Merge remote-tracking branch 'osresearch/master' into pr/tlaurion/1630

FAQ.md

@@ -112,8 +112,8 @@ your disk password, which is perhaps an improvement.
 
 Disk key in TPM (LUKS TPM Disk Unlock Key) or user passphrase?
 ---
-Depends on your threat model.  With the disk key in the TPM an attacker
-would need to have the entire machine (or a backdoor in the TPM)
+Depends on your threat model.  With the Disk Unlock Key in the TPM an
+attacker would need to have the entire machine (or a backdoor in the TPM)
 to get the key and their attempts to unlock it can be rate limited
 by the TPM hardware.
 

boards/qemu-coreboot-fbwhiptail-tpm1-hotp/qemu-coreboot-fbwhiptail-tpm1-hotp.config

@@ -8,66 +8,90 @@ export CONFIG_COREBOOT=y
 export CONFIG_COREBOOT_VERSION=4.22.01
 export CONFIG_LINUX_VERSION=5.10.5
 
+CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config
+CONFIG_LINUX_CONFIG=config/linux-qemu.config
+
 #Enable only one RESTRICTED/BASIC boot modes below to test them manually (we cannot inject config under QEMU (no internal flashing)
 #export CONFIG_RESTRICTED_BOOT=y
 #export CONFIG_BASIC=y
 
+#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
+#export CONFIG_HAVE_GPG_KEY_BACKUP=y
+
 #Enable DEBUG output
 export CONFIG_DEBUG_OUTPUT=y
 export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
+#Enable TPM2 pcap output under /tmp
+#export CONFIG_TPM2_CAPTURE_PCAP=y
+
+#On-demand hardware support (modules.cpio)
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000=y
+#CONFIG_MOBILE_TETHERING=y
 
-CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config
-CONFIG_LINUX_CONFIG=config/linux-qemu.config
 
+
+#Modules packed into tools.cpio
 ifeq "$(CONFIG_UROOT)" "y"
 CONFIG_BUSYBOX=n
 else
-CONFIG_KEXEC=y
-CONFIG_QRENCODE=y
-CONFIG_TPMTOTP=y
-CONFIG_POPT=y
-CONFIG_FLASHTOOLS=y
-CONFIG_FLASHROM=y
-CONFIG_PCIUTILS=y
-CONFIG_UTIL_LINUX=y
 CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
 CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
 CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
-CONFIG_DROPBEAR=y
+CONFIG_PCIUTILS=y
+#Runtime tools to write to EC/MSR
+CONFIG_IOTOOLS=y
 CONFIG_MSRTOOLS=y
+#Remote attestation support
+# TPM2 requirements
+#CONFIG_TPM2_TSS=y
+#CONFIG_OPENSSL=y
+#Remote Attestation common tools
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
 CONFIG_HOTPKEY=y
-export CONFIG_AUTO_BOOT_TIMEOUT=5
-
-#Uncomment only one of the following block
-#Required for graphical gui-init (FBWhiptail)
+#Nitrokey Storage admin tool (deprecated)
+#CONFIG_NKSTORECLI=n
+#GUI Support
+#FBWhiptail based (Graphical):
 CONFIG_CAIRO=y
 CONFIG_FBWHIPTAIL=y
-#
 #text-based init (generic-init and gui-init)
 #CONFIG_NEWT=y
 #CONFIG_SLANG=y
-
+#Additional tools (tools.cpio):
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
 endif
 
+#Runtime on-demand additional hardware support (modules.cpio)
 export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y
-CONFIG_LINUX_USB=y
-CONFIG_LINUX_E1000=y
 
-#Uncomment only one BOOTSCRIPT:
-#Whiptail-based init (text-based or FBWhiptail)
+
+#Runtime configuration
+#Automatically boot if HOTP is valid
+export CONFIG_AUTO_BOOT_TIMEOUT=5
+#TPM2 requirements
+#export CONFIG_TPM2_TOOLS=y
+#export CONFIG_PRIMARY_KEY_TYPE=ecc
+#TPM1 requirements
+export CONFIG_TPM=y
 export CONFIG_BOOTSCRIPT=/bin/gui-init
-#
 #text-based original init:
 #export CONFIG_BOOTSCRIPT=/bin/generic-init
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0"
 export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
 export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
-
-export CONFIG_TPM=y
-
 export CONFIG_BOOT_DEV="/dev/vda1"
 export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm1-hotp"
 

boards/qemu-coreboot-fbwhiptail-tpm1/qemu-coreboot-fbwhiptail-tpm1.config

@@ -6,6 +6,9 @@ export CONFIG_COREBOOT=y
 export CONFIG_COREBOOT_VERSION=4.22.01
 export CONFIG_LINUX_VERSION=5.10.5
 
+CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2.config
+CONFIG_LINUX_CONFIG=config/linux-qemu.config
+
 #Enable only one RESTRICTED/BASIC boot modes below to test them manually (we cannot inject config under QEMU (no internal flashing)
 #export CONFIG_RESTRICTED_BOOT=y
 #export CONFIG_BASIC=y
@@ -16,58 +19,77 @@ export CONFIG_LINUX_VERSION=5.10.5
 #Enable DEBUG output
 export CONFIG_DEBUG_OUTPUT=y
 export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
+#Enable TPM2 pcap output under /tmp
+#export CONFIG_TPM2_CAPTURE_PCAP=y
 
-CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm1.config
-CONFIG_LINUX_CONFIG=config/linux-qemu.config
+#On-demand hardware support (modules.cpio)
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000=y
+#CONFIG_MOBILE_TETHERING=y
 
+
+
+#Modules packed into tools.cpio
 ifeq "$(CONFIG_UROOT)" "y"
 CONFIG_BUSYBOX=n
 else
-CONFIG_KEXEC=y
-CONFIG_QRENCODE=y
-CONFIG_TPMTOTP=y
-CONFIG_POPT=y
-CONFIG_FLASHTOOLS=y
-CONFIG_FLASHROM=y
-CONFIG_PCIUTILS=y
-CONFIG_UTIL_LINUX=y
 CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
 CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
 CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
-CONFIG_DROPBEAR=y
+CONFIG_PCIUTILS=y
+#Runtime tools to write to EC/MSR
+CONFIG_IOTOOLS=y
 CONFIG_MSRTOOLS=y
+#Remote attestation support
+# TPM2 requirements
+#CONFIG_TPM2_TSS=y
+#CONFIG_OPENSSL=y
+#Remote Attestation common tools
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
 #CONFIG_HOTPKEY=y
-
-#Uncomment only one of the following block
-#Required for graphical gui-init (FBWhiptail)
+#Nitrokey Storage admin tool (deprecated)
+#CONFIG_NKSTORECLI=n
+#GUI Support
+#FBWhiptail based (Graphical):
 CONFIG_CAIRO=y
 CONFIG_FBWHIPTAIL=y
-#
 #text-based init (generic-init and gui-init)
 #CONFIG_NEWT=y
 #CONFIG_SLANG=y
-
+#Additional tools (tools.cpio):
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
 endif
 
+#Runtime on-demand additional hardware support (modules.cpio)
 export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y
-CONFIG_LINUX_USB=y
-CONFIG_LINUX_E1000=y
 
-#Uncomment only one BOOTSCRIPT:
-#Whiptail-based init (text-based or FBWhiptail)
+
+#Runtime configuration
+#Automatically boot if HOTP is valid
+export CONFIG_AUTO_BOOT_TIMEOUT=5
+#TPM2 requirements
+#export CONFIG_TPM2_TOOLS=y
+#export CONFIG_PRIMARY_KEY_TYPE=ecc
+#TPM1 requirements
+export CONFIG_TPM=y
 export CONFIG_BOOTSCRIPT=/bin/gui-init
-#
 #text-based original init:
 #export CONFIG_BOOTSCRIPT=/bin/generic-init
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0"
 export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
 export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
-
-export CONFIG_TPM=y
-
 export CONFIG_BOOT_DEV="/dev/vda1"
 export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm1"
 

boards/qemu-coreboot-fbwhiptail-tpm2-hotp/qemu-coreboot-fbwhiptail-tpm2-hotp.config

@@ -7,72 +7,90 @@ export CONFIG_COREBOOT=y
 export CONFIG_COREBOOT_VERSION=4.22.01
 export CONFIG_LINUX_VERSION=5.10.5
 
+CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2.config
+CONFIG_LINUX_CONFIG=config/linux-qemu.config
+
 #Enable only one RESTRICTED/BASIC boot modes below to test them manually (we cannot inject config under QEMU (no internal flashing)
 #export CONFIG_RESTRICTED_BOOT=y
 #export CONFIG_BASIC=y
 
