├── .circleci └── config.yml ├── .envrc ├── .gitattributes ├── .github ├── FUNDING.yml └── ISSUE_TEMPLATE │ ├── bug-report-for-everything-except-build-errors.md │ ├── bug-report-for-heads-build-errors.md │ └── feature_request.md ├── .gitignore ├── .gitlab-ci.yml.deprecated ├── BOARDS_AND_TESTERS.md ├── CONTRIBUTING.md ├── COPYING ├── FAQ.md ├── Makefile ├── README.md ├── WP_NOTES.md ├── bin ├── cpio-clean ├── fetch_coreboot_crossgcc_archive.sh ├── fetch_source_archive.sh ├── find_undocumented_config.sh ├── inject_gpg_key.sh ├── prepare_module_config.sh ├── seed_package_mirror.sh └── verity-sign ├── blobs ├── dev.cpio ├── haswell │ ├── .gitignore │ └── obtain-mrc ├── librem_jail │ ├── README │ ├── librem_11 │ │ ├── i915 │ │ │ └── icl_dmc_ver1_09.bin │ │ ├── intel │ │ │ ├── ibt-19-0-0.ddc │ │ │ └── ibt-19-0-0.sfi │ │ └── iwlwifi-QuZ-a0-jf-b0-72.ucode │ └── librem_mini_v2 │ │ ├── ar3k │ │ ├── AthrBT_0x11020100.dfu │ │ └── ramps_0x11020100_40.dfu │ │ ├── intel │ │ ├── ibt-20-1-3.ddc │ │ └── ibt-20-1-3.sfi │ │ └── iwlwifi-cc-a0-59.ucode ├── optiplex_9010 │ ├── README.md │ ├── ifd.bin │ ├── ifd_t16650.bin │ └── layout.txt ├── p8z77-m_pro │ └── download_BIOS_clean.sh ├── t420 │ ├── extract.sh │ ├── layout.txt │ └── readme.md ├── t440p │ ├── .gitignore │ ├── README.md │ ├── download-clean-me │ ├── extract │ ├── gbe.bin │ └── ifd.bin ├── utils │ └── me_cleaner │ │ └── me_cleaner.py ├── w541 │ ├── .gitignore │ ├── README.md │ ├── download-clean-me │ ├── extract │ ├── gbe.bin │ └── ifd.bin ├── x220 │ ├── .gitignore │ ├── extract.sh │ ├── layout.txt │ └── readme.md ├── xx20 │ ├── .gitignore │ ├── download_parse_me.sh │ ├── gbe.bin │ ├── hashes.txt │ ├── ifd.bin │ ├── layout.txt │ ├── me7_update_parser.py │ └── readme.md ├── xx30 │ ├── .gitignore │ ├── README │ ├── README_vbios │ ├── download_clean_me.sh │ ├── download_clean_me_manually.sh │ ├── extract.sh │ ├── gbe.bin │ ├── hashes.txt │ ├── ifd.bin │ ├── optiplex_7010_9010.sh │ ├── vbios_t530.sh │ └── vbios_w530.sh ├── xx80 │ ├── .gitignore │ ├── README.md │ ├── download_clean_deguard_me_pad_tb.sh │ ├── gbe.bin │ ├── hashes.txt │ └── ifd.bin └── z220 │ ├── .gitignore │ └── download_BIOS_clean.sh ├── boards ├── EOL_UNTESTED_t440p-hotp-maximized │ └── EOL_UNTESTED_t440p-hotp-maximized.config ├── EOL_UNTESTED_t440p-maximized │ └── EOL_UNTESTED_t440p-maximized.config ├── EOL_UNTESTED_t530-hotp-maximized │ └── EOL_UNTESTED_t530-hotp-maximized.config ├── EOL_UNTESTED_t530-maximized │ └── EOL_UNTESTED_t530-maximized.config ├── EOL_UNTESTED_w541-hotp-maximized │ └── EOL_UNTESTED_w541-hotp-maximized.config ├── EOL_UNTESTED_w541-maximized │ └── EOL_UNTESTED_w541-maximized.config ├── EOL_UNTESTED_z220-cmt-hotp-maximized │ └── EOL_UNTESTED_z220-cmt-hotp-maximized.config ├── EOL_UNTESTED_z220-cmt-maximized │ └── EOL_UNTESTED_z220-cmt-maximized.config ├── EOL_librem_13v2 │ └── EOL_librem_13v2.config ├── EOL_librem_13v4 │ └── EOL_librem_13v4.config ├── EOL_librem_15v3 │ └── EOL_librem_15v3.config ├── EOL_librem_15v4 │ └── EOL_librem_15v4.config ├── EOL_librem_l1um │ └── EOL_librem_l1um.config ├── EOL_optiplex-7010_9010-hotp-maximized │ └── EOL_optiplex-7010_9010-hotp-maximized.config ├── EOL_optiplex-7010_9010-maximized │ └── EOL_optiplex-7010_9010-maximized.config ├── EOL_optiplex-7010_9010_TXT-hotp-maximized │ └── EOL_optiplex-7010_9010_TXT-hotp-maximized.config ├── EOL_optiplex-7010_9010_TXT-maximized │ └── EOL_optiplex-7010_9010_TXT-maximized.config ├── EOL_t420-hotp-maximized │ └── EOL_t420-hotp-maximized.config ├── EOL_t420-maximized │ └── EOL_t420-maximized.config ├── EOL_t430-hotp-maximized │ └── EOL_t430-hotp-maximized.config ├── EOL_t430-maximized │ └── EOL_t430-maximized.config ├── EOL_t480-hotp-maximized │ └── EOL_t480-hotp-maximized.config ├── EOL_t480-maximized │ └── EOL_t480-maximized.config ├── EOL_w530-hotp-maximized │ └── EOL_w530-hotp-maximized.config ├── EOL_w530-maximized │ └── EOL_w530-maximized.config ├── EOL_x220-hotp-maximized │ └── EOL_x220-hotp-maximized.config ├── EOL_x220-maximized │ └── EOL_x220-maximized.config ├── EOL_x230-hotp-maximized-fhd_edp │ └── EOL_x230-hotp-maximized-fhd_edp.config ├── EOL_x230-hotp-maximized │ └── EOL_x230-hotp-maximized.config ├── EOL_x230-hotp-maximized_usb-kb │ └── EOL_x230-hotp-maximized_usb-kb.config ├── EOL_x230-maximized-fhd_edp │ └── EOL_x230-maximized-fhd_edp.config ├── EOL_x230-maximized │ └── EOL_x230-maximized.config ├── UNMAINTAINED_kgpe-d16_server-whiptail │ └── UNMAINTAINED_kgpe-d16_server-whiptail.config ├── UNMAINTAINED_kgpe-d16_server │ └── UNMAINTAINED_kgpe-d16_server.config ├── UNMAINTAINED_kgpe-d16_workstation-usb_keyboard │ └── UNMAINTAINED_kgpe-d16_workstation-usb_keyboard.config ├── UNMAINTAINED_kgpe-d16_workstation │ └── UNMAINTAINED_kgpe-d16_workstation.config ├── UNTESTED_nitropad-ns50 │ └── UNTESTED_nitropad-ns50.config ├── UNTESTED_talos-2 │ └── UNTESTED_talos-2.config ├── librem_11 │ ├── initrd │ │ └── etc │ │ │ └── board_keys.map │ └── librem_11.config ├── librem_14 │ └── librem_14.config ├── librem_l1um_v2 │ └── librem_l1um_v2.config ├── librem_mini │ ├── initrd │ │ └── bin │ │ │ ├── board-init.sh │ │ │ └── set_ec_poweron.sh │ └── librem_mini.config ├── librem_mini_v2 │ ├── initrd │ │ └── bin │ │ │ ├── board-init.sh │ │ │ └── set_ec_poweron.sh │ └── librem_mini_v2.config ├── novacustom-nv4x_adl │ └── novacustom-nv4x_adl.config ├── novacustom-v540tu │ └── novacustom-v540tu.config ├── novacustom-v560tu │ └── novacustom-v560tu.config ├── qemu-coreboot-fbwhiptail-tpm1-hotp-prod │ └── qemu-coreboot-fbwhiptail-tpm1-hotp-prod.config ├── qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet │ └── qemu-coreboot-fbwhiptail-tpm1-hotp-prod_quiet.config ├── qemu-coreboot-fbwhiptail-tpm1-hotp │ └── qemu-coreboot-fbwhiptail-tpm1-hotp.config ├── qemu-coreboot-fbwhiptail-tpm1-prod │ └── qemu-coreboot-fbwhiptail-tpm1-prod.config ├── qemu-coreboot-fbwhiptail-tpm1 │ └── qemu-coreboot-fbwhiptail-tpm1.config ├── qemu-coreboot-fbwhiptail-tpm2-hotp-prod │ └── qemu-coreboot-fbwhiptail-tpm2-hotp-prod.config ├── qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet │ └── qemu-coreboot-fbwhiptail-tpm2-hotp-prod_quiet.config ├── qemu-coreboot-fbwhiptail-tpm2-hotp │ └── qemu-coreboot-fbwhiptail-tpm2-hotp.config ├── qemu-coreboot-fbwhiptail-tpm2-prod │ └── qemu-coreboot-fbwhiptail-tpm2-prod.config ├── qemu-coreboot-fbwhiptail-tpm2 │ └── qemu-coreboot-fbwhiptail-tpm2.config ├── qemu-coreboot-whiptail-tpm1-hotp-prod │ └── qemu-coreboot-whiptail-tpm1-hotp-prod.config ├── qemu-coreboot-whiptail-tpm1-hotp │ └── qemu-coreboot-whiptail-tpm1-hotp.config ├── qemu-coreboot-whiptail-tpm1-prod │ └── qemu-coreboot-whiptail-tpm1-prod.config ├── qemu-coreboot-whiptail-tpm1 │ └── qemu-coreboot-whiptail-tpm1.config ├── qemu-coreboot-whiptail-tpm2-hotp-prod │ └── qemu-coreboot-whiptail-tpm2-hotp-prod.config ├── qemu-coreboot-whiptail-tpm2-hotp │ └── qemu-coreboot-whiptail-tpm2-hotp.config ├── qemu-coreboot-whiptail-tpm2-prod │ └── qemu-coreboot-whiptail-tpm2-prod.config └── qemu-coreboot-whiptail-tpm2 │ └── qemu-coreboot-whiptail-tpm2.config ├── branding └── Heads │ ├── CREDITS │ ├── ThePlexus-bootsplash-1024x768-DonateQrCode.jpg │ ├── ThePlexus-bootsplash-1024x768.jpg │ ├── ThePlexus-logo.jpg │ ├── bing-d-wid_heads-red_blue_background-plain-3_DonateQrCode.jpg │ ├── bing-d-wid_logo.svg │ ├── bootsplash.jpg │ ├── d-wid-ThePlexus_coreboot-linuxboot-heads_background-plain_DonateQrCode.jpg │ ├── d-wid-ThePlexus_heads_ThrillerAtPlay-background-binary_DonateQrCode.jpg │ ├── d-wid_heads-Thrilleratplay_background-binary-2_DonateQrCode.jpg │ └── d-wid_heads_background-plain-2_DonateQrCode.jpg ├── build └── .gitignore ├── config ├── busybox.config ├── coreboot-kgpe-d16_server-whiptail.config ├── coreboot-kgpe-d16_server.config ├── coreboot-kgpe-d16_workstation-usb_keyboard.config ├── coreboot-kgpe-d16_workstation.config ├── coreboot-librem_11.config ├── coreboot-librem_13v2.config ├── coreboot-librem_13v4.config ├── coreboot-librem_14.config ├── coreboot-librem_15v3.config ├── coreboot-librem_15v4.config ├── coreboot-librem_l1um.config ├── coreboot-librem_l1um_v2.config ├── coreboot-librem_mini.config ├── coreboot-librem_mini_v2.config ├── coreboot-nitropad-ns50.config ├── coreboot-novacustom-nv4x_adl.config ├── coreboot-novacustom-v540tu.config ├── coreboot-novacustom-v560tu.config ├── coreboot-optiplex-7019_9010-maximized.config ├── coreboot-optiplex-7019_9010_TXT-maximized.config ├── coreboot-p8z77-m_pro-tpm1.config ├── coreboot-qemu-tpm1-prod.config ├── coreboot-qemu-tpm1.config ├── coreboot-qemu-tpm2-prod.config ├── coreboot-qemu-tpm2.config ├── coreboot-t420-maximized.config ├── coreboot-t420.config ├── coreboot-t430-legacy-flash.config ├── coreboot-t430-legacy.config ├── coreboot-t430-maximized.config ├── coreboot-t440p.config ├── coreboot-t480-maximized.config ├── coreboot-t520-maximized.config ├── coreboot-t530-dgpu-maximized.config ├── coreboot-t530-maximized.config ├── coreboot-talos-2.config ├── coreboot-w530-dgpu-K1000m-maximized.config ├── coreboot-w530-dgpu-K2000m-maximized.config ├── coreboot-w530-maximized.config ├── coreboot-w541.config ├── coreboot-x220-maximized.config ├── coreboot-x220.config ├── coreboot-x230-legacy-flash.config ├── coreboot-x230-legacy.config ├── coreboot-x230-maximized-fhd_edp.config ├── coreboot-x230-maximized.config ├── coreboot-z220-cmt.config ├── linux-c216.config ├── linux-kgpe-d16_server-whiptail.config ├── linux-kgpe-d16_server.config ├── linux-kgpe-d16_workstation.config ├── linux-librem_common-6.1.8.config ├── linux-librem_common.config ├── linux-linuxboot.config ├── linux-novacustom-common.config ├── linux-qemu.config ├── linux-t440p.config ├── linux-t480.config ├── linux-talos-2.config ├── linux-w541.config ├── linux-x230-flash.config ├── linux-x230-legacy.config └── linux-x230-maximized.config ├── doc ├── config.md └── logging.md ├── docker_latest.sh ├── docker_local_dev.sh ├── docker_repro.sh ├── flake.lock ├── flake.nix ├── funding.json ├── initrd ├── .bash_history ├── .gnupg │ ├── gpg-agent.conf │ └── gpg.conf ├── bin │ ├── basic-autoboot.sh │ ├── cbfs-init │ ├── cbfs.sh │ ├── change-time.sh │ ├── config-gui.sh │ ├── flash-gui.sh │ ├── flash.sh │ ├── flashprog-kgpe-d16-openbmc.sh │ ├── generic-init │ ├── gpg-gui.sh │ ├── gpgv │ ├── gui-init │ ├── gui-init-basic │ ├── inject_firmware.sh │ ├── kexec-boot │ ├── kexec-insert-key │ ├── kexec-iso-init │ ├── kexec-parse-bls │ ├── kexec-parse-boot │ ├── kexec-save-default │ ├── kexec-save-key │ ├── kexec-seal-key │ ├── kexec-select-boot │ ├── kexec-sign-config │ ├── kexec-unseal-key │ ├── key-init │ ├── lock_chip │ ├── media-scan │ ├── mount-usb │ ├── network-init-recovery │ ├── oem-factory-reset │ ├── oem-system-info-xx30 │ ├── poweroff │ ├── qubes-measure-luks │ ├── reboot │ ├── root-hashes-gui.sh │ ├── seal-hotpkey │ ├── seal-totp │ ├── setconsolefont.sh │ ├── talos-init │ ├── tpm-reset │ ├── tpmr │ ├── uefi-init │ ├── unpack_initramfs.sh │ ├── unseal-hotp │ ├── unseal-totp │ ├── usb-autoboot.sh │ ├── usb-init │ ├── wget-measure.sh │ └── wipe-totp ├── etc │ ├── diceware_dictionaries │ │ └── eff_short_wordlist_2_0.txt │ ├── distro │ │ ├── gpg-agent.conf │ │ └── keys │ │ │ ├── archlinux.key │ │ │ ├── qubes-4.1.key │ │ │ ├── qubes-4.2.key │ │ │ ├── qubes-r4.1-weekly-builds-signing-key.asc │ │ │ ├── qubes-weekly-builds-signing-key.asc │ │ │ └── tails.key │ ├── fstab │ ├── functions │ ├── group │ ├── gui_functions │ ├── hosts │ ├── luks-functions │ ├── mke2fs.conf │ ├── motd │ ├── mtab │ ├── passwd │ └── shells ├── init ├── mount-boot ├── run │ └── cryptsetup │ │ └── .placeholder └── sbin │ ├── config-dhcp.sh │ └── insmod ├── install └── .gitignore ├── modules ├── bash ├── busybox ├── cairo ├── coreboot ├── coreboot-blobs ├── cryptsetup ├── cryptsetup2 ├── dropbear ├── e2fsprogs ├── exfatprogs ├── fbwhiptail ├── flashprog ├── flashrom ├── flashtools ├── frotz ├── gpg ├── gpg2 ├── hidapi ├── hotp-verification ├── io386 ├── ioport ├── json-c ├── kbd ├── kexec ├── libaio ├── libassuan ├── libgcrypt ├── libgpg-error ├── libhidapi-libusb ├── libksba ├── libnitrokey ├── libpng ├── libusb ├── libusb-compat ├── linux ├── linuxboot ├── lvm2 ├── mbedtls ├── msrtools ├── musl-cross-make ├── ncurses ├── newt ├── nkstorecli ├── npth ├── openssl ├── pciutils ├── pinentry ├── pixman ├── popt ├── powerpc-utils ├── purism-blobs ├── qrencode ├── slang ├── tpm2-tools ├── tpm2-tss ├── tpmtotp ├── u-root ├── util-linux ├── zlib └── zstd ├── packages └── .gitignore ├── patches ├── bash-5.1.16.patch ├── busybox-1.36.1.patch ├── coreboot-24.02.01 │ ├── 0001-vc_wuffs-upgrade-to-Wuffs_0.4.0-alpha.8.patch │ ├── 0002-lib_jpeg-avoidcalling-malloc-and-free.patch │ ├── 0003-CONFIG_RESOURCE_ALLOCATION_TOP_DOWN-CONFIG_DOMAIN_RESOURCE_32BIT_LIMIT.patch │ └── 0004-cbmem_tpm-clear_whole_log_on_creation.patch ├── coreboot-24.12 │ ├── 0001-soc-intel-skylake-configure-usb-acpi.patch │ ├── 0002-soc-intel-skylake-Enable-4E-4F-PNP-I-O-ports-in-boot.patch │ ├── 0003-mb-lenovo-Add-ThinkPad-T480-and-ThinkPad-T480s.patch │ ├── 0004-do-not-break-building-other-thinkpads-with-the-hacks.patch │ ├── 0005-soc-intel-pmc-Hardcoded-poweroff-after-power-fail.patch │ ├── 0006-ec-dasharo-Comment-EC_DASHARO_EC_FLASH_SIZE.patch │ ├── 0007-src-intel-skylake-Disable-stack-overflow-debug-optio.patch │ ├── 0008-src-intel-x4x-Disable-stack-overflow-debug.patch │ ├── 0009-post-skylake-pr0.patch │ └── 0010-cbmem_tpm-clear_whole_log_on_creation.patch ├── coreboot-4.11 │ ├── 0000-cpu-x86-smm-Use-PRIxPTR-to-print-uintptr_t.patch │ ├── 0001-Add-Heads-TPM-measured-boot-support.patch │ ├── 0002-soc-intel-broadwell_de-Add-measured-boot-support.patch │ ├── 0003-drivers-generic-cbfs-serial-Add-driver-to-read-seria.patch │ ├── 0004-mb-purism-librem_l1um-Add-new-board.patch │ ├── 0005-soc-fsp_broadwell_de-acpi-Remove-ADR-from-uncore-obj.patch │ ├── 0020-kgpe-d16_measured-boot-support.patch │ ├── 0021-kgpe-d16_c-environment_bootblock.patch │ ├── 0022-kgpe-d16_dstd-asl_Remove-HID-for-PCI-devices.patch │ ├── 0070-crossgcc-iasl-2021-instead-of-2018_fix-old_coreboot-build-on-newer-platforms.patch │ ├── 0071-crossgcc-binutils-gold-error-strings.patch │ ├── 0072-crossgcc-gnat-eh.patch │ ├── 0073-build-race-condition-fixes.patch │ ├── 0074-make-43-fix.patch │ ├── 0075-northbridge-amd-Fixed-errors-in-fam15h-DQS-timing.patch │ └── 0076-northbridge-amd-Added-resets-for-ram-training-failur.patch ├── coreboot-4.19 │ ├── 0001-x230-fhd-variant.patch │ ├── 0002-libgfxinit-center_bootsplash_on_bigger_framebuffers.patch │ ├── 0003-linux_trampoline-handle_coreboot_framebuffer.patch │ └── 0004-bootsplash-Add_ImageMagick_voodoo.patch ├── coreboot-4.22.01 │ └── 0001-x230-fhd-variant.patch ├── coreboot-purism │ └── 0001-cbmem_tpm-clear_whole_log_on_creation.patch ├── coreboot-talos_2 │ ├── 0001-Use-usr-bin-env-in-skiboot.patch │ ├── 0002-acpi-unix2-mirror.patch │ └── 0003-ugly_skiboot-patch_fix_for_newer_gcc_from_musl_125.patch ├── cryptsetup-1.7.3.patch ├── cryptsetup2-2.6.1.patch ├── dropbear-2016.74.patch ├── flashrom-b1f858f65b2abd276542650d8cb9e382da258967 │ └── 0100-enable-kgpe-d16.patch ├── gpg-1.4.21.patch ├── gpg2-2.4.0.patch ├── kexec-2.0.26.patch ├── libassuan-2.5.5.patch ├── libgcrypt-1.10.1.patch ├── libgcrypt-1.10.2.patch ├── libgcrypt-1.8.3.patch ├── libgpg-error-1.46.patch ├── libksba-1.3.5.patch ├── libksba-1.6.3.patch ├── linux-4.14.62 │ ├── 0000-efi_bds.patch │ ├── 0001-fake-acpi.patch │ ├── 0002-nmi-squelch.patch │ ├── 0003-fake-trampoline.patch │ ├── 0004-libsubcmd_Fix_use-after-free-for-realloc.patch │ └── 0010-winterfell-ahci.patch ├── linux-4.19.139 │ ├── 0000-efi_bds.patch │ ├── 0001-fake-acpi.patch │ ├── 0002-nmi-squelch.patch │ ├── 0003-fake-trampoline.patch │ └── 0010-winterfell-ahci.patch ├── linux-5.10.214 │ ├── 0001-fake-acpi.patch │ ├── 0002-nmi-squelch.patch │ ├── 0003-fake-trampoline.patch │ ├── 0010-winterfell-ahci.patch │ └── shebangs.patch ├── linux-5.4.69 │ ├── 0000-efi_bds.patch │ ├── 0001-fake-acpi.patch │ ├── 0002-nmi-squelch.patch │ ├── 0003-fake-trampoline.patch │ └── 0010-winterfell-ahci.patch ├── linux-5.5-openpower │ ├── 0001-xhci-Reset-controller-on-xhci-shutdown.patch │ ├── 0002-Release-OpenPower-kernel.patch │ ├── 0003-Fix-mpt3sas-dma-crash.patch │ ├── 0004-drm-ast-Add-option-to-initialize-palette-on-driver-l.patch │ ├── 0005-Force-ASpeed-RAMDAC-palette-reset.patch │ ├── 0006-amdgpu-Prepare-DCN-floating-point-macros-for-generic.patch │ ├── 0007-amdgpu-Enable-initial-DCN-support-on-POWER.patch │ ├── 0008-amdgpu-Wrap-FPU-dependent-functions-in-dc20.patch │ ├── 0009-Fix-build-with-gcc-10-and-up.patch │ ├── 0010-arch-powerpc-Kconfig-enable-inclusion-of-drivers-fir.patch │ ├── 0011-drivers-firmware-google-expose-CBMEM-as-sysfs-file.patch │ └── shebangs.patch ├── linux-6.1.8 │ ├── 0001-fake-acpi.patch │ ├── 0002-nmi-squelch.patch │ └── 0010-winterfell-ahci.patch ├── linux-6.6.16-openpower │ ├── 0001-xhci-Reset-controller-on-xhci-shutdown.patch │ ├── 0002-Release-OpenPower-kernel.patch │ ├── 0003-drm-ast-Add-option-to-initialize-palette-on-driver-l.patch │ ├── 0004-Force-ASpeed-RAMDAC-palette-reset.patch │ ├── 0005-powerpc-Add-gpr1-and-fpu-save-restore-functions.patch │ ├── 0006-arch-powerpc-Kconfig-enable-inclusion-of-drivers-fir.patch │ └── 0007-drivers-firmware-google-expose-CBMEM-as-sysfs-file.patch ├── lvm2-2.02.168.patch ├── lvm2-2.03.23.patch ├── newt-0.52.24.patch ├── openssl-3.0.8.patch ├── pciutils-3.5.4.patch ├── powerpc-utils-1.3.5.patch ├── slang-2.3.3 │ └── unhardcode-ln-in-Makefile.patch ├── tpm2-tools-5.6.patch ├── tpm2-tss-3.2.2.patch └── util-linux-2.39.patch ├── targets ├── legacy_flash.mk ├── optiplex_blobs.mk ├── ppc_tgz.mk ├── qemu.md ├── qemu.mk ├── split_8mb4mb.mk ├── xx20_me_blobs.mk ├── xx30_me_blobs.mk └── xx80_me_blobs.mk └── unmaintained_boards ├── README.md ├── UNMAINTAINED_p8z77-m_pro-tpm1-hotp-maximized └── UNMAINTAINED_p8z77-m_pro-tpm1-hotp-maximized.config ├── UNMAINTAINED_p8z77-m_pro-tpm1-maximized └── UNMAINTAINED_p8z77-m_pro-tpm1-maximized.config ├── UNMAINTAINED_qemu-linuxboot └── UNMAINTAINED_qemu-linuxboot.config ├── UNMAINTAINED_t420 └── UNMAINTAINED_t420.config ├── UNMAINTAINED_t430-hotp-legacy └── UNMAINTAINED_t430-hotp-legacy.config ├── UNMAINTAINED_t430-legacy-flash └── UNMAINTAINED_t430-legacy-flash.config ├── UNMAINTAINED_t430-legacy └── UNMAINTAINED_t430-legacy.config ├── UNMAINTAINED_t520-hotp-maximized └── UNMAINTAINED_t520-hotp-maximized.config ├── UNMAINTAINED_t520-maximized └── UNMAINTAINED_t520-maximized.config ├── UNMAINTAINED_t530-dgpu-hotp-maximized └── UNMAINTAINED_t530-dgpu-hotp-maximized.config ├── UNMAINTAINED_t530-dgpu-maximized └── UNMAINTAINED_t530-dgpu-maximized.config ├── UNMAINTAINED_w530-dgpu-K1000m-hotp-maximized └── UNMAINTAINED_w530-dgpu-K1000m-hotp-maximized.config ├── UNMAINTAINED_w530-dgpu-K1000m-maximized └── UNMAINTAINED_w530-dgpu-K1000m-maximized.config ├── UNMAINTAINED_w530-dgpu-K2000m-hotp-maximized └── UNMAINTAINED_w530-dgpu-K2000m-hotp-maximized.config ├── UNMAINTAINED_w530-dgpu-K2000m-maximized └── UNMAINTAINED_w530-dgpu-K2000m-maximized.config ├── UNMAINTAINED_x220 └── UNMAINTAINED_x220.config ├── UNMAINTAINED_x230-hotp-legacy └── UNMAINTAINED_x230-hotp-legacy.config ├── UNMAINTAINED_x230-legacy-flash └── UNMAINTAINED_x230-legacy-flash.config ├── UNMAINTAINED_x230-legacy └── UNMAINTAINED_x230-legacy.config ├── UNTESTED_leopard └── UNTESTED_leopard.config ├── UNTESTED_r630 └── UNTESTED_r630.config ├── UNTESTED_s2600wf └── UNTESTED_s2600wf.config ├── UNTESTED_tioga └── UNTESTED_tioga.config ├── UNTESTED_winterfell ├── UNTESTED_winterfell.config └── uinit.go ├── x230-hotp-legacy └── x230-hotp-legacy.config ├── x230-legacy-flash └── x230-legacy-flash.config └── x230-legacy └── x230-legacy.config /.envrc: -------------------------------------------------------------------------------- 1 | has nix && use flake 2 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | *.config linguist-language=Makefile 2 | modules/* linguist-language=Makefile 3 | -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | 3 | github: tlaurion 4 | open_collective: insurgo 5 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Please use this template to suggest an idea for this project 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? Please describe.** 11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 12 | 13 | **Describe the solution you'd like** 14 | A clear and concise description of what you want to happen. 15 | 16 | **Describe alternatives you've considered** 17 | A clear and concise description of any alternative solutions or features you've considered. 18 | 19 | **Additional context** 20 | Add any other context or screenshots about the feature request here. 21 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.bad 2 | *.bz2 3 | *.cpio 4 | *.dep 5 | *.ffs 6 | *.fv 7 | *.gz 8 | *.img 9 | *.log 10 | *.lz 11 | *.o 12 | *.rom 13 | *.sec 14 | *.sign 15 | *.tgz 16 | *.vol 17 | *.xz 18 | *~ 19 | .*.sw* 20 | /.direnv 21 | clean 22 | config/*.old 23 | crossgcc 24 | typescript* 25 | result 26 | -------------------------------------------------------------------------------- /WP_NOTES.md: -------------------------------------------------------------------------------- 1 | Flashrom was passed to flashprog under https://github.com/linuxboot/heads/pull/1769 2 | 3 | Those are notes for @i-c-o-n and others wanting to move WP forward but track issues and users 4 | 5 | The problem with WP is that it is desired but even if partial write protection regions is present, WP is widely unused. 6 | 7 | Some random notes since support is incomplete (depends on chips, really) 8 | -QDPI is problematic for WP (same IO2 PIN) 9 | - Might be turned on by chipset for ME read https://matrix.to/#/!pAlHOfxQNPXOgFGTmo:matrix.org/$NCNidoPsw1ze6zv3m2jlPuGuNrdlDQmDcU81If-q55A?via=matrix.org&via=nitro.chat&via=tchncs.de 10 | - WP wanted, WP done, WP unused 11 | - WP wanted https://github.com/flashrom/flashrom/issues/185 https://github.com/linuxboot/heads/issues/985 12 | - WP done: https://github.com/linuxboot/heads/issues/1741 https://github.com/linuxboot/heads/issues/1546 13 | - Documented https://docs.dasharo.com/variants/asus_kgpe_d16/spi-wp/ 14 | - WP still unused 15 | 16 | Alternative, as suggested by @i-c-o-n is Chipset Platform Locking (PR0) which is enforced at platform's chipset level for a boot 17 | - This is implemented and enforced on <= Haswell from this PR merged : https://github.com/linuxboot/heads/pull/1373 18 | - Non-upstreamed work has been made from @root-hardenedvault work in vaultboot downstream fork of Heads at https://github.com/hardenedvault/vaultboot/blob/master/patches/coreboot/0001-x11.patch 19 | - Discussion point under flashrom-> flashprog PR under https://github.com/linuxboot/heads/pull/1769/files/f8eb0a27c3dcb17a8c6fcb85dd7f03e8513798ae#r1752395865 tagging @i-c-o-n 20 | 21 | 22 | Not sure what is the way forward here, but lets keep this file in tree to track improvements over time. 23 | -------------------------------------------------------------------------------- /bin/find_undocumented_config.sh: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env bash 2 | 3 | set -eo pipefail 4 | 5 | cd "$(dirname "${BASH_SOURCE[0]}")/.." 6 | 7 | # By default, just show the variables. Invoke with --show-files to show where 8 | # each undocumented variable appears (up to 3 occurrences) 9 | SHOW_FILES= 10 | if [ "$1" = --show-files ]; then 11 | SHOW_FILES=y 12 | fi 13 | 14 | # Don't search the entire repo, we only want config variables used by Heads: 15 | # - config and patches contain lots of CONFIG_ variables from other projects, 16 | # ignore them 17 | # - build/crossgcc/packages are all build outputs and will also contain lots of 18 | # other projects, ignore them 19 | # - modules files are mostly relevant (many do define CONFIG_ variables to 20 | # tweak the module), but a few have several variables actually from the 21 | # project being configured, not used by Heads. Exclude specific files only 22 | # 23 | # boards, initrd, Makefile, and modules cover all Heads variables pretty well 24 | # without introducing many false positives. 25 | GREP_VARS=(-EroIh '\bCONFIG_[A-Za-z0-9_]+') 26 | EXCLUDE_MODULES=" 27 | flashrom 28 | flashprog 29 | coreboot 30 | " 31 | ALL_VARS="$(grep "${GREP_VARS[@]}" boards initrd Makefile)" 32 | ALL_VARS+="$(grep --exclude-from=<(echo "${EXCLUDE_MODULES[@]}") "${GREP_VARS[@]}" modules)" 33 | 34 | ALL_VARS="$(echo "$ALL_VARS" | sort | uniq)" 35 | 36 | # Check each variable to see if it's already documented 37 | while IFS= read -r var; do 38 | if ! grep -Eq "\b$var\b" doc/config.md; then 39 | if [ "$SHOW_FILES" = y ]; then 40 | echo 41 | echo "$var" 42 | grep -r "$var" boards initrd Makefile modules | head -3 || true 43 | else 44 | echo "$var" 45 | fi 46 | fi 47 | done < <(echo "$ALL_VARS") 48 | -------------------------------------------------------------------------------- /bin/prepare_module_config.sh: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env bash 2 | 3 | TEMPLATE="$1" 4 | RESULT="$2" 5 | BOARD_BUILD="$3" 6 | BRAND_NAME="$4" 7 | 8 | repo="$(realpath "$(dirname "${BASH_SOURCE[0]}")/..")" 9 | # For both coreboot and Linux, the config file is in a board- 10 | # specific build directory, but the build occurs from the 11 | # parent of that directory. 12 | module_dir="$(realpath "$(dirname "$2")/..")" 13 | 14 | # Use relative paths since the config may be part of the ROM 15 | # artifacts, and relative paths won't depend on the workspace 16 | # absolute path. 17 | board_build_rel="$(realpath --relative-to "$module_dir" "$BOARD_BUILD")" 18 | repo_rel="$(realpath --relative-to "$module_dir" "$repo")" 19 | 20 | echo "board_build_rel=$board_build_rel" 21 | echo "repo_rel=$repo_rel" 22 | 23 | sed -e "s!@BOARD_BUILD_DIR@!${board_build_rel}!g" \ 24 | -e "s!@BLOB_DIR@!${repo_rel}/blobs!g" \ 25 | -e "s!@BRAND_DIR@!${repo_rel}/branding/$BRAND_NAME!g" \ 26 | -e "s!@BRAND_NAME@!$BRAND_NAME!g" \ 27 | "$TEMPLATE" > "$RESULT" 28 | -------------------------------------------------------------------------------- /bin/seed_package_mirror.sh: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env bash 2 | 3 | set -eo pipefail 4 | 5 | usage() { 6 | cat >&2 < 8 | 9 | Downloads all current package artifacts needed to build Heads and copies them 10 | to a mirror directory, for seeding a package mirror. 11 | 12 | Parameters: 13 | : Path to a directory where the packages are placed. 14 | Created if it does not already exist. 15 | USAGE_END 16 | } 17 | 18 | ARGS_DONE= 19 | while [[ $# -ge 1 ]] && [ -z "$ARGS_DONE" ]; do 20 | case "$1" in 21 | --) 22 | ARGS_DONE=y 23 | shift 24 | ;; 25 | --help) 26 | usage 27 | exit 0 28 | ;; 29 | --*) 30 | echo "unknown parameter: $1" >&2 31 | usage 32 | exit 1 33 | ;; 34 | *) 35 | ARGS_DONE=y 36 | ;; 37 | esac 38 | done 39 | 40 | if [[ $# -ne 1 ]]; then 41 | usage 42 | exit 1 43 | fi 44 | 45 | ARG_MIRROR_DIR="$(realpath "$1")" 46 | 47 | cd "$(dirname "${BASH_SOURCE[0]}")/.." 48 | 49 | echo 50 | echo "Cleaning build to download all packages..." 51 | # fetch packages for representative boards 52 | rm -rf build/x86 build/ppc64 53 | rm -rf packages/x86 packages/ppc64 54 | echo 55 | echo "Downloading packages..." 56 | make packages BOARD=qemu-coreboot-fbwhiptail-tpm1-hotp 57 | make packages BOARD=UNTESTED_talos-2 # newt, PPC 58 | make packages BOARD=librem_l1um_v2 # TPM2 59 | make packages BOARD=librem_l1um # coreboot 4.11 60 | make packages BOARD=x230-maximized # io386 61 | echo 62 | echo "Copying to mirror directory..." 63 | mkdir -p "$ARG_MIRROR_DIR" 64 | cp packages/x86/* packages/ppc64/* "$ARG_MIRROR_DIR/" 65 | -------------------------------------------------------------------------------- /blobs/dev.cpio: -------------------------------------------------------------------------------- 1 | 0707010056A3DF000041C00000000000000000000000025E15D9CC00000000000000FD0000000100000000000000000000000400000000dev0707010056935F000021800000000000000000000000015E15D9CC00000000000000FD0000000100000005000000010000000C00000000dev/console070701005693AA0000A1FF0000000000000000000000015E15DC0900000007000000FD0000000100000000000000000000000800000000lib/ld-libc.so0707010056936D0000A1FF0000000000000000000000015E15D9CC00000007000000FD0000000100000000000000000000001800000000lib/ld-musl-x86_64.so.1libc.so07070102E609840000A1FF000003EB000000640000000160E235D800000007000000080000000300000000000000000000001B00000000lib/ld-musl-powerpc64.so.1libc.so07070102E609830000A1FF000003EB000000640000000160E235D500000007000000080000000300000000000000000000001D00000000lib/ld-musl-powerpc64le.so.1libc.so07070100000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000B00000000TRAILER!!! -------------------------------------------------------------------------------- /blobs/haswell/.gitignore: -------------------------------------------------------------------------------- 1 | mrc.bin 2 | -------------------------------------------------------------------------------- /blobs/haswell/obtain-mrc: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -e 4 | 5 | function usage() { 6 | echo -n \ 7 | "Usage: $(basename "$0") path_to_output_directory 8 | Obtain mrc.bin from a Haswell Chromebook firmware image. 9 | " 10 | } 11 | 12 | MRC_BIN_HASH="d368ba45096a3b5490ed27014e1f9004bc363434ffdce0c368c08a89c4746722" 13 | 14 | if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then 15 | if [[ "${1:-}" == "--help" ]]; then 16 | usage 17 | else 18 | if [[ -z "${COREBOOT_DIR}" ]]; then 19 | echo "ERROR: No COREBOOT_DIR variable defined." 20 | exit 1 21 | fi 22 | 23 | output_dir="$(realpath "${1:-./}")" 24 | 25 | # Obtain mrc.bin from a Haswell Chromebook firmware image. 26 | # https://doc.coreboot.org/northbridge/intel/haswell/mrc.bin.html#obtaining-mrc-bin 27 | if [[ ! -f "${output_dir}/mrc.bin" ]]; then 28 | pushd "${COREBOOT_DIR}" 29 | 30 | make -C util/cbfstool 31 | cd util/chromeos 32 | ./crosfirmware.sh peppy 33 | ../cbfstool/cbfstool coreboot-*.bin extract -f mrc.bin -n mrc.bin -r RO_SECTION 34 | 35 | mv mrc.bin "${output_dir}/mrc.bin" 36 | 37 | popd 38 | fi 39 | 40 | if ! echo "${MRC_BIN_HASH} ${output_dir}/mrc.bin" | sha256sum --check; then 41 | echo "ERROR: SHA256 checksum for mrc.bin doesn't match." 42 | exit 1 43 | fi 44 | fi 45 | fi 46 | -------------------------------------------------------------------------------- /blobs/librem_jail/README: -------------------------------------------------------------------------------- 1 | # Librem Blob Jail 2 | 3 | This directory contains firmware/microcode needed for peripherals in some Librem boards, for OSes that do not provide device firmware. 4 | 5 | When the blob jail feature is enabled, PureBoot provides device firmware to the OS by adding it to the initrd, then copying it to /run/firmware (see initrd/bin/inject_firmware.sh). 6 | 7 | ## Librem Mini v2 8 | 9 | Librem Mini v2 ships with an Atheros Wi-Fi/Bluetooth card, which does not require firmware for Wi-Fi (but it does for Bluetooth). However, some whitelabel variants ship with Intel AX200, which requires firmware for both Wi-Fi and Bluetooth. 10 | 11 | Device firmware is provided in a preconfigured variant build for librem_mini_v2, the basic_usb_autoboot_blob_jail build. 12 | 13 | ## Librem 11 14 | 15 | Librem 11 includes an Intel AX201 Wi-Fi/Bluetooth card, which requires firmware. All builds for librem_11 include the device firmware. 