-
-
Notifications
You must be signed in to change notification settings - Fork 187
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
x220, add GPG key to running Bios and reflash not working #870
Comments
@MrChromebox seems like last version of flashrom dropped support for x220? @SebastianMcMillan ? Current flashrom statement is https://github.com/osresearch/heads/blob/f23ced0a3bef2b65384b1ad6668f62ed2c9be633/boards/x220/x220.config#L39 looking to see if some patches were applied in tree in the past. I remember the SPI chip was specified in the past. I remember maybe falsely that past flashrom upgrade made it irrelevant to specify (since different SPI chips would need to be specified and tested in loop, but I do not own hardware) |
@tlaurion flashrom 1.2 removed the need for |
note that with hardware sequencing enabled, there is no need to specify the chip via |
thank you for your answers.Does it means that wherever flashing is used "-p internal:ich_spi_mode=hwseq" must be added to the flashing command? |
@userongihu it means that CONFIG_FLASHROM_OPTIONS needs to be updated for the board config to amend the parameter list. for updating your device currently (after building with the updated params), would recommend simply flashing from the recovery shell: |
Force use of hardware sequencing for internal flashing to avoid needing to specify the chip to be flashed. Addresses linuxboot#870 Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Thank you MrChromebox.Do I get it right that you updated the missing parameters?So all I need to do is make a new build running "make BOARD=x220" and then running the commands you mentioned above?Sorry for asking such a noob question... |
@userongihu I submitted a patch (pull request) to add the missing param, but it has not been accepted (merged) yet, so until that time you would need to make the change manually on your local copy before rebuilding |
@userongihu please try Please also tag me with result so that I can see it right away. |
@SebastianMcMillan ? |
@tlaurion ,here is the output of the flash https://postimg.cc/tYvk7pLS/2898bc5f |
When rebooting after flashing there are still no GPG keys on the keyring.Setting up TOTP works.After rebooting TOTP also persists,saying because I could get GPG to the key ring ,but after a reboot the keys were somehow gone.Also when hitting the option "update checksums and sign all files in /boot" it requires a gpg-card,but it doesn't recognize my card when plugged in,although Heads recognizes the card insofar,that it is possible to generate PGP keys with card.Maybe I have to add Update:@tlaurion,I rebuilt and ran flashrom with the updated flashromparams that you suggested.Rebooted and tried "add PGP keys to running Bios and reflash" but failed and it returned to the usual screen.But after running "add PGP keys to standalone Bios and reflash" option it returned to a screen that says "TOTP secret cannot be unsealed".I never got that screen before.But I keep on getting the message "No GPG keys in the key ring".When running bin/gpg-gui.sh it imports keys https://postimg.cc/n9ryQZ1H.The error message "No Board....." below,I am getting only with the build that has the new flashparams. |
To be more specific the screen said "ERROR:TOTP generation failed!" not "TOTP secret cannot be unsealed". |
https://postimg.cc/n9ryQZ1H isn't working anymore,see https://postimg.cc/YGvJ9Gmq instead. |
Force use of hardware sequencing for internal flashing to avoid needing to specify the chip to be flashed. Addresses #870 Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
@userongihu: Ok. I'm confused.
You were able to flash new rom manually from recovery shell. Good. So this means that the flash parameters works. On host buildsystem:
On your x220:
Then on next reboot, all commands requiring to access the rom by doing read/write commands through flashrom will take the new : x220/t420/xx20 boards testers (@SebastianMcMillan @techge @eganonoa @shamen123 @Thrilleratplay) |
I've been having tons of issues actually building heads, which is why I
haven't been able to do anything right now. Building in anything newer than
Debian 10 straight-up is broken and I've got no time right now to set up a
Debian 10 system. I'll get a Debian 10 system setup this weekend for me to
take a look though. However, here's my understanding:
GPG key is added and flashed, but is lost on reboot. This sounds like an
issue we had a while back where there wasn't enough space to add the key.
…On Tue, Oct 27, 2020, 09:53 tlaurion ***@***.***> wrote:
@userongihu <https://github.com/userongihu> please try
flashrom -p internal:ich_spi_mode=hwseq -f -n --ifd -i bios -w
/media/<filename to flash>
If you report this as successful, I will merge #871
<#871> to fix problem in newer
builds.
Please also tag me with result so that I can see it right away.
Ok. I'm confused.
So following :
mount-usb
flashrom -p internal:ich_spi_mode=hwseq -f -n --ifd -i bios -w /media/<filename to flash>
reboot
You were able to flash new rom manually from recovery shell. Good.
What rom have you flashed?
