add x230-nkstorecli board config #817

Merged 3 commits on Oct 19, 2020

daringer
Collaborator

  • add x230-nkstorecli board config
  • modules added: nkstorecli, libnitrokey, libhidapi-libusb

@tlaurion
Collaborator

@daringer : no CI (yellow/green light) link on commit?

@daringer
Collaborator Author

Mmh good question, don't know why... Currently on the run, will be back at the desk in ~30mins

@daringer
Collaborator Author

daringer commented Aug 31, 2020

mmh shouldn't this be usually shown here, too...
https://app.circleci.com/pipelines/github/Nitrokey/heads/105/workflows/dfb7251a-85db-48ca-88e4-6299030615d1/jobs/111
nearly done, here it shows the yellow/green dot ... don't know why not here inside the PR

edit: "Experiencing Issues with GitHub API Requests, GitHub Issues, PRs, Dashboard, Projects, and GitHub GitHub Packages" is what https://status.circleci.com/ says ...

Collaborator

@tlaurion tlaurion left a comment

The patch is pretty massive. Would love to know why not upstreamed and applied in a patch under Heads.

@tlaurion
Collaborator

tlaurion commented Sep 2, 2020

Building locally and will report binary hash discrepancies if any.

@tlaurion
Collaborator

tlaurion commented Sep 4, 2020

@jans23 @daringer: building here:
https://app.circleci.com/pipelines/github/tlaurion/heads/369/workflows/ea2692ba-59cc-4a05-a903-e81bf94cd907/jobs/398
and locally to compare hashes of binaries now added for reproducibility.

Sorry for the delay, CircleCI automatic builds were faulty in the past days. Now back on track with past commit and should build successfully.

EDIT:
hashes for additional commit cb523b7:
local
30f0d55a9a6190e9e01d1707f2507b4ddfcee9835ea84d94f1e425cf02e2596f ./bin/nkstorecli
CircleCI:
1f86928eb55b893d6770ed90b0ffe895da940e39b612c2fbb55adeb45e47ac6f ./bin/nkstorecli
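
The local-versus-CI hash comparison reported in the comment above, as an added example that is not part of the original thread or of the Heads build system. It assumes two `sha256sum`-style manifests; the function name, file names and the `./bin/gpg` hash are constructed for illustration, while the two `./bin/nkstorecli` hashes are the ones quoted above.

```shell
#!/bin/sh
# Added example (not Heads code): diff two sha256sum-style manifests,
# e.g. a local build's hash list against the CI build's.

# compare_manifests A B
# Prints one sorted line per discrepancy: "MISMATCH <path>",
# "ONLY_IN_A <path>" or "ONLY_IN_B <path>". No output means the builds agree.
compare_manifests() {
    # Tag every line with its origin so empty or identical files are handled.
    { sed 's/^/A /' "$1"; sed 's/^/B /' "$2"; } | awk '
        NF < 3 { next }                      # skip blank or truncated lines
        {
            hash = tolower($2)
            path = $0
            # Drop the tag, the hash, the separator and the optional "*".
            sub(/^[AB] [0-9A-Fa-f]+[ \t]+\*?/, "", path)
            if ($1 == "A") a[path] = hash; else b[path] = hash
        }
        END {
            for (p in a) {
                if (!(p in b))         print "ONLY_IN_A " p
                else if (a[p] != b[p]) print "MISMATCH " p
            }
            for (p in b) if (!(p in a)) print "ONLY_IN_B " p
        }
    ' | sort
}

# demo: nkstorecli hashes are the two quoted in the comment above;
# the all-zero ./bin/gpg hash is a constructed placeholder.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/local.txt" <<'EOF'
30f0d55a9a6190e9e01d1707f2507b4ddfcee9835ea84d94f1e425cf02e2596f  ./bin/nkstorecli
0000000000000000000000000000000000000000000000000000000000000000  ./bin/gpg
EOF
    cat > "$dir/ci.txt" <<'EOF'
1f86928eb55b893d6770ed90b0ffe895da940e39b612c2fbb55adeb45e47ac6f  ./bin/nkstorecli
0000000000000000000000000000000000000000000000000000000000000000  ./bin/gpg
EOF
    compare_manifests "$dir/local.txt" "$dir/ci.txt"
    rm -rf "$dir"
}

demo
```

Reporting paths present on only one side matters as much as reporting mismatches: a file that exists in one build and not the other is also a reproducibility failure.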

@tlaurion
Collaborator

tlaurion commented Sep 4, 2020

@szszszsz @daringer @jans23 : produced binaries are different as per #817 (comment)

@tlaurion
Collaborator

tlaurion commented Sep 4, 2020

@szszszsz @daringer @jans23 @alex-nitrokey
As per the "Quest to reduce firmware size" guidelines, output of CI's built PR:

user@x230-master:~/heads/build/x230-nkstorecli$ find . -type f -ls | sort -r -n -k7
    71470  12288 -rw-r--r--   1 user     user     12582912 Sep  4 11:56 ./coreboot.rom
    79977  11756 -rw-r--r--   1 user     user     12052480 Sep  4 11:55 ./initrd.cpio
    71066  11240 -rw-r--r--   1 user     user     11509248 Sep  4 11:55 ./tools.cpio
    40914   2956 -rw-r--r--   1 user     user      3023312 Aug 31 17:16 ./bzImage
    81501   1592 -rwx------   1 user     user      1627856 Sep  4 16:33 ./bin/lvm
    81614   1132 -rwx------   1 user     user      1156424 Sep  4 16:33 ./lib/libgcrypt.so.20
    81458    868 -rwx------   1 user     user       886464 Sep  4 16:33 ./bin/gpg
    81512    760 -rwx------   1 user     user       775864 Sep  4 16:33 ./bin/nkstorecli
    81611    740 -rwx------   1 user     user       757232 Sep  4 16:33 ./lib/libcairo.so.2
    81621    652 -rwx------   1 user     user       666216 Sep  4 16:33 ./lib/libpixman-1.so.0
    81610    584 -rwx------   1 user     user       596544 Sep  4 16:33 ./lib/libc.so
    81452    556 -rwx------   1 user     user       568264 Sep  4 16:33 ./bin/flashrom
    81419    472 -rwx------   1 user     user       483160 Sep  4 16:33 ./bin/busybox
    81533    392 -rwx------   1 user     user       399528 Sep  4 16:33 ./bin/scdaemon
    40915    372 -rw-r--r--   1 user     user       379904 Aug 31 17:16 ./modules.cpio
    81459    364 -rwx------   1 user     user       371888 Sep  4 16:33 ./bin/gpg-agent
    81625    332 -rwx------   1 user     user       339304 Sep  4 16:33 ./lib/libtpm.so
    81613    328 -rwx------   1 user     user       333240 Sep  4 16:33 ./lib/libdevmapper.so.1.02
    81617    320 -rwx------   1 user     user       325104 Sep  4 16:33 ./lib/libmbedcrypto.so.0
    81616    224 -rwx------   1 user     user       227696 Sep  4 16:33 ./lib/libksba.so.8
    81622    204 -rwx------   1 user     user       207912 Sep  4 16:33 ./lib/libpng16.so.16
    81477    168 -rwx------   1 user     user       170984 Sep  4 16:33 ./bin/kexec
    71110    164 -rw-r--r--   1 user     user       164352 Aug 31 18:58 ./heads.cpio
    81633    160 -rw-------   1 user     user       159840 Sep  4 16:33 ./lib/modules/xhci-hcd.ko
    81612    156 -rwx------   1 user     user       159000 Sep  4 16:33 ./lib/libcryptsetup.so.4
    81440    136 -rwx------   1 user     user       137464 Sep  4 16:33 ./bin/dmsetup
    81632    132 -rw-------   1 user     user       132360 Sep  4 16:33 ./lib/modules/usb-storage.ko
    81564    124 -rwx------   1 user     user       126584 Sep  4 16:33 ./bin/tpm
    81615    124 -rwx------   1 user     user       125904 Sep  4 16:33 ./lib/libgpg-error.so.0
    81629    108 -rwx------   1 user     user       108832 Sep  4 16:33 ./lib/libz.so.1
    81627     96 -rwx------   1 user     user        96896 Sep  4 16:33 ./lib/libusb-1.0.so.0
    81609     76 -rwx------   1 user     user        76736 Sep  4 16:33 ./lib/libassuan.so.0
    81498     72 -rwx------   1 user     user        73600 Sep  4 16:33 ./bin/lspci
    81630     64 -rw-------   1 user     user        64800 Sep  4 16:33 ./lib/modules/ehci-hcd.ko
    81432     64 -rwx------   1 user     user        62328 Sep  4 16:33 ./bin/cryptsetup-reencrypt
    81431     60 -rwx------   1 user     user        59144 Sep  4 16:33 ./bin/cryptsetup
    81620     52 -rwx------   1 user     user        52272 Sep  4 16:33 ./lib/libpci.so.3.5.4
    81619     52 -rwx------   1 user     user        52272 Sep  4 16:33 ./lib/libpci.so.3
    81520     52 -rwx------   1 user     user        52200 Sep  4 16:33 ./bin/pinentry-tty
    81448     52 -rwx------   1 user     user        51616 Sep  4 16:33 ./bin/fbwhiptail
    81623     48 -rwx------   1 user     user        48088 Sep  4 16:33 ./lib/libpopt.so.0
    81624     48 -rwx------   1 user     user        47448 Sep  4 16:33 ./lib/libqrencode.so.3
    81581     32 -rwx------   1 user     user        32560 Sep  4 16:33 ./bin/veritysetup
    81474     32 -rwx------   1 user     user        29944 Sep  4 16:33 ./bin/hotp_verification
    81425     28 -rwx------   1 user     user        27048 Sep  4 16:33 ./bin/cbmem
    81454     24 -rwx------   1 user     user        22432 Sep  4 16:33 ./bin/flashtool
    81596     20 -rw-------   1 user     user        19992 Sep  4 16:33 ./etc/distro/keys/tails.key
    81626     20 -rwx------   1 user     user        18464 Sep  4 16:33 ./lib/libusb-0.1.so.4
    81423     20 -rwx------   1 user     user        18352 Sep  4 16:33 ./bin/cbfs
    81569     20 -rwx------   1 user     user        18320 Sep  4 16:33 ./bin/uefi
    81464     16 -rwx------   1 user     user        15599 Sep  4 16:33 ./bin/gui-init
    81516     16 -rwx------   1 user     user        15100 Sep  4 16:33 ./bin/oem-factory-reset
    81628     16 -rwx------   1 user     user        14656 Sep  4 16:33 ./lib/libuuid.so.1
    81618     16 -rwx------   1 user     user        14552 Sep  4 16:33 ./lib/libnpth.so.0
    81523     16 -rwx------   1 user     user        14200 Sep  4 16:33 ./bin/poke
    81594     12 -rw-------   1 user     user        10955 Sep  4 16:33 ./etc/distro/keys/fedora.key
    81631     12 -rw-------   1 user     user        10728 Sep  4 16:33 ./lib/modules/ehci-pci.ko
    81634     12 -rw-------   1 user     user        10568 Sep  4 16:33 ./lib/modules/xhci-pci.ko
    81518     12 -rwx------   1 user     user        10096 Sep  4 16:33 ./bin/peek
    81415     12 -rwx------   1 user     user        10088 Sep  4 16:33 ./bin/base32
    81562     12 -rwx------   1 user     user        10048 Sep  4 16:33 ./bin/totp
    81472     12 -rwx------   1 user     user        10024 Sep  4 16:33 ./bin/hotp
    81486     12 -rwx------   1 user     user         9894 Sep  4 16:33 ./bin/kexec-select-boot
      297     12 -rw-r--r--   1 user     user         9540 Sep  4 11:56 ./hashes.txt
    81460     12 -rwx------   1 user     user         8845 Sep  4 16:33 ./bin/gpg-gui.sh
    81598     12 -rwx------   1 user     user         8196 Sep  4 16:33 ./etc/functions
    81527      8 -rwx------   1 user     user         5912 Sep  4 16:33 ./bin/qrenc
    81428      8 -rwx------   1 user     user         4851 Sep  4 16:33 ./bin/config-gui.sh
    81485      8 -rwx------   1 user     user         4195 Sep  4 16:33 ./bin/kexec-seal-key
    81482      4 -rwx------   1 user     user         3680 Sep  4 16:33 ./bin/kexec-parse-boot
    81606      4 -rwx------   1 user     user         3506 Sep  4 16:33 ./init
    81508      4 -rwx------   1 user     user         3497 Sep  4 16:33 ./bin/mount-usb
    81483      4 -rwx------   1 user     user         3410 Sep  4 16:33 ./bin/kexec-save-default
    81534      4 -rwx------   1 user     user         3381 Sep  4 16:33 ./bin/seal-hotpkey
    81478      4 -rwx------   1 user     user         3099 Sep  4 16:33 ./bin/kexec-boot
    81450      4 -rwx------   1 user     user         2465 Sep  4 16:33 ./bin/flash-gui.sh
    81479      4 -rwx------   1 user     user         2344 Sep  4 16:33 ./bin/kexec-insert-key
    81579      4 -rwx------   1 user     user         2081 Sep  4 16:33 ./bin/usb-scan
    81481      4 -rwx------   1 user     user         2059 Sep  4 16:33 ./bin/kexec-parse-bls
    81535      4 -rwx------   1 user     user         2027 Sep  4 16:33 ./bin/seal-totp
    81600      4 -rwx------   1 user     user         1886 Sep  4 16:33 ./etc/gui_functions
    81574      4 -rwx------   1 user     user         1838 Sep  4 16:33 ./bin/unseal-hotp
    81451      4 -rwx------   1 user     user         1724 Sep  4 16:33 ./bin/flash.sh
    81484      4 -rwx------   1 user     user         1677 Sep  4 16:33 ./bin/kexec-save-key
    81595      4 -rw-------   1 user     user         1629 Sep  4 16:33 ./etc/distro/keys/qubes-4.key
    81487      4 -rwx------   1 user     user         1407 Sep  4 16:33 ./bin/kexec-sign-config
    81480      4 -rwx------   1 user     user         1375 Sep  4 16:33 ./bin/kexec-iso-init
    81635      4 -rwx------   1 user     user         1373 Sep  4 16:33 ./mount-boot
    81456      4 -rwx------   1 user     user         1299 Sep  4 16:33 ./bin/generic-init
    71088      4 -rw-------   1 user     user         1247 Sep  4 16:33 ./.ash_history
    81511      4 -rwx------   1 user     user         1244 Sep  4 16:33 ./bin/network-init-recovery
    81473      4 -rwx------   1 user     user         1085 Sep  4 16:33 ./bin/hotp_initialize
    81488      4 -rwx------   1 user     user         1044 Sep  4 16:33 ./bin/kexec-unseal-key
    81651      4 -rwx------   1 user     user         1000 Sep  4 16:33 ./sbin/insmod
    81640      4 -rwx------   1 user     user          922 Sep  4 16:33 ./sbin/config-dhcp.sh
    81424      4 -rwx------   1 user     user          799 Sep  4 16:33 ./bin/cbfs-init
    81593      4 -rw-------   1 user     user          788 Sep  4 16:33 ./etc/config
    81489      4 -rwx------   1 user     user          770 Sep  4 16:33 ./bin/key-init
    81565      4 -rwx------   1 user     user          694 Sep  4 16:33 ./bin/tpm-reset
    81570      4 -rwx------   1 user     user          661 Sep  4 16:33 ./bin/uefi-init
    81575      4 -rwx------   1 user     user          634 Sep  4 16:33 ./bin/unseal-totp
    81587      4 -rwx------   1 user     user          574 Sep  4 16:33 ./bin/x230-flash.init
    81554      4 -rwx------   1 user     user          574 Sep  4 16:33 ./bin/t430-flash.init
    81528      4 -rwx------   1 user     user          366 Sep  4 16:33 ./bin/qubes-measure-luks
    81453      4 -rwx------   1 user     user          360 Sep  4 16:33 ./bin/flashrom-kgpe-d16-openbmc.sh
    81585      4 -rwx------   1 user     user          320 Sep  4 16:33 ./bin/wget-measure.sh
    81529      4 -rwx------   1 user     user          258 Sep  4 16:33 ./bin/reboot
    81578      4 -rwx------   1 user     user          220 Sep  4 16:33 ./bin/usb-init
    81524      4 -rwx------   1 user     user          205 Sep  4 16:33 ./bin/poweroff
    81597      4 -rw-------   1 user     user          197 Sep  4 16:33 ./etc/fstab
    81602      4 -rw-------   1 user     user          174 Sep  4 16:33 ./etc/motd
    81461      4 -rwx------   1 user     user          106 Sep  4 16:33 ./bin/gpgv
    81408      4 -rw-------   1 user     user           73 Sep  4 16:33 ./.gnupg/gpg-agent.conf
    81586      4 -rwx------   1 user     user           35 Sep  4 16:33 ./bin/whiptail
    81605      4 -rw-------   1 user     user           27 Sep  4 16:33 ./etc/shells
    81604      4 -rw-------   1 user     user           27 Sep  4 16:33 ./etc/passwd
    81601      4 -rw-------   1 user     user           20 Sep  4 16:33 ./etc/hosts
    81599      4 -rw-------   1 user     user           10 Sep  4 16:33 ./etc/group
    81409      4 -rw-------   1 user     user           10 Sep  4 16:33 ./.gnupg/gpg.conf

nkstorecli is now the next candidate just after gpg for size reduction.

This is no surprise, since nkstorecli is statically linked to libusb, libhidapi-libusb and libnitrokey, which makes the binary more like a PoC than a final product to be included in mainstream Heads.

Note that libusb is now included two times inside of Heads' ROM: one statically linked inside of nkstorecli, and one dynamically linked (81627 96 -rwx------ 1 user user 96896 Sep 4 16:33 ./lib/libusb-1.0.so.0), which also causes the size problem and is why e1000e and dropbear needed to be deleted from the x230 standard board to fit available space; which means nobody from the Heads community can use it easily as of right now but by losing ethernet and dropbear under Heads, which might/might not be a problem for some users.

@szszszsz
Contributor

szszszsz commented Sep 5, 2020

Hi!

  1. Regarding nkstorecli, dynamic link should save 100 kB at most. There should be possibility to decrease further the size with implementation changes.
  2. Why do you need these graphic libraries? Is this all for the Head's GUI?
  • ./lib/libcairo.so.2 - 757 kiB
  • ./lib/libpixman-1.so.0 - 666 kiB
  • ./lib/libpng16.so.16 - 207 kiB

@tlaurion
Collaborator

tlaurion commented Sep 5, 2020

> Hi!
>
> 1. Regarding `nkstorecli`, dynamic link should save 100 kB at most. There should be possibility to decrease further the size with implementation changes.

Awesome news.

> 2. Why do you need these graphic libraries? Is this all for the Head's GUI?

Heads GUI (FbWhiptail graphic frontend to bash) is the reason of all those dependencies if we want it to be beautiful graphics.

So if we want FBWHIPTAIL:

> * ./lib/libcairo.so.2 - 757 kiB

fbwhiptail_depends := cairo $(musl_dep)

> * ./lib/libpixman-1.so.0 - 666 kiB

cairo_depends := pixman $(musl_dep)

> * ./lib/libpng16.so.16 - 207 kiB

pixman_depends := libpng $(musl_dep)

Else, another subset of dependencies is required (SLANG and NEWT) to be remote console friendly.
Edit: note that gui-init can be used in remote serial consoles instead of generic-init here on server and workstation boards, if you want to test it out.

@tlaurion
Collaborator

tlaurion commented Sep 12, 2020

@daringer @szszszsz @jans23: We merge as is with tweaks and reproducibility being other PR and issues?

@daringer
Collaborator Author

ok for me!

@jans23

jans23 commented Sep 24, 2020

> @daringer @szszszsz @jans23: We merge as is with tweaks and reproducibility being other PR and issues?

Good for me.

@daringer
Collaborator Author

daringer commented Sep 27, 2020

created issue to track/fix the reproducibility topic

@tlaurion, before merging I would suggest to update this PR to latest libnitrokey version (means we should get rid of the libnitrokey patch) and fix CI conflicts, ok for you?

@tlaurion
Collaborator

@daringer +1

@daringer
Collaborator Author

good, local build seems fine, let's see what CI will say...

@daringer
Collaborator Author

daringer commented Sep 27, 2020

  • reproduced current master branch behavior
  • re-run with x230-nkstorecli before librem_mini-NoTPM is here (edit), looks good now
  • waiting for this one, then this PR shall be ready to merge

@daringer
Collaborator Author

looks good for x230-nkstorecli, librem_mini-NoTPM leads to the overall CI fail

@tlaurion
Collaborator

Should be rebased on master once #842 is reviewed and merged in.

@tlaurion
Collaborator

tlaurion commented Oct 2, 2020

@daringer can you rebase on master to trigger a build please?

@daringer daringer force-pushed the x230-nkstorecli branch 2 times, most recently from ecd220c to d781140 Compare October 4, 2020 13:07
@daringer
Collaborator Author

daringer commented Oct 4, 2020

done

@daringer
Collaborator Author

looks good

@tlaurion tlaurion merged commit 09ca500 into linuxboot:master Oct 19, 2020
@daringer daringer deleted the x230-nkstorecli branch November 15, 2023 12:36