Merged
Besides the fact that keylime-init uses a local network location for downloading something, it is unused. Remove dead code. What is this anyways?
update file hashes to match Purism fork
update file hashes to match Purism fork
update Librem blobs
Signed-off-by: Trammell Hudson <hudson@trmm.net>
Add `--strip 1` to tar file extraction in the `Makefile`, which ensures that the directory name in `build/` will match the one listed in `$($(MODULE)_dir)`. Signed-off-by: Trammell Hudson <hudson@trmm.net>
Signed-off-by: Trammell Hudson <hudson@trmm.net>
Signed-off-by: Trammell Hudson <hudson@trmm.net>
Update hashes for CPU microcode, git releases repo, precompiled images used for extraction Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
When commit [928f003] config-gui: add 'Full Reset' option was added, the bottom end of the save config option was accidentally truncated; restore it to fix the save config option Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Users may wish to temporarily boot an OS from a drive other than their primary boot drive, without changing the default and saving to ROM. Mounting /boot after changing the device selection facilitates this by allowing the user to then choose an unsafe boot from the newly-selected boot drive. Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
If the user chooses to flash a "cleaned" ROM (not persisting settings or GPG keys) then the signatures on /boot are no longer valid, so clear them out. This allows for the OEM factory reset prompt to be shown on the next boot. Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Normally we resort to default passwords for OEM reset, however we have a use case where it would be convenient to set a custom password instead. This patch adds a simple prompt (that defaults to the defaults if you hit Enter) that enables someone using the OEM reset to enter a single password that will replace the defaults (TPM, GPG Admin, GPG User).
If kexec-sign-config fails due to the GPG key not being present, the double die() results in a kernel panic (and if it didn't, /boot would be left mounted RW). Fix this by removing the call to die() and ensuring /boot is remounted RO regardless of checksum update success or failure. Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Drop coreinfo/memtest secondary payloads as they are not usable with Linux as primary payload. Leftover copy-pasta from original SeaBIOS configs. Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Automatic /boot detection will fall back to /dev/sd* Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Update text on TOTP error prompt to provide better guidance for users following the use of the OEM factory reset function Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
If /boot isn't mounted, we can't read the HOTP counter, so no point in reading from the TPM. This speeds up getting to the main menu in the case of an inaccessible or non-existent /boot. Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Disabling IOMMU on the iGPU for Heads (mostly) eliminates display corruption when kexec'ing to new kernel (and has no effect on iGPU/IOMMU for kexec'ed kernel) Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Resync with Purism tree
Update Librem configs
gui-init: update TOTP error prompt
unseal-hotp: ensure /boot mounted before checking HOTP secret
Since the custom password is used to set the GPG admin password as well as the TPM and GPG user passwords, an 8-character minimum is required. Inform the user of this, and validate custom password length upon entry. Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
oem-factory-reset: enforce 8-char min on custom password
As in many cases in Heads, not any key will work, just Enter. Signed-off-by: Martin Kepplinger <martin.kepplinger@puri.sm>
oem-factory-reset: Fix description for rebooting when finished
The short commit id can potentially cause the root directory in the tar archive to be named with the short id, causing the verification to fail
Update distro keys to the latest with updated expiration dates
Fix kexec and repro
Pass through new toolchain path via $(CROSS) so we can set the c/c++ compiler paths correctly for CMake. Adjust patch to use new paths, and fix compiler/linker paths to correct a libusb linking issue. Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Update hashes of coreboot images, releases repo, FSP blobs, and VBT file. Updated VBT from coreboot 4.11 release eliminates flickering on some 13v4/15v4 displays. Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
blobs/librem_{kbl,skl}: update blobs
busybox tty isn't working after the musl-cross-make change so revert to known good value.
init: fix invalid GPG_TTY variable
libremkey-hotp-verification: toolchain adjustments
Not setting USB_FAILED when call to mount-usb succeeds results in a spurious 'sh: 0 unknown operand' error printed to console. Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
flash-gui: set unset variable USB_FAILED
Flash.sh cleanup : flashrom specifics now in board configs (#592)
Some (out of tree) servers require use of a USB keyboard, and need the USB kernel modules loaded prior to checking for keypress to enter a recovery console. Since loading the modules affects the value in PRC5 and can cause issues putting a LUKS key in TPM, guard the loading of the USB modules with CONFIG_USB_KEYBOARD and remove the unguarded call from gui-init. This should resolve issues #603 and #674. Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
* Add support for the Lenovo ThinkPad T420 and X220.
* Fix the autodetection of ifdtool and me_cleaner.
* Enable FBWhiptail mode for X220 and T420
* Decreased CBFS size to fix 50 seconds boot delay problems
init: load usb modules for devices using USB keyboard
gui-init: remove enable_usb to fix generic Heads users who wanted to release LUKS disk encryption key from TPM if measurements were valid (fix regression)
Modeled after modules/tpmtotp, use a specific git commit hash for module libremkey-hotp-verification. Add hidapi as a submodule with dummy/placeholder in modules (like coreboot-blobs), also specified by git commit hash. Adjust libremkey-hotp-verification patch file name so the patch applies properly. Addresses issue #640 Test: build Librem 13v4 Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
…be exported by Makefile
Commit 6b5adcc moved the call to enable_usb from gui-init to init and guarded it with CONFIG_USB_KEYBOARD, but it was missed that this is needed for the clean boot check logic when a librem key is used. Add the call back to gui-init and guard it properly Test: clean_boot_detect works properly on a librem 13v4 Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Flash.sh cleanup: Fix FLASHROM_OPTIONS -> CONFIG_FLASHROM_OPTIONS
fix $GPG_GEN_KEY getting clobbered when using a custom password Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
gui-init: fix checking librem key card-status
oem-factory-reset: fix GPG key backup filename
Fix Screen Garble
T420: Fix screen garble
modules/libremkey-hotp-verification: make reproducible
mount-usb switched to dynamic USB device detection a while back, so eliminate instances of CONFIG_BOOT_USB_DEV, and derive the mounted USB device from /etc/mtab in the one place where it's actually needed (usb-scan). Clean up areas around calls to mount-usb for clarity/readability. Addresses issue #673 Test: Build Librem 13v4, boot ISO file on USB Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Fix coreboot build for kgpe-d16
Eliminate use of CONFIG_USB_BOOT_DEV