Merge remote-tracking branch 'osresearch/master' into flashprog

Signed-off-by: Thierry Laurion <[email protected]>

Author: tlaurion

.circleci/config.yml

@@ -491,6 +491,13 @@ workflows:
           requires:
             - librem_14
 
+      - build:
+          name: librem_11
+          target: librem_11
+          subcommand: ""
+          requires:
+            - librem_14
+
       # dasharo release
       - build:
           name: nitropad-ns50

bin/seed_package_mirror.sh

@@ -0,0 +1,64 @@
+#! /usr/bin/env bash
+
+set -eo pipefail
+
+usage() {
+cat >&2 <<USAGE_END
+$0 <mirror-directory>
+
+Downloads all current package artifacts needed to build Heads and copies them
+to a mirror directory, for seeding a package mirror.
+
+Parameters:
+  <mirror-directory>: Path to a directory where the packages are placed.
+  Created if it does not already exist.
+USAGE_END
+}
+
+ARGS_DONE=
+while [[ $# -ge 1 ]] && [ -z "$ARGS_DONE" ]; do
+	case "$1" in
+		--)
+			ARGS_DONE=y
+			shift
+			;;
+		--help)
+			usage
+			exit 0
+			;;
+		--*)
+			echo "unknown parameter: $1" >&2
+			usage
+			exit 1
+			;;
+		*)
+			ARGS_DONE=y
+			;;
+	esac
+done
+
+if [[ $# -ne 1 ]]; then
+	usage
+	exit 1
+fi
+
+ARG_MIRROR_DIR="$(realpath "$1")"
+
+cd "$(dirname "${BASH_SOURCE[0]}")/.."
+
+echo
+echo "Cleaning build to download all packages..."
+# fetch packages for representative boards
+rm -rf build/x86 build/ppc64
+rm -rf packages/x86 packages/ppc64
+echo
+echo "Downloading packages..."
+make packages BOARD=qemu-coreboot-fbwhiptail-tpm1-hotp
+make packages BOARD=talos-2 # newt, PPC
+make packages BOARD=librem_l1um_v2 # TPM2
+make packages BOARD=librem_l1um # coreboot 4.11
+make packages BOARD=x230-maximized # io386
+echo
+echo "Copying to mirror directory..."
+mkdir -p "$ARG_MIRROR_DIR"
+cp packages/x86/* packages/ppc64/* "$ARG_MIRROR_DIR/"

boards/qemu-coreboot-whiptail-tpm2/qemu-coreboot-whiptail-tpm2.config

@@ -17,10 +17,10 @@ CONFIG_LINUX_CONFIG=config/linux-qemu.config
 #export CONFIG_HAVE_GPG_KEY_BACKUP=y
 
 #Enable DEBUG output
-export CONFIG_DEBUG_OUTPUT=y
-export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
+#export CONFIG_DEBUG_OUTPUT=y
+#export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
 #Enable TPM2 pcap output under /tmp
-export CONFIG_TPM2_CAPTURE_PCAP=y
+#export CONFIG_TPM2_CAPTURE_PCAP=y
 
 #On-demand hardware support (modules.cpio)
 CONFIG_LINUX_USB=y

config/coreboot-librem_11.config

@@ -140,7 +140,7 @@ CONFIG_DCACHE_BSP_STACK_SIZE=0x30400
 CONFIG_MAX_ACPI_TABLE_SIZE_KB=144
 CONFIG_HAVE_INTEL_FIRMWARE=y
 CONFIG_MRC_SETTINGS_CACHE_SIZE=0x10000
-# CONFIG_DRIVERS_INTEL_WIFI is not set
+CONFIG_DRIVERS_INTEL_WIFI=y
 CONFIG_IFD_BIN_PATH="3rdparty/purism-blobs/mainboard/purism/librem_jsl/librem_11/flashdescriptor.bin"
 CONFIG_ME_BIN_PATH="3rdparty/purism-blobs/mainboard/purism/librem_jsl/librem_11/me.bin"
 CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000
@@ -563,6 +563,7 @@ CONFIG_USE_PC_CMOS_ALTCENTURY=y
 CONFIG_PC_CMOS_BASE_PORT_BANK0=0x70
 # CONFIG_DRIVERS_SIL_3114 is not set
 CONFIG_DRIVERS_USB_ACPI=y
+CONFIG_DRIVERS_WIFI_GENERIC=y
 # CONFIG_DRIVERS_MTK_WIFI is not set
 CONFIG_MP_SERVICES_PPI=y
 CONFIG_MP_SERVICES_PPI_V1=y

