Upstream PureBoot 27 #1419
On machines without a TPM, we'd still like some way for the BIOS to attest that it has not been modified. With a Librem Key, we can have the BIOS use its own ROM measurement converted to a SHA256sum and truncated so it fits within an HOTP secret. Like with a TPM, a malicious BIOS with access to the correct measurements can send pre-known good measurements to the Librem Key. This approach provides one big drawback in that we have to truncate the SHA256sum to 20 characters so that it fits within the limitations of HOTP secrets. This means the possibility of collisions is much higher but again, an attacker could also capture and spoof an existing ROM's measurements if they have prior access to it, either with this approach or with a TPM. Signed-off-by: Kyle Rankin <kyle.rankin@puri.sm>
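Added example (not code from this PR or from Heads): a sketch of the scheme the commit message above describes, deriving an HOTP secret from a truncated ROM SHA-256 and checking RFC 4226 codes against it. How the 20 characters are encoded into the secret is an assumption here (the hex characters are used as raw bytes), and the ROM images are constructed stand-ins.

```python
import hashlib
import hmac
import struct

SECRET_CHARS = 20  # truncation length stated in the commit message


def rom_secret(rom: bytes) -> bytes:
    """SHA-256 the ROM image and keep the first 20 hex characters.

    Assumption: the truncated hex string is used as the raw secret bytes.
    20 hex characters carry 80 bits, not the 256 of the full digest.
    """
    return hashlib.sha256(rom).hexdigest()[:SECRET_CHARS].encode("ascii")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def key_accepts(enrolled_secret: bytes, counter: int, code: str) -> bool:
    """Token-side check: it sees only the code, never the ROM itself,
    so a match proves knowledge of the secret, not the ROM contents."""
    return hmac.compare_digest(hotp(enrolled_secret, counter), code)


# Constructed stand-ins for ROM images (not real firmware).
GOOD_ROM = b"\x00constructed-rom-image\xff" * 1024
TAMPERED_ROM = GOOD_ROM[:-1] + b"\xfe"

if __name__ == "__main__":
    enrolled = rom_secret(GOOD_ROM)            # sealed to the key at enrollment
    counter = 0
    for name, rom in (("good", GOOD_ROM), ("tampered", TAMPERED_ROM)):
        code = hotp(rom_secret(rom), counter)  # what the BIOS sends at boot
        print(name, code, key_accepts(enrolled, counter, code))
```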
Reduce friction when generating a new TOTP/HOTP secret by eliminating an unnecessary 'press enter to continue' prompt following QR code generation, and by attempting to use the default admin PIN set by the OEM factory reset function. Fall back to prompting the user if the default PIN fails. Also, ensure error messages are visible to users before being returned back to the GUI menu from which they came by wrapping existing calls to die() Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Currently Heads will check files in /boot for tampering before booting into a system. It would be nice if you could use the trusted environment within Heads and extend this to check files in / itself. This new script adds that functionality, however due to the length of time it takes to perform these kinds of checks, it doesn't run automatically (yet). This feature can be configured from the config GUI - the root device/ directories to check can be set, and it can be configured to run during boot. To make this a bit easier to use, I added a feature to detect whether the hash file exists and if not, to display a more limited menu to the user guiding them to create the initial hash file. Otherwise it will display the date the file was last modified, which can be useful to determine how stale it is.
Use commit hash from 4.16-Purism-1 tag. Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Use Purism's repo for all Librem boards other than the Librem Server L1UM. Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Extract utilities from config-gui.sh for use in additional config settings. read_rom() reads the current ROM with a message for failure. replace_rom_file() replaces a CBFS file in a ROM. set_config() sets a configuration variable in a file. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Move boot menu scanning logic to scan_boot_options() in /etc/functions Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
pause_automatic_boot() prompts that an automatic boot is about to occur and allows the user to interrupt it. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
enable_usb_storage() inserts usb-storage.ko if not already loaded, then waits for USB storage devices to appear. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Add these two functions for use in config-gui.sh for future toggles. load_config_value() obtains the value of a config setting, defaulting to 'n'. get_config_display_action() displays 'Enable' or 'Disable' depending on the current value. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
toggle_config() toggles the value of a config. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
PureBoot Basic mode provides the full Linux userspace in firmware from Heads without requiring verified boot or a Librem Key. Basic and verified boot can be switched freely without changing firmware, such as if a Librem Key is lost. PureBoot Basic can apply firmware updates from a USB flash drive, and having a complete Linux userspace enables more sophisticated recovery options. Basic mode boots to the first boot option by default, setting a default is not required. This can be configured in the config GUI. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Restricted Boot mode only allows booting from signed files, whether that is signed kernels in /boot or signed ISOs on mounted USB disks. This disables booting from arbitrary USB disks as well as the forced "unsafe" boot mode. This also disables the recovery console so you can't bypass this mode simply by running kexec manually. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Add the PureOS archive signing key to the keys accepted for signed ISOs. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
USB autoboot automatically boots to a USB flash drive if one is present during boot. This is intended for headless deployments as a method to recover the installed operating system from USB without needing to attach a display and keyboard. USB autoboot can be controlled in config.user and the config GUI. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Add ioport module, enable for librem_mini_v2. Only inb and outb are included, inw/outw/inl/outl aren't needed. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Boards can place a file in $(board)/initrd/bin/board-init.sh to perform board-specific initialization. If present, the board's $(board)/initrd directory is included in the initrd via board.initrd. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Mini v1/v2's EC can automatically power on the system when power is applied, based on a value in EC BRAM. Add a configuration setting to optionally set this value. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Blob jail provides device firmware blobs to the OS, so the OS does not have to ship them. The firmware is passed through the initrd to /run/firmware, so it works with both installed and live OSes, and there are no race conditions between firmware load and firmware availability. The injection method in the initrd is specific to the style of init script used by PureOS, since it must add a copy command to copy the firmware from the initrd to /run. If the init script is not of this type, boot proceeds without device firmware. This feature can be enabled or disabled from the config GUI. Blob jail is enabled automatically if the Intel AX200 Wi-Fi module is installed and the feature hasn't been explicitly configured. Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Add driver blobs needed for Intel AX200 WiFi/BT, as well as Atheros ar3k BT. Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Stop manually loading config values, just update config in environment. Never test values against "n", since many default to empty. Always test ="y" or !="y", any other value is off. Add set_user_config() function to set a value in config.user, combine configs, and update config in environment. Use it in setting implementations. Remove toggle_config, it wasn't very useful because the settings still test y/n in order to show specific confirmation and success messages. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
PureBoot doesn't have any other three-valued settings and this doesn't present very well in the config UI. Instead make this a two-valued setting; drop the mode that forces the EC setting to "stay off" at every boot because this is the default. When disabling automatic power-on, disable the EC BRAM setting too. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
This is particularly beneficial for servers with Aspeed BMC video, because it introduces framebuffer console acceleration. The framebuffer console is much more responsive. Patches were ported from 5.10.5:
0001-fake-acpi.patch: This may not be needed any more, but it applies cleanly and I don't think it would harm anything.
0002-nmi-squelch.patch: The comment mentions qemu but I see this message on physical machines occasionally, so I think this is needed.
0003-fake-trampoline.patch: This patch does not apply cleanly. It could be ported, but I don't think it's needed, I dropped it. Dates back to a very old commit where Linux was being embedded into a vendor UEFI firmware: a4d7654.
0010-winterfell-ahci.patch: Minor change of %x to %lx in context.
Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
These changes primarily improve server boards using BMC video. The correct DRI card is selected even if it isn't the first one, and performance is greatly improved on non-UMA cards. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Add Linux 6.1.8 configuration, used by Librem L1UM v2. Add coreboot configuration for Librem L1UM v2. Add Librem L1UM v2 board configuration. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Only try the default PIN automatically for 1 month after key creation. This simplifies initial ownership but still encourages changing the PIN. Never enter a PIN automatically if fewer than 3 attempts remain, to avoid causing lockout if the PIN has been changed. Remind what the default PIN was if it is not attempted for either reason. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Librem boards now use Purism's coreboot distribution cloned from git, persist it in CI cache. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
@JonathonHall-Purism can you rebase on master and test with qemu and set up a TPM unsealed disk encryption key?
The CONFIG_BASIC test was backwards, as a result it skipped the LUKS disk unlock logic if basic mode was _not_ enabled. This wasn't observed in the PureBoot distribution because we disable the LUKS disk unlock feature. CONFIG_BOOT_REQ_ROLLBACK and CONFIG_BOOT_REQ_HASH logic was also skipped incorrectly, though neither of these are enabled on any board so this had no effect in the PureBoot distribution either. Test basic with each bit of logic to eliminate duplication of the kexec-boot call and fix the LUKS disk unlock feature. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
0d78a4b to 157efc6
The "disable restricted boot" prompt got slightly too long when fixing the TPM wording. Re-wrap that line to match the others. Wrapping could use some general cleanup but this is sufficient so the text isn't truncated. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
As of now I see no regression. Will need to test ownership a bit more thoroughly.
The -s mode was removed, remove it from usage. Remove the test to skip checking for board flashrom options with -s mode. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
The early recovery shell ("hold R") and serial recovery both could bypass Restricted Boot since they occurred before config.user was loaded. Load config.user earlier before these recovery methods. Executing a shell directly (if recovery failed) also would bypass Restricted Boot, additionally leaking /tmp/secret. Remove this from the early recovery shell logic. Also remove the final failsafe exec and move the "just in case" recovery from normal boot here instead, in case the regular init script fails. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Simplify "enable" prompt a bit, clarify that firmware updating is blocked, and remove mention of "failsafe boot mode". Reword "disable" prompt similarly. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
88d7a90 to 440dc5b
For iterating, enabling these in the board config is easiest. It's also possible to manually inject config.user ahead of time, or enable at runtime without flashing, but the normal enable/flash/reboot path does not work in qemu since it is unable to flash. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
Testing roms from merged #1419 #1428 board images at https://app.circleci.com/pipelines/github/tlaurion/heads/1819/workflows/683cf547-010b-4dea-bb5f-3420931203ea Tested on qemu boards:
Regression testing + specifics (tested and retested so many times, hopefully nothing was unseen)
So much faster!
Nothing to report there as per off-channel discussions. From my eyes, changes are proper and gains are amazing.
And it's a merge!
Just confirming I have flashed heads-x220-maximized-v0.2.0-1705-gedf200e.rom. Seems to work fine (although not extensively tested yet).
Also have tested heads-t430-maximized-v0.2.0-1705-gedf200e.rom on my t430 which also seems to work fine.
This is the state of PureBoot 27, except for the branding and build scripts. This includes all the major features we have added - Basic mode, Restricted Boot, automatic USB boot for basic mode, blob jail, root file hashing, Mini automatic power-on, and improvements to config-gui.sh to control those features.
There are now configs for skipping the pause after the QR code, and to show the "use defaults?" prompt for OEM reset; both are enabled for all Librem boards.
I reworked the Heads/PureBoot branding to use CONFIG_BRAND_NAME, so I can carry the PureBoot branding change downstream easily.