From 7f1288b89c4765bc8ce86ca213bcdbc7535f2084 Mon Sep 17 00:00:00 2001 From: Duncan Guthrie Date: Fri, 5 Jan 2018 21:09:07 +0000 Subject: [PATCH 01/22] Preliminary support for GnuPG2 --- modules/gpg2 | 58 +++++++++++++++++++++++++++++++++++++++++++ modules/libassuan | 24 ++++++++++++++++++ modules/libgcrypt | 24 ++++++++++++++++++ modules/libgpg-error | 26 +++++++++++++++++++ modules/libksba | 24 ++++++++++++++++++ modules/libusb | 13 ++++++---- modules/libusb-compat | 2 ++ modules/npth | 24 ++++++++++++++++++ 8 files changed, 190 insertions(+), 5 deletions(-) create mode 100644 modules/gpg2 create mode 100644 modules/libassuan create mode 100644 modules/libgcrypt create mode 100644 modules/libgpg-error create mode 100644 modules/libksba create mode 100644 modules/npth diff --git a/modules/gpg2 b/modules/gpg2 new file mode 100644 index 000000000..df79d9d5d --- /dev/null +++ b/modules/gpg2 @@ -0,0 +1,58 @@ +modules-$(CONFIG_GPG2) += gpg2 + +gpg2_version := 2.2.4 +gpg2_dir := gnupg-$(gpg2_version) +gpg2_tar := gnupg-$(gpg2_version).tar.bz2 +gpg2_url := https://www.gnupg.org/ftp/gcrypt/gnupg/$(gpg2_tar) +gpg2_hash := 401a3e64780fdfa6d7670de0880aa5c9d589b3db7a7098979d7606cec546f2ec + +# For reproducibility reasons we have to override the exec_prefix +# and datarootdir on the configure line so that the Makefiles will +# be generated with the correct paths, but then re-write them when +# we use the install target so that they will be copied to the correct +# location. +gpg2_configure := ./configure \ + $(CROSS_TOOLS) \ + --host x86_64-linux-musl \ + --with-libusb="$(INSTALL)" \ + --with-libgpg-error-prefix="$(INSTALL)" \ + --with-libgcrypt-prefix="$(INSTALL)" \ + --with-libassuan-prefix="$(INSTALL)" \ + --with-ksba-prefix="$(INSTALL)" \ + --with-npth-prefix="$(INSTALL)" \ + --prefix "/" \ + --enable-scdaemon \ + --enable-ccid-driver \ + --disable-tofu \ + --disable-rpath \ + --disable-regex \ + --disable-doc \ + --disable-bzip2 \ + --disable-asm \ + --disable-exec \ + --disable-photo-viewers \ + --disable-keyserver-helpers \ + --disable-ldap \ + --disable-hkp \ + --disable-finger \ + --disable-dns-srv \ + --disable-dns-cert \ + --disable-regex \ + --disable-nls \ + --disable-all-tests \ + --disable-wks-server \ + --disable-wks-tools \ + --disable-gnutls \ + --disable-dirmgnr \ + +# Run one build to generate the executables with the pre-defined +# exec_prefix and datarootdir, then a second make to install the binaries +# into our actual target location +gpg2_target := $(MAKE_JOBS) \ + && $(MAKE) -C $(build)/$(gpg2_dir) \ + DESTDIR="$(INSTALL)" \ + install + +gpg2_output := g10/gpg + +gpg2_depends := libgpg-error libgcrypt libksba libassuan npth libusb-compat $(musl_dep) diff --git a/modules/libassuan b/modules/libassuan new file mode 100644 index 000000000..0575a97fe --- /dev/null +++ b/modules/libassuan @@ -0,0 +1,24 @@ +modules-$(CONFIG_GPG2) += libassuan +libassuan_version := 2.5.1 +libassuan_dir := libassuan-$(libassuan_version) +libassuan_tar := libassuan-$(libassuan_version).tar.bz2 +libassuan_url := https://gnupg.org/ftp/gcrypt/libassuan/$(libassuan_tar) +libassuan_hash := 47f96c37b4f2aac289f0bc1bacfa8bd8b4b209a488d3d15e2229cb6cc9b26449 + +libassuan_configure := ./configure \ + $(CROSS_TOOLS) \ + --host x86_64-linux-musl \ + --prefix "/" \ + --disable-static \ + --disable-nls \ + --with-libgpg-error-prefix="$(INSTALL)" \ + --disable-asm \ + +libassuan_target := $(MAKE_JOBS) \ + DESTDIR="$(INSTALL)" \ + $(CROSS_TOOLS) \ + install \ + +libassuan_libraries := src/.libs/libassuan.so + +libassuan_depends := libgpg-error $(musl_dep) diff --git a/modules/libgcrypt b/modules/libgcrypt new file mode 100644 index 000000000..aa1e7820d --- /dev/null +++ b/modules/libgcrypt @@ -0,0 +1,24 @@ +modules-$(CONFIG_GPG2) += libgcrypt +libgcrypt_version := 1.8.2 +libgcrypt_dir := libgcrypt-$(libgcrypt_version) +libgcrypt_tar := libgcrypt-$(libgcrypt_version).tar.bz2 +libgcrypt_url := https://gnupg.org/ftp/gcrypt/libgcrypt/$(libgcrypt_tar) +libgcrypt_hash := c8064cae7558144b13ef0eb87093412380efa16c4ee30ad12ecb54886a524c07 + +libgcrypt_configure := ./configure \ + $(CROSS_TOOLS) \ + --host=x86_64-linux-musl \ + --prefix "/" \ + --disable-static \ + --with-libgpg-error-prefix="$(INSTALL)" \ + --disable-asm \ + --disable-nls \ + +libgcrypt_target := $(MAKE_JOBS) \ + DESTDIR="$(INSTALL)" \ + $(CROSS_TOOLS) \ + install \ + +libgcrypt_libraries := src/.libs/libgcrypt.so + +libgcrypt_depends := libgpg-error $(musl_dep) diff --git a/modules/libgpg-error b/modules/libgpg-error new file mode 100644 index 000000000..91974cf58 --- /dev/null +++ b/modules/libgpg-error @@ -0,0 +1,26 @@ +modules-$(CONFIG_GPG2) += libgpg-error +libgpg-error_version := 1.27 +libgpg-error_dir := libgpg-error-$(libgpg-error_version) +libgpg-error_tar := libgpg-error-$(libgpg-error_version).tar.bz2 +libgpg-error_url := https://gnupg.org/ftp/gcrypt/libgpg-error/$(libgpg-error_tar) +libgpg-error_hash := 4f93aac6fecb7da2b92871bb9ee33032be6a87b174f54abf8ddf0911a22d29d2 + +libgpg-error_configure := ./configure \ + $(CROSS_TOOLS) \ + --prefix "/" \ + --host=x86_64-linux-musl \ + --disable-static \ + --disable-nls \ + --disable-languages \ + --disable-doc \ + --disable-tests \ + --disable-asm \ + +libgpg-error_target := $(MAKE_JOBS) \ + DESTDIR="$(INSTALL)" \ + $(CROSS_TOOLS) \ + install \ + +libgpg-error_libraries := src/.libs/libgpg-error.so + +libgpg-error_depends := $(musl_dep) diff --git a/modules/libksba b/modules/libksba new file mode 100644 index 000000000..fa427d33e --- /dev/null +++ b/modules/libksba @@ -0,0 +1,24 @@ +modules-$(CONFIG_GPG2) += libksba +libksba_version := 1.3.5 +libksba_dir := libksba-$(libksba_version) +libksba_tar := libksba-$(libksba_version).tar.bz2 +libksba_url := https://gnupg.org/ftp/gcrypt/libksba/$(libksba_tar) +libksba_hash := 41444fd7a6ff73a79ad9728f985e71c9ba8cd3e5e53358e70d5f066d35c1a340 + +libksba_configure := ./configure \ + $(CROSS_TOOLS) \ + --host x86_64-linux-musl \ + --prefix "/" \ + --disable-static \ + --disable-nls \ + --with-libgpg-error-prefix="$(INSTALL)" \ + --disable-asm \ + +libksba_target := $(MAKE_JOBS) \ + DESTDIR="$(INSTALL)" \ + $(CROSS_TOOLS) \ + install \ + +libksba_libraries := src/.libs/libksba.so + +libksba_depends := libgpg-error $(musl_dep) diff --git a/modules/libusb b/modules/libusb index cd767697b..b7fe959c4 100644 --- a/modules/libusb +++ b/modules/libusb @@ -1,5 +1,6 @@ # GPG with Yubikey support requires libusb modules-$(CONFIG_GPG) += libusb +modules-$(CONFIG_GPG2) += libusb libusb_version := 1.0.21 libusb_dir := libusb-$(libusb_version) @@ -7,15 +8,17 @@ libusb_tar := libusb-$(libusb_version).tar.bz2 libusb_url := https://downloads.sourceforge.net/project/libusb/libusb-1.0/libusb-$(libusb_version)/$(libusb_tar) libusb_hash := 7dce9cce9a81194b7065ee912bcd55eeffebab694ea403ffb91b67db66b1824b -libusb_configure := ./configure \ - $(CROSS_TOOLS) \ - --host i386-elf-linux \ - --prefix "/" \ - --disable-udev \ +libusb_configure := ./configure\ + $(CROSS_TOOLS)\ + --host i386-elf-linux\ + --prefix "/"\ + --disable-udev\ + --disable-tests\ # Run one build to generate the executables with the pre-defined # exec_prefix and datarootdir, then a second make to install the binaries # into our actual target location + libusb_target := $(MAKE_JOBS) \ DESTDIR="$(INSTALL)" \ $(CROSS_TOOLS) \ diff --git a/modules/libusb-compat b/modules/libusb-compat index c09101399..f95854ee1 100644 --- a/modules/libusb-compat +++ b/modules/libusb-compat @@ -1,7 +1,9 @@ # GPG 1.4.21 uses an old version of libusb, which # is emulated with the compatibility library. # This is a bit of a hack to set it up. + modules-$(CONFIG_GPG) += libusb-compat +modules-$(CONFIG_GPG2) += libusb-compat libusb-compat_version := 0.1.5 libusb-compat_dir := libusb-compat-$(libusb-compat_version) diff --git a/modules/npth b/modules/npth new file mode 100644 index 000000000..4ba238a3b --- /dev/null +++ b/modules/npth @@ -0,0 +1,24 @@ +modules-$(CONFIG_GPG2) += npth +npth_version := 1.5 +npth_dir := npth-$(npth_version) +npth_tar := npth-$(npth_version).tar.bz2 +npth_url := https://gnupg.org/ftp/gcrypt/npth/$(npth_tar) +npth_hash := 294a690c1f537b92ed829d867bee537e46be93fbd60b16c04630fbbfcd9db3c2 + +npth_configure := ./configure \ + $(CROSS_TOOLS) \ + --host x86_64-linux-musl \ + --prefix "/" \ + --disable-static \ + --disable-nls \ + --with-libgpg-error-prefix="$(INSTALL)" \ + --disable-asm \ + +npth_target := $(MAKE_JOBS) \ + DESTDIR="$(INSTALL)" \ + $(CROSS_TOOLS) \ + install \ + +npth_libraries := src/.libs/libnpth.so + +npth_depends := libgpg-error $(musl_dep) From c1c615e6775588a9ab039fc19a6cd9c412f251cc Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Tue, 18 Sep 2018 05:12:47 -0400 Subject: [PATCH 02/22] copy gpg2 executables and pass in the libusb include path --- Makefile | 1 + modules/gpg2 | 1 + 2 files changed, 2 insertions(+) diff --git a/Makefile b/Makefile index cad491c3a..2184e5fbb 100644 --- a/Makefile +++ b/Makefile @@ -393,6 +393,7 @@ bin_modules-$(CONFIG_PCIUTILS) += pciutils bin_modules-$(CONFIG_FLASHROM) += flashrom bin_modules-$(CONFIG_CRYPTSETUP) += cryptsetup bin_modules-$(CONFIG_GPG) += gpg +bin_modules-$(CONFIG_GPG2) += gpg2 bin_modules-$(CONFIG_LVM2) += lvm2 bin_modules-$(CONFIG_DROPBEAR) += dropbear bin_modules-$(CONFIG_FLASHTOOLS) += flashtools diff --git a/modules/gpg2 b/modules/gpg2 index df79d9d5d..96fe3b034 100644 --- a/modules/gpg2 +++ b/modules/gpg2 @@ -13,6 +13,7 @@ gpg2_hash := 401a3e64780fdfa6d7670de0880aa5c9d589b3db7a7098979d7606cec546f2ec # location. gpg2_configure := ./configure \ $(CROSS_TOOLS) \ + CPPFLAGS="-I$(INSTALL)/include/libusb-1.0" \ --host x86_64-linux-musl \ --with-libusb="$(INSTALL)" \ --with-libgpg-error-prefix="$(INSTALL)" \ From d61587c17985248ea8dc6a6385658539fcf3b44a Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Tue, 18 Sep 2018 05:14:05 -0400 Subject: [PATCH 03/22] switch to gpg2 for qemu targets --- boards/qemu-coreboot/qemu-coreboot.config | 2 +- boards/qemu-linuxboot/qemu-linuxboot.config | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/boards/qemu-coreboot/qemu-coreboot.config b/boards/qemu-coreboot/qemu-coreboot.config index 9427a2ac3..0f1a592ac 100644 --- a/boards/qemu-coreboot/qemu-coreboot.config +++ b/boards/qemu-coreboot/qemu-coreboot.config @@ -17,7 +17,7 @@ CONFIG_FLASHROM=y CONFIG_PCIUTILS=y CONFIG_UTIL_LINUX=y CONFIG_CRYPTSETUP=y -CONFIG_GPG=y +CONFIG_GPG2=y CONFIG_LVM2=y CONFIG_MBEDTLS=y CONFIG_DROPBEAR=y diff --git a/boards/qemu-linuxboot/qemu-linuxboot.config b/boards/qemu-linuxboot/qemu-linuxboot.config index 9b2d8644c..730ce633d 100644 --- a/boards/qemu-linuxboot/qemu-linuxboot.config +++ b/boards/qemu-linuxboot/qemu-linuxboot.config @@ -18,7 +18,7 @@ endif CONFIG_FLASHROM=y CONFIG_FLASHTOOLS=y -CONFIG_GPG=y +CONFIG_GPG2=y CONFIG_KEXEC=y CONFIG_UTIL_LINUX=y CONFIG_DROPBEAR=y From b1736d7cb3f37a64f1575b4aa62f9de49489f6ba Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Tue, 18 Sep 2018 05:32:46 -0400 Subject: [PATCH 04/22] use full version names on output libraries --- modules/libassuan | 