Merge pull request #1419 from JonathonHall-Purism/pureboot-27-heads-u…

…pstream

Upstream PureBoot 27

.circleci/config.yml

@@ -194,6 +194,7 @@ jobs:
             - build/x86/coreboot-4.15
             - build/x86/coreboot-4.17
             - build/x86/coreboot-4.19
+            - build/x86/coreboot-git
             - build/ppc64/coreboot-git
       - save_cache:
           #Generate cache for the exact same modules definitions if hash is not previously existing

Makefile

@@ -9,7 +9,10 @@ GIT_STATUS	:= $(shell \
 	fi)
 HEADS_GIT_VERSION	:= $(shell git describe --abbrev=7 --tags --dirty)
 
-CB_OUTPUT_BASENAME	:= heads-$(BOARD)-$(HEADS_GIT_VERSION)
+# Override BRAND_NAME to set the name displayed in the UI, filenames, versions, etc.
+BRAND_NAME	?= Heads
+
+CB_OUTPUT_BASENAME	:= $(shell echo $(BRAND_NAME) | tr A-Z a-z)-$(BOARD)-$(HEADS_GIT_VERSION)
 CB_OUTPUT_FILE		:= $(CB_OUTPUT_BASENAME).rom
 CB_OUTPUT_FILE_GPG_INJ	:= $(CB_OUTPUT_BASENAME)-gpg-injected.rom
 CB_BOOTBLOCK_FILE	:= $(CB_OUTPUT_BASENAME).bootblock
@@ -180,6 +183,7 @@ FORCE:
 define install_config =
 	sed -e 's!@BOARD_BUILD_DIR@!$(board_build)!g' \
 	    -e 's!@BLOB_DIR@!$(pwd)/blobs!g' \
+	    -e 's!@BRAND_NAME@!$(BRAND_NAME)!g' \
 	    "$1" > "$2"
 endef
 
@@ -513,6 +517,8 @@ bin_modules-$(CONFIG_TPM2_TOOLS) += tpm2-tools
 bin_modules-$(CONFIG_BASH) += bash
 bin_modules-$(CONFIG_POWERPC_UTILS) += powerpc-utils
 bin_modules-$(CONFIG_IO386) += io386
+bin_modules-$(CONFIG_IOPORT) += ioport
+bin_modules-$(CONFIG_ZSTD) += zstd
 
 $(foreach m, $(bin_modules-y), \
 	$(call map,initrd_bin_add,$(call bins,$m)) \
@@ -568,6 +574,7 @@ $(COREBOOT_UTIL_DIR)/superiotool/superiotool: \
 initrd-y += $(pwd)/blobs/dev.cpio
 initrd-y += $(build)/$(initrd_dir)/modules.cpio
 initrd-y += $(build)/$(initrd_dir)/tools.cpio
+initrd-y += $(build)/$(initrd_dir)/board.cpio
 initrd-$(CONFIG_HEADS) += $(build)/$(initrd_dir)/heads.cpio
 
 #$(build)/$(initrd_dir)/.build: $(build)/$(initrd_dir)/initrd.cpio.xz
@@ -597,6 +604,17 @@ $(build)/$(initrd_dir)/initrd.cpio.xz: $(initrd-y)
 bundle-$(CONFIG_LINUX_BUNDLED)	+= $(board_build)/$(LINUX_IMAGE_FILE).bundled
 all: $(bundle-y)
 
+# The board.cpio is built from the board's initrd/ directory.  It contains
+# board-specific support scripts.
+
+ifeq ($(wildcard $(pwd)/boards/$(BOARD)/initrd),)
+$(build)/$(initrd_dir)/board.cpio:
+	cpio -H newc -o </dev/null >"$@"
+else
+$(build)/$(initrd_dir)/board.cpio: FORCE
+	$(call do-cpio,$@,$(pwd)/boards/$(BOARD)/initrd)
+endif
+
 #
 # The heads.cpio is built from the initrd directory in the
 # Heads tree.
@@ -633,6 +651,8 @@ $(initrd_tmp_dir)/etc/config: FORCE
 		>> $@ ; \
 		echo export CONFIG_BOARD=$(BOARD) \
 		>> $@ ; \
+		echo export CONFIG_BRAND_NAME=$(BRAND_NAME) \
+		>> $@ ; \
 	)
 
