Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

KGPE-D16 port (no TPM support) atop osresearch #330

Closed
wants to merge 8 commits into from
Closed

KGPE-D16 port (no TPM support) atop osresearch #330

wants to merge 8 commits into from

Conversation

tlaurion
Copy link
Collaborator

@tlaurion tlaurion commented Feb 27, 2018
edited
Loading

Contains flammit's modifications made atop of this branch

  • Ported to the new build system. Building the kgpe-d16 image is made by make BOARD=kgpe-d16
  • Reduced the coreboot patches needed to the minimum, permitting kvm chip to boot.
  • Reduced flashrom patches to the bare minimal.

Usage:

  • System boots without outputting console to the onboard vga card until the kernel setups it's own console configuration. To have a console, connect to the kvm chip which gets it's IP from DHCP. From there, connect to the system serial console with screen /dev/ttyS0 115200.
  • Flashing heads update firmwares is done through flashrom-kgpe-d16.sh /media/coreboot.rom from bmc or serial.
  • Qubes disk password is prompted through OpenBMC console.

Limitation:

  • It is currently impossible to reflash the kvm chip from within the kvm. It's possible to do it from the console connection. I do it from a serial to usb connection from my Qubes laptop through sudo minicom -D /dev/ttyUSB0 then flashrom-kgpe-d16-openbmc.sh /media/flash-asus-20180122172732. Do not forget to turn off REST api access and changing default ssh password when building OpenBMC

Still missing:

  • TPM2.0 toolset to properly acquire, measure and attest system integrity.
  • User's GPG keys flashed into a seperate CBFS partition, so reproducible build images could be downloaded from verified build servers on the internet, instead of needing to be produced from user's own build-system with integrated keys.
  • Xen patches to properly support no-real-boot option should be upstreamed into Xen/Qubes. As a result, Xen/Qubes upgrades would'nt need to be incorporated into the firmware like it is the case now, reducing the lifespan of the motherboard soldered SPI flash chips. This is a lot to ask from users to maintain updated heads roms images in check with Qubes issued QSB. Heads upgrades should happen rarely, only when heads related security updates or desired features updates needs to be applied.

make BOARD=kgpe-d16 -j4
9569b9fe7b959e3aba7c259f4a9f0d66a7d1f5bfa476b6d1e8fc38426a07f7e8 build/kgpe-d16/coreboot.rom

flammit and others added 8 commits February 19, 2018 14:29
@flammit
Update qubes xen version for Qubes 4.0rc4
a6a5fef
@flammit
update mpc url for musl-cross patch
ffa857d
@flammit
Make TPM dependency optional and controlled by flag CONFIG_TPM
b507239 
if "CONFIG_TPM=y" is not present in the config file, functionalities
needing TPM could be disabled, while leaving other functionalities intact.

This will make Heads a more general-usage bootloader payload atop coreboot.
@flammit
Cleanup of init to support server and desktop
e9312e1 
Guarded linuxboot specific init entries
Removed Makefile entries into separate file (conflicts with srcing /etc/config)
Added CONFIG_BOOT_LOCAL/_REMOTE to control interface setup
Fixed CONFIG_TPM usage
@tlaurion
Reduced required patches to be able to flash kvm with OpenBMC from fl…
94389f3 
…ashrom and boot the system with the kvm chip installed.
@tlaurion
Merging with osresearch
48ad2cf
@tlaurion
Adding kgpe-d16 specifics
e7f7653
@tlaurion
linux config changes
95f86fa
This was referenced Feb 27, 2018
Closed
Closed
This was referenced Feb 28, 2018
Closed
Closed
@tlaurion tlaurion closed this Mar 1, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tlaurion @flammit