From 4e34cc097a87adf0affd2c775c31616f9a146565 Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Fri, 12 Apr 2024 13:56:41 -0400 Subject: [PATCH 1/8] ash_functions: move sleep 2 after all usb modules being loaded Otherwise we get ehci-pci and xhci_hcd kernel messages in dmesg debug AFTER "Verifying presence of GPG card" which explains why dongle might not be found in time and fails in oem-factory-reset Fixes https://github.com/Nitrokey/heads/issues/48 Signed-off-by: Thierry Laurion --- initrd/etc/ash_functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/initrd/etc/ash_functions b/initrd/etc/ash_functions index 078c3bdd2..f4e6cfb6a 100644 --- a/initrd/etc/ash_functions +++ b/initrd/etc/ash_functions @@ -347,8 +347,8 @@ enable_usb() if ! lsmod | grep -q xhci_pci; then insmod /lib/modules/xhci-pci.ko \ || die "xhci_pci: module load failed" - sleep 2 fi + sleep 2 if [ "$CONFIG_USB_KEYBOARD" = y ]; then if ! lsmod | grep -q usbhid; then From 3d611afb92a711dd240177be84bc3087b62c48c3 Mon Sep 17 00:00:00 2001 From: nestire Date: Tue, 21 May 2024 13:24:36 +0200 Subject: [PATCH 2/8] bump hotp version to 1.6 Signed-off-by: nestire --- modules/hotp-verification | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/hotp-verification b/modules/hotp-verification index 6085a7680..14957e74b 100644 --- a/modules/hotp-verification +++ b/modules/hotp-verification 
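Review bot: The `sleep 2` moved after the `fi` is still a fixed delay standing in for USB enumeration, so the later GPG-card / HOTP check can still race a slow hub or dongle, and it now runs unconditionally even on the path where `lsmod` already shows xhci_pci loaded and no insmod happened. A bounded poll would be more robust if the initrd has sysfs mounted — for example loop with a short sleep until a new entry appears under `/sys/bus/usb/devices` or a timeout expires — but that depends on what enable_usb's callers expect, so at minimum the intent should be recorded on the line: `# USB enumeration is asynchronous; give the HCD drivers time to settle before callers probe for the GPG card / HOTP dongle`. enable_usb() starts before and continues past this hunk.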
@@ -2,12 +2,12 @@ modules-$(CONFIG_HOTPKEY) += hotp-verification hotp-verification_depends := libusb $(musl_dep) -# v1.5 -hotp-verification_version := 70c04f51387eee8f777e943ba83b6405764a3cd2 +# v1.6 +hotp-verification_version := e9050e0c914e7a8ffef5d1c82a014e0e2bf79346 hotp-verification_dir := hotp-verification-$(hotp-verification_version) hotp-verification_tar := nitrokey-hotp-verification-$(hotp-verification_version).tar.gz hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(hotp-verification_version).tar.gz -hotp-verification_hash := 5244b6b514117f955a03be2363fd51567a125cb8dc904d1bd89351be27eb8bb3 +hotp-verification_hash := 480c978d3585eee73b9aa5186b471d4caeeeeba411217e1544eef7cfd90312ac hotp-verification_target := \ $(MAKE_JOBS) \ From 7015e6e221d32bb5775e299746d8a3fa304faf45 Mon Sep 17 00:00:00 2001 From: nestire Date: Tue, 21 May 2024 13:34:00 +0200 Subject: [PATCH 3/8] extent hotp error message for nitrokeys Signed-off-by: nestire --- initrd/bin/seal-hotpkey | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/initrd/bin/seal-hotpkey b/initrd/bin/seal-hotpkey index 1abbf8b11..c70ddf89f 100755 --- a/initrd/bin/seal-hotpkey +++ b/initrd/bin/seal-hotpkey @@ -136,12 +136,16 @@ if [ "$admin_pin_status" -ne 0 ]; then if ! hotp_initialize "$admin_pin" $HOTP_SECRET $counter_value "$HOTPKEY_BRANDING" ; then # don't leak key on failure shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null - fatal_error "Setting HOTP secret failed" + if [ "$HOTPKEY_BRANDING" == "Nitrokey" ]; then + fatal_error "Setting HOTP secret failed, to reset nitrokey pin use: nitropy nk3 secrets reset or the Nitrokey App 2" + else + fatal_error "Setting HOTP secret failed" + fi fi fi else # remind user to change admin password - echo -e "\nWARNING: default GPG admin PIN detected: please change this as soon as possible." + echo -e "\nWARNING: default admin PIN detected: please change this as soon as possible." fi # HOTP key no longer needed 
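Review bot: The new branch tests `[ "$HOTPKEY_BRANDING" == "Nitrokey" ]`, but these initrd scripts run under ash and the surrounding code uses the POSIX form (`[ "$admin_pin_status" -ne 0 ]` in this hunk, `[ "$CONFIG_USB_KEYBOARD" = y ]` in ash_functions), so it should be `if [ "$HOTPKEY_BRANDING" = "Nitrokey" ]; then` rather than relying on a busybox extension. The suggested remediation `nitropy nk3 secrets reset` is specific to the Nitrokey 3 and, as far as I know, wipes the whole secrets store rather than only the PIN, so if `HOTPKEY_BRANDING` is also `Nitrokey` for Pro/Storage devices the message should name the device it applies to and say it is destructive, e.g. `fatal_error "Setting HOTP secret failed. On a Nitrokey 3, reset the secrets app (this erases all stored secrets) with: nitropy nk3 secrets reset, or use the Nitrokey App 2"`. The enclosing `if [ "$admin_pin_status" -ne 0 ]` block starts before this hunk.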
From 0fb3886f48ec3e08b0c41c7340a1b41d57bac3fc Mon Sep 17 00:00:00 2001 From: Maciej Pijanowski Date: Thu, 20 Jun 2024 16:25:09 +0200 Subject: [PATCH 4/8] nitropad-nx: use standard shutdown/reboot commands This commit effectively reverts commits a1c13ff and 902866cc. There is no need for this special EC-based poweroff command. See more details in issue linked below. Fixes: https://github.com/Dasharo/dasharo-issues/issues/711 Signed-off-by: Maciej Pijanowski --- initrd/bin/nitropad-shutdown.sh | 36 --------------------------------- initrd/bin/poweroff | 5 ----- initrd/bin/reboot | 5 ----- 3 files changed, 46 deletions(-) delete mode 100755 initrd/bin/nitropad-shutdown.sh diff --git a/initrd/bin/nitropad-shutdown.sh b/initrd/bin/nitropad-shutdown.sh deleted file mode 100755 index e449bc311..000000000 --- a/initrd/bin/nitropad-shutdown.sh +++ /dev/null @@ -1,36 +0,0 @@ -#!/bin/ash - -# Method to access IT5570 IO Depth 2 registers -it5570_i2ec() { - # TODO: Use /dev/port instead of iotools - - # Address high byte - iotools io_write8 0x2e 0x2e - iotools io_write8 0x2f 0x11 - iotools io_write8 0x2e 0x2f - iotools io_write8 0x2f $(($2>>8 & 0xff)) - - # Address low byte - iotools io_write8 0x2e 0x2e - iotools io_write8 0x2f 0x10 - iotools io_write8 0x2e 0x2f - iotools io_write8 0x2f $(($2 & 0xff)) - - # Data - iotools io_write8 0x2e 0x2e - iotools io_write8 0x2f 0x12 - iotools io_write8 0x2e 0x2f - - case $1 in - "r") - iotools io_read8 0x2f - ;; - "w") - iotools io_write8 0x2f "$3" - ;; - esac -} - -# shut down using EC external watchdog reset -it5570_i2ec w 0x1f01 0x20 -it5570_i2ec w 0x1f07 0x01 diff --git a/initrd/bin/poweroff b/initrd/bin/poweroff index a27da23b8..ef4bdf863 100755 --- a/initrd/bin/poweroff +++ b/initrd/bin/poweroff 
@@ -8,11 +8,6 @@ if [ "$CONFIG_TPM" = "y" ]; then tpmr shutdown fi -# Run special EC-based poweroff for Nitropad-Nxx -if [ "$CONFIG_BOARD" = "nitropad-nv41" ] || [ "$CONFIG_BOARD" = "nitropad-ns50" ]; then - /bin/nitropad-shutdown.sh -fi - # Sync all mounted filesystems echo s > /proc/sysrq-trigger diff --git a/initrd/bin/reboot b/initrd/bin/reboot index 26255f12c..358931e9c 100755 --- a/initrd/bin/reboot +++ b/initrd/bin/reboot @@ -17,11 +17,6 @@ if [ "$CONFIG_TPM" = "y" ]; then tpmr shutdown fi -# Run special EC-based poweroff for Nitropad-Nxx -if [ "$CONFIG_BOARD" = "nitropad-nv41" ] || [ "$CONFIG_BOARD" = "nitropad-ns50" ]; then - /bin/nitropad-shutdown.sh -fi - # Sync all mounted filesystems echo s > /proc/sysrq-trigger From f49ec86d4b5b0239788872558b0c229b73c0524c Mon Sep 17 00:00:00 2001 From: Maciej Pijanowski Date: Thu, 20 Jun 2024 17:15:33 +0200 Subject: [PATCH 5/8] site-local/config: bump to v0.9.1 Signed-off-by: Maciej Pijanowski --- site-local/config | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/site-local/config b/site-local/config index 85a8b8e52..63462c01d 100644 --- a/site-local/config +++ b/site-local/config 
@@ -3,31 +3,31 @@ BRAND_NAME=Dasharo ifeq "nitropad-nv41" "$(BOARD)" export CONFIG_BOARD_NAME="NovaCustom NV4xPZ" -export CONFIG_COREBOOT_LOCALVERSION="\(coreboot+heads\) v0.9.0" +export CONFIG_COREBOOT_LOCALVERSION="\(coreboot+heads\) v0.9.1" export CONFIG_COREBOOT_SMBIOS_PRODUCT_NAME=NV4xPZ export CONFIG_COREBOOT_SMBIOS_MANUFACTURER=Notebook else ifeq "nitropad-ns50" "$(BOARD)" export CONFIG_BOARD_NAME="NovaCustom NS5x_NS7xPU" -export CONFIG_COREBOOT_LOCALVERSION="\(coreboot+heads\) v0.9.0" +export CONFIG_COREBOOT_LOCALVERSION="\(coreboot+heads\) v0.9.1" export CONFIG_COREBOOT_SMBIOS_PRODUCT_NAME=NS5x_NS7xPU export CONFIG_COREBOOT_SMBIOS_MANUFACTURER=Notebook else ifeq "msi_z690a_ddr4" "$(BOARD)" -export CONFIG_COREBOOT_LOCALVERSION="\(coreboot+heads\) v0.9.0" +export CONFIG_COREBOOT_LOCALVERSION="\(coreboot+heads\) v0.9.1" else ifeq "msi_z690a_ddr5" "$(BOARD)" -export CONFIG_COREBOOT_LOCALVERSION="\(coreboot+heads\) v0.9.0" +export CONFIG_COREBOOT_LOCALVERSION="\(coreboot+heads\) v0.9.1" else ifeq "msi_z790p_ddr4" "$(BOARD)" -export CONFIG_COREBOOT_LOCALVERSION="\(coreboot+heads\) v0.9.0" +export CONFIG_COREBOOT_LOCALVERSION="\(coreboot+heads\) v0.9.1" else ifeq "msi_z790p_ddr5" "$(BOARD)" -export CONFIG_COREBOOT_LOCALVERSION="\(coreboot+heads\) v0.9.0" +export CONFIG_COREBOOT_LOCALVERSION="\(coreboot+heads\) v0.9.1" endif From a9395cadf8cfb1cb8518a9a468b8a129923973fe Mon Sep 17 00:00:00 2001 From: Matthew Drobnak Date: Mon, 3 Jun 2024 16:07:08 -0600 Subject: [PATCH 6/8] 1692 Update text for TPM Primary Handle error with correct remediation steps. Signed-off-by: Matthew Drobnak --- initrd/bin/kexec-select-boot | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/initrd/bin/kexec-select-boot b/initrd/bin/kexec-select-boot index edf3abba7..d3c97b57e 100755 --- a/initrd/bin/kexec-select-boot +++ b/initrd/bin/kexec-select-boot 
@@ -69,7 +69,9 @@ if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then } else warn "Hash of TPM2 primary key handle does not exist" - warn "Please rebuild the boot hash tree" + warn "Please rebuild the TPM2 primary key handle by settings a default OS to boot." + warn "Select Options-> Boot Options -> Show OS Boot Menu -> -> Make default" + #TODO: Simplify/Automatize TPM2 firmware upgrade process. Today: upgrade, reboot, reseal(type TPM owner pass), resign, boot default_failed="y" DEBUG "Hash of TPM2 primary key handle does not exist under $PRIMHASH_FILE" fi From 7c3c3cf54409d534b7ba024a868a92b32c12ef19 Mon Sep 17 00:00:00 2001 From: Maciej Pijanowski Date: Fri, 21 Jun 2024 16:44:50 +0200 Subject: [PATCH 7/8] nitropad: drop iotools As discussed in: linuxboot#1704 there is no need to include iotools module for nitropads. Signed-off-by: Maciej Pijanowski --- boards/nitropad-ns50/nitropad-ns50.config | 2 -- boards/nitropad-nv41/nitropad-nv41.config | 2 -- 2 files changed, 4 deletions(-) diff --git a/boards/nitropad-ns50/nitropad-ns50.config b/boards/nitropad-ns50/nitropad-ns50.config index a9fcdc913..e7fbb8f1c 100644 --- a/boards/nitropad-ns50/nitropad-ns50.config +++ b/boards/nitropad-ns50/nitropad-ns50.config @@ -20,8 +20,6 @@ CONFIG_GPG2=y CONFIG_LVM2=y CONFIG_MBEDTLS=y -CONFIG_IOTOOLS=y - CONFIG_DROPBEAR=y CONFIG_MSRTOOLS=y diff --git a/boards/nitropad-nv41/nitropad-nv41.config b/boards/nitropad-nv41/nitropad-nv41.config index 7f6c17c15..472d51ff8 100644 --- a/boards/nitropad-nv41/nitropad-nv41.config +++ b/boards/nitropad-nv41/nitropad-nv41.config @@ -20,8 +20,6 @@ CONFIG_GPG2=y CONFIG_LVM2=y CONFIG_MBEDTLS=y -CONFIG_IOTOOLS=y - CONFIG_DROPBEAR=y CONFIG_MSRTOOLS=y From 0af24590538f43c17e1fcf56865a02fb07c9459e Mon Sep 17 00:00:00 2001 
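Review bot: The replacement `warn` text has a typo and an empty menu step, which matters because it is the only guidance the user gets when the default boot fails: `by settings a default OS` should read `by setting a default OS`, and `Show OS Boot Menu -> -> Make default` has nothing between the two arrows (presumably the OS entry to select). I would change the two lines to `warn "Please rebuild the TPM2 primary key handle by setting a default OS to boot."` and `warn "Select Options -> Boot Options -> Show OS Boot Menu -> <the OS to boot> -> Make default"`. The `#TODO` line is a maintainer note and reads better as `# TODO: simplify/automate the TPM2 firmware-upgrade flow (today: upgrade, reboot, reseal with TPM owner password, re-sign, boot)`. The enclosing `if [ "$CONFIG_TPM2_TOOLS" = "y" ]` / `else` / `fi` begins before this hunk.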
From: =?UTF-8?q?Micha=C5=82=20Kope=C4=87?= Date: Wed, 24 Apr 2024 10:53:13 +0200 Subject: [PATCH 8/8] config/coreboot-nitropad-n[v41,s50].config: disable power on AC MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: https://github.com/Dasharo/dasharo-issues/issues/783 Signed-off-by: Michał Kopeć --- config/coreboot-nitropad-ns50.config | 6 +++--- config/coreboot-nitropad-nv41.config | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/config/coreboot-nitropad-ns50.config b/config/coreboot-nitropad-ns50.config index 37740dd1c..809339396 100644 --- a/config/coreboot-nitropad-ns50.config +++ b/config/coreboot-nitropad-ns50.config @@ -214,10 +214,10 @@ CONFIG_COREBOOT_ROMSIZE_KB=32768 CONFIG_ROM_SIZE=0x02000000 CONFIG_HAVE_POWER_STATE_AFTER_FAILURE=y CONFIG_HAVE_POWER_STATE_PREVIOUS_AFTER_FAILURE=y -# CONFIG_POWER_STATE_OFF_AFTER_FAILURE is not set -CONFIG_POWER_STATE_ON_AFTER_FAILURE=y +CONFIG_POWER_STATE_OFF_AFTER_FAILURE=y +# CONFIG_POWER_STATE_ON_AFTER_FAILURE is not set # CONFIG_POWER_STATE_PREVIOUS_AFTER_FAILURE is not set -CONFIG_MAINBOARD_POWER_FAILURE_STATE=1 +CONFIG_MAINBOARD_POWER_FAILURE_STATE=0 # end of Mainboard CONFIG_SYSTEM_TYPE_LAPTOP=y diff --git a/config/coreboot-nitropad-nv41.config b/config/coreboot-nitropad-nv41.config index 43562ff57..68169478e 100644 --- a/config/coreboot-nitropad-nv41.config +++ b/config/coreboot-nitropad-nv41.config @@ -213,10 +213,10 @@ CONFIG_COREBOOT_ROMSIZE_KB=32768 CONFIG_ROM_SIZE=0x02000000 CONFIG_HAVE_POWER_STATE_AFTER_FAILURE=y CONFIG_HAVE_POWER_STATE_PREVIOUS_AFTER_FAILURE=y -# CONFIG_POWER_STATE_OFF_AFTER_FAILURE is not set -CONFIG_POWER_STATE_ON_AFTER_FAILURE=y +CONFIG_POWER_STATE_OFF_AFTER_FAILURE=y +#CONFIG_POWER_STATE_ON_AFTER_FAILURE is not set # CONFIG_POWER_STATE_PREVIOUS_AFTER_FAILURE is not set -CONFIG_MAINBOARD_POWER_FAILURE_STATE=1 +CONFIG_MAINBOARD_POWER_FAILURE_STATE=0 # end of Mainboard CONFIG_SYSTEM_TYPE_LAPTOP=y
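Review bot: In the nv41 hunk the line `#CONFIG_POWER_STATE_ON_AFTER_FAILURE is not set` is missing the space after `#`; Kconfig only recognises the `# CONFIG_FOO is not set` form, so this line is parsed as an ordinary comment and the file no longer matches the ns50 hunk, which uses the correct form. The choice is still resolved by `CONFIG_POWER_STATE_OFF_AFTER_FAILURE=y`, so the build will most likely land on the intended value, but a later olddefconfig/savedefconfig pass would rewrite the line and produce a spurious diff. Change it to `# CONFIG_POWER_STATE_ON_AFTER_FAILURE is not set`.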