On host buildsystem:
cd heads
git fetch origin
git reset --hard
make BOARD=x220 CPUS=2
(should work unless gpg2 toolstack now is too big. We do not have enough x220 boards partitipants, nor the board being under CI for checking this kind of regressions right now, so it might fail.)
sudo mount /dev/sdX /media
cp build/x220/heads-x220-.....gcd6ba01.rom /media
sudo umount /media
On your x220:
mount-usb
flashrom -p internal:ich_spi_mode=hwseq -f -n --ifd -i bios -w /media/<filename to flash>
reboot
Then on next reboot, all commands requiring to access the rom by doing
read/write commands through flashrom will take the new :
https://github.com/osresearch/heads/blob/master/boards/x220/x220.config#L39
(Which is required when adding GPG public key, updating firmware
internally...)
x220/t420/xx20 boards testers ***@***.***
<https://github.com/SebastianMcMillan> @techge <https://github.com/techge>
@eganonoa <https://github.com/eganonoa> @shamen123
<https://github.com/shamen123> @Thrilleratplay
<https://github.com/Thrilleratplay>)
cd6ba01
<cd6ba01>
and
e3519f2
<e3519f2>
were merged without being tested per board owners
<#692>.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#870 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AFNTUNHEFGU63A35UCLVJ33SM3NIHANCNFSM4S7NPE2A>
.
|
@tlaurion,what I did is going to board/x220/x220.config and changed the CONFIG_FLASHROM_OPTIONS to the command you suggested.Then I ran "make BOARD=x220" and after quite a while the build was ready without any error notification.From shell I ran "mount-usb"(the newly build coreboot.rom was on the USBdrive of course) and then ran the flashing command,which gave me a positive |
@userongihu run gpg-gui.sh from the recovery shell, and choose the option to add the key and flash. Should give more error info when it fails and drops back to shell vs main menu |
I flashed the corebootrom.rom that was in build/x220 after the buil was finished |
@MrChromebox,I just ran that command and the output is the same like on here |
@userongihu you're either using an old build, or building from old sources. The output filename should be `heads-X220-[build version]-[commit hash].rom |
From which source should I compile the right build?Should I git clone from this link https://github.com/osresearch/heads.git ? |
I followed the instructions posted here http://osresearch.net/ |
Are these 2 commands necessary to get the latest build: "git fetch origin" and |
@userongihu if you don't specify what to reset to, then it only resets any uncommitted changes to your current repo/branch, it doesn't reset to the latest remote sources edit: |
@MrChromebox,just rebuild following the guide mentioned above but the build was as usual |
That guide is not yet written but insights are present under https://github.com/osresearch/heads/blob/master/blobs/x220/readme.md Reviewing it, as a board I do not possess, shows that the line https://github.com/osresearch/heads/blob/master/blobs/x220/extract.sh#L58 is pretty incomplete for a board lacking required space, where: Where: The instructions from cleaning should be based on https://github.com/corna/me_cleaner/wiki/Internal-flashing-with-coreboot#neutralize-and-shrink-intel-me per explained reasons there: You can base yourself in my personal PoC to have externally flashable full ROMs from #703. The result would be expended BIOS region, for which CBFS region (in coreboot) should match space freed from neutered ME region. Otherwise, by applying plain original instructions, ME is DEACTIVATED, not neutered. So the space that could be cleaned from ME SHOULD be transferred to BIOS region, where a modified IFD would permit that transfer. I would entice any official xx20 heads user (@SebastianMcMillan @techge @eganonoa @shamen123 @Thrilleratplay) to draft an installation guide, similar to http://osresearch.net/x230-flashing/ so that this board doesn't die from absence of maintenance. And then could be transferred to other xx20 boards. I do not own the board and do not have the time to do this myself and not test what I produce here. Currently:
We need to have current base and have #873 to know if current commit is actually flashable when non-existent instreuctions are followed by everyone. I'm sorry @userongihu for this learning curve. But the x220 is the lesser SPI space version of the x230, where a lot less people are testing changes as they come. And... progress should continue. Heads project could force its users to unsolder and solder a 32mb flash chip to replace the actual 8mb SPI chip. But supporting 8mb chip where I personally struggle supporting the x230 (12mb chip) where other boards have 16mb and 32mb SPI chips.... becomes quite difficult without user+dev involvement from xx20 platforms owners. |
… output reduced ME under blob dir and modify both ME and BIOS regions accordingly to be able to accept CONFIG_CBFS_SIZE=0x750000 defined under coreboot configs (attempt to fix linuxboot#870)
@SebastianMcMillan @techge @eganonoa @shamen123 @Thrilleratplay @userongihu : |
@tlaurion,I just booted a live-distro from usb and in order to make a regular install from installer.If that doesn't work I will try it the way it is shown on the link you posted.I will report on how things went. |
Know that luks should be in version 1, not luks2 since not supported by Heads for the moment until opened issue is fixed. Qubesos latest stable works |
@tlaurion ,I just finished the Qubes Install.I chose the latest version.It ended without error messages but booting it doesn't work somehow.The regular install that I tried yesterday doesn't work either.USB booting a non-live distro does work,no problems.Easy like booting a live-distro.What do you mean that I have to consider luks1 for luks2 is currently not supported |
@tlaurion,I put the Qubes***.iso ans Qubes***.iso.asc and qubes***.key.asc on a usbdrive |
@userongihu Which QubesOS version?
