OFFSET + AST2400_SCU_HW_STRAP);
-+ pci_mmio_writel((dword & ~AST2400_SCU_BOOT_SRC_MASK) | AST2400_SCU_BOOT_SPI, ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SCU_APB_BRIDGE_OFFSET + AST2400_SCU_HW_STRAP);
-+
-+ /* Reset WDT configuration */
-+ ast2400_set_a2b_bridge_wdt();
-+ pci_mmio_writel((ast2400_original_wdt_conf & ~AST2400_WDT_RESET_MODE_MASK) | AST2400_WDT_RESET_CPU_ONLY, ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_WDT_APB_BRIDGE_OFFSET + AST2400_WDT1_CTL);
-+ }
-+
-+ return 0;
-+}
-+
-+static int ast2400_shutdown(void *data) {
-+ /* Reactivate CPU if previously deactivated */
-+ ast2400_enable_cpu();
-+
-+ /* Disable backdoor APB access */
-+ pci_mmio_writel(0x0, ast2400_device_bar + 0xf000);
-+
-+ return 0;
-+}
-+
-+int ast2400_init(void)
-+{
-+ struct pci_dev *dev = NULL;
-+ uint32_t dword;
-+ uint8_t divisor;
-+
-+ char *arg;
-+
-+ ast2400_device_spi_bus = 0;
-+ arg = extract_programmer_param("spibus");
-+ if (arg) {
-+ if (!strcmp(arg,"host"))
-+ ast2400_device_host_mode = 1;
-+ else
-+ ast2400_device_spi_bus = strtol(arg, NULL, 0);
-+ }
-+ free(arg);
-+
-+ ast2400_device_halt_cpu = 0;
-+ arg = extract_programmer_param("cpu");
-+ if (arg && !strcmp(arg,"pause")) {
-+ ast2400_device_halt_cpu = 1;
-+ ast2400_device_resume_cpu = 1;
-+ }
-+ if (arg && !strcmp(arg,"halt")) {
-+ ast2400_device_halt_cpu = 1;
-+ ast2400_device_resume_cpu = 0;
-+ }
-+ arg = extract_programmer_param("tickle");
-+ if (arg && !strcmp(arg,"true"))
-+ ast2400_device_tickle_fw = 1;
-+ free(arg);
-+
-+ if ((ast2400_device_host_mode == 0) && ((ast2400_device_spi_bus < 0) || (ast2400_device_spi_bus > 4))) {
-+ msg_perr("SPI bus number out of range!
Valid values are 0 - 4.\n");
-+ return 1;
-+ }
-+
-+ if (rget_io_perms())
-+ return 1;
-+
-+ dev = pcidev_init(bmc_aspeed_ast2400, PCI_BASE_ADDRESS_1);
-+ if (!dev)
-+ return 1;
-+
-+ uintptr_t io_base_addr = pcidev_readbar(dev, PCI_BASE_ADDRESS_1);
-+ if (!io_base_addr)
-+ return 1;
-+
-+ msg_pinfo("Detected ASPEED MMIO base address: %p.\n", (void*)io_base_addr);
-+
-+ ast2400_device_bar = rphysmap("ASPEED", io_base_addr, ASPEED_MEMMAP_SIZE);
-+ if (ast2400_device_bar == ERROR_PTR)
-+ return 1;
-+
-+ if (register_shutdown(ast2400_shutdown, dev))
-+ return 1;
-+
-+ io_base_addr += ASPEED_P2A_OFFSET;
-+ msg_pinfo("ASPEED P2A base address: %p.\n", (void*)io_base_addr);
-+
-+ msg_pinfo("Configuring P2A bridge for SCU access\n");
-+ ast2400_set_a2b_bridge_scu();
-+ pci_mmio_writel(AST2400_SCU_PASSWORD, ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SCU_APB_BRIDGE_OFFSET + AST2400_SCU_PROT_KEY);
-+
-+ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SCU_APB_BRIDGE_OFFSET + AST2400_SCU_MISC_CTL);
-+ pci_mmio_writel(dword & ~((0x1 << 24) | (0x2 << 22)), ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SCU_APB_BRIDGE_OFFSET + AST2400_SCU_MISC_CTL);
-+
-+ /* Halt CPU if requested */
-+ if (ast2400_disable_cpu())
-+ return 1;
-+
-+ msg_pinfo("Configuring P2A bridge for SMC access\n");
-+ ast2400_set_a2b_bridge_smc();
-+
-+ if (ast2400_device_host_mode) {
-+ msg_pinfo("Configuring P2A bridge for SPI access\n");
-+ ast2400_set_a2b_bridge_spi();
-+
-+ divisor = 0; /* Slowest speed for now */
-+
-+ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SPI_CTL);
-+ dword &= ~AST2400_SPI_SPEED_MASK;
-+ dword |= (divisor << 8);
-+ dword &= ~AST2400_SPI_CPOL_1;
-+ dword &= ~AST2400_SPI_LSB_FIRST_CTRL; /* MSB first */
-+ dword &= ~AST2400_SPI_IO_MODE_MASK; /* Single bit I/O mode */
-+ pci_mmio_writel(dword, ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SPI_CTL);
-+ }
-+ else {
-+ dword = pci_mmio_readl(ast2400_device_bar +
ASPEED_P2A_OFFSET + AST2400_SMC_FMC00);
-+ if (((dword >> (ast2400_device_spi_bus * 2)) & 0x3) != 0x2) {
-+ msg_perr("CE%01x Flash type is not SPI!\n", ast2400_device_spi_bus);
-+ return 1;
-+ }
-+
-+ msg_pinfo("Enabling CE%01x write\n", ast2400_device_spi_bus);
-+ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SMC_FMC00);
-+ pci_mmio_writel(dword | (0x1 << (16 + ast2400_device_spi_bus)), ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SMC_FMC00);
-+
-+ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SMC_CE_SEG(ast2400_device_spi_bus));
-+ ast2400_device_flash_mmio_offset = ((dword >> 16) & 0x3f) * 0x800000;
-+ msg_pinfo("Using CE%01x offset 0x%08x\n", ast2400_device_spi_bus, ast2400_device_flash_mmio_offset);
-+ }
-+
-+ register_spi_master(&spi_master_ast2400);
-+
-+ return 0;
-+}
-+
-+static void ast2400_spi_xfer_data(struct flashctx *flash,
-+ unsigned int writecnt, unsigned int readcnt,
-+ const unsigned char *writearr,
-+ unsigned char *readarr)
-+{
-+ int i;
-+ uint32_t dword;
-+
-+ for (i = 0; i < writecnt; i++)
-+ msg_pspew("[%02x]", writearr[i]);
-+ msg_pspew("\n");
-+
-+ for (i = 0; i < writecnt; i=i+4) {
-+ if ((writecnt - i) < 4)
-+ break;
-+ dword = writearr[i];
-+ dword |= writearr[i + 1] << 8;
-+ dword |= writearr[i + 2] << 16;
-+ dword |= writearr[i + 3] << 24;
-+ pci_mmio_writel(dword, ast2400_device_bar + ASPEED_P2A_OFFSET);
-+ }
-+ for (; i < writecnt; i++)
-+ pci_mmio_writeb(writearr[i], ast2400_device_bar + ASPEED_P2A_OFFSET);
-+ programmer_delay(1);
-+ for (i = 0; i < readcnt;) {
-+ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET);
-+ if (i < readcnt)
-+ readarr[i] = dword & 0xff;
-+ i++;
-+ if (i < readcnt)
-+ readarr[i] = (dword >> 8) & 0xff;
-+ i++;
-+ if (i < readcnt)
-+ readarr[i] = (dword >> 16) & 0xff;
-+ i++;
-+ if (i < readcnt)
-+ readarr[i] = (dword >> 24) & 0xff;
-+ i++;
-+ }
-+
-+ for (i = 0; i < readcnt; i++)
-+ msg_pspew("[%02x]", readarr[i]);
-+ msg_pspew("\n");
-+}
-+
-+/* Returns 0 upon success, a negative number upon errors. */
-+static int ast2400_spi_send_command(struct flashctx *flash,
-+ unsigned int writecnt, unsigned int readcnt,
-+ const unsigned char *writearr,
-+ unsigned char *readarr)
-+{
-+ uint32_t dword;
-+
-+ msg_pspew("%s, cmd=0x%02x, writecnt=%d, readcnt=%d\n", __func__, *writearr, writecnt, readcnt);
-+
-+ if (ast2400_device_host_mode) {
-+ /* Set up user command mode */
-+ ast2400_set_a2b_bridge_spi();
-+ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SPI_CFG);
-+ pci_mmio_writel(dword | AST2400_SPI_CFG_WRITE_EN, ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SPI_CFG);
-+ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SPI_CTL);
-+ pci_mmio_writel(dword | AST2400_SPI_CMD_USER_MODE, ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SPI_CTL);
-+
-+ /* Transfer data */
-+ ast2400_set_a2b_bridge_spi_flash();
-+ ast2400_spi_xfer_data(flash, writecnt, readcnt, writearr, readarr);
-+
-+ /* Tear down user command mode */
-+ ast2400_set_a2b_bridge_spi();
-+ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SPI_CTL);
-+ pci_mmio_writel((dword & ~AST2400_SPI_CMD_MASK) | AST2400_SPI_CMD_FAST_R_MODE, ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SPI_CTL);
-+ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SPI_CFG);
-+ pci_mmio_writel(dword & ~AST2400_SPI_CFG_WRITE_EN, ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SPI_CFG);
-+ }
-+ else {
-+ /* Set up user command mode */
-+ ast2400_set_a2b_bridge_smc();
-+ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SMC_CE_CTL(ast2400_device_spi_bus));
-+ pci_mmio_writel(dword | AST2400_SPI_CMD_USER_MODE, ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SMC_CE_CTL(ast2400_device_spi_bus));
-+ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SMC_CE_CTL(ast2400_device_spi_bus));
-+ pci_mmio_writel(dword & ~AST2400_SPI_STOP_CE_ACTIVE,
ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SMC_CE_CTL(ast2400_device_spi_bus));
-+
-+ /* Transfer data */
-+ ast2400_set_a2b_bridge_smc_flash();
-+ ast2400_spi_xfer_data(flash, writecnt, readcnt, writearr, readarr);
-+
-+ /* Tear down user command mode */
-+ ast2400_set_a2b_bridge_smc();
-+ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SMC_CE_CTL(ast2400_device_spi_bus));
-+ pci_mmio_writel(dword | AST2400_SPI_STOP_CE_ACTIVE, ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SMC_CE_CTL(ast2400_device_spi_bus));
-+ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SMC_CE_CTL(ast2400_device_spi_bus));
-+ pci_mmio_writel((dword & ~AST2400_SPI_CMD_MASK) | AST2400_SPI_CMD_FAST_R_MODE, ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SMC_CE_CTL(ast2400_device_spi_bus));
-+ }
-+
-+ if (ast2400_device_tickle_fw) {
-+ ast2400_enable_cpu();
-+ programmer_delay(100);
-+ ast2400_disable_cpu();
-+ }
-+
-+ return 0;
-+}
-diff --git ./chipdrivers.h ./chipdrivers.h
-index c85eac9..20529d5 100644
---- ./chipdrivers.h
-+++ ./chipdrivers.h
-@@ -195,4 +195,26 @@ int erase_sector_stm50(struct flashctx *flash, unsigned int block, unsigned int
- int probe_en29lv640b(struct flashctx *flash);
- int write_en29lv640b(struct flashctx *flash, const uint8_t *buf, unsigned int start, unsigned int len);
-
-+/* spi4ba.c */
-+int spi_enter_4ba_b7(struct flashctx *flash);
-+int spi_enter_4ba_b7_we(struct flashctx *flash);
-+int spi_byte_program_4ba(struct flashctx *flash, unsigned int addr, uint8_t databyte);
-+int spi_nbyte_program_4ba(struct flashctx *flash, unsigned int addr, const uint8_t *bytes, unsigned int len);
-+int spi_nbyte_read_4ba(struct flashctx *flash, unsigned int addr, uint8_t *bytes, unsigned int len);
-+int spi_block_erase_20_4ba(struct flashctx *flash, unsigned int addr, unsigned int blocklen);
-+int spi_block_erase_52_4ba(struct flashctx *flash, unsigned int addr, unsigned int blocklen);
-+int spi_block_erase_d8_4ba(struct
flashctx *flash, unsigned int addr, unsigned int blocklen);
-+int spi_byte_program_4ba_ereg(struct flashctx *flash, unsigned int addr, uint8_t databyte);
-+int spi_nbyte_program_4ba_ereg(struct flashctx *flash, unsigned int addr, const uint8_t *bytes, unsigned int len);
-+int spi_nbyte_read_4ba_ereg(struct flashctx *flash, unsigned int addr, uint8_t *bytes, unsigned int len);
-+int spi_block_erase_20_4ba_ereg(struct flashctx *flash, unsigned int addr, unsigned int blocklen);
-+int spi_block_erase_52_4ba_ereg(struct flashctx *flash, unsigned int addr, unsigned int blocklen);
-+int spi_block_erase_d8_4ba_ereg(struct flashctx *flash, unsigned int addr, unsigned int blocklen);
-+int spi_byte_program_4ba_direct(struct flashctx *flash, unsigned int addr, uint8_t databyte);
-+int spi_nbyte_program_4ba_direct(struct flashctx *flash, unsigned int addr, const uint8_t *bytes, unsigned int len);
-+int spi_nbyte_read_4ba_direct(struct flashctx *flash, unsigned int addr, uint8_t *bytes, unsigned int len);
-+int spi_block_erase_21_4ba_direct(struct flashctx *flash, unsigned int addr, unsigned int blocklen);
-+int spi_block_erase_5c_4ba_direct(struct flashctx *flash, unsigned int addr, unsigned int blocklen);
-+int spi_block_erase_dc_4ba_direct(struct flashctx *flash, unsigned int addr, unsigned int blocklen);
-+
- #endif /* !__CHIPDRIVERS_H__ */
-diff --git ./cli_output.c ./cli_output.c
-index 61a9af6..4adfd7d 100644
---- ./cli_output.c
-+++ ./cli_output.c
-@@ -90,7 +90,8 @@ int flashrom_print_cb(enum flashrom_log_level level, const char *fmt, va_list ap
- fflush(output_type);
- }
- #ifndef STANDALONE
-- if ((level <= verbose_logfile) && logfile) {
-+ /* skip of msgs starting from '\b' added to skip progress percents */
-+ if ((level <= verbose_logfile) && logfile && (!fmt || fmt[0] != '\b')) {
- ret = vfprintf(logfile, fmt, logfile_args);
- if (level != FLASHROM_MSG_SPEW)
- fflush(logfile);
-diff --git ./flash.h ./flash.h
-index 9c3784b..58ad387 100644
---- ./flash.h
-+++
./flash.h
-@@ -119,6 +119,14 @@ enum write_granularity {
- #define FEATURE_WRSR_EITHER (FEATURE_WRSR_EWSR | FEATURE_WRSR_WREN)
- #define FEATURE_OTP (1 << 8)
- #define FEATURE_QPI (1 << 9)
-+/* Feature bits used for 4-bytes addressing mode */
-+#define FEATURE_4BA_SUPPORT (1 << 10)
-+#define FEATURE_4BA_ONLY (1 << 11)
-+#define FEATURE_4BA_EXTENDED_ADDR_REG (1 << 12)
-+#define FEATURE_4BA_DIRECT_READ (1 << 13)
-+#define FEATURE_4BA_DIRECT_WRITE (1 << 14)
-+#define FEATURE_4BA_ALL_ERASERS_DIRECT (1 << 15)
-+#define FEATURE_4BA_ALL_DIRECT (FEATURE_4BA_DIRECT_READ | FEATURE_4BA_DIRECT_WRITE | FEATURE_4BA_ALL_ERASERS_DIRECT)
-
- enum test_state {
- OK = 0,
-@@ -164,6 +172,14 @@ struct flashchip {
- unsigned int page_size;
- int feature_bits;
-
-+ /* set of function pointers to use in 4-bytes addressing mode */
-+ struct four_bytes_addr_funcs_set {
-+ int (*enter_4ba) (struct flashctx *flash);
-+ int (*read_nbyte) (struct flashctx *flash, unsigned int addr, uint8_t *bytes, unsigned int len);
-+ int (*program_byte) (struct flashctx *flash, unsigned int addr, const uint8_t databyte);
-+ int (*program_nbyte) (struct flashctx *flash, unsigned int addr, const uint8_t *bytes, unsigned int len);
-+ } four_bytes_addr_funcs;
-+
- /* Indicate how well flashrom supports different operations of this flash chip. */
- struct tested {
- enum test_state probe;
-@@ -347,6 +363,11 @@ __attribute__((format(printf, 2, 3)));
- #define msg_pspew(...) print(FLASHROM_MSG_SPEW, __VA_ARGS__) /* programmer debug spew */
- #define msg_cspew(...)
print(FLASHROM_MSG_SPEW, __VA_ARGS__) /* chip debug spew */
-
-+/* Read progress will be shown for reads more than 256KB */
-+#define MIN_LENGTH_TO_SHOW_READ_PROGRESS 256 * 1024
-+/* Read progress will be shown for erases and writes more than 64KB */
-+#define MIN_LENGTH_TO_SHOW_ERASE_AND_WRITE_PROGRESS 64 * 1024
-+
- /* layout.c */
- int register_include_arg(char *name);
- int read_romlayout(const char *name);
-diff --git ./flashchips.c ./flashchips.c
-index 7ef361b..c90fd94 100644
---- ./flashchips.c
-+++ ./flashchips.c
-@@ -8045,6 +8045,100 @@ const struct flashchip flashchips[] = {
-
- {
- .vendor = "Macronix",
-+ .name = "MX25L25635F/MX25L25645E/MX25L25665E",
-+ .bustype = BUS_SPI,
-+ .manufacture_id = MACRONIX_ID,
-+ .model_id = MACRONIX_MX25L25635F,
-+ .total_size = 32768,
-+ .page_size = 256,
-+ /* OTP: 512B total; enter 0xB1, exit 0xC1 */
-+ .feature_bits = FEATURE_WRSR_WREN | FEATURE_OTP | FEATURE_4BA_SUPPORT,
-+ .four_bytes_addr_funcs =
-+ {
-+ .enter_4ba = spi_enter_4ba_b7, /* enter 4-bytes addressing mode by CMD B7 */
-+ .read_nbyte = spi_nbyte_read_4ba, /* read from 4-bytes addressing mode */
-+ .program_byte = spi_byte_program_4ba, /* write from 4-bytes addressing mode */
-+ .program_nbyte = spi_nbyte_program_4ba /* write from 4-bytes addressing mode */
-+ },
-+ .tested = TEST_OK_PREW,
-+ .probe = probe_spi_rdid,
-+ .probe_timing = TIMING_ZERO,
-+ .block_erasers =
-+ {
-+ {
-+ .eraseblocks = { {4 * 1024, 8192} },
-+ .block_erase = spi_block_erase_20_4ba,
-+ }, {
-+ .eraseblocks = { {32 * 1024, 1024} },
-+ .block_erase = spi_block_erase_52_4ba,
-+ }, {
-+ .eraseblocks = { {64 * 1024, 512} },
-+ .block_erase = spi_block_erase_d8_4ba,
-+ }, {
-+ .eraseblocks = { {32 * 1024 * 1024, 1} },
-+ .block_erase = spi_block_erase_60,
-+ }, {
-+ .eraseblocks = { {32 * 1024 * 1024, 1} },
-+ .block_erase = spi_block_erase_c7,
-+ }
-+ },
-+ /* TODO: security register and SBLK/SBULK; MX25L12835F: configuration register */
-+ .printlock =
spi_prettyprint_status_register_bp3_srwd, /* bit6 is quad enable */
-+ .unlock = spi_disable_blockprotect_bp3_srwd,
-+ .write = spi_chip_write_256,
-+ .read = spi_chip_read, /* Fast read (0x0B) supported */
-+ .voltage = {2700, 3600},
-+ },
-+
-+ {
-+ .vendor = "Macronix",
-+ .name = "MX66L51235F",
-+ .bustype = BUS_SPI,
-+ .manufacture_id = MACRONIX_ID,
-+ .model_id = MACRONIX_MX66L51235F,
-+ .total_size = 65536,
-+ .page_size = 256,
-+ /* OTP: 512B total; enter 0xB1, exit 0xC1 */
-+ .feature_bits = FEATURE_WRSR_WREN | FEATURE_OTP | FEATURE_4BA_SUPPORT,
-+ .four_bytes_addr_funcs =
-+ {
-+ .enter_4ba = spi_enter_4ba_b7, /* enter 4-bytes addressing mode by CMD B7 */
-+ .read_nbyte = spi_nbyte_read_4ba, /* read from 4-bytes addressing mode */
-+ .program_byte = spi_byte_program_4ba, /* write from 4-bytes addressing mode */
-+ .program_nbyte = spi_nbyte_program_4ba /* write from 4-bytes addressing mode */
-+ },
-+ .tested = TEST_OK_PREW,
-+ .probe = probe_spi_rdid,
-+ .probe_timing = TIMING_ZERO,
-+ .block_erasers =
-+ {
-+ {
-+ .eraseblocks = { {4 * 1024, 16384} },
-+ .block_erase = spi_block_erase_20_4ba,
-+ }, {
-+ .eraseblocks = { {32 * 1024, 2048} },
-+ .block_erase = spi_block_erase_52_4ba,
-+ }, {
-+ .eraseblocks = { {64 * 1024, 1024} },
-+ .block_erase = spi_block_erase_d8_4ba,
-+ }, {
-+ .eraseblocks = { {64 * 1024 * 1024, 1} },
-+ .block_erase = spi_block_erase_60,
-+ }, {
-+ .eraseblocks = { {64 * 1024 * 1024, 1} },
-+ .block_erase = spi_block_erase_c7,
-+ }
-+ },
-+ /* TODO: security register and SBLK/SBULK; MX25L12835F: configuration register */
-+ .printlock = spi_prettyprint_status_register_bp3_srwd, /* bit6 is quad enable */
-+ .unlock = spi_disable_blockprotect_bp3_srwd,
-+ .write = spi_chip_write_256,
-+ .read = spi_chip_read, /* Fast read (0x0B) supported */
-+ .voltage = {2700, 3600},
-+ },
-+
-+ {
-+ .vendor = "Macronix",
- .name = "MX25U1635E",
- .bustype = BUS_SPI,
- .manufacture_id = MACRONIX_ID,
-@@ -11747,7 +11841,7 @@ const struct flashchip
flashchips[] = {
- .total_size = 16384,
- .page_size = 256,
- .feature_bits = FEATURE_WRSR_WREN,
-- .tested = TEST_UNTESTED,
-+ .tested = TEST_OK_PREW,
- .probe = probe_spi_rdid,
- .probe_timing = TIMING_ZERO,
- .block_erasers = {
-@@ -14588,6 +14682,54 @@ const struct flashchip flashchips[] = {
-
- {
- .vendor = "Winbond",
-+ .name = "W25Q256.V",
-+ .bustype = BUS_SPI,
-+ .manufacture_id = WINBOND_NEX_ID,
-+ .model_id = WINBOND_NEX_W25Q256_V,
-+ .total_size = 32768,
-+ .page_size = 256,
-+ /* supports SFDP */
-+ /* OTP: 1024B total, 256B reserved; read 0x48; write 0x42, erase 0x44, read ID 0x4B */
-+ /* FOUR_BYTE_ADDR: supports 4-bytes addressing mode */
-+ .feature_bits = FEATURE_WRSR_WREN | FEATURE_OTP | FEATURE_4BA_SUPPORT | FEATURE_4BA_DIRECT_READ,
-+ .four_bytes_addr_funcs =
-+ {
-+ .enter_4ba = spi_enter_4ba_b7_we, /* enter 4-bytes addressing mode by CMD B7 + WREN */
-+ .read_nbyte = spi_nbyte_read_4ba_direct, /* read directly from any mode, no need to enter 4ba */
-+ .program_byte = spi_byte_program_4ba, /* write from 4-bytes addressing mode */
-+ .program_nbyte = spi_nbyte_program_4ba /* write from 4-bytes addressing mode */
-+ },
-+ .tested = TEST_OK_PREW,
-+ .probe = probe_spi_rdid,
-+ .probe_timing = TIMING_ZERO,
-+ .block_erasers =
-+ {
-+ {
-+ .eraseblocks = { {4 * 1024, 8192} },
-+ .block_erase = spi_block_erase_20_4ba, /* erases 4k from 4-bytes addressing mode */
-+ }, {
-+ .eraseblocks = { {32 * 1024, 1024} },
-+ .block_erase = spi_block_erase_52_4ba, /* erases 32k from 4-bytes addressing mode */
-+ }, {
-+ .eraseblocks = { {64 * 1024, 512} },
-+ .block_erase = spi_block_erase_d8_4ba, /* erases 64k from 4-bytes addressing mode */
-+ }, {
-+ .eraseblocks = { {32 * 1024 * 1024, 1} },
-+ .block_erase = spi_block_erase_60,
-+ }, {
-+ .eraseblocks = { {32 * 1024 * 1024, 1} },
-+ .block_erase = spi_block_erase_c7,
-+ }
-+ },
-+ .printlock = spi_prettyprint_status_register_plain, /* TODO: improve */
-+ .unlock = spi_disable_blockprotect,
-+ .write =
spi_chip_write_256,
-+ .read = spi_chip_read,
-+ .voltage = {2700, 3600},
-+ },
-+
-+ {
-+ .vendor = "Winbond",
- .name = "W25Q20.W",
- .bustype = BUS_SPI,
- .manufacture_id = WINBOND_NEX_ID,
-diff --git ./flashchips.h ./flashchips.h
-index 15574bb..62eb9a5 100644
---- ./flashchips.h
-+++ ./flashchips.h
-@@ -482,6 +482,7 @@
- #define MACRONIX_MX25L25635F 0x2019 /* Same as MX25L25639F, but the latter seems to not support REMS */
- #define MACRONIX_MX25L1635D 0x2415
- #define MACRONIX_MX25L1635E 0x2515 /* MX25L1635{E} */
-+#define MACRONIX_MX66L51235F 0x201a /* MX66L51235F */
- #define MACRONIX_MX25U1635E 0x2535
- #define MACRONIX_MX25U3235E 0x2536 /* Same as MX25U6435F */
- #define MACRONIX_MX25U6435E 0x2537 /* Same as MX25U6435F */
-diff --git ./flashrom.c ./flashrom.c
-index c600efc..767c2c4 100644
---- ./flashrom.c
-+++ ./flashrom.c
-@@ -6,6 +6,7 @@
- * Copyright (C) 2005-2008 coresystems GmbH
- * Copyright (C) 2008,2009 Carl-Daniel Hailfinger
- * Copyright (C) 2016 secunet Security Networks AG
-+ * Copyright (C) 2016-2017 Raptor Engineering, LLC
- * (Written by Nico Huber for secunet)
- *
- * This program is free software; you can redistribute it and/or modify
-@@ -136,6 +137,30 @@ const struct programmer_entry programmer_table[] = {
- },
- #endif
-
-+#if CONFIG_AST1100 == 1
-+ {
-+ .name = "ast1100",
-+ .type = PCI,
-+ .devs.dev = bmc_aspeed_ast1100,
-+ .init = ast1100_init,
-+ .map_flash_region = fallback_map,
-+ .unmap_flash_region = fallback_unmap,
-+ .delay = internal_delay,
-+ },
-+#endif
-+
-+#if CONFIG_AST2400 == 1
-+ {
-+ .name = "ast2400",
-+ .type = PCI,
-+ .devs.dev = bmc_aspeed_ast2400,
-+ .init = ast2400_init,
-+ .map_flash_region = fallback_map,
-+ .unmap_flash_region = fallback_unmap,
-+ .delay = internal_delay,
-+ },
-+#endif
-+
- #if CONFIG_DRKAISER == 1
- {
- .name = "drkaiser",
-@@ -1600,6 +1625,18 @@ static int walk_eraseblocks(struct flashctx *const flashctx,
- bool first = true;
- struct block_eraser *const eraser =
&flashctx->chip->block_erasers[erasefunction];
-
-+ int show_progress = 0;
-+ unsigned int percent_last, percent_current;
-+ unsigned long size = flashctx->chip->total_size * 1024;
-+
-+ /* progress visualizaion init */
-+ if(size >= MIN_LENGTH_TO_SHOW_ERASE_AND_WRITE_PROGRESS) {
-+ msg_cinfo(" "); /* only this space will go to logfile but all strings with \b wont. */
-+ msg_cinfo("\b 0%%");
-+ percent_last = percent_current = 0;
-+ show_progress = 1; /* enable progress visualizaion */
-+ }
-+
- info->erase_start = 0;
- for (i = 0; i < NUM_ERASEREGIONS; ++i) {
- /* count==0 for all automatically initialized array
-@@ -1620,6 +1657,14 @@ static int walk_eraseblocks(struct flashctx *const flashctx,
- msg_cdbg(", ");
- msg_cdbg("0x%06x-0x%06x:", info->erase_start, info->erase_end);
-
-+ if(show_progress) {
-+ percent_current = (unsigned int) ((unsigned long long)info->erase_start * 100 / size);
-+ if(percent_current != percent_last) {
-+ msg_cinfo("\b\b\b%2d%%", percent_current);
-+ percent_last = percent_current;
-+ }
-+ }
-+
- ret = per_blockfn(flashctx, info, eraser->block_erase);
- if (ret)
- return ret;
-@@ -1627,6 +1672,10 @@ static int walk_eraseblocks(struct flashctx *const flashctx,
- if (info->region_end < info->erase_start)
- break;
- }
-+
-+ if(show_progress)
-+ msg_cinfo("\b\b\b\b"); /* remove progress percents from the screen */
-+
- msg_cdbg("\n");
- return 0;
- }
-@@ -2223,6 +2272,44 @@ int prepare_flash_access(struct flashctx *const flash,
- if (flash->chip->unlock)
- flash->chip->unlock(flash);
-
-+ /* Switching to 4-Bytes Addressing mode if flash chip supports it */
-+ if(flash->chip->feature_bits & FEATURE_4BA_SUPPORT) {
-+ /* Do not switch if chip is already in 4-bytes addressing mode */
-+ if (flash->chip->feature_bits & FEATURE_4BA_ONLY) {
-+ msg_cdbg("Flash chip is already in 4-bytes addressing mode.\n");
-+ }
-+ /* Do not switch to 4-Bytes Addressing mode if using Extended Address Register */
-+ else if(flash->chip->feature_bits & 
FEATURE_4BA_EXTENDED_ADDR_REG) {
-+ msg_cdbg("Using 4-bytes addressing with extended address register.\n");
-+ }
-+ /* Go to 4-Bytes Addressing mode if selected
-+ operation requires 4-Bytes Addressing mode
-+ (no need if functions are direct-4BA) */
-+ else if(((read_it || verify_it)
-+ && (!(flash->chip->feature_bits & FEATURE_4BA_DIRECT_READ)))
-+ || ((erase_it || write_it)
-+ && ((flash->chip->feature_bits & FEATURE_4BA_ALL_DIRECT) != FEATURE_4BA_ALL_DIRECT))) {
-+
-+ if (!flash->chip->four_bytes_addr_funcs.enter_4ba) {
-+ msg_cerr("No function for Enter 4-bytes addressing mode for this flash chip.\n"
-+ "Please report to flashrom@flashrom.org\n");
-+ return 1;
-+ }
-+
-+ if(flash->chip->four_bytes_addr_funcs.enter_4ba(flash)) {
-+ msg_cerr("Switching to 4-bytes addressing mode failed!\n");
-+ return 1;
-+ }
-+
-+ msg_cdbg("Switched to 4-bytes addressing mode.\n");
-+ }
-+ /* Do not switch to 4-Bytes Addressing mode if all instructions are direct-4BA
-+ or if the flash chip is 4-Bytes Addressing Only and always in 4BA-mode */
-+ else {
-+ msg_cdbg2("No need to switch to 4-bytes addressing mode.\n");
-+ }
-+ }
-+
- return 0;
- }
-
-diff --git ./pcidev.c ./pcidev.c
-index f4e5542..d36e5c4 100644
---- ./pcidev.c
-+++ ./pcidev.c
-@@ -37,11 +37,13 @@ enum pci_bartype {
- uintptr_t pcidev_readbar(struct pci_dev *dev, int bar)
- {
- uint64_t addr;
-- uint32_t upperaddr;
- uint8_t headertype;
- uint16_t supported_cycles;
- enum pci_bartype bartype = TYPE_UNKNOWN;
-
-+#ifndef __PPC64__
-+ uint32_t upperaddr;
-+#endif
-
- headertype = pci_read_byte(dev, PCI_HEADER_TYPE) & 0x7f;
- msg_pspew("PCI header type 0x%02x\n", headertype);
-@@ -97,6 +99,12 @@ uintptr_t pcidev_readbar(struct pci_dev *dev, int bar)
- switch (bartype) {
- case TYPE_MEMBAR:
- msg_pdbg("MEM");
-+#ifdef __PPC64__
-+ /* PowerPC is able to translate 32-bit BARs into 64-bit host windows.
-+ * Use the dev->base_addr[x] mechanism to handle mapping. 
-+ */
-+ addr = dev->base_addr[(bar - 0x10) / 0x4] & PCI_BASE_ADDRESS_MEM_MASK;
-+#else
- if (!(supported_cycles & PCI_COMMAND_MEMORY)) {
- msg_perr("MEM BAR access requested, but device has MEM space accesses disabled.\n");
- /* TODO: Abort here? */
-@@ -122,6 +130,7 @@ uintptr_t pcidev_readbar(struct pci_dev *dev, int bar)
- }
- }
- addr &= PCI_BASE_ADDRESS_MEM_MASK;
-+#endif
- break;
- case TYPE_IOBAR:
- msg_pdbg("I/O\n");
-diff --git ./programmer.h ./programmer.h
-index a98b713..c9c3a26 100644
---- ./programmer.h
-+++ ./programmer.h
-@@ -5,6 +5,7 @@
- * Copyright (C) 2000 Ronald G. Minnich
- * Copyright (C) 2005-2009 coresystems GmbH
- * Copyright (C) 2006-2009 Carl-Daniel Hailfinger
-+ * Copyright (C) 2016-2017 Raptor Engineering, LLC
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
-@@ -45,6 +46,12 @@ enum programmer {
- #if CONFIG_GFXNVIDIA == 1
- PROGRAMMER_GFXNVIDIA,
- #endif
-+#if CONFIG_AST1100 == 1
-+ PROGRAMMER_AST1100,
-+#endif
-+#if CONFIG_AST2400 == 1
-+ PROGRAMMER_AST2400,
-+#endif
- #if CONFIG_DRKAISER == 1
- PROGRAMMER_DRKAISER,
- #endif
-@@ -404,6 +411,18 @@ int gfxnvidia_init(void);
- extern const struct dev_entry gfx_nvidia[];
- #endif
-
-+/* ast1100.c */
-+#if CONFIG_AST1100 == 1
-+int ast1100_init(void);
-+extern const struct dev_entry bmc_aspeed_ast1100[];
-+#endif
-+
-+/* ast2400.c */
-+#if CONFIG_AST2400 == 1
-+int ast2400_init(void);
-+extern const struct dev_entry bmc_aspeed_ast2400[];
-+#endif
-+
- /* drkaiser.c */
- #if CONFIG_DRKAISER == 1
- int drkaiser_init(void);
-@@ -605,6 +624,14 @@ enum spi_controller {
- #if CONFIG_CH341A_SPI == 1
- SPI_CONTROLLER_CH341A_SPI,
- #endif
-+
-+#if CONFIG_AST1100 == 1
-+ SPI_CONTROLLER_AST1100,
-+#endif
-+
-+#if CONFIG_AST2400 == 1
-+ SPI_CONTROLLER_AST2400,
-+#endif
- };
-
- #define MAX_DATA_UNSPECIFIED 0
-diff --git ./spi.c ./spi.c
-index c306ac3..817c8de 100644
---- ./spi.c
-+++ ./spi.c
-@@ 
-112,7 +126,10 @@ int spi_chip_read(struct flashctx *flash, uint8_t *buf, unsigned int start,
- * means 0xffffff, the highest unsigned 24bit number.
- */
- addrbase = spi_get_valid_read_addr(flash);
-- if (addrbase + flash->chip->total_size * 1024 > (1 << 24)) {
-+ /* Show flash chip size warning if flash chip doesn't support
-+ 4-Bytes Addressing mode and last address excedes 24 bits */
-+ if (!(flash->chip->feature_bits & FEATURE_4BA_SUPPORT) &&
-+ addrbase + flash->chip->total_size * 1024 > (1 << 24)) {
- msg_perr("Flash chip size exceeds the allowed access window. ");
- msg_perr("Read will probably fail.\n");
- /* Try to get the best alignment subject to constraints. */
-diff --git ./spi25.c ./spi25.c
-index 76242be..c324835 100644
---- ./spi25.c
-+++ ./spi25.c
-@@ -28,6 +28,7 @@
- #include "chipdrivers.h"
- #include "programmer.h"
- #include "spi.h"
-+#include "spi4ba.h"
-
- static int spi_rdid(struct flashctx *flash, unsigned char *readarr, int bytes)
- {
-@@ -967,7 +968,11 @@ int spi_read_chunked(struct flashctx *flash, uint8_t *buf, unsigned int start,
- lenhere = min(start + len, (i + 1) * area_size) - starthere;
- for (j = 0; j < lenhere; j += chunksize) {
- toread = min(chunksize, lenhere - j);
-- rc = spi_nbyte_read(flash, starthere + j, buf + starthere - start + j, toread);
-+ rc = (flash->chip->feature_bits & FEATURE_4BA_SUPPORT) == 0
-+ ? spi_nbyte_read(flash, starthere + j, buf + starthere - start + j, toread)
-+ : flash->chip->four_bytes_addr_funcs.read_nbyte(flash, starthere + j,
-+ buf + starthere - start + j, toread);
-+
- if (rc)
- break;
- }
-@@ -994,6 +999,16 @@ int spi_write_chunked(struct flashctx *flash, const uint8_t *buf, unsigned int s
- * we're OK for now. 
- */
- unsigned int page_size = flash->chip->page_size;
-+ int show_progress = 0;
-+ unsigned int percent_last, percent_current;
-+
-+ /* progress visualizaion init */
-+ if(len >= MIN_LENGTH_TO_SHOW_READ_PROGRESS) {
-+ msg_cinfo(" "); /* only this space will go to logfile but all strings with \b wont. */
-+ msg_cinfo("\b 0%%");
-+ percent_last = percent_current = 0;
-+ show_progress = 1; /* enable progress visualizaion */
-+ }
-
- /* Warning: This loop has a very unusual condition and body.
- * The loop needs to go through each page with at least one affected
-@@ -1012,7 +1027,10 @@ int spi_write_chunked(struct flashctx *flash, const uint8_t *buf, unsigned int s
- lenhere = min(start + len, (i + 1) * page_size) - starthere;
- for (j = 0; j < lenhere; j += chunksize) {
- towrite = min(chunksize, lenhere - j);
-- rc = spi_nbyte_program(flash, starthere + j, buf + starthere - start + j, towrite);
-+ rc = (flash->chip->feature_bits & FEATURE_4BA_SUPPORT) == 0
-+ ? spi_nbyte_program(flash, starthere + j, buf + starthere - start + j, towrite)
-+ : flash->chip->four_bytes_addr_funcs.program_nbyte(flash, starthere + j,
-+ buf + starthere - start + j, towrite);
- if (rc)
- break;
- while (spi_read_status_register(flash) & SPI_SR_WIP)
-@@ -1020,8 +1038,20 @@ int spi_write_chunked(struct flashctx *flash, const uint8_t *buf, unsigned int s
- }
- if (rc)
- break;
-+
-+ if(show_progress) {
-+ percent_current = (unsigned int) ((unsigned long long)(starthere +
-+ lenhere - start) * 100 / len);
-+ if(percent_current != percent_last) {
-+ msg_cinfo("\b\b\b%2d%%", percent_current);
-+ percent_last = percent_current;
-+ }
-+ }
- }
-
-+ if(show_progress && !rc)
-+ msg_cinfo("\b\b\b\b"); /* remove progress percents from the screen */
-+
- return rc;
- }
-
-@@ -1038,7 +1068,9 @@ int spi_chip_write_1(struct flashctx *flash, const uint8_t *buf, unsigned int st
- int result = 0;
-
- for (i = start; i < start + len; i++) {
-- result = spi_byte_program(flash, i, buf[i - start]);
-+ result = 
(flash->chip->feature_bits & FEATURE_4BA_SUPPORT) == 0
-+ ? spi_byte_program(flash, i, buf[i - start])
-+ : flash->chip->four_bytes_addr_funcs.program_byte(flash, i, buf[i - start]);
- if (result)
- return 1;
- while (spi_read_status_register(flash) & SPI_SR_WIP)
-diff --git ./spi4ba.c ./spi4ba.c
-new file mode 100644
-index 0000000..6e1cc9b
---- /dev/null
-+++ ./spi4ba.c
-@@ -0,0 +1,920 @@
-+/*
-+ * This file is part of the flashrom project.
-+ *
-+ * Copyright (C) 2014 Boris Baykov
-+ *
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; version 2 of the License.
-+ *
-+ * This program is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ * GNU General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with this program; if not, write to the Free Software
-+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
-+ */
-+
-+/*
-+ * SPI chip driver functions for 4-bytes addressing
-+ */
-+
-+#include
-+#include "flash.h"
-+#include "chipdrivers.h"
-+#include "spi.h"
-+#include "programmer.h"
-+#include "spi4ba.h"
-+
-+/* #define MSG_TRACE_4BA_FUNCS 1 */
-+
-+#ifdef MSG_TRACE_4BA_FUNCS
-+#define msg_trace(...) print(MSG_DEBUG, __VA_ARGS__)
-+#else
-+#define msg_trace(...) 
-+#endif
-+
-+/* Enter 4-bytes addressing mode (without sending WREN before) */
-+int spi_enter_4ba_b7(struct flashctx *flash)
-+{
-+ const unsigned char cmd[JEDEC_ENTER_4_BYTE_ADDR_MODE_OUTSIZE] = { JEDEC_ENTER_4_BYTE_ADDR_MODE };
-+
-+ msg_trace("-> %s\n", __func__);
-+
-+ /* Switch to 4-bytes addressing mode */
-+ return spi_send_command(flash, sizeof(cmd), 0, cmd, NULL);
-+}
-+
-+/* Enter 4-bytes addressing mode with sending WREN before */
-+int spi_enter_4ba_b7_we(struct flashctx *flash)
-+{
-+ int result;
-+ struct spi_command cmds[] = {
-+ {
-+ .writecnt = JEDEC_WREN_OUTSIZE,
-+ .writearr = (const unsigned char[]){ JEDEC_WREN },
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = JEDEC_ENTER_4_BYTE_ADDR_MODE_OUTSIZE,
-+ .writearr = (const unsigned char[]){ JEDEC_ENTER_4_BYTE_ADDR_MODE },
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = 0,
-+ .writearr = NULL,
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }};
-+
-+ msg_trace("-> %s\n", __func__);
-+
-+ /* Switch to 4-bytes addressing mode */
-+ result = spi_send_multicommand(flash, cmds);
-+ if (result) {
-+ msg_cerr("%s failed during command execution\n", __func__);
-+ }
-+ return result;
-+}
-+
-+/* Program one flash byte from 4-bytes addressing mode */
-+int spi_byte_program_4ba(struct flashctx *flash, unsigned int addr,
-+ uint8_t databyte)
-+{
-+ int result;
-+ struct spi_command cmds[] = {
-+ {
-+ .writecnt = JEDEC_WREN_OUTSIZE,
-+ .writearr = (const unsigned char[]){ JEDEC_WREN },
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = JEDEC_BYTE_PROGRAM_OUTSIZE + 1,
-+ .writearr = (const unsigned char[]){
-+ JEDEC_BYTE_PROGRAM,
-+ (addr >> 24) & 0xff,
-+ (addr >> 16) & 0xff,
-+ (addr >> 8) & 0xff,
-+ (addr & 0xff),
-+ databyte
-+ },
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = 0,
-+ .writearr = NULL,
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }};
-+
-+ msg_trace("-> %s (0x%08X)\n", __func__, addr);
-+
-+ result = spi_send_multicommand(flash, cmds);
-+ if (result) {
-+ 
msg_cerr("%s failed during command execution at address 0x%x\n",
-+ __func__, addr);
-+ }
-+ return result;
-+}
-+
-+/* Program flash bytes from 4-bytes addressing mode */
-+int spi_nbyte_program_4ba(struct flashctx *flash, unsigned int addr,
-+ const uint8_t *bytes, unsigned int len)
-+{
-+ int result;
-+ unsigned char cmd[(JEDEC_BYTE_PROGRAM_OUTSIZE + 1) - 1 + 256] = {
-+ JEDEC_BYTE_PROGRAM,
-+ (addr >> 24) & 0xff,
-+ (addr >> 16) & 0xff,
-+ (addr >> 8) & 0xff,
-+ (addr >> 0) & 0xff
-+ };
-+ struct spi_command cmds[] = {
-+ {
-+ .writecnt = JEDEC_WREN_OUTSIZE,
-+ .writearr = (const unsigned char[]){ JEDEC_WREN },
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = (JEDEC_BYTE_PROGRAM_OUTSIZE + 1) - 1 + len,
-+ .writearr = cmd,
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = 0,
-+ .writearr = NULL,
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }};
-+
-+ msg_trace("-> %s (0x%08X-0x%08X)\n", __func__, addr, addr + len - 1);
-+
-+ if (!len) {
-+ msg_cerr("%s called for zero-length write\n", __func__);
-+ return 1;
-+ }
-+ if (len > 256) {
-+ msg_cerr("%s called for too long a write\n", __func__);
-+ return 1;
-+ }
-+
-+ memcpy(&cmd[(JEDEC_BYTE_PROGRAM_OUTSIZE + 1) - 1], bytes, len);
-+
-+ result = spi_send_multicommand(flash, cmds);
-+ if (result) {
-+ msg_cerr("%s failed during command execution at address 0x%x\n",
-+ __func__, addr);
-+ }
-+ return result;
-+}
-+
-+/* Read flash bytes from 4-bytes addressing mode */
-+int spi_nbyte_read_4ba(struct flashctx *flash, unsigned int addr,
-+ uint8_t *bytes, unsigned int len)
-+{
-+ const unsigned char cmd[JEDEC_READ_OUTSIZE + 1] = {
-+ JEDEC_READ,
-+ (addr >> 24) & 0xff,
-+ (addr >> 16) & 0xff,
-+ (addr >> 8) & 0xff,
-+ (addr >> 0) & 0xff
-+ };
-+
-+ msg_trace("-> %s (0x%08X-0x%08X)\n", __func__, addr, addr + len - 1);
-+
-+ /* Send Read */
-+ return spi_send_command(flash, sizeof(cmd), len, cmd, bytes);
-+}
-+
-+/* Erases 4 KB of flash from 4-bytes addressing mode */
-+int spi_block_erase_20_4ba(struct 
flashctx *flash, unsigned int addr,
-+ unsigned int blocklen)
-+{
-+ int result;
-+ struct spi_command cmds[] = {
-+ {
-+ .writecnt = JEDEC_WREN_OUTSIZE,
-+ .writearr = (const unsigned char[]){ JEDEC_WREN },
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = JEDEC_SE_OUTSIZE + 1,
-+ .writearr = (const unsigned char[]){
-+ JEDEC_SE,
-+ (addr >> 24) & 0xff,
-+ (addr >> 16) & 0xff,
-+ (addr >> 8) & 0xff,
-+ (addr & 0xff)
-+ },
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = 0,
-+ .writearr = NULL,
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }};
-+
-+ msg_trace("-> %s (0x%08X-0x%08X)\n", __func__, addr, addr + blocklen - 1);
-+
-+ result = spi_send_multicommand(flash, cmds);
-+ if (result) {
-+ msg_cerr("%s failed during command execution at address 0x%x\n",
-+ __func__, addr);
-+ return result;
-+ }
-+ /* Wait until the Write-In-Progress bit is cleared.
-+ * This usually takes 15-800 ms, so wait in 10 ms steps.
-+ */
-+ while (spi_read_status_register(flash) & SPI_SR_WIP)
-+ programmer_delay(10 * 1000);
-+ /* FIXME: Check the status register for errors. 
*/
-+ return 0;
-+}
-+
-+/* Erases 32 KB of flash from 4-bytes addressing mode */
-+int spi_block_erase_52_4ba(struct flashctx *flash, unsigned int addr,
-+ unsigned int blocklen)
-+{
-+ int result;
-+ struct spi_command cmds[] = {
-+ {
-+ .writecnt = JEDEC_WREN_OUTSIZE,
-+ .writearr = (const unsigned char[]){ JEDEC_WREN },
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = JEDEC_BE_52_OUTSIZE + 1,
-+ .writearr = (const unsigned char[]){
-+ JEDEC_BE_52,
-+ (addr >> 24) & 0xff,
-+ (addr >> 16) & 0xff,
-+ (addr >> 8) & 0xff,
-+ (addr & 0xff)
-+ },
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = 0,
-+ .writearr = NULL,
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }};
-+
-+ msg_trace("-> %s (0x%08X-0x%08X)\n", __func__, addr, addr + blocklen - 1);
-+
-+ result = spi_send_multicommand(flash, cmds);
-+ if (result) {
-+ msg_cerr("%s failed during command execution at address 0x%x\n",
-+ __func__, addr);
-+ return result;
-+ }
-+ /* Wait until the Write-In-Progress bit is cleared.
-+ * This usually takes 100-4000 ms, so wait in 100 ms steps.
-+ */
-+ while (spi_read_status_register(flash) & SPI_SR_WIP)
-+ programmer_delay(100 * 1000);
-+ /* FIXME: Check the status register for errors. 
*/
-+ return 0;
-+}
-+
-+/* Erases 64 KB of flash from 4-bytes addressing mode */
-+int spi_block_erase_d8_4ba(struct flashctx *flash, unsigned int addr,
-+ unsigned int blocklen)
-+{
-+ int result;
-+ struct spi_command cmds[] = {
-+ {
-+ .writecnt = JEDEC_WREN_OUTSIZE,
-+ .writearr = (const unsigned char[]){ JEDEC_WREN },
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = JEDEC_BE_D8_OUTSIZE + 1,
-+ .writearr = (const unsigned char[]){
-+ JEDEC_BE_D8,
-+ (addr >> 24) & 0xff,
-+ (addr >> 16) & 0xff,
-+ (addr >> 8) & 0xff,
-+ (addr & 0xff)
-+ },
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = 0,
-+ .writearr = NULL,
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }};
-+
-+ msg_trace("-> %s (0x%08X-0x%08X)\n", __func__, addr, addr + blocklen - 1);
-+
-+ result = spi_send_multicommand(flash, cmds);
-+ if (result) {
-+ msg_cerr("%s failed during command execution at address 0x%x\n",
-+ __func__, addr);
-+ return result;
-+ }
-+ /* Wait until the Write-In-Progress bit is cleared.
-+ * This usually takes 100-4000 ms, so wait in 100 ms steps.
-+ */
-+ while (spi_read_status_register(flash) & SPI_SR_WIP)
-+ programmer_delay(100 * 1000);
-+ /* FIXME: Check the status register for errors. 
*/
-+ return 0;
-+}
-+
-+/* Write Extended Address Register value */
-+int spi_write_extended_address_register(struct flashctx *flash, uint8_t regdata)
-+{
-+ int result;
-+ struct spi_command cmds[] = {
-+ {
-+ .writecnt = JEDEC_WREN_OUTSIZE,
-+ .writearr = (const unsigned char[]){ JEDEC_WREN },
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = JEDEC_WRITE_EXT_ADDR_REG_OUTSIZE,
-+ .writearr = (const unsigned char[]){
-+ JEDEC_WRITE_EXT_ADDR_REG,
-+ regdata
-+ },
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = 0,
-+ .writearr = NULL,
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }};
-+
-+ msg_trace("-> %s (%02X)\n", __func__, regdata);
-+
-+ result = spi_send_multicommand(flash, cmds);
-+ if (result) {
-+ msg_cerr("%s failed during command execution\n", __func__);
-+ return result;
-+ }
-+ return 0;
-+}
-+
-+/* Assign required value of Extended Address Register. This function
-+ keeps last value of the register and writes the register if the
-+ value has to be changed only. 
*/
-+int set_extended_address_register(struct flashctx *flash, uint8_t data)
-+{
-+ static uint8_t ext_addr_reg_state; /* memory for last register state */
-+ static int ext_addr_reg_state_valid = 0;
-+ int result;
-+
-+ if (ext_addr_reg_state_valid == 0 || data != ext_addr_reg_state) {
-+ result = spi_write_extended_address_register(flash, data);
-+ if (result) {
-+ ext_addr_reg_state_valid = 0;
-+ return result;
-+ }
-+ ext_addr_reg_state = data;
-+ ext_addr_reg_state_valid = 1;
-+ }
-+ return 0;
-+}
-+
-+/* Program one flash byte using Extended Address Register
-+ from 3-bytes addressing mode */
-+int spi_byte_program_4ba_ereg(struct flashctx *flash, unsigned int addr,
-+ uint8_t databyte)
-+{
-+ int result;
-+ struct spi_command cmds[] = {
-+ {
-+ .writecnt = JEDEC_WREN_OUTSIZE,
-+ .writearr = (const unsigned char[]){ JEDEC_WREN },
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = JEDEC_BYTE_PROGRAM_OUTSIZE,
-+ .writearr = (const unsigned char[]){
-+ JEDEC_BYTE_PROGRAM,
-+ (addr >> 16) & 0xff,
-+ (addr >> 8) & 0xff,
-+ (addr & 0xff),
-+ databyte
-+ },
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = 0,
-+ .writearr = NULL,
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }};
-+
-+ msg_trace("-> %s (0x%08X)\n", __func__, addr);
-+
-+ result = set_extended_address_register(flash, (addr >> 24) & 0xff);
-+ if (result)
-+ return result;
-+
-+ result = spi_send_multicommand(flash, cmds);
-+ if (result) {
-+ msg_cerr("%s failed during command execution at address 0x%x\n",
-+ __func__, addr);
-+ }
-+ return result;
-+}
-+
-+/* Program flash bytes using Extended Address Register
-+ from 3-bytes addressing mode */
-+int spi_nbyte_program_4ba_ereg(struct flashctx *flash, unsigned int addr,
-+ const uint8_t *bytes, unsigned int len)
-+{
-+ int result;
-+ unsigned char cmd[JEDEC_BYTE_PROGRAM_OUTSIZE - 1 + 256] = {
-+ JEDEC_BYTE_PROGRAM,
-+ (addr >> 16) & 0xff,
-+ (addr >> 8) & 0xff,
-+ (addr >> 0) & 0xff
-+ };
-+ struct spi_command cmds[] = {
-+ {
-+ .writecnt = 
JEDEC_WREN_OUTSIZE,
-+ .writearr = (const unsigned char[]){ JEDEC_WREN },
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = JEDEC_BYTE_PROGRAM_OUTSIZE - 1 + len,
-+ .writearr = cmd,
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = 0,
-+ .writearr = NULL,
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }};
-+
-+ msg_trace("-> %s (0x%08X-0x%08X)\n", __func__, addr, addr + len - 1);
-+
-+ if (!len) {
-+ msg_cerr("%s called for zero-length write\n", __func__);
-+ return 1;
-+ }
-+ if (len > 256) {
-+ msg_cerr("%s called for too long a write\n", __func__);
-+ return 1;
-+ }
-+
-+ memcpy(&cmd[JEDEC_BYTE_PROGRAM_OUTSIZE - 1], bytes, len);
-+
-+ result = set_extended_address_register(flash, (addr >> 24) & 0xff);
-+ if (result)
-+ return result;
-+
-+ result = spi_send_multicommand(flash, cmds);
-+ if (result) {
-+ msg_cerr("%s failed during command execution at address 0x%x\n",
-+ __func__, addr);
-+ }
-+ return result;
-+}
-+
-+/* Read flash bytes using Extended Address Register
-+ from 3-bytes addressing mode */
-+int spi_nbyte_read_4ba_ereg(struct flashctx *flash, unsigned int addr,
-+ uint8_t *bytes, unsigned int len)
-+{
-+ int result;
-+ const unsigned char cmd[JEDEC_READ_OUTSIZE] = {
-+ JEDEC_READ,
-+ (addr >> 16) & 0xff,
-+ (addr >> 8) & 0xff,
-+ (addr >> 0) & 0xff
-+ };
-+
-+ msg_trace("-> %s (0x%08X-0x%08X)\n", __func__, addr, addr + len - 1);
-+
-+ result = set_extended_address_register(flash, (addr >> 24) & 0xff);
-+ if (result)
-+ return result;
-+
-+ /* Send Read */
-+ return spi_send_command(flash, sizeof(cmd), len, cmd, bytes);
-+}
-+
-+/* Erases 4 KB of flash using Extended Address Register
-+ from 3-bytes addressing mode */
-+int spi_block_erase_20_4ba_ereg(struct flashctx *flash, unsigned int addr,
-+ unsigned int blocklen)
-+{
-+ int result;
-+ struct spi_command cmds[] = {
-+ {
-+ .writecnt = JEDEC_WREN_OUTSIZE,
-+ .writearr = (const unsigned char[]){ JEDEC_WREN },
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = 
JEDEC_SE_OUTSIZE,
-+ .writearr = (const unsigned char[]){
-+ JEDEC_SE,
-+ (addr >> 16) & 0xff,
-+ (addr >> 8) & 0xff,
-+ (addr & 0xff)
-+ },
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = 0,
-+ .writearr = NULL,
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }};
-+
-+ msg_trace("-> %s (0x%08X-0x%08X)\n", __func__, addr, addr + blocklen - 1);
-+
-+ result = set_extended_address_register(flash, (addr >> 24) & 0xff);
-+ if (result)
-+ return result;
-+
-+ result = spi_send_multicommand(flash, cmds);
-+ if (result) {
-+ msg_cerr("%s failed during command execution at address 0x%x\n",
-+ __func__, addr);
-+ return result;
-+ }
-+ /* Wait until the Write-In-Progress bit is cleared.
-+ * This usually takes 15-800 ms, so wait in 10 ms steps.
-+ */
-+ while (spi_read_status_register(flash) & SPI_SR_WIP)
-+ programmer_delay(10 * 1000);
-+ /* FIXME: Check the status register for errors. */
-+ return 0;
-+}
-+
-+/* Erases 32 KB of flash using Extended Address Register
-+ from 3-bytes addressing mode */
-+int spi_block_erase_52_4ba_ereg(struct flashctx *flash, unsigned int addr,
-+ unsigned int blocklen)
-+{
-+ int result;
-+ struct spi_command cmds[] = {
-+ {
-+ .writecnt = JEDEC_WREN_OUTSIZE,
-+ .writearr = (const unsigned char[]){ JEDEC_WREN },
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = JEDEC_BE_52_OUTSIZE,
-+ .writearr = (const unsigned char[]){
-+ JEDEC_BE_52,
-+ (addr >> 16) & 0xff,
-+ (addr >> 8) & 0xff,
-+ (addr & 0xff)
-+ },
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = 0,
-+ .writearr = NULL,
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }};
-+
-+ msg_trace("-> %s (0x%08X-0x%08X)\n", __func__, addr, addr + blocklen - 1);
-+
-+ result = set_extended_address_register(flash, (addr >> 24) & 0xff);
-+ if (result)
-+ return result;
-+
-+ result = spi_send_multicommand(flash, cmds);
-+ if (result) {
-+ msg_cerr("%s failed during command execution at address 0x%x\n",
-+ __func__, addr);
-+ return result;
-+ }
-+ /* Wait until the 
Write-In-Progress bit is cleared.
-+ * This usually takes 100-4000 ms, so wait in 100 ms steps.
-+ */
-+ while (spi_read_status_register(flash) & SPI_SR_WIP)
-+ programmer_delay(100 * 1000);
-+ /* FIXME: Check the status register for errors. */
-+ return 0;
-+}
-+
-+/* Erases 64 KB of flash using Extended Address Register
-+ from 3-bytes addressing mode */
-+int spi_block_erase_d8_4ba_ereg(struct flashctx *flash, unsigned int addr,
-+ unsigned int blocklen)
-+{
-+ int result;
-+ struct spi_command cmds[] = {
-+ {
-+ .writecnt = JEDEC_WREN_OUTSIZE,
-+ .writearr = (const unsigned char[]){ JEDEC_WREN },
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = JEDEC_BE_D8_OUTSIZE,
-+ .writearr = (const unsigned char[]){
-+ JEDEC_BE_D8,
-+ (addr >> 16) & 0xff,
-+ (addr >> 8) & 0xff,
-+ (addr & 0xff)
-+ },
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = 0,
-+ .writearr = NULL,
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }};
-+
-+ msg_trace("-> %s (0x%08X-0x%08X)\n", __func__, addr, addr + blocklen - 1);
-+
-+ result = set_extended_address_register(flash, (addr >> 24) & 0xff);
-+ if (result)
-+ return result;
-+
-+ result = spi_send_multicommand(flash, cmds);
-+ if (result) {
-+ msg_cerr("%s failed during command execution at address 0x%x\n",
-+ __func__, addr);
-+ return result;
-+ }
-+ /* Wait until the Write-In-Progress bit is cleared.
-+ * This usually takes 100-4000 ms, so wait in 100 ms steps.
-+ */
-+ while (spi_read_status_register(flash) & SPI_SR_WIP)
-+ programmer_delay(100 * 1000);
-+ /* FIXME: Check the status register for errors. */
-+ return 0;
-+}
-+
-+/* Program one flash byte with 4-bytes address from ANY mode (3-bytes or 4-bytes)
-+ JEDEC_BYTE_PROGRAM_4BA (12h) instruction is new for 4-bytes addressing flash chips.
-+ The presence of this instruction for an exact chip should be checked
-+ by its datasheet or from SFDP 4-Bytes Address Instruction Table (JESD216B). 
*/
-+int spi_byte_program_4ba_direct(struct flashctx *flash, unsigned int addr,
-+ uint8_t databyte)
-+{
-+ int result;
-+ struct spi_command cmds[] = {
-+ {
-+ .writecnt = JEDEC_WREN_OUTSIZE,
-+ .writearr = (const unsigned char[]){ JEDEC_WREN },
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = JEDEC_BYTE_PROGRAM_4BA_OUTSIZE,
-+ .writearr = (const unsigned char[]){
-+ JEDEC_BYTE_PROGRAM_4BA,
-+ (addr >> 24) & 0xff,
-+ (addr >> 16) & 0xff,
-+ (addr >> 8) & 0xff,
-+ (addr & 0xff),
-+ databyte
-+ },
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = 0,
-+ .writearr = NULL,
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }};
-+
-+ msg_trace("-> %s (0x%08X)\n", __func__, addr);
-+
-+ result = spi_send_multicommand(flash, cmds);
-+ if (result) {
-+ msg_cerr("%s failed during command execution at address 0x%x\n",
-+ __func__, addr);
-+ }
-+ return result;
-+}
-+
-+/* Program flash bytes with 4-bytes address from ANY mode (3-bytes or 4-bytes)
-+ JEDEC_BYTE_PROGRAM_4BA (12h) instruction is new for 4-bytes addressing flash chips.
-+ The presence of this instruction for an exact chip should be checked
-+ by its datasheet or from SFDP 4-Bytes Address Instruction Table (JESD216B). 
*/
-+int spi_nbyte_program_4ba_direct(struct flashctx *flash, unsigned int addr,
-+ const uint8_t *bytes, unsigned int len)
-+{
-+ int result;
-+ unsigned char cmd[JEDEC_BYTE_PROGRAM_4BA_OUTSIZE - 1 + 256] = {
-+ JEDEC_BYTE_PROGRAM_4BA,
-+ (addr >> 24) & 0xff,
-+ (addr >> 16) & 0xff,
-+ (addr >> 8) & 0xff,
-+ (addr >> 0) & 0xff
-+ };
-+ struct spi_command cmds[] = {
-+ {
-+ .writecnt = JEDEC_WREN_OUTSIZE,
-+ .writearr = (const unsigned char[]){ JEDEC_WREN },
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = JEDEC_BYTE_PROGRAM_4BA_OUTSIZE - 1 + len,
-+ .writearr = cmd,
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = 0,
-+ .writearr = NULL,
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }};
-+
-+ msg_trace("-> %s (0x%08X-0x%08X)\n", __func__, addr, addr + len - 1);
-+
-+ if (!len) {
-+ msg_cerr("%s called for zero-length write\n", __func__);
-+ return 1;
-+ }
-+ if (len > 256) {
-+ msg_cerr("%s called for too long a write\n", __func__);
-+ return 1;
-+ }
-+
-+ memcpy(&cmd[JEDEC_BYTE_PROGRAM_4BA_OUTSIZE - 1], bytes, len);
-+
-+ result = spi_send_multicommand(flash, cmds);
-+ if (result) {
-+ msg_cerr("%s failed during command execution at address 0x%x\n",
-+ __func__, addr);
-+ }
-+ return result;
-+}
-+
-+/* Read flash bytes with 4-bytes address from ANY mode (3-bytes or 4-bytes)
-+ JEDEC_READ_4BA (13h) instruction is new for 4-bytes addressing flash chips.
-+ The presence of this instruction for an exact chip should be checked
-+ by its datasheet or from SFDP 4-Bytes Address Instruction Table (JESD216B). 
*/
-+int spi_nbyte_read_4ba_direct(struct flashctx *flash, unsigned int addr,
-+ uint8_t *bytes, unsigned int len)
-+{
-+ const unsigned char cmd[JEDEC_READ_4BA_OUTSIZE] = {
-+ JEDEC_READ_4BA,
-+ (addr >> 24) & 0xff,
-+ (addr >> 16) & 0xff,
-+ (addr >> 8) & 0xff,
-+ (addr >> 0) & 0xff
-+ };
-+
-+ msg_trace("-> %s (0x%08X-0x%08X)\n", __func__, addr, addr + len - 1);
-+
-+ /* Send Read */
-+ return spi_send_command(flash, sizeof(cmd), len, cmd, bytes);
-+}
-+
-+/* Erase 4 KB of flash with 4-bytes address from ANY mode (3-bytes or 4-bytes)
-+ JEDEC_SE_4BA (21h) instruction is new for 4-bytes addressing flash chips.
-+ The presence of this instruction for an exact chip should be checked
-+ by its datasheet or from SFDP 4-Bytes Address Instruction Table (JESD216B). */
-+int spi_block_erase_21_4ba_direct(struct flashctx *flash, unsigned int addr,
-+ unsigned int blocklen)
-+{
-+ int result;
-+ struct spi_command cmds[] = {
-+ {
-+ .writecnt = JEDEC_WREN_OUTSIZE,
-+ .writearr = (const unsigned char[]){ JEDEC_WREN },
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = JEDEC_SE_4BA_OUTSIZE,
-+ .writearr = (const unsigned char[]){
-+ JEDEC_SE_4BA,
-+ (addr >> 24) & 0xff,
-+ (addr >> 16) & 0xff,
-+ (addr >> 8) & 0xff,
-+ (addr & 0xff)
-+ },
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }, {
-+ .writecnt = 0,
-+ .writearr = NULL,
-+ .readcnt = 0,
-+ .readarr = NULL,
-+ }};
-+
-+ msg_trace("-> %s (0x%08X-0x%08X)\n", __func__, addr, addr + blocklen - 1);
-+
-+ result = spi_send_multicommand(flash, cmds);
-+ if (result) {
-+ msg_cerr("%s failed during command execution at address 0x%x\n",
-+ __func__, addr);
-+ return result;
-+ }
-+ /* Wait until the Write-In-Progress bit is cleared.
-+ * This usually takes 15-800 ms, so wait in 10 ms steps.
-+ */
-+ while (spi_read_status_register(flash) & SPI_SR_WIP)
-+ programmer_delay(10 * 1000);
-+ /* FIXME: Check the status register for errors. 
*/ -+ return 0; -+} -+ -+/* Erase 32 KB of flash with 4-bytes address from ANY mode (3-bytes or 4-bytes) -+ JEDEC_BE_5C_4BA (5Ch) instruction is new for 4-bytes addressing flash chips. -+ The presence of this instruction for an exact chip should be checked -+ by its datasheet or from SFDP 4-Bytes Address Instruction Table (JESD216B). */ -+int spi_block_erase_5c_4ba_direct(struct flashctx *flash, unsigned int addr, -+ unsigned int blocklen) -+{ -+ int result; -+ struct spi_command cmds[] = { -+ { -+ .writecnt = JEDEC_WREN_OUTSIZE, -+ .writearr = (const unsigned char[]){ JEDEC_WREN }, -+ .readcnt = 0, -+ .readarr = NULL, -+ }, { -+ .writecnt = JEDEC_BE_5C_4BA_OUTSIZE, -+ .writearr = (const unsigned char[]){ -+ JEDEC_BE_5C_4BA, -+ (addr >> 24) & 0xff, -+ (addr >> 16) & 0xff, -+ (addr >> 8) & 0xff, -+ (addr & 0xff) -+ }, -+ .readcnt = 0, -+ .readarr = NULL, -+ }, { -+ .writecnt = 0, -+ .writearr = NULL, -+ .readcnt = 0, -+ .readarr = NULL, -+ }}; -+ -+ msg_trace("-> %s (0x%08X-0x%08X)\n", __func__, addr, addr + blocklen - 1); -+ -+ result = spi_send_multicommand(flash, cmds); -+ if (result) { -+ msg_cerr("%s failed during command execution at address 0x%x\n", -+ __func__, addr); -+ return result; -+ } -+ /* Wait until the Write-In-Progress bit is cleared. -+ * This usually takes 100-4000 ms, so wait in 100 ms steps. -+ */ -+ while (spi_read_status_register(flash) & SPI_SR_WIP) -+ programmer_delay(100 * 1000); -+ /* FIXME: Check the status register for errors. */ -+ return 0; -+} -+ -+/* Erase 64 KB of flash with 4-bytes address from ANY mode (3-bytes or 4-bytes) -+ JEDEC_BE_DC_4BA (DCh) instruction is new for 4-bytes addressing flash chips. -+ The presence of this instruction for an exact chip should be checked -+ by its datasheet or from SFDP 4-Bytes Address Instruction Table (JESD216B). 
*/ -+int spi_block_erase_dc_4ba_direct(struct flashctx *flash, unsigned int addr, -+ unsigned int blocklen) -+{ -+ int result; -+ struct spi_command cmds[] = { -+ { -+ .writecnt = JEDEC_WREN_OUTSIZE, -+ .writearr = (const unsigned char[]){ JEDEC_WREN }, -+ .readcnt = 0, -+ .readarr = NULL, -+ }, { -+ .writecnt = JEDEC_BE_DC_4BA_OUTSIZE, -+ .writearr = (const unsigned char[]){ -+ JEDEC_BE_DC_4BA, -+ (addr >> 24) & 0xff, -+ (addr >> 16) & 0xff, -+ (addr >> 8) & 0xff, -+ (addr & 0xff) -+ }, -+ .readcnt = 0, -+ .readarr = NULL, -+ }, { -+ .writecnt = 0, -+ .writearr = NULL, -+ .readcnt = 0, -+ .readarr = NULL, -+ }}; -+ -+ msg_trace("-> %s (0x%08X-0x%08X)\n", __func__, addr, addr + blocklen - 1); -+ -+ result = spi_send_multicommand(flash, cmds); -+ if (result) { -+ msg_cerr("%s failed during command execution at address 0x%x\n", -+ __func__, addr); -+ return result; -+ } -+ /* Wait until the Write-In-Progress bit is cleared. -+ * This usually takes 100-4000 ms, so wait in 100 ms steps. -+ */ -+ while (spi_read_status_register(flash) & SPI_SR_WIP) -+ programmer_delay(100 * 1000); -+ /* FIXME: Check the status register for errors. */ -+ return 0; -+} -diff --git ./spi4ba.h ./spi4ba.h -new file mode 100644 -index 0000000..8e500d1 ---- /dev/null -+++ ./spi4ba.h -@@ -0,0 +1,114 @@ -+/* -+ * This file is part of the flashrom project. -+ * -+ * Copyright (C) 2014 Boris Baykov -+ * -+ * This program is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 2 of the License, or -+ * (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. 
-+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA -+*/ -+ -+/* -+ * JEDEC flash chips instructions for 4-bytes addressing -+ * SPI chip driver functions for 4-bytes addressing -+ */ -+ -+#ifndef __SPI_4BA_H__ -+#define __SPI_4BA_H__ 1 -+ -+/* Enter 4-byte Address Mode */ -+#define JEDEC_ENTER_4_BYTE_ADDR_MODE 0xB7 -+#define JEDEC_ENTER_4_BYTE_ADDR_MODE_OUTSIZE 0x01 -+#define JEDEC_ENTER_4_BYTE_ADDR_MODE_INSIZE 0x00 -+ -+/* Exit 4-byte Address Mode */ -+#define JEDEC_EXIT_4_BYTE_ADDR_MODE 0xE9 -+#define JEDEC_EXIT_4_BYTE_ADDR_MODE_OUTSIZE 0x01 -+#define JEDEC_EXIT_4_BYTE_ADDR_MODE_INSIZE 0x00 -+ -+/* Write Extended Address Register */ -+#define JEDEC_WRITE_EXT_ADDR_REG 0xC5 -+#define JEDEC_WRITE_EXT_ADDR_REG_OUTSIZE 0x02 -+#define JEDEC_WRITE_EXT_ADDR_REG_INSIZE 0x00 -+ -+/* Read Extended Address Register */ -+#define JEDEC_READ_EXT_ADDR_REG 0xC8 -+#define JEDEC_READ_EXT_ADDR_REG_OUTSIZE 0x01 -+#define JEDEC_READ_EXT_ADDR_REG_INSIZE 0x01 -+ -+/* Read the memory with 4-byte address -+ From ANY mode (3-bytes or 4-bytes) it works with 4-byte address */ -+#define JEDEC_READ_4BA 0x13 -+#define JEDEC_READ_4BA_OUTSIZE 0x05 -+/* JEDEC_READ_4BA_INSIZE : any length */ -+ -+/* Write memory byte with 4-byte address -+ From ANY mode (3-bytes or 4-bytes) it works with 4-byte address */ -+#define JEDEC_BYTE_PROGRAM_4BA 0x12 -+#define JEDEC_BYTE_PROGRAM_4BA_OUTSIZE 0x06 -+#define JEDEC_BYTE_PROGRAM_4BA_INSIZE 0x00 -+ -+/* Sector Erase 0x21 (with 4-byte address), usually 4k size. -+ From ANY mode (3-bytes or 4-bytes) it works with 4-byte address */ -+#define JEDEC_SE_4BA 0x21 -+#define JEDEC_SE_4BA_OUTSIZE 0x05 -+#define JEDEC_SE_4BA_INSIZE 0x00 -+ -+/* Block Erase 0x5C (with 4-byte address), usually 32k size. 
-+ From ANY mode (3-bytes or 4-bytes) it works with 4-byte address */ -+#define JEDEC_BE_5C_4BA 0x5C -+#define JEDEC_BE_5C_4BA_OUTSIZE 0x05 -+#define JEDEC_BE_5C_4BA_INSIZE 0x00 -+ -+/* Block Erase 0xDC (with 4-byte address), usually 64k size. -+ From ANY mode (3-bytes or 4-bytes) it works with 4-byte address */ -+#define JEDEC_BE_DC_4BA 0xdc -+#define JEDEC_BE_DC_4BA_OUTSIZE 0x05 -+#define JEDEC_BE_DC_4BA_INSIZE 0x00 -+ -+/* enter 4-bytes addressing mode */ -+int spi_enter_4ba_b7(struct flashctx *flash); -+int spi_enter_4ba_b7_we(struct flashctx *flash); -+ -+/* read/write flash bytes in 4-bytes addressing mode */ -+int spi_byte_program_4ba(struct flashctx *flash, unsigned int addr, uint8_t databyte); -+int spi_nbyte_program_4ba(struct flashctx *flash, unsigned int addr, const uint8_t *bytes, unsigned int len); -+int spi_nbyte_read_4ba(struct flashctx *flash, unsigned int addr, uint8_t *bytes, unsigned int len); -+ -+/* erase flash bytes in 4-bytes addressing mode */ -+int spi_block_erase_20_4ba(struct flashctx *flash, unsigned int addr, unsigned int blocklen); -+int spi_block_erase_52_4ba(struct flashctx *flash, unsigned int addr, unsigned int blocklen); -+int spi_block_erase_d8_4ba(struct flashctx *flash, unsigned int addr, unsigned int blocklen); -+ -+/* read/write flash bytes from 3-bytes addressing mode using extended address register */ -+int spi_byte_program_4ba_ereg(struct flashctx *flash, unsigned int addr, uint8_t databyte); -+int spi_nbyte_program_4ba_ereg(struct flashctx *flash, unsigned int addr, const uint8_t *bytes, unsigned int len); -+int spi_nbyte_read_4ba_ereg(struct flashctx *flash, unsigned int addr, uint8_t *bytes, unsigned int len); -+ -+/* erase flash bytes from 3-bytes addressing mode using extended address register */ -+int spi_block_erase_20_4ba_ereg(struct flashctx *flash, unsigned int addr, unsigned int blocklen); -+int spi_block_erase_52_4ba_ereg(struct flashctx *flash, unsigned int addr, unsigned int blocklen); -+int 
spi_block_erase_d8_4ba_ereg(struct flashctx *flash, unsigned int addr, unsigned int blocklen); -+ -+/* read/write flash bytes with 4-bytes address from any mode (3-byte or 4-byte) */ -+int spi_byte_program_4ba_direct(struct flashctx *flash, unsigned int addr, uint8_t databyte); -+int spi_nbyte_program_4ba_direct(struct flashctx *flash, unsigned int addr, const uint8_t *bytes, unsigned int len); -+int spi_nbyte_read_4ba_direct(struct flashctx *flash, unsigned int addr, uint8_t *bytes, unsigned int len); -+ -+/* erase flash bytes with 4-bytes address from any mode (3-byte or 4-byte) */ -+int spi_block_erase_21_4ba_direct(struct flashctx *flash, unsigned int addr, unsigned int blocklen); -+int spi_block_erase_5c_4ba_direct(struct flashctx *flash, unsigned int addr, unsigned int blocklen); -+int spi_block_erase_dc_4ba_direct(struct flashctx *flash, unsigned int addr, unsigned int blocklen); -+ -+ -+#endif /* __SPI_4BA_H__ */ diff --git a/patches/flashrom-1.0/0101-enable-thinkpad-x220.patch b/patches/flashrom-1.0/0101-enable-thinkpad-x220.patch deleted file mode 100644 index 43f8b5cab..000000000 --- a/patches/flashrom-1.0/0101-enable-thinkpad-x220.patch +++ /dev/null 
@@ -1,12 +0,0 @@ -diff --git ./board_enable.c ./board_enable.c -index b6e17ef..23acd7c 100644 ---- ./board_enable.c -+++ ./board_enable.c -@@ -2434,6 +2434,7 @@ const struct board_match board_matches[] = { - {0x8086, 0x27a0, 0x17aa, 0x2017, 0x8086, 0x27b9, 0x17aa, 0x2009, "^ThinkPad T60", NULL, NULL, P2, "IBM/Lenovo", "ThinkPad T60(s)", 0, OK, p2_whitelist_laptop}, - {0x8086, 0x2917, 0x17AA, 0x20F5, 0x8086, 0x2930, 0x17AA, 0x20F9, "^ThinkPad X200", NULL, NULL, P2, "IBM/Lenovo", "ThinkPad X200", 0, OK, p2_whitelist_laptop}, - {0x8086, 0x3B07, 0x17AA, 0x2166, 0x8086, 0x3B30, 0x17AA, 0x2167, "^Lenovo X201", NULL, NULL, P2, "IBM/Lenovo", "ThinkPad X201", 0, OK, p2_whitelist_laptop}, -+ {0x8086, 0x1C22, 0x17AA, 0x21DB, 0x8086, 0x1C4F, 0x17AA, 0x21DB, "^ThinkPad X220", NULL, NULL, P2, "IBM/Lenovo", "ThinkPad X220", 0, OK, p2_whitelist_laptop}, - {0x8086, 0x1E22, 0x17AA, 0x21FA, 0x8086, 0x1E55, 0x17AA, 0x21FA, "^ThinkPad X230", NULL, NULL, P2, "IBM/Lenovo", "ThinkPad X230", 0, OK, p2_whitelist_laptop}, - {0x8086, 0x27A0, 0x17AA, 0x2017, 0x8086, 0x27B9, 0x17AA, 0x2009, "^ThinkPad X60", NULL, NULL, P2, "IBM/Lenovo", "ThinkPad X60(s)", 0, OK, p2_whitelist_laptop}, - {0x8086, 0x2411, 0x8086, 0x2411, 0x8086, 0x7125, 0x0e11, 0xb165, NULL, NULL, NULL, P3, "Mitac", "6513WU", 0, OK, board_mitac_6513wu}, diff --git a/patches/flashrom-v1.2/0100-enable-kgpe-d16.patch b/patches/flashrom-v1.2/0100-enable-kgpe-d16.patch new file mode 100644 index 000000000..b4f8fa0b6 --- /dev/null +++ b/patches/flashrom-v1.2/0100-enable-kgpe-d16.patch 
@@ -0,0 +1,1097 @@ +diff --git a/Makefile b/Makefile +index 7242b09..c2fb32e 100644 +--- a/Makefile ++++ b/Makefile +@@ -236,6 +236,16 @@ UNSUPPORTED_FEATURES += CONFIG_GFXNVIDIA=yes + else + override CONFIG_GFXNVIDIA = no + endif ++ifeq ($(CONFIG_AST1100), yes) ++UNSUPPORTED_FEATURES += CONFIG_AST1100=yes ++else ++override CONFIG_AST1100 = no ++endif ++ifeq ($(CONFIG_AST2400), yes) ++UNSUPPORTED_FEATURES += CONFIG_AST2400=yes ++else ++override CONFIG_AST2400 = no ++endif + ifeq ($(CONFIG_SATASII), yes) + UNSUPPORTED_FEATURES += CONFIG_SATASII=yes + else +@@ -492,6 +502,16 @@ UNSUPPORTED_FEATURES += CONFIG_GFXNVIDIA=yes + else + override CONFIG_GFXNVIDIA = no + endif ++ifeq ($(CONFIG_AST1100), yes) ++UNSUPPORTED_FEATURES += CONFIG_AST1100=yes ++else ++override CONFIG_AST1100 = no ++endif ++ifeq ($(CONFIG_AST2400), yes) ++UNSUPPORTED_FEATURES += CONFIG_AST2400=yes ++else ++override CONFIG_AST2400 = no ++endif + ifeq ($(CONFIG_SATASII), yes) + UNSUPPORTED_FEATURES += CONFIG_SATASII=yes + else +@@ -616,6 +636,12 @@ CONFIG_NIC3COM ?= yes + # Enable NVIDIA graphics cards. Note: write and erase do not work properly. + CONFIG_GFXNVIDIA ?= yes + ++# Enable AST1100 BMC SoCs. ++CONFIG_AST1100 ?= yes ++ ++# Enable AST2400 BMC SoCs. ++CONFIG_AST2400 ?= yes ++ + # Always enable SiI SATA controllers for now. 
+ CONFIG_SATASII ?= yes + +@@ -728,6 +754,8 @@ ifeq ($(CONFIG_ENABLE_LIBPCI_PROGRAMMERS), no) + override CONFIG_INTERNAL = no + override CONFIG_NIC3COM = no + override CONFIG_GFXNVIDIA = no ++override CONFIG_AST1100 = no ++override CONFIG_AST2400 = no + override CONFIG_SATASII = no + override CONFIG_ATAHPT = no + override CONFIG_ATAVIA = no +@@ -840,6 +868,18 @@ PROGRAMMER_OBJS += gfxnvidia.o + NEED_LIBPCI += CONFIG_GFXNVIDIA + endif + ++ifeq ($(CONFIG_AST1100), yes) ++FEATURE_CFLAGS += -D'CONFIG_AST1100=1' ++PROGRAMMER_OBJS += ast1100.o ++NEED_LIBPCI += CONFIG_AST1100 ++endif ++ ++ifeq ($(CONFIG_AST2400), yes) ++FEATURE_CFLAGS += -D'CONFIG_AST2400=1' ++PROGRAMMER_OBJS += ast2400.o ++NEED_LIBPCI += CONFIG_AST2400 ++endif ++ + ifeq ($(CONFIG_SATASII), yes) + FEATURE_CFLAGS += -D'CONFIG_SATASII=1' + PROGRAMMER_OBJS += satasii.o +diff --git a/ast1100.c b/ast1100.c +new file mode 100644 +index 0000000..c7474e5 +--- /dev/null ++++ b/ast1100.c +@@ -0,0 +1,420 @@ ++/* ++ * This file is part of the flashrom project. ++ * ++ * Copyright (C) 2017 Raptor Engineering, LLC ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. 
++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA ++ */ ++ ++#include ++#include ++#include "flash.h" ++#include "programmer.h" ++#include "hwaccess.h" ++ ++#define PCI_VENDOR_ID_ASPEED 0x1a03 ++ ++#define ASPEED_MEMMAP_SIZE (128 * 1024) ++#define ASPEED_P2A_OFFSET 0x10000 ++ ++#define AST1100_SCU_APB_ADDR 0x1e6e2000 ++#define AST1100_SCU_APB_BRIDGE_OFFSET (AST1100_SCU_APB_ADDR & 0xffff) ++#define AST1100_SCU_PROT_KEY 0x00 ++#define AST1100_SCU_HW_STRAP 0x70 ++ ++#define AST1100_SCU_PASSWORD 0x1688a8a8 ++#define AST1100_SCU_BOOT_SRC_MASK 0x3 ++#define AST1100_SCU_BOOT_SPI 0x2 ++#define AST1100_SCU_BOOT_NONE 0x3 ++ ++#define AST1100_SMC_APB_ADDR 0x16000000 ++#define AST1100_SMC_SMC00 0x00 ++#define AST1100_SMC_CE_CTL(N) (0x4 + (N * 4)) ++ ++#define AST1100_SMC_SEGMENT_SIZE_MASK 0x3 ++#define AST1100_SMC_SEGMENT_SIZE_32M 0x0 ++#define AST1100_SMC_SEGMENT_SIZE_16M 0x1 ++#define AST1100_SMC_SEGMENT_SIZE_8M 0x2 ++#define AST1100_SMC_SEGMENT_SIZE_4M 0x3 ++ ++#define AST1100_SMC_FLASH_MMIO_ADDR 0x10000000 ++ ++#define AST1100_SPI_CMD_FAST_R_MODE 0x1 ++#define AST1100_SPI_CMD_USER_MODE 0x3 ++#define AST1100_SPI_CMD_MASK 0x3 ++#define AST1100_SPI_STOP_CE_ACTIVE (0x1 << 2) ++#define AST1100_SPI_SPEED_SHIFT 8 ++#define AST1100_SPI_SPEED_MASK (0x7 << AST1100_SPI_SPEED_SHIFT) ++ ++#define AST1100_SPI_FLASH_MMIO_ADDR 0x30000000 ++ ++#define AST1100_WDT_APB_ADDR 0x1e785000 ++#define AST1100_WDT_APB_BRIDGE_OFFSET (AST1100_WDT_APB_ADDR & 0xffff) ++ ++#define AST1100_WDT1_CTR 0x00 ++#define AST1100_WDT1_CTR_RELOAD 0x04 ++#define AST1100_WDT1_CTR_RESTART 0x08 ++#define AST1100_WDT1_CTL 0x0c ++ ++#define AST1100_WDT_SET_CLOCK (0x1 << 4) ++#define AST1100_WDT_RESET_SYSTEM (0x1 << 1) ++#define AST1100_WDT_ENABLE (0x1 << 0) ++ ++uint8_t *ast1100_device_bar = 0; ++uint8_t ast1100_device_spi_bus = 0; ++uint8_t 
ast1100_device_spi_speed = 0; ++uint8_t ast1100_device_halt_cpu = 0; ++uint8_t ast1100_device_reset_cpu = 0; ++uint8_t ast1100_device_resume_cpu = 0; ++uint8_t ast1100_device_tickle_fw = 0; ++uint32_t ast1100_device_flash_mmio_offset = 0; ++uint32_t ast1100_original_wdt_conf = 0; ++ ++const struct dev_entry bmc_aspeed_ast1100[] = { ++ {PCI_VENDOR_ID_ASPEED, 0x2000, OK, "ASPEED", "AST1100" }, ++ ++ {0}, ++}; ++ ++static int ast1100_spi_send_command(struct flashctx *flash, ++ unsigned int writecnt, unsigned int readcnt, ++ const unsigned char *writearr, ++ unsigned char *readarr); ++ ++static const struct spi_master spi_master_ast1100 = { ++ .max_data_read = 256, ++ .max_data_write = 256, ++ .command = ast1100_spi_send_command, ++ .multicommand = default_spi_send_multicommand, ++ .read = default_spi_read, ++ .write_256 = default_spi_write_256, ++ .write_aai = default_spi_write_aai, ++}; ++ ++static int ast1100_set_a2b_bridge_scu(void) ++{ ++ pci_mmio_writel(0x0, ast1100_device_bar + 0xf000); ++ pci_mmio_writel(AST1100_SCU_APB_ADDR & 0xffff0000, ast1100_device_bar + 0xf004); ++ pci_mmio_writel(0x1, ast1100_device_bar + 0xf000); ++ ++ return 0; ++} ++ ++static int ast1100_set_a2b_bridge_wdt(void) ++{ ++ pci_mmio_writel(0x0, ast1100_device_bar + 0xf000); ++ pci_mmio_writel(AST1100_WDT_APB_ADDR & 0xffff0000, ast1100_device_bar + 0xf004); ++ pci_mmio_writel(0x1, ast1100_device_bar + 0xf000); ++ ++ return 0; ++} ++ ++static int ast1100_set_a2b_bridge_smc(void) ++{ ++ pci_mmio_writel(0x0, ast1100_device_bar + 0xf000); ++ pci_mmio_writel(AST1100_SMC_APB_ADDR, ast1100_device_bar + 0xf004); ++ pci_mmio_writel(0x1, ast1100_device_bar + 0xf000); ++ ++ return 0; ++} ++ ++static int ast1100_set_a2b_bridge_smc_flash(void) ++{ ++ pci_mmio_writel(0x0, ast1100_device_bar + 0xf000); ++ pci_mmio_writel(AST1100_SMC_FLASH_MMIO_ADDR + ast1100_device_flash_mmio_offset, ast1100_device_bar + 0xf004); ++ pci_mmio_writel(0x1, ast1100_device_bar + 0xf000); ++ ++ return 0; ++} ++ ++static int 
ast1100_disable_cpu(void) { ++ uint32_t dword; ++ ++ if (ast1100_device_halt_cpu) { ++ dword = pci_mmio_readl(ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SCU_APB_BRIDGE_OFFSET + AST1100_SCU_HW_STRAP); ++ if (((dword & AST1100_SCU_BOOT_SRC_MASK) != AST1100_SCU_BOOT_SPI) ++ && ((dword & AST1100_SCU_BOOT_SRC_MASK) != AST1100_SCU_BOOT_NONE)) { /* NONE permitted to allow for BMC recovery after Ctrl+C or crash */ ++ msg_perr("CPU halt requested but CPU firmware source is not SPI.\n"); ++ pci_mmio_writel(0x0, ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SCU_APB_BRIDGE_OFFSET + AST1100_SCU_PROT_KEY); ++ ast1100_device_halt_cpu = 0; ++ return 1; ++ } ++ ++ /* Disable CPU */ ++ ast1100_set_a2b_bridge_scu(); ++ pci_mmio_writel((dword & ~AST1100_SCU_BOOT_SRC_MASK) | AST1100_SCU_BOOT_NONE, ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SCU_APB_BRIDGE_OFFSET + AST1100_SCU_HW_STRAP); ++ ast1100_original_wdt_conf = pci_mmio_readl(ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_WDT_APB_BRIDGE_OFFSET + AST1100_WDT1_CTL); ++ pci_mmio_writel(ast1100_original_wdt_conf & 0xffff0, ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_WDT_APB_BRIDGE_OFFSET + AST1100_WDT1_CTL); ++ } ++ ++ return 0; ++} ++ ++static int ast1100_enable_cpu(void) { ++ uint32_t dword; ++ ++ if (ast1100_device_halt_cpu && ast1100_device_resume_cpu) { ++ /* Re-enable CPU */ ++ ast1100_set_a2b_bridge_scu(); ++ dword = pci_mmio_readl(ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SCU_APB_BRIDGE_OFFSET + AST1100_SCU_HW_STRAP); ++ pci_mmio_writel((dword & ~AST1100_SCU_BOOT_SRC_MASK) | AST1100_SCU_BOOT_SPI, ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SCU_APB_BRIDGE_OFFSET + AST1100_SCU_HW_STRAP); ++ } ++ ++ return 0; ++} ++ ++static int ast1100_reset_cpu(void) { ++ if (ast1100_device_reset_cpu) { ++ /* Disable WDT from issuing full SoC reset ++ * Without this, OpenPOWER systems will crash when the GPIO blocks are reset on WDT timeout ++ */ ++ msg_pinfo("Configuring P2A bridge for WDT access\n"); ++ 
ast1100_set_a2b_bridge_wdt(); ++ ast1100_original_wdt_conf = pci_mmio_readl(ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_WDT_APB_BRIDGE_OFFSET + AST1100_WDT1_CTL); ++ ++ /* Initiate reset */ ++ msg_pinfo("Setting WDT to reset CPU immediately\n"); ++ pci_mmio_writel(ast1100_original_wdt_conf & 0xffff0, ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_WDT_APB_BRIDGE_OFFSET + AST1100_WDT1_CTL); ++ pci_mmio_writel(0xec08ce00, ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_WDT_APB_BRIDGE_OFFSET + AST1100_WDT1_CTR_RELOAD); ++ pci_mmio_writel(0x4755, ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_WDT_APB_BRIDGE_OFFSET + AST1100_WDT1_CTR_RESTART); ++ pci_mmio_writel(AST1100_WDT_SET_CLOCK, ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_WDT_APB_BRIDGE_OFFSET + AST1100_WDT1_CTL); ++ pci_mmio_writel(AST1100_WDT_RESET_SYSTEM | AST1100_WDT_ENABLE, ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_WDT_APB_BRIDGE_OFFSET + AST1100_WDT1_CTL); ++ ++ } ++ ++ return 0; ++} ++ ++static int ast1100_shutdown(void *data) { ++ /* Reactivate CPU if previously deactivated */ ++ ast1100_enable_cpu(); ++ ++ /* Reset CPU if requested */ ++ ast1100_reset_cpu(); ++ ++ /* Disable backdoor APB access */ ++ pci_mmio_writel(0x0, ast1100_device_bar + 0xf000); ++ ++ return 0; ++} ++ ++int ast1100_init(void) ++{ ++ struct pci_dev *dev = NULL; ++ uint32_t dword; ++ ++ char *arg; ++ ++ ast1100_device_spi_bus = 0; ++ arg = extract_programmer_param("spibus"); ++ if (arg) ++ ast1100_device_spi_bus = strtol(arg, NULL, 0); ++ free(arg); ++ ++ ast1100_device_spi_speed = 0; ++ arg = extract_programmer_param("spispeed"); ++ if (arg) ++ ast1100_device_spi_speed = strtol(arg, NULL, 0); ++ free(arg); ++ ++ ast1100_device_halt_cpu = 0; ++ arg = extract_programmer_param("cpu"); ++ if (arg && !strcmp(arg,"pause")) { ++ ast1100_device_halt_cpu = 1; ++ ast1100_device_resume_cpu = 1; ++ ast1100_device_reset_cpu = 0; ++ } ++ else if (arg && !strcmp(arg,"halt")) { ++ ast1100_device_halt_cpu = 1; ++ 
ast1100_device_resume_cpu = 0; ++ ast1100_device_reset_cpu = 0; ++ } ++ else if (arg && !strcmp(arg,"reset")) { ++ ast1100_device_halt_cpu = 1; ++ ast1100_device_resume_cpu = 1; ++ ast1100_device_reset_cpu = 1; ++ } ++ else if (arg) { ++ msg_perr("Invalid CPU option! Valid values are: pause | halt | reset\n"); ++ return 1; ++ } ++ arg = extract_programmer_param("tickle"); ++ if (arg && !strcmp(arg,"true")) ++ ast1100_device_tickle_fw = 1; ++ free(arg); ++ ++ if (ast1100_device_spi_bus > 2) { ++ msg_perr("SPI bus number out of range! Valid values are 0 - 2.\n"); ++ return 1; ++ } ++ ++ if (rget_io_perms()) ++ return 1; ++ ++ dev = pcidev_init(bmc_aspeed_ast1100, PCI_BASE_ADDRESS_1); ++ if (!dev) ++ return 1; ++ ++ uintptr_t io_base_addr = pcidev_readbar(dev, PCI_BASE_ADDRESS_1); ++ if (!io_base_addr) ++ return 1; ++ ++ msg_pinfo("Detected ASPEED MMIO base address: %p.\n", (void*)io_base_addr); ++ ++ ast1100_device_bar = rphysmap("ASPEED", io_base_addr, ASPEED_MEMMAP_SIZE); ++ if (ast1100_device_bar == ERROR_PTR) ++ return 1; ++ ++ if (register_shutdown(ast1100_shutdown, dev)) ++ return 1; ++ ++ io_base_addr += ASPEED_P2A_OFFSET; ++ msg_pinfo("ASPEED P2A base address: %p.\n", (void*)io_base_addr); ++ ++ msg_pinfo("Configuring P2A bridge for SCU access\n"); ++ ast1100_set_a2b_bridge_scu(); ++ pci_mmio_writel(AST1100_SCU_PASSWORD, ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SCU_APB_BRIDGE_OFFSET + AST1100_SCU_PROT_KEY); ++ ++ /* Halt CPU if requested */ ++ if (ast1100_disable_cpu()) ++ return 1; ++ ++ msg_pinfo("Configuring P2A bridge for SMC access\n"); ++ ast1100_set_a2b_bridge_smc(); ++ ++ dword = pci_mmio_readl(ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SMC_SMC00); ++ if (((dword >> ((ast1100_device_spi_bus * 2) + 4)) & 0x3) != 0x2) { ++ msg_perr("CE%01x Flash type is not SPI!\n", ast1100_device_spi_bus); ++ return 1; ++ } ++ ++ msg_pinfo("Setting CE%01x SPI relative clock speed to %d\n", ast1100_device_spi_bus, ast1100_device_spi_speed); ++ dword = 
pci_mmio_readl(ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SMC_CE_CTL(ast1100_device_spi_bus)); ++ dword &= ~AST1100_SPI_SPEED_MASK; ++ pci_mmio_writel(dword | ((ast1100_device_spi_speed << AST1100_SPI_SPEED_SHIFT) & AST1100_SPI_SPEED_MASK), ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SMC_CE_CTL(ast1100_device_spi_bus)); ++ ++ msg_pinfo("Enabling CE%01x write\n", ast1100_device_spi_bus); ++ dword = pci_mmio_readl(ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SMC_SMC00); ++ pci_mmio_writel(dword | (0x1 << (10 + ast1100_device_spi_bus)), ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SMC_SMC00); ++ ++ dword = pci_mmio_readl(ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SMC_SMC00); ++ dword &= AST1100_SMC_SEGMENT_SIZE_MASK; ++ switch (dword & AST1100_SMC_SEGMENT_SIZE_MASK) { ++ case AST1100_SMC_SEGMENT_SIZE_32M: ++ ast1100_device_flash_mmio_offset = 0x2000000; ++ break; ++ case AST1100_SMC_SEGMENT_SIZE_16M: ++ ast1100_device_flash_mmio_offset = 0x1000000; ++ break; ++ case AST1100_SMC_SEGMENT_SIZE_8M: ++ ast1100_device_flash_mmio_offset = 0x800000; ++ break; ++ case AST1100_SMC_SEGMENT_SIZE_4M: ++ ast1100_device_flash_mmio_offset = 0x400000; ++ break; ++ default: ++ ast1100_device_flash_mmio_offset = 0x2000000; ++ } ++ msg_pinfo("Segment size: 0x%08x\n", ast1100_device_flash_mmio_offset); ++ ++ ast1100_device_flash_mmio_offset = ast1100_device_flash_mmio_offset * ast1100_device_spi_bus; ++ msg_pinfo("Using CE%01x offset 0x%08x\n", ast1100_device_spi_bus, ast1100_device_flash_mmio_offset); ++ ++ register_spi_master(&spi_master_ast1100); ++ ++ return 0; ++} ++ ++static void ast1100_spi_xfer_data(struct flashctx *flash, ++ unsigned int writecnt, unsigned int readcnt, ++ const unsigned char *writearr, ++ unsigned char *readarr) ++{ ++ unsigned int i; ++ uint32_t dword; ++ ++ for (i = 0; i < writecnt; i++) ++ msg_pspew("[%02x]", writearr[i]); ++ msg_pspew("\n"); ++ ++ for (i = 0; i < writecnt; i=i+4) { ++ if ((writecnt - i) < 4) ++ break; ++ dword = 
writearr[i]; ++ dword |= writearr[i + 1] << 8; ++ dword |= writearr[i + 2] << 16; ++ dword |= writearr[i + 3] << 24; ++ pci_mmio_writel(dword, ast1100_device_bar + ASPEED_P2A_OFFSET); ++ } ++ for (; i < writecnt; i++) ++ pci_mmio_writeb(writearr[i], ast1100_device_bar + ASPEED_P2A_OFFSET); ++ programmer_delay(1); ++ for (i = 0; i < readcnt;) { ++ dword = pci_mmio_readl(ast1100_device_bar + ASPEED_P2A_OFFSET); ++ if (i < readcnt) ++ readarr[i] = dword & 0xff; ++ i++; ++ if (i < readcnt) ++ readarr[i] = (dword >> 8) & 0xff; ++ i++; ++ if (i < readcnt) ++ readarr[i] = (dword >> 16) & 0xff; ++ i++; ++ if (i < readcnt) ++ readarr[i] = (dword >> 24) & 0xff; ++ i++; ++ } ++ ++ for (i = 0; i < readcnt; i++) ++ msg_pspew("[%02x]", readarr[i]); ++ msg_pspew("\n"); ++} ++ ++/* Returns 0 upon success, a negative number upon errors. */ ++static int ast1100_spi_send_command(struct flashctx *flash, ++ unsigned int writecnt, unsigned int readcnt, ++ const unsigned char *writearr, ++ unsigned char *readarr) ++{ ++ uint32_t dword; ++ ++ msg_pspew("%s, cmd=0x%02x, writecnt=%d, readcnt=%d\n", __func__, *writearr, writecnt, readcnt); ++ ++ /* Set up user command mode */ ++ ast1100_set_a2b_bridge_smc(); ++ dword = pci_mmio_readl(ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SMC_CE_CTL(ast1100_device_spi_bus)); ++ pci_mmio_writel(dword | AST1100_SPI_CMD_USER_MODE, ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SMC_CE_CTL(ast1100_device_spi_bus)); ++ dword = pci_mmio_readl(ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SMC_CE_CTL(ast1100_device_spi_bus)); ++ pci_mmio_writel(dword & ~AST1100_SPI_STOP_CE_ACTIVE, ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SMC_CE_CTL(ast1100_device_spi_bus)); ++ ++ /* Transfer data */ ++ ast1100_set_a2b_bridge_smc_flash(); ++ ast1100_spi_xfer_data(flash, writecnt, readcnt, writearr, readarr); ++ ++ /* Tear down user command mode */ ++ ast1100_set_a2b_bridge_smc(); ++ dword = pci_mmio_readl(ast1100_device_bar + ASPEED_P2A_OFFSET + 
AST1100_SMC_CE_CTL(ast1100_device_spi_bus)); ++ pci_mmio_writel(dword | AST1100_SPI_STOP_CE_ACTIVE, ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SMC_CE_CTL(ast1100_device_spi_bus)); ++ dword = pci_mmio_readl(ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SMC_CE_CTL(ast1100_device_spi_bus)); ++ pci_mmio_writel((dword & ~AST1100_SPI_CMD_MASK) | AST1100_SPI_CMD_FAST_R_MODE, ast1100_device_bar + ASPEED_P2A_OFFSET + AST1100_SMC_CE_CTL(ast1100_device_spi_bus)); ++ ++ if (ast1100_device_tickle_fw) { ++ ast1100_enable_cpu(); ++ programmer_delay(100); ++ ast1100_disable_cpu(); ++ } ++ ++ return 0; ++} +diff --git a/ast2400.c b/ast2400.c +new file mode 100644 +index 0000000..761a38d +--- /dev/null ++++ b/ast2400.c +@@ -0,0 +1,425 @@ ++/* ++ * This file is part of the flashrom project. ++ * ++ * Copyright (C) 2016 - 2017 Raptor Engineering, LLC ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. 
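Review bot: In `ast1100_disable_cpu` (ast1100.c) the WDT1_CTL read and write run while the P2A window still points at the SCU block, since the preceding call is `ast1100_set_a2b_bridge_scu()`. The offset `AST1100_WDT_APB_BRIDGE_OFFSET + AST1100_WDT1_CTL` therefore appears to land in the 0x1e6e0000 window rather than on the watchdog, whereas `ast1100_reset_cpu` calls `ast1100_set_a2b_bridge_wdt()` before touching the same register. The function also reads `AST1100_SCU_HW_STRAP` before selecting the SCU window, which holds only if the caller left it there; on the `tickle` path with `cpu=halt`, `ast1100_enable_cpu` is a no-op and the window is still on the SMC. I would add `ast1100_set_a2b_bridge_scu();` before the strap read and `ast1100_set_a2b_bridge_wdt();` before the WDT1_CTL access, because this driver writes BMC registers from the host and a write through the wrong window reaches an unintended address. Separately, in `ast1100_init` the `spibus` value is narrowed to `uint8_t` before the `> 2` check, so 256 passes as 0, and the `cpu` argument string is never freed, including on the invalid-option return.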
++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA ++ */ ++ ++#include ++#include ++#include "flash.h" ++#include "programmer.h" ++#include "hwaccess.h" ++ ++#define PCI_VENDOR_ID_ASPEED 0x1a03 ++ ++#define ASPEED_MEMMAP_SIZE (128 * 1024) ++#define ASPEED_P2A_OFFSET 0x10000 ++ ++#define AST2400_SCU_APB_ADDR 0x1e6e2000 ++#define AST2400_SCU_APB_BRIDGE_OFFSET (AST2400_SCU_APB_ADDR & 0xffff) ++#define AST2400_SCU_PROT_KEY 0x00 ++#define AST2400_SCU_MISC_CTL 0x2c ++#define AST2400_SCU_HW_STRAP 0x70 ++ ++#define AST2400_SCU_PASSWORD 0x1688a8a8 ++#define AST2400_SCU_BOOT_SRC_MASK 0x3 ++#define AST2400_SCU_BOOT_SPI 0x2 ++#define AST2400_SCU_BOOT_NONE 0x3 ++ ++#define AST2400_SMC_APB_ADDR 0x1e620000 ++#define AST2400_SMC_FMC00 0x00 ++#define AST2400_SMC_CE_CTL(N) (0x10 + (N * 4)) ++#define AST2400_SMC_CE_SEG(N) (0x30 + (N * 4)) ++ ++#define AST2400_SMC_FLASH_MMIO_ADDR 0x20000000 ++ ++#define AST2400_SPI_APB_ADDR 0x1e630000 ++#define AST2400_SPI_CFG 0x00 ++#define AST2400_SPI_CTL 0x04 ++ ++#define AST2400_SPI_CFG_WRITE_EN 0x1 ++#define AST2400_SPI_CMD_FAST_R_MODE 0x1 ++#define AST2400_SPI_CMD_USER_MODE 0x3 ++#define AST2400_SPI_CMD_MASK 0x3 ++#define AST2400_SPI_STOP_CE_ACTIVE (0x1 << 2) ++#define AST2400_SPI_CPOL_1 (0x1 << 4) ++#define AST2400_SPI_LSB_FIRST_CTRL (0x1 << 5) ++#define AST2400_SPI_SPEED_MASK (0xf << 8) ++#define AST2400_SPI_IO_MODE_MASK (0x3 << 28) ++ ++#define AST2400_SPI_FLASH_MMIO_ADDR 0x30000000 ++ ++#define AST2400_WDT_APB_ADDR 0x1e785000 ++#define AST2400_WDT_APB_BRIDGE_OFFSET (AST2400_WDT_APB_ADDR & 0xffff) ++ ++#define AST2400_WDT1_CTL 0x0c ++ ++#define AST2400_WDT_RESET_MODE_MASK (0x3 << 5) ++#define AST2400_WDT_RESET_CPU_ONLY (0x2 << 5) ++ ++uint8_t *ast2400_device_bar = 0; ++uint8_t ast2400_device_spi_bus = 0; ++uint8_t ast2400_device_halt_cpu = 0; ++uint8_t ast2400_device_resume_cpu 
= 0; ++uint8_t ast2400_device_tickle_fw = 0; ++uint32_t ast2400_device_flash_mmio_offset = 0; ++uint32_t ast2400_device_host_mode = 0; ++uint32_t ast2400_original_wdt_conf = 0; ++ ++const struct dev_entry bmc_aspeed_ast2400[] = { ++ {PCI_VENDOR_ID_ASPEED, 0x2000, OK, "ASPEED", "AST2400" }, ++ ++ {0}, ++}; ++ ++static int ast2400_spi_send_command(struct flashctx *flash, ++ unsigned int writecnt, unsigned int readcnt, ++ const unsigned char *writearr, ++ unsigned char *readarr); ++ ++static const struct spi_master spi_master_ast2400 = { ++ .max_data_read = 256, ++ .max_data_write = 256, ++ .command = ast2400_spi_send_command, ++ .multicommand = default_spi_send_multicommand, ++ .read = default_spi_read, ++ .write_256 = default_spi_write_256, ++ .write_aai = default_spi_write_aai, ++}; ++ ++static int ast2400_set_a2b_bridge_scu(void) ++{ ++ pci_mmio_writel(0x0, ast2400_device_bar + 0xf000); ++ pci_mmio_writel(AST2400_SCU_APB_ADDR & 0xffff0000, ast2400_device_bar + 0xf004); ++ pci_mmio_writel(0x1, ast2400_device_bar + 0xf000); ++ ++ return 0; ++} ++ ++static int ast2400_set_a2b_bridge_wdt(void) ++{ ++ pci_mmio_writel(0x0, ast2400_device_bar + 0xf000); ++ pci_mmio_writel(AST2400_WDT_APB_ADDR & 0xffff0000, ast2400_device_bar + 0xf004); ++ pci_mmio_writel(0x1, ast2400_device_bar + 0xf000); ++ ++ return 0; ++} ++ ++static int ast2400_set_a2b_bridge_smc(void) ++{ ++ pci_mmio_writel(0x0, ast2400_device_bar + 0xf000); ++ pci_mmio_writel(AST2400_SMC_APB_ADDR, ast2400_device_bar + 0xf004); ++ pci_mmio_writel(0x1, ast2400_device_bar + 0xf000); ++ ++ return 0; ++} ++ ++static int ast2400_set_a2b_bridge_spi(void) ++{ ++ pci_mmio_writel(0x0, ast2400_device_bar + 0xf000); ++ pci_mmio_writel(AST2400_SPI_APB_ADDR, ast2400_device_bar + 0xf004); ++ pci_mmio_writel(0x1, ast2400_device_bar + 0xf000); ++ ++ return 0; ++} ++ ++static int ast2400_set_a2b_bridge_smc_flash(void) ++{ ++ pci_mmio_writel(0x0, ast2400_device_bar + 0xf000); ++ pci_mmio_writel(AST2400_SMC_FLASH_MMIO_ADDR + 
ast2400_device_flash_mmio_offset, ast2400_device_bar + 0xf004); ++ pci_mmio_writel(0x1, ast2400_device_bar + 0xf000); ++ ++ return 0; ++} ++ ++static int ast2400_set_a2b_bridge_spi_flash(void) ++{ ++ pci_mmio_writel(0x0, ast2400_device_bar + 0xf000); ++ pci_mmio_writel(AST2400_SPI_FLASH_MMIO_ADDR, ast2400_device_bar + 0xf004); ++ pci_mmio_writel(0x1, ast2400_device_bar + 0xf000); ++ ++ return 0; ++} ++ ++static int ast2400_disable_cpu(void) { ++ uint32_t dword; ++ ++ if (ast2400_device_halt_cpu) { ++ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SCU_APB_BRIDGE_OFFSET + AST2400_SCU_HW_STRAP); ++ if (((dword & AST2400_SCU_BOOT_SRC_MASK) != AST2400_SCU_BOOT_SPI) ++ && ((dword & AST2400_SCU_BOOT_SRC_MASK) != AST2400_SCU_BOOT_NONE)) { /* NONE permitted to allow for BMC recovery after Ctrl+C or crash */ ++ msg_perr("CPU halt requested but CPU firmware source is not SPI.\n"); ++ pci_mmio_writel(0x0, ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SCU_APB_BRIDGE_OFFSET + AST2400_SCU_PROT_KEY); ++ ast2400_device_halt_cpu = 0; ++ return 1; ++ } ++ ++ /* Disable WDT from issuing full SoC reset ++ * Without this, OpenPOWER systems will crash when the GPIO blocks are reset on WDT timeout ++ */ ++ msg_pinfo("Configuring P2A bridge for WDT access\n"); ++ ast2400_set_a2b_bridge_wdt(); ++ ast2400_original_wdt_conf = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_WDT_APB_BRIDGE_OFFSET + AST2400_WDT1_CTL); ++ pci_mmio_writel((ast2400_original_wdt_conf & ~AST2400_WDT_RESET_MODE_MASK) | AST2400_WDT_RESET_CPU_ONLY, ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_WDT_APB_BRIDGE_OFFSET + AST2400_WDT1_CTL); ++ ++ /* Disable CPU */ ++ ast2400_set_a2b_bridge_scu(); ++ pci_mmio_writel((dword & ~AST2400_SCU_BOOT_SRC_MASK) | AST2400_SCU_BOOT_NONE, ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SCU_APB_BRIDGE_OFFSET + AST2400_SCU_HW_STRAP); ++ } ++ ++ return 0; ++} ++ ++static int ast2400_enable_cpu(void) { ++ uint32_t dword; ++ ++ if 
(ast2400_device_halt_cpu && ast2400_device_resume_cpu) { ++ /* Re-enable CPU */ ++ ast2400_set_a2b_bridge_scu(); ++ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SCU_APB_BRIDGE_OFFSET + AST2400_SCU_HW_STRAP); ++ pci_mmio_writel((dword & ~AST2400_SCU_BOOT_SRC_MASK) | AST2400_SCU_BOOT_SPI, ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SCU_APB_BRIDGE_OFFSET + AST2400_SCU_HW_STRAP); ++ ++ /* Reset WDT configuration */ ++ ast2400_set_a2b_bridge_wdt(); ++ pci_mmio_writel((ast2400_original_wdt_conf & ~AST2400_WDT_RESET_MODE_MASK) | AST2400_WDT_RESET_CPU_ONLY, ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_WDT_APB_BRIDGE_OFFSET + AST2400_WDT1_CTL); ++ } ++ ++ return 0; ++} ++ ++static int ast2400_shutdown(void *data) { ++ /* Reactivate CPU if previously deactivated */ ++ ast2400_enable_cpu(); ++ ++ /* Disable backdoor APB access */ ++ pci_mmio_writel(0x0, ast2400_device_bar + 0xf000); ++ ++ return 0; ++} ++ ++int ast2400_init(void) ++{ ++ struct pci_dev *dev = NULL; ++ uint32_t dword; ++ uint8_t divisor; ++ ++ char *arg; ++ ++ ast2400_device_spi_bus = 0; ++ arg = extract_programmer_param("spibus"); ++ if (arg) { ++ if (!strcmp(arg,"host")) ++ ast2400_device_host_mode = 1; ++ else ++ ast2400_device_spi_bus = strtol(arg, NULL, 0); ++ } ++ free(arg); ++ ++ ast2400_device_halt_cpu = 0; ++ arg = extract_programmer_param("cpu"); ++ if (arg && !strcmp(arg,"pause")) { ++ ast2400_device_halt_cpu = 1; ++ ast2400_device_resume_cpu = 1; ++ } ++ if (arg && !strcmp(arg,"halt")) { ++ ast2400_device_halt_cpu = 1; ++ ast2400_device_resume_cpu = 0; ++ } ++ arg = extract_programmer_param("tickle"); ++ if (arg && !strcmp(arg,"true")) ++ ast2400_device_tickle_fw = 1; ++ free(arg); ++ ++ if ((ast2400_device_host_mode == 0) && (ast2400_device_spi_bus > 4)) { ++ msg_perr("SPI bus number out of range! 
Valid values are 0 - 4.\n"); ++ return 1; ++ } ++ ++ if (rget_io_perms()) ++ return 1; ++ ++ dev = pcidev_init(bmc_aspeed_ast2400, PCI_BASE_ADDRESS_1); ++ if (!dev) ++ return 1; ++ ++ uintptr_t io_base_addr = pcidev_readbar(dev, PCI_BASE_ADDRESS_1); ++ if (!io_base_addr) ++ return 1; ++ ++ msg_pinfo("Detected ASPEED MMIO base address: %p.\n", (void*)io_base_addr); ++ ++ ast2400_device_bar = rphysmap("ASPEED", io_base_addr, ASPEED_MEMMAP_SIZE); ++ if (ast2400_device_bar == ERROR_PTR) ++ return 1; ++ ++ if (register_shutdown(ast2400_shutdown, dev)) ++ return 1; ++ ++ io_base_addr += ASPEED_P2A_OFFSET; ++ msg_pinfo("ASPEED P2A base address: %p.\n", (void*)io_base_addr); ++ ++ msg_pinfo("Configuring P2A bridge for SCU access\n"); ++ ast2400_set_a2b_bridge_scu(); ++ pci_mmio_writel(AST2400_SCU_PASSWORD, ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SCU_APB_BRIDGE_OFFSET + AST2400_SCU_PROT_KEY); ++ ++ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SCU_APB_BRIDGE_OFFSET + AST2400_SCU_MISC_CTL); ++ pci_mmio_writel(dword & ~((0x1 << 24) | (0x2 << 22)), ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SCU_APB_BRIDGE_OFFSET + AST2400_SCU_MISC_CTL); ++ ++ /* Halt CPU if requested */ ++ if (ast2400_disable_cpu()) ++ return 1; ++ ++ msg_pinfo("Configuring P2A bridge for SMC access\n"); ++ ast2400_set_a2b_bridge_smc(); ++ ++ if (ast2400_device_host_mode) { ++ msg_pinfo("Configuring P2A bridge for SPI access\n"); ++ ast2400_set_a2b_bridge_spi(); ++ ++ divisor = 0; /* Slowest speed for now */ ++ ++ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SPI_CTL); ++ dword &= ~AST2400_SPI_SPEED_MASK; ++ dword |= (divisor << 8); ++ dword &= ~AST2400_SPI_CPOL_1; ++ dword &= ~AST2400_SPI_LSB_FIRST_CTRL; /* MSB first */ ++ dword &= ~AST2400_SPI_IO_MODE_MASK; /* Single bit I/O mode */ ++ pci_mmio_writel(dword, ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SPI_CTL); ++ } ++ else { ++ dword = pci_mmio_readl(ast2400_device_bar + 
ASPEED_P2A_OFFSET + AST2400_SMC_FMC00); ++ if (((dword >> (ast2400_device_spi_bus * 2)) & 0x3) != 0x2) { ++ msg_perr("CE%01x Flash type is not SPI!\n", ast2400_device_spi_bus); ++ return 1; ++ } ++ ++ msg_pinfo("Enabling CE%01x write\n", ast2400_device_spi_bus); ++ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SMC_FMC00); ++ pci_mmio_writel(dword | (0x1 << (16 + ast2400_device_spi_bus)), ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SMC_FMC00); ++ ++ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SMC_CE_SEG(ast2400_device_spi_bus)); ++ ast2400_device_flash_mmio_offset = ((dword >> 16) & 0x3f) * 0x800000; ++ msg_pinfo("Using CE%01x offset 0x%08x\n", ast2400_device_spi_bus, ast2400_device_flash_mmio_offset); ++ } ++ ++ register_spi_master(&spi_master_ast2400); ++ ++ return 0; ++} ++ ++static void ast2400_spi_xfer_data(struct flashctx *flash, ++ unsigned int writecnt, unsigned int readcnt, ++ const unsigned char *writearr, ++ unsigned char *readarr) ++{ ++ unsigned int i; ++ uint32_t dword; ++ ++ for (i = 0; i < writecnt; i++) ++ msg_pspew("[%02x]", writearr[i]); ++ msg_pspew("\n"); ++ ++ for (i = 0; i < writecnt; i=i+4) { ++ if ((writecnt - i) < 4) ++ break; ++ dword = writearr[i]; ++ dword |= writearr[i + 1] << 8; ++ dword |= writearr[i + 2] << 16; ++ dword |= writearr[i + 3] << 24; ++ pci_mmio_writel(dword, ast2400_device_bar + ASPEED_P2A_OFFSET); ++ } ++ for (; i < writecnt; i++) ++ pci_mmio_writeb(writearr[i], ast2400_device_bar + ASPEED_P2A_OFFSET); ++ programmer_delay(1); ++ for (i = 0; i < readcnt;) { ++ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET); ++ if (i < readcnt) ++ readarr[i] = dword & 0xff; ++ i++; ++ if (i < readcnt) ++ readarr[i] = (dword >> 8) & 0xff; ++ i++; ++ if (i < readcnt) ++ readarr[i] = (dword >> 16) & 0xff; ++ i++; ++ if (i < readcnt) ++ readarr[i] = (dword >> 24) & 0xff; ++ i++; ++ } ++ ++ for (i = 0; i < readcnt; i++) ++ msg_pspew("[%02x]", readarr[i]); ++ 
msg_pspew("\n"); ++} ++ ++/* Returns 0 upon success, a negative number upon errors. */ ++static int ast2400_spi_send_command(struct flashctx *flash, ++ unsigned int writecnt, unsigned int readcnt, ++ const unsigned char *writearr, ++ unsigned char *readarr) ++{ ++ uint32_t dword; ++ ++ msg_pspew("%s, cmd=0x%02x, writecnt=%d, readcnt=%d\n", __func__, *writearr, writecnt, readcnt); ++ ++ if (ast2400_device_host_mode) { ++ /* Set up user command mode */ ++ ast2400_set_a2b_bridge_spi(); ++ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SPI_CFG); ++ pci_mmio_writel(dword | AST2400_SPI_CFG_WRITE_EN, ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SPI_CFG); ++ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SPI_CTL); ++ pci_mmio_writel(dword | AST2400_SPI_CMD_USER_MODE, ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SPI_CTL); ++ ++ /* Transfer data */ ++ ast2400_set_a2b_bridge_spi_flash(); ++ ast2400_spi_xfer_data(flash, writecnt, readcnt, writearr, readarr); ++ ++ /* Tear down user command mode */ ++ ast2400_set_a2b_bridge_spi(); ++ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SPI_CTL); ++ pci_mmio_writel((dword & ~AST2400_SPI_CMD_MASK) | AST2400_SPI_CMD_FAST_R_MODE, ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SPI_CTL); ++ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SPI_CFG); ++ pci_mmio_writel(dword & ~AST2400_SPI_CFG_WRITE_EN, ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SPI_CFG); ++ } ++ else { ++ /* Set up user command mode */ ++ ast2400_set_a2b_bridge_smc(); ++ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SMC_CE_CTL(ast2400_device_spi_bus)); ++ pci_mmio_writel(dword | AST2400_SPI_CMD_USER_MODE, ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SMC_CE_CTL(ast2400_device_spi_bus)); ++ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SMC_CE_CTL(ast2400_device_spi_bus)); ++ pci_mmio_writel(dword & 
~AST2400_SPI_STOP_CE_ACTIVE, ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SMC_CE_CTL(ast2400_device_spi_bus)); ++ ++ /* Transfer data */ ++ ast2400_set_a2b_bridge_smc_flash(); ++ ast2400_spi_xfer_data(flash, writecnt, readcnt, writearr, readarr); ++ ++ /* Tear down user command mode */ ++ ast2400_set_a2b_bridge_smc(); ++ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SMC_CE_CTL(ast2400_device_spi_bus)); ++ pci_mmio_writel(dword | AST2400_SPI_STOP_CE_ACTIVE, ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SMC_CE_CTL(ast2400_device_spi_bus)); ++ dword = pci_mmio_readl(ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SMC_CE_CTL(ast2400_device_spi_bus)); ++ pci_mmio_writel((dword & ~AST2400_SPI_CMD_MASK) | AST2400_SPI_CMD_FAST_R_MODE, ast2400_device_bar + ASPEED_P2A_OFFSET + AST2400_SMC_CE_CTL(ast2400_device_spi_bus)); ++ } ++ ++ if (ast2400_device_tickle_fw) { ++ ast2400_enable_cpu(); ++ programmer_delay(100); ++ ast2400_disable_cpu(); ++ } ++ ++ return 0; ++} +diff --git a/flashchips.c b/flashchips.c +index 58dd4f3..719185b 100644 +--- a/flashchips.c ++++ b/flashchips.c +@@ -12273,7 +12273,7 @@ const struct flashchip flashchips[] = { + .total_size = 1024, + .page_size = 256, + .feature_bits = FEATURE_WRSR_WREN, +- .tested = TEST_UNTESTED, ++ .tested = TEST_OK_PREW, + .probe = probe_spi_rdid, + .probe_timing = TIMING_ZERO, + .block_erasers = +@@ -16659,11 +16659,20 @@ const struct flashchip flashchips[] = { + .block_erasers = + { + { ++ .eraseblocks = { {4 * 1024, 8192} }, ++ .block_erase = spi_block_erase_21, ++ }, { + .eraseblocks = { {4 * 1024, 8192} }, + .block_erase = spi_block_erase_20, ++ }, { ++ .eraseblocks = { {32 * 1024, 1024} }, ++ .block_erase = spi_block_erase_5c, + }, { + .eraseblocks = { {32 * 1024, 1024} }, + .block_erase = spi_block_erase_52, ++ }, { ++ .eraseblocks = { {64 * 1024, 512} }, ++ .block_erase = spi_block_erase_dc, + }, { + .eraseblocks = { {64 * 1024, 512} }, + .block_erase = spi_block_erase_d8, +diff --git 
a/flashrom.c b/flashrom.c +index e540027..75bfd89 100644 +--- a/flashrom.c ++++ b/flashrom.c +@@ -6,6 +6,7 @@ + * Copyright (C) 2005-2008 coresystems GmbH + * Copyright (C) 2008,2009 Carl-Daniel Hailfinger + * Copyright (C) 2016 secunet Security Networks AG ++ * Copyright (C) 2016-2017 Raptor Engineering, LLC + * (Written by Nico Huber for secunet) + * + * This program is free software; you can redistribute it and/or modify +@@ -133,6 +134,30 @@ const struct programmer_entry programmer_table[] = { + }, + #endif + ++#if CONFIG_AST1100 == 1 ++ { ++ .name = "ast1100", ++ .type = PCI, ++ .devs.dev = bmc_aspeed_ast1100, ++ .init = ast1100_init, ++ .map_flash_region = fallback_map, ++ .unmap_flash_region = fallback_unmap, ++ .delay = internal_delay, ++ }, ++#endif ++ ++#if CONFIG_AST2400 == 1 ++ { ++ .name = "ast2400", ++ .type = PCI, ++ .devs.dev = bmc_aspeed_ast2400, ++ .init = ast2400_init, ++ .map_flash_region = fallback_map, ++ .unmap_flash_region = fallback_unmap, ++ .delay = internal_delay, ++ }, ++#endif ++ + #if CONFIG_DRKAISER == 1 + { + .name = "drkaiser", +diff --git a/pcidev.c b/pcidev.c +index 54c1fd3..97c8c1f 100644 +--- a/pcidev.c ++++ b/pcidev.c +@@ -33,11 +33,13 @@ enum pci_bartype { + uintptr_t pcidev_readbar(struct pci_dev *dev, int bar) + { + uint64_t addr; +- uint32_t upperaddr; + uint8_t headertype; + uint16_t supported_cycles; + enum pci_bartype bartype = TYPE_UNKNOWN; + ++#ifndef __PPC64__ ++ uint32_t upperaddr; ++#endif + + headertype = pci_read_byte(dev, PCI_HEADER_TYPE) & 0x7f; + msg_pspew("PCI header type 0x%02x\n", headertype); +@@ -93,6 +95,12 @@ uintptr_t pcidev_readbar(struct pci_dev *dev, int bar) + switch (bartype) { + case TYPE_MEMBAR: + msg_pdbg("MEM"); ++#ifdef __PPC64__ ++ /* PowerPC is able to translate 32-bit BARs into 64-bit host windows. ++ * Use the dev->base_addr[x] mechanism to handle mapping. 
++ */ ++ addr = dev->base_addr[(bar - 0x10) / 0x4] & PCI_BASE_ADDRESS_MEM_MASK; ++#else + if (!(supported_cycles & PCI_COMMAND_MEMORY)) { + msg_perr("MEM BAR access requested, but device has MEM space accesses disabled.\n"); + /* TODO: Abort here? */ +@@ -118,6 +126,7 @@ uintptr_t pcidev_readbar(struct pci_dev *dev, int bar) + } + } + addr &= PCI_BASE_ADDRESS_MEM_MASK; ++#endif + break; + case TYPE_IOBAR: + msg_pdbg("I/O\n"); +diff --git a/programmer.h b/programmer.h +index 3cf53b9..7be47d1 100644 +--- a/programmer.h ++++ b/programmer.h +@@ -5,6 +5,7 @@ + * Copyright (C) 2000 Ronald G. Minnich + * Copyright (C) 2005-2009 coresystems GmbH + * Copyright (C) 2006-2009 Carl-Daniel Hailfinger ++ * Copyright (C) 2016-2017 Raptor Engineering, LLC + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -43,6 +44,12 @@ enum programmer { + #if CONFIG_GFXNVIDIA == 1 + PROGRAMMER_GFXNVIDIA, + #endif ++#if CONFIG_AST1100 == 1 ++ PROGRAMMER_AST1100, ++#endif ++#if CONFIG_AST2400 == 1 ++ PROGRAMMER_AST2400, ++#endif + #if CONFIG_DRKAISER == 1 + PROGRAMMER_DRKAISER, + #endif +@@ -401,6 +408,18 @@ int gfxnvidia_init(void); + extern const struct dev_entry gfx_nvidia[]; + #endif + ++/* ast1100.c */ ++#if CONFIG_AST1100 == 1 ++int ast1100_init(void); ++extern const struct dev_entry bmc_aspeed_ast1100[]; ++#endif ++ ++/* ast2400.c */ ++#if CONFIG_AST2400 == 1 ++int ast2400_init(void); ++extern const struct dev_entry bmc_aspeed_ast2400[]; ++#endif ++ + /* drkaiser.c */ + #if CONFIG_DRKAISER == 1 + int drkaiser_init(void); From 01dabe19e73c17ba2a17e2e2e2b74584b1295e84 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Wed, 22 Apr 2020 15:00:48 -0400 Subject: [PATCH 100/189] network-init-recovery: do DHCP, then ask NTP from DNS server before attempting sync on internet --- initrd/bin/network-init-recovery | 35 ++++++++++++++++++++++++-------- 1 file changed, 27 insertions(+), 8 deletions(-) 
diff --git a/initrd/bin/network-init-recovery b/initrd/bin/network-init-recovery index 23ebcb259..7f24492ed 100755 --- a/initrd/bin/network-init-recovery +++ b/initrd/bin/network-init-recovery @@ -14,15 +14,34 @@ if [ -e /sys/class/net/eth0 ]; then # Set up static IP if [ ! -z "$CONFIG_BOOT_STATIC_IP" ]; then ifconfig eth0 $CONFIG_BOOT_STATIC_IP + #Get ip from DHCP + elif [ -e /sbin/udhcpc ];then + if udhcpc -T 1 -q; then + if [ -e /sbin/ntpd ]; then + DNS_SERVER=$(grep nameserver /etc/resolv.conf|awk -F " " {'print $2'}) + killall ntpd 2&>1 > /dev/null + if ! ntpd -d -N -n -q -p $DNS_SERVER > /dev/ttyprintk; then + if ! ntpd -d -d -N -n -q -p ntp.pool.org> /dev/ttyprintk; then + echo "NTP sync unsuccessful." > /dev/tty0 + fi + fi + hwclock -w + echo "" > /dev/tty0 + echo "UTC/GMT current date and time:" > /dev/tty0 + date > /dev/tty0 + fi + fi fi - # TODO: Set up DHCP if available + ifconfig eth0 > /dev/ttyprintk - - # Set up the ssh server, allow root logins and log to stderr - if [ ! -d /etc/dropbear ]; then - mkdir /etc/dropbear + + if [ -e /bin/dropbear ]; then + # Set up the ssh server, allow root logins and log to stderr + if [ ! -d /etc/dropbear ]; then + mkdir /etc/dropbear + fi + dropbear -B -R 2>/dev/ttyprintk fi - dropbear -B -R 2>/dev/ttyprintk - - ifconfig eth0 | head -1 > /dev/tty0 + echo "" > /dev/tty0 + ifconfig eth0 | head -2 > /dev/tty0 fi From ba68c723bf209b5891b84b6564390f8b85c7c7f6 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Wed, 22 Apr 2020 23:02:46 -0400 Subject: [PATCH 101/189] qemu-coreboot: Now useful to debug something through make BOARD=qemu-coreboot. TODO: map a virtual TPM instance and USB passthrough. Thanks to @orangecms for the tip --- boards/qemu-coreboot/qemu-coreboot.config | 5 ++++- config/coreboot-qemu.config | 1 + 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/boards/qemu-coreboot/qemu-coreboot.config b/boards/qemu-coreboot/qemu-coreboot.config index aeb57c787..a36b70326 100644 
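Review bot: `hwclock -w` sits after both `fi`s, so the hardware clock is rewritten even when both `ntpd` attempts failed, and on success it stores time obtained without authentication from whatever host DHCP wrote into `/etc/resolv.conf`. Move `hwclock -w` into the success path and treat the result as untrusted, since anything later in boot that depends on the clock (TOTP codes or signature dates, presumably) inherits it. Two typos are in the same block: `killall ntpd 2&>1 > /dev/null` should read `killall ntpd >/dev/null 2>&1`, and the fallback `ntp.pool.org` looks like a transposition of `pool.ntp.org`, which would send the query to a host outside the NTP Pool project. `$DNS_SERVER` is unquoted and will hold several words when resolv.conf lists more than one nameserver; `-p "$DNS_SERVER"` with only the first entry selected avoids that.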
--- a/boards/qemu-coreboot/qemu-coreboot.config +++ b/boards/qemu-coreboot/qemu-coreboot.config @@ -50,10 +50,13 @@ export CONFIG_TPM=n export CONFIG_BOOT_DEV="/dev/sda1" -#run: coreboot.intermediate +#borrowed from https://github.com/orangecms/webboot/blob/boot-via-qemu/run-webboot.sh run: qemu-system-x86_64 \ --machine q35 \ --serial /dev/tty \ --bios $(build)/$(BOARD)/coreboot.rom \ + -object rng-random,filename=/dev/urandom,id=rng0 \ + -device virtio-rng-pci,rng=rng0 \ + -netdev user,id=u1 -device e1000,netdev=u1 \ ; stty sane diff --git a/config/coreboot-qemu.config b/config/coreboot-qemu.config index 73856e412..87d0f64a2 100644 --- a/config/coreboot-qemu.config +++ b/config/coreboot-qemu.config @@ -14,5 +14,6 @@ CONFIG_CPU_MICROCODE_CBFS_GENERATE=y # CONFIG_CONSOLE_SERIAL is not set CONFIG_DEFAULT_CONSOLE_LOGLEVEL_6=y CONFIG_PAYLOAD_LINUX=y +CONFIG_LINUX_COMMAND_LINE="debug console=ttyS0 vga=786" CONFIG_PAYLOAD_FILE="../../build/qemu-coreboot/bzImage" CONFIG_LINUX_INITRD="../../build/qemu-coreboot/initrd.cpio.xz" From 15e19d0594ac8deda89a20e0db1b54a4a5c2c3fa Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Sun, 3 May 2020 23:19:58 -0400 Subject: [PATCH 102/189] coreboot patch: remove acpica-unix2-20180531.tar.gz url change fix since acpica.org is now functional again while crux.ster.zone is not... --- .../0060-buildgcc-acpica-unix2-url-change.patch | 11 ----------- 1 file changed, 11 deletions(-) delete mode 100644 patches/coreboot-4.8.1/0060-buildgcc-acpica-unix2-url-change.patch diff --git a/patches/coreboot-4.8.1/0060-buildgcc-acpica-unix2-url-change.patch b/patches/coreboot-4.8.1/0060-buildgcc-acpica-unix2-url-change.patch deleted file mode 100644 index 50937453d..000000000 --- a/patches/coreboot-4.8.1/0060-buildgcc-acpica-unix2-url-change.patch +++ /dev/null 
@@ -1,11 +0,0 @@ ---- ./util/crossgcc/buildgcc.orig 2018-05-16 15:00:17.000000000 -0400 -+++ ./util/crossgcc/buildgcc 2020-03-15 10:47:36.186000000 -0400 -@@ -72,7 +72,7 @@ - GCC_ARCHIVE="https://ftpmirror.gnu.org/gcc/gcc-${GCC_VERSION}/gcc-${GCC_VERSION}.tar.xz" - BINUTILS_ARCHIVE="https://ftpmirror.gnu.org/binutils/binutils-${BINUTILS_VERSION}.tar.xz" - GDB_ARCHIVE="https://ftpmirror.gnu.org/gdb/gdb-${GDB_VERSION}.tar.xz" --IASL_ARCHIVE="https://acpica.org/sites/acpica/files/acpica-unix2-${IASL_VERSION}.tar.gz" -+IASL_ARCHIVE="https://crux.ster.zone/distfiles/acpica-unix2-${IASL_VERSION}.tar.gz" - PYTHON_ARCHIVE="https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tar.xz" - EXPAT_ARCHIVE="https://downloads.sourceforge.net/sourceforge/expat/expat-${EXPAT_VERSION}.tar.bz2" - # CLANG toolchain archive locations From a2d50a10f7fc4a34e1ded95519fdb4536798e2a1 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Tue, 14 Jan 2020 17:07:53 -0600 Subject: [PATCH 103/189] mount-usb: replace fixed timeout with drive detection Rather than wait a fixed 5s for the usb storage kernel modules to load, and the user to insert a drive, check for new USB drives inserted every 1s with a 5s timeout. Signed-off-by: Matt DeVillier --- initrd/bin/mount-usb | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/initrd/bin/mount-usb b/initrd/bin/mount-usb index 94946675a..0ac031cbd 100755 --- a/initrd/bin/mount-usb +++ b/initrd/bin/mount-usb @@ -5,9 +5,16 @@ enable_usb if ! lsmod | grep -q usb_storage; then - insmod /lib/modules/usb-storage.ko \ + count=$(ls /dev/sd* 2>/dev/null | wc -l) + timeout=0 + echo "Scanning for USB storage devices..." + insmod /lib/modules/usb-storage.ko >/dev/null 2>&1 \ || die "usb_storage: module load failed" - sleep 5 + while [[ $count == $(ls /dev/sd* 2>/dev/null | wc -l) ]]; do + [[ $timeout -ge 4 ]] && break + sleep 1 + timeout=$(($timeout+1)) + done fi if [ ! -d /media ]; then 
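Review bot: In the mount-usb hunk the wait gives up after four seconds, not the five the commit message describes, because `timeout` starts at 0 and `[[ $timeout -ge 4 ]] && break` is tested before each `sleep 1`; use `[ "$timeout" -ge 5 ] && break` if five is intended. The loop also ends on any change in the `/dev/sd*` count, so it can return once the disk node exists but before its partition nodes do; the hunk does not show whether later code tolerates that. `[[ … == … ]]` depends on the interpreter accepting that syntax, and the script's shebang is outside the hunk.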
From 8d6f47fb4d37f67b812d9bb1a8055a84fb28b916 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Tue, 28 Jan 2020 20:47:00 -0600 Subject: [PATCH 104/189] mount-usb: suppress error output from calls to `stat` If no USB storage devices inserted, stat will output unnecessary error text to console Signed-off-by: Matt DeVillier --- initrd/bin/mount-usb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/initrd/bin/mount-usb b/initrd/bin/mount-usb index 0ac031cbd..ca7a745fb 100755 --- a/initrd/bin/mount-usb +++ b/initrd/bin/mount-usb @@ -21,7 +21,7 @@ if [ ! -d /media ]; then mkdir /media fi -stat -c %N /sys/block/sd* | grep usb | cut -f1 -d ' ' | sed "s/[']//g;s|/sys/block|/dev|" > /tmp/usb_block_devices +stat -c %N /sys/block/sd* 2>/dev/null | grep usb | cut -f1 -d ' ' | sed "s/[']//g;s|/sys/block|/dev|" > /tmp/usb_block_devices if [ -z `cat /tmp/usb_block_devices` ]; then if [ -x /bin/whiptail ]; then whiptail --title 'USB Drive Missing' \ @@ -31,7 +31,7 @@ if [ -z `cat /tmp/usb_block_devices` ]; then read fi sleep 1 - stat -c %N /sys/block/sd* | grep usb | cut -f1 -d ' ' | sed "s/[']//g;s|/sys/block|/dev|" > /tmp/usb_block_devices + stat -c %N /sys/block/sd* 2>/dev/null | grep usb | cut -f1 -d ' ' | sed "s/[']//g;s|/sys/block|/dev|" > /tmp/usb_block_devices if [ -z `cat /tmp/usb_block_devices` ]; then if [ -x /bin/whiptail ]; then whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: USB Drive Missing' \ From 040e358b2d4ded3ca0d5c101598600499c8bb87c Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Mon, 4 May 2020 12:07:14 -0400 Subject: [PATCH 105/189] CIs: pass CircleCI to debian:bullseye docker image, provide logs.tar.gz and cpios to facilitate debugging of reproducibility issues --- .circleci/config.yml | 60 ++++++++++++++++++++++++++++++++++++-------- 1 file changed, 49 insertions(+), 11 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 4d4ff24f4..feba622a2 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
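Review bot: Both hunks leave the `[ -z … ]` test on the unquoted `cat /tmp/usb_block_devices` substitution right after the changed `stat` line, and with two or more USB disks that substitution expands to several words, so `[` prints an argument error to the console, which is the same kind of noise this commit sets out to remove. `if [ -z "$(cat /tmp/usb_block_devices)" ]; then` or `if [ ! -s /tmp/usb_block_devices ]; then` keeps the intent without the error. With `2>/dev/null` now hiding stat's own messages, this test is the only remaining signal for "no device", so it is worth making robust. The surrounding `if` blocks continue outside both hunks.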
@@ -2,14 +2,22 @@ version: 2 jobs: build: docker: - - image: osresearch/musl-cross:38e52db + - image: debian:bullseye steps: + - run: + name: Install dependencies + command: | + apt update + apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg iasl m4 nasm patch python wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev - checkout + - restore_cache: + key: heads-{{ .Branch }}{{ .Environment.CACHE_VERSION }} + - run: - name: Bootstrap make + name: git reset command: | - make -j4 bootstrap + git reset --hard "$CIRCLE_SHA1" \ # linuxboot steps need something to pass in the kernel header path # skipping for now 
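Review bot: The build image changes from a pinned tag (`osresearch/musl-cross:38e52db`) to the floating `debian:bullseye`, and `apt install -y …` takes whatever package versions are current, so the compiler and tools can change between runs with no change in this repository. For a job whose stated purpose is debugging reproducibility, pin the image by digest, e.g. `- image: debian:bullseye@sha256:<DIGEST_PLACEHOLDER>`, and record the installed versions (for instance `dpkg -l` into the log archive) so differing hashes can be traced to a toolchain change.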
@@ -40,31 +48,61 @@ jobs: - run: name: qemu-coreboot command: | - ./build/make-4.2.1/make \ - CROSS=/cross/bin/x86_64-linux-musl- \ - --load 2 \ + rm -rf build/make-4.2.1/ build/qemu-coreboot/* && make --load 2 \ V=1 \ BOARD=qemu-coreboot \ + no_output_timeout: 3h + - run: + name: Output qemu-coreboot hashes + command: | + cat build/qemu-coreboot/hashes.txt \ - store-artifacts: path: build/qemu-coreboot/coreboot.rom - store-artifacts: path: build/qemu-coreboot/hashes.txt - + - run: + name: x230-flash + command: | + make --load 2 \ + V=1 \ + BOARD=x230-flash \ + no_output_timeout: 3h + - run: + name: Ouput x230-flash hashes + command: | + cat build/x230-flash/hashes.txt \ - run: name: x230 command: | - ./build/make-4.2.1/make \ - CROSS=/cross/bin/x86_64-linux-musl- \ - --load 2 \ + make --load 2 \ V=1 \ BOARD=x230 \ + no_output_timeout: 3h + - run: + name: Ouput x230 hashes + command: | + cat build/x230/hashes.txt \ + - run: + name: Archiving build logs to bundle in artifacts + command: | + tar zcvf logs.tar.gz ./build/log/* + - store-artifacts: + path: build/x230-flash/x230-flash.rom - store-artifacts: path: build/x230/coreboot.rom - store-artifacts: - path: build/x230/hashes.txt + path: build/x230/initrd.cpio.xz + - store-artifacts: + path: logs.tar.gz + - save_cache: + key: heads-{{ .Branch }}{{ .Environment.CACHE_VERSION }} + paths: + - packages + - crossgcc + - build workflows: version: 2 From 31a103fdaee1158c0b294ecd6c7f9ecca0ef5146 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Wed, 22 Apr 2020 23:02:46 -0400 Subject: [PATCH 106/189] Working config to do make BOARD=qemu-coreboot-fbwhiptail and then make BOARD=qemu-coreboot-fbwhiptail run --- .../qemu-coreboot-fbwhiptail.config | 62 +++++++++++++++++++ config/coreboot-qemu-fbwhiptail.config | 19 ++++++ 2 files changed, 81 insertions(+) create mode 100644 boards/qemu-coreboot-fbwhiptail/qemu-coreboot-fbwhiptail.config create mode 100644 config/coreboot-qemu-fbwhiptail.config 
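Review bot: `save_cache` stores the whole `build` directory together with `packages` and `crossgcc` under a key that depends only on the branch and `CACHE_VERSION`, and the `restore_cache` step in the first hunk brings it back before any `make` runs. Only the qemu-coreboot step clears its outputs (`rm -rf build/make-4.2.1/ build/qemu-coreboot/*`), so the x230 and x230-flash ROMs and the hashes printed for them may be built on top of objects from an earlier commit. Dropping `- build` from the cached paths, or adding a content checksum to the key, keeps the published hashes tied to the checked-out source. `build/x230/hashes.txt` also appears to be no longer stored as an artifact, only printed to the log.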
diff --git a/boards/qemu-coreboot-fbwhiptail/qemu-coreboot-fbwhiptail.config b/boards/qemu-coreboot-fbwhiptail/qemu-coreboot-fbwhiptail.config
new file mode 100644
index 000000000..72ebec595
--- /dev/null
+++ b/boards/qemu-coreboot-fbwhiptail/qemu-coreboot-fbwhiptail.config
@@ -0,0 +1,62 @@
+# Configuration for building a coreboot ROM that works in
+# the qemu emulator in GUI mode thanks to FBWhiptail
+
+export CONFIG_COREBOOT=y
+CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-fbwhiptail.config
+CONFIG_LINUX_CONFIG=config/linux-qemu.config
+
+ifeq "$(CONFIG_UROOT)" "y"
+CONFIG_BUSYBOX=n
+else
+CONFIG_KEXEC=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+CONFIG_POPT=y
+CONFIG_FLASHTOOLS=y
+CONFIG_FLASHROM=y
+CONFIG_PCIUTILS=y
+CONFIG_UTIL_LINUX=y
+CONFIG_CRYPTSETUP=y
+CONFIG_GPG2=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_DROPBEAR=y
+CONFIG_MSRTOOLS=y
+
+#Uncomment only one of the following block
+#Required for graphical gui-init (FBWhiptail)
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+#
+#text-based init (generic-init and gui-init)
+#CONFIG_NEWT=y
+#CONFIG_SLANG=y
+
+endif
+
+CONFIG_LINUX_ATA=y
+CONFIG_LINUX_AHCI=y
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000=y
+
+#Uncomment only one BOOTSCRIPT:
+#Whiptail-based init (text-based or FBWhiptail)
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+#
+#text-based original init:
+#export CONFIG_BOOTSCRIPT=/bin/generic-init
+
+export CONFIG_TPM=n
+
+export CONFIG_BOOT_DEV="/dev/sda1"
+
+#borrowed from https://github.com/orangecms/webboot/blob/boot-via-qemu/run-webboot.sh
+run:
+ qemu-system-x86_64 \
+ --machine q35 \
+ --bios $(build)/$(BOARD)/coreboot.rom \
+ -object rng-random,filename=/dev/urandom,id=rng0 \
+ -device virtio-rng-pci,rng=rng0 \
+ -netdev user,id=u1 -device e1000,netdev=u1 \
+ -serial stdio \
+ ; stty sane
diff --git a/config/coreboot-qemu-fbwhiptail.config b/config/coreboot-qemu-fbwhiptail.config
new file mode 100644
index 000000000..a1a6f4323
--- /dev/null
+++ b/config/coreboot-qemu-fbwhiptail.config
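Review bot: The `run` rule has no prerequisites and, as far as this file shows, no `.PHONY` declaration, so a file named `run` in the tree would turn it into a no-op, and the recipe starts qemu with whatever `$(build)/$(BOARD)/coreboot.rom` already exists or fails if there is none. Adding `.PHONY: run` above the rule and a one-line comment that the ROM must be built first (the two-step usage given in the commit subject) would make the target self-explanatory.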
@@ -0,0 +1,19 @@ +CONFIG_LOCALVERSION="-heads" +CONFIG_ANY_TOOLCHAIN=y +# CONFIG_INCLUDE_CONFIG_FILE is not set +CONFIG_CBFS_SIZE=0x700000 +# CONFIG_POST_IO is not set +CONFIG_BOARD_EMULATION_QEMU_X86_Q35=y +# CONFIG_POST_DEVICE is not set +CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_COREBOOT_ROMSIZE_KB_8192=y +CONFIG_PCIEXP_ASPM=y +CONFIG_PCIEXP_COMMON_CLOCK=y +CONFIG_UART_PCI_ADDR=0 +CONFIG_CPU_MICROCODE_CBFS_GENERATE=y +# CONFIG_CONSOLE_SERIAL is not set +CONFIG_DEFAULT_CONSOLE_LOGLEVEL_6=y +CONFIG_PAYLOAD_LINUX=y +CONFIG_LINUX_COMMAND_LINE="debug" +CONFIG_PAYLOAD_FILE="../../build/qemu-coreboot-fbwhiptail/bzImage" +CONFIG_LINUX_INITRD="../../build/qemu-coreboot-fbwhiptail/initrd.cpio.xz" From 29e28005abf4a28c3226bbf9b0297c64616f907e Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Tue, 5 May 2020 10:54:31 -0400 Subject: [PATCH 107/189] qemu-coreboot-fbwhiptail: removing of unneeded comments --- .../qemu-coreboot-fbwhiptail.config | 9 --------- 1 file changed, 9 deletions(-) diff --git a/boards/qemu-coreboot-fbwhiptail/qemu-coreboot-fbwhiptail.config b/boards/qemu-coreboot-fbwhiptail/qemu-coreboot-fbwhiptail.config index 72ebec595..125879a46 100644 --- a/boards/qemu-coreboot-fbwhiptail/qemu-coreboot-fbwhiptail.config +++ b/boards/qemu-coreboot-fbwhiptail/qemu-coreboot-fbwhiptail.config @@ -23,14 +23,9 @@ CONFIG_MBEDTLS=y CONFIG_DROPBEAR=y CONFIG_MSRTOOLS=y -#Uncomment only one of the following block #Required for graphical gui-init (FBWhiptail) CONFIG_CAIRO=y CONFIG_FBWHIPTAIL=y -# -#text-based init (generic-init and gui-init) -#CONFIG_NEWT=y -#CONFIG_SLANG=y endif @@ -39,12 +34,8 @@ CONFIG_LINUX_AHCI=y CONFIG_LINUX_USB=y CONFIG_LINUX_E1000=y -#Uncomment only one BOOTSCRIPT: #Whiptail-based init (text-based or FBWhiptail) export CONFIG_BOOTSCRIPT=/bin/gui-init -# -#text-based original init: -#export CONFIG_BOOTSCRIPT=/bin/generic-init export CONFIG_TPM=n From 5a033fa80dc8d6134fd31f6a8077e1b10b370328 Mon Sep 17 00:00:00 2001 
From: flawedworld <38294951+flawedworld@users.noreply.github.com> Date: Fri, 15 May 2020 18:51:49 +0100 Subject: [PATCH 108/189] T430 TPM Backport --- .../0060-enable-tpm-on-t430.patch | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 patches/coreboot-4.8.1/0060-enable-tpm-on-t430.patch diff --git a/patches/coreboot-4.8.1/0060-enable-tpm-on-t430.patch b/patches/coreboot-4.8.1/0060-enable-tpm-on-t430.patch new file mode 100644 index 000000000..ed28a72a1 --- /dev/null +++ b/patches/coreboot-4.8.1/0060-enable-tpm-on-t430.patch @@ -0,0 +1,23 @@ +mb/lenovo/t430/devicetree: Add missing TPM entry +Tested on Lenovo T430: +The TPM is advertised through ACPI tables and the version can be +read using tpm_version, tcsd and tpm_tis. +Change-Id: I0b0c39e7aa1be4a479325d4b5eff5892a7e2f69f +Signed-off-by: Patrick Rudolph +Reviewed-on: https://review.coreboot.org/26780 +Tested-by: build bot (Jenkins) +Reviewed-by: Arthur Heymans +Reviewed-by: Paul Menzel +Original Commit at: https://review.coreboot.org/c/coreboot/+/26780 +--- ./src/mainboard/lenovo/t430/devicetree.cb 2020-01-15 17:42:17.441317488 +0000 ++++ ./src/mainboard/lenovo/t430/devicetree.cb 2020-01-15 17:37:39.889846000 +0000 +@@ -165,6 +165,9 @@ + + register "has_thinker1" = "0" + end ++ chip drivers/pc80/tpm ++ device pnp 0c31.0 on end ++ end + end + device pci 1f.2 on # SATA Controller 1 + subsystemid 0x17aa 0x21f3 From 23735d729a14df0f304160e2fde149f5d22ef109 Mon Sep 17 00:00:00 2001 
From: flawedworld <38294951+flawedworld@users.noreply.github.com> Date: Fri, 15 May 2020 18:52:11 +0100 Subject: [PATCH 109/189] Add T430 board support Co-authored-by: Sebastian McMillan <22755892+SebastianMcMillan@users.noreply.github.com> Co-authored-by: Andrew Montoya --- boards/t430-flash/t430-flash.config | 23 +++++++++++++++ boards/t430/t430.config | 44 +++++++++++++++++++++++++++++ config/coreboot-t430-flash.config | 18 ++++++++++++ config/coreboot-t430.config | 26 +++++++++++++++++ initrd/bin/t430-flash.init | 26 +++++++++++++++++ 5 files changed, 137 insertions(+) create mode 100644 boards/t430-flash/t430-flash.config create mode 100644 boards/t430/t430.config create mode 100644 config/coreboot-t430-flash.config create mode 100644 config/coreboot-t430.config create mode 100755 initrd/bin/t430-flash.init diff --git a/boards/t430-flash/t430-flash.config b/boards/t430-flash/t430-flash.config new file mode 100644 index 000000000..16b3617f2 --- /dev/null +++ b/boards/t430-flash/t430-flash.config @@ -0,0 +1,23 @@ +# Minimal configuration for a t430 to support flashrom, USB and networking +BOARD=t430.flash + +export CONFIG_COREBOOT=y +CONFIG_FLASHROM=y +CONFIG_FLASHTOOLS=y +CONFIG_PCIUTILS=y + +CONFIG_LINUX_CONFIG=config/linux-x230-flash.config +CONFIG_LINUX_USB=y +CONFIG_LINUX_E1000E=y + +export CONFIG_BOOTSCRIPT=/bin/t430-flash.init +export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal --ifd --image bios" + +# This board is "special" in that we only want the top 4 MB of the ROM +# for flashing into SPI flash 1 on the mainboard. This is enough to +# allow the board to boot into a minimal Heads and read the full +# ROM from an external USB media. +all: $(build)/$(BOARD)/$(BOARD).rom +$(build)/$(BOARD)/$(BOARD).rom: $(build)/$(BOARD)/coreboot.rom + dd of=$@ if=$< bs=65536 count=64 skip=128 + sha256sum $@ diff --git a/boards/t430/t430.config b/boards/t430/t430.config new file mode 100644 index 000000000..b2487e439 --- /dev/null 
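Review bot: `BOARD=t430.flash` uses a dot where every other name in this commit uses a hyphen (`boards/t430-flash/`, `config/coreboot-t430-flash.config`, `../../build/t430-flash/bzImage`). If the assignment takes effect, `$(build)/$(BOARD)/$(BOARD).rom` and the default `config/coreboot-$(BOARD).config` lookup point at `t430.flash` paths that nothing else in the commit creates; if it does not, the line is dead. `BOARD=t430-flash`, or dropping the line, looks like what was meant, though the hunk does not show how the x230-flash counterpart handles this.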
+++ b/boards/t430/t430.config
@@ -0,0 +1,44 @@
+# Configuration for a t430 running Qubes and other OSes
+export CONFIG_COREBOOT=y
+CONFIG_COREBOOT_CONFIG=config/coreboot-t430.config
+CONFIG_LINUX_CONFIG=config/linux-x230.config
+
+CONFIG_CRYPTSETUP=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+CONFIG_DROPBEAR=y
+
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+
+export CONFIG_TPM=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOOT_GUI_MENU_NAME="Thinkpad T430 Heads Boot Menu"
+export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0"
+export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0"
+export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal --ifd --image bios"
+
+# This board has two SPI flash chips, an 8 MB that holds the IFD,
+# the ME image and part of the coreboot image, and a 4 MB one that
+# has the rest of the coreboot and the reset vector.
+#
+# Only flashing to the bios region is safe to do. The easiest is to
+# flash internally when the IFD is unlocked for writing, and t430-flash
+# is installed first.
diff --git a/config/coreboot-t430-flash.config b/config/coreboot-t430-flash.config
new file mode 100644
index 000000000..c44c75375
--- /dev/null
+++ b/config/coreboot-t430-flash.config
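Review bot: `export CONFIG_BOOT_REQ_HASH=n` and `export CONFIG_BOOT_REQ_ROLLBACK=n` are set without any comment; going by their names they relax boot-file hash and rollback enforcement, which someone choosing this board for measured boot would want to know. A line such as `# Hash and rollback enforcement are off by default on this board` above them would record the choice, with the wording confirmed against what the boot scripts do with these variables. `CONFIG_FLASHROM_OPTIONS` also passes `--force`, which overrides flashrom's own safety checks; the closing comment explains the region restriction but not why forcing is needed here.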
@@ -0,0 +1,18 @@
+CONFIG_LOCALVERSION="heads"
+CONFIG_ANY_TOOLCHAIN=y
+# CONFIG_INCLUDE_CONFIG_FILE is not set
+# CONFIG_COLLECT_TIMESTAMPS is not set
+CONFIG_USE_BLOBS=y
+CONFIG_MEASURED_BOOT=y
+CONFIG_VENDOR_LENOVO=y
+CONFIG_CBFS_SIZE=0x400000
+# CONFIG_POST_DEVICE is not set
+CONFIG_DRIVERS_UART_8250IO=y
+CONFIG_BOARD_LENOVO_THINKPAD_T430=y
+CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_UART_PCI_ADDR=0
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
+CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="../../build/t430-flash/bzImage"
+CONFIG_LINUX_INITRD="../../build/t430-flash/initrd.cpio.xz"
diff --git a/config/coreboot-t430.config b/config/coreboot-t430.config
new file mode 100644
index 000000000..f16bb852a
--- /dev/null
+++ b/config/coreboot-t430.config
@@ -0,0 +1,26 @@
+CONFIG_LOCALVERSION="heads"
+CONFIG_ANY_TOOLCHAIN=y
+# CONFIG_INCLUDE_CONFIG_FILE is not set
+# CONFIG_COLLECT_TIMESTAMPS is not set
+CONFIG_USE_BLOBS=y
+CONFIG_MEASURED_BOOT=y
+CONFIG_VENDOR_LENOVO=y
+CONFIG_CBFS_SIZE=0x800000
+# CONFIG_POST_IO is not set
+# CONFIG_POST_DEVICE is not set
+CONFIG_DRIVERS_UART_8250IO=y
+CONFIG_BOARD_LENOVO_THINKPAD_T430=y
+CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_UART_PCI_ADDR=0
+# CONFIG_CONSOLE_SERIAL is not set
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
+CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="../../build/t430/bzImage"
+CONFIG_PAYLOAD_OPTIONS=""
+# CONFIG_PXE is not set
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
+CONFIG_LINUX_INITRD="../../build/t430/initrd.cpio.xz"
+CONFIG_DEBUG_SMM_RELOCATION=y
+CONFIG_USE_OPTION_TABLE=y
+CONFIG_STATIC_OPTION_TABLE=y
diff --git a/initrd/bin/t430-flash.init b/initrd/bin/t430-flash.init
new file mode 100755
index 000000000..9b97970eb
--- /dev/null
+++ b/initrd/bin/t430-flash.init
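Review bot: `CONFIG_DEBUG_SMM_RELOCATION=y` is left on in config/coreboot-t430.config, the config for the ROM users are meant to run day to day, while every other line keeps the image quiet (`# CONFIG_CONSOLE_SERIAL is not set`, `CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y`). It looks like a leftover from whichever config this file was copied from; if nothing depends on it I would replace it with `# CONFIG_DEBUG_SMM_RELOCATION is not set`, or add a comment saying why the debug path is wanted on this board. The flash variant in the same commit does not set it, so the two T430 images currently differ in this respect without explanation.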
@@ -0,0 +1,26 @@
+#!/bin/sh
+# Initialize the USB and network device drivers,
+# invoke a recovery shell and prompt the user for how to proceed
+
+. /etc/functions
+. /tmp/config
+
+insmod /lib/modules/ehci-hcd.ko
+insmod /lib/modules/ehci-pci.ko
+insmod /lib/modules/xhci-hcd.ko
+insmod /lib/modules/xhci-pci.ko
+insmod /lib/modules/e1000e.ko
+insmod /lib/modules/usb-storage.ko
+
+tpm extend -ix 4 -ic recovery
+sleep 2
+
+echo '***** Starting recovery shell'
+echo ''
+echo 'To install from flash drive:'
+echo ''
+echo ' mount -o ro /dev/sdb1 /media'
+echo ' flash.sh /media/t430.rom'
+echo ''
+
+exec /bin/ash
From 241b0bc6804fc16856525472248503ee4814c32c Mon Sep 17 00:00:00 2001
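Review bot: the on-screen instructions in initrd/bin/t430-flash.init go straight from `mount` to `flash.sh /media/t430.rom`, with no step that checks the image taken from the USB stick. The build already prints a SHA-256 for its output and CI publishes `hashes.txt`, so the prompt can point the user at that: add `echo ' sha256sum /media/t430.rom   # compare with the hash from your build'` between the two existing lines. Whether `flash.sh` performs a check of its own is not visible from this hunk, so treat this as a usability safeguard rather than the only control. It would also help to say in the header comment that PCR 4 is extended with `recovery` before the shell starts, since that ordering is what keeps TPM-sealed secrets out of reach of the recovery shell.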
From: Thierry Laurion Date: Tue, 19 May 2020 19:39:45 -0400 Subject: [PATCH 110/189] upgrade gpg toolstack to latest versions - Remove unrecognized configure options - fixes gawk issue #668 by upgrading to libgpg-error 1.37 instead of patching 1.32 for regex change (fixed upstream) - move patches so they match new versions for libassuan, gpg and libgcrypt (no change) Version change: - gpg 2.2.10 -> 2.2.20 - libassuan 2.5.1 -> 2.5.3 - libgcrypt 1.8.3 -> 1.8.5 - libgpg-error 1.32 -> 1.37 Size changes: - gpg 886.5 -> 911.3 kB - gpg-agent: 371.9 -> 376.0 kB - scdaemon: 399.5 -> 407.8 kB - libgpg-error.so.0 125.9 -> 130.0 kB Unrecognized options on gpg2 toolstack: - disable-nls and disable-asm disable-keyserver-helpers disable-hkp disable-finger disable-dns-srv disable-dns-cert and disable-wks-server --- .gitlab-ci.yml | 29 +++++++++++++++++++ modules/gpg2 | 13 ++------- modules/libassuan | 8 ++--- modules/libgcrypt | 6 ++-- modules/libgpg-error | 5 ++-- modules/libksba | 4 +-- modules/npth | 4 +-- modules/pinentry | 3 +- .../{gpg2-2.2.10.patch => gpg2-2.2.20.patch} | 0 ...suan-2.5.1.patch => libassuan-2.5.3.patch} | 0 ...rypt-1.8.3.patch => libgcrypt-1.8.5.patch} | 0 11 files changed, 44 insertions(+), 28 deletions(-) create mode 100644 .gitlab-ci.yml rename patches/{gpg2-2.2.10.patch => gpg2-2.2.20.patch} (100%) rename patches/{libassuan-2.5.1.patch => libassuan-2.5.3.patch} (100%) rename patches/{libgcrypt-1.8.3.patch => libgcrypt-1.8.5.patch} (100%) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml new file mode 100644 index 000000000..40bf99ebb --- /dev/null +++ b/.gitlab-ci.yml 
@@ -0,0 +1,29 @@ +image: fedora:30 + +variables: + DOCKER_DRIVER: overlay2 + +stages: + - build + +build: + stage: build + retry: 2 + cache: + paths: + - ./ + key: "$CI_COMMIT_REF_SLUG" + script: + - dnf install -y @development-tools gcc-c++ gcc-gnat zlib-devel perl-Digest-MD5 perl-Digest-SHA uuid-devel pcsc-tools ncurses-devel lbzip2 libuuid-devel lzma elfutils-libelf-devel bc bzip2 bison flex git gnupg iasl m4 nasm patch python wget libusb-devel cmake automake pv bsdiff autoconf libtool cpio texinfo + - git fetch origin + - git reset --hard origin/$CI_COMMIT_REF_NAME + - make BOARD=x230 || (find ./build/log/ -cmin 1|xargs tail; exit 1) + - echo "x230 hashes:" + - cat ./build/x230/hashes.txt + - tar zcvf logs.tar.gz ./build/log/* + artifacts: + paths: + - ./build/x230/coreboot.rom + - ./build/x230/hashes.txt + - ./build/x230/initrd.cpio.xz + - ./logs.tar.gz diff --git a/modules/gpg2 b/modules/gpg2 index 318a4cd11..060998992 100644 --- a/modules/gpg2 +++ b/modules/gpg2 @@ -1,10 +1,10 @@ modules-$(CONFIG_GPG2) += gpg2 -gpg2_version := 2.2.10 +gpg2_version := 2.2.20 gpg2_dir := gnupg-$(gpg2_version) gpg2_tar := gnupg-$(gpg2_version).tar.bz2 gpg2_url := https://www.gnupg.org/ftp/gcrypt/gnupg/$(gpg2_tar) -gpg2_hash := 799dd37a86a1448732e339bd20440f4f5ee6e69755f6fd7a73ee8af30840c915 +gpg2_hash := 04a7c9d48b74c399168ee8270e548588ddbe52218c337703d7f06373d326ca30 # For reproducibility reasons we have to override the exec_prefix # and datarootdir on the configure line so that the Makefiles will @@ -16,7 +16,7 @@ gpg2_configure := ./configure \ CPPFLAGS="-I$(INSTALL)/include/libusb-1.0" \ --host x86_64-linux-musl \ --with-libusb="$(INSTALL)" \ - --with-libgpg-error-prefix="$(INSTALL)" \ + --with-gpg-error-prefix="$(INSTALL)" \ --with-libgcrypt-prefix="$(INSTALL)" \ --with-libassuan-prefix="$(INSTALL)" \ --with-ksba-prefix="$(INSTALL)" \ 
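Review bot: `cache: paths: - ./` keyed on `$CI_COMMIT_REF_SLUG` in .gitlab-ci.yml carries the whole working tree, `build/` included, from one pipeline to the next, and `git reset --hard` does not remove untracked or ignored files. For a job whose purpose is to publish `hashes.txt` for a firmware image, the reported hashes can then depend on objects left behind by an earlier run on the same branch rather than on the commit being built. I would limit the cache to the downloaded source tarballs, which the module files already pin with a sha256, and start each run from a clean `build/`. `image: fedora:30` and the unversioned `dnf install` also float, so the toolchain is not fixed either; pinning the image by digest would make hash differences easier to attribute. The same job text is re-added in PATCH 113 and PATCH 116.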
@@ -30,19 +30,12 @@ gpg2_configure := ./configure \ --disable-regex \ --disable-doc \ --disable-bzip2 \ - --disable-asm \ --disable-exec \ --disable-photo-viewers \ - --disable-keyserver-helpers \ --disable-ldap \ - --disable-hkp \ - --disable-finger \ - --disable-dns-srv \ - --disable-dns-cert \ --disable-regex \ --disable-nls \ --disable-all-tests \ - --disable-wks-server \ --disable-wks-tools \ --disable-gnutls \ --disable-dirmngr \ diff --git a/modules/libassuan b/modules/libassuan index 3c4e319aa..800993404 100644 --- a/modules/libassuan +++ b/modules/libassuan @@ -1,18 +1,16 @@ modules-$(CONFIG_GPG2) += libassuan -libassuan_version := 2.5.1 +libassuan_version := 2.5.3 libassuan_dir := libassuan-$(libassuan_version) libassuan_tar := libassuan-$(libassuan_version).tar.bz2 libassuan_url := https://gnupg.org/ftp/gcrypt/libassuan/$(libassuan_tar) -libassuan_hash := 47f96c37b4f2aac289f0bc1bacfa8bd8b4b209a488d3d15e2229cb6cc9b26449 +libassuan_hash := 91bcb0403866b4e7c4bc1cc52ed4c364a9b5414b3994f718c70303f7f765e702 libassuan_configure := ./configure \ $(CROSS_TOOLS) \ --host x86_64-linux-musl \ --prefix "/" \ --disable-static \ - --disable-nls \ - --with-libgpg-error-prefix="$(INSTALL)" \ - --disable-asm \ + --with-gpg-error-prefix="$(INSTALL)" \ libassuan_target := $(MAKE_JOBS) \ DESTDIR="$(INSTALL)" \ diff --git a/modules/libgcrypt b/modules/libgcrypt index 1ba82fceb..602995498 100644 --- a/modules/libgcrypt +++ b/modules/libgcrypt 
@@ -1,16 +1,16 @@ modules-$(CONFIG_GPG2) += libgcrypt -libgcrypt_version := 1.8.3 +libgcrypt_version := 1.8.5 libgcrypt_dir := libgcrypt-$(libgcrypt_version) libgcrypt_tar := libgcrypt-$(libgcrypt_version).tar.bz2 libgcrypt_url := https://gnupg.org/ftp/gcrypt/libgcrypt/$(libgcrypt_tar) -libgcrypt_hash := 66ec90be036747602f2b48f98312361a9180c97c68a690a5f376fa0f67d0af7c +libgcrypt_hash := 3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3 libgcrypt_configure := ./configure \ $(CROSS_TOOLS) \ --host=x86_64-linux-musl \ --prefix "/" \ --disable-static \ - --with-libgpg-error-prefix="$(INSTALL)" \ + --with-gpg-error-prefix="$(INSTALL)" \ --disable-asm \ libgcrypt_target := $(MAKE_JOBS) \ diff --git a/modules/libgpg-error b/modules/libgpg-error index 752e11aad..00bd06440 100644 --- a/modules/libgpg-error +++ b/modules/libgpg-error @@ -1,9 +1,9 @@ modules-$(CONFIG_GPG2) += libgpg-error -libgpg-error_version := 1.32 +libgpg-error_version := 1.37 libgpg-error_dir := libgpg-error-$(libgpg-error_version) libgpg-error_tar := libgpg-error-$(libgpg-error_version).tar.bz2 libgpg-error_url := https://gnupg.org/ftp/gcrypt/libgpg-error/$(libgpg-error_tar) -libgpg-error_hash := c345c5e73cc2332f8d50db84a2280abfb1d8f6d4f1858b9daa30404db44540ca +libgpg-error_hash := b32d6ff72a73cf79797f7f2d039e95e9c6f92f0c1450215410840ab62aea9763 libgpg-error_configure := ./configure \ $(CROSS_TOOLS) \ @@ -14,7 +14,6 @@ libgpg-error_configure := ./configure \ --disable-languages \ --disable-doc \ --disable-tests \ - --disable-asm \ libgpg-error_target := $(MAKE_JOBS) \ DESTDIR="$(INSTALL)" \ diff --git a/modules/libksba b/modules/libksba index d35291338..587280ed9 100644 --- a/modules/libksba +++ b/modules/libksba 
@@ -10,9 +10,7 @@ libksba_configure := ./configure \ --host x86_64-linux-musl \ --prefix "/" \ --disable-static \ - --disable-nls \ - --with-libgpg-error-prefix="$(INSTALL)" \ - --disable-asm \ + --with-gpg-error-prefix="$(INSTALL)" \ libksba_target := $(MAKE_JOBS) \ DESTDIR="$(INSTALL)" \ diff --git a/modules/npth b/modules/npth index e0f30c69e..2128e1d4a 100644 --- a/modules/npth +++ b/modules/npth @@ -10,9 +10,7 @@ npth_configure := ./configure \ --host x86_64-linux-musl \ --prefix "/" \ --disable-static \ - --disable-nls \ - --with-libgpg-error-prefix="$(INSTALL)" \ - --disable-asm \ + --with-gpg-error-prefix="$(INSTALL)" \ npth_target := $(MAKE_JOBS) \ DESTDIR="$(INSTALL)" \ diff --git a/modules/pinentry b/modules/pinentry index c0e93d7fa..54d40e119 100644 --- a/modules/pinentry +++ b/modules/pinentry @@ -27,7 +27,8 @@ pinentry_configure := ./configure \ --disable-pinentry-fltk \ --disable-pinentry-emacs \ --disable-fallback-curses \ - --with-libgpg-error-prefix="$(INSTALL)" \ + --disable-pinentry-qt5 \ + --with-gpg-error-prefix="$(INSTALL)" \ --with-libassuan-prefix="$(INSTALL)" \ # Run one build to generate the executables with the pre-defined diff --git a/patches/gpg2-2.2.10.patch b/patches/gpg2-2.2.20.patch similarity index 100% rename from patches/gpg2-2.2.10.patch rename to patches/gpg2-2.2.20.patch diff --git a/patches/libassuan-2.5.1.patch b/patches/libassuan-2.5.3.patch similarity index 100% rename from patches/libassuan-2.5.1.patch rename to patches/libassuan-2.5.3.patch diff --git a/patches/libgcrypt-1.8.3.patch b/patches/libgcrypt-1.8.5.patch similarity index 100% rename from patches/libgcrypt-1.8.3.patch rename to patches/libgcrypt-1.8.5.patch From d5083f410c45f2256d52a7dcbb9abdafa9895a82 Mon Sep 17 00:00:00 2001 
From: Thierry Laurion Date: Sat, 16 May 2020 13:38:14 -0400 Subject: [PATCH 111/189] x230-hotp-verification: Add x230-hotp-verification board to have a HOTP supported remote attestation for Nitrokey Pro 2, Nitrokey Storage 2 and Librem Key --- .circleci/config.yml | 15 ++++++ .../x230-hotp-verification.config | 48 +++++++++++++++++++ config/coreboot-x230-hotp-verification.config | 15 ++++++ 3 files changed, 78 insertions(+) create mode 100644 boards/x230-hotp-verification/x230-hotp-verification.config create mode 100644 config/coreboot-x230-hotp-verification.config diff --git a/.circleci/config.yml b/.circleci/config.yml index feba622a2..47a7dab74 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -83,6 +83,17 @@ jobs: name: Ouput x230 hashes command: | cat build/x230/hashes.txt \ + - run: + name: x230-hotp-verification + command: | + make --load 2 \ + V=1 \ + BOARD=x230-hotp-verification \ + no_output_timeout: 3h + - run: + name: Ouput x230-hotp-verification hashes + command: | + cat build/x230-hotp-verification/hashes.txt \ - run: name: Archiving build logs to bundle in artifacts command: | @@ -94,6 +105,10 @@ jobs: path: build/x230/coreboot.rom - store-artifacts: path: build/x230/initrd.cpio.xz + - store-artifacts: + path: build/x230-hotp-verification/coreboot.rom + - store-artifacts: + path: build/x230-hotp-verification/initrd.cpio.xz - store-artifacts: path: logs.tar.gz diff --git a/boards/x230-hotp-verification/x230-hotp-verification.config b/boards/x230-hotp-verification/x230-hotp-verification.config new file mode 100644 index 000000000..1c9ef31b2 --- /dev/null +++ b/boards/x230-hotp-verification/x230-hotp-verification.config 
@@ -0,0 +1,48 @@
+# Configuration for a x230-hotp-verification (Nitrokey/Purism USB Security dongle enabled HOTP support)
+# running Qubes and other OSes
+export CONFIG_COREBOOT=y
+CONFIG_COREBOOT_CONFIG=config/coreboot-x230-hotp-verification.config
+CONFIG_LINUX_CONFIG=config/linux-x230.config
+
+CONFIG_CRYPTSETUP=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+CONFIG_DROPBEAR=y
+
+#CONFIG_SLANG=y
+#CONFIG_NEWT=y
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+CONFIG_LIBREMKEY=y
+
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000E=y
+
+export CONFIG_TPM=y
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off"
+export CONFIG_BOOT_KERNEL_REMOVE="quiet"
+export CONFIG_BOOT_DEV="/dev/sda1"
+export CONFIG_BOOT_GUI_MENU_NAME="Thinkpad X230 Heads Boot Menu"
+export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0"
+export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0"
+export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal --ifd --image bios"
+
+# This board has two SPI flash chips, an 8 MB that holds the IFD,
+# the ME image and part of the coreboot image, and a 4 MB one that
+# has the rest of the coreboot and the reset vector.
+#
+# Only flashing to the bios region is safe to do. The easiest is to
+# flash internally when the IFD is unlocked for writing, and x230-flash
+# is installed first.
diff --git a/config/coreboot-x230-hotp-verification.config b/config/coreboot-x230-hotp-verification.config
new file mode 100644
index 000000000..db20e18cf
--- /dev/null
+++ b/config/coreboot-x230-hotp-verification.config
@@ -0,0 +1,15 @@
+CONFIG_LOCALVERSION="heads"
+CONFIG_ANY_TOOLCHAIN=y
+CONFIG_MEASURED_BOOT=y
+CONFIG_VENDOR_LENOVO=y
+CONFIG_CBFS_SIZE=0x800000
+CONFIG_BOARD_LENOVO_X230=y
+CONFIG_NO_POST=y
+CONFIG_UART_PCI_ADDR=0
+CONFIG_NO_GFX_INIT=y
+CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000
+CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="../../build/x230-hotp-verification/bzImage"
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet"
+CONFIG_LINUX_INITRD="../../build/x230-hotp-verification/initrd.cpio.xz"
From 2d50e01071f43d0db9995320fb2f6ff6c810bbc9 Mon Sep 17 00:00:00 2001
From: Szczepan Zalega Date: Thu, 21 May 2020 07:38:02 +0200 Subject: [PATCH 112/189] Make hotp-verification hashes same across two CIs Move from CMake build system to GNU Make for hotp-verification Change version to one supporting Makefile build Fixes https://github.com/osresearch/heads/pull/724 Connected: - https://github.com/Nitrokey/nitrokey-hotp-verification/issues/13 - https://github.com/osresearch/heads/pull/722
---
modules/libremkey-hotp-verification | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/libremkey-hotp-verification b/modules/libremkey-hotp-verification
index 1a943847a..5ebb713b6 100644
--- a/modules/libremkey-hotp-verification
+++ b/modules/libremkey-hotp-verification
@@ -2,11 +2,11 @@ modules-$(CONFIG_LIBREMKEY) += libremkey-hotp-verification libremkey-hotp-verification_depends := libusb $(musl_dep) -libremkey-hotp-verification_version := e5fa36a7a1950226d0ef94e2eeed0ffb510eba89 +libremkey-hotp-verification_version := 809953b9b4bef97a4cffaa20d675bd7fe9d8da53 libremkey-hotp-verification_dir := libremkey-hotp-verification-$(libremkey-hotp-verification_version) libremkey-hotp-verification_tar := nitrokey-hotp-verification-$(libremkey-hotp-verification_version).tar.gz libremkey-hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(libremkey-hotp-verification_version).tar.gz -libremkey-hotp-verification_hash := 668113ebc21cc875d49266c8d3a47acfd524a8d6b64f75b7ce5833d595415469 +libremkey-hotp-verification_hash := 251e5cef74e4e45eeddc49e4a1da1e22d1de774cd32cb0451a9030579ae958ba libremkey-hotp-verification_target := \ $(MAKE_JOBS) \ @@ -19,7 +19,7 @@ libremkey-hotp-verification_output := \ libremkey-hotp-verification_configure := \ INSTALL="$(INSTALL)" \ CROSS="$(CROSS)" \ - cmake -DCMAKE_TOOLCHAIN_FILE=./Toolchain-heads.cmake -DCMAKE_AR="$(CROSS)ar" . + $(CROSS_TOOLS) $(MAKE) LDFLAGS="$(INSTALL)/lib/libusb-1.0.so" && $(MAKE) install INSTALL="$(INSTALL)" libremkey-hotp-verification_depends += hidapi modules-y += hidapi From fdbac6637ff517e5366c313e1ec343c7308c0b37 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Fri, 22 May 2020 14:46:24 -0400 Subject: [PATCH 113/189] Add gitlab-ci CI configuration which builds for x230-hotp-verification for the moment --- .gitlab-ci.yml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 .gitlab-ci.yml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml new file mode 100644 index 000000000..957033198 --- /dev/null +++ b/.gitlab-ci.yml 
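Review bot: `libremkey-hotp-verification_configure` in the second hunk now runs the complete build and `$(MAKE) install`, so the step that other modules use only for configuration carries the compile and the install as well. The module still defines `libremkey-hotp-verification_target` with `$(MAKE_JOBS)` (its body continues outside the hunk), which suggests the build is either done twice or the target step is now a no-op; moving the `$(MAKE) ... LDFLAGS=...` invocation there and leaving `_configure` empty would keep the stages comparable with the other modules. `LDFLAGS="$(INSTALL)/lib/libusb-1.0.so"` also passes a library file where linker flags are expected; it would read better as `LDFLAGS="-L$(INSTALL)/lib" LDLIBS="-lusb-1.0"` if the upstream Makefile honours `LDLIBS`, which is not visible here. A short comment stating that this layout is what makes the hashes match across the two CIs would help the next person who touches it.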
@@ -0,0 +1,30 @@
+image: fedora:32
+
+variables:
+ DOCKER_DRIVER: overlay2
+
+stages:
+ - build
+
+build:
+ stage: build
+ retry: 2
+ cache:
+ paths:
+ - ./
+ key: "$CI_COMMIT_REF_SLUG"
+ script:
+ - dnf install -y @development-tools gcc-c++ gcc-gnat zlib-devel perl-Digest-MD5 perl-Digest-SHA uuid-devel pcsc-tools ncurses-devel lbzip2 libuuid-devel lzma elfutils-libelf-devel bc bzip2 bison flex git gnupg iasl m4 nasm patch python wget libusb-devel cmake automake pv bsdiff autoconf libtool cpio texinfo
+ - git fetch origin
+ - git reset --hard origin/$CI_COMMIT_REF_NAME
+ - echo "Building BOARD=x230-hotp-verification board..."
+ - make BOARD=x230-hotp-verification || (find ./build/log/ -cmin 1|xargs tail; exit 1)
+ - echo "x230-hotp-verification hashes:"
+ - cat ./build/x230-hotp-verification/hashes.txt
+ - tar zcvf logs.tar.gz ./build/log/*
+ artifacts:
+ paths:
+ - ./build/x230-hotp-verification/coreboot.rom
+ - ./build/x230-hotp-verification/hashes.txt
+ - ./build/x230-hotp-verification/initrd.cpio.xz
+ - ./logs.tar.gz
From 0cd1a0d04c80dc1ddbce44b7f22631f6f1a37c34 Mon Sep 17 00:00:00 2001
From: tlaurion Date: Fri, 22 May 2020 14:55:41 -0400 Subject: [PATCH 114/189] Revert "GPG toolstack upgrade to latest available versions (Fixes Gawk issue)"
---
.gitlab-ci.yml | 29 ------------------- modules/gpg2 | 13 +++++++-- modules/libassuan | 8 +++-- modules/libgcrypt | 6 ++-- modules/libgpg-error | 5 ++-- modules/libksba | 4 ++- modules/npth | 4 ++- modules/pinentry | 3 +- .../{gpg2-2.2.20.patch => gpg2-2.2.10.patch} | 0 ...suan-2.5.3.patch => libassuan-2.5.1.patch} | 0 ...rypt-1.8.5.patch => libgcrypt-1.8.3.patch} | 0 11 files changed, 28 insertions(+), 44 deletions(-) delete mode 100644 .gitlab-ci.yml rename patches/{gpg2-2.2.20.patch => gpg2-2.2.10.patch} (100%) rename patches/{libassuan-2.5.3.patch => libassuan-2.5.1.patch} (100%) rename patches/{libgcrypt-1.8.5.patch => libgcrypt-1.8.3.patch} (100%)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml deleted file mode 100644 index 40bf99ebb..000000000 --- a/.gitlab-ci.yml +++ /dev/null @@ -1,29 +0,0 @@ -image: fedora:30 - -variables: - DOCKER_DRIVER: overlay2 - -stages: - - build - -build: - stage: build - retry: 2 - cache: - paths: - - ./ - key: "$CI_COMMIT_REF_SLUG" - script: - - dnf install -y @development-tools gcc-c++ gcc-gnat zlib-devel perl-Digest-MD5 perl-Digest-SHA uuid-devel pcsc-tools ncurses-devel lbzip2 libuuid-devel lzma elfutils-libelf-devel bc bzip2 bison flex git gnupg iasl m4 nasm patch python wget libusb-devel cmake automake pv bsdiff autoconf libtool cpio texinfo - - git fetch origin - - git reset --hard origin/$CI_COMMIT_REF_NAME - - make BOARD=x230 || (find ./build/log/ -cmin 1|xargs tail; exit 1) - - echo "x230 hashes:" - - cat ./build/x230/hashes.txt - - tar zcvf logs.tar.gz ./build/log/* - artifacts: - paths: - - ./build/x230/coreboot.rom - - ./build/x230/hashes.txt - - ./build/x230/initrd.cpio.xz - - ./logs.tar.gz diff --git a/modules/gpg2 b/modules/gpg2 index 060998992..318a4cd11 100644 --- a/modules/gpg2 +++ b/modules/gpg2 @@ -1,10 +1,10 @@ modules-$(CONFIG_GPG2) += gpg2 -gpg2_version := 2.2.20 +gpg2_version := 2.2.10 gpg2_dir := gnupg-$(gpg2_version) gpg2_tar := gnupg-$(gpg2_version).tar.bz2 gpg2_url := https://www.gnupg.org/ftp/gcrypt/gnupg/$(gpg2_tar) -gpg2_hash := 04a7c9d48b74c399168ee8270e548588ddbe52218c337703d7f06373d326ca30 +gpg2_hash := 799dd37a86a1448732e339bd20440f4f5ee6e69755f6fd7a73ee8af30840c915 # For reproducibility reasons we have to override the exec_prefix # and datarootdir on the configure line so that the Makefiles will @@ -16,7 +16,7 @@ gpg2_configure := ./configure \ CPPFLAGS="-I$(INSTALL)/include/libusb-1.0" \ --host x86_64-linux-musl \ --with-libusb="$(INSTALL)" \ - --with-gpg-error-prefix="$(INSTALL)" \ + --with-libgpg-error-prefix="$(INSTALL)" \ --with-libgcrypt-prefix="$(INSTALL)" \ --with-libassuan-prefix="$(INSTALL)" \ --with-ksba-prefix="$(INSTALL)" \ 
@@ -30,12 +30,19 @@ gpg2_configure := ./configure \ --disable-regex \ --disable-doc \ --disable-bzip2 \ + --disable-asm \ --disable-exec \ --disable-photo-viewers \ + --disable-keyserver-helpers \ --disable-ldap \ + --disable-hkp \ + --disable-finger \ + --disable-dns-srv \ + --disable-dns-cert \ --disable-regex \ --disable-nls \ --disable-all-tests \ + --disable-wks-server \ --disable-wks-tools \ --disable-gnutls \ --disable-dirmngr \ diff --git a/modules/libassuan b/modules/libassuan index 800993404..3c4e319aa 100644 --- a/modules/libassuan +++ b/modules/libassuan @@ -1,16 +1,18 @@ modules-$(CONFIG_GPG2) += libassuan -libassuan_version := 2.5.3 +libassuan_version := 2.5.1 libassuan_dir := libassuan-$(libassuan_version) libassuan_tar := libassuan-$(libassuan_version).tar.bz2 libassuan_url := https://gnupg.org/ftp/gcrypt/libassuan/$(libassuan_tar) -libassuan_hash := 91bcb0403866b4e7c4bc1cc52ed4c364a9b5414b3994f718c70303f7f765e702 +libassuan_hash := 47f96c37b4f2aac289f0bc1bacfa8bd8b4b209a488d3d15e2229cb6cc9b26449 libassuan_configure := ./configure \ $(CROSS_TOOLS) \ --host x86_64-linux-musl \ --prefix "/" \ --disable-static \ - --with-gpg-error-prefix="$(INSTALL)" \ + --disable-nls \ + --with-libgpg-error-prefix="$(INSTALL)" \ + --disable-asm \ libassuan_target := $(MAKE_JOBS) \ DESTDIR="$(INSTALL)" \ diff --git a/modules/libgcrypt b/modules/libgcrypt index 602995498..1ba82fceb 100644 --- a/modules/libgcrypt +++ b/modules/libgcrypt 
@@ -1,16 +1,16 @@ modules-$(CONFIG_GPG2) += libgcrypt -libgcrypt_version := 1.8.5 +libgcrypt_version := 1.8.3 libgcrypt_dir := libgcrypt-$(libgcrypt_version) libgcrypt_tar := libgcrypt-$(libgcrypt_version).tar.bz2 libgcrypt_url := https://gnupg.org/ftp/gcrypt/libgcrypt/$(libgcrypt_tar) -libgcrypt_hash := 3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3 +libgcrypt_hash := 66ec90be036747602f2b48f98312361a9180c97c68a690a5f376fa0f67d0af7c libgcrypt_configure := ./configure \ $(CROSS_TOOLS) \ --host=x86_64-linux-musl \ --prefix "/" \ --disable-static \ - --with-gpg-error-prefix="$(INSTALL)" \ + --with-libgpg-error-prefix="$(INSTALL)" \ --disable-asm \ libgcrypt_target := $(MAKE_JOBS) \ diff --git a/modules/libgpg-error b/modules/libgpg-error index 00bd06440..752e11aad 100644 --- a/modules/libgpg-error +++ b/modules/libgpg-error @@ -1,9 +1,9 @@ modules-$(CONFIG_GPG2) += libgpg-error -libgpg-error_version := 1.37 +libgpg-error_version := 1.32 libgpg-error_dir := libgpg-error-$(libgpg-error_version) libgpg-error_tar := libgpg-error-$(libgpg-error_version).tar.bz2 libgpg-error_url := https://gnupg.org/ftp/gcrypt/libgpg-error/$(libgpg-error_tar) -libgpg-error_hash := b32d6ff72a73cf79797f7f2d039e95e9c6f92f0c1450215410840ab62aea9763 +libgpg-error_hash := c345c5e73cc2332f8d50db84a2280abfb1d8f6d4f1858b9daa30404db44540ca libgpg-error_configure := ./configure \ $(CROSS_TOOLS) \ @@ -14,6 +14,7 @@ libgpg-error_configure := ./configure \ --disable-languages \ --disable-doc \ --disable-tests \ + --disable-asm \ libgpg-error_target := $(MAKE_JOBS) \ DESTDIR="$(INSTALL)" \ diff --git a/modules/libksba b/modules/libksba index 587280ed9..d35291338 100644 --- a/modules/libksba +++ b/modules/libksba 
@@ -10,7 +10,9 @@ libksba_configure := ./configure \ --host x86_64-linux-musl \ --prefix "/" \ --disable-static \ - --with-gpg-error-prefix="$(INSTALL)" \ + --disable-nls \ + --with-libgpg-error-prefix="$(INSTALL)" \ + --disable-asm \ libksba_target := $(MAKE_JOBS) \ DESTDIR="$(INSTALL)" \ diff --git a/modules/npth b/modules/npth index 2128e1d4a..e0f30c69e 100644 --- a/modules/npth +++ b/modules/npth @@ -10,7 +10,9 @@ npth_configure := ./configure \ --host x86_64-linux-musl \ --prefix "/" \ --disable-static \ - --with-gpg-error-prefix="$(INSTALL)" \ + --disable-nls \ + --with-libgpg-error-prefix="$(INSTALL)" \ + --disable-asm \ npth_target := $(MAKE_JOBS) \ DESTDIR="$(INSTALL)" \ diff --git a/modules/pinentry b/modules/pinentry index 54d40e119..c0e93d7fa 100644 --- a/modules/pinentry +++ b/modules/pinentry @@ -27,8 +27,7 @@ pinentry_configure := ./configure \ --disable-pinentry-fltk \ --disable-pinentry-emacs \ --disable-fallback-curses \ - --disable-pinentry-qt5 \ - --with-gpg-error-prefix="$(INSTALL)" \ + --with-libgpg-error-prefix="$(INSTALL)" \ --with-libassuan-prefix="$(INSTALL)" \ # Run one build to generate the executables with the pre-defined diff --git a/patches/gpg2-2.2.20.patch b/patches/gpg2-2.2.10.patch similarity index 100% rename from patches/gpg2-2.2.20.patch rename to patches/gpg2-2.2.10.patch diff --git a/patches/libassuan-2.5.3.patch b/patches/libassuan-2.5.1.patch similarity index 100% rename from patches/libassuan-2.5.3.patch rename to patches/libassuan-2.5.1.patch diff --git a/patches/libgcrypt-1.8.5.patch b/patches/libgcrypt-1.8.3.patch similarity index 100% rename from patches/libgcrypt-1.8.5.patch rename to patches/libgcrypt-1.8.3.patch From 972c25de7df9cf797fd211bc795fe057462a6432 Mon Sep 17 00:00:00 2001 
From: Thierry Laurion Date: Fri, 22 May 2020 15:13:06 -0400 Subject: [PATCH 115/189] upgrade gpg toolstack to latest versions - Remove unrecognized configure options - fixes gawk issue #668 by upgrading to libgpg-error 1.37 instead of patching 1.32 for regex change (fixed upstream) - move patches so they match new versions for libassuan, gpg and libgcrypt (no change) Version change: - gpg 2.2.10 -> 2.2.20 - libassuan 2.5.1 -> 2.5.3 - libgcrypt 1.8.3 -> 1.8.5 - libgpg-error 1.32 -> 1.37 Size changes: - gpg 886.5 -> 911.3 kB - gpg-agent: 371.9 -> 376.0 kB - scdaemon: 399.5 -> 407.8 kB - libgpg-error.so.0 125.9 -> 130.0 kB Unrecognized options on gpg2 toolstack: - disable-nls and disable-asm disable-keyserver-helpers disable-hkp disable-finger disable-dns-srv disable-dns-cert and disable-wks-server --- modules/gpg2 | 13 +++---------- modules/libassuan | 8 +++----- modules/libgcrypt | 6 +++--- modules/libgpg-error | 5 ++--- modules/libksba | 4 +--- modules/npth | 4 +--- modules/pinentry | 3 ++- 7 files changed, 15 insertions(+), 28 deletions(-) diff --git a/modules/gpg2 b/modules/gpg2 index 318a4cd11..060998992 100644 --- a/modules/gpg2 +++ b/modules/gpg2 @@ -1,10 +1,10 @@ modules-$(CONFIG_GPG2) += gpg2 -gpg2_version := 2.2.10 +gpg2_version := 2.2.20 gpg2_dir := gnupg-$(gpg2_version) gpg2_tar := gnupg-$(gpg2_version).tar.bz2 gpg2_url := https://www.gnupg.org/ftp/gcrypt/gnupg/$(gpg2_tar) -gpg2_hash := 799dd37a86a1448732e339bd20440f4f5ee6e69755f6fd7a73ee8af30840c915 +gpg2_hash := 04a7c9d48b74c399168ee8270e548588ddbe52218c337703d7f06373d326ca30 # For reproducibility reasons we have to override the exec_prefix # and datarootdir on the configure line so that the Makefiles will 
@@ -16,7 +16,7 @@ gpg2_configure := ./configure \ CPPFLAGS="-I$(INSTALL)/include/libusb-1.0" \ --host x86_64-linux-musl \ --with-libusb="$(INSTALL)" \ - --with-libgpg-error-prefix="$(INSTALL)" \ + --with-gpg-error-prefix="$(INSTALL)" \ --with-libgcrypt-prefix="$(INSTALL)" \ --with-libassuan-prefix="$(INSTALL)" \ --with-ksba-prefix="$(INSTALL)" \ @@ -30,19 +30,12 @@ gpg2_configure := ./configure \ --disable-regex \ --disable-doc \ --disable-bzip2 \ - --disable-asm \ --disable-exec \ --disable-photo-viewers \ - --disable-keyserver-helpers \ --disable-ldap \ - --disable-hkp \ - --disable-finger \ - --disable-dns-srv \ - --disable-dns-cert \ --disable-regex \ --disable-nls \ --disable-all-tests \ - --disable-wks-server \ --disable-wks-tools \ --disable-gnutls \ --disable-dirmngr \ diff --git a/modules/libassuan b/modules/libassuan index 3c4e319aa..800993404 100644 --- a/modules/libassuan +++ b/modules/libassuan @@ -1,18 +1,16 @@ modules-$(CONFIG_GPG2) += libassuan -libassuan_version := 2.5.1 +libassuan_version := 2.5.3 libassuan_dir := libassuan-$(libassuan_version) libassuan_tar := libassuan-$(libassuan_version).tar.bz2 libassuan_url := https://gnupg.org/ftp/gcrypt/libassuan/$(libassuan_tar) -libassuan_hash := 47f96c37b4f2aac289f0bc1bacfa8bd8b4b209a488d3d15e2229cb6cc9b26449 +libassuan_hash := 91bcb0403866b4e7c4bc1cc52ed4c364a9b5414b3994f718c70303f7f765e702 libassuan_configure := ./configure \ $(CROSS_TOOLS) \ --host x86_64-linux-musl \ --prefix "/" \ --disable-static \ - --disable-nls \ - --with-libgpg-error-prefix="$(INSTALL)" \ - --disable-asm \ + --with-gpg-error-prefix="$(INSTALL)" \ libassuan_target := $(MAKE_JOBS) \ DESTDIR="$(INSTALL)" \ diff --git a/modules/libgcrypt b/modules/libgcrypt index 1ba82fceb..602995498 100644 --- a/modules/libgcrypt +++ b/modules/libgcrypt 
@@ -1,16 +1,16 @@ modules-$(CONFIG_GPG2) += libgcrypt -libgcrypt_version := 1.8.3 +libgcrypt_version := 1.8.5 libgcrypt_dir := libgcrypt-$(libgcrypt_version) libgcrypt_tar := libgcrypt-$(libgcrypt_version).tar.bz2 libgcrypt_url := https://gnupg.org/ftp/gcrypt/libgcrypt/$(libgcrypt_tar) -libgcrypt_hash := 66ec90be036747602f2b48f98312361a9180c97c68a690a5f376fa0f67d0af7c +libgcrypt_hash := 3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3 libgcrypt_configure := ./configure \ $(CROSS_TOOLS) \ --host=x86_64-linux-musl \ --prefix "/" \ --disable-static \ - --with-libgpg-error-prefix="$(INSTALL)" \ + --with-gpg-error-prefix="$(INSTALL)" \ --disable-asm \ libgcrypt_target := $(MAKE_JOBS) \ diff --git a/modules/libgpg-error b/modules/libgpg-error index 752e11aad..00bd06440 100644 --- a/modules/libgpg-error +++ b/modules/libgpg-error @@ -1,9 +1,9 @@ modules-$(CONFIG_GPG2) += libgpg-error -libgpg-error_version := 1.32 +libgpg-error_version := 1.37 libgpg-error_dir := libgpg-error-$(libgpg-error_version) libgpg-error_tar := libgpg-error-$(libgpg-error_version).tar.bz2 libgpg-error_url := https://gnupg.org/ftp/gcrypt/libgpg-error/$(libgpg-error_tar) -libgpg-error_hash := c345c5e73cc2332f8d50db84a2280abfb1d8f6d4f1858b9daa30404db44540ca +libgpg-error_hash := b32d6ff72a73cf79797f7f2d039e95e9c6f92f0c1450215410840ab62aea9763 libgpg-error_configure := ./configure \ $(CROSS_TOOLS) \ @@ -14,7 +14,6 @@ libgpg-error_configure := ./configure \ --disable-languages \ --disable-doc \ --disable-tests \ - --disable-asm \ libgpg-error_target := $(MAKE_JOBS) \ DESTDIR="$(INSTALL)" \ diff --git a/modules/libksba b/modules/libksba index d35291338..587280ed9 100644 --- a/modules/libksba +++ b/modules/libksba 
@@ -10,9 +10,7 @@ libksba_configure := ./configure \ --host x86_64-linux-musl \ --prefix "/" \ --disable-static \ - --disable-nls \ - --with-libgpg-error-prefix="$(INSTALL)" \ - --disable-asm \ + --with-gpg-error-prefix="$(INSTALL)" \ libksba_target := $(MAKE_JOBS) \ DESTDIR="$(INSTALL)" \ diff --git a/modules/npth b/modules/npth index e0f30c69e..2128e1d4a 100644 --- a/modules/npth +++ b/modules/npth @@ -10,9 +10,7 @@ npth_configure := ./configure \ --host x86_64-linux-musl \ --prefix "/" \ --disable-static \ - --disable-nls \ - --with-libgpg-error-prefix="$(INSTALL)" \ - --disable-asm \ + --with-gpg-error-prefix="$(INSTALL)" \ npth_target := $(MAKE_JOBS) \ DESTDIR="$(INSTALL)" \ diff --git a/modules/pinentry b/modules/pinentry index c0e93d7fa..54d40e119 100644 --- a/modules/pinentry +++ b/modules/pinentry @@ -27,7 +27,8 @@ pinentry_configure := ./configure \ --disable-pinentry-fltk \ --disable-pinentry-emacs \ --disable-fallback-curses \ - --with-libgpg-error-prefix="$(INSTALL)" \ + --disable-pinentry-qt5 \ + --with-gpg-error-prefix="$(INSTALL)" \ --with-libassuan-prefix="$(INSTALL)" \ # Run one build to generate the executables with the pre-defined From b88daa7710c0ee5285122b6901a5a3686b4ec52d Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Fri, 22 May 2020 14:46:24 -0400 Subject: [PATCH 116/189] Add Fedora 30 gitlab-ci CI configuration building x230-hotp-verification --- .gitlab-ci.yml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 .gitlab-ci.yml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml new file mode 100644 index 000000000..734302447 --- /dev/null +++ b/.gitlab-ci.yml 
@@ -0,0 +1,30 @@ +image: fedora:30 + +variables: + DOCKER_DRIVER: overlay2 + +stages: + - build + +build: + stage: build + retry: 2 + cache: + paths: + - ./ + key: "$CI_COMMIT_REF_SLUG" + script: + - dnf install -y @development-tools gcc-c++ gcc-gnat zlib-devel perl-Digest-MD5 perl-Digest-SHA uuid-devel pcsc-tools ncurses-devel lbzip2 libuuid-devel lzma elfutils-libelf-devel bc bzip2 bison flex git gnupg iasl m4 nasm patch python wget libusb-devel cmake automake pv bsdiff autoconf libtool cpio texinfo + - git fetch origin + - git reset --hard origin/$CI_COMMIT_REF_NAME + - echo "Building BOARD=x230-hotp-verification board..." + - make BOARD=x230-hotp-verification || (find ./build/log/ -cmin 1|xargs tail; exit 1) + - echo "x230-hotp-verification hashes:" + - cat ./build/x230-hotp-verification/hashes.txt + - tar zcvf logs.tar.gz ./build/log/* + artifacts: + paths: + - ./build/x230-hotp-verification/coreboot.rom + - ./build/x230-hotp-verification/hashes.txt + - ./build/x230-hotp-verification/initrd.cpio.xz + - ./logs.tar.gz From 7600ce4bff4075aeb4f490bcdcfff597cdfbea74 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Sun, 24 May 2020 17:12:13 -0400 Subject: [PATCH 117/189] GitlabCI: restrict cache, store cleaned build artifacts for x230* and qemu-coreboot --- .circleci/config.yml | 49 ++++++++++++++++++++++++-------------------- .gitlab-ci.yml | 45 ++++++++++++++++++++++++++++++++++------ 2 files changed, 66 insertions(+), 28 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 47a7dab74..fba86d2b4 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -48,7 +48,7 @@ jobs: - run: name: qemu-coreboot command: | - rm -rf build/make-4.2.1/ build/qemu-coreboot/* && make --load 2 \ + rm -rf build/make-4.2.1/ build/qemu-coreboot/* build/log/* && make --load 2 \ V=1 \ BOARD=qemu-coreboot \ no_output_timeout: 3h 
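Review bot: The `git reset --hard origin/$CI_COMMIT_REF_NAME` step in `script:` moves the job to whatever the branch tip is at run time, so the `coreboot.rom` and `hashes.txt` published as artifacts may not correspond to the commit the pipeline was created for; the ref name is also expanded unquoted. Resetting to the pipeline's own commit, `git reset --hard "$CI_COMMIT_SHA"`, keeps the artifacts traceable to a single commit. Separately, `image: fedora:30` is a mutable tag and `dnf install -y` pulls whatever package versions are current, so the toolchain can change between runs; pinning the image by digest would make the printed hashes easier to compare across builds.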
@@ -56,15 +56,17 @@ jobs: name: Output qemu-coreboot hashes command: | cat build/qemu-coreboot/hashes.txt \ - - - store-artifacts: - path: build/qemu-coreboot/coreboot.rom + - run: + name: Archiving build logs for qemu-coreboot + command: | + tar zcvf build/qemu-coreboot/logs.tar.gz build/log/* - store-artifacts: - path: build/qemu-coreboot/hashes.txt + path: build/qemu-coreboot + - run: name: x230-flash command: | - make --load 2 \ + rm -rf build/x230-flash/* build/log/* && make --load 2 \ V=1 \ BOARD=x230-flash \ no_output_timeout: 3h @@ -72,10 +74,17 @@ jobs: name: Ouput x230-flash hashes command: | cat build/x230-flash/hashes.txt \ + - run: + name: Archiving build logs for x230-flash + command: | + tar zcvf build/x230-flash/logs.tar.gz build/log/* + - store-artifacts: + path: build/x230-flash + - run: name: x230 command: | - make --load 2 \ + rm -rf build/x230/* build/log/* && make --load 2 \ V=1 \ BOARD=x230 \ no_output_timeout: 3h @@ -83,10 +92,17 @@ jobs: name: Ouput x230 hashes command: | cat build/x230/hashes.txt \ + - run: + name: Archiving build logs for x230 + command: | + tar zcvf build/x230/logs.tar.gz build/log/* + - store-artifacts: + path: build/x230 + - run: name: x230-hotp-verification command: | - make --load 2 \ + rm -rf build/x230-hotp-verification/* build/log/* && make --load 2 \ V=1 \ BOARD=x230-hotp-verification \ no_output_timeout: 3h 
@@ -95,22 +111,11 @@ jobs: command: | cat build/x230-hotp-verification/hashes.txt \ - run: - name: Archiving build logs to bundle in artifacts + name: Archiving build logs for x230-hotp-verification command: | - tar zcvf logs.tar.gz ./build/log/* - - - store-artifacts: - path: build/x230-flash/x230-flash.rom - - store-artifacts: - path: build/x230/coreboot.rom - - store-artifacts: - path: build/x230/initrd.cpio.xz - - store-artifacts: - path: build/x230-hotp-verification/coreboot.rom - - store-artifacts: - path: build/x230-hotp-verification/initrd.cpio.xz + tar zcvf build/x230-hotp-verification/logs.tar.gz build/log/* - store-artifacts: - path: logs.tar.gz + path: build/x230-hotp-verification - save_cache: key: heads-{{ .Branch }}{{ .Environment.CACHE_VERSION }} diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 734302447..ccaec9475 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -11,20 +11,53 @@ build: retry: 2 cache: paths: - - ./ + - packages + - crossgcc + - build key: "$CI_COMMIT_REF_SLUG" script: - dnf install -y @development-tools gcc-c++ gcc-gnat zlib-devel perl-Digest-MD5 perl-Digest-SHA uuid-devel pcsc-tools ncurses-devel lbzip2 libuuid-devel lzma elfutils-libelf-devel bc bzip2 bison flex git gnupg iasl m4 nasm patch python wget libusb-devel cmake automake pv bsdiff autoconf libtool cpio texinfo - git fetch origin - git reset --hard origin/$CI_COMMIT_REF_NAME + - echo "Removing old qemu-coreboot artifacts..." + - rm -rf ./build/qemu-coreboot/* + - rm -rf ./build/log/* + - echo "Building BOARD=qemu-coreboot board..." + - make BOARD=qemu-coreboot || (find ./build/log/ -cmin 1|xargs tail; exit 1) + - echo "qemu-coreboot hashes:" + - cat ./build/qemu-coreboot/hashes.txt + - echo "Archiving qemu-coreboot logs..." + - tar zcvf ./build/qemu-coreboot/logs.tar.gz ./build/log/* + - echo "Removing old x230-flash artifacts..." + - rm -rf ./build/x230-flash/* + - rm -rf ./build/log/* + - echo "Building BOARD=x230-flash board..." + - make BOARD=x230-flash || (find ./build/log/ -cmin 1|xargs tail; exit 1) + - echo "x230-flash hashes:" + - cat ./build/x230-flash/hashes.txt + - echo "Archiving x230-flash logs..." + - tar zcvf ./build/x230-flash/logs.tar.gz ./build/log/* + - echo "Removing old x230-hotp-verification artifacts..." + - rm -rf ./build/x230-hotp-verification/* + - rm -rf ./build/log/* - echo "Building BOARD=x230-hotp-verification board..." - make BOARD=x230-hotp-verification || (find ./build/log/ -cmin 1|xargs tail; exit 1) - echo "x230-hotp-verification hashes:" - cat ./build/x230-hotp-verification/hashes.txt - - tar zcvf logs.tar.gz ./build/log/* + - echo "Archiving x230-hotp-verification logs..." + - tar zcvf ./build/x230-hotp-verification/logs.tar.gz ./build/log/* + - echo "Removing old x230 artifacts..." + - rm -rf ./build/x230/* + - rm -rf ./build/log/* + - echo "Building BOARD=x230 board..." 
+ - make BOARD=x230 || (find ./build/log/ -cmin 1|xargs tail; exit 1) + - echo "x230 hashes:" + - cat ./build/x230/hashes.txt + - echo "Archiving x230 logs..." + - tar zcvf ./build/x230/logs.tar.gz ./build/log/* artifacts: paths: - - ./build/x230-hotp-verification/coreboot.rom - - ./build/x230-hotp-verification/hashes.txt - - ./build/x230-hotp-verification/initrd.cpio.xz - - ./logs.tar.gz + - ./build/qemu-coreboot + - ./build/x230-flash + - ./build/x230-hotp-verification + - ./build/x230 From 9090f1a1f9c2132b91466b5ddfb533cc21159498 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Wed, 3 Jun 2020 16:42:40 -0400 Subject: [PATCH 118/189] libpng : moving archive download from sourceforge to github Fixes #735 --- modules/libpng | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/libpng b/modules/libpng index d6d9e6503..e5c3d7184 100644 --- a/modules/libpng +++ b/modules/libpng @@ -3,7 +3,7 @@ modules-$(CONFIG_CAIRO) += libpng libpng_version := 1.6.34 libpng_dir := libpng-$(libpng_version) libpng_tar := libpng-$(libpng_version).tar.gz -libpng_url := https://download.sourceforge.net/libpng/$(libpng_tar) +libpng_url := https://github.com/glennrp/libpng-releases/raw/master/$(libpng_tar) libpng_hash := 574623a4901a9969080ab4a2df9437026c8a87150dfd5c235e28c94b212964a7 libpng_configure := \ From dcbeb26e035110e82eda40a9732736fb0cfdf12f Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Sat, 6 Jun 2020 12:35:13 -0400 Subject: [PATCH 119/189] CIs: move qemu-coreboot to be built last, add t430 and t430-flash boards to CIs --- .circleci/config.yml | 68 +++++++++++++++++++++++++++++++++----------- .gitlab-ci.yml | 40 ++++++++++++++++++++------ 2 files changed, 83 insertions(+), 25 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index fba86d2b4..0648492c5 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
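Review bot: The new `libpng_url` fetches from `raw/master`, a branch that can be rewritten or reorganised, so the download is not tied to an immutable object. The unchanged `libpng_hash` still guards the content, assuming the build verifies it after download (that step is outside this hunk), but a changed file would then only surface as a hash mismatch at build time. Consider pointing the URL at a fixed commit of the same repository, `.../libpng-releases/raw/<reviewed-commit-sha>/$(libpng_tar)`, with the placeholder replaced by a commit that has been checked.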
@@ -44,42 +44,59 @@ jobs: # - store-artifacts: # path: build/qemu-linuxboot/hashes.txt + - run: + name: x230-flash + command: | + rm -rf build/x230-flash/* build/log/* && make --load 2 \ + V=1 \ + BOARD=x230-flash \ + no_output_timeout: 3h + - run: + name: Ouput x230-flash hashes + command: | + cat build/x230-flash/hashes.txt \ + - run: + name: Archiving build logs for x230-flash + command: | + tar zcvf build/x230-flash/logs.tar.gz build/log/* + - store-artifacts: + path: build/x230-flash - run: - name: qemu-coreboot + name: t430-flash command: | - rm -rf build/make-4.2.1/ build/qemu-coreboot/* build/log/* && make --load 2 \ + rm -rf build/t430-flash/* build/log/* && make --load 2 \ V=1 \ - BOARD=qemu-coreboot \ + BOARD=t430-flash \ no_output_timeout: 3h - run: - name: Output qemu-coreboot hashes + name: Ouput t430-flash hashes command: | - cat build/qemu-coreboot/hashes.txt \ + cat build/t430-flash/hashes.txt \ - run: - name: Archiving build logs for qemu-coreboot + name: Archiving build logs for t430-flash command: | - tar zcvf build/qemu-coreboot/logs.tar.gz build/log/* + tar zcvf build/t430-flash/logs.tar.gz build/log/* - store-artifacts: - path: build/qemu-coreboot + path: build/t430-flash - run: - name: x230-flash + name: t430 command: | - rm -rf build/x230-flash/* build/log/* && make --load 2 \ + rm -rf build/t430/* build/log/* && make --load 2 \ V=1 \ - BOARD=x230-flash \ + BOARD=t430 \ no_output_timeout: 3h - run: - name: Ouput x230-flash hashes + name: Ouput t430 hashes command: | - cat build/x230-flash/hashes.txt \ + cat build/t430/hashes.txt \ - run: - name: Archiving build logs for x230-flash + name: Archiving build logs for t430 command: | - tar zcvf build/x230-flash/logs.tar.gz build/log/* + tar zcvf build/t430/logs.tar.gz build/log/* - store-artifacts: - path: build/x230-flash + path: build/t430 - run: name: x230 @@ -99,6 +116,7 @@ jobs: - store-artifacts: path: build/x230 + - run: name: x230-hotp-verification command: | 
@@ -117,6 +135,24 @@ jobs: - store-artifacts: path: build/x230-hotp-verification + - run: + name: qemu-coreboot + command: | + rm -rf build/make-4.2.1/ build/qemu-coreboot/* build/log/* && make --load 2 \ + V=1 \ + BOARD=qemu-coreboot \ + no_output_timeout: 3h + - run: + name: Output qemu-coreboot hashes + command: | + cat build/qemu-coreboot/hashes.txt \ + - run: + name: Archiving build logs for qemu-coreboot + command: | + tar zcvf build/qemu-coreboot/logs.tar.gz build/log/* + - store-artifacts: + path: build/qemu-coreboot + - save_cache: key: heads-{{ .Branch }}{{ .Environment.CACHE_VERSION }} paths: diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index ccaec9475..98bdcdc19 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -19,15 +19,6 @@ build: - dnf install -y @development-tools gcc-c++ gcc-gnat zlib-devel perl-Digest-MD5 perl-Digest-SHA uuid-devel pcsc-tools ncurses-devel lbzip2 libuuid-devel lzma elfutils-libelf-devel bc bzip2 bison flex git gnupg iasl m4 nasm patch python wget libusb-devel cmake automake pv bsdiff autoconf libtool cpio texinfo - git fetch origin - git reset --hard origin/$CI_COMMIT_REF_NAME - - echo "Removing old qemu-coreboot artifacts..." - - rm -rf ./build/qemu-coreboot/* - - rm -rf ./build/log/* - - echo "Building BOARD=qemu-coreboot board..." - - make BOARD=qemu-coreboot || (find ./build/log/ -cmin 1|xargs tail; exit 1) - - echo "qemu-coreboot hashes:" - - cat ./build/qemu-coreboot/hashes.txt - - echo "Archiving qemu-coreboot logs..." - - tar zcvf ./build/qemu-coreboot/logs.tar.gz ./build/log/* - echo "Removing old x230-flash artifacts..." - rm -rf ./build/x230-flash/* - rm -rf ./build/log/* 
@@ -37,6 +28,15 @@ build: - cat ./build/x230-flash/hashes.txt - echo "Archiving x230-flash logs..." - tar zcvf ./build/x230-flash/logs.tar.gz ./build/log/* + - echo "Removing old t430-flash artifacts..." + - rm -rf ./build/t430-flash/* + - rm -rf ./build/log/* + - echo "Building BOARD=t430-flash board..." + - make BOARD=t430-flash || (find ./build/log/ -cmin 1|xargs tail; exit 1) + - echo "t430-flash hashes:" + - cat ./build/t430-flash/hashes.txt + - echo "Archiving t430-flash logs..." + - tar zcvf ./build/t430-flash/logs.tar.gz ./build/log/* - echo "Removing old x230-hotp-verification artifacts..." - rm -rf ./build/x230-hotp-verification/* - rm -rf ./build/log/* @@ -55,9 +55,31 @@ build: - cat ./build/x230/hashes.txt - echo "Archiving x230 logs..." - tar zcvf ./build/x230/logs.tar.gz ./build/log/* + + - echo "Removing old t430 artifacts..." + - rm -rf ./build/t430/* + - rm -rf ./build/log/* + - echo "Building BOARD=t430 board..." + - make BOARD=t430 || (find ./build/log/ -cmin 1|xargs tail; exit 1) + - echo "t430 hashes:" + - cat ./build/t430/hashes.txt + - echo "Archiving t430 logs..." + - tar zcvf ./build/t430/logs.tar.gz ./build/log/* + + - echo "Removing old qemu-coreboot artifacts..." + - rm -rf ./build/qemu-coreboot/* + - rm -rf ./build/log/* + - echo "Building BOARD=qemu-coreboot board..." + - make BOARD=qemu-coreboot || (find ./build/log/ -cmin 1|xargs tail; exit 1) + - echo "qemu-coreboot hashes:" + - cat ./build/qemu-coreboot/hashes.txt + - echo "Archiving qemu-coreboot logs..." + - tar zcvf ./build/qemu-coreboot/logs.tar.gz ./build/log/* artifacts: paths: - ./build/qemu-coreboot - ./build/x230-flash + - ./build/t430-flash - ./build/x230-hotp-verification - ./build/x230 + - ./build/t430 From 11a0fdc061b6483af8644a84adf05e54c8425683 Mon Sep 17 00:00:00 2001 
From: Thierry Laurion Date: Sun, 7 Jun 2020 15:58:21 -0400 Subject: [PATCH 120/189] CIs: Replace cache fingerprint with username of the user launching the build to make it reusable between PRs --- .circleci/config.yml | 4 ++-- .gitlab-ci.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 0648492c5..45b325489 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -12,7 +12,7 @@ jobs: - checkout - restore_cache: - key: heads-{{ .Branch }}{{ .Environment.CACHE_VERSION }} + key: heads-{{ .Environment.CIRCLE_USERNAME }}-{{ .Environment.CACHE_VERSION }} - run: name: git reset @@ -154,7 +154,7 @@ jobs: path: build/qemu-coreboot - save_cache: - key: heads-{{ .Branch }}{{ .Environment.CACHE_VERSION }} + key: heads-{{ .CIRCLE_PROJECT_USERNAME }}{{ .Environment.CACHE_VERSION }} paths: - packages - crossgcc diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 98bdcdc19..beec06a4d 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -14,7 +14,7 @@ build: - packages - crossgcc - build - key: "$CI_COMMIT_REF_SLUG" + key: "heads-$GITLAB_USER_LOGIN" script: - dnf install -y @development-tools gcc-c++ gcc-gnat zlib-devel perl-Digest-MD5 perl-Digest-SHA uuid-devel pcsc-tools ncurses-devel lbzip2 libuuid-devel lzma elfutils-libelf-devel bc bzip2 bison flex git gnupg iasl m4 nasm patch python wget libusb-devel cmake automake pv bsdiff autoconf libtool cpio texinfo - git fetch origin From 0cae2d7805868b9ee5d1a81a36b4424589e69aef Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Thu, 21 Nov 2019 16:01:50 -0600 Subject: [PATCH 121/189] kexec-save-default: guard TPM LUKS usage with config option Add CONFIG_TPM_NO_LUKS_DISK_UNLOCK to allow Librem boards to opt out of using TPM to store LUKS key, and use it to guard the user option to add the disk encryption key to the TPM. Select this option for all Librem boards; all other boards which select CONFIG_TPM=y will have no change in functionality. 
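Review bot: The `restore_cache` and `save_cache` keys in `.circleci/config.yml` no longer match: the first hunk uses `heads-{{ .Environment.CIRCLE_USERNAME }}-{{ .Environment.CACHE_VERSION }}`, while the `save_cache` hunk at line 154 uses `heads-{{ .CIRCLE_PROJECT_USERNAME }}{{ .Environment.CACHE_VERSION }}`, which names a different variable, drops the `.Environment.` prefix and omits the hyphen. A cache saved under the second key cannot be found by the first, so each run would start cold, and the second template may not render at all. Use the same expression in both places, `key: heads-{{ .Environment.CIRCLE_USERNAME }}-{{ .Environment.CACHE_VERSION }}`.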
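Review bot: Keying the GitLab cache on `heads-$GITLAB_USER_LOGIN` makes every ref built by the same user share one cache, and the `paths:` context lines show that it includes the whole `build` directory, so objects produced while building an unreviewed branch can be reused when another ref's artifacts are built. For firmware images that reuse is worth bounding: share only `packages` and `crossgcc` across refs and keep `build` keyed per ref. If the sharing is intended, a comment such as `# cache is shared across refs; release images must come from a clean build` would record the assumption.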
Signed-off-by: Matt DeVillier --- boards/librem13v2/librem13v2.config | 1 + boards/librem13v4/librem13v4.config | 1 + boards/librem15v3/librem15v3.config | 1 + boards/librem15v4/librem15v4.config | 1 + initrd/bin/kexec-save-default | 2 +- 5 files changed, 5 insertions(+), 1 deletion(-) diff --git a/boards/librem13v2/librem13v2.config b/boards/librem13v2/librem13v2.config index 776256be9..312fb7225 100644 --- a/boards/librem13v2/librem13v2.config +++ b/boards/librem13v2/librem13v2.config @@ -25,6 +25,7 @@ CONFIG_LIBREMKEY=y CONFIG_LINUX_USB=y export CONFIG_TPM=y +export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y export CONFIG_BOOTSCRIPT=/bin/gui-init export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n diff --git a/boards/librem13v4/librem13v4.config b/boards/librem13v4/librem13v4.config index 1b0a83ab2..765c0d83f 100644 --- a/boards/librem13v4/librem13v4.config +++ b/boards/librem13v4/librem13v4.config @@ -25,6 +25,7 @@ CONFIG_LIBREMKEY=y CONFIG_LINUX_USB=y export CONFIG_TPM=y +export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y export CONFIG_BOOTSCRIPT=/bin/gui-init export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n diff --git a/boards/librem15v3/librem15v3.config b/boards/librem15v3/librem15v3.config index c73f5b8f2..82d2ad8ba 100644 --- a/boards/librem15v3/librem15v3.config +++ b/boards/librem15v3/librem15v3.config @@ -27,6 +27,7 @@ CONFIG_LIBREMKEY=y CONFIG_LINUX_USB=y export CONFIG_TPM=y +export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y export CONFIG_BOOTSCRIPT=/bin/gui-init export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n diff --git a/boards/librem15v4/librem15v4.config b/boards/librem15v4/librem15v4.config index b2349799d..0fcddcbb5 100644 --- a/boards/librem15v4/librem15v4.config +++ b/boards/librem15v4/librem15v4.config @@ -27,6 +27,7 @@ CONFIG_LIBREMKEY=y CONFIG_LINUX_USB=y export CONFIG_TPM=y +export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y export CONFIG_BOOTSCRIPT=/bin/gui-init export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n 
diff --git a/initrd/bin/kexec-save-default b/initrd/bin/kexec-save-default index 85ac3f27e..fe04e864f 100755 --- a/initrd/bin/kexec-save-default +++ b/initrd/bin/kexec-save-default @@ -45,7 +45,7 @@ fi KEY_DEVICES="$paramsdir/kexec_key_devices.txt" KEY_LVM="$paramsdir/kexec_key_lvm.txt" save_key="n" -if [ "$CONFIG_TPM" = "y" ]; then +if [[ "$CONFIG_TPM" = "y" && "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ]]; then if [ ! -r "$KEY_DEVICES" ]; then read \ -n 1 \ From 0e349c565e871fe49cd9b94799af82566f13e79c Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Tue, 9 Jun 2020 18:42:55 +0200 Subject: [PATCH 122/189] Update hotp-verification --- modules/libremkey-hotp-verification | 4 +- ...36a7a1950226d0ef94e2eeed0ffb510eba89.patch | 73 ------------------- 2 files changed, 2 insertions(+), 75 deletions(-) delete mode 100644 patches/libremkey-hotp-verification-e5fa36a7a1950226d0ef94e2eeed0ffb510eba89.patch diff --git a/modules/libremkey-hotp-verification b/modules/libremkey-hotp-verification index 5ebb713b6..c01c07cd3 100644 --- a/modules/libremkey-hotp-verification +++ b/modules/libremkey-hotp-verification 
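Review bot: The new guard uses `[[ ... && ... ]]`, a bash extension, where the line it replaces used POSIX `[ ... ]`. The script's shebang is outside this hunk; if the script runs under a POSIX `sh` or an ash build without full `[[` support, the test may not parse as intended and the branch that offers to seal the disk key would be skipped with `save_key` left at `n`. A portable form is `if [ "$CONFIG_TPM" = "y" ] && [ "$CONFIG_TPM_NO_LUKS_DISK_UNLOCK" != "y" ]; then`. The body of the `if` continues past the end of the hunk.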
@@ -2,11 +2,11 @@ modules-$(CONFIG_LIBREMKEY) += libremkey-hotp-verification libremkey-hotp-verification_depends := libusb $(musl_dep) -libremkey-hotp-verification_version := 809953b9b4bef97a4cffaa20d675bd7fe9d8da53 +libremkey-hotp-verification_version := 1cf1e1f3601b79692b81d409597136b8ff7c723a libremkey-hotp-verification_dir := libremkey-hotp-verification-$(libremkey-hotp-verification_version) libremkey-hotp-verification_tar := nitrokey-hotp-verification-$(libremkey-hotp-verification_version).tar.gz libremkey-hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(libremkey-hotp-verification_version).tar.gz -libremkey-hotp-verification_hash := 251e5cef74e4e45eeddc49e4a1da1e22d1de774cd32cb0451a9030579ae958ba +libremkey-hotp-verification_hash := 21152cfb272f8edeff1220065940d5d6dfc12dbb2a48b84e64b24f8fc89c2567 libremkey-hotp-verification_target := \ $(MAKE_JOBS) \ diff --git a/patches/libremkey-hotp-verification-e5fa36a7a1950226d0ef94e2eeed0ffb510eba89.patch b/patches/libremkey-hotp-verification-e5fa36a7a1950226d0ef94e2eeed0ffb510eba89.patch deleted file mode 100644 index 5f058f22d..000000000 --- a/patches/libremkey-hotp-verification-e5fa36a7a1950226d0ef94e2eeed0ffb510eba89.patch +++ /dev/null 
@@ -1,73 +0,0 @@ ---- nitrokey-hotp-verification-a/Toolchain-heads.cmake 2018-05-22 09:55:46.907209235 -0700 -+++ nitrokey-hotp-verification-b/Toolchain-heads.cmake 2018-05-22 09:55:26.659371966 -0700 -@@ -0,0 +1,27 @@ -+SET(CMAKE_SYSTEM_NAME Linux) -+SET(CMAKE_SYSTEM_VERSION 1) -+ -+# Specify the cross compiler -+SET(CMAKE_C_COMPILER $ENV{CROSS}gcc) -+SET(CMAKE_CXX_COMPILER $ENV{CROSS}gcc) -+ -+#sysroot location -+set(MYSYSROOT $ENV{INSTALL}) -+ -+# compiler/linker flags -+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE) -+set(CMAKE_C_LINK_FLAGS "${CMAKE_C_LINK_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE) -+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE) -+set(CMAKE_CXX_LINK_FLAGS "${CMAKE_CXX_LINK_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE) -+ -+# Where is the target environment -+SET(CMAKE_FIND_ROOT_PATH "${MYSYSROOT}") -+ -+# Search for programs only in the build host directories -+SET(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER) -+ -+# Search for libraries and headers only in the target directories -+SET(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY) -+SET(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY) -+ -+INCLUDE_DIRECTORIES(hidapi) ---- libremkey-hotp-verification/device.c 2018-06-20 16:13:36.417804210 -0700 -+++ libremkey-hotp-verification-b/device.c 2018-06-20 16:14:34.532367723 -0700 -@@ -34,7 +34,7 @@ - const unsigned short m_vid = 0x20a0; - const unsigned short m_pid = 0x4108; - --static const int CONNECTION_ATTEMPTS_COUNT = 80; -+static const int CONNECTION_ATTEMPTS_COUNT = 2; - - static const int CONNECTION_ATTEMPT_DELAY_MICRO_SECONDS = 1000*1000/2; - ---- libremkey-hotp-verification/libremkey_hotp_initialize -+++ libremkey-hotp-verification-b/libremkey_hotp_initialize -@@ -14,9 +14,9 @@ fi - PIN=$1 - SECRET=$2 - COUNTER=$3 --SECRET_B32=$(echo -n $SECRET | base32) -+SECRET_B32=$(cat $SECRET | base32) - --libremkey_hotp_verification set $SECRET_B32 $PIN 
-+libremkey_hotp_verification set $SECRET_B32 "$PIN" - if [ $? -ne 0 ]; then - echo "ERROR: Setting HOTP secret on Librem Key failed!" - exit 1 -@@ -25,7 +25,7 @@ fi - i=9 - while [ "$i" -lt "$COUNTER" ]; do - echo "Updating counter to $i" -- HOTP_CODE=$(echo $SECRET | hotp $i) -+ HOTP_CODE=$(hotp $i < $SECRET) - libremkey_hotp_verification check $HOTP_CODE > /dev/null - if [ $? -ne 0 ]; then - echo "HOTP check failed for counter=$i, code=$HOTP_CODE" -@@ -34,7 +34,7 @@ while [ "$i" -lt "$COUNTER" ]; do - let "i += 10" - done - --HOTP_CODE=$(echo $SECRET | hotp $COUNTER) -+HOTP_CODE=$(hotp $COUNTER < $SECRET) - libremkey_hotp_verification check $HOTP_CODE > /dev/null - if [ $? -ne 0 ]; then - echo "HOTP check failed for counter=$COUNTER, code=$HOTP_CODE" From cbad9b663724c95508f0eec027841d93c723c006 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Thu, 23 Apr 2020 18:36:03 -0500 Subject: [PATCH 123/189] oem-factory-reset: Handle non-TPM case Guard TPM-related bits by checking CONFIG_TPM = y Signed-off-by: Matt DeVillier --- initrd/bin/oem-factory-reset | 74 +++++++++++++++++++++--------------- 1 file changed, 43 insertions(+), 31 deletions(-) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index 2628eed91..6b89c8e02 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset 
@@ -123,21 +123,26 @@ generate_checksums() rm /boot/kexec* 2>/dev/null # create Heads TPM counter - tpm counter_create \ - -pwdo "$TPM_PASS_DEF" \ - -pwdc '' \ - -la -3135106223 \ - | tee /tmp/counter \ - || whiptail_error_die "Unable to create TPM counter" - TPM_COUNTER=`cut -d: -f1 < /tmp/counter` - - # increment TPM counter - increment_tpm_counter $TPM_COUNTER >/dev/null 2>&1 \ - || whiptail_error_die "Unable to increment tpm counter" - - # create rollback file - sha256sum /tmp/counter-$TPM_COUNTER > /boot/kexec_rollback.txt 2>/dev/null \ - || whiptail_error_die "Unable to create rollback file" + if [ "$CONFIG_TPM" = "y" ]; then + tpm counter_create \ + -pwdo "$TPM_PASS_DEF" \ + -pwdc '' \ + -la -3135106223 \ + | tee /tmp/counter \ + || whiptail_error_die "Unable to create TPM counter" + TPM_COUNTER=`cut -d: -f1 < /tmp/counter` + + # increment TPM counter + increment_tpm_counter $TPM_COUNTER >/dev/null 2>&1 \ + || whiptail_error_die "Unable to increment tpm counter" + + # create rollback file + sha256sum /tmp/counter-$TPM_COUNTER > /boot/kexec_rollback.txt 2>/dev/null \ + || whiptail_error_die "Unable to create rollback file" + else + ## needs to exist for initial call to unseal-hotp + echo "0" > /boot/kexec_hotp_counter + fi # set default boot option set_default_boot_option 
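Review bot: In the re-indented `tpm counter_create ... | tee /tmp/counter || whiptail_error_die ...`, the `||` sees the exit status of `tee`, not of `tpm counter_create`, unless `pipefail` is enabled somewhere outside this hunk, so a failed counter creation does not reach the error handler and `TPM_COUNTER` is then parsed from whatever landed in `/tmp/counter`. Checking the command directly closes that gap, `tpm counter_create -pwdo "$TPM_PASS_DEF" -pwdc '' -la -3135106223 > /tmp/counter || whiptail_error_die "Unable to create TPM counter"`; `$TPM_COUNTER` on the following lines should also be quoted. The new `else` branch writes only `/boot/kexec_hotp_counter`, so no `kexec_rollback.txt` exists on non-TPM boards, and a comment stating that rollback protection is intentionally absent there would help the next reader. `generate_checksums` starts and ends outside the hunk.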
@@ -228,15 +233,20 @@ else fi # show warning prompt +if [ "$CONFIG_TPM" = "y" ]; then + TPM_STR=" * ERASE the TPM and reset it with a default password\n" +else + TPM_STR="" +fi if ! whiptail --yesno " - This operation will automatically:\n\n - * ERASE the TPM and reset it with a default password\n - * ERASE any keys or passwords on the GPG smart card,\n - reset it to a factory state, and generate new keys\n - * Add the new GPG key to the firmware and reflash it\n - * Sign all of the files in /boot with the new GPG key\n\n - It requires that you already have an OS installed on a\n - dedicated /boot partition. Do you wish to continue?\n" \ + This operation will automatically:\n\n +$TPM_STR + * ERASE any keys or passwords on the GPG smart card,\n + reset it to a factory state, and generate new keys\n + * Add the new GPG key to the firmware and reflash it\n + * Sign all of the files in /boot with the new GPG key\n\n + It requires that you already have an OS installed on a\n + dedicated /boot partition. Do you wish to continue?\n" \ $WIDTH $HEIGHT $CONTINUE $CANCEL $CLEAR $bg_color --title "$title_text" ; then exit 1 fi @@ -297,14 +307,16 @@ replace_config /etc/config.user "CONFIG_BOOT_DEV" "$CONFIG_BOOT_DEV" combine_configs ## reset TPM and set default password -echo -e "\nResetting TPM...\n" -{ - echo $TPM_PASS_DEF - echo $TPM_PASS_DEF -} | /bin/tpm-reset >/dev/null 2>/tmp/error -if [ $? -ne 0 ]; then - ERROR=$(tail -n 1 /tmp/error) - whiptail_error_die "Error resetting TPM:\n\n${ERROR}" +if [ "$CONFIG_TPM" = "y" ]; then + echo -e "\nResetting TPM...\n" + { + echo $TPM_PASS_DEF + echo $TPM_PASS_DEF + } | /bin/tpm-reset >/dev/null 2>/tmp/error + if [ $? -ne 0 ]; then + ERROR=$(tail -n 1 /tmp/error) + whiptail_error_die "Error resetting TPM:\n\n${ERROR}" + fi fi # clear local keyring From 1ba73ac1d5c1317fadcda9d086225b0544deaa67 Mon Sep 17 00:00:00 2001 
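Review bot: In the TPM reset hunk, both `echo $TPM_PASS_DEF` lines feeding `/bin/tpm-reset` expand the password unquoted, so a value containing whitespace or glob characters would be altered by word splitting before it is set as the TPM password. Replacing the pair with `printf '%s\n%s\n' "$TPM_PASS_DEF" "$TPM_PASS_DEF"` passes the value through unchanged. The definition of `TPM_PASS_DEF` is outside the hunk, so whether the current default is affected cannot be confirmed from here.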
From: alex-nitrokey Date: Thu, 11 Jun 2020 15:29:51 +0200 Subject: [PATCH 124/189] Rename CONFIG_LIBREMKEY to CONFIG_HOTPKEY --- Makefile | 2 +- boards/librem13v2/librem13v2.config | 2 +- boards/librem13v4/librem13v4.config | 2 +- boards/librem15v3/librem15v3.config | 2 +- boards/librem15v4/librem15v4.config | 2 +- boards/x230-hotp-verification/x230-hotp-verification.config | 2 +- initrd/bin/gui-init | 2 +- modules/libremkey-hotp-verification | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/Makefile b/Makefile index a0bda55be..a3f73118e 100644 --- a/Makefile +++ b/Makefile @@ -428,7 +428,7 @@ bin_modules-$(CONFIG_FLASHTOOLS) += flashtools bin_modules-$(CONFIG_NEWT) += newt bin_modules-$(CONFIG_CAIRO) += cairo bin_modules-$(CONFIG_FBWHIPTAIL) += fbwhiptail -bin_modules-$(CONFIG_LIBREMKEY) += libremkey-hotp-verification +bin_modules-$(CONFIG_HOTPKEY) += libremkey-hotp-verification bin_modules-$(CONFIG_MSRTOOLS) += msrtools $(foreach m, $(bin_modules-y), \ diff --git a/boards/librem13v2/librem13v2.config b/boards/librem13v2/librem13v2.config index 776256be9..0ceaea82f 100644 --- a/boards/librem13v2/librem13v2.config +++ b/boards/librem13v2/librem13v2.config @@ -20,7 +20,7 @@ CONFIG_TPMTOTP=y #CONFIG_NEWT=y CONFIG_CAIRO=y CONFIG_FBWHIPTAIL=y -CONFIG_LIBREMKEY=y +CONFIG_HOTPKEY=y CONFIG_LINUX_USB=y diff --git a/boards/librem13v4/librem13v4.config b/boards/librem13v4/librem13v4.config index 1b0a83ab2..4b1467237 100644 --- a/boards/librem13v4/librem13v4.config +++ b/boards/librem13v4/librem13v4.config @@ -20,7 +20,7 @@ CONFIG_TPMTOTP=y #CONFIG_NEWT=y CONFIG_CAIRO=y CONFIG_FBWHIPTAIL=y -CONFIG_LIBREMKEY=y +CONFIG_HOTPKEY=y CONFIG_LINUX_USB=y diff --git a/boards/librem15v3/librem15v3.config b/boards/librem15v3/librem15v3.config index c73f5b8f2..75c5fc922 100644 --- a/boards/librem15v3/librem15v3.config +++ b/boards/librem15v3/librem15v3.config 
@@ -22,7 +22,7 @@ CONFIG_TPMTOTP=y #CONFIG_NEWT=y CONFIG_CAIRO=y CONFIG_FBWHIPTAIL=y -CONFIG_LIBREMKEY=y +CONFIG_HOTPKEY=y CONFIG_LINUX_USB=y diff --git a/boards/librem15v4/librem15v4.config b/boards/librem15v4/librem15v4.config index b2349799d..8f1c88243 100644 --- a/boards/librem15v4/librem15v4.config +++ b/boards/librem15v4/librem15v4.config @@ -22,7 +22,7 @@ CONFIG_TPMTOTP=y #CONFIG_NEWT=y CONFIG_CAIRO=y CONFIG_FBWHIPTAIL=y -CONFIG_LIBREMKEY=y +CONFIG_HOTPKEY=y CONFIG_LINUX_USB=y diff --git a/boards/x230-hotp-verification/x230-hotp-verification.config b/boards/x230-hotp-verification/x230-hotp-verification.config index 1c9ef31b2..93ce9831b 100644 --- a/boards/x230-hotp-verification/x230-hotp-verification.config +++ b/boards/x230-hotp-verification/x230-hotp-verification.config @@ -22,7 +22,7 @@ CONFIG_DROPBEAR=y #CONFIG_NEWT=y CONFIG_CAIRO=y CONFIG_FBWHIPTAIL=y -CONFIG_LIBREMKEY=y +CONFIG_HOTPKEY=y CONFIG_LINUX_USB=y CONFIG_LINUX_E1000E=y diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 1ac0273f8..323700baa 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -118,7 +118,7 @@ clean_boot_check() [ $GPG_KEY_COUNT -ne 0 ] && return # check for USB security token - if [ "$CONFIG_LIBREMKEY" = "y" ]; then + if [ "$CONFIG_HOTPKEY" = "y" ]; then enable_usb if ! gpg --card-status > /dev/null ; then return diff --git a/modules/libremkey-hotp-verification b/modules/libremkey-hotp-verification index 5ebb713b6..94397e1a1 100644 --- a/modules/libremkey-hotp-verification +++ b/modules/libremkey-hotp-verification @@ -1,4 +1,4 @@ -modules-$(CONFIG_LIBREMKEY) += libremkey-hotp-verification +modules-$(CONFIG_HOTPKEY) += libremkey-hotp-verification libremkey-hotp-verification_depends := libusb $(musl_dep) From 342431746dda12db84c0306a45e84dc85448b4e1 Mon Sep 17 00:00:00 2001 
From: alex-nitrokey Date: Thu, 11 Jun 2020 15:39:12 +0200 Subject: [PATCH 125/189] Quick fix to build --- config/coreboot-x230-hotp-verification.config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/coreboot-x230-hotp-verification.config b/config/coreboot-x230-hotp-verification.config index db20e18cf..150c73332 100644 --- a/config/coreboot-x230-hotp-verification.config +++ b/config/coreboot-x230-hotp-verification.config @@ -2,7 +2,7 @@ CONFIG_LOCALVERSION="heads" CONFIG_ANY_TOOLCHAIN=y CONFIG_MEASURED_BOOT=y CONFIG_VENDOR_LENOVO=y -CONFIG_CBFS_SIZE=0x800000 +CONFIG_CBFS_SIZE=0x710000 CONFIG_BOARD_LENOVO_X230=y CONFIG_NO_POST=y CONFIG_UART_PCI_ADDR=0 From 4069619ead133aee352a17e696f4f46b7c135f83 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Thu, 11 Jun 2020 15:54:10 +0200 Subject: [PATCH 126/189] Rename libremkey-hotp-verification module --- Makefile | 2 +- modules/hidapi | 2 +- modules/hotp-verification | 37 +++++++++++++++++++++++++++++ modules/libremkey-hotp-verification | 37 ----------------------------- 4 files changed, 39 insertions(+), 39 deletions(-) create mode 100644 modules/hotp-verification delete mode 100644 modules/libremkey-hotp-verification diff --git a/Makefile b/Makefile index a3f73118e..084ad0331 100644 --- a/Makefile +++ b/Makefile @@ -428,7 +428,7 @@ bin_modules-$(CONFIG_FLASHTOOLS) += flashtools bin_modules-$(CONFIG_NEWT) += newt bin_modules-$(CONFIG_CAIRO) += cairo bin_modules-$(CONFIG_FBWHIPTAIL) += fbwhiptail -bin_modules-$(CONFIG_HOTPKEY) += libremkey-hotp-verification +bin_modules-$(CONFIG_HOTPKEY) += hotp-verification bin_modules-$(CONFIG_MSRTOOLS) += msrtools $(foreach m, $(bin_modules-y), \ diff --git a/modules/hidapi b/modules/hidapi index 0a0ab5b10..d62b4224f 100644 --- a/modules/hidapi +++ b/modules/hidapi @@ -1,2 +1,2 @@ # empty placeholder file -# This submodule is defined in modules/libremkey-hotp-verification +# This submodule is defined in modules/hotp-verification 
diff --git a/modules/hotp-verification b/modules/hotp-verification new file mode 100644 index 000000000..164f27357 --- /dev/null +++ b/modules/hotp-verification @@ -0,0 +1,37 @@ +modules-$(CONFIG_HOTPKEY) += hotp-verification + +hotp-verification_depends := libusb $(musl_dep) + +hotp-verification_version := 1cf1e1f3601b79692b81d409597136b8ff7c723a +hotp-verification_dir := hotp-verification-$(hotp-verification_version) +hotp-verification_tar := nitrokey-hotp-verification-$(hotp-verification_version).tar.gz +hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(hotp-verification_version).tar.gz +hotp-verification_hash := 21152cfb272f8edeff1220065940d5d6dfc12dbb2a48b84e64b24f8fc89c2567 + +hotp-verification_target := \ + $(MAKE_JOBS) \ + $(CROSS_TOOLS) \ + +hotp-verification_output := \ + libremkey_hotp_verification \ + libremkey_hotp_initialize + +hotp-verification_configure := \ + INSTALL="$(INSTALL)" \ + CROSS="$(CROSS)" \ + $(CROSS_TOOLS) $(MAKE) LDFLAGS="$(INSTALL)/lib/libusb-1.0.so" && $(MAKE) install INSTALL="$(INSTALL)" + +hotp-verification_depends += hidapi +modules-y += hidapi + +hidapi_version := e5ae0d30a523c565595bdfba3d5f2e9e1faf0bd0 +hidapi_dir := hotp-verification-$(hotp-verification_version)/hidapi +hidapi_tar := hidapi-$(hidapi_version).tar.xz +hidapi_url := https://github.com/Nitrokey/hidapi/archive/$(hidapi_version).tar.gz +hidapi_hash := acc2a5089a8917085c2b3ebe9446065a21c760ba7e13cb54917043c4122188e0 + + +## hidapi will be built as part of hotp-verification +## so nothing to do here (but need make to be happy) +hidapi_output := .built +hidapi_configure := echo -e 'all:\n\ttouch .built' > Makefile diff --git a/modules/libremkey-hotp-verification b/modules/libremkey-hotp-verification deleted file mode 100644 index 81d0db758..000000000 --- a/modules/libremkey-hotp-verification +++ /dev/null 
@@ -1,37 +0,0 @@ -modules-$(CONFIG_HOTPKEY) += libremkey-hotp-verification - -libremkey-hotp-verification_depends := libusb $(musl_dep) - -libremkey-hotp-verification_version := 1cf1e1f3601b79692b81d409597136b8ff7c723a -libremkey-hotp-verification_dir := libremkey-hotp-verification-$(libremkey-hotp-verification_version) -libremkey-hotp-verification_tar := nitrokey-hotp-verification-$(libremkey-hotp-verification_version).tar.gz -libremkey-hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(libremkey-hotp-verification_version).tar.gz -libremkey-hotp-verification_hash := 21152cfb272f8edeff1220065940d5d6dfc12dbb2a48b84e64b24f8fc89c2567 - -libremkey-hotp-verification_target := \ - $(MAKE_JOBS) \ - $(CROSS_TOOLS) \ - -libremkey-hotp-verification_output := \ - libremkey_hotp_verification \ - libremkey_hotp_initialize - -libremkey-hotp-verification_configure := \ - INSTALL="$(INSTALL)" \ - CROSS="$(CROSS)" \ - $(CROSS_TOOLS) $(MAKE) LDFLAGS="$(INSTALL)/lib/libusb-1.0.so" && $(MAKE) install INSTALL="$(INSTALL)" - -libremkey-hotp-verification_depends += hidapi -modules-y += hidapi - -hidapi_version := e5ae0d30a523c565595bdfba3d5f2e9e1faf0bd0 -hidapi_dir := libremkey-hotp-verification-$(libremkey-hotp-verification_version)/hidapi -hidapi_tar := hidapi-$(hidapi_version).tar.xz -hidapi_url := https://github.com/Nitrokey/hidapi/archive/$(hidapi_version).tar.gz -hidapi_hash := acc2a5089a8917085c2b3ebe9446065a21c760ba7e13cb54917043c4122188e0 - - -## hidapi will be built as part of libremkey-hotp-verification -## so nothing to do here (but need make to be happy) -hidapi_output := .built -hidapi_configure := echo -e 'all:\n\ttouch .built' > Makefile From 28735a8c849b55e6dc647591e9540af9b9c4a820 Mon Sep 17 00:00:00 2001 
From: alex-nitrokey Date: Thu, 11 Jun 2020 17:04:03 +0200 Subject: [PATCH 127/189] Add CONFIG_HOTP_BRANDING --- Makefile | 3 +++ initrd/bin/gui-init | 7 ++++--- initrd/bin/kexec-seal-key | 4 ++-- initrd/bin/seal-libremkey | 10 +++++----- 4 files changed, 14 insertions(+), 10 deletions(-) diff --git a/Makefile b/Makefile index 084ad0331..6a8bf3ef6 100644 --- a/Makefile +++ b/Makefile @@ -48,6 +48,9 @@ include $(CONFIG) # Unless otherwise specified, we are building for heads CONFIG_HEADS ?= y +# HOTP USB Security naming if not specified in boards config +CONFIG_HOTPKEY_BRANDING ?= "HOTP USB Security dongle" + # Some things want usernames, we use the current checkout # so that they are reproducible GIT_HASH := $(shell git rev-parse HEAD) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 323700baa..2ec6c6594 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -93,7 +93,7 @@ update_totp() echo "Scan the QR code to add the new TOTP secret" /bin/seal-totp if [ -x /bin/libremkey_hotp_verification ]; then - echo "Once you have scanned the QR code, hit Enter to configure your Librem Key" + echo "Once you have scanned the QR code, hit Enter to configure your $(CONFIG_HOTPKEY_BRANDING)" read /bin/seal-libremkey else @@ -192,7 +192,8 @@ while true; do HOTP=`unseal-hotp` enable_usb if ! libremkey_hotp_verification info ; then - whiptail $CONFIG_WARNING_BG_COLOR --clear --title 'WARNING: Please Insert Your Librem Key' --msgbox "Your Librem Key was not detected.\n\nPlease insert your Librem Key" 30 90 + whiptail $CONFIG_WARNING_BG_COLOR --clear --title 'WARNING: Please Insert Your + $(CONFIG_HOTPKEY_BRANDING)' --msgbox "Your $(CONFIG_HOTPKEY_BRANDING) was not detected.\n\nPlease insert your $(CONFIG_HOTPKEY_BRANDING)" 30 90 fi # Don't output HOTP codes to screen, so as to make replay attacks harder libremkey_hotp_verification check $HOTP 
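Review bot: The `update_totp()` prompt in initrd/bin/gui-init uses `$(CONFIG_HOTPKEY_BRANDING)`, which is Make syntax; in a /bin/sh script it is command substitution, so the shell tries to run a command of that name and the dongle name comes out empty. The same form is used in the `@@ -192,7 +192,8 @@` and `@@ -205,7 +206,7 @@` hunks and in every initrd/bin/seal-libremkey hunk of this commit, including the Admin PIN prompt and the `die` message. Write `$CONFIG_HOTPKEY_BRANDING` instead, and put the whiptail title in double quotes, since a single-quoted title is never expanded: `--title "WARNING: Please Insert Your $CONFIG_HOTPKEY_BRANDING"`. Whether the Makefile default reaches the initrd's runtime config is not visible here and should be confirmed. `update_totp()` continues outside the hunk.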
@@ -205,7 +206,7 @@ while true; do MAIN_MENU_BG_COLOR=$CONFIG_ERROR_BG_COLOR ;; * ) - HOTP="Error checking code, Insert Librem Key and retry" + HOTP="Error checking code, Insert $(CONFIG_HOTPKEY_BRANDING) and retry" MAIN_MENU_BG_COLOR=$CONFIG_WARNING_BG_COLOR ;; esac diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key index 46980af8e..2da427cdb 100755 --- a/initrd/bin/kexec-seal-key +++ b/initrd/bin/kexec-seal-key @@ -84,8 +84,8 @@ cat "$KEY_DEVICES" | cut -d\ -f1 | xargs /bin/qubes-measure-luks \ || die "Unable to measure the LUKS headers" luks_pcr=`tpm calcfuturepcr -ix 16 -if /tmp/luksDump.txt` -# Librem Key loads USB modules which changes PCR5. -# In the event Librem Key is enabled, skip verification of PCR5 +# HOTP USB Secrity dongle loads USB modules which changes PCR5. +# In the event HOTP USB Security dongle is enabled, skip verification of PCR5 if [ -x /bin/libremkey_hotp_verification ]; then pcr_5="X" else diff --git a/initrd/bin/seal-libremkey b/initrd/bin/seal-libremkey index c1dab8e6d..87885eb2b 100755 --- a/initrd/bin/seal-libremkey +++ b/initrd/bin/seal-libremkey @@ -1,5 +1,5 @@ #!/bin/sh -# Retrieve the sealed TOTP secret and initialize a Librem Key with it +# Retrieve the sealed TOTP secret and initialize a USB Security dongle with it . /etc/functions @@ -50,17 +50,17 @@ counter_value=1 enable_usb if ! libremkey_hotp_verification info ; then - echo "Insert your Librem Key and press Enter to configure it" + echo "Insert your $(CONFIG_HOTPKEY_BRANDING) and press Enter to configure it" read if ! libremkey_hotp_verification info ; then # don't leak key on failure shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null - die "Unable to find Librem Key" + die "Unable to find $(CONFIG_HOTPKEY_BRANDING)" fi fi echo -e "" -read -s -p "Enter your Librem Key Admin PIN: " admin_pin +read -s -p "Enter your $(CONFIG_HOTPKEY_BRANDING) Admin PIN: " admin_pin echo -e "\n" libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value 
@@ -94,7 +94,7 @@ echo $counter_value > $HOTP_COUNTER \ #|| die "Unable to create hotp counter file" mount -o remount,ro /boot -echo -e "\nLibrem Key initialized successfully. Press Enter to continue." +echo -e "\n$(CONFIG_HOTPKEY_BRANDING) initialized successfully. Press Enter to continue." read exit 0 From 9798cf9c66ff281fa172bcd0ea897c592b332a47 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Sat, 20 Jun 2020 11:04:10 -0400 Subject: [PATCH 128/189] x230-htop-verification: coreboot CBFS_SIZE changed to 0x710000 as per https://github.com/osresearch/heads/pull/748/files#diff-540d604c350e8fd52c25559b642795fbR5 --- config/coreboot-x230-hotp-verification.config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/coreboot-x230-hotp-verification.config b/config/coreboot-x230-hotp-verification.config index db20e18cf..150c73332 100644 --- a/config/coreboot-x230-hotp-verification.config +++ b/config/coreboot-x230-hotp-verification.config @@ -2,7 +2,7 @@ CONFIG_LOCALVERSION="heads" CONFIG_ANY_TOOLCHAIN=y CONFIG_MEASURED_BOOT=y CONFIG_VENDOR_LENOVO=y -CONFIG_CBFS_SIZE=0x800000 +CONFIG_CBFS_SIZE=0x710000 CONFIG_BOARD_LENOVO_X230=y CONFIG_NO_POST=y CONFIG_UART_PCI_ADDR=0 From 27637110834b7487417cf75e509a10a7c4f23401 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Tue, 23 Jun 2020 15:32:51 +0200 Subject: [PATCH 129/189] Add option to export pubkey --- initrd/bin/gpg-gui.sh | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/initrd/bin/gpg-gui.sh b/initrd/bin/gpg-gui.sh index 9ab70b6cc..132cf6b8e 100755 --- a/initrd/bin/gpg-gui.sh +++ b/initrd/bin/gpg-gui.sh 
@@ -137,7 +137,7 @@ gpg_post_gen_mgmt() { GPG_GEN_KEY=`grep -A1 pub /tmp/gpg_card_edit_output | tail -n1 | sed -nr 's/^([ ])*//p'` gpg --export --armor $GPG_GEN_KEY > "/tmp/${GPG_GEN_KEY}.asc" if (whiptail --title 'Add Public Key to USB disk?' \ - --yesno "Would you like to copy the GPG public key you generated to a USB disk?\n\nOtherwise you will not be able to copy it outside of Heads later\n\nThe file will show up as ${GPG_GEN_KEY}.asc" 16 90) then + --yesno "Would you like to copy the GPG public key you generated to a USB disk?\n\nYou may need it, if you want to use it outside of Heads later.\n\nThe file will show up as ${GPG_GEN_KEY}.asc" 16 90) then mount_usb mount -o remount,rw /media cp "/tmp/${GPG_GEN_KEY}.asc" "/media/${GPG_GEN_KEY}.asc" @@ -203,6 +203,7 @@ while true; do 'a' ' Add GPG key to standalone BIOS image + flash' \ 'e' ' Replace GPG key(s) in the current ROM + reflash' \ 'l' ' List GPG keys in your keyring' \ + 'p' ' Export public GPG key to USB drive' \ 'g' ' Generate GPG keys manually on a USB security token' \ 'x' ' Exit' \ 2>/tmp/whiptail || recovery "GUI menu failed" @@ -262,6 +263,23 @@ while true; do whiptail --title 'GPG Keyring' \ --msgbox "${GPG_KEYRING}" 16 60 ;; + "p" ) + if (whiptail --title 'Export Public Key(s) to USB drive?' \ + --yesno "Would you like to copy GPG public key(s) to a USB drive?\n\nThe file will show up as public-key.asc" 16 90) then + mount_usb + mount -o remount,rw /media + gpg --export --armor > "/tmp/public-key.asc" + cp "/tmp/public-key.asc" "/media/public-key.asc" + if [ $? -eq 0 ]; then + whiptail --title "The GPG Key Copied Successfully" \ + --msgbox "public-key.asc copied successfully." 16 60 + else + whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Copy Failed' \ + --msgbox "Unable to copy public-key.asc to /media" 16 60 + fi + umount /media + fi + ;; "g" ) confirm_gpg_card echo -e "\n\n\n\n" From 6d29ab71f9a4ef921f9723186e600744e58716dd Mon Sep 17 00:00:00 2001 
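Review bot: In the new `"p" )` branch the `$?` test covers only `cp`, so a failed remount or a `gpg --export` that produced nothing is still reported as "copied successfully". If `mount_usb` can return without mounting anything, `cp` would write into /media on the initrd itself. Chain the steps and require a non-empty export, e.g. `mount_usb && mount -o remount,rw /media && gpg --export --armor > /tmp/public-key.asc && [ -s /tmp/public-key.asc ] && cp /tmp/public-key.asc /media/public-key.asc`, and base the success message on that result. The surrounding `case` and `while` loop start outside the hunk.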
From: alex-nitrokey Date: Wed, 24 Jun 2020 09:44:50 +0200 Subject: [PATCH 130/189] dd partition Label to menu list --- initrd/bin/mount-usb | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/initrd/bin/mount-usb b/initrd/bin/mount-usb index 94946675a..de9eb9d22 100755 --- a/initrd/bin/mount-usb +++ b/initrd/bin/mount-usb @@ -55,9 +55,11 @@ if [ -z ${USB_MOUNT_DEVICE} ]; then # remove block device from list if numeric partitions exist, since not bootable let USB_NUM_PARTITIONS=`ls -1 $i* | wc -l`-1 if [ ${USB_NUM_PARTITIONS} -eq 0 ]; then - echo $i >> /tmp/usb_disk_list + echo $i $(blkid | grep $i | grep -o 'LABEL=".*"' | sed 's/\ UUID.*$//') >> /tmp/usb_disk_list else - ls $i* | tail -${USB_NUM_PARTITIONS} >> /tmp/usb_disk_list + for j in $(ls $i* | tail -${USB_NUM_PARTITIONS}); do + echo $j $(blkid | grep $j | grep -o 'LABEL=".*"' | sed 's/\ UUID.*$//') >> /tmp/usb_disk_list + done fi done @@ -95,7 +97,7 @@ if [ -z ${USB_MOUNT_DEVICE} ]; then if [ "$option_index" = "a" ]; then exit 1 fi - USB_MOUNT_DEVICE=`head -n $option_index /tmp/usb_disk_list | tail -1` + USB_MOUNT_DEVICE=`head -n $option_index /tmp/usb_disk_list | tail -1 | sed 's/\ .*$//'` fi if [ "$1" = "rw" ]; then From c07f3b7f7c4d730a87704be607b62e22babbda17 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Wed, 24 Jun 2020 10:07:36 +0200 Subject: [PATCH 131/189] Add systeminfo menu option --- initrd/bin/gui-init | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 1ac0273f8..4f2cdc8ee 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -233,6 +233,7 @@ while true; do 'c' ' Change configuration settings -->' \ 'f' ' Flash/Update the BIOS -->' \ 'G' ' GPG Options -->' \ + 'S' ' Systeminfo' \ 'F' ' OEM Factory Reset -->' \ 'x' ' Exit to recovery shell' \ 'r' ' <-- Return to main menu' \ 
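Review bot: In the `@@ -55,9 +55,11 @@` hunk of initrd/bin/mount-usb, `blkid | grep $j` is an unanchored, unquoted match, so `/dev/sdb1` also picks up a `/dev/sdb10` line. The label it extracts is text supplied by the inserted device and is passed unquoted through `echo`, so word splitting and glob expansion apply to it. Anchor and quote it: `echo "$j $(blkid | grep "^$j:" | grep -o 'LABEL="[^"]*"')" >> /tmp/usb_disk_list`, and the same for the `$i` case. The enclosing `for` loop starts outside the hunk.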
@@ -374,6 +375,12 @@ while true; do continue fi + if [ "$totp_confirm" = "S" ]; then + whiptail --title 'Systeminfo' \ + --msgbox "$(cat /proc/meminfo | grep 'MemTotal' | sed 's/MemTotal:/Mem:/')\n\n$(cat /proc/cpuinfo | grep 'model name' | uniq | sed 's/model name.*:/CPU:/')\n\n$(fdisk -l | grep '/dev/sd.:' | sed 's/B,.*/B/')" 16 60 + continue + fi + if [ "$totp_confirm" = "F" ]; then oem-factory-reset continue From 53b67d27a430edcdcc63f971acf6fbb43304a028 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Wed, 24 Jun 2020 16:11:41 +0200 Subject: [PATCH 132/189] Prepare usage of /boot/kexec_hotp_key as branding --- Makefile | 3 --- initrd/bin/gui-init | 8 +++++++- initrd/bin/seal-libremkey | 8 ++++++++ 3 files changed, 15 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index 6a8bf3ef6..084ad0331 100644 --- a/Makefile +++ b/Makefile @@ -48,9 +48,6 @@ include $(CONFIG) # Unless otherwise specified, we are building for heads CONFIG_HEADS ?= y -# HOTP USB Security naming if not specified in boards config -CONFIG_HOTPKEY_BRANDING ?= "HOTP USB Security dongle" - # Some things want usernames, we use the current checkout # so that they are reproducible GIT_HASH := $(shell git rev-parse HEAD) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 2ec6c6594..8b0197ce7 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -3,6 +3,12 @@ CONFIG_BOOT_GUI_MENU_NAME='Heads Boot Menu' +if [ -r /boot/kexec_hotp_key ]; then + CONFIG_HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)" +else + CONFIG_HOTPKEY_BRANDING="HOTP USB security dongle" +fi + . /etc/functions . /tmp/config 
@@ -93,7 +99,7 @@ update_totp() echo "Scan the QR code to add the new TOTP secret" /bin/seal-totp if [ -x /bin/libremkey_hotp_verification ]; then - echo "Once you have scanned the QR code, hit Enter to configure your $(CONFIG_HOTPKEY_BRANDING)" + echo "Once you have scanned the QR code, hit Enter to configure your HOTP USB security dongle (e.g. Librem Key or Nitrokey)" read /bin/seal-libremkey else diff --git a/initrd/bin/seal-libremkey b/initrd/bin/seal-libremkey index 87885eb2b..e82f67949 100755 --- a/initrd/bin/seal-libremkey +++ b/initrd/bin/seal-libremkey @@ -6,6 +6,10 @@ HOTP_SEALED="/tmp/secret/hotp.sealed" HOTP_SECRET="/tmp/secret/hotp.key" HOTP_COUNTER="/boot/kexec_hotp_counter" +HOTP_KEY="/boot/kexec_hotp_key" + +CONFIG_HOTPKEY_BRANDING="HOTP USB security dongle" + mount_boot() { @@ -59,6 +63,8 @@ if ! libremkey_hotp_verification info ; then fi fi +# TODO find out branding now and set variable + echo -e "" read -s -p "Enter your $(CONFIG_HOTPKEY_BRANDING) Admin PIN: " admin_pin echo -e "\n" @@ -75,6 +81,8 @@ if [ $? -ne 0 ]; then fi fi +# TODO store key branding in HOTP_KEY + # HOTP key no longer needed shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null From 407778eb9a22ec9cb6b5e2d3e2865434681fcbd0 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Wed, 24 Jun 2020 16:16:03 +0200 Subject: [PATCH 133/189] Remove unintented paranthesis --- initrd/bin/gui-init | 4 ++-- initrd/bin/seal-libremkey | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 8b0197ce7..26813b3e0 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init 
@@ -199,7 +199,7 @@ while true; do enable_usb if ! libremkey_hotp_verification info ; then whiptail $CONFIG_WARNING_BG_COLOR --clear --title 'WARNING: Please Insert Your - $(CONFIG_HOTPKEY_BRANDING)' --msgbox "Your $(CONFIG_HOTPKEY_BRANDING) was not detected.\n\nPlease insert your $(CONFIG_HOTPKEY_BRANDING)" 30 90 + $CONFIG_HOTPKEY_BRANDING' --msgbox "Your $CONFIG_HOTPKEY_BRANDING was not detected.\n\nPlease insert your $CONFIG_HOTPKEY_BRANDING" 30 90 fi # Don't output HOTP codes to screen, so as to make replay attacks harder libremkey_hotp_verification check $HOTP @@ -212,7 +212,7 @@ while true; do MAIN_MENU_BG_COLOR=$CONFIG_ERROR_BG_COLOR ;; * ) - HOTP="Error checking code, Insert $(CONFIG_HOTPKEY_BRANDING) and retry" + HOTP="Error checking code, Insert $CONFIG_HOTPKEY_BRANDING and retry" MAIN_MENU_BG_COLOR=$CONFIG_WARNING_BG_COLOR ;; esac diff --git a/initrd/bin/seal-libremkey b/initrd/bin/seal-libremkey index e82f67949..2e5e07495 100755 --- a/initrd/bin/seal-libremkey +++ b/initrd/bin/seal-libremkey @@ -54,19 +54,19 @@ counter_value=1 enable_usb if ! libremkey_hotp_verification info ; then - echo "Insert your $(CONFIG_HOTPKEY_BRANDING) and press Enter to configure it" + echo "Insert your $CONFIG_HOTPKEY_BRANDING and press Enter to configure it" read if ! libremkey_hotp_verification info ; then # don't leak key on failure shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null - die "Unable to find $(CONFIG_HOTPKEY_BRANDING)" + die "Unable to find $CONFIG_HOTPKEY_BRANDING" fi fi # TODO find out branding now and set variable echo -e "" -read -s -p "Enter your $(CONFIG_HOTPKEY_BRANDING) Admin PIN: " admin_pin +read -s -p "Enter your $CONFIG_HOTPKEY_BRANDING Admin PIN: " admin_pin echo -e "\n" libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value 
@@ -102,7 +102,7 @@ echo $counter_value > $HOTP_COUNTER \ #|| die "Unable to create hotp counter file" mount -o remount,ro /boot -echo -e "\n$(CONFIG_HOTPKEY_BRANDING) initialized successfully. Press Enter to continue." +echo -e "\n$CONFIG_HOTPKEY_BRANDING initialized successfully. Press Enter to continue." read exit 0 From 38ba25706372d22bf1f033c5543b71496e4d7d61 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Wed, 24 Jun 2020 16:31:22 +0200 Subject: [PATCH 134/189] Include upstream updates of hotp_verification --- modules/libremkey-hotp-verification | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/libremkey-hotp-verification b/modules/libremkey-hotp-verification index c01c07cd3..53a0f1465 100644 --- a/modules/libremkey-hotp-verification +++ b/modules/libremkey-hotp-verification @@ -2,11 +2,11 @@ modules-$(CONFIG_LIBREMKEY) += libremkey-hotp-verification libremkey-hotp-verification_depends := libusb $(musl_dep) -libremkey-hotp-verification_version := 1cf1e1f3601b79692b81d409597136b8ff7c723a +libremkey-hotp-verification_version := 29094d8ff0f1c9321886079860f3747aa04c44b4 libremkey-hotp-verification_dir := libremkey-hotp-verification-$(libremkey-hotp-verification_version) libremkey-hotp-verification_tar := nitrokey-hotp-verification-$(libremkey-hotp-verification_version).tar.gz libremkey-hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(libremkey-hotp-verification_version).tar.gz -libremkey-hotp-verification_hash := 21152cfb272f8edeff1220065940d5d6dfc12dbb2a48b84e64b24f8fc89c2567 +libremkey-hotp-verification_hash := b8591a6abafaefd769e7e58d121d4ba6af1c54587b4b7f3438d65b37632fa2b0 libremkey-hotp-verification_target := \ $(MAKE_JOBS) \ From aab2c327e38901876e8d904fb788ddc49b99be11 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Wed, 24 Jun 2020 17:25:39 +0200 Subject: [PATCH 135/189] Fix warning box title --- initrd/bin/gui-init | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 26813b3e0..71cdb79c6 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -198,8 +198,9 @@ while true; do HOTP=`unseal-hotp` enable_usb if ! libremkey_hotp_verification info ; then - whiptail $CONFIG_WARNING_BG_COLOR --clear --title 'WARNING: Please Insert Your - $CONFIG_HOTPKEY_BRANDING' --msgbox "Your $CONFIG_HOTPKEY_BRANDING was not detected.\n\nPlease insert your $CONFIG_HOTPKEY_BRANDING" 30 90 + whiptail $CONFIG_WARNING_BG_COLOR --clear \ + --title "WARNING: Please Insert Your $CONFIG_HOTPKEY_BRANDING" \ + --msgbox "Your $CONFIG_HOTPKEY_BRANDING was not detected.\n\nPlease insert your $CONFIG_HOTPKEY_BRANDING" 30 90 fi # Don't output HOTP codes to screen, so as to make replay attacks harder libremkey_hotp_verification check $HOTP From 92b18265377c8797914cadc20663beae90ccc667 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Wed, 24 Jun 2020 17:36:53 +0200 Subject: [PATCH 136/189] /boot needs to get mounted first --- initrd/bin/gui-init | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 71cdb79c6..7e3be63d4 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -3,12 +3,6 @@ CONFIG_BOOT_GUI_MENU_NAME='Heads Boot Menu' -if [ -r /boot/kexec_hotp_key ]; then - CONFIG_HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)" -else - CONFIG_HOTPKEY_BRANDING="HOTP USB security dongle" -fi - . /etc/functions . /tmp/config @@ -146,6 +140,13 @@ else mount_boot fi +# Use stored HOTP key branding +if [ -r /boot/kexec_hotp_key ]; then + CONFIG_HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)" +else + CONFIG_HOTPKEY_BRANDING="HOTP USB Security Dongle" +fi + last_half=X while true; do MAIN_MENU_OPTIONS="" From 5867fc516cce80ec751196902f895c9237647bac Mon Sep 17 00:00:00 2001 
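Review bot: In the `@@ -146,6 +140,13 @@` hunk, `CONFIG_HOTPKEY_BRANDING` is taken verbatim from `/boot/kexec_hotp_key` and then placed in whiptail titles and message boxes, where sequences such as `\n` are interpreted. Nothing visible in this commit restricts the content or shows the file being covered by the /boot signature check, so treat it as untrusted display text. The names this series intends to store there are a small fixed set, so accept only those right after the read: `case "$CONFIG_HOTPKEY_BRANDING" in "Nitrokey"|"Librem Key") ;; *) CONFIG_HOTPKEY_BRANDING="HOTP USB Security Dongle" ;; esac`.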
From: alex-nitrokey Date: Wed, 24 Jun 2020 17:40:49 +0200 Subject: [PATCH 137/189] Store HOTP USB Security Key branding in /boot --- initrd/bin/seal-libremkey | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/initrd/bin/seal-libremkey b/initrd/bin/seal-libremkey index 2e5e07495..914a51885 100755 --- a/initrd/bin/seal-libremkey +++ b/initrd/bin/seal-libremkey @@ -8,9 +8,6 @@ HOTP_SECRET="/tmp/secret/hotp.key" HOTP_COUNTER="/boot/kexec_hotp_counter" HOTP_KEY="/boot/kexec_hotp_key" -CONFIG_HOTPKEY_BRANDING="HOTP USB security dongle" - - mount_boot() { # Mount local disk if it is not already mounted @@ -20,6 +17,13 @@ mount_boot() fi } +# Use stored HOTP key branding (this might be useful after OEM reset) +if [ -r /boot/kexec_hotp_key ]; then + CONFIG_HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)" +else + CONFIG_HOTPKEY_BRANDING="HOTP USB Security Dongle" +fi + tpm nv_readvalue \ -in 4d47 \ -sz 312 \ @@ -63,7 +67,14 @@ if ! libremkey_hotp_verification info ; then fi fi -# TODO find out branding now and set variable +# Set HOTP USB security key branding based on VID +if [ ! $(lsusb | grep -q "20a0:") ]; then + CONFIG_HOTPKEY_BRANDING="Nitrokey" +elif [ ! $(lsusb | grep -q "316d:") ]; then + CONFIG_HOTPKEY_BRANDING="Librem Key" +else + CONFIG_HOTPKEY_BRANDING="HOTP USB security key" +fi echo -e "" read -s -p "Enter your $CONFIG_HOTPKEY_BRANDING Admin PIN: " admin_pin @@ -81,8 +92,6 @@ if [ $? -ne 0 ]; then fi fi -# TODO store key branding in HOTP_KEY - # HOTP key no longer needed shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null 
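Review bot: The vendor-ID test `[ ! $(lsusb | grep -q "20a0:") ]` in the `@@ -63,7 +67,14 @@` hunk never looks at grep's exit status. `grep -q` prints nothing, the substitution is empty, and `[ ! ]` is a one-argument test that is always true, so the branding is set to "Nitrokey" for every device and the `elif`/`else` branches are unreachable. Test the pipeline directly: `if lsusb | grep -q "20a0:"; then` and `elif lsusb | grep -q "316d:"; then`. The `echo $CONFIG_HOTPKEY_BRANDING > $HOTP_KEY` added in the `@@ -98,6 +107,10 @@` hunk should also quote the variable.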
@@ -98,6 +107,10 @@ counter_value=`expr $counter_value + 1` echo $counter_value > $HOTP_COUNTER \ || die "Unable to create hotp counter file" +# Store/overwrite HOTP USB security key branding found out beforehand +echo $CONFIG_HOTPKEY_BRANDING > $HOTP_KEY \ +|| die "Unable to store hotp key file" + #sha256sum /tmp/counter-$counter > $HOTP_COUNTER \ #|| die "Unable to create hotp counter file" mount -o remount,ro /boot From 3236f0e1707481f418dfa065073a7eaac72605ce Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Wed, 24 Jun 2020 17:44:29 +0200 Subject: [PATCH 138/189] Change name seal-libremkey -> seal-hotpkey --- initrd/bin/gui-init | 2 +- initrd/bin/{seal-libremkey => seal-hotpkey} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename initrd/bin/{seal-libremkey => seal-hotpkey} (100%) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 7e3be63d4..f00854324 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -95,7 +95,7 @@ update_totp() if [ -x /bin/libremkey_hotp_verification ]; then echo "Once you have scanned the QR code, hit Enter to configure your HOTP USB security dongle (e.g. Librem Key or Nitrokey)" read - /bin/seal-libremkey + /bin/seal-hotpkey else echo "Once you have scanned the QR code, hit Enter to continue" read diff --git a/initrd/bin/seal-libremkey b/initrd/bin/seal-hotpkey similarity index 100% rename from initrd/bin/seal-libremkey rename to initrd/bin/seal-hotpkey From 2fe946ccbe8eede9c07d84c4cb3b6bf94873e862 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Wed, 24 Jun 2020 17:54:39 +0200 Subject: [PATCH 139/189] Fix termonology --- initrd/bin/gui-init | 2 +- initrd/bin/kexec-seal-key | 4 ++-- initrd/bin/seal-hotpkey | 6 +++--- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index f00854324..02fca80d8 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init 
@@ -93,7 +93,7 @@ update_totp() echo "Scan the QR code to add the new TOTP secret" /bin/seal-totp if [ -x /bin/libremkey_hotp_verification ]; then - echo "Once you have scanned the QR code, hit Enter to configure your HOTP USB security dongle (e.g. Librem Key or Nitrokey)" + echo "Once you have scanned the QR code, hit Enter to configure your HOTP USB Security Dongle (e.g. Librem Key or Nitrokey)" read /bin/seal-hotpkey else diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key index 2da427cdb..6219fb75e 100755 --- a/initrd/bin/kexec-seal-key +++ b/initrd/bin/kexec-seal-key @@ -84,8 +84,8 @@ cat "$KEY_DEVICES" | cut -d\ -f1 | xargs /bin/qubes-measure-luks \ || die "Unable to measure the LUKS headers" luks_pcr=`tpm calcfuturepcr -ix 16 -if /tmp/luksDump.txt` -# HOTP USB Secrity dongle loads USB modules which changes PCR5. -# In the event HOTP USB Security dongle is enabled, skip verification of PCR5 +# HOTP USB Secrity Dongle loads USB modules which changes PCR5. +# In the event HOTP USB Security Dongle is enabled, skip verification of PCR5 if [ -x /bin/libremkey_hotp_verification ]; then pcr_5="X" else diff --git a/initrd/bin/seal-hotpkey b/initrd/bin/seal-hotpkey index 914a51885..98020db6c 100755 --- a/initrd/bin/seal-hotpkey +++ b/initrd/bin/seal-hotpkey @@ -67,13 +67,13 @@ if ! libremkey_hotp_verification info ; then fi fi -# Set HOTP USB security key branding based on VID +# Set HOTP USB Security Dongle branding based on VID if [ ! $(lsusb | grep -q "20a0:") ]; then CONFIG_HOTPKEY_BRANDING="Nitrokey" elif [ ! $(lsusb | grep -q "316d:") ]; then CONFIG_HOTPKEY_BRANDING="Librem Key" else - CONFIG_HOTPKEY_BRANDING="HOTP USB security key" + CONFIG_HOTPKEY_BRANDING="HOTP USB Security Dongle" fi echo -e "" 
@@ -107,7 +107,7 @@ counter_value=`expr $counter_value + 1` echo $counter_value > $HOTP_COUNTER \ || die "Unable to create hotp counter file" -# Store/overwrite HOTP USB security key branding found out beforehand +# Store/overwrite HOTP USB Security Dongle branding found out beforehand echo $CONFIG_HOTPKEY_BRANDING > $HOTP_KEY \ || die "Unable to store hotp key file" From fecb9cfd80dc1115017147777ab4a1a81214f40f Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Wed, 24 Jun 2020 18:12:56 +0200 Subject: [PATCH 140/189] Rename CONFIG_HOTP_BRANDING to HOTP_BRANDING reason: it not a config option anymore --- initrd/bin/gui-init | 10 +++++----- initrd/bin/seal-hotpkey | 20 ++++++++++---------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 02fca80d8..b674356cd 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -142,9 +142,9 @@ fi # Use stored HOTP key branding if [ -r /boot/kexec_hotp_key ]; then - CONFIG_HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)" + HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)" else - CONFIG_HOTPKEY_BRANDING="HOTP USB Security Dongle" + HOTPKEY_BRANDING="HOTP USB Security Dongle" fi last_half=X @@ -200,8 +200,8 @@ while true; do enable_usb if ! libremkey_hotp_verification info ; then whiptail $CONFIG_WARNING_BG_COLOR --clear \ - --title "WARNING: Please Insert Your $CONFIG_HOTPKEY_BRANDING" \ - --msgbox "Your $CONFIG_HOTPKEY_BRANDING was not detected.\n\nPlease insert your $CONFIG_HOTPKEY_BRANDING" 30 90 + --title "WARNING: Please Insert Your $HOTPKEY_BRANDING" \ + --msgbox "Your $HOTPKEY_BRANDING was not detected.\n\nPlease insert your $HOTPKEY_BRANDING" 30 90 fi # Don't output HOTP codes to screen, so as to make replay attacks harder libremkey_hotp_verification check $HOTP 
@@ -214,7 +214,7 @@ while true; do MAIN_MENU_BG_COLOR=$CONFIG_ERROR_BG_COLOR ;; * ) - HOTP="Error checking code, Insert $CONFIG_HOTPKEY_BRANDING and retry" + HOTP="Error checking code, Insert $HOTPKEY_BRANDING and retry" MAIN_MENU_BG_COLOR=$CONFIG_WARNING_BG_COLOR ;; esac diff --git a/initrd/bin/seal-hotpkey b/initrd/bin/seal-hotpkey index 98020db6c..d66ce0c12 100755 --- a/initrd/bin/seal-hotpkey +++ b/initrd/bin/seal-hotpkey @@ -19,9 +19,9 @@ mount_boot() # Use stored HOTP key branding (this might be useful after OEM reset) if [ -r /boot/kexec_hotp_key ]; then - CONFIG_HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)" + HOTPKEY_BRANDING="$(cat /boot/kexec_hotp_key)" else - CONFIG_HOTPKEY_BRANDING="HOTP USB Security Dongle" + HOTPKEY_BRANDING="HOTP USB Security Dongle" fi tpm nv_readvalue \ @@ -58,26 +58,26 @@ counter_value=1 enable_usb if ! libremkey_hotp_verification info ; then - echo "Insert your $CONFIG_HOTPKEY_BRANDING and press Enter to configure it" + echo "Insert your $HOTPKEY_BRANDING and press Enter to configure it" read if ! libremkey_hotp_verification info ; then # don't leak key on failure shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null - die "Unable to find $CONFIG_HOTPKEY_BRANDING" + die "Unable to find $HOTPKEY_BRANDING" fi fi # Set HOTP USB Security Dongle branding based on VID if [ ! $(lsusb | grep -q "20a0:") ]; then - CONFIG_HOTPKEY_BRANDING="Nitrokey" + HOTPKEY_BRANDING="Nitrokey" elif [ ! $(lsusb | grep -q "316d:") ]; then - CONFIG_HOTPKEY_BRANDING="Librem Key" + HOTPKEY_BRANDING="Librem Key" else - CONFIG_HOTPKEY_BRANDING="HOTP USB Security Dongle" + HOTPKEY_BRANDING="HOTP USB Security Dongle" fi echo -e "" -read -s -p "Enter your $CONFIG_HOTPKEY_BRANDING Admin PIN: " admin_pin +read -s -p "Enter your $HOTPKEY_BRANDING Admin PIN: " admin_pin echo -e "\n" libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value 
@@ -108,14 +108,14 @@ echo $counter_value > $HOTP_COUNTER \ || die "Unable to create hotp counter file" # Store/overwrite HOTP USB Security Dongle branding found out beforehand -echo $CONFIG_HOTPKEY_BRANDING > $HOTP_KEY \ +echo $HOTPKEY_BRANDING > $HOTP_KEY \ || die "Unable to store hotp key file" #sha256sum /tmp/counter-$counter > $HOTP_COUNTER \ #|| die "Unable to create hotp counter file" mount -o remount,ro /boot -echo -e "\n$CONFIG_HOTPKEY_BRANDING initialized successfully. Press Enter to continue." +echo -e "\n$HOTPKEY_BRANDING initialized successfully. Press Enter to continue." read exit 0 From 20b07dd1b380151270431665f6088926e075d3d7 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Thu, 25 Jun 2020 09:46:11 +0200 Subject: [PATCH 141/189] swap label and device and minor formatting change --- initrd/bin/mount-usb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/initrd/bin/mount-usb b/initrd/bin/mount-usb index de9eb9d22..1e20f24a2 100755 --- a/initrd/bin/mount-usb +++ b/initrd/bin/mount-usb @@ -55,10 +55,10 @@ if [ -z ${USB_MOUNT_DEVICE} ]; then # remove block device from list if numeric partitions exist, since not bootable let USB_NUM_PARTITIONS=`ls -1 $i* | wc -l`-1 if [ ${USB_NUM_PARTITIONS} -eq 0 ]; then - echo $i $(blkid | grep $i | grep -o 'LABEL=".*"' | sed 's/\ UUID.*$//') >> /tmp/usb_disk_list + echo $(blkid | grep $i | grep -o 'LABEL=".*"' | cut -f2 -d '"') $i >> /tmp/usb_disk_list else for j in $(ls $i* | tail -${USB_NUM_PARTITIONS}); do - echo $j $(blkid | grep $j | grep -o 'LABEL=".*"' | sed 's/\ UUID.*$//') >> /tmp/usb_disk_list + echo $(blkid | grep $j | grep -o 'LABEL=".*"' | cut -f2 -d '"') $j >> /tmp/usb_disk_list done fi done From 481082f2d8ff4e909d31d7f94ab0275221350d14 Mon Sep 17 00:00:00 2001 
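Review bot: With the label now written before the device in initrd/bin/mount-usb, the selection line added earlier in this series, `head -n $option_index /tmp/usb_disk_list | tail -1 | sed 's/\ .*$//'`, would keep the first word of the entry. That word is the device-supplied label rather than the `/dev/...` path, unless the line was also changed outside this hunk. Take the last field instead with `sed 's/^.* //'`, which also survives labels containing spaces. The `blkid | grep $i` match remains unanchored and unquoted here. The enclosing `for` loop starts outside the hunk.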
From: alex-nitrokey Date: Thu, 25 Jun 2020 09:58:01 +0200 Subject: [PATCH 142/189] Include adaption of @MrChromebox See https://source.puri.sm/coreboot/purism-heads/-/commit/5a3f5992337316caf4831fbc46099a8f2a624bd4 --- initrd/bin/gui-init | 9 ++++++--- initrd/init | 3 +++ 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 4f2cdc8ee..51742a107 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -218,6 +218,7 @@ while true; do 'y' ' Default boot' \ 'r' ' Refresh TOTP/HOTP' \ 'a' ' Options -->' \ + 'S' ' System Info' \ 'P' ' Power Off' \ 2>/tmp/whiptail || recovery "GUI menu failed" @@ -233,7 +234,6 @@ while true; do 'c' ' Change configuration settings -->' \ 'f' ' Flash/Update the BIOS -->' \ 'G' ' GPG Options -->' \ - 'S' ' Systeminfo' \ 'F' ' OEM Factory Reset -->' \ 'x' ' Exit to recovery shell' \ 'r' ' <-- Return to main menu' \ @@ -376,8 +376,11 @@ while true; do fi if [ "$totp_confirm" = "S" ]; then - whiptail --title 'Systeminfo' \ - --msgbox "$(cat /proc/meminfo | grep 'MemTotal' | sed 's/MemTotal:/Mem:/')\n\n$(cat /proc/cpuinfo | grep 'model name' | uniq | sed 's/model name.*:/CPU:/')\n\n$(fdisk -l | grep '/dev/sd.:' | sed 's/B,.*/B/')" 16 60 + memtotal=$(cat /proc/meminfo | grep 'MemTotal' | tr -s ' ' | cut -f2 -d ' ') + memtotal=$((${memtotal} / 1024 / 1024 + 1)) + cpustr=$(cat /proc/cpuinfo | grep 'model name' | uniq | sed -r 's/\(R\)//;s/\(TM\)//;s/CPU //;s/model name.*: //') + whiptail --title 'System Info' \ + --msgbox "VER: ${FW_VER}\n\nCPU: ${cpustr}\nRAM: ${memtotal} MB\n\n$(fdisk -l | grep -e '/dev/sd.:' -e '/dev/nvme.*:' | sed 's/B,.*/B/')" 16 60 continue fi diff --git a/initrd/init b/initrd/init index 40063deaa..8419739ba 100755 --- a/initrd/init +++ b/initrd/init 
@@ -92,6 +92,9 @@ fi combine_configs . /tmp/config +# export firmware version +export FW_VER=$(dmesg | grep 'DMI' | grep -o 'BIOS.*' | cut -f2 -d ' ') + # Add our boot devices into the /etc/fstab, if they are defined # in the configuration file. if [ ! -z "$CONFIG_BOOT_DEV" ]; then From e418ecbf71370c24187d401b48d6c3f0cd0b1f49 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Thu, 25 Jun 2020 10:41:01 +0200 Subject: [PATCH 143/189] Fix MEMTOTAL calculation --- initrd/bin/gui-init | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 51742a107..2059c2aa8 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -377,7 +377,7 @@ while true; do if [ "$totp_confirm" = "S" ]; then memtotal=$(cat /proc/meminfo | grep 'MemTotal' | tr -s ' ' | cut -f2 -d ' ') - memtotal=$((${memtotal} / 1024 / 1024 + 1)) + memtotal=$((${memtotal} / 1024 + 1)) cpustr=$(cat /proc/cpuinfo | grep 'model name' | uniq | sed -r 's/\(R\)//;s/\(TM\)//;s/CPU //;s/model name.*: //') whiptail --title 'System Info' \ --msgbox "VER: ${FW_VER}\n\nCPU: ${cpustr}\nRAM: ${memtotal} MB\n\n$(fdisk -l | grep -e '/dev/sd.:' -e '/dev/nvme.*:' | sed 's/B,.*/B/')" 16 60 From 53dc659c014ce63c3dcd7d40140cb062121df6f4 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Thu, 25 Jun 2020 15:35:47 +0200 Subject: [PATCH 144/189] Replace libremkey_htop_* by hotp_* --- initrd/bin/gui-init | 8 ++++---- initrd/bin/kexec-seal-key | 2 +- initrd/bin/seal-hotpkey | 8 ++++---- modules/hotp-verification | 8 ++++---- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index b674356cd..2b53130d2 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init 
@@ -92,7 +92,7 @@ update_totp() { echo "Scan the QR code to add the new TOTP secret" /bin/seal-totp - if [ -x /bin/libremkey_hotp_verification ]; then + if [ -x /bin/hotp_verification ]; then echo "Once you have scanned the QR code, hit Enter to configure your HOTP USB Security Dongle (e.g. Librem Key or Nitrokey)" read /bin/seal-hotpkey @@ -195,16 +195,16 @@ while true; do fi if [ "$totp_confirm" = "i" -o -z "$totp_confirm" ]; then - if [ -x /bin/libremkey_hotp_verification ]; then + if [ -x /bin/hotp_verification ]; then HOTP=`unseal-hotp` enable_usb - if ! libremkey_hotp_verification info ; then + if ! hotp_verification info ; then whiptail $CONFIG_WARNING_BG_COLOR --clear \ --title "WARNING: Please Insert Your $HOTPKEY_BRANDING" \ --msgbox "Your $HOTPKEY_BRANDING was not detected.\n\nPlease insert your $HOTPKEY_BRANDING" 30 90 fi # Don't output HOTP codes to screen, so as to make replay attacks harder - libremkey_hotp_verification check $HOTP + hotp_verification check $HOTP case "$?" in 0 ) HOTP="Success" diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key index 6219fb75e..7000070b6 100755 --- a/initrd/bin/kexec-seal-key +++ b/initrd/bin/kexec-seal-key @@ -86,7 +86,7 @@ luks_pcr=`tpm calcfuturepcr -ix 16 -if /tmp/luksDump.txt` # HOTP USB Secrity Dongle loads USB modules which changes PCR5. # In the event HOTP USB Security Dongle is enabled, skip verification of PCR5 -if [ -x /bin/libremkey_hotp_verification ]; then +if [ -x /bin/hotp_verification ]; then pcr_5="X" else pcr_5="0000000000000000000000000000000000000000" diff --git a/initrd/bin/seal-hotpkey b/initrd/bin/seal-hotpkey index d66ce0c12..8dc37bb25 100755 --- a/initrd/bin/seal-hotpkey +++ b/initrd/bin/seal-hotpkey 
@@ -57,10 +57,10 @@ mount_boot counter_value=1 enable_usb -if ! libremkey_hotp_verification info ; then +if ! hotp_verification info ; then echo "Insert your $HOTPKEY_BRANDING and press Enter to configure it" read - if ! libremkey_hotp_verification info ; then + if ! hotp_verification info ; then # don't leak key on failure shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null die "Unable to find $HOTPKEY_BRANDING" @@ -80,12 +80,12 @@ echo -e "" read -s -p "Enter your $HOTPKEY_BRANDING Admin PIN: " admin_pin echo -e "\n" -libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value +hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value $HOTPKEY_BRANDING if [ $? -ne 0 ]; then echo -e "\n" read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again: " admin_pin echo -e "\n" - if ! libremkey_hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value ; then + if ! hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value $HOTPKEY_BRANDING ; then # don't leak key on failure shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null die "Setting HOTP secret failed" diff --git a/modules/hotp-verification b/modules/hotp-verification index 5df7b5562..15eff604a 100644 --- a/modules/hotp-verification +++ b/modules/hotp-verification 
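Review bot: The new fourth argument in both `hotp_initialize` calls is passed as unquoted `$HOTPKEY_BRANDING`, so a branding string containing a space (the prompts in this series mention "Librem Key") would reach the tool as two arguments. Quote it, and the neighbouring values while these lines are being touched: `hotp_initialize "$admin_pin" "$HOTP_SECRET" "$counter_value" "$HOTPKEY_BRANDING"`. HOTPKEY_BRANDING is assigned outside this hunk, so whether its current values contain a space is not visible here.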
@@ -2,19 +2,19 @@ modules-$(CONFIG_HOTPKEY) += hotp-verification hotp-verification_depends := libusb $(musl_dep) -hotp-verification_version := 29094d8ff0f1c9321886079860f3747aa04c44b4 +hotp-verification_version := 5fb260e631b237a298b6dcca47bbd728f2c5ac3a hotp-verification_dir := hotp-verification-$(hotp-verification_version) hotp-verification_tar := nitrokey-hotp-verification-$(hotp-verification_version).tar.gz hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(hotp-verification_version).tar.gz -hotp-verification_hash := b8591a6abafaefd769e7e58d121d4ba6af1c54587b4b7f3438d65b37632fa2b0 +hotp-verification_hash := 5d98d158ba97fb970061d68e2c6f41582395e687b7752efb1a8038762b0e7b79 hotp-verification_target := \ $(MAKE_JOBS) \ $(CROSS_TOOLS) \ hotp-verification_output := \ - libremkey_hotp_verification \ - libremkey_hotp_initialize + hotp_verification \ + hotp_initialize hotp-verification_configure := \ INSTALL="$(INSTALL)" \ From 84b2f9b5405082b81d485809511ed4d6bd50abbc Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Tue, 30 Jun 2020 09:28:35 +0200 Subject: [PATCH 145/189] Re-arrange the order of label and device --- initrd/bin/mount-usb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/initrd/bin/mount-usb b/initrd/bin/mount-usb index 1e20f24a2..31caf3375 100755 --- a/initrd/bin/mount-usb +++ b/initrd/bin/mount-usb 
@@ -55,10 +55,10 @@ if [ -z ${USB_MOUNT_DEVICE} ]; then # remove block device from list if numeric partitions exist, since not bootable let USB_NUM_PARTITIONS=`ls -1 $i* | wc -l`-1 if [ ${USB_NUM_PARTITIONS} -eq 0 ]; then - echo $(blkid | grep $i | grep -o 'LABEL=".*"' | cut -f2 -d '"') $i >> /tmp/usb_disk_list + echo $i $(blkid | grep $i | grep -o 'LABEL=".*"' | cut -f2 -d '"') >> /tmp/usb_disk_list else for j in $(ls $i* | tail -${USB_NUM_PARTITIONS}); do - echo $(blkid | grep $j | grep -o 'LABEL=".*"' | cut -f2 -d '"') $j >> /tmp/usb_disk_list + echo $j $(blkid | grep $j | grep -o 'LABEL=".*"' | cut -f2 -d '"') >> /tmp/usb_disk_list done fi done From d3d4529545848f5ee3a2b96eb89324582b61f69a Mon Sep 17 00:00:00 2001 From: Szczepan Zalega Date: Tue, 30 Jun 2020 13:45:21 +0200 Subject: [PATCH 146/189] GitlabCI: reset cache, and investigate Calculate the uncompressed used cache space Decrease retry count --- .gitlab-ci.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index beec06a4d..545d8b59a 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -8,13 +8,13 @@ stages: build: stage: build - retry: 2 + retry: 1 cache: paths: - packages - crossgcc - build - key: "heads-$GITLAB_USER_LOGIN" + key: "heads-$GITLAB_USER_LOGIN-2" script: - dnf install -y @development-tools gcc-c++ gcc-gnat zlib-devel perl-Digest-MD5 perl-Digest-SHA uuid-devel pcsc-tools ncurses-devel lbzip2 libuuid-devel lzma elfutils-libelf-devel bc bzip2 bison flex git gnupg iasl m4 nasm patch python wget libusb-devel cmake automake pv bsdiff autoconf libtool cpio texinfo - git fetch origin @@ -75,6 +75,8 @@ build: - cat ./build/qemu-coreboot/hashes.txt - echo "Archiving qemu-coreboot logs..." - tar zcvf ./build/qemu-coreboot/logs.tar.gz ./build/log/* + - echo "Calculate used space for cache" + - du -shc packages crossgcc build artifacts: paths: - ./build/qemu-coreboot From 9c9edb0cfc10b626c7fb5b9bd0a3a5348e0da756 Mon Sep 17 00:00:00 2001 
From: Szczepan Zalega Date: Tue, 30 Jun 2020 16:00:04 +0200 Subject: [PATCH 147/189] Remove pkg-config and git version use --- modules/hotp-verification | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/hotp-verification b/modules/hotp-verification index 15eff604a..ebc63a58e 100644 --- a/modules/hotp-verification +++ b/modules/hotp-verification @@ -19,7 +19,7 @@ hotp-verification_output := \ hotp-verification_configure := \ INSTALL="$(INSTALL)" \ CROSS="$(CROSS)" \ - $(CROSS_TOOLS) $(MAKE) LDFLAGS="$(INSTALL)/lib/libusb-1.0.so" && $(MAKE) install INSTALL="$(INSTALL)" + $(CROSS_TOOLS) $(MAKE) LDFLAGS="$(INSTALL)/lib/libusb-1.0.so" GITVERSION="" LIBUSB_FLAGS="-I/usr/include/libusb-1.0" PKGCONFIG="" && $(MAKE) install INSTALL="$(INSTALL)" hotp-verification_depends += hidapi modules-y += hidapi From 30236ffbaaea83acadaf10f3337376a0affa22fc Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Tue, 30 Jun 2020 18:29:42 +0200 Subject: [PATCH 148/189] Delete AES keys of Nitrokey Storage after reset If smartcard Nitrokey Storage was factory-reset, we delete AES keys on it as well. Explaination: After oem-factory-reset was started the AES on the Nitrokey Storage that is used for the encrypted volume and the password safe is is not usable anymore because the smart card was factory-reset. To make it usable, a user needs to delete it via Nitrokey App. By doing so, the HOTP secret is deleted as well, resulting in a bad warning in Heads. Therefore, we are resetting AES key right after factory-reset with hotp_verification --- initrd/bin/oem-factory-reset | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index f0707a0c5..9db1c6ef2 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset 
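Review bot: The added `LIBUSB_FLAGS="-I/usr/include/libusb-1.0"` points the cross build at the build host's libusb headers, while the same recipe line links against `$(INSTALL)/lib/libusb-1.0.so`. The output then depends on whichever libusb development package the host has installed and can disagree with the in-tree library, which works against the reproducible-build goal; modules/gpg2 in this series already uses the in-tree include path. Suggest `LIBUSB_FLAGS="-I$(INSTALL)/include/libusb-1.0"`.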
@@ -70,6 +70,10 @@ gpg_key_reset() ERROR=`cat /tmp/gpg_card_edit_output` whiptail_error_die "GPG Key factory reset failed!\n\n$ERROR" fi + # If NK Storage is inserted, reset AES keys as well + if [ ! $(lsusb | grep -q "20a0:") ] && [ -x /bin/hotp_verification ] ; then + /bin/hotp_verification regenerate ${ADMIN_PIN_DEF} + fi # Generate OEM GPG keys { echo admin From 19cd15cf969b16f1458b38046af405d4b589e28d Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Tue, 30 Jun 2020 19:16:10 +0200 Subject: [PATCH 149/189] Remove gnupg pubkey export in oem-factory-reset Since #758 is merged, users have a option to export GnuPG pubkey if necessary. Thus, we they do not need to insert a USB drive during factory reset. Until now the whole process failed just because a user did not provide a USB drive instead. This shall be fixed by this commit --- initrd/bin/oem-factory-reset | 23 +++-------------------- 1 file changed, 3 insertions(+), 20 deletions(-) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index f0707a0c5..594b0b2ae 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -311,21 +311,11 @@ if [ "$prompt_output" == "y" \ };done fi -## sanity check the USB, GPG key, and boot device before proceeding further - -# mount USB, then remount rw -echo -e "\nChecking for USB media...\n" -# ensure /media not mounted -umount /media 2>/dev/null -# mount-usb will detect and prompt if no USB inserted -if ! mount-usb rw 2>/tmp/error; then - ERROR=$(tail -n 1 /tmp/error) - whiptail_error_die "Unable to mount USB on /media:\n\n${ERROR}" -fi +## sanity check the GPG key, and boot device before proceeding further # ensure GPG key connected echo -e "\nChecking for GPG Key...\n" -# USB kernel modules already loaded via mount-usb +enable_usb if ! gpg --card-status >/dev/null 2>&1 ; then whiptail_error "Can't access GPG Key; remove and reinsert, then press Enter to retry." if ! gpg --card-status >/dev/null 2>/tmp/error ; then 
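Review bot: The added test `[ ! $(lsusb | grep -q "20a0:") ]` never looks at whether the device is present: `grep -q` prints nothing, the substitution is always empty, and `[ ! ]` is always true, so `hotp_verification regenerate` runs whenever the binary exists. The comment asks for the reset only when the dongle is inserted, so test the exit status directly and without the negation, `if lsusb | grep -q "20a0:" && [ -x /bin/hotp_verification ]; then`; note that this pattern matches on the vendor ID only, not on the Storage model specifically. The PIN should be quoted and a failure reported, e.g. `/bin/hotp_verification regenerate "${ADMIN_PIN_DEF}" || whiptail_error "AES key reset failed"`. gpg_key_reset's body starts and ends outside the hunk.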
@@ -381,19 +371,12 @@ if [ "$CUSTOM_PASS" != "" ]; then ADMIN_PIN_DEF=$CUSTOM_PASS fi -## export generated key to USB -echo -e "\nExporting generated key to USB...\n" # export pubkey to file +echo -e "\nExporting generated key...\n" if ! gpg --export --armor $GPG_GEN_KEY > "${PUBKEY}" 2>/tmp/error ; then ERROR=$(tail -n 1 /tmp/error) whiptail_error_die "GPG Key gpg export to file failed!\n\n$ERROR" fi -# copy to USB -if ! cp "${PUBKEY}" "/media/${GPG_GEN_KEY}.asc" 2>/tmp/error ; then - ERROR=$(tail -n 1 /tmp/error) - whiptail_error_die "Key export error: unable to copy ${GPG_GEN_KEY}.asc to /media:\n\n$ERROR" -fi -umount /media 2>/dev/null ## flash generated key to ROM echo -e "\nReading current firmware...\n(this will take a minute or two)\n" From cdbd0fcf2ab65f083ab949d127283e3c016ae3a0 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 1 Jul 2020 11:44:40 -0500 Subject: [PATCH 150/189] gui-init: Fix RAM and firmware version strings Show RAM in GB, since the calculation in MB is imprecise as it excludes RAM allocated for GPU (eg). Fix display of firmware version strings which contain spaces by adjusting cut and simply chopping off the date at the end, which is a fixed 10-char length. Signed-off-by: Matt DeVillier --- initrd/bin/gui-init | 4 ++-- initrd/init | 4 +++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 2059c2aa8..a3bf44445 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init 
@@ -377,10 +377,10 @@ while true; do if [ "$totp_confirm" = "S" ]; then memtotal=$(cat /proc/meminfo | grep 'MemTotal' | tr -s ' ' | cut -f2 -d ' ') - memtotal=$((${memtotal} / 1024 + 1)) + memtotal=$((${memtotal} / 1024 / 1024 + 1)) cpustr=$(cat /proc/cpuinfo | grep 'model name' | uniq | sed -r 's/\(R\)//;s/\(TM\)//;s/CPU //;s/model name.*: //') whiptail --title 'System Info' \ - --msgbox "VER: ${FW_VER}\n\nCPU: ${cpustr}\nRAM: ${memtotal} MB\n\n$(fdisk -l | grep -e '/dev/sd.:' -e '/dev/nvme.*:' | sed 's/B,.*/B/')" 16 60 + --msgbox "VER: ${FW_VER}\n\nCPU: ${cpustr}\nRAM: ${memtotal} GB\n\n$(fdisk -l | grep -e '/dev/sd.:' -e '/dev/nvme.*:' | sed 's/B,.*/B/')" 16 60 continue fi diff --git a/initrd/init b/initrd/init index 8419739ba..660e4dfea 100755 --- a/initrd/init +++ b/initrd/init @@ -93,7 +93,9 @@ combine_configs . /tmp/config # export firmware version -export FW_VER=$(dmesg | grep 'DMI' | grep -o 'BIOS.*' | cut -f2 -d ' ') +export FW_VER=$(dmesg | grep 'DMI' | grep -o 'BIOS.*' | cut -f2- -d ' ') +# chop off date, since will always be epoch w/timeless builds +FW_VER=${FW_VER::-10} # Add our boot devices into the /etc/fstab, if they are defined # in the configuration file. From 43971dc029ddbdb2e89339a8ecf8e9ae387f41af Mon Sep 17 00:00:00 2001 From: Alexander Paetzelt Date: Tue, 7 Jul 2020 10:32:22 +0200 Subject: [PATCH 151/189] Make export to USB drive an option --- initrd/bin/oem-factory-reset | 57 +++++++++++++++++++++++++++++------- 1 file changed, 46 insertions(+), 11 deletions(-) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index 594b0b2ae..2840aabe2 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -24,6 +24,7 @@ GPG_USER_NAME="OEM Key" GPG_KEY_NAME=`date +%Y%m%d%H%M%S` GPG_USER_MAIL="oem-${GPG_KEY_NAME}@example.com" GPG_USER_COMMENT="OEM-generated key" + ## External files sourced . /etc/functions 
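Review bot: In the initrd/init hunk, `FW_VER=${FW_VER::-10}` assumes the DMI line was found and ends in a 10-character date. If the `dmesg | grep 'DMI'` pipeline returns nothing (for instance once that line has left the kernel log buffer), the value is empty and a negative-length substring is an error in bash; whether the shell that runs init accepts this syntax at all is not visible here. Assuming the date is always the last space-separated field, `FW_VER=${FW_VER% *}` is portable and harmless on an empty value.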
@@ -311,16 +312,41 @@ if [ "$prompt_output" == "y" \ };done fi -## sanity check the GPG key, and boot device before proceeding further +## sanity check the USB, GPG key, and boot device before proceeding further + +# Prompt to insert USB drive if desired +echo -e -n "Would you like to export your public key to an USB drive? [y/N]: " +read -n 1 prompt_output +echo +if [ "$prompt_output" == "y" \ + -o "$prompt_output" == "Y" ] \ +; then + GPG_EXPORT=1 + # mount USB, then remount rw + echo -e "\nPlease insert an USB drive and hit enter.\n" + read + echo -e "\nChecking for USB media...\n" + # ensure /media not mounted + umount /media 2>/dev/null + # mount-usb will detect and prompt if no USB inserted + if ! mount-usb rw 2>/tmp/error; then + ERROR=$(tail -n 1 /tmp/error) + whiptail_error_die "Unable to mount USB on /media:\n\n${ERROR}" + fi +else + GPG_EXPORT=0 + # needed for USB Security dongle below and is ensured via mount-usb in case of GPG_EXPORT=1 + enable_usb +fi -# ensure GPG key connected -echo -e "\nChecking for GPG Key...\n" -enable_usb +# ensure USB Security Dongle connected +echo -e "\nChecking for USB Security Dongle...\n" +# USB kernel modules already loaded via mount-usb if ! gpg --card-status >/dev/null 2>&1 ; then - whiptail_error "Can't access GPG Key; remove and reinsert, then press Enter to retry." + whiptail_error "Can't access USB Security Dongle; \nPlease remove and reinsert, then press Enter." if ! gpg --card-status >/dev/null 2>/tmp/error ; then ERROR=$(tail -n 1 /tmp/error) - whiptail_error_die "Unable to detect GPG Key:\n\n${ERROR}" + whiptail_error_die "Unable to detect USB Security Dongle:\n\n${ERROR}" fi fi 
@@ -371,11 +397,20 @@ if [ "$CUSTOM_PASS" != "" ]; then ADMIN_PIN_DEF=$CUSTOM_PASS fi -# export pubkey to file -echo -e "\nExporting generated key...\n" -if ! gpg --export --armor $GPG_GEN_KEY > "${PUBKEY}" 2>/tmp/error ; then - ERROR=$(tail -n 1 /tmp/error) - whiptail_error_die "GPG Key gpg export to file failed!\n\n$ERROR" +## export generated key to USB +if [ $GPG_EXPORT -ne 0 ]; then + echo -e "\nExporting generated key to USB...\n" + # export pubkey to file + if ! gpg --export --armor $GPG_GEN_KEY > "${PUBKEY}" 2>/tmp/error ; then + ERROR=$(tail -n 1 /tmp/error) + whiptail_error_die "GPG Key gpg export to file failed!\n\n$ERROR" + fi + # copy to USB + if ! cp "${PUBKEY}" "/media/${GPG_GEN_KEY}.asc" 2>/tmp/error ; then + ERROR=$(tail -n 1 /tmp/error) + whiptail_error_die "Key export error: unable to copy ${GPG_GEN_KEY}.asc to /media:\n\n$ERROR" + fi + umount /media 2>/dev/null fi ## flash generated key to ROM From 6fe409aaf34fb689d7f72e5040e5a8ec47ef4215 Mon Sep 17 00:00:00 2001 From: Alexander Paetzelt Date: Tue, 7 Jul 2020 11:16:18 +0200 Subject: [PATCH 152/189] Still need the exported pubkey file --- initrd/bin/oem-factory-reset | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index 2840aabe2..0f873e25f 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset 
@@ -397,14 +397,15 @@ if [ "$CUSTOM_PASS" != "" ]; then ADMIN_PIN_DEF=$CUSTOM_PASS fi -## export generated key to USB +# export pubkey to file +if ! gpg --export --armor $GPG_GEN_KEY > "${PUBKEY}" 2>/tmp/error ; then + ERROR=$(tail -n 1 /tmp/error) + whiptail_error_die "GPG Key gpg export to file failed!\n\n$ERROR" +fi + +## export pubkey to USB if [ $GPG_EXPORT -ne 0 ]; then echo -e "\nExporting generated key to USB...\n" - # export pubkey to file - if ! gpg --export --armor $GPG_GEN_KEY > "${PUBKEY}" 2>/tmp/error ; then - ERROR=$(tail -n 1 /tmp/error) - whiptail_error_die "GPG Key gpg export to file failed!\n\n$ERROR" - fi # copy to USB if ! cp "${PUBKEY}" "/media/${GPG_GEN_KEY}.asc" 2>/tmp/error ; then ERROR=$(tail -n 1 /tmp/error) From 5cb45bbc9906aeef6e0d1f78eced0b00d31ad8b1 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Tue, 7 Jul 2020 17:03:48 -0500 Subject: [PATCH 153/189] Revert "upgrade gpg toolstack to latest versions" This reverts commit 972c25de7df9cf797fd211bc795fe057462a6432. This commit broke OEM factory reset functionality, so revert it until the issue can be properly diagnosed. Signed-off-by: Matt DeVillier --- modules/gpg2 | 13 ++++++++++--- modules/libassuan | 8 +++++--- modules/libgcrypt | 6 +++--- modules/libgpg-error | 5 +++-- modules/libksba | 4 +++- modules/npth | 4 +++- modules/pinentry | 3 +-- 7 files changed, 28 insertions(+), 15 deletions(-) diff --git a/modules/gpg2 b/modules/gpg2 index 060998992..318a4cd11 100644 --- a/modules/gpg2 +++ b/modules/gpg2 
@@ -1,10 +1,10 @@ modules-$(CONFIG_GPG2) += gpg2 -gpg2_version := 2.2.20 +gpg2_version := 2.2.10 gpg2_dir := gnupg-$(gpg2_version) gpg2_tar := gnupg-$(gpg2_version).tar.bz2 gpg2_url := https://www.gnupg.org/ftp/gcrypt/gnupg/$(gpg2_tar) -gpg2_hash := 04a7c9d48b74c399168ee8270e548588ddbe52218c337703d7f06373d326ca30 +gpg2_hash := 799dd37a86a1448732e339bd20440f4f5ee6e69755f6fd7a73ee8af30840c915 # For reproducibility reasons we have to override the exec_prefix # and datarootdir on the configure line so that the Makefiles will @@ -16,7 +16,7 @@ gpg2_configure := ./configure \ CPPFLAGS="-I$(INSTALL)/include/libusb-1.0" \ --host x86_64-linux-musl \ --with-libusb="$(INSTALL)" \ - --with-gpg-error-prefix="$(INSTALL)" \ + --with-libgpg-error-prefix="$(INSTALL)" \ --with-libgcrypt-prefix="$(INSTALL)" \ --with-libassuan-prefix="$(INSTALL)" \ --with-ksba-prefix="$(INSTALL)" \ @@ -30,12 +30,19 @@ gpg2_configure := ./configure \ --disable-regex \ --disable-doc \ --disable-bzip2 \ + --disable-asm \ --disable-exec \ --disable-photo-viewers \ + --disable-keyserver-helpers \ --disable-ldap \ + --disable-hkp \ + --disable-finger \ + --disable-dns-srv \ + --disable-dns-cert \ --disable-regex \ --disable-nls \ --disable-all-tests \ + --disable-wks-server \ --disable-wks-tools \ --disable-gnutls \ --disable-dirmngr \ diff --git a/modules/libassuan b/modules/libassuan index 800993404..3c4e319aa 100644 --- a/modules/libassuan +++ b/modules/libassuan 
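Review bot: This revert moves gnupg back to 2.2.10 (and, in the following sections, libassuan to 2.5.1, libgcrypt to 1.8.3 and libgpg-error to 1.32) without recording in the module files why the older crypto stack is being held. Upstream fixes released between those versions are dropped with it, so the pin should be visible to whoever next bumps these modules. Suggest a comment above the version line, e.g. `# Held at 2.2.10: the upgrade in 972c25de broke oem-factory-reset; re-bump once diagnosed`, with the equivalent in modules/libassuan, modules/libgcrypt and modules/libgpg-error.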
@@ -1,16 +1,18 @@ modules-$(CONFIG_GPG2) += libassuan -libassuan_version := 2.5.3 +libassuan_version := 2.5.1 libassuan_dir := libassuan-$(libassuan_version) libassuan_tar := libassuan-$(libassuan_version).tar.bz2 libassuan_url := https://gnupg.org/ftp/gcrypt/libassuan/$(libassuan_tar) -libassuan_hash := 91bcb0403866b4e7c4bc1cc52ed4c364a9b5414b3994f718c70303f7f765e702 +libassuan_hash := 47f96c37b4f2aac289f0bc1bacfa8bd8b4b209a488d3d15e2229cb6cc9b26449 libassuan_configure := ./configure \ $(CROSS_TOOLS) \ --host x86_64-linux-musl \ --prefix "/" \ --disable-static \ - --with-gpg-error-prefix="$(INSTALL)" \ + --disable-nls \ + --with-libgpg-error-prefix="$(INSTALL)" \ + --disable-asm \ libassuan_target := $(MAKE_JOBS) \ DESTDIR="$(INSTALL)" \ diff --git a/modules/libgcrypt b/modules/libgcrypt index 602995498..1ba82fceb 100644 --- a/modules/libgcrypt +++ b/modules/libgcrypt @@ -1,16 +1,16 @@ modules-$(CONFIG_GPG2) += libgcrypt -libgcrypt_version := 1.8.5 +libgcrypt_version := 1.8.3 libgcrypt_dir := libgcrypt-$(libgcrypt_version) libgcrypt_tar := libgcrypt-$(libgcrypt_version).tar.bz2 libgcrypt_url := https://gnupg.org/ftp/gcrypt/libgcrypt/$(libgcrypt_tar) -libgcrypt_hash := 3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3 +libgcrypt_hash := 66ec90be036747602f2b48f98312361a9180c97c68a690a5f376fa0f67d0af7c libgcrypt_configure := ./configure \ $(CROSS_TOOLS) \ --host=x86_64-linux-musl \ --prefix "/" \ --disable-static \ - --with-gpg-error-prefix="$(INSTALL)" \ + --with-libgpg-error-prefix="$(INSTALL)" \ --disable-asm \ libgcrypt_target := $(MAKE_JOBS) \ diff --git a/modules/libgpg-error b/modules/libgpg-error index 00bd06440..752e11aad 100644 --- a/modules/libgpg-error +++ b/modules/libgpg-error 
@@ -1,9 +1,9 @@ modules-$(CONFIG_GPG2) += libgpg-error -libgpg-error_version := 1.37 +libgpg-error_version := 1.32 libgpg-error_dir := libgpg-error-$(libgpg-error_version) libgpg-error_tar := libgpg-error-$(libgpg-error_version).tar.bz2 libgpg-error_url := https://gnupg.org/ftp/gcrypt/libgpg-error/$(libgpg-error_tar) -libgpg-error_hash := b32d6ff72a73cf79797f7f2d039e95e9c6f92f0c1450215410840ab62aea9763 +libgpg-error_hash := c345c5e73cc2332f8d50db84a2280abfb1d8f6d4f1858b9daa30404db44540ca libgpg-error_configure := ./configure \ $(CROSS_TOOLS) \ @@ -14,6 +14,7 @@ libgpg-error_configure := ./configure \ --disable-languages \ --disable-doc \ --disable-tests \ + --disable-asm \ libgpg-error_target := $(MAKE_JOBS) \ DESTDIR="$(INSTALL)" \ diff --git a/modules/libksba b/modules/libksba index 587280ed9..d35291338 100644 --- a/modules/libksba +++ b/modules/libksba @@ -10,7 +10,9 @@ libksba_configure := ./configure \ --host x86_64-linux-musl \ --prefix "/" \ --disable-static \ - --with-gpg-error-prefix="$(INSTALL)" \ + --disable-nls \ + --with-libgpg-error-prefix="$(INSTALL)" \ + --disable-asm \ libksba_target := $(MAKE_JOBS) \ DESTDIR="$(INSTALL)" \ diff --git a/modules/npth b/modules/npth index 2128e1d4a..e0f30c69e 100644 --- a/modules/npth +++ b/modules/npth @@ -10,7 +10,9 @@ npth_configure := ./configure \ --host x86_64-linux-musl \ --prefix "/" \ --disable-static \ - --with-gpg-error-prefix="$(INSTALL)" \ + --disable-nls \ + --with-libgpg-error-prefix="$(INSTALL)" \ + --disable-asm \ npth_target := $(MAKE_JOBS) \ DESTDIR="$(INSTALL)" \ diff --git a/modules/pinentry b/modules/pinentry index 54d40e119..c0e93d7fa 100644 --- a/modules/pinentry +++ b/modules/pinentry 
@@ -27,8 +27,7 @@ pinentry_configure := ./configure \ --disable-pinentry-fltk \ --disable-pinentry-emacs \ --disable-fallback-curses \ - --disable-pinentry-qt5 \ - --with-gpg-error-prefix="$(INSTALL)" \ + --with-libgpg-error-prefix="$(INSTALL)" \ --with-libassuan-prefix="$(INSTALL)" \ # Run one build to generate the executables with the pre-defined From 5f067ea908c1c22855801bfe4d9ee4f07739241e Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Fri, 10 Jul 2020 09:44:01 -0400 Subject: [PATCH 154/189] coreboot: 4.8.1 fixed in Makefile, coreboot module and board configs (coreboot_481) to facilitate newer coreboot version integration and testing without breaking old fixed boards --- boards/kgpe-d16/kgpe-d16.config | 2 ++ boards/librem13v2/librem13v2.config | 2 ++ boards/librem13v4/librem13v4.config | 2 ++ boards/librem15v3/librem15v3.config | 2 ++ boards/librem15v4/librem15v4.config | 2 ++ .../qemu-coreboot-fbwhiptail.config | 2 ++ boards/qemu-coreboot/qemu-coreboot.config | 2 ++ boards/t420/t420.config | 2 ++ boards/t430-flash/t430-flash.config | 2 ++ boards/t430/t430.config | 2 ++ boards/x220/x220.config | 2 ++ boards/x230-flash/x230-flash.config | 2 ++ .../x230-hotp-verification/x230-hotp-verification.config | 2 ++ boards/x230/x230.config | 2 ++ modules/coreboot | 9 +++++++-- 15 files changed, 35 insertions(+), 2 deletions(-) diff --git a/boards/kgpe-d16/kgpe-d16.config b/boards/kgpe-d16/kgpe-d16.config index 072f36ac8..58130699e 100644 --- a/boards/kgpe-d16/kgpe-d16.config +++ b/boards/kgpe-d16/kgpe-d16.config @@ -1,5 +1,7 @@ # Configuration for a kgpe-d16 running non-Qubes export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 + CONFIG_COREBOOT_CONFIG=config/coreboot-kgpe-d16.config CONFIG_LINUX_CONFIG=config/linux-kgpe-d16.config diff --git a/boards/librem13v2/librem13v2.config b/boards/librem13v2/librem13v2.config index 312fb7225..72d4554c5 100644 --- a/boards/librem13v2/librem13v2.config +++ b/boards/librem13v2/librem13v2.config 
@@ -3,6 +3,8 @@ CONFIG_LINUX_CONFIG=config/linux-librem13v2.config CONFIG_COREBOOT_CONFIG=config/coreboot-librem13v2.config export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 + CONFIG_CRYPTSETUP=y CONFIG_FLASHROM=y CONFIG_FLASHTOOLS=y diff --git a/boards/librem13v4/librem13v4.config b/boards/librem13v4/librem13v4.config index 765c0d83f..c9200f8fd 100644 --- a/boards/librem13v4/librem13v4.config +++ b/boards/librem13v4/librem13v4.config @@ -3,6 +3,8 @@ CONFIG_LINUX_CONFIG=config/linux-librem13v2.config CONFIG_COREBOOT_CONFIG=config/coreboot-librem13v4.config export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 + CONFIG_CRYPTSETUP=y CONFIG_FLASHROM=y CONFIG_FLASHTOOLS=y diff --git a/boards/librem15v3/librem15v3.config b/boards/librem15v3/librem15v3.config index 82d2ad8ba..609afc36a 100644 --- a/boards/librem15v3/librem15v3.config +++ b/boards/librem15v3/librem15v3.config @@ -5,6 +5,8 @@ CONFIG_LINUX_CONFIG=config/linux-librem13v2.config CONFIG_COREBOOT_CONFIG=config/coreboot-librem15v3.config export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 + CONFIG_CRYPTSETUP=y CONFIG_FLASHROM=y CONFIG_FLASHTOOLS=y diff --git a/boards/librem15v4/librem15v4.config b/boards/librem15v4/librem15v4.config index 0fcddcbb5..c58e146d2 100644 --- a/boards/librem15v4/librem15v4.config +++ b/boards/librem15v4/librem15v4.config @@ -5,6 +5,8 @@ CONFIG_LINUX_CONFIG=config/linux-librem13v2.config CONFIG_COREBOOT_CONFIG=config/coreboot-librem15v4.config export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 + CONFIG_CRYPTSETUP=y CONFIG_FLASHROM=y CONFIG_FLASHTOOLS=y diff --git a/boards/qemu-coreboot-fbwhiptail/qemu-coreboot-fbwhiptail.config b/boards/qemu-coreboot-fbwhiptail/qemu-coreboot-fbwhiptail.config index 125879a46..73ced6bad 100644 --- a/boards/qemu-coreboot-fbwhiptail/qemu-coreboot-fbwhiptail.config +++ b/boards/qemu-coreboot-fbwhiptail/qemu-coreboot-fbwhiptail.config 
@@ -2,6 +2,8 @@ # the qemu emulator in GUI mode thanks to FBWhiptail export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 + CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-fbwhiptail.config CONFIG_LINUX_CONFIG=config/linux-qemu.config diff --git a/boards/qemu-coreboot/qemu-coreboot.config b/boards/qemu-coreboot/qemu-coreboot.config index a36b70326..ce2a2fa74 100644 --- a/boards/qemu-coreboot/qemu-coreboot.config +++ b/boards/qemu-coreboot/qemu-coreboot.config @@ -2,6 +2,8 @@ # the qemu emulator. Note that the TPM does not work, so this # will just drop into the recovery shell. export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 + CONFIG_COREBOOT_CONFIG=config/coreboot-qemu.config CONFIG_LINUX_CONFIG=config/linux-qemu.config diff --git a/boards/t420/t420.config b/boards/t420/t420.config index 71d769f23..c83e3097d 100644 --- a/boards/t420/t420.config +++ b/boards/t420/t420.config @@ -1,5 +1,7 @@ # Configuration for a T420 running Qubes and other OS, T420 is identical to X230 on the Linux Side of things. export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 + CONFIG_COREBOOT_CONFIG=config/coreboot-t420.config CONFIG_LINUX_CONFIG=config/linux-x230.config diff --git a/boards/t430-flash/t430-flash.config b/boards/t430-flash/t430-flash.config index 16b3617f2..626fde196 100644 --- a/boards/t430-flash/t430-flash.config +++ b/boards/t430-flash/t430-flash.config @@ -2,6 +2,8 @@ BOARD=t430.flash export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 + CONFIG_FLASHROM=y CONFIG_FLASHTOOLS=y CONFIG_PCIUTILS=y diff --git a/boards/t430/t430.config b/boards/t430/t430.config index b2487e439..3eaaba715 100644 --- a/boards/t430/t430.config +++ b/boards/t430/t430.config @@ -1,5 +1,7 @@ # Configuration for a t430 running Qubes and other OSes export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 + CONFIG_COREBOOT_CONFIG=config/coreboot-t430.config CONFIG_LINUX_CONFIG=config/linux-x230.config 
diff --git a/boards/x220/x220.config b/boards/x220/x220.config index 7548b773a..0efffec41 100644 --- a/boards/x220/x220.config +++ b/boards/x220/x220.config @@ -1,5 +1,7 @@ # Configuration for a x220 running Qubes and other OS, X220 is identical to X230 on the Linux Side of things. export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 + CONFIG_COREBOOT_CONFIG=config/coreboot-x220.config CONFIG_LINUX_CONFIG=config/linux-x230.config diff --git a/boards/x230-flash/x230-flash.config b/boards/x230-flash/x230-flash.config index f991b1161..c878012de 100644 --- a/boards/x230-flash/x230-flash.config +++ b/boards/x230-flash/x230-flash.config @@ -2,6 +2,8 @@ BOARD=x230.flash export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 + CONFIG_FLASHROM=y #CONFIG_GPG=y CONFIG_FLASHTOOLS=y diff --git a/boards/x230-hotp-verification/x230-hotp-verification.config b/boards/x230-hotp-verification/x230-hotp-verification.config index 1c9ef31b2..c5d83ee19 100644 --- a/boards/x230-hotp-verification/x230-hotp-verification.config +++ b/boards/x230-hotp-verification/x230-hotp-verification.config @@ -1,6 +1,8 @@ # Configuration for a x230-hotp-verification (Nitrokey/Purism USB Security dongle enabled HOTP support) # running Qubes and other OSes export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 + CONFIG_COREBOOT_CONFIG=config/coreboot-x230-hotp-verification.config CONFIG_LINUX_CONFIG=config/linux-x230.config diff --git a/boards/x230/x230.config b/boards/x230/x230.config index 48a11525b..8a04bc570 100644 --- a/boards/x230/x230.config +++ b/boards/x230/x230.config @@ -1,5 +1,7 @@ # Configuration for a x230 running Qubes and other OSes export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.8.1 + CONFIG_COREBOOT_CONFIG=config/coreboot-x230.config CONFIG_LINUX_CONFIG=config/linux-x230.config diff --git a/modules/coreboot b/modules/coreboot index 2f63ee2ef..a14ea3eda 100644 --- a/modules/coreboot +++ b/modules/coreboot 
@@ -1,13 +1,18 @@ modules-$(CONFIG_COREBOOT) += coreboot +ifeq "$(CONFIG_COREBOOT_VERSION)" "4.8.1" +coreboot_version := 4.8.1 +coreboot_hash := f0ddf4db0628c1fe1e8348c40084d9cbeb5771400c963fd419cda3995b69ad23 +else +$(error "$(BOARD): does not specify coreboot version under CONFIG_COREBOOT_VERSION") +endif + #coreboot_version := git #coreboot_repo := https://github.com/osresearch/coreboot -coreboot_version := 4.8.1 coreboot_base_dir := coreboot-$(coreboot_version) coreboot_dir := $(coreboot_base_dir)/$(BOARD) coreboot_tar := coreboot-$(coreboot_version).tar.xz coreboot_url := https://www.coreboot.org/releases/$(coreboot_tar) -coreboot_hash := f0ddf4db0628c1fe1e8348c40084d9cbeb5771400c963fd419cda3995b69ad23 # coreboot builds are specialized on a per-target basis. # The builds are done in a per-target subdirectory From f7c4cae903af099ec8ed0b64c75b69dc878f44d2 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Fri, 10 Jul 2020 12:58:32 -0500 Subject: [PATCH 155/189] *gui.sh: move common ops to gui_functions Move code duplicated across several GUI scripts into a common gui_functions file and include/use that. Signed-off-by: Matt DeVillier --- initrd/bin/config-gui.sh | 48 +--------------------------- initrd/bin/flash-gui.sh | 63 +------------------------------------ initrd/bin/gpg-gui.sh | 62 +----------------------------------- initrd/etc/gui_functions | 68 ++++++++++++++++++++++++++++++++++++++++ 4 files changed, 71 insertions(+), 170 deletions(-) create mode 100755 initrd/etc/gui_functions diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh index 74e8e7f98..37b4808b4 100755 --- a/initrd/bin/config-gui.sh +++ b/initrd/bin/config-gui.sh 
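Review bot: The `else` branch of the new `ifeq` raises `$(error ...)` for every value other than 4.8.1, so a board that sets an unsupported version is told it "does not specify coreboot version", which points at a missing setting rather than a wrong one. Wording such as `$(error $(BOARD): missing or unsupported CONFIG_COREBOOT_VERSION '$(CONFIG_COREBOOT_VERSION)')` covers both cases; the double quotes inside `$(error ...)` are printed literally and can go. The check also runs at parse time whether or not CONFIG_COREBOOT is set, so if this module file is read for boards that do not build coreboot (not visible in the hunk), their build stops here; wrapping the block in `ifeq "$(CONFIG_COREBOOT)" "y"` would avoid that. A one-line comment above the branch would help whoever adds the next release, e.g. `# version and tarball hash are pinned as a pair; add both together`.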
@@ -2,55 +2,9 @@ # set -e -o pipefail . /etc/functions +. /etc/gui_functions . /tmp/config -file_selector() { - FILE="" - FILE_LIST=$1 - MENU_MSG=${2:-"Choose the file"} - MENU_TITLE=${3:-"Select your File"} -# create file menu options - if [ `cat "$FILE_LIST" | wc -l` -gt 0 ]; then - option="" - while [ -z "$option" ] - do - MENU_OPTIONS="" - n=0 - while read option - do - n=`expr $n + 1` - option=$(echo $option | tr " " "_") - MENU_OPTIONS="$MENU_OPTIONS $n ${option}" - done < $FILE_LIST - - MENU_OPTIONS="$MENU_OPTIONS a Abort" - whiptail --clear --title "${MENU_TITLE}" \ - --menu "${MENU_MSG} [1-$n, a to abort]:" 20 120 8 \ - -- $MENU_OPTIONS \ - 2>/tmp/whiptail || die "Aborting" - - option_index=$(cat /tmp/whiptail) - - if [ "$option_index" = "a" ]; then - option="a" - return - fi - - option=`head -n $option_index $FILE_LIST | tail -1` - if [ "$option" == "a" ]; then - return - fi - done - if [ -n "$option" ]; then - FILE=$option - fi - else - whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: No Files Found' \ - --msgbox "No Files found matching the pattern. Aborting." 16 60 - exit 1 - fi -} - param=$1 while true; do diff --git a/initrd/bin/flash-gui.sh b/initrd/bin/flash-gui.sh index c8cbd364b..933a705cb 100755 --- a/initrd/bin/flash-gui.sh +++ b/initrd/bin/flash-gui.sh 
@@ -2,70 +2,9 @@ # set -e -o pipefail . /etc/functions +. /etc/gui_functions . /tmp/config -mount_usb(){ -# Mount the USB boot device - if ! grep -q /media /proc/mounts ; then - mount-usb && USB_FAILED=0 || USB_FAILED=1 - if [ $USB_FAILED -ne 0 ]; then - whiptail --title 'USB Drive Missing' \ - --msgbox "Insert your USB drive and press Enter to continue." 16 60 - mount-usb && USB_FAILED=0 || USB_FAILED=1 - if [ $USB_FAILED -ne 0 ]; then - whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Mounting /media Failed' \ - --msgbox "Unable to mount USB device" 16 60 - fi - fi - fi -} - -file_selector() { - FILE="" - FILE_LIST=$1 - MENU_MSG=${2:-"Choose the file"} -# create file menu options - if [ `cat "$FILE_LIST" | wc -l` -gt 0 ]; then - option="" - while [ -z "$option" ] - do - MENU_OPTIONS="" - n=0 - while read option - do - n=`expr $n + 1` - option=$(echo $option | tr " " "_") - MENU_OPTIONS="$MENU_OPTIONS $n ${option}" - done < $FILE_LIST - - MENU_OPTIONS="$MENU_OPTIONS a Abort" - whiptail --clear --title "Select your File" \ - --menu "${MENU_MSG} [1-$n, a to abort]:" 20 120 8 \ - -- $MENU_OPTIONS \ - 2>/tmp/whiptail || die "Aborting" - - option_index=$(cat /tmp/whiptail) - - if [ "$option_index" = "a" ]; then - option="a" - return - fi - - option=`head -n $option_index $FILE_LIST | tail -1` - if [ "$option" == "a" ]; then - return - fi - done - if [ -n "$option" ]; then - FILE=$option - fi - else - whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: No Files Found' \ - --msgbox "No Files found matching the pattern. Aborting." 16 60 - exit 1 - fi -} - while true; do unset menu_choice whiptail --clear --title "Firmware Management Menu" \ diff --git a/initrd/bin/gpg-gui.sh b/initrd/bin/gpg-gui.sh index 132cf6b8e..cb63a660e 100755 --- a/initrd/bin/gpg-gui.sh +++ b/initrd/bin/gpg-gui.sh 
@@ -2,69 +2,9 @@ # set -e -o pipefail . /etc/functions +. /etc/gui_functions . /tmp/config -mount_usb(){ -# Mount the USB boot device - if ! grep -q /media /proc/mounts ; then - mount-usb && USB_FAILED=0 || USB_FAILED=1 - if [ $USB_FAILED -ne 0 ]; then - whiptail --title 'USB Drive Missing' \ - --msgbox "Insert your USB drive and press Enter to continue." 16 60 - mount-usb && USB_FAILED=0 || USB_FAILED=1 - if [ $USB_FAILED -ne 0 ]; then - whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Mounting /media Failed' \ - --msgbox "Unable to mount USB device" 16 60 - fi - fi - fi -} - -file_selector() { - FILE="" - FILE_LIST=$1 - MENU_MSG=${2:-"Choose the file"} -# create file menu options - if [ `cat "$FILE_LIST" | wc -l` -gt 0 ]; then - option="" - while [ -z "$option" ] - do - MENU_OPTIONS="" - n=0 - while read option - do - n=`expr $n + 1` - option=$(echo $option | tr " " "_") - MENU_OPTIONS="$MENU_OPTIONS $n ${option}" - done < $FILE_LIST - - MENU_OPTIONS="$MENU_OPTIONS a Abort" - whiptail --clear --title "Select your File" \ - --menu "${MENU_MSG} [1-$n, a to abort]:" 20 120 8 \ - -- $MENU_OPTIONS \ - 2>/tmp/whiptail || die "Aborting" - - option_index=$(cat /tmp/whiptail) - - if [ "$option_index" = "a" ]; then - option="a" - return - fi - - option=`head -n $option_index $FILE_LIST | tail -1` - if [ "$option" == "a" ]; then - return - fi - done - if [ -n "$option" ]; then - FILE=$option - fi - else - whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: No Files Found' \ - --msgbox "No Files found matching the pattern. Aborting." 16 60 - exit 1 - fi -} gpg_flash_rom() { if [ "$1" = "replace" ]; then diff --git a/initrd/etc/gui_functions b/initrd/etc/gui_functions new file mode 100755 index 000000000..70d177be8 --- /dev/null +++ b/initrd/etc/gui_functions 
@@ -0,0 +1,68 @@ +#!/bin/sh +# Shell functions for common operations using fbwhiptail + +mount_usb() +{ + # Mount the USB boot device + if ! grep -q /media /proc/mounts ; then + mount-usb && USB_FAILED=0 || USB_FAILED=1 + if [ $USB_FAILED -ne 0 ]; then + whiptail --title 'USB Drive Missing' \ + --msgbox "Insert your USB drive and press Enter to continue." 16 60 + mount-usb && USB_FAILED=0 || USB_FAILED=1 + if [ $USB_FAILED -ne 0 ]; then + whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Mounting /media Failed' \ + --msgbox "Unable to mount USB device" 16 60 + fi + fi + fi +} + +file_selector() +{ + FILE="" + FILE_LIST=$1 + MENU_MSG=${2:-"Choose the file"} + MENU_TITLE=${3:-"Select your File"} + + # create file menu options + if [ `cat "$FILE_LIST" | wc -l` -gt 0 ]; then + option="" + while [ -z "$option" ] + do + MENU_OPTIONS="" + n=0 + while read option + do + n=`expr $n + 1` + option=$(echo $option | tr " " "_") + MENU_OPTIONS="$MENU_OPTIONS $n ${option}" + done < $FILE_LIST + + MENU_OPTIONS="$MENU_OPTIONS a Abort" + whiptail --clear --title "${MENU_TITLE}" \ + --menu "${MENU_MSG} [1-$n, a to abort]:" 20 120 8 \ + -- $MENU_OPTIONS \ + 2>/tmp/whiptail || die "Aborting" + + option_index=$(cat /tmp/whiptail) + + if [ "$option_index" = "a" ]; then + option="a" + return + fi + + option=`head -n $option_index $FILE_LIST | tail -1` + if [ "$option" == "a" ]; then + return + fi + done + if [ -n "$option" ]; then + FILE=$option + fi + else + whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: No Files Found' \ + --msgbox "No Files found matching the pattern. Aborting." 16 60 + exit 1 + fi +} From c2c45dae0eddba1eb1fcca40d0a2e1d5137464ce Mon Sep 17 00:00:00 2001 
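Review bot: In `file_selector` the menu is assembled from file names read out of `$FILE_LIST` and then expanded unquoted in `-- $MENU_OPTIONS`, so only spaces are neutralised (by `tr " " "_"`); a name containing a tab or a glob character such as `*` is still split or expanded by the shell and shifts the tag/item pairs that whiptail receives. flash-gui.sh fills this list with `find /media ...`, so the names come from removable media rather than from the firmware image. Keeping each name as one word is possible with positional parameters: `set --` before the inner loop, `set -- "$@" "$n" "$option"` inside it, and `-- "$@" a Abort` on the whiptail line, together with `read -r option` and a quoted `"$FILE_LIST"` on the `done <` and `head -n` lines. The `==` inside `[ ]` under `#!/bin/sh` works in busybox ash but is not POSIX; `=` is the portable spelling.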
From: Matt DeVillier Date: Mon, 13 Jul 2020 17:22:40 -0500 Subject: [PATCH 156/189] Encapsulate changes to working directory inside subshells For the handful of operations which need to be done with /boot as the pwd, encapsulate them in subshells to ensure the pwd doesn't unexpectedly change for other operations, as functions which need to mount/unmount /boot may fail if the pwd isn't root. Also, set the pwd to root at the start of detect_boot_device as an added safety measure. Test: run oem-factory-reset function, ensure it doesn't fail to detect boot device due to incorrect working directory. Signed-off-by: Matt DeVillier --- initrd/bin/gui-init | 2 +- initrd/bin/oem-factory-reset | 4 ++-- initrd/etc/functions | 18 ++++++++++-------- 3 files changed, 13 insertions(+), 11 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index a3bf44445..b98fce17c 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -42,7 +42,7 @@ verify_global_hashes() TMP_PACKAGE_TRIGGER_PRE="/tmp/kexec/kexec_package_trigger_pre.txt" TMP_PACKAGE_TRIGGER_POST="/tmp/kexec/kexec_package_trigger_post.txt" - if cd /boot && sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output ; then + if ( cd /boot && sha256sum -c "$TMP_HASH_FILE" > /tmp/hash_output ) then return 0 elif [ ! -f $TMP_HASH_FILE ]; then if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Missing Hash File!' \ diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index f0707a0c5..a2e97b7b1 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -217,8 +217,8 @@ set_default_boot_option() echo "$entry" > /boot/kexec_default.1.txt # validate boot option - cd /boot && /bin/kexec-boot -b "/boot" -e "$entry" -f \ - | xargs sha256sum > $hash_file 2>/dev/null \ + ( cd /boot && /bin/kexec-boot -b "/boot" -e "$entry" -f \ + | xargs sha256sum > $hash_file 2>/dev/null ) \ || whiptail_error_die "Failed to create hashes of boot files" } 
diff --git a/initrd/etc/functions b/initrd/etc/functions index 2e8bd6a4b..3ccf7bc7f 100755 --- a/initrd/etc/functions +++ b/initrd/etc/functions @@ -271,13 +271,15 @@ update_checksums() || recovery "Unable to mount /boot" fi # remount RW - mount -o rw,remount /boot - cd /boot - find ./ -type f ! -name '*kexec*' | xargs sha256sum > /boot/kexec_hashes.txt - if [ -e /boot/kexec_default_hashes.txt ]; then - DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ') - echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt - fi + mount -o rw,remount /boot + ( + cd /boot + find ./ -type f ! -name '*kexec*' | xargs sha256sum > /boot/kexec_hashes.txt + if [ -e /boot/kexec_default_hashes.txt ]; then + DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ') + echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt + fi + ) # Remove any package trigger log files # We don't need them after the user decides to sign rm -f /boot/kexec_package_trigger* @@ -301,7 +303,7 @@ update_checksums() detect_boot_device() { # unmount /boot to be safe - umount /boot 2>/dev/null + cd / && umount /boot 2>/dev/null # check $CONFIG_BOOT_DEV if set/valid if [ -e "$CONFIG_BOOT_DEV" ]; then From d472c43c7916e318407e028d54a6087f04508dcc Mon Sep 17 00:00:00 2001 From: Alexander Paetzelt Date: Wed, 15 Jul 2020 09:35:47 +0200 Subject: [PATCH 157/189] Fix quoting of variable --- initrd/bin/seal-hotpkey | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/initrd/bin/seal-hotpkey b/initrd/bin/seal-hotpkey index 8dc37bb25..3d116ad21 100755 --- a/initrd/bin/seal-hotpkey +++ b/initrd/bin/seal-hotpkey 
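Review bot: Inside the new subshell of `update_checksums`, `find ./ -type f ! -name '*kexec*' | xargs sha256sum` splits file names on whitespace, so a file in /boot whose name contains a space or newline is hashed under the wrong name or not at all, and the manifest later checked with `sha256sum -c` does not cover it. If the busybox build enables the options (not visible here), `find ./ -type f ! -name '*kexec*' -print0 | xargs -0 sha256sum` closes that gap. `cd /boot` is also not chained to what follows, so unless `set -e` is active in the caller a failed `cd` hashes the current directory into `/boot/kexec_hashes.txt`; `cd /boot || exit 1` as the first line of the subshell, with the subshell's status checked afterwards, makes that failure visible. The exclusion `'*kexec*'` matches any file with "kexec" anywhere in its name, which is presumably wider than the kexec metadata files it is meant to skip and deserves a comment or a tighter pattern; the function itself starts and ends outside the hunk.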
@@ -80,12 +80,12 @@ echo -e "" read -s -p "Enter your $HOTPKEY_BRANDING Admin PIN: " admin_pin echo -e "\n" -hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value $HOTPKEY_BRANDING +hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" if [ $? -ne 0 ]; then echo -e "\n" read -s -p "Error setting HOTP secret, re-enter Admin PIN and try again: " admin_pin echo -e "\n" - if ! hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value $HOTPKEY_BRANDING ; then + if ! hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" ; then # don't leak key on failure shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null die "Setting HOTP secret failed" From ba4fcefceaeb8762fbabb060c1a13e731de020c5 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Fri, 10 Jul 2020 13:00:13 -0500 Subject: [PATCH 158/189] usb-scan/mount: Improve USB handling Currently, /media is mounted once per boot, which causes issues if a user need to change USB sticks, or unknowning performs an operation that mounts /media and then needs to access a different USB stick later (eg, updating the firmware). To mitigate this, always unmount /media if mounted before scanning for USB devices, so the user can choose the correct device at the time of its use. Additionally, add a unique exit code for user abort so we're not treating it the same as a failure, and use it to prevent unnecessary GUI prompts when cancelling selection of a USB device. Signed-off-by: Matt DeVillier --- initrd/bin/mount-usb | 2 +- initrd/bin/usb-scan | 7 +++---- initrd/etc/gui_functions | 21 ++++++++++++--------- 3 files changed, 16 insertions(+), 14 deletions(-) diff --git a/initrd/bin/mount-usb b/initrd/bin/mount-usb index ca7a745fb..2448fc37d 100755 --- a/initrd/bin/mount-usb +++ b/initrd/bin/mount-usb @@ -100,7 +100,7 @@ if [ -z ${USB_MOUNT_DEVICE} ]; then fi if [ "$option_index" = "a" ]; then - exit 1 + exit 5 fi USB_MOUNT_DEVICE=`head -n $option_index /tmp/usb_disk_list | tail -1` fi 
diff --git a/initrd/bin/usb-scan b/initrd/bin/usb-scan index a9debdf5c..d9f26b04b 100755 --- a/initrd/bin/usb-scan +++ b/initrd/bin/usb-scan @@ -2,6 +2,7 @@ # Scan for USB installation options set -e -o pipefail . /etc/functions +. /etc/gui_functions . /tmp/config # Unmount any previous boot device @@ -11,10 +12,8 @@ if grep -q /boot /proc/mounts ; then fi # Mount the USB boot device -if ! grep -q /media /proc/mounts ; then - mount-usb "$CONFIG_USB_BOOT_DEV" \ - || die "Unable to mount /media" -fi +mount_usb || die "Unable to mount /media" + # Get USB boot device USB_BOOT_DEV=$(grep "/media" /etc/mtab | cut -f 1 -d' ') diff --git a/initrd/etc/gui_functions b/initrd/etc/gui_functions index 70d177be8..efdc1384d 100755 --- a/initrd/etc/gui_functions +++ b/initrd/etc/gui_functions @@ -3,17 +3,20 @@ mount_usb() { + # Unmount any previous USB device + if grep -q /media /proc/mounts ; then + umount /media || die "Unable to unmount /media" + fi # Mount the USB boot device - if ! grep -q /media /proc/mounts ; then - mount-usb && USB_FAILED=0 || USB_FAILED=1 + mount-usb && USB_FAILED=0 || ( [ $? -eq 5 ] && exit 1 || USB_FAILED=1 ) + if [ $USB_FAILED -ne 0 ]; then + whiptail --title 'USB Drive Missing' \ + --msgbox "Insert your USB drive and press Enter to continue." 16 60 + mount-usb && USB_FAILED=0 || ( [ $? -eq 5 ] && exit 1 || USB_FAILED=1 ) if [ $USB_FAILED -ne 0 ]; then - whiptail --title 'USB Drive Missing' \ - --msgbox "Insert your USB drive and press Enter to continue." 16 60 - mount-usb && USB_FAILED=0 || USB_FAILED=1 - if [ $USB_FAILED -ne 0 ]; then - whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Mounting /media Failed' \ - --msgbox "Unable to mount USB device" 16 60 - fi + whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Mounting /media Failed' \ + --msgbox "Unable to mount USB device" 16 60 + exit 1 fi fi } From d6ea02d7d5db2084a6ecee4f2f4405f354c327fa Mon Sep 17 00:00:00 2001 
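Review bot: Both new `mount-usb && USB_FAILED=0 || ( [ $? -eq 5 ] && exit 1 || USB_FAILED=1 )` lines in `mount_usb` run the fallback inside a subshell, so `exit 1` ends only that subshell and `USB_FAILED=1` never reaches the function. After a failed mount `USB_FAILED` is therefore unset (or still holds an earlier value), the `[ $USB_FAILED -ne 0 ]` test errors out instead of being true, and the function returns without the retry prompt or the error dialog. usb-scan's `mount_usb || die "Unable to mount /media"` then carries on with nothing mounted, and the user-abort case stops the script only where `set -e` happens to be active. An `if`/`else` keeps both effects in the current shell: `if mount-usb; then USB_FAILED=0; else [ $? -eq 5 ] && exit 1; USB_FAILED=1; fi`.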
From: Matt DeVillier Date: Fri, 10 Jul 2020 16:53:10 -0500 Subject: [PATCH 159/189] flash-gui: Improve readability of prompts Adjust text on GUI dialogs to prevent filenames from being truncated and to improve clarity/readability. Signed-off-by: Matt DeVillier --- initrd/bin/flash-gui.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/initrd/bin/flash-gui.sh b/initrd/bin/flash-gui.sh index 933a705cb..6e2a0840a 100755 --- a/initrd/bin/flash-gui.sh +++ b/initrd/bin/flash-gui.sh @@ -22,7 +22,7 @@ while true; do ;; f|c ) if (whiptail --title 'Flash the BIOS with a new ROM' \ - --yesno "This requires you insert a USB drive containing:\n* Your BIOS image (*.rom)\n\nAfter you select this file, this program will reflash your BIOS\n\nDo you want to proceed?" 16 90) then + --yesno "You will need to insert a USB drive containing your BIOS image (*.rom).\n\nAfter you select this file, this program will reflash your BIOS.\n\nDo you want to proceed?" 16 90) then mount_usb if grep -q /media /proc/mounts ; then find /media ! -path '*/\.*' -type f -name '*.rom' | sort > /tmp/filelist.txt @@ -34,7 +34,7 @@ while true; do fi if (whiptail --title 'Flash ROM?' \ - --yesno "This will replace your old ROM with $ROM\n\nDo you want to proceed?" 16 90) then + --yesno "This will replace your current ROM with:\n\n$ROM\n\nDo you want to proceed?" 16 60) then if [ "$menu_choice" == "c" ]; then /bin/flash.sh -c "$ROM" # after flash, /boot signatures are now invalid so go ahead and clear them @@ -49,7 +49,7 @@ while true; do /bin/flash.sh "$ROM" fi whiptail --title 'ROM Flashed Successfully' \ - --msgbox "$ROM flashed successfully.\nPress Enter to reboot" 16 60 + --msgbox "$ROM flashed successfully.\n\nPress Enter to reboot\n" 16 60 umount /media /bin/reboot else From ffedd3ac11a332927dd6fc12849a7a1e8666f7fb Mon Sep 17 00:00:00 2001 
From: Matt DeVillier Date: Fri, 10 Jul 2020 17:28:26 -0500 Subject: [PATCH 160/189] configs/busybox: include 'fold' utility Will be used to wrap long error messages so not truncated when shown in fbwhiptail dialogs. Signed-off-by: Matt DeVillier --- config/busybox.config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/busybox.config b/config/busybox.config index e7ef9aaad..23b895e05 100644 --- a/config/busybox.config +++ b/config/busybox.config @@ -227,7 +227,7 @@ CONFIG_EXPR=y CONFIG_EXPR_MATH_SUPPORT_64=y CONFIG_FACTOR=y CONFIG_FALSE=y -# CONFIG_FOLD is not set +CONFIG_FOLD=y # CONFIG_FSYNC is not set CONFIG_HEAD=y CONFIG_FEATURE_FANCY_HEAD=y From 5005c9295317aedc3783d7e40df7961f072db9ac Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Fri, 10 Jul 2020 17:29:43 -0500 Subject: [PATCH 161/189] oem-factory-reset: Improve readability of error output Use fold to wrap long lines. Don't show pubkey filename if not needed. Signed-off-by: Matt DeVillier --- initrd/bin/oem-factory-reset | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index f0707a0c5..a104149a8 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -109,7 +109,7 @@ gpg_key_change_pin() } | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \ > /tmp/gpg_card_edit_output 2>/dev/null if [ $? -ne 0 ]; then - ERROR=`cat /tmp/gpg_card_edit_output` + ERROR=`cat /tmp/gpg_card_edit_output | fold -s` whiptail_error_die "GPG Key PIN change failed!\n\n$ERROR" fi } @@ -184,7 +184,7 @@ generate_checksums() mount -o ro,remount /boot if [ $ret = 1 ] ; then - ERROR=$(tail -n 1 /tmp/error) + ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Error signing kexec boot files:\n\n$ERROR" fi } 
@@ -319,7 +319,7 @@ echo -e "\nChecking for USB media...\n" umount /media 2>/dev/null # mount-usb will detect and prompt if no USB inserted if ! mount-usb rw 2>/tmp/error; then - ERROR=$(tail -n 1 /tmp/error) + ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Unable to mount USB on /media:\n\n${ERROR}" fi @@ -329,7 +329,7 @@ echo -e "\nChecking for GPG Key...\n" if ! gpg --card-status >/dev/null 2>&1 ; then whiptail_error "Can't access GPG Key; remove and reinsert, then press Enter to retry." if ! gpg --card-status >/dev/null 2>/tmp/error ; then - ERROR=$(tail -n 1 /tmp/error) + ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Unable to detect GPG Key:\n\n${ERROR}" fi fi @@ -354,7 +354,7 @@ if [ "$CONFIG_TPM" = "y" ]; then echo $TPM_PASS_DEF } | /bin/tpm-reset >/dev/null 2>/tmp/error if [ $? -ne 0 ]; then - ERROR=$(tail -n 1 /tmp/error) + ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Error resetting TPM:\n\n${ERROR}" fi fi @@ -385,13 +385,13 @@ fi echo -e "\nExporting generated key to USB...\n" # export pubkey to file if ! gpg --export --armor $GPG_GEN_KEY > "${PUBKEY}" 2>/tmp/error ; then - ERROR=$(tail -n 1 /tmp/error) + ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "GPG Key gpg export to file failed!\n\n$ERROR" fi # copy to USB if ! cp "${PUBKEY}" "/media/${GPG_GEN_KEY}.asc" 2>/tmp/error ; then - ERROR=$(tail -n 1 /tmp/error) - whiptail_error_die "Key export error: unable to copy ${GPG_GEN_KEY}.asc to /media:\n\n$ERROR" + ERROR=$(tail -n 1 /tmp/error | fold -s) + whiptail_error_die "Key export error: unable to copy exported pubkey to /media:\n\n$ERROR" fi umount /media 2>/dev/null 
@@ -399,24 +399,24 @@ umount /media 2>/dev/null echo -e "\nReading current firmware...\n(this will take a minute or two)\n" /bin/flash.sh -r /tmp/oem-setup.rom >/dev/null 2>/tmp/error if [ ! -s /tmp/oem-setup.rom ]; then - ERROR=$(tail -n 1 /tmp/error) + ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Error reading current firmware:\n\n$ERROR" fi # ensure key imported locally if ! cat "$PUBKEY" | gpg --import >/dev/null 2>/tmp/error ; then - ERROR=$(tail -n 1 /tmp/error) + ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Error importing GPG key:\n\n$ERROR" fi # update /.gnupg/trustdb.gpg to ultimately trust all user provided public keys if ! gpg --list-keys --fingerprint --with-colons 2>/dev/null \ | sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' \ | gpg --import-ownertrust >/dev/null 2>/tmp/error ; then - ERROR=$(tail -n 1 /tmp/error) + ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Error importing GPG ownertrust:\n\n$ERROR" fi if ! gpg --update-trust >/dev/null 2>/tmp/error ; then - ERROR=$(tail -n 1 /tmp/error) + ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Error updating GPG ownertrust:\n\n$ERROR" fi # clear any existing heads/gpg files from current firmware @@ -442,7 +442,7 @@ fi # flash updated firmware image echo -e "\nAdding generated key to current firmware and re-flashing...\n" if ! /bin/flash.sh /tmp/oem-setup.rom >/dev/null 2>/tmp/error ; then - ERROR=$(tail -n 1 /tmp/error) + ERROR=$(tail -n 1 /tmp/error | fold -s) whiptail_error_die "Error flashing updated firmware image:\n\n$ERROR" fi From 2dbe6c9d3b4f77bc637d7d729e8ae6c9c609c46b Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Fri, 10 Jul 2020 18:09:05 -0500 Subject: [PATCH 162/189] gui-init: Improve readability of checksum dialogs Add a linebreak before showing list of files with changed checksums. Fix text truncation on checksum update prompt. 
Signed-off-by: Matt DeVillier --- initrd/bin/gui-init | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index a3bf44445..913b26c1c 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -70,7 +70,7 @@ verify_global_hashes() fi else - TEXT="The following files failed the verification process:\n${CHANGED_FILES}\n\nThis could indicate a compromise!\n\nWould you like to update your checksums now?" + TEXT="The following files failed the verification process:\n\n${CHANGED_FILES}\n\nThis could indicate a compromise!\n\nWould you like to update your checksums now?" fi if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Boot Hash Mismatch' --yesno "$TEXT" 30 90) then @@ -82,7 +82,7 @@ verify_global_hashes() prompt_update_checksums() { if (whiptail --title 'Update Checksums and sign all files in /boot' \ - --yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that the files in /boot have not been tampered with.\n\nYou will need your GPG key to continue and this change will modify your disk.\n\nDo you want to continue?" 16 90) then + --yesno "You have chosen to update the checksums and sign all of the files in /boot.\n\nThis means that you trust that these files have not been tampered with.\n\nYou will need your GPG key available, and this change will modify your disk.\n\nDo you want to continue?" 16 90) then update_checksums else echo "Returning to the main menu" From efe30b72bf2849c087bb0faaae9ab48ba8278086 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Tue, 7 Jul 2020 17:45:18 -0500 Subject: [PATCH 163/189] modules/hotp-verification: update to upstream master Update hotp-verification to Nitrokey upstream commit 03a198c4. Test: build/boot Librem 13v4, verify Librem key verification functional. Signed-off-by: Matt DeVillier --- modules/hotp-verification | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/modules/hotp-verification b/modules/hotp-verification index ebc63a58e..d78d4625d 100644 --- a/modules/hotp-verification +++ b/modules/hotp-verification @@ -2,11 +2,11 @@ modules-$(CONFIG_HOTPKEY) += hotp-verification hotp-verification_depends := libusb $(musl_dep) -hotp-verification_version := 5fb260e631b237a298b6dcca47bbd728f2c5ac3a +hotp-verification_version := 03a198c418a60c54ef3ec67ea8a9a2d29b675b9b hotp-verification_dir := hotp-verification-$(hotp-verification_version) hotp-verification_tar := nitrokey-hotp-verification-$(hotp-verification_version).tar.gz hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(hotp-verification_version).tar.gz -hotp-verification_hash := 5d98d158ba97fb970061d68e2c6f41582395e687b7752efb1a8038762b0e7b79 +hotp-verification_hash := 0fca30856b38517db6a0bb420b8b3a76730af17ce987b7dd9e700992c82559b4 hotp-verification_target := \ $(MAKE_JOBS) \ From a89d5a278021183d828263a3595b819700d4b071 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Fri, 24 Jul 2020 00:11:33 -0500 Subject: [PATCH 164/189] seal-hotp: Fix HOTP key identification With current implementation, Librem Keys with VID 0x316d are not identified properly; correct the if/else logic to resolve. Signed-off-by: Matt DeVillier --- initrd/bin/seal-hotpkey | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/initrd/bin/seal-hotpkey b/initrd/bin/seal-hotpkey index 3d116ad21..70b0e933f 100755 --- a/initrd/bin/seal-hotpkey +++ b/initrd/bin/seal-hotpkey @@ -68,9 +68,9 @@ if ! hotp_verification info ; then fi # Set HOTP USB Security Dongle branding based on VID -if [ ! $(lsusb | grep -q "20a0:") ]; then +if lsusb | grep -q "20a0:" ; then HOTPKEY_BRANDING="Nitrokey" -elif [ ! $(lsusb | grep -q "316d:") ]; then +elif lsusb | grep -q "316d:" ; then HOTPKEY_BRANDING="Librem Key" else HOTPKEY_BRANDING="HOTP USB Security Dongle" From 302f044e8eccf91a213fbf75f14b90f974ecf993 Mon Sep 17 00:00:00 2001 
From: Matt DeVillier Date: Mon, 27 Jul 2020 20:40:41 -0500 Subject: [PATCH 165/189] patches: Add patch to fix hotp-verification Commit 7ea13ee0 made some significant changes to Librem/Nitrokey verification which broke both compilation and calls to hotp_initialize. Fix them via a patch until it's fixed upstream. Signed-off-by: Matt DeVillier --- ...98c418a60c54ef3ec67ea8a9a2d29b675b9b.patch | 147 ++++++++++++++++++ 1 file changed, 147 insertions(+) create mode 100644 patches/hotp-verification-03a198c418a60c54ef3ec67ea8a9a2d29b675b9b.patch diff --git a/patches/hotp-verification-03a198c418a60c54ef3ec67ea8a9a2d29b675b9b.patch b/patches/hotp-verification-03a198c418a60c54ef3ec67ea8a9a2d29b675b9b.patch new file mode 100644 index 000000000..a4ceccb6d --- /dev/null +++ b/patches/hotp-verification-03a198c418a60c54ef3ec67ea8a9a2d29b675b9b.patch 
@@ -0,0 +1,147 @@ +diff --git a/Makefile b/Makefile +index a0d3790..a3b0ad5 100644 +--- a/Makefile ++++ b/Makefile +@@ -45,20 +45,16 @@ LIBUSB_LIB=$(shell $(PKGCONFIG) --libs libusb-1.0) + CFLAGS= -Wall -Wextra -fno-guess-branch-probability -Wdate-time -frandom-seed=42 -O2 -gno-record-gcc-switches -DNDEBUG -fdebug-prefix-map=${PWD}=heads -c -std=gnu11 -DNK_REMOVE_PTHREAD $(LIBUSB_FLAGS) + + OUTDIR= +-OUT=nitrokey_hotp_verification +-OUT2=libremkey_hotp_verification ++OUT=hotp_verification + LDFLAGS=$(LIBUSB_LIB) + +-all: $(OUT) $(OUT2) ++all: $(OUT) + ls -lh $^ + sha256sum $^ + + clean: + -rm $(OBJS) $(OUT) version.c + +-$(OUT2): $(OUT) +- cp $< $@ +- + $(OUT): $(OBJS) + $(CC) $^ $(LDFLAGS) -o $@ + +@@ -74,7 +70,7 @@ $(SRCDIR)/version.c: $(SRCDIR)/version.c.in + INSTALL=/usr/local/ + .PHONY: install + install: +- cp -v $(OUT) $(OUT2) $(INSTALL)/bin ++ cp -v $(OUT) $(INSTALL)/bin + + .PHONY: github_sha + GVER=$(shell git rev-parse HEAD) +diff --git a/libremkey_hotp_initialize b/hotp_initialize +similarity index 51% +rename from libremkey_hotp_initialize +rename to hotp_initialize +index d062c92..3ef3540 100755 +--- a/libremkey_hotp_initialize ++++ b/hotp_initialize +@@ -2,11 +2,11 @@ + + usage() + { +- echo "This command initializes the Librem Key HOTP counter to the specified value" +- echo "usage: $0 " ++ echo "This command initializes the HOTP counter on a HOTP security key to the specified value" ++ echo "usage: $0 " + } + +-if [ "$3" == "" ]; then ++if [ "$4" == "" ]; then + usage + exit 1 + fi +@@ -15,10 +15,11 @@ PIN=$1 + SECRET=$2 + COUNTER=$3 + SECRET_B32=$(cat $SECRET | base32) ++HOTPKEY_BRANDING=$4 + +-libremkey_hotp_verification set $SECRET_B32 "$PIN" ++hotp_verification set $SECRET_B32 "$PIN" + if [ $? -ne 0 ]; then +- echo "ERROR: Setting HOTP secret on Librem Key failed!" ++ echo "ERROR: Setting HOTP secret on $HOTPKEY_BRANDING failed!" 
+ exit 1 + fi + +@@ -26,7 +27,7 @@ i=9 + while [ "$i" -lt "$COUNTER" ]; do + echo "Updating counter to $i" + HOTP_CODE=$(hotp $i < $SECRET) +- libremkey_hotp_verification check $HOTP_CODE > /dev/null ++ hotp_verification check $HOTP_CODE > /dev/null + if [ $? -ne 0 ]; then + echo "HOTP check failed for counter=$i, code=$HOTP_CODE" + exit 1 +@@ -35,10 +36,10 @@ while [ "$i" -lt "$COUNTER" ]; do + done + + HOTP_CODE=$(hotp $COUNTER < $SECRET) +-libremkey_hotp_verification check $HOTP_CODE > /dev/null ++hotp_verification check $HOTP_CODE > /dev/null + if [ $? -ne 0 ]; then + echo "HOTP check failed for counter=$COUNTER, code=$HOTP_CODE" + exit 1 + else +- echo "Librem Key initialized at counter $COUNTER" ++ echo "$HOTPKEY_BRANDING initialized at counter $COUNTER" + fi +diff --git a/nitrokey_hotp_initialize b/nitrokey_hotp_initialize +deleted file mode 100755 +index 817987d..0000000 +--- a/nitrokey_hotp_initialize ++++ /dev/null +@@ -1,44 +0,0 @@ +-#!/bin/sh +- +-usage() +-{ +- echo "This command initializes the Nitrokey HOTP counter to the specified value" +- echo "usage: $0 " +-} +- +-if [ "$3" == "" ]; then +- usage +- exit 1 +-fi +- +-PIN=$1 +-SECRET=$2 +-COUNTER=$3 +-SECRET_B32=$(cat $SECRET | base32) +- +-nitrokey_hotp_verification set $SECRET_B32 "$PIN" +-if [ $? -ne 0 ]; then +- echo "ERROR: Setting HOTP secret on Nitrokey failed!" +- exit 1 +-fi +- +-i=9 +-while [ "$i" -lt "$COUNTER" ]; do +- echo "Updating counter to $i" +- HOTP_CODE=$(hotp $i < $SECRET) +- nitrokey_hotp_verification check $HOTP_CODE > /dev/null +- if [ $? -ne 0 ]; then +- echo "HOTP check failed for counter=$i, code=$HOTP_CODE" +- exit 1 +- fi +- let "i += 10" +-done +- +-HOTP_CODE=$(hotp $COUNTER < $SECRET) +-nitrokey_hotp_verification check $HOTP_CODE > /dev/null +-if [ $? -ne 0 ]; then +- echo "HOTP check failed for counter=$COUNTER, code=$HOTP_CODE" +- exit 1 +-else +- echo "Nitrokey initialized at counter $COUNTER" +-fi +-- +2.20.1 + 
From 009c10465a8eb7d77b01129193c3e58d55b48e43 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Tue, 28 Jul 2020 22:24:32 -0500 Subject: [PATCH 166/189] oem-factory-reset: Parse BLS format grub files The same grub parsing logic used in kexec-select-boot should be used here as well, so copy it over. Test: oem-factory-reset succeeds with Fedora 32 installed. Signed-off-by: Matt DeVillier --- initrd/bin/oem-factory-reset | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index f0707a0c5..2546aa376 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -201,6 +201,14 @@ set_default_boot_option() for i in `find /boot -name "grub.cfg"`; do kexec-parse-boot "/boot" "$i" >> $option_file done + # FC29/30+ may use BLS format grub config files + # https://fedoraproject.org/wiki/Changes/BootLoaderSpecByDefault + # only parse these if $option_file is still empty + if [ ! -s $option_file ] && [ -d "/boot/loader/entries" ]; then + for i in `find /boot -name "grub.cfg"`; do + kexec-parse-bls "/boot" "$i" "/boot/loader/entries" >> $option_file + done + fi [ ! -r $option_file ] \ && whiptail_error_die "Failed to parse any boot options" From 4c64ca631a1edee6f89e6182b6827760391c6829 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 29 Jul 2020 00:18:57 -0500 Subject: [PATCH 167/189] oem-factory-reset: Fix index used for default boot option Since we sort the boot options prior to selecting the new default entry, we need to use the index of the entry in the list prior to being sorted, vs always setting it as 1. This fixes setting/booting of the default OS target where the list entries are changed when calling sort. Test: perform OEM factory reset with Fedora 32 installed, verify default boot succeeds followng reset. Signed-off-by: Matt DeVillier --- initrd/bin/oem-factory-reset | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index 2546aa376..0dbbb4528 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -221,8 +221,11 @@ set_default_boot_option() # clear existing default configs rm "/boot/kexec_default.*.txt" 2>/dev/null + # get correct index for entry + index=$(grep -n "$entry" $option_file | cut -f1 -d ':') + # write new config - echo "$entry" > /boot/kexec_default.1.txt + echo "$entry" > /boot/kexec_default.$index.txt # validate boot option cd /boot && /bin/kexec-boot -b "/boot" -e "$entry" -f \ From 97143953e8705c02403af3e45923838dac9f9251 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Tue, 28 Jul 2020 22:26:20 -0500 Subject: [PATCH 168/189] Fix check for valid boot options -r will always succeed since the file will be generated regardless of number of boot entries found. Use -s instead to check for zero file size. Signed-off-by: Matt DeVillier --- initrd/bin/kexec-select-boot | 2 +- initrd/bin/oem-factory-reset | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/initrd/bin/kexec-select-boot b/initrd/bin/kexec-select-boot index 793d6a79b..ef155be4b 100755 --- a/initrd/bin/kexec-select-boot +++ b/initrd/bin/kexec-select-boot @@ -173,7 +173,7 @@ scan_options() { kexec-parse-bls "$bootdir" "$i" "$bootdir/loader/entries" >> $option_file done fi - if [ ! -r $option_file ]; then + if [ ! -s $option_file ]; then die "Failed to parse any boot options" fi if [ "$unique" = 'y' ]; then diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index 0dbbb4528..dbb0c3cb0 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -209,7 +209,7 @@ set_default_boot_option() kexec-parse-bls "/boot" "$i" "/boot/loader/entries" >> $option_file done fi - [ ! -r $option_file ] \ + [ ! -s $option_file ] \ && whiptail_error_die "Failed to parse any boot options" # sort boot options 
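Review bot: In the set_default_boot_option() hunk, `grep -n "$entry"` treats the boot entry as a regular expression and keeps every matching line. An entry containing characters such as `.` or `[`, or two entries where one is a substring of the other, can therefore yield the wrong number or several numbers, and `$index` then produces a malformed `kexec_default.$index.txt` name. A fixed-string, first-match lookup avoids this: `index=$(grep -n -F -- "$entry" "$option_file" | head -n 1 | cut -f1 -d ':')`, adding `-x` if `$entry` is always a whole line of the file, and the script should stop if `$index` comes back empty. Separately, the context line `rm "/boot/kexec_default.*.txt"` quotes the glob, so it never matches any file; now that the index is no longer always 1, a stale `kexec_default.1.txt` can remain next to the new default, and `rm -f /boot/kexec_default.*.txt` would clear it. The function body begins and ends outside this hunk.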
From d6292015a14680cbb3ecbb7b3b20080d285bd574 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Thu, 30 Jul 2020 14:26:59 -0500 Subject: [PATCH 169/189] modules/hotp-verification: Update and drop patch Update to nitrokey-hotp-verification master (c0956cf) and drop existing patch which is no longer needed. Test: clean build for Librem 13v2 Signed-off-by: Matt DeVillier --- modules/hotp-verification | 4 +- ...98c418a60c54ef3ec67ea8a9a2d29b675b9b.patch | 147 ------------------ 2 files changed, 2 insertions(+), 149 deletions(-) delete mode 100644 patches/hotp-verification-03a198c418a60c54ef3ec67ea8a9a2d29b675b9b.patch diff --git a/modules/hotp-verification b/modules/hotp-verification index d78d4625d..d424f1b80 100644 --- a/modules/hotp-verification +++ b/modules/hotp-verification @@ -2,11 +2,11 @@ modules-$(CONFIG_HOTPKEY) += hotp-verification hotp-verification_depends := libusb $(musl_dep) -hotp-verification_version := 03a198c418a60c54ef3ec67ea8a9a2d29b675b9b +hotp-verification_version := c0956cfa085bcfc2500c1085dad350a440ccbe40 hotp-verification_dir := hotp-verification-$(hotp-verification_version) hotp-verification_tar := nitrokey-hotp-verification-$(hotp-verification_version).tar.gz hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(hotp-verification_version).tar.gz -hotp-verification_hash := 0fca30856b38517db6a0bb420b8b3a76730af17ce987b7dd9e700992c82559b4 +hotp-verification_hash := c06e9751bc45bf8e57ddb39f15352442eda07530f6fe0e8e1ed3e54274fc165f hotp-verification_target := \ $(MAKE_JOBS) \ diff --git a/patches/hotp-verification-03a198c418a60c54ef3ec67ea8a9a2d29b675b9b.patch b/patches/hotp-verification-03a198c418a60c54ef3ec67ea8a9a2d29b675b9b.patch deleted file mode 100644 index a4ceccb6d..000000000 --- a/patches/hotp-verification-03a198c418a60c54ef3ec67ea8a9a2d29b675b9b.patch +++ /dev/null 
@@ -1,147 +0,0 @@ -diff --git a/Makefile b/Makefile -index a0d3790..a3b0ad5 100644 ---- a/Makefile -+++ b/Makefile -@@ -45,20 +45,16 @@ LIBUSB_LIB=$(shell $(PKGCONFIG) --libs libusb-1.0) - CFLAGS= -Wall -Wextra -fno-guess-branch-probability -Wdate-time -frandom-seed=42 -O2 -gno-record-gcc-switches -DNDEBUG -fdebug-prefix-map=${PWD}=heads -c -std=gnu11 -DNK_REMOVE_PTHREAD $(LIBUSB_FLAGS) - - OUTDIR= --OUT=nitrokey_hotp_verification --OUT2=libremkey_hotp_verification -+OUT=hotp_verification - LDFLAGS=$(LIBUSB_LIB) - --all: $(OUT) $(OUT2) -+all: $(OUT) - ls -lh $^ - sha256sum $^ - - clean: - -rm $(OBJS) $(OUT) version.c - --$(OUT2): $(OUT) -- cp $< $@ -- - $(OUT): $(OBJS) - $(CC) $^ $(LDFLAGS) -o $@ - -@@ -74,7 +70,7 @@ $(SRCDIR)/version.c: $(SRCDIR)/version.c.in - INSTALL=/usr/local/ - .PHONY: install - install: -- cp -v $(OUT) $(OUT2) $(INSTALL)/bin -+ cp -v $(OUT) $(INSTALL)/bin - - .PHONY: github_sha - GVER=$(shell git rev-parse HEAD) -diff --git a/libremkey_hotp_initialize b/hotp_initialize -similarity index 51% -rename from libremkey_hotp_initialize -rename to hotp_initialize -index d062c92..3ef3540 100755 ---- a/libremkey_hotp_initialize -+++ b/hotp_initialize -@@ -2,11 +2,11 @@ - - usage() - { -- echo "This command initializes the Librem Key HOTP counter to the specified value" -- echo "usage: $0 " -+ echo "This command initializes the HOTP counter on a HOTP security key to the specified value" -+ echo "usage: $0 " - } - --if [ "$3" == "" ]; then -+if [ "$4" == "" ]; then - usage - exit 1 - fi -@@ -15,10 +15,11 @@ PIN=$1 - SECRET=$2 - COUNTER=$3 - SECRET_B32=$(cat $SECRET | base32) -+HOTPKEY_BRANDING=$4 - --libremkey_hotp_verification set $SECRET_B32 "$PIN" -+hotp_verification set $SECRET_B32 "$PIN" - if [ $? -ne 0 ]; then -- echo "ERROR: Setting HOTP secret on Librem Key failed!" -+ echo "ERROR: Setting HOTP secret on $HOTPKEY_BRANDING failed!" 
- exit 1 - fi - -@@ -26,7 +27,7 @@ i=9 - while [ "$i" -lt "$COUNTER" ]; do - echo "Updating counter to $i" - HOTP_CODE=$(hotp $i < $SECRET) -- libremkey_hotp_verification check $HOTP_CODE > /dev/null -+ hotp_verification check $HOTP_CODE > /dev/null - if [ $? -ne 0 ]; then - echo "HOTP check failed for counter=$i, code=$HOTP_CODE" - exit 1 -@@ -35,10 +36,10 @@ while [ "$i" -lt "$COUNTER" ]; do - done - - HOTP_CODE=$(hotp $COUNTER < $SECRET) --libremkey_hotp_verification check $HOTP_CODE > /dev/null -+hotp_verification check $HOTP_CODE > /dev/null - if [ $? -ne 0 ]; then - echo "HOTP check failed for counter=$COUNTER, code=$HOTP_CODE" - exit 1 - else -- echo "Librem Key initialized at counter $COUNTER" -+ echo "$HOTPKEY_BRANDING initialized at counter $COUNTER" - fi -diff --git a/nitrokey_hotp_initialize b/nitrokey_hotp_initialize -deleted file mode 100755 -index 817987d..0000000 ---- a/nitrokey_hotp_initialize -+++ /dev/null -@@ -1,44 +0,0 @@ --#!/bin/sh -- --usage() --{ -- echo "This command initializes the Nitrokey HOTP counter to the specified value" -- echo "usage: $0 " --} -- --if [ "$3" == "" ]; then -- usage -- exit 1 --fi -- --PIN=$1 --SECRET=$2 --COUNTER=$3 --SECRET_B32=$(cat $SECRET | base32) -- --nitrokey_hotp_verification set $SECRET_B32 "$PIN" --if [ $? -ne 0 ]; then -- echo "ERROR: Setting HOTP secret on Nitrokey failed!" -- exit 1 --fi -- --i=9 --while [ "$i" -lt "$COUNTER" ]; do -- echo "Updating counter to $i" -- HOTP_CODE=$(hotp $i < $SECRET) -- nitrokey_hotp_verification check $HOTP_CODE > /dev/null -- if [ $? -ne 0 ]; then -- echo "HOTP check failed for counter=$i, code=$HOTP_CODE" -- exit 1 -- fi -- let "i += 10" --done -- --HOTP_CODE=$(hotp $COUNTER < $SECRET) --nitrokey_hotp_verification check $HOTP_CODE > /dev/null --if [ $? -ne 0 ]; then -- echo "HOTP check failed for counter=$COUNTER, code=$HOTP_CODE" -- exit 1 --else -- echo "Nitrokey initialized at counter $COUNTER" --fi --- -2.20.1 - 
From 5d641ee5b17499e774fbb4ddaf1eaa0741c69095 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Thu, 23 Jul 2020 19:54:53 -0500 Subject: [PATCH 170/189] gui-init: Guard TPM reset function with CONFIG_TPM Attempting to reset the TPM when once isn't present causes a kernel panic, so let's not allow users to do that. Test: verify 'No TPM Detected' shown on Librem Mini when Reset TPM option selected from menu. Signed-off-by: Matt DeVillier --- initrd/bin/gui-init | 40 ++++++++++++++++++++++------------------ 1 file changed, 22 insertions(+), 18 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index b419f1ebd..522021f23 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init 
@@ -313,30 +313,34 @@ while true; do fi if [ "$totp_confirm" = "p" ]; then - if (whiptail --title 'Reset the TPM' \ - --yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 16 90) then - /bin/tpm-reset + if [ "$CONFIG_TPM" = "y" ]; then + if (whiptail --title 'Reset the TPM' \ + --yesno "This will clear the TPM and TPM password, replace them with new ones!\n\nDo you want to proceed?" 16 90) then + /bin/tpm-reset - # now that the TPM is reset, remove invalid TPM counter files - mount_boot - mount -o rw,remount /boot - rm -f /boot/kexec_rollback.txt + # now that the TPM is reset, remove invalid TPM counter files + mount_boot + mount -o rw,remount /boot + rm -f /boot/kexec_rollback.txt - # create Heads TPM counter before any others - check_tpm_counter /boot/kexec_rollback.txt \ - || die "Unable to find/create tpm counter" - counter="$TPM_COUNTER" + # create Heads TPM counter before any others + check_tpm_counter /boot/kexec_rollback.txt \ + || die "Unable to find/create tpm counter" + counter="$TPM_COUNTER" - increment_tpm_counter $counter \ - || die "Unable to increment tpm counter" + increment_tpm_counter $counter \ + || die "Unable to increment tpm counter" - sha256sum /tmp/counter-$counter > /boot/kexec_rollback.txt \ - || die "Unable to create rollback file" - mount -o ro,remount /boot + sha256sum /tmp/counter-$counter > /boot/kexec_rollback.txt \ + || die "Unable to create rollback file" + mount -o ro,remount /boot - update_totp + update_totp + else + echo "Returning to the main menu" + fi else - echo "Returning to the main menu" + whiptail --clear --title 'ERROR: No TPM Detected' --msgbox "This device does not have a TPM.\n\nPress OK to return to the Main Menu" 30 90 fi continue fi From 83cac9ed14382c07cbacd7b00a45c47407c086ac Mon Sep 17 00:00:00 2001 
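Review bot: The new guard tests `"$CONFIG_TPM" = "y"`, which looks like a configuration value rather than a probe, while the dialog it falls back to says 'No TPM Detected'. An image configured with CONFIG_TPM=y on hardware where the TPM is absent or disabled would still reach /bin/tpm-reset, which is the panic case the commit message describes. If the initrd exposes the device node, checking it as well closes that gap, e.g. `if [ "$CONFIG_TPM" = "y" ] && [ -e /dev/tpm0 ]; then` (confirm the node name used on these boards). The enclosing `while true` loop begins and ends outside this hunk.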
From: alex-nitrokey Date: Thu, 30 Jul 2020 22:08:13 +0200 Subject: [PATCH 171/189] Fix kexec to work with Debian Installer (fixes #699) This patch was reported by @bemoody in issue #699 Tested via `BOARD=x230-hotp-verification` on a Thinkpad x230 Signed-off-by: alex-nitrokey --- patches/kexec-2.0.20.patch | 38 ++++++++++++++++++++++++++------------ 1 file changed, 26 insertions(+), 12 deletions(-) diff --git a/patches/kexec-2.0.20.patch b/patches/kexec-2.0.20.patch index 9e940494a..c16cda1b6 100644 --- a/patches/kexec-2.0.20.patch +++ b/patches/kexec-2.0.20.patch @@ -1,7 +1,7 @@ -diff --git ./Makefile.in ./Makefile.in +diff --git a/Makefile.in b/Makefile.in index fb01134..bf1973e 100644 ---- ./Makefile.in -+++ ./Makefile.in +--- a/Makefile.in ++++ b/Makefile.in @@ -157,12 +157,12 @@ include $(srcdir)/kexec/Makefile # vmcore-dmesg (read dmesg from a vmcore) @@ -17,10 +17,24 @@ index fb01134..bf1973e 100644 SPEC=$(PACKAGE_NAME).spec GENERATED_SRCS:= $(SPEC) -diff --git ./kexec/kexec.c ./kexec/kexec.c +diff --git a/kexec/arch/i386/x86-linux-setup.c b/kexec/arch/i386/x86-linux-setup.c +index 057ee14..43e017a 100644 +--- a/kexec/arch/i386/x86-linux-setup.c ++++ b/kexec/arch/i386/x86-linux-setup.c +@@ -137,7 +137,8 @@ static int setup_linux_vesafb(struct x86_linux_param_header *real_mode) + goto out; + if (-1 == ioctl(fd, FBIOGET_VSCREENINFO, &var)) + goto out; +- if (0 == strcmp(fix.id, "VESA VGA")) { ++ if (0 == strcmp(fix.id, "VESA VGA") ++ || 0 == strcmp(fix.id, "inteldrmfb")) { + /* VIDEO_TYPE_VLFB */ + real_mode->orig_video_isVGA = 0x23; + } else if (0 == strcmp(fix.id, "EFI VGA")) { +diff --git a/kexec/kexec.c b/kexec/kexec.c index bc6ab3d..b82725b 100644 ---- ./kexec/kexec.c -+++ ./kexec/kexec.c +--- a/kexec/kexec.c ++++ b/kexec/kexec.c @@ -805,6 +805,27 @@ static int my_load(const char *type, int fileind, int argc, char **argv, if (sort_segments(&info) < 0) { return -1; 
@@ -49,10 +63,10 @@ index bc6ab3d..b82725b 100644 /* if purgatory is loaded update it */ update_purgatory(&info); if (entry) -diff --git ./purgatory/Makefile ./purgatory/Makefile +diff --git a/purgatory/Makefile b/purgatory/Makefile index 2dd6c47..2de8f07 100644 ---- ./purgatory/Makefile -+++ ./purgatory/Makefile +--- a/purgatory/Makefile ++++ b/purgatory/Makefile @@ -44,7 +44,6 @@ purgatory/sha256.o: $(srcdir)/util_lib/sha256.c mkdir -p $(@D) $(COMPILE.c) -o $@ $^ @@ -61,10 +75,10 @@ index 2dd6c47..2de8f07 100644 $(PURGATORY): CFLAGS=$(PURGATORY_EXTRA_CFLAGS) \ $($(ARCH)_PURGATORY_EXTRA_CFLAGS) \ -Os -fno-builtin -ffreestanding \ -diff --git ./util/Makefile ./util/Makefile +diff --git a/util/Makefile b/util/Makefile index 948ee63..833a897 100644 ---- ./util/Makefile -+++ ./util/Makefile +--- a/util/Makefile ++++ b/util/Makefile @@ -2,7 +2,7 @@ BIN_TO_HEX:= bin/bin-to-hex $(BIN_TO_HEX): $(srcdir)/util/bin-to-hex.c From 244de9de94a6c0302d2f9dbd4f3146e91b0155a3 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Tue, 10 Dec 2019 09:53:24 -0600 Subject: [PATCH 172/189] gui-init: remove double-prompt for checksum update Not need to prompt the user twice for the same action Signed-off-by: Matt DeVillier --- initrd/bin/gui-init | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 522021f23..5cbca8c8e 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -47,7 +47,7 @@ verify_global_hashes() elif [ ! -f $TMP_HASH_FILE ]; then if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Missing Hash File!' \ --yesno "The file containing hashes for /boot is missing!\n\nIf you are setting this system up for the first time, select Yes to update\nyour list of checksums.\n\nOtherwise this could indicate a compromise and you should select No to\nreturn to the main menu.\n\nWould you like to update your checksums now?" 30 90) then - prompt_update_checksums + update_checksums fi return 1 else 
@@ -74,7 +74,7 @@ verify_global_hashes() fi if (whiptail $CONFIG_ERROR_BG_COLOR --clear --title 'ERROR: Boot Hash Mismatch' --yesno "$TEXT" 30 90) then - prompt_update_checksums + update_checksums fi return 1 fi From 0afa5994917c9e2f520caae06d6a20e30c8c8ba1 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Thu, 27 Feb 2020 14:39:13 -0600 Subject: [PATCH 173/189] Fix eval of DEV_NUM_PARTITIONS Using 'let' in these scripts fails when evaluating to zero for some reason, so replace with '$(())' which works as intended. Test: Boot device selection menu shown properly when new/unpartitioned drive installed. Signed-off-by: Matt DeVillier --- initrd/bin/config-gui.sh | 2 +- initrd/etc/functions | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh index 37b4808b4..6b22e87be 100755 --- a/initrd/bin/config-gui.sh +++ b/initrd/bin/config-gui.sh @@ -36,7 +36,7 @@ while true; do > /tmp/boot_device_list.txt for i in `cat /tmp/disklist.txt`; do # remove block device from list if numeric partitions exist, since not bootable - let DEV_NUM_PARTITIONS=`ls -1 $i* | wc -l`-1 + DEV_NUM_PARTITIONS=$((`ls -1 $i* | wc -l`-1)) if [ ${DEV_NUM_PARTITIONS} -eq 0 ]; then echo $i >> /tmp/boot_device_list.txt else diff --git a/initrd/etc/functions b/initrd/etc/functions index 3ccf7bc7f..a5935f61c 100755 --- a/initrd/etc/functions +++ b/initrd/etc/functions @@ -322,7 +322,7 @@ detect_boot_device() > /tmp/boot_device_list for i in `cat /tmp/disklist`; do # remove block device from list if numeric partitions exist, since not bootable - let DEV_NUM_PARTITIONS=`ls -1 $i* | wc -l`-1 + DEV_NUM_PARTITIONS=$((`ls -1 $i* | wc -l`-1)) if [ ${DEV_NUM_PARTITIONS} -eq 0 ]; then echo $i >> /tmp/boot_device_list else From 0b970b745e9239a5bf24ef3fe0bb0683a477365b Mon Sep 17 00:00:00 2001 
From: Matt DeVillier Date: Fri, 28 Feb 2020 18:54:14 -0600 Subject: [PATCH 174/189] config-gui: clean up boot device selection When a new /boot device is selected, wait until after successfully mounting the newly-selected device before updating CONFIG_BOOT_DEV. Also, don't assume /boot already mounted, as this can cause a false failure and prevent mounting of the newly-selected device. Lastly, tidy up the error output in case mounting /boot fails. Signed-off-by: Matt DeVillier --- initrd/bin/config-gui.sh | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh index 6b22e87be..f1fce23a6 100755 --- a/initrd/bin/config-gui.sh +++ b/initrd/bin/config-gui.sh @@ -52,18 +52,21 @@ while true; do SELECTED_FILE=$FILE fi - replace_config /etc/config.user "CONFIG_BOOT_DEV" "$SELECTED_FILE" - combine_configs - + # unmount /boot if needed + if grep -q /boot /proc/mounts ; then + umount /boot 2>/dev/null + fi # mount newly selected /boot device - if ! ( umount /boot 2>/tmp/error && \ - mount -o ro $SELECTED_FILE /boot 2>/tmp/error ); then + if ! mount -o ro $SELECTED_FILE /boot 2>/tmp/error ; then ERROR=`cat /tmp/error` whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: unable to mount /boot' \ - --msgbox "Unable to un/re-mount /boot:\n\n$ERROR" 16 60 + --msgbox " $ERROR\n\n" 16 60 exit 1 fi + replace_config /etc/config.user "CONFIG_BOOT_DEV" "$SELECTED_FILE" + combine_configs + whiptail --title 'Config change successful' \ --msgbox "The /boot device was successfully changed to $SELECTED_FILE" 16 60 ;; From a224c430260f1f7c9e10aba59546d3a3bea6b8ae Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Wed, 5 Aug 2020 11:49:06 +0200 Subject: [PATCH 175/189] Add PID for Storage --- initrd/bin/oem-factory-reset | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index 9db1c6ef2..002e399d4 100755 --- a/initrd/bin/oem-factory-reset 
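Review bot: In the config-gui.sh hunk, the result of `umount /boot 2>/dev/null` is discarded, so when the unmount fails (for example because /boot is busy) the new device is mounted on top of the old one and CONFIG_BOOT_DEV is still updated. Failing here instead keeps the configuration and the mounted filesystem in agreement, e.g. `umount /boot 2>/tmp/error || { whiptail ... ; exit 1; }` with the same error dialog used for the mount. `grep -q /boot /proc/mounts` also matches any line that merely contains the string, such as a device path or a sub-mount; `grep -q ' /boot ' /proc/mounts` matches only the mount point. `$SELECTED_FILE` should be quoted in the `mount` call. The surrounding `case` branch starts outside this hunk.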
+++ b/initrd/bin/oem-factory-reset @@ -70,9 +70,9 @@ gpg_key_reset() ERROR=`cat /tmp/gpg_card_edit_output` whiptail_error_die "GPG Key factory reset failed!\n\n$ERROR" fi - # If NK Storage is inserted, reset AES keys as well - if [ ! $(lsusb | grep -q "20a0:") ] && [ -x /bin/hotp_verification ] ; then - /bin/hotp_verification regenerate ${ADMIN_PIN_DEF} + # If Nitrokey Storage is inserted, reset AES keys as well + if lsusb | grep -q "20a0:4109" && [ -x /bin/hotp_verification ] ; then + /bin/hotp_verification regenerate ${ADMIN_PIN_DEF} fi # Generate OEM GPG keys { From 63b400c73f3e1b2102a1931397232e3559d45e7b Mon Sep 17 00:00:00 2001 From: tlaurion Date: Tue, 11 Aug 2020 16:38:26 -0400 Subject: [PATCH 176/189] CircleCI : specialized caches (#798) CircleCI: two cache save/restore mechanisms. One bound to musl-cross+patches, one for modules + patches. * Replacing the generic cache bound to CircleCI user to have two caches levels. One for musl-cross and its patchsets, one for all modules and their patchset being the same. So if modules changed, we use the cache for musl-cross as a fallback to economize one hour of precious build time out of two, while most of Heads changes are on the scripts and can be built on top of packages+patches cache --- .circleci/config.yml | 32 +++++++++++++++++++++++++++----- 1 file changed, 27 insertions(+), 5 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index c597797d3..0a0d96531 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
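Review bot: The exit status of `/bin/hotp_verification regenerate` is not checked in gpg_key_reset(), so a failed AES key regeneration on a Nitrokey Storage is silent and the factory reset carries on with the previous keys. The GPG reset just above it reports failures through whiptail_error_die, and the same treatment fits here: `/bin/hotp_verification regenerate "${ADMIN_PIN_DEF}" || whiptail_error_die "Nitrokey Storage AES key reset failed"`. Quoting `${ADMIN_PIN_DEF}` also keeps the PIN a single argument. The function body begins and ends outside this hunk.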
@@ -11,14 +11,29 @@ jobs: apt install -y build-essential zlib1g-dev uuid-dev libdigest-sha-perl libelf-dev bc bzip2 bison flex git gnupg iasl m4 nasm patch python wget gnat cpio ccache pkg-config cmake libusb-1.0-0-dev autoconf texinfo ncurses-dev - checkout - - restore_cache: - key: heads-{{ .Environment.CIRCLE_USERNAME }}-{{ .Environment.CACHE_VERSION }} - - run: name: git reset command: | git reset --hard "$CIRCLE_SHA1" \ + - run: + name: Creating all modules and patches digest + command: | + find ./patches/ ./modules/ -type f | sort -h |xargs sha256sum > /tmp/all_modules_and_patches.sha256sums \ + + - run: + name: Creating musl-cross-make and musl-cross-make patches digest + command: | + find ./patches/musl-cross-* modules/musl-cross* -type f | sort -h | xargs sha256sum > /tmp/musl-cross_module_and_patches.sha256sums \ + + + - restore_cache: + keys: + #Restore existing cache for modules checksums validated to be exactly the same as in github current commit + - heads-modules-and-patches-{{ checksum "/tmp/all_modules_and_patches.sha256sums" }} + #If precedent fails. Restore cache for musl-cross module checksum validated to be exactly the same as in github current commit + - heads-cross-musl-{{ checksum "/tmp/musl-cross_module_and_patches.sha256sums" }} + # linuxboot steps need something to pass in the kernel header path # skipping for now # - run: 
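Review bot: The two cache keys are derived only from files under ./patches and ./modules, but the second save_cache step stores the whole `build`, `packages` and `crossgcc` trees. A change to the Makefile, `config/` or `boards/` therefore restores a cache keyed as identical, and the build is correct only if make's timestamps happen to force the affected steps to rerun; this is inferred from the key definition and worth confirming. Adding those inputs to the digest, or a comment next to the digest step stating why they are excluded, would make the trust placed in restored build output explicit. `sort -h` is a human-numeric sort and depends on locale; `LC_ALL=C sort` gives a stable order for path names.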
@@ -153,12 +168,19 @@ jobs: path: build/qemu-coreboot - save_cache: - key: heads-{{ .Environment.CIRCLE_USERNAME }}-{{ .Environment.CACHE_VERSION }} + #Generate cache for the same musl-cross module definition if hash is not previously existing + key: heads-cross-musl-{{ checksum "/tmp/musl-cross_module_and_patches.sha256sums" }} + paths: + - crossgcc + - build/musl-cross-* + + - save_cache: + #Generate cache for the exact same modules definitions if hash is not previously existing + key: heads-modules-and-patches-{{ checksum "/tmp/all_modules_and_patches.sha256sums" }} paths: - packages - crossgcc - build - workflows: version: 2 build_and_test: From 28d3b7c89c114fccdf937f55ccce4397fa9338d1 Mon Sep 17 00:00:00 2001 From: Patrick Rudolph <36034716+PatrickRudolph@users.noreply.github.com> Date: Tue, 11 Aug 2020 23:54:59 +0200 Subject: [PATCH 177/189] patches/coreboot-4.8.1: Measure firmware into PCR2 (#793) As part of migration to coreboot 4.12, which includes measured boot without additional patches, measure all parts of the firmware and the payload into PCR2. The same is done in coreboot 4.12. This commit ensures that boards not migrated yet will show the same behaviour. TODO: Update heads-wiki. Signed-off-by: Patrick Rudolph --- patches/coreboot-4.8.1/0000-measuredboot.patch | 2 +- ...9-Add-heads-TPM-measurements-to-Skylake-Kabylake.patch | 8 ++++---- patches/coreboot-4.8.1/0030-sandybridge.patch | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/patches/coreboot-4.8.1/0000-measuredboot.patch b/patches/coreboot-4.8.1/0000-measuredboot.patch index 7731a5aef..7e3cce95b 100644 --- a/patches/coreboot-4.8.1/0000-measuredboot.patch +++ b/patches/coreboot-4.8.1/0000-measuredboot.patch @@ -167,7 +167,7 @@ index 6fd55d7..b5b7d91 100644 +{ + if (IS_ENABLED(CONFIG_MEASURED_BOOT) && !(flags & SEG_NO_MEASURE)) + { -+ tlcl_measure(3, (const void*) start, size); ++ tlcl_measure(2, (const void*) start, size); + } +} + 
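Review bot: Switching the `tlcl_measure()` calls from PCRs 0, 1 and 3 to PCR 2, here and in the Skylake/Kabylake and sandybridge patches of this commit, changes the PCR values on every board still on coreboot 4.8.1, and the commit leaves the user-facing consequence as a TODO. Secrets sealed against the old values will presumably no longer unseal after flashing, and any script or document that names PCR 0, 1 or 3 for firmware measurements becomes stale. A comment at `platform_segment_loaded()` such as `/* all firmware stages and the payload are extended into PCR 2, matching coreboot 4.12 */` would keep the three call sites consistent for the next maintainer. The sealing scripts are outside this diff and should be checked against the new layout.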
diff --git a/patches/coreboot-4.8.1/0009-Add-heads-TPM-measurements-to-Skylake-Kabylake.patch b/patches/coreboot-4.8.1/0009-Add-heads-TPM-measurements-to-Skylake-Kabylake.patch index 9b3898e72..1d53f90ca 100644 --- a/patches/coreboot-4.8.1/0009-Add-heads-TPM-measurements-to-Skylake-Kabylake.patch +++ b/patches/coreboot-4.8.1/0009-Add-heads-TPM-measurements-to-Skylake-Kabylake.patch @@ -51,9 +51,9 @@ index 30987ce..4957bc0 100644 + tlcl_lib_init(); + const void * const bootblock = (const void*) 0xFFFFF800; + const unsigned bootblock_size = 0x800; -+ tlcl_measure(0, bootblock, bootblock_size); ++ tlcl_measure(2, bootblock, bootblock_size); + -+ tlcl_measure(1, _romstage, _eromstage - _romstage); ++ tlcl_measure(2, _romstage, _eromstage - _romstage); + } + /* Signal that FSP component has been loaded. */ @@ -66,7 +66,7 @@ index 30987ce..4957bc0 100644 +void platform_segment_loaded(uintptr_t start, size_t size, int flags) +{ + if (IS_ENABLED(CONFIG_MEASURED_BOOT) && !(flags & SEG_NO_MEASURE)) { -+ tlcl_measure(1, (const void*) start, size); ++ tlcl_measure(2, (const void*) start, size); + } +} + @@ -87,7 +87,7 @@ index bda88d1..49568f6 100644 die("Failed to read FSPS!\n"); + if (IS_ENABLED(CONFIG_MEASURED_BOOT)) { -+ tlcl_measure(1, (const void*) dest, size); ++ tlcl_measure(2, (const void*) dest, size); + } + if (fsp_component_relocate((uintptr_t)dest, dest, size) < 0) diff --git a/patches/coreboot-4.8.1/0030-sandybridge.patch b/patches/coreboot-4.8.1/0030-sandybridge.patch index 8559b4090..b6083f085 100644 --- a/patches/coreboot-4.8.1/0030-sandybridge.patch +++ b/patches/coreboot-4.8.1/0030-sandybridge.patch 
@@ -22,10 +22,10 @@ index 0426b83..d348b9e 100644 + tlcl_lib_init(); + const void * const bootblock = (const void*) 0xFFFFF800; + const unsigned bootblock_size = 0x800; -+ tlcl_measure(0, bootblock, bootblock_size); ++ tlcl_measure(2, bootblock, bootblock_size); + + extern char _romstage, _eromstage; -+ tlcl_measure(1, &_romstage, &_eromstage - &_romstage); ++ tlcl_measure(2, &_romstage, &_eromstage - &_romstage); + } + /* USB is initialized in MRC if MRC is used. */ From c6a82a246411f091ccebdc683da83fafd989b08a Mon Sep 17 00:00:00 2001 From: tlaurion Date: Wed, 12 Aug 2020 15:07:54 -0400 Subject: [PATCH 178/189] CircleCI: mitigate issue #799 (#800) --- .circleci/config.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 0a0d96531..1fbcccf5f 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -61,8 +61,9 @@ jobs: - run: name: x230-flash + #We delete build/make-4.2.1/ directory until issue #799 is fixed. command: | - rm -rf build/x230-flash/* build/log/* && make --load 2 \ + rm -rf build/make-4.2.1/ build/x230-flash/* build/log/* && make --load 2 \ V=1 \ BOARD=x230-flash \ no_output_timeout: 3h @@ -152,7 +153,7 @@ jobs: - run: name: qemu-coreboot command: | - rm -rf build/make-4.2.1/ build/qemu-coreboot/* build/log/* && make --load 2 \ + rm -rf build/qemu-coreboot/* build/log/* && make --load 2 \ V=1 \ BOARD=qemu-coreboot \ no_output_timeout: 3h From 5f9e59afaef7354ec6171be079c5700564fa7f0b Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 13 May 2020 15:51:12 -0500 Subject: [PATCH 179/189] modules/coreboot: Add option to build with coreboot 4.12 Add version and hash for coreboot and coreboot-blobs modules. Adjust to use own toolchain, fix blobs path and extraction depth. Test: build Librem 13v4 using both coreboot 4.8.1 and coreboot 4.12 (after adjusting board defconfig), verify correct toolchains used to build each, and that teh result is a bootable ROM. 
Signed-off-by: Matt DeVillier --- modules/coreboot | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/modules/coreboot b/modules/coreboot index a14ea3eda..6a33c48cf 100644 --- a/modules/coreboot +++ b/modules/coreboot @@ -3,6 +3,9 @@ modules-$(CONFIG_COREBOOT) += coreboot ifeq "$(CONFIG_COREBOOT_VERSION)" "4.8.1" coreboot_version := 4.8.1 coreboot_hash := f0ddf4db0628c1fe1e8348c40084d9cbeb5771400c963fd419cda3995b69ad23 +else ifeq "$(CONFIG_COREBOOT_VERSION)" "4.12" +coreboot_version := 4.12 +coreboot_hash := edcad000ee9b73183c396ea76155629b3d27c693e0f1ae83e3424c4d936e2be2 else $(error "$(BOARD): does not specify coreboot version under CONFIG_COREBOOT_VERSION") endif @@ -55,7 +58,16 @@ coreboot_target := \ coreboot_output := coreboot.rom coreboot_depend += linux initrd $(musl_dep) -$(build)/$(coreboot_dir)/.configured: $(COREBOOT_IASL) +ifeq "$(CONFIG_COREBOOT_VERSION)" "4.8.1" +COREBOOT_TOOLCHAIN="" +$(COREBOOT_TOOLCHAIN): +else +COREBOOT_TOOLCHAIN="$(build)/$(coreboot_base_dir)/.xcompile" +$(COREBOOT_TOOLCHAIN): $(build)/$(coreboot_base_dir)/.canary + $(MAKE) -C "$(build)/$(coreboot_base_dir)" CPUS=`nproc` crossgcc-i386 +endif + +$(build)/$(coreboot_dir)/.configured: $(COREBOOT_IASL) $(COREBOOT_TOOLCHAIN) $(COREBOOT_IASL): $(build)/$(coreboot_base_dir)/.canary $(MAKE) -C "$(build)/$(coreboot_base_dir)" CPUS=`nproc` iasl 
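Review bot: Make keeps double quotes as part of a variable's value, so `COREBOOT_TOOLCHAIN="$(build)/$(coreboot_base_dir)/.xcompile"` defines a target whose name includes the quote characters, and `COREBOOT_TOOLCHAIN=""` defines a target literally named `""`. No file with that name is ever created, so the `.configured` prerequisite is always considered out of date and the crossgcc-i386 recipe is re-entered on every run. Dropping the quotes and using simple assignment fixes the target name: `COREBOOT_TOOLCHAIN := $(build)/$(coreboot_base_dir)/.xcompile`, with `COREBOOT_TOOLCHAIN :=` and no rule in the 4.8.1 branch. The crossgcc-i386 step also appears to fetch toolchain sources through coreboot's own build scripts rather than through the hash-pinned `_url`/`_hash` module mechanism used elsewhere in this file; a comment noting that would help reviewers of the build's inputs.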
@@ -98,10 +110,17 @@ modules-y += coreboot-blobs coreboot-blobs_version := $(coreboot_version) coreboot-blobs_tar := coreboot-blobs-$(coreboot-blobs_version).tar.xz +coreboot-blobs_url := https://www.coreboot.org/releases/$(coreboot-blobs_tar) + +ifeq "$(CONFIG_COREBOOT_VERSION)" "4.8.1" coreboot-blobs_tar_opt := --strip 3 coreboot-blobs_dir := coreboot-$(coreboot-blobs_version)/3rdparty/blobs -coreboot-blobs_url := https://www.coreboot.org/releases/$(coreboot-blobs_tar) coreboot-blobs_hash := 18aa509ae3af005a05d7b1e0b0246dc640249c14fc828f5144b6fd20bb10e295 +else +coreboot-blobs_tar_opt := --strip 2 +coreboot-blobs_dir := coreboot-$(coreboot-blobs_version)/3rdparty +coreboot-blobs_hash := 4735ee6850d55d1e65dee8b08cc9b28b8af00b42acf31365f5d9545406579104 +endif ## there is nothing to build for the blobs, this should be ## made easier to make happen From b14e564ac99efd8ca75c4e1a2233792d87fe41bf Mon Sep 17 00:00:00 2001 From: tlaurion Date: Thu, 20 Aug 2020 15:15:46 -0400 Subject: [PATCH 180/189] Fix CircleCI build problems (#808) * CircleCI: debian:10 docker based. Give possitility to override CACHE_VERSION through CircleCI when needed * Makefile: fix #799 with implementation of @osresearch's recommended https://github.com/osresearch/heads/issues/799#issuecomment-673059028 * modules/coreboot : indentation fix and putting version hashes together to facilitate future maintainership. --- .circleci/config.yml | 12 ++++++------ Makefile | 4 ++-- modules/coreboot | 22 +++++++++++----------- 3 files changed, 19 insertions(+), 19 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 1fbcccf5f..2fc584311 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -2,7 +2,7 @@ version: 2 jobs: build: docker: - - image: debian:bullseye + - image: debian:10 steps: - run: name: Install dependencies 
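Review bot: `image: debian:10` in the first .circleci/config.yml hunk is a mutable tag, so the toolchain and packages that build the firmware can change between runs with no change in this repository. Pinning by digest, `- image: debian@sha256:<digest-of-reviewed-image>`, makes the base image an explicit, reviewable input. `.Environment.CACHE_VERSION` is appended to the four cache keys without a separator; a `-` before it would keep the key readable and avoid accidental collisions when the variable is unset.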
@@ -30,9 +30,9 @@ jobs: - restore_cache: keys: #Restore existing cache for modules checksums validated to be exactly the same as in github current commit - - heads-modules-and-patches-{{ checksum "/tmp/all_modules_and_patches.sha256sums" }} + - heads-modules-and-patches-{{ checksum "/tmp/all_modules_and_patches.sha256sums" }}{{ .Environment.CACHE_VERSION }} #If precedent fails. Restore cache for musl-cross module checksum validated to be exactly the same as in github current commit - - heads-cross-musl-{{ checksum "/tmp/musl-cross_module_and_patches.sha256sums" }} + - heads-cross-musl-{{ checksum "/tmp/musl-cross_module_and_patches.sha256sums" }}{{ .Environment.CACHE_VERSION }} # linuxboot steps need something to pass in the kernel header path # skipping for now @@ -63,7 +63,7 @@ jobs: name: x230-flash #We delete build/make-4.2.1/ directory until issue #799 is fixed. command: | - rm -rf build/make-4.2.1/ build/x230-flash/* build/log/* && make --load 2 \ + rm -rf build/x230-flash/* build/log/* && make --load 2 \ V=1 \ BOARD=x230-flash \ no_output_timeout: 3h @@ -170,14 +170,14 @@ jobs: - save_cache: #Generate cache for the same musl-cross module definition if hash is not previously existing - key: heads-cross-musl-{{ checksum "/tmp/musl-cross_module_and_patches.sha256sums" }} + key: heads-cross-musl-{{ checksum "/tmp/musl-cross_module_and_patches.sha256sums" }}{{ .Environment.CACHE_VERSION }} paths: - crossgcc - build/musl-cross-* - save_cache: #Generate cache for the exact same modules definitions if hash is not previously existing - key: heads-modules-and-patches-{{ checksum "/tmp/all_modules_and_patches.sha256sums" }} + key: heads-modules-and-patches-{{ checksum "/tmp/all_modules_and_patches.sha256sums" }}{{ .Environment.CACHE_VERSION }} paths: - packages - crossgcc diff --git a/Makefile b/Makefile index 084ad0331..10faebf7b 100644 --- a/Makefile +++ b/Makefile 
@@ -602,8 +602,8 @@ $(build)/$(make_dir)/.extract: $(packages)/$(make_tar) tar xf "$<" -C "$(build)" touch "$@" -$(build)/$(make_dir)/.patch: patches/make-$(make_version).patch $(build)/$(make_dir)/.extract - ( cd "$(dir $@)" ; patch -p1 ) < "$<" +$(build)/$(make_dir)/.patch: $(build)/$(make_dir)/.extract + ( cd "$(dir $@)" ; patch -p1 ) < "patches/make-$(make_version).patch" touch "$@" $(build)/$(make_dir)/.configured: $(build)/$(make_dir)/.patch diff --git a/modules/coreboot b/modules/coreboot index 6a33c48cf..5082c3944 100644 --- a/modules/coreboot +++ b/modules/coreboot @@ -1,13 +1,15 @@ modules-$(CONFIG_COREBOOT) += coreboot ifeq "$(CONFIG_COREBOOT_VERSION)" "4.8.1" -coreboot_version := 4.8.1 -coreboot_hash := f0ddf4db0628c1fe1e8348c40084d9cbeb5771400c963fd419cda3995b69ad23 + coreboot_version := 4.8.1 + coreboot_hash := f0ddf4db0628c1fe1e8348c40084d9cbeb5771400c963fd419cda3995b69ad23 + coreboot-blobs_hash := 18aa509ae3af005a05d7b1e0b0246dc640249c14fc828f5144b6fd20bb10e295 else ifeq "$(CONFIG_COREBOOT_VERSION)" "4.12" -coreboot_version := 4.12 -coreboot_hash := edcad000ee9b73183c396ea76155629b3d27c693e0f1ae83e3424c4d936e2be2 + coreboot_version := 4.12 + coreboot_hash := edcad000ee9b73183c396ea76155629b3d27c693e0f1ae83e3424c4d936e2be2 + coreboot-blobs_hash := 4735ee6850d55d1e65dee8b08cc9b28b8af00b42acf31365f5d9545406579104 else -$(error "$(BOARD): does not specify coreboot version under CONFIG_COREBOOT_VERSION") + $(error "$(BOARD): does not specify coreboot version under CONFIG_COREBOOT_VERSION") endif #coreboot_version := git 
@@ -113,13 +115,11 @@ coreboot-blobs_tar := coreboot-blobs-$(coreboot-blobs_version).tar.xz coreboot-blobs_url := https://www.coreboot.org/releases/$(coreboot-blobs_tar) ifeq "$(CONFIG_COREBOOT_VERSION)" "4.8.1" -coreboot-blobs_tar_opt := --strip 3 -coreboot-blobs_dir := coreboot-$(coreboot-blobs_version)/3rdparty/blobs -coreboot-blobs_hash := 18aa509ae3af005a05d7b1e0b0246dc640249c14fc828f5144b6fd20bb10e295 + coreboot-blobs_tar_opt := --strip 3 + coreboot-blobs_dir := coreboot-$(coreboot-blobs_version)/3rdparty/blobs else -coreboot-blobs_tar_opt := --strip 2 -coreboot-blobs_dir := coreboot-$(coreboot-blobs_version)/3rdparty -coreboot-blobs_hash := 4735ee6850d55d1e65dee8b08cc9b28b8af00b42acf31365f5d9545406579104 + coreboot-blobs_tar_opt := --strip 2 + coreboot-blobs_dir := coreboot-$(coreboot-blobs_version)/3rdparty endif ## there is nothing to build for the blobs, this should be From f23ced0a3bef2b65384b1ad6668f62ed2c9be633 Mon Sep 17 00:00:00 2001 From: MrChromebox Date: Thu, 20 Aug 2020 18:26:48 -0500 Subject: [PATCH 181/189] Support Multiple Kernel Options (#805) * modules/linux: Add support for multiple kernel versions Follow same pattern as used for coreboot. Add existing kernel version as default for all existing boards. Signed-off-by: Matt DeVillier * modules/linux: Add option to use 4.19 LTS kernel Add option to use kernel 4.19.139 (current LTS version). Duplicate existing patches from 4.14.62 as they all apply cleanly. 
Signed-off-by: Matt DeVillier --- boards/kgpe-d16/kgpe-d16.config | 1 + boards/librem13v2/librem13v2.config | 1 + boards/librem13v4/librem13v4.config | 1 + boards/librem15v3/librem15v3.config | 1 + boards/librem15v4/librem15v4.config | 1 + .../qemu-coreboot-fbwhiptail.config | 1 + boards/qemu-coreboot/qemu-coreboot.config | 1 + boards/qemu-linuxboot/qemu-linuxboot.config | 2 + boards/r630/r630.config | 2 + boards/s2600wf/s2600wf.config | 2 + boards/t420/t420.config | 1 + boards/t430-flash/t430-flash.config | 1 + boards/t430/t430.config | 1 + boards/tioga/tioga.config | 2 + boards/winterfell/winterfell.config | 2 + boards/x220/x220.config | 1 + boards/x230-flash/x230-flash.config | 1 + .../x230-hotp-verification.config | 1 + boards/x230/x230.config | 1 + modules/linux | 15 +++--- patches/linux-4.19.139/0000-efi_bds.patch | 54 +++++++++++++++++++ patches/linux-4.19.139/0001-fake-acpi.patch | 32 +++++++++++ patches/linux-4.19.139/0002-nmi-squelch.patch | 20 +++++++ .../linux-4.19.139/0003-fake-trampoline.patch | 28 ++++++++++ .../linux-4.19.139/0010-winterfell-ahci.patch | 18 +++++++ 25 files changed, 185 insertions(+), 6 deletions(-) create mode 100644 patches/linux-4.19.139/0000-efi_bds.patch create mode 100644 patches/linux-4.19.139/0001-fake-acpi.patch create mode 100644 patches/linux-4.19.139/0002-nmi-squelch.patch create mode 100644 patches/linux-4.19.139/0003-fake-trampoline.patch create mode 100644 patches/linux-4.19.139/0010-winterfell-ahci.patch diff --git a/boards/kgpe-d16/kgpe-d16.config b/boards/kgpe-d16/kgpe-d16.config index 58130699e..6c2c4ac60 100644 --- a/boards/kgpe-d16/kgpe-d16.config +++ b/boards/kgpe-d16/kgpe-d16.config @@ -1,6 +1,7 @@ # Configuration for a kgpe-d16 running non-Qubes export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.8.1 +export CONFIG_LINUX_VERSION=4.14.62 CONFIG_COREBOOT_CONFIG=config/coreboot-kgpe-d16.config CONFIG_LINUX_CONFIG=config/linux-kgpe-d16.config 
diff --git a/boards/librem13v2/librem13v2.config b/boards/librem13v2/librem13v2.config index 46837ed5e..1fbbe88d5 100644 --- a/boards/librem13v2/librem13v2.config +++ b/boards/librem13v2/librem13v2.config @@ -4,6 +4,7 @@ CONFIG_COREBOOT_CONFIG=config/coreboot-librem13v2.config export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.8.1 +export CONFIG_LINUX_VERSION=4.14.62 CONFIG_CRYPTSETUP=y CONFIG_FLASHROM=y diff --git a/boards/librem13v4/librem13v4.config b/boards/librem13v4/librem13v4.config index 5c5de684a..f3996b395 100644 --- a/boards/librem13v4/librem13v4.config +++ b/boards/librem13v4/librem13v4.config @@ -4,6 +4,7 @@ CONFIG_COREBOOT_CONFIG=config/coreboot-librem13v4.config export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.8.1 +export CONFIG_LINUX_VERSION=4.14.62 CONFIG_CRYPTSETUP=y CONFIG_FLASHROM=y diff --git a/boards/librem15v3/librem15v3.config b/boards/librem15v3/librem15v3.config index 5177be03c..7f1169896 100644 --- a/boards/librem15v3/librem15v3.config +++ b/boards/librem15v3/librem15v3.config @@ -6,6 +6,7 @@ CONFIG_COREBOOT_CONFIG=config/coreboot-librem15v3.config export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.8.1 +export CONFIG_LINUX_VERSION=4.14.62 CONFIG_CRYPTSETUP=y CONFIG_FLASHROM=y diff --git a/boards/librem15v4/librem15v4.config b/boards/librem15v4/librem15v4.config index 9adf6ef8d..651a6189e 100644 --- a/boards/librem15v4/librem15v4.config +++ b/boards/librem15v4/librem15v4.config @@ -6,6 +6,7 @@ CONFIG_COREBOOT_CONFIG=config/coreboot-librem15v4.config export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.8.1 +export CONFIG_LINUX_VERSION=4.14.62 CONFIG_CRYPTSETUP=y CONFIG_FLASHROM=y diff --git a/boards/qemu-coreboot-fbwhiptail/qemu-coreboot-fbwhiptail.config b/boards/qemu-coreboot-fbwhiptail/qemu-coreboot-fbwhiptail.config index 73ced6bad..b6210ca77 100644 --- a/boards/qemu-coreboot-fbwhiptail/qemu-coreboot-fbwhiptail.config +++ b/boards/qemu-coreboot-fbwhiptail/qemu-coreboot-fbwhiptail.config 
@@ -3,6 +3,7 @@ export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.8.1 +export CONFIG_LINUX_VERSION=4.14.62 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-fbwhiptail.config CONFIG_LINUX_CONFIG=config/linux-qemu.config diff --git a/boards/qemu-coreboot/qemu-coreboot.config b/boards/qemu-coreboot/qemu-coreboot.config index ce2a2fa74..dce3583ed 100644 --- a/boards/qemu-coreboot/qemu-coreboot.config +++ b/boards/qemu-coreboot/qemu-coreboot.config @@ -3,6 +3,7 @@ # will just drop into the recovery shell. export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.8.1 +export CONFIG_LINUX_VERSION=4.14.62 CONFIG_COREBOOT_CONFIG=config/coreboot-qemu.config CONFIG_LINUX_CONFIG=config/linux-qemu.config diff --git a/boards/qemu-linuxboot/qemu-linuxboot.config b/boards/qemu-linuxboot/qemu-linuxboot.config index 4a9a3317d..645457897 100644 --- a/boards/qemu-linuxboot/qemu-linuxboot.config +++ b/boards/qemu-linuxboot/qemu-linuxboot.config @@ -1,6 +1,8 @@ # Configuration for emulating LinuxBoot+Heads with qemu # export CONFIG_LINUXBOOT=y +export CONFIG_LINUX_VERSION=4.14.62 + CONFIG_LINUXBOOT_BOARD=qemu CONFIG_LINUX_CONFIG=config/linux-linuxboot.config diff --git a/boards/r630/r630.config b/boards/r630/r630.config index 8f24f0573..2f0ec38e1 100644 --- a/boards/r630/r630.config +++ b/boards/r630/r630.config @@ -5,6 +5,8 @@ CONFIG_LINUXBOOT=y CONFIG_LINUXBOOT_ROM=blobs/r630-1.3.6.rom CONFIG_LINUX_CONFIG=config/linux-linuxboot.config +export CONFIG_LINUX_VERSION=4.14.62 + #CONFIG_CRYPTSETUP=y CONFIG_FLASHROM=y #CONFIG_GPG=y diff --git a/boards/s2600wf/s2600wf.config b/boards/s2600wf/s2600wf.config index 2c810da0f..591984b39 100644 --- a/boards/s2600wf/s2600wf.config +++ b/boards/s2600wf/s2600wf.config @@ -13,6 +13,8 @@ CONFIG_LINUXBOOT=y CONFIG_LINUXBOOT_ROM=blobs/s2600wf.rom CONFIG_LINUX_CONFIG=config/linux-linuxboot.config +export CONFIG_LINUX_VERSION=4.14.62 + #CONFIG_CRYPTSETUP=y #CONFIG_FLASHROM=y CONFIG_FLASHTOOLS=y 
diff --git a/boards/t420/t420.config b/boards/t420/t420.config index c83e3097d..0dcc865fa 100644 --- a/boards/t420/t420.config +++ b/boards/t420/t420.config @@ -1,6 +1,7 @@ # Configuration for a T420 running Qubes and other OS, T420 is identical to X230 on the Linux Side of things. export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.8.1 +export CONFIG_LINUX_VERSION=4.14.62 CONFIG_COREBOOT_CONFIG=config/coreboot-t420.config CONFIG_LINUX_CONFIG=config/linux-x230.config diff --git a/boards/t430-flash/t430-flash.config b/boards/t430-flash/t430-flash.config index 626fde196..43be7cb21 100644 --- a/boards/t430-flash/t430-flash.config +++ b/boards/t430-flash/t430-flash.config @@ -3,6 +3,7 @@ BOARD=t430.flash export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.8.1 +export CONFIG_LINUX_VERSION=4.14.62 CONFIG_FLASHROM=y CONFIG_FLASHTOOLS=y diff --git a/boards/t430/t430.config b/boards/t430/t430.config index 3eaaba715..dde673299 100644 --- a/boards/t430/t430.config +++ b/boards/t430/t430.config @@ -1,6 +1,7 @@ # Configuration for a t430 running Qubes and other OSes export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.8.1 +export CONFIG_LINUX_VERSION=4.14.62 CONFIG_COREBOOT_CONFIG=config/coreboot-t430.config CONFIG_LINUX_CONFIG=config/linux-x230.config diff --git a/boards/tioga/tioga.config b/boards/tioga/tioga.config index af16c1ce7..c0dcb4f99 100644 --- a/boards/tioga/tioga.config +++ b/boards/tioga/tioga.config @@ -4,6 +4,8 @@ CONFIG_LINUXBOOT=y CONFIG_LINUXBOOT_ROM=blobs/tioga.rom CONFIG_LINUX_CONFIG=config/linux-linuxboot.config +export CONFIG_LINUX_VERSION=4.14.62 + # If you want to build with the go-based u-root instead of Heads CONFIG_UROOT ?= n diff --git a/boards/winterfell/winterfell.config b/boards/winterfell/winterfell.config index b49421c2f..fe1cc3b4b 100644 --- a/boards/winterfell/winterfell.config +++ b/boards/winterfell/winterfell.config 
@@ -4,6 +4,8 @@ CONFIG_LINUXBOOT=y CONFIG_LINUXBOOT_ROM=blobs/winterfell.rom CONFIG_LINUX_CONFIG=config/linux-linuxboot.config +export CONFIG_LINUX_VERSION=4.14.62 + # If you want to build with the go-based u-root instead of Heads CONFIG_UROOT ?= y diff --git a/boards/x220/x220.config b/boards/x220/x220.config index 0efffec41..ae2080e42 100644 --- a/boards/x220/x220.config +++ b/boards/x220/x220.config @@ -1,6 +1,7 @@ # Configuration for a x220 running Qubes and other OS, X220 is identical to X230 on the Linux Side of things. export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.8.1 +export CONFIG_LINUX_VERSION=4.14.62 CONFIG_COREBOOT_CONFIG=config/coreboot-x220.config CONFIG_LINUX_CONFIG=config/linux-x230.config diff --git a/boards/x230-flash/x230-flash.config b/boards/x230-flash/x230-flash.config index c878012de..edb417ea7 100644 --- a/boards/x230-flash/x230-flash.config +++ b/boards/x230-flash/x230-flash.config @@ -3,6 +3,7 @@ BOARD=x230.flash export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.8.1 +export CONFIG_LINUX_VERSION=4.14.62 CONFIG_FLASHROM=y #CONFIG_GPG=y diff --git a/boards/x230-hotp-verification/x230-hotp-verification.config b/boards/x230-hotp-verification/x230-hotp-verification.config index 59f0acdc3..5eef5868c 100644 --- a/boards/x230-hotp-verification/x230-hotp-verification.config +++ b/boards/x230-hotp-verification/x230-hotp-verification.config @@ -2,6 +2,7 @@ # running Qubes and other OSes export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.8.1 +export CONFIG_LINUX_VERSION=4.14.62 CONFIG_COREBOOT_CONFIG=config/coreboot-x230-hotp-verification.config CONFIG_LINUX_CONFIG=config/linux-x230.config diff --git a/boards/x230/x230.config b/boards/x230/x230.config index 8a04bc570..f52fb3550 100644 --- a/boards/x230/x230.config +++ b/boards/x230/x230.config 
@@ -1,6 +1,7 @@ # Configuration for a x230 running Qubes and other OSes export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.8.1 +export CONFIG_LINUX_VERSION=4.14.62 CONFIG_COREBOOT_CONFIG=config/coreboot-x230.config CONFIG_LINUX_CONFIG=config/linux-x230.config diff --git a/modules/linux b/modules/linux index f8817935b..101f54dac 100644 --- a/modules/linux +++ b/modules/linux @@ -1,6 +1,15 @@ modules-y += linux +ifeq "$(CONFIG_LINUX_VERSION)" "4.14.62" linux_version := 4.14.62 +linux_hash := 51ca4d7e8ee156dc0f19bc7768915cfae41dbb0b4f251e4fa8b178c5674c22ab +else ifeq "$(CONFIG_LINUX_VERSION)" "4.19.139" +linux_version := 4.19.139 +linux_hash := 9c4ebf21fe949f80fbcfbbd6e7fe181040d325e89475e230ab53ef01f9d55605 +else +$(error "$(BOARD): does not specify linux kernel version under CONFIG_LINUX_VERSION") +endif + linux_base_dir := linux-$(linux_version) # TODO: fixup the patch process @@ -15,12 +24,6 @@ linux_dir := $(linux_base_dir)/$(notdir $(basename $(linux_kconfig))) linux_tar := linux-$(linux_version).tar.xz linux_url := https://cdn.kernel.org/pub/linux/kernel/v4.x/$(linux_tar) -linux-4.9.38_hash := 76d789d87dd51d2fd58c095727171984fa4a992f5e25b9e3eb1e5fd5cd129074 -linux-4.9.80_hash := 9e2e83ccc0afc3f23340ed5e58a35d8c6300a7c58aa98ca913848de41226477b -linux-4.14.62_hash := 51ca4d7e8ee156dc0f19bc7768915cfae41dbb0b4f251e4fa8b178c5674c22ab - -linux_hash := $(linux-$(linux_version)_hash) - # Ensure that touching the config file will force a reconfig/rebuild $(build)/$(linux_dir)/.configured: $(linux_kconfig) diff --git a/patches/linux-4.19.139/0000-efi_bds.patch b/patches/linux-4.19.139/0000-efi_bds.patch new file mode 100644 index 000000000..0d2d76ea3 --- /dev/null +++ b/patches/linux-4.19.139/0000-efi_bds.patch 
@@ -0,0 +1,54 @@ +diff -u --recursive ../../clean/linux-4.14.62/arch/x86/boot/compressed/eboot.c linux-4.14.62/arch/x86/boot/compressed/eboot.c +--- ../../clean/linux-4.14.62/arch/x86/boot/compressed/eboot.c 2018-08-09 06:16:40.000000000 -0400 ++++ linux-4.14.62/arch/x86/boot/compressed/eboot.c 2018-08-09 10:13:11.801000000 -0400 +@@ -630,8 +630,8 @@ + u16 *s2; + u8 *s1; + int i; +- unsigned long ramdisk_addr; +- unsigned long ramdisk_size; ++ unsigned long ramdisk_addr = 0; ++ unsigned long ramdisk_size = 0; + + efi_early = c; + sys_table = (efi_system_table_t *)(unsigned long)efi_early->table; +@@ -686,9 +686,6 @@ + /* Fill in upper bits of command line address, NOP on 32 bit */ + boot_params->ext_cmd_line_ptr = (u64)(unsigned long)cmdline_ptr >> 32; + +- hdr->ramdisk_image = 0; +- hdr->ramdisk_size = 0; +- + /* Clear APM BIOS info */ + memset(bi, 0, sizeof(*bi)); + +@@ -712,10 +709,16 @@ + + if (status != EFI_SUCCESS) + goto fail2; +- hdr->ramdisk_image = ramdisk_addr & 0xffffffff; +- hdr->ramdisk_size = ramdisk_size & 0xffffffff; +- boot_params->ext_ramdisk_image = (u64)ramdisk_addr >> 32; +- boot_params->ext_ramdisk_size = (u64)ramdisk_size >> 32; ++ ++ // don't overwrite the bzImage or loader provided ramdisk pointer ++ // unless the kernel command line specified a different one. ++ if (ramdisk_addr != 0) ++ { ++ hdr->ramdisk_image = ramdisk_addr & 0xffffffff; ++ hdr->ramdisk_size = ramdisk_size & 0xffffffff; ++ boot_params->ext_ramdisk_image = (u64)ramdisk_addr >> 32; ++ boot_params->ext_ramdisk_size = (u64)ramdisk_size >> 32; ++ } + + return boot_params; + fail2: +--- clean/linux-4.14.62/arch/x86/boot/compressed/early_serial_console.c 2018-08-09 12:16:40.000000000 +0200 ++++ linux-4.14.62/arch/x86/boot/compressed/early_serial_console.c 2018-09-28 11:59:36.824015244 +0200 +@@ -1,5 +1,5 @@ + #include "misc.h" + +-int early_serial_base; ++int early_serial_base = 0x3f8; + + #include "../early_serial_console.c" 
diff --git a/patches/linux-4.19.139/0001-fake-acpi.patch b/patches/linux-4.19.139/0001-fake-acpi.patch new file mode 100644 index 000000000..0c8b3b546 --- /dev/null +++ b/patches/linux-4.19.139/0001-fake-acpi.patch @@ -0,0 +1,32 @@ +diff --recursive -u ./clean/linux-4.9.80/drivers/acpi/acpica/evxfevnt.c linux-4.9.80/drivers/acpi/acpica/evxfevnt.c +--- ./clean/linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2018-02-03 11:05:43.000000000 -0500 ++++ linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2018-02-07 15:51:28.786502597 -0500 +@@ -111,6 +111,8 @@ + } + + ACPI_ERROR((AE_INFO, "Hardware did not enter ACPI mode")); ++printk("%s:%d faking ACPI mode\n", __func__, __LINE__); ++ return_ACPI_STATUS(AE_OK); + return_ACPI_STATUS(AE_NO_HARDWARE_RESPONSE); + } + +diff --recursive -u ./clean/linux-4.9.80/drivers/acpi/acpica/hwacpi.c linux-4.9.80/drivers/acpi/acpica/hwacpi.c +--- ./clean/linux-4.9.80/drivers/acpi/acpica/hwacpi.c 2018-02-03 11:05:43.000000000 -0500 ++++ linux-4.9.80/drivers/acpi/acpica/hwacpi.c 2018-02-07 15:51:35.126557868 -0500 +@@ -168,12 +168,16 @@ + + status = acpi_read_bit_register(ACPI_BITREG_SCI_ENABLE, &value); + if (ACPI_FAILURE(status)) { ++printk("%s:%d faking ACPI mode\n", __func__, __LINE__); ++ return_UINT32(ACPI_SYS_MODE_ACPI); + return_UINT32(ACPI_SYS_MODE_LEGACY); + } + + if (value) { + return_UINT32(ACPI_SYS_MODE_ACPI); + } else { ++//printk("%s:%d faking ACPI mode\n", __func__, __LINE__); ++// return_UINT32(ACPI_SYS_MODE_ACPI); + return_UINT32(ACPI_SYS_MODE_LEGACY); + } + } diff --git a/patches/linux-4.19.139/0002-nmi-squelch.patch b/patches/linux-4.19.139/0002-nmi-squelch.patch new file mode 100644 index 000000000..bce1cd2f0 --- /dev/null +++ b/patches/linux-4.19.139/0002-nmi-squelch.patch 
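Review bot: The added `return_ACPI_STATUS(AE_OK);` after the "Hardware did not enter ACPI mode" error, and `return_UINT32(ACPI_SYS_MODE_ACPI);` when reading `ACPI_BITREG_SCI_ENABLE` fails, report success on a genuine failure. Because the patch sits in the per-version `patches/linux-4.19.139/` directory, this presumably applies to every board that builds this kernel, not only the one that needed it. The original return statements below each new line become unreachable, and the `printk` calls have no log level and are not indented; at minimum use `pr_warn("%s:%d faking ACPI mode\n", __func__, __LINE__);` and add a comment naming the board or firmware that needs the workaround. The inner diff headers still name `linux-4.9.80`, which is worth correcting in a file stored under 4.19.139. Both functions begin and end outside the inner hunks.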
@@ -0,0 +1,20 @@ +diff --recursive -u ./clean/linux-4.9.80/arch/x86/kernel/nmi.c linux-4.9.80/arch/x86/kernel/nmi.c +--- ./clean/linux-4.9.80/arch/x86/kernel/nmi.c 2018-02-03 11:05:43.000000000 -0500 ++++ linux-4.9.80/arch/x86/kernel/nmi.c 2018-02-07 18:56:10.475613884 -0500 +@@ -303,6 +303,8 @@ + + __this_cpu_add(nmi_stats.unknown, 1); + ++#if 0 ++// qemu generates these for some reason + pr_emerg("Uhhuh. NMI received for unknown reason %02x on CPU %d.\n", + reason, smp_processor_id()); + +@@ -311,6 +313,7 @@ + nmi_panic(regs, "NMI: Not continuing"); + + pr_emerg("Dazed and confused, but trying to continue\n"); ++#endif + } + NOKPROBE_SYMBOL(unknown_nmi_error); + diff --git a/patches/linux-4.19.139/0003-fake-trampoline.patch b/patches/linux-4.19.139/0003-fake-trampoline.patch new file mode 100644 index 000000000..e6ec15c9b --- /dev/null +++ b/patches/linux-4.19.139/0003-fake-trampoline.patch @@ -0,0 +1,28 @@ +diff --recursive -u ./clean/linux-4.9.80/arch/x86/realmode/init.c linux-4.9.80/arch/x86/realmode/init.c +--- ./clean/linux-4.9.80/arch/x86/realmode/init.c 2018-02-03 11:05:43.000000000 -0500 ++++ linux-4.9.80/arch/x86/realmode/init.c 2018-02-07 15:51:28.538500435 -0500 +@@ -35,8 +35,8 @@ + /* Has to be under 1M so we can execute real-mode AP code. */ + mem = memblock_find_in_range(0, 1<<20, size, PAGE_SIZE); + if (!mem) { +- pr_info("No sub-1M memory is available for the trampoline\n"); +- return; ++ mem = 0x4000; ++ pr_info("No sub-1M memory is available for the trampoline, guessing %p\n", mem); + } + + memblock_reserve(mem, size); +@@ -138,7 +138,12 @@ + static int __init init_real_mode(void) + { + if (!real_mode_header) +- panic("Real mode trampoline was not allocated"); ++ { ++ // ignore for now ++ //panic("Real mode trampoline was not allocated"); ++ pr_warn("Real mode trampoline was not allocated"); ++ return 0; ++ } + + setup_real_mode(); + set_real_mode_permissions(); 
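Review bot: The `#if 0` … `#endif` pair in `0002-nmi-squelch.patch` disables both `pr_emerg` messages and the `nmi_panic(regs, "NMI: Not continuing")` call for unknown NMIs. The only justification given is `// qemu generates these for some reason`, yet the patch is not limited to qemu builds as far as this diff shows. On real hardware an unknown NMI would then only increment `nmi_stats.unknown`, with no log line and no panic path. Keep the `nmi_panic` path outside the disabled region, or demote the messages to a rate-limited warning instead of compiling them out. The function body starts outside the inner hunk.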
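Review bot: In `0003-fake-trampoline.patch`, the added `pr_info("... guessing %p\n", mem)` passes `mem` by value to `%p`. `mem` holds the result of `memblock_find_in_range()` and is presumably a `phys_addr_t`, for which the kernel format is `%pa` with the variable's address: `pr_info("No sub-1M memory is available for the trampoline, guessing %pa\n", &mem);`. The fallback then passes the fixed address `0x4000` to `memblock_reserve()` without checking that the range is usable memory, so a comment explaining why that address is safe on the target boards is needed. The new `pr_warn("Real mode trampoline was not allocated")` is missing its trailing `\n`. Both functions continue outside the inner hunks.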
diff --git a/patches/linux-4.19.139/0010-winterfell-ahci.patch b/patches/linux-4.19.139/0010-winterfell-ahci.patch new file mode 100644 index 000000000..9c4df7e28 --- /dev/null +++ b/patches/linux-4.19.139/0010-winterfell-ahci.patch @@ -0,0 +1,18 @@ +diff --recursive -u ./clean/linux-4.9.80/drivers/ata/libahci.c linux-4.9.80/drivers/ata/libahci.c +--- ./clean/linux-4.9.80/drivers/ata/libahci.c 2018-02-03 11:05:43.000000000 -0500 ++++ linux-4.9.80/drivers/ata/libahci.c 2018-02-07 18:02:32.526535910 -0500 +@@ -537,8 +537,12 @@ + } + + /* fabricate port_map from cap.nr_ports for < AHCI 1.3 */ +- if (!port_map && vers < 0x10300) { +- port_map = (1 << ahci_nr_ports(cap)) - 1; ++ if (!port_map) { // && vers < 0x10300) { ++ printk("%s: saved_port=%02x\n", __func__, hpriv->saved_port_map); ++ writel(0x1, mmio + HOST_PORTS_IMPL); ++ port_map = readl(mmio + HOST_PORTS_IMPL); ++ ++ //port_map = (1 << ahci_nr_ports(cap)) - 1; + dev_warn(dev, "forcing PORTS_IMPL to 0x%x\n", port_map); + + /* write the fixed up value to the PI register */ From a0753473510ec598f9db86cfb610cf61156ca5cb Mon Sep 17 00:00:00 2001 From: MrChromebox Date: Mon, 24 Aug 2020 15:42:33 -0500 Subject: [PATCH 182/189] kexec-parse-boot/bls: Strip boot dir from front of grub entries (#804) Some grub configs/bls entries contain the full paths to the kernel/initrd files, which the parsers currently fail to handle, causing a failed boot without any useful error being presented to the user. To fix this, strip the bootdir prefix from the menu entries when parsing, should it exist. Test: build/boot Librem 13v2 w/F32 and bls entries containing absolute paths. Signed-off-by: Matt DeVillier --- initrd/bin/kexec-parse-bls | 4 ++-- initrd/bin/kexec-parse-boot | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/initrd/bin/kexec-parse-bls b/initrd/bin/kexec-parse-bls index b70363f42..ee2e08818 100755 --- a/initrd/bin/kexec-parse-bls +++ b/initrd/bin/kexec-parse-bls 
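Review bot: In `0010-winterfell-ahci.patch`, the condition `if (!port_map) { // && vers < 0x10300) {` drops the AHCI-version guard, so `writel(0x1, mmio + HOST_PORTS_IMPL)` runs on any controller that reports an empty port map. The file name indicates a winterfell workaround, but nothing in the patch limits it to that board. The comment above still reads "fabricate port_map from cap.nr_ports for < AHCI 1.3", which no longer matches the code, and the commented-out original line is left behind. The added `printk("%s: saved_port=%02x\n", ...)` has no log level; `dev_info(dev, "saved_port=%02x\n", hpriv->saved_port_map);` would match the `dev_warn` two lines below. The enclosing function starts and ends outside the inner hunk.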
@@ -67,10 +67,10 @@ bls_entry() { name=$val ;; linux*) - kernel=$val + kernel=${val#"$bootdir"} ;; initrd*) - initrd=$val + initrd=${val#"$bootdir"} ;; options) # default is "options $kernelopts" diff --git a/initrd/bin/kexec-parse-boot b/initrd/bin/kexec-parse-boot index 8dfa648d4..fbe31939a 100755 --- a/initrd/bin/kexec-parse-boot +++ b/initrd/bin/kexec-parse-boot @@ -170,11 +170,11 @@ syslinux_entry() { state="search" ;; *) - kernel="$val" + kernel="${val#"$bootdir"}" esac ;; initrd* | INITRD* ) - initrd="$val" + initrd="${val#"$bootdir"}" ;; append* | APPEND* ) if [ "$kexectype" = "multiboot" -o "$kexectype" = "xen" ]; then From cde6e24e8da5e3b8e80d498ac7ec3d557c991e2b Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Tue, 1 Sep 2020 12:31:47 -0400 Subject: [PATCH 183/189] xx30 boards: fixing CONFIG_CBFS_SIZE=0x710000 for x230 and t430 boards to fix #815 and #667 --- config/coreboot-t430.config | 2 +- config/coreboot-x230.config | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/config/coreboot-t430.config b/config/coreboot-t430.config index f16bb852a..b90f8d5a9 100644 --- a/config/coreboot-t430.config +++ b/config/coreboot-t430.config @@ -5,7 +5,7 @@ CONFIG_ANY_TOOLCHAIN=y CONFIG_USE_BLOBS=y CONFIG_MEASURED_BOOT=y CONFIG_VENDOR_LENOVO=y -CONFIG_CBFS_SIZE=0x800000 +CONFIG_CBFS_SIZE=0x710000 # CONFIG_POST_IO is not set # CONFIG_POST_DEVICE is not set CONFIG_DRIVERS_UART_8250IO=y diff --git a/config/coreboot-x230.config b/config/coreboot-x230.config index cdab5d864..68ef480c1 100644 --- a/config/coreboot-x230.config +++ b/config/coreboot-x230.config @@ -5,7 +5,7 @@ CONFIG_ANY_TOOLCHAIN=y CONFIG_USE_BLOBS=y CONFIG_MEASURED_BOOT=y CONFIG_VENDOR_LENOVO=y -CONFIG_CBFS_SIZE=0x700000 +CONFIG_CBFS_SIZE=0x710000 # CONFIG_POST_IO is not set # CONFIG_POST_DEVICE is not set CONFIG_DRIVERS_UART_8250IO=y From 268fb90623a49e7645becca456365c23730cb6b1 Mon Sep 17 00:00:00 2001 
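Review bot: `${val#"$bootdir"}` in `bls_entry` strips the prefix as a plain string rather than as a path component. If `$bootdir` has no trailing slash (it is assigned outside the hunk), a constructed entry such as `/bootX/vmlinuz` with `bootdir=/boot` becomes `X/vmlinuz`. These values are read from on-disk boot entries, so strip only at a `/` boundary: `case "$val" in "$bootdir"/*) kernel=${val#"$bootdir"} ;; *) kernel=$val ;; esac`. The same applies to `initrd` here and to both assignments in the `syslinux_entry` hunk of `kexec-parse-boot`; both functions start and end outside their hunks.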
From: MrChromebox Date: Wed, 2 Sep 2020 13:39:37 -0500 Subject: [PATCH 184/189] Add new board: Purism Librem Mini (#806) * patches/coreboot-4.12: Add patch for Cannonlake ME status Add patch print ME status regardless of enablement state Signed-off-by: Matt DeVillier * modules: add purism-blobs module Rather than require users to manually run a script to download the required blobs to build Purism Librem boards, automate it so the correct version is automatically downloaded/extracted. Restrict to coreboot 4.12 for now since 4.8.1 still needs FSP blobs, which are not in module. Signed-off-by: Matt DeVillier * configs/linux-librem13v2: unset CONFIG_RETPOLINE Fixes compilation issue with newer kernels, ignored by older ones which don't need it Signed-off-by: Matt DeVillier * Add new board: Librem Mini Add Librem Mini board patch for coreboot 4.12, board config and coreboot config. Continue reusing existing librem13v2 Linux config, same as all other Librem boards currently. Use new purism-blobs module. Signed-off-by: Matt DeVillier * board/librem*: rename for consistency Use 'librem_' notation for consistency across all models. Rename linux config file since used by multiple Librem models. Signed-off-by: Matt DeVillier * CircleCI: add librem_mini board to test 
Signed-off-by: Matt DeVillier --- .circleci/config.yml | 18 + blobs/librem_kbl/readme.md | 4 +- blobs/librem_skl/readme.md | 4 +- .../librem_13v2.config} | 6 +- .../librem_13v4.config} | 6 +- .../librem_15v3.config} | 8 +- .../librem_15v4.config} | 8 +- boards/librem_mini/librem_mini.config | 42 + ...3v2.config => coreboot-librem_13v2.config} | 4 +- ...3v4.config => coreboot-librem_13v4.config} | 4 +- ...5v3.config => coreboot-librem_15v3.config} | 4 +- ...5v4.config => coreboot-librem_15v4.config} | 4 +- config/coreboot-librem_mini.config | 14 + ...13v2.config => linux-librem_common.config} | 1 + modules/coreboot | 1 + modules/purism-blobs | 12 + ...nnonlake-me.c-Always-print-ME-status.patch | 31 + ..._whl-Add-new-board-Librem-Mini-WHL-U.patch | 799 ++++++++++++++++++ 18 files changed, 943 insertions(+), 27 deletions(-) rename boards/{librem13v2/librem13v2.config => librem_13v2/librem_13v2.config} (86%) rename boards/{librem13v4/librem13v4.config => librem_13v4/librem_13v4.config} (86%) rename boards/{librem15v3/librem15v3.config => librem_15v3/librem_15v3.config} (82%) rename boards/{librem15v4/librem15v4.config => librem_15v4/librem_15v4.config} (82%) create mode 100644 boards/librem_mini/librem_mini.config rename config/{coreboot-librem13v2.config => coreboot-librem_13v2.config} (90%) rename config/{coreboot-librem13v4.config => coreboot-librem_13v4.config} (90%) rename config/{coreboot-librem15v3.config => coreboot-librem_15v3.config} (90%) rename config/{coreboot-librem15v4.config => coreboot-librem_15v4.config} (90%) create mode 100644 config/coreboot-librem_mini.config rename config/{linux-librem13v2.config => linux-librem_common.config} (99%) create mode 100644 modules/purism-blobs create mode 100644 patches/coreboot-4.12/0001-soc-cannonlake-me.c-Always-print-ME-status.patch create mode 100644 patches/coreboot-4.12/0002-mb-purism-librem_whl-Add-new-board-Librem-Mini-WHL-U.patch 
diff --git a/.circleci/config.yml b/.circleci/config.yml index 2fc584311..84a905068 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -150,6 +150,24 @@ jobs: - store-artifacts: path: build/x230-hotp-verification + - run: + name: librem_mini + command: | + rm -rf build/librem_mini/* build/log/* && make --load 2 \ + V=1 \ + BOARD=librem_mini \ + no_output_timeout: 3h + - run: + name: Ouput librem_mini hashes + command: | + cat build/librem_mini/hashes.txt \ + - run: + name: Archiving build logs for librem_mini + command: | + tar zcvf build/librem_mini/logs.tar.gz build/log/* + - store-artifacts: + path: build/librem_mini + - run: name: qemu-coreboot command: | diff --git a/blobs/librem_kbl/readme.md b/blobs/librem_kbl/readme.md index 427af8650..b24ec9a80 100644 --- a/blobs/librem_kbl/readme.md +++ b/blobs/librem_kbl/readme.md @@ -14,7 +14,7 @@ The script depends on: wget sha256sum python2.7 bspatch pv You can now compile the image with: ``` -make BOARD=librem13v4 +make BOARD=librem_13v4 or -make BOARD=librem15v4 +make BOARD=librem_15v4 ``` diff --git a/blobs/librem_skl/readme.md b/blobs/librem_skl/readme.md index 01d2596b2..39995cdc9 100644 --- a/blobs/librem_skl/readme.md +++ b/blobs/librem_skl/readme.md @@ -14,5 +14,7 @@ The script depends on: wget sha256sum python2.7 bspatch pv You can now compile the image with: ``` -make BOARD=librem13v2 +make BOARD=librem_13v2 +or +make BOARD=librem_15v3 ``` diff --git a/boards/librem13v2/librem13v2.config b/boards/librem_13v2/librem_13v2.config similarity index 86% rename from boards/librem13v2/librem13v2.config rename to boards/librem_13v2/librem_13v2.config index 1fbbe88d5..9c84e678c 100644 --- a/boards/librem13v2/librem13v2.config +++ b/boards/librem_13v2/librem_13v2.config 
@@ -1,6 +1,6 @@ -# Configuration for a librem13v2 -CONFIG_LINUX_CONFIG=config/linux-librem13v2.config -CONFIG_COREBOOT_CONFIG=config/coreboot-librem13v2.config +# Configuration for a librem_13v2 +CONFIG_LINUX_CONFIG=config/linux-librem_common.config +CONFIG_COREBOOT_CONFIG=config/coreboot-librem_13v2.config export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.8.1 diff --git a/boards/librem13v4/librem13v4.config b/boards/librem_13v4/librem_13v4.config similarity index 86% rename from boards/librem13v4/librem13v4.config rename to boards/librem_13v4/librem_13v4.config index f3996b395..09540cfd8 100644 --- a/boards/librem13v4/librem13v4.config +++ b/boards/librem_13v4/librem_13v4.config @@ -1,6 +1,6 @@ -# Configuration for a librem13v4 -CONFIG_LINUX_CONFIG=config/linux-librem13v2.config -CONFIG_COREBOOT_CONFIG=config/coreboot-librem13v4.config +# Configuration for a librem_13v4 +CONFIG_LINUX_CONFIG=config/linux-librem_common.config +CONFIG_COREBOOT_CONFIG=config/coreboot-librem_13v4.config export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.8.1 diff --git a/boards/librem15v3/librem15v3.config b/boards/librem_15v3/librem_15v3.config similarity index 82% rename from boards/librem15v3/librem15v3.config rename to boards/librem_15v3/librem_15v3.config index 7f1169896..2f1d5ca35 100644 --- a/boards/librem15v3/librem15v3.config +++ b/boards/librem_15v3/librem_15v3.config @@ -1,8 +1,6 @@ -# Configuration for a librem15v3 - -# The L15v3 Linux config is the same as the L13v2 linux config -CONFIG_LINUX_CONFIG=config/linux-librem13v2.config -CONFIG_COREBOOT_CONFIG=config/coreboot-librem15v3.config +# Configuration for a librem_15v3 +CONFIG_LINUX_CONFIG=config/linux-librem_common.config +CONFIG_COREBOOT_CONFIG=config/coreboot-librem_15v3.config export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.8.1 
diff --git a/boards/librem15v4/librem15v4.config b/boards/librem_15v4/librem_15v4.config similarity index 82% rename from boards/librem15v4/librem15v4.config rename to boards/librem_15v4/librem_15v4.config index 651a6189e..f9d0f5d98 100644 --- a/boards/librem15v4/librem15v4.config +++ b/boards/librem_15v4/librem_15v4.config @@ -1,8 +1,6 @@ -# Configuration for a librem15v4 - -# The L15v4 Linux config is the same as the L13v2 linux config -CONFIG_LINUX_CONFIG=config/linux-librem13v2.config -CONFIG_COREBOOT_CONFIG=config/coreboot-librem15v4.config +# Configuration for a librem_15v4 +CONFIG_LINUX_CONFIG=config/linux-librem_common.config +CONFIG_COREBOOT_CONFIG=config/coreboot-librem_15v4.config export CONFIG_COREBOOT=y export CONFIG_COREBOOT_VERSION=4.8.1 diff --git a/boards/librem_mini/librem_mini.config b/boards/librem_mini/librem_mini.config new file mode 100644 index 000000000..a68773c0c --- /dev/null +++ b/boards/librem_mini/librem_mini.config 
@@ -0,0 +1,42 @@ +# Configuration for a librem mini +CONFIG_LINUX_CONFIG=config/linux-librem_common.config +CONFIG_COREBOOT_CONFIG=config/coreboot-librem_mini.config + +export CONFIG_COREBOOT=y +export CONFIG_COREBOOT_VERSION=4.12 +export CONFIG_LINUX_VERSION=4.19.139 +export CONFIG_PURISM_BLOBS=y + +CONFIG_CRYPTSETUP=y +CONFIG_FLASHROM=y +CONFIG_FLASHTOOLS=y +CONFIG_GPG2=y +CONFIG_KEXEC=y +CONFIG_UTIL_LINUX=y +CONFIG_LVM2=y +CONFIG_MBEDTLS=y +CONFIG_PCIUTILS=y +CONFIG_POPT=y +CONFIG_QRENCODE=y +CONFIG_TPMTOTP=y + +CONFIG_CAIRO=y +CONFIG_FBWHIPTAIL=y +CONFIG_HOTPKEY=y + +CONFIG_LINUX_USB=y + +export CONFIG_TPM=y +export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y + +export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOT_REQ_HASH=n +export CONFIG_BOOT_REQ_ROLLBACK=n +export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" +export CONFIG_BOOT_KERNEL_REMOVE="" +export CONFIG_BOOT_DEV="/dev/nvme0n1p1" +export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem Mini Heads Boot Menu" +export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" +export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" +export CONFIG_FLASHROM_OPTIONS="-p internal" +export CONFIG_USB_KEYBOARD=y diff --git a/config/coreboot-librem13v2.config b/config/coreboot-librem_13v2.config similarity index 90% rename from config/coreboot-librem13v2.config rename to config/coreboot-librem_13v2.config index 412c2bfc2..d7c899877 100644 --- a/config/coreboot-librem13v2.config +++ b/config/coreboot-librem_13v2.config @@ -26,6 +26,6 @@ CONFIG_FSP_M_XIP=y # CONFIG_DRIVERS_INTEL_WIFI is not set CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y CONFIG_PAYLOAD_LINUX=y -CONFIG_PAYLOAD_FILE="../../build/librem13v2/bzImage" +CONFIG_PAYLOAD_FILE="../../build/librem_13v2/bzImage" CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" -CONFIG_LINUX_INITRD="../../build/librem13v2/initrd.cpio.xz" +CONFIG_LINUX_INITRD="../../build/librem_13v2/initrd.cpio.xz" 
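Review bot: The new `boards/librem_mini/librem_mini.config` sets `export CONFIG_BOOT_REQ_HASH=n` and `export CONFIG_BOOT_REQ_ROLLBACK=n` without comment. Judging by the names, boot-file hash checking and rollback protection are then not required by default on this board. If that default is deliberate, add a comment above the two lines giving the reason and how a user enables the checks, for example `# hash and rollback checks are opt-in on this board: <reason>`. The same file enables `CONFIG_TPM=y` and `CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y`, which would also benefit from a one-line explanation.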
diff --git a/config/coreboot-librem13v4.config b/config/coreboot-librem_13v4.config similarity index 90% rename from config/coreboot-librem13v4.config rename to config/coreboot-librem_13v4.config index 0d4abc8b5..66fd6aa07 100644 --- a/config/coreboot-librem13v4.config +++ b/config/coreboot-librem_13v4.config @@ -26,6 +26,6 @@ CONFIG_FSP_M_XIP=y # CONFIG_DRIVERS_INTEL_WIFI is not set CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y CONFIG_PAYLOAD_LINUX=y -CONFIG_PAYLOAD_FILE="../../build/librem13v4/bzImage" +CONFIG_PAYLOAD_FILE="../../build/librem_13v4/bzImage" CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" -CONFIG_LINUX_INITRD="../../build/librem13v4/initrd.cpio.xz" +CONFIG_LINUX_INITRD="../../build/librem_13v4/initrd.cpio.xz" diff --git a/config/coreboot-librem15v3.config b/config/coreboot-librem_15v3.config similarity index 90% rename from config/coreboot-librem15v3.config rename to config/coreboot-librem_15v3.config index 4359227eb..7be32773d 100644 --- a/config/coreboot-librem15v3.config +++ b/config/coreboot-librem_15v3.config @@ -26,6 +26,6 @@ CONFIG_FSP_M_XIP=y # CONFIG_DRIVERS_INTEL_WIFI is not set CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y CONFIG_PAYLOAD_LINUX=y -CONFIG_PAYLOAD_FILE="../../build/librem15v3/bzImage" +CONFIG_PAYLOAD_FILE="../../build/librem_15v3/bzImage" CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" -CONFIG_LINUX_INITRD="../../build/librem15v3/initrd.cpio.xz" +CONFIG_LINUX_INITRD="../../build/librem_15v3/initrd.cpio.xz" diff --git a/config/coreboot-librem15v4.config b/config/coreboot-librem_15v4.config similarity index 90% rename from config/coreboot-librem15v4.config rename to config/coreboot-librem_15v4.config index 013718c26..36c0e95b8 100644 --- a/config/coreboot-librem15v4.config +++ b/config/coreboot-librem_15v4.config 
@@ -26,6 +26,6 @@ CONFIG_FSP_M_XIP=y
 # CONFIG_DRIVERS_INTEL_WIFI is not set
 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y
 CONFIG_PAYLOAD_LINUX=y
-CONFIG_PAYLOAD_FILE="../../build/librem15v4/bzImage"
+CONFIG_PAYLOAD_FILE="../../build/librem_15v4/bzImage"
 CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3"
-CONFIG_LINUX_INITRD="../../build/librem15v4/initrd.cpio.xz"
+CONFIG_LINUX_INITRD="../../build/librem_15v4/initrd.cpio.xz"
diff --git a/config/coreboot-librem_mini.config b/config/coreboot-librem_mini.config
new file mode 100644
index 000000000..ced1b4d24
--- /dev/null
+++ b/config/coreboot-librem_mini.config
@@ -0,0 +1,14 @@
+CONFIG_LOCALVERSION="PureBoot-beta"
+CONFIG_VENDOR_PURISM=y
+CONFIG_INTEL_GMA_VBT_FILE="3rdparty/purism-blobs/mainboard/purism/librem_whl/vbt.bin"
+CONFIG_IFD_BIN_PATH="3rdparty/purism-blobs/mainboard/purism/librem_whl/flashdescriptor.bin"
+CONFIG_ME_BIN_PATH="3rdparty/purism-blobs/mainboard/purism/librem_whl/me.bin"
+CONFIG_HAVE_IFD_BIN=y
+CONFIG_BOARD_PURISM_LIBREM_MINI=y
+CONFIG_CPU_MICROCODE_CBFS_EXTERNAL_BINS=y
+CONFIG_CPU_UCODE_BINARIES="3rdparty/purism-blobs/mainboard/purism/librem_whl/cpu_microcode_blob.bin"
+CONFIG_HAVE_ME_BIN=y
+CONFIG_PAYLOAD_LINUX=y
+CONFIG_PAYLOAD_FILE="../../build/librem_mini/bzImage"
+CONFIG_LINUX_INITRD="../../build/librem_mini/initrd.cpio.xz"
+CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=2"
diff --git a/config/linux-librem13v2.config b/config/linux-librem_common.config
similarity index 99%
rename from config/linux-librem13v2.config
rename to config/linux-librem_common.config
index 35a3f5ed5..d0742ec1b 100644
--- a/config/linux-librem13v2.config
+++ b/config/linux-librem_common.config
@@ -319,3 +319,4 @@ CONFIG_CRC8=m
 CONFIG_XZ_DEC_TEST=m
 CONFIG_CORDIC=m
 CONFIG_IRQ_POLL=y
+# CONFIG_RETPOLINE is not set
diff --git a/modules/coreboot b/modules/coreboot
index 5082c3944..f9134dac7 100644
--- a/modules/coreboot
+++ b/modules/coreboot
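Review bot: The one added line in config/linux-librem_common.config, `# CONFIG_RETPOLINE is not set`, explicitly leaves the kernel's retpoline Spectre v2 mitigation disabled, and nothing visible here says why. Because the file is renamed from the 13v2 config to a common one in this same change, the setting presumably applies to every board whose `CONFIG_LINUX_CONFIG` points at it, including the new Librem Mini board configuration. If the reason is compiler support or image size, record it where it survives a config regeneration, for example a comment next to `CONFIG_LINUX_CONFIG` in the board file such as `# retpoline is disabled in linux-librem_common.config: <reason>`.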
@@ -8,6 +8,7 @@ else ifeq "$(CONFIG_COREBOOT_VERSION)" "4.12"
 coreboot_version := 4.12
 coreboot_hash := edcad000ee9b73183c396ea76155629b3d27c693e0f1ae83e3424c4d936e2be2
 coreboot-blobs_hash := 4735ee6850d55d1e65dee8b08cc9b28b8af00b42acf31365f5d9545406579104
+ coreboot_depends := $(if $(CONFIG_PURISM_BLOBS), purism-blobs)
 else
 $(error "$(BOARD): does not specify coreboot version under CONFIG_COREBOOT_VERSION")
 endif
diff --git a/modules/purism-blobs b/modules/purism-blobs
new file mode 100644
index 000000000..abac8a3e6
--- /dev/null
+++ b/modules/purism-blobs
@@ -0,0 +1,12 @@
+modules-$(CONFIG_PURISM_BLOBS) += purism-blobs
+
+purism-blobs_base_dir := coreboot-$(CONFIG_COREBOOT_VERSION)/3rdparty/purism-blobs
+purism-blobs_version := f53d4074a81c70352d39839884caac20181274d1
+purism-blobs_tar := purism-blobs-${purism-blobs_version}.tar.gz
+purism-blobs_tar_opt := --strip 1
+purism-blobs_url := https://source.puri.sm/coreboot/purism-blobs/-/archive/${purism-blobs_version}/${purism-blobs_tar}
+purism-blobs_hash := f1abd419f085a6d519a2b9b141aee9900553aabf644f0fe1801618fb54157556
+
+## there is nothing to be built
+purism-blobs_output := .built
+purism-blobs_configure := echo -e 'all:\n\ttouch .built' > Makefile
diff --git a/patches/coreboot-4.12/0001-soc-cannonlake-me.c-Always-print-ME-status.patch b/patches/coreboot-4.12/0001-soc-cannonlake-me.c-Always-print-ME-status.patch
new file mode 100644
index 000000000..e590a336f
--- /dev/null
+++ b/patches/coreboot-4.12/0001-soc-cannonlake-me.c-Always-print-ME-status.patch
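Review bot: `coreboot_depends` is assigned only inside the "4.12" branch of modules/coreboot, while modules/purism-blobs builds its path from `$(CONFIG_COREBOOT_VERSION)` and so looks version-independent. A board that sets `CONFIG_PURISM_BLOBS=y` with another coreboot version would enable the blobs module without, presumably, ordering it before coreboot; the other branches of this conditional start outside the hunk, so check whether they need the same line. Moving the assignment below `endif` covers every version, and dropping the space after the comma keeps a leading blank out of the value: `coreboot_depends := $(if $(CONFIG_PURISM_BLOBS),purism-blobs)`. Since it is a `:=` assignment, also confirm nothing else in the file sets `coreboot_depends`.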
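Review bot: `purism-blobs_configure` in modules/purism-blobs relies on `echo -e`, which is interpreted as an option only by bash and similar shells; under a plain POSIX `sh` such as dash the generated Makefile starts with a literal `-e`. Whether the top-level Makefile forces bash as the recipe shell is not visible here. `printf` behaves the same in either case: `purism-blobs_configure := printf 'all:\n\ttouch .built\n' > Makefile`.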
@@ -0,0 +1,31 @@
+From 32e60b698d33eec419bf0e4865ece7b86ea1355a Mon Sep 17 00:00:00 2001
+From: Matt DeVillier
+Date: Fri, 19 Jun 2020 17:02:22 -0500
+Subject: [PATCH] soc/cannonlake/me.c: Always print ME status
+
+Print the ME status even if the CSE device is disabled, so
+we know which disabled state it's in.
+
+Change-Id: I939333199aa699039fec727beb094e4eb2ad7149
+Signed-off-by: Matt DeVillier
+---
+ src/soc/intel/cannonlake/me.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/src/soc/intel/cannonlake/me.c b/src/soc/intel/cannonlake/me.c
+index a51b702e6a..3fae0bf534 100644
+--- a/src/soc/intel/cannonlake/me.c
++++ b/src/soc/intel/cannonlake/me.c
+@@ -103,9 +103,6 @@ void dump_me_status(void *unused)
+ union me_hfsts5 hfsts5;
+ union me_hfsts6 hfsts6;
+
+- if (!is_cse_enabled())
+- return;
+-
+ hfsts1.data = me_read_config32(PCI_ME_HFSTS1);
+ hfsts2.raw = me_read_config32(PCI_ME_HFSTS2);
+ hfsts3.data = me_read_config32(PCI_ME_HFSTS3);
+--
+2.20.1
+
diff --git a/patches/coreboot-4.12/0002-mb-purism-librem_whl-Add-new-board-Librem-Mini-WHL-U.patch b/patches/coreboot-4.12/0002-mb-purism-librem_whl-Add-new-board-Librem-Mini-WHL-U.patch
new file mode 100644
index 000000000..aa660945f
--- /dev/null
+++ b/patches/coreboot-4.12/0002-mb-purism-librem_whl-Add-new-board-Librem-Mini-WHL-U.patch
@@ -0,0 +1,799 @@ +From fcb25d39b270cdd21da3748e2d8f578b405f9a82 Mon Sep 17 00:00:00 2001 +From: Matt DeVillier +Date: Fri, 26 Jun 2020 00:21:39 -0500 +Subject: [PATCH] mb/purism/librem_whl: Add new board Librem Mini (WHL-U) + +Add new librem_whl baseboard and Librem Mini variant + +Signed-off-by: Matt DeVillier +Change-Id: I36af42766f85eb17f86f6ec9b48b87125fb911e6 +--- + src/mainboard/purism/librem_whl/Kconfig | 61 +++++ + src/mainboard/purism/librem_whl/Kconfig.name | 3 + + src/mainboard/purism/librem_whl/Makefile.inc | 10 + + .../purism/librem_whl/acpi/mainboard.asl | 16 ++ + .../purism/librem_whl/board_info.txt | 8 + + src/mainboard/purism/librem_whl/devicetree.cb | 223 +++++++++++++++++ + src/mainboard/purism/librem_whl/dsdt.asl | 26 ++ + src/mainboard/purism/librem_whl/ramstage.c | 16 ++ + src/mainboard/purism/librem_whl/romstage.c | 52 ++++ + .../librem_whl/variants/librem_mini/gpio.c | 229 ++++++++++++++++++ + .../variants/librem_mini/hda_verb.c | 33 +++ + .../librem_mini/include/variant/gpio.h | 11 + + 13 files changed, 688 insertions(+) + create mode 100644 src/mainboard/purism/librem_whl/Kconfig + create mode 100644 src/mainboard/purism/librem_whl/Kconfig.name + create mode 100644 src/mainboard/purism/librem_whl/Makefile.inc + create mode 100644 src/mainboard/purism/librem_whl/acpi/mainboard.asl + create mode 100644 src/mainboard/purism/librem_whl/board_info.txt + create mode 100644 src/mainboard/purism/librem_whl/devicetree.cb + create mode 100644 src/mainboard/purism/librem_whl/dsdt.asl + create mode 100644 src/mainboard/purism/librem_whl/ramstage.c + create mode 100644 src/mainboard/purism/librem_whl/romstage.c + create mode 100644 src/mainboard/purism/librem_whl/variants/librem_mini/gpio.c + create mode 100644 src/mainboard/purism/librem_whl/variants/librem_mini/hda_verb.c + create mode 100644 src/mainboard/purism/librem_whl/variants/librem_mini/include/variant/gpio.h + +diff --git a/src/mainboard/purism/librem_whl/Kconfig 
b/src/mainboard/purism/librem_whl/Kconfig +new file mode 100644 +index 0000000000..f7662a0e72 +--- /dev/null ++++ b/src/mainboard/purism/librem_whl/Kconfig +@@ -0,0 +1,61 @@ ++config BOARD_PURISM_BASEBOARD_LIBREM_WHL ++ def_bool n ++ select BOARD_ROMSIZE_KB_16384 ++ select DRIVERS_GENERIC_CBFS_SERIAL ++ select HAVE_ACPI_RESUME ++ select HAVE_ACPI_TABLES ++ select INTEL_GMA_HAVE_VBT ++ select NO_UART_ON_SUPERIO ++ select SOC_INTEL_COMMON_BLOCK_HDA ++ select SOC_INTEL_COMMON_BLOCK_HDA_VERB ++ select SOC_INTEL_WHISKEYLAKE ++ select SPD_READ_BY_WORD ++ select USE_LEGACY_8254_TIMER ++ ++if BOARD_PURISM_BASEBOARD_LIBREM_WHL ++ ++config MAINBOARD_DIR ++ string ++ default "purism/librem_whl" ++ ++config MAINBOARD_FAMILY ++ string ++ default "Librem Mini" if BOARD_PURISM_LIBREM_MINI ++ ++config MAINBOARD_PART_NUMBER ++ string ++ default "Librem Mini" if BOARD_PURISM_LIBREM_MINI ++ ++config VARIANT_DIR ++ string ++ default "librem_mini" if BOARD_PURISM_LIBREM_MINI ++ ++config CBFS_SIZE ++ hex ++ default 0x800000 ++ ++config MAX_CPUS ++ int ++ default 8 ++ ++config DIMM_MAX ++ int ++ default 2 ++ ++config DIMM_SPD_SIZE ++ int ++ default 512 ++ ++config VGA_BIOS_ID ++ string ++ default "8086,3ea0" ++ ++config PXE_ROM_ID ++ string ++ default "10ec,8168" ++ ++# This platform has limited means to display POST codes ++config NO_POST ++ default y ++ ++endif +diff --git a/src/mainboard/purism/librem_whl/Kconfig.name b/src/mainboard/purism/librem_whl/Kconfig.name +new file mode 100644 +index 0000000000..41a4003102 +--- /dev/null ++++ b/src/mainboard/purism/librem_whl/Kconfig.name +@@ -0,0 +1,3 @@ ++config BOARD_PURISM_LIBREM_MINI ++ bool "Librem Mini" ++ select BOARD_PURISM_BASEBOARD_LIBREM_WHL +diff --git a/src/mainboard/purism/librem_whl/Makefile.inc b/src/mainboard/purism/librem_whl/Makefile.inc +new file mode 100644 +index 0000000000..c03db05423 +--- /dev/null ++++ b/src/mainboard/purism/librem_whl/Makefile.inc +@@ -0,0 +1,10 @@ ++## ++## ++## ++## SPDX-License-Identifier: 
GPL-2.0-only ++ ++ramstage-y += variants/$(VARIANT_DIR)/gpio.c ++ramstage-y += variants/$(VARIANT_DIR)/hda_verb.c ++ramstage-y += ramstage.c ++ ++CPPFLAGS_common += -I$(src)/mainboard/$(MAINBOARDDIR)/variants/$(VARIANT_DIR)/include +diff --git a/src/mainboard/purism/librem_whl/acpi/mainboard.asl b/src/mainboard/purism/librem_whl/acpi/mainboard.asl +new file mode 100644 +index 0000000000..999030d2e5 +--- /dev/null ++++ b/src/mainboard/purism/librem_whl/acpi/mainboard.asl +@@ -0,0 +1,16 @@ ++/* SPDX-License-Identifier: GPL-2.0-only */ ++ ++Scope (\_SB.PCI0.LPCB) { ++ ++ Device (AC) ++ { ++ Name (_HID, "ACPI0003") ++ Name (_PCL, Package () { LPCB }) ++ Name (ACFG, One) ++ ++ Method (_PSR, 0, NotSerialized) ++ { ++ Return (ACFG) ++ } ++ } ++} +diff --git a/src/mainboard/purism/librem_whl/board_info.txt b/src/mainboard/purism/librem_whl/board_info.txt +new file mode 100644 +index 0000000000..e72dcdf2b7 +--- /dev/null ++++ b/src/mainboard/purism/librem_whl/board_info.txt +@@ -0,0 +1,8 @@ ++Vendor name: Purism ++Board name: librem_whl ++Category: desktop ++Release year: 2020 ++ROM package: SOIC-8 ++ROM protocol: SPI ++ROM socketed: n ++Flashrom support: y +diff --git a/src/mainboard/purism/librem_whl/devicetree.cb b/src/mainboard/purism/librem_whl/devicetree.cb +new file mode 100644 +index 0000000000..e67d910322 +--- /dev/null ++++ b/src/mainboard/purism/librem_whl/devicetree.cb +@@ -0,0 +1,223 @@ ++chip soc/intel/cannonlake ++ # Lock Down ++ register "common_soc_config" = "{ ++ .chipset_lockdown = CHIPSET_LOCKDOWN_COREBOOT, ++ }" ++ ++ # Send an extra VR mailbox command for the PS4 exit issue ++ register "SendVrMbxCmd" = "2" ++ ++# ACPI (soc/intel/cannonlake/acpi.c) ++ # Disable s0ix ++ register "s0ix_enable" = "0" ++ ++ # PM Timer Enabled ++ register "PmTimerDisabled" = "0" ++ ++ # Disable DPTF ++ register "dptf_enable" = "0" ++ ++# CPU (soc/intel/cannonlake/cpu.c) ++ # Power limit ++ register "tdp_pl1_override" = "15" ++ register "tdp_pl2_override" = "25" ++ ++ # 
Enable "Intel Speed Shift Technology" ++ register "speed_shift_enable" = "1" ++ ++ # Enable Enhanced Intel SpeedStep ++ register "eist_enable" = "1" ++ ++# FSP Memory (soc/intel/cannonlake/romstage/fsp_params.c) ++ register "SaGv" = "SaGv_Enabled" ++ ++# FSP Silicon (soc/intel/cannonlake/fsp_params.c) ++ # Serial I/O ++ register "SerialIoDevMode" = "{ ++ [PchSerialIoIndexI2C0] = PchSerialIoDisabled, ++ [PchSerialIoIndexI2C1] = PchSerialIoDisabled, ++ [PchSerialIoIndexI2C2] = PchSerialIoDisabled, ++ [PchSerialIoIndexI2C3] = PchSerialIoDisabled, ++ [PchSerialIoIndexI2C4] = PchSerialIoDisabled, ++ [PchSerialIoIndexI2C5] = PchSerialIoDisabled, ++ [PchSerialIoIndexSPI0] = PchSerialIoDisabled, ++ [PchSerialIoIndexSPI1] = PchSerialIoDisabled, ++ [PchSerialIoIndexSPI2] = PchSerialIoDisabled, ++ [PchSerialIoIndexUART0] = PchSerialIoDisabled, ++ [PchSerialIoIndexUART1] = PchSerialIoDisabled, ++ [PchSerialIoIndexUART2] = PchSerialIoDisabled, ++ }" ++ ++ # SATA ++ register "SataMode" = "Sata_AHCI" ++ register "SataSalpSupport" = "0" ++ register "SataPortsEnable[0]" = "1" # 2.5" ++ register "SataPortsEnable[2]" = "1" # m.2 ++ register "SataPortsDevSlp[0]" = "0" ++ register "SataPortsDevSlp[2]" = "0" ++ ++ # Audio ++ register "PchHdaDspEnable" = "0" ++ register "PchHdaAudioLinkHda" = "1" ++ register "PchHdaAudioLinkDmic0" = "0" ++ register "PchHdaAudioLinkDmic1" = "0" ++ register "PchHdaAudioLinkSsp0" = "0" ++ register "PchHdaAudioLinkSsp1" = "0" ++ register "PchHdaAudioLinkSsp2" = "0" ++ register "PchHdaAudioLinkSndw1" = "0" ++ register "PchHdaAudioLinkSndw2" = "0" ++ register "PchHdaAudioLinkSndw3" = "0" ++ register "PchHdaAudioLinkSndw4" = "0" ++ ++ # USB ++ register "SsicPortEnable" = "0" ++ ++ # USB2 ++ register "usb2_ports[0]" = "USB2_PORT_MID(OC_SKIP)" # Type-A front left upper ++ register "usb2_ports[1]" = "USB2_PORT_MID(OC_SKIP)" # Type-A front left lower ++ register "usb2_ports[2]" = "USB2_PORT_MID(OC2)" # Type-A rear upper ++ register "usb2_ports[3]" = 
"USB2_PORT_MID(OC_SKIP)" # Type-A front right lower ++ register "usb2_ports[4]" = "USB2_PORT_MID(OC_SKIP)" # Type-A front right upper ++ register "usb2_ports[5]" = "USB2_PORT_TYPE_C(OC3)" # Type-C rear ++ register "usb2_ports[6]" = "USB2_PORT_MID(OC_SKIP)" # m.2-2230/Bluetooth ++ register "usb2_ports[7]" = "USB2_PORT_EMPTY" # NC ++ register "usb2_ports[8]" = "USB2_PORT_EMPTY" # NC ++ register "usb2_ports[9]" = "USB2_PORT_MID(OC2)" # Type-A rear lower ++ register "usb2_ports[10]" = "USB2_PORT_EMPTY" # NC ++ register "usb2_ports[11]" = "USB2_PORT_EMPTY" # NC ++ register "usb2_ports[12]" = "USB2_PORT_EMPTY" # NC ++ register "usb2_ports[13]" = "USB2_PORT_EMPTY" # NC ++ register "usb2_ports[14]" = "USB2_PORT_EMPTY" # NC ++ register "usb2_ports[15]" = "USB2_PORT_EMPTY" # NC ++ ++ # USB3 ++ register "usb3_ports[0]" = "USB3_PORT_DEFAULT(OC_SKIP)" # Type-A front left upper ++ register "usb3_ports[1]" = "USB3_PORT_DEFAULT(OC_SKIP)" # Type-A front left lower ++ register "usb3_ports[2]" = "USB3_PORT_EMPTY" # NC ++ register "usb3_ports[3]" = "USB3_PORT_DEFAULT(OC3)" # Type-C rear ++ register "usb3_ports[4]" = "USB3_PORT_DEFAULT(OC2)" # Type-A rear lower ++ register "usb3_ports[5]" = "USB3_PORT_DEFAULT(OC2)" # Type-A rear upper ++ register "usb3_ports[6]" = "USB3_PORT_EMPTY" # NC ++ register "usb3_ports[7]" = "USB3_PORT_EMPTY" # NC ++ register "usb3_ports[8]" = "USB3_PORT_EMPTY" # NC ++ register "usb3_ports[9]" = "USB3_PORT_EMPTY" # NC ++ ++ # All SRCCLKREQ pins mapped directly ++ register "PcieClkSrcClkReq[0]" = "0" ++ register "PcieClkSrcClkReq[1]" = "1" ++ register "PcieClkSrcClkReq[2]" = "2" ++ register "PcieClkSrcClkReq[3]" = "3" ++ register "PcieClkSrcClkReq[4]" = "4" ++ register "PcieClkSrcClkReq[5]" = "5" ++ ++ # Set all SRCCLKREQ pins as free-use ++ register "PcieClkSrcUsage[0]" = "0x80" ++ register "PcieClkSrcUsage[1]" = "0x80" ++ register "PcieClkSrcUsage[2]" = "0x80" ++ register "PcieClkSrcUsage[3]" = "0x80" ++ register "PcieClkSrcUsage[4]" = "0x80" ++ register 
"PcieClkSrcUsage[5]" = "0x80" ++ ++ # PCI Express Root Port #8 x1, Clock 2 (WLAN) ++ register "PcieRpEnable[7]" = "1" ++ register "PcieRpLtrEnable[7]" = "1" ++ ++ # PCI Express Root Port #10 x1, Clock 3 (LAN) ++ register "PcieRpEnable[9]" = "1" ++ register "PcieRpLtrEnable[9]" = "0" ++ ++ # PCI Express Root port #13 x4, Clock 1 (NVMe) ++ register "PcieRpEnable[12]" = "1" ++ register "PcieRpLtrEnable[12]" = "1" ++ ++ # Misc ++ register "Device4Enable" = "1" ++ # HECI must be enabled w/HAP disable else S3 issues ++ register "HeciEnabled" = "1" ++ register "Heci3Enabled" = "0" ++ register "AcousticNoiseMitigation" = "1" ++ register "satapwroptimize" = "1" ++ ++ # Power ++ register "PchPmSlpS3MinAssert" = "3" # 50ms ++ register "PchPmSlpS4MinAssert" = "1" # 1s ++ register "PchPmSlpSusMinAssert" = "2" # 500ms ++ register "PchPmSlpAMinAssert" = "4" # 2s ++ ++ # Thermal ++ register "tcc_offset" = "12" ++ ++ # Serial IRQ Mode ++ register "serirq_mode" = "SERIRQ_CONTINUOUS" ++ ++# PMC (soc/intel/cannonlake/pmc.c) ++ # Disable deep Sx states ++ register "deep_sx_config" = "0" ++ ++# PM Util (soc/intel/cannonlake/pmutil.c) ++ # GPE configuration ++ # Note that GPE events called out in ASL code rely on this ++ # route. i.e. If this route changes then the affected GPE ++ # offset bits also need to be changed. 
++ # sudo devmem2 0xfe001920 (pmc_bar + GPIO_GPE_CFG) ++ register "gpe0_dw0" = "PMC_GPP_C" ++ register "gpe0_dw1" = "PMC_GPP_D" ++ register "gpe0_dw2" = "PMC_GPP_E" ++ ++# Actual device tree ++ device cpu_cluster 0 on ++ device lapic 0 on end ++ end ++ ++ device domain 0 on ++ device pci 00.0 on end # Host Bridge ++ device pci 02.0 on end # Integrated Graphics Device ++ device pci 04.0 on end # SA Thermal device ++ device pci 12.0 on end # Thermal Subsystem ++ device pci 13.0 off end # Integrated Sensor Hub ++ device pci 14.0 on end # USB xHCI ++ device pci 14.1 off end # USB xDCI (OTG) ++ device pci 15.0 off end # I2C #0 ++ device pci 15.1 off end # I2C #1 ++ device pci 15.2 off end # I2C #2 ++ device pci 15.3 off end # I2C #3 ++ device pci 16.0 off end # Management Engine Interface 1 ++ device pci 16.1 off end # Management Engine Interface 2 ++ device pci 16.2 off end # Management Engine IDE-R ++ device pci 16.3 off end # Management Engine KT Redirection ++ device pci 16.4 off end # Management Engine Interface 3 ++ device pci 16.5 off end # Management Engine Interface 4 ++ device pci 17.0 on end # SATA ++ device pci 19.0 off end # I2C #4 ++ device pci 19.1 off end # I2C #5 ++ device pci 19.2 off end # UART #2 ++ device pci 1a.0 off end # eMMC ++ device pci 1c.0 on end # PCI Express Port 1 ++ device pci 1c.1 off end # PCI Express Port 2 ++ device pci 1c.2 off end # PCI Express Port 3 ++ device pci 1c.3 off end # PCI Express Port 4 ++ device pci 1c.4 off end # PCI Express Port 5 ++ device pci 1c.5 off end # PCI Express Port 6 ++ device pci 1c.6 off end # PCI Express Port 7 ++ device pci 1c.7 on end # PCI Express Port 8 (WLAN) ++ device pci 1d.0 on end # PCI Express Port 9 ++ device pci 1d.1 on end # PCI Express Port 10 (LAN) ++ device pci 1d.2 off end # PCI Express Port 11 ++ device pci 1d.3 off end # PCI Express Port 12 ++ device pci 1d.4 on end # PCI Express Port 13 (NVMe) ++ device pci 1d.5 off end # PCI Express Port 14 ++ device pci 1d.6 off end # PCI Express 
Port 15 ++ device pci 1d.7 off end # PCI Express Port 16 ++ device pci 1e.0 off end # UART #0 ++ device pci 1e.1 off end # UART #1 ++ device pci 1e.2 off end # GSPI #0 ++ device pci 1e.3 off end # GSPI #1 ++ device pci 1f.0 on end # LPC Bridge ++ device pci 1f.1 off end # P2SB ++ device pci 1f.2 off end # Power Management Controller ++ device pci 1f.3 on end # Intel HDA ++ device pci 1f.4 on end # SMBus ++ device pci 1f.5 on end # PCH SPI ++ device pci 1f.6 off end # GbE ++ end ++end +diff --git a/src/mainboard/purism/librem_whl/dsdt.asl b/src/mainboard/purism/librem_whl/dsdt.asl +new file mode 100644 +index 0000000000..296be17b35 +--- /dev/null ++++ b/src/mainboard/purism/librem_whl/dsdt.asl +@@ -0,0 +1,26 @@ ++/* SPDX-License-Identifier: GPL-2.0-only */ ++ ++#include ++DefinitionBlock( ++ "dsdt.aml", ++ "DSDT", ++ 0x02, /* DSDT revision: ACPI v2.0 and up */ ++ OEM_ID, ++ ACPI_TABLE_CREATOR, ++ 0x20110725 /* OEM revision */ ++) ++{ ++ #include ++ #include ++ #include ++ ++ Device (\_SB.PCI0) ++ { ++ #include ++ #include ++ } ++ ++ #include ++ ++ #include "acpi/mainboard.asl" ++} +diff --git a/src/mainboard/purism/librem_whl/ramstage.c b/src/mainboard/purism/librem_whl/ramstage.c +new file mode 100644 +index 0000000000..3479c0d3ed +--- /dev/null ++++ b/src/mainboard/purism/librem_whl/ramstage.c +@@ -0,0 +1,16 @@ ++/* SPDX-License-Identifier: GPL-2.0-only */ ++ ++#include ++#include ++ ++void mainboard_silicon_init_params(FSP_S_CONFIG *params) ++{ ++ /* Configure pads prior to SiliconInit() in case there's any ++ * dependencies during hardware initialization. 
*/ ++ size_t num_gpios; ++ const struct pad_config *gpio_table = variant_gpio_table(&num_gpios); ++ cnl_configure_pads(gpio_table, num_gpios); ++ ++ /* Limit SATA speed to 3Gbps */ ++ params->SataSpeedLimit = 2; ++} +diff --git a/src/mainboard/purism/librem_whl/romstage.c b/src/mainboard/purism/librem_whl/romstage.c +new file mode 100644 +index 0000000000..9f8d600950 +--- /dev/null ++++ b/src/mainboard/purism/librem_whl/romstage.c +@@ -0,0 +1,52 @@ ++/* SPDX-License-Identifier: GPL-2.0-only */ ++ ++#include ++#include ++ ++static const struct cnl_mb_cfg memcfg = { ++ ++ /* Parameters required to access SPD for CH0D0/CH0D1/CH1D0/CH1D1. */ ++ .spd[0] = { ++ .read_type = READ_SMBUS, ++ .spd_spec = {.spd_smbus_address = 0xa0}, ++ }, ++ .spd[1] = {.read_type = NOT_EXISTING}, ++ .spd[2] = { ++ .read_type = READ_SMBUS, ++ .spd_spec = {.spd_smbus_address = 0xa4}, ++ }, ++ .spd[3] = {.read_type = NOT_EXISTING}, ++ ++ /* ++ * Rcomp resistor values. These values represent the resistance in ++ * ohms of the three rcomp resistors attached to the DDR_COMP_0, ++ * DDR_COMP_1, and DDR_COMP_2 pins on the DRAM. ++ */ ++ .rcomp_resistor = { 121, 81, 100 }, ++ ++ /* Rcomp target values */ ++ .rcomp_targets = { 100, 40, 20, 20, 26 }, ++ ++ /* ++ * Indicates whether memory is interleaved. ++ * Set to 1 for an interleaved design, ++ * set to 0 for non-interleaved design. ++ */ ++ .dq_pins_interleaved = 1, ++ ++ /* ++ * VREF_CA configuration. ++ * Set to 0 VREF_CA goes to both CH_A and CH_B, ++ * set to 1 VREF_CA goes to CH_A and VREF_DQ_A goes to CH_B, ++ * set to 2 VREF_CA goes to CH_A and VREF_DQ_B goes to CH_B. 
++ */ ++ .vref_ca_config = 2, ++ ++ /* Early Command Training */ ++ .ect = 0, ++}; ++ ++void mainboard_memory_init_params(FSPM_UPD *memupd) ++{ ++ cannonlake_memcfg_init(&memupd->FspmConfig, &memcfg); ++} +diff --git a/src/mainboard/purism/librem_whl/variants/librem_mini/gpio.c b/src/mainboard/purism/librem_whl/variants/librem_mini/gpio.c +new file mode 100644 +index 0000000000..a5b2dcafa3 +--- /dev/null ++++ b/src/mainboard/purism/librem_whl/variants/librem_mini/gpio.c +@@ -0,0 +1,229 @@ ++/* SPDX-License-Identifier: GPL-2.0-only */ ++ ++#include ++ ++/* Pad configuration in ramstage. */ ++static const struct pad_config gpio_table[] = { ++ ++/* ------- GPIO Group GPP_A ------- */ ++ ++_PAD_CFG_STRUCT(GPP_A0, 0x44000702, 0x0000), /* RCIN# */ ++_PAD_CFG_STRUCT(GPP_A1, 0x44000702, 0x3c00), /* LAD0 */ ++_PAD_CFG_STRUCT(GPP_A2, 0x44000702, 0x3c00), /* LAD1 */ ++_PAD_CFG_STRUCT(GPP_A3, 0x44000702, 0x3c00), /* LAD2 */ ++_PAD_CFG_STRUCT(GPP_A4, 0x44000702, 0x3c00), /* LAD3 */ ++_PAD_CFG_STRUCT(GPP_A5, 0x44000700, 0x0000), /* LFRAME# */ ++_PAD_CFG_STRUCT(GPP_A6, 0x44000700, 0x0000), /* SERIRQ */ ++_PAD_CFG_STRUCT(GPP_A7, 0x84000200, 0x0000), /* PIRQA# */ ++_PAD_CFG_STRUCT(GPP_A8, 0x44000700, 0x0000), /* CLKRUN# */ ++_PAD_CFG_STRUCT(GPP_A9, 0x44000700, 0x1000), /* CLKOUT_LPC0 */ ++_PAD_CFG_STRUCT(GPP_A10, 0x44000700, 0x1000), /* CLKOUT_LPC1 */ ++_PAD_CFG_STRUCT(GPP_A11, 0x40880201, 0x0000), /* PME# */ ++_PAD_CFG_STRUCT(GPP_A12, 0x84000201, 0x0000), /* BM_BUSY# */ ++_PAD_CFG_STRUCT(GPP_A13, 0x84000201, 0x0000), /* SUSWARN#/SUSPWRDNACK*/ ++_PAD_CFG_STRUCT(GPP_A14, 0x44000700, 0x0000), /* SUS_STAT# */ ++_PAD_CFG_STRUCT(GPP_A15, 0x84000201, 0x0000), /* SUSACK# */ ++_PAD_CFG_STRUCT(GPP_A16, 0x84000200, 0x3000), /* SD_1P8_SEL */ ++_PAD_CFG_STRUCT(GPP_A17, 0x84000201, 0x0000), /* SD_VDD1_PWR_EN# */ ++_PAD_CFG_STRUCT(GPP_A18, 0x44000300, 0x3000), /* ISH_GP0 */ ++_PAD_CFG_STRUCT(GPP_A19, 0x44000300, 0x3000), /* ISH_GP1 */ ++_PAD_CFG_STRUCT(GPP_A20, 0x44000300, 0x3000), /* ISH_GP2 */ 
++_PAD_CFG_STRUCT(GPP_A21, 0x44000300, 0x3000), /* ISH_GP3 */ ++_PAD_CFG_STRUCT(GPP_A22, 0x44000300, 0x3000), /* ISH_GP4 */ ++_PAD_CFG_STRUCT(GPP_A23, 0x44000300, 0x3000), /* ISH_GP5 */ ++ ++/* ------- GPIO Group GPP_B ------- */ ++ ++_PAD_CFG_STRUCT(GPP_B0, 0x84000700, 0x0000), /* Reserved */ ++_PAD_CFG_STRUCT(GPP_B1, 0x84000700, 0x0000), /* Reserved */ ++_PAD_CFG_STRUCT(GPP_B2, 0x84000201, 0x0000), /* VRALERT# */ ++_PAD_CFG_STRUCT(GPP_B3, 0x84000201, 0x0000), /* CPU_GP2 */ ++_PAD_CFG_STRUCT(GPP_B4, 0x84000201, 0x0000), /* CPU_GP3 */ ++_PAD_CFG_STRUCT(GPP_B5, 0x44000300, 0x0000), /* SRCCLKREQ0# */ ++_PAD_CFG_STRUCT(GPP_B6, 0x44000300, 0x0000), /* SRCCLKREQ1# */ ++_PAD_CFG_STRUCT(GPP_B7, 0x44000300, 0x0000), /* SRCCLKREQ2# */ ++_PAD_CFG_STRUCT(GPP_B8, 0x44000300, 0x0000), /* SRCCLKREQ3# */ ++_PAD_CFG_STRUCT(GPP_B9, 0x44000300, 0x0000), /* SRCCLKREQ4# */ ++_PAD_CFG_STRUCT(GPP_B10, 0x44000300, 0x0000), /* SRCCLKREQ5# */ ++_PAD_CFG_STRUCT(GPP_B11, 0x84000201, 0x0000), /* EXT_PWR_GATE# */ ++_PAD_CFG_STRUCT(GPP_B12, 0x44000700, 0x0000), /* SLP_S0# */ ++_PAD_CFG_STRUCT(GPP_B13, 0x44000700, 0x0000), /* PLTRST# */ ++_PAD_CFG_STRUCT(GPP_B14, 0x84000201, 0x0000), /* SPKR */ ++_PAD_CFG_STRUCT(GPP_B15, 0x80000701, 0x0000), /* GSPI0_CS0# */ ++_PAD_CFG_STRUCT(GPP_B16, 0x84000601, 0x0000), /* GSPI0_CLK */ ++_PAD_CFG_STRUCT(GPP_B17, 0x44000502, 0x0000), /* GSPI0_MISO */ ++_PAD_CFG_STRUCT(GPP_B18, 0x84000601, 0x0000), /* GSPI0_MOSI */ ++_PAD_CFG_STRUCT(GPP_B19, 0x84000400, 0x0000), /* GSPI1_CS0# */ ++_PAD_CFG_STRUCT(GPP_B20, 0x84000400, 0x0000), /* GSPI1_CLK */ ++_PAD_CFG_STRUCT(GPP_B21, 0x84000402, 0x0000), /* GSPI1_MISO */ ++_PAD_CFG_STRUCT(GPP_B22, 0x84000400, 0x0000), /* GSPI1_MOSI */ ++_PAD_CFG_STRUCT(GPP_B23, 0x44000201, 0x0000), /* SML1ALERT# */ ++ ++/* ------- GPIO Group GPP_G ------- */ ++ ++_PAD_CFG_STRUCT(GPP_G0, 0x84000200, 0x0000), /* SD_CMD */ ++_PAD_CFG_STRUCT(GPP_G1, 0x84000300, 0x0000), /* SD_DATA0 */ ++_PAD_CFG_STRUCT(GPP_G2, 0x84000300, 0x0000), /* SD_DATA1 */ 
++_PAD_CFG_STRUCT(GPP_G3, 0x84000300, 0x0000), /* SD_DATA2 */ ++_PAD_CFG_STRUCT(GPP_G4, 0x84000300, 0x0000), /* SD_DATA3 */ ++_PAD_CFG_STRUCT(GPP_G5, 0x84000300, 0x3000), /* SD3_CD# */ ++_PAD_CFG_STRUCT(GPP_G6, 0x84000300, 0x0000), /* SD3_CLK */ ++_PAD_CFG_STRUCT(GPP_G7, 0x84000300, 0x1000), /* SD3_WP */ ++ ++/* ------- GPIO Group GPP_D ------- */ ++ ++_PAD_CFG_STRUCT(GPP_D0, 0x44000300, 0x0000), /* SPI1_CS# */ ++_PAD_CFG_STRUCT(GPP_D1, 0x44000300, 0x0000), /* SPI1_CLK */ ++_PAD_CFG_STRUCT(GPP_D2, 0x44000300, 0x0000), /* SPI1_MISO */ ++_PAD_CFG_STRUCT(GPP_D3, 0x44000300, 0x0000), /* SPI1_MOSI */ ++_PAD_CFG_STRUCT(GPP_D4, 0x44000300, 0x0000), /* IMGCLKOUT0 */ ++_PAD_CFG_STRUCT(GPP_D5, 0x44000700, 0x0000), /* ISH_I2C0_SDA */ ++_PAD_CFG_STRUCT(GPP_D6, 0x44000700, 0x0000), /* ISH_I2C0_SCL */ ++_PAD_CFG_STRUCT(GPP_D7, 0x84000201, 0x0000), /* ISH_I2C1_SDA */ ++_PAD_CFG_STRUCT(GPP_D8, 0x84000200, 0x0000), /* ISH_I2C1_SCL */ ++_PAD_CFG_STRUCT(GPP_D9, 0x84000201, 0x0000), /* ISH_SPI_CS# */ ++_PAD_CFG_STRUCT(GPP_D10, 0x84000201, 0x0000), /* ISH_SPI_CLK */ ++_PAD_CFG_STRUCT(GPP_D11, 0x44000201, 0x3000), /* ISH_SPI_MISO */ ++_PAD_CFG_STRUCT(GPP_D12, 0x42100102, 0x3000), /* ISH_SPI_MOSI */ ++_PAD_CFG_STRUCT(GPP_D13, 0x44000201, 0x0000), /* ISH_UART0_RXD */ ++_PAD_CFG_STRUCT(GPP_D14, 0x84000201, 0x0000), /* ISH_UART0_TXD */ ++_PAD_CFG_STRUCT(GPP_D15, 0x84000201, 0x0000), /* ISH_UART0_RTS# */ ++_PAD_CFG_STRUCT(GPP_D16, 0x44000200, 0x0000), /* ISH_UART0_CTS# */ ++_PAD_CFG_STRUCT(GPP_D17, 0x44000700, 0x0000), /* DMIC_CLK1 */ ++_PAD_CFG_STRUCT(GPP_D18, 0x44000700, 0x0000), /* DMIC_DATA1 */ ++_PAD_CFG_STRUCT(GPP_D19, 0x44000700, 0x0000), /* DMIC_CLK0 */ ++_PAD_CFG_STRUCT(GPP_D20, 0x44000700, 0x0000), /* DMIC_DATA0 */ ++_PAD_CFG_STRUCT(GPP_D21, 0x44000300, 0x0000), /* SPI1_IO2 */ ++_PAD_CFG_STRUCT(GPP_D22, 0x44000300, 0x0000), /* SPI1_IO3 */ ++_PAD_CFG_STRUCT(GPP_D23, 0x44000300, 0x0000), /* I2S_MCLK */ ++ ++/* ------- GPIO Group GPP_F ------- */ ++ ++_PAD_CFG_STRUCT(GPP_F0, 
0x84000301, 0x0000), /* CNV_PA_BLANKING */ ++_PAD_CFG_STRUCT(GPP_F1, 0x84000200, 0x0000), /* GPIO */ ++_PAD_CFG_STRUCT(GPP_F2, 0x84000201, 0x3000), /* GPIO */ ++_PAD_CFG_STRUCT(GPP_F3, 0x84000200, 0x3000), /* GPIO */ ++_PAD_CFG_STRUCT(GPP_F4, 0x44000700, 0x3000), /* CNV_BRI_DT */ ++_PAD_CFG_STRUCT(GPP_F5, 0x44000702, 0x3000), /* CNV_BRI_RSP */ ++_PAD_CFG_STRUCT(GPP_F6, 0x44000700, 0x3000), /* CNV_RGI_DT */ ++_PAD_CFG_STRUCT(GPP_F7, 0x44000702, 0x3000), /* CNV_RGI_RSP */ ++_PAD_CFG_STRUCT(GPP_F8, 0x44000300, 0x0000), /* CNV_MFUART2_RXD */ ++_PAD_CFG_STRUCT(GPP_F9, 0x44000300, 0x0000), /* CNV_MFUART2_TXD */ ++_PAD_CFG_STRUCT(GPP_F10, 0x84000201, 0x0000), /* GPIO */ ++_PAD_CFG_STRUCT(GPP_F11, 0x44000300, 0x0000), /* EMMC_CMD */ ++_PAD_CFG_STRUCT(GPP_F12, 0x44000300, 0x0000), /* EMMC_DATA0 */ ++_PAD_CFG_STRUCT(GPP_F13, 0x44000300, 0x0000), /* EMMC_DATA1 */ ++_PAD_CFG_STRUCT(GPP_F14, 0x44000300, 0x0000), /* EMMC_DATA2 */ ++_PAD_CFG_STRUCT(GPP_F15, 0x44000300, 0x0000), /* EMMC_DATA3 */ ++_PAD_CFG_STRUCT(GPP_F16, 0x44000300, 0x0000), /* EMMC_DATA4 */ ++_PAD_CFG_STRUCT(GPP_F17, 0x44000300, 0x0000), /* EMMC_DATA5 */ ++_PAD_CFG_STRUCT(GPP_F18, 0x44000300, 0x0000), /* EMMC_DATA6 */ ++_PAD_CFG_STRUCT(GPP_F19, 0x44000300, 0x0000), /* EMMC_DATA7 */ ++_PAD_CFG_STRUCT(GPP_F20, 0x44000300, 0x0000), /* EMMC_RCLK */ ++_PAD_CFG_STRUCT(GPP_F21, 0x44000300, 0x0000), /* EMMC_CLK */ ++_PAD_CFG_STRUCT(GPP_F22, 0x44000300, 0x0000), /* EMMC_RESET# */ ++_PAD_CFG_STRUCT(GPP_F23, 0x44000700, 0x1000), /* A4WP_PRESENT */ ++ ++/* ------- GPIO Group GPP_H ------- */ ++ ++_PAD_CFG_STRUCT(GPP_H0, 0x44000300, 0x3000), /* I2S2_SCLK */ ++_PAD_CFG_STRUCT(GPP_H1, 0x44000f00, 0x3000), /* CNV_RF_RESET# */ ++_PAD_CFG_STRUCT(GPP_H2, 0x84000f00, 0x3000), /* MODEM_CLKREQ */ ++_PAD_CFG_STRUCT(GPP_H3, 0x84000300, 0x3000), /* I2S2_RXD */ ++_PAD_CFG_STRUCT(GPP_H4, 0x84000300, 0x0000), /* I2C2_SDA */ ++_PAD_CFG_STRUCT(GPP_H5, 0x84000300, 0x0000), /* I2C2_SCL */ ++_PAD_CFG_STRUCT(GPP_H6, 0x84000702, 0x0000), /* 
I2C3_SDA */ ++_PAD_CFG_STRUCT(GPP_H7, 0x84000702, 0x0000), /* I2C3_SCL */ ++_PAD_CFG_STRUCT(GPP_H8, 0x84000702, 0x0000), /* I2C4_SDA */ ++_PAD_CFG_STRUCT(GPP_H9, 0x84000702, 0x0000), /* I2C4_SCL */ ++_PAD_CFG_STRUCT(GPP_H10, 0x84000603, 0x0000), /* I2C5_SDA */ ++_PAD_CFG_STRUCT(GPP_H11, 0x84000603, 0x0000), /* I2C5_SCL */ ++_PAD_CFG_STRUCT(GPP_H12, 0x84000201, 0x0000), /* M2_SKT2_CFG0 */ ++_PAD_CFG_STRUCT(GPP_H13, 0x84000201, 0x0000), /* M2_SKT2_CFG1 */ ++_PAD_CFG_STRUCT(GPP_H14, 0x84000200, 0x0000), /* M2_SKT2_CFG2 */ ++_PAD_CFG_STRUCT(GPP_H15, 0x84000201, 0x0000), /* M2_SKT2_CFG3 */ ++_PAD_CFG_STRUCT(GPP_H16, 0x84000201, 0x0000), /* GPIO */ ++_PAD_CFG_STRUCT(GPP_H17, 0x84000201, 0x0000), /* GPIO */ ++_PAD_CFG_STRUCT(GPP_H18, 0x84000700, 0x0000), /* CPU_C10_GATE# */ ++_PAD_CFG_STRUCT(GPP_H19, 0x84000201, 0x0000), /* TIME_SYNC0 */ ++_PAD_CFG_STRUCT(GPP_H20, 0x84000300, 0x0000), /* IMGCLKOUT1 */ ++_PAD_CFG_STRUCT(GPP_H21, 0x84000200, 0x0000), /* GPIO */ ++_PAD_CFG_STRUCT(GPP_H22, 0x84000201, 0x0000), /* GPIO */ ++_PAD_CFG_STRUCT(GPP_H23, 0x84000200, 0x0000), /* GPIO */ ++ ++/* ------- GPIO Group GPD ------- */ ++ ++_PAD_CFG_STRUCT(GPD0, 0x44000702, 0x0000), /* BATLOW# */ ++_PAD_CFG_STRUCT(GPD1, 0x44000702, 0x3c00), /* ACPRESENT */ ++_PAD_CFG_STRUCT(GPD2, 0x44000702, 0x3c00), /* LAN_WAKE# */ ++_PAD_CFG_STRUCT(GPD3, 0x44000702, 0x3000), /* PRWBTN# */ ++_PAD_CFG_STRUCT(GPD4, 0x44000600, 0x0000), /* SLP_S3# */ ++_PAD_CFG_STRUCT(GPD5, 0x44000600, 0x0000), /* SLP_S4# */ ++_PAD_CFG_STRUCT(GPD6, 0x44000600, 0x0000), /* SLP_A# */ ++_PAD_CFG_STRUCT(GPD7, 0x44000200, 0x0000), /* GPIO */ ++_PAD_CFG_STRUCT(GPD8, 0x44000700, 0x0000), /* SUSCLK */ ++_PAD_CFG_STRUCT(GPD9, 0x44000700, 0x0000), /* SLP_WLAN# */ ++_PAD_CFG_STRUCT(GPD10, 0x44000600, 0x0000), /* SLP_S5# */ ++_PAD_CFG_STRUCT(GPD11, 0x44000600, 0x0000), /* LANPHYPC */ ++ ++/* ------- GPIO Group GPP_C ------- */ ++ ++_PAD_CFG_STRUCT(GPP_C0, 0x44000702, 0x0000), /* SMBCLK */ ++_PAD_CFG_STRUCT(GPP_C1, 0x44000702, 0x0000), /* 
SMBDATA */ ++_PAD_CFG_STRUCT(GPP_C2, 0x44000201, 0x0000), /* SMBALERT# */ ++_PAD_CFG_STRUCT(GPP_C3, 0x44000702, 0x0000), /* SML0CLK */ ++_PAD_CFG_STRUCT(GPP_C4, 0x44000702, 0x0000), /* SML0DATA */ ++_PAD_CFG_STRUCT(GPP_C5, 0x84000201, 0x0000), /* SML0ALERT# */ ++_PAD_CFG_STRUCT(GPP_C6, 0x44000300, 0x0000), /* SML1CLK */ ++_PAD_CFG_STRUCT(GPP_C7, 0x44000300, 0x0000), /* SML1DATA */ ++_PAD_CFG_STRUCT(GPP_C8, 0x84000201, 0x0000), /* UART0_RXD */ ++_PAD_CFG_STRUCT(GPP_C9, 0x84000201, 0x0000), /* UART0_TXD */ ++_PAD_CFG_STRUCT(GPP_C10, 0x84000200, 0x0000), /* UART0_RTS# */ ++_PAD_CFG_STRUCT(GPP_C11, 0x84000201, 0x0000), /* UART0_CTS# */ ++_PAD_CFG_STRUCT(GPP_C12, 0x84000603, 0x0000), /* UART1_RXD */ ++_PAD_CFG_STRUCT(GPP_C13, 0x84000700, 0x0000), /* UART1_TXD */ ++_PAD_CFG_STRUCT(GPP_C14, 0x84000700, 0x0000), /* UART1_RTS# */ ++_PAD_CFG_STRUCT(GPP_C15, 0x84000702, 0x0000), /* UART1_CTS# */ ++_PAD_CFG_STRUCT(GPP_C16, 0x84000402, 0x0000), /* I2C0_SDA */ ++_PAD_CFG_STRUCT(GPP_C17, 0x84000402, 0x0000), /* I2C0_SCL */ ++_PAD_CFG_STRUCT(GPP_C18, 0x44000702, 0x0000), /* I2C1_SDA */ ++_PAD_CFG_STRUCT(GPP_C19, 0x44000702, 0x0000), /* I2C1_SCL */ ++_PAD_CFG_STRUCT(GPP_C20, 0x44000300, 0x0000), /* UART2_RXD */ ++_PAD_CFG_STRUCT(GPP_C21, 0x44000300, 0x0000), /* UART2_TXD */ ++_PAD_CFG_STRUCT(GPP_C22, 0x84000201, 0x0000), /* UART2_RTS# */ ++_PAD_CFG_STRUCT(GPP_C23, 0x40100102, 0x1000), /* UART2_CTS# */ ++ ++/* ------- GPIO Group GPP_E ------- */ ++ ++_PAD_CFG_STRUCT(GPP_E0, 0x84000300, 0x0000), /* SATAXPCIE0 */ ++_PAD_CFG_STRUCT(GPP_E1, 0x84000300, 0x0000), /* SATAXPCIE1 */ ++_PAD_CFG_STRUCT(GPP_E2, 0x84000502, 0x3000), /* SATAXPCIE2 */ ++_PAD_CFG_STRUCT(GPP_E3, 0x82040102, 0x0000), /* CPU_GP0 */ ++_PAD_CFG_STRUCT(GPP_E4, 0x84000201, 0x0000), /* SATA_DEVSLP0 */ ++_PAD_CFG_STRUCT(GPP_E5, 0x84000300, 0x0000), /* SATA_DEVSLP1 */ ++_PAD_CFG_STRUCT(GPP_E6, 0x84000300, 0x0000), /* SATA_DEVSLP2 */ ++_PAD_CFG_STRUCT(GPP_E7, 0x82000102, 0x0000), /* CPU_GP1 */ ++_PAD_CFG_STRUCT(GPP_E8, 
0x84000700, 0x0000), /* SATALED# */ ++_PAD_CFG_STRUCT(GPP_E9, 0x44001700, 0x0000), /* USB2_OC0# */ ++_PAD_CFG_STRUCT(GPP_E10, 0x44001700, 0x0000), /* USB2_OC1# */ ++_PAD_CFG_STRUCT(GPP_E11, 0x44000702, 0x0000), /* USB2_OC2# */ ++_PAD_CFG_STRUCT(GPP_E12, 0x44000702, 0x0000), /* USB2_OC3# */ ++_PAD_CFG_STRUCT(GPP_E13, 0x84000700, 0x0000), /* DDPB_HPD0 */ ++_PAD_CFG_STRUCT(GPP_E14, 0x84000702, 0x0000), /* DDPC_HPD1 */ ++_PAD_CFG_STRUCT(GPP_E15, 0x84000201, 0x0000), /* DDPD_HPD2 */ ++_PAD_CFG_STRUCT(GPP_E16, 0x80880102, 0x3000), /* GPIO */ ++_PAD_CFG_STRUCT(GPP_E17, 0x84000700, 0x0000), /* EDP_HPD */ ++_PAD_CFG_STRUCT(GPP_E18, 0x84000702, 0x0000), /* DPPB_CTRLCLK */ ++_PAD_CFG_STRUCT(GPP_E19, 0x84000602, 0x0000), /* DPPB_CTRLDATA */ ++_PAD_CFG_STRUCT(GPP_E20, 0x84000700, 0x0000), /* DPPC_CTRLCLK */ ++_PAD_CFG_STRUCT(GPP_E21, 0x84000602, 0x0000), /* DPPC_CTRLDATA */ ++_PAD_CFG_STRUCT(GPP_E22, 0x84000702, 0x0000), /* DPPD_CTRLCLK */ ++_PAD_CFG_STRUCT(GPP_E23, 0x84000602, 0x0000), /* DPPD_CTRLDATA */ ++ ++}; ++ ++const struct pad_config *variant_gpio_table(size_t *num) ++{ ++ *num = ARRAY_SIZE(gpio_table); ++ return gpio_table; ++} +diff --git a/src/mainboard/purism/librem_whl/variants/librem_mini/hda_verb.c b/src/mainboard/purism/librem_whl/variants/librem_mini/hda_verb.c +new file mode 100644 +index 0000000000..c3daf3c5ed +--- /dev/null ++++ b/src/mainboard/purism/librem_whl/variants/librem_mini/hda_verb.c +@@ -0,0 +1,33 @@ ++/* SPDX-License-Identifier: GPL-2.0-only */ ++ ++#include ++ ++const u32 cim_verb_data[] = { ++ 0x10ec0269, /* Codec Vendor/Device ID: Realtek ALC293 */ ++ 0x10ec0000, /* Subsystem ID */ ++ 11, /* Number of entries */ ++ ++ AZALIA_SUBVENDOR(0, 0x10ec0000), ++ AZALIA_PIN_CFG(0, 0x12, 0x40000000), ++ AZALIA_PIN_CFG(0, 0x15, 0x01214010), ++ AZALIA_PIN_CFG(0, 0x17, 0x411111f0), ++ AZALIA_PIN_CFG(0, 0x18, 0x01a19130), ++ AZALIA_PIN_CFG(0, 0x19, 0x411111f0), ++ AZALIA_PIN_CFG(0, 0x1a, 0x411111f0), ++ AZALIA_PIN_CFG(0, 0x1b, 0x411111f0), ++ 
AZALIA_PIN_CFG(0, 0x1d, 0x40422201), ++ AZALIA_PIN_CFG(0, 0x1e, 0x411111f0), ++ ++ 0x8086280b, /* Codec Vendor/Device ID: Intel CannonPoint HDMI */ ++ 0x80860101, /* Subsystem ID */ ++ 4, /* Number of entries */ ++ ++ AZALIA_SUBVENDOR(2, 0x80860101), ++ AZALIA_PIN_CFG(2, 0x05, 0x18560010), ++ AZALIA_PIN_CFG(2, 0x06, 0x18560020), ++ AZALIA_PIN_CFG(2, 0x07, 0x18560030), ++}; ++ ++const u32 pc_beep_verbs[] = {}; ++ ++AZALIA_ARRAY_SIZES; +diff --git a/src/mainboard/purism/librem_whl/variants/librem_mini/include/variant/gpio.h b/src/mainboard/purism/librem_whl/variants/librem_mini/include/variant/gpio.h +new file mode 100644 +index 0000000000..9094b0419d +--- /dev/null ++++ b/src/mainboard/purism/librem_whl/variants/librem_mini/include/variant/gpio.h +@@ -0,0 +1,11 @@ ++/* SPDX-License-Identifier: GPL-2.0-only */ ++ ++#ifndef VARIANT_GPIO_H ++#define VARIANT_GPIO_H ++ ++#include ++#include ++ ++const struct pad_config *variant_gpio_table(size_t *num); ++ ++#endif +-- +2.20.1 + From 480a2e11301127026c317909a6f37380505148a0 Mon Sep 17 00:00:00 2001 From: tlaurion Date: Wed, 2 Sep 2020 14:41:29 -0400 Subject: [PATCH 185/189] modules/fbwhiptail: fixate to latest commit ID to make sure Heads commit would produce the same binary signature long term. (#820) --- modules/fbwhiptail | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/modules/fbwhiptail b/modules/fbwhiptail index f54a62d82..1965ecc0f 100644 --- a/modules/fbwhiptail +++ b/modules/fbwhiptail 
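Review bot: The Realtek header in `cim_verb_data[]` declares `11, /* Number of entries */`, but only ten entries follow it in the nested hda_verb.c hunk (one `AZALIA_SUBVENDOR` and nine `AZALIA_PIN_CFG` lines), and its `+1,33` header matches the 33 lines shown, so no line was lost in rendering. A loader that walks the table by the declared count (presumably coreboot's verb lookup, which is not shown here) would read the start of the Intel HDMI block as Realtek verbs and then look for the next codec header at the wrong offset. Unless a pin entry was dropped by mistake, the count should read `10, /* Number of entries */`. The comment also names the codec ALC293 while the ID is `0x10ec0269`, so one of the two appears to need correcting. This hunk is carried inside the coreboot patch file that the commit adds, and it is fully visible here.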
@@ -2,9 +2,11 @@ modules-$(CONFIG_FBWHIPTAIL) += fbwhiptail fbwhiptail_depends := cairo $(musl_dep) -fbwhiptail_version := git -fbwhiptail_dir := fbwhiptail -fbwhiptail_repo := https://source.puri.sm/coreboot/fbwhiptail.git +fbwhiptail_version := e5001e925d5ac791d4cb8fb4cf9d3fb97cde3e51 +fbwhiptail_dir := fbwhiptail-$(fbwhiptail_version) +fbwhiptail_tar := fbwhiptail-master.tar.gz +fbwhiptail_url := https://source.puri.sm/coreboot/fbwhiptail/-/archive/$(fbwhiptail_version)/$(fbwhiptail_tar) +fbwhiptail_hash := 51f1a56541f73b70f370a676e170cb5ad71703f3b21d5b6668482cb9ebcf82e6 fbwhiptail_target := \ $(MAKE_JOBS) \ From 8067efc9aecdc1cfb254528706979323ec49c12c Mon Sep 17 00:00:00 2001 From: tlaurion Date: Wed, 2 Sep 2020 14:42:55 -0400 Subject: [PATCH 186/189] CircleCI: bring recent failing logs on CI output (#822) --- .circleci/config.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 84a905068..b59d382b9 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -65,7 +65,7 @@ jobs: command: | rm -rf build/x230-flash/* build/log/* && make --load 2 \ V=1 \ - BOARD=x230-flash \ + BOARD=x230-flash || (find ./build/log/ -cmin 1|xargs tail; exit 1) \ no_output_timeout: 3h - run: name: Ouput x230-flash hashes @@ -83,7 +83,7 @@ jobs: command: | rm -rf build/t430-flash/* build/log/* && make --load 2 \ V=1 \ - BOARD=t430-flash \ + BOARD=t430-flash || (find ./build/log/ -cmin 1|xargs tail; exit 1) \ no_output_timeout: 3h - run: name: Ouput t430-flash hashes @@ -101,7 +101,7 @@ jobs: command: | rm -rf build/t430/* build/log/* && make --load 2 \ V=1 \ - BOARD=t430 \ + BOARD=t430 || (find ./build/log/ -cmin 1|xargs tail; exit 1) \ no_output_timeout: 3h - run: name: Ouput t430 hashes 
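Review bot: `fbwhiptail_tar := fbwhiptail-master.tar.gz` keeps a branch name in the archive's file name although the download is now pinned to a commit, so the cached file no longer says which revision it holds. If the download cache is keyed by `fbwhiptail_tar` (the fetch and verify rules are not in this hunk), the next bump of `fbwhiptail_version` would find a stale file of the same name and fail the `fbwhiptail_hash` check until the cache is cleared. `fbwhiptail_tar := fbwhiptail-$(fbwhiptail_version).tar.gz` avoids that. A comment above `fbwhiptail_hash` such as `# digest of the forge-generated archive; re-verify if the forge changes how it builds tarballs` would also help, because generated archives are not guaranteed to stay byte-identical. The module definition continues below the hunk.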
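Review bot: In the failure branch added after `BOARD=x230-flash`, `find ./build/log/ -cmin 1` tests for an exact one-minute age rather than "changed within the last minute", so whether the failing module's log gets printed depends on timing. A "less than" test restricted to regular files is more predictable: `BOARD=x230-flash || (find ./build/log/ -type f -cmin -2 | xargs -r tail; exit 1) \`. With GNU xargs, `-r` keeps `tail` from running with no file argument when nothing matches. The same line is added in the hunks for t430-flash, t430, x230, x230-hotp-verification and qemu-coreboot.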
@@ -119,7 +119,7 @@ jobs: command: | rm -rf build/x230/* build/log/* && make --load 2 \ V=1 \ - BOARD=x230 \ + BOARD=x230 || (find ./build/log/ -cmin 1|xargs tail; exit 1) \ no_output_timeout: 3h - run: name: Ouput x230 hashes @@ -137,7 +137,7 @@ jobs: command: | rm -rf build/x230-hotp-verification/* build/log/* && make --load 2 \ V=1 \ - BOARD=x230-hotp-verification \ + BOARD=x230-hotp-verification || (find ./build/log/ -cmin 1|xargs tail; exit 1) \ no_output_timeout: 3h - run: name: Ouput x230-hotp-verification hashes @@ -173,7 +173,7 @@ jobs: command: | rm -rf build/qemu-coreboot/* build/log/* && make --load 2 \ V=1 \ - BOARD=qemu-coreboot \ + BOARD=qemu-coreboot || (find ./build/log/ -cmin 1|xargs tail; exit 1) \ no_output_timeout: 3h - run: name: Output qemu-coreboot hashes From b2c49e8742d8f8aa2de2adaca5508ad9f0053dc8 Mon Sep 17 00:00:00 2001 From: tlaurion Date: Thu, 3 Sep 2020 22:02:16 -0400 Subject: [PATCH 187/189] CircleCI: removing librem_mini board under CircleCI (#825) Coreboot 4.12, on which the librem_mini depends, doesn't build under debian:10 docker image as of right now. It was building over debian:bullseye (where 4.8.1 boards didn't) which constructed a valid cache that was reused when building #806 (https://app.circleci.com/pipelines/github/tlaurion/heads/364/workflows/df9bad8d-8ff1-40da-b8d8-1b87a05be509/jobs/392) Consequently, more troubleshooting would need to be done under local debian:10 docker image. --- .circleci/config.yml | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index b59d382b9..b73fea41b 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -150,24 +150,6 @@ jobs: - store-artifacts: path: build/x230-hotp-verification - - run: - name: librem_mini - command: | - rm -rf build/librem_mini/* build/log/* && make --load 2 \ - V=1 \ - BOARD=librem_mini \ - no_output_timeout: 3h - - run: - name: Ouput librem_mini hashes - command: | - cat build/librem_mini/hashes.txt \ - - run: - name: Archiving build logs for librem_mini - command: | - tar zcvf build/librem_mini/logs.tar.gz build/log/* - - store-artifacts: - path: build/librem_mini - - run: name: qemu-coreboot command: | From 843d4adb4c4b9fdd108712a3fa5a5f8e6352621f Mon Sep 17 00:00:00 2001 From: Patrick Rudolph <36034716+PatrickRudolph@users.noreply.github.com> Date: Fri, 4 Sep 2020 20:01:47 +0200 Subject: [PATCH 188/189] blobs/*: Fix extract script (#792) Command returns a list of utilities found. This can happen if multiple coreboot folders are present. Use only one to fix a crash in the following lines. Test: Being able to extract blobs when two coreboot folders are present, both containing an IFDTOOL. Signed-off-by: Patrick Rudolph --- blobs/t420/extract.sh | 4 ++-- blobs/x220/extract.sh | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/blobs/t420/extract.sh b/blobs/t420/extract.sh index e34c3f907..422924741 100755 --- a/blobs/t420/extract.sh +++ b/blobs/t420/extract.sh @@ -28,7 +28,7 @@ while getopts ":f:m:i:" opt; do done if [ -z "$MECLEAN" ]; then - MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1` + MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1|head -n1` if [ -z "$MECLEAN" ]; then echo "me_cleaner.py required but not found or specified with -m. Aborting." exit 1; 
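Review bot: The added `|head -n1` silently takes whichever `build/coreboot-*` directory the glob expands first, so with several coreboot trees present the script may run a different `me_cleaner.py` than the one the board is built with, and nothing tells the user which was chosen. Because the substitution keeps `2>&1`, any text written to stderr can also become that first line and be taken as the tool path. Consider `MECLEAN=$(command -v "$BLOBDIR"/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>/dev/null | head -n1)` followed by `echo "Using $MECLEAN"`, with `$BLOBDIR` quoted so that a path containing spaces is not split. The same applies to the `IFDTOOL` hunk in this file and to both hunks in `blobs/x220/extract.sh`. The enclosing `if` blocks extend beyond the hunks.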
@@ -36,7 +36,7 @@ if [ -z "$MECLEAN" ]; then fi if [ -z "$IFDTOOL" ]; then - IFDTOOL=`command -v $BLOBDIR/../../build/coreboot-*/util/ifdtool/ifdtool 2>&1` + IFDTOOL=`command -v $BLOBDIR/../../build/coreboot-*/util/ifdtool/ifdtool 2>&1|head -n1` if [ -z "$IFDTOOL" ]; then echo "ifdtool required but not found or specified with -m. Aborting." exit 1; diff --git a/blobs/x220/extract.sh b/blobs/x220/extract.sh index e34c3f907..422924741 100755 --- a/blobs/x220/extract.sh +++ b/blobs/x220/extract.sh @@ -28,7 +28,7 @@ while getopts ":f:m:i:" opt; do done if [ -z "$MECLEAN" ]; then - MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1` + MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1|head -n1` if [ -z "$MECLEAN" ]; then echo "me_cleaner.py required but not found or specified with -m. Aborting." exit 1; @@ -36,7 +36,7 @@ if [ -z "$MECLEAN" ]; then fi if [ -z "$IFDTOOL" ]; then - IFDTOOL=`command -v $BLOBDIR/../../build/coreboot-*/util/ifdtool/ifdtool 2>&1` + IFDTOOL=`command -v $BLOBDIR/../../build/coreboot-*/util/ifdtool/ifdtool 2>&1|head -n1` if [ -z "$IFDTOOL" ]; then echo "ifdtool required but not found or specified with -m. Aborting." exit 1; From 5d95158ac44714f85b66d4541b86d7f8c5068d1d Mon Sep 17 00:00:00 2001 From: Sebastian McMillan <22755892+SebastianMcMillan@users.noreply.github.com> Date: Thu, 6 Jun 2019 19:30:39 -0500 Subject: [PATCH 189/189] Update and rename x230-flash.init to install.init --- initrd/bin/x230-flash.init | 26 -------------------------- 1 file changed, 26 deletions(-) delete mode 100755 initrd/bin/x230-flash.init diff --git a/initrd/bin/x230-flash.init b/initrd/bin/x230-flash.init deleted file mode 100755 index 0ba456f79..000000000 --- a/initrd/bin/x230-flash.init +++ /dev/null 
@@ -1,26 +0,0 @@
-#!/bin/sh
-# Initialize the USB and network device drivers,
-# invoke a recovery shell and prompt the user for how to proceed
-
-. /etc/functions
-. /tmp/config
-
-insmod /lib/modules/ehci-hcd.ko
-insmod /lib/modules/ehci-pci.ko
-insmod /lib/modules/xhci-hcd.ko
-insmod /lib/modules/xhci-pci.ko
-insmod /lib/modules/e1000e.ko
-insmod /lib/modules/usb-storage.ko
-
-tpm extend -ix 4 -ic recovery
-sleep 2
-
-echo '***** Starting recovery shell'
-echo ''
-echo 'To install from flash drive:'
-echo ''
-echo ' mount -o ro /dev/sdb1 /media'
-echo ' flash.sh /media/x230.rom'
-echo ''
-
-exec /bin/ash