16 | 17 | Display microcontroller firmware is also provided to enable power management. 18 | -------------------------------------------------------------------------------- /blobs/librem_jail/librem_11/i915/icl_dmc_ver1_09.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/linuxboot/heads/9fabe7f26cacea874fac6502ddded564ee2f8af5/blobs/librem_jail/librem_11/i915/icl_dmc_ver1_09.bin -------------------------------------------------------------------------------- /blobs/librem_jail/librem_11/intel/ibt-19-0-0.ddc: -------------------------------------------------------------------------------- 1 | () -------------------------------------------------------------------------------- /blobs/librem_jail/librem_11/intel/ibt-19-0-0.sfi: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/linuxboot/heads/9fabe7f26cacea874fac6502ddded564ee2f8af5/blobs/librem_jail/librem_11/intel/ibt-19-0-0.sfi -------------------------------------------------------------------------------- /blobs/librem_jail/librem_11/iwlwifi-QuZ-a0-jf-b0-72.ucode: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/linuxboot/heads/9fabe7f26cacea874fac6502ddded564ee2f8af5/blobs/librem_jail/librem_11/iwlwifi-QuZ-a0-jf-b0-72.ucode -------------------------------------------------------------------------------- /blobs/librem_jail/librem_mini_v2/ar3k/AthrBT_0x11020100.dfu: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/linuxboot/heads/9fabe7f26cacea874fac6502ddded564ee2f8af5/blobs/librem_jail/librem_mini_v2/ar3k/AthrBT_0x11020100.dfu -------------------------------------------------------------------------------- /blobs/librem_jail/librem_mini_v2/ar3k/ramps_0x11020100_40.dfu: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/linuxboot/heads/9fabe7f26cacea874fac6502ddded564ee2f8af5/blobs/librem_jail/librem_mini_v2/ar3k/ramps_0x11020100_40.dfu -------------------------------------------------------------------------------- /blobs/librem_jail/librem_mini_v2/intel/ibt-20-1-3.ddc: -------------------------------------------------------------------------------- 1 | () -------------------------------------------------------------------------------- /blobs/librem_jail/librem_mini_v2/intel/ibt-20-1-3.sfi: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/linuxboot/heads/9fabe7f26cacea874fac6502ddded564ee2f8af5/blobs/librem_jail/librem_mini_v2/intel/ibt-20-1-3.sfi -------------------------------------------------------------------------------- /blobs/librem_jail/librem_mini_v2/iwlwifi-cc-a0-59.ucode: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/linuxboot/heads/9fabe7f26cacea874fac6502ddded564ee2f8af5/blobs/librem_jail/librem_mini_v2/iwlwifi-cc-a0-59.ucode -------------------------------------------------------------------------------- /blobs/optiplex_9010/README.md: -------------------------------------------------------------------------------- 1 | This blobs/optiplex_9010/ifd.bin is a configuration blob, and comes from my optiplex 9010 backup. 2 | It was put in place with: 3 | 4 | python ~/me_cleaner/me_cleaner.py -S -r -t -d -O /tmp/discarded.bin -D ~/heads/blobs/optiplex_9010/ifd.bin -M /tmp/temporary_me.bin optiplex_9010-internal_backup.rom 5 | ./build/x86/coreboot-24.02.01/util/ifdtool/ifdtool -n blobs/optiplex_9010/layout.txt blobs/optiplex_9010/ifd.bin -O blobs/optiplex_9010/ifd.bin 6 | 7 | NOTE: We rely on blobs/optiplex_9010/layout.txt which changes the size of the ME region to match Lenovo xx30 blob used in x230 and others. 8 | 9 | ---- 10 | 11 | blobs/optiplex_9010/ifd_t16650.bin comes from https://codeberg.org/libreboot/lbmk/src/branch/master/config/ifd/t1650/12_ifd 12 | Libreboot uses xx30 ME (downloaded from Lenovo, extracted+ neutered) as well, and reuses the dell t1650 IFD for their build, which we borrowed here with: 13 | 14 | wget https://codeberg.org/libreboot/lbmk/raw/branch/master/config/ifd/t1650/12_ifd -O ifd.bin 15 | 16 | Doc: https://libreboot.org/docs/install/dell7010.html 17 | -------------------------------------------------------------------------------- /blobs/optiplex_9010/ifd.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/linuxboot/heads/9fabe7f26cacea874fac6502ddded564ee2f8af5/blobs/optiplex_9010/ifd.bin -------------------------------------------------------------------------------- /blobs/optiplex_9010/ifd_t16650.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/linuxboot/heads/9fabe7f26cacea874fac6502ddded564ee2f8af5/blobs/optiplex_9010/ifd_t16650.bin -------------------------------------------------------------------------------- /blobs/optiplex_9010/layout.txt: -------------------------------------------------------------------------------- 1 | 00000000:00000fff fd 2 | 00001000:00004fff gbe 3 | 00005000:0001cfff me 4 | 0001d000:00bfffff bios 5 | -------------------------------------------------------------------------------- /blobs/t420/extract.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | function printusage { 4 | echo "Usage: $0 -f -m (optional) -i (optional)" 5 | exit 0 6 | } 7 | 8 | BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 9 | 10 | if [ "$#" -eq 0 ]; then printusage; fi 11 | 12 | while getopts ":f:m:i:" opt; do 13 | case $opt in 14 | f) 15 | FILE="$OPTARG" 16 | ;; 17 | m) 18 | if [ -x "$OPTARG" ]; then 19 | MECLEAN="$OPTARG" 20 | fi 21 | ;; 22 | i) 23 | if [ -x "$OPTARG" ]; then 24 | IFDTOOL="$OPTARG" 25 | fi 26 | ;; 27 | esac 28 | done 29 | 30 | if [ -z "$MECLEAN" ]; then 31 | MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1|head -n1` 32 | if [ -z "$MECLEAN" ]; then 33 | echo "me_cleaner.py required but not found or specified with -m. Aborting." 34 | exit 1; 35 | fi 36 | fi 37 | 38 | if [ -z "$IFDTOOL" ]; then 39 | IFDTOOL=`command -v $BLOBDIR/../../build/coreboot-*/util/ifdtool/ifdtool 2>&1|head -n1` 40 | if [ -z "$IFDTOOL" ]; then 41 | echo "ifdtool required but not found or specified with -m. Aborting." 42 | exit 1; 43 | fi 44 | fi 45 | 46 | echo "FILE: $FILE" 47 | echo "ME: $MECLEAN" 48 | echo "IFD: $IFDTOOL" 49 | 50 | bioscopy=$(mktemp) 51 | extractdir=$(mktemp -d) 52 | 53 | cp "$FILE" $bioscopy 54 | 55 | cd "$extractdir" 56 | $IFDTOOL -x $bioscopy 57 | cp "$extractdir/flashregion_3_gbe.bin" "$BLOBDIR/gbe.bin" 58 | $MECLEAN -O "$BLOBDIR/me.bin" -r -t "$extractdir/flashregion_2_intel_me.bin" 59 | $IFDTOOL -n "$BLOBDIR/layout.txt" $bioscopy 60 | $IFDTOOL -x $bioscopy.new 61 | cp "$extractdir/flashregion_0_flashdescriptor.bin" "$BLOBDIR/ifd.bin" 62 | 63 | rm "$bioscopy" 64 | rm "$bioscopy.new" 65 | rm -r "$extractdir" 66 | -------------------------------------------------------------------------------- /blobs/t420/layout.txt: -------------------------------------------------------------------------------- 1 | 00000000:00000fff fd 2 | 00018000:007fffff bios 3 | 00003000:00017fff me 4 | 00001000:00002fff gbe 5 | -------------------------------------------------------------------------------- /blobs/t420/readme.md: -------------------------------------------------------------------------------- 1 | To build for T420, we need to have the following files in this folder: 2 | * `me.bin` - ME binary that has been stripped and truncated with me_cleaner 3 | * `gbe.bin` - Network card blob from the original firmware 4 | * `ifd.bin` - Flash layout file has been provided as text 5 | 6 | To get the binaries, start with a copy of the original Lenovo firmware image. 7 | If you do not have one already, you can read one out from the laptops SPI flash with flashrom 8 | 9 | ``` 10 | flashrom -p -r original.bin 11 | ``` 12 | 13 | Set `` to the flashrom programmer type that you will use (for example, `linux_spi:dev=/dev/spidev0.0` on a Raspberry Pi). 14 | 15 | Once you have the image, the provided extraction script will extract the files needed. 16 | 17 | ``` 18 | ./extract.sh -f 19 | ``` 20 | 21 | Use the options '-m' and '-i' to provide me_cleaner and ifdtool if they can not be located automatically. 22 | 23 | The flash layout will be automatically adjusted and the ME image cleaned and truncated. 24 | 25 | You can now compile the image with: 26 | 27 | ``` 28 | make BOARD=t420 29 | ``` 30 | -------------------------------------------------------------------------------- /blobs/t440p/.gitignore: -------------------------------------------------------------------------------- 1 | me.bin 2 | -------------------------------------------------------------------------------- /blobs/t440p/extract: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -e 4 | 5 | function usage() { 6 | echo -n \ 7 | "Usage: $(basename "$0") path_to_original_rom path_to_output_directory 8 | Extract Intel firmware from the original ROM. 9 | " 10 | } 11 | 12 | if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then 13 | if [[ "${1:-}" == "--help" ]]; then 14 | usage 15 | else 16 | if [[ -z "${COREBOOT_DIR}" ]]; then 17 | echo "ERROR: No COREBOOT_DIR variable defined." 18 | exit 1 19 | fi 20 | 21 | original_rom="$(realpath "$1")" 22 | output_dir="$(realpath "${2:-./}")" 23 | 24 | # Neutralize Intel ME and resize the Intel Flash Descriptor (IFD) 25 | # layout. 26 | # https://github.com/corna/me_cleaner/wiki/External-flashing#neutralize-and-shrink-intel-me-useful-only-for-coreboot 27 | pushd "${COREBOOT_DIR}/util/me_cleaner" 28 | 29 | python me_cleaner.py -S -r -t -d -O out.bin -D ifd_shrinked.bin -M me_shrinked.bin "${original_rom}" 30 | 31 | mv ifd_shrinked.bin "${output_dir}/ifd.bin" 32 | mv me_shrinked.bin "${output_dir}/me.bin" 33 | rm ./*.bin 34 | 35 | popd 36 | 37 | # Extract the Intel Gigabit Ethernet (GbE) firmware. 38 | pushd "${COREBOOT_DIR}/util/ifdtool" 39 | 40 | make 41 | ./ifdtool -x "${original_rom}" 42 | 43 | mv flashregion_3_gbe.bin "${output_dir}/gbe.bin" 44 | rm ./*.bin 45 | 46 | popd 47 | fi 48 | fi 49 | -------------------------------------------------------------------------------- /blobs/t440p/gbe.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/linuxboot/heads/9fabe7f26cacea874fac6502ddded564ee2f8af5/blobs/t440p/gbe.bin -------------------------------------------------------------------------------- /blobs/t440p/ifd.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/linuxboot/heads/9fabe7f26cacea874fac6502ddded564ee2f8af5/blobs/t440p/ifd.bin -------------------------------------------------------------------------------- /blobs/w541/.gitignore: -------------------------------------------------------------------------------- 1 | me.bin 2 | -------------------------------------------------------------------------------- /blobs/w541/extract: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -e 4 | 5 | function usage() { 6 | echo -n \ 7 | "Usage: $(basename "$0") path_to_original_rom path_to_output_directory 8 | Extract Intel firmware from the original ROM. 9 | " 10 | } 11 | 12 | if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then 13 | if [[ "${1:-}" == "--help" ]]; then 14 | usage 15 | else 16 | if [[ -z "${COREBOOT_DIR}" ]]; then 17 | echo "ERROR: No COREBOOT_DIR variable defined." 18 | exit 1 19 | fi 20 | 21 | original_rom="$(realpath "$1")" 22 | output_dir="$(realpath "${2:-./}")" 23 | 24 | # Neutralize Intel ME and resize the Intel Flash Descriptor (IFD) 25 | # layout. 26 | # https://github.com/corna/me_cleaner/wiki/External-flashing#neutralize-and-shrink-intel-me-useful-only-for-coreboot 27 | pushd "${COREBOOT_DIR}/util/me_cleaner" 28 | 29 | python me_cleaner.py -S -r -t -d -O out.bin -D ifd_shrinked.bin -M me_shrinked.bin "${original_rom}" 30 | 31 | mv ifd_shrinked.bin "${output_dir}/ifd.bin" 32 | mv me_shrinked.bin "${output_dir}/me.bin" 33 | rm ./*.bin 34 | 35 | popd 36 | 37 | # Extract the Intel Gigabit Ethernet (GbE) firmware. 38 | pushd "${COREBOOT_DIR}/util/ifdtool" 39 | 40 | make 41 | ./ifdtool -x "${original_rom}" 42 | 43 | mv flashregion_3_gbe.bin "${output_dir}/gbe.bin" 44 | rm ./*.bin 45 | 46 | popd 47 | fi 48 | fi 49 | -------------------------------------------------------------------------------- /blobs/w541/gbe.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/linuxboot/heads/9fabe7f26cacea874fac6502ddded564ee2f8af5/blobs/w541/gbe.bin -------------------------------------------------------------------------------- /blobs/w541/ifd.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/linuxboot/heads/9fabe7f26cacea874fac6502ddded564ee2f8af5/blobs/w541/ifd.bin -------------------------------------------------------------------------------- /blobs/x220/.gitignore: -------------------------------------------------------------------------------- 1 | gbe.bin 2 | me.bin 3 | ifd.bin 4 | -------------------------------------------------------------------------------- /blobs/x220/extract.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | function printusage { 4 | echo "Usage: $0 -f -m (optional) -i (optional)" 5 | exit 0 6 | } 7 | 8 | BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" 9 | 10 | if [ "$#" -eq 0 ]; then printusage; fi 11 | 12 | while getopts ":f:m:i:" opt; do 13 | case $opt in 14 | f) 15 | FILE="$OPTARG" 16 | ;; 17 | m) 18 | if [ -x "$OPTARG" ]; then 19 | MECLEAN="$OPTARG" 20 | fi 21 | ;; 22 | i) 23 | if [ -x "$OPTARG" ]; then 24 | IFDTOOL="$OPTARG" 25 | fi 26 | ;; 27 | esac 28 | done 29 | 30 | if [ -z "$MECLEAN" ]; then 31 | MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1|head -n1` 32 | if [ -z "$MECLEAN" ]; then 33 | echo "me_cleaner.py required but not found or specified with -m. Aborting." 34 | exit 1; 35 | fi 36 | fi 37 | 38 | if [ -z "$IFDTOOL" ]; then 39 | IFDTOOL=`command -v $BLOBDIR/../../build/coreboot-*/util/ifdtool/ifdtool 2>&1|head -n1` 40 | if [ -z "$IFDTOOL" ]; then 41 | echo "ifdtool required but not found or specified with -m. Aborting." 42 | exit 1; 43 | fi 44 | fi 45 | 46 | echo "FILE: $FILE" 47 | echo "ME: $MECLEAN" 48 | echo "IFD: $IFDTOOL" 49 | 50 | bioscopy=$(mktemp) 51 | extractdir=$(mktemp -d) 52 | 53 | cp "$FILE" $bioscopy 54 | 55 | cd "$extractdir" 56 | $IFDTOOL -x $bioscopy 57 | cp "$extractdir/flashregion_3_gbe.bin" "$BLOBDIR/gbe.bin" 58 | $MECLEAN -O "$BLOBDIR/me.bin" -r -t "$extractdir/flashregion_2_intel_me.bin" 59 | $IFDTOOL -n "$BLOBDIR/layout.txt" $bioscopy 60 | $IFDTOOL -x $bioscopy.new 61 | cp "$extractdir/flashregion_0_flashdescriptor.bin" "$BLOBDIR/ifd.bin" 62 | 63 | rm "$bioscopy" 64 | rm "$bioscopy.new" 65 | rm -r "$extractdir" 66 | -------------------------------------------------------------------------------- /blobs/x220/layout.txt: -------------------------------------------------------------------------------- 1 | 00000000:00000fff fd 2 | 00018000:007fffff bios 3 | 00003000:00017fff me 4 | 00001000:00002fff gbe 5 | -------------------------------------------------------------------------------- /blobs/x220/readme.md: -------------------------------------------------------------------------------- 1 | To build for X220 we need to have the following files in this folder: 2 | * `me.bin` - ME binary that has been stripped and truncated with me_cleaner 3 | * `gbe.bin` - Network card blob from the original firmware 4 | * `ifd.bin` - Flash layout file has been provided as text 5 | 6 | To get the binaries, start with a copy of the original Lenovo firmware image. 7 | If you do not have one already, you can read one out from the laptops SPI flash. 8 | 9 | ``` 10 | flashrom --programmer internal -r original.bin 11 | ``` 12 | 13 | Once you have the image, the provided extraction script will extract the files needed. 14 | 15 | ``` 16 | ./extract.sh -f 17 | ``` 18 | 19 | Use the options '-m' and '-i' to provide me_cleaner and ifdtool if they can not be located 20 | automatically. 21 | 22 | The flash layout will be automatically adjusted and the ME image cleaned and truncated. 23 | 24 | You can now compile the image with: 25 | 26 | make BOARD=x220 27 | -------------------------------------------------------------------------------- /blobs/xx20/.gitignore: -------------------------------------------------------------------------------- 1 | me.bin 2 | -------------------------------------------------------------------------------- /blobs/xx20/gbe.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/linuxboot/heads/9fabe7f26cacea874fac6502ddded564ee2f8af5/blobs/xx20/gbe.bin -------------------------------------------------------------------------------- /blobs/xx20/hashes.txt: -------------------------------------------------------------------------------- 1 | 9f72818e23290fb661e7899c953de2eb4cea96ff067b36348b3d061fd13366e5 gbe.bin 2 | 907dfd580b4a680712bb4ee526f266c37a455196541d85702986532728f1eee9 ifd.bin 3 | 1eef6716aa61dd844d58eca15a85faa1bf5f82715defd30bd3373e79ca1a3339 me.bin 4 | -------------------------------------------------------------------------------- /blobs/xx20/ifd.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/linuxboot/heads/9fabe7f26cacea874fac6502ddded564ee2f8af5/blobs/xx20/ifd.bin -------------------------------------------------------------------------------- /blobs/xx20/layout.txt: -------------------------------------------------------------------------------- 1 | 00000000:00000fff fd 2 | 00018000:007fffff bios 3 | 00003000:00017fff me 4 | 00001000:00002fff gbe 5 | -------------------------------------------------------------------------------- /blobs/xx30/.gitignore: -------------------------------------------------------------------------------- 1 | me.bin 2 | IVB_BIOSAC_PRODUCTION.bin 3 | SNB_IVB_SINIT_20190708_PW.bin 4 | sch5545_ecfw.bin 5 | -------------------------------------------------------------------------------- /blobs/xx30/README_vbios: -------------------------------------------------------------------------------- 1 | The vbios scripts in this directory help owners with discrete GPU's to initialize them. In order to do so it is required to place the iGPU and dGPU roms into this folder. These can either be extracted from the backup of the bios or extracted automatically from bios updates provided online by Lenovo using the VBiosFinder tool (see https://github.com/coderobe/VBiosFinder). 2 | 3 | The vbios scripts in this directory install the dependencies for VBiosFinder. They then run VBiosFinder against the latest relevant bios update, which finds and extracts the relevant roms. Finally, the scripts rename and move the relevant extracted roms, place them in this blobs directory, and clean up. 4 | 5 | The scripts require sudo to run, but should be run initally without sudo (e.g. ./vbios_w530.sh). The bios updates used, for example, are: 6 | 7 | * For the w530: https://download.lenovo.com/pccbbs/mobiles/g5uj39us.exe 8 | * For the t530: https://download.lenovo.com/pccbbs/mobiles/g4uj41us.exe 9 | 10 | The scripts have been successfully tested on Debian 10 and Ubuntu 21.04. 11 | 12 | NOTE: Once built the dGPU will still not yet be fully initialized. After successfully building the relevant rom for your board and before flashing it is necessary to build and use the nvramtool to change the value from Integrated-Only graphics to either Dual Graphics or Discrete Graphics. In the build directory find the coreboot version that you have just built. Navigate into that directory > utils > nvramtool and make the nvramtool. Then, for example, to initialize dual graphics run: 13 | 14 | nvramtool -C /path/to/12MB/rom -w hybrid_graphics_mode="Dual Graphics" 15 | 16 | -------------------------------------------------------------------------------- /blobs/xx30/gbe.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/linuxboot/heads/9fabe7f26cacea874fac6502ddded564ee2f8af5/blobs/xx30/gbe.bin -------------------------------------------------------------------------------- /blobs/xx30/hashes.txt: -------------------------------------------------------------------------------- 1 | 9f72818e23290fb661e7899c953de2eb4cea96ff067b36348b3d061fd13366e5 gbe.bin 2 | c96d19bbf5356b2b827e1ef52d79d0010884bfc889eab48835e4af9a634d129b ifd.bin 3 | c140d04d792bed555e616065d48bdc327bb78f0213ccc54c0ae95f12b28896a4 me.bin 4 | -------------------------------------------------------------------------------- /blobs/xx30/ifd.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/linuxboot/heads/9fabe7f26cacea874fac6502ddded564ee2f8af5/blobs/xx30/ifd.bin -------------------------------------------------------------------------------- /blobs/xx80/.gitignore: -------------------------------------------------------------------------------- 1 | me.bin 2 | tb.bin 3 | -------------------------------------------------------------------------------- /blobs/xx80/gbe.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/linuxboot/heads/9fabe7f26cacea874fac6502ddded564ee2f8af5/blobs/xx80/gbe.bin -------------------------------------------------------------------------------- /blobs/xx80/hashes.txt: -------------------------------------------------------------------------------- 1 | d3af2dfbf128bcddfc8c5810a11478697312e5701668f719f80f3f6322db5642 gbe.bin 2 | f2f6d5fb0a5e02964b494862032fd93f1f88e2febd9904b936083600645c7fdf ifd.bin 3 | 1990b42df67ba70292f4f6e2660efb909917452dcb9bd4b65ea2f86402cfa16b me.bin 4 | fc9c47ff4b16f036a7f49900f9da1983a5db44ca46156238b7b42e636d317388 tb.bin 5 | -------------------------------------------------------------------------------- /blobs/xx80/ifd.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/linuxboot/heads/9fabe7f26cacea874fac6502ddded564ee2f8af5/blobs/xx80/ifd.bin -------------------------------------------------------------------------------- /blobs/z220/.gitignore: -------------------------------------------------------------------------------- 1 | ifd.bin 2 | me.bin 3 | -------------------------------------------------------------------------------- /boards/librem_11/initrd/etc/board_keys.map: -------------------------------------------------------------------------------- 1 | keymaps 0-2,4-5,8,12 2 | # Use volume and power keys on tablet to navigate menus 3 | keycode 114 = Up 4 | keycode 115 = Down 5 | keycode 116 = Return 6 | -------------------------------------------------------------------------------- /boards/librem_11/librem_11.config: -------------------------------------------------------------------------------- 1 | # Configuration for librem_11 2 | CONFIG_LINUX_CONFIG=config/linux-librem_common-6.1.8.config 3 | CONFIG_COREBOOT_CONFIG=config/coreboot-librem_11.config 4 | 5 | export CONFIG_COREBOOT=y 6 | export CONFIG_COREBOOT_VERSION=purism 7 | export CONFIG_LINUX_VERSION=6.1.8 8 | 9 | CONFIG_CRYPTSETUP2=y 10 | CONFIG_FLASHPROG=y 11 | CONFIG_FLASHTOOLS=y 12 | CONFIG_GPG2=y 13 | CONFIG_KEXEC=y 14 | CONFIG_UTIL_LINUX=y 15 | CONFIG_KBD=y 16 | CONFIG_KBD_LOADKEYS=y 17 | CONFIG_LVM2=y 18 | CONFIG_MBEDTLS=y 19 | CONFIG_PCIUTILS=y 20 | CONFIG_POPT=y 21 | CONFIG_QRENCODE=y 22 | CONFIG_TPMTOTP=y 23 | 24 | CONFIG_CAIRO=y 25 | CONFIG_FBWHIPTAIL=y 26 | CONFIG_HOTPKEY=y 27 | 28 | CONFIG_LINUX_USB=y 29 | CONFIG_MOBILE_TETHERING=y 30 | 31 | export CONFIG_TPM=n 32 | 33 | #Enable DEBUG output 34 | export CONFIG_DEBUG_OUTPUT=n 35 | export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n 36 | #Enable TPM2 pcap output under /tmp 37 | export CONFIG_TPM2_CAPTURE_PCAP=n 38 | #Enable quiet mode: technical information logged under /tmp/debug.log 39 | export CONFIG_QUIET_MODE=y 40 | export CONFIG_BOOTSCRIPT=/bin/gui-init 41 | export CONFIG_BOOT_REQ_HASH=n 42 | export CONFIG_BOOT_REQ_ROLLBACK=n 43 | export CONFIG_BOOT_KERNEL_ADD="" 44 | export CONFIG_BOOT_KERNEL_REMOVE="" 45 | export CONFIG_BOARD_NAME="Librem 11" 46 | export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal" 47 | export CONFIG_USB_KEYBOARD_REQUIRED=y 48 | export CONFIG_AUTO_BOOT_TIMEOUT=5 49 | export CONFIG_ROOT_DEV="/dev/nvme0n1p2" 50 | export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr" 51 | export CONFIG_ROOT_CHECK_AT_BOOT="n" 52 | 53 | # Librem 11 builds include firmware for integrated AX201 Wi-Fi, Bluetooth, and 54 | # graphics microcontroller. 55 | export CONFIG_SUPPORT_BLOB_JAIL=y 56 | -------------------------------------------------------------------------------- /boards/librem_14/librem_14.config: -------------------------------------------------------------------------------- 1 | # Configuration for a librem 14 2 | CONFIG_LINUX_CONFIG=config/linux-librem_common-6.1.8.config 3 | CONFIG_COREBOOT_CONFIG=config/coreboot-librem_14.config 4 | 5 | export CONFIG_COREBOOT=y 6 | export CONFIG_COREBOOT_VERSION=purism 7 | export CONFIG_LINUX_VERSION=6.1.8 8 | 9 | CONFIG_CRYPTSETUP2=y 10 | CONFIG_FLASHPROG=y 11 | CONFIG_FLASHTOOLS=y 12 | CONFIG_GPG2=y 13 | CONFIG_KEXEC=y 14 | CONFIG_UTIL_LINUX=y 15 | CONFIG_LVM2=y 16 | CONFIG_MBEDTLS=y 17 | CONFIG_PCIUTILS=y 18 | CONFIG_POPT=y 19 | CONFIG_QRENCODE=y 20 | CONFIG_TPMTOTP=y 21 | 22 | CONFIG_CAIRO=y 23 | CONFIG_FBWHIPTAIL=y 24 | CONFIG_HOTPKEY=y 25 | 26 | CONFIG_LINUX_USB=y 27 | CONFIG_MOBILE_TETHERING=y 28 | 29 | export CONFIG_TPM=y 30 | 31 | #Enable DEBUG output 32 | export CONFIG_DEBUG_OUTPUT=n 33 | export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n 34 | #Enable TPM2 pcap output under /tmp 35 | export CONFIG_TPM2_CAPTURE_PCAP=n 36 | #Enable quiet mode: technical information logged under /tmp/debug.log 37 | export CONFIG_QUIET_MODE=y 38 | export CONFIG_BOOTSCRIPT=/bin/gui-init 39 | export CONFIG_BOOT_REQ_HASH=n 40 | export CONFIG_BOOT_REQ_ROLLBACK=n 41 | export CONFIG_BOOT_KERNEL_ADD="" 42 | export CONFIG_BOOT_KERNEL_REMOVE="" 43 | export CONFIG_BOARD_NAME="Librem 14" 44 | export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal" 45 | 46 | export CONFIG_AUTO_BOOT_TIMEOUT=5 47 | export CONFIG_ROOT_DEV="/dev/nvme0n1p2" 48 | export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr" 49 | export CONFIG_ROOT_CHECK_AT_BOOT="n" 50 | -------------------------------------------------------------------------------- /boards/librem_l1um_v2/librem_l1um_v2.config: -------------------------------------------------------------------------------- 1 | # Configuration for librem_l1um_v2 2 | CONFIG_LINUX_CONFIG=config/linux-librem_common-6.1.8.config 3 | CONFIG_COREBOOT_CONFIG=config/coreboot-librem_l1um_v2.config 4 | 5 | export CONFIG_COREBOOT=y 6 | export CONFIG_COREBOOT_VERSION=purism 7 | export CONFIG_LINUX_VERSION=6.1.8 8 | 9 | CONFIG_CRYPTSETUP2=y 10 | CONFIG_FLASHPROG=y 11 | CONFIG_FLASHTOOLS=y 12 | CONFIG_GPG2=y 13 | CONFIG_KEXEC=y 14 | CONFIG_UTIL_LINUX=y 15 | CONFIG_LVM2=y 16 | CONFIG_MBEDTLS=y 17 | CONFIG_PCIUTILS=y 18 | CONFIG_POPT=y 19 | CONFIG_QRENCODE=y 20 | CONFIG_TPMTOTP=y 21 | 22 | CONFIG_CAIRO=y 23 | CONFIG_FBWHIPTAIL=y 24 | CONFIG_HOTPKEY=y 25 | 26 | CONFIG_LINUX_USB=y 27 | CONFIG_MOBILE_TETHERING=y 28 | 29 | export CONFIG_TPM=y 30 | export CONFIG_TPM2_TOOLS=y 31 | CONFIG_TPM2_TSS=y 32 | CONFIG_OPENSSL=y 33 | CONFIG_PRIMARY_KEY_TYPE=ecc 34 | 35 | #Enable DEBUG output 36 | export CONFIG_DEBUG_OUTPUT=n 37 | export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n 38 | #Enable TPM2 pcap output under /tmp 39 | export CONFIG_TPM2_CAPTURE_PCAP=n 40 | #Enable quiet mode: technical information logged under /tmp/debug.log 41 | export CONFIG_QUIET_MODE=y 42 | export CONFIG_BOOTSCRIPT=/bin/gui-init 43 | export CONFIG_BOOT_REQ_HASH=n 44 | export CONFIG_BOOT_REQ_ROLLBACK=n 45 | export CONFIG_BOOT_KERNEL_ADD="" 46 | export CONFIG_BOOT_KERNEL_REMOVE="plymouth.ignore-serial-consoles" 47 | export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" 48 | export CONFIG_BOARD_NAME="Librem Server L1UM v2" 49 | export CONFIG_AUTO_BOOT_TIMEOUT=5 50 | export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal" 51 | export CONFIG_USB_KEYBOARD_REQUIRED=y 52 | export CONFIG_ROOT_DEV="/dev/nvme0n1p2" 53 | export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr" 54 | export CONFIG_ROOT_CHECK_AT_BOOT="n" 55 | -------------------------------------------------------------------------------- /boards/librem_mini/initrd/bin/board-init.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -o pipefail 3 | 4 | . /tmp/config 5 | 6 | # If CONFIG_AUTOMATIC_POWERON is set, always set the EC BRAM setting during 7 | # boot. It persists as long as the RTC battery is set, but set it during every 8 | # boot for robustness in case the battery is temporarily removed, or the user 9 | # toggles in config-gui and then does not flash, etc. 10 | if [ "$CONFIG_AUTOMATIC_POWERON" = "y" ]; then 11 | set_ec_poweron.sh y 12 | fi 13 | 14 | # Don't disable the setting in the EC BRAM though if CONFIG_AUTOMATIC_POWERON 15 | # is not enabled. The default is disabled anyway, and the OS could configure 16 | # it. 17 | -------------------------------------------------------------------------------- /boards/librem_mini/initrd/bin/set_ec_poweron.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Set the EC BRAM setting for automatic power-on. 4 | # If $1 is 'y', enable automatic power-on. Otherwise, disable it. 5 | 6 | # EC BRAM bank 1 7 | BRAMADDR=0x360 8 | BRAMDATA=0x361 9 | 10 | if [ "$1" = "y" ]; then 11 | BRAM_VALUE="0x00" # 0 -> automatic power-on 12 | else 13 | BRAM_VALUE="0x01" # 1 -> stay off 14 | fi 15 | 16 | outb "$BRAMADDR" 0x29 # Select byte at offset 29h 17 | outb "$BRAMDATA" "$BRAM_VALUE" 18 | # There's also a 16-bit checksum at offset 3eh in bank 1. The only byte 19 | # included in the checksum is the automatic power-on setting, so the value is 20 | # the same, and the upper 8 bits remain 0. 21 | outb "$BRAMADDR" 0x3e 22 | outb "$BRAMDATA" "$BRAM_VALUE" 23 | -------------------------------------------------------------------------------- /boards/librem_mini/librem_mini.config: -------------------------------------------------------------------------------- 1 | # Configuration for a librem mini 2 | CONFIG_LINUX_CONFIG=config/linux-librem_common-6.1.8.config 3 | CONFIG_COREBOOT_CONFIG=config/coreboot-librem_mini.config 4 | 5 | export CONFIG_COREBOOT=y 6 | export CONFIG_COREBOOT_VERSION=purism 7 | export CONFIG_LINUX_VERSION=6.1.8 8 | 9 | CONFIG_CRYPTSETUP2=y 10 | CONFIG_FLASHPROG=y 11 | CONFIG_FLASHTOOLS=y 12 | CONFIG_GPG2=y 13 | CONFIG_IOPORT=y 14 | CONFIG_KBD=y 15 | CONFIG_KEXEC=y 16 | CONFIG_UTIL_LINUX=y 17 | CONFIG_LVM2=y 18 | CONFIG_MBEDTLS=y 19 | CONFIG_PCIUTILS=y 20 | CONFIG_POPT=y 21 | CONFIG_QRENCODE=y 22 | CONFIG_TPMTOTP=y 23 | 24 | CONFIG_CAIRO=y 25 | CONFIG_FBWHIPTAIL=y 26 | CONFIG_HOTPKEY=y 27 | 28 | CONFIG_LINUX_USB=y 29 | CONFIG_MOBILE_TETHERING=y 30 | 31 | export CONFIG_TPM=n 32 | 33 | #Enable DEBUG output 34 | export CONFIG_DEBUG_OUTPUT=n 35 | export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n 36 | #Enable TPM2 pcap output under /tmp 37 | export CONFIG_TPM2_CAPTURE_PCAP=n 38 | #Enable quiet mode: technical information logged under /tmp/debug.log 39 | export CONFIG_QUIET_MODE=y 40 | export CONFIG_BOOTSCRIPT=/bin/gui-init 41 | export CONFIG_BOOT_REQ_HASH=n 42 | export CONFIG_BOOT_REQ_ROLLBACK=n 43 | export CONFIG_BOOT_KERNEL_ADD="" 44 | export CONFIG_BOOT_KERNEL_REMOVE="" 45 | export CONFIG_BOARD_NAME="Librem Mini" 46 | export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal" 47 | export CONFIG_USB_KEYBOARD_REQUIRED=y 48 | export CONFIG_AUTO_BOOT_TIMEOUT=5 49 | export CONFIG_ROOT_DEV="/dev/nvme0n1p2" 50 | export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr" 51 | export CONFIG_ROOT_CHECK_AT_BOOT="n" 52 | export CONFIG_SUPPORT_AUTOMATIC_POWERON=y 53 | -------------------------------------------------------------------------------- /boards/librem_mini_v2/initrd/bin/board-init.