 # Ensure that the initrd depends on all of the modules that produce

blobs/librem_jail/README

@@ -0,0 +1 @@
+This directory contains firmware/microcode needed for the Intel AX200 WiFi module, its Bluetooth counterparts, and the Bluetooth component (ar3k) of Ath9k WiFi modules. It is synchronized via the main system firmware (Pureboot) at each boot, and should not be modified.

boards/librem_13v2/librem_13v2.config

@@ -3,7 +3,7 @@ CONFIG_LINUX_CONFIG=config/linux-librem_common.config
 CONFIG_COREBOOT_CONFIG=config/coreboot-librem_13v2.config
 
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=4.17
+export CONFIG_COREBOOT_VERSION=purism
 export CONFIG_LINUX_VERSION=5.10.5
 export CONFIG_PURISM_BLOBS=y
 
@@ -30,6 +30,8 @@ CONFIG_LINUX_USB=y
 
 export CONFIG_TPM=y
 export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y
+export CONFIG_TOTP_SKIP_QRCODE=y
+export CONFIG_OEMRESET_OFFER_DEFAULTS=y
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
@@ -39,3 +41,6 @@ export CONFIG_BOOT_DEV="/dev/nvme0n1p1"
 export CONFIG_BOARD_NAME="Librem 13 v2/v3"
 export CONFIG_FLASHROM_OPTIONS="-p internal"
 export CONFIG_AUTO_BOOT_TIMEOUT=5
+export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
+export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
+export CONFIG_ROOT_CHECK_AT_BOOT="n"

boards/librem_13v4/librem_13v4.config

@@ -3,7 +3,7 @@ CONFIG_LINUX_CONFIG=config/linux-librem_common.config
 CONFIG_COREBOOT_CONFIG=config/coreboot-librem_13v4.config
 
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=4.17
+export CONFIG_COREBOOT_VERSION=purism
 export CONFIG_LINUX_VERSION=5.10.5
 export CONFIG_PURISM_BLOBS=y
 
@@ -30,6 +30,8 @@ CONFIG_LINUX_USB=y
 
 export CONFIG_TPM=y
 export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y
+export CONFIG_TOTP_SKIP_QRCODE=y
+export CONFIG_OEMRESET_OFFER_DEFAULTS=y
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
@@ -39,3 +41,6 @@ export CONFIG_BOOT_DEV="/dev/nvme0n1p1"
 export CONFIG_BOARD_NAME="Librem 13 v4"
 export CONFIG_FLASHROM_OPTIONS="-p internal"
 export CONFIG_AUTO_BOOT_TIMEOUT=5
+export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
+export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
+export CONFIG_ROOT_CHECK_AT_BOOT="n"

boards/librem_14/librem_14.config

@@ -3,7 +3,7 @@ CONFIG_LINUX_CONFIG=config/linux-librem_common.config
 CONFIG_COREBOOT_CONFIG=config/coreboot-librem_14.config
 
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=4.17
+export CONFIG_COREBOOT_VERSION=purism
 export CONFIG_LINUX_VERSION=5.10.5
 export CONFIG_PURISM_BLOBS=y
 
@@ -28,6 +28,8 @@ CONFIG_LINUX_USB=y
 
 export CONFIG_TPM=y
 export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y
+export CONFIG_TOTP_SKIP_QRCODE=y
+export CONFIG_OEMRESET_OFFER_DEFAULTS=y
 
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 export CONFIG_BOOT_REQ_HASH=n
@@ -39,3 +41,6 @@ export CONFIG_BOARD_NAME="Librem 14"
 export CONFIG_FLASHROM_OPTIONS="-p internal"
 
 export CONFIG_AUTO_BOOT_TIMEOUT=5
+export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
+export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
+export CONFIG_ROOT_CHECK_AT_BOOT="n"

boards/librem_15v3/librem_15v3.config

@@ -3,7 +3,7 @@ CONFIG_LINUX_CONFIG=config/linux-librem_common.config
 CONFIG_COREBOOT_CONFIG=config/coreboot-librem_15v3.config
 
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=4.17
+export CONFIG_COREBOOT_VERSION=purism
 export CONFIG_LINUX_VERSION=5.10.5
 export CONFIG_PURISM_BLOBS=y
 
