From e177de63d02718a3bed6816fee075076c94181cd Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Fri, 28 Sep 2018 06:25:00 -0400 Subject: [PATCH 01/52] Enable verbose bootup debugging and ensure that the serial IO base port is configured --- config/linux-linuxboot.config | 2 +- patches/linux-4.14.62/0000-efi_bds.patch | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/config/linux-linuxboot.config b/config/linux-linuxboot.config index 1074b6ac5..3db4274b5 100644 --- a/config/linux-linuxboot.config +++ b/config/linux-linuxboot.config @@ -291,7 +291,7 @@ CONFIG_STACKTRACE=y # CONFIG_RCU_TRACE is not set # CONFIG_FTRACE is not set # CONFIG_STRICT_DEVMEM is not set -# CONFIG_X86_VERBOSE_BOOTUP is not set +CONFIG_X86_VERBOSE_BOOTUP=y # CONFIG_DOUBLEFAULT is not set CONFIG_IO_DELAY_0XED=y CONFIG_OPTIMIZE_INLINING=y diff --git a/patches/linux-4.14.62/0000-efi_bds.patch b/patches/linux-4.14.62/0000-efi_bds.patch index 5ffbf62bd..0d2d76ea3 100644 --- a/patches/linux-4.14.62/0000-efi_bds.patch +++ b/patches/linux-4.14.62/0000-efi_bds.patch @@ -43,3 +43,12 @@ diff -u --recursive ../../clean/linux-4.14.62/arch/x86/boot/compressed/eboot.c l return boot_params; fail2: +--- clean/linux-4.14.62/arch/x86/boot/compressed/early_serial_console.c 2018-08-09 12:16:40.000000000 +0200 ++++ linux-4.14.62/arch/x86/boot/compressed/early_serial_console.c 2018-09-28 11:59:36.824015244 +0200 +@@ -1,5 +1,5 @@ + #include "misc.h" + +-int early_serial_base; ++int early_serial_base = 0x3f8; + + #include "../early_serial_console.c" From 25113cb8c2f431bb0e0c038cbd2a306069159bcb Mon Sep 17 00:00:00 2001 From: Francis Lam Date: Sat, 10 Nov 2018 13:41:01 -0800 Subject: [PATCH 02/52] Fix coreboot build for kgpe-d16 --- modules/coreboot | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/coreboot b/modules/coreboot index 7081fe086..7c62b6f34 100644 --- a/modules/coreboot +++ b/modules/coreboot @@ -16,7 +16,7 @@ CONFIG_COREBOOT_CONFIG ?= config/coreboot-$(BOARD).config # Ensure that touching the config file will force a rebuild $(build)/$(coreboot_dir)/.configured: $(CONFIG_COREBOOT_CONFIG) -EXTRA_FLAGS := -fdebug-prefix-map=$(pwd)=heads -gno-record-gcc-switches +EXTRA_FLAGS := -fdebug-prefix-map=$(pwd)=heads -gno-record-gcc-switches -Wno-error=packed-not-aligned coreboot_configure := \ mkdir -p "$(build)/$(coreboot_dir)" \ From 7bc90cd8a202d476fbfbd1774af8604c2f8ef0c2 Mon Sep 17 00:00:00 2001 From: Martin Kepplinger Date: Thu, 23 May 2019 09:39:35 +0200 Subject: [PATCH 03/52] initrd: remove unused keylime-init Besides the fact that keylime-init uses a local network location for downloading something, it is unused. Remove dead code. Was is this anyways? --- initrd/etc/keylime-init | 17 ----------------- 1 file changed, 17 deletions(-) delete mode 100755 initrd/etc/keylime-init diff --git a/initrd/etc/keylime-init b/initrd/etc/keylime-init deleted file mode 100755 index e0974e960..000000000 --- a/initrd/etc/keylime-init +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/sh -# Bring up the x230's NIC, get a DHCP address and invoke keylime - -insmod /lib/modules/e1000e.ko -udhcpc -n - -cd / -wget-measure.sh 6 http://192.168.1.5/keylime.tar.gz -tar xf keylime.tar.gz - -if [ ! -x /keylime-node ]; then - echo '!!!! Keylime overlay not found?' - tpm extend -ix 4 -ic "recovery" - exec /bin/ash -fi - -exec /keylime-node From 5fa06316cfc125c29c6ec3fe07f234cab91dc8d4 Mon Sep 17 00:00:00 2001 From: MrChromebox Date: Mon, 30 Sep 2019 12:10:58 -0500 Subject: [PATCH 04/52] blobs/librem_skl: update get_blobs script update file hashes to match Purism fork --- blobs/librem_skl/get_blobs.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/blobs/librem_skl/get_blobs.sh b/blobs/librem_skl/get_blobs.sh index 02ffad77d..1bbb1003f 100755 --- a/blobs/librem_skl/get_blobs.sh +++ b/blobs/librem_skl/get_blobs.sh @@ -2,10 +2,11 @@ # depends on : wget sha256sum gunzip # Purism source -PURISM_SOURCE="https://source.puri.sm/coreboot/releases/raw/master" +RELEASES_GIT_HASH="ced905accd065df3de6561ee7278400f320f14f7" +PURISM_SOURCE="https://source.puri.sm/coreboot/releases/raw/${RELEASES_GIT_HASH}" # Librem 13 v2/v3 and Librem 15 v3 binary blob hashes -SKL_UCODE_SHA="9c84936df700d74612a99e6ab581640ecf423d25a0b74a1ea23a6d9872349213" +SKL_UCODE_SHA="6c6e420fe0490de51a504303d4c5d12ef8832ffb98a2d5327a9a07f05e62b01f" SKL_DESCRIPTOR_SHA="642ca36f52aabb5198b82e013bf64a73a5148693a58376fffce322a4d438b524" SKL_ME_SHA="cf06d3eb8b24490a1ab46fd988b6cef822e5347cd6a2e92bc332cb4a376eb8bc" SKL_FSPM_SHA="5da3ad7718eb3f6700fb9d97be988d9c8bdd2d8b5910273a80928c49122d5b2d" @@ -26,7 +27,7 @@ IFDTOOL_BIN="./ifdtool" COREBOOT_IMAGE="coreboot-l13v3.rom" COREBOOT_IMAGE_FILE="$COREBOOT_IMAGE.gz" COREBOOT_IMAGE_URL="$PURISM_SOURCE/librem_13v3/$COREBOOT_IMAGE_FILE" -COREBOOT_IMAGE_SHA="34276a7b82624cfb29aed688df7f2b4e747a9e951196e376732e972c8575ece6" +COREBOOT_IMAGE_SHA="f20b999457205f033bf122a436f906172bc53ff718034a32f931d9e1712a1033" die () { local msg=$1 @@ -121,4 +122,4 @@ rm -f $COREBOOT_IMAGE >/dev/null 2>&1 rm -f *.gz >/dev/null 2>&1 echo "" -echo "All blobs have been verified and are ready for use" \ No newline at end of file +echo "All blobs have been verified and are ready for use" From 71a2ddfb1e69772a418c4d919fa9d1d72f50232f Mon Sep 17 00:00:00 2001 From: MrChromebox Date: Mon, 30 Sep 2019 12:12:36 -0500 Subject: [PATCH 05/52] blobs/librem_kbl: update get_blobs script update file hashes to match Purism fork --- blobs/librem_kbl/get_blobs.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/blobs/librem_kbl/get_blobs.sh b/blobs/librem_kbl/get_blobs.sh index 7614119f1..dbf771f0a 100755 --- a/blobs/librem_kbl/get_blobs.sh +++ b/blobs/librem_kbl/get_blobs.sh @@ -2,10 +2,11 @@ # depends on : wget sha256sum gunzip # Purism source -PURISM_SOURCE="https://source.puri.sm/coreboot/releases/raw/master" +RELEASES_GIT_HASH="ced905accd065df3de6561ee7278400f320f14f7" +PURISM_SOURCE="https://source.puri.sm/coreboot/releases/raw/${RELEASES_GIT_HASH}" # Librem 13 v4 and Librem 15 v4 binary blob hashes -KBL_UCODE_SHA="a420274eecca369fcca465cc46725d61c0ae8ca2e18f201b1751faf9e081fb2e" +KBL_UCODE_SHA="0e3a06d8949a1d7df2c75b414765b98181766e3bd5bc7c317fad65bfcf7c276b" KBL_DESCRIPTOR_SHA="642ca36f52aabb5198b82e013bf64a73a5148693a58376fffce322a4d438b524" KBL_ME_SHA="0eec2e1135193941edd39d0ec0f463e353d0c6c9068867a2f32a72b64334fb34" KBL_FSPM_SHA="5da3ad7718eb3f6700fb9d97be988d9c8bdd2d8b5910273a80928c49122d5b2d" @@ -26,7 +27,7 @@ IFDTOOL_BIN="./ifdtool" COREBOOT_IMAGE="coreboot-l13v4.rom" COREBOOT_IMAGE_FILE="$COREBOOT_IMAGE.gz" COREBOOT_IMAGE_URL="$PURISM_SOURCE/librem_13v4/$COREBOOT_IMAGE_FILE" -COREBOOT_IMAGE_SHA="4491efd0a8b2de5a88fd7491a5d2605884ed956c3d271d7761906269b4cfb601" +COREBOOT_IMAGE_SHA="147b911aad362bc67084d1591950e22557ffaba056f42484b521aa48a617c5b0" die () { local msg=$1 @@ -121,4 +122,4 @@ rm -f $COREBOOT_IMAGE >/dev/null 2>&1 rm -f *.gz >/dev/null 2>&1 echo "" -echo "All blobs have been verified and are ready for use" \ No newline at end of file +echo "All blobs have been verified and are ready for use" From 4f0e7785824591c0e4463f459eff570904e09207 Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Tue, 29 Oct 2019 12:52:27 +0100 Subject: [PATCH 06/52] musl-cross: update patch for recent git commits (#617) Signed-off-by: Trammell hudson --- patches/musl-cross.patch | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/patches/musl-cross.patch b/patches/musl-cross.patch index 267c339a3..7161e6736 100644 --- a/patches/musl-cross.patch +++ b/patches/musl-cross.patch @@ -1,5 +1,5 @@ diff --git a/config.sh b/config.sh -index 4e321c9..6d9ea32 100644 +index ec3c1ce..844fb3d 100644 --- a/config.sh +++ b/config.sh @@ -1,13 +1,15 @@ @@ -20,7 +20,7 @@ index 4e321c9..6d9ea32 100644 # If you use arm, you may need more fine-tuning: # arm hardfloat v7 -@@ -20,7 +22,10 @@ CC_BASE_PREFIX=/opt/cross +@@ -20,11 +22,14 @@ CC_BASE_PREFIX=/opt/cross #GCC_BOOTSTRAP_CONFFLAGS="--with-arch=armv7-a --with-float=softfp" #GCC_CONFFLAGS="--with-arch=armv7-a --with-float=softfp" @@ -29,6 +29,10 @@ index 4e321c9..6d9ea32 100644 # Enable this to build the bootstrap gcc (thrown away) without optimization, to reduce build time GCC_STAGE1_NOOPT=1 -+ + +# Build GMP, MPFR and MPC +GCC_BUILTIN_PREREQS=yes ++ + # uncomment these to get smaller/stripped binaries + #export CFLAGS="-Os -g0 -s" + #export CXXFLAGS="-Os -g0" From 56aa508b8dd69915a94d237b52e6c428d95c7077 Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Tue, 29 Oct 2019 13:15:56 +0100 Subject: [PATCH 07/52] musl-cross: pin to a specific checkout (#617) Add `--strip 1` to tar file extraction in the `Makefile`, which ensures that the directory name in `build/` will match the one listed in `$($(MODULE)_dir)`. Signed-off-by: Trammell hudson --- Makefile | 7 ++++--- modules/musl-cross | 8 +++++--- .../{musl-cross.patch => musl-cross-81d563e.patch} | 12 ++++++++++++ 3 files changed, 21 insertions(+), 6 deletions(-) rename patches/{musl-cross.patch => musl-cross-81d563e.patch} (57%) diff --git a/Makefile b/Makefile index cc5cac6ad..21e38108b 100644 --- a/Makefile +++ b/Makefile @@ -264,9 +264,10 @@ define define_module = # Unpack the tar file and touch the canary so that we know # that the files are all present $(build)/$($1_base_dir)/.canary: $(packages)/.$1-$($1_version)_verify - tar -xf "$(packages)/$($1_tar)" -C "$(build)" + mkdir -p "$$(dir $$@)" + tar -xf "$(packages)/$($1_tar)" --strip 1 -C "$$(dir $$@)" if [ -r patches/$1-$($1_version).patch ]; then \ - ( cd $(build)/$($1_base_dir) ; patch -p1 ) \ + ( cd $$(dir $$@) ; patch -p1 ) \ < patches/$1-$($1_version).patch \ || exit 1 ; \ fi @@ -274,7 +275,7 @@ define define_module = [ -r patches/$1-$($1_version) ] ; then \ for patch in patches/$1-$($1_version)/*.patch ; do \ echo "Applying patch file : $$$$patch " ; \ - ( cd $(build)/$($1_base_dir) ; patch -p1 ) \ + ( cd $$(dir $$@) ; patch -p1 ) \ < $$$$patch \ || exit 1 ; \ done ; \ diff --git a/modules/musl-cross b/modules/musl-cross index 199731859..b15d670d6 100644 --- a/modules/musl-cross +++ b/modules/musl-cross @@ -23,9 +23,11 @@ else # Force a full build of the cross compiler modules-y += musl-cross -musl-cross_version := git -musl-cross_dir := musl-cross-$(musl-cross_version) -musl-cross_repo := https://github.com/GregorR/musl-cross +musl-cross_version := 81d563e +musl-cross_dir := musl-cross +musl-cross_url := https://github.com/GregorR/musl-cross/archive/$(musl-cross_version).tar.gz +musl-cross_tar := musl-cross-$(musl-cross_version).tar.gz +musl-cross_hash := 6362751b2442dc273c0889e5ef3ce6306a38b9c415cbe8cb4cfe3b8c6d776e96 CROSS_TOP := crossgcc/x86_64-linux-musl/bin/x86_64-musl-linux- CROSS := $(build)/../$(CROSS_TOP) diff --git a/patches/musl-cross.patch b/patches/musl-cross-81d563e.patch similarity index 57% rename from patches/musl-cross.patch rename to patches/musl-cross-81d563e.patch index 7161e6736..e7633b7ba 100644 --- a/patches/musl-cross.patch +++ b/patches/musl-cross-81d563e.patch @@ -36,3 +36,15 @@ index ec3c1ce..844fb3d 100644 # uncomment these to get smaller/stripped binaries #export CFLAGS="-Os -g0 -s" #export CXXFLAGS="-Os -g0" +--- /dev/null 2019-10-28 16:42:28.211999999 +0100 ++++ musl-cross/hashes/gmp-6.1.0.tar.bz2.sha256 2019-10-29 13:08:53.288687684 +0100 +@@ -0,0 +1 @@ ++498449a994efeba527885c10405993427995d3f86b8768d8cdf8d9dd7c6b73e8 gmp-6.1.0.tar.bz2 +--- /dev/null 2019-10-28 16:42:28.211999999 +0100 ++++ musl-cross/hashes/mpfr-3.1.4.tar.bz2.sha256 2019-10-29 13:08:53.292687684 +0100 +@@ -0,0 +1 @@ ++d3103a80cdad2407ed581f3618c4bed04e0c92d1cf771a65ead662cc397f7775 mpfr-3.1.4.tar.bz2 +--- /dev/null 2019-10-28 16:42:28.211999999 +0100 ++++ musl-cross/hashes/mpc-1.0.3.tar.gz.sha256 2019-10-29 13:08:53.296687684 +0100 +@@ -0,0 +1 @@ ++617decc6ea09889fb08ede330917a00b16809b8db88c29c31bfbb49cbf88ecc3 mpc-1.0.3.tar.gz From e5038e6adf9133a51c80b9699e552a68167db63b Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Tue, 29 Oct 2019 13:26:23 +0100 Subject: [PATCH 08/52] musl-cross: crossgcc binary changed names (#617) Signed-off-by: Trammell hudson --- modules/musl-cross | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/musl-cross b/modules/musl-cross index b15d670d6..f04a0799d 100644 --- a/modules/musl-cross +++ b/modules/musl-cross @@ -29,7 +29,7 @@ musl-cross_url := https://github.com/GregorR/musl-cross/archive/$(musl-cross_ver musl-cross_tar := musl-cross-$(musl-cross_version).tar.gz musl-cross_hash := 6362751b2442dc273c0889e5ef3ce6306a38b9c415cbe8cb4cfe3b8c6d776e96 -CROSS_TOP := crossgcc/x86_64-linux-musl/bin/x86_64-musl-linux- +CROSS_TOP := crossgcc/x86_64-linux-musl/bin/x86_64-linux-musl- CROSS := $(build)/../$(CROSS_TOP) musl-cross_output := ../../$(CROSS_TOP)gcc From 2980eb0522bfaf52f74ccbd33b564089e6abf933 Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Tue, 29 Oct 2019 13:36:04 +0100 Subject: [PATCH 09/52] pin msrtools and tpmtotp to current git heads Signed-off-by: Trammell hudson --- modules/msrtools | 11 ++++++----- modules/tpmtotp | 10 +++++----- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/modules/msrtools b/modules/msrtools index 9adfab0cb..6cfc30c2c 100644 --- a/modules/msrtools +++ b/modules/msrtools @@ -2,14 +2,15 @@ modules-$(CONFIG_MSRTOOLS) += msrtools msrtools_depends := $(musl_dep) -msrtools_version := git -msrtools_repo := https://github.com/osresearch/msr-tools +#msrtools_version := git +#msrtools_repo := https://github.com/osresearch/msr-tools -#msrtools_version := 1.3 +msrtools_version := 572ef8a msrtools_dir := msrtools-$(msrtools_version) msrtools_tar := msr-tools-$(msrtools_version).tar.gz -msrtools_url := https://github.com/intel/msr-tools/archive/msr-tools-$(msrtools_version).tar.gz -msrtools_hash := e8205aa3d19e536080f5974ed06ab9a88c4c3f37870c2f6a3a08a2f39302c22c +#msrtools_url := https://github.com/intel/msr-tools/archive/msr-tools-$(msrtools_version).tar.gz +msrtools_url := https://github.com/osresearch/msr-tools/archive/$(msrtools_version).tar.gz +msrtools_hash := 80554790d0a404205fe215c9ae8d2de159e980ec23821d636f201f12550e6ac0 msrtools_target := \ $(CROSS_TOOLS) \ diff --git a/modules/tpmtotp b/modules/tpmtotp index 792dd512c..6c870ca42 100644 --- a/modules/tpmtotp +++ b/modules/tpmtotp @@ -2,14 +2,14 @@ modules-$(CONFIG_TPMTOTP) += tpmtotp tpmtotp_depends := mbedtls qrencode $(musl_dep) -tpmtotp_version := git -tpmtotp_repo := https://github.com/osresearch/tpmtotp +#tpmtotp_version := git +#tpmtotp_repo := https://github.com/osresearch/tpmtotp -#tpmtotp_version := 0.3.0 +tpmtotp_version := 18b860f tpmtotp_dir := tpmtotp-$(tpmtotp_version) tpmtotp_tar := tpmtotp-$(tpmtotp_version).tar.gz -tpmtotp_url := https://github.com/osresearch/tpmtotp/archive/v$(tpmtotp_version).tar.gz -tpmtotp_hash := e8205aa3d19e536080f5974ed06ab9a88c4c3f37870c2f6a3a08a2f39302c22c +tpmtotp_url := https://github.com/osresearch/tpmtotp/archive/$(tpmtotp_version).tar.gz +tpmtotp_hash := 1082f2b0e4af833e04220dddedcc21a39eb39ee4dc5668bb010e7bcc795c606c tpmtotp_target := \ $(CROSS_TOOLS) \ From 5a4cb4acbbe4c28a8e8502db865eb8b440bc1222 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 13 Nov 2019 16:55:16 -0600 Subject: [PATCH 10/52] blobs/librem_*: update CPU microcode Update hashes for CPU microcde, git releases repo, precompiled images used for extraction Signed-off-by: Matt DeVillier --- blobs/librem_kbl/get_blobs.sh | 6 +++--- blobs/librem_skl/get_blobs.sh | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/blobs/librem_kbl/get_blobs.sh b/blobs/librem_kbl/get_blobs.sh index dbf771f0a..c7a13376b 100755 --- a/blobs/librem_kbl/get_blobs.sh +++ b/blobs/librem_kbl/get_blobs.sh @@ -2,11 +2,11 @@ # depends on : wget sha256sum gunzip # Purism source -RELEASES_GIT_HASH="ced905accd065df3de6561ee7278400f320f14f7" +RELEASES_GIT_HASH="631b4a4e9bf562768afc262647ef4ef4f4ffaebd" PURISM_SOURCE="https://source.puri.sm/coreboot/releases/raw/${RELEASES_GIT_HASH}" # Librem 13 v4 and Librem 15 v4 binary blob hashes -KBL_UCODE_SHA="0e3a06d8949a1d7df2c75b414765b98181766e3bd5bc7c317fad65bfcf7c276b" +KBL_UCODE_SHA="bb07f0f77abe08e553f85b99d18fa129f991bf3613cf73d77c4f0ece87dd251e" KBL_DESCRIPTOR_SHA="642ca36f52aabb5198b82e013bf64a73a5148693a58376fffce322a4d438b524" KBL_ME_SHA="0eec2e1135193941edd39d0ec0f463e353d0c6c9068867a2f32a72b64334fb34" KBL_FSPM_SHA="5da3ad7718eb3f6700fb9d97be988d9c8bdd2d8b5910273a80928c49122d5b2d" @@ -27,7 +27,7 @@ IFDTOOL_BIN="./ifdtool" COREBOOT_IMAGE="coreboot-l13v4.rom" COREBOOT_IMAGE_FILE="$COREBOOT_IMAGE.gz" COREBOOT_IMAGE_URL="$PURISM_SOURCE/librem_13v4/$COREBOOT_IMAGE_FILE" -COREBOOT_IMAGE_SHA="147b911aad362bc67084d1591950e22557ffaba056f42484b521aa48a617c5b0" +COREBOOT_IMAGE_SHA="93c86230c618f9f19c29672f15f431f516db9247fac95bb2eacbc0fa33ea1e6a" die () { local msg=$1 diff --git a/blobs/librem_skl/get_blobs.sh b/blobs/librem_skl/get_blobs.sh index 1bbb1003f..10482e811 100755 --- a/blobs/librem_skl/get_blobs.sh +++ b/blobs/librem_skl/get_blobs.sh @@ -2,11 +2,11 @@ # depends on : wget sha256sum gunzip # Purism source -RELEASES_GIT_HASH="ced905accd065df3de6561ee7278400f320f14f7" +RELEASES_GIT_HASH="631b4a4e9bf562768afc262647ef4ef4f4ffaebd" PURISM_SOURCE="https://source.puri.sm/coreboot/releases/raw/${RELEASES_GIT_HASH}" # Librem 13 v2/v3 and Librem 15 v3 binary blob hashes -SKL_UCODE_SHA="6c6e420fe0490de51a504303d4c5d12ef8832ffb98a2d5327a9a07f05e62b01f" +SKL_UCODE_SHA="e528d2ccc5d76cd04bfabb556a3fbb70b93d9aca43e291e0f0104fbaae5720fd" SKL_DESCRIPTOR_SHA="642ca36f52aabb5198b82e013bf64a73a5148693a58376fffce322a4d438b524" SKL_ME_SHA="cf06d3eb8b24490a1ab46fd988b6cef822e5347cd6a2e92bc332cb4a376eb8bc" SKL_FSPM_SHA="5da3ad7718eb3f6700fb9d97be988d9c8bdd2d8b5910273a80928c49122d5b2d" @@ -27,7 +27,7 @@ IFDTOOL_BIN="./ifdtool" COREBOOT_IMAGE="coreboot-l13v3.rom" COREBOOT_IMAGE_FILE="$COREBOOT_IMAGE.gz" COREBOOT_IMAGE_URL="$PURISM_SOURCE/librem_13v3/$COREBOOT_IMAGE_FILE" -COREBOOT_IMAGE_SHA="f20b999457205f033bf122a436f906172bc53ff718034a32f931d9e1712a1033" +COREBOOT_IMAGE_SHA="784d8c9e9e3cf11e99b7f8a473d0ec18738193b2b57bb7a37386b536dab84be2" die () { local msg=$1 From 0599ce97afc9f8b6141b83ec5acb338bb823280e Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Mon, 18 Nov 2019 11:13:27 -0600 Subject: [PATCH 11/52] config-gui: fix Save Config option when commit [928f003] config-gui: add 'Full Reset' option was added, the bottom end of the save config option was accidentally truncated; restore it to fix save config option Signed-off-by: Matt DeVillier --- initrd/bin/config-gui.sh | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh index ed31c478f..683738e0a 100755 --- a/initrd/bin/config-gui.sh +++ b/initrd/bin/config-gui.sh @@ -116,6 +116,16 @@ while true; do cbfs -o /tmp/config-gui.rom -d "heads/initrd/etc/config.user" fi cbfs -o /tmp/config-gui.rom -a "heads/initrd/etc/config.user" -f /etc/config.user + + if (whiptail --title 'Update ROM?' \ + --yesno "This will reflash your BIOS with the updated version\n\nDo you want to proceed?" 16 90) then + /bin/flash.sh /tmp/config-gui.rom + whiptail --title 'BIOS Updated Successfully' \ + --msgbox "BIOS updated successfully.\n\nIf your keys have changed, be sure to re-sign all files in /boot\nafter you reboot.\n\nPress Enter to reboot" 16 60 + /bin/reboot + else + exit 0 + fi ;; "r" ) # prompt for confirmation @@ -150,6 +160,8 @@ while true; do whiptail --title 'Configuration Reset Updated Successfully' \ --msgbox "Configuration reset and BIOS updated successfully.\n\nPress Enter to reboot" 16 60 /bin/reboot + else + exit 0 fi ;; esac From 5dc9b0b457bcbd4936697f256667931cdcf525fa Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 28 Aug 2019 21:47:45 -0500 Subject: [PATCH 12/52] config-gui: mount new /boot after selection Users may wish to temporarily boot an OS from a drive other than their primary boot drive, without changing the default and saving to ROM. Mounting /boot after changing the device selection facilitates this by allowing the user to then choose an unsafe boot from the newly-selected boot drive. Signed-off-by: Matt DeVillier --- initrd/bin/config-gui.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/initrd/bin/config-gui.sh b/initrd/bin/config-gui.sh index 683738e0a..74e8e7f98 100755 --- a/initrd/bin/config-gui.sh +++ b/initrd/bin/config-gui.sh @@ -101,6 +101,15 @@ while true; do replace_config /etc/config.user "CONFIG_BOOT_DEV" "$SELECTED_FILE" combine_configs + # mount newly selected /boot device + if ! ( umount /boot 2>/tmp/error && \ + mount -o ro $SELECTED_FILE /boot 2>/tmp/error ); then + ERROR=`cat /tmp/error` + whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: unable to mount /boot' \ + --msgbox "Unable to un/re-mount /boot:\n\n$ERROR" 16 60 + exit 1 + fi + whiptail --title 'Config change successful' \ --msgbox "The /boot device was successfully changed to $SELECTED_FILE" 16 60 ;; From c14c09b60216a0861538eaf024347010f466eb12 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 28 Aug 2019 10:47:53 -0500 Subject: [PATCH 13/52] flash-gui: clear boot signatures after flashing a cleaned ROM If the user chooses to flash a "cleaned" ROM (not persisting settings or GPG keys) then the signatures on /boot are no longer valid, so clear them out. This allows for the OEM factory reset prompt to be shown on the next boot. Signed-off-by: Matt DeVillier --- initrd/bin/flash-gui.sh | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/initrd/bin/flash-gui.sh b/initrd/bin/flash-gui.sh index 4105a9aea..dba97d405 100755 --- a/initrd/bin/flash-gui.sh +++ b/initrd/bin/flash-gui.sh @@ -71,7 +71,7 @@ file_selector() { while true; do unset menu_choice whiptail --clear --title "Firmware Management Menu" \ - --menu "Select the firmware function to perform\n\nRetaining settings copies existing settings to the new firmware:\n* Keeps your GPG keyring\n* Keeps changes to the default /boot device\n\nErasing settings uses the new firmware as-is:\n* Erases any existing GPG keyring\n* Restores firmware to default factory settings\n\nIf you are just updating your firmware, you probably want to retain\nyour settings." 20 90 10 \ + --menu "Select the firmware function to perform\n\nRetaining settings copies existing settings to the new firmware:\n* Keeps your GPG keyring\n* Keeps changes to the default /boot device\n\nErasing settings uses the new firmware as-is:\n* Erases any existing GPG keyring\n* Restores firmware to default factory settings\n* Clears out /boot signatures\n\nIf you are just updating your firmware, you probably want to retain\nyour settings." 20 90 10 \ 'f' ' Flash the firmware with a new ROM, retain settings' \ 'c' ' Flash the firmware with a new ROM, erase settings' \ 'x' ' Exit' \ @@ -100,6 +100,14 @@ while true; do --yesno "This will replace your old ROM with $ROM\n\nDo you want to proceed?" 16 90) then if [ "$menu_choice" == "c" ]; then /bin/flash.sh -c "$ROM" + # after flash, /boot signatures are now invalid so go ahead and clear them + if ls /boot/kexec* >/dev/null 2>&1 ; then + ( + mount -o remount,rw /boot 2>/dev/null + rm /boot/kexec* 2>/dev/null + mount -o remount,ro /boot 2>/dev/null + ) + fi else /bin/flash.sh "$ROM" fi From 018279b2bf6d30c0bd591e58ca1998647a7e530e Mon Sep 17 00:00:00 2001 From: Kyle Rankin Date: Thu, 7 Nov 2019 11:01:49 -0800 Subject: [PATCH 14/52] Add ability to enter custom password for OEM reset Normally we resort to default passwords for OEM reset, however we have a use case where it would be convenient to set a custom password instead. This patch adds a simple prompt (that defaults to the defaults if you hit Enter) that enables someone using the OEM reset to enter a single password that will replace the defaults (TPM, GPG Admin, GPG User). --- initrd/bin/oem-factory-reset | 48 +++++++++++++++++++++++++++++++++++- 1 file changed, 47 insertions(+), 1 deletion(-) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index e5138387a..1b40bcd22 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -18,6 +18,7 @@ WIDTH="220" USER_PIN_DEF=123456 ADMIN_PIN_DEF=12345678 TPM_PASS_DEF=12345678 +CUSTOM_PASS="" ## External files sourced @@ -85,6 +86,29 @@ gpg_key_reset() whiptail_error_die "GPG Key automatic keygen failed!\n\n$ERROR" fi } +gpg_key_change_pin() +{ + # 1 = user PIN, 3 = admin PIN + PIN_TYPE=$1 + PIN_ORIG=$2 + PIN_NEW=$3 + # Change PIN + { + echo admin + echo passwd + echo ${PIN_TYPE} + echo ${PIN_ORIG} + echo ${PIN_NEW} + echo ${PIN_NEW} + echo q + echo q + } | gpg --command-fd=0 --status-fd=2 --pinentry-mode=loopback --card-edit \ + > /tmp/gpg_card_edit_output 2>/dev/null + if [ $? -ne 0 ]; then + ERROR=`cat /tmp/gpg_card_edit_output` + whiptail_error_die "GPG Key PIN change failed!