+#Enable HAVE_GPG_KEY_BACKUP to test GPG key backup drive (we cannot inject config under QEMU (no internal flashing))
+#export CONFIG_HAVE_GPG_KEY_BACKUP=y
+
 #Enable DEBUG output
 export CONFIG_DEBUG_OUTPUT=y
 export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y
 #Enable TPM2 pcap output under /tmp
 export CONFIG_TPM2_CAPTURE_PCAP=y
 
-CONFIG_COREBOOT_CONFIG=config/coreboot-qemu-tpm2.config
-CONFIG_LINUX_CONFIG=config/linux-qemu.config
+#On-demand hardware support (modules.cpio)
+CONFIG_LINUX_USB=y
+CONFIG_LINUX_E1000=y
+#CONFIG_MOBILE_TETHERING=y
+
+
 
+#Modules packed into tools.cpio
 ifeq "$(CONFIG_UROOT)" "y"
 CONFIG_BUSYBOX=n
 else
-CONFIG_KEXEC=y
-CONFIG_QRENCODE=y
-CONFIG_TPMTOTP=y
-CONFIG_POPT=y
-CONFIG_FLASHTOOLS=y
-CONFIG_FLASHROM=y
-CONFIG_PCIUTILS=y
-CONFIG_UTIL_LINUX=y
 CONFIG_CRYPTSETUP2=y
+CONFIG_FLASHROM=y
+CONFIG_FLASHTOOLS=y
 CONFIG_GPG2=y
+CONFIG_KEXEC=y
+CONFIG_UTIL_LINUX=y
 CONFIG_LVM2=y
 CONFIG_MBEDTLS=y
-CONFIG_DROPBEAR=y
+CONFIG_PCIUTILS=y
+#Runtime tools to write to EC/MSR
+CONFIG_IOTOOLS=y
 CONFIG_MSRTOOLS=y
+#Remote attestation support
+# TPM2 requirements
+CONFIG_TPM2_TSS=y
+CONFIG_OPENSSL=y
+#Remote Attestation common tools
+CONFIG_POPT=y
+CONFIG_QRENCODE=y
+CONFIG_TPMTOTP=y
+#HOTP based remote attestation for supported USB Security dongle
+#With/Without TPM support
 CONFIG_HOTPKEY=y
-export CONFIG_AUTO_BOOT_TIMEOUT=5
-
-#Uncomment only one of the following block
-#Required for graphical gui-init (FBWhiptail)
+#Nitrokey Storage admin tool (deprecated)
+#CONFIG_NKSTORECLI=n
+#GUI Support
+#FBWhiptail based (Graphical):
 CONFIG_CAIRO=y
 CONFIG_FBWHIPTAIL=y
-#
 #text-based init (generic-init and gui-init)
 #CONFIG_NEWT=y
 #CONFIG_SLANG=y
-
+#Additional tools (tools.cpio):
+#SSH server (requires ethernet drivers, eg: CONFIG_LINUX_E1000E)
+CONFIG_DROPBEAR=y
 endif
 
+#Runtime on-demand additional hardware support (modules.cpio)
 export CONFIG_LINUX_USB_COMPANION_CONTROLLER=y
-CONFIG_LINUX_USB=y
-CONFIG_LINUX_E1000=y
 
-#Uncomment only one BOOTSCRIPT:
-#Whiptail-based init (text-based or FBWhiptail)
+
+#Runtime configuration
+#Automatically boot if HOTP is valid
+export CONFIG_AUTO_BOOT_TIMEOUT=5
+#TPM2 requirements
+export CONFIG_TPM2_TOOLS=y
+export CONFIG_PRIMARY_KEY_TYPE=ecc
+#TPM1 requirements
+#export CONFIG_TPM=y
 export CONFIG_BOOTSCRIPT=/bin/gui-init
-#
 #text-based original init:
 #export CONFIG_BOOTSCRIPT=/bin/generic-init
 export CONFIG_BOOT_REQ_HASH=n
 export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0"
 export CONFIG_BOOT_KERNEL_ADD="console=ttyS0 console=tty systemd.zram=0"
 export CONFIG_BOOT_KERNEL_REMOVE="quiet rhgb splash"
-
-#TPM2 requirements
-export CONFIG_TPM2_TOOLS=y
-export CONFIG_PRIMARY_KEY_TYPE=ecc
-CONFIG_TPM2_TSS=y
-CONFIG_OPENSSL=y
-
 export CONFIG_BOOT_DEV="/dev/vda1"
 export CONFIG_BOARD_NAME="qemu-coreboot-fbwhiptail-tpm2-hotp"