@@ -30,6 +30,8 @@ CONFIG_LINUX_USB=y
 
 export CONFIG_TPM=y
 export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y
+export CONFIG_TOTP_SKIP_QRCODE=y
+export CONFIG_OEMRESET_OFFER_DEFAULTS=y
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
@@ -39,3 +41,6 @@ export CONFIG_BOOT_DEV="/dev/nvme0n1p1"
 export CONFIG_BOARD_NAME="Librem 15 v3"
 export CONFIG_FLASHROM_OPTIONS="-p internal"
 export CONFIG_AUTO_BOOT_TIMEOUT=5
+export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
+export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
+export CONFIG_ROOT_CHECK_AT_BOOT="n"

boards/librem_15v4/librem_15v4.config

@@ -3,7 +3,7 @@ CONFIG_LINUX_CONFIG=config/linux-librem_common.config
 CONFIG_COREBOOT_CONFIG=config/coreboot-librem_15v4.config
 
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=4.17
+export CONFIG_COREBOOT_VERSION=purism
 export CONFIG_LINUX_VERSION=5.10.5
 export CONFIG_PURISM_BLOBS=y
 
@@ -30,6 +30,8 @@ CONFIG_LINUX_USB=y
 
 export CONFIG_TPM=y
 export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y
+export CONFIG_TOTP_SKIP_QRCODE=y
+export CONFIG_OEMRESET_OFFER_DEFAULTS=y
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
@@ -39,3 +41,6 @@ export CONFIG_BOOT_DEV="/dev/nvme0n1p1"
 export CONFIG_BOARD_NAME="Librem 15 v4"
 export CONFIG_FLASHROM_OPTIONS="-p internal"
 export CONFIG_AUTO_BOOT_TIMEOUT=5
+export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
+export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
+export CONFIG_ROOT_CHECK_AT_BOOT="n"

boards/librem_l1um/librem_l1um.config

@@ -28,6 +28,8 @@ CONFIG_LINUX_USB=y
 
 export CONFIG_TPM=y
 export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y
+export CONFIG_TOTP_SKIP_QRCODE=y
+export CONFIG_OEMRESET_OFFER_DEFAULTS=y
 
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 export CONFIG_BOOT_REQ_HASH=n
@@ -39,3 +41,6 @@ export CONFIG_BOARD_NAME="Librem Server L1UM"
 export CONFIG_AUTO_BOOT_TIMEOUT=5
 export CONFIG_FLASHROM_OPTIONS="-p internal"
 export CONFIG_USB_KEYBOARD=y
+export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
+export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
+export CONFIG_ROOT_CHECK_AT_BOOT="n"

boards/librem_l1um_v2/librem_l1um_v2.config

@@ -0,0 +1,51 @@
+# Configuration for librem_l1um_v2
+CONFIG_LINUX_CONFIG=config/linux-librem_common-6.1.8.config
+CONFIG_COREBOOT_CONFIG=config/coreboot-librem_l1um_v2.config
+
+export CONFIG_COREBOOT=y
+export CONFIG_COREBOOT_VERSION=purism
+export CONFIG_LINUX_VERSION=6.1.8
+export CONFIG_PURISM_BLOBS=y
+
+CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
+CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
+CONFIG_LVM2=y
+CONFIG_MBEDTLS=y
+CONFIG_PCIUTILS=y
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+
+CONFIG_CAIRO=y
+CONFIG_FBWHIPTAIL=y
+CONFIG_HOTPKEY=y
+
+CONFIG_LINUX_USB=y
+
+export CONFIG_TPM=y
+export CONFIG_TPM2_TOOLS=y
+CONFIG_TPM2_TSS=y
+CONFIG_OPENSSL=y
+CONFIG_PRIMARY_KEY_TYPE=ecc
+export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y
+export CONFIG_TOTP_SKIP_QRCODE=y
+export CONFIG_OEMRESET_OFFER_DEFAULTS=y
+
+export CONFIG_BOOTSCRIPT=/bin/gui-init
+export CONFIG_BOOT_REQ_HASH=n
+export CONFIG_BOOT_REQ_ROLLBACK=n
+export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on"
+export CONFIG_BOOT_KERNEL_REMOVE="plymouth.ignore-serial-consoles"
+export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0"
+export CONFIG_BOOT_DEV="/dev/nvme0n1p1"
+export CONFIG_BOARD_NAME="Librem Server L1UM v2"
+export CONFIG_AUTO_BOOT_TIMEOUT=5
+export CONFIG_FLASHROM_OPTIONS="-p internal"
+export CONFIG_USB_KEYBOARD=y
+export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
+export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
+export CONFIG_ROOT_CHECK_AT_BOOT="n"

