Merge branch 'master' into gpg2

blobs/librem_skl/get_blobs.sh

@@ -26,10 +26,10 @@ SKL_ME_PATCH_SHA="49019f89206d6371b1377cf738426c3b0ac60c4b1bb89d5d5de00481e7e4fe
 
 # Link found on : http://www.win-raid.com/t832f39-Intel-Engine-Firmware-Repositories.html
 # Update link if it changes and becomes invalid.
-SKL_ME_RAR_URL="https://mega.nz/#!DNdDVQ7I!hronBMVN8m82JciiT6UQwtwh-LVlHXIo-NzTB0324rk"
-SKL_ME_FILENAME="11.0.18.1002_CON_LP_C0_NPDM_PRD_RGN.bin"
-SKL_ME_FULL_FILENAME="Intel CSME 11.0 Firmware Repository Pack r52/$SKL_ME_FILENAME"
-SKL_ME_RAR_SHA="28b7c31ae6888623d2271f0c74cb7bbca55a56af73b26f9796742467a841441a"
+SKL_ME_RAR_URL="https://mega.nz/#!2ElyFQDT!cC0gTlH8rB9EWD4MGX0mVElT94BauqFn-dBKuoEselc"
+SKL_ME_FILENAME="11.0.18.1002_CON_LP_C_NPDM_PRD_RGN.bin"
+SKL_ME_FULL_FILENAME="Intel CSME 11.0 Firmware Repository Pack r53/$SKL_ME_FILENAME"
+SKL_ME_RAR_SHA="1450d7ea985fbcf0ea79ba61bdc71ed3c5de52a6a82f14c07120b6b321e97352"
 
 # Needed to download SKL_ME_RAR_URL
 MEGADOWN_URL="https://github.com/tonikelope/megadown.git"

boards/x230-flash/x230-flash.config

@@ -3,7 +3,7 @@ BOARD=x230.flash
 
 export CONFIG_COREBOOT=y
 CONFIG_FLASHROM=y
-CONFIG_GPG=y
+#CONFIG_GPG=y
 CONFIG_FLASHTOOLS=y
 CONFIG_PCIUTILS=y
 #CONFIG_MBEDTLS=y

boards/x230/x230.config

@@ -33,14 +33,6 @@ export CONFIG_USB_BOOT_DEV="/dev/sdb1"
 # the ME image and part of the coreboot image, and a 4 MB one that
 # has the rest of the coreboot and the reset vector.
 #
-# When flashing via an external programmer it is easiest to have
-# to separate files for these pieces.
-all: $(build)/$(BOARD)/$(BOARD)-8.rom
-$(build)/$(BOARD)/$(BOARD)-8.rom: $(build)/$(BOARD)/coreboot.rom
-	$(call do,DD 8MB,$@,dd of=$@ if=$< bs=65536 count=128 skip=0 status=none)
-	@sha256sum $@
-
-all: $(build)/$(BOARD)/$(BOARD)-4.rom
-$(build)/$(BOARD)/$(BOARD)-4.rom: $(build)/$(BOARD)/coreboot.rom
-	$(call do,DD 4MB,$@,dd of=$@ if=$< bs=65536 count=64 skip=128 status=none)
-	@sha256sum $@
+# Only flashing to the bios region is safe to do. The easiest is to
+# flash internally when the IFD is unlocked for writing, and x230-flash
+# is installed first.