initrd/bin/cbfs-init

@@ -15,17 +15,19 @@ cbfsfiles=`cbfs -t 50 -l 2>/dev/null | grep "^heads/initrd/"`
 for cbfsname in `echo $cbfsfiles`; do
 	filename=${cbfsname:12}
 	if [ ! -z "$filename" ]; then
-		echo "Loading $filename from CBFS"
 		mkdir -p `dirname $filename` \
 		|| die "$filename: mkdir failed"
-		cbfs -t 50 -r $cbfsname > "$filename" \
+		echo "Extracting CBFS file $cbfsname into $filename"
+		cbfs -t 50 $CBFS_ARG -r $cbfsname > "$filename" \
 		|| die "$filename: cbfs file read failed"
 		if [ "$CONFIG_TPM" = "y" ]; then
-			TMPFILE=/tmp/cbfs.$$
-			echo "$filename" > $TMPFILE
-			cat $filename >> $TMPFILE
-			DEBUG "Extending TPM PCR $CONFIG_PCR with $filename"
-			tpmr extend -ix "$CONFIG_PCR" -if $TMPFILE \
+			TRACE_FUNC
+			echo "TPM: Extending PCR[$CONFIG_PCR] with $filename"
+			# Measure both the filename and its content.  This
+			# ensures that renaming files or pivoting file content
+			# will still affect the resulting PCR measurement.
+			tpmr extend -ix "$CONFIG_PCR" -ic "$filename"
+			tpmr extend -ix "$CONFIG_PCR" -if "$filename" \
 			|| die "$filename: tpm extend failed"
 		fi
 	fi

initrd/bin/gui-init

@@ -363,7 +363,7 @@ check_gpg_key()
     option=$(cat /tmp/whiptail)
     case "$option" in 
       g )
-        gpg-gui.sh && BG_COLOR_MAIN_MENU="normnal"
+        gpg-gui.sh && BG_COLOR_MAIN_MENU="normal"
         ;;
       i )
         skip_to_menu="true"

initrd/bin/kexec-insert-key

@@ -65,7 +65,8 @@ if ! kexec-unseal-key "$INITRD_DIR/secret.key"; then
 fi
 
 # Override PCR 4 so that user can't read the key
-DEBUG "Extending TPM PCR 4 to prevent further secret unsealing"
+TRACE_FUNC
+echo "TPM: Extending PCR[4] to prevent any future secret unsealing"
 tpmr extend -ix 4 -ic generic ||
 	die 'Unable to scramble PCR'
 

initrd/bin/kexec-select-boot

@@ -384,9 +384,10 @@ while true; do
 	if [ "$CONFIG_TPM" = "y" ]; then
 		if [ ! -r "$TMP_KEY_DEVICES" ]; then
 			# Extend PCR4 as soon as possible
-			DEBUG "Extending TPM PCR 4 to prevent further secret unsealing"
+			TRACE_FUNC
+			DEBUG "TPM: Extending PCR[4] to prevent further secret unsealing"
 			tpmr extend -ix 4 -ic generic ||
-				die "Failed to extend PCR 4"
+				die "Failed to extend TPM PCR[4]"
 		fi
 	fi
 

initrd/bin/key-init

@@ -1,19 +1,35 @@
 #!/bin/bash
 set -e -o pipefail
 . /etc/functions
+. /etc/gui_functions
 
 TRACE_FUNC
 
 # Post processing of keys
 
-# Import user's keys
-gpg --import /.gnupg/keys/*.key  /.gnupg/keys/*.asc 2>/dev/null || true
+# Good system clock is required for GPG to work properly.
+# if system year is less then 2024, prompt user to set correct time
+if [ "$(date +%Y)" -lt 2024 ]; then
+    if whiptail_warning --title "System Time Incorrect" \
+        --yesno "The system time is incorrect. Please set the correct time." \
+        0 80 --yes-button Continue --no-button Skip --clear; then
+        change-time.sh
+    fi
+fi
+
+# Import user's keys if they exist
+if [ -d /.gnupg/keys ]; then
+    # This is legacy location for user's keys. cbfs-init takes for granted that keyring and trustdb are in /.gnupg
+    #  oem-factory-reset generates keyring and trustdb which cbfs-init dumps to /.gnupg
+    # TODO: Remove individual key imports. This is still valid for distro keys only below.
+    gpg --import /.gnupg/keys/*.key  /.gnupg/keys/*.asc 2>/dev/null || warn "Importing user's keys failed"
+fi
 