So the public key was not injected in ROM? I'm not sure I understand the path here. Current code is detecting:
If I underatand well, you do not have a public key in ROM. You have to go in GPG menu, and generate key. You can also go in main menu as of now (until #874 ) and generate key, inject, totp/hotp seal (you do not have HOTP support in rom as of now. Which USB security donlge are you using), and sign /boot content. When /boot config is signed, the next step is to define a boot default under boot options, which will give you the possibility to define a default boot option and should prompt for setting a Disk Unlock Key passphrase ,which would make the TPM release the Disk Unlock Key by the TPM if TPM measurements are valid. |
@tlaurion,I installed Qubes 4.0.3 Since yesterday /boot is not signed anymore and trying to sign requires a gpg-card to inserted and confirmed.I plug in my nitrokey-card and after quite some time there is a message saying |
no. I would simply perform the OEM reset from the options menu, and let Heads generate a fresh key and sign everything, and make sure that works. That rules out any issues from your key or it being in the correct places. |
@tlaurion,just ran "add GPGkey to running Bios and reflash" and the internal flash worked.Made a TMP reset,which worked as well.But hitting "default boot",I get a message |
@MrChromebox ,I am just reading your comment and I already made the reflash.Should I still make the OEM reset? |
just do the OEM factory reset, nothing else. Follow instructions upon completion and generate a new HOTP secret after rebooting. Booting the OS should work after that. |
I did the OEM and I got the message that an TOTP secret could not be generated and I should flash the Bios.I did that and somehow I am back on where I started. |
On the GPGkeyring is now the OEM key |
Still getting the "ERROR:missing hashfile" message. |
when did you get this message? you're making this a bit harder by not clearly communicating the steps you are performing and the errors returned. |
@MrChromebox,followed the steps and it worked.The OS is up and running! |
Right now Qubes is doing the initial setup. |
Qubes finished the initial set up and after typing in the userpasswd I got into the Desktop and internet connection worked.Then I shutdown the x220.Then I powered up and hit default boot |
this is expected after the first boot of Qubes, since it updates the grub config
Heads orders the boot options in the same order as they appear in the grub config. Generally speaking, the first / shortest entry is the correct one, but there are exceptions (like with some live USBs) |
I consider this issue resolved where others more specific should be opened. Closing here. |
… output reduced ME under blob dir and modify both ME and BIOS regions accordingly to be able to accept CONFIG_CBFS_SIZE=0x750000 defined under coreboot configs (attempt to fix linuxboot#870)
… output reduced ME under blob dir and modify both ME and BIOS regions accordingly to be able to accept CONFIG_CBFS_SIZE=0x750000 defined under coreboot configs (attempt to fix linuxboot#870)
… output reduced ME under blob dir and modify both ME and BIOS regions accordingly to be able to accept CONFIG_CBFS_SIZE=0x750000 defined under coreboot configs (attempt to fix linuxboot#870)
… output reduced ME under blob dir and modify both ME and BIOS regions accordingly to be able to accept CONFIG_CBFS_SIZE=0x750000 defined under coreboot configs (attempt to fix linuxboot#870)
… output reduced ME under blob dir and modify both ME and BIOS regions accordingly to be able to accept CONFIG_CBFS_SIZE=0x750000 defined under coreboot configs (attempt to fix linuxboot#870)
… output reduced ME under blob dir and modify both ME and BIOS regions accordingly to be able to accept CONFIG_CBFS_SIZE=0x750000 defined under coreboot configs (attempt to fix linuxboot#870)
After booting Heads I get the GPG Management Menu,but add GPG to running menu wont't work.I found this #675 .I can get flashrom working internally following this guide,but I am stuck at the and 6. step not knowing how to add checksums.Also not quite sure about what to do at step 4.After step 3 I get this output
https://postimg.cc/S2zKRgK3
At step 4 I ran bin/flash.sh -c chipname and the output was same like on the uploaded pic.Could some explain how I can get this thing working?
The text was updated successfully, but these errors were encountered: