
PoC : Flashprog, cryptsetup, msi board, basic introspection: staging all pending PRs for testing #1773

Commits on Apr 7, 2024

  1. oem-factory-reset: uniformize the prompts spacing

    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Apr 7, 2024
    commit a04158b
  2. cryptsetup2 toolstack version bump

    cryptsetup2 2.6.1 is a new release that supports reencryption of Q4.2 release
    LUKS2 volumes. This is a critical feature for the Qubes OS 4.2 release.
    
    cryptsetup 2.6.1 requires lvm2 2.03.23, which is also included in this PR.
    lvm2 in turn requires libaio, which is also included in this PR.
    util-linux 2.39 is also included in this PR and a dependency of lvm2.
    patches for reproducible builds are included for all packages.
    luks-functions is updated to support the new cryptsetup2 version calls.
    Reencryption happens in direct-io, offline mode and without locking;
    from tests, this is best for performance and reliability in single-user mode.
    
    TODO:
    - async (AIO) calls are not used. direct-io is used instead. libaio could be hacked out
      - this could be subject to future work
    - time to deprecate legacy boards that do not have enough space for the new space requirements
      - x230-legacy, x230-legacy-flash, x230-hotp-legacy
      - t430-legacy, t430-legacy-flash, t430-hotp-legacy already deprecated
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Apr 7, 2024
    commit e837220
  3. legacy boards officially deprecated

    The x230-hotp-legacy, x230-legacy-flash, and x230-legacy boards are
    officially deprecated.  They have been moved to the unmaintained_boards
    directory.
    
    CircleCI has been updated to reflect this change.
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Apr 7, 2024
    commit 2ea3195

Commits on Apr 11, 2024

  1. Bump 5.10.5 kernel to 5.10.214

    Cloudflare patches to speed up LUKS encryption were upstreamed into the Linux kernel and backported to 5.10.9: cloudflare/linux#1 (comment)
    Therefore, we bump to the latest of 5.10.x (bump from 5.10.5, which doesn't contain the fixes)
    
    Trace:
    sed -i 's/5.10.5/5.10.214/g' boards/*/*.config
    find ./boards/*/*.config | awk -F "/" '{print $3}' | while read board; do
        echo "make BOARD=$board linux"
        make BOARD=$board linux
        echo make BOARD=$board linux.save_in_oldconfig_format_in_place || make BOARD=$board linux.modify_and_save_oldconfig_in_place
    done
    git status | grep modified | awk -F ":" '{print $2}' | xargs git add
    git commit --signoff
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Apr 11, 2024
    commit 1cc2b0d
  2. /etc/luks-functions: add workaround from cryptsetup call to bypass kernel IO queuing on kernel 5.10.9+ kernels

    
    TODO: any positive impact if AIO is added in kernel config for async ops (otherwise direct-io fallback as of now)?
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Apr 11, 2024
    commit 7bb0676

Commits on Apr 12, 2024

  1. WiP testing with AIO (Async IO) in kernel config and stage luks-functions thought about future changes

    
    config/linux-*: Deactivate AIO for new round of tests on clean Q4.2.1 install for perf diff
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Apr 12, 2024
    commit a498be9
  2. kexec-seal-key: refactor to first test against passphrase, if good check which slots unlock against passphrase, and wipe all other slots with user confirmation when not 1/8, then create DUK in slot 8 not 1

    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Apr 12, 2024
    commit cb43f65
  3. luks-functions: remove key-slots being hardcoded for DRK handling since DUK code is now dynamic

    
    TODO: multi LUKS volumes (Q4.2.1 non-default BTRFS deployment) still not supported with reencryption.
    Not a regression, just not yet handled since no OEM is known to ship such a setup.
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Apr 12, 2024
    commit 6ace11c
  4. ash_functions: move sleep 2 after all usb modules being loaded

    Otherwise we get ehci-pci and xhci_hcd kernel messages in dmesg debug AFTER "Verifying presence of GPG card", which explains why the dongle might not be found in time and fails in oem-factory-reset
    
    Fixes Nitrokey#48
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Apr 12, 2024
    commit cf3bd4b
  5. luks-functions: reencrypt requires a key-slot to use keyfile. Add key slot testing and reuse found keyslot unlocked by passphrase to reencrypt

    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Apr 12, 2024
    commit e4d26ee

Commits on Apr 26, 2024

  1. Improve DEBUG and DO_WITH_DEBUG output handling to also keep output of kexec -l when BOARD is in DEBUG+TRACE mode (configuration settings menu + flash)

    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Apr 26, 2024
    commit 0bdd58c
  2. functions: Add visibility to DO_WITH_DEBUG without affecting command

    DO_WITH_DEBUG traces command exit status (if failed), stdout/stderr (if
    not empty), and PATH (if command was not found).  The caller still
    observes the exit status, and stdout/stderr still go to the caller as
    well.
    
    This way, DO_WITH_DEBUG can be inserted anywhere with minimal spam in
    the logs and without affecting the script.
    
    Signed-off-by: Jonathon Hall <[email protected]>
    JonathonHall-Purism authored and tlaurion committed Apr 26, 2024
    commit d46661a
  3. functions: DO_WITH_DEBUG: Label stderr/stdout more clearly

    "$1 err:" looked like an error, but often there's output on stderr
    that's diagnostic (like kexec -d).  "$1 stderr:" is clearer.
    
    Signed-off-by: Jonathon Hall <[email protected]>
    JonathonHall-Purism authored and tlaurion committed Apr 26, 2024
    commit dfca159
  4. kexec-boot, functions: Restore eval and DO_WITH_DEBUG that were deleted

    `eval "$kexeccmd"` should become `DO_WITH_DEBUG eval "$kexeccmd"` when
    adding DO_WITH_DEBUG; command invocation is still the same and still needs
    eval.
    
    Restore DO_WITH_DEBUG in front of kexec-parse-boot that had been
    removed.
    
    Signed-off-by: Jonathon Hall <[email protected]>
    JonathonHall-Purism authored and tlaurion committed Apr 26, 2024
    commit 56bc669
  5. kexec-boot: Only capture kexec -d output to log, not console/kmsg

    LOG() is added to log to the log only (not kmsg, more verbose than
    TRACE).
    
    DO_WITH_DEBUG only captures stdout/stderr to the log with LOG().
    
    kexec-boot silences stderr from kexec, we don't want it on the console.
    
    No need to repeat the kexec command when asking in debug to continue
    boot, it's no longer hidden behind verbose output from kexec.
    
    Signed-off-by: Jonathon Hall <[email protected]>
    JonathonHall-Purism authored and tlaurion committed Apr 26, 2024
    commit ba2ceea
  6. ash_functions: Log board and version when entering recovery shell

    Log the board and version when entering the recovery shell.  Extract
    the firmware version logic from init.
    
    Currently this is the only way to get the debug log.  If we add a way
    from the GUI, we may want to log the board and version somewhere else
    too.
    
    Signed-off-by: Jonathon Hall <[email protected]>
    JonathonHall-Purism authored and tlaurion committed Apr 26, 2024
    commit 402acb1
  7. oem-factory-reset + seal-hotpkey: Give debug output to understand what state the USB Security dongle is in

    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Apr 26, 2024
    commit ec11347
  8. QEMU/KVM board configs: logical reorganization of requirements for board configs. Next step is creating fbwhiptail/whiptail/tpm1/tpm2 mk files and including them in all boards

    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Apr 26, 2024
    commit 36071c8
  9. UX improvements PIN questions

    Signed-off-by: Christian Foerster <[email protected]>
    UndeadDevel authored and tlaurion committed Apr 26, 2024
    commit cdeab82
  10. fix small incongruency with previous commit

    Signed-off-by: Christian Foerster <[email protected]>
    UndeadDevel authored and tlaurion committed Apr 26, 2024
    commit 50340bc
  11. fix another small incongruency with previous commit

    Signed-off-by: Christian Foerster <[email protected]>
    UndeadDevel authored and tlaurion committed Apr 26, 2024
    commit 06b6b5f
  12. Revert "fix another small incongruency with previous commit"

    This reverts commit cc70e77.
    
    Signed-off-by: Christian Foerster <[email protected]>
    UndeadDevel authored and tlaurion committed Apr 26, 2024
    commit 216fce9
  13. Revert "fix small incongruency with previous commit"

    This reverts commit be65c4b.
    
    Signed-off-by: Christian Foerster <[email protected]>
    UndeadDevel authored and tlaurion committed Apr 26, 2024
    commit f0f927a
  14. Revert "UX improvements PIN questions"

    This reverts commit ba20d98.
    
    Signed-off-by: Christian Foerster <[email protected]>
    UndeadDevel authored and tlaurion committed Apr 26, 2024
    commit 877d640
  15. only change user PIN minimum requirement to 6

    Signed-off-by: Christian Foerster <[email protected]>
    UndeadDevel authored and tlaurion committed Apr 26, 2024
    commit f4ff137
  16. change correct PIN minimum

    Signed-off-by: Christian Foerster <[email protected]>
    UndeadDevel authored and tlaurion committed Apr 26, 2024
    commit f9cbbdb
  17. Fix HOTP verification logic (and counter increment) in gui-init and oem-factory-reset scripts

    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Apr 26, 2024
    commit 91ee4eb
  18. config/coreboot-nitropad-*.config: disable power on AC

    The coreboot power failure state Kconfig options are wired up to the
    Power on AC feature on Clevo mainboards. Set the power failure state to
    0 to prevent these boards from powering on or waking up with AC attach.
    
    Signed-off-by: Michał Kopeć <[email protected]>
    mkopec authored and tlaurion committed Apr 26, 2024
    commit f683a19
  19. Makefile: add real.gitclean target which calls 'git clean -fxd'

    Ease cleaning up everything. IMHO better than the real.clean target
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Apr 26, 2024
    commit d8323f6
  20. LUKS header change validation at both sealing and unsealing of TPM Disk Unlock Key.

    
    Fixes linuxboot#1092.
    Supersedes linuxboot#1093
    
    - Cherry-picks ed1c23a (credit to @hardened-vault, thank you!)
    - Addresses and corrects self-review under linuxboot#1093 (@hardened-vault: you don't answer often here!)
      - kexec-unseal-key: Warn a user who attempts to default boot while his Disk Unlock Key passphrase fails to unseal because LUKS headers changed.
        (linuxboot#1093 (comment))
      - kexec-seal-key: Identical to ed1c23a
      - kexec-add-key: Tell the user that the headers did not change when changing TPM released Disk Unlock Key
        (Through changing default boot at Options->Boot Options -> Show OS boot options: select a new boot option
        and set a Disk Unlock Key in TPM, accept to modify disk and sign /boot options)
        - Here, we cancel the diff output shown on screen linuxboot#1093 (comment)
        - And we change the warning given to the user to past tense "Headers of LUKS containers to be unlocked via TPM Disk Unlock Key passphrase did not change."
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Apr 26, 2024
    commit 8a7257d
  21. Change disk encryption -> LUKS Disk Key and other relative/relative verbiage, remove irrelevant DEBUG trace under kexec-unseal-key

    
    TODO:
    - $(pcrs) call sometimes fails in DEBUG call, outputting too many chars to be inserted in kmsg. Call removed here since redundant (PCR6 already extended with LUKS header)
    - Notes added for TPM2 simplification over TPM1 in code as TODO
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Apr 26, 2024
    commit 28ceac9
  22. kexec-insert-key: refactor tampering check for encrypted disk keys prior to TPM unsealing ops

    
    move code from kexec-unseal-key to kexec-insert-key, address code review and apply verbiage suggestion changes
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Apr 26, 2024
    commit 13375e2
  23. OpenSSL (libcrypto): patch so that crypto/buildinfo.h generated by perl script contains reproducible date and fake compiler_flags

    
     hardcode VERSION='reproducible_build' into generated configure script to get rid of generated random git abbrev 8/12 chars (could not find source)
     patches/openssl-3.0.8.patch: clean up
    
    tpm2-tools/tpm2-tss:
     hack configure scripts to not contain hardcoded libs and other rpath related strings, using sed instead of patching configure script like cryptsetup2 patch
      Will be cleaned up in other commits. Leaving here as trace for autotools sed patching for reproducible builds.
    
    CircleCI: change working dir from project->heads so that CircleCI and local builds are from heads directory, helping reproducible builds
    
    TODO: change other patches as well and generalize to gpg toolstack, removing patches that are a maintainership burden.
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Apr 26, 2024
    commit 38f8cc4
  24. modules-tpm2-tools: bump from 5.2->5.6 (removes need to hack around PACKAGE_VERSION string which configure.ac points to ./VERSION already)

    
    tpm2-tools-5.6 patch: comment out git versioning output under ./VERSION; module: output current version under ./VERSION instead. Document under module
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Apr 26, 2024
    commit d9dc75f
  25. modules/tpm2-tss: sed configure script to remove hardcoding of libs, move patch 3.2.0->3.2.2

    
    disable static lib builds
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Apr 26, 2024
    commit ec84238
  26. modules/tpm2-tools: Add TODO to uniformize live patching through sed calls as opposed to patch version specific autotools/configure scripts to force reproducible builds

    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Apr 26, 2024
    commit c3758f1
  27. tpmr: remove warning "Warn: check public portion of the tpmkey manually"

    Discussed under linuxboot#1630 (comment)
    
    TODO added in code.
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Apr 26, 2024
    commit 4f15297
  28. only change user PIN minimum requirement to 6

    Signed-off-by: Christian Foerster <[email protected]>
    UndeadDevel authored and tlaurion committed Apr 26, 2024
    commit 72fe2c9
  29. Move boards/UNTESTED_* boards to untested_boards/UNMAINTAINED_*, remove them from CircleCI, add Makefile helper and document untested_boards/README.md

    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Apr 26, 2024
    commit 08d8d3c
  30. Makefile: add yet another developer helper: real.gitclean_keep_packages to not delete already downloaded packages to economize bandwidth

    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Apr 26, 2024
    commit 14dd809
  31. WiP Addressing review

    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Apr 26, 2024
    commit f8a6dfe

Commits on May 7, 2024

  1. commit 4c33ec8

Commits on May 9, 2024

  1. etc/ash_functions: move enable_usb prior to verifying presence of GPG card

    
    QEMU TCG is not so good at getting exclusive access, so assigning the USB device to the testing qube needs to be done AFTER kernel modules are loaded, otherwise there is a race condition between host and qemu.
    
    Otherwise error -32, requiring to kill sys-usb and restart the testing qube, and let the first attempt which loads drivers fail prior to assigning the USB Security dongle so that drivers are loaded.
    
    Makes testing through QEMU TCG (not KVM, which is better at getting exclusive USB device access) a little bit more usable (helps me keep sanity in development cycles)
    
    ---
    
    @JonathonHall-Purism I could do a PR separately for this against master if you agree.
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed May 9, 2024
    commit 04d233f
  2. WiP

    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed May 9, 2024
    commit e406cf2

Commits on May 17, 2024

  1. commit 8b3c52f
  2. commit 2c07ea3
  3. linux kernel 5.10.214: add patches, modify nix required shebangs.patch from linuxboot#1661 (less and less required but still some). Cannot remove 5.10.5 because kgpe-d16 uses it.

    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed May 17, 2024
    commit 3951634
  4. modules/openssl: keep hack, silence error on console when openssl is included for builds (affects tpm2 boards builds)

    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed May 17, 2024
    commit 96d78fd
  5. Merge remote-tracking branch 'tlaurion-github/fix_openssl_output_on_console_for_internal_hack' into cryptsetup_version_bump-reencryption_cleanup-staging2

    tlaurion committed May 17, 2024
    commit 8b80406
  6. Merge remote-tracking branch 'osresearch/master' into cryptsetup_version_bump-reencryption_cleanup-staging2

    tlaurion committed May 17, 2024
    commit 80c821c
  7. commit f70a924
  8. Merge remote-tracking branch 'tlaurion-github/fix_openssl_output_on_console_for_internal_hack' into cryptsetup_version_bump-reencryption_cleanup-staging2

    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed May 17, 2024
    commit b52912e
  9. kexec-seal-key: works with both LUKS2/LUKSv1

    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed May 17, 2024
    commit 7fee824

Commits on May 22, 2024

  1. WiP : testing on Q4.2.1 with BTRFS (two luks) shows some logic issues.

    Caching of DUK should happen but doesn't, so: two prompts for DRK;
    wiping only occurs on first LUKS
    
    TODO fix and revert changes unneeded in this commit, context switching
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed May 22, 2024
    commit 38cd42c

Commits on May 23, 2024

  1. Merge remote-tracking branch 'osresearch/master' into cryptsetup_version_bump-reencryption_cleanup

    tlaurion committed May 23, 2024
    commit c11e01c
  2. WiP double luks setup works, still double luks passphrase prompt

    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed May 23, 2024
    commit 5d7c655

Commits on May 24, 2024

  1. WiP: done testing LUKS passphrase for Q4.2.1 BTRFS deployment (multiple LUKS containers scenario), cleanup keyslot -> key slot everywhere

    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed May 24, 2024
    commit a401d05
  2. kgpe-d16: bump linux kernel version used and config through linux.modify_and_save_oldconfig_in_place helper

    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed May 24, 2024
    commit 33c0c92

Commits on May 27, 2024

  1. WiP: Otherwise we just passwd change/reencrypt one luks container and create discrepancies between passphrases. Check possibilities

    
    user@heads-tests-d12-nix-cryptsetup:~/heads$ docker run -e DISPLAY=$DISPLAY --network host --rm -ti -v $(pwd):$(pwd) -w $(pwd) linuxboot/heads:dev-env -- make BOARD=qemu-coreboot-whiptail-tpm1 run
    swtpm socket \
    	 \
    	--tpmstate dir="/home/user/heads/build/x86/qemu-coreboot-whiptail-tpm1/vtpm" \
    	--flags "startup-clear" \
    	--terminate \
    	--ctrl type=unixio,path="/home/user/heads/build/x86/qemu-coreboot-whiptail-tpm1/vtpm/sock" &
    sleep 0.5
    qemu-system-x86_64 -drive file="/home/user/heads/build/x86/qemu-coreboot-whiptail-tpm1/root.qcow2",if=virtio \
    	--machine q35,accel=kvm:tcg \
    	-rtc base=utc \
    	-smp 1 \
    	-vga std \
    	-m "$(cat "/home/user/heads/build/x86/qemu-coreboot-whiptail-tpm1/memory")" \
    	-serial stdio \
    	--bios "/home/user/heads/build/x86/qemu-coreboot-whiptail-tpm1/heads-qemu-coreboot-whiptail-tpm1-v0.2.0-2236-g33c0c92.rom" \
    	-object rng-random,filename=/dev/urandom,id=rng0 \
    	-device virtio-rng-pci,rng=rng0 \
    	-netdev user,id=u1 -device e1000,netdev=u1 \
    	-chardev socket,id=chrtpm,path="/home/user/heads/build/x86/qemu-coreboot-whiptail-tpm1/vtpm/sock" \
    	-tpmdev emulator,id=tpm0,chardev=chrtpm \
    	-device tpm-tis,tpmdev=tpm0 \
    	-device qemu-xhci,id=usb \
    	-device usb-tablet \
    	-drive file="/home/user/heads/build/x86/qemu-coreboot-whiptail-tpm1/usb_fd.raw",if=none,id=usb-fd-drive,format=raw \
    	-device usb-storage,bus=usb.0,drive=usb-fd-drive \
    	-usb -device canokey,file=/home/user/heads/build/x86/qemu-coreboot-whiptail-tpm1/.canokey-file \
    
    [    0.012521] ACPI: Reserving HPET table memory at [mem 0x7ff5d575-0x7ff5d5ac]
    [    0.012533] ACPI: Reserving TCPA table memory at [mem 0x7ff5d5ad-0x7ff5d5de]
    [    0.012544] ACPI: Reserving MCFG table memory at [mem 0x7ff5d5df-0x7ff5d61a]
    [    0.012556] ACPI: Reserving WAET table memory at [mem 0x7ff5d61b-0x7ff5d642]
    [    0.012567] ACPI: Reserving SSDT table memory at [mem 0x7ff7b170-0x7ff7b4f2]
    [    0.013184] ACPI: Local APIC address 0xfee00000
    [    0.015495] Zone ranges:
    [    0.015536]   DMA32    [mem 0x0000000000001000-0x00000000ffffffff]
    [    0.015593]   Normal   [mem 0x0000000100000000-0x000000017fffffff]
    [    0.015618] Movable zone start for each node
    [    0.015661] Early memory node ranges
    [    0.015704]   node   0: [mem 0x0000000000001000-0x000000000009ffff]
    [    0.015739]   node   0: [mem 0x0000000000100000-0x000000007ff42fff]
    [    0.015750]   node   0: [mem 0x0000000100000000-0x000000017fffffff]
    [    0.015883] Initmem setup node 0 [mem 0x0000000000001000-0x000000017fffffff]
    [    0.016167] On node 0 totalpages: 1048290
    [    0.016272]   DMA32 zone: 8188 pages used for memmap
    [    0.016306]   DMA32 zone: 22 pages reserved
    [    0.016380]   DMA32 zone: 524002 pages, LIFO batch:63
    [    0.016496]   Normal zone: 8192 pages used for memmap
    [    0.016509]   Normal zone: 524288 pages, LIFO batch:63
    [    0.017082] On node 0, zone DMA32: 1 pages in unavailable ranges
    [    0.061888] On node 0, zone DMA32: 96 pages in unavailable ranges
    [    0.107038] On node 0, zone Normal: 189 pages in unavailable ranges
    [    0.107538] ACPI: PM-Timer IO Port: 0x608
    [    0.107592] ACPI: Local APIC address 0xfee00000
    [    0.108108] ACPI: LAPIC_NMI (acpi_id[0xff] dfl dfl lint[0x1])
    [    0.108614] IOAPIC[0]: apic_id 0, version 32, address 0xfec00000, GSI 0-23
    [    0.108742] ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 2 dfl dfl)
    [    0.109010] ACPI: INT_SRC_OVR (bus 0 bus_irq 5 global_irq 5 high level)
    [    0.109072] ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)
    [    0.109174] ACPI: INT_SRC_OVR (bus 0 bus_irq 10 global_irq 10 high level)
    [    0.109190] ACPI: INT_SRC_OVR (bus 0 bus_irq 11 global_irq 11 high level)
    [    0.109307] ACPI: IRQ0 used by override.
    [    0.109377] ACPI: IRQ5 used by override.
    [    0.109391] ACPI: IRQ9 used by override.
    [    0.109401] ACPI: IRQ10 used by override.
    [    0.109411] ACPI: IRQ11 used by override.
    [    0.109484] Using ACPI (MADT) for SMP configuration information
    [    0.109542] ACPI: HPET id: 0x8086a201 base: 0xfed00000
    [    0.109846] smpboot: Allowing 1 CPUs, 0 hotplug CPUs
    [    0.110639] [mem 0xc0000000-0xfed3ffff] available for PCI devices
    [    0.111036] clocksource: refined-jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645519600211568 ns
    [    0.123287] setup_percpu: NR_CPUS:64 nr_cpumask_bits:64 nr_cpu_ids:1 nr_node_ids:1
    [    0.130518] percpu: Embedded 47 pages/cpu s153944 r8192 d30376 u2097152
    [    0.130938] pcpu-alloc: s153944 r8192 d30376 u2097152 alloc=1*2097152
    [    0.131032] pcpu-alloc: [0] 0
    [    0.132894] Built 1 zonelists, mobility grouping on.  Total pages: 1031888
    [    0.133099] Kernel command line: debug console=ttyS0,115200 console=tty
    [    0.145248] Dentry cache hash table entries: 524288 (order: 10, 4194304 bytes, linear)
    [    0.151062] Inode-cache hash table entries: 262144 (order: 9, 2097152 bytes, linear)
    [    0.152916] mem auto-init: stack:off, heap alloc:off, heap free:off
    [    0.448236] Memory: 4031744K/4193160K available (8194K kernel code, 1468K rwdata, 1988K rodata, 1104K init, 1896K bss, 161160K reserved, 0K cma-reserved)
    [    0.452037] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
    [    0.459609] rcu: Hierarchical RCU implementation.
    [    0.459672] rcu: 	RCU restricting CPUs from NR_CPUS=64 to nr_cpu_ids=1.
    [    0.459865] rcu: RCU calculated value of scheduler-enlistment delay is 25 jiffies.
    [    0.459907] rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=1
    [    0.460712] NR_IRQS: 4352, nr_irqs: 256, preallocated irqs: 16
    [    0.473945] Console: colour dummy device 80x25
    [    0.477120] printk: console [tty0] enabled
    [    0.516684] printk: console [ttyS0] enabled
    [    0.517516] ACPI: Core revision 20200925
    [    0.522307] ACPI BIOS Warning (bug): Incorrect checksum in table [SSDT] - 0x05, should be 0x36 (20200925/tbprint-177)
    [    0.528661] clocksource: hpet: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604467 ns
    [    0.537811] APIC: Switch to symmetric I/O mode setup
    [    0.546152] ..TIMER: vector=0x30 apic1=0 pin1=2 apic2=0 pin2=0
    [    0.568164] clocksource: tsc-early: mask: 0xffffffffffffffff max_cycles: 0x23fa509ef93, max_idle_ns: 440795283110 ns
    [    0.570789] Calibrating delay loop (skipped), value calculated using timer frequency.. 4991.91 BogoMIPS (lpj=9983836)
    [    0.580126] process: using AMD E400 aware idle routine
    [    0.580600] Last level iTLB entries: 4KB 512, 2MB 255, 4MB 127
    [    0.580866] Last level dTLB entries: 4KB 512, 2MB 255, 4MB 127, 1GB 0
    [    0.581610] Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization
    [    0.582280] Spectre V2 : Mitigation: Retpolines
    [    0.582520] Spectre V2 : Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch
    [    0.583093] Spectre V2 : Spectre v2 / SpectreRSB : Filling RSB on VMEXIT
    [    0.586427] x86/fpu: x87 FPU will use FXSAVE
    [    0.782370] Freeing SMP alternatives memory: 12K
    [    0.783775] pid_max: default: 4096 minimum: 301
    [    0.790154] Mount-cache hash table entries: 8192 (order: 4, 65536 bytes, linear)
    [    0.790608] Mountpoint-cache hash table entries: 8192 (order: 4, 65536 bytes, linear)
    [    0.925158] smpboot: CPU0: AMD QEMU Virtual CPU version 2.5+ (family: 0xf, model: 0x6b, stepping: 0x1)
    [    0.927305] Performance Events: PMU not available due to virtualization, using software events only.
    [    0.929076] rcu: Hierarchical SRCU implementation.
    [    0.932310] NMI watchdog: Perf NMI watchdog permanently disabled
    [    0.934335] smp: Bringing up secondary CPUs ...
    [    0.934513] smp: Brought up 1 node, 1 CPU
    [    0.934695] smpboot: Max logical packages: 1
    [    0.934845] smpboot: Total of 1 processors activated (4991.91 BogoMIPS)
    [    0.946462] devtmpfs: initialized
    [    0.952034] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns
    [    0.952495] futex hash table entries: 16 (order: -2, 1024 bytes, linear)
    [    0.960200] NET: Registered protocol family 16
    [    0.969911] thermal_sys: Registered thermal governor 'step_wise'
    [    0.969977] thermal_sys: Registered thermal governor 'user_space'
    [    0.970661] cpuidle: using governor menu
    [    0.972553] ACPI: bus type PCI registered
    [    0.974659] PCI: Using configuration type 1 for base access
    [    1.004364] cryptd: max_cpu_qlen set to 1000
    [    1.007305] ACPI: Added _OSI(Module Device)
    [    1.007392] ACPI: Added _OSI(Processor Device)
    [    1.007462] ACPI: Added _OSI(3.0 _SCP Extensions)
    [    1.007519] ACPI: Added _OSI(Processor Aggregator Device)
    [    1.007665] ACPI: Added _OSI(Linux-Dell-Video)
    [    1.007731] ACPI: Added _OSI(Linux-Lenovo-NV-HDMI-Audio)
    [    1.007803] ACPI: Added _OSI(Linux-HPI-Hybrid-Graphics)
    [    1.035505] ACPI BIOS Error (bug): Failure creating named object [\_SB.PCI0._PRT], AE_ALREADY_EXISTS (20200925/dswload2-327)
    [    1.036879] ACPI Error: AE_ALREADY_EXISTS, During name lookup/catalog (20200925/psobject-221)
    [    1.037185] ACPI: Skipping parse of AML opcode: Method (0x0014)
    [    1.037952] ACPI: 2 ACPI AML tables successfully acquired and loaded
    [    1.056897] ACPI: Interpreter enabled
    [    1.057670] ACPI: (supports S0 S5)
    [    1.058064] ACPI: Using IOAPIC for interrupt routing
    [    1.059908] PCI: Using host bridge windows from ACPI; if necessary, use "pci=nocrs" and report a bug
    [    1.062038] ACPI: Enabled 2 GPEs in block 00 to 3F
    [    1.095615] ACPI: PCI Root Bridge [PCI0] (domain 0000 [bus 00-ff])
    [    1.096537] acpi PNP0A08:00: _OSC: OS supports [ASPM ClockPM Segments MSI HPX-Type3]
    [    1.097987] acpi PNP0A08:00: PCIe port services disabled; not requesting _OSC control
    [    1.103477] PCI host bridge to bus 0000:00
    [    1.103872] pci_bus 0000:00: root bus resource [io  0x0000-0x0cf7 window]
    [    1.104077] pci_bus 0000:00: root bus resource [io  0x0d00-0xffff window]
    [    1.104296] pci_bus 0000:00: root bus resource [mem 0x000a0000-0x000bffff window]
    [    1.104708] pci_bus 0000:00: root bus resource [mem 0x80000000-0xafffffff window]
    [    1.104974] pci_bus 0000:00: root bus resource [mem 0xc0000000-0xfebfffff window]
    [    1.105227] pci_bus 0000:00: root bus resource [mem 0x180000000-0x97fffffff window]
    [    1.105469] pci_bus 0000:00: root bus resource [mem 0xfed40000-0xfed44fff]
    [    1.106015] pci_bus 0000:00: root bus resource [bus 00-ff]
    [    1.108059] pci 0000:00:00.0: [8086:29c0] type 00 class 0x060000
    [    1.113296] pci 0000:00:01.0: [1234:1111] type 00 class 0x030000
    [    1.115317] pci 0000:00:01.0: reg 0x10: [mem 0xc0000000-0xc0ffffff pref]
    [    1.117495] pci 0000:00:01.0: reg 0x18: [mem 0xc107c000-0xc107cfff]
    [    1.118427] pci 0000:00:01.0: reg 0x30: [mem 0xc1060000-0xc106ffff pref]
    [    1.118967] pci 0000:00:01.0: BAR 0: assigned to efifb
    [    1.119922] pci 0000:00:02.0: [1af4:1005] type 00 class 0x00ff00
    [    1.122482] pci 0000:00:02.0: reg 0x10: [io  0x10c0-0x10df]
    [    1.123543] pci 0000:00:02.0: reg 0x14: [mem 0xc107d000-0xc107dfff]
    [    1.127232] pci 0000:00:02.0: reg 0x20: [mem 0xc1070000-0xc1073fff 64bit pref]
    [    1.130852] pci 0000:00:03.0: [8086:100e] type 00 class 0x020000
    [    1.132266] pci 0000:00:03.0: reg 0x10: [mem 0xc1040000-0xc105ffff]
    [    1.133730] pci 0000:00:03.0: reg 0x14: [io  0x1080-0x10bf]
    [    1.136991] pci 0000:00:03.0: reg 0x30: [mem 0xc1000000-0xc103ffff pref]
    [    1.139184] pci 0000:00:04.0: [1b36:000d] type 00 class 0x0c0330
    [    1.139636] pci 0000:00:04.0: reg 0x10: [mem 0xc1074000-0xc1077fff 64bit]
    [    1.142062] pci 0000:00:05.0: [1af4:1001] type 00 class 0x010000
    [    1.142872] pci 0000:00:05.0: reg 0x10: [io  0x1000-0x107f]
    [    1.144388] pci 0000:00:05.0: reg 0x14: [mem 0xc107e000-0xc107efff]
    [    1.150893] pci 0000:00:05.0: reg 0x20: [mem 0xc1078000-0xc107bfff 64bit pref]
    [    1.152445] pci 0000:00:1d.0: [8086:2934] type 00 class 0x0c0300
    [    1.155671] pci 0000:00:1d.0: reg 0x20: [io  0x10e0-0x10ff]
    [    1.156930] pci 0000:00:1d.1: [8086:2935] type 00 class 0x0c0300
    [    1.158128] pci 0000:00:1d.1: reg 0x20: [io  0x1100-0x111f]
    [    1.159414] pci 0000:00:1d.2: [8086:2936] type 00 class 0x0c0300
    [    1.161381] pci 0000:00:1d.2: reg 0x20: [io  0x1120-0x113f]
    [    1.162881] pci 0000:00:1d.7: [8086:293a] type 00 class 0x0c0320
    [    1.163226] pci 0000:00:1d.7: reg 0x10: [mem 0xc107f000-0xc107ffff]
    [    1.166913] pci 0000:00:1f.0: [8086:2918] type 00 class 0x060100
    [    1.167696] pci 0000:00:1f.0: quirk: [io  0x0600-0x067f] claimed by ICH6 ACPI/GPIO/TCO
    [    1.167952] pci 0000:00:1f.0: quirk: [io  0x0580-0x05bf] claimed by ICH6 GPIO
    [    1.168556] pci 0000:00:1f.2: [8086:2922] type 00 class 0x010601
    [    1.171301] pci 0000:00:1f.2: reg 0x20: [io  0x1140-0x115f]
    [    1.171939] pci 0000:00:1f.2: reg 0x24: [mem 0xc1080000-0xc1080fff]
    [    1.173311] pci 0000:00:1f.3: [8086:2930] type 00 class 0x0c0500
    [    1.178514] pci 0000:00:1f.3: reg 0x20: [io  0x0400-0x043f]
    [    1.181944] pci_bus 0000:00: on NUMA node 0
    [    1.186760] ACPI: PCI Interrupt Link [LNKA] (IRQs 5 10 11) *0
    [    1.188131] ACPI: PCI Interrupt Link [LNKB] (IRQs 5 10 11) *0
    [    1.189103] ACPI: PCI Interrupt Link [LNKC] (IRQs 5 10 11) *0
    [    1.190087] ACPI: PCI Interrupt Link [LNKD] (IRQs 5 10 11) *0
    [    1.191177] ACPI: PCI Interrupt Link [LNKE] (IRQs 5 10 11) *0
    [    1.192259] ACPI: PCI Interrupt Link [LNKF] (IRQs 5 10 11) *0
    [    1.193416] ACPI: PCI Interrupt Link [LNKG] (IRQs 5 10 11) *0
    [    1.195093] ACPI: PCI Interrupt Link [LNKH] (IRQs 5 10 11) *0
    [    1.195807] ACPI: PCI Interrupt Link [GSIA] (IRQs *16)
    [    1.196292] ACPI: PCI Interrupt Link [GSIB] (IRQs *17)
    [    1.196657] ACPI: PCI Interrupt Link [GSIC] (IRQs *18)
    [    1.196921] ACPI: PCI Interrupt Link [GSID] (IRQs *19)
    [    1.197178] ACPI: PCI Interrupt Link [GSIE] (IRQs *20)
    [    1.197502] ACPI: PCI Interrupt Link [GSIF] (IRQs *21)
    [    1.197802] ACPI: PCI Interrupt Link [GSIG] (IRQs *22)
    [    1.198094] ACPI: PCI Interrupt Link [GSIH] (IRQs *23)
    [    1.204033] iommu: Default domain type: Translated
    [    1.206821] SCSI subsystem initialized
    [    1.207845] libata version 3.00 loaded.
    [    1.208348] ACPI: bus type USB registered
    [    1.209026] usbcore: registered new interface driver usbfs
    [    1.209613] usbcore: registered new interface driver hub
    [    1.209978] usbcore: registered new device driver usb
    [    1.220060] PCI: Using ACPI for IRQ routing
    [    1.220278] PCI: pci_cache_line_size set to 64 bytes
    [    1.220860] e820: reserve RAM buffer [mem 0x7ff43000-0x7fffffff]
    [    1.221769] hpet: 3 channels of 0 reserved for per-cpu timers
    [    1.223374] clocksource: Switched to clocksource tsc-early
    [    1.225210] pnp: PnP ACPI init
    [    1.226654] pnp 00:00: Plug and Play ACPI device, IDs PNP0c31 (active)
    [    1.228067] pnp 00:01: Plug and Play ACPI device, IDs PNP0303 (active)
    [    1.228810] pnp 00:02: Plug and Play ACPI device, IDs PNP0f13 (active)
    [    1.229182] pnp 00:03: Plug and Play ACPI device, IDs PNP0400 (active)
    [    1.229606] pnp 00:04: Plug and Play ACPI device, IDs PNP0501 (active)
    [    1.230109] pnp 00:05: Plug and Play ACPI device, IDs PNP0b00 (active)
    [    1.230828] pnp 00:06: Plug and Play ACPI device, IDs PNP0c31 (active)
    [    1.232508] system 00:07: [mem 0xb0000000-0xbfffffff window] has been reserved
    [    1.233295] system 00:07: Plug and Play ACPI device, IDs PNP0c01 (active)
    [    1.236100] pnp: PnP ACPI: found 8 devices
    [    1.263351] clocksource: acpi_pm: mask: 0xffffff max_cycles: 0xffffff, max_idle_ns: 2085701024 ns
    [    1.263981] NET: Registered protocol family 2
    [    1.265186] IP idents hash table entries: 65536 (order: 7, 524288 bytes, linear)
    [    1.269566] tcp_listen_portaddr_hash hash table entries: 2048 (order: 3, 32768 bytes, linear)
    [    1.270669] TCP established hash table entries: 32768 (order: 6, 262144 bytes, linear)
    [    1.271906] TCP bind hash table entries: 32768 (order: 7, 524288 bytes, linear)
    [    1.272957] TCP: Hash tables configured (established 32768 bind 32768)
    [    1.274775] UDP hash table entries: 2048 (order: 4, 65536 bytes, linear)
    [    1.275209] UDP-Lite hash table entries: 2048 (order: 4, 65536 bytes, linear)
    [    1.276687] NET: Registered protocol family 1
    [    1.277887] pci_bus 0000:00: resource 4 [io  0x0000-0x0cf7 window]
    [    1.278270] pci_bus 0000:00: resource 5 [io  0x0d00-0xffff window]
    [    1.278673] pci_bus 0000:00: resource 6 [mem 0x000a0000-0x000bffff window]
    [    1.279155] pci_bus 0000:00: resource 7 [mem 0x80000000-0xafffffff window]
    [    1.279539] pci_bus 0000:00: resource 8 [mem 0xc0000000-0xfebfffff window]
    [    1.280015] pci_bus 0000:00: resource 9 [mem 0x180000000-0x97fffffff window]
    [    1.280429] pci_bus 0000:00: resource 10 [mem 0xfed40000-0xfed44fff]
    [    1.281496] pci 0000:00:01.0: Video device with shadowed ROM at [mem 0x000c0000-0x000dffff]
    [    1.286658] PCI Interrupt Link [GSIE] enabled at IRQ 20
    [    1.293801] pci 0000:00:04.0: quirk_usb_early_handoff+0x0/0x62c took 10955 usecs
    [    1.297288] PCI Interrupt Link [GSIA] enabled at IRQ 16
    [    1.302459] PCI Interrupt Link [GSIB] enabled at IRQ 17
    [    1.308171] PCI Interrupt Link [GSIC] enabled at IRQ 18
    [    1.313464] PCI Interrupt Link [GSID] enabled at IRQ 19
    [    1.316564] PCI: CLS 64 bytes, default 64
    [    1.323320] Trying to unpack rootfs image as initramfs...
    [    2.943071] Freeing initrd memory: 4776K
    [    2.943562] PCI-DMA: Using software bounce buffering for IO (SWIOTLB)
    [    2.943845] software IO TLB: mapped [mem 0x000000007bf43000-0x000000007ff43000] (64MB)
    [    2.949679] workingset: timestamp_bits=46 max_order=20 bucket_order=0
    [    2.958202] SGI XFS with security attributes, no debug enabled
    [    2.962667] NET: Registered protocol family 38
    [    2.963227] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 249)
    [    2.963527] io scheduler mq-deadline registered
    [    2.965725] efifb: probing for efifb
    [    2.966811] efifb: framebuffer at 0xc0000000, using 3072k, total 3072k
    [    2.967354] efifb: mode is 1024x768x32, linelength=4096, pages=1
    [    2.968458] efifb: scrolling: redraw
    [    2.968838] efifb: Truecolor: size=8:8:8:8, shift=24:16:8:0
    [    2.992832] Console: switching to colour frame buffer device 128x48
    [    3.003452] fb0: EFI VGA frame buffer device
    [    3.007750] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
    [    3.013649] ACPI: Power Button [PWRF]
    [    3.023407] PCI Interrupt Link [GSIG] enabled at IRQ 22
    [    3.030857] PCI Interrupt Link [GSIF] enabled at IRQ 21
    [    3.037518] Serial: 8250/16550 driver, 4 ports, IRQ sharing disabled
    [    3.041854] 00:04: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
    [    3.049518] Non-volatile memory driver v1.3
    [    3.070723] random: crng init done
    [    3.072586] tpm_tis 00:00: 1.2 TPM (device-id 0x1, rev-id 1)
    [    3.100088] tpm_tis 00:06: can't request region for resource [mem 0xfed40000-0xfed44fff]
    [    3.101091] tpm_tis: probe of 00:06 failed with error -16
    [    3.104601] AMD-Vi: AMD IOMMUv2 functionality not available on this system - This is not a bug.
    [    3.146690] brd: module loaded
    [    3.164378] loop: module loaded
    [    3.173788] virtio_blk virtio1: [vda] 41943040 512-byte logical blocks (21.5 GB/20.0 GiB)
    [    3.174829] vda: detected capacity change from 0 to 21474836480
    [    3.203684]  vda: vda1 vda2 < vda5 > vda3
    [    3.208445] Loading iSCSI transport class v2.0-870.
    [    3.212527] iscsi: registered transport (tcp)
    [    3.214410] ahci 0000:00:1f.2: version 3.0
    [    3.221907] ahci 0000:00:1f.2: AHCI 0001.0000 32 slots 6 ports 1.5 Gbps 0x3f impl SATA mode
    [    3.222549] ahci 0000:00:1f.2: flags: 64bit ncq only
    [    3.236903] scsi host0: ahci
    [    3.248032] scsi host1: ahci
    [    3.253186] scsi host2: ahci
    [    3.258463] scsi host3: ahci
    [    3.269146] scsi host4: ahci
    [    3.274076] scsi host5: ahci
    [    3.279672] ata1: SATA max UDMA/133 abar m4096@0xc1080000 port 0xc1080100 irq 28
    [    3.284624] ata2: SATA max UDMA/133 abar m4096@0xc1080000 port 0xc1080180 irq 28
    [    3.288775] ata3: SATA max UDMA/133 abar m4096@0xc1080000 port 0xc1080200 irq 28
    [    3.293097] ata4: SATA max UDMA/133 abar m4096@0xc1080000 port 0xc1080280 irq 28
    [    3.297411] ata5: SATA max UDMA/133 abar m4096@0xc1080000 port 0xc1080300 irq 28
    [    3.300612] ata6: SATA max UDMA/133 abar m4096@0xc1080000 port 0xc1080380 irq 28
    [    3.307565] i8042: PNP: PS/2 Controller [PNP0303:KBD,PNP0f13:MOU] at 0x60,0x64 irq 1,12
    [    3.315477] serio: i8042 KBD port at 0x60,0x64 irq 1
    [    3.319388] serio: i8042 AUX port at 0x60,0x64 irq 12
    [    3.323920] rtc_cmos 00:05: RTC can wake from S4
    [    3.336706] input: AT Translated Set 2 keyboard as /devices/platform/i8042/serio0/input/input1
    [    3.352978] rtc_cmos 00:05: registered as rtc0
    [    3.360480] rtc_cmos 00:05: setting system clock to 2024-05-27T15:52:30 UTC (1716825150)
    [    3.368800] rtc_cmos 00:05: alarms up to one day, y3k, 242 bytes nvram, hpet irqs
    [    3.376906] i801_smbus 0000:00:1f.3: SMBus using PCI interrupt
    [    3.383352] i2c i2c-0: 1/1 memory slots populated (from DMI)
    [    3.387339] i2c i2c-0: Memory type 0x07 not supported yet, not instantiating SPD
    [    3.396422] device-mapper: ioctl: 4.43.0-ioctl (2020-10-01) initialised: [email protected]
    [    3.405510] NET: Registered protocol family 17
    [    3.420548] IPI shorthand broadcast: enabled
    [    3.428621] sched_clock: Marking stable (3361782024, 65863750)->(3431691428, -4045654)
    [    3.706716] ata2: SATA link down (SStatus 0 SControl 300)
    [    3.711943] ata1: SATA link down (SStatus 0 SControl 300)
    [    3.714891] ata4: SATA link down (SStatus 0 SControl 300)
    [    3.718216] ata3: SATA link up 1.5 Gbps (SStatus 113 SControl 300)
    [    3.727435] ata3.00: ATAPI: QEMU DVD-ROM, 2.5+, max UDMA/100
    [    3.730891] ata3.00: applying bridge limits
    [    3.735031] ata3.00: configured for UDMA/100
    [    3.739480] ata5: SATA link down (SStatus 0 SControl 300)
    [    3.743073] ata6: SATA link down (SStatus 0 SControl 300)
    [    3.760009] scsi 2:0:0:0: CD-ROM            QEMU     QEMU DVD-ROM     2.5+ PQ: 0 ANSI: 5
    [    3.791903] sr 2:0:0:0: [sr0] scsi3-mmc drive: 4x/4x cd/rw xa/form2 tray
    [    3.795666] cdrom: Uniform CD-ROM driver Revision: 3.20
    [    3.823522] sr 2:0:0:0: Attached scsi CD-ROM sr0
    [    3.830867] sr 2:0:0:0: Attached scsi generic sg0 type 5
    [    4.053435] Freeing unused kernel image (initmem) memory: 1104K
    [    4.057245] tsc: Refined TSC clocksource calibration: 2495.997 MHz
    [    4.063272] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x23fa7454d2a, max_idle_ns: 440795253903 ns
    [    4.067419] clocksource: Switched to clocksource tsc
    [    4.070828] Write protecting the kernel read-only data: 12288k
    [    4.080468] Freeing unused kernel image (text/rodata gap) memory: 2044K
    [    4.084568] Freeing unused kernel image (rodata/data gap) memory: 60K
    [    4.087965] Run /init as init process
    [    4.091279]   with arguments:
    [    4.095800]     /init
    [    4.099096]   with environment:
    [    4.103714]     HOME=/
    [    4.109606]     TERM=linux
    [    4.169820] [U] hello world
    [    4.371287] DEBUG: Debug output enabled from board CONFIG_DEBUG_OUTPUT=y option (/etc/config)
    [    4.392830] TRACE: Under init
    [    4.433899] DEBUG: Applying panic_on_oom setting to sysctl
    [    4.539072] TRACE: /bin/tpmr(32): main
    [    4.633463] TRACE: /bin/cbfs-init(5): main
    [    4.728134] TRACE: /bin/key-init(5): main
    [    5.824993] TRACE: Under /etc/ash_functions:combine_configs
    [    5.904298] TRACE: Under /etc/ash_functions:pause_recovery
    !!! Hit enter to proceed to recovery shell !!!
    [    6.137010] TRACE: /bin/setconsolefont.sh(6): main
    [    6.188579] DEBUG: Board does not ship setfont, not checking console font
    [    6.451536] TRACE: /bin/gui-init(643): main
    [    6.482343] TRACE: /etc/functions(715): detect_boot_device
    [    6.541819] TRACE: /etc/functions(682): mount_possible_boot_device
    [    6.604383] TRACE: /etc/functions(642): is_gpt_bios_grub
    [    6.731484] TRACE: /dev/vda1 is partition 1 of vda
    [    6.871167] TRACE: /etc/functions(619): find_lvm_vg_name
    [    7.119158] TRACE: Try mounting /dev/vda1 as /boot
    [    7.175186] EXT4-fs (vda1): mounted filesystem with ordered data mode. Opts: (null)
    [    7.237208] TRACE: /bin/gui-init(317): clean_boot_check
    [    7.348743] TRACE: /bin/gui-init(346): check_gpg_key
    
    [   12.484804] TRACE: Under /etc/ash_functions:recovery
    !!!!! Console recovery shell
    [   12.660433] DEBUG: Board qemu-coreboot-whiptail-tpm1 - version Heads-v0.2.0-2236-g33c0c92
    [   12.694824] DEBUG: Extending TPM PCR 4 for recovery shell access
    [   12.782961] TRACE: /bin/tpmr(32): main
    [   12.844959] DEBUG: Direct translation from tpmr to tpm1 call
    [   12.889837] DEBUG: exec tpm extend -ix 4 -ic recovery
    New value of PCR[4]: 8a6a96fde1a8dd96271479dc40742b36aba3c2b3
    !!!!! Starting recovery shell
    ~ # oem-factory-reset
    [   19.391027] TRACE: /bin/oem-factory-reset(11): main
    
    Would you like to use default configuration options?
    If N, you will be prompted for each option [Y/n]: n
    ****************************************************
    **** Factory Reset / Re-Ownership Questionnaire ****
    ****************************************************
    The following questionnaire will help you configure the security components of your system.
    Each prompt requires a single letter answer: eg. (Y/n).
    If you don't know what to answer, pressing Enter will select the default answer for that prompt: eg. Y, above.
    
    Would you like to change the current LUKS Disk Recovery Key passphrase?
     (Highly recommended if you didn't install the Operating System yourself, so that past configured passphrase would not permit to access content.
      Note that without re-encrypting disk, a backed up header could be restored to access encrypted content with old passphrase) [y/N]: y
    
    Would you like to re-encrypt LUKS encrypted container and generate new LUKS Disk Recovery Key?
     (Highly recommended if you didn't install the operating system yourself: this would prevent any LUKS backed up header to be restored to access encrypted data) [y/N]: y
    [   23.007856] TRACE: /etc/luks-functions(296): test_luks_current_disk_recovery_key_passphrase
    [   23.029224] TRACE: /etc/luks-functions(270): select_luks_container
      Failed to set up async io, using sync io.
    [   23.367334] TRACE: /etc/gui_functions(83): file_selector
    
    ────────────────────┤ Select your File ├────────────────────────────────────────
    ner device [1-2, a to abort]:
    
                                      1 /dev/vda3
                                      2 /dev/vda5
                                      a Abort
    
                   <Ok>                                      <Cancel>
    
    ────────────────────────────────────────────────────────────────────────────────
    
    Enter the current LUKS Disk Recovery Key passphrase (Configured at OS installation or by OEM):
    PleaseChangeMe
    
    Testing opening /dev/vda3 LUKS encrypted drive content with the current LUKS Disk Recovery Key passphrase...
    [   37.855527] DEBUG: cryptsetup open --test-passphrase /dev/vda3 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
    Success.
    
    Would you like to format an encrypted USB Thumb drive to store GPG key material?
     (Required to enable GPG authentication) [y/N]: y
     ++++ Master key and subkeys will be generated in memory, backed up to dedicated LUKS container +++
    Would you like in-memory generated subkeys to be copied to USB Security Dongle's smartcard?
     (Highly recommended so the smartcard is used on daily basis and backup is kept safe, but not required) [Y/n]: y
    ++++ Subkeys will be copied to USB Security Dongle's smartcard ++++
    [   49.945161]  *** WARNING: Please keep your GPG key material backup thumb drive safe ***
    
    The following Security Components will be configured with defaults or further chosen PINs/passwords:
    
    LUKS Disk Recovery Key passphrase
    TPM Owner Password
    GPG Key material backup passphrase (Same as GPG Admin PIN)
    GPG Admin PIN
    GPG User PIN
    
    Would you like to set a single custom password to all previously stated security components? [y/N]: y
    
    The chosen custom password must be between 8 and 25 characters in length.
    Enter the custom password: PleaseChangeMe
    
    Would you like to set custom user information for the GnuPG key? [y/N]: n
    [   68.395411] TRACE: /bin/oem-factory-reset(396): select_thumb_drive_for_key_material
    [   68.424600] TRACE: Under /etc/ash_functions:enable_usb
    [   68.500643] TRACE: /sbin/insmod(9): main
    [   68.640669] DEBUG: Extending TPM PCR 5 with /lib/modules/ehci-hcd.ko prior of usage
    [   68.729157] TRACE: /bin/tpmr(32): main
    [   68.789771] DEBUG: Direct translation from tpmr to tpm1 call
    [   68.834212] DEBUG: exec tpm extend -ix 5 -if /lib/modules/ehci-hcd.ko
    New value of PCR[5]: 21633d409dd476cc5f4a0150a36d5950f5d64f68
    [   68.997245] DEBUG: Loading /lib/modules/ehci-hcd.ko with busybox insmod
    [   69.034636] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
    [   69.133241] TRACE: /sbin/insmod(9): main
    [   69.298849] DEBUG: Extending TPM PCR 5 with /lib/modules/uhci-hcd.ko prior of usage
    [   69.391626] TRACE: /bin/tpmr(32): main
    [   69.457393] DEBUG: Direct translation from tpmr to tpm1 call
    [   69.511547] DEBUG: exec tpm extend -ix 5 -if /lib/modules/uhci-hcd.ko
    New value of PCR[5]: 59a733f2744b73a686aadb622bf21b6cb2e857e1
    [   69.678876] DEBUG: Loading /lib/modules/uhci-hcd.ko with busybox insmod
    [   69.715292] uhci_hcd: USB Universal Host Controller Interface driver
    [   69.730616] uhci_hcd 0000:00:1d.0: UHCI Host Controller
    [   69.737232] uhci_hcd 0000:00:1d.0: new USB bus registered, assigned bus number 1
    [   69.754386] uhci_hcd 0000:00:1d.0: detected 2 ports
    [   69.763973] uhci_hcd 0000:00:1d.0: irq 16, io base 0x000010e0
    [   69.782620] hub 1-0:1.0: USB hub found
    [   69.793768] hub 1-0:1.0: 2 ports detected
    [   69.808344] uhci_hcd 0000:00:1d.1: UHCI Host Controller
    [   69.817408] uhci_hcd 0000:00:1d.1: new USB bus registered, assigned bus number 2
    [   69.824656] uhci_hcd 0000:00:1d.1: detected 2 ports
    [   69.833349] uhci_hcd 0000:00:1d.1: irq 17, io base 0x00001100
    [   69.844305] hub 2-0:1.0: USB hub found
    [   69.850634] hub 2-0:1.0: 2 ports detected
    [   69.863831] uhci_hcd 0000:00:1d.2: UHCI Host Controller
    [   69.869789] uhci_hcd 0000:00:1d.2: new USB bus registered, assigned bus number 3
    [   69.881549] uhci_hcd 0000:00:1d.2: detected 2 ports
    [   69.890176] uhci_hcd 0000:00:1d.2: irq 18, io base 0x00001120
    [   69.898990] hub 3-0:1.0: USB hub found
    [   69.906946] hub 3-0:1.0: 2 ports detected
    [   69.995004] TRACE: /sbin/insmod(9): main
    [   70.138781] DEBUG: Extending TPM PCR 5 with /lib/modules/ohci-hcd.ko prior of usage
    [   70.239829] TRACE: /bin/tpmr(32): main
    [   70.313655] DEBUG: Direct translation from tpmr to tpm1 call
    [   70.386398] DEBUG: exec tpm extend -ix 5 -if /lib/modules/ohci-hcd.ko
    New value of PCR[5]: cc5c54502fbba28806e9a56466a8f595b8b40581
    [   70.548351] DEBUG: Loading /lib/modules/ohci-hcd.ko with busybox insmod
    [   70.576662] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
    [   70.664555] TRACE: /sbin/insmod(9): main
    [   70.818989] DEBUG: Extending TPM PCR 5 with /lib/modules/ohci-pci.ko prior of usage
    [   70.908984] TRACE: /bin/tpmr(32): main
    [   70.979160] DEBUG: Direct translation from tpmr to tpm1 call
    [   71.031400] DEBUG: exec tpm extend -ix 5 -if /lib/modules/ohci-pci.ko
    New value of PCR[5]: 32f59488f65d9b9a712f5ff35d89c3053492fa65
    [   71.198320] DEBUG: Loading /lib/modules/ohci-pci.ko with busybox insmod
    [   71.230458] ohci-pci: OHCI PCI platform driver
    [   71.319015] TRACE: /sbin/insmod(9): main
    [   71.466523] DEBUG: Extending TPM PCR 5 with /lib/modules/ehci-pci.ko prior of usage
    [   71.554317] TRACE: /bin/tpmr(32): main
    [   71.621898] DEBUG: Direct translation from tpmr to tpm1 call
    [   71.676368] DEBUG: exec tpm extend -ix 5 -if /lib/modules/ehci-pci.ko
    New value of PCR[5]: 57dd398e1d34495588e88c04ec803c68d2e8a880
    [   71.865504] DEBUG: Loading /lib/modules/ehci-pci.ko with busybox insmod
    [   71.895471] ehci-pci: EHCI PCI platform driver
    [   71.915057] ehci-pci 0000:00:1d.7: EHCI Host Controller
    [   71.922375] ehci-pci 0000:00:1d.7: new USB bus registered, assigned bus number 4
    [   71.931944] ehci-pci 0000:00:1d.7: irq 19, io mem 0xc107f000
    [   71.954678] ehci-pci 0000:00:1d.7: USB 2.0 started, EHCI 1.00
    [   71.972250] hub 4-0:1.0: USB hub found
    [   71.978783] hub 4-0:1.0: 6 ports detected
    [   71.988734] hub 1-0:1.0: USB hub found
    [   71.994990] hub 1-0:1.0: 2 ports detected
    [   72.003349] hub 2-0:1.0: USB hub found
    [   72.009942] hub 2-0:1.0: 2 ports detected
    [   72.018163] hub 3-0:1.0: USB hub found
    [   72.033954] hub 3-0:1.0: 2 ports detected
    [   72.135439] TRACE: /sbin/insmod(9): main
    [   72.315577] DEBUG: Extending TPM PCR 5 with /lib/modules/xhci-hcd.ko prior of usage
    [   72.409790] TRACE: /bin/tpmr(32): main
    [   72.474356] DEBUG: Direct translation from tpmr to tpm1 call
    [   72.522906] DEBUG: exec tpm extend -ix 5 -if /lib/modules/xhci-hcd.ko
    New value of PCR[5]: 8600091b27a18d60649ae54e943376f58d2e267c
    [   72.693318] DEBUG: Loading /lib/modules/xhci-hcd.ko with busybox insmod
    [   72.807533] TRACE: /sbin/insmod(9): main
    [   72.939792] DEBUG: Extending TPM PCR 5 with /lib/modules/xhci-pci.ko prior of usage
    [   73.027008] TRACE: /bin/tpmr(32): main
    [   73.096260] DEBUG: Direct translation from tpmr to tpm1 call
    [   73.145608] DEBUG: exec tpm extend -ix 5 -if /lib/modules/xhci-pci.ko
    New value of PCR[5]: c93b075b09b770746b1a1b45d6e3d63feaf83443
    [   73.312686] DEBUG: Loading /lib/modules/xhci-pci.ko with busybox insmod
    [   73.340372] xhci_hcd 0000:00:04.0: xHCI Host Controller
    [   73.345734] xhci_hcd 0000:00:04.0: new USB bus registered, assigned bus number 5
    [   73.357649] xhci_hcd 0000:00:04.0: hcc params 0x00087001 hci version 0x100 quirks 0x0000000000000010
    [   73.366477] xhci_hcd 0000:00:04.0: xHCI Host Controller
    [   73.373721] xhci_hcd 0000:00:04.0: new USB bus registered, assigned bus number 6
    [   73.380270] xhci_hcd 0000:00:04.0: Host supports USB 3.0 SuperSpeed
    [   73.389371] hub 5-0:1.0: USB hub found
    [   73.395743] hub 5-0:1.0: 4 ports detected
    [   73.404306] usb usb6: We don't know the algorithms for LPM for this host, disabling LPM.
    [   73.416743] hub 6-0:1.0: USB hub found
    [   73.424014] hub 6-0:1.0: 4 ports detected
    [   73.670772] usb 5-1: new high-speed USB device number 2 using xhci_hcd
    [   73.954700] usb 6-2: new SuperSpeed Gen 1 USB device number 2 using xhci_hcd
    [   74.106242] usb 5-3: new full-speed USB device number 3 using xhci_hcd
    [   75.470413] TRACE: /etc/functions(224): enable_usb_storage
    Scanning for USB storage devices...
    [   75.584285] TRACE: /sbin/insmod(9): main
    [   75.738969] DEBUG: Extending TPM PCR 5 with /lib/modules/usb-storage.ko prior of usage
    [   75.827679] TRACE: /bin/tpmr(32): main
    [   75.896708] DEBUG: Direct translation from tpmr to tpm1 call
    [   75.949769] DEBUG: exec tpm extend -ix 5 -if /lib/modules/usb-storage.ko
    [   76.104403] DEBUG: Loading /lib/modules/usb-storage.ko with busybox insmod
    [   76.128919] usb-storage 6-2:1.0: USB Mass Storage device detected
    [   76.138181] scsi host6: usb-storage 6-2:1.0
    [   76.145825] usbcore: registered new interface driver usb-storage
    [   76.197467] TRACE: /etc/functions(261): list_usb_storage
    [   76.253448] DEBUG: Listing USB storage devices (including partitions)
    [   77.150291] scsi 6:0:0:0: Direct-Access     QEMU     QEMU HARDDISK    2.5+ PQ: 0 ANSI: 5
    [   77.160923] sd 6:0:0:0: Power-on or device reset occurred
    [   77.166811] sd 6:0:0:0: Attached scsi generic sg1 type 0
    [   77.175608] sd 6:0:0:0: [sda] 524288 512-byte logical blocks: (268 MB/256 MiB)
    [   77.183599] sd 6:0:0:0: [sda] Write Protect is off
    [   77.196370] sd 6:0:0:0: [sda] Mode Sense: 63 00 00 08
    [   77.207786] sd 6:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
    [   77.225782]  sda:
    [   77.239543] sd 6:0:0:0: [sda] Attached SCSI disk
    [   77.394171] TRACE: /etc/functions(261): list_usb_storage
    [   77.444845] DEBUG: Listing USB storage devices (including partitions)
    [   77.585183] DEBUG: USB storage device of size greater then 0: /sys/block/sda
    [   77.708205] DEBUG: USB storage device without partition table: /dev/sda
    [   77.751699] TRACE: /bin/oem-factory-reset(298): prompt_insert_to_be_wiped_thumb_drive
    
    ┌────────────┤ WARNING: Please insert the thumb drive to be wiped ├────────────┐
    │                                                                              │
    │ The thumb drive will be WIPED next.                                          │
    │                                                                              │
    │ Please connect only the thumb drive to be wiped and disconnect others.       │
    │                                                                              │
    │                                    <Ok>                                      │
    │                                                                              │
    └──────────────────────────────────────────────────────────────────────────────┘
    
    [   86.972495] TRACE: /etc/functions(261): list_usb_storage
    [   87.020445] DEBUG: Listing USB storage devices (disks only) since list_usb_storage was called with 'disks' argument
    [   87.156871] DEBUG: USB storage device of size greater then 0: /sys/block/sda
    [   87.276470] DEBUG: USB storage device without partition table: /dev/sda
    [   87.349246] TRACE: /etc/gui_functions(83): file_selector
    
    ────────────────────┤ Select your File ├────────────────────────────────────────
    to partition [1-1, a to abort]:
    
                                  1 /dev/sda - 256 MB
                                  a Abort
    
                   <Ok>                                      <Cancel>
    
    ────────────────────────────────────────────────────────────────────────────────
    
    [   88.878599] TRACE: /etc/luks-functions(19): select_luks_container_size_percent
    
    ┌─────────────┤ Select LUKS container size percentage of device ├──────────────┐
    │ Select LUKS container size percentage of device:                             │
    │                                                                              │
    │                                    10 10%                                    │
    │                                    25 25%                                    │
    │                                    50 50%                                    │
    │                                    75 75%                                    │
    │                                                                              │
    │                                                                              │
    │                     <Ok>                         <Cancel>                    │
    │                                                                              │
    └──────────────────────────────────────────────────────────────────────────────┘
    
    [   89.637742] TRACE: /etc/luks-functions(191): confirm_thumb_drive_format
    
    ┌───────────┤ WARNING: Wiping and repartitioning /dev/sda (256 MB) ├───────────┐
    │                                                                              │
    │ WARNING: Wiping and repartitioning /dev/sda (256 MB) with 25 MB              │
    │  assigned to private LUKS ext4 partition,                                    │
    │  rest assigned to exFAT public partition.                                    │
    │                                                                              │
    │ Are you sure you want to continue?                                           │
    │                                                                              │
    │                     <Yes>                        <No>                        │
    │                                                                              │
    └──────────────────────────────────────────────────────────────────────────────┘
    
    Checking for USB Security Dongle...
    
    [   90.384067] TRACE: Under /etc/ash_functions:enable_usb
    [   90.469650] TRACE: /sbin/insmod(9): main
    [   90.609009] DEBUG: /lib/modules/ehci-hcd.ko: already loaded
    [   90.707119] TRACE: /sbin/insmod(9): main
    [   90.847934] DEBUG: /lib/modules/uhci-hcd.ko: already loaded
    [   90.933045] TRACE: /sbin/insmod(9): main
    [   91.070657] DEBUG: /lib/modules/ohci-hcd.ko: already loaded
    [   91.162513] TRACE: /sbin/insmod(9): main
    [   91.306892] DEBUG: /lib/modules/ohci-pci.ko: already loaded
    [   91.391118] TRACE: /sbin/insmod(9): main
    [   91.524929] DEBUG: /lib/modules/ehci-pci.ko: already loaded
    [   91.603619] TRACE: /sbin/insmod(9): main
    [   91.756308] DEBUG: /lib/modules/xhci-hcd.ko: already loaded
    [   91.841776] TRACE: /sbin/insmod(9): main
    [   91.979223] DEBUG: /lib/modules/xhci-pci.ko: already loaded
    [   94.223028] TRACE: /bin/oem-factory-reset(823): usb_security_token_capabilities_check
    [   94.254971] TRACE: Under /etc/ash_functions:enable_usb
    [   94.339009] TRACE: /sbin/insmod(9): main
    [   94.477943] DEBUG: /lib/modules/ehci-hcd.ko: already loaded
    [   94.564028] TRACE: /sbin/insmod(9): main
    [   94.712265] DEBUG: /lib/modules/uhci-hcd.ko: already loaded
    [   94.799991] TRACE: /sbin/insmod(9): main
    [   94.936861] DEBUG: /lib/modules/ohci-hcd.ko: already loaded
    [   95.033428] TRACE: /sbin/insmod(9): main
    [   95.168483] DEBUG: /lib/modules/ohci-pci.ko: already loaded
    [   95.267025] TRACE: /sbin/insmod(9): main
    [   95.407182] DEBUG: /lib/modules/ehci-pci.ko: already loaded
    [   95.488336] TRACE: /sbin/insmod(9): main
    [   95.623872] DEBUG: /lib/modules/xhci-hcd.ko: already loaded
    [   95.712048] TRACE: /sbin/insmod(9): main
    [   95.853145] DEBUG: /lib/modules/xhci-pci.ko: already loaded
    [   97.965156] TRACE: /etc/functions(568): assert_signable
    
    Detecting and setting boot device...
    
    [   98.143017] TRACE: /etc/functions(715): detect_boot_device
    [   98.208597] TRACE: /etc/functions(682): mount_possible_boot_device
    [   98.260205] TRACE: /etc/functions(642): is_gpt_bios_grub
    [   98.345172] TRACE: /dev/vda1 is partition 1 of vda
    [   98.447506] TRACE: /etc/functions(619): find_lvm_vg_name
    [   98.573805] TRACE: Try mounting /dev/vda1 as /boot
    [   98.603662] EXT4-fs (vda1): mounted filesystem with ordered data mode. Opts: (null)
    Boot device set to /dev/vda1
    
    [   98.655448] TRACE: /etc/functions(437): replace_config
    [   98.828296] TRACE: Under /etc/ash_functions:combine_configs
    [   98.869857] TRACE: /etc/luks-functions(430): luks_change_passphrase
    [   98.904659] TRACE: /etc/luks-functions(270): select_luks_container
    
    Changing /dev/vda3 LUKS encrypted disk passphrase to the new LUKS Disk Recovery Key passphrase...
    Success.
    [  115.276667] TRACE: /etc/luks-functions(345): luks_reencrypt
    [  115.308592] TRACE: /etc/luks-functions(270): select_luks_container
    
    Reencrypting /dev/vda3 LUKS encrypted drive content with current Recovery Disk Key passphrase...
    [  115.343396]  *** WARNING: DO NOT POWER DOWN MACHINE, UNPLUG AC OR REMOVE BATTERY DURING REENCRYPTION PROCESS ***
    [  116.414815] DEBUG: cryptsetup open --test-passphrase /dev/vda3 --key-slot 0 --key-file /tmp/luks_current_Disk_Recovery_Key_passphrase
    Resuming LUKS reencryption in forced offline mode.
    Progress:   1.9%, ETA 32m27s,  360 MiB written, speed   9.3 MiB/sqemu: terminating on signal 2
    make: *** wait: No child processes.  Stop.
    user@heads-tests-d12-nix-cryptsetup:~/heads$ sudo qemu-img snapshot ~/qemu-disks/debian-12-2_luks.qcow2 -l
    Snapshot list:
    ID        TAG               VM SIZE                DATE     VM CLOCK     ICOUNT
    1         clean-install_2-luks      0 B 2024-05-23 13:49:47 00:00:00.000          0
    2         duk_worked_against_2luks_slots      0 B 2024-05-23 16:31:32 00:00:00.000          0
    3         before_reencrypt      0 B 2024-05-27 11:20:40 00:00:00.000          0
    user@heads-tests-d12-nix-cryptsetup:~/heads$ sudo qemu-img snapshot ~/qemu-disks/debian-12-2_luks.qcow2 -a before_reencrypt
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed May 27, 2024
    2e83127

Commits on May 28, 2024

  1. WiP

    test encryption key now supports testing multiple LUKS containers on same disk only when DUK already set up
    TODO: generalize and make reencryption and passphrase work again
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed May 28, 2024
    466f60f

Commits on Jun 3, 2024

  1. WiP: work being done under reencrypt function

    Logic problem is that we first
    - Check if passphrase can unlock all LUKS containers on same block device (UX is weird)
      - If passphrase can unlock all LUKS containers (fast) we need to track which keyslot did that (do we? maybe not)
      - Then we try to reuse the same keyslot to reencrypt that LUKS container, so we need to do this for the same keyslot of each LUKS container
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Jun 3, 2024
    fed02f7
  2. luks_reencrypt works with both containers but never exits

    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Jun 3, 2024
    62a902f
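The two Jun 3 commits above describe the sequence the reencrypt work is aiming for: verify that one passphrase opens every LUKS container on the same block device, remember which keyslot accepted it, then reencrypt each container through that same slot. The shell script below is an added example written for this page, not code from Heads' luks-functions or from the author. It assumes cryptsetup 2.x in PATH and root privileges, reuses the `cryptsetup open --test-passphrase ... --key-slot` probe visible in the May 27 log above, and picks the `--force-offline-reencrypt`, `--use-directio` and `--disable-locks` flags as an assumption about how the offline reencryption seen in that log ("Resuming LUKS reencryption in forced offline mode") would be invoked. Device paths and the key-file path are illustrative placeholders.

```shell
#!/bin/sh
# Added example for this page; not Heads' /etc/luks-functions code.
# Assumptions: cryptsetup 2.x in PATH, root privileges, and a key file
# holding the passphrase under test. /dev/vda3 and /dev/vda5 below are
# illustrative device names only.

# Print the first keyslot on LUKS device $1 that key file $2 opens.
# --test-passphrase checks the slot without mapping the device, so this
# is safe on a container that is already open or mounted. Returns 1 when
# no slot accepts the key.
find_unlocking_keyslot() {
    fk_dev=$1
    fk_keyfile=$2
    fk_slot=0
    while [ "$fk_slot" -lt 32 ]; do      # LUKS2 allows up to 32 keyslots
        if cryptsetup open --test-passphrase "$fk_dev" \
                --key-slot "$fk_slot" --key-file "$fk_keyfile" >/dev/null 2>&1; then
            echo "$fk_slot"
            return 0
        fi
        fk_slot=$((fk_slot + 1))
    done
    return 1
}

# Verify that one passphrase opens every container listed after the key
# file. Prints one "device:slot" line per container ("none" when the key
# is rejected) and returns 1 if any container failed, so the caller can
# refuse to start before a single container has been touched.
check_passphrase_all_containers() {
    cp_keyfile=$1
    shift
    cp_rc=0
    for cp_dev in "$@"; do
        if cp_slot=$(find_unlocking_keyslot "$cp_dev" "$cp_keyfile"); then
            echo "$cp_dev:$cp_slot"
        else
            echo "$cp_dev:none"
            cp_rc=1
        fi
    done
    return $cp_rc
}

# Reencrypt each "device:slot" entry with the slot that was just verified.
# Offline, direct I/O and no lock files are assumptions about the mode used
# in the log above; cryptsetup resumes an interrupted reencryption itself.
reencrypt_containers() {
    re_keyfile=$1
    shift
    for re_entry in "$@"; do
        re_dev=${re_entry%%:*}
        re_slot=${re_entry##*:}
        if [ "$re_slot" = "none" ]; then
            return 1
        fi
        cryptsetup reencrypt "$re_dev" --key-slot "$re_slot" \
            --key-file "$re_keyfile" --force-offline-reencrypt \
            --use-directio --disable-locks || return 1
    done
    return 0
}

# Driver: verify first, reencrypt only when every container accepted the key.
# Usage: reencrypt_all_on_disk /path/to/keyfile /dev/vda3 /dev/vda5
reencrypt_all_on_disk() {
    ra_keyfile=$1
    shift
    ra_map=$(check_passphrase_all_containers "$ra_keyfile" "$@") || {
        echo "passphrase does not open every container, aborting:" >&2
        echo "$ra_map" >&2
        return 1
    }
    # shellcheck disable=SC2086  # entries are single tokens; splitting intended
    reencrypt_containers "$ra_keyfile" $ra_map
}
```

The verification pass is deliberately separate from the reencryption pass: the script only issues `cryptsetup reencrypt` once every container has reported a usable slot, which avoids the state where the first container has been reencrypted and the second then rejects the passphrase.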

Commits on Jun 4, 2024

  1. WiP

    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Jun 4, 2024
    8f4d5b9

Commits on Jul 31, 2024

  1. Merge remote-tracking branch 'osresearch/master' into HEAD

    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Jul 31, 2024
    5e31267
  2. WiP : Add additional fake cryptsetup reencrypt calls replacement since we know reencrypt work ( optimize qemu slow testings )
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Jul 31, 2024
    135ecbe
  3. WiP : fix luks_change_passphrase to match luks_reencrypt. TODO: fix authenticated heads thumb drive LUKS now failing
    
    Narrow bug domain:
    - Factory reset works with
      - LUKS Reencryption: Y
      - LUKS Passphrase change: N
      - Gen private keys in memory + copy to card (authenticated Head) : N
      - public key backup to usb thumb drive containing public/encrypted partition: Y
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Jul 31, 2024
    6bf46e9
  4. WiP: having issue with dirmngr again upon factory reset with qemu, not sure I get source now. This was diff than master
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Jul 31, 2024
    ab1c25d

Commits on Aug 9, 2024

  1. Bring dasharo+heads MSI boards + code changes from downstream Dasharo/heads fork to upstream
    
    - files: boards + coreboot + linux, borrowed directly from Dasharo@cb43039 tip
    - cbfs-init modified as per downstream fork dasharo+heads used modifications (flashrom)
    - ash_functions modified as per downstream fork dasharo+heads used modifications (CBFS)
    - network-init-recovery modified as per downstream fork dasharo+heads used modifications (igc)
    - modules/linux modified as per downstream fork dasharo+heads used modifications (igc)
    - modules/coreboot modified as per downstream fork dasharo+heads used modifications (also impact nv41/ns50: coreboot version bump)
    - Circleci: added boards being dependent of nv41
    
    This requires Nk3 firmware to be 1.7.1+ as per https://www.nitrokey.com/blog/2024/heads-v25-and-nitrokey-3-firmware-v171-security-update
    
    DISCLAIMER: UNTESTED
    
    Sorry, not gonna cherry-pick commits here, way too messy.
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Aug 9, 2024
    4c4a8c6
  2. flashrom: switch to Dasharo fork

    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Aug 9, 2024
    b2c4351
  3. flashrom: switch back to flashrom upstream, but bump to release 1.4.0 released 2 weeks ago. Expected that patches from 2 years ago were merged upstream
    
    - delete unapplied kgpe-d16 patch (will need to be brought back, was not applied currently on master)
    - add patches/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/0001-Add_RaptorPoint_PCH_support.patch which was not submitted to flashrom and needed by MSI
    - point modules/flashrom to release 1.4.0 commit
    
    FAILED:
    https://github.com/Dasharo/flashrom/commit/24b8fcfccef31fbb95bc1dd308180f57d5cdb64c.patch
    Cannot be applied over 1.4.0:
    if [ -d patches/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38 ] && [ -r patches/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38 ] ; then for patch in patches/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/*.patch ; do echo "Applying patch file : $patch " ; ( git apply --verbose --reject --binary --directory build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38 ) < $patch || exit 1 ; done ; fi
    Applying patch file : patches/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/0001-Add_RaptorPoint_PCH_support.patch
    Checking patch build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/chipset_enable.c...
    error: while searching for:
    	case CHIPSET_400_SERIES_COMET_POINT:
    	case CHIPSET_500_SERIES_TIGER_POINT:
    	case CHIPSET_600_SERIES_ALDER_POINT:
    	case CHIPSET_METEOR_LAKE:
    	case CHIPSET_ELKHART_LAKE:
    	case CHIPSET_APOLLO_LAKE:
    
    error: patch failed: build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/chipset_enable.c:607
    error: while searching for:
    		break;
    	case CHIPSET_500_SERIES_TIGER_POINT:
    	case CHIPSET_600_SERIES_ALDER_POINT:
    	case CHIPSET_METEOR_LAKE:
    		boot_straps = boot_straps_pch500;
    		break;
    
    error: patch failed: build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/chipset_enable.c:714
    error: while searching for:
    	case CHIPSET_400_SERIES_COMET_POINT:
    	case CHIPSET_500_SERIES_TIGER_POINT:
    	case CHIPSET_600_SERIES_ALDER_POINT:
    	case CHIPSET_METEOR_LAKE:
    	case CHIPSET_APOLLO_LAKE:
    	case CHIPSET_GEMINI_LAKE:
    
    error: patch failed: build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/chipset_enable.c:749
    Hunk #4 succeeded at 1017 (offset 5 lines).
    error: while searching for:
    	{0x8086, 0x7a83, B_S,    NT,  "Intel", "Q670",				enable_flash_pch600},
    	{0x8086, 0x7a84, B_S,    DEP, "Intel", "Z690",				enable_flash_pch600},
    	{0x8086, 0x7a88, B_S,    NT,  "Intel", "W680",				enable_flash_pch600},
    	{0x8086, 0x7a8a, B_S,    NT,  "Intel", "W685",				enable_flash_pch600},
    	{0x8086, 0x7a8d, B_S,    NT,  "Intel", "WM690",				enable_flash_pch600},
    	{0x8086, 0x7a8c, B_S,    NT,  "Intel", "HM670",				enable_flash_pch600},
    	{0x8086, 0x7e23, B_S,    DEP, "Intel", "Meteor Lake-P/M",		enable_flash_mtl},
    	{0},
    
    error: patch failed: build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/chipset_enable.c:2175
    Checking patch build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/ich_descriptors.c...
    error: while searching for:
    	case CHIPSET_400_SERIES_COMET_POINT:
    	case CHIPSET_500_SERIES_TIGER_POINT:
    	case CHIPSET_600_SERIES_ALDER_POINT:
    	case CHIPSET_METEOR_LAKE:
    	case CHIPSET_ELKHART_LAKE:
    	case CHIPSET_JASPER_LAKE:
    
    error: patch failed: build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/ich_descriptors.c:48
    error: while searching for:
    	case CHIPSET_C620_SERIES_LEWISBURG:
    	case CHIPSET_APOLLO_LAKE:
    	case CHIPSET_600_SERIES_ALDER_POINT:
    	case CHIPSET_METEOR_LAKE:
    	case CHIPSET_GEMINI_LAKE:
    	case CHIPSET_JASPER_LAKE:
    
    error: patch failed: build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/ich_descriptors.c:77
    error: while searching for:
    	case CHIPSET_400_SERIES_COMET_POINT:
    	case CHIPSET_500_SERIES_TIGER_POINT:
    	case CHIPSET_600_SERIES_ALDER_POINT:
    	case CHIPSET_METEOR_LAKE:
    	case CHIPSET_APOLLO_LAKE:
    	case CHIPSET_GEMINI_LAKE:
    
    error: patch failed: build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/ich_descriptors.c:215
    error: while searching for:
    		return freq_str[2][value];
    	case CHIPSET_500_SERIES_TIGER_POINT:
    	case CHIPSET_600_SERIES_ALDER_POINT:
    	case CHIPSET_METEOR_LAKE:
    		return freq_str[3][value];
    	case CHIPSET_ELKHART_LAKE:
    
    error: patch failed: build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/ich_descriptors.c:313
    error: while searching for:
    	case CHIPSET_400_SERIES_COMET_POINT:
    	case CHIPSET_500_SERIES_TIGER_POINT:
    	case CHIPSET_600_SERIES_ALDER_POINT:
    	case CHIPSET_METEOR_LAKE:
    	case CHIPSET_APOLLO_LAKE:
    	case CHIPSET_GEMINI_LAKE:
    
    error: patch failed: build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/ich_descriptors.c:361
    error: while searching for:
    	    cs == CHIPSET_400_SERIES_COMET_POINT ||
    	    cs == CHIPSET_500_SERIES_TIGER_POINT ||
    	    cs == CHIPSET_600_SERIES_ALDER_POINT ||
    	    cs == CHIPSET_JASPER_LAKE || cs == CHIPSET_METEOR_LAKE) {
    		const char *const master_names[] = {
    			"BIOS", "ME", "GbE", "unknown", "EC",
    
    error: patch failed: build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/ich_descriptors.c:489
    error: while searching for:
    	case CHIPSET_400_SERIES_COMET_POINT:
    	case CHIPSET_500_SERIES_TIGER_POINT:
    	case CHIPSET_600_SERIES_ALDER_POINT:
    	case CHIPSET_METEOR_LAKE:
    	case CHIPSET_GEMINI_LAKE:
    	case CHIPSET_JASPER_LAKE:
    
    error: patch failed: build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/ich_descriptors.c:1087
    error: while searching for:
    	case CHIPSET_400_SERIES_COMET_POINT:
    	case CHIPSET_500_SERIES_TIGER_POINT:
    	case CHIPSET_600_SERIES_ALDER_POINT:
    	case CHIPSET_METEOR_LAKE:
    	case CHIPSET_APOLLO_LAKE:
    	case CHIPSET_GEMINI_LAKE:
    
    error: patch failed: build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/ich_descriptors.c:1246
    error: while searching for:
    	case CHIPSET_400_SERIES_COMET_POINT:
    	case CHIPSET_500_SERIES_TIGER_POINT:
    	case CHIPSET_600_SERIES_ALDER_POINT:
    	case CHIPSET_METEOR_LAKE:
    	case CHIPSET_APOLLO_LAKE:
    	case CHIPSET_GEMINI_LAKE:
    
    error: patch failed: build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/ich_descriptors.c:1291
    Checking patch build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/ichspi.c...
    error: while searching for:
    	case CHIPSET_400_SERIES_COMET_POINT:
    	case CHIPSET_500_SERIES_TIGER_POINT:
    	case CHIPSET_600_SERIES_ALDER_POINT:
    	case CHIPSET_METEOR_LAKE:
    	case CHIPSET_APOLLO_LAKE:
    	case CHIPSET_GEMINI_LAKE:
    
    error: patch failed: build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/ichspi.c:1884
    error: while searching for:
    	case CHIPSET_400_SERIES_COMET_POINT:
    	case CHIPSET_500_SERIES_TIGER_POINT:
    	case CHIPSET_600_SERIES_ALDER_POINT:
    	case CHIPSET_METEOR_LAKE:
    	case CHIPSET_APOLLO_LAKE:
    	case CHIPSET_GEMINI_LAKE:
    
    error: patch failed: build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/ichspi.c:1923
    error: while searching for:
    	case CHIPSET_400_SERIES_COMET_POINT:
    	case CHIPSET_500_SERIES_TIGER_POINT:
    	case CHIPSET_600_SERIES_ALDER_POINT:
    	case CHIPSET_METEOR_LAKE:
    	case CHIPSET_APOLLO_LAKE:
    	case CHIPSET_GEMINI_LAKE:
    
    error: patch failed: build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/ichspi.c:1984
    error: while searching for:
    		case CHIPSET_400_SERIES_COMET_POINT:
    		case CHIPSET_500_SERIES_TIGER_POINT:
    		case CHIPSET_600_SERIES_ALDER_POINT:
    		case CHIPSET_METEOR_LAKE:
    		case CHIPSET_APOLLO_LAKE:
    		case CHIPSET_GEMINI_LAKE:
    
    error: patch failed: build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/ichspi.c:2064
    error: while searching for:
    		case CHIPSET_400_SERIES_COMET_POINT:
    		case CHIPSET_500_SERIES_TIGER_POINT:
    		case CHIPSET_600_SERIES_ALDER_POINT:
    		case CHIPSET_METEOR_LAKE:
    		case CHIPSET_APOLLO_LAKE:
    		case CHIPSET_GEMINI_LAKE:
    
    error: patch failed: build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/ichspi.c:2103
    error: while searching for:
    	     ich_gen == CHIPSET_300_SERIES_CANNON_POINT ||
    	     ich_gen == CHIPSET_400_SERIES_COMET_POINT ||
    	     ich_gen == CHIPSET_500_SERIES_TIGER_POINT ||
    	     ich_gen == CHIPSET_600_SERIES_ALDER_POINT)) {
    		msg_pdbg("Enabling hardware sequencing by default for 100+ series PCH.\n");
    		ich_spi_mode = ich_hwseq;
    	}
    
    error: patch failed: build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/ichspi.c:2140
    Checking patch build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/include/programmer.h...
    error: while searching for:
    	CHIPSET_400_SERIES_COMET_POINT,
    	CHIPSET_500_SERIES_TIGER_POINT,
    	CHIPSET_600_SERIES_ALDER_POINT,
    	CHIPSET_METEOR_LAKE,
    	CHIPSET_APOLLO_LAKE,
    	CHIPSET_GEMINI_LAKE,
    
    error: patch failed: build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/include/programmer.h:376
    Checking patch build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/util/ich_descriptors_tool/ich_descriptors_tool.c...
    Hunk #1 succeeded at 239 (offset 1 line).
    Applying patch build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/chipset_enable.c with 4 rejects...
    Rejected hunk #1.
    Rejected hunk #2.
    Rejected hunk #3.
    Hunk #4 applied cleanly.
    Rejected hunk #5.
    Applying patch build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/ich_descriptors.c with 9 rejects...
    Rejected hunk #1.
    Rejected hunk #2.
    Rejected hunk #3.
    Rejected hunk #4.
    Rejected hunk #5.
    Rejected hunk #6.
    Rejected hunk #7.
    Rejected hunk #8.
    Rejected hunk #9.
    Applying patch build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/ichspi.c with 6 rejects...
    Rejected hunk #1.
    Rejected hunk #2.
    Rejected hunk #3.
    Rejected hunk #4.
    Rejected hunk #5.
    Rejected hunk #6.
    Applying patch build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/include/programmer.h with 1 reject...
    Rejected hunk #1.
    Applied patch build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/util/ich_descriptors_tool/ich_descriptors_tool.c cleanly.
    make: *** [Makefile:565: /home/user/heads/build/x86/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/.canary] Error 1
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Aug 9, 2024
    88513e3
  4. flashrom: Applying upstreamed RaptorPoint PCH support patch proposed upstream fails to build on 1.4.0
    
    2024-08-09 15:08:07+00:00 MAKE flashrom
    tail /home/user/heads/build/x86/log/flashrom.log
    -----
    ichspi.c:2152:2: note: previously used here
      case CHIPSET_METEOR_LAKE:
      ^~~~
    /home/user/heads/crossgcc/x86/bin/x86_64-linux-musl-gcc -fdebug-prefix-map=/home/user/heads=heads -gno-record-gcc-switches -D__MUSL__ --sysroot  /home/user/heads/install/x86 -isystem /home/user/heads/install/x86/include -L/home/user/heads/install/x86/lib  -MMD -Os -I/home/user/heads/install/x86/include/pci -Iinclude -I/home/user/heads/install/x86//include -D'HAVE_GETOPT_H=1'   -D'IS_WINDOWS=0' -D'__FLASHROM_LITTLE_ENDIAN__=1' -D'CONFIG_DEFAULT_PROGRAMMER_NAME=NULL' -D'CONFIG_DEFAULT_PROGRAMMER_ARGS=""' -D'CONFIG_DELAY_MINIMUM_SLEEP_US=100000' -D'CONFIG_INTERNAL=1' -D'CONFIG_INTERNAL_DMI=1' -D'__FLASHROM_HAVE_OUTB__=1' -D'HAVE_UTSNAME=1' -D'HAVE_CLOCK_GETTIME=1' -D'FLASHROM_VERSION="1.4.0 (git:v0.2.0-2284-g88513e3f06)"'  -o hwaccess_x86_io.o -c hwaccess_x86_io.c
    ichspi.c: In function 'init_ich_default':
    ichspi.c:2381:48: error: expected ';' before ')' token
           ich_gen == CHIPSET_C740_SERIES_EMMITSBURG)) {
                                                    ^
                                                    ;
    ichspi.c:2381:48: error: expected statement before ')' token
    ichspi.c:2381:49: error: expected statement before ')' token
           ich_gen == CHIPSET_C740_SERIES_EMMITSBURG)) {
                                                     ^
    ichspi.c:2504:1: error: expected declaration or statement at end of input
     }
     ^
    /home/user/heads/crossgcc/x86/bin/x86_64-linux-musl-gcc -fdebug-prefix-map=/home/user/heads=heads -gno-record-gcc-switches -D__MUSL__ --sysroot  /home/user/heads/install/x86 -isystem /home/user/heads/install/x86/include -L/home/user/heads/install/x86/lib  -MMD -Os -I/home/user/heads/install/x86/include/pci -Iinclude -I/home/user/heads/install/x86//include -D'HAVE_GETOPT_H=1'   -D'IS_WINDOWS=0' -D'__FLASHROM_LITTLE_ENDIAN__=1' -D'CONFIG_DEFAULT_PROGRAMMER_NAME=NULL' -D'CONFIG_DEFAULT_PROGRAMMER_ARGS=""' -D'CONFIG_DELAY_MINIMUM_SLEEP_US=100000' -D'CONFIG_INTERNAL=1' -D'CONFIG_INTERNAL_DMI=1' -D'__FLASHROM_HAVE_OUTB__=1' -D'HAVE_UTSNAME=1' -D'HAVE_CLOCK_GETTIME=1' -D'FLASHROM_VERSION="1.4.0 (git:v0.2.0-2284-g88513e3f06)"'  -o hwaccess_physmap.o -c hwaccess_physmap.c
    make[1]: *** [Makefile:1050: ichspi.o] Error 1
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Aug 9, 2024
    commit e8aaaab
  5. flashrom: 1.4.0: update pending patch to upstream master downstream under Heads
    
    repro:
    git fetch https://review.coreboot.org/flashrom refs/changes/54/83854/3 && git format-patch -1 --stdout FETCH_HEAD > patches/flashrom-eace095b15eb034e42d97202cad70ce979d8ca38/0001-Add_RaptorPoint_PCH_support.patch
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Aug 9, 2024
    commit a60e6a1
  6. MSI board configs: clarify requirements, DDR4/DDR5 board names, unify config layout against qemu-coreboot-fbwhiptail-tpm2
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Aug 9, 2024
    commit f7c9930

Commits on Aug 11, 2024

  1. flashrom: disable prettyprint_ich9_reg_hsfc so that Heads flash progress workaround works in absence of flashrom --progress
    
    Respin of https://github.com/Dasharo/flashrom/commit/6b2061bc0699202f81aeb782f301f1bba9f8a826.patch which cannot be cherry-picked
    See Dasharo/flashrom#11 (comment)
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Aug 11, 2024
    commit 664df3b

Commits on Aug 23, 2024

  1. flash.sh: drop inhouse progress output on console when flashing with flashrom
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Aug 23, 2024
    commit d2d33bc
  2. commit 35b43b0
  3. flash.sh: Add warning to remind user to not interfere with flashrom operations that will follow
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Aug 23, 2024
    commit 6559d26
  4. Merge remote-tracking branch 'osresearch/master' into bring_downstream_Dasharo-Heads_msi_to_upstream
    tlaurion committed Aug 23, 2024
    commit 1a8fe4d
  5. boards: noverify-all replaced by noverify

    Per docs, noverify-all:
     -N | --noverify-all                verify included regions only (cf. -i)
    
    Where noverify:
    -n | --noverify                    don't auto-verify
    
    Seems like we always intended to skip verification since we use internal programmer here and there would not be any misconnection from probe/clip.
    Also, on nv41, verification fails, which made me write older rom before rebooting and caused a brick. Could not replicate.
    But reviewing board configs options made noverify-all obviously not pertinent outside of boards specifying -i/--ifd, which still is nonsense for internal programmer.
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Aug 23, 2024
    commit 199acb9

Commits on Aug 24, 2024

  1. Improve TPM Extend info in normal and DEBUG mode

    cbfs-init: remove temp files, measure direct cbfs output, extend PCR with proper introspection tracing
    flash.sh: do not die but go to recovery if flashrom fails, cosmetic fix for warning given to user
    kexec-insert-key: extend PCR with proper introspection tracing
    kexec-select-boot: extend PCR with proper introspection tracing
    kexec-measure-luks: extend PCR with proper introspection tracing
    tpmr: Add missing TRACE_FUNC, fix comments, extend give hash that was extended to tpm call in DEBUG, fix TPM startsession unsuppressed output still present
    ash_functions: extend PCR with proper introspection tracing
    insmod: DEBUG info more pertinent, extend PCR with proper introspection tracing
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Aug 24, 2024
    commit 5299266

Commits on Aug 28, 2024

  1. Merge remote-tracking branch 'osresearch/master' into bring_downstream_Dasharo-Heads_msi_to_upstream
    tlaurion committed Aug 28, 2024
    commit 8e3bc51
  2. WiP TPM pubkey early boot verification troubleshoot and fix

    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Aug 28, 2024
    commit 57aaccc
  3. tpmr : match desc of function in comment

    Co-authored-by: JonathonHall-Purism <[email protected]>
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion and JonathonHall-Purism committed Aug 28, 2024
    commit 7ca8d42

Commits on Sep 1, 2024

  1. add flashprog support: failed attempt to use review.sourcearcade.org for tarballs download
    
    - Add Makefile new app dep verification
    - Add modules/flashprog pointing to review.sourcearcade.org: website fails to produce reproducible tarballs.
    
    Notes:
    - Unfortunately, we cannot use review platform to generate reproducible tarballs, those don't have the same checksum on each download:
    user@heads-tests-deb12-nix:~/heads$ wget https://review.sourcearcade.org/changes/flashprog~72991/revisions/5/archive?format=tgz -O test.tar.gz
    --2024-08-31 09:38:14--  https://review.sourcearcade.org/changes/flashprog~72991/revisions/5/archive?format=tgz
    Resolving review.sourcearcade.org (review.sourcearcade.org)... 88.99.35.89
    Connecting to review.sourcearcade.org (review.sourcearcade.org)|88.99.35.89|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: unspecified [application/x-gzip]
    Saving to: ‘test.tar.gz’
    
    test.tar.gz                                              [        <=>                                                                                                           ] 508.19K   225KB/s    in 2.3s
    
    2024-08-31 09:38:18 (225 KB/s) - ‘test.tar.gz’ saved [520389]
    
    user@heads-tests-deb12-nix:~/heads$ sha256sum test.tar.gz
    af2fb823c2699d37db284c1b3066352a59446b7ea491a585df4eeaa25d932a29  test.tar.gz
    user@heads-tests-deb12-nix:~/heads$ sha256sum test.tar.gz
    af2fb823c2699d37db284c1b3066352a59446b7ea491a585df4eeaa25d932a29  test.tar.gz
    user@heads-tests-deb12-nix:~/heads$ wget https://review.sourcearcade.org/changes/flashprog~72991/revisions/5/archive?format=tgz -O test.tar.gz
    --2024-08-31 09:38:37--  https://review.sourcearcade.org/changes/flashprog~72991/revisions/5/archive?format=tgz
    Resolving review.sourcearcade.org (review.sourcearcade.org)... 88.99.35.89
    Connecting to review.sourcearcade.org (review.sourcearcade.org)|88.99.35.89|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: unspecified [application/x-gzip]
    Saving to: ‘test.tar.gz’
    
    test.tar.gz                                              [   <=>                                                                                                                ] 508.22K   855KB/s    in 0.6s
    
    2024-08-31 09:38:38 (855 KB/s) - ‘test.tar.gz’ saved [520417]
    
    user@heads-tests-deb12-nix:~/heads$ sha256sum test.tar.gz
    9225002d508bd8e2fc42a2bdcd0741cb93ed2cfc811fcd7e03b0242205d4954b  test.tar.gz
    user@heads-tests-deb12-nix:~/heads$ wget https://review.sourcearcade.org/changes/flashprog~72991/revisions/5/archive?format=tgz -O test.tar.gz
    --2024-08-31 09:38:43--  https://review.sourcearcade.org/changes/flashprog~72991/revisions/5/archive?format=tgz
    Resolving review.sourcearcade.org (review.sourcearcade.org)... 88.99.35.89
    Connecting to review.sourcearcade.org (review.sourcearcade.org)|88.99.35.89|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: unspecified [application/x-gzip]
    Saving to: ‘test.tar.gz’
    
    test.tar.gz                                              [     <=>                                                                                                              ] 508.18K   367KB/s    in 1.4s
    
    2024-08-31 09:38:45 (367 KB/s) - ‘test.tar.gz’ saved [520378]
    
    user@heads-tests-deb12-nix:~/heads$ sha256sum test.tar.gz
    ebdb7ac0c964178bc312d50547cc7ec82c1c5ffb7d04167fe0ac83deca94ee81  test.tar.gz
    
      - Github mirror is only for committed code. Will have to work around that somehow: https://github.com/SourceArcade/flashprog
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Sep 1, 2024
    commit cab0aa2
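The checksum drift shown in the commit message above is exactly what defeats a pinned-hash dependency check such as the Makefile verification this commit adds: if the server regenerates the archive differently on each download, no single sha256 can be pinned. The script below is an added example, not Heads' Makefile nor anything from the flashprog project. It constructs a small source tree in a temp directory, archives it twice the naive way and twice with a deterministic recipe (fixed member ordering, zeroed mtime and ownership, gzip -n), and checks each pair against a pinned sha256 the way a Heads-style module check would. File names, paths and the verify_pinned helper are constructed for the demonstration; it assumes GNU tar (for --sort and --mtime) and coreutils sha256sum.

```shell
#!/bin/sh
# Added example (not Heads' Makefile or flashprog's build system):
# why a pinned sha256 only works when the archive is produced deterministically,
# and how to produce such an archive. All inputs are constructed; nothing is downloaded.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build a tiny source tree standing in for a flashprog checkout (constructed).
make_tree() {
    rm -rf "$WORK/src"
    mkdir -p "$WORK/src/util"
    printf 'int main(void) { return 0; }\n' > "$WORK/src/flashprog.c"
    printf 'all:\n\tcc -o flashprog flashprog.c\n' > "$WORK/src/Makefile"
    printf 'helper\n' > "$WORK/src/util/helper.sh"
}

# Naive archive: tar records each member's mtime and owner, and gzip records a
# timestamp, so the same tree archived twice rarely yields the same bytes.
naive_tarball() {  # $1 = output path
    ( cd "$WORK" && tar -czf "$1" src )
}

# Reproducible archive: sorted members, mtime forced to the epoch, numeric
# owner 0:0, and gzip -n so neither a name nor a timestamp lands in the header.
reproducible_tarball() {  # $1 = output path
    ( cd "$WORK" && tar --sort=name --mtime='@0' --owner=0 --group=0 --numeric-owner \
          -cf - src | gzip -n -9 > "$1" )
}

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Pin check in the style of a module hash verification: accept the artifact
# only if its digest equals the pinned one. Returns 0 on match, 1 otherwise.
verify_pinned() {  # $1 = file, $2 = expected sha256
    [ "$(sha256_of "$1")" = "$2" ]
}

# Two naive archives of the same tree, with one file's mtime changed between
# them, as happens when a server re-checks out the sources before archiving.
# Returns 0 when the digests differ (the failure mode seen with the Gerrit download).
naive_differs() {
    make_tree
    naive_tarball "$WORK/a.tgz"
    touch -d '2001-01-01 00:00:00' "$WORK/src/flashprog.c"
    naive_tarball "$WORK/b.tgz"
    [ "$(sha256_of "$WORK/a.tgz")" != "$(sha256_of "$WORK/b.tgz")" ]
}

# Same experiment with the deterministic recipe: the second archive still
# matches the digest pinned from the first. Returns 0 on success.
reproducible_matches() {
    make_tree
    reproducible_tarball "$WORK/c.tgz"
    touch -d '2001-01-01 00:00:00' "$WORK/src/flashprog.c"
    reproducible_tarball "$WORK/d.tgz"
    pin="$(sha256_of "$WORK/c.tgz")"
    verify_pinned "$WORK/d.tgz" "$pin"
}

if naive_differs; then echo "naive archives: digests differ, cannot be pinned"; fi
if reproducible_matches; then echo "reproducible archives: digest matches the pin"; fi
```

The practical consequence is the one the commit message reaches: pin hashes only against artifacts whose producer is deterministic (a tagged release tarball or a git archive of a fixed commit), and treat a dynamically generated review-system archive as unpinnable even when its contents are the same.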
  2. commit cba46e4
  3. commit 91cbc66
  4. flash.sh: FLASHROM_OPTIONS->FLASH_OPTIONS: require FLASH_OPTIONS to specify flash program in board configs
    
    - boards: switch flashrom->flashprog, FLASH_OPTIONS: flashprog memory --progress --programmer internal
    
    TODO: check, Might break:
    - xx20 : x220/t420/t520: used hwseq: verify compat
    - legacy : not sure --ifd bios are supported: verify compat (and drop, future PR drop legacy boards anyway...)
    - talos: linux_mtd is used: verify compat
    
    Tested:
    - x230 works with awesome progress bar on read, erase and write.
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Sep 1, 2024
    commit c1f0fbb
  5. boards FLASH_OPTIONS: add --noverify. No point verifying flash with internal programmer?
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Sep 1, 2024
    commit d58a94b
  6. boards FLASH_OPTIONS: remove --noverify/--noverify-all for now

    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Sep 1, 2024
    commit a4ef189
  7. flash.sh: replace die calls by recovery calls where relevant otherwise returning to caller without being useful
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Sep 1, 2024
    commit 2f3754d

Commits on Sep 2, 2024

  1. init: make sure config.user is overridden only with new values so that going DEBUG/undoing can work reproducibly
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Sep 2, 2024
    commit da240c7
  2. config-gui.sh: unset DEBUG and TRACE configs instead of setting no 'n'

    ash_functions: add unset_user_config; unset variable, delete from configs and source /tmp/config in running console
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Sep 2, 2024
    commit 7f2279e
  3. config-gui.sh: revert unsetting of CONFIG_DEBUG_OUTPUT and CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT back to set_user_config 'n' for security reason
    
    By playing with this, I came to realize an attacker could:
    - Turn machine on, Enable DEBUG mode, flash user.config to CBFS, reboot
    - Refuse to reseal TOTP/HOTP, Extract secrets from DEBUG screen captures/mount-usb --mode rw + cp /tmp/debug.log /media, reboot
    - Turn Machine on, Disable DEBUG mode which called unset_user_config, flash user.config back to CBFS, reboot
    TOTP/HOTP/TPM DUK would be unchanged from prior commit where new unset_user_config was called
    
    TODO: Debate this.
    
    Convenience:
    - User could switch debug on, output log without resealing, send to devs, switch debug mode off
    
    Security:
    - We arrive at a point where authentication to prevent flashing/booting from usb/going to recovery shell is needed.
    
    The only possible trade-off between UX convenience without security loss is by enabling Authenticated Heads.
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Sep 2, 2024
    commit c745e04
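To make the concern in the commit message above concrete: the script below is an added example, not Heads' ash_functions or config-gui.sh. It uses minimal stand-ins for set_user_config and unset_user_config operating on a constructed config.user, and takes the file's sha256 as a stand-in for the CBFS measurement that TOTP/HOTP sealing depends on. It shows that an enable-then-unset cycle returns the file to a byte-identical state, so the measurement cannot distinguish it from a config that was never touched, whereas disabling with an explicit 'n' changes the measured content and therefore forces a reseal that the owner would notice. The two CONFIG_ key names come from the commit; the config path, baseline contents and the helper implementations are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not Heads' code: stand-ins for set_user_config / unset_user_config
# and a file digest standing in for the CBFS measurement sealed into TOTP/HOTP.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CONFIG_USER="$WORK/config.user"   # stand-in for the real config.user path (assumption)

# Constructed baseline: a config.user that never mentions the debug knobs.
write_baseline() {
    printf '%s\n' \
        'export CONFIG_AUTO_BOOT_TIMEOUT=5' \
        'export CONFIG_BOOT_DEV="/dev/sda1"' > "$CONFIG_USER"
}

# Replace or append "export KEY=VALUE" (hypothetical stand-in for set_user_config).
set_user_config() {  # $1 = key, $2 = value
    if grep -q "^export $1=" "$CONFIG_USER"; then
        sed -i "s|^export $1=.*|export $1=$2|" "$CONFIG_USER"
    else
        echo "export $1=$2" >> "$CONFIG_USER"
    fi
}

# Delete the key entirely (hypothetical stand-in for unset_user_config).
unset_user_config() {  # $1 = key
    sed -i "/^export $1=/d" "$CONFIG_USER"
}

# Digest of the file that would be flashed into CBFS; stands in for the PCR
# measurement whose value the TOTP/HOTP secret is sealed against.
measure() { sha256sum "$CONFIG_USER" | cut -d' ' -f1; }

# Enable debug, then disable it by unsetting. Returns 0 when the final
# measurement equals the baseline, i.e. the excursion left no measurable trace.
cycle_with_unset_is_invisible() {
    write_baseline
    before="$(measure)"
    set_user_config CONFIG_DEBUG_OUTPUT y
    set_user_config CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT y
    unset_user_config CONFIG_DEBUG_OUTPUT
    unset_user_config CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT
    [ "$(measure)" = "$before" ]
}

# Same cycle, but disable by writing an explicit 'n'. Returns 0 when the final
# measurement differs from the baseline, so TOTP/HOTP would fail until resealed.
cycle_with_explicit_n_is_visible() {
    write_baseline
    before="$(measure)"
    set_user_config CONFIG_DEBUG_OUTPUT y
    set_user_config CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT y
    set_user_config CONFIG_DEBUG_OUTPUT n
    set_user_config CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT n
    [ "$(measure)" != "$before" ]
}

if cycle_with_unset_is_invisible; then
    echo "unset cycle: config byte-identical to baseline, measurement unchanged"
fi
if cycle_with_explicit_n_is_visible; then
    echo "explicit 'n' cycle: config differs from baseline, reseal required"
fi
```

The digest comparison is the whole point: a measured-boot design only detects what changes the measured bytes, so a toggle whose undo restores the exact original image is invisible to it, which is why the commit message concludes that convenience here has to be paid for with authentication rather than with an unset.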
  4. Revert "config-gui.sh: revert unsetting of CONFIG_DEBUG_OUTPUT and CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT back to set_user_config 'n' for security reason"
    
    I prefer this with Authenticated Heads.
    
    Todo: maybe we want to use log vs DEBUG calls to log under /tmp/debug.log for PCRs and stuff, requiring access to console to get traces behind auth.
    
    This reverts commit c745e04.
    tlaurion committed Sep 2, 2024
    commit cb135b3
  5. Merge branch 'improve_tpm_basic_instrospection' into flashprog_init_fix-hard_debug-easy_undo-staging_all_pending
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Sep 2, 2024
    commit 6b850cd
  6. Merge branch 'cryptsetup_version_bump-reencryption_cleanup' into flashprog_init_fix-hard_debug-easy_undo-staging_all_pending
    tlaurion committed Sep 2, 2024
    commit 12a7692
  7. Merge branch 'bring_downstream_Dasharo-Heads_msi_to_upstream' into flashprog_init_fix-hard_debug-easy_undo-staging_all_pending
    
    Signed-off-by: Thierry Laurion <[email protected]>
    tlaurion committed Sep 2, 2024
    commit ce184fc