 # Import trusted distro keys allowed for ISO signing
-gpg --homedir=/etc/distro/ --import /etc/distro/keys/* 2>/dev/null || true
+gpg --homedir=/etc/distro/ --import /etc/distro/keys/* 2>/dev/null || warn "Importing distro keys failed"
 #Set distro keys trust level to ultimate (trust anything that was signed with these keys)
-gpg --homedir=/etc/distro/ --list-keys --fingerprint --with-colons|sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --homedir=/etc/distro/ --import-ownertrust 2>/dev/null || true
-gpg --homedir=/etc/distro/ --update-trust 2>/dev/null || true
+gpg --homedir=/etc/distro/ --list-keys --fingerprint --with-colons|sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --homedir=/etc/distro/ --import-ownertrust 2>/dev/null || warn "Setting distro keys ultimate trust failed"
+gpg --homedir=/etc/distro/ --update-trust 2>/dev/null || warn "Updating distro keys trust failed"
 
 # Add user's keys to the list of trusted keys for ISO signing
-gpg --export | gpg --homedir=/etc/distro/ --import 2>/dev/null || true
+gpg --export | gpg --homedir=/etc/distro/ --import 2>/dev/null || warn "Adding user's keys to distro keys failed"

initrd/bin/oem-factory-reset

@@ -62,7 +62,7 @@ die() {
     exit 1
 }
 
-whiptail_error() {
+local_whiptail_error() {
     local msg=$1
     if [ "$msg" = "" ]; then
         die "whiptail error: An error msg is required"
@@ -71,7 +71,7 @@ whiptail_error() {
 }
 
 whiptail_error_die() {
-    whiptail_error "$@"
+    local_whiptail_error "$@"
     die
 }
 
@@ -1111,7 +1111,7 @@ if [ "$GPG_GEN_KEY_IN_MEMORY" = "n" -o "$GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD
     echo -e "\nChecking for USB Security Dongle...\n"
     enable_usb
     if ! gpg --card-status >/dev/null 2>&1; then
-        whiptail_error "Can't access USB Security Dongle; \nPlease remove and reinsert, then press Enter."
+        local_whiptail_error "Can't access USB Security Dongle; \nPlease remove and reinsert, then press Enter."
         if ! gpg --card-status >/dev/null 2>/tmp/error; then
             ERROR=$(tail -n 1 /tmp/error | fold -s)
             whiptail_error_die "Unable to detect USB Security Dongle:\n\n${ERROR}"

initrd/bin/qubes-measure-luks

@@ -19,6 +19,7 @@ sha256sum /tmp/lukshdr-* >/tmp/luksDump.txt || die "Unable to hash LUKS headers"
 DEBUG "Removing /tmp/lukshdr-*"
 rm /tmp/lukshdr-*
 
-DEBUG "Extending TPM PCR 6 with hash of LUKS headers from /tmp/luksDump.txt"
+TRACE_FUNC
+echo "TPM: Extending PCR[6] with hash of LUKS headers from /tmp/luksDump.txt"
 tpmr extend -ix 6 -if /tmp/luksDump.txt ||
 	die "Unable to extend PCR"

initrd/bin/tpmr

@@ -29,11 +29,11 @@ else
 	. /etc/config
 fi
 
-TRACE_FUNC
 
 # Busybox xxd lacks -r, and we get hex dumps from TPM1 commands.  This converts
 # a hex dump to binary data using sed and printf
 hex2bin() {
+	TRACE_FUNC
 	sed 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf
 }
 
@@ -43,6 +43,7 @@ hex2bin() {
 # as a file still chokes if the password begins with 'hex:', oddly tpm2-tools
 # accepts 'hex:' in the file content.)
 tpm2_password_hex() {
+	TRACE_FUNC
 	echo "hex:$(echo -n "$1" | xxd -p | tr -d ' \n')"
 }
 
@@ -61,7 +62,7 @@ tpm2_pcrread() {
 
 	if [ -z "$APPEND" ]; then
 		# Don't append - truncate file now so real command always
-		# appends
+		# overwrites
 		true >"$file"
 	fi
 
@@ -79,7 +80,7 @@ tpm1_pcrread() {
 
 	if [ -z "$APPEND" ]; then
 		# Don't append - truncate file now so real command always
-		# appends
+		# overwrites
 		true >"$file"
 	fi
 