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -o pipefail 3 | 4 | . /tmp/config 5 | 6 | # If CONFIG_AUTOMATIC_POWERON is set, always set the EC BRAM setting during 7 | # boot. It persists as long as the RTC battery is set, but set it during every 8 | # boot for robustness in case the battery is temporarily removed, or the user 9 | # toggles in config-gui and then does not flash, etc. 10 | if [ "$CONFIG_AUTOMATIC_POWERON" = "y" ]; then 11 | set_ec_poweron.sh y 12 | fi 13 | 14 | # Don't disable the setting in the EC BRAM though if CONFIG_AUTOMATIC_POWERON 15 | # is not enabled. The default is disabled anyway, and the OS could configure 16 | # it. 17 | -------------------------------------------------------------------------------- /boards/librem_mini_v2/initrd/bin/set_ec_poweron.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Set the EC BRAM setting for automatic power-on. 4 | # If $1 is 'y', enable automatic power-on. Otherwise, disable it. 5 | 6 | # EC BRAM bank 1 7 | BRAMADDR=0x360 8 | BRAMDATA=0x361 9 | 10 | if [ "$1" = "y" ]; then 11 | BRAM_VALUE="0x00" # 0 -> automatic power-on 12 | else 13 | BRAM_VALUE="0x01" # 1 -> stay off 14 | fi 15 | 16 | outb "$BRAMADDR" 0x29 # Select byte at offset 29h 17 | outb "$BRAMDATA" "$BRAM_VALUE" 18 | # There's also a 16-bit checksum at offset 3eh in bank 1. The only byte 19 | # included in the checksum is the automatic power-on setting, so the value is 20 | # the same, and the upper 8 bits remain 0. 21 | outb "$BRAMADDR" 0x3e 22 | outb "$BRAMDATA" "$BRAM_VALUE" 23 | -------------------------------------------------------------------------------- /boards/librem_mini_v2/librem_mini_v2.config: -------------------------------------------------------------------------------- 1 | # Configuration for a librem mini v2 2 | CONFIG_LINUX_CONFIG=config/linux-librem_common-6.1.8.config 3 | CONFIG_COREBOOT_CONFIG=config/coreboot-librem_mini_v2.config 4 | 5 | export CONFIG_COREBOOT=y 6 | export CONFIG_COREBOOT_VERSION=purism 7 | export CONFIG_LINUX_VERSION=6.1.8 8 | 9 | CONFIG_CRYPTSETUP2=y 10 | CONFIG_FLASHPROG=y 11 | CONFIG_FLASHTOOLS=y 12 | CONFIG_GPG2=y 13 | CONFIG_IOPORT=y 14 | CONFIG_KBD=y 15 | CONFIG_KEXEC=y 16 | CONFIG_UTIL_LINUX=y 17 | CONFIG_LVM2=y 18 | CONFIG_MBEDTLS=y 19 | CONFIG_PCIUTILS=y 20 | CONFIG_POPT=y 21 | CONFIG_QRENCODE=y 22 | CONFIG_TPMTOTP=y 23 | 24 | CONFIG_CAIRO=y 25 | CONFIG_FBWHIPTAIL=y 26 | CONFIG_HOTPKEY=y 27 | 28 | CONFIG_LINUX_USB=y 29 | CONFIG_MOBILE_TETHERING=y 30 | 31 | export CONFIG_TPM=n 32 | 33 | #Enable DEBUG output 34 | export CONFIG_DEBUG_OUTPUT=n 35 | export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=n 36 | #Enable TPM2 pcap output under /tmp 37 | export CONFIG_TPM2_CAPTURE_PCAP=n 38 | #Enable quiet mode: technical information logged under /tmp/debug.log 39 | export CONFIG_QUIET_MODE=y 40 | export CONFIG_BOOTSCRIPT=/bin/gui-init 41 | export CONFIG_BOOT_REQ_HASH=n 42 | export CONFIG_BOOT_REQ_ROLLBACK=n 43 | export CONFIG_BOOT_KERNEL_ADD="" 44 | export CONFIG_BOOT_KERNEL_REMOVE="" 45 | export CONFIG_BOARD_NAME="Librem Mini v2" 46 | export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal" 47 | export CONFIG_USB_KEYBOARD_REQUIRED=y 48 | export CONFIG_AUTO_BOOT_TIMEOUT=5 49 | export CONFIG_ROOT_DEV="/dev/nvme0n1p2" 50 | export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr" 51 | export CONFIG_ROOT_CHECK_AT_BOOT="n" 52 | export CONFIG_SUPPORT_AUTOMATIC_POWERON=y 53 | -------------------------------------------------------------------------------- /branding/Heads/ThePlexus-bootsplash-1024x768-DonateQrCode.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/linuxboot/heads/9fabe7f26cacea874fac6502ddded564ee2f8af5/branding/Heads/ThePlexus-bootsplash-1024x768-DonateQrCode.jpg -------------------------------------------------------------------------------- /branding/Heads/ThePlexus-bootsplash-1024x768.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/linuxboot/heads/9fabe7f26cacea874fac6502ddded564ee2f8af5/branding/Heads/ThePlexus-bootsplash-1024x768.jpg -------------------------------------------------------------------------------- /branding/Heads/ThePlexus-logo.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/linuxboot/heads/9fabe7f26cacea874fac6502ddded564ee2f8af5/branding/Heads/ThePlexus-logo.jpg -------------------------------------------------------------------------------- /branding/Heads/bing-d-wid_heads-red_blue_background-plain-3_DonateQrCode.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/linuxboot/heads/9fabe7f26cacea874fac6502ddded564ee2f8af5/branding/Heads/bing-d-wid_heads-red_blue_background-plain-3_DonateQrCode.jpg -------------------------------------------------------------------------------- /branding/Heads/bootsplash.jpg: -------------------------------------------------------------------------------- 1 | d-wid-ThePlexus_coreboot-linuxboot-heads_background-plain_DonateQrCode.jpg -------------------------------------------------------------------------------- /branding/Heads/d-wid-ThePlexus_coreboot-linuxboot-heads_background-plain_DonateQrCode.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/linuxboot/heads/9fabe7f26cacea874fac6502ddded564ee2f8af5/branding/Heads/d-wid-ThePlexus_coreboot-linuxboot-heads_background-plain_DonateQrCode.jpg -------------------------------------------------------------------------------- /branding/Heads/d-wid-ThePlexus_heads_ThrillerAtPlay-background-binary_DonateQrCode.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/linuxboot/heads/9fabe7f26cacea874fac6502ddded564ee2f8af5/branding/Heads/d-wid-ThePlexus_heads_ThrillerAtPlay-background-binary_DonateQrCode.jpg -------------------------------------------------------------------------------- /branding/Heads/d-wid_heads-Thrilleratplay_background-binary-2_DonateQrCode.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/linuxboot/heads/9fabe7f26cacea874fac6502ddded564ee2f8af5/branding/Heads/d-wid_heads-Thrilleratplay_background-binary-2_DonateQrCode.jpg -------------------------------------------------------------------------------- /branding/Heads/d-wid_heads_background-plain-2_DonateQrCode.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/linuxboot/heads/9fabe7f26cacea874fac6502ddded564ee2f8af5/branding/Heads/d-wid_heads_background-plain-2_DonateQrCode.jpg -------------------------------------------------------------------------------- /build/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | -------------------------------------------------------------------------------- /flake.lock: -------------------------------------------------------------------------------- 1 | { 2 | "nodes": { 3 | "flake-utils": { 4 | "inputs": { 5 | "systems": "systems" 6 | }, 7 | "locked": { 8 | "lastModified": 1710146030, 9 | "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", 10 | "owner": "numtide", 11 | "repo": "flake-utils", 12 | "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", 13 | "type": "github" 14 | }, 15 | "original": { 16 | "owner": "numtide", 17 | "repo": "flake-utils", 18 | "type": "github" 19 | } 20 | }, 21 | "nixpkgs": { 22 | "locked": { 23 | "lastModified": 1716509168, 24 | "narHash": "sha256-4zSIhSRRIoEBwjbPm3YiGtbd8HDWzFxJjw5DYSDy1n8=", 25 | "owner": "nixos", 26 | "repo": "nixpkgs", 27 | "rev": "bfb7a882678e518398ce9a31a881538679f6f092", 28 | "type": "github" 29 | }, 30 | "original": { 31 | "owner": "nixos", 32 | "ref": "nixos-unstable", 33 | "repo": "nixpkgs", 34 | "type": "github" 35 | } 36 | }, 37 | "root": { 38 | "inputs": { 39 | "flake-utils": "flake-utils", 40 | "nixpkgs": "nixpkgs" 41 | } 42 | }, 43 | "systems": { 44 | "locked": { 45 | "lastModified": 1681028828, 46 | "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", 47 | "owner": "nix-systems", 48 | "repo": "default", 49 | "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", 50 | "type": "github" 51 | }, 52 | "original": { 53 | "owner": "nix-systems", 54 | "repo": "default", 55 | "type": "github" 56 | } 57 | } 58 | }, 59 | "root": "root", 60 | "version": 7 61 | } 62 | -------------------------------------------------------------------------------- /initrd/.bash_history: -------------------------------------------------------------------------------- 1 | #mount /boot in read-only by default 2 | mount /boot 3 | #verify detached signature of /boot content 4 | find /boot/kexec*.txt | gpg --verify /boot/kexec.sig - 5 | #remove invalid kexec_* signed files 6 | mount /dev/sda1 /boot && mount -o remount,rw /boot && rm /boot/kexec* && mount -o remount,ro /boot 7 | #Generate keys on OpenPGP smartcard: 8 | mount-usb && gpg --home=/.gnupg/ --card-edit 9 | #Copy generated public key, private_subkey, trustdb and artifacts to external media for backup: 10 | mount -o remount,rw /media && mkdir -p /media/gpg_keys; gpg --export-secret-keys --armor email@address.com > /media/gpg_keys/private.key && gpg --export --armor email@address.com > /media/gpg_keys/public.key && gpg --export-ownertrust > /media/gpg_keys/otrust.txt && cp -r ./.gnupg/* /media/gpg_keys/ 2> /dev/null 11 | #Insert public key and trustdb export into reproducible rom: 12 | cbfs -o /media/coreboot.rom -a "heads/initrd/.gnupg/keys/public.key" -f /media/gpg_keys/public.key && cbfs -o /media/coreboot.rom -a "heads/initrd/.gnupg/keys/otrust.txt" -f /media/gpg_keys/otrust.txt 13 | #Flush changes to external media: 14 | mount -o,remount ro /media 15 | #Flash modified reproducible rom with inserted public key and trustdb export from precedent step. Flushes actual rom's keys (-c: clean): 16 | flash.sh -c /media/coreboot.rom 17 | #Attest integrity of firmware as it is 18 | seal-totp 19 | #Verify Intel ME state: 20 | cbmem --console | grep '^ME' 21 | cbmem --console | less 22 | # Reboot/power off (important for devices with no keyboard to escape recovery shell) 23 | reboot # Press Enter with this command to reboot 24 | poweroff # Press Enter with this command to power off 25 | -------------------------------------------------------------------------------- /initrd/.gnupg/gpg-agent.conf: -------------------------------------------------------------------------------- 1 | scdaemon-program /bin/scdaemon 2 | pinentry-program /bin/pinentry-tty 3 | daemon 4 | -------------------------------------------------------------------------------- /initrd/.gnupg/gpg.conf: -------------------------------------------------------------------------------- 1 | use-agent 2 | keyserver-options no-auto-key-retrieve 3 | -------------------------------------------------------------------------------- /initrd/bin/basic-autoboot.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -o pipefail 3 | 4 | . /etc/functions 5 | 6 | BOOT_MENU_OPTIONS=/tmp/basic-autoboot-options 7 | 8 | scan_boot_options /boot "grub.cfg" "$BOOT_MENU_OPTIONS" 9 | if [ -s "$BOOT_MENU_OPTIONS" ]; then 10 | kexec-boot -b /boot -e "$(head -1 "$BOOT_MENU_OPTIONS")" 11 | fi 12 | -------------------------------------------------------------------------------- /initrd/bin/cbfs-init: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e -o pipefail 3 | . /etc/functions 4 | 5 | # CBFS extraction and measurement 6 | # This extraction and measurement cannot be suppressed by quiet mode, since 7 | # config.user is not yet loaded at this point. 8 | # To suppress this output, set CONFIG_QUIET_MODE=y needs be be set in /etc/config 9 | # which is defined at build time under board configuration file to be part of initrd.cpio 10 | # This script is called from initrd/init so really early in the boot process to put files in place in initramfs 11 | 12 | TRACE_FUNC 13 | 14 | # Update initrd with CBFS files 15 | if [ -z "$CONFIG_PCR" ]; then 16 | CONFIG_PCR=7 17 | fi 18 | 19 | # Load individual files 20 | cbfsfiles=`cbfs -t 50 -l 2>/dev/null | grep "^heads/initrd/"` 21 | 22 | for cbfsname in `echo $cbfsfiles`; do 23 | filename=${cbfsname:12} 24 | if [ ! -z "$filename" ]; then 25 | mkdir -p `dirname $filename` \ 26 | || die "$filename: mkdir failed" 27 | INFO "Extracting CBFS file $cbfsname into $filename" 28 | cbfs -t 50 $CBFS_ARG -r $cbfsname > "$filename" \ 29 | || die "$filename: cbfs file read failed" 30 | if [ "$CONFIG_TPM" = "y" ]; then 31 | TRACE_FUNC 32 | INFO "TPM: Extending PCR[$CONFIG_PCR] with filename $filename and then its content" 33 | # Measure both the filename and its content. This 34 | # ensures that renaming files or pivoting file content 35 | # will still affect the resulting PCR measurement. 36 | tpmr extend -ix "$CONFIG_PCR" -ic "$filename" 37 | tpmr extend -ix "$CONFIG_PCR" -if "$filename" \ 38 | || die "$filename: tpm extend failed" 39 | fi 40 | fi 41 | done 42 | -------------------------------------------------------------------------------- /initrd/bin/cbfs.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e -o pipefail 3 | . /etc/functions 4 | . /tmp/config 5 | 6 | TRACE_FUNC 7 | 8 | if pnor "$2" -r HBI > /tmp/pnor.part 2>/dev/null; then 9 | cbfs "$@" -o /tmp/pnor.part && pnor "$2" -w HBI < /tmp/pnor.part 10 | else 11 | cbfs "$@" 12 | fi 13 | -------------------------------------------------------------------------------- /initrd/bin/flashprog-kgpe-d16-openbmc.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | . /etc/functions 3 | 4 | TRACE_FUNC 5 | 6 | ROM="$1" 7 | if [ -z "$1" ]; then 8 | die "Usage: $0 /media/kgpe-d16-openbmc.rom" 9 | fi 10 | 11 | cp "$ROM" /tmp/kgpe-d16-openbmc.rom 12 | sha256sum /tmp/kgpe-d16-openbmc.rom 13 | 14 | flashprog --programmer="ast1100:spibus=2,cpu=reset" -c "S25FL128P......0" -w /tmp/kgpe-d16-openbmc.rom \ 15 | || die "$ROM: Flash failed" 16 | 17 | warn "Reboot and hopefully it works" 18 | exit 0 19 | -------------------------------------------------------------------------------- /initrd/bin/generic-init: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Boot from a local disk installation 3 | 4 | . /etc/functions 5 | . /tmp/config 6 | 7 | mount_boot() 8 | { 9 | TRACE_FUNC 10 | # Mount local disk if it is not already mounted 11 | if ! grep -q /boot /proc/mounts ; then 12 | mount -o ro /boot \ 13 | || recovery "Unable to mount /boot" 14 | fi 15 | } 16 | 17 | 18 | # Confirm we have a good TOTP unseal and ask the user for next choice 19 | while true; do 20 | echo "y) Default boot" 21 | echo "n) TOTP does not match" 22 | echo "r) Recovery boot" 23 | echo "u) USB boot" 24 | echo "m) Boot menu" 25 | 26 | if ! confirm_totp "Boot mode"; then 27 | recovery 'Failed to unseal TOTP' 28 | fi 29 | 30 | if [ "$totp_confirm" = "r" ]; then 31 | recovery "User requested recovery shell" 32 | fi 33 | 34 | if [ "$totp_confirm" = "n" ]; then 35 | echo "" 36 | echo "To correct clock drift: 'date -s HH:MM:SS'" 37 | echo "and save it to the RTC: 'hwclock -w'" 38 | echo "then reboot and try again" 39 | echo "" 40 | recovery "TOTP mismatch" 41 | fi 42 | 43 | if [ "$totp_confirm" = "u" ]; then 44 | exec /bin/usb-init 45 | continue 46 | fi 47 | 48 | if [ "$totp_confirm" = "m" ]; then 49 | # Try to select a kernel from the menu 50 | mount_boot 51 | kexec-select-boot -m -b /boot -c "grub.cfg" 52 | continue 53 | fi 54 | 55 | if [ "$totp_confirm" = "y" -o -n "$totp_confirm" ]; then 56 | # Try to boot the default 57 | mount_boot 58 | kexec-select-boot -b /boot -c "grub.cfg" \ 59 | || recovery "Failed default boot" 60 | fi 61 | 62 | done 63 | 64 | recovery "Something failed during boot" 65 | -------------------------------------------------------------------------------- /initrd/bin/gpgv: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # if we are using the full GPG we need a wrapper for the gpgv executable 3 | . /etc/functions 4 | 5 | TRACE_FUNC 6 | exec gpg --verify "$@" 7 | -------------------------------------------------------------------------------- /initrd/bin/kexec-iso-init: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Boot from signed ISO 3 | set -e -o pipefail 4 | . /etc/functions 5 | . /tmp/config 6 | 7 | TRACE_FUNC 8 | 9 | MOUNTED_ISO_PATH="$1" 10 | ISO_PATH="$2" 11 | DEV="$3" 12 | 13 | echo '+++ Verifying ISO' 14 | # Verify the signature on the hashes 15 | ISOSIG="$MOUNTED_ISO_PATH.sig" 16 | if ! [ -r "$ISOSIG" ]; then 17 | ISOSIG="$MOUNTED_ISO_PATH.asc" 18 | fi 19 | 20 | ISO_PATH="${ISO_PATH##/}" 21 | 22 | gpgv --homedir=/etc/distro/ "$ISOSIG" "$MOUNTED_ISO_PATH" \ 23 | || die 'ISO signature failed' 24 | 25 | echo '+++ Mounting ISO and booting' 26 | mount -t iso9660 -o loop $MOUNTED_ISO_PATH /boot \ 27 | || die '$MOUNTED_ISO_PATH: Unable to mount /boot' 28 | 29 | DEV_UUID=`blkid $DEV | tail -1 | tr " " "\n" | grep UUID | cut -d\" -f2` 30 | ADD="fromiso=/dev/disk/by-uuid/$DEV_UUID/$ISO_PATH img_dev=/dev/disk/by-uuid/$DEV_UUID iso-scan/filename=/${ISO_PATH} img_loop=$ISO_PATH iso=$DEV_UUID/$ISO_PATH" 31 | REMOVE="" 32 | 33 | paramsdir="/media/kexec_iso/$ISO_PATH" 34 | check_config $paramsdir 35 | 36 | ADD_FILE=/tmp/kexec/kexec_iso_add.txt 37 | if [ -r $ADD_FILE ]; then 38 | NEW_ADD=`cat $ADD_FILE` 39 | ADD=$(eval "echo \"$NEW_ADD\"") 40 | fi 41 | echo "+++ Overriding standard ISO kernel arguments with additions: $ADD" 42 | 43 | REMOVE_FILE=/tmp/kexec/kexec_iso_remove.txt 44 | if [ -r $REMOVE_FILE ]; then 45 | NEW_REMOVE=`cat $REMOVE_FILE` 46 | REMOVE=$(eval "echo \"$NEW_REMOVE\"") 47 | fi 48 | echo "+++ Overriding standard ISO kernel arguments with suppressions: $REMOVE" 49 | 50 | # Call kexec and indicate that hashes have been verified 51 | DO_WITH_DEBUG kexec-select-boot -b /boot -d /media -p "$paramsdir" \ 52 | -a "$ADD" -r "$REMOVE" -c "*.cfg" -u -i 53 | 54 | die "Something failed in selecting boot" 55 | -------------------------------------------------------------------------------- /initrd/bin/kexec-unseal-key: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # This will unseal and unecncrypt the drive encryption key from the TPM 3 | # The TOTP secret will be shown to the user on each encryption attempt. 4 | # It will then need to be bundled into initrd that is booted with Qubes. 5 | set -e -o pipefail 6 | . /etc/functions 7 | 8 | TPM_INDEX=3 9 | TPM_SIZE=312 10 | 11 | . /etc/functions 12 | 13 | TRACE_FUNC 14 | 15 | mkdir -p /tmp/secret 16 | 17 | key_file="$1" 18 | 19 | if [ -z "$key_file" ]; then 20 | key_file="/tmp/secret/secret.key" 21 | fi 22 | 23 | DEBUG "CONFIG_TPM: $CONFIG_TPM" 24 | DEBUG "CONFIG_TPM2_TOOLS: $CONFIG_TPM2_TOOLS" 25 | DEBUG "Show PCRs" 26 | DEBUG "$(pcrs)" 27 | 28 | for tries in 1 2 3; do 29 | read -s -p "Enter LUKS TPM Disk Unlock Key passphrase (blank to abort): " tpm_password 30 | echo 31 | if [ -z "$tpm_password" ]; then 32 | die "Aborting unseal disk encryption key" 33 | fi 34 | 35 | if DO_WITH_DEBUG --mask-position 6 \ 36 | tpmr unseal "$TPM_INDEX" "0,1,2,3,4,5,6,7" "$TPM_SIZE" \ 37 | "$key_file" "$tpm_password"; then 38 | exit 0 39 | fi 40 | 41 | warn "Unable to unseal LUKS Disk Unlock Key from TPM" 42 | done 43 | 44 | die "Retry count exceeded..." 45 | -------------------------------------------------------------------------------- /initrd/bin/lock_chip: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # For this to work: 3 | # - io386 module needs to be enabled in board config 4 | # - =Skylake: same as above and CONFIG_SOC_INTEL_COMMON_SPI_LOCKDOWN_SMM=y, CONFIG_SPI_FLASH_SMM=y and mode (eg: CONFIG_BOOTMEDIA_LOCK_WHOLE_RO=y) 6 | # - Heads is actually doing the CONFIG_INTEL_CHIPSET_LOCKDOWN equivalent here. 7 | 8 | . /etc/functions 9 | 10 | TRACE_FUNC 11 | if [ "$CONFIG_FINALIZE_PLATFORM_LOCKING" = "y" ]; then 12 | APM_CNT=0xb2 13 | FIN_CODE=0xcb 14 | fi 15 | 16 | if [ -n "$APM_CNT" -a -n "$FIN_CODE" ]; then 17 | # PR0 lockdown is enabled by setting a lock bit (FLOCKDN) in the SPI controller, 18 | # which prevents further changes to the SPI controller configuration. The flash 19 | # will become write protected in the range specified in the PR0 register. Once 20 | # the protection is set and locked, it cannot be disabled 21 | # until the next system reset. 22 | echo "Finalizing chipset Write Protection through SMI PR0 lockdown call" 23 | io386 -o b -b x $APM_CNT $FIN_CODE 24 | else 25 | echo "NOT Finalizing chipset" 26 | echo "lock_chip called without valid APM_CNT and FIN_CODE defined under bin/lock_chip." 27 | fi 28 | -------------------------------------------------------------------------------- /initrd/bin/poweroff: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | . /etc/functions 3 | 4 | TRACE_FUNC 5 | 6 | # Shut down TPM 7 | if [ "$CONFIG_TPM" = "y" ]; then 8 | tpmr shutdown 9 | fi 10 | 11 | # Sync all mounted filesystems 12 | echo s > /proc/sysrq-trigger 13 | 14 | # Remount all mounted filesystems in read-only mode 15 | echo u > /proc/sysrq-trigger 16 | 17 | # Shut off the system 18 | echo o > /proc/sysrq-trigger 19 | -------------------------------------------------------------------------------- /initrd/bin/qubes-measure-luks: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Measure all of the LUKS Disk Encryption headers into 3 | # a PCR so that we can detect disk swap attacks. 4 | . /etc/functions 5 | 6 | TRACE_FUNC 7 | DEBUG "Arguments passed to qubes-measure-luks: $@" 8 | 9 | # Measure the LUKS headers into PCR 6 10 | for dev in "$@"; do 11 | DEBUG "Storing LUKS header for $dev into /tmp/lukshdr-$(echo "$dev" | sed 's/\//_/g')" 12 | cryptsetup luksHeaderBackup $dev \ 13 | --header-backup-file /tmp/lukshdr-$(echo "$dev" | sed 's/\//_/g') || 14 | die "$dev: Unable to read LUKS header" 15 | done 16 | 17 | DEBUG "Hashing LUKS headers into /tmp/luksDump.txt" 18 | sha256sum /tmp/lukshdr-* >/tmp/luksDump.txt || die "Unable to hash LUKS headers" 19 | DEBUG "Removing /tmp/lukshdr-*" 20 | rm /tmp/lukshdr-* 21 | 22 | TRACE_FUNC 23 | INFO "TPM: Extending PCR[6] with hash of LUKS headers from /tmp/luksDump.txt" 24 | tpmr extend -ix 6 -if /tmp/luksDump.txt || 25 | die "Unable to extend PCR" 26 | -------------------------------------------------------------------------------- /initrd/bin/reboot: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | . /etc/functions 3 | 4 | TRACE_FUNC 5 | 6 | if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then 7 | #Generalize user prompt to continue reboot or go to recovery shell 8 | read -r -n 1 -s -p "Press any key to continue reboot or 'r' to go to recovery shell: " REPLY 9 | echo 10 | if [ "$REPLY" = "r" ] || [ "$REPLY" = "R" ]; then 11 | recovery "Reboot call bypassed to go into recovery shell to debug" 12 | fi 13 | fi 14 | 15 | # Shut down TPM 16 | if [ "$CONFIG_TPM" = "y" ]; then 17 | tpmr shutdown 18 | fi 19 | 20 | # Sync all mounted filesystems 21 | echo s > /proc/sysrq-trigger 22 | 23 | # Remount all mounted filesystems in read-only mode 24 | echo u > /proc/sysrq-trigger 25 | 26 | # Immediately reboot the system, without unmounting or syncing filesystems 27 | echo b > /proc/sysrq-trigger 28 | -------------------------------------------------------------------------------- /initrd/bin/setconsolefont.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -eo pipefail 4 | . /etc/functions 5 | 6 | TRACE_FUNC 7 | 8 | # If the board ships setfont, and the console size is >=1600 lines tall, 9 | # increase the console font size. 10 | if [ ! -x /bin/setfont ]; then 11 | DEBUG "Board does not ship setfont, not checking console font" 12 | exit 0 13 | fi 14 | 15 | if [ ! -f /sys/class/graphics/fb0/virtual_size ]; then 16 | DEBUG "fb0 virtual size is not known" 17 | exit 0 18 | fi 19 | 20 | CONSOLE_HEIGHT="$(cut -d, -f2 /sys/class/graphics/fb0/virtual_size)" 21 | 22 | # Deciding scale based on resolution is inherently heuristic, as the scale 23 | # really depends on resolution, physical size, how close the display is to the 24 | # user, and personal preference. 25 | # 26 | # fbwhiptail starts using 1.5x scale at 1350 lines, but we can only choose 1x 27 | # or 2x (without shipping more fonts). Err toward making the console too large 28 | # rather than too small and go to 2x at 1350 lines. 29 | if [ "$CONSOLE_HEIGHT" -ge 1350 ]; then 30 | DEBUG "Double console font size due to framebuffer height $CONSOLE_HEIGHT" 31 | # Double the default font size by reading it out, then applying it again 32 | # with setfont's -d option (double font size) 33 | setfont -O /tmp/default_font 34 | setfont -d /tmp/default_font 35 | rm /tmp/default_font 36 | else 37 | DEBUG "Keep default console font size due to framebuffer height $CONSOLE_HEIGHT" 38 | fi 39 | -------------------------------------------------------------------------------- /initrd/bin/talos-init: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # BMC on Talos must be informed that OS has been started in order to enable fan 3 | # control. This is done by writing 0xFE to I/O ports 0x81 and 0x82 (in that 4 | # order) through LPC connected to first CPU. LPC I/O space of first CPU is 5 | # mapped to memory at 0x80060300D0010000, I/O port number has to be added to 6 | # this address. Write can be performed using busybox's devmem applet. 7 | 8 | devmem 0x80060300D0010081 8 254 9 | devmem 0x80060300D0010082 8 254 10 | 11 | # Disable fast-reset which doesn't reset TPM and results in different values of 12 | # PRCs every time. 13 | nvram -p ibm,skiboot --update-config fast-reset=0 14 | 15 | # Proceed with standard init path 16 | exec /bin/gui-init 17 | -------------------------------------------------------------------------------- /initrd/bin/tpm-reset: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | . /etc/functions 3 | 4 | echo '*****' 5 | echo '***** WARNING: This will erase all keys and secrets from the TPM' 6 | echo '*****' 7 | 8 | prompt_new_owner_password 9 | 10 | tpmr reset "$tpm_owner_password" 11 | -------------------------------------------------------------------------------- /initrd/bin/uefi-init: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -e -o pipefail 3 | . /etc/functions 4 | 5 | # Update initrd with CBFS files 6 | if [ -z "$CONFIG_PCR" ]; then 7 | CONFIG_PCR=7 8 | fi 9 | 10 | CONFIG_GUID="74696e69-6472-632e-7069-6f2f75736572" 11 | 12 | # copy EFI file named $CONFIG_GUID to /tmp, measure and extract 13 | GUID=`uefi -l | grep "^$CONFIG_GUID"` 14 | 15 | if [ -n "GUID" ]; then 16 | echo "Loading $GUID from ROM" 17 | TMPFILE=/tmp/uefi.$$ 18 | uefi -r $GUID | gunzip -c > $TMPFILE \ 19 | || die "Failed to read config GUID from ROM" 20 | 21 | if [ "$CONFIG_TPM" = "y" ]; then 22 | tpmr extend -ix "$CONFIG_PCR" -if $TMPFILE \ 23 | || die "$filename: tpm extend failed" 24 | fi 25 | 26 | ( cd / ; cpio -iud < $TMPFILE 2>/dev/null ) \ 27 | || die "Failed to extract config GUID" 28 | fi 29 | -------------------------------------------------------------------------------- /initrd/bin/unseal-totp: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Retrieve the sealed file from the NVRAM, unseal it and compute the totp 3 | 4 | . /etc/functions 5 | 6 | TOTP_SECRET="/tmp/secret/totp.key" 7 | 8 | TRACE_FUNC 9 | 10 | if [ "$CONFIG_TPM" = "y" ]; then 11 | tpmr unseal 4d47 0,1,2,3,4,7 312 "$TOTP_SECRET" || 12 | die "Unable to unseal TOTP secret from TPM" 13 | fi 14 | 15 | if ! totp -q <"$TOTP_SECRET"; then 16 | shred -n 10 -z -u "$TOTP_SECRET" 2>/dev/null 17 | die 'Unable to compute TOTP hash?' 18 | fi 19 | 20 | shred -n 10 -z -u "$TOTP_SECRET" 2>/dev/null 21 | exit 0 22 | -------------------------------------------------------------------------------- /initrd/bin/usb-init: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Boot a USB installation 3 | 4 | . /etc/functions 5 | . /tmp/config 6 | 7 | TRACE_FUNC 8 | 9 | if [ "$CONFIG_TPM" = "y" ]; then 10 | # Extend PCR4 as soon as possible 11 | tpmr extend -ix 4 -ic usb 12 | fi 13 | 14 | DO_WITH_DEBUG media-scan usb 15 | recovery "Something failed during USB boot" 16 | -------------------------------------------------------------------------------- /initrd/bin/wget-measure.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # get a file and extend a TPM PCR 3 | . /etc/functions 4 | 5 | die() { 6 | TRACE_FUNC 7 | echo >&2 "$@" 8 | exit 1 9 | } 10 | 11 | INDEX="$1" 12 | URL="$2" 13 | 14 | if [ -z "$INDEX" -o -z "$URL" ]; then 15 | die "Usage: $0 pcr-index url" 16 | fi 17 | 18 | 19 | wget "$URL" || die "$URL: failed" 20 | 21 | FILE="`basename "$URL"`" 22 | tpmr extend -ix "$INDEX" -if "$FILE" || die "$FILE: tpm extend failed" 23 | 24 | 25 | -------------------------------------------------------------------------------- /initrd/bin/wipe-totp: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Wipe the sealed TOTP/HOTP secret. The secret is overwritten with all-0, 3 | # rather than deleted, because deletion requires authorization. Wiping the 4 | # secret will cause the next boot to prompt to regenerate the secret. 5 | 6 | . /etc/functions 7 | 8 | TPM_NVRAM_SPACE=4d47 9 | TPM_SIZE=312 10 | 11 | if [ "$CONFIG_TPM" = "y" ]; then 12 | tpmr destroy "$TPM_NVRAM_SPACE" "$TPM_SIZE" \ 13 | || die "Unable to wipe sealed secret" 14 | fi 15 | -------------------------------------------------------------------------------- /initrd/etc/distro/gpg-agent.conf: -------------------------------------------------------------------------------- 1 | disable-scdaemon 2 | -------------------------------------------------------------------------------- /initrd/etc/distro/keys/archlinux.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PGP PUBLIC KEY BLOCK----- 2 | 3 | mDMEY1+RVxYJKwYBBAHaRw8BAQdAd3XdZwOmmiALePwd26Bu3hPblAfHflGN+Lud 4 | gE2Qyby0JFBpZXJyZSBTY2htaXR6IDxwaWVycmVAYXJjaGxpbnV4LmRlPoiWBBMW 5 | CAA+AhsDBQkcMgSABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEEPoDKGouJ9py6 6 | V9mKdqXvkFREmlwFAmNfk2gACgkQdqXvkFREmlzdiwD9Hf7TDfxBrJ1YwpD9lLtU 7 | VI4Kpze3P5deOb5REsGE5ocBAPn7WymPFoTUfrrxfmlsqZtSz+2D5GdXEWQYOTqU 8 | vu0MtCVQaWVycmUgU2NobWl0eiA8cGllcnJlQGFyY2hsaW51eC5vcmc+iJkEExYI 9 | AEECGwMFCRwyBIAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQQ+gMoai4n2nLpX 10 | 2Yp2pe+QVESaXAUCY1+TaAIZAQAKCRB2pe+QVESaXLQPAQCFeOXY4m9LPfMDNzrO 11 | IElLyh+w9p9PBa80AsAsjXGC1gEAy9Ymc3jnAj2MJDnby3b5WyNzDbjBMKVhv2Cv 12 | mDln0Aq4MwRjX5HTFgkrBgEEAdpHDwEBB0DjSWuxVrnVYEIcJlRJPmn54ReBGvqP 13 | +EYB2BVx5ZFPv4h+BBgWCAAmFiEEPoDKGouJ9py6V9mKdqXvkFREmlwFAmNfkdMC 14 | GyAFCRwyBIAACgkQdqXvkFREmlzEGwEAwvDuiUn1Mgw0x7/m0hXzveAAgLVdJWD+ 15 | 0/YiepxE9GoA/jCgNca2AuWyi416FYQkFtqtlIjWUb56hY5WlBvpNZIOuDgEY1+R 16 | VxIKKwYBBAGXVQEFAQEHQIhe0t8UMpN+G4c24ByW/Y1vu1m3C62KsvlRPzw/R0AN 17 | AwEIB4h+BBgWCAAmFiEEPoDKGouJ9py6V9mKdqXvkFREmlwFAmNfkVcCGwwFCRwy 18 | BIAACgkQdqXvkFREmlynZgD+PlibATlapVxz6EprGMfnktevUlfWQwShRJ+w/x8I 19 | zyAA/0nOvoE7j4sdvg4QoW/s2nPYaDy8EK/XAMRT15eScYIH 20 | =FFYH 21 | -----END PGP PUBLIC KEY BLOCK----- 22 | -------------------------------------------------------------------------------- /initrd/etc/distro/keys/qubes-4.1.