2 +- modules/libgcrypt | 2 +- modules/libgpg-error | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/libassuan b/modules/libassuan index 0575a97fe..3c4e319aa 100644 --- a/modules/libassuan +++ b/modules/libassuan @@ -19,6 +19,6 @@ libassuan_target := $(MAKE_JOBS) \ $(CROSS_TOOLS) \ install \ -libassuan_libraries := src/.libs/libassuan.so +libassuan_libraries := src/.libs/libassuan.so.0 libassuan_depends := libgpg-error $(musl_dep) diff --git a/modules/libgcrypt b/modules/libgcrypt index aa1e7820d..ad7728b81 100644 --- a/modules/libgcrypt +++ b/modules/libgcrypt @@ -19,6 +19,6 @@ libgcrypt_target := $(MAKE_JOBS) \ $(CROSS_TOOLS) \ install \ -libgcrypt_libraries := src/.libs/libgcrypt.so +libgcrypt_libraries := src/.libs/libgcrypt.so.20 libgcrypt_depends := libgpg-error $(musl_dep) diff --git a/modules/libgpg-error b/modules/libgpg-error index 91974cf58..8a58c22b1 100644 --- a/modules/libgpg-error +++ b/modules/libgpg-error @@ -21,6 +21,6 @@ libgpg-error_target := $(MAKE_JOBS) \ $(CROSS_TOOLS) \ install \ -libgpg-error_libraries := src/.libs/libgpg-error.so +libgpg-error_libraries := src/.libs/libgpg-error.so.0 libgpg-error_depends := $(musl_dep) From b89ed83af67e1ee7edc973ecbe217ad2da44cd56 Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Wed, 19 Sep 2018 06:32:00 -0400 Subject: [PATCH 05/22] enable Unix Domain sockets for gpg-agent --- config/linux-kgpe-d16.config | 1 + config/linux-librem13v2.config | 1 + config/linux-linuxboot.config | 1 + config/linux-x230.config | 1 + 4 files changed, 4 insertions(+) diff --git a/config/linux-kgpe-d16.config b/config/linux-kgpe-d16.config index 2c451e224..c925feb6a 100644 --- a/config/linux-kgpe-d16.config +++ b/config/linux-kgpe-d16.config @@ -64,6 +64,7 @@ CONFIG_PCI_PRI=y # CONFIG_COREDUMP is not set CONFIG_NET=y CONFIG_PACKET=y +CONFIG_UNIX=y CONFIG_INET=y CONFIG_SYN_COOKIES=y # CONFIG_INET_XFRM_MODE_TRANSPORT is not set diff --git a/config/linux-librem13v2.config b/config/linux-librem13v2.config index ebb1dd566..f107eb102 100644 --- a/config/linux-librem13v2.config +++ b/config/linux-librem13v2.config @@ -63,6 +63,7 @@ CONFIG_PCI_PRI=y # CONFIG_COREDUMP is not set CONFIG_NET=y CONFIG_PACKET=y +CONFIG_UNIX=y CONFIG_INET=y CONFIG_SYN_COOKIES=y # CONFIG_INET_XFRM_MODE_TRANSPORT is not set diff --git a/config/linux-linuxboot.config b/config/linux-linuxboot.config index 1074b6ac5..bd692577d 100644 --- a/config/linux-linuxboot.config +++ b/config/linux-linuxboot.config @@ -84,6 +84,7 @@ CONFIG_PCI_PRI=y CONFIG_IA32_EMULATION=y CONFIG_NET=y CONFIG_PACKET=y +CONFIG_UNIX=y CONFIG_INET=y CONFIG_SYN_COOKIES=y # CONFIG_INET_XFRM_MODE_TRANSPORT is not set diff --git a/config/linux-x230.config b/config/linux-x230.config index 3f13d3278..ff9d94add 100644 --- a/config/linux-x230.config +++ b/config/linux-x230.config @@ -64,6 +64,7 @@ CONFIG_PCI_PRI=y # CONFIG_COREDUMP is not set CONFIG_NET=y CONFIG_PACKET=y +CONFIG_UNIX=y CONFIG_INET=y CONFIG_SYN_COOKIES=y # CONFIG_INET_XFRM_MODE_TRANSPORT is not set From 49269f2bb4a5c6668606e087418b1477d985c386 Mon Sep 17 00:00:00 2001 From: tlaurion Date: Wed, 19 Sep 2018 06:33:18 -0400 Subject: [PATCH 06/22] gpg2 library fixes --- modules/gpg2 | 4 ++-- modules/libksba | 2 +- modules/npth | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/gpg2 b/modules/gpg2 index 96fe3b034..ea3ca07ee 100644 --- a/modules/gpg2 +++ b/modules/gpg2 @@ -44,7 +44,7 @@ gpg2_configure := ./configure \ --disable-wks-server \ --disable-wks-tools \ --disable-gnutls \ - --disable-dirmgnr \ + --disable-dirmngr \ # Run one build to generate the executables with the pre-defined # exec_prefix and datarootdir, then a second make to install the binaries @@ -54,6 +54,6 @@ gpg2_target := $(MAKE_JOBS) \ DESTDIR="$(INSTALL)" \ install -gpg2_output := g10/gpg +gpg2_output := g10/gpg agent/gpg-agent scd/scdaemon gpg2_depends := libgpg-error libgcrypt libksba libassuan npth libusb-compat $(musl_dep) diff --git a/modules/libksba b/modules/libksba index fa427d33e..d35291338 100644 --- a/modules/libksba +++ b/modules/libksba @@ -19,6 +19,6 @@ libksba_target := $(MAKE_JOBS) \ $(CROSS_TOOLS) \ install \ -libksba_libraries := src/.libs/libksba.so +libksba_libraries := src/.libs/libksba.so.8 libksba_depends := libgpg-error $(musl_dep) diff --git a/modules/npth b/modules/npth index 4ba238a3b..70708cc65 100644 --- a/modules/npth +++ b/modules/npth @@ -19,6 +19,6 @@ npth_target := $(MAKE_JOBS) \ $(CROSS_TOOLS) \ install \ -npth_libraries := src/.libs/libnpth.so +npth_libraries := src/.libs/libnpth.so.0 npth_depends := libgpg-error $(musl_dep) From c261907ee67575f026d89bad594352be219b7aca Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Wed, 19 Sep 2018 06:58:08 -0400 Subject: [PATCH 07/22] gpg2 pinentry program is required for passwords or PINs --- Makefile | 1 + modules/pinentry | 39 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 40 insertions(+) create mode 100644 modules/pinentry diff --git a/Makefile b/Makefile index 2184e5fbb..910830dd3 100644 --- a/Makefile +++ b/Makefile @@ -394,6 +394,7 @@ bin_modules-$(CONFIG_FLASHROM) += flashrom bin_modules-$(CONFIG_CRYPTSETUP) += cryptsetup bin_modules-$(CONFIG_GPG) += gpg bin_modules-$(CONFIG_GPG2) += gpg2 +bin_modules-$(CONFIG_PINENTRY) += pinetry bin_modules-$(CONFIG_LVM2) += lvm2 bin_modules-$(CONFIG_DROPBEAR) += dropbear bin_modules-$(CONFIG_FLASHTOOLS) += flashtools diff --git a/modules/pinentry b/modules/pinentry new file mode 100644 index 000000000..ed4da471a --- /dev/null +++ b/modules/pinentry @@ -0,0 +1,39 @@ +# pinentry is required for gpg2 to be able to read user passwords +CONFIG_PINENTRY ?