From 279d38488527d60608779470fbb6f3c11b00a4f7 Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Tue, 25 Oct 2016 14:42:36 -0400 Subject: [PATCH 01/16] check signatures on kernel, initramfs and xen (issue #43) --- initrd/start-xen | 32 +++++++++++++++++++++++++++----- 1 file changed, 27 insertions(+), 5 deletions(-) diff --git a/initrd/start-xen b/initrd/start-xen index db49603a7..803813522 100755 --- a/initrd/start-xen +++ b/initrd/start-xen @@ -1,9 +1,31 @@ #!/bin/sh -mount -o ro -t ext4 /dev/sda1 /boot +mount -o ro -t ext4 /dev/sda2 /boot -exec kexec \ +die() { echo >&2 "$*"; exit 1; } + +XEN=/boot/xen-4.6.3.gz +INITRD=/boot/initramfs-4.4.12-9.pvops.qubes.x86_64.img +KERNEL=/boot/vmlinuz-4.4.12-9.pvops.qubes.x86_64 + +echo "+++ Checking $XEN" +gpgv "${XEN}.asc" "${XEN}" || die "Xen signature failed" +echo "+++ Checking $INITRD" + +gpgv "${INITRD}.asc" "${INITRD}" || die "Initrd signature failed" + +echo "+++ Checking $KERNEL" +gpgv "${KERNEL}.asc" "${KERNEL}" || die "Kernel signature failed" + + +# should also check xen command line arguments! +# should also check kernel command line arguments! + +kexec \ -l \ - --module "/boot/vmlinuz-4.1.13-9.pvops.qubes.x86_64 placeholder root=/dev/mapper/qubes_dom0-root ro i915.preliminary_hw_support=1 rd.lvm.lv=qubes_dom0/root rd.luks.uuid=luks-0f662ac6-2939-48fe-bc95-f5a7e3d6fefb vconsole.font=latarcyrheb-sun16 rd.lvm.lv=qubes_dom0/swap rhgb" \ - --module "/boot/initramfs-4.1.13-9.pvops.qubes.x86_64.img" \ + --module "${KERNEL} placeholder root=/dev/mapper/luks-886ba0fa-8a51-4780-91bf-06c5944baab4 ro rd.luks.uuid=luks-886ba0fa-8a51-4780-91bf-06c5944baab4 rd.lvm.lv=qubes_dom0/00 rd.luks.uuid=luks-28948c05-c995-466c-91a2-bd517a7dd50f rd.lvm.lv=qubes_dom0/02 i915.preliminary_hw_support=1 rhgb" \ + --module "${INITRD}" \ --command-line "no-real-mode reboot=no console=vga dom0_mem=min:1024M dom0_mem=max:4096M" \ - /boot/xen-4.6.3.gz + "${XEN}" + + +echo "Ready to start Xen: run 'kexec -e' to execute it" 
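Review bot: The three `gpgv` checks read the files from /boot and `kexec -l` then opens the same paths again, so what is verified and what is loaded come from two separate reads of the disk; if the device contents can differ between those reads, the signature check does not cover the image that is actually loaded. Copying the three files and their `.asc` signatures into a tmpfs directory first, then verifying and loading from that copy, closes the gap. The result of `kexec -l` is also unchecked, so "Ready to start Xen" is printed even when the load failed; ending the command with `"${XEN}" || die "kexec load failed"` fixes that.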
From 16bad1abd4e9f3fb5f39e3ca1e781d6ecee0836e Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Wed, 26 Oct 2016 15:10:53 -0400 Subject: [PATCH 02/16] enable aes-xts in Heads kernel (issue #44) --- config/linux.config | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/config/linux.config b/config/linux.config index c3dfc273e..a56878407 100644 --- a/config/linux.config +++ b/config/linux.config @@ -2023,17 +2023,17 @@ CONFIG_CRYPTO_RSA=m CONFIG_CRYPTO_MANAGER=y CONFIG_CRYPTO_MANAGER2=y CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y -CONFIG_CRYPTO_GF128MUL=m +CONFIG_CRYPTO_GF128MUL=y CONFIG_CRYPTO_NULL=m CONFIG_CRYPTO_NULL2=y # CONFIG_CRYPTO_PCRYPT is not set CONFIG_CRYPTO_WORKQUEUE=y -CONFIG_CRYPTO_CRYPTD=m +CONFIG_CRYPTO_CRYPTD=y CONFIG_CRYPTO_MCRYPTD=m CONFIG_CRYPTO_AUTHENC=m # CONFIG_CRYPTO_TEST is not set -CONFIG_CRYPTO_ABLK_HELPER=m -CONFIG_CRYPTO_GLUE_HELPER_X86=m +CONFIG_CRYPTO_ABLK_HELPER=y +CONFIG_CRYPTO_GLUE_HELPER_X86=y # # Authenticated Encryption with Associated Data @@ -2051,9 +2051,9 @@ CONFIG_CRYPTO_CBC=y CONFIG_CRYPTO_CTR=m CONFIG_CRYPTO_CTS=m CONFIG_CRYPTO_ECB=y -CONFIG_CRYPTO_LRW=m +CONFIG_CRYPTO_LRW=y CONFIG_CRYPTO_PCBC=m -CONFIG_CRYPTO_XTS=m +CONFIG_CRYPTO_XTS=y CONFIG_CRYPTO_KEYWRAP=m # @@ -2098,8 +2098,8 @@ CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m # Ciphers # CONFIG_CRYPTO_AES=y -CONFIG_CRYPTO_AES_X86_64=m -CONFIG_CRYPTO_AES_NI_INTEL=m +CONFIG_CRYPTO_AES_X86_64=y +CONFIG_CRYPTO_AES_NI_INTEL=y CONFIG_CRYPTO_ANUBIS=m CONFIG_CRYPTO_ARC4=m CONFIG_CRYPTO_BLOWFISH=m From 9311428082b68140d2e3de38ca002ed0675721e4 Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Wed, 26 Oct 2016 15:11:12 -0400 Subject: [PATCH 03/16] add /sbin paths --- initrd/init | 1 + 1 file changed, 1 insertion(+) diff --git a/initrd/init b/initrd/init index b7154e9b5..08af1b938 100755 --- a/initrd/init +++ b/initrd/init @@ -35,4 +35,5 @@ echo # Start an interactive shell +export PATH=/sbin:/usr/sbin:/bin:/usr/bin exec /bin/ash 
From f65fe75823f046e1813e129009f0619f074b4edc Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Fri, 28 Oct 2016 04:57:11 -0400 Subject: [PATCH 04/16] simplify startup arguments for qubes r3.2 --- initrd/start-xen | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/initrd/start-xen b/initrd/start-xen index 803813522..7c4623eb7 100755 --- a/initrd/start-xen +++ b/initrd/start-xen @@ -1,11 +1,11 @@ #!/bin/sh -mount -o ro -t ext4 /dev/sda2 /boot +mount -o ro -t ext4 /dev/sda1 /boot die() { echo >&2 "$*"; exit 1; } XEN=/boot/xen-4.6.3.gz -INITRD=/boot/initramfs-4.4.12-9.pvops.qubes.x86_64.img -KERNEL=/boot/vmlinuz-4.4.12-9.pvops.qubes.x86_64 +INITRD=/boot/initramfs-4.4.14-11.pvops.qubes.x86_64.img +KERNEL=/boot/vmlinuz-4.4.14-11.pvops.qubes.x86_64 echo "+++ Checking $XEN" gpgv "${XEN}.asc" "${XEN}" || die "Xen signature failed" @@ -22,7 +22,7 @@ gpgv "${KERNEL}.asc" "${KERNEL}" || die "Kernel signature failed" kexec \ -l \ - --module "${KERNEL} placeholder root=/dev/mapper/luks-886ba0fa-8a51-4780-91bf-06c5944baab4 ro rd.luks.uuid=luks-886ba0fa-8a51-4780-91bf-06c5944baab4 rd.lvm.lv=qubes_dom0/00 rd.luks.uuid=luks-28948c05-c995-466c-91a2-bd517a7dd50f rd.lvm.lv=qubes_dom0/02 i915.preliminary_hw_support=1 rhgb" \ + --module "${KERNEL} root=LABEL=root rhgb" \ --module "${INITRD}" \ --command-line "no-real-mode reboot=no console=vga dom0_mem=min:1024M dom0_mem=max:4096M" \ "${XEN}" From 5a5e7047c70191d5c5c24ab96a21f43734b5b668 Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Fri, 28 Oct 2016 04:58:39 -0400 Subject: [PATCH 05/16] fix default location for trusted keys --- initrd/.gnupg/trustedkeys.gpg | Bin 0 -> 17559 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 initrd/.gnupg/trustedkeys.gpg 
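Review bot: `root=LABEL=root` in the new `--module` line selects the root filesystem by label, and a label is not tied to one disk: any block device visible at boot that carries the label `root` could be chosen, whereas the removed line pinned the device through `rd.luks.uuid=` and a `/dev/mapper/luks-…` path. A UUID-based selector such as `root=UUID=<root-fs-uuid>` (placeholder value), or keeping the `rd.luks.uuid=` argument, keeps the boot target unambiguous. This string is also one of the command lines the script's own comment says is not yet checked, so it is worth keeping it as specific as possible.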
diff --git a/initrd/.gnupg/trustedkeys.gpg b/initrd/.gnupg/trustedkeys.gpg new file mode 100644 index 0000000000000000000000000000000000000000..3381d1de094d1747e193cd7dbd19ed2767761bfc GIT binary patch literal 17559 zcmb8WQyS!SYn{iZor2 zUE;V{HA`EM&PowQ`C>fUP_SD=5$IOZh%YYFCMuVw+-yT_rSy1v08lhTa@W>5t?732 zs$49{L?pap^>=m8+zKL~oW0n6=uWT{vq*?IIHw8%=lZ&dWkz5doZP@x3Q(&zu+fXW zK0hiN#ov4r07r@7uS!W#N#5Tv$xZ?wi0|2_e%5(}Alq?%8+5oekxKWz$2_C{5fAZl zdV^L(>1wSz&R6|;Nusg`6ikYxI?G5XB)=9^NNfNmLV?3eE>s_I_;B^^aLsdpl0uhJ zEVF1gR=AXJ{5~~f-MOuPLvbej%Akm=W(|u|K34>c^w%}@{=kv4YpNWT7O=ZWeT11F z0=UG<$h(kWNPMyVurRHB8ffU`YI)9}0ReV@-%cJc`)-GTYMX9Srhmv+GpqBxC`5bf1Yrf0sDX!uGk!!IT>Qq z8>=@JHF*ZfV8wL3e}~4SWDD}MY9(Q@lD{zC}5a(=@1`%i^MOS<}~AvdhigsU26q}yOq z@48Bc>lOeaAOK)9p^B5Ct*xnz4S|HKiL<>O0guJMeFa>cY;Ec6OkMaQf%rg>0f7K0 zfUtqVpdlf^fq}qKA%GyEph3`pfB}K<0D;g0K!Mbd(o#Voq0MsZ0iYleTD8AbU~j|v z1v38tqd`5@B^y9q=nn;)l97k&sZ8yIxVJf-!)p= z&KQZM8z1-SUN=e#=Y!H3Hfj~pvzY|86L4MBOJ8JPIMuu9cPAmf(dBH*69Sf%MHT%Rk0{F6xa7$F0K zj0gk(0}7;KKHLl%3?7Cb@V7>y)6K>~9^#sVQ2_G8z_Uc3f3bORKsvRPRBf7!LO>A% z2DvJap`ZqcLeVoPb(0?B1d#KLU6^6H!lmhMC)PW;^3<*nB!=i%;<5(FUmEx zCFb*?)dsmA)K>VzDkINBXrd7NjJ_=+`GQ=y zG(nAWGjwcn`=0RQUjFizC66<*?iOQf%5_Y0Wf~6#kd)c9ycoYR)7&?S{yj)g{}%Iv zN3VYdiFJ*vrxx;oLaq`5pgE31o!qCPYb%YTPS;Rxsbu)Gz@|qG%3)rwrZv=tiXOZc zX8^JpEo(#@M?_*44ux`wI4z@+@aqsnxB9+zGbSTj!`tgAJLOgtUMx-q@{%$K23)ho z^lBl-Z9HXvG3XqS5Cs_|7clE3!m4w;VuRlIX)@DpoI6^T)g{o8sb0(&OV2rVyD-!Kn} z$p7S&QdRl?Ertqk04#SGgv(+e6$d8f^3l=wJibv=eC5F`ih;jwT#+6_V7Umr#mk>py|iUYdX9w}Y9#h(Q(>TE%GXfw-GmR53l8iPOX zfn4N)SwYfC&KnbZpHVoz5eKQiA9kb9qiP?z_TktH>8=$1mIopr)W6GP+v9I}z`{@W zFPky5G9kf#QwboQjD`?Ps|m9!Mh-P(N_U%E+lT) zT&x;}mYeA!jp8XE`w6)0n;6__0}w;pK?b3Of;r%^9KXoxwz-P50%R0J>#G_B_lv{= zc?=ck09UBtx5b&*7X1XR)yD5JGwu9<8r1h817q5Y~ zd)nvYtdKn0MbCUg7SL^w=V^{qVc3pDm-Mng!bTk6StP{vob}_YNdymK*Tx-5JJfYv zq#nrKP9p_OJzyXc!A90ic|=*a&X)>7n|lQM+$a9&FtHq=&qI1r=$xgs#FVId>Gcqc zcBHDVtd!SZ>!*}HkF`(!4#k#uO&?|FY8c^ob!LR&EqM#{=C3fP6IOZHr6lH%!Rspk9 zIb(N{`b9T*#fv%ufKx?fku_mc|q0VR@myf3m)nCEG+$Y_dV7!5`Mr6 
zqHilyNj6XHs`l3WeO^f2KO%d&Illw!lp|I+;&+PqYrDQb2OBE1>n`g!KAhW}n}uIB zJSVa3ivSs0g41Nt hn_-^u3Cxe5s{}kfYh4w(31wVT=@TU&41Yx4Z+yIyfY{yq#0nq|I<2Nl^ygrqI67Op9!R?Y9AR|1iBD|G0Ah*d#$0-?kjiOk}PcH@p?jX${CJP zH5L0^mo?Y#!~2NKwowDA?FmgNqYf_x)ihXtjjK66;v^ioQu4sOr@qCO!_Bab$Hb3! zv`cZFSztzXh|v-tY%X;QvgxbMIM*&*0Enc%Dn8hjai80;jC>J8p2>^+Rh^3CFlh32 zmpRV4pVzv0Di;SQd5zxk`=COqHixT$lLvqLn+jpBsv>0lV5{SNVvASsj$c6mHKy?% z<76@z!(WuYOPH-zZ*CG%!*0#=ybfGoz!jQ7VK>AZ1D27}rr|_P6bGKz8EOJFNhLW0 z+UFOQH^wMr8>6M2T(8*MS7$9rYT9G3hXUx+0!WryFdxI5dWg}tu0`q?U0zBkif7A| zan2X4z-iW~u%9hV-mEk-M;Oakut`lO7chq?)wh!%C zdVvveA8i_aQoXgKB*`hyY)oY_YTA$UK^7D01oFbPuLMysm6XZXHTi#&nX|jG1D&zG z?f-(z(*HY|p}N6;Gv>N|_y#7-TFBHHM06<+DwSi*xk1z8Xy!bx7HlXGM>O~9bCLk` zSobVA!Sbyk+P6}-EODSUx5^x~&2rE9)X)G|0;R^@hra|kx(9E5c6GyKoY!T;d=1xm z4fIJ(@~d2kaNb71^u3&5no2eVf1`|yUwt!wrhONIH$tOfzI3C5ai{>~JR(B^B!F8k zla6Cd2qa!5A>Km%(gwbY2He6%ZVzaQ3hBd_FJK1fP zgf(wlWcvF5u}un#p^Zme#+WjD+Fwltt08X0a8cRbY`IMgsbu!FG2f)p(}})sdb$?G z2gqVmtKvr`1!9a!Zr2?)$JWOh+(Dx6hGPvyH=a1CJ1;>5fvPx9?X`N<%C-;iMaueP ze$hV^H#?nLuoR{xGDaETou+o;iTq`XE($;kfF|9ixCBld2xo?tTCDhjyv;x3QAGTf zx2(K)q|V0J#kv|im+*inan-!lI&-5`OFgU3V$2QSf~688g&rl95}3C}SDl+^1-T-s z&9l$1_+QAZ`=6BX4>FUF0LZ1Ej7Wgk1ySWsL<+d!=pNJY-l7G_FLY>BgUNMY)-vW5 z4efiqawNqvB1i>toKNm zTlLA=obUNmsr+31hep=2S2V?1^f$6pwb0YtyALQ6CV=XEdQAOvw#jnx$WfJR+oxNW zDR)r}FZ&>=$+)K`jz6ClOx6477W`So;Hvh~P~W%d z{IW9*0R~qT1)iF6yS>qlteYQBUdN1ACTVlXb#+>AcEqlL>+S6Vk7wu{OWIFzs2p%AkV##eNdiMdEH}D zpy;gmV0A$z^b5e~RQZn^>yTt+(AeEZyv`;5}h!=)s4{N*S=mWe|}(&uK` zgt`f1F!swfiaeehYEccsIOVYg+b^otmi2Bl|ANfms}TTdpX!shrT1pbIwxc49%i?? 
zUKTiYjr_F3clmyLURub;fIs#8w_kMxR=)wQxlOoXyo*8;P0z9V^czi)htnqr84@I+ zrNq1P&*kUDW$pWYa#{`{<0@e`d#-Tu_rR<#ns7$Lb}#pL$F*$UCL}*2NaL86rZ52` z8e5GWJfFr;eGfzB;dME{@4rxavT65%iB8PW zSL!#rxT;JRW&Jf4WkbF@#3z+|ry;C^6#47Uo=}155O>aW!w@+QtvWmpU zN)=PAjUwQLur#p|tOi+o@ctj*Rhzhl| zY!p!a$vQf+L$+_B;*e^tU(;9c`j&FHdBZa0ff&_NzoP=T`|WU zZqj*qzmO*Wgx}x{oZ-TsD~%cQg0rZtTQ6P3ax1!eSKRYk z1vf2c#%boohs*T&Y@ZC5Tx^x(cQQ0ZAV=%1-1xKvkatK}mb*p_`PL30aT(ImgENbT zUgiA*+OJa6eZ~Ied6FC=)e%}j<9-A;rMsE~}uz98v)C1~g1zUbnecv@Y&!ebjd4f{C?)k?}d|zsMbKN22-0 zw7RB@eiSuf=<+QCVCNe=1%b=FVNPZlUH#0`W73<`p-&+R1_vB4f|QZf8nY|w=E@-C zE5>3e0}34D1lS}P>tZ?Z96t+TAgtp)z_23wU&*ZHKa<(=CH#*Dd1&k7ZF&6M+P3oj z)tfZWD=;i*=r70#0QhKx+GRAC++v5}>MiSD`_nyI&v8z37g8Zy-+f~jw50+jtsOpw zqDACOW=PSFkI;3|M8NV~YIs(e9H}{;Vf=n2xDd6)LOVP3cK-Z;CZB!w0{$}BZZ{A` zuHRZ^?XCfB{QXA@Q~~2=1&<&p?=av)3?(I_R))q33HmcT3oM!Yl;E#@;4?GQNrgj; zRAp{FCNG@9{qtZ4fZ+3mqY@-4H(WWd+63mLVg3jho2AAfioi*60rKWa#D&Jz7+OB& z?GL;0Lf1;t=-^usuo^+)1Dk2Lxx&ycOoVF_4|+3E`Vg2?8J|WUBc1{i@E$uXbAU|8 zk;I!LJe27ncurbE>8B%qewF9WcqEeFS8cc|aXLC-mYXrCen7`RgH*!D^cq~ z3J3K-IQpWs{47x&aKOH_umhu=>Zy#H`Zu}YcawW4j9RR>^sW2RF`9vUy?cG;qa1cT zQVhc+-fq;kKUOxdsm(w`3cb`qpoE<~YruA!dhz{Yb8G6_^+8tSfJ16`y<^pDI6JI_ zQUA6P#`3+dj4CTTfP=b%g)6)|9jgE9Wg9$lj&|5b7#c2Ktnp{~$ZXBTUKC1!~@%XaH z`FPd8g8k+RY<&r$Zn%eV6Ta)0>`lG7_qpx8hBcbJfqvSJ`M`<7D2=*C$nO3-iJNR? zE;pT}a;UdV5_bsi$B7SD7W3t#n5cZ&-63^Q%|%vOAWQ||#>aIgXIK#TTk(6_a%^$c zO?~%=r)p|6*wxCn#4@PGvWr5K1PnF|bz*~tocQCJR* zBQmJIG_%NHse1^hQ#b;Nti2$x@QTcY$9aMrnq;qTZ##Jo`_fX2B^>v=U@3yLvu=cd zZRa;dczr{=s@D9Qe-GSPi-?iy8%*yb; z-t2#=(lQkm8k>JEBZ0tle@u=HZJ&0RD`oeo=5kOM?fqQv`I@s^Wk)lmEYZX7b7QNfQV0{h_4|#!?*C@KAv(MDO zn;`{)TQ4s&ye+sIQ>~LsXcO4CezjNQiSaqq`*RCil5qB8J({FBMX+e zkLa5i)$9G07<1SR^t_b}9&LEM1UFw=tV!TN{v-OJ@q$WvzsbXscHwzYbfOur7nGa+ za8xcmtfv_9eZk889I?gKb)X2WmO-NXF^&*nh|e%BnR+d{kM0zcj(bZ(-8kW643u%dgkv$9VQ# zz_R@_-`T4s05~ZVIF&*~wbHW37ljzBSwe!V(c8fARTMc^! 
zUF}inaUkGR@Yj-D7X#scx2E6qRSFPi)FbSI8b`-sI-=pr>R|q5f64eWZci7C78%Wz zSs(-*aUMy`P#Yb1#gX#*{{^2h#ln9x(?@_OF_}Jk^m_F`*cID8oU@|gWSQq1Zrt|9 z|HR4!HrE(p?=u6U7e5wBuq+N5>zg%TuVo`uwe%}Fs zJViR1mmhNH4y65g4eCXjFsIVk0e)0C_y8FmW^)SoRF}6kx*M*9s4H!8c`SI&JJ~&l zPkPrLP`V+Ug#AIbck@EGVmt2Q+rqfdwn}Up~*somC8|nWIDUM(WsOA^VNbG6lG})7iWi^{3kCl3iMn$6Tov}#nxPwD3GiHKiA~Ak z&m+Qqq-TyXz+?hOCc31ijq)}B-b>r?4Tp}x(_7F?Ngw`mTz$Bi(!rHWvaP&OuA|%4 zXLdTXXT~h8sR2EZe&eqGzu>cuPWT`32mOvWw@Ea5X%43&S}W+fW z4V}wKzIrsLjFd7jTMpCHE2s+g^b{X@^^>P4HUv7b?AbfUSlR5&5XR{*NsEl= zFP}BCFlAh8NDUGw+*E#UuBQ^ugS(BW+~jC7`<#Siei7?cSt--071piV?sP!5x|1oh zmz&qrpFo<0F#3GzTVyUtz-X(3&IFXiA&C2T-WX?yHePS%tB7dcmaKN8MdI#!VTXf* z^Y}%gfhC5a;cY_n@huQ8FZFTTguOcHH7@xov3ZhRSt%d-o}BE76gK2y8}U4S@Yjjz zqM<`d^DBlIeK59J&gl!F>4|s4u@1O4Ky8U;adQjoc;p zav7dz#?~<=>A$*qqqBVdXFk(OeEQ$st4`&n2|c1S)m9q{IP=4cyWqSf-0La6DR z;N-`smBQ=711W;Q-g~KUd_nq932K82Neit;XHsSw4*W=4)#J~ZJLcDS%oZcT*QJ&B z&sVICL5!Miu8V1JqnU7BK(B@Kcz4g@IxNBvr3syn`lqazw`(ir&cA1K1H^8*pa91a9K|oa z0$D#)%gl@5djNw@p!=+G4f8^sKR9=cZgwr@UW4U%$O5D0;dZd(lN%)^%MnArE=^s? 
zx(_1|x31D+E_~>9E=~vDe-y7l1`Cs(qYlQJ7GC6vCP#hxk3_|7MGZH+S8hsI2Ox%-)bLR( z`74h%mTzf1k}6Zd!d=LwT${1m1~~Mivy5vc*?zh#;L1xbrv*1PaZz4!jglO*n>o;B zw6%-k0tLw9$!(XvBxEXT?7SaXr9#anz4sxMAE%k$bAZHWYmf4_UqBGpBd0<_%n0~z zd8%5dRttr@59c0#B-BN}C>GJ;WAbOWHAqy+joj5ex#MKdan|&$xc8X!I_?EG%_=CHR zA3nh)bwT7w`T;8H;-L~OFR?mDdMCcWHI{T|e8KRBMdf;GmS0bYzY0eP>t$K)l0`YcyZ!Z{6|sD+%+10i#Opsp{bbQAZ*5?V^;qMS5k7ewgq5g~ zH8Y-#o&s88zIZDl$VCv;UmV}(nn6z07kINEL)FrU0ef-^V-DvONJihp3WMc->0JTT z<#!vhaS!tQ^7M%%MN@WbGt%p-h5co{OSE6 zp`8G0#8_L^iF%}06msg&MY~PQkk^(ZwRD)e=}SN?PY_<1aK}_4y@Hz`6C5uz*d^DT zw~(vmyc$D#iUzCX5H~Z(GxtYl3rMk7w4y%MGV{NgQ<*g-9i1B#F3Pg zcuLRQVP;<5_?A2RwUlY8E>xGm-WMH`mA@VfH4l{a&hCKFS@i(x7F5#5E;EJ?%Xk~& z_Nj5(0#PWp&TVD(2Ec$j++U^M2}USWU^y>_o65H&9|5mt z1+by!s6sSap)Ma_3$b(9JRWM!?_%sw*0!iWZUqczBnw37r3|aLZTlS0;B*C3?qUzP zP_TEc#5Y-|W@)!Xf#Fy%-Z`Y>;%uvBgFyaF_(pvO!&IB4$xgiCXuVH<&;!x-!wUo& zSyn6&SSr5-k&B5+yiw!0df2ZHwQA2w<1@5gh%=E2eD%~kf#CknuKtX%DsFGhE#a9Wia!DNMtHhATZ}WbaMt?v^0-JffE_LzfS4?O{Xg zu!ENwhU2$t0Gb6*&Bd6biI$@Hp=_`&Zs*$gqiNnpRD;4WZLeZ$ zmG@}0Ju$|5Kt)_azL>dJ4IRU26Zvzio>eH?*Nw3*hF+{R*PrL__(?=uA8xTt^d;qn zgTdl69b*QnR&2x9o@#l6aTYK*LwO+pcxmZhHSsKo_xU0_c`zpCe@&4esVX@#f5Z#l zNTyhbA!%YtjWB784<|YotyTaB1;08i5gyTw0nhsB1&rK7)@}x|=&&?7!b7w*oZ#G{ z*IbH=)D+w)nF)9!04~jN0jr&E2MxMl4r(9=g9Pbw<*2Ob`&8j-aa*2SLX_6Yn5$*W zjt|PBA&v2NgstF|>-96Te(VVm`&JlQ=?2FdoH>idOP}moby!V_hLf2;ur>Pdhir`y zaeMmS$r_V1mYWNIGIc}UWrsStLD!&b%)J^ETX_)AbC|ALEUYdq+buiiCBi+Xb0i$> zgSTw3XVjL0P@P?j2)i4OXBr#C!+`G5Qx9`zX z4^tpL)Qw;76k`KCRX1wj99rxKkVN)QvZv(K+4^wMtP934cr**XQw<46^C_Xy<>s6B zc_Yzx4;x6lcc4Cv*Et^bG7njzJK=u#7pw<6hX4?kK_m0{GkD`Q2HyG@bQ<~i<$~AZ zLBV$

4Fx@sZblQ-5e{B? zGE*zg2u+D8H|bF}^%aXPQ;BoyI6jj#xr8%2u3v#vaWuQhAR;^d(ujctV_Ic2Qe(Z^ zX6cQcDz*}o+e6B)UAZ!pC;3M`a-V1yfu}k;Rsh=0-d)8RuzUBGm))LibDO8&@O7$m8ORwcK|5Y)_jKNU+=&#L^-7iv^?= zmxe%2l8lj8X+qS@v>;ko!FGghzckOM7yIIpUn=~g??@Bt73&R!Hh4M_4ItpQe?JOw zq~YS~hVPW#?&&ue`zdEiZF&DV4^qCTXY6d5B9P23n9T3&Dey`fBCG3Y`H6jAv;0x> z&y?QJ#J@&aoAz17b?_0wqzSq@KMbwUrW8AE zMtw*EvokiU4@^8;6|pf#R|d5at|yQG6YKrGmG-}5y?6-tZ$jt0MC|AE@Is1VRX;5` zG+egP*Vl3QxApPE(scJrYxgeC-kJu8S*pA)U5;$O6kdmQdn!WhX>cL0s{zOn$7;Q* zBX|WfTJ;_&tBa}0gp8mM3&kPOXz%Dg5ObQuSB^r_VkhS6T=n)v-?R7T_Guz&=j&Z5 zL>f=A`q@AFgQl)Sz0*mhDd*}v<=O!2$1*+9RtdPDZ{eT8R-cl8#W)7advOEax&3gGX$mz5M2QDms`RIb=*|u#yowVJ-flrCgzvGW+Nf zSw^$pmKRA(QpA$a!0Y)XLaCSMnzPa%R1E#Yf}Oz$?5dG86q2Hn8rTccnn9~b#>c%pA3c;Jt04F>)GG!X?z2XErAD24j6#s~HU+;5@zYX= z#kGz+1To0V<3Xh{eg$NSCrp#zQ|gS`&juN90RTP&s2#8<+ukj8D~F@e9P%qC@+~9A zx-1W)Ud^|9*uy?s>LZe$DQxF@rn`q75&}}?CMipvq1I^gnrd#NjWmNgbI%eLm9a!c zGf0OOD#ND0e4zv&LK(3{jX_fv)VH`QA_{c0)aRr%;J9AAXo|&UbB`^oFb~@+CF2H+ zk!T_7=Y)+dF7;0r+Fn!nBx`hp(pJX6j%H#^eRTYDpYiwjr|}||HA$A>PrtS@|HXOR zbKZ_*N}5n>=`JcWA!#IuD6H(W?iHAx`oSXPWU=cdH$!X{<&#Tm}4{sxus0(K!{#`C)2L{ z%Sh ztsF7c??s5Erf@DV!b_QKWY?<1aiW=7pmu-RTGIjVOm0v5yN}mwXQhgPsU17y_H-pO z(Q*FO*H<9hAKcAs?8P{4#fLxfz=6d!dQotu-NONk)hWOP(?y~wLdaJZ<<{YZBJ5Mp zBK}>JHitH|uk8CBW%H=Xtz*xCJiGxIYL`g-oa;@F(E*bo{$!uSD`MUsY3~LXH~Nmc zJ0h_HBsm!(=ZfTvziHi5Is}t-w zJ)_~rNe_Rz1H+{E>KKsBRz<4g;lvYIzM6CGF(u94J+zM`(Re^m+`t+Ev5FL^jf_I{jaR~@QI+qP$ zEf;S^8)Sogj>lVQD0M$d6dl3lk8J4x1AfnEiK}>HUm9g{@E?SP6_@3aORd)>i;-h_ zaN>%pD2(!)D)NE>gfNg+Q)q+F^3M^-Z6J|$Cdh66s=z9x_ds0JPh3l>Am-b(-;Y2s zckUIhp>JFgkUTpK$R?k+#A6Zj%LVIqkHZ;s6zu#1L(%Vd1|E9Ox*)&H)E^Xi;%+z= zm%0wEvDBE9pap+{G^#6y)x>v&%f#ZuK6P=*l3IcqNa>`~RagU};qmLyYeRz~TIJ7K zJ{r2U&VE#{TQ{tj=z7&VIGH6T&!`WHbjHQb_qa!Q_0HVaZY{qSjz=ReeNMhl+`eZW zb^yYHsF-cM{k8sewB#oZFaF&VjdJXKGO_bWP%cwOA}+ZT-M#dC4V%Fp54|;cuQstR zD@}iSz2{@wDHC^!kyL_ZYo@d!W6Bo~T4|Wy@0#DD@<63U$@^1Bk{KbENS%4rA znrC*LYR-jIwiL!N?%n_!vACe!jH7rjVEVjw-5UClQq0`CPJV*WBEl>bOek5qeVo0C zDC^i~%)KJ`-}44o|MPcB!KVZ$ 
z{l4n8fGY$4(QCy)nLQ$GF)hXRr7E=HRLbt>WZ_HGiAhZz=I&(Mf(d^!;)cjkJAIH? zz%OXDiJfUQNED=xF6ZHD-4Ej`*UN^z|2>t+2biBSNkw|5PH~U5CRy1~-2U0JbbyM% zaNVQaS@Y|+DbaGe0cq9^R?zKvy!=nu^MzgP+aE$Z;L?YM28EoM0%bRq-T4oa;s78J zQ8kbPHeG~n4ERtORO>(G=RFFen}!~NCuX>bxVXE&lpUV(Kd%jUxj+SH?TJ5n9R%nM z;Jn|+{&YWi6~%H8eTbd?p7t6Lx~yBa3DaFhnu)&Dg+y&g#G6ZsEwjiha?=e8yuRka z`f0uyNj53@YwM@#h_MhIAfl9_lDAi!qY|pd zqh^NG7PIg#&FDQ8wHLv~!lyus?ZQmHPpuMV(neI`6~z2@q?%4&pPTj#uJ z#R@4rnKKUO41I3Twe&3PF7~Z4T91{#4-(Y0m?lksIZGR(hv1M$i^rq^9&kiPF%o_y zD!-c;=b~Z4KCB>mLGPG!tgwYFSn%H)S;`NlVzvuN+dj2Pt)$6HmM7P8CF=NMwrz(O zIUqeLd@4(@fK`h{ezSUlQ8oh!2Y9Do$rHYPzLfFnK$shRSBh}zY_w0K&GqVjE0bfP zad>iHT3T@-#;-#2g-8>R7(i;9!_&(S7fg3dAv(Rd&tTmV2_GR(*1Zl--P<-zX*Dc@ z=~bzHAu1;(xgoBJ`+D+15wEACH>#w3g=;HCJoUcmlan{Zfp4(!4#ABYZpEv~wUAuE z%ko0hh+U=w_oiEhf><4Pl2cUSE&o6*o14GeF@xIqmcCoco9VFECg#{M!O*}0EsS0G zPx(0ew}6z?I63oW!hsx+p>HfV33#b4MfHn62Fj+sTt%JniH$x^<9uA13XwN(tz1}Y zixdC*wXzBQ*R_(*pbBk6y?~>;D}_SkTx+F&wReCyR6}zprBse+07skKH0BqSfMs#Y z#f6Nx!#uI*mP~afZ^^qR22dMi?C&gpd$lZ)YB;%Ra6lzT%HLcDJzhO)VXpv`c#1Xf zY4h#^6IvjE`YEu0Zg8|zb4cd?wT_2v1l$X4hyIDn} zp=bk}KIZ)YUyfDGHlhEm9RGc-{O58krw9Mz8TjBZW}Im6*;H6RW?rIfcb#=3zVu~4 zW*uqx2h^Y7PZ~yI6|J{j5ilZVt? zG7f=#YFG3Gmr+&-d2*4hP|xUDW1E}^_#)M?AggB@8taFE$UW?odb)|c^S?S^$$(xpWTAB zWJI=My`+Y){rv@z<;e0VsO0QX<0^>n4_5-J7q>=*wgmT0xZBEM;(1qCgHU2nbfG#g zgypvz{`z-{ws^B3YlmELtd_cEyykMAy?KGpyb9NDidg?wkq`MwY3?+1$<0dWyf7UV zzuI+=K)f`0J}EA4ECf!~dP**P94*2>SVoDUrvYidTmgNaRRTLE@4gc3du@_8h_xvO ZqogWD_T Date: Fri, 28 Oct 2016 04:58:57 -0400 Subject: [PATCH 06/16] fix default location for trusted keys --- initrd/trustedkeys.gpg | Bin 17559 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 initrd/trustedkeys.gpg 
diff --git a/initrd/trustedkeys.gpg b/initrd/trustedkeys.gpg deleted file mode 100644 index 3381d1de094d1747e193cd7dbd19ed2767761bfc..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 17559 zcmb8WQyS!SYn{iZor2 zUE;V{HA`EM&PowQ`C>fUP_SD=5$IOZh%YYFCMuVw+-yT_rSy1v08lhTa@W>5t?732 zs$49{L?pap^>=m8+zKL~oW0n6=uWT{vq*?IIHw8%=lZ&dWkz5doZP@x3Q(&zu+fXW zK0hiN#ov4r07r@7uS!W#N#5Tv$xZ?wi0|2_e%5(}Alq?%8+5oekxKWz$2_C{5fAZl zdV^L(>1wSz&R6|;Nusg`6ikYxI?G5XB)=9^NNfNmLV?3eE>s_I_;B^^aLsdpl0uhJ zEVF1gR=AXJ{5~~f-MOuPLvbej%Akm=W(|u|K34>c^w%}@{=kv4YpNWT7O=ZWeT11F z0=UG<$h(kWNPMyVurRHB8ffU`YI)9}0ReV@-%cJc`)-GTYMX9Srhmv+GpqBxC`5bf1Yrf0sDX!uGk!!IT>Qq z8>=@JHF*ZfV8wL3e}~4SWDD}MY9(Q@lD{zC}5a(=@1`%i^MOS<}~AvdhigsU26q}yOq z@48Bc>lOeaAOK)9p^B5Ct*xnz4S|HKiL<>O0guJMeFa>cY;Ec6OkMaQf%rg>0f7K0 zfUtqVpdlf^fq}qKA%GyEph3`pfB}K<0D;g0K!Mbd(o#Voq0MsZ0iYleTD8AbU~j|v z1v38tqd`5@B^y9q=nn;)l97k&sZ8yIxVJf-!)p= z&KQZM8z1-SUN=e#=Y!H3Hfj~pvzY|86L4MBOJ8JPIMuu9cPAmf(dBH*69Sf%MHT%Rk0{F6xa7$F0K zj0gk(0}7;KKHLl%3?7Cb@V7>y)6K>~9^#sVQ2_G8z_Uc3f3bORKsvRPRBf7!LO>A% z2DvJap`ZqcLeVoPb(0?B1d#KLU6^6H!lmhMC)PW;^3<*nB!=i%;<5(FUmEx zCFb*?)dsmA)K>VzDkINBXrd7NjJ_=+`GQ=y zG(nAWGjwcn`=0RQUjFizC66<*?iOQf%5_Y0Wf~6#kd)c9ycoYR)7&?S{yj)g{}%Iv zN3VYdiFJ*vrxx;oLaq`5pgE31o!qCPYb%YTPS;Rxsbu)Gz@|qG%3)rwrZv=tiXOZc zX8^JpEo(#@M?_*44ux`wI4z@+@aqsnxB9+zGbSTj!`tgAJLOgtUMx-q@{%$K23)ho z^lBl-Z9HXvG3XqS5Cs_|7clE3!m4w;VuRlIX)@DpoI6^T)g{o8sb0(&OV2rVyD-!Kn} z$p7S&QdRl?Ertqk04#SGgv(+e6$d8f^3l=wJibv=eC5F`ih;jwT#+6_V7Umr#mk>py|iUYdX9w}Y9#h(Q(>TE%GXfw-GmR53l8iPOX zfn4N)SwYfC&KnbZpHVoz5eKQiA9kb9qiP?z_TktH>8=$1mIopr)W6GP+v9I}z`{@W zFPky5G9kf#QwboQjD`?Ps|m9!Mh-P(N_U%E+lT) zT&x;}mYeA!jp8XE`w6)0n;6__0}w;pK?b3Of;r%^9KXoxwz-P50%R0J>#G_B_lv{= zc?=ck09UBtx5b&*7X1XR)yD5JGwu9<8r1h817q5Y~ zd)nvYtdKn0MbCUg7SL^w=V^{qVc3pDm-Mng!bTk6StP{vob}_YNdymK*Tx-5JJfYv zq#nrKP9p_OJzyXc!A90ic|=*a&X)>7n|lQM+$a9&FtHq=&qI1r=$xgs#FVId>Gcqc zcBHDVtd!SZ>!*}HkF`(!4#k#uO&?|FY8c^ob!LR&EqM#{=C3fP6IOZHr6lH%!Rspk9 
zIb(N{`b9T*#fv%ufKx?fku_mc|q0VR@myf3m)nCEG+$Y_dV7!5`Mr6 zqHilyNj6XHs`l3WeO^f2KO%d&Illw!lp|I+;&+PqYrDQb2OBE1>n`g!KAhW}n}uIB zJSVa3ivSs0g41Nt hn_-^u3Cxe5s{}kfYh4w(31wVT=@TU&41Yx4Z+yIyfY{yq#0nq|I<2Nl^ygrqI67Op9!R?Y9AR|1iBD|G0Ah*d#$0-?kjiOk}PcH@p?jX${CJP zH5L0^mo?Y#!~2NKwowDA?FmgNqYf_x)ihXtjjK66;v^ioQu4sOr@qCO!_Bab$Hb3! zv`cZFSztzXh|v-tY%X;QvgxbMIM*&*0Enc%Dn8hjai80;jC>J8p2>^+Rh^3CFlh32 zmpRV4pVzv0Di;SQd5zxk`=COqHixT$lLvqLn+jpBsv>0lV5{SNVvASsj$c6mHKy?% z<76@z!(WuYOPH-zZ*CG%!*0#=ybfGoz!jQ7VK>AZ1D27}rr|_P6bGKz8EOJFNhLW0 z+UFOQH^wMr8>6M2T(8*MS7$9rYT9G3hXUx+0!WryFdxI5dWg}tu0`q?U0zBkif7A| zan2X4z-iW~u%9hV-mEk-M;Oakut`lO7chq?)wh!%C zdVvveA8i_aQoXgKB*`hyY)oY_YTA$UK^7D01oFbPuLMysm6XZXHTi#&nX|jG1D&zG z?f-(z(*HY|p}N6;Gv>N|_y#7-TFBHHM06<+DwSi*xk1z8Xy!bx7HlXGM>O~9bCLk` zSobVA!Sbyk+P6}-EODSUx5^x~&2rE9)X)G|0;R^@hra|kx(9E5c6GyKoY!T;d=1xm z4fIJ(@~d2kaNb71^u3&5no2eVf1`|yUwt!wrhONIH$tOfzI3C5ai{>~JR(B^B!F8k zla6Cd2qa!5A>Km%(gwbY2He6%ZVzaQ3hBd_FJK1fP zgf(wlWcvF5u}un#p^Zme#+WjD+Fwltt08X0a8cRbY`IMgsbu!FG2f)p(}})sdb$?G z2gqVmtKvr`1!9a!Zr2?)$JWOh+(Dx6hGPvyH=a1CJ1;>5fvPx9?X`N<%C-;iMaueP ze$hV^H#?nLuoR{xGDaETou+o;iTq`XE($;kfF|9ixCBld2xo?tTCDhjyv;x3QAGTf zx2(K)q|V0J#kv|im+*inan-!lI&-5`OFgU3V$2QSf~688g&rl95}3C}SDl+^1-T-s z&9l$1_+QAZ`=6BX4>FUF0LZ1Ej7Wgk1ySWsL<+d!=pNJY-l7G_FLY>BgUNMY)-vW5 z4efiqawNqvB1i>toKNm zTlLA=obUNmsr+31hep=2S2V?1^f$6pwb0YtyALQ6CV=XEdQAOvw#jnx$WfJR+oxNW zDR)r}FZ&>=$+)K`jz6ClOx6477W`So;Hvh~P~W%d z{IW9*0R~qT1)iF6yS>qlteYQBUdN1ACTVlXb#+>AcEqlL>+S6Vk7wu{OWIFzs2p%AkV##eNdiMdEH}D zpy;gmV0A$z^b5e~RQZn^>yTt+(AeEZyv`;5}h!=)s4{N*S=mWe|}(&uK` zgt`f1F!swfiaeehYEccsIOVYg+b^otmi2Bl|ANfms}TTdpX!shrT1pbIwxc49%i?? 
zUKTiYjr_F3clmyLURub;fIs#8w_kMxR=)wQxlOoXyo*8;P0z9V^czi)htnqr84@I+ zrNq1P&*kUDW$pWYa#{`{<0@e`d#-Tu_rR<#ns7$Lb}#pL$F*$UCL}*2NaL86rZ52` z8e5GWJfFr;eGfzB;dME{@4rxavT65%iB8PW zSL!#rxT;JRW&Jf4WkbF@#3z+|ry;C^6#47Uo=}155O>aW!w@+QtvWmpU zN)=PAjUwQLur#p|tOi+o@ctj*Rhzhl| zY!p!a$vQf+L$+_B;*e^tU(;9c`j&FHdBZa0ff&_NzoP=T`|WU zZqj*qzmO*Wgx}x{oZ-TsD~%cQg0rZtTQ6P3ax1!eSKRYk z1vf2c#%boohs*T&Y@ZC5Tx^x(cQQ0ZAV=%1-1xKvkatK}mb*p_`PL30aT(ImgENbT zUgiA*+OJa6eZ~Ied6FC=)e%}j<9-A;rMsE~}uz98v)C1~g1zUbnecv@Y&!ebjd4f{C?)k?}d|zsMbKN22-0 zw7RB@eiSuf=<+QCVCNe=1%b=FVNPZlUH#0`W73<`p-&+R1_vB4f|QZf8nY|w=E@-C zE5>3e0}34D1lS}P>tZ?Z96t+TAgtp)z_23wU&*ZHKa<(=CH#*Dd1&k7ZF&6M+P3oj z)tfZWD=;i*=r70#0QhKx+GRAC++v5}>MiSD`_nyI&v8z37g8Zy-+f~jw50+jtsOpw zqDACOW=PSFkI;3|M8NV~YIs(e9H}{;Vf=n2xDd6)LOVP3cK-Z;CZB!w0{$}BZZ{A` zuHRZ^?XCfB{QXA@Q~~2=1&<&p?=av)3?(I_R))q33HmcT3oM!Yl;E#@;4?GQNrgj; zRAp{FCNG@9{qtZ4fZ+3mqY@-4H(WWd+63mLVg3jho2AAfioi*60rKWa#D&Jz7+OB& z?GL;0Lf1;t=-^usuo^+)1Dk2Lxx&ycOoVF_4|+3E`Vg2?8J|WUBc1{i@E$uXbAU|8 zk;I!LJe27ncurbE>8B%qewF9WcqEeFS8cc|aXLC-mYXrCen7`RgH*!D^cq~ z3J3K-IQpWs{47x&aKOH_umhu=>Zy#H`Zu}YcawW4j9RR>^sW2RF`9vUy?cG;qa1cT zQVhc+-fq;kKUOxdsm(w`3cb`qpoE<~YruA!dhz{Yb8G6_^+8tSfJ16`y<^pDI6JI_ zQUA6P#`3+dj4CTTfP=b%g)6)|9jgE9Wg9$lj&|5b7#c2Ktnp{~$ZXBTUKC1!~@%XaH z`FPd8g8k+RY<&r$Zn%eV6Ta)0>`lG7_qpx8hBcbJfqvSJ`M`<7D2=*C$nO3-iJNR? zE;pT}a;UdV5_bsi$B7SD7W3t#n5cZ&-63^Q%|%vOAWQ||#>aIgXIK#TTk(6_a%^$c zO?~%=r)p|6*wxCn#4@PGvWr5K1PnF|bz*~tocQCJR* zBQmJIG_%NHse1^hQ#b;Nti2$x@QTcY$9aMrnq;qTZ##Jo`_fX2B^>v=U@3yLvu=cd zZRa;dczr{=s@D9Qe-GSPi-?iy8%*yb; z-t2#=(lQkm8k>JEBZ0tle@u=HZJ&0RD`oeo=5kOM?fqQv`I@s^Wk)lmEYZX7b7QNfQV0{h_4|#!?*C@KAv(MDO zn;`{)TQ4s&ye+sIQ>~LsXcO4CezjNQiSaqq`*RCil5qB8J({FBMX+e zkLa5i)$9G07<1SR^t_b}9&LEM1UFw=tV!TN{v-OJ@q$WvzsbXscHwzYbfOur7nGa+ za8xcmtfv_9eZk889I?gKb)X2WmO-NXF^&*nh|e%BnR+d{kM0zcj(bZ(-8kW643u%dgkv$9VQ# zz_R@_-`T4s05~ZVIF&*~wbHW37ljzBSwe!V(c8fARTMc^! 
zUF}inaUkGR@Yj-D7X#scx2E6qRSFPi)FbSI8b`-sI-=pr>R|q5f64eWZci7C78%Wz zSs(-*aUMy`P#Yb1#gX#*{{^2h#ln9x(?@_OF_}Jk^m_F`*cID8oU@|gWSQq1Zrt|9 z|HR4!HrE(p?=u6U7e5wBuq+N5>zg%TuVo`uwe%}Fs zJViR1mmhNH4y65g4eCXjFsIVk0e)0C_y8FmW^)SoRF}6kx*M*9s4H!8c`SI&JJ~&l zPkPrLP`V+Ug#AIbck@EGVmt2Q+rqfdwn}Up~*somC8|nWIDUM(WsOA^VNbG6lG})7iWi^{3kCl3iMn$6Tov}#nxPwD3GiHKiA~Ak z&m+Qqq-TyXz+?hOCc31ijq)}B-b>r?4Tp}x(_7F?Ngw`mTz$Bi(!rHWvaP&OuA|%4 zXLdTXXT~h8sR2EZe&eqGzu>cuPWT`32mOvWw@Ea5X%43&S}W+fW z4V}wKzIrsLjFd7jTMpCHE2s+g^b{X@^^>P4HUv7b?AbfUSlR5&5XR{*NsEl= zFP}BCFlAh8NDUGw+*E#UuBQ^ugS(BW+~jC7`<#Siei7?cSt--071piV?sP!5x|1oh zmz&qrpFo<0F#3GzTVyUtz-X(3&IFXiA&C2T-WX?yHePS%tB7dcmaKN8MdI#!VTXf* z^Y}%gfhC5a;cY_n@huQ8FZFTTguOcHH7@xov3ZhRSt%d-o}BE76gK2y8}U4S@Yjjz zqM<`d^DBlIeK59J&gl!F>4|s4u@1O4Ky8U;adQjoc;p zav7dz#?~<=>A$*qqqBVdXFk(OeEQ$st4`&n2|c1S)m9q{IP=4cyWqSf-0La6DR z;N-`smBQ=711W;Q-g~KUd_nq932K82Neit;XHsSw4*W=4)#J~ZJLcDS%oZcT*QJ&B z&sVICL5!Miu8V1JqnU7BK(B@Kcz4g@IxNBvr3syn`lqazw`(ir&cA1K1H^8*pa91a9K|oa z0$D#)%gl@5djNw@p!=+G4f8^sKR9=cZgwr@UW4U%$O5D0;dZd(lN%)^%MnArE=^s? 
zx(_1|x31D+E_~>9E=~vDe-y7l1`Cs(qYlQJ7GC6vCP#hxk3_|7MGZH+S8hsI2Ox%-)bLR( z`74h%mTzf1k}6Zd!d=LwT${1m1~~Mivy5vc*?zh#;L1xbrv*1PaZz4!jglO*n>o;B zw6%-k0tLw9$!(XvBxEXT?7SaXr9#anz4sxMAE%k$bAZHWYmf4_UqBGpBd0<_%n0~z zd8%5dRttr@59c0#B-BN}C>GJ;WAbOWHAqy+joj5ex#MKdan|&$xc8X!I_?EG%_=CHR zA3nh)bwT7w`T;8H;-L~OFR?mDdMCcWHI{T|e8KRBMdf;GmS0bYzY0eP>t$K)l0`YcyZ!Z{6|sD+%+10i#Opsp{bbQAZ*5?V^;qMS5k7ewgq5g~ zH8Y-#o&s88zIZDl$VCv;UmV}(nn6z07kINEL)FrU0ef-^V-DvONJihp3WMc->0JTT z<#!vhaS!tQ^7M%%MN@WbGt%p-h5co{OSE6 zp`8G0#8_L^iF%}06msg&MY~PQkk^(ZwRD)e=}SN?PY_<1aK}_4y@Hz`6C5uz*d^DT zw~(vmyc$D#iUzCX5H~Z(GxtYl3rMk7w4y%MGV{NgQ<*g-9i1B#F3Pg zcuLRQVP;<5_?A2RwUlY8E>xGm-WMH`mA@VfH4l{a&hCKFS@i(x7F5#5E;EJ?%Xk~& z_Nj5(0#PWp&TVD(2Ec$j++U^M2}USWU^y>_o65H&9|5mt z1+by!s6sSap)Ma_3$b(9JRWM!?_%sw*0!iWZUqczBnw37r3|aLZTlS0;B*C3?qUzP zP_TEc#5Y-|W@)!Xf#Fy%-Z`Y>;%uvBgFyaF_(pvO!&IB4$xgiCXuVH<&;!x-!wUo& zSyn6&SSr5-k&B5+yiw!0df2ZHwQA2w<1@5gh%=E2eD%~kf#CknuKtX%DsFGhE#a9Wia!DNMtHhATZ}WbaMt?v^0-JffE_LzfS4?O{Xg zu!ENwhU2$t0Gb6*&Bd6biI$@Hp=_`&Zs*$gqiNnpRD;4WZLeZ$ zmG@}0Ju$|5Kt)_azL>dJ4IRU26Zvzio>eH?*Nw3*hF+{R*PrL__(?=uA8xTt^d;qn zgTdl69b*QnR&2x9o@#l6aTYK*LwO+pcxmZhHSsKo_xU0_c`zpCe@&4esVX@#f5Z#l zNTyhbA!%YtjWB784<|YotyTaB1;08i5gyTw0nhsB1&rK7)@}x|=&&?7!b7w*oZ#G{ z*IbH=)D+w)nF)9!04~jN0jr&E2MxMl4r(9=g9Pbw<*2Ob`&8j-aa*2SLX_6Yn5$*W zjt|PBA&v2NgstF|>-96Te(VVm`&JlQ=?2FdoH>idOP}moby!V_hLf2;ur>Pdhir`y zaeMmS$r_V1mYWNIGIc}UWrsStLD!&b%)J^ETX_)AbC|ALEUYdq+buiiCBi+Xb0i$> zgSTw3XVjL0P@P?j2)i4OXBr#C!+`G5Qx9`zX z4^tpL)Qw;76k`KCRX1wj99rxKkVN)QvZv(K+4^wMtP934cr**XQw<46^C_Xy<>s6B zc_Yzx4;x6lcc4Cv*Et^bG7njzJK=u#7pw<6hX4?kK_m0{GkD`Q2HyG@bQ<~i<$~AZ zLBV$

4Fx@sZblQ-5e{B? zGE*zg2u+D8H|bF}^%aXPQ;BoyI6jj#xr8%2u3v#vaWuQhAR;^d(ujctV_Ic2Qe(Z^ zX6cQcDz*}o+e6B)UAZ!pC;3M`a-V1yfu}k;Rsh=0-d)8RuzUBGm))LibDO8&@O7$m8ORwcK|5Y)_jKNU+=&#L^-7iv^?= zmxe%2l8lj8X+qS@v>;ko!FGghzckOM7yIIpUn=~g??@Bt73&R!Hh4M_4ItpQe?JOw zq~YS~hVPW#?&&ue`zdEiZF&DV4^qCTXY6d5B9P23n9T3&Dey`fBCG3Y`H6jAv;0x> z&y?QJ#J@&aoAz17b?_0wqzSq@KMbwUrW8AE zMtw*EvokiU4@^8;6|pf#R|d5at|yQG6YKrGmG-}5y?6-tZ$jt0MC|AE@Is1VRX;5` zG+egP*Vl3QxApPE(scJrYxgeC-kJu8S*pA)U5;$O6kdmQdn!WhX>cL0s{zOn$7;Q* zBX|WfTJ;_&tBa}0gp8mM3&kPOXz%Dg5ObQuSB^r_VkhS6T=n)v-?R7T_Guz&=j&Z5 zL>f=A`q@AFgQl)Sz0*mhDd*}v<=O!2$1*+9RtdPDZ{eT8R-cl8#W)7advOEax&3gGX$mz5M2QDms`RIb=*|u#yowVJ-flrCgzvGW+Nf zSw^$pmKRA(QpA$a!0Y)XLaCSMnzPa%R1E#Yf}Oz$?5dG86q2Hn8rTccnn9~b#>c%pA3c;Jt04F>)GG!X?z2XErAD24j6#s~HU+;5@zYX= z#kGz+1To0V<3Xh{eg$NSCrp#zQ|gS`&juN90RTP&s2#8<+ukj8D~F@e9P%qC@+~9A zx-1W)Ud^|9*uy?s>LZe$DQxF@rn`q75&}}?CMipvq1I^gnrd#NjWmNgbI%eLm9a!c zGf0OOD#ND0e4zv&LK(3{jX_fv)VH`QA_{c0)aRr%;J9AAXo|&UbB`^oFb~@+CF2H+ zk!T_7=Y)+dF7;0r+Fn!nBx`hp(pJX6j%H#^eRTYDpYiwjr|}||HA$A>PrtS@|HXOR zbKZ_*N}5n>=`JcWA!#IuD6H(W?iHAx`oSXPWU=cdH$!X{<&#Tm}4{sxus0(K!{#`C)2L{ z%Sh ztsF7c??s5Erf@DV!b_QKWY?<1aiW=7pmu-RTGIjVOm0v5yN}mwXQhgPsU17y_H-pO z(Q*FO*H<9hAKcAs?8P{4#fLxfz=6d!dQotu-NONk)hWOP(?y~wLdaJZ<<{YZBJ5Mp zBK}>JHitH|uk8CBW%H=Xtz*xCJiGxIYL`g-oa;@F(E*bo{$!uSD`MUsY3~LXH~Nmc zJ0h_HBsm!(=ZfTvziHi5Is}t-w zJ)_~rNe_Rz1H+{E>KKsBRz<4g;lvYIzM6CGF(u94J+zM`(Re^m+`t+Ev5FL^jf_I{jaR~@QI+qP$ zEf;S^8)Sogj>lVQD0M$d6dl3lk8J4x1AfnEiK}>HUm9g{@E?SP6_@3aORd)>i;-h_ zaN>%pD2(!)D)NE>gfNg+Q)q+F^3M^-Z6J|$Cdh66s=z9x_ds0JPh3l>Am-b(-;Y2s zckUIhp>JFgkUTpK$R?k+#A6Zj%LVIqkHZ;s6zu#1L(%Vd1|E9Ox*)&H)E^Xi;%+z= zm%0wEvDBE9pap+{G^#6y)x>v&%f#ZuK6P=*l3IcqNa>`~RagU};qmLyYeRz~TIJ7K zJ{r2U&VE#{TQ{tj=z7&VIGH6T&!`WHbjHQb_qa!Q_0HVaZY{qSjz=ReeNMhl+`eZW zb^yYHsF-cM{k8sewB#oZFaF&VjdJXKGO_bWP%cwOA}+ZT-M#dC4V%Fp54|;cuQstR zD@}iSz2{@wDHC^!kyL_ZYo@d!W6Bo~T4|Wy@0#DD@<63U$@^1Bk{KbENS%4rA znrC*LYR-jIwiL!N?%n_!vACe!jH7rjVEVjw-5UClQq0`CPJV*WBEl>bOek5qeVo0C zDC^i~%)KJ`-}44o|MPcB!KVZ$ 
z{l4n8fGY$4(QCy)nLQ$GF)hXRr7E=HRLbt>WZ_HGiAhZz=I&(Mf(d^!;)cjkJAIH? zz%OXDiJfUQNED=xF6ZHD-4Ej`*UN^z|2>t+2biBSNkw|5PH~U5CRy1~-2U0JbbyM% zaNVQaS@Y|+DbaGe0cq9^R?zKvy!=nu^MzgP+aE$Z;L?YM28EoM0%bRq-T4oa;s78J zQ8kbPHeG~n4ERtORO>(G=RFFen}!~NCuX>bxVXE&lpUV(Kd%jUxj+SH?TJ5n9R%nM z;Jn|+{&YWi6~%H8eTbd?p7t6Lx~yBa3DaFhnu)&Dg+y&g#G6ZsEwjiha?=e8yuRka z`f0uyNj53@YwM@#h_MhIAfl9_lDAi!qY|pd zqh^NG7PIg#&FDQ8wHLv~!lyus?ZQmHPpuMV(neI`6~z2@q?%4&pPTj#uJ z#R@4rnKKUO41I3Twe&3PF7~Z4T91{#4-(Y0m?lksIZGR(hv1M$i^rq^9&kiPF%o_y zD!-c;=b~Z4KCB>mLGPG!tgwYFSn%H)S;`NlVzvuN+dj2Pt)$6HmM7P8CF=NMwrz(O zIUqeLd@4(@fK`h{ezSUlQ8oh!2Y9Do$rHYPzLfFnK$shRSBh}zY_w0K&GqVjE0bfP zad>iHT3T@-#;-#2g-8>R7(i;9!_&(S7fg3dAv(Rd&tTmV2_GR(*1Zl--P<-zX*Dc@ z=~bzHAu1;(xgoBJ`+D+15wEACH>#w3g=;HCJoUcmlan{Zfp4(!4#ABYZpEv~wUAuE z%ko0hh+U=w_oiEhf><4Pl2cUSE&o6*o14GeF@xIqmcCoco9VFECg#{M!O*}0EsS0G zPx(0ew}6z?I63oW!hsx+p>HfV33#b4MfHn62Fj+sTt%JniH$x^<9uA13XwN(tz1}Y zixdC*wXzBQ*R_(*pbBk6y?~>;D}_SkTx+F&wReCyR6}zprBse+07skKH0BqSfMs#Y z#f6Nx!#uI*mP~afZ^^qR22dMi?C&gpd$lZ)YB;%Ra6lzT%HLcDJzhO)VXpv`c#1Xf zY4h#^6IvjE`YEu0Zg8|zb4cd?wT_2v1l$X4hyIDn} zp=bk}KIZ)YUyfDGHlhEm9RGc-{O58krw9Mz8TjBZW}Im6*;H6RW?rIfcb#=3zVu~4 zW*uqx2h^Y7PZ~yI6|J{j5ilZVt? zG7f=#YFG3Gmr+&-d2*4hP|xUDW1E}^_#)M?AggB@8taFE$UW?odb)|c^S?S^$$(xpWTAB zWJI=My`+Y){rv@z<;e0VsO0QX<0^>n4_5-J7q>=*wgmT0xZBEM;(1qCgHU2nbfG#g zgypvz{`z-{ws^B3YlmELtd_cEyykMAy?KGpyb9NDidg?wkq`MwY3?+1$<0dWyf7UV zzuI+=K)f`0J}EA4ECf!~dP**P94*2>SVoDUrvYidTmgNaRRTLE@4gc3du@_8h_xvO ZqogWD_T Date: Fri, 28 Oct 2016 04:59:21 -0400 Subject: [PATCH 07/16] move start-xen so that it is in the path --- initrd/{ => bin}/start-xen | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename initrd/{ => bin}/start-xen (100%) diff --git a/initrd/start-xen b/initrd/bin/start-xen similarity index 100% rename from initrd/start-xen rename to initrd/bin/start-xen From e9e6d661d3297f4ad2788b7470855e4998a20f10 Mon Sep 17 00:00:00 2001 
From: Trammell Hudson
Date: Fri, 28 Oct 2016 04:59:51 -0400
Subject: [PATCH 08/16] wrappers to seal/unseal drive encryption keys from the TPM
---
initrd/bin/seal-key | 74 +++++++++++++++++++++++++++++++++++++++++++
initrd/bin/unseal-key | 27 ++++++++++++++++
2 files changed, 101 insertions(+)
create mode 100755 initrd/bin/seal-key
create mode 100755 initrd/bin/unseal-key
diff --git a/initrd/bin/seal-key b/initrd/bin/seal-key
new file mode 100755
index 000000000..29f182fba
--- /dev/null
+++ b/initrd/bin/seal-key
@@ -0,0 +1,74 @@
+#!/bin/sh
+# This will generate a disk encryption key and seal / ecncrypt
+# with the current PCRs and then store it in the TPM NVRAM.
+# It will then need to be bundled into initrd that is booted with Qubes.
+
+TPM_INDEX=3
+TPM_SIZE=312
+KEY_FILE=/tmp/secret.key
+
+die() { echo >&2 "$@"; exit 1; }
+warn() { echo >&2 "$@"; }
+
+read -s -p "New key password: " key_password
+echo
+read -s -p "Repeat password: " key_password2
+echo
+
+if [ "$key_password" -ne "$key_password2" ]; then
+ die "Key passwords do not match"
+fi
+
+dd \
+ if=/dev/urandom \
+ of="$KEY_FILE" \
+ bs=1 \
+ count=128 \
+ 2>/dev/null \
+|| die "Unable to generate 128 random bytes"
+
+
+# Use the current values of the PCRs, which will be read
+# from the TPM as part of the sealing ("X").
+# should this read the storage root key?
+sealfile2 \
+ -if "$KEY_FILE" \
+ -of /tmp/sealed \
+ -pwdd "$key_password" \
+ -hk 40000000 \
+ -ix 0 X \
+ -ix 1 X \
+ -ix 2 X \
+ -ix 3 X \
+ -ix 4 X \
+|| die "Unable to seal secret"
+
+rm "$KEY_FILE"
+
+
+# to create an nvram space we need the TPM owner password
+# and the TPM physical presence must be asserted.
+#
+# The permissions are 0 since there is nothing special
+# about the sealed file
+physicalpresence -s \
+|| warn "Warning: Unable to assert physical presence"
+
+read -s -p "TPM Owner password: " tpm_password
+echo
+
+nv_definespace \
+ -in $TPM_INDEX \
+ -sz $TPM_SIZE \
+ -pwdo "$tpm_password" \
+ -per 0 \
+|| die "Warning: Unable to define NVRAM space; trying anyway"
+
+
+nv_writevalue \
+ -in $TPM_INDEX \
+ -if /tmp/sealed \
+|| die "Unable to write sealed secret to NVRAM"
+
+rm /tmp/sealed
+
diff --git a/initrd/bin/unseal-key b/initrd/bin/unseal-key
new file mode 100755
index 000000000..774d70dec
--- /dev/null
+++ b/initrd/bin/unseal-key
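Review bot: The password confirmation in seal-key compares with `-ne`, which is the integer operator of `test`; with two non-numeric strings the test fails with an error status, the `if` body is skipped, and a mistyped confirmation is silently accepted as the sealing password. Use the string operator instead: `if [ "$key_password" != "$key_password2" ]; then`. The `nv_definespace` failure path calls `die` with a message that says "trying anyway"; `warn` matches the message and lets `nv_writevalue` run when the space already exists. Every `die` after the `dd` also leaves `$KEY_FILE` (and later /tmp/sealed) behind, so a `trap 'rm -f "$KEY_FILE" /tmp/sealed' EXIT` near the top, together with `umask 077` before the key is written, keeps the plaintext key from outliving a failed run.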
@@ -0,0 +1,27 @@ +#!/bin/sh +# This will unseal and unecncrypt the drive encryption key from the TPM +# It will then need to be bundled into initrd that is booted with Qubes. + +TPM_INDEX=3 +TPM_SIZE=312 + +die() { echo >&2 "$@"; exit 1; } +warn() { echo >&2 "$@"; } + +read -s -p "Encryption password: " tpm_password +echo + +nv_readvalue \ + -in "$TPM_INDEX" \ + -sz "$TPM_SIZE" \ + -of /tmp/sealed \ +|| die "Unable to read key from TPM NVRAM" + +unsealfile \ + -if /tmp/sealed \ + -of /tmp/secret.key \ + -pwdd "$tpm_password" \ + -hk 40000000 \ +|| die "Unable to unseal disk encryption key" + +rm /tmp/sealed From da2a6580ce918232355e3258d66e2f03f8608971 Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Wed, 23 Nov 2016 10:45:39 -0500 Subject: [PATCH 09/16] allow key file to be specified on command line --- initrd/bin/unseal-key | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/initrd/bin/unseal-key b/initrd/bin/unseal-key index 774d70dec..387cd135d 100755 --- a/initrd/bin/unseal-key +++ b/initrd/bin/unseal-key @@ -8,6 +8,11 @@ TPM_SIZE=312 die() { echo >&2 "$@"; exit 1; } warn() { echo >&2 "$@"; } +key_file="$1" +if [ -z "$key_file" ]; then + key_file=/tmp/secret.key +fi + read -s -p "Encryption password: " tpm_password echo @@ -19,9 +24,11 @@ nv_readvalue \ unsealfile \ -if /tmp/sealed \ - -of /tmp/secret.key \ + -of "$key_file" \ -pwdd "$tpm_password" \ -hk 40000000 \ || die "Unable to unseal disk encryption key" rm /tmp/sealed + + From 1414023e6ecf6f440a7fea1d2a3b92182d3f88f4 Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Wed, 23 Nov 2016 10:46:04 -0500 Subject: [PATCH 10/16] include cryptsetup in build, will break 4M ROM images --- Makefile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Makefile b/Makefile index d177e368c..6fb92e47a 100644 --- a/Makefile +++ b/Makefile 
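Review bot: `unsealfile` in unseal-key writes the plaintext disk key to /tmp/secret.key (to `$key_file` after the follow-up hunk later in this series) under whatever umask the shell inherited, and nothing in the script restricts it; add `umask 077` before the `nv_readvalue` call. The variable that holds the unseal password is named `tpm_password`, the name seal-key uses for the TPM owner password, although here it is passed as `-pwdd` and corresponds to seal-key's `key_password`; renaming it to `key_password` keeps the two secrets apart. The second line of the header comment ("It will then need to be bundled into initrd…") is copied from seal-key and does not describe what this script does.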
@@ -151,6 +151,9 @@ $(build)/$(coreboot_dir)/util/cbmem/cbmem: $(build)/$(coreboot_dir)/.canary # Mounting dm-verity file systems requires dm-verity to be installed # We use gpgv to verify the signature on the root hash. # Both of these should be brought in as modules instead of from /sbin +#initrd_bins += initrd/bin/cryptsetup +initrd/bin/cryptsetup: /sbin/cryptsetup + cp "$<" "$@" initrd_bins += initrd/bin/dmsetup initrd/bin/dmsetup: /sbin/dmsetup cp "$<" "$@" From 3f444efe8c94ccbf1a5c4b57f7549cff5c71ad22 Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Wed, 23 Nov 2016 10:46:32 -0500 Subject: [PATCH 11/16] formatting --- initrd/bin/start-xen | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/initrd/bin/start-xen b/initrd/bin/start-xen index 7c4623eb7..b780bec6a 100755 --- a/initrd/bin/start-xen +++ b/initrd/bin/start-xen @@ -9,14 +9,13 @@ KERNEL=/boot/vmlinuz-4.4.14-11.pvops.qubes.x86_64 echo "+++ Checking $XEN" gpgv "${XEN}.asc" "${XEN}" || die "Xen signature failed" -echo "+++ Checking $INITRD" +echo "+++ Checking $INITRD" gpgv "${INITRD}.asc" "${INITRD}" || die "Initrd signature failed" echo "+++ Checking $KERNEL" gpgv "${KERNEL}.asc" "${KERNEL}" || die "Kernel signature failed" - # should also check xen command line arguments! # should also check kernel command line arguments! From 638329709e0ad7585dc4f8e5506b85f3d73f6b12 Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Wed, 23 Nov 2016 10:47:04 -0500 Subject: [PATCH 12/16] include find and compression tools --- config/busybox.config | 90 +++++++++++++++++++++---------------------- 1 file changed, 45 insertions(+), 45 deletions(-) diff --git a/config/busybox.config b/config/busybox.config index fe3e0a9d3..4370d44bb 100644 --- a/config/busybox.config +++ b/config/busybox.config @@ -1,7 +1,7 @@ # # Automatically generated make config: don't edit # Busybox version: 1.25.0 -# Sat Aug 6 15:56:20 2016 +# Tue Oct 25 14:38:11 2016 # CONFIG_HAVE_DOT_CONFIG=y 
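Review bot: The new `initrd/bin/cryptsetup` rule copies whatever `/sbin/cryptsetup` the build host has, so the tool that will handle the disk key is unpinned and the initrd contents depend on the build machine; the series already carries a hash-pinned `modules/cryptsetup`, and building from it would match the existing comment that these tools "should be brought in as modules instead of from /sbin". With `#initrd_bins += initrd/bin/cryptsetup` commented out the rule is not pulled into the initrd at all, which does not match the commit subject; a comment such as `# disabled by default: cryptsetup does not fit in 4M ROM images` would explain why. The comment's "Both of these" now precedes three tools.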
@@ -132,10 +132,10 @@ CONFIG_FEATURE_HWIB=y # # Archival Utilities # -# CONFIG_FEATURE_SEAMLESS_XZ is not set +CONFIG_FEATURE_SEAMLESS_XZ=y # CONFIG_FEATURE_SEAMLESS_LZMA is not set -# CONFIG_FEATURE_SEAMLESS_BZ2 is not set -# CONFIG_FEATURE_SEAMLESS_GZ is not set +CONFIG_FEATURE_SEAMLESS_BZ2=y +CONFIG_FEATURE_SEAMLESS_GZ=y # CONFIG_FEATURE_SEAMLESS_Z is not set # CONFIG_AR is not set # CONFIG_FEATURE_AR_LONG_FILENAMES is not set 
@@ -149,34 +149,34 @@ CONFIG_FEATURE_GUNZIP_LONG_OPTIONS=y # CONFIG_LZMA is not set # CONFIG_UNXZ is not set # CONFIG_XZ is not set -# CONFIG_BZIP2 is not set -# CONFIG_CPIO is not set -# CONFIG_FEATURE_CPIO_O is not set -# CONFIG_FEATURE_CPIO_P is not set +CONFIG_BZIP2=y +CONFIG_CPIO=y +CONFIG_FEATURE_CPIO_O=y +CONFIG_FEATURE_CPIO_P=y # CONFIG_DPKG is not set # CONFIG_DPKG_DEB is not set # CONFIG_FEATURE_DPKG_DEB_EXTRACT_ONLY is not set -# CONFIG_GZIP is not set -# CONFIG_FEATURE_GZIP_LONG_OPTIONS is not set +CONFIG_GZIP=y +CONFIG_FEATURE_GZIP_LONG_OPTIONS=y CONFIG_GZIP_FAST=0 # CONFIG_FEATURE_GZIP_LEVELS is not set # CONFIG_LZOP is not set # CONFIG_LZOP_COMPR_HIGH is not set # CONFIG_RPM is not set # CONFIG_RPM2CPIO is not set -# CONFIG_TAR is not set -# CONFIG_FEATURE_TAR_CREATE is not set -# CONFIG_FEATURE_TAR_AUTODETECT is not set -# CONFIG_FEATURE_TAR_FROM is not set -# CONFIG_FEATURE_TAR_OLDGNU_COMPATIBILITY is not set -# CONFIG_FEATURE_TAR_OLDSUN_COMPATIBILITY is not set -# CONFIG_FEATURE_TAR_GNU_EXTENSIONS is not set -# CONFIG_FEATURE_TAR_LONG_OPTIONS is not set -# CONFIG_FEATURE_TAR_TO_COMMAND is not set -# CONFIG_FEATURE_TAR_UNAME_GNAME is not set -# CONFIG_FEATURE_TAR_NOPRESERVE_TIME is not set +CONFIG_TAR=y +CONFIG_FEATURE_TAR_CREATE=y +CONFIG_FEATURE_TAR_AUTODETECT=y +CONFIG_FEATURE_TAR_FROM=y +CONFIG_FEATURE_TAR_OLDGNU_COMPATIBILITY=y +CONFIG_FEATURE_TAR_OLDSUN_COMPATIBILITY=y +CONFIG_FEATURE_TAR_GNU_EXTENSIONS=y +CONFIG_FEATURE_TAR_LONG_OPTIONS=y +CONFIG_FEATURE_TAR_TO_COMMAND=y +CONFIG_FEATURE_TAR_UNAME_GNAME=y +CONFIG_FEATURE_TAR_NOPRESERVE_TIME=y # CONFIG_FEATURE_TAR_SELINUX is not set -# CONFIG_UNZIP is not set +CONFIG_UNZIP=y # # Coreutils 
@@ -411,30 +411,30 @@ CONFIG_FEATURE_ALLOW_EXEC=y # # Finding Utilities # -# CONFIG_FIND is not set -# CONFIG_FEATURE_FIND_PRINT0 is not set -# CONFIG_FEATURE_FIND_MTIME is not set -# CONFIG_FEATURE_FIND_MMIN is not set -# CONFIG_FEATURE_FIND_PERM is not set -# CONFIG_FEATURE_FIND_TYPE is not set -# CONFIG_FEATURE_FIND_XDEV is not set -# CONFIG_FEATURE_FIND_MAXDEPTH is not set -# CONFIG_FEATURE_FIND_NEWER is not set -# CONFIG_FEATURE_FIND_INUM is not set -# CONFIG_FEATURE_FIND_EXEC is not set -# CONFIG_FEATURE_FIND_EXEC_PLUS is not set -# CONFIG_FEATURE_FIND_USER is not set -# CONFIG_FEATURE_FIND_GROUP is not set -# CONFIG_FEATURE_FIND_NOT is not set -# CONFIG_FEATURE_FIND_DEPTH is not set -# CONFIG_FEATURE_FIND_PAREN is not set -# CONFIG_FEATURE_FIND_SIZE is not set -# CONFIG_FEATURE_FIND_PRUNE is not set -# CONFIG_FEATURE_FIND_DELETE is not set -# CONFIG_FEATURE_FIND_PATH is not set -# CONFIG_FEATURE_FIND_REGEX is not set +CONFIG_FIND=y +CONFIG_FEATURE_FIND_PRINT0=y +CONFIG_FEATURE_FIND_MTIME=y +CONFIG_FEATURE_FIND_MMIN=y +CONFIG_FEATURE_FIND_PERM=y +CONFIG_FEATURE_FIND_TYPE=y +CONFIG_FEATURE_FIND_XDEV=y +CONFIG_FEATURE_FIND_MAXDEPTH=y +CONFIG_FEATURE_FIND_NEWER=y +CONFIG_FEATURE_FIND_INUM=y +CONFIG_FEATURE_FIND_EXEC=y +CONFIG_FEATURE_FIND_EXEC_PLUS=y +CONFIG_FEATURE_FIND_USER=y +CONFIG_FEATURE_FIND_GROUP=y +CONFIG_FEATURE_FIND_NOT=y +CONFIG_FEATURE_FIND_DEPTH=y +CONFIG_FEATURE_FIND_PAREN=y +CONFIG_FEATURE_FIND_SIZE=y +CONFIG_FEATURE_FIND_PRUNE=y +CONFIG_FEATURE_FIND_DELETE=y +CONFIG_FEATURE_FIND_PATH=y +CONFIG_FEATURE_FIND_REGEX=y # CONFIG_FEATURE_FIND_CONTEXT is not set -# CONFIG_FEATURE_FIND_LINKS is not set +CONFIG_FEATURE_FIND_LINKS=y CONFIG_GREP=y CONFIG_FEATURE_GREP_EGREP_ALIAS=y CONFIG_FEATURE_GREP_FGREP_ALIAS=y From cc1c198810ac7c137e9e425c09bbb2ea9b996e9c Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Wed, 23 Nov 2016 12:10:40 -0500 Subject: [PATCH 13/16] ignore modified .config files --- .gitignore | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.gitignore b/.gitignore index 442d2cffd..0b969ab97 100644 --- a/.gitignore +++ b/.gitignore @@ -14,3 +14,4 @@ initrd/bin initrd/sbin initrd/lib typescript* +config/*.old From 4fbd6ca58bff576c5ba149de472a18615e82a665 Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Wed, 23 Nov 2016 12:11:08 -0500 Subject: [PATCH 14/16] Make coreboot building modular to support multiple boards. This touches most of the module configurations since the coreboot build process had to add a few new features. The Linux kernel could make use of it as well if we need separate x230/chell/qemu kernels, for instance. --- Makefile | 25 ++++++++++++------- config/coreboot-qemu.config | 25 ++++++++++++++----- .../{coreboot.config => coreboot-x230.config} | 7 ++++-- modules/busybox | 1 + modules/coreboot | 22 ++++++++++++---- modules/cryptsetup | 1 + modules/kexec | 1 + modules/linux | 2 ++ modules/mbedtls | 1 + modules/qrencode | 1 + modules/tpmtotp | 1 + modules/xen | 2 ++ 12 files changed, 67 insertions(+), 22 deletions(-) rename config/{coreboot.config => coreboot-x230.config} (99%) diff --git a/Makefile b/Makefile index 6fb92e47a..57cea1b95 100644 --- a/Makefile +++ b/Makefile @@ -4,10 +4,15 @@ packages := $(pwd)/packages build := $(pwd)/build config := $(pwd)/build -all: x230.rom +# Currently supported targets are x230, chell and qemu +TARGET ?= x230 +all: $(TARGET).rom +# Bring in all of the module definitions; +# these are the external pieces that will be downloaded and built +# as part of creating the Heads firmware image. include modules/* all: $(modules) @@ -63,7 +68,7 @@ define define_module = endif # Copy our stored config file into the unpacked directory - $(build)/$($1_dir)/.config: config/$1.config $(build)/$($1_dir)/.canary + $(build)/$($1_dir)/.config: config/$($1_config) $(build)/$($1_dir)/.canary cp "$$<" "$$@" # Use the module's configure variable to build itself 
@@ -177,14 +182,14 @@ initrd_lib_install: $(initrd_bins) $(initrd_libs) # initrd image creation # # The initrd is constructed from various bits and pieces -# Note the touch and sort operation on the find output -- this -# ensures that the files always have the same timestamp and -# appear in the same order. +# The cpio-clean program is used ensure that the files +# always have the same timestamp and appear in the same order. # -# If there is in /dev/console, initrd can't startup. +# If there is no /dev/console, initrd can't startup. # We have to force it to be included into the cpio image. -# Since we are picking up the system's /dev/console, the -# timestamp will not be reproducible. +# Since we are picking up the system's /dev/console, there +# is a chance the build will not be reproducible (although +# unlikely that their device file has a different major/minor) # # initrd.cpio: $(initrd_bins) $(initrd_libs) initrd_lib_install @@ -224,6 +229,8 @@ $(call outputs,coreboot): $(build)/$(coreboot_dir)/bzImage #export CC := $(XGCC)/bin/x86_64-elf-gcc #export LDFLAGS := -L/lib/x86_64-linux-gnu -x230.rom: $(build)/$(coreboot_dir)/build/coreboot.rom +x230.rom: $(build)/$(coreboot_dir)/x230/coreboot.rom dd if="$<" of="$@" bs=1M skip=8 +qemu.rom: $(build)/$(coreboot_dir)/qemu/coreboot.rom + cp -a "$<" "$@" diff --git a/config/coreboot-qemu.config b/config/coreboot-qemu.config index 60d3e29a0..f9562bb4a 100644 --- a/config/coreboot-qemu.config +++ b/config/coreboot-qemu.config @@ -8,7 +8,6 @@ # CONFIG_LOCALVERSION="-heads" CONFIG_CBFS_PREFIX="fallback" -# CONFIG_MULTIPLE_CBFS_INSTANCES is not set CONFIG_COMPILER_GCC=y # CONFIG_COMPILER_LLVM_CLANG is not set # CONFIG_ANY_TOOLCHAIN is not set @@ -36,7 +35,6 @@ CONFIG_BOOTBLOCK_SOURCE="bootblock_simple.c" # CONFIG_GENERIC_GPIO_LIB is not set # CONFIG_BOARD_ID_AUTO is not set # CONFIG_BOARD_ID_MANUAL is not set -CONFIG_DEVICETREE="devicetree.cb" # CONFIG_RAM_CODE_SUPPORT is not set # CONFIG_BOOTSPLASH_IMAGE is not set 
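Review bot: The rewritten comment drops a word in its first sentence; it should read `# The cpio-clean program is used to ensure that the files`. The last sentence concedes that the host's `/dev/console` still enters the image, so it would help to state which fields are normalised by cpio-clean and which are not, since a reproducible initrd is what lets a measured image be compared against a known value.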
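Review bot: Only `x230.rom` and `qemu.rom` rules are added here, while the comment introduced by this commit lists chell as a supported target, so `make TARGET=chell` would stop with no rule for `chell.rom` unless one exists outside the visible hunks; either add the rule or drop chell from the comment. The two rules also differ without explanation (`dd ... bs=1M skip=8` against `cp -a`); a short comment on each saying why the x230 image is truncated and the qemu image is not would save the next reader from guessing.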
@@ -68,6 +66,7 @@ CONFIG_DEVICETREE="devicetree.cb" # CONFIG_VENDOR_DIGITALLOGIC is not set # CONFIG_VENDOR_DMP is not set # CONFIG_VENDOR_ECS is not set +# CONFIG_VENDOR_ELMEX is not set CONFIG_VENDOR_EMULATION=y # CONFIG_VENDOR_ESD is not set # CONFIG_VENDOR_GETAC is not set @@ -114,7 +113,7 @@ CONFIG_MAINBOARD_DIR="emulation/qemu-q35" CONFIG_MAINBOARD_PART_NUMBER="QEMU x86 q35/ich9" CONFIG_MAINBOARD_VENDOR="Emulation" CONFIG_MAX_CPUS=1 -CONFIG_CACHE_ROM_SIZE_OVERRIDE=0 +CONFIG_CACHE_ROM_SIZE_OVERRIDE=0x0 CONFIG_CBFS_SIZE=0x400000 CONFIG_UART_FOR_CONSOLE=0 # CONFIG_ONBOARD_VGA_IS_PRIMARY is not set @@ -138,6 +137,7 @@ CONFIG_BOARD_EMULATION_QEMU_X86_Q35=y CONFIG_BOARD_EMULATION_QEMU_X86=y # CONFIG_POST_DEVICE is not set CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_DEVICETREE="devicetree.cb" CONFIG_TTYS0_LCS=3 # CONFIG_CONSOLE_POST is not set CONFIG_DRIVERS_UART_8250IO=y @@ -188,6 +188,8 @@ CONFIG_UART_PCI_ADDR=0 CONFIG_HPET_MIN_TICKS=0x80 # CONFIG_SOC_MARVELL_ARMADA38X is not set # CONFIG_SOC_MARVELL_BG4CD is not set +# CONFIG_SOC_MARVELL_MVMAP2315 is not set +CONFIG_TTYS0_BAUD=115200 # CONFIG_SOC_MEDIATEK_MT8173 is not set # CONFIG_SOC_NVIDIA_TEGRA124 is not set # CONFIG_SOC_NVIDIA_TEGRA210 is not set @@ -239,6 +241,7 @@ CONFIG_CPU_MICROCODE_CBFS_GENERATE=y # CONFIG_CPU_MICROCODE_CBFS_EXTERNAL_HEADER is not set # CONFIG_CPU_MICROCODE_CBFS_NONE is not set # CONFIG_CPU_MICROCODE_MULTIPLE_FILES is not set +CONFIG_CPU_UCODE_BINARIES="" # # Northbridge @@ -266,6 +269,7 @@ CONFIG_SOUTHBRIDGE_INTEL_I82801IX=y # # Super I/O # +# CONFIG_SUPERIO_NUVOTON_NCT6776_COM_A is not set # # Embedded Controllers 
@@ -273,10 +277,10 @@ CONFIG_SOUTHBRIDGE_INTEL_I82801IX=y CONFIG_VBOOT_VBNV_OFFSET=0x26 # CONFIG_VBOOT_VBNV_CMOS is not set # CONFIG_VBOOT_VBNV_EC is not set -# CONFIG_VBOOT_VBNV_FLASH is not set # CONFIG_VBOOT is not set # CONFIG_MAINBOARD_HAS_CHROMEOS is not set # CONFIG_UEFI_2_4_BINDING is not set +# CONFIG_UDK_2015_BINDING is not set # CONFIG_USE_SIEMENS_HWILIB is not set # CONFIG_ARCH_ARM is not set # CONFIG_ARCH_BOOTBLOCK_ARM is not set @@ -293,6 +297,10 @@ CONFIG_VBOOT_VBNV_OFFSET=0x26 # CONFIG_ARCH_RAMSTAGE_ARMV7 is not set # CONFIG_ARCH_BOOTBLOCK_ARMV7_M is not set # CONFIG_ARCH_VERSTAGE_ARMV7_M is not set +# CONFIG_ARCH_BOOTBLOCK_ARMV7_R is not set +# CONFIG_ARCH_VERSTAGE_ARMV7_R is not set +# CONFIG_ARCH_ROMSTAGE_ARMV7_R is not set +# CONFIG_ARCH_RAMSTAGE_ARMV7_R is not set # CONFIG_ARM_LPAE is not set # CONFIG_ARCH_ARM64 is not set # CONFIG_ARCH_BOOTBLOCK_ARM64 is not set @@ -384,6 +392,7 @@ CONFIG_SUBSYSTEM_DEVICE_ID=0x0000 # CONFIG_SPI_FLASH is not set # CONFIG_HAVE_SPI_CONSOLE_SUPPORT is not set CONFIG_DRIVERS_UART=y +# CONFIG_DRIVERS_UART_8250IO_SKIP_INIT is not set # CONFIG_NO_UART_ON_SUPERIO is not set # CONFIG_UART_OVERRIDE_INPUT_CLOCK_DIVIDER is not set # CONFIG_UART_OVERRIDE_REFCLK is not set @@ -399,6 +408,8 @@ CONFIG_DRIVERS_EMULATION_QEMU_BOCHS=y # CONFIG_SMBIOS_PROVIDED_BY_MOBO is not set # CONFIG_DRIVERS_I2C_PCF8523 is not set # CONFIG_DRIVERS_I2C_RTD2132 is not set +# CONFIG_MAINBOARD_HAS_I2C_TPM_CR50 is not set +# CONFIG_DRIVER_I2C_TPM_ACPI is not set # CONFIG_INTEL_DP is not set # CONFIG_INTEL_DDI is not set # CONFIG_INTEL_EDID is not set 
@@ -420,6 +431,10 @@ CONFIG_DRIVERS_MC146818=y # CONFIG_DRIVER_XPOWERS_AXP209 is not set # CONFIG_ACPI_SATA_GENERATOR is not set # CONFIG_ACPI_INTEL_HARDWARE_SLEEP_VALUES is not set +# CONFIG_BOOT_DEVICE_NOT_SPI_FLASH is not set +CONFIG_BOOT_DEVICE_SPI_FLASH=y +CONFIG_BOOT_DEVICE_MEMORY_MAPPED=y +# CONFIG_BOOT_DEVICE_SUPPORTS_WRITES is not set # CONFIG_RTC is not set # CONFIG_TPM is not set CONFIG_STACK_SIZE=0x1000 @@ -447,7 +462,6 @@ CONFIG_CONSOLE_SERIAL_115200=y # CONFIG_CONSOLE_SERIAL_38400 is not set # CONFIG_CONSOLE_SERIAL_19200 is not set # CONFIG_CONSOLE_SERIAL_9600 is not set -CONFIG_TTYS0_BAUD=115200 # CONFIG_SPKMODEM is not set # CONFIG_CONSOLE_NE2K is not set CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x20000 @@ -535,7 +549,6 @@ CONFIG_LINUX_INITRD="" # CONFIG_DEBUG_BOOT_STATE is not set # CONFIG_ENABLE_APIC_EXT_ID is not set CONFIG_WARNINGS_ARE_ERRORS=y -CONFIG_IASL_WARNINGS_ARE_ERRORS=y # CONFIG_POWER_BUTTON_DEFAULT_ENABLE is not set # CONFIG_POWER_BUTTON_DEFAULT_DISABLE is not set # CONFIG_POWER_BUTTON_FORCE_ENABLE is not set diff --git a/config/coreboot.config b/config/coreboot-x230.config similarity index 99% rename from config/coreboot.config rename to config/coreboot-x230.config index 0436808b6..34ab78360 100644 --- a/config/coreboot.config +++ b/config/coreboot-x230.config @@ -68,6 +68,7 @@ CONFIG_MEASURED_BOOT=y # CONFIG_VENDOR_DIGITALLOGIC is not set # CONFIG_VENDOR_DMP is not set # CONFIG_VENDOR_ECS is not set +# CONFIG_VENDOR_ELMEX is not set # CONFIG_VENDOR_EMULATION is not set # CONFIG_VENDOR_ESD is not set # CONFIG_VENDOR_GETAC is not set @@ -114,7 +115,7 @@ CONFIG_MAINBOARD_DIR="lenovo/x230" CONFIG_MAINBOARD_PART_NUMBER="ThinkPad X230" CONFIG_MAINBOARD_VENDOR="LENOVO" CONFIG_MAX_CPUS=8 -CONFIG_CACHE_ROM_SIZE_OVERRIDE=0 +CONFIG_CACHE_ROM_SIZE_OVERRIDE=0x0 CONFIG_CBFS_SIZE=0x400000 CONFIG_UART_FOR_CONSOLE=0 CONFIG_VGA_BIOS_ID="8086,0166" 
@@ -137,7 +138,7 @@ CONFIG_ID_SECTION_OFFSET=0x80 CONFIG_USBDEBUG_HCD_INDEX=2 CONFIG_IFD_BIOS_SECTION="" CONFIG_IFD_ME_SECTION="" -CONFIG_TPM_PIRQ=0 +CONFIG_TPM_PIRQ=0x0 CONFIG_BOOT_DEVICE_SPI_FLASH_BUS=0 CONFIG_DRIVERS_PS2_KEYBOARD=y CONFIG_DEVICETREE="devicetree.cb" @@ -312,6 +313,7 @@ CONFIG_SOUTHBRIDGE_INTEL_COMMON_GPIO=y # # Super I/O # +# CONFIG_SUPERIO_NUVOTON_NCT6776_COM_A is not set # # Embedded Controllers @@ -461,6 +463,7 @@ CONFIG_SPI_FLASH_WINBOND=y # CONFIG_SPI_FLASH_FAST_READ_DUAL_OUTPUT_3B is not set # CONFIG_HAVE_SPI_CONSOLE_SUPPORT is not set CONFIG_DRIVERS_UART=y +# CONFIG_DRIVERS_UART_8250IO_SKIP_INIT is not set CONFIG_NO_UART_ON_SUPERIO=y # CONFIG_UART_OVERRIDE_INPUT_CLOCK_DIVIDER is not set # CONFIG_UART_OVERRIDE_REFCLK is not set diff --git a/modules/busybox b/modules/busybox index 2c3f11b20..87f98a5f4 100644 --- a/modules/busybox +++ b/modules/busybox @@ -7,5 +7,6 @@ busybox_url := https://busybox.net/downloads/$(busybox_tar) busybox_hash := 5a0fe06885ee1b805fb459ab6aaa023fe4f2eccee4fb8c0fd9a6c17c0daca2fc busybox_configure := make oldconfig +busybox_config := busybox.config busybox_output := busybox diff --git a/modules/coreboot b/modules/coreboot index c286767dd..a2b94c0e7 100644 --- a/modules/coreboot +++ b/modules/coreboot 
@@ -9,14 +9,26 @@ coreboot_dir := coreboot-$(coreboot_version) coreboot_repo := https://github.com/osresearch/coreboot -coreboot_configure := make oldconfig -coreboot_output := build/coreboot.rom +# Coreboot builds are specialized on a per-target basis. +# The builds are done in a per-target subdirectory +coreboot_config := coreboot-$(TARGET).config + +coreboot_configure := \ + make oldconfig obj=./$(TARGET) DOTCONFIG=../../config/coreboot-$(TARGET).config + +coreboot_target := \ + obj=./$(TARGET) DOTCONFIG=../../config/coreboot-$(TARGET).config -j 8 + +coreboot_output := $(TARGET)/coreboot.rom + # hack to force a build dependency on the cross compiler -$(build)/$(coreboot_dir)/.configured: $(build)/$(coreboot_dir)/util/crossgcc/xgcc/bin/iasl -$(build)/$(coreboot_dir)/util/crossgcc/xgcc/bin/iasl: - echo '******* Building gcc (this might take a while) ******' +$(build)/$(coreboot_dir)/.configured: $(build)/$(coreboot_dir)/util/crossgcc/xgcc/bin/i386-elf-gcc +$(build)/$(coreboot_dir)/util/crossgcc/xgcc/bin/i386-elf-gcc: + echo '******* Building crossgcc-i386 (this might take a while) ******' time make -C "$(build)/$(coreboot_dir)" crossgcc-i386 + #echo '******* Building crossgcc-arm (this might take a while) ******' + #time make -C "$(build)/$(coreboot_dir)" crossgcc-arm # The coreboot-blobs must be unpacked before we can build coreboot # if we are using a tar file; git checkout will clone the submodule. diff --git a/modules/cryptsetup b/modules/cryptsetup index 9d4652619..1ed4e1c9a 100644 --- a/modules/cryptsetup +++ b/modules/cryptsetup @@ -7,4 +7,5 @@ cryptsetup_url := https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptse cryptsetup_hash := dbb35dbf5f0c1749168c86c913fe98e872247bfc8425314b494c2423e7e43342 cryptsetup_configure := ./configure +cryptsetup_config := cryptsetup.config cryptsetup_output := diff --git a/modules/kexec b/modules/kexec index e63490fb3..f0c112eb2 100644 --- a/modules/kexec +++ b/modules/kexec 
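Review bot: `coreboot_configure` and `coreboot_target` point `DOTCONFIG` at the tracked `config/coreboot-$(TARGET).config`, so `make oldconfig` presumably rewrites that file inside the source tree (the `config/*.old` ignore rule added earlier in the series suggests it does), and options introduced by a newer coreboot get resolved at build time rather than reviewed. For a firmware whose security-relevant settings live in that file, it would be safer to copy the config into the per-target build directory and point `DOTCONFIG` at the copy. The relative `../../config/` path also assumes the coreboot tree sits exactly two levels below the repository root. The crossgcc recipe calls `make` directly rather than `$(MAKE)`, and `-j 8` is hard-coded in `coreboot_target`.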
@@ -8,3 +8,4 @@ kexec_hash := cc7b60dad0da202004048a6179d8a53606943062dd627a2edba45a8ea3a85135 kexec_configure := ./configure kexec_output := build/sbin/kexec +kexec_config := kexec.config diff --git a/modules/linux b/modules/linux index af4a55f61..5badbcaed 100644 --- a/modules/linux +++ b/modules/linux @@ -12,3 +12,5 @@ linux_hash := $(linux-$(linux_version)_hash) linux_configure := make oldconfig linux_output := arch/x86/boot/bzImage +linux_config := linux.config +linux_target := -j 8 bzImage diff --git a/modules/mbedtls b/modules/mbedtls index 737c37c9d..2e1d40894 100644 --- a/modules/mbedtls +++ b/modules/mbedtls @@ -11,3 +11,4 @@ mbedtls_libraries := \ mbedtls_configure := mbedtls_target := SHARED=1 +mbedtls_config := mbedtls.config diff --git a/modules/qrencode b/modules/qrencode index 82ce7f943..30e3c7de9 100644 --- a/modules/qrencode +++ b/modules/qrencode @@ -8,3 +8,4 @@ qrencode_hash := e794e26a96019013c0e3665cb06b18992668f352c5553d0a553f5d144f7f2a7 qrencode_output := .libs/libqrencode.so.$(qrencode_version) qrencode_configure := ./configure --without-tools +qrencode_config := qrencode.config diff --git a/modules/tpmtotp b/modules/tpmtotp index d47737805..cc43ac9a4 100644 --- a/modules/tpmtotp +++ b/modules/tpmtotp @@ -42,3 +42,4 @@ tpmtotp_libraries := \ libtpm/libtpm.so \ tpmtotp_configure := +tpmtotp_config := tpmtotp.config diff --git a/modules/xen b/modules/xen index 8792d2003..156e50dfc 100644 --- a/modules/xen +++ b/modules/xen @@ -10,3 +10,5 @@ xen_hash := 02badfce9a037bd1bd4a94210c1f6b85467746216c71795805102b514bcf1fc4 xen_output := xen.gz xen_configure := +xen_target := -j 8 +xen_config := xen.config From 4a832737448f0ecf02fab238cc97917c78c839fd Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Tue, 29 Nov 2016 11:14:35 -0500 Subject: [PATCH 15/16] disable ACPI on qemu boots, this fixes #53 --- config/coreboot-qemu.config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/config/coreboot-qemu.config b/config/coreboot-qemu.config index f9562bb4a..8c457b659 100644 --- a/config/coreboot-qemu.config +++ b/config/coreboot-qemu.config @@ -520,7 +520,7 @@ CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="./bzImage" CONFIG_PAYLOAD_OPTIONS="" # CONFIG_PXE is not set -CONFIG_LINUX_COMMAND_LINE="console=ttyS0 console=tty" +CONFIG_LINUX_COMMAND_LINE="acpi=off console=ttyS0 console=tty" CONFIG_LINUX_INITRD="" # CONFIG_PAYLOAD_IS_FLAT_BINARY is not set From e55a6a4df42cd30a08481f1271dc61bde906d3f2 Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Tue, 29 Nov 2016 11:19:48 -0500 Subject: [PATCH 16/16] Rework Makefile a bit. rename TARGET to BOARD (fix #55) use .INTERMEDIATE trick to avoid building multiple times (fix #52) Don't touch build/*/.config if we don't have to (fix #51) --- Makefile | 37 ++++++++++++++++++++++++++---------- config/coreboot-blobs.config | 1 - config/kexec.config | 1 - config/mbedtls.config | 1 - config/qrencode.config | 1 - config/tpmtotp.config | 1 - config/xen.config | 1 - modules/coreboot | 8 ++++---- modules/cryptsetup | 1 - modules/kexec | 1 - modules/mbedtls | 1 - modules/qrencode | 1 - modules/tpmtotp | 1 - modules/xen | 1 - 14 files changed, 31 insertions(+), 26 deletions(-) delete mode 100644 config/coreboot-blobs.config delete mode 100644 config/kexec.config delete mode 100644 config/mbedtls.config delete mode 100644 config/qrencode.config delete mode 100644 config/tpmtotp.config delete mode 100644 config/xen.config diff --git a/Makefile b/Makefile index 57cea1b95..ea0007c4f 100644 --- a/Makefile +++ b/Makefile @@ -5,9 +5,12 @@ build := $(pwd)/build config := $(pwd)/build # Currently supported targets are x230, chell and qemu -TARGET ?= x230 +BOARD ?= x230 -all: $(TARGET).rom +all: $(BOARD).rom + +# Disable all built in rules +.SUFFIXES: # Bring in all of the module definitions; 
@@ -15,7 +18,9 @@ all: $(TARGET).rom # as part of creating the Heads firmware image. include modules/* -all: $(modules) +# These will be built via their intermediate targets +# This increases the build time, so it is commented out for now +#all: $(foreach m,$(modules),$m.intermediate) define prefix = $(foreach _, $2, $1$_) @@ -68,8 +73,14 @@ define define_module = endif # Copy our stored config file into the unpacked directory - $(build)/$($1_dir)/.config: config/$($1_config) $(build)/$($1_dir)/.canary - cp "$$<" "$$@" + ifdef $1_config + $(build)/$($1_dir)/.config: config/$($1_config) $(build)/$($1_dir)/.canary + cp -a "$$<" "$$@" + else + $(build)/$($1_dir)/.config: $(build)/$($1_dir)/.canary + touch "$$@" + endif + # Use the module's configure variable to build itself $(build)/$($1_dir)/.configured: \ @@ -79,14 +90,18 @@ define define_module = touch "$$@" # Build the target after any dependencies - $(call outputs,$1): \ - $(build)/$($1_dir)/.configured \ - $(call outputs,$($1_depends)) - make -C "$(build)/$($1_dir)" $($1_target) + $(call outputs,$1): $1.intermediate # Short hand target for the module - $1: $(call outputs,$1) + #$1: $(call outputs,$1) + # Target for all of the outputs, which depend on their dependent modules +$1.intermediate: \ + $(build)/$($1_dir)/.configured \ + $(foreach d,$($1_depends),$d.intermediate) + make -C "$(build)/$($1_dir)" $($1_target) + +.INTERMEDIATE: $1.intermediate endef $(foreach _, $(modules), $(eval $(call define_module,$_))) @@ -208,6 +223,8 @@ initrd.cpio: $(initrd_bins) $(initrd_libs) initrd_lib_install echo "$@: Unchanged"; \ rm "$@.tmp"; \ fi + +initrd.intermediate: initrd.cpio # populate the coreboot initrd image from the one we built. diff --git a/config/coreboot-blobs.config b/config/coreboot-blobs.config deleted file mode 100644 index 556df42ea..000000000 --- a/config/coreboot-blobs.config +++ /dev/null @@ -1 +0,0 @@ -# nothing 
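Review bot: In the `@@ -79,14 +90,18 @@` hunk the new `$1.intermediate` recipe runs a literal `make -C ...`; written as `$$(MAKE) -C "$(build)/$($1_dir)" $($1_target)` (doubled `$` because the text passes through `$(eval)`) the sub-build would honour `-n` and share the parent's job server. The `$(call outputs,$1): $1.intermediate` rule has no recipe and depends on a target that is never created as a file, which is not obvious to a reader; a comment next to the `.INTERMEDIATE` line would help, for example `# $1.intermediate never exists on disk; it groups the outputs so the module build runs once`. The `define define_module` block begins outside this hunk.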
diff --git a/config/kexec.config b/config/kexec.config deleted file mode 100644 index 556df42ea..000000000 --- a/config/kexec.config +++ /dev/null @@ -1 +0,0 @@ -# nothing diff --git a/config/mbedtls.config b/config/mbedtls.config deleted file mode 100644 index 556df42ea..000000000 --- a/config/mbedtls.config +++ /dev/null @@ -1 +0,0 @@ -# nothing diff --git a/config/qrencode.config b/config/qrencode.config deleted file mode 100644 index 556df42ea..000000000 --- a/config/qrencode.config +++ /dev/null @@ -1 +0,0 @@ -# nothing diff --git a/config/tpmtotp.config b/config/tpmtotp.config deleted file mode 100644 index 556df42ea..000000000 --- a/config/tpmtotp.config +++ /dev/null @@ -1 +0,0 @@ -# nothing diff --git a/config/xen.config b/config/xen.config deleted file mode 100644 index c01ade299..000000000 --- a/config/xen.config +++ /dev/null @@ -1 +0,0 @@ -# Nothing diff --git a/modules/coreboot b/modules/coreboot index a2b94c0e7..204c416ef 100644 --- a/modules/coreboot +++ b/modules/coreboot @@ -11,15 +11,15 @@ coreboot_repo := https://github.com/osresearch/coreboot # Coreboot builds are specialized on a per-target basis. # The builds are done in a per-target subdirectory -coreboot_config := coreboot-$(TARGET).config +#coreboot_config := coreboot-$(TARGET).config coreboot_configure := \ - make oldconfig obj=./$(TARGET) DOTCONFIG=../../config/coreboot-$(TARGET).config + make oldconfig obj=./$(BOARD) DOTCONFIG=../../config/coreboot-$(BOARD).config coreboot_target := \ - obj=./$(TARGET) DOTCONFIG=../../config/coreboot-$(TARGET).config -j 8 + obj=./$(BOARD) DOTCONFIG=../../config/coreboot-$(BOARD).config -j 8 -coreboot_output := $(TARGET)/coreboot.rom +coreboot_output := $(BOARD)/coreboot.rom # hack to force a build dependency on the cross compiler diff --git a/modules/cryptsetup b/modules/cryptsetup index 1ed4e1c9a..9d4652619 100644 --- a/modules/cryptsetup +++ b/modules/cryptsetup 
@@ -7,5 +7,4 @@ cryptsetup_url := https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptse cryptsetup_hash := dbb35dbf5f0c1749168c86c913fe98e872247bfc8425314b494c2423e7e43342 cryptsetup_configure := ./configure -cryptsetup_config := cryptsetup.config cryptsetup_output := diff --git a/modules/kexec b/modules/kexec index f0c112eb2..e63490fb3 100644 --- a/modules/kexec +++ b/modules/kexec @@ -8,4 +8,3 @@ kexec_hash := cc7b60dad0da202004048a6179d8a53606943062dd627a2edba45a8ea3a85135 kexec_configure := ./configure kexec_output := build/sbin/kexec -kexec_config := kexec.config diff --git a/modules/mbedtls b/modules/mbedtls index 2e1d40894..737c37c9d 100644 --- a/modules/mbedtls +++ b/modules/mbedtls @@ -11,4 +11,3 @@ mbedtls_libraries := \ mbedtls_configure := mbedtls_target := SHARED=1 -mbedtls_config := mbedtls.config diff --git a/modules/qrencode b/modules/qrencode index 30e3c7de9..82ce7f943 100644 --- a/modules/qrencode +++ b/modules/qrencode @@ -8,4 +8,3 @@ qrencode_hash := e794e26a96019013c0e3665cb06b18992668f352c5553d0a553f5d144f7f2a7 qrencode_output := .libs/libqrencode.so.$(qrencode_version) qrencode_configure := ./configure --without-tools -qrencode_config := qrencode.config diff --git a/modules/tpmtotp b/modules/tpmtotp index cc43ac9a4..d47737805 100644 --- a/modules/tpmtotp +++ b/modules/tpmtotp @@ -42,4 +42,3 @@ tpmtotp_libraries := \ libtpm/libtpm.so \ tpmtotp_configure := -tpmtotp_config := tpmtotp.config diff --git a/modules/xen b/modules/xen index 156e50dfc..49cc50f86 100644 --- a/modules/xen +++ b/modules/xen @@ -11,4 +11,3 @@ xen_hash := 02badfce9a037bd1bd4a94210c1f6b85467746216c71795805102b514bcf1fc4 xen_output := xen.gz xen_configure := xen_target := -j 8 -xen_config := xen.config