Nlnet past funded work placeholder for Accessible Security project (2019)

[tlaurion]

This is a placeholder for NLnet funded Accessible Security Project (2019) to be able to refer here in its website (they can't change references per platform limitation) section to funded output at https://nlnet.nl/project/AccessibleSecurity/ through https://nlnet.nl/PET/ fund.

---

A big thanks for NlNet to have trusted me managing the project, once again, and to all direct and indirect participants.

---

Funded work outcomes:

• Remote administration support Optional under QubesOS Q4.1
• Actual trimming (discards) of unused data on qubes by default on QubesOS 4.1
• Mac randomization by default under QubesOS 4.1
• FWUPD support (optional) under QubesOS 4.1
• Talos II coreboot initial first phase port -> Heads port

---

Details and FOSS outcome:

Remote administration support Optional under Q4.1 (Whonix-Qubes collaboration)

• GUI daemon adrelanos/qubes-remote-support#1
• Various fixes adrelanos/qubes-remote-support#2
  • Thanks to @marmarek, @marmata and @adrelanos for accepting to jump in this sub-project and delivering the expected outcome.

Actual trimming (discards) of unused data on qubes by default on Q4.1

• Update to anaconda-29.24.7 QubesOS/qubes-anaconda#1
• Update to version 31.22 QubesOS/qubes-anaconda#4
  • Thanks to @marmarek for accepting to deliver the expected outcome of this subproject.

QubesOS Mac randomization by default under Q4.1

• network: enable MAC randomization for wifi connections by default QubesOS/qubes-core-agent-linux#297
  • Thanks to @marmarek for having accepted to deliver this sub-project outcome

Qubes OS FWUPD support (optional) under Q4.1

• https://github.com/3mdeb/qubes-fwupd
  • Thanks to @3mdeb team, more specifically @Asiderr to have delivered this sub-project outcome

Talos II coreboot initial first phase port (Thanks to whole @3mdeb's @Dasharo team!)

• Outcome blog post https://blog.3mdeb.com/2022/2022-02-16-talos2_coreboot_status/
  - First release at https://docs.dasharo.com/variants/talos_2/releases/
  • Initialization of the remaining cores
    • Patches:
      • XIVE (eXternal Interrupt Virtualization Engine) implementation:
        • code: XIVE 3mdeb/coreboot#90
      • IPMI and watchdog fixes
        • code:
          • Setup watchdog in romstage for 2 minutes Dasharo/coreboot#22
          • Implement block transfer interface of IPMI 3mdeb/coreboot#105
      • single CPU power management (OCC complex):
        • code: OCC startup (istep 21.1) 3mdeb/coreboot#100
  • Memory layout and boot time optimizations
    • Patches:
      • memlayout:
        • code: Simpler memlayout Dasharo/coreboot#23
      • MVPD cache:
        • code: Construct MVPD partition in memory on startup 3mdeb/coreboot#102
  • PCIe initialization
    • Patches:
      • analyze/documentation: Add documentation on PCIe initialization 3mdeb/openpower-coreboot-docs#62
      • code: PCIe initialization 3mdeb/coreboot#106
• Second CPU initialization
  • Outcome blob post https://blog.3mdeb.com/2022/2022-04-12-talos2_2nd_cpu_and_testing/
    • Patches:
      • dependencies for the second CPU initialization (RAM):
        • FSI:
          • code: Implement FSI for Power9 Dasharo/coreboot#56
          • isteps 8.1 - 8.4:
            • code: Implement isteps 8.1-8.4 Dasharo/coreboot#64
          • XBus initialization:
            • code:
              • XBus initialization Dasharo/coreboot#65
              • XBus / SMP link configuration Dasharo/coreboot#69
              • Implement istep 10.1 Dasharo/coreboot#76
          • initialization of memory controller of the second CPU + perform training of RAM local to the second CPU:
            • code Enable RAM local to the second CPU Dasharo/coreboot#90
    • Second CPU initialization (power management)
      • Patches:
        • MVPD for the second CPU:
          • code: MVPD for second CPU Dasharo/coreboot#57
        • HOMER image for the second CPU:
          • code: Build HOMER image for the second CPU Dasharo/coreboot#93
        • CPU power management (OCC complex):
          • code: Start OCC for the second CPU Dasharo/coreboot#94
    • Second CPU initialization (other components)
      • Patches:
        • dependencies (istep 10.6):
          • code: Implement istep 10.6 Dasharo/coreboot#99
        • RNG initialization:
          • code: Initialize RNG for second CPU Dasharo/coreboot#100
        • PCI initialization:
          • code: Initialize PCIe for the second CPU Dasharo/coreboot#77
        • time synchronization:
          • code: Configure TOD for up to two CPUs Dasharo/coreboot#97
          • code: Include second CPU in DT Dasharo/coreboot#101
          • documentation: Sensors in HB 3mdeb/openpower-coreboot-docs#71
        • switch from FIT to ELF payload type:
          • code: Switch away from FIT payload Dasharo/coreboot#106
        • parallel initialization of the CPUs (faster boot time):
          • code: Faster load Dasharo/coreboot#110
• TPM support
  • Documentation on overview of available TPM options for the POWER9:
    • https://github.com/3mdeb/openpower-coreboot-docs/blob/main/devnotes/tpm_over_i2c.md
  • More detailed documentation on the selected approach (TPM over I2c):
    • https://github.com/3mdeb/openpower-coreboot-docs/blob/main/devnotes/tpm_over_i2c.md
  • Support for the selected I2C TPM module in coreboot:
    • I2C TPM device support Dasharo/coreboot#185
    • Make trusted boot work in skiboot Dasharo/coreboot#192
  • Support for the selected I2C TPM module in skiboot:
    • Add support for Infineon I2C TPM1.2 chip Dasharo/skiboot#1
  • Fix coreboot's cbmem utility to print TPM eventlog on POWER9:
    • coreboot changes: Make cbmem work and print TCPA log Dasharo/coreboot#197
    • skiboot changes: Heads corrections Dasharo/skiboot#2
  • Additionally, open-source hardware PCB design was created with the selected TPM module to simplify usage of the solution for the end-users
    • https://github.com/3mdeb/talos-tpm-module
      • the module will be available in 3mdeb shop, or anyone can produce it by themselves
  • Presentation of TPM module usage on POWER9 with coreboot + skiboot + heads firmware stack:
    • https://asciinema.org/a/rBc1WMiq5YEm7rDxQINmEtdOX