= $(CONFIG_GPG2) +modules-$(CONFIG_PINENTRY) += pinentry + +pinentry_version := 1.1.0 +pinentry_dir := pinentry-$(pinentry_version) +pinentry_tar := pinentry-$(pinentry_version).tar.bz2 +pinentry_url := https://www.gnupg.org/ftp/gcrypt/pinentry/$(pinentry_tar) +pinentry_hash := 68076686fa724a290ea49cdf0d1c0c1500907d1b759a3bcbfbec0293e8f56570 + +# For reproducibility reasons we have to override the exec_prefix +# and datarootdir on the configure line so that the Makefiles will +# be generated with the correct paths, but then re-write them when +# we use the install target so that they will be copied to the correct +# location. +pinentry_configure := ./configure \ + $(CROSS_TOOLS) \ + --host x86_64-linux-musl \ + --prefix "/" \ + --enable-pinentry-tty \ + --disable-pinentry-curses \ + --disable-pinentry-qt5 \ + --disable-pinentry-fltk \ + --disable-pinentry-emacs \ + --with-libgpg-error-prefix="$(INSTALL)" \ + --with-libassuan-prefix="$(INSTALL)" \ + +# Run one build to generate the executables with the pre-defined +# exec_prefix and datarootdir, then a second make to install the binaries +# into our actual target location +pinentry_target := $(MAKE_JOBS) \ + && $(MAKE) -C $(build)/$(pinentry_dir) \ + DESTDIR="$(INSTALL)" \ + install \ + && cp $(build)/$(pinentry_dir)/tty/pinentry-tty $(build)/$(pinentry_dir)/tty/pinentry + +pinentry_output := tty/pinentry + +pinentry_depends := libgpg-error libassuan $(musl_dep) From 82701fb10fb88bb48827dd783448d426f234e4b6 Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Wed, 19 Sep 2018 07:21:02 -0400 Subject: [PATCH 08/22] typo on pinentry --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 910830dd3..912a9b53a 100644 --- a/Makefile +++ b/Makefile @@ -394,7 +394,7 @@ bin_modules-$(CONFIG_FLASHROM) += flashrom bin_modules-$(CONFIG_CRYPTSETUP) += cryptsetup bin_modules-$(CONFIG_GPG) += gpg bin_modules-$(CONFIG_GPG2) += gpg2 -bin_modules-$(CONFIG_PINENTRY) += pinetry +bin_modules-$(CONFIG_PINENTRY) += pinentry bin_modules-$(CONFIG_LVM2) += lvm2 bin_modules-$(CONFIG_DROPBEAR) += dropbear bin_modules-$(CONFIG_FLASHTOOLS) += flashtools From 8ba3c3340287d3e501418e91a98a579ca559ed83 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Thu, 4 Oct 2018 21:32:04 -0400 Subject: [PATCH 09/22] required changes to apply on top of osresearch/gpg2 for gpg2 to actually work, tools and libs updated to latest versions --- boards/x230/x230.config | 2 +- initrd/.gnupg/gpg-agent.conf | 1 + modules/gpg2 | 4 ++-- modules/libgcrypt | 4 ++-- modules/libgpg-error | 4 ++-- modules/npth | 4 ++-- modules/pinentry | 1 + 7 files changed, 11 insertions(+), 9 deletions(-) create mode 100644 initrd/.gnupg/gpg-agent.conf diff --git a/boards/x230/x230.config b/boards/x230/x230.config index e479f5a1b..5a4d56a41 100644 --- a/boards/x230/x230.config +++ b/boards/x230/x230.config @@ -6,7 +6,7 @@ CONFIG_LINUX_CONFIG=config/linux-x230.config CONFIG_CRYPTSETUP=y CONFIG_FLASHROM=y CONFIG_FLASHTOOLS=y -CONFIG_GPG=y +CONFIG_GPG2=y CONFIG_KEXEC=y CONFIG_UTIL_LINUX=y CONFIG_LVM2=y diff --git a/initrd/.gnupg/gpg-agent.conf b/initrd/.gnupg/gpg-agent.conf new file mode 100644 index 000000000..db6595868 --- /dev/null +++ b/initrd/.gnupg/gpg-agent.conf @@ -0,0 +1 @@ +scdaemon-program /bin/scdaemon diff --git a/modules/gpg2 b/modules/gpg2 index ea3ca07ee..a386093c9 100644 --- a/modules/gpg2 +++ b/modules/gpg2 @@ -1,10 +1,10 @@ modules-$(CONFIG_GPG2) += gpg2 -gpg2_version := 2.2.4 +gpg2_version := 2.2.10 gpg2_dir := gnupg-$(gpg2_version) gpg2_tar := gnupg-$(gpg2_version).tar.bz2 gpg2_url := https://www.gnupg.org/ftp/gcrypt/gnupg/$(gpg2_tar) -gpg2_hash := 401a3e64780fdfa6d7670de0880aa5c9d589b3db7a7098979d7606cec546f2ec +gpg2_hash := 799dd37a86a1448732e339bd20440f4f5ee6e69755f6fd7a73ee8af30840c915 # For reproducibility reasons we have to override the exec_prefix # and datarootdir on the configure line so that the Makefiles will diff --git a/modules/libgcrypt b/modules/libgcrypt index ad7728b81..aa7e1ef8e 100644 --- a/modules/libgcrypt +++ b/modules/libgcrypt @@ -1,9 +1,9 @@ modules-$(CONFIG_GPG2) += libgcrypt -libgcrypt_version := 1.8.2 +libgcrypt_version := 1.8.3 libgcrypt_dir := libgcrypt-$(libgcrypt_version) libgcrypt_tar := libgcrypt-$(libgcrypt_version).tar.bz2 libgcrypt_url := https://gnupg.org/ftp/gcrypt/libgcrypt/$(libgcrypt_tar) -libgcrypt_hash := c8064cae7558144b13ef0eb87093412380efa16c4ee30ad12ecb54886a524c07 +libgcrypt_hash := 66ec90be036747602f2b48f98312361a9180c97c68a690a5f376fa0f67d0af7c libgcrypt_configure := ./configure \ $(CROSS_TOOLS) \ diff --git a/modules/libgpg-error b/modules/libgpg-error index 8a58c22b1..752e11aad 100644 --- a/modules/libgpg-error +++ b/modules/libgpg-error @@ -1,9 +1,9 @@ modules-$(CONFIG_GPG2) += libgpg-error -libgpg-error_version := 1.27 +libgpg-error_version := 1.32 libgpg-error_dir := libgpg-error-$(libgpg-error_version) libgpg-error_tar := libgpg-error-$(libgpg-error_version).tar.bz2 libgpg-error_url := https://gnupg.org/ftp/gcrypt/libgpg-error/$(libgpg-error_tar) -libgpg-error_hash := 4f93aac6fecb7da2b92871bb9ee33032be6a87b174f54abf8ddf0911a22d29d2 +libgpg-error_hash := c345c5e73cc2332f8d50db84a2280abfb1d8f6d4f1858b9daa30404db44540ca libgpg-error_configure := ./configure \ $(CROSS_TOOLS) \ diff --git a/modules/npth b/modules/npth index 70708cc65..e0f30c69e 100644 --- a/modules/npth +++ b/modules/npth @@ -1,9 +1,9 @@ modules-$(CONFIG_GPG2) += npth -npth_version := 1.5 +npth_version := 1.6 npth_dir := npth-$(npth_version) npth_tar := npth-$(npth_version).tar.bz2 npth_url := https://gnupg.org/ftp/gcrypt/npth/$(npth_tar) -npth_hash := 294a690c1f537b92ed829d867bee537e46be93fbd60b16c04630fbbfcd9db3c2 +npth_hash := 1393abd9adcf0762d34798dc34fdcf4d0d22a8410721e76f1e3afcd1daa4e2d1 npth_configure := ./configure \ $(CROSS_TOOLS) \ diff --git a/modules/pinentry b/modules/pinentry index ed4da471a..691f63c36 100644 --- a/modules/pinentry +++ b/modules/pinentry @@ -22,6 +22,7 @@ pinentry_configure := ./configure \ --disable-pinentry-qt5 \ --disable-pinentry-fltk \ --disable-pinentry-emacs \ + --disable-fallback-curses \ --with-libgpg-error-prefix="$(INSTALL)" \ --with-libassuan-prefix="$(INSTALL)" \ From e5a739e54cdda3c2fcc805a971b8ab3eea131c27 Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Wed, 17 Oct 2018 17:42:43 -0400 Subject: [PATCH 10/22] use /bin for libexecdir and disable curses pinentry --- modules/gpg2 | 1 + modules/pinentry | 1 + 2 files changed, 2 insertions(+) diff --git a/modules/gpg2 b/modules/gpg2 index a386093c9..318a4cd11 100644 --- a/modules/gpg2 +++ b/modules/gpg2 @@ -22,6 +22,7 @@ gpg2_configure := ./configure \ --with-ksba-prefix="$(INSTALL)" \ --with-npth-prefix="$(INSTALL)" \ --prefix "/" \ + --libexecdir "/bin" \ --enable-scdaemon \ --enable-ccid-driver \ --disable-tofu \ diff --git a/modules/pinentry b/modules/pinentry index 691f63c36..e6e440dd7 100644 --- a/modules/pinentry +++ b/modules/pinentry @@ -18,6 +18,7 @@ pinentry_configure := ./configure \ --host x86_64-linux-musl \ --prefix "/" \ --enable-pinentry-tty \ + --disable-fallback-curses \ --disable-pinentry-curses \ --disable-pinentry-qt5 \ --disable-pinentry-fltk \ From 6335ece90244452bb26c477556c34bdb2d96eee2 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Wed, 14 Nov 2018 19:39:11 -0500 Subject: [PATCH 11/22] gpg2 pubring extension change from gpg to kbx --- initrd/bin/flash-gui.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/initrd/bin/flash-gui.sh b/initrd/bin/flash-gui.sh index 191d977b0..7a7ec46a5 100755 --- a/initrd/bin/flash-gui.sh +++ b/initrd/bin/flash-gui.sh @@ -139,10 +139,10 @@ while true; do cat $PUBKEY | gpg --import cp $ROM /tmp/gpg-gui.rom - if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.gpg") then - cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.gpg" + if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.kbx") then + cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.kbx" fi - cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.gpg" -f /.gnupg/pubring.gpg + cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/trustdb.gpg") then cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/trustdb.gpg" @@ -180,10 +180,10 @@ while true; do fi cat $PUBKEY | gpg --import - if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.gpg") then - cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.gpg" + if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.kbx") then + cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.kbx" fi - cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.gpg" -f /.gnupg/pubring.gpg + cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/trustdb.gpg") then cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/trustdb.gpg" From 44d566a72ac51d25692928ad3f35c9b553848056 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Wed, 14 Nov 2018 19:41:02 -0500 Subject: [PATCH 12/22] pinentry-tty path needs to be known from gpg-agent --- initrd/.gnupg/gpg-agent.conf | 2 ++ modules/pinentry | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/initrd/.gnupg/gpg-agent.conf b/initrd/.gnupg/gpg-agent.conf index db6595868..eba090d1d 100644 --- a/initrd/.gnupg/gpg-agent.conf +++ b/initrd/.gnupg/gpg-agent.conf @@ -1 +1,3 @@ scdaemon-program /bin/scdaemon +pinentry-program /bin/pinentry-tty +daemon diff --git a/modules/pinentry b/modules/pinentry index e6e440dd7..c59b70430 100644 --- a/modules/pinentry +++ b/modules/pinentry @@ -36,6 +36,6 @@ pinentry_target := $(MAKE_JOBS) \ install \ && cp $(build)/$(pinentry_dir)/tty/pinentry-tty $(build)/$(pinentry_dir)/tty/pinentry -pinentry_output := tty/pinentry +pinentry_output := tty/pinentry-tty pinentry_depends := libgpg-error libassuan $(musl_dep) From fb3e2066b8ee33b29c3fbc387a1b707956c646f3 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Wed, 14 Nov 2018 19:45:44 -0500 Subject: [PATCH 13/22] GPG_TTY is forced to /dev/console under init. Ash console is never called; trying to get console tty from the tty returns "no console". NEEDs BETTER FIX. --- initrd/init | 3 +++ 1 file changed, 3 insertions(+) diff --git a/initrd/init b/initrd/init index d489f6ae5..305d05af7 100755 --- a/initrd/init +++ b/initrd/init @@ -5,6 +5,9 @@ echo "hello world" > /dev/ttyprintk # Setup our path export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin +#export GPG_TTY STATICALLY (NEED TO FIX) +export GPG_TTY=/dev/console + # This is the very first script invoked by the Linux kernel and is # running out of the ram disk. There are no fileysstems mounted. # It is important to have a way to invoke a recovery shell in case From 46ddc20f74b84d20b3d87c2b0d64bfe7bc0cfff4 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Wed, 14 Nov 2018 19:46:46 -0500 Subject: [PATCH 14/22] instruct gpg to use gpg-agent. --- initrd/.gnupg/gpg.conf | 1 + 1 file changed, 1 insertion(+) create mode 100644 initrd/.gnupg/gpg.conf diff --git a/initrd/.gnupg/gpg.conf b/initrd/.gnupg/gpg.conf new file mode 100644 index 000000000..d53cb13d6 --- /dev/null +++ b/initrd/.gnupg/gpg.conf @@ -0,0 +1 @@ +use-agent From 75c11481f689c51c2dbf07beb4715bfb5989241b Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Wed, 14 Nov 2018 19:47:24 -0500 Subject: [PATCH 15/22] Port gpg1 patch to gpg2 to force crosscompiling and output to stderr. --- patches/gpg2-2.2.10.patch | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 patches/gpg2-2.2.10.patch diff --git a/patches/gpg2-2.2.10.patch b/patches/gpg2-2.2.10.patch new file mode 100644 index 000000000..ed940b1b3 --- /dev/null +++ b/patches/gpg2-2.2.10.patch @@ -0,0 +1,27 @@ +diff -u --recursive /home/tlaurion/build/clean/gnupg-2.2.10/configure gnupg-2.2.10/configure +--- /home/tlaurion/build/clean/gnupg-2.2.10/configure 2016-08-17 09:20:25.000000000 -0400 ++++ gnupg-2.2.10/configure 2018-01-20 16:55:14.502067084 -0500 +@@ -572,7 +572,7 @@ + ac_clean_files= + ac_config_libobj_dir=. + LIBOBJS= +-cross_compiling=no ++cross_compiling=yes + subdirs= + MFLAGS= + MAKEFLAGS= +diff -u --recursive gnupg-2.2.10/common/ttyio.c gnupg-2.2.10/common/ttyio.c.mod +--- gnupg-2.2.10/common/ttyio.c 2017-08-28 06:22:54.000000000 -0400 ++++ gnupg-2.2.10/common/ttyio.c.mod 2018-09-18 23:00:07.386250017 -0400 +@@ -190,7 +190,9 @@ + #elif defined (HAVE_W32CE_SYSTEM) + ttyfp = stderr; + #else +- ttyfp = batchmode? stderr : fopen (tty_get_ttyname (), "r+"); ++ //ttyfp = batchmode? stderr : fopen( tty_get_ttyname (), "r+"); ++ ttyfp = stderr; ++ + if( !ttyfp ) { + log_error("cannot open '%s': %s\n", tty_get_ttyname (), + strerror(errno) ); + From ca3a5fd2eb57090dbce1d94a67ace3258c0b829f Mon Sep 17 00:00:00 2001 From: Jason Andryuk Date: Sat, 1 Dec 2018 08:37:34 -0500 Subject: [PATCH 16/22] Set GPG_TTY before calling gpg in key-init gpg2 needs GPG_TTY set to function properly. We set it in /init so it is inherited by all children. The call to $(tty) must be after /dev and (preferably) /dev/pts are mounted. Signed-off-by: Jason Andryuk --- initrd/init | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/initrd/init b/initrd/init index 305d05af7..6775f9795 100755 --- a/initrd/init +++ b/initrd/init @@ -5,9 +5,6 @@ echo "hello world" > /dev/ttyprintk # Setup our path export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin -#export GPG_TTY STATICALLY (NEED TO FIX) -export GPG_TTY=/dev/console - # This is the very first script invoked by the Linux kernel and is # running out of the ram disk. There are no fileysstems mounted. # It is important to have a way to invoke a recovery shell in case @@ -60,6 +57,10 @@ fi if [ "$CONFIG_LINUXBOOT" = "y" ]; then /bin/uefi-init fi + +# Set GPG_TTY before calling gpg in key-init +export GPG_TTY=$(tty) + /bin/key-init # Setup recovery serial shell From 92c547c0d41294acb1fd3d90b7dd27a677d8bf81 Mon Sep 17 00:00:00 2001 From: Itay Grudev Date: Fri, 4 Jan 2019 09:21:44 +0200 Subject: [PATCH 17/22] Enabled GPG2 in the Librem board config --- boards/librem13v2/librem13v2.config | 1 + boards/librem15v3/librem15v3.config | 1 + 2 files changed, 2 insertions(+) diff --git a/boards/librem13v2/librem13v2.config b/boards/librem13v2/librem13v2.config index 699d591b8..92b2e8c38 100644 --- a/boards/librem13v2/librem13v2.config +++ b/boards/librem13v2/librem13v2.config @@ -7,6 +7,7 @@ CONFIG_CRYPTSETUP=y CONFIG_FLASHROM=y CONFIG_FLASHTOOLS=y CONFIG_GPG=y +CONFIG_GPG2=y CONFIG_KEXEC=y CONFIG_UTIL_LINUX=y CONFIG_LVM2=y diff --git a/boards/librem15v3/librem15v3.config b/boards/librem15v3/librem15v3.config index 61c17042c..8387d9cc9 100644 --- a/boards/librem15v3/librem15v3.config +++ b/boards/librem15v3/librem15v3.config @@ -9,6 +9,7 @@ CONFIG_CRYPTSETUP=y CONFIG_FLASHROM=y CONFIG_FLASHTOOLS=y CONFIG_GPG=y +CONFIG_GPG2=y CONFIG_KEXEC=y CONFIG_UTIL_LINUX=y CONFIG_LVM2=y From 3bc79495bb078ff1d9d83171ba40abcb8311d6f9 Mon Sep 17 00:00:00 2001 From: Itay Grudev Date: Fri, 4 Jan 2019 09:33:13 +0200 Subject: [PATCH 18/22] Disabled libsecret support in the pinentry module --- modules/pinentry | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/pinentry b/modules/pinentry index c59b70430..7de67e203 100644 --- a/modules/pinentry +++ b/modules/pinentry @@ -18,6 +18,7 @@ pinentry_configure := ./configure \ --host x86_64-linux-musl \ --prefix "/" \ --enable-pinentry-tty \ + --disable-libsecret \ --disable-fallback-curses \ --disable-pinentry-curses \ --disable-pinentry-qt5 \ From 4f75da7ea79f2fb3ea73f215a062388a29f476a7 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Sat, 26 Jan 2019 12:16:53 -0500 Subject: [PATCH 19/22] Removing CONFIG_GPG in librem boards --- boards/librem13v2/librem13v2.config | 1 - boards/librem15v3/librem15v3.config | 1 - 2 files changed, 2 deletions(-) diff --git a/boards/librem13v2/librem13v2.config b/boards/librem13v2/librem13v2.config index 92b2e8c38..5d5db1cb5 100644 --- a/boards/librem13v2/librem13v2.config +++ b/boards/librem13v2/librem13v2.config @@ -6,7 +6,6 @@ export CONFIG_COREBOOT=y CONFIG_CRYPTSETUP=y CONFIG_FLASHROM=y CONFIG_FLASHTOOLS=y -CONFIG_GPG=y CONFIG_GPG2=y CONFIG_KEXEC=y CONFIG_UTIL_LINUX=y diff --git a/boards/librem15v3/librem15v3.config b/boards/librem15v3/librem15v3.config index 8387d9cc9..8cb378e3d 100644 --- a/boards/librem15v3/librem15v3.config +++ b/boards/librem15v3/librem15v3.config @@ -8,7 +8,6 @@ export CONFIG_COREBOOT=y CONFIG_CRYPTSETUP=y CONFIG_FLASHROM=y CONFIG_FLASHTOOLS=y -CONFIG_GPG=y CONFIG_GPG2=y CONFIG_KEXEC=y CONFIG_UTIL_LINUX=y From 5eee5aa296ce388dd6ccc9c856af2a0b45584520 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Sat, 26 Jan 2019 12:20:31 -0500 Subject: [PATCH 20/22] GPG2 required changes for key and trustdb