initrd/bin/config-gui.sh

@@ -0,0 +1,138 @@
+#!/bin/sh
+#
+set -e -o pipefail
+. /etc/functions
+. /tmp/config
+
+file_selector() {
+  FILE=""
+  FILE_LIST=$1
+  MENU_MSG=${2:-"Choose the file"}
+# create file menu options
+  if [ `cat "$FILE_LIST" | wc -l` -gt 0 ]; then
+    option=""
+    while [ -z "$option" ]
+    do
+      MENU_OPTIONS=""
+      n=0
+      while read option
+      do
+        n=`expr $n + 1`
+        option=$(echo $option | tr " " "_")
+        MENU_OPTIONS="$MENU_OPTIONS $n ${option}"
+      done < $FILE_LIST
+
+      MENU_OPTIONS="$MENU_OPTIONS a Abort"
+      whiptail --clear --title "Select your File" \
+        --menu "${MENU_MSG} [1-$n, a to abort]:" 20 120 8 \
+        -- $MENU_OPTIONS \
+        2>/tmp/whiptail || die "Aborting"
+
+      option_index=$(cat /tmp/whiptail)
+
+      if [ "$option_index" = "a" ]; then
+        option="a"
+        return
+      fi
+
+      option=`head -n $option_index $FILE_LIST | tail -1`
+      if [ "$option" == "a" ]; then
+        return
+      fi
+    done
+    if [ -n "$option" ]; then
+      FILE=$option
+    fi
+  else
+    whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: No Files Found' \
+      --msgbox "No Files found matching the pattern. Aborting." 16 60
+    exit 1
+  fi
+}
+
+while true; do
+  unset menu_choice
+  whiptail --clear --title "Config Management Menu" \
+    --menu "This menu lets you change settings for the current BIOS session.\n\nAll changes will revert after a reboot,\n\nunless you also save them to the running BIOS." 20 90 10 \
+    'b' ' Change the /boot device' \
+    'u' ' Change the USB boot device' \
+    's' ' Save the current configuration to the running BIOS' \
+    'x' ' Exit' \
+    2>/tmp/whiptail || recovery "GUI menu failed"
+
+  menu_choice=$(cat /tmp/whiptail)
+
+  case "$menu_choice" in
+    "x" )
+      exit 0
+    ;;
+    "b" )
+      CURRENT_OPTION=`grep 'CONFIG_BOOT_DEV=' /tmp/config | tail -n1 | cut -f2 -d '=' | tr -d '"'`
+      find /dev -name 'sd*' -o -name 'nvme*' > /tmp/filelist.txt
+      file_selector "/tmp/filelist.txt" "Choose the default /boot device.\n\nCurrently set to $CURRENT_OPTION."
+      if [ "$FILE" == "" ]; then
+        return
+      else
+        SELECTED_FILE=$FILE
+      fi
+
+      replace_config /etc/config.user "CONFIG_BOOT_DEV" "$SELECTED_FILE"
+      combine_configs
+
+      whiptail --title 'Config change successful' \
+        --msgbox "The /boot device was successfully changed to $SELECTED_FILE" 16 60
+    ;;
+    "u" )
+      whiptail --title 'Insert a USB thumb drive' \
+        --msgbox "Insert a USB thumb drive so we can detect the device" 16 60
+
+      enable_usb
+
+      if ! lsmod | grep -q usb_storage; then
+        insmod /lib/modules/usb-storage.ko \
+        || die "usb_storage: module load failed"
+        sleep 5
+      fi
+
+      CURRENT_OPTION=`grep 'CONFIG_USB_BOOT_DEV=' /tmp/config | tail -n1 | cut -f2 -d '=' | tr -d '"'`
+      find /dev -name 'sd*' -o -name 'nvme*' > /tmp/filelist.txt
+      file_selector "/tmp/filelist.txt" "Choose the default USB boot device.\n\nCurrently set to $CURRENT_OPTION."
+      if [ "$FILE" == "" ]; then
+        return
+      else
+        SELECTED_FILE=$FILE
+      fi
+
+      replace_config /etc/config.user "CONFIG_USB_BOOT_DEV" "$SELECTED_FILE"
+      combine_configs
+
+      whiptail --title 'Config change successful' \
+        --msgbox "The USB boot device was successfully changed to $SELECTED_FILE" 16 60
+    ;;
+    "s" )
+      /bin/flash.sh -r /tmp/config-gui.rom
+      if [ ! -s /tmp/config-gui.rom ]; then
+        whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: BIOS Read Failed!' \
+          --msgbox "Unable to read BIOS" 16 60
+        exit 1
+      fi
+
+      if (cbfs -o /tmp/config-gui.rom -l | grep -q "heads/initrd/etc/config.user") then
+        cbfs -o /tmp/config-gui.rom -d "heads/initrd/etc/config.user"
+      fi
+      cbfs -o /tmp/config-gui.rom -a "heads/initrd/etc/config.user" -f /etc/config.user
+
+      if (whiptail --title 'Update ROM?' \
+          --yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 16 90) then
+        /bin/flash.sh /tmp/config-gui.rom
+        whiptail --title 'BIOS Updated Successfully' \
+          --msgbox "BIOS updated successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 16 60
+        /bin/reboot
+      else
+        exit 0
+      fi
+    ;;
+  esac
+
+done
+exit 0