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PGP PUBLIC KEY BLOCK----- 2 | Version: GnuPG v1 3 | 4 | mQINBFi9Xv4BEADTkOlBTDmO6DsFJi754ilTFqsluGWleeProuz8Q+bHFlx0Mqtk 5 | uOUcxIjEWwxhn1qN98dIPYds+mD9Bohamdh+bJYxB/YYj9B2xvURhCpxVlWzzkzt 6 | i1lPYhj/MR637N9JqIdILmJSBFDxmnuWfQxfsbIsi4lUx5oq6HzIAYXzUzA+0/0a 7 | c/j0zAm9oBq+pXPad/xkH8ebkNAL0+HbHArBNFzrhVKmi1VskpxurPIYZEcQ0dUu 8 | n447TM/37y+dzmNYxvSuK2zBPFa9upXsKZEoVaJqksXDdX2YuMsZFiesdieL85w7 9 | sD1iI6Eqmp5EIZXa8t0/MHTaDrm1tDKJdSu/5zrh0RFh+J73qxJH8lDJqcTVggCe 10 | Xoasoi1LNg0CIgzVM+zLEDbpNd6mILdXQNHzsU4CP2UFpMxOUUDMEPYSE3WBExWX 11 | 0dBO8QgvTOzqvRWq7TL2jKaprsB/ZXiZief5hOK2QFL6HFEOuFuWLf3tb2+tpJoZ 12 | LXbXYW+6M+WNRHr9mDg3o6SuZmSwUCOa1FV/i51gqiUHmXEfIGH3iE5WWq2bvUG1 13 | dhjkzDGPL9fXbCWS6+QARakXRbxslsc4RgMrQR6nLEAuOL7GDaG3c7ldqgfotkal 14 | 5KDB5/1AxYW1TC0JfoKWalYrfXlUJlbHcvDFqHdyljOnoeJ8WVqLNE9hUQARAQAB 15 | tB5RdWJlcyBPUyBSZWxlYXNlIDQgU2lnbmluZyBLZXmJAjcEEwEIACEFAli9Xv4C 16 | GwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQGEh5L54nlem9QRAAkaDEfYey 17 | FoldssIDE/gliYYb7RSYBjs+QrYJQjBxFGXXPgHS5kGMZfMkqVVBc8EtHh41q7gU 18 | mUIHVbjnKIcYaKLaVl/qb9Jkx+6/NxEYWjNVEMMwPk820QgI1alWrweH7ZuxxGlz 19 | CzOQsyKZLH3TESEf46CUjv9FHW2nKPAp5qVMzLRlgtquQAdfh7SWau7Kd+WPQOiB 20 | 9cj+j3/yswsrpLmvqJP8trS/aKAhsn2jGrxwSAbdGCzQorJjUy5HLZ6xVIk9yD0T 21 | +o9cbK4SQSuOHUiA9Z5gA7vuxwOuloDhIm74k2PBWMaUEvx19nIh4XmgGEKNzI6V 22 | SbR+s+d9ciQ/aC/bXdeeZOpCDaty54D8sKzMi2y15Urycxwpz508LwE6I3Zm0Won 23 | xMEf5gGR30szgQdh6sJKIqZ2nVDLBg4H1mc4CULhsgViN/vM3Rrj2t4kOwUM30AU 24 | M49o4JPzY4wvhsAmhIQGl38C8wDkSqPwntRsszpbLgzI3Lsxb00xiPcLR6Y/pviH 25 | AfHxh/1uYymjD1Fq9u9ylgR6+15qqEYY/uEHr2EQyVvXQ08R1iKkT+v8fufMFUWa 26 | rJxyB+5v/RPRKvRRi9Xb1HkoiFo3E/bEPYKlGA2colp5iqFYpTUBJYJXyMosgjI+ 27 | mqH0I+V+LuMtlE521YHKg0tsB9GVlfWBS10= 28 | =QN1j 29 | -----END PGP PUBLIC KEY BLOCK----- 30 | -------------------------------------------------------------------------------- /initrd/etc/distro/keys/qubes-4.2.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PGP PUBLIC KEY BLOCK----- 2 | 3 | mQINBGM8PrkBEADVWKMPcCF/azZEX8TpvAsxVnqC6gocLedVkqyVHp17u/hcKveG 4 | DrmkTZiCBw8WDKqrJug0jVA4w2VmS2aSRZJhFAkHDHeaH2pAAWKWgvP/m8ta0Zc7 5 | 2TPRncx1+5MhINY76nb4dj1JTU5tHT/pT9wc8c15xvlAgYP+qYPwNjgWwfm5e7JN 6 | +cbFEwhl56ddMFJorA2cvmpxc7aR9znw56LFIHStzYVXYq9saNp7aTR1OF+T2Eqj 7 | T/ANOryA0uPgOCrADbys2/nTtAimgGjE+JbtvX0KGvuHkm7ZMUYVmLXVZlxVOHbI 8 | FTp3msKg+Aes/RbF/seUFp7YjyoPsvRPI/c4oWTl9I9YIjVEatsJJ1mGI6ypl/yN 9 | H9DxbOtmSfAdGOTJul2r/5ktyQyW4Ptf3s1a5ZkdFlqWX78W7aUWv/9SA91gGdEC 10 | KKbUxyVlOtosGJ0ZmRvj3f1locPVRj/wZiKFXkpm/irhQ1i0Rcm+u+EuEr6kE8gK 11 | Ffrs5Mm1EN894LA0U3bHxfiOEFHD5L9w89itiskfM3yhKhp3b/BzyUjNNFQMPZw7 12 | EnLBeYfPUKvABov2l2vHNERf0kAWrJ7Q2xnHCqIIaYuyU9wOr+Tjocj6qz8MMmOd 13 | /1dy33YpqPOFewzIEpUfAY7Van1F1wZMdE7jheRkgyygyhu/M4aeXObPIwARAQAB 14 | tCBRdWJlcyBPUyBSZWxlYXNlIDQuMiBTaWduaW5nIEtleYkCUQQTAQgAOxYhBJyI 15 | TfP4EGSlaaSp+uAi5Y+ONNifBQJjPD65AhsDBQsJCAcCAiICBhUKCQgLAgQWAgMB 16 | Ah4HAheAAAoJEOAi5Y+ONNifIdMQAImcs0f39sr3ZPcKEI33mBLqZYj62TiYz96B 17 | 0Q/QBlU5kcv4WnBb6KqNJV8e+0JZ4sC2LeGCkDs7z4M2+PC8MKTWEWaydGLn2ofQ 18 | jG3s5PYk7bwkg/G6m7hksRxrdNq38wX36Fm2AGjk6777wbJ/EFgD7/E9q9MhuXHh 19 | wrMuUhakEklpwir79EfSCv9vLW/54nT44CQzg58Z1j9i1FsunC0BIyVb29oVKfYU 20 | RY/KpfOyQ8pDI095Zcle0JpqIMOqER4gj9IC+KH7Em0YhmRpzC2OhX3YlAGSrrLL 21 | aToBF8gvNGz9vb1Al6fJ0SSv9HP8/o7XOfHRLud9ZynzCXaWkwENDNU7qI1NabsJ 22 | Leigz21VAvheAxJsCXEQKRnkWGti9sCf11VUNMIrKr92ptrnishIuBtOY1HcxQlo 23 | 8oEA5qLLpt3RHb8cJgGcuYTlG1IsCo7OAoLpJOXdVPTwPGIHqRM6Mo4TVZhWlywX 24 | 5ApK8/IePtyqBERAUXNSpg9IPMx1400FVerAuDo2X9AsyuLti5fLHYrQwq1XQ5IQ 25 | c3dEh4+I3aOMK8jOl0JnTXbv4YyC8P07QDHhfmjL+/+vStgZqeE0o6Qg9pXyzzII 26 | wFCUxrMg3v5/nh+gT5CYWVWHu2iOolD8eGQlek1ZFFKt+TycwWFcJ71lcZl71LK7 27 | RUA3lc/5 28 | =3ZMQ 29 | -----END PGP PUBLIC KEY BLOCK----- 30 | -------------------------------------------------------------------------------- /initrd/etc/distro/keys/qubes-weekly-builds-signing-key.asc: -------------------------------------------------------------------------------- 1 | -----BEGIN PGP PUBLIC KEY BLOCK----- 2 | 3 | mDMEZBCINxYJKwYBBAHaRw8BAQdA/xc8Ngu62T4TxbkpFo2e0qHjyNqH7fWlHRci 4 | wc5r34q0IlF1YmVzIE9TIFdlZWtseSBCdWlsZHMgU2lnbmluZyBLZXmIkwQTFgoA 5 | OxYhBJt+YdO7cMSxM1zltntyoRnMyle7BQJkEJClAhsDBQsJCAcCAiICBhUKCQgL 6 | AgQWAgMBAh4HAheAAAoJEHtyoRnMyle70NoA/3LIyLucEWgHcYWHyfjBM3rxxSfA 7 | HGj7Z1zXu5Ml/bZeAQCGT5clFt82smcPxpLkQxoIjTe4KemXw5UC0HEs0lChBQ== 8 | =RDvf 9 | -----END PGP PUBLIC KEY BLOCK----- 10 | -------------------------------------------------------------------------------- /initrd/etc/fstab: -------------------------------------------------------------------------------- 1 | devtmpfs /dev devtmpfs defaults 0 0 2 | devpts /dev/pts devpts defaults 0 0 3 | sysfs /sys sysfs defaults 0 0 4 | proc /proc proc defaults 0 0 5 | efivarfs /sys/firmware/efi/efivars efivarfs defaults 0 0 6 | -------------------------------------------------------------------------------- /initrd/etc/group: -------------------------------------------------------------------------------- 1 | root:x:0: 2 | -------------------------------------------------------------------------------- /initrd/etc/hosts: -------------------------------------------------------------------------------- 1 | 127.0.0.1 localhost 2 | -------------------------------------------------------------------------------- /initrd/etc/mke2fs.conf: -------------------------------------------------------------------------------- 1 | [defaults] 2 | base_features = sparse_super,large_file,filetype,resize_inode,dir_index,ext_attr 3 | default_mntopts = acl,user_xattr 4 | enable_periodic_fsck = 0 5 | blocksize = 4096 6 | inode_size = 256 7 | inode_ratio = 16384 8 | 9 | [fs_types] 10 | ext3 = { 11 | features = has_journal 12 | } 13 | ext4 = { 14 | features = has_journal,extent,huge_file,flex_bg,metadata_csum,metadata_csum_seed,64bit,dir_nlink,extra_isize,orphan_file 15 | } 16 | small = { 17 | blocksize = 1024 18 | inode_ratio = 4096 19 | } 20 | floppy = { 21 | blocksize = 1024 22 | inode_ratio = 8192 23 | } 24 | big = { 25 | inode_ratio = 32768 26 | } 27 | huge = { 28 | inode_ratio = 65536 29 | } 30 | news = { 31 | inode_ratio = 4096 32 | } 33 | largefile = { 34 | inode_ratio = 1048576 35 | blocksize = -1 36 | } 37 | largefile4 = { 38 | inode_ratio = 4194304 39 | blocksize = -1 40 | } 41 | hurd = { 42 | blocksize = 4096 43 | inode_size = 128 44 | warn_y2038_dates = 0 45 | } 46 | -------------------------------------------------------------------------------- /initrd/etc/motd: -------------------------------------------------------------------------------- 1 | _ _ _ 2 | | | | | ___ __ _ __| |___ 3 | | |_| |/ _ \/ _` |/ _` / __| 4 | | _ | __/ (_| | (_| \__ \ 5 | |_| |_|\___|\__,_|\__,_|___/ 6 | 7 | -------------------------------------------------------------------------------- /initrd/etc/mtab: -------------------------------------------------------------------------------- 1 | ../proc/self/mounts -------------------------------------------------------------------------------- /initrd/etc/passwd: -------------------------------------------------------------------------------- 1 | root:x:0:0:root:/:/bin/sh 2 | -------------------------------------------------------------------------------- /initrd/etc/shells: -------------------------------------------------------------------------------- 1 | /bin/sh 2 | /bin/ash 3 | /bin/bash 4 | -------------------------------------------------------------------------------- /initrd/mount-boot: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Extract the GPG signed dmsetup configuration from 3 | # the header of the file system, validate it against 4 | # the trusted key database, and execute it to mount 5 | # the /boot filesystem 6 | 7 | dev="$1" 8 | offset="$2" 9 | 10 | cmd=/tmp/mount-boot 11 | cmd_sig="$cmd.asc" 12 | 13 | if [ -z "$dev" ]; then 14 | dev=/dev/sda 15 | fi 16 | 17 | if [ -z "$offset" ]; then 18 | offset=256 19 | fi 20 | 21 | # 22 | # Find the size of the device 23 | # Is there a better way? 24 | # 25 | dev_size_file="/sys/class/block/`basename $dev`/size" 26 | if [ ! -r "$dev_size_file" ]; then 27 | echo >&2 '!!!!!' 28 | echo >&2 '!!!!! $dev file $dev_size_file not found' 29 | echo >&2 '!!!!! Dropping to recovery shell' 30 | echo >&2 '!!!!!' 31 | exit -1 32 | fi 33 | 34 | dev_blocks=`cat "$dev_size_file"` 35 | 36 | # 37 | # Extract the signed file from the hard disk image 38 | # 39 | if ! dd if="$dev" of="$cmd_sig" bs=512 skip="`expr $dev_blocks - 1`" > /dev/null 2>&1; then 40 | echo >&2 '!!!!!' 41 | echo >&2 '!!!!! Boot block extraction failed' 42 | echo >&2 '!!!!! Dropping to recovery shell' 43 | echo >&2 '!!!!!' 44 | exit -1 45 | fi 46 | 47 | # 48 | # Validate the file 49 | # 50 | if ! gpgv --keyring /trustedkeys.gpg "$cmd_sig"; then 51 | echo >&2 '!!!!!' 52 | echo >&2 '!!!!! GPG signature on block failed' 53 | echo >&2 '!!!!! Dropping to recovery shell' 54 | echo >&2 '!!!!!' 55 | exit -1 56 | fi 57 | 58 | # 59 | # Strip the PGP signature off the file 60 | # (too bad gpgv doesn't do this) 61 | # 62 | awk < "$cmd_sig" > "$cmd" ' 63 | /BEGIN PGP SIGNATURE/ { exit }; 64 | do_print {print}; 65 | /^$/ { do_print=1 }; 66 | ' 67 | 68 | # 69 | # And execute it! 70 | # 71 | sh -x "$cmd" 72 | -------------------------------------------------------------------------------- /initrd/run/cryptsetup/.placeholder: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/linuxboot/heads/9fabe7f26cacea874fac6502ddded564ee2f8af5/initrd/run/cryptsetup/.placeholder -------------------------------------------------------------------------------- /initrd/sbin/config-dhcp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # udhcpc script 4 | 5 | [ -z "$1" ] && echo "Error: should be called from udhcpc" && exit 1 6 | 7 | RESOLV_CONF="/etc/resolv.conf" 8 | [ -n "$broadcast" ] && BROADCAST="broadcast $broadcast" 9 | [ -n "$subnet" ] && NETMASK="netmask $subnet" 10 | 11 | case "$1" in 12 | deconfig) 13 | grep -q -v ip= /proc/cmdline 14 | if [ $? -eq 0 ]; then 15 | /sbin/ifconfig $interface up 16 | fi 17 | grep -q -v nfsroot= /proc/cmdline 18 | if [ $? -eq 0 ]; then 19 | /sbin/ifconfig $interface 0.0.0.0 20 | fi 21 | ;; 22 | 23 | renew|bound) 24 | /sbin/ifconfig $interface $ip $BROADCAST $NETMASK 25 | 26 | if [ -n "$router" ] ; then 27 | echo "deleting routers" 28 | while route del default gw 0.0.0.0 dev $interface ; do 29 | : 30 | done 31 | 32 | for i in $router ; do 33 | route add default gw $i dev $interface 34 | done 35 | fi 36 | 37 | echo -n > $RESOLV_CONF 38 | [ -n "$domain" ] && echo search $domain >> $RESOLV_CONF 39 | for i in $dns ; do 40 | echo adding dns $i 41 | echo nameserver $i >> $RESOLV_CONF 42 | done 43 | ;; 44 | esac 45 | 46 | exit 0 47 | -------------------------------------------------------------------------------- /install/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | -------------------------------------------------------------------------------- /modules/bash: -------------------------------------------------------------------------------- 1 | # GNU bash 2 | modules-$(CONFIG_BASH) += bash 3 | 4 | bash_version := 5.1.16 5 | bash_dir := bash-$(bash_version) 6 | bash_tar := bash-$(bash_version).tar.gz 7 | bash_url := https://ftpmirror.gnu.org/bash/$(bash_tar) 8 | bash_hash := 5bac17218d3911834520dad13cd1f85ab944e1c09ae1aba55906be1f8192f558 9 | 10 | # --enable-debugger: Enables BASH_SOURCE tracing through functions as well as 11 | # BASH_ARGV/BASH_ARGC. (Otherwise BASH_SOURCE[0] is empty when calling a 12 | # function, it's only set in top level script code.) 13 | bash_configure := CFLAGS="-g0 -Os" LDFLAGS="-s" ./configure \ 14 | $(CROSS_TOOLS) \ 15 | --host $(target) \ 16 | --prefix="/usr" \ 17 | --infodir=/usr/share/info \ 18 | --mandir=/usr/share/man \ 19 | --disable-coprocesses \ 20 | --disable-net-redirections \ 21 | --disable-nls \ 22 | --enable-debugger \ 23 | --enable-largefile \ 24 | --enable-readline \ 25 | --enable-single-help-strings \ 26 | --without-bash-malloc 27 | 28 | bash_target := $(MAKE_JOBS) \ 29 | && $(MAKE) -C $(build)/$(bash_dir) \ 30 | DESTDIR="$(INSTALL)" \ 31 | install \ 32 | 33 | bash_output := bash 34 | 35 | bash_depends := $(musl_dep) 36 | -------------------------------------------------------------------------------- /modules/busybox: -------------------------------------------------------------------------------- 1 | # Busybox is always included, unless explicitly turned off 2 | CONFIG_BUSYBOX ?= y 3 | modules-$(CONFIG_BUSYBOX) += busybox 4 | 5 | busybox_version := 1.36.1 6 | busybox_dir := busybox-$(busybox_version) 7 | busybox_tar := busybox-$(busybox_version).tar.bz2 8 | busybox_url := https://busybox.net/downloads/$(busybox_tar) 9 | busybox_hash := b8cc24c9574d809e7279c3be349795c5d5ceb6fdf19ca709f80cde50e47de314 10 | 11 | busybox_configure := $(MAKE) CC="$(heads_cc)" oldconfig 12 | busybox_config := config/busybox.config 13 | busybox_output := busybox 14 | busybox_target := \ 15 | $(CROSS_TOOLS) \ 16 | $(MAKE_JOBS) \ 17 | 18 | # Install symlinks when the busybox program is installed 19 | 20 | ifeq "$(CONFIG_BUSYBOX)" "y" 21 | initrd_bins += $(initrd_bin_dir)/busybox 22 | endif 23 | 24 | $(initrd_bin_dir)/busybox: $(build)/$(busybox_dir)/.build 25 | $(call do,SYMLINK,bin/busybox,\ 26 | $(MAKE) \ 27 | -C $(build)/$(busybox_dir) \ 28 | CC="$(heads_cc)" \ 29 | CROSS_COMPILE="$(CROSS)" \ 30 | CONFIG_PREFIX="$(initrd_bin_dir)/.." \ 31 | install \ 32 | | tee -a $(build)/log/busybox.log \ 33 | $(VERBOSE_REDIRECT) \ 34 | ) 35 | @touch $< # ensure that our build file is still newer 36 | 37 | 38 | busybox_depends := $(musl_dep) 39 | -------------------------------------------------------------------------------- /modules/cairo: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_CAIRO) += cairo 2 | 3 | cairo_version := 1.14.12 4 | cairo_dir := cairo-$(cairo_version) 5 | cairo_tar := cairo-$(cairo_version).tar.xz 6 | cairo_url := https://www.cairographics.org/releases/$(cairo_tar) 7 | cairo_hash := 8c90f00c500b2299c0a323dd9beead2a00353752b2092ead558139bd67f7bf16 8 | 9 | cairo_configure := \ 10 | CFLAGS="-DCAIRO_NO_MUTEX=1 -Os" \ 11 | $(CROSS_TOOLS) \ 12 | ./configure \ 13 | --host $(MUSL_ARCH)-elf-linux \ 14 | --prefix="/" \ 15 | --disable-fc \ 16 | --disable-ft \ 17 | --disable-gobject \ 18 | --disable-pdf \ 19 | --disable-ps \ 20 | --disable-pthread \ 21 | --disable-script \ 22 | --disable-svg \ 23 | --disable-xcb \ 24 | --disable-xlib \ 25 | && sed \ 26 | -e 's/^hardcode_libdir_flag_spec.*/hardcode_libdir_flag_spec=" -D__LIBTOOL_RPATH_DISABLE__ "/' \ 27 | < libtool \ 28 | > libtool-2 \ 29 | && mv libtool-2 libtool \ 30 | && chmod 755 libtool 31 | 32 | cairo_target := \ 33 | $(MAKE_JOBS) \ 34 | $(CROSS_TOOLS) \ 35 | DESTDIR="$(INSTALL)" \ 36 | install 37 | 38 | cairo_libraries := src/.libs/libcairo.so.2 39 | 40 | cairo_depends := pixman $(musl_dep) 41 | -------------------------------------------------------------------------------- /modules/coreboot-blobs: -------------------------------------------------------------------------------- 1 | # empty placeholder file 2 | # This submodule is defined in modules/coreboot if necessary 3 | -------------------------------------------------------------------------------- /modules/cryptsetup: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_CRYPTSETUP) += cryptsetup 2 | 3 | cryptsetup_depends := util-linux popt lvm2 $(musl_dep) 4 | 5 | cryptsetup_version := 1.7.3 6 | cryptsetup_dir := cryptsetup-$(cryptsetup_version) 7 | cryptsetup_tar := cryptsetup-$(cryptsetup_version).tar.xz 8 | cryptsetup_url := https://www.kernel.org/pub/linux/utils/cryptsetup/v1.7/cryptsetup-$(cryptsetup_version).tar.xz 9 | cryptsetup_hash := af2b04e8475cf40b8d9ffd97a1acfa73aa787c890430afd89804fb544d6adc02 10 | 11 | # Use an empty prefix so that the executables will not include the 12 | # build path. 13 | cryptsetup_configure := \ 14 | $(CROSS_TOOLS) \ 15 | CFLAGS="-Os" \ 16 | ./configure \ 17 | --host $(MUSL_ARCH)-elf-linux \ 18 | --prefix "/" \ 19 | --disable-gcrypt-pbkdf2 \ 20 | --enable-cryptsetup-reencrypt \ 21 | --with-crypto_backend=kernel \ 22 | 23 | # but after building, replace prefix so that they will be installed 24 | # in the correct directory. 25 | cryptsetup_target := \ 26 | $(MAKE_JOBS) \ 27 | && $(MAKE) \ 28 | -C $(build)/$(cryptsetup_dir) \ 29 | prefix="$(INSTALL)" \ 30 | install 31 | 32 | cryptsetup_output := \ 33 | src/.libs/cryptsetup \ 34 | src/.libs/cryptsetup-reencrypt \ 35 | src/.libs/veritysetup \ 36 | 37 | cryptsetup_libraries := \ 38 | lib/.libs/libcryptsetup.so.4 \ 39 | 40 | -------------------------------------------------------------------------------- /modules/cryptsetup2: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_CRYPTSETUP2) += cryptsetup2 2 | 3 | cryptsetup2_depends := util-linux popt lvm2 json-c $(musl_dep) 4 | 5 | cryptsetup2_version := 2.6.1 6 | cryptsetup2_dir := cryptsetup-$(cryptsetup2_version) 7 | cryptsetup2_tar := cryptsetup-$(cryptsetup2_version).tar.xz 8 | cryptsetup2_url := https://www.kernel.org/pub/linux/utils/cryptsetup/v2.6/cryptsetup-$(cryptsetup2_version).tar.xz 9 | cryptsetup2_hash := 410ded65a1072ab9c8e41added37b9729c087fef4d2db02bb4ef529ad6da4693 10 | 11 | # Use an empty prefix so that the executables will not include the 12 | # build path. 13 | cryptsetup2_configure := \ 14 | $(CROSS_TOOLS) \ 15 | CFLAGS="-Os" \ 16 | ./configure \ 17 | --host $(MUSL_ARCH)-elf-linux \ 18 | --prefix "/" \ 19 | --enable-internal-sse-argon2 \ 20 | --disable-rpath \ 21 | --disable-gcrypt-pbkdf2 \ 22 | --disable-ssh-token \ 23 | --disable-asciidoc \ 24 | --disable-nls \ 25 | --disable-selinux \ 26 | --disable-udev \ 27 | --disable-external-tokens \ 28 | --with-crypto_backend=kernel \ 29 | --with-tmpfilesdir=$(INSTALL)/lib/tmpfiles.d 30 | 31 | # but after building, replace prefix so that they will be installed 32 | # in the correct directory. 33 | cryptsetup2_target := \ 34 | $(MAKE_JOBS) \ 35 | && $(MAKE) \ 36 | -C $(build)/$(cryptsetup2_dir) \ 37 | prefix="$(INSTALL)" \ 38 | install 39 | 40 | cryptsetup2_output := \ 41 | .libs/cryptsetup \ 42 | .libs/veritysetup \ 43 | 44 | cryptsetup2_libraries := \ 45 | .libs/libcryptsetup.so.12 \ 46 | 47 | -------------------------------------------------------------------------------- /modules/dropbear: -------------------------------------------------------------------------------- 1 | # dropbear is a tiny ssh client 2 | modules-$(CONFIG_DROPBEAR) += dropbear 3 | 4 | dropbear_version := 2016.74 5 | dropbear_dir := dropbear-$(dropbear_version) 6 | dropbear_tar := dropbear-$(dropbear_version).tar.bz2 7 | dropbear_url := https://mirror.dropbear.nl/mirror/releases/$(dropbear_tar) 8 | dropbear_hash := 2720ea54ed009af812701bcc290a2a601d5c107d12993e5d92c0f5f81f718891 9 | 10 | dropbear_configure := ./configure \ 11 | $(CROSS_TOOLS) \ 12 | --host $(MUSL_ARCH)-elf-linux \ 13 | --prefix "/" \ 14 | --disable-lastlog \ 15 | --disable-syslog \ 16 | --disable-utmp \ 17 | --disable-utmpx \ 18 | --disable-wtmp \ 19 | --disable-wtmpx \ 20 | 21 | dropbear_output := ssh scp dropbear 22 | dropbear_target := \ 23 | $(MAKE_JOBS) \ 24 | $(CROSS_TOOLS) \ 25 | DESTDIR="$(INSTALL)" \ 26 | dbclient scp dropbear \ 27 | && \ 28 | cp -a $(build)/$(dropbear_dir)/dbclient $(build)/$(dropbear_dir)/ssh 29 | 30 | dropbear_depends := zlib $(musl_dep) 31 | -------------------------------------------------------------------------------- /modules/e2fsprogs: -------------------------------------------------------------------------------- 1 | #Module is included unless defined in board to "n" 2 | CONFIG_E2FSPROGS ?= y 3 | modules-$(CONFIG_E2FSPROGS) += e2fsprogs 4 | 5 | e2fsprogs_version := 1.47.0 6 | e2fsprogs_dir := e2fsprogs-$(e2fsprogs_version) 7 | e2fsprogs_tar := e2fsprogs-$(e2fsprogs_version).tar.xz 8 | e2fsprogs_url := https://mirrors.edge.kernel.org/pub/linux/kernel/people/tytso/e2fsprogs/v$(e2fsprogs_version)/$(e2fsprogs_tar) 9 | e2fsprogs_hash := 144af53f2bbd921cef6f8bea88bb9faddca865da3fbc657cc9b4d2001097d5db 10 | 11 | # For reproducibility reasons we have to override the exec_prefix 12 | # and datarootdir on the configure line so that the Makefiles will 13 | # be generated with the correct paths, but then re-write them when 14 | # we use the install target so that they will be copied to the correct 15 | # location. 16 | e2fsprogs_configure := \ 17 | $(CROSS_TOOLS) \ 18 | CFLAGS="-Os" \ 19 | ./configure \ 20 | --host $(MUSL_ARCH)-linux-musl \ 21 | --prefix "" \ 22 | --libexecdir "/bin" \ 23 | 24 | # Run one build to generate the executables with the pre-defined 25 | # exec_prefix and datarootdir, then a second make to install the binaries 26 | # into our actual target location 27 | e2fsprogs_target := $(MAKE_JOBS) \ 28 | && $(MAKE) -C $(build)/$(e2fsprogs_dir) \ 29 | DESTDIR="$(INSTALL)" \ 30 | install 31 | 32 | e2fsprogs_output := misc/mke2fs 33 | 34 | e2fsprogs_depends := $(musl_dep) 35 | -------------------------------------------------------------------------------- /modules/exfatprogs: -------------------------------------------------------------------------------- 1 | #Module is included unless defined in board to "n" 2 | CONFIG_EXFATPROGS ?= y 3 | modules-$(CONFIG_EXFATPROGS) += exfatprogs 4 | 5 | exfatprogs_version := 1.2.1 6 | exfatprogs_dir := exfatprogs-$(exfatprogs_version) 7 | exfatprogs_tar := exfatprogs-$(exfatprogs_version).tar.xz 8 | exfatprogs_url := https://github.com/exfatprogs/exfatprogs/releases/download/$(exfatprogs_version)/$(exfatprogs_tar) 9 | exfatprogs_hash := a6f3b1fb4bd37835c8f8cb421aac4eb75b880a51342b29850c4063973162227b 10 | 11 | # For reproducibility reasons we have to override the exec_prefix 12 | # and datarootdir on the configure line so that the Makefiles will 13 | # be generated with the correct paths, but then re-write them when 14 | # we use the install target so that they will be copied to the correct 15 | # location. 16 | exfatprogs_configure := \ 17 | $(CROSS_TOOLS) \ 18 | CFLAGS="-Os" \ 19 | ./configure \ 20 | --host $(MUSL_ARCH)-linux-musl \ 21 | --prefix "" \ 22 | --libexecdir "/bin" \ 23 | 24 | # Run one build to generate the executables with the pre-defined 25 | # exec_prefix and datarootdir, then a second make to install the binaries 26 | # into our actual target location 27 | exfatprogs_target := $(MAKE_JOBS) \ 28 | && $(MAKE) -C $(build)/$(exfatprogs_dir) \ 29 | DESTDIR="$(INSTALL)" \ 30 | install 31 | 32 | exfatprogs_output := fsck/fsck.exfat mkfs/mkfs.exfat 33 | 34 | exfatprogs_depends := $(musl_dep) 35 | -------------------------------------------------------------------------------- /modules/fbwhiptail: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_FBWHIPTAIL) += fbwhiptail 2 | 3 | fbwhiptail_depends := cairo $(musl_dep) 4 | 5 | fbwhiptail_version := 1.3 6 | fbwhiptail_dir := fbwhiptail-$(fbwhiptail_version) 7 | fbwhiptail_tar := fbwhiptail-$(fbwhiptail_version).tar.gz 8 | fbwhiptail_url := https://source.puri.sm/firmware/fbwhiptail/-/archive/$(fbwhiptail_version)/fbwhiptail-$(fbwhiptail_version).tar.gz 9 | fbwhiptail_hash := 2eb8fadfd3e2d574de52327bbc80ed6313739a3db9f4d87840c534352c66df5a 10 | 11 | fbwhiptail_target := \ 12 | $(MAKE_JOBS) \ 13 | CFLAGS="-g0 -Os" \ 14 | LDFLAGS="-s" \ 15 | $(CROSS_TOOLS) \ 16 | fbwhiptail 17 | 18 | fbwhiptail_output := \ 19 | fbwhiptail whiptail 20 | -------------------------------------------------------------------------------- /modules/flashprog: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_FLASHPROG) += flashprog 2 | 3 | flashprog_depends := pciutils $(musl_dep) 4 | 5 | flashprog_version := eb2c04185f8f471c768b742d66e4c552effdd9cb 6 | flashprog_dir := flashprog-$(flashprog_version) 7 | flashprog_tar := $(flashprog_dir).tar.gz 8 | flashprog_url := https://github.com/SourceArcade/flashprog/archive/$(flashprog_version).tar.gz 9 | flashprog_hash := 0d4186be9f2088d624a9a708c352d0dfafa2264e1436b11ec3cc1a350fd45a77 10 | 11 | # Default options for flashprog 12 | flashprog_cfg := \ 13 | WARNERROR=no \ 14 | CONFIG_NOTHING=yes \ 15 | CONFIG_INTERNAL=yes \ 16 | CONFIG_INTERNAL_X86=yes \ 17 | 18 | ifeq "$(CONFIG_TARGET_ARCH)" "ppc64" 19 | flashprog_cfg := \ 20 | WARNERROR=no \ 21 | CONFIG_NOTHING=yes \ 22 | CONFIG_LINUX_MTD=yes 23 | endif 24 | 25 | #Only enable AST1100 if requested per board configs 26 | ifeq "$(CONFIG_FLASHPROG_AST1100)" "y" 27 | flashprog_cfg += CONFIG_AST1100=yes 28 | endif 29 | 30 | flashprog_target := \ 31 | $(MAKE_JOBS) \ 32 | CFLAGS="-Os -I$(INSTALL)/include/pci" \ 33 | DESTDIR="$(INSTALL)" \ 34 | INSTALL="$(INSTALL)" \ 35 | LDFLAGS="-L$(INSTALL)/lib" \ 36 | PREFIX="$(INSTALL)" \ 37 | $(CROSS_TOOLS) \ 38 | $(flashprog_cfg) \ 39 | flashprog 40 | 41 | flashprog_output := \ 42 | flashprog 43 | 44 | flashprog_libraries := \ 45 | 46 | flashprog_configure := 47 | -------------------------------------------------------------------------------- /modules/flashrom: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_FLASHROM) += flashrom 2 | 3 | flashrom_depends := pciutils $(musl_dep) 4 | 5 | flashrom_version := 1776bb46ba6ea3d1ab2ec3f0cd88158aabed7400 6 | flashrom_dir := flashrom-$(flashrom_version) 7 | flashrom_tar := $(flashrom_dir).tar.gz 8 | flashrom_url := https://github.com/flashrom/flashrom/archive/$(flashrom_version).tar.gz 9 | flashrom_hash := 65e262ca4428a0ceddd73f481ed0d8444393b73a78469f266a4457dfc834ecb7 10 | 11 | # Default options for flashrom 12 | flashrom_cfg := \ 13 | WARNERROR=no \ 14 | CONFIG_NOTHING=yes \ 15 | CONFIG_INTERNAL=yes \ 16 | CONFIG_INTERNAL_X86=yes \ 17 | 18 | ifeq "$(CONFIG_TARGET_ARCH)" "ppc64" 19 | flashrom_cfg := \ 20 | WARNERROR=no \ 21 | CONFIG_NOTHING=yes \ 22 | CONFIG_LINUX_MTD=yes 23 | endif 24 | 25 | #Only enable AST1100 if requested per board configs 26 | ifeq "$(CONFIG_FLASHROM_AST1100)" "y" 27 | flashrom_cfg += CONFIG_AST1100=yes 28 | endif 29 | 30 | flashrom_target := \ 31 | $(MAKE_JOBS) \ 32 | CFLAGS="-Os -I$(INSTALL)/include/pci" \ 33 | DESTDIR="$(INSTALL)" \ 34 | INSTALL="$(INSTALL)" \ 35 | LDFLAGS="-L$(INSTALL)/lib" \ 36 | PREFIX="$(INSTALL)" \ 37 | $(CROSS_TOOLS) \ 38 | $(flashrom_cfg) \ 39 | flashrom 40 | 41 | flashrom_output := \ 42 | flashrom 43 | 44 | flashrom_libraries := \ 45 | 46 | flashrom_configure := 47 | -------------------------------------------------------------------------------- /modules/flashtools: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_FLASHTOOLS) += flashtools 2 | 3 | flashtools_depends := $(musl_dep) 4 | 5 | flashtools_version := d1e6f12568cb23387144a4b7a6535fe1bc1e79b1 6 | flashtools_dir := flashtools-$(flashtools_version) 7 | flashtools_tar := flashtools-$(flashtools_version).tar.gz 8 | flashtools_url := https://github.com/osresearch/flashtools/archive/$(flashtools_version).tar.gz 9 | flashtools_hash := a68cdb4a2e312f96862119a6d829ac900b53d0cbc80caa5632efd43b5b7eed6c 10 | 11 | flashtools_target := \ 12 | $(CROSS_TOOLS) \ 13 | $(MAKE_JOBS) \ 14 | CFLAGS="-Os -I$(INSTALL)/include" \ 15 | LDFLAGS="-L$(INSTALL)/lib" \ 16 | 17 | flashtools_output := \ 18 | flashtool \ 19 | peek \ 20 | poke \ 21 | cbfs \ 22 | uefi \ 23 | 24 | ifeq "$(CONFIG_TARGET_ARCH)" "ppc64" 25 | flashtools_output += pnor 26 | endif 27 | 28 | flashtools_libraries := \ 29 | 30 | flashtools_configure := 31 | -------------------------------------------------------------------------------- /modules/frotz: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_FROTZ) += frotz 2 | 3 | frotz_version := 2.44 4 | frotz_dir := frotz-$(frotz_version) 5 | frotz_tar := frotz-$(frotz_version).tar.gz 6 | frotz_url := https://github.com/DavidGriffith/frotz/archive/$(frotz_version).tar.gz 7 | frotz_hash := dbb5eb3bc95275dcb984c4bdbaea58bc1f1b085b20092ce6e86d9f0bf3ba858f 8 | 9 | frotz_configure := touch .config 10 | 11 | frotz_target := \ 12 | $(MAKE_JOBS) \ 13 | $(CROSS_TOOLS) \ 14 | dumb && \ 15 | mv $(build)/$(frotz_dir)/dfrotz $(build)/$(frotz_dir)/frotz 16 | 17 | frotz_output := frotz 18 | 19 | frotz_depends := $(musl_dep) 20 | -------------------------------------------------------------------------------- /modules/gpg: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_GPG) += gpg 2 | 3 | # we install gpgv 1.4, which is an older version that has fewer 4 | # dependencies. This may need to be revisted later. 5 | gpg_version := 1.4.21 6 | gpg_dir := gnupg-$(gpg_version) 7 | gpg_tar := gnupg-$(gpg_version).tar.bz2 8 | gpg_url := https://www.gnupg.org/ftp/gcrypt/gnupg/$(gpg_tar) 9 | gpg_hash := 6b47a3100c857dcab3c60e6152e56a997f2c7862c1b8b2b25adf3884a1ae2276 10 | 11 | # For reproducibility reasons we have to override the exec_prefix 12 | # and datarootdir on the configure line so that the Makefiles will 13 | # be generated with the correct paths, but then re-write them when 14 | # we use the install target so that they will be copied to the correct 15 | # location. 16 | # 17 | # Force a different host/build setting so that it detects a cross compile. 18 | # Otherwise it wil try to run tests. 