generation and inclusion in rom .ash_history: add examples to generate keys and otrust in rom flash-gui: export otrust and import it in rom key-init: import otrust.txt if present to supress warning about user public key being untrusted --- initrd/.ash_history | 27 +++++++++++++++------------ initrd/bin/flash-gui.sh | 8 +++++++- initrd/bin/key-init | 7 ++++++- 3 files changed, 28 insertions(+), 14 deletions(-) diff --git a/initrd/.ash_history b/initrd/.ash_history index d7acdebe9..996900531 100644 --- a/initrd/.ash_history +++ b/initrd/.ash_history @@ -1,14 +1,17 @@ -mount /dev/sda1 /boot -mount -o remount,rw /boot -rm /boot/kexec_* -mount-usb -mkdir -p /media/gpg_keys -gpg --home=/media/gpg_keys --card-edit -gpg --home=/media/gpg_keys --export --armor e@mail.address > /media/gpg_keys/public.key -gpg --home=/media/gpg_keys --export-secret-keys --armor e@mail.address > /media/gpg_keys/private.key -cbfs -o /media/coreboot.rom -a "heads/initrd/.gnupg/keys/public.key" -f /media/gpg_keys/public.key -cbfs -o /media/coreboot.rom -a "heads/initrd/.gnupg/keys/private.key" -f /media/gpg_keys/private.key -mount -o remount,ro /media -flash.sh /media/coreboot.com +#remove invalid kexec_* signed files +mount /dev/sda1 /boot && mount -o remount,rw /boot && rm /boot/kexec* && mount -o remount,ro /boot +#Generate keys from GPG smartcard: +mount-usb && gpg --home=/.gnupg/ --card-edit +#Copy generated public key, private_subkey, trustdb and artifacts to external media for backup: +mount -o remount,rw /media && mkdir -p /media/gpg_keys; gpg --export-secret-keys --armor email@address.com > /media/gpg_keys/private.key && gpg --export --armor email@address.com > /media/gpg_keys/public.key && gpg --export-ownertrust > /media/gpg_keys/otrust.txt && cp -r ./.gnupg/* /media/gpg_keys/ 2> /dev/null +#Insert public key and trustdb export into reproducible rom: +cbfs -o /media/coreboot.rom -a "heads/initrd/.gnupg/keys/public.key" -f /media/gpg_keys/public.key && cbfs -o /media/coreboot.rom -a "heads/initrd/.gnupg/keys/otrust.txt" -f /media/gpg_keys/otrust.txt +#Flush changes to external media: +mount -o,remount ro /media +#Flash modified reproducible rom with inserted public key and trustdb export from precedent step. Flushes actual rom's keys (-c: clean): +flash.sh -c /media/coreboot.rom +#Attest integrity of firmware as it is +seal-totp +#Verify Intel ME state: cbmem --console | grep '^ME' cbmem --console | less diff --git a/initrd/bin/flash-gui.sh b/initrd/bin/flash-gui.sh index 7a7ec46a5..6c121746d 100755 --- a/initrd/bin/flash-gui.sh +++ b/initrd/bin/flash-gui.sh @@ -143,12 +143,18 @@ while true; do cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.kbx" fi cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx - + + #TODO: Remove this? Not useful in GPG2 if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/trustdb.gpg") then cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/trustdb.gpg" fi cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/trustdb.gpg" -f /.gnupg/trustdb.gpg + if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/otrust.txt") then + cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/otrust.txt" + fi + cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/otrust.txt" -f /.gnupg/otrust.txt + if (whiptail --title 'Flash ROM?' \ --yesno "This will replace your old ROM with $ROM\n\nDo you want to proceed?" 16 90) then /bin/flash.sh /tmp/gpg-gui.rom diff --git a/initrd/bin/key-init b/initrd/bin/key-init index f59d302e8..545a774ff 100755 --- a/initrd/bin/key-init +++ b/initrd/bin/key-init @@ -5,7 +5,12 @@ set -e -o pipefail # Post processing of keys # Import user's keys -gpg --import /.gnupg/keys/* 2>/dev/null || true +gpg --import /.gnupg/keys/*.key 2>/dev/null || true + +#Import trustdb if it exists +if [ -s /.gnupg/keys/otrust.txt ]; then + gpg --import-ownertrust /.gnupg/keys/otrust.txt +fi # Import trusted distro keys allowed for ISO signing gpg --homedir=/etc/distro/ --import /etc/distro/keys/* 2>/dev/null || true From 8dd1082808f8479f5b9eb5c9827deca53e6b4164 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Sat, 26 Jan 2019 12:52:37 -0500 Subject: [PATCH 21/22] module/pinentry: disable-pinentry-qt instead of qt5 else: make[4]: Entering directory '/home/user/heads/build/pinentry-1.1.0/qt' g++ -DHAVE_CONFIG_H -I. -I.. -I//include -I//include -I.. -I../secmem -I../pinentry -Wall -I/home/user/heads/install/usr/include -I/home/user/heads/install/usr/include/QtCore -I/home/user/heads/install/usr/include/QtGui -DQT_SHARED -g -O2 -MT pinentrydialog.o -MD -MP -MF .deps/pinentrydialog.Tpo -c -o pinentrydialog.o pinentrydialog.cpp In file included from pinentrydialog.cpp:24: pinentrydialog.h:27:10: fatal error: QDialog: No such file or directory --- modules/pinentry | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/pinentry b/modules/pinentry index 7de67e203..1981f6eae 100644 --- a/modules/pinentry +++ b/modules/pinentry @@ -21,7 +21,7 @@ pinentry_configure := ./configure \ --disable-libsecret \ --disable-fallback-curses \ --disable-pinentry-curses \ - --disable-pinentry-qt5 \ + --disable-pinentry-qt \ --disable-pinentry-fltk \ --disable-pinentry-emacs \ --disable-fallback-curses \ From 005a19eeda7267d8a731fffe3a91ee0696a0df9a Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Fri, 8 Feb 2019 12:38:38 -0500 Subject: [PATCH 22/22] properly deal with trusting keys to supress UX confusion about trusted keys key-init makes sure trustdb is updated at run time and user and distro keys are ultimately trusted. Each time a file is signed, the related public key is showed without error on it's trustability. flash-gui deals with gpg1 to gpg2 migration. If pubring.kbx is found, pubring.gpg is deleted from running rom dump. --- initrd/bin/flash-gui.sh | 66 ++++++++++++++++++++++++++++++++++------- initrd/bin/key-init | 11 ++++--- 2 files changed, 60 insertions(+), 17 deletions(-) diff --git a/initrd/bin/flash-gui.sh b/initrd/bin/flash-gui.sh index 6c121746d..734b78c70 100755 --- a/initrd/bin/flash-gui.sh +++ b/initrd/bin/flash-gui.sh @@ -101,9 +101,9 @@ while true; do if (whiptail --title 'Flash ROM?' \ --yesno "This will replace your old ROM with $ROM\n\nDo you want to proceed?" 