initrd/bin/flash-gui.sh

@@ -2,7 +2,7 @@
 #
 set -e -o pipefail
 . /etc/functions
-. /etc/config
+. /tmp/config
 
 mount_usb(){
 # Mount the USB boot device

initrd/bin/flash.sh

@@ -4,7 +4,7 @@
 #
 set -e -o pipefail
 . /etc/functions
-. /etc/config
+. /tmp/config
 
 case "$CONFIG_BOARD" in
   librem* )

initrd/bin/generic-init

@@ -2,7 +2,7 @@
 # Boot from a local disk installation
 
 . /etc/functions
-. /etc/config
+. /tmp/config
 
 mount_boot()
 {

initrd/bin/gui-init

@@ -4,7 +4,7 @@
 CONFIG_BOOT_GUI_MENU_NAME='Heads Boot Menu'
 
 . /etc/functions
-. /etc/config
+. /tmp/config
 
 mount_boot()
 {
@@ -183,6 +183,7 @@ while true; do
       --menu "Configure Advanced Settings" 20 90 10 \
       'g' ' Generate new TOTP/HOTP secret' \
       's' ' Update checksums and sign all files in /boot' \
+      'c' ' Change configuration settings -->' \
       'f' ' Flash/Update the BIOS -->' \
       'p' ' Reset the TPM' \
       'n' ' TOTP/HOTP does not match after refresh, troubleshoot' \
@@ -286,6 +287,11 @@ while true; do
     continue
   fi
 
+  if [ "$totp_confirm" = "c" ]; then
+    config-gui.sh
+    continue
+  fi
+
   if [ "$totp_confirm" = "f" ]; then
     flash-gui.sh
     continue

initrd/bin/kexec-boot

@@ -1,7 +1,7 @@
 #!/bin/sh
 # Launches kexec from saved configuration entries
 set -e -o pipefail
-. /etc/config
+. /tmp/config
 . /etc/functions
 
 dryrun="n"

initrd/bin/kexec-iso-init

@@ -2,7 +2,7 @@
 # Boot from signed ISO
 set -e -o pipefail
 . /etc/functions
-. /etc/config
+. /tmp/config
 
 MOUNTED_ISO_PATH="$1"
 ISO_PATH="$2"

initrd/bin/kexec-save-default

@@ -1,7 +1,7 @@
 #!/bin/sh
 # Save these options to be the persistent default
 set -e -o pipefail
-. /etc/config
+. /tmp/config
 . /etc/functions
 
 while getopts "b:d:p:i:" arg; do

initrd/bin/kexec-seal-key

@@ -11,7 +11,7 @@ TPM_SEALED="/tmp/secret/secret.sealed"
 RECOVERY_KEY="/tmp/secret/recovery.key"
 
 . /etc/functions
-. /etc/config
+. /tmp/config
 
 paramsdir=$1
 if [ -z "$paramsdir" ]; then

initrd/bin/kexec-select-boot

@@ -1,7 +1,7 @@
 #!/bin/sh
 # Generic configurable boot script via kexec
 set -e -o pipefail
-. /etc/config
+. /tmp/config
 . /etc/functions
 
 add=""

initrd/bin/kexec-sign-config

@@ -1,7 +1,7 @@
 #!/bin/sh
 # Sign a valid directory of kexec params
 set -e -o pipefail
-. /etc/config
+. /tmp/config
 . /etc/functions
 
 rollback="n"

initrd/bin/usb-init

@@ -2,7 +2,7 @@
 # Boot a USB installation
 
 . /etc/functions
-. /etc/config
+. /tmp/config
 
 if [ "$CONFIG_TPM" = "y" ]; then
 	# Extend PCR4 as soon as possible

initrd/bin/usb-scan

@@ -2,7 +2,7 @@
 # Scan for USB installation options
 set -e -o pipefail
 . /etc/functions
-. /etc/config
+. /tmp/config
 
