-
-
Notifications
You must be signed in to change notification settings - Fork 187
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add Nitropad NV41/NS50 TPM2 boards #1417
Conversation
I guess I will revisit this reply with information as I go and we can split this up in smaller discussions as well!
I think it is time that we skim the OEM Factory Reset/Re-Ownership wizard into something called Ownership plain and simple. I took the time to look at Pureboot next branch and saw that they decided to hide most of the re-ownership options under "choose defaults". I think that might address Nitrokey's concerns as well? I guess code should continue to use default while board config overrides could be implemented. CONFIG_GPG_DEFAULT_ALGO or something?
This one is problematic and discussible under #1233
Same as previously discussed point. Maybe you could check for -V output under /tmp and see if there is some output that could be patched against. There was some output on the Dasharo port of flashrom that needed to be removed otherwise it was failing as well. You can check their commit log to see patch commit.
What OS are you building on (local and CI?) |
As this looks like this could take some more time - should I pull out the make-the-Nitrokey 3-work into a separate PR ? This would be the |
We have to remember that current OEM Init/Re-ownership thing completely resets uses' cryptographic token. This would mean one token per device. Which key needs to be an elliptic curve key? The master public key? The key signing the image? Maybe it is just enough to have a subkey for those boards, so that the user could maintain their main long term identity keys and one or more device-specific subkeys on the token? OpenPGP is ugly and allows only 3 keys on the token, but if we have included support for tokens like Nitrokey HSM 2/SmartCard-HSM or other PKCS#11 tokens, it would be easier to manage multiple different keys and key types. |
https://dev.gnupg.org/rGf808012ac2cf67ec563da178d963f300a7f2564d should already be included in #1350 - can you try if 2.4.0 works for you? |
Inside
Totally second that, the main issue is here that we would also have to replace
Didn't test within HEADS, but locally it works as expected |
So this is from the "any other changes" category, not required to this board at all? Maybe those should go into separate PRs? Regarding the use of the elliptic curves in general:
However:
|
@daringer splitting would definitely help things merged faster |
e13b420
to
66682d0
Compare
rebased on current master so got rid of any flashrom & gpg fixes - now ready for review & merge ... |
@daringer initial review! |
Your hotp commit would benefit little more detail or a link to changelog? |
Note that coreboot fork affected by this as all coreboot cross buildstack |
@daringer #1419 and #1428 merged. if linuxconfigs saved in oldconfig in tree based on earlier linux version that in this PR, I would be ok merging once this PR is rebased on current master. Also note that you have two boards depending on the same coreboot fork. Not sure why you do that since we build in a different difrectory what is board specific. I would advise not having two identical forks of coreboot being downloaded but reuse the same source directory, just like Heads does for a same coreboot version today used across different boards, which works correctly under CircleCI. That will permit the coreboot level cache to not explode in size either. Now you and Purism are building from coreboot-git, so having this PR build your boards updating .circleci config will tell us if everything is fine, not creating additional problems. So todo:
|
66682d0
to
39aa7e1
Compare
okay, thanks for all the inputs, the most recent push includes:
tested successfully on Nitropad NV41 + Nitropad NS50 |
We are changing from defconfig to oldconfig as said under this comment Please do:
And push result as new commit to keep configs in oldconfig, which permits to compare boards configs directly between version bump (that was a hassle before) and between boards of the same linux kernel version. |
.circleci/config.yml
Outdated
target: nitropad-nv41 | ||
subcommand: "" | ||
requires: | ||
- prep_env |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please depend on librem_14 instead.
Logic here is that we try to only build musl-cross and tools built with musl-cross once and pass workspaces to other boards sharing the most things in common for the same architecture (x86).
That way, we don't use CircleCI to rebuild musl-cross-make nor modules that were already built (cache is used to rebuild any changes if needed) and only builds coreboot and linux.