\n\n$ERROR" + fi +} generate_checksums() { @@ -130,7 +154,7 @@ generate_checksums() # sign kexec boot files if sha256sum $param_files 2>/dev/null | gpg \ --pinentry-mode loopback \ - --passphrase $USER_PIN_DEF \ + --passphrase "$USER_PIN_DEF" \ --digest-algo SHA256 \ --detach-sign \ -a \ @@ -217,6 +241,19 @@ if ! whiptail --yesno " exit 1 fi +# Prompt to change default passwords +echo -e -n "Would you like to set a custom password? [y/N]:" +read -n 1 prompt_output +echo +if [ "$prompt_output" == "y" \ + -o "$prompt_output" == "Y" ] \ +; then + echo -e -n "Enter the custom password: " + read CUSTOM_PASS + echo + TPM_PASS_DEF=$CUSTOM_PASS +fi + ## sanity check the USB, GPG key, and boot device before proceeding further # mount USB, then remount rw @@ -272,6 +309,15 @@ gpg --list-keys >/dev/null 2>&1 echo -e "\nResetting GPG Key...\n(this will take a minute or two)\n" gpg_key_reset +if [ "$CUSTOM_PASS" != "" ]; then + echo -e "\nChanging default GPG Admin PIN\n" + gpg_key_change_pin "3" "$ADMIN_PIN_DEF" "$CUSTOM_PASS" + echo -e "\nChanging default GPG User PIN\n" + gpg_key_change_pin "1" "$USER_PIN_DEF" "$CUSTOM_PASS" + USER_PIN_DEF=$CUSTOM_PASS + ADMIN_PIN_DEF=$CUSTOM_PASS +fi + ## export generated key to USB echo -e "\nExporting generated key to USB...\n" # parse name of generated key From 4d32b4adf841fff539da5cc8977af0937b565aec Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 13 Nov 2019 17:28:12 -0600 Subject: [PATCH 15/52] functions: fix handling of checksum update fail If kexec-sign-config fails due to GPG key not present, the double die() results in a kernel panic (and if it didn't, /boot would be left mounted RW). Fix this by removing call to die() and ensuring /boot remounted RO regardless checksum update success or failure. Signed-off-by: Matt DeVillier --- initrd/etc/functions | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/initrd/etc/functions b/initrd/etc/functions index 056c3e822..dc3b67651 100755 --- a/initrd/etc/functions +++ b/initrd/etc/functions @@ -287,8 +287,10 @@ update_checksums() if [ "$CONFIG_TPM" = "y" ]; then extparam=-u fi - kexec-sign-config -p /boot $extparam \ - || die "Failed to sign default config" + if ! kexec-sign-config -p /boot $extparam ; then + echo "Failed to sign default config; press Enter to continue." + read + fi # switch back to ro mode mount -o ro,remount /boot From 7998e96b98bfde7eb4a6911aaf5eb237ece86bef Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 13 Nov 2019 17:36:29 -0600 Subject: [PATCH 16/52] functions: check both grub/grub2 dirs for boot files Signed-off-by: Matt DeVillier --- initrd/etc/functions | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/initrd/etc/functions b/initrd/etc/functions index dc3b67651..2e8bd6a4b 100755 --- a/initrd/etc/functions +++ b/initrd/etc/functions @@ -305,10 +305,11 @@ detect_boot_device() # check $CONFIG_BOOT_DEV if set/valid if [ -e "$CONFIG_BOOT_DEV" ]; then - mount -o ro $CONFIG_BOOT_DEV /boot >/dev/null 2>&1 - if [[ $? && -d /boot/grub ]]; then - # CONFIG_BOOT_DEV is valid device and contains an installed OS - return 0 + if mount -o ro $CONFIG_BOOT_DEV /boot >/dev/null 2>&1; then + if ls -d /boot/grub* >/dev/null 2>&1; then + # CONFIG_BOOT_DEV is valid device and contains an installed OS + return 0 + fi fi fi @@ -330,10 +331,11 @@ detect_boot_device() # iterate thru possible options and check for grub dir for i in `cat /tmp/boot_device_list`; do umount /boot 2>/dev/null - mount -o ro $i /boot >/dev/null 2>&1 - if [[ $? && -d /boot/grub ]]; then - CONFIG_BOOT_DEV="$i" - return 0 + if mount -o ro $i /boot >/dev/null 2>&1; then + if ls -d /boot/grub* >/dev/null 2>&1; then + CONFIG_BOOT_DEV="$i" + return 0 + fi fi done From 858f0272850eec7b7135c8182c4c70650b9e7259 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Mon, 18 Nov 2019 19:12:06 -0600 Subject: [PATCH 17/52] config/coreboot-librem*: drop secondary payloads Drop coreinto/memtest secondary payloads as they are not usable with Linux as primary payload. Leftover copy-pasta from original SeaBIOS configs. Signed-off-by: Matt DeVillier --- config/coreboot-librem13v2.config | 2 -- config/coreboot-librem13v4.config | 2 -- config/coreboot-librem15v3.config | 2 -- config/coreboot-librem15v4.config | 2 -- 4 files changed, 8 deletions(-) diff --git a/config/coreboot-librem13v2.config b/config/coreboot-librem13v2.config index b56ba9d32..44f152bb7 100644 --- a/config/coreboot-librem13v2.config +++ b/config/coreboot-librem13v2.config @@ -28,5 +28,3 @@ CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="../../build/librem13v2/bzImage" CONFIG_LINUX_COMMAND_LINE="intel_iommu=on quiet loglevel=3" CONFIG_LINUX_INITRD="../../build/librem13v2/initrd.cpio.xz" -CONFIG_COREINFO_SECONDARY_PAYLOAD=y -CONFIG_MEMTEST_SECONDARY_PAYLOAD=y diff --git a/config/coreboot-librem13v4.config b/config/coreboot-librem13v4.config index c2935736c..e95562dc5 100644 --- a/config/coreboot-librem13v4.config +++ b/config/coreboot-librem13v4.config @@ -28,5 +28,3 @@ CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="../../build/librem13v4/bzImage" CONFIG_LINUX_COMMAND_LINE="intel_iommu=on quiet loglevel=3" CONFIG_LINUX_INITRD="../../build/librem13v4/initrd.cpio.xz" -CONFIG_COREINFO_SECONDARY_PAYLOAD=y -CONFIG_MEMTEST_SECONDARY_PAYLOAD=y diff --git a/config/coreboot-librem15v3.config b/config/coreboot-librem15v3.config index bf5a2bc14..1d3f829dc 100644 --- a/config/coreboot-librem15v3.config +++ b/config/coreboot-librem15v3.config @@ -28,5 +28,3 @@ CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="../../build/librem15v3/bzImage" CONFIG_LINUX_COMMAND_LINE="intel_iommu=on quiet loglevel=3" CONFIG_LINUX_INITRD="../../build/librem15v3/initrd.cpio.xz" -CONFIG_COREINFO_SECONDARY_PAYLOAD=y -CONFIG_MEMTEST_SECONDARY_PAYLOAD=y diff --git a/config/coreboot-librem15v4.config b/config/coreboot-librem15v4.config index 541d558a7..1baa87bd2 100644 --- a/config/coreboot-librem15v4.config +++ b/config/coreboot-librem15v4.config @@ -28,5 +28,3 @@ CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="../../build/librem15v4/bzImage" CONFIG_LINUX_COMMAND_LINE="intel_iommu=on quiet loglevel=3" CONFIG_LINUX_INITRD="../../build/librem15v4/initrd.cpio.xz" -CONFIG_COREINFO_SECONDARY_PAYLOAD=y -CONFIG_MEMTEST_SECONDARY_PAYLOAD=y From 5d28532a0f1311b3f6832d6f199c466888d558f1 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 28 Aug 2019 10:59:43 -0500 Subject: [PATCH 18/52] board/librem*.config: set default boot device to NVMe Automatic /boot detection will fall back to /dev/sd* Signed-off-by: Matt DeVillier --- boards/librem13v2/librem13v2.config | 2 +- boards/librem13v4/librem13v4.config | 2 +- boards/librem15v3/librem15v3.config | 2 +- boards/librem15v4/librem15v4.config | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/boards/librem13v2/librem13v2.config b/boards/librem13v2/librem13v2.config index eca005831..e37d506b7 100644 --- a/boards/librem13v2/librem13v2.config +++ b/boards/librem13v2/librem13v2.config @@ -30,7 +30,7 @@ export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" export CONFIG_BOOT_KERNEL_REMOVE="" -export CONFIG_BOOT_DEV="/dev/sda1" +export CONFIG_BOOT_DEV="/dev/nvme0n1p1" export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 13v2 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" diff --git a/boards/librem13v4/librem13v4.config b/boards/librem13v4/librem13v4.config index 12fe04886..f78f13a92 100644 --- a/boards/librem13v4/librem13v4.config +++ b/boards/librem13v4/librem13v4.config @@ -30,7 +30,7 @@ export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" export CONFIG_BOOT_KERNEL_REMOVE="" -export CONFIG_BOOT_DEV="/dev/sda1" +export CONFIG_BOOT_DEV="/dev/nvme0n1p1" export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 13v2 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" diff --git a/boards/librem15v3/librem15v3.config b/boards/librem15v3/librem15v3.config index 80c522952..f9d05253f 100644 --- a/boards/librem15v3/librem15v3.config +++ b/boards/librem15v3/librem15v3.config @@ -32,7 +32,7 @@ export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" export CONFIG_BOOT_KERNEL_REMOVE="" -export CONFIG_BOOT_DEV="/dev/sda1" +export CONFIG_BOOT_DEV="/dev/nvme0n1p1" export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 15v3 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" diff --git a/boards/librem15v4/librem15v4.config b/boards/librem15v4/librem15v4.config index 16f6aa44c..5f79a91d4 100644 --- a/boards/librem15v4/librem15v4.config +++ b/boards/librem15v4/librem15v4.config @@ -32,7 +32,7 @@ export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" export CONFIG_BOOT_KERNEL_REMOVE="" -export CONFIG_BOOT_DEV="/dev/sda1" +export CONFIG_BOOT_DEV="/dev/nvme0n1p1" export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 15v4 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" From b9fd6e27086fe3ff3dbdfa856bf5cd2e69566da6 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 21 Aug 2019 15:39:34 -0500 Subject: [PATCH 19/52] gui-init: update TOTP error prompt Update text on TOTP error prompt to provide better guidance for users following the use of the OEM factory reset function Signed-off-by: Matt DeVillier --- initrd/bin/gui-init | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index dfa6a9233..2b28fc212 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -169,8 +169,14 @@ while true; do TOTP=`unseal-totp` if [ $? -ne 0 ]; then whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: TOTP Generation Failed!" \ - --menu "ERROR: Heads couldn't generate the TOTP code.\n\nIf this is the first time the system has booted, you should reset the TPM\nand set your own password\n\nIf you just reflashed your BIOS, you'll need to generate a new TOTP secret.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 30 90 4 \ - 'g' ' Generate new TOTP/HOTP secret' \ + --menu " ERROR: Heads couldn't generate the TOTP code.\n + If you have just completed a Factory Reset, or just reflashed + your BIOS, you should generate a new HOTP/TOTP secret.\n + If this is the first time the system has booted, you should + reset the TPM and set your own password.\n + If you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n + How would you like to proceed?" 30 90 4 \ + 'g' ' Generate new HOTP/TOTP secret' \ 'i' ' Ignore error and continue to default boot menu' \ 'p' ' Reset the TPM' \ 'x' ' Exit to recovery shell' \ From 0dbc748233b2103cf2bbe1b655e952a094268389 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Sat, 18 May 2019 20:22:11 -0500 Subject: [PATCH 20/52] unseal-hotp: ensure /boot mounted before checking HOTP secret If /boot isn't mounted, we can't read the HOTP counter, so no point in reading from the TPM. This speeds up getting to the main menu in the case of an inaccessible or non-existant /boot. Signed-off-by: Matt DeVillier --- initrd/bin/unseal-hotp | 29 ++++++++++++++--------------- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/initrd/bin/unseal-hotp b/initrd/bin/unseal-hotp index f4d397ec8..0fc3fb28e 100755 --- a/initrd/bin/unseal-hotp +++ b/initrd/bin/unseal-hotp @@ -21,21 +21,6 @@ mount_boot_or_die() # get current value of HOTP counter in TPM, create if absent mount_boot_or_die -tpm nv_readvalue \ - -in 4d47 \ - -sz 312 \ - -of "$HOTP_SEALED" \ -|| die "Unable to retrieve sealed file from TPM NV" - -tpm unsealfile \ - -hk 40000000 \ - -if "$HOTP_SEALED" \ - -of "$HOTP_SECRET" \ -|| die "Unable to unseal HOTP secret" - -shred -n 10 -z -u "$HOTP_SEALED" 2> /dev/null - - #check_tpm_counter $HOTP_COUNTER hotp \ #|| die "Unable to find/create TPM counter" #counter="$TPM_COUNTER" @@ -51,6 +36,20 @@ fi #counter_value=$(printf "%d" 0x${counter_value}) +tpm nv_readvalue \ + -in 4d47 \ + -sz 312 \ + -of "$HOTP_SEALED" \ +|| die "Unable to retrieve sealed file from TPM NV" + +tpm unsealfile \ + -hk 40000000 \ + -if "$HOTP_SEALED" \ + -of "$HOTP_SECRET" \ +|| die "Unable to unseal HOTP secret" + +shred -n 10 -z -u "$HOTP_SEALED" 2> /dev/null + if ! hotp $counter_value < "$HOTP_SECRET"; then shred -n 10 -z -u "$HOTP_SECRET" 2> /dev/null die 'Unable to compute HOTP hash?' From e8fb231bc7ee45dd35ba4ed235a78020dd6c4569 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Thu, 21 Nov 2019 15:38:38 -0600 Subject: [PATCH 21/52] config/coreboot-librem*: disable iGPU IOMMU for Linux payload Disabling IOMMU on the iGPU for Heads (mostly) eliminates display corruption when kexec'ing to new kernel (and has no effect on iGPU/IOMMU for kexec'ed kernel) Signed-off-by: Matt DeVillier --- config/coreboot-librem13v2.config | 2 +- config/coreboot-librem13v4.config | 2 +- config/coreboot-librem15v3.config | 2 +- config/coreboot-librem15v4.config | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/config/coreboot-librem13v2.config b/config/coreboot-librem13v2.config index 44f152bb7..a27a26274 100644 --- a/config/coreboot-librem13v2.config +++ b/config/coreboot-librem13v2.config @@ -26,5 +26,5 @@ CONFIG_FSP_M_XIP=y CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="../../build/librem13v2/bzImage" -CONFIG_LINUX_COMMAND_LINE="intel_iommu=on quiet loglevel=3" +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" CONFIG_LINUX_INITRD="../../build/librem13v2/initrd.cpio.xz" diff --git a/config/coreboot-librem13v4.config b/config/coreboot-librem13v4.config index e95562dc5..79aacb18a 100644 --- a/config/coreboot-librem13v4.config +++ b/config/coreboot-librem13v4.config @@ -26,5 +26,5 @@ CONFIG_FSP_M_XIP=y CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="../../build/librem13v4/bzImage" -CONFIG_LINUX_COMMAND_LINE="intel_iommu=on quiet loglevel=3" +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" CONFIG_LINUX_INITRD="../../build/librem13v4/initrd.cpio.xz" diff --git a/config/coreboot-librem15v3.config b/config/coreboot-librem15v3.config index 1d3f829dc..c81c72dfc 100644 --- a/config/coreboot-librem15v3.config +++ b/config/coreboot-librem15v3.config @@ -26,5 +26,5 @@ CONFIG_FSP_M_XIP=y CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="../../build/librem15v3/bzImage" -CONFIG_LINUX_COMMAND_LINE="intel_iommu=on quiet loglevel=3" +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" CONFIG_LINUX_INITRD="../../build/librem15v3/initrd.cpio.xz" diff --git a/config/coreboot-librem15v4.config b/config/coreboot-librem15v4.config index 1baa87bd2..32a0742da 100644 --- a/config/coreboot-librem15v4.config +++ b/config/coreboot-librem15v4.config @@ -26,5 +26,5 @@ CONFIG_FSP_M_XIP=y CONFIG_DEFAULT_CONSOLE_LOGLEVEL_8=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="../../build/librem15v4/bzImage" -CONFIG_LINUX_COMMAND_LINE="intel_iommu=on quiet loglevel=3" +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" CONFIG_LINUX_INITRD="../../build/librem15v4/initrd.cpio.xz" From 4db6fbd51a66aa01f63797f98568b339d05c5f39 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 20 Nov 2019 16:27:40 -0600 Subject: [PATCH 22/52] oem-factory-reset: enforce 8-char min on custom password Since the custom password is used to set the GPG admin password as well as the TPM and GPG user passwords, an 8-character minimum is required. Inform the user of this, and validate custom password length upon entry. Signed-off-by: Matt DeVillier --- initrd/bin/oem-factory-reset | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index 1b40bcd22..d30ac7fa9 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -242,14 +242,21 @@ if ! whiptail --yesno " fi # Prompt to change default passwords -echo -e -n "Would you like to set a custom password? [y/N]:" +echo -e -n "Would you like to set a custom password? [y/N]: " read -n 1 prompt_output echo if [ "$prompt_output" == "y" \ -o "$prompt_output" == "Y" ] \ ; then - echo -e -n "Enter the custom password: " - read CUSTOM_PASS + echo -e "\nThe custom password will be used for the +TPM admin and GPG user/admin passwords. +It must be at least 8 characters in length.\n" + CUSTOM_PASS="" + echo + while [[ ${#CUSTOM_PASS} -lt 8 ]] ; do + echo -e -n "Enter the custom password: " + read CUSTOM_PASS + done echo TPM_PASS_DEF=$CUSTOM_PASS fi From 81df9496323db45a1c71f16d8923e54e27821568 Mon Sep 17 00:00:00 2001 From: Martin Kepplinger Date: Tue, 26 Nov 2019 18:10:39 +0100 Subject: [PATCH 23/52] oem-factory-reset: Fix description for rebooting when finished As is in many cases in Heads, not any key will work, just Enter. Signed-off-by: Martin Kepplinger --- initrd/bin/oem-factory-reset | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index d30ac7fa9..fcd2b1066 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -402,7 +402,7 @@ whiptail --msgbox " The OEM Factory Reset has completed successfully\n\n After rebooting, you will need to generate new TOTP/HOTP secrets\n when prompted in order to complete the setup process.\n\n - Press any key to reboot.\n" \ + Press Enter to reboot.\n" \ $WIDTH $HEIGHT --title "OEM Factory Reset Complete" reboot From 7370b75945681cbf49db392e3e25a3eb839ce533 Mon Sep 17 00:00:00 2001 From: rofl0r Date: Mon, 2 Dec 2019 23:03:09 +0000 Subject: [PATCH 24/52] update musl-cross to 1952975 this should fix issues with compressed ELF header sections. --- modules/musl-cross | 4 ++-- ...-cross-81d563e.patch => musl-cross-1952975.patch} | 12 ------------ 2 files changed, 2 insertions(+), 14 deletions(-) rename patches/{musl-cross-81d563e.patch => musl-cross-1952975.patch} (57%) diff --git a/modules/musl-cross b/modules/musl-cross index f04a0799d..5865cbd91 100644 --- a/modules/musl-cross +++ b/modules/musl-cross @@ -23,11 +23,11 @@ else # Force a full build of the cross compiler modules-y += musl-cross -musl-cross_version := 81d563e +musl-cross_version := 1952975 musl-cross_dir := musl-cross musl-cross_url := https://github.com/GregorR/musl-cross/archive/$(musl-cross_version).tar.gz musl-cross_tar := musl-cross-$(musl-cross_version).tar.gz -musl-cross_hash := 6362751b2442dc273c0889e5ef3ce6306a38b9c415cbe8cb4cfe3b8c6d776e96 +musl-cross_hash := dea10cfe4bfe5f5b131d8f98e65127cf5093477af56054d15563e858dc3b25cb CROSS_TOP := crossgcc/x86_64-linux-musl/bin/x86_64-linux-musl- CROSS := $(build)/../$(CROSS_TOP) diff --git a/patches/musl-cross-81d563e.patch b/patches/musl-cross-1952975.patch similarity index 57% rename from patches/musl-cross-81d563e.patch rename to patches/musl-cross-1952975.patch index e7633b7ba..7161e6736 100644 --- a/patches/musl-cross-81d563e.patch +++ b/patches/musl-cross-1952975.patch @@ -36,15 +36,3 @@ index ec3c1ce..844fb3d 100644 # uncomment these to get smaller/stripped binaries #export CFLAGS="-Os -g0 -s" #export CXXFLAGS="-Os -g0" ---- /dev/null 2019-10-28 16:42:28.211999999 +0100 -+++ musl-cross/hashes/gmp-6.1.0.tar.bz2.sha256 2019-10-29 13:08:53.288687684 +0100 -@@ -0,0 +1 @@ -+498449a994efeba527885c10405993427995d3f86b8768d8cdf8d9dd7c6b73e8 gmp-6.1.0.tar.bz2 ---- /dev/null 2019-10-28 16:42:28.211999999 +0100 -+++ musl-cross/hashes/mpfr-3.1.4.tar.bz2.sha256 2019-10-29 13:08:53.292687684 +0100 -@@ -0,0 +1 @@ -+d3103a80cdad2407ed581f3618c4bed04e0c92d1cf771a65ead662cc397f7775 mpfr-3.1.4.tar.bz2 ---- /dev/null 2019-10-28 16:42:28.211999999 +0100 -+++ musl-cross/hashes/mpc-1.0.3.tar.gz.sha256 2019-10-29 13:08:53.296687684 +0100 -@@ -0,0 +1 @@ -+617decc6ea09889fb08ede330917a00b16809b8db88c29c31bfbb49cbf88ecc3 mpc-1.0.3.tar.gz From 027ae39abe602a8d229746e100fbf62375563cdf Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Tue, 3 Dec 2019 10:48:10 +0100 Subject: [PATCH 25/52] modules: add module_tar_opt to allow different strip options Signed-off-by: Trammell hudson --- Makefile | 2 +- modules/coreboot | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 21e38108b..c95527aab 100644 --- a/Makefile +++ b/Makefile @@ -265,7 +265,7 @@ define define_module = # that the files are all present $(build)/$($1_base_dir)/.canary: $(packages)/.$1-$($1_version)_verify mkdir -p "$$(dir $$@)" - tar -xf "$(packages)/$($1_tar)" --strip 1 -C "$$(dir $$@)" + tar -xf "$(packages)/$($1_tar)" $(or $($1_tar_opt),--strip 1) -C "$$(dir $$@)" if [ -r patches/$1-$($1_version).patch ]; then \ ( cd $$(dir $$@) ; patch -p1 ) \ < patches/$1-$($1_version).patch \ diff --git a/modules/coreboot b/modules/coreboot index b2dfec590..15441ca1c 100644 --- a/modules/coreboot +++ b/modules/coreboot @@ -108,6 +108,7 @@ modules-y += coreboot-blobs coreboot-blobs_version := $(coreboot_version) coreboot-blobs_tar := coreboot-blobs-$(coreboot-blobs_version).tar.xz +coreboot-blobs_tar_opt := --strip 3 coreboot-blobs_dir := coreboot-$(coreboot-blobs_version)/3rdparty/blobs coreboot-blobs_url := https://www.coreboot.org/releases/$(coreboot-blobs_tar) coreboot-blobs_hash := 18aa509ae3af005a05d7b1e0b0246dc640249c14fc828f5144b6fd20bb10e295 From 69f3cc46ab55311d4389408fcba5ec8f37b423f6 Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Tue, 7 Jan 2020 19:01:59 +0100 Subject: [PATCH 26/52] libksba: fix qsort handler to sort the string table in a reproducible way Signed-off-by: Trammell Hudson --- patches/libkbsa-1.3.5.patch | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 patches/libkbsa-1.3.5.patch diff --git a/patches/libkbsa-1.3.5.patch b/patches/libkbsa-1.3.5.patch new file mode 100644 index 000000000..594083d5b --- /dev/null +++ b/patches/libkbsa-1.3.5.patch @@ -0,0 +1,20 @@ +--- clean/libksba-1.3.5/src/asn1-gentables.c 2016-08-22 11:38:21.000000000 +0200 ++++ libksba-1.3.5/src/asn1-gentables.c 2020-01-07 18:56:03.658790390 +0100 +@@ -112,7 +112,16 @@ + const struct name_list_s **a = (const struct name_list_s **)aptr; + const struct name_list_s **b = (const struct name_list_s **)bptr; + +- return strlen ((*a)->name) < strlen ((*b)->name); ++ const size_t len_a = strlen((*a)->name); ++ const size_t len_b = strlen((*b)->name); ++ ++ if (len_a == len_b) ++ return strcmp((*a)->name, (*b)->name); ++ else ++ if (len_a < len_b) ++ return -1; ++ else ++ return +1; + } + + static void From 6c93a5e85407aa1199fd205d63212e0a7263f5d2 Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Wed, 8 Jan 2020 10:01:21 +0100 Subject: [PATCH 27/52] libksba: fix name of patch file Signed-off-by: Trammell hudson --- patches/libkbsa-1.3.5.patch | 20 -------------------- patches/libksba-1.3.5.patch | 23 +++++++++++++++++++++++ 2 files changed, 23 insertions(+), 20 deletions(-) delete mode 100644 patches/libkbsa-1.3.5.patch create mode 100644 patches/libksba-1.3.5.patch diff --git a/patches/libkbsa-1.3.5.patch b/patches/libkbsa-1.3.5.patch deleted file mode 100644 index 594083d5b..000000000 --- a/patches/libkbsa-1.3.5.patch +++ /dev/null @@ -1,20 +0,0 @@ ---- clean/libksba-1.3.5/src/asn1-gentables.c 2016-08-22 11:38:21.000000000 +0200 -+++ libksba-1.3.5/src/asn1-gentables.c 2020-01-07 18:56:03.658790390 +0100 -@@ -112,7 +112,16 @@ - const struct name_list_s **a = (const struct name_list_s **)aptr; - const struct name_list_s **b = (const struct name_list_s **)bptr; - -- return strlen ((*a)->name) < strlen ((*b)->name); -+ const size_t len_a = strlen((*a)->name); -+ const size_t len_b = strlen((*b)->name); -+ -+ if (len_a == len_b) -+ return strcmp((*a)->name, (*b)->name); -+ else -+ if (len_a < len_b) -+ return -1; -+ else -+ return +1; - } - - static void diff --git a/patches/libksba-1.3.5.patch b/patches/libksba-1.3.5.patch new file mode 100644 index 000000000..13fa7be47 --- /dev/null +++ b/patches/libksba-1.3.5.patch @@ -0,0 +1,23 @@ +--- clean/libksba-1.3.5/src/asn1-gentables.c 2016-08-22 11:38:21.000000000 +0200 ++++ libksba-1.3.5/src/asn1-gentables.c 2020-01-08 10:00:27.297737650 +0100 +@@ -109,10 +109,17 @@ + static int + cmp_string (const void *aptr, const void *bptr) + { +- const struct name_list_s **a = (const struct name_list_s **)aptr; +- const struct name_list_s **b = (const struct name_list_s **)bptr; ++ const char *a = (*(const struct name_list_s **)aptr)->name; ++ const char *b = (*(const struct name_list_s **)bptr)->name; + +- return strlen ((*a)->name) < strlen ((*b)->name); ++ const size_t len_a = strlen(a); ++ const size_t len_b = strlen(b); ++ ++ if (len_a < len_b) ++ return -1; ++ if (len_a > len_b) ++ return +1; ++ return strcmp(a, b); + } + + static void From 791d064397594ab5f62374b1fe6f5dfc6aa72883 Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Wed, 8 Jan 2020 17:08:15 +0100 Subject: [PATCH 28/52] musl-cross-make: replace all cross compilers with musl-cross-make Signed-off-by: Trammell Hudson --- Makefile | 14 +++-- blobs/dev.cpio | Bin 508 -> 1024 bytes config/coreboot-kgpe-d16.config | 1 + config/coreboot-librem13v2.config | 1 + config/coreboot-librem13v4.config | 1 + config/coreboot-librem15v3.config | 1 + config/coreboot-librem15v4.config | 1 + config/coreboot-qemu.config | 1 + config/coreboot-x220.config | 1 + config/coreboot-x230-flash.config | 1 + config/coreboot-x230.config | 1 + modules/coreboot | 45 +++++--------- modules/musl | 41 ------------- modules/musl-cross | 55 ++++++++++++------ .../0010-cross-compiler-support.patch | 27 +++++++++ 15 files changed, 95 insertions(+), 96 deletions(-) delete mode 100644 modules/musl create mode 100644 patches/coreboot-4.8.1/0010-cross-compiler-support.patch diff --git a/Makefile b/Makefile index c95527aab..a0bda55be 100644 --- a/Makefile +++ b/Makefile @@ -106,11 +106,13 @@ SHELL := /bin/bash # be defined prior to any other module. include modules/musl-cross -musl_dep := musl -heads_cc := $(INSTALL)/bin/musl-gcc \ +musl_dep := musl-cross +heads_cc := $(CROSS)gcc \ -fdebug-prefix-map=$(pwd)=heads \ -gno-record-gcc-switches \ -D__MUSL__ \ + -I$(INSTALL)/include \ + -L$(INSTALL)/lib \ CROSS_TOOLS_NOCC := \ AR="$(CROSS)ar" \ @@ -145,8 +147,9 @@ all: FORCE: # Make helpers to operate on lists of things +# Prefix is "smart" and doesn't add the prefix for absolute file paths define prefix = -$(foreach _, $2, $1$_) +$(foreach _, $2, $(if $(patsubst /%,,$_),$1$_,$_)) endef define map = $(foreach _,$2,$(eval $(call $1,$_))) @@ -410,6 +413,7 @@ endef # Only some modules have binaries that we install # Shouldn't this be specified in the module file? +#bin_modules-$(CONFIG_MUSL) += musl-cross bin_modules-$(CONFIG_KEXEC) += kexec bin_modules-$(CONFIG_TPMTOTP) += tpmtotp bin_modules-$(CONFIG_PCIUTILS) += pciutils @@ -451,8 +455,7 @@ endif $(COREBOOT_UTIL_DIR)/cbmem/cbmem \ $(COREBOOT_UTIL_DIR)/superiotool/superiotool \ $(COREBOOT_UTIL_DIR)/inteltool/inteltool \ -: $(build)/$(coreboot_base_dir)/.canary \ - $(build)/$(musl_dir)/.build +: $(build)/$(coreboot_base_dir)/.canary +$(call do,MAKE,$(notdir $@),\ $(MAKE) -C "$(dir $@)" $(CROSS_TOOLS) \ ) @@ -564,7 +567,6 @@ modules.clean: real.clean: for dir in \ $(module_dirs) \ - $(musl_dir) \ $(kernel_headers) \ ; do \ if [ ! -z "$$dir" ]; then \ diff --git a/blobs/dev.cpio b/blobs/dev.cpio index 5e71bf641315bab5d49848930892cf945486101c..43f1088091ea1eabac3cece67ee3fd1e492355b2 100644 GIT binary patch literal 1024 zcmeH@zYc;h5XN~G9suY8EihL8BqmP8-9%t8DKZd^kM993#L@_(gST9JckS=Hk3=LQ zKnP_#$O?iHLOLW<_%sKaC8;)0WO5k)F-EAWb@Q|=3yG4M1axHj5UUYA!