 # Unmount any previous boot device
 if grep -q /boot /proc/mounts ; then

initrd/bin/x230-flash.init

@@ -3,7 +3,7 @@
 # invoke a recovery shell and prompt the user for how to proceed
 
 . /etc/functions
-. /etc/config
+. /tmp/config
 
 insmod /lib/modules/ehci-hcd.ko
 insmod /lib/modules/ehci-pci.ko

initrd/etc/functions

@@ -17,6 +17,10 @@ recovery() {
 	# but recreate the directory so that new tools can use it.
 	rm -rf /tmp/secret
 	mkdir -p /tmp/secret
+
+	# ensure /tmp/config exists for recovery scripts that depend on it
+	touch /tmp/config
+
 	if [ "$CONFIG_TPM" = y ]; then
 		tpm extend -ix 4 -ic recovery
 	fi
@@ -217,3 +221,21 @@ preserve_rom() {
 		fi
 	done
 }
+replace_config() {
+	CONFIG_FILE=$1
+	CONFIG_OPTION=$2
+	NEW_SETTING=$3
+
+	touch $CONFIG_FILE
+# first pull out the existing option from the global config and place in a tmp file
+	awk "gsub(\"^export ${CONFIG_OPTION}=.*\",\"export ${CONFIG_OPTION}=\\\"${NEW_SETTING}\\\"\")" /tmp/config > ${CONFIG_FILE}.tmp
+	awk "gsub(\"^${CONFIG_OPTION}=.*\",\"${CONFIG_OPTION}=\\\"${NEW_SETTING}\\\"\")" /tmp/config >> ${CONFIG_FILE}.tmp
+
+# then copy any remaining settings from the existing config file, minus the option you changed
+	grep -v "^export ${CONFIG_OPTION}=" ${CONFIG_FILE} | grep -v "^${CONFIG_OPTION}=" >> ${CONFIG_FILE}.tmp || true
+  sort ${CONFIG_FILE}.tmp | uniq > ${CONFIG_FILE}
+	rm -f ${CONFIG_FILE}.tmp
+}
+combine_configs() {
+	cat /etc/config* > /tmp/config
+}

initrd/init

@@ -42,15 +42,6 @@ hwclock -l -s
 . /etc/functions
 . /etc/config
 
-# Add our boot devices into the /etc/fstab, if they are defined
-# in the configuration file.
-if [ ! -z "$CONFIG_BOOT_DEV" ]; then
-	echo >> /etc/fstab "$CONFIG_BOOT_DEV /boot auto defaults,ro 0 0"
-fi
-if [ ! -z "$CONFIG_USB_BOOT_DEV" ]; then
-	echo >> /etc/fstab "$CONFIG_USB_BOOT_DEV /media auto defaults,ro 0 0"
-fi
-
 if [ "$CONFIG_COREBOOT" = "y" ]; then
 	/bin/cbfs-init
 fi
@@ -91,6 +82,18 @@ if [ "$boot_option" = "r" ]; then
 	exit
 fi
 
+combine_configs
+. /tmp/config
+
+# Add our boot devices into the /etc/fstab, if they are defined
+# in the configuration file.
+if [ ! -z "$CONFIG_BOOT_DEV" ]; then
+	echo >> /etc/fstab "$CONFIG_BOOT_DEV /boot auto defaults,ro 0 0"
+fi
+if [ ! -z "$CONFIG_USB_BOOT_DEV" ]; then
+	echo >> /etc/fstab "$CONFIG_USB_BOOT_DEV /media auto defaults,ro 0 0"
+fi
+
 if [ ! -x "$CONFIG_BOOTSCRIPT" -a ! -x "$CONFIG_BOOTSCRIPT_NETWORK" ]; then
 	recovery 'Boot script missing?  Entering recovery shell'
 else