On machines without a TPM, we'd still like some way for the BIOS to
attest that it has not been modified. With a Librem Key, we can have the
BIOS use its own ROM measurement converted to a SHA256sum and truncated
so it fits within an HOTP secret. Like with a TPM, a malicious BIOS with
access to the correct measurements can send pre-known good measurements
to the Librem Key.

This approach provides one big drawback in that we have to truncate the
SHA256sum to 20 characters so that it fits within the limitations of
HOTP secrets. This means the possibility of collisions is much higher
but again, an attacker could also capture and spoof an existing ROM's
measurements if they have prior access to it, either with this approach
or with a TPM.

Signed-off-by: Kyle Rankin <[email protected]>

Reduce friction when generating a new TOTP/HOTP secret by eliminating
an unnecessary 'press enter to continue' prompt following QR code
generation, and by attempting to use the default admin PIN set by
the OEM factory reset function. Fall back to prompting the user
if the default PIN fails.

Also, ensure error messages are visible to users before being returned
back to the GUI menu from which they came by wrapping existing calls to die()

Signed-off-by: Matt DeVillier <[email protected]>

Currently Heads will check files in /boot for tampering before booting
into a system. It would be nice if you could use the trusted environment
within Heads and extend this to check files in / itself. This new script
adds that functionality, however due to the length of time it takes to
perform these kinds of checks, it doesn't run automatically (yet).

This feature can be configured from the config GUI - the root device/
directories to check can be set, and it can be configured to run during
boot.

To make this a bit easier to use, I added a feature to detect whether
the hash file exists and if not, to display a more limited menu to the
user guiding them to create the initial hash file. Otherwise it will
display the date the file was last modified, which can be useful to
determine how stale it is.

Use commit hash from 4.16-Purism-1 tag.

Signed-off-by: Matt DeVillier <[email protected]>

Use Purism's repo for all Librem boards other than the Librem Server L1UM.

Signed-off-by: Matt DeVillier <[email protected]>

Signed-off-by: Matt DeVillier <[email protected]>

Signed-off-by: Matt DeVillier <[email protected]>

Signed-off-by: Matt DeVillier <[email protected]>

Extract utilities from config-gui.sh for use in additional config
settings.  read_rom() reads the current ROM with a message for failure.
replace_rom_file() replaces a CBFS file in a ROM.  set_config() sets a
configuration variable in a file.

Signed-off-by: Jonathon Hall <[email protected]>

Move boot menu scanning logic to scan_boot_options() in /etc/functions

Signed-off-by: Jonathon Hall <[email protected]>

pause_automatic_boot() prompts that an automatic boot is about to occur
and allows the user to interrupt it.

Signed-off-by: Jonathon Hall <[email protected]>

enable_usb_storage() inserts usb-storage.ko if not already loaded, then
waits for USB storage devices to appear.

Signed-off-by: Jonathon Hall <[email protected]>

Add these two functions for use in config-gui.sh for future toggles.

load_config_value() obtains the value of a config setting, defaulting
to 'n'.  get_config_display_action() displays 'Enable' or 'Disable'
depending on the current value.

Signed-off-by: Jonathon Hall <[email protected]>

toggle_config() toggles the value of a config.

Signed-off-by: Jonathon Hall <[email protected]>

Signed-off-by: Matt DeVillier <[email protected]>

PureBoot Basic mode provides the full Linux userspace in firmware from
Heads without requiring verified boot or a Librem Key.  Basic and
verified boot can be switched freely without changing firmware, such as
if a Librem Key is lost.

PureBoot Basic can apply firmware updates from a USB flash drive, and
having a complete Linux userspace enables more sophisticated recovery
options.

Basic mode boots to the first boot option by default, setting a default
is not required.  This can be configured in the config GUI.

Signed-off-by: Jonathon Hall <[email protected]>

Restricted Boot mode only allows booting from signed files, whether that
is signed kernels in /boot or signed ISOs on mounted USB disks. This
disables booting from abitrary USB disks as well as the forced "unsafe"
boot mode. This also disables the recovery console so you can't bypass
this mode simply by running kexec manually.

Signed-off-by: Jonathon Hall <[email protected]>

Add the PureOS archive signing key to the keys accepted for signed
ISOs.

Signed-off-by: Jonathon Hall <[email protected]>

USB autoboot automatically boots to a USB flash drive if one is present
during boot.  This is intended for headless deployments as a method to
recover the installed operating system from USB without needing to
attach a display and keyboard.

USB autoboot can be controlled in config.user and the config GUI.

Signed-off-by: Jonathon Hall <[email protected]>

Add ioport module, enable for librem_mini_v2.  Only inb and outb are
included, inw/outw/inl/outl aren't needed.

Signed-off-by: Jonathon Hall <[email protected]>

Boards can place a file in $(board)/initrd/bin/board-init.sh to perform
board-specific initialization.

If present, the board's $(board)/initrd directory is included in the
initrd via board.initrd.

Signed-off-by: Jonathon Hall <[email protected]>

Mini v1/v2's EC can automatically power on the system when power is
applied, based on a value in EC BRAM.  Add a configuration setting to
optionally set this value.

Signed-off-by: Jonathon Hall <[email protected]>

Blob jail provides device firmware blobs to the OS, so the OS does not
have to ship them.  The firmware is passed through the initrd to
/run/firmware, so it works with both installed and live OSes, and there
are no race conditions between firmware load and firmware availability.