%ilZ50!>l zBQm|JyZ4=FG&bkM8xF;&K?mb~Vy7gLy=cmt`_9XV+tm}bgIqjSZr^?E&PLxh`HSB> v`HPv7-#&Wbykd4?A!=~JpvSQNx}>~acfMB+s(mi`@syXgZKH&L{D1>*A%TLW delta 90 zcmZqR_`}R+U=DL}LRWFfz25Y{+CX lS%HaX;z?cpv_wnu6w72Ykd&jLGf+x{(HuysO}@go0suG77wiB4 diff --git a/config/coreboot-kgpe-d16.config b/config/coreboot-kgpe-d16.config index 4be5a04b7..01cf91ee6 100644 --- a/config/coreboot-kgpe-d16.config +++ b/config/coreboot-kgpe-d16.config @@ -1,4 +1,5 @@ CONFIG_LOCALVERSION="heads" +CONFIG_ANY_TOOLCHAIN=y CONFIG_USE_OPTION_TABLE=y # CONFIG_COLLECT_TIMESTAMPS is not set CONFIG_VENDOR_ASUS=y diff --git a/config/coreboot-librem13v2.config b/config/coreboot-librem13v2.config index a27a26274..412c2bfc2 100644 --- a/config/coreboot-librem13v2.config +++ b/config/coreboot-librem13v2.config @@ -1,4 +1,5 @@ CONFIG_LOCALVERSION="4.8.1-Purism-1-heads-beta" +CONFIG_ANY_TOOLCHAIN=y CONFIG_USE_BLOBS=y CONFIG_MEASURED_BOOT=y CONFIG_VENDOR_PURISM=y diff --git a/config/coreboot-librem13v4.config b/config/coreboot-librem13v4.config index 79aacb18a..0d4abc8b5 100644 --- a/config/coreboot-librem13v4.config +++ b/config/coreboot-librem13v4.config @@ -1,4 +1,5 @@ CONFIG_LOCALVERSION="4.8.1-Purism-1-heads-beta" +CONFIG_ANY_TOOLCHAIN=y CONFIG_USE_BLOBS=y CONFIG_MEASURED_BOOT=y CONFIG_VENDOR_PURISM=y diff --git a/config/coreboot-librem15v3.config b/config/coreboot-librem15v3.config index c81c72dfc..4359227eb 100644 --- a/config/coreboot-librem15v3.config +++ b/config/coreboot-librem15v3.config @@ -1,4 +1,5 @@ CONFIG_LOCALVERSION="4.8.1-Purism-1-heads-beta" +CONFIG_ANY_TOOLCHAIN=y CONFIG_USE_BLOBS=y CONFIG_MEASURED_BOOT=y CONFIG_VENDOR_PURISM=y diff --git a/config/coreboot-librem15v4.config b/config/coreboot-librem15v4.config index 32a0742da..013718c26 100644 --- a/config/coreboot-librem15v4.config +++ b/config/coreboot-librem15v4.config @@ -1,4 +1,5 @@ CONFIG_LOCALVERSION="4.8.1-Purism-1-heads-beta" +CONFIG_ANY_TOOLCHAIN=y CONFIG_USE_BLOBS=y CONFIG_MEASURED_BOOT=y CONFIG_VENDOR_PURISM=y diff --git a/config/coreboot-qemu.config b/config/coreboot-qemu.config index cfccf5269..73856e412 100644 --- a/config/coreboot-qemu.config +++ b/config/coreboot-qemu.config @@ -1,4 +1,5 @@ CONFIG_LOCALVERSION="-heads" +CONFIG_ANY_TOOLCHAIN=y # CONFIG_INCLUDE_CONFIG_FILE is not set CONFIG_CBFS_SIZE=0x700000 # CONFIG_POST_IO is not set diff --git a/config/coreboot-x220.config b/config/coreboot-x220.config index a91aef7dc..5671c71ba 100644 --- a/config/coreboot-x220.config +++ b/config/coreboot-x220.config @@ -1,4 +1,5 @@ CONFIG_LOCALVERSION="heads" +CONFIG_ANY_TOOLCHAIN=y # CONFIG_INCLUDE_CONFIG_FILE is not set # CONFIG_COLLECT_TIMESTAMPS is not set CONFIG_USE_BLOBS=y diff --git a/config/coreboot-x230-flash.config b/config/coreboot-x230-flash.config index 66f3a53cb..6461d02be 100644 --- a/config/coreboot-x230-flash.config +++ b/config/coreboot-x230-flash.config @@ -1,4 +1,5 @@ CONFIG_LOCALVERSION="heads" +CONFIG_ANY_TOOLCHAIN=y # CONFIG_INCLUDE_CONFIG_FILE is not set # CONFIG_COLLECT_TIMESTAMPS is not set CONFIG_USE_BLOBS=y diff --git a/config/coreboot-x230.config b/config/coreboot-x230.config index 65b13b581..c69f4174e 100644 --- a/config/coreboot-x230.config +++ b/config/coreboot-x230.config @@ -1,4 +1,5 @@ CONFIG_LOCALVERSION="heads" +CONFIG_ANY_TOOLCHAIN=y # CONFIG_INCLUDE_CONFIG_FILE is not set # CONFIG_COLLECT_TIMESTAMPS is not set CONFIG_USE_BLOBS=y diff --git a/modules/coreboot b/modules/coreboot index 15441ca1c..2ba9473d0 100644 --- a/modules/coreboot +++ b/modules/coreboot @@ -9,7 +9,7 @@ coreboot_tar := coreboot-$(coreboot_version).tar.xz coreboot_url := https://www.coreboot.org/releases/$(coreboot_tar) coreboot_hash := f0ddf4db0628c1fe1e8348c40084d9cbeb5771400c963fd419cda3995b69ad23 -# Coreboot builds are specialized on a per-target basis. +# coreboot builds are specialized on a per-target basis. # The builds are done in a per-target subdirectory CONFIG_COREBOOT_CONFIG ?= config/coreboot-$(BOARD).config @@ -29,9 +29,18 @@ coreboot_configure := \ CFLAGS_x86_32="$(EXTRA_FLAGS)" \ CFLAGS_x86_64="$(EXTRA_FLAGS)" \ +COREBOOT_IASL="$(build)/$(coreboot_base_dir)/util/crossgcc/xgcc/bin/iasl" + +# coreboot is built with the 32-bit compiler; ideally we could use the same +# x86_64-linux-musl -m32 to build it, but this causes some link errors that need +# to be tracked down. +# CROSS="$(CROSS)" \ + coreboot_target := \ -C "$(build)/$(coreboot_base_dir)" \ obj="$(build)/$(coreboot_dir)" \ + CROSS="$(dir $(CROSS))i386-linux-musl-" \ + IASL="$(COREBOOT_IASL)" \ DOTCONFIG="$(build)/$(coreboot_dir)/.config" \ BUILD_TIMELESS=1 \ CFLAGS_x86_32="$(EXTRA_FLAGS)" \ @@ -39,35 +48,11 @@ coreboot_target := \ $(MAKE_JOBS) coreboot_output := coreboot.rom -coreboot_depend += linux initrd - -COREBOOT_XGCC_REL := $(coreboot_base_dir)/util/crossgcc/xgcc -COREBOOT_XGCC_PATH := $(build)/$(COREBOOT_XGCC_REL) -COREBOOT_XGCC := $(COREBOOT_XGCC_PATH)/bin/i386-elf-gcc - -# hack to force a build dependency on the cross compiler -coreboot-gcc $(build)/$(coreboot_dir)/.configured: $(COREBOOT_XGCC) - -ifeq "$(TOOLCHAIN)" "" -# Force a rebuild of the entire coreboot toolchain -$(COREBOOT_XGCC): $(build)/$(coreboot_base_dir)/.canary - echo '******* Building crossgcc-i386 (this might take a while) ******' - $(MAKE) -C "$(build)/$(coreboot_base_dir)" CPUS=`nproc` crossgcc-i386 - #echo '******* Building crossgcc-arm (this might take a while) ******' - #$(MAKE) -C "$(build)/$(coreboot_base_dir)" crossgcc-arm -else -# Use the pre-build one from the external toolchain build -$(COREBOOT_XGCC): $(build)/$(coreboot_base_dir)/.canary - if [ ! -e "$(TOOLCHAIN)/build/$(COREBOOT_XGCC_REL)" ]; then \ - echo >&2 "ERROR: TOOLCHAIN=$(TOOLCHAIN) does not have coreboot" ; \ - exit 1 ; \ - fi - if [ ! -e "$(COREBOOT_XGCC_PATH)" ]; then \ - ln -s \ - "$(TOOLCHAIN)/build/$(COREBOOT_XGCC_REL)" \ - "$(COREBOOT_XGCC_PATH)" ; \ - fi -endif +coreboot_depend += linux initrd $(musl_dep) + +$(build)/$(coreboot_dir)/.configured: $(COREBOOT_IASL) +$(COREBOOT_IASL): $(build)/$(coreboot_base_dir)/.canary + $(MAKE) -C "$(build)/$(coreboot_base_dir)" CPUS=`nproc` iasl # Force a rebuild if the inputs have changed $(build)/$(coreboot_dir)/.build: \ diff --git a/modules/musl b/modules/musl deleted file mode 100644 index eec76de34..000000000 --- a/modules/musl +++ /dev/null @@ -1,41 +0,0 @@ -CONFIG_MUSL ?= y -modules-$(CONFIG_MUSL) += musl - -musl_version := 1.1.15 -musl_dir := musl-$(musl_version) -musl_tar := musl-$(musl_version).tar.gz -musl_url := https://www.musl-libc.org/releases/$(musl_tar) -musl_hash := 97e447c7ee2a7f613186ec54a93054fe15469fe34d7d323080f7ef38f5ecb0fa - -musl_output := ../../install/bin/musl-gcc - -# -# Note that for syslibdir to be /lib the install will fail. -# this is unfortunate since it prevents the binaries from running -# and requires that we treat the rest of the build as a cross compile. -# -# That works, with some hacks... -# -musl_configure := ./configure \ - $(CROSS_TOOLS_NOCC) \ - CC="$(CROSS)gcc" \ - --prefix="$(INSTALL)" \ - --syslibdir="/lib" \ - --enable-gcc-wrapper \ - --enable-shared \ - -musl_target := \ - $(MAKE_JOBS) \ - $(CROSS_TOOLS_NOCC) \ - CC="$(CROSS)gcc" \ - install \ - -musl_libraries := \ - lib/libc.so \ - - -musl_depends := musl-cross - -# Fake a target so that musl will force a header install by the -# Linux kernel sources. -$(build)/$(musl_dir)/.build: $(INSTALL)/include/linux/limits.h diff --git a/modules/musl-cross b/modules/musl-cross index 5865cbd91..617c66e3a 100644 --- a/modules/musl-cross +++ b/modules/musl-cross @@ -1,5 +1,14 @@ +CONFIG_MUSL ?= y + ifeq "$(MUSL_CROSS_ONCE)" "" MUSL_CROSS_ONCE := 1 +modules-$(CONFIG_MUSL) += musl-cross + +musl-cross_version := 38e52db +musl-cross_dir := musl-cross-$(musl-cross_version) +musl-cross_url := https://github.com/richfelker/musl-cross-make/archive/$(musl-cross_version).tar.gz +musl-cross_tar := musl-cross-$(musl-cross_version).tar.gz +musl-cross_hash := b4b85d6d3ddab0f2b8650a53e775673f8c346fa2fb07d652a9880bd206ade100 ifneq "$(CROSS)" "" @@ -7,39 +16,47 @@ ifneq "$(CROSS)" "" # check that $(CROSS)gcc exists or else things just won't work ifneq "y" "$(shell [ -x '$(CROSS)gcc' ] && echo y)" $(error $(CROSS)gcc does not exist - can not build) +else +$(info Using $(CROSS)gcc) endif # The cross compiler has already been built, so the musl-cross target -# is a NOP. -#musl-cross.intermediate: +# is a NOP. We really don't need to check out this code tree, but it is easier +# if we have a target for it. +musl-cross_target := --version -musl-cross_dir := musl-cross-ext -$(build)/$(musl-cross_dir)/.build: - mkdir -p $(dir $@) - touch $@ +# Ask the compiler where to find its own libc.so +musl-cross_libraries := \ + $(shell $(CROSS)gcc --print-file-name=libc.so) \ else # Force a full build of the cross compiler +# have to build both x86_64 and i386 versions for coreboot -modules-y += musl-cross -musl-cross_version := 1952975 -musl-cross_dir := musl-cross -musl-cross_url := https://github.com/GregorR/musl-cross/archive/$(musl-cross_version).tar.gz -musl-cross_tar := musl-cross-$(musl-cross_version).tar.gz -musl-cross_hash := dea10cfe4bfe5f5b131d8f98e65127cf5093477af56054d15563e858dc3b25cb +musl-cross_configure := \ + /bin/echo -e >> Makefile 'both:' ; \ + /bin/echo -e >> Makefile '\t$$$$(MAKE) TARGET=x86_64-linux-musl install' ; \ + /bin/echo -e >> Makefile '\t$$$$(MAKE) TARGET=i386-linux-musl install' ; \ -CROSS_TOP := crossgcc/x86_64-linux-musl/bin/x86_64-linux-musl- -CROSS := $(build)/../$(CROSS_TOP) -musl-cross_output := ../../$(CROSS_TOP)gcc +CROSS_PATH ?