GitLab

Grepping on just 'Disk' can lead to disk UUID identifier strings
being added to /tmp/disklist, which then fail to parse later on.
Avoid this by grepping on 'Disk /dev' instead.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

Current implementation of autodetection misidentifes older Librem
Keys as Nitrokeys due to VID conflict; assume all Librem users
are using a Librem Key.
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

Show state of flashrom reads/writes by means of a progress bar,
as used in the Librem coreboot flashing scripts
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

change MOTD, menu headers, and coreboot version
string to reflect Pureboot branding
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

on Librem devices, tty0 and stdout are same device, resulting in
the MOTD being printed to screen twice

Reduce friction when generating a new TOTP/HOTP secret by eliminating
an unnecessary 'press enter to continue' prompt following QR code
generation, and by attempting to use the default admin PIN set by
the OEM factory reset function. Fall back to prompting the user
if the default PIN fails.

Also, ensure error messages are visible to users before being returned
back to the GUI menu from which they came by wrapping existing calls to die()
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

prompt user to generate a new TOTP/HOTP secret upon
mismatch, to avoid unnecessary failure after flashing
and updated ROM.

skip calling seal-totp since there's nothing to do in the
non-TPM case other than an unnecessary firmware read

Kyle Rankin authored Nov 25, 2019 and Matt Devillier committed Jun 23, 2021

On machines without a TPM, we'd still like some way for the BIOS to
attest that it has not been modified. With a Librem Key, we can have the
BIOS use its own ROM measurement converted to a SHA256sum and truncated
so it fits within an HOTP secret. Like with a TPM, a malicious BIOS with
access to the correct measurements can send pre-known good measurements
to the Librem Key.

This approach provides one big drawback in that we have to truncate the
SHA256sum to 20 characters so that it fits within the limitations of
HOTP secrets. This means the possibility of collisions is much higher
but again, an attacker could also capture and spoof an existing ROM's
measurements if they have prior access to it, either with this approach
or with a TPM.
Signed-off-by: Kyle Rankin <kyle.rankin@puri.sm>

Fix exit codes for ME download scripts

Incorrect parentheses brackets used in those scripts meant that the script as a whole did not return the correct exit code. The use of `( )` brackets created a sub-shell to which the exit code applied to that sub-shell. Changing to `{ }` does not create a sub-shell and as such, the script will return its true return code.

CircleCI: Overhaul with parallelisation and parameters for a cleaner config

CircleCI: passing CPUS=24 to CPUS=16 to try to fix latest problems linked to master not building and https://github.com/osresearch/heads/pull/977

Update README.md

Change Heads Wiki link from index.md to https://osresearch.net

* Bump CircleCI config version to 2.1.
* Use commands and parameters to get rid of repeated commands. New boards can be added with just 5 lines at the bottom of the config.
* Made use of some parallelisation. Currently a single board from each Coreboot version is built. Afterwards all remaining boards are built in parallel.

x230-nkstorecli PoC board removal, both in tree and in CI (board buil…

x230-nkstorecli PoC board removal, both in tree and in CI (board builds fails. fits in maximized boards.)

Upgrade to cryptsetup 2.3 and make cryptsetup1/cryptsetup2 optionals

* CircleCI: pass CPUS=4 to CPUS=24

libusb: replace package origin from sourceforge to github release

without hardcoding url... sorry guys

libusb: replace package origin from sourceforge to github release

Last CI build in master fails because of a 302 temporary redirect resulting to bad checksum.

Bump Librem and KGPE-D16 to Linux 5.10.5

xx30 boards: correct documentation, typos

modules/hotp-verification: Update module to latest version

Update nitrokey-hotp-verification to upstream master, which
pulls in 2 changes:
- update OTP secret length from 20 bytes to 40 bytes
- fixes handling for branding strings containing spaces

Test: build/boot Librem 13v4, verify LK verification working
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>

Add `CONFIG_CPU_MICROCODE_CBFS_NONE=y` to KGPE-D16 Coreboot configs. This disables microcode being included and loaded by Coreboot because of a current issue in which newer kernels panic when doing so.
Added note to KGPE-D16 configs about the current microcode bug, why microcode is not included and encouraging AMD Opteron 6300 series users to make sure their operating system loads microcode.

Update all Librem and KGPE-D16 board to build with Linux 5.10.5. Update KGPE-D16 and Librem linux configs to 5.10.5 with `make savedefconfig`.

modules/linux: Add support for building against Linux 5.10.5. All patches besides `0000-efi_bds.patch` port cleanly. As a result of `0000-efi_bds.patch` missing, it is strongly encouraged that no linuxboot boards use Linux 5.10.5 until a proper review has been done.

Kgpe d16 flashrom fix

coreboot configs : remove CONFIG_ANY_TOOLCHAIN in coreboot configs

coreboot configs : CONFIG_ANY_TOOLCHAIN=y is not needed anymore since built against coreboot's version muslcross built toolchain.

xx30-flash boards: produce top.rom and remove 12mb rom for clarity

CircleCI: Add coreboot+musl-cross cache