19 | # 20 | gpg_configure := \ 21 | CFLAGS="-Os" \ 22 | $(CROSS_TOOLS) \ 23 | ./configure \ 24 | --build $(MUSL_ARCH)-elf-linux \ 25 | --host $(MUSL_ARCH)-linux-musl \ 26 | --prefix "/" \ 27 | --disable-asm \ 28 | --disable-bzip2 \ 29 | --disable-dns-cert \ 30 | --disable-dns-srv \ 31 | --disable-exec \ 32 | --disable-finger \ 33 | --disable-hkp \ 34 | --disable-keyserver-helpers \ 35 | --disable-ldap \ 36 | --disable-photo-viewers \ 37 | --disable-regex \ 38 | --enable-card-support \ 39 | --with-libusb="$(INSTALL)" \ 40 | 41 | # Run one build to generate the executables with the pre-defined 42 | # exec_prefix and datarootdir, then a second make to install the binaries 43 | # into our actual target location 44 | gpg_target := $(MAKE_JOBS) \ 45 | && $(MAKE) -C $(build)/$(gpg_dir) \ 46 | DESTDIR="$(INSTALL)" \ 47 | install 48 | 49 | gpg_output := g10/gpg 50 | 51 | gpg_depends := libusb-compat $(musl_dep) 52 | -------------------------------------------------------------------------------- /modules/hidapi: -------------------------------------------------------------------------------- 1 | # empty placeholder file 2 | # This submodule is defined in modules/hotp-verification 3 | -------------------------------------------------------------------------------- /modules/io386: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_IO386) += io386 2 | 3 | io386_depends := $(musl_dep) 4 | 5 | io386_version := fc73fcf8e51a70638679c3e9b0ada10527f8a7c1 6 | io386_dir := io386-$(io386_version) 7 | io386_tar := io386-$(io386_version).tar.gz 8 | io386_url := https://github.com/hardenedlinux/io386/archive/$(io386_version).tar.gz 9 | io386_hash := 874898af57d86dc057cea39b4a7e0621fc64aa4fb777dfb1eeb11e9134bc9a06 10 | 11 | io386_target := \ 12 | $(MAKE_JOBS) \ 13 | $(CROSS_TOOLS) \ 14 | CFLAGS="-Os" \ 15 | SHARED=yes \ 16 | PREFIX="/" \ 17 | && \ 18 | $(MAKE) \ 19 | -C $(build)/$(io386_dir) \ 20 | $(CROSS_TOOLS) \ 21 | SHARED=yes \ 22 | PREFIX="/" \ 23 | DESTDIR="$(INSTALL)" \ 24 | install \ 25 | 26 | io386_output := \ 27 | io386 28 | 29 | io386_libraries := 30 | 31 | io386_configure := 32 | -------------------------------------------------------------------------------- /modules/ioport: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_IOPORT) += ioport 2 | 3 | ioport_version := 1.2.orig 4 | ioport_dir := ioport-$(ioport_version) 5 | ioport_tar := ioport_$(ioport_version).tar.gz 6 | ioport_url := https://deb.debian.org/debian/pool/main/i/ioport/$(ioport_tar) 7 | ioport_hash := 7fac1c4b61eb9411275de0e1e7d7a8c3f34166f64f16413f50741e8fce2b8dc0 8 | 9 | ioport_configure := CFLAGS=-Os ./configure \ 10 | $(CROSS_TOOLS) \ 11 | --host i386-elf-linux \ 12 | --prefix "/" \ 13 | 14 | ioport_target := \ 15 | $(MAKE_JOBS) $(CROSS_TOOLS) inb && \ 16 | $(MAKE) -C "$(build)/$(ioport_dir)" all-local 17 | 18 | ioport_output := \ 19 | inb \ 20 | outb 21 | 22 | ioport_depends := $(musl_dep) 23 | -------------------------------------------------------------------------------- /modules/json-c: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_CRYPTSETUP2) += json-c 2 | 3 | json-c_version := 0.14 4 | json-c_dir := json-c-$(json-c_version) 5 | json-c_tar := json-c-$(json-c_version).tar.gz 6 | json-c_url := https://s3.amazonaws.com/json-c_releases/releases/json-c-$(json-c_version)-nodoc.tar.gz 7 | json-c_hash := 99914e644a25201d82ccefa20430f7515c110923360f9ef46755527c02412afa 8 | 9 | # there is a bug in cmake-configure so that it can not be used with a "=", fxed in next 10 | # release though (then it needs to read '--prefix="$(INSTALL)"' here instead 11 | define toolchain_file = 12 | set\(CMAKE_SYSTEM_NAME Linux\)\n\ 13 | set\(CMAKE_SYSROOT $(INSTALL)\)\n\ 14 | set\(CMAKE_C_COMPILER $(CROSS)gcc\)\n\ 15 | set\(CMAKE_AR $(CROSS)ar\)\n\ 16 | set\(CMAKE_LINKER $(CROSS)ld\)\n\ 17 | set\(CMAKE_NM $(CROSS)nm\)\n\ 18 | set\(CMAKE_OBJCOPY $(CROSS)objcopy\)\n\ 19 | set\(CMAKE_OBJDUMP $(CROSS)objdump\)\n\ 20 | set\(INSTALL_PKGCONFIG_DIR $(INSTALL)/lib/pkgconfig\)\n\ 21 | set\(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER\)\n\ 22 | set\(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY\)\n\ 23 | set\(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY\)\n\ 24 | set\(CMAKE_FIND_ROOT_PATH_MODE_PACKAGE ONLY\) 25 | endef 26 | 27 | json-c_configure := \ 28 | echo -e "$(toolchain_file)" | sed 's/\\//g' > toolchain && \ 29 | mkdir -p build && \ 30 | cd build && \ 31 | cmake .. -DCMAKE_INSTALL_PREFIX="$(INSTALL)" -DCMAKE_TOOLCHAIN_FILE=../toolchain -DCMAKE_BUILD_TYPE=minsizerel 32 | 33 | json-c_target := \ 34 | $(CROSS_TOOLS) $(MAKE_JOBS) -C $(build)/$(json-c_dir)/build \ 35 | all install 36 | 37 | json-c_libraries := build/libjson-c.so.5 38 | -------------------------------------------------------------------------------- /modules/kbd: -------------------------------------------------------------------------------- 1 | # kbd: Linux keyboard tools 2 | # 3 | # Provides: 4 | # - setfont - set the Linux console font 5 | # - loadkeys - load a key map for the Linux console (CONFIG_KBD_LOADKEYS) 6 | # 7 | # To also provide showkey and dumpkeys (normally only needed for development), 8 | # set CONFIG_KBD_DEVTOOLS=y. 9 | modules-$(CONFIG_KBD) += kbd 10 | 11 | kbd_version := 2.6.1 12 | kbd_dir := kbd-$(kbd_version) 13 | kbd_tar := kbd-$(kbd_version).tar.gz 14 | kbd_url := https://www.kernel.org/pub/linux/utils/kbd/$(kbd_tar) 15 | kbd_hash := aaed530a1490d63d041448372e2ad4f38c3179042903251000b71d527c46e945 16 | 17 | kbd_configure := CFLAGS=-Os ./configure \ 18 | $(CROSS_TOOLS) \ 19 | --host i386-elf-linux \ 20 | --prefix "" \ 21 | --disable-libkeymap \ 22 | --disable-libkfont \ 23 | --disable-optional-progs \ 24 | --disable-vlock \ 25 | 26 | kbd_target := \ 27 | $(MAKE_JOBS) $(CROSS_TOOLS) 28 | 29 | kbd_output := \ 30 | src/setfont 31 | 32 | ifeq "$(CONFIG_KBD_LOADKEYS)" "y" 33 | kbd_output += src/loadkeys 34 | endif 35 | 36 | ifeq "$(CONFIG_KBD_EXTRATOOLS)" "y" 37 | kbd_output += src/showkey src/dumpkeys 38 | endif 39 | 40 | kbd_depends := $(musl_dep) 41 | 42 | kbd_data += \ 43 | $(build)/$(kbd_dir)/data/keymaps|usr/lib/kbd/keymaps 44 | -------------------------------------------------------------------------------- /modules/kexec: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_KEXEC) += kexec 2 | 3 | kexec_version := 2.0.26 4 | kexec_dir := kexec-tools-$(kexec_version) 5 | kexec_tar := kexec-tools-$(kexec_version).tar.gz 6 | kexec_url := https://kernel.org/pub/linux/utils/kernel/kexec/$(kexec_tar) 7 | kexec_hash := 89bdd941542c64fec16311858df304ed3a3908c1a60874d69df5d9bf1611e062 8 | 9 | kexec_configure := \ 10 | CFLAGS="-g -Os -fno-strict-aliasing -Wall -Wstrict-prototypes" \ 11 | ./configure \ 12 | $(CROSS_TOOLS) \ 13 | --host $(MUSL_ARCH)-elf-linux \ 14 | --target $(MUSL_ARCH) \ 15 | --prefix="/" \ 16 | --without-lzma \ 17 | && $(MAKE) clean 18 | 19 | kexec_target := \ 20 | $(MAKE_JOBS) \ 21 | $(CROSS_TOOLS) \ 22 | DESTDIR="$(INSTALL)" \ 23 | install \ 24 | 25 | kexec_output := build/sbin/kexec 26 | 27 | kexec_depends := zlib $(musl_dep) 28 | -------------------------------------------------------------------------------- /modules/libaio: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_LVM2) += libaio 2 | 3 | libaio_version := 0.3.113 4 | libaio_dir := libaio-$(libaio_version) 5 | libaio_tar := libaio_$(libaio_version).orig.tar.gz 6 | libaio_url := https://deb.debian.org/debian/pool/main/liba/libaio/$(libaio_tar) 7 | libaio_hash := 2c44d1c5fd0d43752287c9ae1eb9c023f04ef848ea8d4aafa46e9aedb678200b 8 | 9 | libaio_target := \ 10 | DESTDIR="$(INSTALL)" \ 11 | prefix="/" \ 12 | $(CROSS_TOOLS) \ 13 | install \ 14 | && mv $(build)/$(libaio_dir)/src/libaio.so.1.0.2 $(build)/$(libaio_dir)/src/libaio.so.1 \ 15 | 16 | libaio_libraries:= src/libaio.so.1 17 | 18 | libaio_depends := $(musl_dep) 19 | 20 | -------------------------------------------------------------------------------- /modules/libassuan: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_GPG2) += libassuan 2 | 3 | libassuan_version := 2.5.5 4 | libassuan_dir := libassuan-$(libassuan_version) 5 | libassuan_tar := libassuan-$(libassuan_version).tar.bz2 6 | libassuan_url := https://gnupg.org/ftp/gcrypt/libassuan/$(libassuan_tar) 7 | libassuan_hash := 8e8c2fcc982f9ca67dcbb1d95e2dc746b1739a4668bc20b3a3c5be632edb34e4 8 | 9 | libassuan_configure := \ 10 | CFLAGS="-Os" \ 11 | $(CROSS_TOOLS) \ 12 | ./configure \ 13 | --host $(MUSL_ARCH)-linux-musl \ 14 | --prefix "/" \ 15 | --disable-doc \ 16 | --disable-static \ 17 | --with-gpg-error-prefix="$(INSTALL)" \ 18 | 19 | libassuan_target := $(MAKE_JOBS) \ 20 | DESTDIR="$(INSTALL)" \ 21 | $(CROSS_TOOLS) \ 22 | install \ 23 | 24 | libassuan_libraries := src/.libs/libassuan.so.0 25 | 26 | libassuan_depends := libgpg-error $(musl_dep) 27 | -------------------------------------------------------------------------------- /modules/libgcrypt: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_GPG2) += libgcrypt 2 | 3 | libgcrypt_version := 1.10.1 4 | libgcrypt_dir := libgcrypt-$(libgcrypt_version) 5 | libgcrypt_tar := libgcrypt-$(libgcrypt_version).tar.bz2 6 | libgcrypt_url := https://gnupg.org/ftp/gcrypt/libgcrypt/$(libgcrypt_tar) 7 | libgcrypt_hash := ef14ae546b0084cd84259f61a55e07a38c3b53afc0f546bffcef2f01baffe9de 8 | 9 | libgcrypt_configure := \ 10 | $(CROSS_TOOLS) \ 11 | CFLAGS="-Os" \ 12 | ./configure \ 13 | --host=$(MUSL_ARCH)-linux-musl \ 14 | --prefix "/" \ 15 | --disable-doc \ 16 | --disable-static \ 17 | --with-gpg-error-prefix="$(INSTALL)" \ 18 | 19 | libgcrypt_target := $(MAKE_JOBS) \ 20 | DESTDIR="$(INSTALL)" \ 21 | $(CROSS_TOOLS) \ 22 | install \ 23 | 24 | libgcrypt_libraries := src/.libs/libgcrypt.so.20 25 | 26 | libgcrypt_depends := libgpg-error $(musl_dep) 27 | -------------------------------------------------------------------------------- /modules/libgpg-error: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_GPG2) += libgpg-error 2 | 3 | libgpg-error_version := 1.46 4 | libgpg-error_dir := libgpg-error-$(libgpg-error_version) 5 | libgpg-error_tar := libgpg-error-$(libgpg-error_version).tar.bz2 6 | libgpg-error_url := https://gnupg.org/ftp/gcrypt/libgpg-error/$(libgpg-error_tar) 7 | libgpg-error_hash := b7e11a64246bbe5ef37748de43b245abd72cfcd53c9ae5e7fc5ca59f1c81268d 8 | 9 | libgpg-error_configure := \ 10 | $(CROSS_TOOLS) \ 11 | CFLAGS="-Os" \ 12 | ./configure \ 13 | --host=$(MUSL_ARCH)-linux-musl \ 14 | --prefix "/" \ 15 | --disable-doc \ 16 | --disable-languages \ 17 | --disable-nls \ 18 | --disable-static \ 19 | --disable-tests \ 20 | --enable-install-gpg-error-config \ 21 | 22 | libgpg-error_target := $(MAKE_JOBS) \ 23 | DESTDIR="$(INSTALL)" \ 24 | $(CROSS_TOOLS) \ 25 | install \ 26 | 27 | libgpg-error_libraries := src/.libs/libgpg-error.so.0 28 | 29 | libgpg-error_depends := $(musl_dep) 30 | -------------------------------------------------------------------------------- /modules/libhidapi-libusb: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_NKSTORECLI) += libhidapi-libusb 2 | 3 | libhidapi-libusb_depends += libusb 4 | 5 | libhidapi-libusb_version := 0.9.0 6 | libhidapi-libusb_dir := hidapi-hidapi-$(libhidapi-libusb_version) 7 | libhidapi-libusb_tar := hidapi-$(libhidapi-libusb_version).tar.gz 8 | libhidapi-libusb_url := https://github.com/libusb/hidapi/archive/$(libhidapi-libusb_tar) 9 | libhidapi-libusb_hash := 630ee1834bdd5c5761ab079fd04f463a89585df8fcae51a7bfe4229b1e02a652 10 | 11 | MY_CROSS_TOOLS := \ 12 | CC="$(heads_cc) -Os" \ 13 | $(CROSS_TOOLS_NOCC) \ 14 | 15 | 16 | libhidapi-libusb_configure := ./bootstrap && \ 17 | ./configure \ 18 | $(MY_CROSS_TOOLS) \ 19 | --host $(MUSL_ARCH)-elf-linux\ 20 | --prefix "/" 21 | 22 | 23 | libhidapi-libusb_target := $(MAKE_JOBS) -C libusb \ 24 | DESTDIR="$(INSTALL)" \ 25 | $(MY_CROSS_TOOLS) \ 26 | install && \ 27 | cp $(INSTALL)/../build/$(libhidapi-libusb_dir)/pc/hidapi-libusb.pc $(INSTALL)/lib/pkgconfig/ \ 28 | 29 | -------------------------------------------------------------------------------- /modules/libksba: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_GPG2) += libksba 2 | 3 | libksba_version := 1.6.3 4 | libksba_dir := libksba-$(libksba_version) 5 | libksba_tar := libksba-$(libksba_version).tar.bz2 6 | libksba_url := https://gnupg.org/ftp/gcrypt/libksba/$(libksba_tar) 7 | libksba_hash := 3f72c68db30971ebbf14367527719423f0a4d5f8103fc9f4a1c01a9fa440de5c 8 | 9 | libksba_configure := \ 10 | $(CROSS_TOOLS) \ 11 | CFLAGS="-Os" \ 12 | ./configure \ 13 | --host $(MUSL_ARCH)-linux-musl \ 14 | --prefix "/" \ 15 | --disable-static \ 16 | --with-gpg-error-prefix="$(INSTALL)" \ 17 | 18 | libksba_target := $(MAKE_JOBS) \ 19 | DESTDIR="$(INSTALL)" \ 20 | $(CROSS_TOOLS) \ 21 | install \ 22 | 23 | libksba_libraries := src/.libs/libksba.so.8 24 | 25 | libksba_depends := libgpg-error $(musl_dep) 26 | -------------------------------------------------------------------------------- /modules/libpng: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_CAIRO) += libpng 2 | 3 | libpng_version := 1.6.34 4 | libpng_dir := libpng-$(libpng_version) 5 | libpng_tar := libpng-$(libpng_version).tar.gz 6 | libpng_url := https://github.com/glennrp/libpng-releases/raw/master/$(libpng_tar) 7 | libpng_hash := 574623a4901a9969080ab4a2df9437026c8a87150dfd5c235e28c94b212964a7 8 | 9 | libpng_configure := \ 10 | $(CROSS_TOOLS) \ 11 | CFLAGS="-Os" \ 12 | ./configure \ 13 | --host $(MUSL_ARCH)-elf-linux \ 14 | --prefix="/" \ 15 | 16 | libpng_target := \ 17 | $(MAKE_JOBS) \ 18 | $(CROSS_TOOLS) \ 19 | DESTDIR="$(INSTALL)" \ 20 | install \ 21 | 22 | libpng_libraries := .libs/libpng16.so.16 23 | 24 | libpng_depends := zlib $(musl_dep) 25 | -------------------------------------------------------------------------------- /modules/libusb: -------------------------------------------------------------------------------- 1 | # GPG with Yubikey support requires libusb 2 | modules-$(CONFIG_GPG) += libusb 3 | modules-$(CONFIG_GPG2) += libusb 4 | 5 | libusb_version := 1.0.21 6 | libusb_dir := libusb-$(libusb_version) 7 | libusb_tar := libusb-$(libusb_version).tar.bz2 8 | libusb_url := https://downloads.sourceforge.net/project/libusb/libusb-1.0/libusb-$(libusb_version)/$(libusb_tar) 9 | libusb_url := https://github.com/libusb/libusb/releases/download/v$(libusb_version)/$(libusb_tar) 10 | libusb_hash := 7dce9cce9a81194b7065ee912bcd55eeffebab694ea403ffb91b67db66b1824b 11 | 12 | libusb_configure := \ 13 | CFLAGS="-Os" \ 14 | ./configure \ 15 | $(CROSS_TOOLS) \ 16 | --host $(MUSL_ARCH)-elf-linux \ 17 | --prefix "/" \ 18 | --disable-udev \ 19 | 20 | # Run one build to generate the executables with the pre-defined 21 | # exec_prefix and datarootdir, then a second make to install the binaries 22 | # into our actual target location 23 | 24 | libusb_target := $(MAKE_JOBS) \ 25 | DESTDIR="$(INSTALL)" \ 26 | $(CROSS_TOOLS) \ 27 | install \ 28 | 29 | libusb_libraries := libusb/.libs/libusb-1.0.so.0 30 | 31 | libusb_depends := $(musl_dep) 32 | -------------------------------------------------------------------------------- /modules/libusb-compat: -------------------------------------------------------------------------------- 1 | # GPG 1.4.21 uses an old version of libusb, which 2 | # is emulated with the compatibility library. 3 | # This is a bit of a hack to set it up. 4 | 5 | modules-$(CONFIG_GPG) += libusb-compat 6 | 7 | libusb-compat_version := 0.1.5 8 | libusb-compat_dir := libusb-compat-$(libusb-compat_version) 9 | libusb-compat_tar := libusb-compat-$(libusb-compat_version).tar.bz2 10 | libusb-compat_url := https://downloads.sourceforge.net/project/libusb/libusb-compat-0.1/libusb-compat-$(libusb-compat_version)/$(libusb-compat_tar) 11 | libusb-compat_hash := 404ef4b6b324be79ac1bfb3d839eac860fbc929e6acb1ef88793a6ea328bc55a 12 | 13 | libusb-compat_configure := \ 14 | CFLAGS="-Os" \ 15 | ./configure \ 16 | $(CROSS_TOOLS) \ 17 | --host $(MUSL_ARCH)-elf-linux \ 18 | --prefix "/" \ 19 | PKG_CONFIG=/bin/false \ 20 | LIBUSB_1_0_CFLAGS="-I$(INSTALL)/include/libusb-1.0" \ 21 | LIBUSB_1_0_LIBS="$(INSTALL)/libusb-1.0.so" \ 22 | 23 | # Run one build to generate the executables with the pre-defined 24 | # exec_prefix and datarootdir, then a second make to install the binaries 25 | # into our actual target location 26 | libusb-compat_target := $(MAKE_JOBS) \ 27 | DESTDIR="$(INSTALL)" \ 28 | $(CROSS_TOOLS) \ 29 | install \ 30 | 31 | libusb-compat_libraries := libusb/.libs/libusb-0.1.so.4 32 | 33 | libusb-compat_depends := libusb $(musl_dep) 34 | -------------------------------------------------------------------------------- /modules/mbedtls: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_MBEDTLS) += mbedtls 2 | 3 | mbedtls_version := 2.4.2 4 | mbedtls_dir := mbedtls-$(mbedtls_version) 5 | mbedtls_tar := mbedtls-$(mbedtls_version).tar.gz 6 | mbedtls_url := https://github.com/ARMmbed/mbedtls/archive/$(mbedtls_tar) 7 | mbedtls_hash := b7afab6a0f86e29c6055848b70d183c4e2531cb0ec955b66c0e4e1b7e4954bf4 8 | 9 | mbedtls_libraries := library/libmbedcrypto.so.0 10 | 11 | mbedtls_configure := 12 | 13 | mbedtls_target := \ 14 | SHARED=1 \ 15 | CFLAGS="-Os" \ 16 | DESTDIR=$(INSTALL) \ 17 | $(CROSS_TOOLS) \ 18 | $(MAKE_JOBS) \ 19 | install 20 | 21 | mbedtls_depends := $(musl_dep) 22 | -------------------------------------------------------------------------------- /modules/msrtools: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_MSRTOOLS) += msrtools 2 | 3 | msrtools_depends := $(musl_dep) 4 | 5 | #msrtools_version := git 6 | #msrtools_repo := https://github.com/osresearch/msr-tools 7 | 8 | msrtools_version := 572ef8a2b873eda15a322daa48861140a078b92c 9 | msrtools_dir := msrtools-$(msrtools_version) 10 | msrtools_tar := msr-tools-$(msrtools_version).tar.gz 11 | #msrtools_url := https://github.com/intel/msr-tools/archive/msr-tools-$(msrtools_version).tar.gz 12 | msrtools_url := https://github.com/osresearch/msr-tools/archive/$(msrtools_version).tar.gz 13 | msrtools_hash := 80554790d0a404205fe215c9ae8d2de159e980ec23821d636f201f12550e6ac0 14 | 15 | msrtools_target := \ 16 | $(MAKE_JOBS) \ 17 | $(CROSS_TOOLS) \ 18 | CFLAGS="-I$(INSTALL)/include" \ 19 | LDFLAGS="-L$(INSTALL)/lib" \ 20 | 21 | msrtools_output := \ 22 | wrmsr \ 23 | rdmsr \ 24 | cpuid \ 25 | 26 | msrtools_libraries := \ 27 | 28 | msrtools_configure := 29 | -------------------------------------------------------------------------------- /modules/ncurses: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_NEWT) += ncurses 2 | 3 | ncurses_depends := $(musl_dep) 4 | 5 | ncurses_version := 6.5 6 | ncurses_dir := ncurses-$(ncurses_version) 7 | ncurses_tar := ncurses-$(ncurses_version).tar.gz 8 | ncurses_url := https://invisible-island.net/archives/ncurses/ncurses-$(ncurses_version).tar.gz 9 | ncurses_hash := 136d91bc269a9a5785e5f9e980bc76ab57428f604ce3e5a5a90cebc767971cc6 10 | 11 | ncurses_configure := \ 12 | CFLAGS="-Os" ./configure \ 13 | $(CROSS_TOOLS) \ 14 | --host $(MUSL_ARCH)-elf-linux \ 15 | --without-ada \ 16 | --without-cxx \ 17 | --without-cxx-binding \ 18 | --without-manpages \ 19 | --without-shared 20 | 21 | # Build and install ncurses data 22 | ncurses_target := $(MAKE_JOBS) \ 23 | $(CROSS_TOOLS) \ 24 | DESTDIR="$(INSTALL)" \ 25 | install.data 26 | 27 | # Specify terminfo file for data.cpio if ncurses is enabled 28 | ncurses_data += $(INSTALL)/usr/lib/terminfo/l/linux|etc/terminfo/l/linux 29 | -------------------------------------------------------------------------------- /modules/newt: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_NEWT) += newt 2 | 3 | newt_depends := popt slang ncurses $(musl_dep) 4 | 5 | newt_version := 0.52.24 6 | newt_dir := newt-$(newt_version) 7 | newt_tar := newt-$(newt_version).tar.gz 8 | newt_url := https://releases.pagure.org/newt/$(newt_tar) 9 | newt_hash := 5ded7e221f85f642521c49b1826c8de19845aa372baf5d630a51774b544fbdbb 10 | 11 | newt_target := \ 12 | #We remove Makefile passed number of jobs to only pass one job, otherwise fails to build 13 | #$(MAKE_JOBS) \ 14 | $(CROSS_TOOLS) \ 15 | 16 | newt_output := \ 17 | whiptail \ 18 | 19 | newt_libraries := \ 20 | libnewt.so.0.52 \ 21 | 22 | newt_configure := \ 23 | ./autogen.sh && CFLAGS="-Os" ./configure \ 24 | $(CROSS_TOOLS) \ 25 | --host $(MUSL_ARCH)-elf-linux \ 26 | --prefix "/" \ 27 | --without-tcl 28 | -------------------------------------------------------------------------------- /modules/nkstorecli: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_NKSTORECLI) += nkstorecli 2 | 3 | nkstorecli_depends := libnitrokey libusb $(musl_dep) 4 | 5 | nkstorecli_version := 0.4.1 6 | nkstorecli_dir := nkstorecli-$(nkstorecli_version) 7 | nkstorecli_tar := nkstorecli-$(nkstorecli_version).tar.gz 8 | nkstorecli_url := https://github.com/Nitrokey/nitrokey-storage-cli/releases/download/v$(nkstorecli_version)/nkstorecli-$(nkstorecli_version).tar.gz 9 | nkstorecli_hash := 0fa7dbbede453b9c40d920c0563afdd2b0f7d08625aeb68f065512613b6fbb6b 10 | 11 | nkstorecli_target := $(MAKE_JOBS) -C src $(CROSS_TOOLS) DESTDIR=$(INSTALL) install 12 | 13 | nkstorecli_output := \ 14 | src/nkstorecli 15 | 16 | -------------------------------------------------------------------------------- /modules/npth: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_GPG2) += npth 2 | 3 | npth_version := 1.6 4 | npth_dir := npth-$(npth_version) 5 | npth_tar := npth-$(npth_version).tar.bz2 6 | npth_url := https://gnupg.org/ftp/gcrypt/npth/$(npth_tar) 7 | npth_hash := 1393abd9adcf0762d34798dc34fdcf4d0d22a8410721e76f1e3afcd1daa4e2d1 8 | 9 | npth_configure := ./configure \ 10 | $(CROSS_TOOLS) \ 11 | --host $(MUSL_ARCH)-linux-musl \ 12 | --prefix "/" \ 13 | --disable-static \ 14 | 15 | npth_target := $(MAKE_JOBS) \ 16 | DESTDIR="$(INSTALL)" \ 17 | $(CROSS_TOOLS) \ 18 | install \ 19 | 20 | npth_libraries := src/.libs/libnpth.so.0 21 | 22 | npth_depends := libgpg-error $(musl_dep) 23 | -------------------------------------------------------------------------------- /modules/openssl: -------------------------------------------------------------------------------- 1 | # OpenSSL library 2 | modules-$(CONFIG_OPENSSL) += openssl 3 | 4 | openssl_version := 3.0.8 5 | openssl_dir := openssl-$(openssl_version) 6 | openssl_tar := openssl-$(openssl_version).tar.gz 7 | openssl_url := https://www.openssl.org/source/$(openssl_tar) 8 | openssl_hash := 6c13d2bf38fdf31eac3ce2a347073673f5d63263398f1f69d0df4a41253e4b3e 9 | 10 | # The only optional algorithm that's enabled is SM3. tpm2-tss uses SHA, AES, 11 | # and SM3. 12 | openssl_configure := \ 13 | $(CROSS_TOOLS) \ 14 | CFLAGS="-Os" \ 15 | ./Configure \ 16 | --prefix="/" \ 17 | linux-$(strip $(arch)) \ 18 | no-aria \ 19 | no-bf \ 20 | no-blake2 \ 21 | no-camellia \ 22 | no-cast \ 23 | no-chacha \ 24 | no-cmac \ 25 | no-des \ 26 | no-dh \ 27 | no-dsa \ 28 | no-ecdh \ 29 | no-ecdsa \ 30 | no-idea \ 31 | no-md4 \ 32 | no-mdc2 \ 33 | no-ocb \ 34 | no-poly1305 \ 35 | no-rc2 \ 36 | no-rc4 \ 37 | no-rmd160 \ 38 | no-scrypt \ 39 | no-seed \ 40 | no-siphash \ 41 | no-siv \ 42 | no-sm2 \ 43 | no-sm4 \ 44 | no-tests \ 45 | no-whirlpool \ 46 | 47 | openssl_target := $(MAKE_JOBS) \ 48 | build_programs \ 49 | && \ 50 | $(MAKE) \ 51 | -C "$(build)/$(openssl_dir)" \ 52 | DESTDIR="$(INSTALL)" \ 53 | LIBDIR="lib" \ 54 | install_sw \ 55 | 56 | # Only libcrypto is needed currently, libssl is not included in initrd 57 | openssl_libraries := \ 58 | libcrypto.so.3 \ 59 | 60 | openssl_depends := $(musl_dep) 61 | -------------------------------------------------------------------------------- /modules/pciutils: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_PCIUTILS) += pciutils 2 | 3 | pciutils_depends := $(musl_dep) 4 | 5 | #pciutils_version := git 6 | #pciutils_repo := https://github.com/osresearch/pciutils 7 | 8 | pciutils_version := 3.5.4 9 | pciutils_dir := pciutils-$(pciutils_version) 10 | pciutils_tar := pciutils-$(pciutils_version).tar.xz 11 | pciutils_url := https://www.kernel.org/pub/software/utils/pciutils/$(pciutils_tar) 12 | pciutils_hash := 64293c6ab9318c40ef262b76d87bd9097531759752bac556e50979b1e63cfe66 13 | 14 | # IDSDIR must be set to a constant during the build, 15 | # but not during the install to make the libpci.so.3 16 | # reproducible. Otherwise the build path will be embedded 17 | # in the library and executables. 18 | 19 | pciutils_target := \ 20 | $(MAKE_JOBS) \ 21 | $(CROSS_TOOLS) \ 22 | HOST=$(MUSL_ARCH)-linux-musl \ 23 | ZLIB=no \ 24 | HWDB=no \ 25 | LIBKMOD=no \ 26 | SHARED=yes \ 27 | IDSDIR="/" \ 28 | PREFIX="/" \ 29 | && \ 30 | $(MAKE) \ 31 | -C $(build)/$(pciutils_dir) \ 32 | $(CROSS_TOOLS) \ 33 | ZLIB=no \ 34 | HWDB=no \ 35 | LIBKMOD=no \ 36 | SHARED=yes \ 37 | PREFIX="/" \ 38 | DESTDIR="$(INSTALL)" \ 39 | install \ 40 | install-lib \ 41 | 42 | pciutils_output := \ 43 | lspci \ 44 | 45 | pciutils_libraries := \ 46 | lib/libpci.so.3.5.4 \ 47 | $(INSTALL)/lib/libpci.so.3\ 48 | 49 | pciutils_configure := 50 | -------------------------------------------------------------------------------- /modules/pixman: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_CAIRO) += pixman 2 | 3 | pixman_version := 0.34.0 4 | pixman_dir := pixman-$(pixman_version) 5 | pixman_tar := pixman-$(pixman_version).tar.gz 6 | pixman_url := https://www.cairographics.org/releases/$(pixman_tar) 7 | pixman_hash := 21b6b249b51c6800dc9553b65106e1e37d0e25df942c90531d4c3997aa20a88e 8 | 9 | pixman_configure := \ 10 | $(CROSS_TOOLS) \ 11 | CFLAGS="-Os" \ 12 | ./configure \ 13 | --host $(MUSL_ARCH)-elf-linux \ 14 | --prefix="/" \ 15 | --disable-gtk 16 | 17 | pixman_target := \ 18 | $(MAKE_JOBS) \ 19 | $(CROSS_TOOLS) \ 20 | DESTDIR="$(INSTALL)" \ 21 | install \ 22 | 23 | pixman_libraries := pixman/.libs/libpixman-1.so.0 24 | 25 | pixman_depends := libpng $(musl_dep) 26 | -------------------------------------------------------------------------------- /modules/popt: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_POPT) += popt 2 | 3 | popt_version := 1.19 4 | popt_dir := popt-$(popt_version) 5 | popt_tar := popt-$(popt_version).tar.gz 6 | popt_url := https://fossies.org/linux/misc/$(popt_tar) 7 | popt_hash := c25a4838fc8e4c1c8aacb8bd620edb3084a3d63bf8987fdad3ca2758c63240f9 8 | 9 | popt_configure := ./configure \ 10 | $(CROSS_TOOLS) \ 11 | --host $(MUSL_ARCH)-elf-linux \ 12 | --prefix "/" \ 13 | 14 | popt_target := \ 15 | $(MAKE_JOBS) \ 16 | $(CROSS_TOOLS) \ 17 | && $(MAKE) \ 18 | -C "$(build)/$(popt_dir)" \ 19 | $(CROSS_TOOLS) \ 20 | DESTDIR="$(INSTALL)" \ 21 | install 22 | 23 | popt_libraries := src/.libs/libpopt.so.0 24 | 25 | popt_depends := $(musl_dep) 26 | -------------------------------------------------------------------------------- /modules/powerpc-utils: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_POWERPC_UTILS) += powerpc-utils 2 | 3 | powerpc-utils_version := 1.3.5 4 | powerpc-utils_dir := powerpc-utils-$(powerpc-utils_version) 5 | powerpc-utils_tar := powerpc-utils-$(powerpc-utils_version).tar.gz 6 | powerpc-utils_url := https://github.com/ibm-power-utilities/powerpc-utils/archive/v$(powerpc-utils_version)/$(powerpc-utils_tar) 7 | powerpc-utils_hash := 77efe3978ac9c251c4728a35b9aebd6076583939a8e26cc7f07ffa86432a8bf0 8 | 9 | powerpc-utils_configure := \ 10 | ./autogen.sh && \ 11 | $(CROSS_TOOLS) \ 12 | CFLAGS="-Os" \ 13 | ./configure \ 14 | --host $(MUSL_ARCH)-elf-linux \ 15 | --prefix "/" \ 16 | --without-librtas \ 17 | --without-systemd \ 18 | 19 | powerpc-utils_target := \ 20 | $(MAKE_JOBS) \ 21 | $(CROSS_TOOLS) \ 22 | DESTDIR="$(INSTALL)" \ 23 | install 24 | 25 | powerpc-utils_output := src/nvram 26 | 27 | powerpc-utils_depends := $(musl_dep) 28 | -------------------------------------------------------------------------------- /modules/purism-blobs: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_PURISM_BLOBS) += purism-blobs 2 | 3 | purism-blobs_base_dir := coreboot-$(CONFIG_COREBOOT_VERSION)/3rdparty/purism-blobs 4 | purism-blobs_version := 995f66c445841b86e6596e9b297cc4888c0257e5 5 | purism-blobs_tar := purism-blobs-${purism-blobs_version}.tar.gz 6 | purism-blobs_tar_opt := --strip 1 7 | purism-blobs_url := https://source.puri.sm/coreboot/purism-blobs/-/archive/${purism-blobs_version}/${purism-blobs_tar} 8 | purism-blobs_hash := 6d26c129fe8d719a49f4f726383baaf7edb6131183bada4167711b5a5312f516 9 | 10 | ## there is nothing to be built 11 | purism-blobs_output := .built 12 | purism-blobs_configure := echo -e 'all:\n\ttouch .built' > Makefile 13 | -------------------------------------------------------------------------------- /modules/qrencode: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_QRENCODE) += qrencode 2 | 3 | qrencode_version := 3.4.4 4 | qrencode_dir := qrencode-$(qrencode_version) 5 | qrencode_tar := qrencode-$(qrencode_version).tar.gz 6 | qrencode_url := https://fukuchi.org/works/qrencode/$(qrencode_tar) 7 | qrencode_hash := e794e26a96019013c0e3665cb06b18992668f352c5553d0a553f5d144f7f2a72 8 | 9 | qrencode_libraries := .libs/libqrencode.so.3 10 | 11 | qrencode_configure := \ 12 | CFLAGS="-Os" \ 13 | ./configure \ 14 | $(CROSS_TOOLS) \ 15 | --host $(MUSL_ARCH)-elf-linux \ 16 | --prefix "/" \ 17 | --without-tools \ 18 | 19 | qrencode_target := \ 20 | $(MAKE_JOBS) \ 21 | $(CROSS_TOOLS) \ 22 | && $(MAKE) \ 23 | -C "$(build)/$(qrencode_dir)" \ 24 | DESTDIR="$(INSTALL)" \ 25 | install 26 | 27 | qrencode_depends := $(musl_dep) 28 | -------------------------------------------------------------------------------- /modules/slang: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_SLANG) += slang 2 | 3 | slang_version := 2.3.3 4 | slang_dir := slang-$(slang_version) 5 | slang_tar := slang-$(slang_version).tar.bz2 6 | slang_url := https://www.jedsoft.org/releases/slang/$(slang_tar) 7 | slang_hash := f9145054ae131973c61208ea82486d5dd10e3c5cdad23b7c4a0617743c8f5a18 8 | 9 | slang_configure := ./configure \ 10 | $(CROSS_TOOLS) \ 11 | ac_cv_path_nc5config=ncurses-config \ 12 | --host $(MUSL_ARCH)-elf-linux \ 13 | --prefix "/" \ 14 | --with-onig=no \ 15 | --with-pcre=no \ 16 | --with-png=no \ 17 | --with-z=no \ 18 | --disable-termcap \ 19 | && mkdir -p src/elfobjs 20 | 21 | # Disable parallel make for the install target 22 | slang_target := \ 23 | $(MAKE_JOBS) \ 24 | $(CROSS_TOOLS) \ 25 | && $(MAKE) \ 26 | -j1 \ 27 | -C "$(build)/$(slang_dir)" \ 28 | $(CROSS_TOOLS) \ 29 | DESTDIR="$(INSTALL)" \ 30 | install 31 | 32 | slang_libraries := src/elfobjs/libslang.so.2 33 | 34 | slang_depends := $(musl_dep) 35 | -------------------------------------------------------------------------------- /modules/tpmtotp: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_TPMTOTP) += tpmtotp 2 | 3 | tpmtotp_depends := mbedtls qrencode $(musl_dep) 4 | 5 | tpmtotp_version := 4d63d21c8b7db2e92ddb393057f168aead147f47 6 | tpmtotp_dir := tpmtotp-$(tpmtotp_version) 7 | tpmtotp_tar := tpmtotp-$(tpmtotp_version).tar.gz 8 | tpmtotp_url := https://github.com/osresearch/tpmtotp/archive/$(tpmtotp_version).tar.gz 9 | tpmtotp_hash := eaac1e8f652f1da7f5a1ed6a8cfefb6511f1e5e1dabf93b44db3b29c18c5ae53 10 | 11 | tpmtotp_target := \ 12 | $(CROSS_TOOLS) \ 13 | $(MAKE_JOBS) \ 14 | CFLAGS="-I$(INSTALL)/include -Os" \ 15 | LDFLAGS="-L$(INSTALL)/lib" \ 16 | 17 | tpmtotp_output := \ 18 | totp \ 19 | hotp \ 20 | qrenc \ 21 | util/tpm \ 22 | 23 | tpmtotp_libraries := \ 24 | libtpm/libtpm.so \ 25 | 26 | tpmtotp_configure := 27 | -------------------------------------------------------------------------------- /modules/u-root: -------------------------------------------------------------------------------- 1 | # 2 | # u-root go runtime 3 | # 4 | # This is not a normal Heads module, since it builds all of its 5 | # own dependencies. 6 | # 7 | u-root_url := github.com/u-root/u-root 8 | u-root_output := $(build)/$(BOARD)/u-root.cpio 9 | UROOT_CMDS ?= 10 | 11 | export GOPATH=$(build)/go 12 | u-root_src_cmds := $(foreach cmd,$(UROOT_CMDS),github.com/u-root/u-root/cmds/$(cmd)) 13 | 14 | u-root_build := $(GOPATH)/bin/u-root 15 | 16 | $(GOPATH)/bin/u-root: 17 | go get github.com/u-root/u-root/... 18 | # 19 | # If the board directory has its own go commands, copy them 20 | # into the u-root tree so that they will be bundled into the go initrd 21 | # TODO: generalize this to support more commands 22 | # TODO: fix this sort that it doesn't leave commands lying around 23 | # 24 | ifeq "y" "$(shell [ -r 'boards/$(BOARD)/uinit.go' ] && echo y)" 25 | u-root_uinit := $(GOPATH)/src/github.com/u-root/u-root/cmds/uinit/uinit.go 26 | $(u-root_uinit): $(u-root_build) boards/$(BOARD)/uinit.go 27 | $(call install,boards/$(BOARD)/uinit.go,$@) 28 | endif 29 | 30 | $(u-root_output): $(u-root_build) $(u-root_uinit) 31 | $(call do,U-ROOT,$@,\ 32 | $(GOPATH)/bin/u-root \ 33 | -build=bb \ 34 | -format=cpio \ 35 | -o $@ \ 36 | $(u-root_src_cmds)\ 37 | ) 38 | 39 | # Override the initrd inputs and add in the kernel modules 40 | initrd-$(CONFIG_UROOT) += $(u-root_output) 41 | 42 | 43 | ifeq "$(CONFIG_UROOT)" "y" 44 | # If we are building for u-root, disable the default CONFIG_HEADS 45 | # so that the heads/initrd/etc directories will not be included 46 | CONFIG_HEADS=n 47 | 48 | # Since we do not include u-root in modules-y, we have to define our 49 | # own intermediate and clean targets here 50 | $(build)/$(u-root_dir)/.build: $(u-root_output) 51 | u-root.clean: 52 | $(RM) $(u-root_output) 53 | endif 54 | -------------------------------------------------------------------------------- /modules/util-linux: -------------------------------------------------------------------------------- 1 | modules-$(CONFIG_UTIL_LINUX) += util-linux 2 | 3 | util-linux_version := 2.39 4 | util-linux_dir := util-linux-$(util-linux_version) 5 | util-linux_tar := util-linux-$(util-linux_version).tar.xz 6 | util-linux_url := https://www.kernel.org/pub/linux/utils/util-linux/v2.39/$(util-linux_tar) 7 | util-linux_hash := 32b30a336cda903182ed61feb3e9b908b762a5e66fe14e43efb88d37162075cb 8 | 9 | util-linux_configure := \ 10 | $(CROSS_TOOLS) \ 11 | CFLAGS="-Os" \ 12 | ./configure \ 13 | --host $(MUSL_ARCH)-elf-linux \ 14 | --prefix "/" \ 15 | --oldincludedir "$(INSTALL)/include" \ 16 | --disable-all-programs \ 17 | --disable-bash-completion \ 18 | --enable-agetty \ 19 | --enable-libblkid \ 20 | --enable-libuuid \ 21 | --without-ncurses \ 22 | --without-ncursesw \ 23 | --without-python \ 24 | --without-tinfo \ 25 | --without-udev \ 26 | 27 | 28 | util-linux_target := \ 29 | $(MAKE_JOBS) \ 30 | $(CROSS_TOOLS) \ 31 | DESTDIR="$(INSTALL)" \ 32 | install && \ 33 | rm $(INSTALL)/lib/libblkid.la && \ 34 | rm $(INSTALL)/lib/libuuid.la 35 | 36 | util-linux_libraries += \ 37 | .libs/libuuid.so.1 \ 38 | .libs/libblkid.so.1 \ 39 | 40 | util-linux_agetty-$(CONFIG_USE_AGETTY) := agetty 41 | util-linux_output := $(util-linux_agetty-y) 42 | 43 | util-linux_depends := $(musl_dep) 44 | -------------------------------------------------------------------------------- /modules/zlib: -------------------------------------------------------------------------------- 1 | CONFIG_ZLIB ?