Review documentation and reproducibility of past results on Talos II testing platform provided by RaptorSystems free of charge (@tlaurion)

• testing of Dasharo releases 0.4.1, 0.5.0 and 0.6 releases, leading to many opened issue and countless hours of troubleshooting on both sides
  • First tested result was 0.4.1 which never worked on my CPU lower end CPU shipped by RaptorSystems:
    • Talos II : One CPU one ram module 0.4.1 release - SCOM stopped working Dasharo/dasharo-issues#81
  • 0.5 release brought dual CPU support, which broke single CPU support:
    • Talos II - 0.5.0 - One CPU : Doesn't boot Dasharo/dasharo-issues#80
  • 0.6 release was the first release actually booting on my platform, but Heads support was not functional:
    • Talos II - 0.6 Release - Cannot boot if no TPM - TPM module cannot be expected (cannot be bought) Dasharo/dasharo-issues#191
  • 0.6.1 is unreleased and where current testing is happening, including missing flashrom support
    • Talos II - 0.6 - Heads - No flashrom support Dasharo/dasharo-issues#190
  • 0.6.1 is happening in both Heads and Dasharo, where final outcome (with 3mdeb selling TPM module) will lead into final publicizing of Heads being officially supported on Talos II.
• Documentation reviewed, corrected and tested were:
  • Dasharo building manual:
    • https://docs.dasharo.com/variants/talos_2/building-manual/
  • Heads upstream work, leading to ongoing 0.6.1 release which is now upstream under Heads, and built on CircleCI:
    • Add Talos 2 board (OpenPower) #1002
  • Dasharo Initial deployement and updates without flashing through OpenBMC
    • https://docs.dasharo.com/variants/talos_2/initial-deployment/
    • Fix Talos II installation instructions Dasharo/docs#175
  • Dasharo firmware upgrade (so users can switch between heads<->petitboot, hostboot<->coreboot)
    • https://docs.dasharo.com/variants/talos_2/firmware-update/

[tlaurion]

Published as "website" update at https://nlnet.nl/project/AccessibleSecurity/ from NlNet team, adding Heads logo.

Closing issue as resolved.

[tlaurion]

To be added:

• Unused work from Enable vboot on Lenovo devices for measured boot #709 which was also paid through grant
  • Unpaid work from my side leading to maximized builds that were generalized then and blob download+cleaning generalized to libreboot under their since then "minimal blob policy"