@@ -100,11 +101,12 @@ is_hash() {
 
 # extend_pcr_state - extend a PCR state value with more hashes or raw data (which is hashed)
 # usage:
-# extend_pcr_state <alg> <initial_state> <files/hashes...>
+# extend_pcr_state <alg> <state> <files/hashes...>
 # alg - either 'sha1' or 'sha256' to specify algorithm
-# initial_state - a hash value setting the initial state
+# state - a hash value setting the initial state
 # files/hashes... - any number of files or hashes, state is extended once for each item
 extend_pcr_state() {
+	TRACE_FUNC
 	local alg="$1"
 	local state="$2"
 	local next extend
@@ -233,14 +235,20 @@ tpm2_extend() {
 	while true; do
 		case "$1" in
 		-ix)
+			# store index and shift so -ic and -if can be processed
 			index="$2"
 			shift 2
 			;;
 		-ic)
+			string=$(echo -n "$2")
 			hash="$(echo -n "$2" | sha256sum | cut -d' ' -f1)"
+			TRACE_FUNC
+			DEBUG "TPM: Will extend PCR[$index] with hash of string $string"
 			shift 2
 			;;
 		-if)
+			TRACE_FUNC
+			DEBUG "TPM: Will extend PCR[$index] with hash of file content $2"
 			hash="$(sha256sum "$2" | cut -d' ' -f1)"
 			shift 2
 			;;
@@ -250,7 +258,10 @@ tpm2_extend() {
 		esac
 	done
 	tpm2 pcrextend "$index:sha256=$hash"
-	DO_WITH_DEBUG tpm2 pcrread "sha256:$index"
+	tpm2 pcrread "sha256:$index"
+
+	TRACE_FUNC
+	DEBUG "TPM: Extended PCR[$index] with hash $hash"
 }
 
 tpm2_counter_read() {
@@ -348,9 +359,9 @@ tpm2_startsession() {
 		die "tpm2_flushcontext: unable to flush saved session"
 	tpm2 readpublic -Q -c "$PRIMARY_HANDLE" -t "$PRIMARY_HANDLE_FILE"
 	#TODO: do the right thing to not have to suppress "WARN: check public portion the tpmkey manually" see https://github.com/linuxboot/heads/pull/1630#issuecomment-2075120429
-	tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$ENC_SESSION_FILE" 2>&1 > /dev/null
+	tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$ENC_SESSION_FILE" > /dev/null 2>&1
 	#TODO: do the right thing to not have to suppress "WARN: check public portion the tpmkey manually" see https://github.com/linuxboot/heads/pull/1630#issuecomment-2075120429
-	tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$DEC_SESSION_FILE" 2>&1 > /dev/null
+	tpm2 startauthsession -Q -c "$PRIMARY_HANDLE_FILE" --hmac-session -S "$DEC_SESSION_FILE" > /dev/null 2>&1
 	tpm2 sessionconfig -Q --disable-encrypt "$DEC_SESSION_FILE"
 }
 
@@ -381,6 +392,7 @@ cleanup_shred() {
 # tpm2_destroy: Destroy a sealed file in the TPM.  The mechanism differs by
 # TPM version - TPM2 evicts the file object, so it no longer exists.
 tpm2_destroy() {
+	TRACE_FUNC
 	index="$1" # Index of the sealed file
 	size="$2"  # Size of zeroes to overwrite for TPM1 (unused in TPM2)
 
@@ -396,6 +408,7 @@ tpm2_destroy() {
 # TPM version - TPM1 overwrites the file with zeroes, since this can be done
 # without authorization.  (Deletion requires authorization.)
 tpm1_destroy() {
+	TRACE_FUNC
 	index="$1" # Index of the sealed file
 	size="$2"  # Size of zeroes to overwrite for TPM1
 
@@ -761,6 +774,21 @@ if [ "$CONFIG_TPM2_TOOLS" != "y" ]; then
 		shift
 		tpm1_destroy "$@"
 		;;
+	extend)
+		#check if we extend with a hash or a file
+		if [ "$4" = "-if" ]; then
+			DEBUG "TPM: Will extend PCR[$3] hash content of file $5"
+			hash="$(sha1sum "$5" | cut -d' ' -f1)"
+		elif [ "$4" = "-ic" ]; then
+			string=$(echo -n "$5")
+			DEBUG "TPM: Will extend PCR[$3] with hash of filename $string"
+			hash="$(echo -n "$5" | sha1sum | cut -d' ' -f1)"
+		fi
+		
+		TRACE_FUNC
+		DEBUG "TPM: Extending PCR[$3] with hash $hash"
+		DO_WITH_DEBUG exec tpm "$@"
+		;;
 	seal)
 		shift
 		tpm1_seal "$@"
@@ -799,6 +827,8 @@ calcfuturepcr)
 	replay_pcr "sha256" "$@"
 	;;
 extend)
+	TRACE_FUNC
+	DEBUG "TPM: Extending PCR[$2] with $4"
 	tpm2_extend "$@"
 	;;
 counter_read)