By depending on librem_14, you will share the same cache for linux with librems, which now share the same linux kernel version.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@daringer I'm testing your config. For some reason, your fork is not built by circleci. I pushed exact for build test at https://app.circleci.com/pipelines/github/tlaurion/heads/1831/workflows/eab77bd8-f556-4927-ab4d-18e2488f8fd6
Hold on, you might have done the right thing. If save cache works, your approach might speed the builds, but I doubt save_cache can merge multiple directories that are shared across archoitectures (it should fail, we will see). Directories need to be unique, which is why save_cache only had one x86 and one ppc64 cache to merge.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated based on #1417 (review)
CircleCI: depend on NV41 for save_cache Makefile: consider that coreboot-git is now shared between forks on x86 (Nitrokey/Purism share build/x86/coreboot-git now) Addressesses requested change at linuxboot#1417 (review)
Another approach at linuxboot#1449 Signed-off-by: Krystian Hebel <[email protected]>
85bde57
to
6d08031
Compare
TODO: revert circleci config after making sure rebuilding from cache from CI works CircleCI: depend on NV41 for save_cache Makefile: consider that coreboot-git is now shared between forks on x86 (Nitrokey/Purism share build/x86/coreboot-git now) modules/coreboot: have clevo/nv boards based on dasharo fork and apply clevo_patches Addressesses requested change at linuxboot#1417 (review) co-Signed-off-by: Krystian Hebel <[email protected]> and [email protected]
TODO: revert circleci config after making sure rebuilding from cache from CI works CircleCI: depend on NV41 for save_cache Makefile: consider that coreboot-git is now shared between forks on x86 (Nitrokey/Purism share build/x86/coreboot-git now) modules/coreboot: have clevo/nv boards based on dasharo fork and apply clevo_patches Addressesses requested change at linuxboot#1417 (review) co-Signed-off-by: Krystian Hebel <[email protected]> and [email protected]
CircleCI: depend on NV41 for save_cache Makefile: consider that coreboot-git is now shared between forks on x86 (Nitrokey/Purism share build/x86/coreboot-git now) Addressesses requested change at linuxboot#1417 (review)
@daringer #1462 finally resolves our problems, and under https://github.com/tlaurion/heads/tree/staging_nitrokey_git I pushed what this PR should look like so, reusing #1462 toolcain logic, for which nv41/ns50 builds locally against 4.19 toolchain. So We should be able to piggyback nv41/ns50 to x230-hotp-maximized under CircleCI cache, maining we will reuse musl-cross-make build there and also 4.19 coreboot's buildstack |
…reboot module, patch and circleci fix
Finally! Two testing CircleCI pipelines were successful building without cache and rebuilding with cache from a previous successful build:
I will update https://github.com/tlaurion/heads/tree/staging_nitrokey_git to use clevo_release buildstack (second approach above) where there will be need of improving CircleCI/coreboot module's targets to optimize rebuilds when only scripts change. As of now, a full build when modules changes takes nearly 2 hours, where a rebuild from cache takes 50 minutes. Also to be noted that CircleCI has some instabilities where restoring workspaces and saving workspaces are sometimes failing in the past days, so wil keep an eye on that: it requires CircleCI builds to be restarted from failed step to succeed. |
…d on top of linuxboot#1417 and linuxboot#1462 PoC: reuse 4.19 buildstack to make clear if there is a gain or not, since nv41/ns50 are based on x230-hotp-maximized which wil be cached after clean build
CircleCI: depend on NV41 for save_cache Makefile: consider that coreboot-git is now shared between forks on x86 (Nitrokey/Purism share build/x86/coreboot-git now) Addressesses requested change at linuxboot#1417 (review)
#1469 is ready to be used as a guideline to clean this PR to make it ready to be merged. |
…1/ns50 build on top of linuxboot#1417 and linuxboot#1462
…1/ns50 build on top of linuxboot#1417 and linuxboot#1462
…1/ns50 build on top of linuxboot#1417 and linuxboot#1462
tested ci image on nv41 and ns50:
|
Thanks for Nlnet for supporting this part of the work https://nlnet.nl/project/HEADS-TPM2.0/#ack |
This PR introduces two new boards:
nitropad-nv41
+nitropad-ns50
with TPM2 and overall Nitrokey 3 support (hotp-verification
). Re-based on the currentmaster
there is no need forgpg
patches anymore.The current state is that both boards work as expected, tpm2 works nicely, hotp-verification works using Nitrokey 3 (or others). LUKS + TPM is disabled through config, because our tests have not shown a robust behavior here.
Changes:
.npf
handling (a zip + hash file) during updatehotp-verification
with Nitrokey 3 supportCONFIG_GPG_DEFAULT_ALGO
w/o it being set, gpg defaults to create RSA-3072 keys, settingp256
leads to NIST-P256 keys during key generation onoem-factory-reset
iotools
andnitrokey-blobs