= y 2 | modules-$(CONFIG_ZLIB) += zlib 3 | 4 | zlib_version := 1.2.11 5 | zlib_dir := zlib-$(zlib_version) 6 | zlib_tar := zlib-$(zlib_version).tar.gz 7 | zlib_url := https://zlib.net/fossils/$(zlib_tar) 8 | zlib_hash := c3e5e9fdd5004dcb542feda5ee4f0ff0744628baf8ed2dd5d66f8ca1197cb1a1 9 | 10 | zlib_configure := \ 11 | $(CROSS_TOOLS) \ 12 | ./configure \ 13 | --prefix="/" \ 14 | 15 | zlib_target := \ 16 | $(MAKE_JOBS) \ 17 | $(CROSS_TOOLS) \ 18 | DESTDIR="$(INSTALL)" \ 19 | install \ 20 | 21 | zlib_libraries := libz.so.1 22 | 23 | zlib_depends := $(musl_dep) 24 | -------------------------------------------------------------------------------- /modules/zstd: -------------------------------------------------------------------------------- 1 | # ZSTD is always included, unless explicitly turned off 2 | # Needed by initrd/bin/unpack_initramfs.sh under LUKS TPM Disk Unlock Key setup 3 | CONFIG_ZSTD ?= y 4 | modules-$(CONFIG_ZSTD) += zstd 5 | 6 | zstd_version := 1.5.5 7 | zstd_dir := zstd-$(zstd_version) 8 | zstd_tar := zstd-$(zstd_version).tar.gz 9 | zstd_url := https://github.com/facebook/zstd/releases/download/v$(zstd_version)/$(zstd_tar) 10 | zstd_hash := 9c4396cc829cfae319a6e2615202e82aad41372073482fce286fac78646d3ee4 11 | 12 | zstd_configure := true 13 | 14 | # Only the decompressor is built and installed, to be able to read zstd-compressed 15 | # initramfs archives. 16 | zstd_target := \ 17 | $(MAKE_JOBS) $(CROSS_TOOLS) -C programs CFLAGS="-g0 -Os" \ 18 | HAVE_ZLIB=0 \ 19 | HAVE_LZMA=0 \ 20 | HAVE_LZ4=0 \ 21 | zstd-decompress 22 | 23 | zstd_output := programs/zstd-decompress 24 | -------------------------------------------------------------------------------- /packages/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | -------------------------------------------------------------------------------- /patches/bash-5.1.16.patch: -------------------------------------------------------------------------------- 1 | --- clean/bash-5.1.16/Makefile.in 2020-12-16 16:13:10.000000000 -0600 2 | +++ bash-5.1.16/Makefile.in 2023-04-25 14:16:38.849618679 -0600 3 | @@ -626,7 +626,7 @@ 4 | @${MAKE} ${MFLAGS} tests TESTSCRIPT=run-gprof 5 | 6 | version.h: $(SOURCES) config.h Makefile patchlevel.h 7 | - $(SHELL) $(SUPPORT_SRC)mkversion.sh -b -S ${topdir} -s $(RELSTATUS) -d $(Version) -o newversion.h \ 8 | + $(SHELL) $(SUPPORT_SRC)mkversion.sh -S ${topdir} -s $(RELSTATUS) -d $(Version) -o newversion.h \ 9 | && mv newversion.h version.h 10 | 11 | bashversion$(EXEEXT): buildversion.o $(SUPPORT_SRC)bashversion.c 12 | -------------------------------------------------------------------------------- /patches/busybox-1.36.1.patch: -------------------------------------------------------------------------------- 1 | diff -u --recursive clean/busybox-1.33.2/libbb/messages.c busybox-1.33.2/libbb/messages.c 2 | --- clean/busybox-1.33.2/libbb/messages.c 2017-10-20 04:36:58.000000000 -0400 3 | +++ busybox-1.33.2/libbb/messages.c 2018-02-09 12:02:45.918726483 -0500 4 | @@ -13,7 +13,7 @@ 5 | 6 | /* allow version to be extended, via CFLAGS */ 7 | #ifndef BB_EXTRA_VERSION 8 | -#define BB_EXTRA_VERSION " ("AUTOCONF_TIMESTAMP")" 9 | +#define BB_EXTRA_VERSION " (heads)" 10 | #endif 11 | 12 | const char bb_banner[] ALIGN1 = "BusyBox v" BB_VER BB_EXTRA_VERSION; 13 | -------------------------------------------------------------------------------- /patches/coreboot-24.02.01/0004-cbmem_tpm-clear_whole_log_on_creation.patch: -------------------------------------------------------------------------------- 1 | From b83a7607203d285b76e94ffd2013c55b184f5d42 Mon Sep 17 00:00:00 2001 2 | From: =?UTF-8?q?Micha=C5=82=20=C5=BBygowski?= 3 | Date: Wed, 30 Oct 2024 10:50:37 +0100 4 | Subject: [PATCH] security/tpm/tspi/log-tpm1.c: Clear whole log area on 5 | creation 6 | MIME-Version: 1.0 7 | Content-Type: text/plain; charset=UTF-8 8 | Content-Transfer-Encoding: 8bit 9 | 10 | The log area was not entirely cleared on creation resulting in 11 | garbage after the last valid lgo entry. It caused the cbmem utility 12 | to parse invalid events and access data outside the log area. 13 | In the TPM2 log sources, the entire area is being cleared, thus the 14 | issue has not been observed. 15 | 16 | Change-Id: I7c780b62b1c6507e1dd1806b20b0270e364cde3d 17 | Signed-off-by: Michał Żygowski 18 | --- 19 | src/security/tpm/tspi/log-tpm1.c | 2 +- 20 | 1 file changed, 1 insertion(+), 1 deletion(-) 21 | 22 | diff --git a/src/security/tpm/tspi/log-tpm1.c b/src/security/tpm/tspi/log-tpm1.c 23 | index 481b569cd5..453e74b4e8 100644 24 | --- a/src/security/tpm/tspi/log-tpm1.c 25 | +++ b/src/security/tpm/tspi/log-tpm1.c 26 | @@ -33,7 +33,7 @@ void *tpm1_log_cbmem_init(void) 27 | if (!tclt) 28 | return NULL; 29 | 30 | - memset(tclt, 0, sizeof(*tclt)); 31 | + memset(tclt, 0, tpm_log_len); 32 | hdr = &tclt->spec_id; 33 | 34 | /* Fill in first "header" entry. */ 35 | -- 36 | 2.39.5 37 | 38 | -------------------------------------------------------------------------------- /patches/coreboot-24.12/0002-soc-intel-skylake-Enable-4E-4F-PNP-I-O-ports-in-boot.patch: -------------------------------------------------------------------------------- 1 | From aa6dd7aa4693bd9ce1fe7f35b9532e5411fc1098 Mon Sep 17 00:00:00 2001 2 | From: Mate Kukri 3 | Date: Fri, 22 Nov 2024 21:26:48 +0000 4 | Subject: [PATCH 02/11] soc/intel/skylake: Enable 4E/4F PNP I/O ports in 5 | bootblock 6 | 7 | Change-Id: I57c9d8a9513a268e2ca6a0abd1306cd038598173 8 | Signed-off-by: Mate Kukri 9 | --- 10 | src/soc/intel/skylake/bootblock/pch.c | 4 ++-- 11 | 1 file changed, 2 insertions(+), 2 deletions(-) 12 | 13 | diff --git a/src/soc/intel/skylake/bootblock/pch.c b/src/soc/intel/skylake/bootblock/pch.c 14 | index df00bb85a9..beaece960b 100644 15 | --- a/src/soc/intel/skylake/bootblock/pch.c 16 | +++ b/src/soc/intel/skylake/bootblock/pch.c 17 | @@ -100,8 +100,8 @@ static void soc_config_pwrmbase(void) 18 | 19 | void pch_early_iorange_init(void) 20 | { 21 | - uint16_t io_enables = LPC_IOE_SUPERIO_2E_2F | LPC_IOE_KBC_60_64 | 22 | - LPC_IOE_EC_62_66; 23 | + uint16_t io_enables = LPC_IOE_EC_4E_4F | LPC_IOE_SUPERIO_2E_2F | 24 | + LPC_IOE_KBC_60_64 | LPC_IOE_EC_62_66; 25 | 26 | const config_t *config = config_of_soc(); 27 | 28 | -- 29 | 2.39.5 30 | 31 | -------------------------------------------------------------------------------- /patches/coreboot-24.12/0006-ec-dasharo-Comment-EC_DASHARO_EC_FLASH_SIZE.patch: -------------------------------------------------------------------------------- 1 | From 916c7b027faba625b922e74e45e50f9ceab64a64 Mon Sep 17 00:00:00 2001 2 | From: Leah Rowe 3 | Date: Mon, 6 Jan 2025 01:16:01 +0000 4 | Subject: [PATCH 1/1] ec/dasharo: Comment EC_DASHARO_EC_FLASH_SIZE 5 | 6 | We don't use anything dasharo in Libreboot. 7 | 8 | This patch prevents the following config item appearing 9 | in T480 and 3050 Micro configs: 10 | 11 | CONFIG_EC_DASHARO_EC_FLASH_SIZE=0x20000 12 | 13 | Otherwise, make-oldconfig adds it automatically. 14 | 15 | Signed-off-by: Leah Rowe 16 | --- 17 | src/ec/dasharo/ec/Kconfig | 2 +- 18 | 1 file changed, 1 insertion(+), 1 deletion(-) 19 | 20 | diff --git a/src/ec/dasharo/ec/Kconfig b/src/ec/dasharo/ec/Kconfig 21 | index 901d3ce514..071e37f95e 100644 22 | --- a/src/ec/dasharo/ec/Kconfig 23 | +++ b/src/ec/dasharo/ec/Kconfig 24 | @@ -28,4 +28,4 @@ config EC_DASHARO_EC_UPDATE_FILE 25 | 26 | config EC_DASHARO_EC_FLASH_SIZE 27 | hex 28 | - default 0x20000 29 | + # default 0x20000 30 | -- 31 | 2.39.5 32 | 33 | -------------------------------------------------------------------------------- /patches/coreboot-24.12/0008-src-intel-x4x-Disable-stack-overflow-debug.patch: -------------------------------------------------------------------------------- 1 | From 5671d54d347b110ffade5b8b6e2d052612a8716c Mon Sep 17 00:00:00 2001 2 | From: Leah Rowe 3 | Date: Mon, 6 Jan 2025 01:53:53 +0000 4 | Subject: [PATCH 1/1] src/intel/x4x: Disable stack overflow debug 5 | 6 | Signed-off-by: Leah Rowe 7 | --- 8 | src/northbridge/intel/x4x/Kconfig | 9 +++++++++ 9 | 1 file changed, 9 insertions(+) 10 | 11 | diff --git a/src/northbridge/intel/x4x/Kconfig b/src/northbridge/intel/x4x/Kconfig 12 | index 097e11126c..7e4e14cf94 100644 13 | --- a/src/northbridge/intel/x4x/Kconfig 14 | +++ b/src/northbridge/intel/x4x/Kconfig 15 | @@ -28,6 +28,15 @@ config ECAM_MMCONF_BUS_NUMBER 16 | int 17 | default 256 18 | 19 | +# Override DEBUG Kconfig to avoid false alarm about stack overflow. 20 | +config DEBUG_STACK_OVERFLOW_BREAKPOINTS 21 | + bool 22 | + default n 23 | + 24 | +config DEBUG_STACK_OVERFLOW_BREAKPOINTS_IN_ALL_STAGES 25 | + bool 26 | + default n 27 | + 28 | # This number must be equal or lower than what's reported in ACPI PCI _CRS 29 | config DOMAIN_RESOURCE_32BIT_LIMIT 30 | default 0xfec00000 31 | -- 32 | 2.39.5 33 | 34 | -------------------------------------------------------------------------------- /patches/coreboot-24.12/0010-cbmem_tpm-clear_whole_log_on_creation.patch: -------------------------------------------------------------------------------- 1 | From b83a7607203d285b76e94ffd2013c55b184f5d42 Mon Sep 17 00:00:00 2001 2 | From: =?UTF-8?q?Micha=C5=82=20=C5=BBygowski?= 3 | Date: Wed, 30 Oct 2024 10:50:37 +0100 4 | Subject: [PATCH] security/tpm/tspi/log-tpm1.c: Clear whole log area on 5 | creation 6 | MIME-Version: 1.0 7 | Content-Type: text/plain; charset=UTF-8 8 | Content-Transfer-Encoding: 8bit 9 | 10 | The log area was not entirely cleared on creation resulting in 11 | garbage after the last valid lgo entry. It caused the cbmem utility 12 | to parse invalid events and access data outside the log area. 13 | In the TPM2 log sources, the entire area is being cleared, thus the 14 | issue has not been observed. 15 | 16 | Change-Id: I7c780b62b1c6507e1dd1806b20b0270e364cde3d 17 | Signed-off-by: Michał Żygowski 18 | --- 19 | src/security/tpm/tspi/log-tpm1.c | 2 +- 20 | 1 file changed, 1 insertion(+), 1 deletion(-) 21 | 22 | diff --git a/src/security/tpm/tspi/log-tpm1.c b/src/security/tpm/tspi/log-tpm1.c 23 | index 481b569cd5..453e74b4e8 100644 24 | --- a/src/security/tpm/tspi/log-tpm1.c 25 | +++ b/src/security/tpm/tspi/log-tpm1.c 26 | @@ -33,7 +33,7 @@ void *tpm1_log_cbmem_init(void) 27 | if (!tclt) 28 | return NULL; 29 | 30 | - memset(tclt, 0, sizeof(*tclt)); 31 | + memset(tclt, 0, tpm_log_len); 32 | hdr = &tclt->spec_id; 33 | 34 | /* Fill in first "header" entry. */ 35 | -- 36 | 2.39.5 37 | 38 | -------------------------------------------------------------------------------- /patches/coreboot-4.11/0000-cpu-x86-smm-Use-PRIxPTR-to-print-uintptr_t.patch: -------------------------------------------------------------------------------- 1 | From 06f2fcc0ffc1a903f304d8a3382f3a57163989a1 Mon Sep 17 00:00:00 2001 2 | From: Jacob Garber 3 | Date: Mon, 4 Nov 2019 09:35:15 -0700 4 | Subject: [PATCH] cpu/x86/smm: Use PRIxPTR to print uintptr_t 5 | 6 | Since 'base' is a uintptr_t, it needs the PRIxPTR format specifier. This 7 | fixes a compilation error when targeting x86_64 or using Clang 9.0.0. 8 | 9 | Change-Id: Ib806e2b3cbb255ef208b361744ac4547b8ba262f 10 | Signed-off-by: Jacob Garber 11 | Reviewed-on: https://review.coreboot.org/c/coreboot/+/36785 12 | Tested-by: build bot (Jenkins) 13 | Reviewed-by: HAOUAS Elyes 14 | --- 15 | src/cpu/x86/smm/tseg_region.c | 5 +++-- 16 | 1 file changed, 3 insertions(+), 2 deletions(-) 17 | 18 | diff --git a/src/cpu/x86/smm/tseg_region.c b/src/cpu/x86/smm/tseg_region.c 19 | index a8b8bb7b9a..5b5c5729d5 100644 20 | --- a/src/cpu/x86/smm/tseg_region.c 21 | +++ b/src/cpu/x86/smm/tseg_region.c 22 | @@ -17,6 +17,7 @@ 23 | #include 24 | #include 25 | #include 26 | +#include 27 | 28 | /* 29 | * Subregions within SMM 30 | @@ -88,11 +89,11 @@ void smm_list_regions(void) 31 | return; 32 | 33 | printk(BIOS_DEBUG, "SMM Memory Map\n"); 34 | - printk(BIOS_DEBUG, "SMRAM : 0x%zx 0x%zx\n", base, size); 35 | + printk(BIOS_DEBUG, "SMRAM : 0x%" PRIxPTR " 0x%zx\n", base, size); 36 | 37 | for (i = 0; i < SMM_SUBREGION_NUM; i++) { 38 | if (smm_subregion(i, &base, &size)) 39 | continue; 40 | - printk(BIOS_DEBUG, " Subregion %d: 0x%zx 0x%zx\n", i, base, size); 41 | + printk(BIOS_DEBUG, " Subregion %d: 0x%" PRIxPTR " 0x%zx\n", i, base, size); 42 | } 43 | } 44 | -- 45 | 2.21.1 46 | 47 | 48 | -------------------------------------------------------------------------------- /patches/coreboot-4.11/0002-soc-intel-broadwell_de-Add-measured-boot-support.patch: -------------------------------------------------------------------------------- 1 | diff --git a/src/soc/intel/fsp_broadwell_de/romstage/romstage.c b/src/soc/intel/fsp_broadwell_de/romstage/romstage.c 2 | index 8438b1035c..ff7a29271f 100644 3 | --- a/src/soc/intel/fsp_broadwell_de/romstage/romstage.c 4 | +++ b/src/soc/intel/fsp_broadwell_de/romstage/romstage.c 5 | @@ -28,6 +28,8 @@ 6 | #include 7 | #include 8 | #include 9 | +#include 10 | +#include 11 | #include 12 | #include 13 | #include 14 | @@ -156,6 +158,20 @@ void *asmlinkage main(FSP_INFO_HEADER *fsp_info_header) 15 | early_iio_hide(); 16 | timestamp_add_now(TS_BEFORE_INITRAM); 17 | post_code(0x48); 18 | + 19 | + if (CONFIG(MEASURED_BOOT) && CONFIG(LPC_TPM)) { 20 | + // we don't know if we are coming out of a resume 21 | + // at this point, but want to setup the tpm ASAP 22 | + tpm_setup(0); 23 | + tlcl_lib_init(); 24 | + const void *const bootblock = (const void *) 0xFFFFF800; 25 | + const unsigned int bootblock_size = 0x800; 26 | + tlcl_measure(2, bootblock, bootblock_size); 27 | + 28 | + extern char _romstage, _eromstage; 29 | + tlcl_measure(2, &_romstage, &_eromstage - &_romstage); 30 | + } 31 | + 32 | /* 33 | * Call early init to initialize memory and chipset. This function returns 34 | * to the romstage_main_continue function with a pointer to the HOB 35 | @@ -214,3 +230,9 @@ uint64_t get_initial_timestamp(void) 36 | { 37 | return 0; 38 | } 39 | + 40 | +void platform_segment_loaded(uintptr_t start, size_t size, int flags) 41 | +{ 42 | + if (CONFIG(MEASURED_BOOT) && !(flags & SEG_NO_MEASURE)) 43 | + tlcl_measure(2, (const void *) start, size); 44 | +} 45 | -- 46 | 2.20.1 47 | 48 | -------------------------------------------------------------------------------- /patches/coreboot-4.11/0005-soc-fsp_broadwell_de-acpi-Remove-ADR-from-uncore-obj.patch: -------------------------------------------------------------------------------- 1 | From d04b1b034221371c2f6a8179fea4f6cecebf2d53 Mon Sep 17 00:00:00 2001 2 | From: Matt DeVillier 3 | Date: Fri, 15 Oct 2021 13:05:47 -0500 4 | Subject: [PATCH] soc/fsp_broadwell_de/acpi: Remove ADR from uncore object 5 | 6 | ACPI objects can have an HID or ADR, but not both. 7 | Remove the ADR since the HID is more relevent. 8 | 9 | Change-Id: I5cd0f786d12456a5788e9fd89335a1a2750dc4ba 10 | Signed-off-by: Matt DeVillier 11 | --- 12 | src/soc/intel/fsp_broadwell_de/acpi/uncore.asl | 1 - 13 | 1 file changed, 1 deletion(-) 14 | 15 | diff --git a/src/soc/intel/fsp_broadwell_de/acpi/uncore.asl b/src/soc/intel/fsp_broadwell_de/acpi/uncore.asl 16 | index 86b1410c39..aded1db836 100644 17 | --- a/src/soc/intel/fsp_broadwell_de/acpi/uncore.asl 18 | +++ b/src/soc/intel/fsp_broadwell_de/acpi/uncore.asl 19 | @@ -238,7 +238,6 @@ Device (UNC0) 20 | Return (0xff) 21 | } 22 | 23 | - Name (_ADR, 0x00) 24 | Method (_STA, 0, NotSerialized) 25 | { 26 | Return (0xf) 27 | -- 28 | 2.30.2 29 | 30 | -------------------------------------------------------------------------------- /patches/coreboot-4.11/0022-kgpe-d16_dstd-asl_Remove-HID-for-PCI-devices.patch: -------------------------------------------------------------------------------- 1 | --- ./src/mainboard/asus/kgpe-d16/dsdt.asl.orig 2021-10-15 16:17:56.496000000 -0400 2 | +++ ./src/mainboard/asus/kgpe-d16/dsdt.asl 2021-10-15 16:27:27.393000000 -0400 3 | @@ -126,7 +126,6 @@ 4 | { 5 | /* BUS0 root bus */ 6 | 7 | - Name (_HID, EisaId ("PNP0A08")) /* PCI-e root bus (SR5690) */ 8 | Name (_CID, EisaId ("PNP0A03")) /* PCI root bus (SP5100) */ 9 | Name (_ADR, 0x00180001) 10 | Name (_UID, 0x00) 11 | @@ -483,7 +482,6 @@ 12 | 13 | /* 0:14.3 SP5100 LPC */ 14 | Device (LPC) { 15 | - Name (_HID, EisaId ("PNP0A05")) 16 | Name (_ADR, 0x00140003) 17 | 18 | /* Real Time Clock Device */ 19 | -------------------------------------------------------------------------------- /patches/coreboot-4.11/0071-crossgcc-binutils-gold-error-strings.patch: -------------------------------------------------------------------------------- 1 | diff -ruN ./util/crossgcc/patches.orig/binutils-2.32_gold-errors-include-strings.patch ./util/crossgcc/patches/binutils-2.32_gold-errors-include-strings.patch 2 | --- ./util/crossgcc/patches.orig/binutils-2.32_gold-errors-include-strings.patch 1969-12-31 19:00:00.000000000 -0500 3 | +++ ./util/crossgcc/patches/binutils-2.32_gold-errors-include-strings.patch 2021-10-12 13:53:14.158000000 -0400 4 | @@ -0,0 +1,11 @@ 5 | +--- binutils-2.32/gold/errors.h.orig 2021-10-12 13:47:36.647000000 -0400 6 | ++++ binutils-2.32/gold/errors.h 2021-10-12 13:42:38.712000000 -0400 7 | +@@ -25,6 +25,7 @@ 8 | + #include 9 | + 10 | + #include "gold-threads.h" 11 | ++#include 12 | + 13 | + namespace gold 14 | + { 15 | + 16 | -------------------------------------------------------------------------------- /patches/coreboot-4.11/0073-build-race-condition-fixes.patch: -------------------------------------------------------------------------------- 1 | src/arch/x86: Ensure $(objgenerated) exists before it's used 2 | 3 | In some rare cases it seems that make tries to build 4 | $(objgenerated)/assembly.inc before the build-dirs target has finished, 5 | and so assembly.inc can't be written. Enforce that build-dirs is done 6 | before assembly.inc starts. 7 | 8 | BUG=chromium:1098215 9 | BRANCH=none 10 | TEST=none 11 | 12 | Change-Id: Ib141ea45a43836cfdde0059523c331fe5286b06d 13 | Signed-off-by: Patrick Georgi 14 | Reviewed-on: https://review.coreboot.org/c/coreboot/+/42883 15 | Tested-by: build bot (Jenkins) 16 | Reviewed-by: Aaron Durbin 17 | 18 | diff --git a/src/arch/x86/Makefile.inc b/src/arch/x86/Makefile.inc 19 | index cc094d1..132c6d8 100644 20 | --- a/src/arch/x86/Makefile.inc 21 | +++ b/src/arch/x86/Makefile.inc 22 | @@ -56,7 +56,7 @@ pci$(stripped_vgabios_dgpu_id).rom-type := optionrom 23 | # into a single generated file. 24 | crt0s = $(cpu_incs-y) 25 | 26 | -$(objgenerated)/assembly.inc: $$(crt0s) 27 | +$(objgenerated)/assembly.inc: build-dirs $$(crt0s) 28 | @printf " GEN $(subst $(obj)/,,$(@))\n" 29 | printf '$(foreach crt0,$(crt0s),#include "$(crt0)"\n)' > $@ 30 | 31 | -------------------------------------------------------------------------------- /patches/coreboot-purism/0001-cbmem_tpm-clear_whole_log_on_creation.patch: -------------------------------------------------------------------------------- 1 | From b83a7607203d285b76e94ffd2013c55b184f5d42 Mon Sep 17 00:00:00 2001 2 | From: =?UTF-8?q?Micha=C5=82=20=C5=BBygowski?= 3 | Date: Wed, 30 Oct 2024 10:50:37 +0100 4 | Subject: [PATCH] security/tpm/tspi/log-tpm1.c: Clear whole log area on 5 | creation 6 | MIME-Version: 1.0 7 | Content-Type: text/plain; charset=UTF-8 8 | Content-Transfer-Encoding: 8bit 9 | 10 | The log area was not entirely cleared on creation resulting in 11 | garbage after the last valid lgo entry. It caused the cbmem utility 12 | to parse invalid events and access data outside the log area. 13 | In the TPM2 log sources, the entire area is being cleared, thus the 14 | issue has not been observed. 15 | 16 | Change-Id: I7c780b62b1c6507e1dd1806b20b0270e364cde3d 17 | Signed-off-by: Michał Żygowski 18 | --- 19 | src/security/tpm/tspi/log-tpm1.c | 2 +- 20 | 1 file changed, 1 insertion(+), 1 deletion(-) 21 | 22 | diff --git a/src/security/tpm/tspi/log-tpm1.c b/src/security/tpm/tspi/log-tpm1.c 23 | index 481b569cd5..453e74b4e8 100644 24 | --- a/src/security/tpm/tspi/log-tpm1.c 25 | +++ b/src/security/tpm/tspi/log-tpm1.c 26 | @@ -33,7 +33,7 @@ void *tpm1_log_cbmem_init(void) 27 | if (!tclt) 28 | return NULL; 29 | 30 | - memset(tclt, 0, sizeof(*tclt)); 31 | + memset(tclt, 0, tpm_log_len); 32 | hdr = &tclt->spec_id; 33 | 34 | /* Fill in first "header" entry. */ 35 | -- 36 | 2.39.5 37 | 38 | -------------------------------------------------------------------------------- /patches/coreboot-talos_2/0002-acpi-unix2-mirror.patch: -------------------------------------------------------------------------------- 1 | From 8093bd4df682a49ab87845e4154e87885ad41734 Mon Sep 17 00:00:00 2001 2 | From: Jonathon Hall 3 | Date: Tue, 11 Jul 2023 14:48:33 -0400 4 | Subject: [PATCH] util/crossgcc/buildgcc: Use different mirror 5 | 6 | acpica.org now redirects to Intel and all the links no longer work. 7 | 8 | Intel has a mirror of this archive, use it. 9 | 10 | Change-Id: I4fbfe33a4614aec97c631904d78ec391ed438bec 11 | Signed-off-by: Jonathon Hall 12 | --- 13 | util/crossgcc/buildgcc | 3 ++- 14 | 1 file changed, 2 insertions(+), 1 deletion(-) 15 | 16 | diff --git a/util/crossgcc/buildgcc b/util/crossgcc/buildgcc 17 | index b25b260807..24916c5ab8 100755 18 | --- a/util/crossgcc/buildgcc 19 | +++ b/util/crossgcc/buildgcc 20 | @@ -52,7 +52,8 @@ MPFR_ARCHIVE="https://ftpmirror.gnu.org/mpfr/mpfr-${MPFR_VERSION}.tar.xz" 21 | MPC_ARCHIVE="https://ftpmirror.gnu.org/mpc/mpc-${MPC_VERSION}.tar.gz" 22 | GCC_ARCHIVE="https://ftpmirror.gnu.org/gcc/gcc-${GCC_VERSION}/gcc-${GCC_VERSION}.tar.xz" 23 | BINUTILS_ARCHIVE="https://ftpmirror.gnu.org/binutils/binutils-${BINUTILS_VERSION}.tar.xz" 24 | -IASL_ARCHIVE="https://acpica.org/sites/acpica/files/acpica-unix2-${IASL_VERSION}.tar.gz" 25 | +# acpica.org links rotted, use Intel mirror for 20220331 26 | +IASL_ARCHIVE="https://downloadmirror.intel.com/774879/acpica-unix2-${IASL_VERSION}.tar.gz" 27 | # CLANG toolchain archive locations 28 | LLVM_ARCHIVE="https://github.com/llvm/llvm-project/releases/download/llvmorg-${CLANG_VERSION}/llvm-${CLANG_VERSION}.src.tar.xz" 29 | CLANG_ARCHIVE="https://github.com/llvm/llvm-project/releases/download/llvmorg-${CLANG_VERSION}/clang-${CLANG_VERSION}.src.tar.xz" 30 | -- 31 | 2.30.2 32 | 33 | -------------------------------------------------------------------------------- /patches/coreboot-talos_2/0003-ugly_skiboot-patch_fix_for_newer_gcc_from_musl_125.patch: -------------------------------------------------------------------------------- 1 | diff --git a/payloads/external/skiboot/patches/0002-ugly_fix_for_newer_gcc_from_musl_125.patch b/payloads/external/skiboot/patches/0002-ugly_fix_for_newer_gcc_from_musl_125.patch 2 | new file mode 100644 3 | index 0000000..5db9bca 4 | --- /dev/null 5 | +++ b/payloads/external/skiboot/patches/0002-ugly_fix_for_newer_gcc_from_musl_125.patch 6 | @@ -0,0 +1,11 @@ 7 | +--- Makefile.main.orig 2024-11-06 16:19:12.161240140 -0500 8 | ++++ Makefile.main 2024-11-06 16:23:01.119252412 -0500 9 | +@@ -74,7 +74,7 @@ 10 | + CPPFLAGS += -DDEBUG -DCCAN_LIST_DEBUG 11 | + endif 12 | + 13 | +-CFLAGS := -fno-strict-aliasing -pie -fpie -fno-pic -mbig-endian -m64 -fno-asynchronous-unwind-tables 14 | ++CFLAGS := -Wno-error=address-of-packed-member -Wno-error=format-overflow -fno-strict-aliasing -pie -fpie -fno-pic -mbig-endian -m64 -fno-asynchronous-unwind-tables 15 | + CFLAGS += -mcpu=power7 16 | + CFLAGS += -Wl,--oformat,elf64-powerpc -ggdb 17 | + CFLAGS += $(call try-cflag,$(CC),-ffixed-r13) 18 | -------------------------------------------------------------------------------- /patches/cryptsetup-1.7.3.patch: -------------------------------------------------------------------------------- 1 | diff -u --recursive ../../clean/cryptsetup-1.7.3/src/Makefile.in ./cryptsetup-1.7.3/src/Makefile.in 2 | --- ../../clean/cryptsetup-1.7.3/src/Makefile.in 2016-10-28 09:45:06.000000000 -0400 3 | +++ cryptsetup-1.7.3/src/Makefile.in 2017-01-27 17:24:13.115962328 -0500 4 | @@ -479,6 +479,8 @@ 5 | cryptsetup_LDADD = \ 6 | $(top_builddir)/lib/libcryptsetup.la \ 7 | @POPT_LIBS@ \ 8 | + @UUID_LIBS@ \ 9 | + @DEVMAPPER_LIBS@ \ 10 | @PWQUALITY_LIBS@ \ 11 | @PASSWDQC_LIBS@ 12 | 13 | @@ -503,6 +505,8 @@ 14 | 15 | @VERITYSETUP_TRUE@veritysetup_LDADD = \ 16 | @VERITYSETUP_TRUE@ $(top_builddir)/lib/libcryptsetup.la \ 17 | +@VERITYSETUP_TRUE@ @UUID_LIBS@ \ 18 | +@VERITYSETUP_TRUE@ @DEVMAPPER_LIBS@ \ 19 | @VERITYSETUP_TRUE@ @POPT_LIBS@ 20 | 21 | @VERITYSETUP_TRUE@veritysetup_CFLAGS = $(cryptsetup_CFLAGS) 22 | -------------------------------------------------------------------------------- /patches/dropbear-2016.74.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ../clean/dropbear-2016.74/svr-chansession.c ./dropbear-2016.74/svr-chansession.c 2 | --- ../clean/dropbear-2016.74/svr-chansession.c 2016-07-21 11:17:09.000000000 -0400 3 | +++ dropbear-2016.74/svr-chansession.c 2017-09-19 11:01:34.889121503 -0400 4 | @@ -925,10 +925,10 @@ 5 | if ((setgid(ses.authstate.pw_gid) < 0) || 6 | (initgroups(ses.authstate.pw_name, 7 | ses.authstate.pw_gid) < 0)) { 8 | - dropbear_exit("Error changing user group"); 9 | + //dropbear_exit("Error changing user group"); 10 | } 11 | if (setuid(ses.authstate.pw_uid) < 0) { 12 | - dropbear_exit("Error changing user"); 13 | + //dropbear_exit("Error changing user"); 14 | } 15 | } else { 16 | /* ... but if the daemon is the same uid as the requested uid, we don't 17 | -------------------------------------------------------------------------------- /patches/gpg-1.4.21.patch: -------------------------------------------------------------------------------- 1 | diff -u --recursive /home/hudson/build/clean/gnupg-1.4.21/configure gnupg-1.4.21/configure 2 | --- /home/hudson/build/clean/gnupg-1.4.21/configure 2016-08-17 09:20:25.000000000 -0400 3 | +++ gnupg-1.4.21/configure 2018-01-20 16:55:14.502067084 -0500 4 | @@ -572,7 +572,7 @@ 5 | ac_clean_files= 6 | ac_config_libobj_dir=. 7 | LIBOBJS= 8 | -cross_compiling=no 9 | +cross_compiling=yes 10 | subdirs= 11 | MFLAGS= 12 | MAKEFLAGS= 13 | @@ -17100,7 +17100,7 @@ 14 | _libusb_try_libs=`$LIBS $_usb_config --libs` 15 | _libusb_try_cflags=`$LIBS $_usb_config --cflags` 16 | else 17 | - _libusb_try_libs="-lusb" 18 | + _libusb_try_libs="-lusb -lusb-1.0" 19 | _libusb_try_cflags="" 20 | fi 21 | 22 | @@ -17112,6 +17112,7 @@ 23 | 24 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext 25 | /* end confdefs.h. */ 26 | +#include 27 | #include 28 | int 29 | main () 30 | diff -u --recursive /home/hudson/build/clean/gnupg-1.4.21/util/ttyio.c gnupg-1.4.21/util/ttyio.c 31 | --- /home/hudson/build/clean/gnupg-1.4.21/util/ttyio.c 2016-04-22 03:30:18.000000000 -0400 32 | +++ gnupg-1.4.21/util/ttyio.c 2018-01-20 13:44:46.186273642 -0500 33 | @@ -183,7 +183,8 @@ 34 | #elif defined(__EMX__) 35 | ttyfp = stdout; /* Fixme: replace by the real functions: see wklib */ 36 | #else 37 | - ttyfp = batchmode? stderr : fopen( tty_get_ttyname (), "r+"); 38 | + //ttyfp = batchmode? stderr : fopen( tty_get_ttyname (), "r+"); 39 | + ttyfp = stderr; 40 | if( !ttyfp ) { 41 | ttyfp = stderr; /* Use stderr as fallback for log_error. */ 42 | initialized = 1; /* Make sure log_error won't try to init 43 | -------------------------------------------------------------------------------- /patches/gpg2-2.4.0.patch: -------------------------------------------------------------------------------- 1 | diff -u --recursive gnupg-2.4.0/configure gnupg-2.4.0/configure 2 | --- gnupg-2.4.0/configure 2016-08-17 09:20:25.000000000 -0400 3 | +++ gnupg-2.4.0/configure 2018-01-20 16:55:14.502067084 -0500 4 | @@ -572,7 +572,7 @@ 5 | ac_clean_files= 6 | ac_config_libobj_dir=. 7 | LIBOBJS= 8 | -cross_compiling=no 9 | +cross_compiling=yes 10 | subdirs= 11 | MFLAGS= 12 | MAKEFLAGS= 13 | --- gnupg-2.4.0/common/ttyio.c.orig 2023-03-24 02:37:40.384435064 +0100 14 | +++ gnupg-2.4.0/common/ttyio.c 2023-03-24 02:38:21.825961221 +0100 15 | @@ -186,7 +186,7 @@ 16 | SetConsoleMode (con.out, DEF_OUTMODE); 17 | 18 | #else /* Unix */ 19 | - ttyfp = batchmode? stderr : fopen (tty_get_ttyname (), "r+"); 20 | + ttyfp = stderr; 21 | if (!ttyfp) 22 | { 23 | log_error ("cannot open '%s': %s\n", tty_get_ttyname (), strerror(errno)); 24 | -------------------------------------------------------------------------------- /patches/libgpg-error-1.46.patch: -------------------------------------------------------------------------------- 1 | diff --git a/src/syscfg/lock-obj-pub.powerpc64le-unknown-linux-musl.h b/src/syscfg/lock-obj-pub.powerpc64le-unknown-linux-musl.h 2 | new file mode 100644 3 | index 0000000..635e6eb 4 | --- /dev/null 5 | +++ b/src/syscfg/lock-obj-pub.powerpc64le-unknown-linux-musl.h 6 | @@ -0,0 +1,25 @@ 7 | +## lock-obj-pub.powerpc64le-unknown-linux-musl.h 8 | +## File created by gen-posix-lock-obj - DO NOT EDIT 9 | +## To be included by mkheader into gpg-error.h 10 | + 11 | +typedef struct 12 | +{ 13 | + long _vers; 14 | + union { 15 | + volatile char _priv[40]; 16 | + long _x_align; 17 | + long *_xp_align; 18 | + } u; 19 | +} gpgrt_lock_t; 20 | + 21 | +#define GPGRT_LOCK_INITIALIZER {1,{{0,0,0,0,0,0,0,0, \ 22 | + 0,0,0,0,0,0,0,0, \ 23 | + 0,0,0,0,0,0,0,0, \ 24 | + 0,0,0,0,0,0,0,0, \ 25 | + 0,0,0,0,0,0,0,0}}} 26 | +## 27 | +## Local Variables: 28 | +## mode: c 29 | +## buffer-read-only: t 30 | +## End: 31 | +## 32 | -------------------------------------------------------------------------------- /patches/linux-4.14.62/0001-fake-acpi.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/drivers/acpi/acpica/evxfevnt.c linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2 | --- ./clean/linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2018-02-07 15:51:28.786502597 -0500 4 | @@ -111,6 +111,8 @@ 5 | } 6 | 7 | ACPI_ERROR((AE_INFO, "Hardware did not enter ACPI mode")); 8 | +printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 9 | + return_ACPI_STATUS(AE_OK); 10 | return_ACPI_STATUS(AE_NO_HARDWARE_RESPONSE); 11 | } 12 | 13 | diff --recursive -u ./clean/linux-4.9.80/drivers/acpi/acpica/hwacpi.c linux-4.9.80/drivers/acpi/acpica/hwacpi.c 14 | --- ./clean/linux-4.9.80/drivers/acpi/acpica/hwacpi.c 2018-02-03 11:05:43.000000000 -0500 15 | +++ linux-4.9.80/drivers/acpi/acpica/hwacpi.c 2018-02-07 15:51:35.126557868 -0500 16 | @@ -168,12 +168,16 @@ 17 | 18 | status = acpi_read_bit_register(ACPI_BITREG_SCI_ENABLE, &value); 19 | if (ACPI_FAILURE(status)) { 20 | +printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 21 | + return_UINT32(ACPI_SYS_MODE_ACPI); 22 | return_UINT32(ACPI_SYS_MODE_LEGACY); 23 | } 24 | 25 | if (value) { 26 | return_UINT32(ACPI_SYS_MODE_ACPI); 27 | } else { 28 | +//printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 29 | +// return_UINT32(ACPI_SYS_MODE_ACPI); 30 | return_UINT32(ACPI_SYS_MODE_LEGACY); 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /patches/linux-4.14.62/0002-nmi-squelch.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/arch/x86/kernel/nmi.c linux-4.9.80/arch/x86/kernel/nmi.c 2 | --- ./clean/linux-4.9.80/arch/x86/kernel/nmi.