16 90) then if [ "$menu_choice" == "c" ]; then - /bin/flash.sh -c $ROM + /bin/flash.sh -c "$ROM" else - /bin/flash.sh $ROM + /bin/flash.sh "$ROM" fi whiptail --title 'ROM Flashed Successfully' \ --msgbox "$ROM flashed successfully. Press Enter to reboot" 16 60 @@ -137,23 +137,42 @@ while true; do ROM=$FILE fi - cat $PUBKEY | gpg --import - cp $ROM /tmp/gpg-gui.rom - if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.kbx") then + cat "$PUBKEY" | gpg --import + #update /.gnupg/trustdb.gpg to ultimately trust all user provided public keys + gpg --list-keys --fingerprint --with-colons |sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --import-ownertrust + gpg --update-trust + + cp "$ROM" /tmp/gpg-gui.rom + if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.kbx"); then cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.kbx" + if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.gpg"); then + cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.gpg" + if [ -e /.gnupg/pubring.gpg ];then + rm /.gnupg/pubring.gpg + fi + fi fi - cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx - #TODO: Remove this? Not useful in GPG2 + #to be compatible with gpgv1 + if [ -e /.gnupg/pubring.kbx ];then + cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx + if [ -e /.gnupg/pubring.gpg ];then + rm /.gnupg/pubring.gpg + fi + fi + if [ -e /.gnupg/pubring.gpg ];then + cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.gpg" -f /.gnupg/pubring.gpg + fi + if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/trustdb.gpg") then cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/trustdb.gpg" fi cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/trustdb.gpg" -f /.gnupg/trustdb.gpg + #Remove old method owner trust exported file if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/otrust.txt") then cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/otrust.txt" fi - cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/otrust.txt" -f /.gnupg/otrust.txt if (whiptail --title 'Flash ROM?' \ --yesno "This will replace your old ROM with $ROM\n\nDo you want to proceed?" 16 90) then @@ -185,17 +204,42 @@ while true; do exit 1 fi - cat $PUBKEY | gpg --import - if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.kbx") then + cat "$PUBKEY" | gpg --import + #update /.gnupg/trustdb.gpg to ultimately trust all user provided public keys + gpg --list-keys --fingerprint --with-colons |sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --import-ownertrust + gpg --update-trust + + if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.kbx"); then cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.kbx" + if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/pubring.gpg"); then + cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.gpg" + if [ -e /.gnupg/pubring.gpg ];then + rm /.gnupg/pubring.gpg + fi + fi + fi + + #to be compatible with gpgv1 + if [ -e /.gnupg/pubring.kbx ];then + cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx + if [ -e /.gnupg/pubring.gpg ];then + rm /.gnupg/pubring.gpg + fi + fi + if [ -e /.gnupg/pubring.gpg ];then + cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.gpg" -f /.gnupg/pubring.gpg fi - cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/trustdb.gpg") then cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/trustdb.gpg" fi cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/trustdb.gpg" -f /.gnupg/trustdb.gpg + #Remove old method owner trust exported file + if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/otrust.txt") then + cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/otrust.txt" + fi + if (whiptail --title 'Update ROM?' \ --yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 16 90) then /bin/flash.sh /tmp/gpg-gui.rom diff --git a/initrd/bin/key-init b/initrd/bin/key-init index 545a774ff..bb4c1b5c9 100755 --- a/initrd/bin/key-init +++ b/initrd/bin/key-init @@ -5,14 +5,13 @@ set -e -o pipefail # Post processing of keys # Import user's keys -gpg --import /.gnupg/keys/*.key 2>/dev/null || true - -#Import trustdb if it exists -if [ -s /.gnupg/keys/otrust.txt ]; then - gpg --import-ownertrust /.gnupg/keys/otrust.txt -fi +gpg --import /.gnupg/keys/*.key /.gnupg/keys/*.asc 2>/dev/null || true # Import trusted distro keys allowed for ISO signing gpg --homedir=/etc/distro/ --import /etc/distro/keys/* 2>/dev/null || true +#Set distro keys trust level to ultimate (trust anything that was signed with these keys) +gpg --homedir=/etc/distro/ --list-keys --fingerprint --with-colons|sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --homedir=/etc/distro/ --import-ownertrust 2>/dev/null || true +gpg --homedir=/etc/distro/ --update-trust 2>/dev/null || true + # Add user's keys to the list of trusted keys for ISO signing gpg --export | gpg --homedir=/etc/distro/ --import 2>/dev/null || true