boards/librem_mini/initrd/bin/board-init.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+set -o pipefail
+
+. /tmp/config
+
+# If CONFIG_AUTOMATIC_POWERON is set, always set the EC BRAM setting during
+# boot.  It persists as long as the RTC battery is set, but set it during every
+# boot for robustness in case the battery is temporarily removed, or the user
+# toggles in config-gui and then does not flash, etc.
+if [ "$CONFIG_AUTOMATIC_POWERON" = "y" ]; then
+	set_ec_poweron.sh y
+fi
+
+# Don't disable the setting in the EC BRAM though if CONFIG_AUTOMATIC_POWERON
+# is not enabled.  The default is disabled anyway, and the OS could configure
+# it.

boards/librem_mini/initrd/bin/set_ec_poweron.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Set the EC BRAM setting for automatic power-on.
+# If $1 is 'y', enable automatic power-on.  Otherwise, disable it.
+
+# EC BRAM bank 1
+BRAMADDR=0x360
+BRAMDATA=0x361
+
+outb "$BRAMADDR" 0x29 # Select byte at offset 29h
+if [ "$1" = "y" ]; then
+	outb "$BRAMDATA" 0x00 # 0 -> automatic power-on
+else
+	outb "$BRAMDATA" 0x01 # 1 -> stay off
+fi
+

boards/librem_mini/librem_mini.config

@@ -3,14 +3,15 @@ CONFIG_LINUX_CONFIG=config/linux-librem_common.config
 CONFIG_COREBOOT_CONFIG=config/coreboot-librem_mini.config
 
 export CONFIG_COREBOOT=y
-export CONFIG_COREBOOT_VERSION=4.17
+export CONFIG_COREBOOT_VERSION=purism
 export CONFIG_LINUX_VERSION=5.10.5
 export CONFIG_PURISM_BLOBS=y
 
 CONFIG_CRYPTSETUP2=y
 CONFIG_FLASHROM=y
 CONFIG_FLASHTOOLS=y
 CONFIG_GPG2=y
+CONFIG_IOPORT=y
 CONFIG_KEXEC=y
 CONFIG_UTIL_LINUX=y
 CONFIG_LVM2=y
@@ -28,6 +29,8 @@ CONFIG_LINUX_USB=y
 
 export CONFIG_TPM=n
 export CONFIG_TPM_NO_LUKS_DISK_UNLOCK=y
+export CONFIG_TOTP_SKIP_QRCODE=y
+export CONFIG_OEMRESET_OFFER_DEFAULTS=y
 
 export CONFIG_BOOTSCRIPT=/bin/gui-init
 export CONFIG_BOOT_REQ_HASH=n
@@ -39,3 +42,7 @@ export CONFIG_BOARD_NAME="Librem Mini"
 export CONFIG_FLASHROM_OPTIONS="-p internal"
 export CONFIG_USB_KEYBOARD=y
 export CONFIG_AUTO_BOOT_TIMEOUT=5
+export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
+export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"
+export CONFIG_ROOT_CHECK_AT_BOOT="n"
+export CONFIG_SUPPORT_AUTOMATIC_POWERON=y

boards/librem_mini_v2/initrd/bin/board-init.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+set -o pipefail
+
+. /tmp/config
+
+# If CONFIG_AUTOMATIC_POWERON is set, always set the EC BRAM setting during
+# boot.  It persists as long as the RTC battery is set, but set it during every
+# boot for robustness in case the battery is temporarily removed, or the user
+# toggles in config-gui and then does not flash, etc.
+if [ "$CONFIG_AUTOMATIC_POWERON" = "y" ]; then
+	set_ec_poweron.sh y
+fi
+
+# Don't disable the setting in the EC BRAM though if CONFIG_AUTOMATIC_POWERON
+# is not enabled.  The default is disabled anyway, and the OS could configure
+# it.

boards/librem_mini_v2/initrd/bin/set_ec_poweron.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Set the EC BRAM setting for automatic power-on.
+# If $1 is 'y', enable automatic power-on.  Otherwise, disable it.
+
+# EC BRAM bank 1
+BRAMADDR=0x360
+BRAMDATA=0x361
+
+outb "$BRAMADDR" 0x29 # Select byte at offset 29h
+if [ "$1" = "y" ]; then
+	outb "$BRAMDATA" 0x00 # 0 -> automatic power-on
+else
+	outb "$BRAMDATA" 0x01 # 1 -> stay off
+fi
+