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/arch/x86/kernel/nmi.c 2018-02-07 18:56:10.475613884 -0500 4 | @@ -303,6 +303,8 @@ 5 | 6 | __this_cpu_add(nmi_stats.unknown, 1); 7 | 8 | +#if 0 9 | +// qemu generates these for some reason 10 | pr_emerg("Uhhuh. NMI received for unknown reason %02x on CPU %d.\n", 11 | reason, smp_processor_id()); 12 | 13 | @@ -311,6 +313,7 @@ 14 | nmi_panic(regs, "NMI: Not continuing"); 15 | 16 | pr_emerg("Dazed and confused, but trying to continue\n"); 17 | +#endif 18 | } 19 | NOKPROBE_SYMBOL(unknown_nmi_error); 20 | 21 | -------------------------------------------------------------------------------- /patches/linux-4.14.62/0003-fake-trampoline.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/arch/x86/realmode/init.c linux-4.9.80/arch/x86/realmode/init.c 2 | --- ./clean/linux-4.9.80/arch/x86/realmode/init.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/arch/x86/realmode/init.c 2018-02-07 15:51:28.538500435 -0500 4 | @@ -35,8 +35,8 @@ 5 | /* Has to be under 1M so we can execute real-mode AP code. */ 6 | mem = memblock_find_in_range(0, 1<<20, size, PAGE_SIZE); 7 | if (!mem) { 8 | - pr_info("No sub-1M memory is available for the trampoline\n"); 9 | - return; 10 | + mem = 0x4000; 11 | + pr_info("No sub-1M memory is available for the trampoline, guessing %p\n", mem); 12 | } 13 | 14 | memblock_reserve(mem, size); 15 | @@ -138,7 +138,12 @@ 16 | static int __init init_real_mode(void) 17 | { 18 | if (!real_mode_header) 19 | - panic("Real mode trampoline was not allocated"); 20 | + { 21 | + // ignore for now 22 | + //panic("Real mode trampoline was not allocated"); 23 | + pr_warn("Real mode trampoline was not allocated"); 24 | + return 0; 25 | + } 26 | 27 | setup_real_mode(); 28 | set_real_mode_permissions(); 29 | -------------------------------------------------------------------------------- /patches/linux-4.14.62/0010-winterfell-ahci.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/drivers/ata/libahci.c linux-4.9.80/drivers/ata/libahci.c 2 | --- ./clean/linux-4.9.80/drivers/ata/libahci.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/drivers/ata/libahci.c 2018-02-07 18:02:32.526535910 -0500 4 | @@ -537,8 +537,12 @@ 5 | } 6 | 7 | /* fabricate port_map from cap.nr_ports for < AHCI 1.3 */ 8 | - if (!port_map && vers < 0x10300) { 9 | - port_map = (1 << ahci_nr_ports(cap)) - 1; 10 | + if (!port_map) { // && vers < 0x10300) { 11 | + printk("%s: saved_port=%02x\n", __func__, hpriv->saved_port_map); 12 | + writel(0x1, mmio + HOST_PORTS_IMPL); 13 | + port_map = readl(mmio + HOST_PORTS_IMPL); 14 | + 15 | + //port_map = (1 << ahci_nr_ports(cap)) - 1; 16 | dev_warn(dev, "forcing PORTS_IMPL to 0x%x\n", port_map); 17 | 18 | /* write the fixed up value to the PI register */ 19 | -------------------------------------------------------------------------------- /patches/linux-4.19.139/0001-fake-acpi.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/drivers/acpi/acpica/evxfevnt.c linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2 | --- ./clean/linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2018-02-07 15:51:28.786502597 -0500 4 | @@ -111,6 +111,8 @@ 5 | } 6 | 7 | ACPI_ERROR((AE_INFO, "Hardware did not enter ACPI mode")); 8 | +printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 9 | + return_ACPI_STATUS(AE_OK); 10 | return_ACPI_STATUS(AE_NO_HARDWARE_RESPONSE); 11 | } 12 | 13 | diff --recursive -u ./clean/linux-4.9.80/drivers/acpi/acpica/hwacpi.c linux-4.9.80/drivers/acpi/acpica/hwacpi.c 14 | --- ./clean/linux-4.9.80/drivers/acpi/acpica/hwacpi.c 2018-02-03 11:05:43.000000000 -0500 15 | +++ linux-4.9.80/drivers/acpi/acpica/hwacpi.c 2018-02-07 15:51:35.126557868 -0500 16 | @@ -168,12 +168,16 @@ 17 | 18 | status = acpi_read_bit_register(ACPI_BITREG_SCI_ENABLE, &value); 19 | if (ACPI_FAILURE(status)) { 20 | +printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 21 | + return_UINT32(ACPI_SYS_MODE_ACPI); 22 | return_UINT32(ACPI_SYS_MODE_LEGACY); 23 | } 24 | 25 | if (value) { 26 | return_UINT32(ACPI_SYS_MODE_ACPI); 27 | } else { 28 | +//printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 29 | +// return_UINT32(ACPI_SYS_MODE_ACPI); 30 | return_UINT32(ACPI_SYS_MODE_LEGACY); 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /patches/linux-4.19.139/0002-nmi-squelch.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/arch/x86/kernel/nmi.c linux-4.9.80/arch/x86/kernel/nmi.c 2 | --- ./clean/linux-4.9.80/arch/x86/kernel/nmi.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/arch/x86/kernel/nmi.c 2018-02-07 18:56:10.475613884 -0500 4 | @@ -303,6 +303,8 @@ 5 | 6 | __this_cpu_add(nmi_stats.unknown, 1); 7 | 8 | +#if 0 9 | +// qemu generates these for some reason 10 | pr_emerg("Uhhuh. NMI received for unknown reason %02x on CPU %d.\n", 11 | reason, smp_processor_id()); 12 | 13 | @@ -311,6 +313,7 @@ 14 | nmi_panic(regs, "NMI: Not continuing"); 15 | 16 | pr_emerg("Dazed and confused, but trying to continue\n"); 17 | +#endif 18 | } 19 | NOKPROBE_SYMBOL(unknown_nmi_error); 20 | 21 | -------------------------------------------------------------------------------- /patches/linux-4.19.139/0003-fake-trampoline.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/arch/x86/realmode/init.c linux-4.9.80/arch/x86/realmode/init.c 2 | --- ./clean/linux-4.9.80/arch/x86/realmode/init.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/arch/x86/realmode/init.c 2018-02-07 15:51:28.538500435 -0500 4 | @@ -35,8 +35,8 @@ 5 | /* Has to be under 1M so we can execute real-mode AP code. */ 6 | mem = memblock_find_in_range(0, 1<<20, size, PAGE_SIZE); 7 | if (!mem) { 8 | - pr_info("No sub-1M memory is available for the trampoline\n"); 9 | - return; 10 | + mem = 0x4000; 11 | + pr_info("No sub-1M memory is available for the trampoline, guessing %p\n", mem); 12 | } 13 | 14 | memblock_reserve(mem, size); 15 | @@ -138,7 +138,12 @@ 16 | static int __init init_real_mode(void) 17 | { 18 | if (!real_mode_header) 19 | - panic("Real mode trampoline was not allocated"); 20 | + { 21 | + // ignore for now 22 | + //panic("Real mode trampoline was not allocated"); 23 | + pr_warn("Real mode trampoline was not allocated"); 24 | + return 0; 25 | + } 26 | 27 | setup_real_mode(); 28 | set_real_mode_permissions(); 29 | -------------------------------------------------------------------------------- /patches/linux-4.19.139/0010-winterfell-ahci.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/drivers/ata/libahci.c linux-4.9.80/drivers/ata/libahci.c 2 | --- ./clean/linux-4.9.80/drivers/ata/libahci.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/drivers/ata/libahci.c 2018-02-07 18:02:32.526535910 -0500 4 | @@ -537,8 +537,12 @@ 5 | } 6 | 7 | /* fabricate port_map from cap.nr_ports for < AHCI 1.3 */ 8 | - if (!port_map && vers < 0x10300) { 9 | - port_map = (1 << ahci_nr_ports(cap)) - 1; 10 | + if (!port_map) { // && vers < 0x10300) { 11 | + printk("%s: saved_port=%02x\n", __func__, hpriv->saved_port_map); 12 | + writel(0x1, mmio + HOST_PORTS_IMPL); 13 | + port_map = readl(mmio + HOST_PORTS_IMPL); 14 | + 15 | + //port_map = (1 << ahci_nr_ports(cap)) - 1; 16 | dev_warn(dev, "forcing PORTS_IMPL to 0x%x\n", port_map); 17 | 18 | /* write the fixed up value to the PI register */ 19 | -------------------------------------------------------------------------------- /patches/linux-5.10.214/0001-fake-acpi.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/drivers/acpi/acpica/evxfevnt.c linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2 | --- ./clean/linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2018-02-07 15:51:28.786502597 -0500 4 | @@ -111,6 +111,8 @@ 5 | } 6 | 7 | ACPI_ERROR((AE_INFO, "Hardware did not enter ACPI mode")); 8 | +printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 9 | + return_ACPI_STATUS(AE_OK); 10 | return_ACPI_STATUS(AE_NO_HARDWARE_RESPONSE); 11 | } 12 | 13 | diff --recursive -u ./clean/linux-4.9.80/drivers/acpi/acpica/hwacpi.c linux-4.9.80/drivers/acpi/acpica/hwacpi.c 14 | --- ./clean/linux-4.9.80/drivers/acpi/acpica/hwacpi.c 2018-02-03 11:05:43.000000000 -0500 15 | +++ linux-4.9.80/drivers/acpi/acpica/hwacpi.c 2018-02-07 15:51:35.126557868 -0500 16 | @@ -168,12 +168,16 @@ 17 | 18 | status = acpi_read_bit_register(ACPI_BITREG_SCI_ENABLE, &value); 19 | if (ACPI_FAILURE(status)) { 20 | +printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 21 | + return_UINT32(ACPI_SYS_MODE_ACPI); 22 | return_UINT32(ACPI_SYS_MODE_LEGACY); 23 | } 24 | 25 | if (value) { 26 | return_UINT32(ACPI_SYS_MODE_ACPI); 27 | } else { 28 | +//printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 29 | +// return_UINT32(ACPI_SYS_MODE_ACPI); 30 | return_UINT32(ACPI_SYS_MODE_LEGACY); 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /patches/linux-5.10.214/0002-nmi-squelch.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/arch/x86/kernel/nmi.c linux-4.9.80/arch/x86/kernel/nmi.c 2 | --- ./clean/linux-4.9.80/arch/x86/kernel/nmi.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/arch/x86/kernel/nmi.c 2018-02-07 18:56:10.475613884 -0500 4 | @@ -303,6 +303,8 @@ 5 | 6 | __this_cpu_add(nmi_stats.unknown, 1); 7 | 8 | +#if 0 9 | +// qemu generates these for some reason 10 | pr_emerg("Uhhuh. NMI received for unknown reason %02x on CPU %d.\n", 11 | reason, smp_processor_id()); 12 | 13 | @@ -311,6 +313,7 @@ 14 | nmi_panic(regs, "NMI: Not continuing"); 15 | 16 | pr_emerg("Dazed and confused, but trying to continue\n"); 17 | +#endif 18 | } 19 | NOKPROBE_SYMBOL(unknown_nmi_error); 20 | 21 | -------------------------------------------------------------------------------- /patches/linux-5.10.214/0003-fake-trampoline.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/arch/x86/realmode/init.c linux-4.9.80/arch/x86/realmode/init.c 2 | --- ./clean/linux-4.9.80/arch/x86/realmode/init.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/arch/x86/realmode/init.c 2018-02-07 15:51:28.538500435 -0500 4 | @@ -35,8 +35,8 @@ 5 | /* Has to be under 1M so we can execute real-mode AP code. */ 6 | mem = memblock_find_in_range(0, 1<<20, size, PAGE_SIZE); 7 | if (!mem) { 8 | - pr_info("No sub-1M memory is available for the trampoline\n"); 9 | - return; 10 | + mem = 0x4000; 11 | + pr_info("No sub-1M memory is available for the trampoline, guessing %p\n", mem); 12 | } 13 | 14 | memblock_reserve(mem, size); 15 | @@ -138,7 +138,12 @@ 16 | static int __init init_real_mode(void) 17 | { 18 | if (!real_mode_header) 19 | - panic("Real mode trampoline was not allocated"); 20 | + { 21 | + // ignore for now 22 | + //panic("Real mode trampoline was not allocated"); 23 | + pr_warn("Real mode trampoline was not allocated"); 24 | + return 0; 25 | + } 26 | 27 | setup_real_mode(); 28 | set_real_mode_permissions(); 29 | -------------------------------------------------------------------------------- /patches/linux-5.10.214/0010-winterfell-ahci.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/drivers/ata/libahci.c linux-4.9.80/drivers/ata/libahci.c 2 | --- ./clean/linux-4.9.80/drivers/ata/libahci.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/drivers/ata/libahci.c 2018-02-07 18:02:32.526535910 -0500 4 | @@ -537,8 +537,12 @@ 5 | } 6 | 7 | /* fabricate port_map from cap.nr_ports for < AHCI 1.3 */ 8 | - if (!port_map && vers < 0x10300) { 9 | - port_map = (1 << ahci_nr_ports(cap)) - 1; 10 | + if (!port_map) { // && vers < 0x10300) { 11 | + printk("%s: saved_port=%02x\n", __func__, hpriv->saved_port_map); 12 | + writel(0x1, mmio + HOST_PORTS_IMPL); 13 | + port_map = readl(mmio + HOST_PORTS_IMPL); 14 | + 15 | + //port_map = (1 << ahci_nr_ports(cap)) - 1; 16 | dev_warn(dev, "forcing PORTS_IMPL to 0x%x\n", port_map); 17 | 18 | /* write the fixed up value to the PI register */ 19 | -------------------------------------------------------------------------------- /patches/linux-5.10.214/shebangs.patch: -------------------------------------------------------------------------------- 1 | diff --git a/scripts/check-sysctl-docs b/scripts/check-sysctl-docs 2 | index 8bcb9e26c7bc..90137319c50a 100755 3 | --- a/scripts/check-sysctl-docs 4 | +++ b/scripts/check-sysctl-docs 5 | @@ -1,4 +1,4 @@ 6 | -#!/usr/bin/gawk -f 7 | +#!/usr/bin/env -S gawk -f 8 | # SPDX-License-Identifier: GPL-2.0 9 | 10 | # Script to check sysctl documentation against source files 11 | diff --git a/scripts/ld-version.sh b/scripts/ld-version.sh 12 | index f2be0ff9a738..7a5b546ece16 100755 13 | --- a/scripts/ld-version.sh 14 | +++ b/scripts/ld-version.sh 15 | @@ -1,4 +1,4 @@ 16 | -#!/usr/bin/awk -f 17 | +#!/usr/bin/env -S awk -f 18 | # SPDX-License-Identifier: GPL-2.0 19 | # extract linker version number from stdin and turn into single number 20 | { 21 | diff --git a/scripts/parse-maintainers.pl b/scripts/parse-maintainers.pl 22 | index 2ca4eb3f190d..9515765158fa 100755 23 | --- a/scripts/parse-maintainers.pl 24 | +++ b/scripts/parse-maintainers.pl 25 | @@ -1,4 +1,4 @@ 26 | -#!/usr/bin/perl -w 27 | +#!/usr/bin/env -S perl -w 28 | # SPDX-License-Identifier: GPL-2.0 29 | 30 | use strict; 31 | diff --git a/scripts/ver_linux b/scripts/ver_linux 32 | index 0968a3070eff..345b92f71d2d 100755 33 | --- a/scripts/ver_linux 34 | +++ b/scripts/ver_linux 35 | @@ -1,4 +1,4 @@ 36 | -#!/usr/bin/awk -f 37 | +#!/usr/bin/env -S awk -f 38 | # SPDX-License-Identifier: GPL-2.0 39 | # Before running this script please ensure that your PATH is 40 | # typical as you use for compilation/installation. I use 41 | -------------------------------------------------------------------------------- /patches/linux-5.4.69/0001-fake-acpi.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/drivers/acpi/acpica/evxfevnt.c linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2 | --- ./clean/linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2018-02-07 15:51:28.786502597 -0500 4 | @@ -111,6 +111,8 @@ 5 | } 6 | 7 | ACPI_ERROR((AE_INFO, "Hardware did not enter ACPI mode")); 8 | +printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 9 | + return_ACPI_STATUS(AE_OK); 10 | return_ACPI_STATUS(AE_NO_HARDWARE_RESPONSE); 11 | } 12 | 13 | diff --recursive -u ./clean/linux-4.9.80/drivers/acpi/acpica/hwacpi.c linux-4.9.80/drivers/acpi/acpica/hwacpi.c 14 | --- ./clean/linux-4.9.80/drivers/acpi/acpica/hwacpi.c 2018-02-03 11:05:43.000000000 -0500 15 | +++ linux-4.9.80/drivers/acpi/acpica/hwacpi.c 2018-02-07 15:51:35.126557868 -0500 16 | @@ -168,12 +168,16 @@ 17 | 18 | status = acpi_read_bit_register(ACPI_BITREG_SCI_ENABLE, &value); 19 | if (ACPI_FAILURE(status)) { 20 | +printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 21 | + return_UINT32(ACPI_SYS_MODE_ACPI); 22 | return_UINT32(ACPI_SYS_MODE_LEGACY); 23 | } 24 | 25 | if (value) { 26 | return_UINT32(ACPI_SYS_MODE_ACPI); 27 | } else { 28 | +//printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 29 | +// return_UINT32(ACPI_SYS_MODE_ACPI); 30 | return_UINT32(ACPI_SYS_MODE_LEGACY); 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /patches/linux-5.4.69/0002-nmi-squelch.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/arch/x86/kernel/nmi.c linux-4.9.80/arch/x86/kernel/nmi.c 2 | --- ./clean/linux-4.9.80/arch/x86/kernel/nmi.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/arch/x86/kernel/nmi.c 2018-02-07 18:56:10.475613884 -0500 4 | @@ -303,6 +303,8 @@ 5 | 6 | __this_cpu_add(nmi_stats.unknown, 1); 7 | 8 | +#if 0 9 | +// qemu generates these for some reason 10 | pr_emerg("Uhhuh. NMI received for unknown reason %02x on CPU %d.\n", 11 | reason, smp_processor_id()); 12 | 13 | @@ -311,6 +313,7 @@ 14 | nmi_panic(regs, "NMI: Not continuing"); 15 | 16 | pr_emerg("Dazed and confused, but trying to continue\n"); 17 | +#endif 18 | } 19 | NOKPROBE_SYMBOL(unknown_nmi_error); 20 | 21 | -------------------------------------------------------------------------------- /patches/linux-5.4.69/0003-fake-trampoline.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/arch/x86/realmode/init.c linux-4.9.80/arch/x86/realmode/init.c 2 | --- ./clean/linux-4.9.80/arch/x86/realmode/init.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/arch/x86/realmode/init.c 2018-02-07 15:51:28.538500435 -0500 4 | @@ -35,8 +35,8 @@ 5 | /* Has to be under 1M so we can execute real-mode AP code. */ 6 | mem = memblock_find_in_range(0, 1<<20, size, PAGE_SIZE); 7 | if (!mem) { 8 | - pr_info("No sub-1M memory is available for the trampoline\n"); 9 | - return; 10 | + mem = 0x4000; 11 | + pr_info("No sub-1M memory is available for the trampoline, guessing %p\n", mem); 12 | } 13 | 14 | memblock_reserve(mem, size); 15 | @@ -138,7 +138,12 @@ 16 | static int __init init_real_mode(void) 17 | { 18 | if (!real_mode_header) 19 | - panic("Real mode trampoline was not allocated"); 20 | + { 21 | + // ignore for now 22 | + //panic("Real mode trampoline was not allocated"); 23 | + pr_warn("Real mode trampoline was not allocated"); 24 | + return 0; 25 | + } 26 | 27 | setup_real_mode(); 28 | set_real_mode_permissions(); 29 | -------------------------------------------------------------------------------- /patches/linux-5.4.69/0010-winterfell-ahci.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/drivers/ata/libahci.c linux-4.9.80/drivers/ata/libahci.c 2 | --- ./clean/linux-4.9.80/drivers/ata/libahci.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/drivers/ata/libahci.c 2018-02-07 18:02:32.526535910 -0500 4 | @@ -537,8 +537,12 @@ 5 | } 6 | 7 | /* fabricate port_map from cap.nr_ports for < AHCI 1.3 */ 8 | - if (!port_map && vers < 0x10300) { 9 | - port_map = (1 << ahci_nr_ports(cap)) - 1; 10 | + if (!port_map) { // && vers < 0x10300) { 11 | + printk("%s: saved_port=%02x\n", __func__, hpriv->saved_port_map); 12 | + writel(0x1, mmio + HOST_PORTS_IMPL); 13 | + port_map = readl(mmio + HOST_PORTS_IMPL); 14 | + 15 | + //port_map = (1 << ahci_nr_ports(cap)) - 1; 16 | dev_warn(dev, "forcing PORTS_IMPL to 0x%x\n", port_map); 17 | 18 | /* write the fixed up value to the PI register */ 19 | -------------------------------------------------------------------------------- /patches/linux-5.5-openpower/0001-xhci-Reset-controller-on-xhci-shutdown.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Raptor Engineering Development Team 3 | Date: Wed, 3 Apr 2019 10:58:35 +1030 4 | Subject: [xhci] Reset controller on xhci shutdown 5 | 6 | diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c 7 | index dbac0fa..30a4ea6 100644 8 | --- a/drivers/usb/host/xhci.c 9 | +++ b/drivers/usb/host/xhci.c 10 | @@ -784,6 +784,7 @@ void xhci_shutdown(struct usb_hcd *hcd) 11 | xhci_reset(xhci); 12 | spin_unlock_irq(&xhci->lock); 13 | 14 | + pci_reset_function_locked(to_pci_dev(hcd->self.sysdev)); 15 | xhci_cleanup_msix(xhci); 16 | 17 | xhci_dbg_trace(xhci, trace_xhci_dbg_init, 18 | -------------------------------------------------------------------------------- /patches/linux-5.5-openpower/0002-Release-OpenPower-kernel.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Joel Stanley 3 | Date: Wed, 3 Apr 2019 10:58:35 +1030 4 | Subject: [PATCH 2/2] Release OpenPower kernel 5 | 6 | Signed-off-by: Joel Stanley 7 | --- 8 | Makefile | 2 +- 9 | 1 file changed, 1 insertion(+), 1 deletion(-) 10 | 11 | diff --git a/Makefile b/Makefile 12 | index 63152c5ca136..d5bfc0358601 100644 13 | --- a/Makefile 14 | +++ b/Makefile 15 | @@ -2,7 +2,7 @@ 16 | VERSION = 5 17 | PATCHLEVEL = 5 18 | SUBLEVEL = 0 19 | -EXTRAVERSION = 20 | +EXTRAVERSION = -openpower1 21 | NAME = Kleptomaniac Octopus 22 | 23 | # *DOCUMENTATION* 24 | -------------------------------------------------------------------------------- /patches/linux-5.5-openpower/0005-Force-ASpeed-RAMDAC-palette-reset.patch: -------------------------------------------------------------------------------- 1 | From 33cb4510b70e7625636a4280e29081ce7cef69e9 Mon Sep 17 00:00:00 2001 2 | From: Raptor Engineering Development Team 3 | Date: Fri, 2 Feb 2018 07:37:41 -0600 4 | Subject: [PATCH] Force ASpeed RAMDAC palette reset 5 | 6 | --- 7 | drivers/gpu/drm/ast/ast_drv.c | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/drivers/gpu/drm/ast/ast_drv.c b/drivers/gpu/drm/ast/ast_drv.c 11 | index 8124eaa92ed3..c44797598760 100644 12 | --- a/drivers/gpu/drm/ast/ast_drv.c 13 | +++ b/drivers/gpu/drm/ast/ast_drv.c 14 | @@ -35,7 +35,7 @@ 15 | #include "ast_drv.h" 16 | 17 | int ast_modeset = -1; 18 | -int ast_resetpalette = -1; 19 | +int ast_resetpalette = 1; 20 | 21 | MODULE_PARM_DESC(modeset, "Disable/Enable modesetting"); 22 | MODULE_PARM_DESC(resetpalette, "Disable/Enable palette reset on load"); 23 | -- 24 | 2.15.1 25 | 26 | 27 | -------------------------------------------------------------------------------- /patches/linux-5.5-openpower/0009-Fix-build-with-gcc-10-and-up.patch: -------------------------------------------------------------------------------- 1 | GCC 10+ defaults to `-fno-common`, breaking build of dtc binary. 2 | 3 | Signed-off-by: Sergii Dmytruk 4 | 5 | diff --git a/scripts/dtc/Makefile b/scripts/dtc/Makefile 6 | index b5a5b1c..5c2f139 100644 7 | --- a/scripts/dtc/Makefile 8 | +++ b/scripts/dtc/Makefile 9 | @@ -11,6 +11,9 @@ dtc-objs += dtc-lexer.lex.o dtc-parser.tab.o 10 | # Source files need to get at the userspace version of libfdt_env.h to compile 11 | HOST_EXTRACFLAGS := -I $(srctree)/$(src)/libfdt 12 | 13 | +# Combine `yylloc` declarations from dtc-lexer.lex.o and dtc-parser.tab.o 14 | +HOST_EXTRACFLAGS += -fcommon 15 | + 16 | ifeq ($(shell pkg-config --exists yaml-0.1 2>/dev/null && echo yes),) 17 | ifneq ($(CHECK_DTBS),) 18 | $(error dtc needs libyaml for DT schema validation support. \ 19 | -------------------------------------------------------------------------------- /patches/linux-5.5-openpower/0010-arch-powerpc-Kconfig-enable-inclusion-of-drivers-fir.patch: -------------------------------------------------------------------------------- 1 | From c6b1bf6bb60a5a71e5e480e7e0c95c4bcde0198b Mon Sep 17 00:00:00 2001 2 | From: Krystian Hebel 3 | Date: Wed, 8 Mar 2023 13:53:10 +0100 4 | Subject: [PATCH] arch/powerpc/Kconfig: enable inclusion of drivers/firmware 5 | 6 | Signed-off-by: Krystian Hebel 7 | --- 8 | arch/powerpc/Kconfig | 2 ++ 9 | drivers/of/platform.c | 2 -- 10 | 2 files changed, 2 insertions(+), 2 deletions(-) 11 | 12 | diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig 13 | index e2a412113359..bf60c7bdbf88 100644 14 | --- a/arch/powerpc/Kconfig 15 | +++ b/arch/powerpc/Kconfig 16 | @@ -1269,3 +1269,5 @@ config PPC_LIB_RHEAP 17 | source "arch/powerpc/kvm/Kconfig" 18 | 19 | source "kernel/livepatch/Kconfig" 20 | + 21 | +source "drivers/firmware/Kconfig" 22 | diff --git a/drivers/of/platform.c b/drivers/of/platform.c 23 | index 3371e4a06248..c2bb08380ef7 100644 24 | --- a/drivers/of/platform.c 25 | +++ b/drivers/of/platform.c 26 | @@ -506,7 +506,6 @@ int of_platform_default_populate(struct device_node *root, 27 | } 28 | EXPORT_SYMBOL_GPL(of_platform_default_populate); 29 | 30 | -#ifndef CONFIG_PPC 31 | static const struct of_device_id reserved_mem_matches[] = { 32 | { .compatible = "qcom,rmtfs-mem" }, 33 | { .compatible = "qcom,cmd-db" }, 34 | @@ -550,7 +549,6 @@ static int __init of_platform_sync_state_init(void) 35 | return 0; 36 | } 37 | late_initcall_sync(of_platform_sync_state_init); 38 | -#endif 39 | 40 | int of_platform_device_destroy(struct device *dev, void *data) 41 | { 42 | -- 43 | 2.25.1 44 | 45 | -------------------------------------------------------------------------------- /patches/linux-6.1.8/0001-fake-acpi.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/drivers/acpi/acpica/evxfevnt.c linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2 | --- ./clean/linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/drivers/acpi/acpica/evxfevnt.c 2018-02-07 15:51:28.786502597 -0500 4 | @@ -111,6 +111,8 @@ 5 | } 6 | 7 | ACPI_ERROR((AE_INFO, "Hardware did not enter ACPI mode")); 8 | +printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 9 | + return_ACPI_STATUS(AE_OK); 10 | return_ACPI_STATUS(AE_NO_HARDWARE_RESPONSE); 11 | } 12 | 13 | diff --recursive -u ./clean/linux-4.9.80/drivers/acpi/acpica/hwacpi.c linux-4.9.80/drivers/acpi/acpica/hwacpi.c 14 | --- ./clean/linux-4.9.80/drivers/acpi/acpica/hwacpi.c 2018-02-03 11:05:43.000000000 -0500 15 | +++ linux-4.9.80/drivers/acpi/acpica/hwacpi.c 2018-02-07 15:51:35.126557868 -0500 16 | @@ -168,12 +168,16 @@ 17 | 18 | status = acpi_read_bit_register(ACPI_BITREG_SCI_ENABLE, &value); 19 | if (ACPI_FAILURE(status)) { 20 | +printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 21 | + return_UINT32(ACPI_SYS_MODE_ACPI); 22 | return_UINT32(ACPI_SYS_MODE_LEGACY); 23 | } 24 | 25 | if (value) { 26 | return_UINT32(ACPI_SYS_MODE_ACPI); 27 | } else { 28 | +//printk("%s:%d faking ACPI mode\n", __func__, __LINE__); 29 | +// return_UINT32(ACPI_SYS_MODE_ACPI); 30 | return_UINT32(ACPI_SYS_MODE_LEGACY); 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /patches/linux-6.1.8/0002-nmi-squelch.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/arch/x86/kernel/nmi.c linux-4.9.80/arch/x86/kernel/nmi.c 2 | --- ./clean/linux-4.9.80/arch/x86/kernel/nmi.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/arch/x86/kernel/nmi.c 2018-02-07 18:56:10.475613884 -0500 4 | @@ -303,6 +303,8 @@ 5 | 6 | __this_cpu_add(nmi_stats.unknown, 1); 7 | 8 | +#if 0 9 | +// qemu generates these for some reason 10 | pr_emerg("Uhhuh. NMI received for unknown reason %02x on CPU %d.\n", 11 | reason, smp_processor_id()); 12 | 13 | @@ -311,6 +313,7 @@ 14 | nmi_panic(regs, "NMI: Not continuing"); 15 | 16 | pr_emerg("Dazed and confused, but trying to continue\n"); 17 | +#endif 18 | } 19 | NOKPROBE_SYMBOL(unknown_nmi_error); 20 | 21 | -------------------------------------------------------------------------------- /patches/linux-6.1.8/0010-winterfell-ahci.patch: -------------------------------------------------------------------------------- 1 | diff --recursive -u ./clean/linux-4.9.80/drivers/ata/libahci.c linux-4.9.80/drivers/ata/libahci.c 2 | --- ./clean/linux-4.9.80/drivers/ata/libahci.c 2018-02-03 11:05:43.000000000 -0500 3 | +++ linux-4.9.80/drivers/ata/libahci.c 2018-02-07 18:02:32.526535910 -0500 4 | @@ -537,8 +537,12 @@ 5 | } 6 | 7 | /* fabricate port_map from cap.nr_ports for < AHCI 1.3 */ 8 | - if (!port_map && vers < 0x10300) { 9 | - port_map = (1 << ahci_nr_ports(cap)) - 1; 10 | + if (!port_map) { // && vers < 0x10300) { 11 | + printk("%s: saved_port=%02x\n", __func__, hpriv->saved_port_map); 12 | + writel(0x1, mmio + HOST_PORTS_IMPL); 13 | + port_map = readl(mmio + HOST_PORTS_IMPL); 14 | + 15 | + //port_map = (1 << ahci_nr_ports(cap)) - 1; 16 | dev_warn(dev, "forcing PORTS_IMPL to 0x%lx\n", port_map); 17 | 18 | /* write the fixed up value to the PI register */ 19 | -------------------------------------------------------------------------------- /patches/linux-6.6.16-openpower/0001-xhci-Reset-controller-on-xhci-shutdown.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Brian King 3 | Date: Wed, 25 Oct 2017 10:42:59 +1100 4 | Subject: [PATCH 1/2] xhci: Reset controller on xhci shutdown 5 | 6 | Fixes kexec boot. Without a hard reset, some USB chips will fail to 7 | initialize in a kexec booted kernel. 8 | 9 | Signed-off-by: Brian King 10 | Signed-off-by: Samuel Mendoza-Jonas 11 | Signed-off-by: Joel Stanley 12 | --- 13 | drivers/usb/host/xhci.c | 3 +++ 14 | 1 file changed, 3 insertions(+) 15 | 16 | diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c 17 | index 473b0b64dd57..ca0c642ce935 100644 18 | --- a/drivers/usb/host/xhci.c 19 | +++ b/drivers/usb/host/xhci.c 20 | @@ -812,6 +812,9 @@ void xhci_shutdown(struct usb_hcd *hcd) 21 | xhci_dbg_trace(xhci, trace_xhci_dbg_init, 22 | "xhci_shutdown completed - status = %x", 23 | readl(&xhci->op_regs->status)); 24 | + 25 | + /* TI XHCI controllers do not come back after kexec without this hack */ 26 | + pci_reset_function_locked(to_pci_dev(hcd->self.sysdev)); 27 | } 28 | EXPORT_SYMBOL_GPL(xhci_shutdown); 29 | 30 | -------------------------------------------------------------------------------- /patches/linux-6.6.16-openpower/0002-Release-OpenPower-kernel.patch: -------------------------------------------------------------------------------- 1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 2 | From: Joel Stanley 3 | Date: Thu, 15 Jul 2021 17:21:55 +0930 4 | Subject: [PATCH 2/2] Release OpenPower kernel 5 | 6 | Signed-off-by: Joel Stanley 7 | --- 8 | Makefile | 2 +- 9 | 1 file changed, 1 insertion(+), 1 deletion(-) 10 | 11 | diff --git a/Makefile b/Makefile 12 | index 92accf2ddc08..18dcc81a67e4 100644 13 | --- a/Makefile 14 | +++ b/Makefile 15 | @@ -2,7 +2,7 @@ 16 | VERSION = 6 17 | PATCHLEVEL = 6 18 | SUBLEVEL = 16 19 | -EXTRAVERSION = 20 | +EXTRAVERSION = -openpower1 21 | NAME = Hurr durr I'ma ninja sloth 22 | 23 | # *DOCUMENTATION* 24 | -------------------------------------------------------------------------------- /patches/linux-6.6.16-openpower/0004-Force-ASpeed-RAMDAC-palette-reset.patch: -------------------------------------------------------------------------------- 1 | From 33cb4510b70e7625636a4280e29081ce7cef69e9 Mon Sep 17 00:00:00 2001 2 | From: Raptor Engineering Development Team 3 | Date: Fri, 2 Feb 2018 07:37:41 -0600 4 | Subject: [PATCH] Force ASpeed RAMDAC palette reset 5 | 6 | --- 7 | drivers/gpu/drm/ast/ast_drv.c | 2 +- 8 | 1 file changed, 1 insertion(+), 1 deletion(-) 9 | 10 | diff --git a/drivers/gpu/drm/ast/ast_drv.c b/drivers/gpu/drm/ast/ast_drv.c 11 | index 8124eaa92ed3..c44797598760 100644 12 | --- a/drivers/gpu/drm/ast/ast_drv.c 13 | +++ b/drivers/gpu/drm/ast/ast_drv.c 14 | @@ -35,7 +35,7 @@ 15 | #include "ast_drv.h" 16 | 17 | static int ast_modeset = -1; 18 | -int ast_resetpalette = -1; 19 | +int ast_resetpalette = 1; 20 | 21 | MODULE_PARM_DESC(modeset, "Disable/Enable modesetting"); 22 | MODULE_PARM_DESC(resetpalette, "Disable/Enable palette reset on load"); 23 | -- 24 | 2.15.1 25 | 26 | 27 | -------------------------------------------------------------------------------- /patches/linux-6.6.16-openpower/0006-arch-powerpc-Kconfig-enable-inclusion-of-drivers-fir.patch: -------------------------------------------------------------------------------- 1 | From 6fca185285b3c355511885cdb4344a758550c9ba Mon Sep 17 00:00:00 2001 2 | From: Krystian Hebel 3 | Date: Wed, 8 Mar 2023 13:53:10 +0100 4 | Subject: [PATCH 6/7] arch/powerpc/Kconfig: enable inclusion of 5 | drivers/firmware 6 | 7 | Signed-off-by: Krystian Hebel 8 | --- 9 | arch/powerpc/Kconfig | 2 ++ 10 | 1 file changed, 2 insertions(+) 11 | 12 | diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig 13 | index 2fe51e0ad..76cfc1277 100644 14 | --- a/arch/powerpc/Kconfig 15 | +++ b/arch/powerpc/Kconfig 16 | @@ -1309,3 +1309,5 @@ config PPC_LIB_RHEAP 17 | source "arch/powerpc/kvm/Kconfig" 18 | 19 | source "kernel/livepatch/Kconfig" 20 | + 21 | +source "drivers/firmware/Kconfig" 22 | -- 23 | 2.47.1 24 | 25 | -------------------------------------------------------------------------------- /patches/newt-0.52.24.patch: -------------------------------------------------------------------------------- 1 | --- ./listbox.c.orig 2023-10-11 15:26:20.365000000 -0400 2 | +++ ./listbox.c 2023-10-11 15:27:26.762000000 -0400 3 | @@ -652,7 +652,7 @@ 4 | for(i = 0, item = li->boxItems; item != NULL && 5 | i < li->currItem; i++, item = item->next); 6 | 7 | - if (item && item->text && (toupper(*item->text) == toupper(ev.u.key))) { 8 | + if (item && item->text && *item->text == ev.u.key) { 9 | item = item->next; 10 | i++; 11 | } else { 12 | @@ -660,7 +660,7 @@ 13 | i = 0; 14 | } 15 | while (item && item->text && 16 | - toupper(*item->text) != toupper(ev.u.key)) { 17 | + *item->text != ev.u.key) { 18 | item = item->next; 19 | i++; 20 | } 21 | -------------------------------------------------------------------------------- /patches/openssl-3.0.8.patch: -------------------------------------------------------------------------------- 1 | --- ./util/mkbuildinf.pl.orig 2023-02-07 08:43:33.000000000 -0500 2 | +++ ./util/mkbuildinf.pl 2024-03-27 14:36:49.974651246 -0400 3 | @@ -12,7 +12,7 @@ 4 | my ($cflags, $platform) = @ARGV; 5 | $cflags = "compiler: $cflags"; 6 | 7 | -my $date = gmtime($ENV{'SOURCE_DATE_EPOCH'} || time()) . " UTC"; 8 | +my $date = gmtime($ENV{'SOURCE_DATE_EPOCH'} || '0') . " UTC"; 9 | 10 | print <<"END_OUTPUT"; 11 | /* 12 | @@ -36,21 +36,7 @@ 13 | * literal 14 | */ 15 | static const char compiler_flags[] = { 16 | -END_OUTPUT 17 | - 18 | -my $ctr = 0; 19 | -foreach my $c (split //, $cflags) { 20 | - $c =~ s|([\\'])|\\$1|; 21 | - # Max 16 characters per line 22 | - if (($ctr++ % 16) == 0) { 23 | - if ($ctr != 1) { 24 | - print "\n"; 25 | - } 26 | - print " "; 27 | - } 28 | - print "'$c',"; 29 | -} 30 | -print <<"END_OUTPUT"; 31 | -'\\0' 32 | + 'r','e','p','r','o','d','u','c','i','b','l','e',' ','b','u','i', 33 | + 'l','d','\\0' 34 | }; 35 | END_OUTPUT 36 | -------------------------------------------------------------------------------- /patches/pciutils-3.5.4.patch: -------------------------------------------------------------------------------- 1 | diff -u --recursive clean/pciutils-3.5.4/lib/types.h pciutils-3.5.4/lib/types.h 2 | --- clean/pciutils-3.5.4/lib/types.h 2017-02-24 15:22:04.000000000 -0500 3 | +++ pciutils-3.5.4/lib/types.h 2018-03-02 09:31:29.115000000 -0500 4 | @@ -8,6 +8,8 @@ 5 | 6 | #include 7 | 8 | +#define PCI_HAVE_STDINT_H 9 | + 10 | #ifndef PCI_HAVE_Uxx_TYPES 11 | 12 | #ifdef PCI_OS_WINDOWS 13 | -------------------------------------------------------------------------------- /patches/powerpc-utils-1.3.5.patch: -------------------------------------------------------------------------------- 1 | AC_FUNC_MALLOC somehow fails to find malloc(), so drop the check 2 | 3 | Weirdly, it doesn't fail configuration, but instead adds -Dmalloc=rpl_malloc 4 | and fails linking. 