The injection method in the initrd is specific to the style of init
script used by PureOS, since it must add a copy command to copy the
firmware from the initrd to /run.  If the init script is not of this
type, boot proceeds without device firmware.

This feature can be enabled or disabled from the config GUI.

Blob jail is enabled automatically if the Intel AX200 Wi-Fi module is
installed and the feature hasn't been explicitly configured.

Signed-off-by: Matt DeVillier <[email protected]>

Add driver blobs needed for Intel AX200 WiFi/BT, as well as
Atheros ar3k BT.

Signed-off-by: Matt DeVillier <[email protected]>

Signed-off-by: Jonathon Hall <[email protected]>

Stop manually loading config values, just update config in environment.

Never test values against "n", since many default to empty.  Always
test ="y" or !="y", any other value is off.

Add set_user_config() function to set a value in config.user,
combine configs, and update config in environment.  Use it in setting
implementations.

Remove toggle_config, it wasn't very useful because the settings still
test y/n in order to show specific confirmation and success messages.

Signed-off-by: Jonathon Hall <[email protected]>

PureBoot doesn't have any other three-valued settings and this doesn't
present very well in the config UI.

Instead make this a two-valued setting; drop the mode that forces the
EC setting to "stay off" at every boot because this is the default.

When disabling automatic power-on, disable the EC BRAM setting too.

Signed-off-by: Jonathon Hall <[email protected]>

This is particularly beneficial for servers with Aspeed BMC video,
because it introduces framebuffer console acceleration.  The
framebuffer console is much more responsive.

Patches were ported from 5.10.5:

0001-fake-acpi.patch: This may not be needed any more, but it applies
cleanly and I don't think it would harm anything.

0002-nmi-squelch.patch: The comment mentions qemu but I see this
message on physical machines occasionally, so I think this is needed.

0003-fake-trampoline.patch: This patch does not apply cleanly.  It
could be ported, but I don't think it's needed, I dropped it.  Dates
back to a very old commit where Linux was being embedded into a vendor
UEFI firmware: a4d7654.

0010-winterfell-ahci.patch: Minor change of %x to %lx in context.

Signed-off-by: Jonathon Hall <[email protected]>

These changes primarily improve server boards using BMC video.  The
correct DRI card is selected even if it isn't the first one, and
performance is greatly improved on non-UMA cards.

Signed-off-by: Jonathon Hall <[email protected]>

Add Linux 6.1.8 configuration, used by Librem L1UM v2

Add coreboot configuration for Librem L1UM v2

Add Librem L1UM v2 board configuration

Signed-off-by: Jonathon Hall <[email protected]>

Only try the default PIN automatically for 1 month after key creation.
This simplifies initial ownership but still encourages changing the
PIN.

Never enter a PIN automatically if fewer than 3 attempts remain, to
avoid causing lockout if the PIN has been changed.

Remind what the default PIN was if it is not attempted for either
reason.

Signed-off-by: Jonathon Hall <[email protected]>

Librem boards now use Purism's coreboot distribution cloned from git,
persist it in CI cache.

Signed-off-by: Jonathon Hall <[email protected]>

…eads-upstream

The CONFIG_BASIC test was backwards, as a result it skipped the
LUKS disk unlock logic if basic mode was _not_ enabled.  This wasn't
observed in the PureBoot distribution because we disable the LUKS disk
unlock feature.

CONFIG_BOOT_REQ_ROLLBACK and CONFIG_BOOT_REQ_HASH logic was also
skipped incorrectly, though neither of these are enabled on any board
so this had no effect in the PureBoot distribution either.

Test basic with each bit of logic to eliminate duplication of the
kexec-boot call and fix the LUKS disk unlock feature.

Signed-off-by: Jonathon Hall <[email protected]>

The "disable restricted boot" prompt got slightly too long when fixing
the TPM wording.  Re-wrap that line to match the others.  Wrapping
could use some general cleanup but this is sufficient so the text isn't
truncated.

Signed-off-by: Jonathon Hall <[email protected]>

The -s mode was removed, remove it from usage.  Remove the test to skip
checking for board flashrom options with -s mode.

Signed-off-by: Jonathon Hall <[email protected]>

The early recovery shell ("hold R") and serial recovery both could
bypass Restricted Boot since they occurred before config.user was
loaded.  Load config.user earlier before these recovery methods.

Executing a shell directly (if recovery failed) also would bypass
Restricted Boot, additionally leaking /tmp/secret.  Remove this from
the early recovery shell logic.  Also remove the final failsafe exec
and move the "just in case" recovery from normal boot here instead, in
case the regular init script fails.

Signed-off-by: Jonathon Hall <[email protected]>

Simplify "enable" prompt a bit, clarify that firmware updating is
blocked, and remove mention of "failsafe boot mode".  Reword "disable"
prompt similarly.

Signed-off-by: Jonathon Hall <[email protected]>

…eads-upstream

…eads-upstream

For iterating, enabling these in the board config is easiest.  It's
also possible to manually inject config.user ahead of time, or enable
at runtime without flashing, but the normal enable/flash/reboot path
does not work in qemu since it is unable to flash.

Signed-off-by: Jonathon Hall <[email protected]>