5 | 6 | diff --git a/configure.ac.orig b/configure.ac 7 | index a7be3ee95c..74aade323b 100644 8 | --- a/configure.ac 9 | +++ b/configure.ac 10 | @@ -33,7 +33,6 @@ AC_TYPE_UINT8_T 11 | # Checks for library functions. 12 | AC_FUNC_FORK 13 | AC_FUNC_LSTAT_FOLLOWS_SLASHED_SYMLINK 14 | -AC_FUNC_MALLOC 15 | AC_FUNC_MKTIME 16 | AC_CHECK_FUNCS([memset strchr strcspn strdup strerror strrchr strstr strtol strtoul strtoull gettimeofday]) 17 | 18 | -------------------------------------------------------------------------------- /patches/slang-2.3.3/unhardcode-ln-in-Makefile.patch: -------------------------------------------------------------------------------- 1 | diff --git a/src/Makefile.in b/src/Makefile.in 2 | index 7fe4dc2..38fe174 100644 3 | --- a/src/Makefile.in 4 | +++ b/src/Makefile.in 5 | @@ -75,7 +75,7 @@ RM = rm -f 6 | RM_R = rm -rf 7 | AR_CR = ar cr 8 | RMDIR = rmdir 9 | -LN = /bin/ln -sf 10 | +LN = ln -sf 11 | CP = cp 12 | @SET_MAKE@ 13 | #--------------------------------------------------------------------------- 14 | -------------------------------------------------------------------------------- /patches/tpm2-tools-5.6.patch: -------------------------------------------------------------------------------- 1 | --- ./bootstrap.orig 2023-11-08 02:19:36.000000000 -0500 2 | +++ ./bootstrap 2024-04-03 12:18:46.722995465 -0400 3 | @@ -5,7 +5,7 @@ 4 | 5 | # Generate a VERSION file that is included in the dist tarball to avoid needed git 6 | # when calling autoreconf in a release tarball. 7 | -git describe --tags --always --dirty > VERSION 8 | +#git describe --tags --always --dirty > VERSION 9 | 10 | # generate list of source files for use in Makefile.am 11 | # if you add new source files, you must run ./bootstrap again 12 | diff --git a/Makefile.am b/Makefile.am 13 | index 7132215..32e2193 100644 14 | --- a/Makefile.am 15 | +++ b/Makefile.am 16 | @@ -93,7 +93,7 @@ tss2_tools = \ 17 | 18 | # Bundle all the tools into a single program similar to busybox 19 | bin_PROGRAMS += tools/tpm2 20 | -tools_tpm2_LDADD = $(LDADD) $(CURL_LIBS) 21 | +tools_tpm2_LDADD = $(LDADD) 22 | tools_tpm2_CFLAGS = $(AM_CFLAGS) -DTPM2_TOOLS_MAX="$(words $(tpm2_tools))" 23 | tools_tpm2_SOURCES = \ 24 | tools/tpm2_tool.c \ 25 | @@ -127,7 +127,6 @@ tpm2_tools = \ 26 | tools/tpm2_encryptdecrypt.c \ 27 | tools/tpm2_evictcontrol.c \ 28 | tools/tpm2_flushcontext.c \ 29 | - tools/tpm2_getekcertificate.c \ 30 | tools/tpm2_getrandom.c \ 31 | tools/tpm2_gettime.c \ 32 | tools/tpm2_hash.c \ 33 | --- ./configure.ac.orig 2023-11-08 02:19:36.000000000 -0500 34 | +++ ./configure.ac 2024-04-02 12:05:00.270985575 -0400 35 | @@ -80,7 +80,6 @@ 36 | AC_CHECK_LIB(crypto, [EVP_sm4_cfb128], [ 37 | AC_DEFINE([HAVE_EVP_SM4_CFB], [1], [Support EVP_sm4_cfb in openssl])], 38 | []) 39 | -PKG_CHECK_MODULES([CURL], [libcurl]) 40 | 41 | # pretty print of devicepath if efivar library is present 42 | # auto detect if not specified via the --with-efivar option. 43 | -------------------------------------------------------------------------------- /patches/tpm2-tss-3.2.2.patch: -------------------------------------------------------------------------------- 1 | --- a/configure.ac 2022-05-21 14:40:59.686470575 +0800 2 | +++ b/configure.ac 2022-05-21 14:41:21.406671435 +0800 3 | @@ -488,17 +488,6 @@ AM_CONDITIONAL(SYSD_SYSUSERS, test "x$sy 4 | AC_CHECK_PROG(systemd_tmpfiles, systemd-tmpfiles, yes) 5 | AM_CONDITIONAL(SYSD_TMPFILES, test "x$systemd_tmpfiles" = "xyes") 6 | 7 | -# Check all tools used by make install 8 | -AS_IF([test "$HOSTOS" = "Linux"], 9 | - [ AC_CHECK_PROG(useradd, useradd, yes) 10 | - AC_CHECK_PROG(groupadd, groupadd, yes) 11 | - AC_CHECK_PROG(adduser, adduser, yes) 12 | - AC_CHECK_PROG(addgroup, addgroup, yes) 13 | - AS_IF([test "x$addgroup" != "xyes" && test "x$groupadd" != "xyes" ], 14 | - [AC_MSG_ERROR([addgroup or groupadd are needed.])]) 15 | - AS_IF([test "x$adduser" != "xyes" && test "x$useradd" != "xyes" ], 16 | - [AC_MSG_ERROR([adduser or useradd are needed.])])]) 17 | - 18 | AC_SUBST([PATH]) 19 | 20 | dnl --------- Doxy Gen ----------------------- 21 | -------------------------------------------------------------------------------- /targets/legacy_flash.mk: -------------------------------------------------------------------------------- 1 | # legacy-flash boards are "special" in that we need a 4MB top SPI flashable ROM. 2 | # This is enough to allow the board to boot into a minimal Heads and read the full Legacy 3 | # ROM from an external USB media. 4 | # 5 | # No tools outside of flashrom are provided here as you can see per activated modules above. 6 | # Everything Heads is now delegated to the Legacy ROM to be flashed 7 | # from xx30-flash ROMs. 8 | # 9 | # Instructions to mount USB thumb drive and flash legacy 12Mb image will be given on screen 10 | # per CONFIG_BOOTSCRIPT script above. 11 | # 12 | # Below, we just move produced ROM with a name appended with -top.rom for clarity. 13 | all: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom 14 | $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(board_build)/$(CB_OUTPUT_FILE) 15 | $(call do,MV 4MB top ROM,$@, mv $< $@) 16 | @sha256sum $@ 17 | -------------------------------------------------------------------------------- /targets/optiplex_blobs.mk: -------------------------------------------------------------------------------- 1 | # Targets for downloading optiplex 7010/9010 blobs: including ACM, SINIT and EC blobs 2 | 3 | REQUIRED_BLOBS := \ 4 | $(pwd)/blobs/xx30/IVB_BIOSAC_PRODUCTION.bin \ 5 | $(pwd)/blobs/xx30/SNB_IVB_SINIT_20190708_PW.bin \ 6 | $(pwd)/blobs/xx30/sch5545_ecfw.bin 7 | 8 | # Make the Coreboot build depend on the required blobs 9 | $(build)/coreboot-$(CONFIG_COREBOOT_VERSION)/$(BOARD)/.build: $(REQUIRED_BLOBS) 10 | 11 | # Rule to generate all required blobs 12 | $(REQUIRED_BLOBS): 13 | $(pwd)/blobs/xx30/optiplex_7010_9010.sh $(pwd)/blobs/xx30 14 | -------------------------------------------------------------------------------- /targets/ppc_tgz.mk: -------------------------------------------------------------------------------- 1 | OUTPUT_PREFIX := heads-$(BOARD)-$(HEADS_GIT_VERSION) 2 | BUNDLED_LINUX := $(OUTPUT_PREFIX)-zImage.bundled 3 | OUTPUT_FILES := $(CB_OUTPUT_FILE) $(CB_BOOTBLOCK_FILE) $(BUNDLED_LINUX) 4 | 5 | all: $(board_build)/$(BUNDLED_LINUX) 6 | $(board_build)/$(BUNDLED_LINUX): $(board_build)/zImage.bundled 7 | $(call do-copy,$<,$@) 8 | 9 | all: $(board_build)/$(OUTPUT_PREFIX).tgz 10 | $(board_build)/$(OUTPUT_PREFIX).tgz: \ 11 | $(addprefix $(board_build)/,$(OUTPUT_FILES)) 12 | rm -rf $(board_build)/pkg # cleanup in case directory exists 13 | mkdir $(board_build)/pkg 14 | cp $^ $(board_build)/pkg 15 | cd $(board_build)/pkg && sha256sum * > sha256sum.txt 16 | cd $(board_build)/pkg && tar zcf $@ * 17 | rm -r $(board_build)/pkg 18 | -------------------------------------------------------------------------------- /targets/split_8mb4mb.mk: -------------------------------------------------------------------------------- 1 | # Many Lenovo boards have two SPI flash chips, an 8 MB that holds the IFD, 2 | # the ME image and part of the coreboot image, and a 4 MB one that 3 | # has the rest of the coreboot and the reset vector. 4 | # 5 | # As a consequence, this replaces the need of having to flash a legacy-flash ROM 6 | # and expands available CBFS region (11.5Mb available CBFS space) 7 | # 8 | # When flashing via an external programmer it is easiest to have 9 | # two separate files for these pieces. 10 | all: bottom top 11 | 12 | bottom: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom 13 | 14 | $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom: $(board_build)/$(CB_OUTPUT_FILE) FORCE 15 | @rm -f $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom 16 | $(call do,DD 8MB,$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom,dd if=$< of=$@ bs=65536 count=128 skip=0 status=none) 17 | @sha256sum $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom | tee -a "$(HASHES)" 18 | @stat -c "%8s:%n" $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-bottom.rom | tee -a "$(SIZES)" 19 | 20 | top: $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom 21 | 22 | $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom: $(board_build)/$(CB_OUTPUT_FILE) FORCE 23 | @rm -f $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom 24 | $(call do,DD 4MB,$(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom,dd if=$< of=$@ bs=65536 count=64 skip=128 status=none) 25 | @sha256sum $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom | tee -a "$(HASHES)" 26 | @stat -c "%8s:%n" $(board_build)/heads-$(BOARD)-$(HEADS_GIT_VERSION)-top.rom | tee -a "$(SIZES)" 27 | 28 | FORCE: 29 | 30 | .PHONY: all bottom top FORCE 31 | -------------------------------------------------------------------------------- /targets/xx20_me_blobs.mk: -------------------------------------------------------------------------------- 1 | # Targets for downloading xx20 ME blob, neutering it down to BUP region and deactivating ME. 2 | 3 | # xx20 boards require of you initially call one of the following to habe gbe.bin ifd.bin and me.bin 4 | # - blobs/xx20/download_parse_me.sh 5 | # To download Lenovo update ME binary, neuter+deactivate ME, produce reduced IFD ME region and expended BIOS IFD region. 6 | 7 | # Make the Coreboot build depend on the following 3rd party blobs: 8 | $(build)/coreboot-$(CONFIG_COREBOOT_VERSION)/$(BOARD)/.build: \ 9 | $(pwd)/blobs/xx20/me.bin 10 | 11 | 12 | $(pwd)/blobs/xx20/me.bin: 13 | COREBOOT_DIR="$(build)/$(coreboot_base_dir)" \ 14 | $(pwd)/blobs/xx20/download_parse_me.sh 15 | 16 | -------------------------------------------------------------------------------- /targets/xx30_me_blobs.mk: -------------------------------------------------------------------------------- 1 | # Targets for downloading xx30 ME blob, neutering it down to BUP+ROMP region and deactivating ME. 2 | 3 | # xx30-*-maximized boards require of you initially call one of the 4 | # following to have gbe.bin ifd.bin and me.bin 5 | # - blobs/xx30/download_clean_me.sh 6 | # To download Lenovo original ME binary, neuter+deactivate ME, produce 7 | # reduced IFD ME region and expanded BIOS IFD region. 8 | # - blobs/xx30/extract.sh 9 | # To extract from backuped 8M (bottom SPI) ME binary, GBE and IFD blobs. 10 | 11 | # Make the Coreboot build depend on the following 3rd party blobs: 12 | $(build)/coreboot-$(CONFIG_COREBOOT_VERSION)/$(BOARD)/.build: \ 13 | $(pwd)/blobs/xx30/me.bin 14 | 15 | 16 | $(pwd)/blobs/xx30/me.bin: 17 | COREBOOT_DIR="$(build)/$(coreboot_base_dir)" \ 18 | $(pwd)/blobs/xx30/download_clean_me.sh $(pwd)/blobs/xx30 19 | -------------------------------------------------------------------------------- /targets/xx80_me_blobs.mk: -------------------------------------------------------------------------------- 1 | # Targets for downloading xx80 ME blob, neutering it and deactivating ME. 2 | # This also uses the deguard tool to bypass Intel Boot Guard exploiting CVE-2017-5705. 3 | # See https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00086.html 4 | 5 | # xx80-*-maximized boards require of you initially call one of the 6 | # following to have gbe.bin ifd.bin and me.bin 7 | # - blobs/xx80/download_clean_me_and_deguard.sh 8 | # To download Lenovo original ME binary, neuter+deactivate ME, produce 9 | # reduced IFD ME region and expanded BIOS IFD region. 10 | # Also creates the tb.bin blob to flash the Thunderbolt SPI. 11 | 12 | # Make the Coreboot build depend on the following 3rd party blobs: 13 | $(build)/coreboot-$(CONFIG_COREBOOT_VERSION)/$(BOARD)/.build: \ 14 | $(pwd)/blobs/xx80/me.bin $(pwd)/blobs/xx80/tb.bin $(build)/$(BOARD)/tb.bin 15 | 16 | $(pwd)/blobs/xx80/me.bin $(pwd)/blobs/xx80/tb.bin &: 17 | $(pwd)/blobs/xx80/download_clean_deguard_me_pad_tb.sh \ 18 | -m $(pwd)/blobs/utils/me_cleaner/me_cleaner.py $(pwd)/blobs/xx80 19 | 20 | $(build)/$(BOARD)/tb.bin: $(pwd)/blobs/xx80/tb.bin 21 | cp $(pwd)/blobs/xx80/tb.bin $(build)/$(BOARD) 22 | -------------------------------------------------------------------------------- /unmaintained_boards/UNMAINTAINED_p8z77-m_pro-tpm1-hotp-maximized/UNMAINTAINED_p8z77-m_pro-tpm1-hotp-maximized.config: -------------------------------------------------------------------------------- 1 | # Inherit the rest from the base Asus P8Z77-M Pro config. 2 | include $(pwd)/boards/UNTESTED_p8z77-m_pro-tpm1-maximized/UNTESTED_p8z77-m_pro-tpm1-maximized.config 3 | 4 | CONFIG_HOTPKEY=y 5 | export CONFIG_AUTO_BOOT_TIMEOUT=5 6 | 7 | export CONFIG_BOARD_NAME="P8Z77-M PRO-HOTP" 8 | -------------------------------------------------------------------------------- /unmaintained_boards/UNMAINTAINED_qemu-linuxboot/UNMAINTAINED_qemu-linuxboot.config: -------------------------------------------------------------------------------- 1 | # Configuration for emulating LinuxBoot+Heads with qemu 2 | # 3 | export CONFIG_LINUXBOOT=y 4 | export CONFIG_LINUX_VERSION=4.14.62 5 | 6 | CONFIG_LINUXBOOT_BOARD=qemu 7 | CONFIG_LINUX_CONFIG=config/linux-linuxboot.config 8 | 9 | ifeq "$(CONFIG_UROOT)" "y" 10 | CONFIG_BUSYBOX=n 11 | else 12 | CONFIG_CRYPTSETUP=y 13 | CONFIG_LVM2=y 14 | CONFIG_MBEDTLS=y 15 | CONFIG_PCIUTILS=y 16 | CONFIG_POPT=y 17 | CONFIG_QRENCODE=y 18 | CONFIG_TPMTOTP=y 19 | endif 20 | 21 | CONFIG_FLASHPROG=y 22 | CONFIG_FLASHTOOLS=y 23 | CONFIG_GPG2=y 24 | CONFIG_KEXEC=y 25 | CONFIG_UTIL_LINUX=y 26 | CONFIG_DROPBEAR=y 27 | #CONFIG_FROTZ=y 28 | 29 | CONFIG_LINUX_USB=y 30 | CONFIG_LINUX_E1000=y 31 | CONFIG_LINUX_SCSI_GDTH=y 32 | CONFIG_LINUX_ATA=y 33 | CONFIG_LINUX_AHCI=y 34 | 35 | export CONFIG_BOOTSCRIPT=/bin/generic-init 36 | export CONFIG_BOOTSCRIPT_NETWORK=/bin/network-init-recovery 37 | 38 | export CONFIG_BOOT_REQ_HASH=n 39 | export CONFIG_BOOT_REQ_ROLLBACK=n 40 | export CONFIG_BOOT_STATIC_IP=10.0.2.15 41 | 42 | # You can ssh into the qemu instance by running 43 | # ssh -p 5555 root@localhost 44 | # The LinuxBoot firmware should set its ip address to 10.0.2.15 45 | # or run udhcpc to get a qemu address 46 | 47 | run: 48 | qemu-system-x86_64 \ 49 | -machine q35,smm=on \ 50 | -global ICH9-LPC.disable_s3=1 \ 51 | -global driver=cfi.pflash01,property=secure,value=on \ 52 | -redir tcp:5555::22 \ 53 | --serial $(or $(SERIAL),/dev/tty) \ 54 | -drive if=pflash,format=raw,unit=0,file=$(board_build)/linuxboot.rom 55 | stty sane 56 | 57 | -------------------------------------------------------------------------------- /unmaintained_boards/UNMAINTAINED_t420/UNMAINTAINED_t420.config: -------------------------------------------------------------------------------- 1 | # Configuration for a t420 running Qubes 4.1 and other OS, X220 is identical to X230 on the Linux Side of things. 2 | export CONFIG_COREBOOT=y 3 | export CONFIG_COREBOOT_VERSION=4.22.01 4 | export CONFIG_LINUX_VERSION=6.1.8 5 | 6 | CONFIG_COREBOOT_CONFIG=config/coreboot-t420.config 7 | CONFIG_LINUX_CONFIG=config/linux-x230-legacy.config 8 | 9 | CONFIG_CRYPTSETUP2=y 10 | CONFIG_FLASHPROG=y 11 | CONFIG_FLASHTOOLS=y 12 | CONFIG_GPG2=y 13 | CONFIG_KEXEC=y 14 | CONFIG_UTIL_LINUX=y 15 | CONFIG_LVM2=y 16 | CONFIG_MBEDTLS=y 17 | CONFIG_PCIUTILS=y 18 | CONFIG_POPT=y 19 | CONFIG_QRENCODE=y 20 | CONFIG_TPMTOTP=y 21 | CONFIG_DROPBEAR=n 22 | 23 | CONFIG_CAIRO=y 24 | CONFIG_FBWHIPTAIL=y 25 | 26 | CONFIG_LINUX_USB=y 27 | CONFIG_LINUX_E1000E=y 28 | 29 | export CONFIG_TPM=y 30 | export CONFIG_BOOTSCRIPT=/bin/gui-init 31 | export CONFIG_BOOT_REQ_HASH=n 32 | export CONFIG_BOOT_REQ_ROLLBACK=n 33 | export CONFIG_BOOT_KERNEL_ADD="" 34 | export CONFIG_BOOT_KERNEL_REMOVE="intel_iommu=on intel_iommu=igfx_off" 35 | export CONFIG_BOARD_NAME="ThinkPad T420" 36 | export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal:ich_spi_mode=hwseq --ifd --image bios" 37 | -------------------------------------------------------------------------------- /unmaintained_boards/UNMAINTAINED_t430-legacy-flash/UNMAINTAINED_t430-legacy-flash.config: -------------------------------------------------------------------------------- 1 | # Minimal configuration for a t430 to support flashrom and USB 2 | # This top SPI flash image needed to flash legacy board counterpart internally 3 | # This image can be flashed through 1vyrain and skulls 4 | # IDEALLY you should flash maximized top and bottom rom images exteranlly once instead. 5 | 6 | export CONFIG_COREBOOT=y 7 | export CONFIG_COREBOOT_VERSION=4.22.01 8 | export CONFIG_LINUX_VERSION=6.1.8 9 | 10 | CONFIG_COREBOOT_CONFIG=config/coreboot-x230-legacy-flash.config 11 | CONFIG_LINUX_CONFIG=config/linux-x230-flash.config 12 | 13 | #Add bare minimal tools for flashing boards 14 | CONFIG_BASH=n 15 | CONFIG_FLASHPROG=y 16 | CONFIG_ZSTD=n 17 | #CONFIG_GPG=y 18 | #CONFIG_FLASHTOOLS=y 19 | CONFIG_PCIUTILS=y 20 | #CONFIG_MBEDTLS=y 21 | #CONFIG_QRENCODE=y 22 | #CONFIG_TPMTOTP=y 23 | #CONFIG_DROPBEAR=y 24 | 25 | #Additional hardware support 26 | CONFIG_LINUX_USB=y 27 | #CONFIG_LINUX_E1000E=y 28 | 29 | export CONFIG_BOOTSCRIPT=/bin/xx30-flash.init 30 | export CONFIG_BOARD_NAME="ThinkPad T430-legacy-flash" 31 | export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal --ifd --image bios" 32 | 33 | CONFIG_LEGACY_FLASH=y 34 | 35 | BOARD_TARGETS := legacy_flash 36 | -------------------------------------------------------------------------------- /unmaintained_boards/UNMAINTAINED_x230-legacy-flash/UNMAINTAINED_x230-legacy-flash.config: -------------------------------------------------------------------------------- 1 | # Minimal configuration for a x230 to support flashrom and USB 2 | # This top SPI flash image needed to flash legacy board counterpart internally 3 | # This image can be flashed through 1vyrain and skulls 4 | # IDEALLY you should flash maximized top and bottom rom images exteranlly once instead. 5 | 6 | export CONFIG_COREBOOT=y 7 | export CONFIG_COREBOOT_VERSION=24.02.01 8 | export CONFIG_LINUX_VERSION=6.1.8 9 | 10 | CONFIG_COREBOOT_CONFIG=config/coreboot-UNMAINTAINED_x230-legacy-flash.config 11 | CONFIG_LINUX_CONFIG=config/linux-x230-flash.config 12 | 13 | #Add bare minimal tools for flashing boards 14 | CONFIG_BASH=n 15 | CONFIG_FLASHPROG=y 16 | CONFIG_ZSTD=n 17 | #CONFIG_GPG=y 18 | #CONFIG_FLASHTOOLS=y 19 | CONFIG_PCIUTILS=y 20 | #CONFIG_MBEDTLS=y 21 | #CONFIG_QRENCODE=y 22 | #CONFIG_TPMTOTP=y 23 | #CONFIG_DROPBEAR=y 24 | 25 | 26 | #Additional hardware support 27 | CONFIG_LINUX_USB=y 28 | #CONFIG_LINUX_E1000E=y 29 | 30 | export CONFIG_BOOTSCRIPT=/bin/xx30-flash.init 31 | export CONFIG_BOARD_NAME="ThinkPad X230-legacy-flash" 32 | export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal --ifd --image bios" 33 | 34 | CONFIG_LEGACY_FLASH=y 35 | 36 | BOARD_TARGETS := legacy_flash 37 | -------------------------------------------------------------------------------- /unmaintained_boards/UNTESTED_leopard/UNTESTED_leopard.config: -------------------------------------------------------------------------------- 1 | # Configuration for a Leopard OCP node 2 | # and it uses LinuxBoot, not coreboot. 3 | CONFIG_LINUXBOOT=y 4 | CONFIG_LINUXBOOT_ROM=blobs/leopard.rom 5 | CONFIG_LINUX_CONFIG=config/linux-linuxboot.config 6 | 7 | # If you want to build with the go-based u-root instead of Heads 8 | CONFIG_UROOT ?= n 9 | 10 | ifeq "$(CONFIG_UROOT)" "y" 11 | # The busybox will likely be redundant and can be trimmed for space. 12 | CONFIG_BUSYBOX=n 13 | CONFIG_ZLIB=n 14 | CONFIG_MUSL=n 15 | else 16 | # These don't fit if u-root is turned on 17 | #CONFIG_CRYPTSETUP=y 18 | #CONFIG_FLASHPROG=y 19 | CONFIG_FLASHTOOLS=y 20 | #CONFIG_GPG=y 21 | CONFIG_KEXEC=y 22 | CONFIG_UTIL_LINUX=y 23 | #CONFIG_LVM2=y 24 | #CONFIG_MBEDTLS=y 25 | CONFIG_PCIUTILS=y 26 | #CONFIG_POPT=y 27 | #CONFIG_QRENCODE=y 28 | #CONFIG_TPMTOTP=y 29 | CONFIG_DROPBEAR=y 30 | endif 31 | 32 | # Linux modules will still be linked into the u-root tree 33 | CONFIG_LINUX_USB=y 34 | #CONFIG_LINUX_MLX4=y 35 | #CONFIG_LINUX_ATA=y 36 | #CONFIG_LINUX_AHCI=y 37 | #CONFIG_LINUX_E1000E=y 38 | #CONFIG_LINUX_NVME=y 39 | 40 | export CONFIG_BOOTSCRIPT=/bin/generic-init 41 | export CONFIG_TPM=n 42 | export CONFIG_BOOT_REQ_HASH=n 43 | export CONFIG_BOOT_REQ_ROLLBACK=n 44 | 45 | $(board_build)/linuxboot.rom: linuxboot.intermediate 46 | 47 | -------------------------------------------------------------------------------- /unmaintained_boards/UNTESTED_r630/UNTESTED_r630.config: -------------------------------------------------------------------------------- 1 | # Configuration for a Dell R630 2 | # flashrom doesn't work on this mainboard 3 | # and it is NERF, not coreboot. 4 | CONFIG_LINUXBOOT=y 5 | CONFIG_LINUXBOOT_ROM=blobs/r630-1.3.6.rom 6 | CONFIG_LINUX_CONFIG=config/linux-linuxboot.config 7 | 8 | export CONFIG_LINUX_VERSION=4.14.62 9 | 10 | #CONFIG_CRYPTSETUP=y 11 | CONFIG_FLASHPROG=y 12 | #CONFIG_GPG=y 13 | CONFIG_KEXEC=y 14 | CONFIG_UTIL_LINUX=y 15 | #CONFIG_LVM2=y 16 | CONFIG_MBEDTLS=y 17 | CONFIG_PCIUTILS=y 18 | CONFIG_POPT=y 19 | CONFIG_QRENCODE=y 20 | CONFIG_TPMTOTP=y 21 | CONFIG_DROPBEAR=y 22 | 23 | CONFIG_LINUX_USB=y 24 | CONFIG_LINUX_IGB=y 25 | CONFIG_LINUX_MEGARAID=y 26 | CONFIG_LINUX_E1000E=y 27 | 28 | export CONFIG_BOOTSCRIPT=/bin/generic-init 29 | 30 | export CONFIG_BOOT_REQ_HASH=n 31 | export CONFIG_BOOT_REQ_ROLLBACK=n 32 | -------------------------------------------------------------------------------- /unmaintained_boards/UNTESTED_s2600wf/UNTESTED_s2600wf.config: -------------------------------------------------------------------------------- 1 | # Configuration for a Intel S2600wf server mainboard 2 | # and it is NERF, not coreboot. 3 | # 4 | # Booting with UEFI in recovery (0xFEC00000) potentially 5 | # gives us 7 MB of # space for Heads and NERF. However, 6 | # there appears to be a bug if the fvh spans a 4 MB 7 | # region. 8 | # 9 | # The DxeCore also needs to be updated to know about the 10 | # new firmware volume location. 11 | # 12 | CONFIG_LINUXBOOT=y 13 | CONFIG_LINUXBOOT_ROM=blobs/s2600wf.rom 14 | CONFIG_LINUX_CONFIG=config/linux-linuxboot.config 15 | 16 | export CONFIG_LINUX_VERSION=4.14.62 17 | 18 | #CONFIG_CRYPTSETUP=y 19 | #CONFIG_FLASHPROG=y 20 | CONFIG_FLASHTOOLS=y 21 | CONFIG_GPG=y 22 | CONFIG_KEXEC=y 23 | CONFIG_UTIL_LINUX=y 24 | #CONFIG_LVM2=y 25 | #CONFIG_MBEDTLS=y 26 | CONFIG_PCIUTILS=y 27 | #CONFIG_POPT=y 28 | #CONFIG_QRENCODE=y 29 | #CONFIG_TPMTOTP=y 30 | CONFIG_DROPBEAR=y 31 | 32 | CONFIG_LINUX_USB=y 33 | #CONFIG_LINUX_IGB=y 34 | #CONFIG_LINUX_MEGARAID=y 35 | #CONFIG_LINUX_E1000E=y 36 | CONFIG_LINUX_SCSI_GDTH=y 37 | CONFIG_LINUX_ATA=y 38 | CONFIG_LINUX_AHCI=y 39 | 40 | export CONFIG_TPM=n 41 | export CONFIG_BOOTSCRIPT=/bin/generic-init 42 | export CONFIG_BOOT_REQ_HASH=n 43 | export CONFIG_BOOT_REQ_ROLLBACK=n 44 | -------------------------------------------------------------------------------- /unmaintained_boards/UNTESTED_tioga/UNTESTED_tioga.config: -------------------------------------------------------------------------------- 1 | # Configuration for a Tioga Pass (Wiwynn) OCP node 2 | # and it uses LinuxBoot, not coreboot. 3 | CONFIG_LINUXBOOT=y 4 | CONFIG_LINUXBOOT_ROM=blobs/tioga.rom 5 | CONFIG_LINUX_CONFIG=config/linux-linuxboot.config 6 | 7 | export CONFIG_LINUX_VERSION=4.14.62 8 | 9 | # If you want to build with the go-based u-root instead of Heads 10 | CONFIG_UROOT ?= n 11 | 12 | ifeq "$(CONFIG_UROOT)" "y" 13 | # The busybox will likely be redundant and can be trimmed for space. 14 | CONFIG_BUSYBOX=n 15 | CONFIG_ZLIB=n 16 | CONFIG_MUSL=n 17 | else 18 | # These don't fit if u-root is turned on 19 | #CONFIG_CRYPTSETUP=y 20 | #CONFIG_FLASHPROG=y 21 | CONFIG_FLASHTOOLS=y 22 | #CONFIG_GPG=y 23 | CONFIG_KEXEC=y 24 | CONFIG_UTIL_LINUX=y 25 | #CONFIG_LVM2=y 26 | CONFIG_MBEDTLS=y 27 | CONFIG_PCIUTILS=y 28 | CONFIG_POPT=y 29 | CONFIG_QRENCODE=y 30 | CONFIG_TPMTOTP=y 31 | CONFIG_DROPBEAR=y 32 | endif 33 | 34 | # Linux modules will still be linked into the u-root tree 35 | CONFIG_LINUX_USB=y 36 | #CONFIG_LINUX_MLX4=y 37 | #CONFIG_LINUX_ATA=y 38 | #CONFIG_LINUX_AHCI=y 39 | #CONFIG_LINUX_E1000E=y 40 | CONFIG_LINUX_NVME=y 41 | CONFIG_LINUX_BCM=y 42 | 43 | export CONFIG_BOOTSCRIPT=/bin/generic-init 44 | export CONFIG_TPM=n 45 | export CONFIG_BOOT_REQ_HASH=n 46 | export CONFIG_BOOT_REQ_ROLLBACK=n 47 | 48 | $(board_build)/linuxboot.rom: linuxboot.intermediate 49 | 50 | -------------------------------------------------------------------------------- /unmaintained_boards/UNTESTED_winterfell/UNTESTED_winterfell.config: -------------------------------------------------------------------------------- 1 | # Configuration for a Winterfell OCP node 2 | # and it uses LinuxBoot, not coreboot. 3 | CONFIG_LINUXBOOT=y 4 | CONFIG_LINUXBOOT_ROM=blobs/winterfell.rom 5 | CONFIG_LINUX_CONFIG=config/linux-linuxboot.config 6 | 7 | export CONFIG_LINUX_VERSION=4.14.62 8 | 9 | # If you want to build with the go-based u-root instead of Heads 10 | CONFIG_UROOT ?= y 11 | 12 | ifeq "$(CONFIG_UROOT)" "y" 13 | # The busybox will likely be redundant and can be trimmed for space. 14 | CONFIG_BUSYBOX=n 15 | CONFIG_ZLIB=n 16 | CONFIG_MUSL=n 17 | else 18 | # These don't fit if u-root is turned on 19 | #CONFIG_CRYPTSETUP=y 20 | #CONFIG_FLASHPROG=y 21 | CONFIG_FLASHTOOLS=y 22 | CONFIG_GPG=y 23 | CONFIG_KEXEC=y 24 | CONFIG_UTIL_LINUX=y 25 | #CONFIG_LVM2=y 26 | #CONFIG_MBEDTLS=y 27 | CONFIG_PCIUTILS=y 28 | CONFIG_POPT=y 29 | #CONFIG_QRENCODE=y 30 | #CONFIG_TPMTOTP=y 31 | CONFIG_DROPBEAR=y 32 | endif 33 | 34 | # Linux modules will still be linked into the u-root tree 35 | CONFIG_LINUX_USB=y 36 | CONFIG_LINUX_MLX4=y 37 | CONFIG_LINUX_ATA=y 38 | CONFIG_LINUX_AHCI=y 39 | CONFIG_LINUX_E1000E=y 40 | CONFIG_LINUX_NVME=y 41 | 42 | export CONFIG_BOOTSCRIPT=/bin/generic-init 43 | export CONFIG_TPM=n 44 | export CONFIG_BOOT_REQ_HASH=n 45 | export CONFIG_BOOT_REQ_ROLLBACK=n 46 | 47 | #$(board_build)/linuxboot.rom: $(build)/$(linuxboot_dir)/ 48 | 49 | # No 0x on these since the flasher doesn't handle that 50 | dxe_offset := 860000 51 | dxe_size := 6a0000 52 | flash-dxe: $(board_build)/linuxboot.rom 53 | ( echo u$(dxe_offset) $(dxe_size) ; \ 54 | pv $(build)/linuxboot-git/build/$(BOARD)/dxe.vol \ 55 | ) > /dev/ttyACM0 56 | 57 | flash: $(board_build)/linuxboot.rom 58 | ( echo u0 1000000 ; \ 59 | pv $< \ 60 | ) > /dev/ttyACM0 61 | -------------------------------------------------------------------------------- /unmaintained_boards/UNTESTED_winterfell/uinit.go: -------------------------------------------------------------------------------- 1 | // Copyright 2012-2017 the u-root Authors. All rights reserved 2 | // Use of this source code is governed by a BSD-style 3 | // license that can be found in the LICENSE file. 4 | 5 | // This is winterfell init script 6 | package main 7 | 8 | import ( 9 | "log" 10 | "os" 11 | "os/exec" 12 | "strings" 13 | ) 14 | 15 | var ( 16 | commands = []string{ 17 | "/bbin/insmod /lib/modules/nvme-core.ko", 18 | "/bbin/insmod /lib/modules/nvme.ko", 19 | "/bbin/insmod /lib/modules/libata.ko", 20 | "/bbin/insmod /lib/modules/libahci.ko", 21 | "/bbin/insmod /lib/modules/ahci.ko", 22 | "/bbin/rsdp", 23 | } 24 | ) 25 | 26 | func main() { 27 | for _, line := range commands { 28 | log.Printf("Executing Command: %v", line) 29 | cmdSplit := strings.Split(line, " ") 30 | if len(cmdSplit) == 0 { 31 | continue 32 | } 33 | 34 | cmd := exec.Command(cmdSplit[0], cmdSplit[1:]...) 35 | cmd.Stdin = os.Stdin 36 | cmd.Stderr = os.Stderr 37 | cmd.Stdout = os.Stdout 38 | if err := cmd.Run(); err != nil { 39 | log.Print(err) 40 | } 41 | 42 | } 43 | log.Print("Uinit Done!") 44 | } 45 | -------------------------------------------------------------------------------- /unmaintained_boards/x230-legacy-flash/x230-legacy-flash.config: -------------------------------------------------------------------------------- 1 | # Minimal configuration for a x230 to support flashrom and USB 2 | # This top SPI flash image needed to flash legacy board counterpart internally 3 | # This image can be flashed through 1vyrain and skulls 4 | # IDEALLY you should flash maximized top and bottom rom images exteranlly once instead. 5 | 6 | export CONFIG_COREBOOT=y 7 | export CONFIG_COREBOOT_VERSION=24.02.01 8 | export CONFIG_LINUX_VERSION=5.10.5 9 | 10 | CONFIG_COREBOOT_CONFIG=config/coreboot-UNMAINTAINED_x230-legacy-flash.config 11 | CONFIG_LINUX_CONFIG=config/linux-x230-flash.config 12 | 13 | #Add bare minimal tools for flashing boards 14 | CONFIG_BASH=n 15 | CONFIG_FLASHPROG=y 16 | CONFIG_ZSTD=n 17 | #CONFIG_GPG=y 18 | #CONFIG_FLASHTOOLS=y 19 | CONFIG_PCIUTILS=y 20 | #CONFIG_MBEDTLS=y 21 | #CONFIG_QRENCODE=y 22 | #CONFIG_TPMTOTP=y 23 | #CONFIG_DROPBEAR=y 24 | 25 | 26 | #Additional hardware support 27 | CONFIG_LINUX_USB=y 28 | #CONFIG_LINUX_E1000E=y 29 | 30 | export CONFIG_BOOTSCRIPT=/bin/xx30-flash.init 31 | export CONFIG_BOARD_NAME="ThinkPad X230-legacy-flash" 32 | export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal --ifd --image bios" 33 | 34 | CONFIG_LEGACY_FLASH=y 35 | 36 | BOARD_TARGETS := legacy_flash 37 | --------------------------------------------------------------------------------