= $(pwd)/crossgcc -musl-cross_configure := \ - /bin/echo -e > Makefile \ - '$(musl-cross_output):\n\tCC_BASE_PREFIX="$(pwd)/crossgcc" ./build.sh' +musl-cross_target := \ + OUTPUT="$(CROSS_PATH)" \ + MAKE="$(MAKE)" \ + both +CROSS := $(CROSS_PATH)/bin/x86_64-linux-musl- +musl-cross_libraries := $(CROSS_PATH)/x86_64-linux-musl/lib/libc.so endif -musl-cross_target := + +musl-cross_output := $(CROSS)gcc + +## Fake a target so that musl will force a header install by the +## Linux kernel sources. +$(build)/$(musl-cross_dir)/.build: $(INSTALL)/include/linux/limits.h + endif diff --git a/patches/coreboot-4.8.1/0010-cross-compiler-support.patch b/patches/coreboot-4.8.1/0010-cross-compiler-support.patch new file mode 100644 index 000000000..b99941df7 --- /dev/null +++ b/patches/coreboot-4.8.1/0010-cross-compiler-support.patch @@ -0,0 +1,27 @@ +--- clean/coreboot-4.8.1/Makefile 2018-05-16 21:00:17.000000000 +0200 ++++ coreboot-4.8.1/Makefile 2020-01-08 17:01:32.998287979 +0100 +@@ -152,6 +152,24 @@ + + -include .xcompile + ++ifneq "$(CROSS)" "" ++ $(info coreboot: Using $(CROSS)gcc) ++ CROSS_COMPILE_x86_32 := $(CROSS) ++ CC_x86_32 := $(CROSS_COMPILE_x86_32)gcc ++ CPP_x86_32 := $(CROSS_COMPILE_x86_32)cpp ++ AS_x86_32 := $(CROSS_COMPILE_x86_32)as --32 ++ LD_x86_32 := $(CROSS_COMPILE_x86_32)ld.bfd -b elf32-i386 -melf_i386 ++ NM_x86_32 := $(CROSS_COMPILE_x86_32)nm ++ OBJCOPY_x86_32 := $(CROSS_COMPILE_x86_32)objcopy ++ OBJDUMP_x86_32 := $(CROSS_COMPILE_x86_32)objdump ++ READELF_x86_32 := $(CROSS_COMPILE_x86_32)readelf ++ STRIP_x86_32 := $(CROSS_COMPILE_x86_32)strip ++ AR_x86_32 := $(CROSS_COMPILE_x86_32)ar ++ GNATBIND_x86_32 := $(CROSS_COMPILE_x86_32)gnatbind ++ COMPILER_RT_x86_32 := $(shell $(CC_x86_32) --print-libgcc-file-name) ++endif ++ ++ + ifneq ($(XCOMPILE_COMPLETE),1) + $(shell rm -f .xcompile) + $(error .xcompile deleted because it's invalid. \ From fed0858126f09f1701a415d2ca2e13ff25e6966a Mon Sep 17 00:00:00 2001 From: Trammell Hudson Date: Wed, 8 Jan 2020 17:33:49 +0100 Subject: [PATCH 29/52] circleci: try using the osresearch/musl-cross docker image Signed-off-by: Trammell Hudson --- .circleci/config.yml | 46 ++++---------------------------------------- 1 file changed, 4 insertions(+), 42 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index c23a19e10..56ecdf1be 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -2,35 +2,8 @@ version: 2 jobs: build: docker: - - image: osresearch/heads-ubuntu:16.04 + - image: osresearch/musl-cross:38e52db steps: - - run: - name: Install dependencies - command: | - apt update - apt install -y \ - build-essential \ - zlib1g-dev \ - uuid-dev \ - libdigest-sha-perl \ - libelf-dev \ - bc \ - bzip2 \ - bison \ - flex \ - git \ - gnupg \ - iasl \ - m4 \ - nasm \ - patch \ - python \ - wget \ - gnat \ - cpio \ - ccache \ - lzma \ - - checkout - run: @@ -38,22 +11,11 @@ jobs: command: | make -j4 bootstrap - - run: - name: Bootstrap coreboot-gcc - command: | - ./build/make-4.2.1/make \ - TOOLCHAIN=/home/builder/heads \ - V=1 \ - BOARD=qemu-coreboot \ - coreboot-gcc - - - run: name: qemu-coreboot command: | ./build/make-4.2.1/make \ - TOOLCHAIN=/home/builder/heads \ - V=1 \ + CROSS=/cross/bin/x86_64-linux-musl- \ -j4 \ BOARD=qemu-coreboot \ @@ -67,7 +29,7 @@ jobs: name: qemu-linuxboot command: | ./build/make-4.2.1/make \ - TOOLCHAIN=/home/builder/heads \ + CROSS=/cross/bin/x86_64-linux-musl- \ V=1 \ -j4 \ BOARD=qemu-linuxboot \ @@ -82,7 +44,7 @@ jobs: name: x230 command: | ./build/make-4.2.1/make \ - TOOLCHAIN=/home/builder/heads \ + CROSS=/cross/bin/x86_64-linux-musl- \ -j4 \ V=1 \ BOARD=x230 \ From 35ddd3e065c65b16e77d14cf443e55d000950d0d Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Wed, 8 Jan 2020 22:45:39 +0100 Subject: [PATCH 30/52] circleci: pre-build edk2 for linuxboot Signed-off-by: Trammell hudson --- .circleci/config.yml | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 56ecdf1be..8f87d8530 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -12,25 +12,19 @@ jobs: make -j4 bootstrap - run: - name: qemu-coreboot + name: qemu-linuxboot-edk2 command: | ./build/make-4.2.1/make \ CROSS=/cross/bin/x86_64-linux-musl- \ - -j4 \ - BOARD=qemu-coreboot \ - - - store-artifacts: - path: build/qemu-coreboot/coreboot.rom - - store-artifacts: - path: build/qemu-coreboot/hashes.txt - + BOARD=qemu-linuxboot \ + `/bin/pwd`/build/linuxboot-git/build/qemu/.configured \ + # Run first to avoid too many processes - run: name: qemu-linuxboot command: | ./build/make-4.2.1/make \ CROSS=/cross/bin/x86_64-linux-musl- \ - V=1 \ -j4 \ BOARD=qemu-linuxboot \ @@ -40,13 +34,25 @@ jobs: path: build/qemu-linuxboot/hashes.txt + - run: + name: qemu-coreboot + command: | + ./build/make-4.2.1/make \ + CROSS=/cross/bin/x86_64-linux-musl- \ + -j4 \ + BOARD=qemu-coreboot \ + + - store-artifacts: + path: build/qemu-coreboot/coreboot.rom + - store-artifacts: + path: build/qemu-coreboot/hashes.txt + - run: name: x230 command: | ./build/make-4.2.1/make \ CROSS=/cross/bin/x86_64-linux-musl- \ -j4 \ - V=1 \ BOARD=x230 \ - store-artifacts: From c069901f90bacfc5091fbe70c53b71b1fa77fb93 Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Wed, 8 Jan 2020 22:47:27 +0100 Subject: [PATCH 31/52] circleci: no tabs! Signed-off-by: Trammell hudson --- .circleci/config.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 8f87d8530..f854666e0 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -17,8 +17,8 @@ jobs: ./build/make-4.2.1/make \ CROSS=/cross/bin/x86_64-linux-musl- \ BOARD=qemu-linuxboot \ - `/bin/pwd`/build/linuxboot-git/build/qemu/.configured \ - # Run first to avoid too many processes + `/bin/pwd`/build/linuxboot-git/build/qemu/.configured \ + # Run first to avoid too many processes - run: name: qemu-linuxboot From 97402ed32db6e2b15fd7c812283349eefbd1f330 Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Wed, 8 Jan 2020 23:10:46 +0100 Subject: [PATCH 32/52] circleci: replace -j4 with --load 2 --- .circleci/config.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index f854666e0..5aea39c6c 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -25,7 +25,7 @@ jobs: command: | ./build/make-4.2.1/make \ CROSS=/cross/bin/x86_64-linux-musl- \ - -j4 \ + --load 2 \ BOARD=qemu-linuxboot \ - store-artifacts: @@ -39,7 +39,7 @@ jobs: command: | ./build/make-4.2.1/make \ CROSS=/cross/bin/x86_64-linux-musl- \ - -j4 \ + --load 2 \ BOARD=qemu-coreboot \ - store-artifacts: @@ -52,7 +52,7 @@ jobs: command: | ./build/make-4.2.1/make \ CROSS=/cross/bin/x86_64-linux-musl- \ - -j4 \ + --load 2 \ BOARD=x230 \ - store-artifacts: From 31f021e5f7fc2d13c05c23c1d17a1e9b036bebf8 Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Wed, 8 Jan 2020 23:26:20 +0100 Subject: [PATCH 33/52] circleci: enable V=1 to produce more output and avoid timing out Signed-off-by: Trammell hudson --- .circleci/config.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.circleci/config.yml b/.circleci/config.yml index 5aea39c6c..332b0843b 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -26,6 +26,7 @@ jobs: ./build/make-4.2.1/make \ CROSS=/cross/bin/x86_64-linux-musl- \ --load 2 \ + V=1 \ BOARD=qemu-linuxboot \ - store-artifacts: @@ -40,6 +41,7 @@ jobs: ./build/make-4.2.1/make \ CROSS=/cross/bin/x86_64-linux-musl- \ --load 2 \ + V=1 \ BOARD=qemu-coreboot \ - store-artifacts: @@ -53,6 +55,7 @@ jobs: ./build/make-4.2.1/make \ CROSS=/cross/bin/x86_64-linux-musl- \ --load 2 \ + V=1 \ BOARD=x230 \ - store-artifacts: From 1e77a72f99f270f3b19fed39f4f73f88509a9927 Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Thu, 9 Jan 2020 00:07:19 +0100 Subject: [PATCH 34/52] circleci: skip linuxboot steps for now Signed-off-by: Trammell hudson --- .circleci/config.yml | 46 +++++++++++++++++++++++--------------------- 1 file changed, 24 insertions(+), 22 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 332b0843b..4d4ff24f4 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -11,28 +11,30 @@ jobs: command: | make -j4 bootstrap - - run: - name: qemu-linuxboot-edk2 - command: | - ./build/make-4.2.1/make \ - CROSS=/cross/bin/x86_64-linux-musl- \ - BOARD=qemu-linuxboot \ - `/bin/pwd`/build/linuxboot-git/build/qemu/.configured \ - # Run first to avoid too many processes - - - run: - name: qemu-linuxboot - command: | - ./build/make-4.2.1/make \ - CROSS=/cross/bin/x86_64-linux-musl- \ - --load 2 \ - V=1 \ - BOARD=qemu-linuxboot \ - - - store-artifacts: - path: build/qemu-linuxboot/linuxboot.rom - - store-artifacts: - path: build/qemu-linuxboot/hashes.txt +# linuxboot steps need something to pass in the kernel header path +# skipping for now +# - run: +# name: qemu-linuxboot-edk2 +# command: | +# ./build/make-4.2.1/make \ +# CROSS=/cross/bin/x86_64-linux-musl- \ +# BOARD=qemu-linuxboot \ +# `/bin/pwd`/build/linuxboot-git/build/qemu/.configured \ +# # Run first to avoid too many processes +# +# - run: +# name: qemu-linuxboot +# command: | +# ./build/make-4.2.1/make \ +# CROSS=/cross/bin/x86_64-linux-musl- \ +# --load 2 \ +# V=1 \ +# BOARD=qemu-linuxboot \ +# +# - store-artifacts: +# path: build/qemu-linuxboot/linuxboot.rom +# - store-artifacts: +# path: build/qemu-linuxboot/hashes.txt - run: From 6962bfda10772606dcbc33477c81adb04c41c9c3 Mon Sep 17 00:00:00 2001 From: Trammell hudson Date: Thu, 9 Jan 2020 13:27:09 +0100 Subject: [PATCH 35/52] lvm2: turn off buffering, which prevents segfault with new musl (#651) Signed-off-by: Trammell hudson --- modules/lvm2 | 2 +- patches/lvm2-2.02.168.patch | 50 ++++++++++++++++++++++++------------- 2 files changed, 34 insertions(+), 18 deletions(-) diff --git a/modules/lvm2 b/modules/lvm2 index 91f0f53f0..e3005f1bd 100644 --- a/modules/lvm2 +++ b/modules/lvm2 @@ -1,7 +1,7 @@ modules-$(CONFIG_LVM2) += lvm2 lvm2_version := 2.02.168 -lvm2_dir := LVM2.$(lvm2_version) +lvm2_dir := lvm2.$(lvm2_version) lvm2_tar := LVM2.$(lvm2_version).tgz lvm2_url := https://mirrors.kernel.org/sourceware/lvm2/$(lvm2_tar) lvm2_hash := 23a3d1cddd41b3ef51812ebf83e9fa491f502fe74130d4263be327a91914660d diff --git a/patches/lvm2-2.02.168.patch b/patches/lvm2-2.02.168.patch index d6547c475..0a0956998 100644 --- a/patches/lvm2-2.02.168.patch +++ b/patches/lvm2-2.02.168.patch @@ -1,6 +1,6 @@ -diff -u --recursive ../clean/LVM2.2.02.168/lib/mm/memlock.c LVM2.2.02.168/lib/mm/memlock.c ---- ../clean/LVM2.2.02.168/lib/mm/memlock.c 2016-11-30 18:17:29.000000000 -0500 -+++ LVM2.2.02.168/lib/mm/memlock.c 2017-04-12 08:18:18.533783802 -0400 +diff --recursive -u clean/LVM2.2.02.168/lib/mm/memlock.c lvm2.2.02.168/lib/mm/memlock.c +--- clean/LVM2.2.02.168/lib/mm/memlock.c 2016-12-01 00:17:29.000000000 +0100 ++++ lvm2.2.02.168/lib/mm/memlock.c 2020-01-09 13:23:14.017310025 +0100 @@ -150,6 +150,7 @@ static void _allocate_memory(void) @@ -9,7 +9,7 @@ diff -u --recursive ../clean/LVM2.2.02.168/lib/mm/memlock.c LVM2.2.02.168/lib/mm #ifndef VALGRIND_POOL void *stack_mem; struct rlimit limit; -@@ -208,6 +209,7 @@ +@@ -208,11 +209,14 @@ for (i = 0; i < area; ++i) free(areas[i]); #endif @@ -17,7 +17,14 @@ diff -u --recursive ../clean/LVM2.2.02.168/lib/mm/memlock.c LVM2.2.02.168/lib/mm } static void _release_memory(void) -@@ -288,7 +290,7 @@ + { ++#if 0 + free(_malloc_mem); ++#endif + } + + /* +@@ -288,7 +292,7 @@ if (lock == LVM_MLOCK) { if (mlock((const void*)from, sz) < 0) { @@ -26,9 +33,9 @@ diff -u --recursive ../clean/LVM2.2.02.168/lib/mm/memlock.c LVM2.2.02.168/lib/mm return 0; } } else { -diff -u --recursive ../clean/LVM2.2.02.168/libdm/libdm-stats.c LVM2.2.02.168/libdm/libdm-stats.c ---- ../clean/LVM2.2.02.168/libdm/libdm-stats.c 2016-11-30 18:17:30.000000000 -0500 -+++ LVM2.2.02.168/libdm/libdm-stats.c 2017-04-10 16:50:01.622529656 -0400 +diff --recursive -u clean/LVM2.2.02.168/libdm/libdm-stats.c lvm2.2.02.168/libdm/libdm-stats.c +--- clean/LVM2.2.02.168/libdm/libdm-stats.c 2016-12-01 00:17:30.000000000 +0100 ++++ lvm2.2.02.168/libdm/libdm-stats.c 2020-01-09 13:23:14.017310025 +0100 @@ -17,7 +17,24 @@ #include "dmlib.h" @@ -90,9 +97,9 @@ diff -u --recursive ../clean/LVM2.2.02.168/libdm/libdm-stats.c LVM2.2.02.168/lib buflen += id_len + 1; /* range end plus "-" */ } buflen++; -diff -u --recursive ../clean/LVM2.2.02.168/libdm/Makefile.in LVM2.2.02.168/libdm/Makefile.in ---- ../clean/LVM2.2.02.168/libdm/Makefile.in 2016-11-30 18:17:30.000000000 -0500 -+++ LVM2.2.02.168/libdm/Makefile.in 2017-04-10 16:50:01.622529656 -0400 +diff --recursive -u clean/LVM2.2.02.168/libdm/Makefile.in lvm2.2.02.168/libdm/Makefile.in +--- clean/LVM2.2.02.168/libdm/Makefile.in 2016-12-01 00:17:30.000000000 +0100 ++++ lvm2.2.02.168/libdm/Makefile.in 2020-01-09 13:23:14.017310025 +0100 @@ -56,7 +56,8 @@ CFLAGS += $(UDEV_CFLAGS) $(VALGRIND_CFLAGS) @@ -103,9 +110,9 @@ diff -u --recursive ../clean/LVM2.2.02.168/libdm/Makefile.in LVM2.2.02.168/libdm device-mapper: all -diff -u --recursive ../clean/LVM2.2.02.168/make.tmpl.in LVM2.2.02.168/make.tmpl.in ---- ../clean/LVM2.2.02.168/make.tmpl.in 2016-11-30 18:17:30.000000000 -0500 -+++ LVM2.2.02.168/make.tmpl.in 2017-04-10 16:50:01.626529699 -0400 +diff --recursive -u clean/LVM2.2.02.168/make.tmpl.in lvm2.2.02.168/make.tmpl.in +--- clean/LVM2.2.02.168/make.tmpl.in 2016-12-01 00:17:30.000000000 +0100 ++++ lvm2.2.02.168/make.tmpl.in 2020-01-09 13:23:14.017310025 +0100 @@ -142,7 +142,7 @@ M_INSTALL_PROGRAM = -m 555 M_INSTALL_DATA = -m 444 @@ -126,9 +133,9 @@ diff -u --recursive ../clean/LVM2.2.02.168/make.tmpl.in LVM2.2.02.168/make.tmpl. LVM_VERSION := $(shell cat $(top_srcdir)/VERSION) -diff -u --recursive ../clean/LVM2.2.02.168/tools/lvmcmdline.c LVM2.2.02.168/tools/lvmcmdline.c ---- ../clean/LVM2.2.02.168/tools/lvmcmdline.c 2016-11-30 18:17:32.000000000 -0500 -+++ LVM2.2.02.168/tools/lvmcmdline.c 2017-04-10 16:50:01.626529699 -0400 +diff --recursive -u clean/LVM2.2.02.168/tools/lvmcmdline.c lvm2.2.02.168/tools/lvmcmdline.c +--- clean/LVM2.2.02.168/tools/lvmcmdline.c 2016-12-01 00:17:32.000000000 +0100 ++++ lvm2.2.02.168/tools/lvmcmdline.c 2020-01-09 13:23:49.057418263 +0100 @@ -1817,6 +1817,7 @@ { int err = is_valid_fd(STDERR_FILENO); @@ -145,3 +152,12 @@ diff -u --recursive ../clean/LVM2.2.02.168/tools/lvmcmdline.c LVM2.2.02.168/tool return 1; } +@@ -2023,7 +2025,7 @@ + */ + dm_set_name_mangling_mode(DM_STRING_MANGLING_NONE); + +- if (!(cmd = create_toolcontext(0, NULL, 1, 0, ++ if (!(cmd = create_toolcontext(0, NULL, 0, 0, + set_connections, set_filters))) { + udev_fin_library_context(); + return_NULL; From 23d012640739d5a85fbf2afe307e50d3bd281b88 Mon Sep 17 00:00:00 2001 From: Francis Lam Date: Thu, 16 Jan 2020 09:30:15 -0800 Subject: [PATCH 36/52] kexec: update to 2.0.20 Fix issue with kexec failing to load the target kernel when building with musl-cross-make --- modules/kexec | 4 +- patches/kexec-2.0.16.patch | 89 -------------------------------------- patches/kexec-2.0.20.patch | 76 ++++++++++++++++++++++++++++++++ 3 files changed, 78 insertions(+), 91 deletions(-) delete mode 100644 patches/kexec-2.0.16.patch create mode 100644 patches/kexec-2.0.20.patch diff --git a/modules/kexec b/modules/kexec index d2311c218..18f27dcf0 100644 --- a/modules/kexec +++ b/modules/kexec @@ -1,10 +1,10 @@ modules-$(CONFIG_KEXEC) += kexec -kexec_version := 2.0.16 +kexec_version := 2.0.20 kexec_dir := kexec-tools-$(kexec_version) kexec_tar := kexec-tools-$(kexec_version).tar.gz kexec_url := https://kernel.org/pub/linux/utils/kernel/kexec/$(kexec_tar) -kexec_hash := cf17fc99bf77c9b39f06ee88ac0e86d0349c4a0c3f8214a3cc78eece872f6f3a +kexec_hash := cb16d79818e0c9de3bb3e33ede5677c34a1d28c646379c7ab44e0faa3eb57a16 kexec_configure := ./configure \ $(CROSS_TOOLS) \ diff --git a/patches/kexec-2.0.16.patch b/patches/kexec-2.0.16.patch deleted file mode 100644 index fc9a2579e..000000000 --- a/patches/kexec-2.0.16.patch +++ /dev/null @@ -1,89 +0,0 @@ -diff -u --recursive clean/kexec-tools-2.0.16/Makefile.in kexec-tools-2.0.16/Makefile.in ---- clean/kexec-tools-2.0.16/Makefile.in 2016-12-09 04:42:06.000000000 -0500 -+++ kexec-tools-2.0.16/Makefile.in 2018-02-28 05:39:20.461000000 -0500 -@@ -158,16 +158,16 @@ - - # kdump (read a crashdump from memory) - # --include $(srcdir)/kdump/Makefile -+#include $(srcdir)/kdump/Makefile - - # vmcore-dmesg (read dmesg from a vmcore) - # --include $(srcdir)/vmcore-dmesg/Makefile -+#include $(srcdir)/vmcore-dmesg/Makefile - - # - # kexec_test (test program) - # --include $(srcdir)/kexec_test/Makefile -+#include $(srcdir)/kexec_test/Makefile - - SPEC=$(PACKAGE_NAME).spec - GENERATED_SRCS:= $(SPEC) -diff -u --recursive clean/kexec-tools-2.0.16/include/config.h kexec-tools-2.0.16/include/config.h ---- clean/kexec-tools-2.0.16/include/config.h 2017-11-20 04:17:12.000000000 -0500 -+++ kexec-tools-2.0.16/include/config.h 2018-02-28 05:39:22.420000000 -0500 -@@ -17,7 +17,7 @@ - /* #undef HAVE_LIBXENCTRL */ - - /* Define to 1 if you have the `z' library (-lz). */ --/* #undef HAVE_LIBZ */ -+#define HAVE_LIBZ 1 - - /* Define to 1 if you have the header file. */ - #define HAVE_MEMORY_H 1 -diff -u --recursive clean/kexec-tools-2.0.16/kexec/kexec.c kexec-tools-2.0.16/kexec/kexec.c ---- clean/kexec-tools-2.0.16/kexec/kexec.c 2017-03-02 04:45:46.000000000 -0500 -+++ kexec-tools-2.0.16/kexec/kexec.c 2018-02-28 10:40:01.662000000 -0500 -@@ -794,6 +794,27 @@ - if (sort_segments(&info) < 0) { - return -1; - } -+ -+#if 1 -+ // force segment 0 to have memsz == bufsz -+ // so that it won't overwrite EBDA -+ if (info.segment[0].mem == 0) -+ { -+ if (kexec_debug) -+ printf("hack ebda into segment 0!\n"); -+ -+ uint8_t * ebda = calloc(1, info.segment[0].memsz); -+ memcpy(ebda, info.segment[0].buf, info.segment[0].bufsz); -+ info.segment[0].bufsz = info.segment[0].memsz; -+ info.segment[0].buf = ebda; -+ -+ // install some default EBDA values that are off scale, -+ // which will force Xen to use the multiboot info -+ *(uint16_t*)(ebda + 0x40e) = 0xFFFF; // segment -+ *(uint16_t*)(ebda + 0x413) = 0xFFFF; // size -+ } -+#endif -+ - /* if purgatory is loaded update it */ - update_purgatory(&info); - if (entry) -diff -u --recursive clean/kexec-tools-2.0.16/purgatory/Makefile kexec-tools-2.0.16/purgatory/Makefile ---- clean/kexec-tools-2.0.16/purgatory/Makefile 2017-01-31 06:23:48.000000000 -0500 -+++ kexec-tools-2.0.16/purgatory/Makefile 2018-02-28 05:39:20.461000000 -0500 -@@ -44,7 +44,6 @@ - mkdir -p $(@D) - $(COMPILE.c) -o $@ $^ - --$(PURGATORY): CC=$(TARGET_CC) - $(PURGATORY): CFLAGS+=$(PURGATORY_EXTRA_CFLAGS) \ - $($(ARCH)_PURGATORY_EXTRA_CFLAGS) \ - -Os -fno-builtin -ffreestanding \ -diff -u --recursive clean/kexec-tools-2.0.16/util/Makefile kexec-tools-2.0.16/util/Makefile ---- clean/kexec-tools-2.0.16/util/Makefile 2010-07-29 05:22:16.000000000 -0400 -+++ kexec-tools-2.0.16/util/Makefile 2018-02-28 05:39:20.461000000 -0500 -@@ -2,7 +2,7 @@ - - $(BIN_TO_HEX): $(srcdir)/util/bin-to-hex.c - @$(MKDIR) -p $(@D) -- $(LINK.o) $(CFLAGS) -o $@ $^ -+ $(BUILD_CC) $(BUILD_CFLAGS) -o $@ $^ - - $(BIN_TO_HEX): CC=$(BUILD_CC) - $(BIN_TO_HEX): CFLAGS=$(BUILD_CFLAGS) diff --git a/patches/kexec-2.0.20.patch b/patches/kexec-2.0.20.patch new file mode 100644 index 000000000..9e940494a --- /dev/null +++ b/patches/kexec-2.0.20.patch @@ -0,0 +1,76 @@ +diff --git ./Makefile.in ./Makefile.in +index fb01134..bf1973e 100644 +--- ./Makefile.in ++++ ./Makefile.in +@@ -157,12 +157,12 @@ include $(srcdir)/kexec/Makefile + + # vmcore-dmesg (read dmesg from a vmcore) + # +-include $(srcdir)/vmcore-dmesg/Makefile ++#include $(srcdir)/vmcore-dmesg/Makefile + + # + # kexec_test (test program) + # +-include $(srcdir)/kexec_test/Makefile ++#include $(srcdir)/kexec_test/Makefile + + SPEC=$(PACKAGE_NAME).spec + GENERATED_SRCS:= $(SPEC) +diff --git ./kexec/kexec.c ./kexec/kexec.c +index bc6ab3d..b82725b 100644 +--- ./kexec/kexec.c ++++ ./kexec/kexec.c +@@ -805,6 +805,27 @@ static int my_load(const char *type, int fileind, int argc, char **argv, + if (sort_segments(&info) < 0) { + return -1; + } ++ ++#if 1 ++ // force segment 0 to have memsz == bufsz ++ // so that it won't overwrite EBDA ++ if (info.segment[0].mem == 0) ++ { ++ if (kexec_debug) ++ printf("hack ebda into segment 0!\n"); ++ ++ uint8_t * ebda = calloc(1, info.segment[0].memsz); ++ memcpy(ebda, info.segment[0].buf, info.segment[0].bufsz); ++ info.segment[0].bufsz = info.segment[0].memsz; ++ info.segment[0].buf = ebda; ++ ++ // install some default EBDA values that are off scale, ++ // which will force Xen to use the multiboot info ++ *(uint16_t*)(ebda + 0x40e) = 0xFFFF; // segment ++ *(uint16_t*)(ebda + 0x413) = 0xFFFF; // size ++ } ++#endif ++ + /* if purgatory is loaded update it */ + update_purgatory(&info); + if (entry) +diff --git ./purgatory/Makefile ./purgatory/Makefile +index 2dd6c47..2de8f07 100644 +--- ./purgatory/Makefile ++++ ./purgatory/Makefile +@@ -44,7 +44,6 @@ purgatory/sha256.o: $(srcdir)/util_lib/sha256.c + mkdir -p $(@D) + $(COMPILE.c) -o $@ $^ + +-$(PURGATORY): CC=$(TARGET_CC) + $(PURGATORY): CFLAGS=$(PURGATORY_EXTRA_CFLAGS) \ + $($(ARCH)_PURGATORY_EXTRA_CFLAGS) \ + -Os -fno-builtin -ffreestanding \ +diff --git ./util/Makefile ./util/Makefile +index 948ee63..833a897 100644 +--- ./util/Makefile ++++ ./util/Makefile +@@ -2,7 +2,7 @@ BIN_TO_HEX:= bin/bin-to-hex + + $(BIN_TO_HEX): $(srcdir)/util/bin-to-hex.c + @$(MKDIR) -p $(@D) +- $(LINK.o) $(CFLAGS) -o $@ $^ ++ $(BUILD_CC) $(BUILD_CFLAGS) -o $@ $^ + + $(BIN_TO_HEX): CC=$(BUILD_CC) + $(BIN_TO_HEX): CFLAGS=$(BUILD_CFLAGS) From d63d5b4508072fef03223342879e349e97860587 Mon Sep 17 00:00:00 2001 From: Francis Lam Date: Thu, 16 Jan 2020 09:30:48 -0800 Subject: [PATCH 37/52] modules: update to use full commit id The short commit id can cause the tar archive potentially cause the root directory in the archive to be named with the short id causing the verification to fail --- modules/msrtools | 2 +- modules/musl-cross | 2 +- modules/tpmtotp | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/msrtools b/modules/msrtools index 6cfc30c2c..8a9b6b5b2 100644 --- a/modules/msrtools +++ b/modules/msrtools @@ -5,7 +5,7 @@ msrtools_depends := $(musl_dep) #msrtools_version := git #msrtools_repo := https://github.com/osresearch/msr-tools -msrtools_version := 572ef8a +msrtools_version := 572ef8a2b873eda15a322daa48861140a078b92c msrtools_dir := msrtools-$(msrtools_version) msrtools_tar := msr-tools-$(msrtools_version).tar.gz #msrtools_url := https://github.com/intel/msr-tools/archive/msr-tools-$(msrtools_version).tar.gz diff --git a/modules/musl-cross b/modules/musl-cross index 617c66e3a..f9cf79db0 100644 --- a/modules/musl-cross +++ b/modules/musl-cross @@ -4,7 +4,7 @@ ifeq "$(MUSL_CROSS_ONCE)" "" MUSL_CROSS_ONCE := 1 modules-$(CONFIG_MUSL) += musl-cross -musl-cross_version := 38e52db +musl-cross_version := 38e52db8358c043ae82b346a2e6e66bc86a53bc1 musl-cross_dir := musl-cross-$(musl-cross_version) musl-cross_url := https://github.com/richfelker/musl-cross-make/archive/$(musl-cross_version).tar.gz musl-cross_tar := musl-cross-$(musl-cross_version).tar.gz diff --git a/modules/tpmtotp b/modules/tpmtotp index 6c870ca42..433df8ceb 100644 --- a/modules/tpmtotp +++ b/modules/tpmtotp @@ -5,7 +5,7 @@ tpmtotp_depends := mbedtls qrencode $(musl_dep) #tpmtotp_version := git #tpmtotp_repo := https://github.com/osresearch/tpmtotp -tpmtotp_version := 18b860f +tpmtotp_version := 18b860fdcf5a55537c8395b891f2b2a5c24fc00a tpmtotp_dir := tpmtotp-$(tpmtotp_version) tpmtotp_tar := tpmtotp-$(tpmtotp_version).tar.gz tpmtotp_url := https://github.com/osresearch/tpmtotp/archive/$(tpmtotp_version).tar.gz From c3213e150a16bcacd1fea8d189efbe1be69573b5 Mon Sep 17 00:00:00 2001 From: Francis Lam Date: Thu, 16 Jan 2020 09:33:41 -0800 Subject: [PATCH 38/52] initrd: update distro keys Update distro keys to the latest with updated expiration dates --- initrd/etc/distro/keys/fedora.key | 360 ++++++++++++++---------------- initrd/etc/distro/keys/tails.key | 186 +++++++-------- 2 files changed, 262 insertions(+), 284 deletions(-) diff --git a/initrd/etc/distro/keys/fedora.key b/initrd/etc/distro/keys/fedora.key index e14b4cadb..684a758a0 100644 --- a/initrd/etc/distro/keys/fedora.key +++ b/initrd/etc/distro/keys/fedora.key @@ -1,194 +1,172 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -mQINBFfTPiIBEACnRl8tUymlDOBNJWjtICofXNyM4qt2qfGTme3YZ0ZVOay55pK6 -1OLiyNLXyJfDH9d2U6dZn5UYLNdE3QXRVua5GXlSituY0+pzs7n9doW/U8kdhm9a -zOfyR1Wh/u/FHUmiXUvuwLVzqee7lSU3Ry1voDzPIyM/3/eXDa4wAkbYuestYV2F -G2VqcMgDIEudYlkz6N1OigMWvkvYXFHVC1A55ydHenWffQzQaPpGuJLA61ARZ5Cu -X46xgOCPc+aSvAm/D0cmOS7xhZcUqs1A5uGtViZqsRt59Bp0HVNxftfBCO/rQx+9 -FrV1vYXkbTdzG3unlVCJxxC2dW2W6hb3SNgPbE5fgiG9twvVU+3GsFUwARclRWiZ -HjbWdjlRTkRySzkkdnXalJo3G4UAEDfkvujM2dB4Dt6gVkCPvSKVpK6HTtBdHmDO -scYfazX/j86somO9npHSrb11tYaLbx2PYfEvw6F7rsxr78/GBjzPnKkK3suXxDlS -8q7tT1FYV89EzjME5+ThJOyPxyXHKQQwozIXcB/BUfyWGlfFFh8baD+DA8lNgQvl -/TVFvW6bUV6ll5JoVJJhC87EACL7mlo6AQtwCivUEPxusVXM6u53UKbsc4gVdkZd -WpUyT2YsgKK05/eVDIkMLHXb3efVbJ6NCj88Fq6hYB7+Y5MRbRFJpvS4DQARAQAB -tDxGZWRvcmEgMjYgUHJpbWFyeSAoMjYpIDxmZWRvcmEtMjYtcHJpbWFyeUBmZWRv -cmFwcm9qZWN0Lm9yZz6JAjgEEwECACIFAlfTPiICGw8GCwkIBwMCBhUIAgkKCwQW -AgMBAh4BAheAAAoJEIEqa0tk2rhdFk8P/1WZFEEBfUr9ywRxeVAwiKx9Ggzf8m61 -p98spnUGj8N53bKwguKnMqAUtm9/XQPRGYRfqKKuKF/4AySCOmqFP86zHThnbFcb -fMyiJOxBN5N/5dhUxTkZG1M51vFPQx53dnea3w7ypJekTwfEna46PKUD7dTV3HJg -d2YOojD9mxup0iAmi7/3mi0cHwTCZS9FF/A4eBWjuEd4OM3KzPF7HBdY37a1IBLR -k7wruMEGSq6EXcoeqG2sMmU7RnEeQxy3WqMYdRdzUjbfBN7mCAcuv2yKB1FFW4/v -PhP7ObpCCLiaL46APdGFHZ30EC4oaeqSygJ8+zAIFK40t/a0iNNf8ZKKeeuasinr -qNJAep/WoVjIpx/LlF9vw522fhYXJ75LYLBCQNke/4rQ1Rl29io2Dg29aPrEwFPj -+7zDztdvaGmu5wLPvsC+w5pyqOT2LPC19y3D7T+KfXp0gEwyZedviDwZdIXz1PX1 -IMytlwRXlrhkp/2WzJvAkJCmRSb8QsxY9Y2A4rfqrNCk6kgjc+3pXNdxumaXEp33 -pjm+z61Qrg2XXFHUhQyRiBnEtyo2Hj3tJQdrPxwGIgtKFZCv+oAwewnMw9TFycI6 -rYEfS4wdAIOGoSF/PL9Eq2xoUJQw8QFCrURm7sfS0/VmvXoSjqzZLeWI4e+JvId0 -QFFBR5ZKOqzomQINBFeocJYBEAD0YKTqzt0QVgmHkRO0G8HpwdsNEzPANkDWe4KC -1YnKTDjl4ojvBfGc4bzLb+jXM4364DWGxArW6QJFW0DWI9DsK8+5TO+Zi9xtLi5B -XKImw2cYh7HKbCdNtBxT3xI1UVUuAkL8qbschWTUKgLYC1ywwjiFmjY7fEUpr3jz -QrhYxazqN0NvR/lq9k3VAetXTRfOEOhUrIhrTRQnsK58rspF4nWqZTj6D8jkSGcQ -qs9D3/btbsx69QkFKIIfxvfZxIHccaYfJhjgNU75b4Zl6NQvRm0jB8jpFqMTvG7z -vwubRiCku0YST+jy5RiZyaL5Yue0RP8dW0xfsVdRE7zsNaTRuvwVOBfXIFuGj81q -0JrO7G5HW2Kmo2byOeqidPyrlFtJv1PfByUFKIZ530HM4mnVH8193ZbravjJCpj1 -Ye07cq0yy0Nt2rvEpi63EYCBOaOQ9SJaYf77SZlZj/r7W2Hnnn40RqfzRUS3EAIu -cx1KtqNly5B4zm56J8I9rPmqf/zfj+0/kGj8YRm8MP2+F7Se836PGF5d3zjazamc -f0ORQmG67dwqddB+a5JhAxWl8OlFNsNBdRnu4qY3i6jK8jhI4U6NwQYEcWmnEeK5 -rbU20lEKPKla+1bK5OlU02JINuS0iXyCMEYyLdheCRQVGXGADVgXy790nTb/IpGV -mDj7lQARAQABtEBGZWRvcmEgMjYgU2Vjb25kYXJ5ICgyNikgPGZlZG9yYS0yNi1z -ZWNvbmRhcnlAZmVkb3JhcHJvamVjdC5vcmc+iQI4BBMBAgAiBQJXqHCWAhsPBgsJ -CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBFYP1NO5IdCWGXD/wOG5fluN233GHQ -sZ1WQneDaq/zi/GyyNelbR5TVJhmZ/ifi51EGx4/w6ZdWokmVQ6UejatdeQCQhlF -lF1g9Ax/oYoEbdJVmFRP7HzXqWcENXnCSXcpha3C1N8g12a1B3qew0gbuRbhwnnz -cDUQSSrcefS1XpnhRmDUt7WanbWOWQ6kktYdAkfVd2/k/Y5nHUZp25mnjsNPbsff -ev6xTdUB4dVkirBR4quMYwDXzzKKLz5E7pZB94C8WUCAYPOKM5pCuJR3L4pAjHGj -UyrSSxAaCepfiwJcCOQHMJY7CpuRqmhc1o3BaV8nO1HWMzbI78RChYshKCDY38Cz -h6SoeMJzaKUDAsvz7tNhOl816s0dbtVw43Ngou7G7tOxmnI47AMNHBuBbA/qKRg6 -et96lWcjmJiS1xks4FZFSEoA9BzH2G9o5LgYKKTRZIRPVZ61nsKa+as4E5oyDbXn -UmnbanrfUvALL+vOYTEeFCB7qif2Ek58ujIQBLczmU+2S74pdQlu7kSYnrqNkkRx -FOgFWt5udiOw5R2vnUO2VAISDlUnkgyHp2SUnHAE2Q4StccvR9JeZUH9IuVioN/n -AwzYTTKyOiZXzipkxwznSjukiS4WPqdnLrTCNQ7WPpyygQDS/Z1DLt/+Rdxz4wkX -76JjNVL+8hBF07H2vzBvtkCoZXEQ17kCDQRXqHCWEAgA6UwG6HiPE0EY3UpaAJDQ -SibtS5zaId0H8SXhdAk3ZVtzbskmI8FVuAyi6+Phl9Ps2RjVR88p9Uk6dV2QnRp8 -DpXQFeGfjMkfokl5TmnGu5txXWMGdGeiAs/VlMzRuUZI05fJR6eeA8gn4wpBPmuX -BgFre/3tuMxuahBLIhrLuThMMKZrfV42zaYN9waddnN+upM96aKQziNbmU7CSVGX -K1wKtvbSF51BXeO7w7KdTspKedjVLMhWrlUEAKmdeZDj+9slw4QXpqWMP8vmmIxb -rYXm94r6IgYFKYk1eZ2t8JbNdjFfRKGLKsPI2W9uH8+fI9/Xqw+mSwFMGqruBpmx -ZwADBQf/R2o8TOghFlNt90wrfP0XaumUP+aZLvb6ndjESTS7PaX1R1wsHtPaVDWn -aTgfA66rrCp/66vmKf6uHlPeUx0RREaIJ56uKP3n0x8HDn1ZBba83NoriWdVqar6 -f3+UBoZ0u1GBK/F8vG70Xj3x0dJ2psFP62yrDg5z+/TCM+o7EnUl5KYOpa3R25W6 -UEHoEexUIqxZp9+4FGH7+aO2LKbslEL3AVgraUBiFknJl7ikH3ZxljiFVigjBq/J -N2F5CrmeAhdAZedF3lE/epQ+LSQ+TTN7ukGt2l37aJDTRGNHqe6KCy9KqIBr8XAa -z9mJ34QF4hB/tDUSGQP5eg93ecG5PokCHwQYAQIACQUCV6hwlgIbDAAKCRBFYP1N -O5IdCQHSEAC4g0BMaQu5qzLHeh/bFXtxT4vFucXLAenyLH+oIEo43crSUpjQiXzB -itUc9sWMX7/mjj8EWOGbIQNYZO712Ei7fPO7u/auZ7qIlVUKlEHZ+du1ORC5+khK -rimgjP/ZIhTYKHiIJD3BLs2rEGXdx3TQCYRIgRm066KKZ2gQy3YHngqipmOzvz9j -4ctpmD6NabgX3eWjUCzxofd3m67c6sQVKxUNQzujCgtaLIClYQEMO0E7Xq9auq9L -OvD+40dLE63jfYKSIvsQ+3qUmT0CEfk5K3GDYC30xQU4cvqCybOreSTQR0L/f/wU -bTYt7Iyj/8eZwfi9wh2zVY2MOoe2zT6XIW2oKJFD9ka7IZsezMR4PBhEGCg69uWb -PXbwIP3har1pzIrwR1Uto9qCosupnkz3+ILQOiGxY5vtKXUr/0ulQ3gjZiLNL12m -5MvnAUg4aoms0W76wYUQG/NnccBzKE9hUAlgSak8n0gZPSRbG0wjOIcbE/arSpQ2 -k8WkwxkcUuHfOnBq/2ME1njWkNp+h+F/ifZcwcBiRNZ+S8Y/kV2kh36pjkic4mCc -4JjoNLxMic3Jpbf15Q8X0mgDbp1RVPtm4QTagq3kXRGjFpVaUfJF6ZdzPBm5qJ6F -7ZX9p/av2zCpAw7ZjY7u8pfCZttaiaHYd6KYgPX5LEQK5QSTxy/JNJkCDQRYrJKj -ARAA027KAF6Qz5PhbXMARD2UFXtGEGHTqmr30EFQ/0WAHB5yVvytW2YULrAY1CHn -PUnxot7gTTZm84gL6Xf8nDCslh7lkC5gYGyJq6pz2wTzF5sXjRp2YwNYY1Q6dKc4 -9voGUIamFkn+pEMvbvQNZklOtypf7X8O/oV+03NyPH3hgBQh3BUIBEsVIm/DMPzj -hkdwJvXynQPitZCXkCImb1zHDRcftwn6Gr4RXYnLqE9im3Ers0Zu+nbijR5S2j+v -yG2cTYg1ofEg1aRWhT5akf0f/sImwOnvcDH+gmeL31GOzSmH+LWAbNBGHZJ94/yo -SScXW/jOOkP8cKvaL2aO1yIS6yFD7jMPdV/XG75FP2vZBNX33aTZhdXw51HBJLrh -KjpfmjFbFARGwEPOsq8KQ3y+F0/b8JwyJIICmcrw02eqtNFyoNxnqyrmbUAZf2HB -w17gZQdX86RpfGvIav/hnk9rFcY5WMD1467CndTXj+nLULEeoB7j91uaIT+KwK7T -OjjTfK5U4qHQy1RhwaVMyEXYK+0Qi9QKgfb63UNjFWTGrE3FJ1LyqNB+JqbPsdOY -xmqNG9GdEyXOsK+smxx9/DVRtOlV+ayWZX2XIRsJFs5mMWouef+5Z9byZpPpG3Uu -6StI35nlSfAO+1ywi9+qCRQogq2I1fmRoLwfs9PCc8HO7IMAEQEAAbQsRmVkb3Jh -IDI3ICgyNykgPGZlZG9yYS0yN0BmZWRvcmFwcm9qZWN0Lm9yZz6JAjgEEwECACIF -AliskqMCGw8GCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEPVedDD1KC7k3MMP -/ixT1RMlYLjHlP0AARLBORRDe5HA0XmbXcKu6f2igtvZswsXh4IIrWDhpayDZCdu -gKuqfqFusOycQViZyqEwWCQxczSG6f+hmxuKCnBJ1kGX050S06+WrpFXVgRXr8wt -Ibq2qGys946GESF/NulVM0vwONfM6Zw1T7aaN8fOlfX9vdq6otrZ/UOXEAuQpN/3 -I0AxMJDfYB8+I/3NaGuswTnB2ypGmXVgNnSLOlzsQiB4O/IulUMDDLPr35tr21dw -AgnDlZ3d3ejcSELgyxEMHbXQdsyPEe+G42nKLK3Gnyvhdg55DO1qy0gokyiyQTEQ -8fl9pzo0+aS7rbOBQv12ETtt0jLTwDM0POdmdZZI7GlQ7I8zagmrFAdLwzxy0BPG -o9M3ITQUs7h6CqVzWE8ic7XpFi/0F5FLF7tMezeVoQZWfpZ4ui7WVOdZewSXdZ/m -Sp0OIJo0NX31S24M2/WdTDY3tLOtRXSplCUBlC2Kod9luBlfkS77SOgCVfxJhQlB -H0Sd3gPLSYsinuddsIopv1g4b8xbrjwbqdmd07n4miUDsrC5Tefh1EIrU7XHe4/G -YKbCACGbUljjMWyACVm85/II3yI+GQ3qNGWVx9FYA5F7ab9YPEdmkQM+qG+WGFuV -ZyNlBK+d8dWe5ZlIb/01GZ9uiHlNeowifNJO6Sb0EhfGmQINBFmSAVYBEADakUeJ -gNnAP2CE3vw+iI0Um9XvuBP6NdESRiJIEPgXhKWM058JPZDkpRETS4pbB3xUyPLo -ogoO76lheBEOPEAGp5mb/7vEcwlYqjtuetFi9hcsbNPxDeOLQ9KR7Xs2idU+DlCJ -W1WyU9UiLoyZpQgAqF7Y50MoxPKJtfDuM52YkulYLU+MleRtxJzHYcXArU3x3Czz -1FnemVtol3/1/BvmGQPIyj2HdG4vxWbiX79AUSlchh+MbNqOOpVVK16lLEbJCxCb -PdCsKCTOI+FsdQsB4bnX5ddNcvxxACwHNUifVD/1XH8Ax77DHohRbccRtIZqZEIK -ecHxVyFdr2mAl9mEXSzaFvRzWa+5seCgGoV0INBhj6NEtHhSxBYzLmr5noQ8JNPa -6eRipPvYTle2vstq2YUJ8D0ZbKbxaCPstemCQZrQKzh0tgezIgVXKc2U0i3ZOEYf -4ISMHeBnH36nRMBnaH/HkLyZyHXNE4vswJpwPjNtaofzQDD+TmCe2ObKei8iUqfL -o/8Je8IvnodS9C5l0fyEaMmo5BWc+SYRSTR9libNruwu4j6Kuoxge9SbRuD2S0qz -KK2LYRZrlkxjP8REnpvXxUfeSvNYHrbjzYDv677S6pqWdNqyoPduKiZWy6Vg4g+p -Ymk5T7vrpNizGK6exKiYZ5tAUaO3lrdpHOolUwARAQABtCxGZWRvcmEgMjggKDI4 -KSA8ZmVkb3JhLTI4QGZlZG9yYXByb2plY3Qub3JnPokCOAQTAQIAIgUCWZIBVgIb -DwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ4I5+Yp22L7GMDhAAwwQhpXFX -xegkgi0pFbA98Om3UBiQtcDemQSls0HEJh+J9sm4g0Sj2K7khFnJCKsQNVnJDVxv -xJ9j/AFZErRMjudUF7ACZfKDtNxq3gkH7qICPKk/DzeXblrzPc/RX+kkl9I5jFBh -apypsExa2yilfk8IiKq6nd2Ro7K+gEh/CMhfe7YBGInZ3FmZWsq1+WKTZCUNmA8+ -+eWIbmukrAoieTHTvIcOmc+dfaUAmjWtOnc69E9UmTCwEMEbPVMSmZv0qnp0kByW -UeV5cZR7NoXmaMaTr5aUY6wJuLshbWzgmudorf1udUwqYlpxZJtQCxlHezulrDJG -19d4dC5vGdYbnpeq01s9L9yieccKafWfldBU+YBZbo9e9Uzu/766pxEAtqYYSyZb -oiqsj5NCoq2fRc4DjfCDVEaK7HSPcQpQFA+p18sD2qccEPPo+F2+M8PZLf4khipG -RH1nm9AmM/v25a/9w22bDuUUvpcWwW45YsNToTTM4d6Ts750lCw/4K3jHnrQWxL7 -VfwLw0H1xlxnVqIXlL3HeOIn9EoaygxV2gJtPjB/Gwr2z/K+HoibAxvo7VcpxD+N -38LaPtrx/ERMxeYBJvMgSqGaC3MXj36/qv0zTyyTItYX9JfbOrikoJa+aKQGmTWL -rcuKaYl6Jzsq3vRTbNRRi4SpXwTwMyuW4pWZAg0EWohlNwEQAKOHQMrLA93QfH0j -icZixtRuohTtMZmDFpP2OdVJGCRx19Gq3YI/sR21FvKqQxQrIvbcIvADP5hKZ/0V -/2fEFKXwWIpQI01ZRg7d9oQBmRnmt4OvqHpbhrSeIExZ9UuqZiOlmaRwGqAuCX7b -BWr38T0Wr1LMOS3NzNQXvDABauwpbmvAQSr6LyOToVJRM0ypZmrr3LsO+jHyTxAj -G2i7l0gvdnypB2Rz/TKdOzht1pz3gWwkEzrSopIc/bcxjumnA6XvC20CydojMFoI -PRQgzmq18UE0Vph94nmQfWt/43OAWMnzLUPGJl0Rfa3g7Je+G4BBK9jKi0OsnMJu -6yNdBgxhiqd8ZyoyZMKSAbFht19UZsyzfHWYw5tlYxBtv0cY3QpMFoV3ADsScwGs -IbLcj1bGeAYgYBM49aQ89RTGVoj2PDFPe2pvBhjkqfZGEPgJnKPhUhpC8Z0xqinT -U7vxBUUeF0fbhpuo24+tioQNn5pJOCdgUolykZKxFUv4rD/HXCKTw9jOkL203NTU -tEKL2OxfSmT2A4NKBsotavJkSBloh1wFwkPhTeyUON0F5MNjyklX3P2vvP6AU8Ac -upK0YqPaJxu/zR0wZN+BSbcepYRL9deiZf1lYDW1XRmU04zz8i6eYhLP0w2lzcsK -Glxxx9+Ot+9YF+iQMppc72oJSBy3ABEBAAG0LEZlZG9yYSAyOSAoMjkpIDxmZWRv -cmEtMjlAZmVkb3JhcHJvamVjdC5vcmc+iQI4BBMBAgAiBQJaiGU3AhsPBgsJCAcD -AgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCiCqVrQpR2tHtrEACW40dD3dPu7/IhBpMK -zi4Zv+MSDupubqFHHmeyqt2beoo2qfJcrrWec82gMk2TVaFnDDhF2u/EIM4bLI2E -ZJ6OO9czpEEMQ5j8qYPqG4+jzE3mLslUb4TaaXBMZ7sdKDjt3TAfJ0M1NEtCpPRV -memTFF7em5DgM00clkbVKxGX9J/ZUjVfIH+EdsUZstL0q8ffaUIgAC23p1sZNFkL -2CwYvpdH/qjsRTl+mPtTmtiINMVpiqaobbUtllX3G2oKgdwoSVjuNftF+aTxafUb -bMLZdHQtft5UfsYF5fDoluYtmPFKB3bfnMTWU1JpIswc4cxyBIdagQL1QvMtgm5N -qCMrdyOTRWQouhxqRFyxv120VzGBkZ1Ad8xfuYP16m4maoHhrpM5mgv+2Krbw5Fq -RRuNh8vP2eCep3+kmSf0w1ZzHLfIG051Nipx77rX9dCThxHa0fxXZ4/t8vxgxug2 -Q89txsqVy8ob9OBpLS1WsUxSYDXGYOKHN/qC6kAA2VwyRijSGb7PWEu+CqiynXih -Ohwl5csAVXDl3Gdv1uaqMHL7vu7+uqtjQSQtB31edeCjBRCXRFI1eBwgh8SRUGKk -v/ZgH4wUGYxApxMNdfuVz+GXpbgEWZWPYoeQ91nNQ4lBVh973RG3eF9cdWJTDXXy -GRNomGsI9XCQVtpRaxwQDY5oUpkCDQRL0ilCARAAyxp1I9uGVSlu5YhTfyQOQoLc -5TZyrO7AYO31WzVq8ohN1EW59SV763cB7ZCsmPev4n2dS3d5RNoDhetWxmdglsCT -Xnu+kqfWforD/EUF2xuY8I/+ATPRyu6YZLahVSfFW2No3043H8UbxjPGAcFxfIcd -Ag2VEQI739cUUkCe4gKOfKnB517cTgL0JgG0fc+kP4fw/mPz4aCCadTleFTRwmwr -PTOx1FQaYAudzw3E1ELsHIHmOqUIKPXk9XizUmVayeQXLYr5dVHA+j+giBpJHk9o -DYaop3UT54FFxl1u0M6Hn3vn1UKiUpu06tqvaKlWeOifeuMGgkSLUckqbluXcWTt -+FjOsLMNgT9jJQAmx+Jd5bqraV6Nwb355PhwBR9x3DLsHWrpcb+82ClwnzaEn4K6 -RH6NhMeCJvyN1nbcDBPxm58Hat1Sc4AMS1RYXMwx8DZI5iHTwJTSff4sUY4qeHYG -bVvFXAQqzaC/i4Q6yH475y3UbrwR8vT97AhexWcnGh5TFj+kYi7R5xDBnG2fEKUB -4tnUXlNcMq/UIILhlPo6kl2Gq9chHLHURmrKaTSGfPkGsG5v2uHaE9dExLTwK4Uq -B5cG76kw2I7X1fdpQv9osIDuoGIBvV6zuFfHVd/RX5u6CxX7024OZr+EPxOgFqP4 -JI5rcZHLpW8gL4xbWAEAEQEAAbQhRVBFTCAoNikgPGVwZWxAZmVkb3JhcHJvamVj -dC5vcmc+iQI2BBMBAgAgBQJL0ilCAhsPBgsJCAcDAgQVAggDBBYCAwECHgECF4AA -CgkQO0nfKgYIuJUfxg/8Cxj7/ajt/Xsm/TZa8HynVBKNbR8Sna4Tc/l2KzuMlQ0w -WUT0rry9smqHkiIUDioTT3xIE/ZnbG7IHH5qB8ZhlXJ/pW4XlrEr3IK17s9IC7fE -xhihhkTgKC16blLG9RzbShDsD0OM9bkNpzs+YS0cgzldCNi8GFfAYxiIwSlDBRFM -RU7C+1zmZKwIP1m0x9j1t4a30lrXEQOxGKJyNwfNHd/X38LO0psim0uT5mY6jj7k -71dhdLTISiIZ3AcKKI1mTxMX7R6SocylYfH3Qzv9z9ctRZNwop/FGwjvTFjBTUdu -31cwgDZRD5Y7BwPtxM+Be7m6BadDjhKL+GMouARG4KmZ7YUxuLm/Z8orqSGd3JDx -6951XA1BnC+pUA/55JjVSHi2D8dbhzzkpVn7qIwGIM0R+iy+yHYOBRxwQNLaOxVv -HUFxSDsjYiRQDk9o/D+frVXavMAdDw0h/MkaZ+B3SfUWKrmruDpI5bsTln9LkWkv -/0lHAmYftfygRDpnLwR2EWQOSZf52pAoMRm9qWkDs6qqTnByr5ci7szubsmzF2oq -SxMUxiVwZV622wEn12v8hmEgBolaxs/QhOuu+nTJZvBfrN11xNd0Ga15o5aHOo8D -pY53wJI0xl44gezlCxEnnfejEV7Xy5NFuQG/aXe7Sg0ekByO64B13wqKUZ2dlVWZ -Ag0EUq5ohAEQALVSmFfAyoIBqs9Qf9mw4WyVpt5NU7akOTlic73p/6uBkHvECsE5 -J5CTsH3SKpInzn9zvY4Cfg5di9PreB8J5ekmzkzt6ZeQ+w1BZZKO732Vb4CpI2aN -haGZGUtEaXQ47uAjCPvvp0he9ww0WXNI+PTQ3bECqMxuOWdXafZpsATmCrpWmo+8 -VdXJ+tVr+5qWiANWZ/qHa3hF2mJ+rypMewcVTfGkLP5Pr90ZYoZDjZlB9NoucMyN -OgCyZjQDJ6+QhtfqJlW3Ma9qdik9xZbhfREM9ymp8U1mTrjfEjiWxn5jYSv1i7lL -/zHSXL62aYiiRoTTDBt1S7vjRhNmMJ6yuhhaJGDnO5DbF8rEmhXkT4SH61jAYMmf -od9aFGCe51FHC+4njnO1hW0q6UrDxBCl3ZJNatxBAMlpFaacyihf88BNOMIETEH1 -2TPfwOu6+TsiQcy2wiqWQA5Ax2xfV3dOi/oETZcOMgbTMXEt24kZtXBz/qshz3lP -TnmPfoTPQeuPF2lMY44fFGowrmb1+UVtrHG0OdLvDvtarNbseMWsPRV5PHa+eOMa -pyEcRCl8OkU7NvwtMWGBiJ3JE1R+VBjflYs7Ms1X6lXd5DcmDXVQXB6VI0up9B+4 -VEZz7NzCQ2MeHnI++b2h1HUEh+onqwoY8Zu081ejsRExHKlbJHPTOLS3ABEBAAG0 -KEZlZG9yYSBFUEVMICg3KSA8ZXBlbEBmZWRvcmFwcm9qZWN0Lm9yZz6JAjgEEwEC -ACIFAlKuaIQCGw8GCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEGovrqI1LGTl -x8YP/iymqmxOO0MzuqnK0oscqu5m2+5aKq3lF+9P3DD0ZRQUxnhlkZfidReDj2qL -EMtrJZHx10b+zmTI6LcLS5f/qKfNpjJGD4GHvRuuopQrXgXUGus+Lb15op8b4a4w -W1d0EbZrs60+bDfK4qar0Sm/oHSY/oTkpJ29JFKola0ZwDrBFL/APNckQ0enmt70 -iybcJjJ2nLQYtEDnCjh88Hm4t1SEsRQO+HYor/98yONrejQv5I3Pw3RoNnKfkDEJ -T1EHcQdxN5wWCjLm6ZGP30Fmt5tHU077iAGuK8h928Ph8k180EdfCFIf0AIYI28e -ddWMdAX2IdYCkqREh6HwWvafl218kQXtIRfwZtfsVuxajb2RcytWA2oc3IOd8AFW -g+5uBB20lkmRVkCRoesy7wDK3BPrZDh42qYkjVpZtlA0jmNZipzpEq4Irr8X32q2 -EVP2Ak7Xv7JG4vpS/b++DNVHVEZ3BUsrCVSMY8CNh+WkJDBYwABLGK/24/Jg8dwS -tKttEbTCMh8BHe+6zU5I7HfFkdmlcV+ZBOwM/vNVE4vNX3xHcnAUDEnj/Gp443i8 -I8VTo6xPeVZDzDuKXmiFj3nCa6N+vqWTz2QTMl05PNyfsMFtSu7fcJAwYpncS+1G -OwLsUNsvTXurFL5lUD8caTJ+K7hymBXxVSduqXl4Bn7UuXoP -=PJUG +mQINBFturGcBEACv0xBo91V2n0uEC2vh69ywCiSyvUgN/AQH8EZpCVtM7NyjKgKm +bbY4G3R0M3ir1xXmvUDvK0493/qOiFrjkplvzXFTGpPTi0ypqGgxc5d0ohRA1M75 +L+0AIlXoOgHQ358/c4uO8X0JAA1NYxCkAW1KSJgFJ3RjukrfqSHWthS1d4o8fhHy +KJKEnirE5hHqB50dafXrBfgZdaOs3C6ppRIePFe2o4vUEapMTCHFw0woQR8Ah4/R +n7Z9G9Ln+0Cinmy0nbIDiZJ+pgLAXCOWBfDUzcOjDGKvcpoZharA07c0q1/5ojzO +4F0Fh4g/BUmtrASwHfcIbjHyCSr1j/3Iz883iy07gJY5Yhiuaqmp0o0f9fgHkG53 +2xCU1owmACqaIBNQMukvXRDtB2GJMuKa/asTZDP6R5re+iXs7+s9ohcRRAKGyAyc +YKIQKcaA+6M8T7/G+TPHZX6HJWqJJiYB+EC2ERblpvq9TPlLguEWcmvjbVc31nyq +SDoO3ncFWKFmVsbQPTbP+pKUmlLfJwtb5XqxNR5GEXSwVv4I7IqBmJz1MmRafnBZ +g0FJUtH668GnldO20XbnSVBr820F5SISMXVwCXDXEvGwwiB8Lt8PvqzXnGIFDAu3 +DlQI5sxSqpPVWSyw08ppKT2Tpmy8adiBotLfaCFl2VTHwOae48X2dMPBvQARAQAB +tDFGZWRvcmEgKDMwKSA8ZmVkb3JhLTMwLXByaW1hcnlAZmVkb3JhcHJvamVjdC5v +cmc+iQI4BBMBAgAiBQJbbqxnAhsPBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAK +CRDvPBEfz8ZZudTnD/9170LL3nyTVUCFmBjT9wZ4gYnpwtKVPa/pKnxbbS+Bmmac +g9TrT9pZbqOHrNJLiZ3Zx1Hp+8uxr3Lo6kbYwImLhkOEDrf4aP17HfQ6VYFbQZI8 +f79OFxWJ7si9+3gfzeh9UYFEqOQfzIjLWFyfnas0OnV/P+RMQ1Zr+vPRqO7AR2va +N9wg+Xl7157dhXPCGYnGMNSoxCbpRs0JNlzvJMuAea5nTTznRaJZtK/xKsqLn51D +K07k9MHVFXakOH8QtMCUglbwfTfIpO5YRq5imxlWbqsYWVQy1WGJFyW6hWC0+RcJ +Ox5zGtOfi4/dN+xJ+ibnbyvy/il7Qm+vyFhCYqIPyS5m2UVJUuao3eApE38k78/o +8aQOTnFQZ+U1Sw+6woFTxjqRQBXlQm2+7Bt3bqGATg4sXXWPbmwdL87Ic+mxn/ml +SMfQux/5k6iAu1kQhwkO2YJn9eII6HIPkW+2m5N1JsUyJQe4cbtZE5Yh3TRA0dm7 ++zoBRfCXkOW4krchbgww/ptVmzMMP7GINJdROrJnsGl5FVeid9qHzV7aZycWSma7 +CxBYB1J8HCbty5NjtD6XMYRrMLxXugvX6Q4NPPH+2NKjzX4SIDejS6JjgrP3KA3O +pMuo7ZHMfveBngv8yP+ZD/1sS6l+dfExvdaJdOdgFCnp4p3gPbw5+Lv70HrMjJkC +DQRcat0DARAA1IRnwnz9Yo4oIAblW0f6QQ0ljAt01m3wvKbe34WZGK4pc31lDH07 +IpD8pkq4knDjVz+gzcmea+7YKyFXVayb0SKiBUTtJrn6fR8n1igzv/wrcqezkM2M +OjVbYTv2lqchXyaY+rOImbGBqn/YAclfG6wQfL/IxLArVTo9QVN2zGy5DLESPflo +i4w2Mr6KajQULiHvKIMUsaWHW1M+vo8c374UaAc1nYyE3f/xo3fdJJKwTjFpDi06 +jtd9zg9VjE9PBuTbkOCoY2LFb0mwaX3ZE3Dbj/IAT/S8QkA3PntXgIWfeYN6pFy3 +ihCvY/hfsLhvzqxAMQbLHAsV0VAd/EB+ghXt1MRqEjJwYvoxIYnLnaPiLaRTsu6z +2mMkYeD5ruEB3AvN2zY6fDSOs0x6wZlbj6pMTJ9OxjAEGr/XswV4+rpqk1+HFHbC +VGryayd7u609JYQXYhq0Pcz2y9O7tip/jlzwAt3Skn+xvE78DQHa8vXrBkqYt/Gm +tZskGFWbwJbCAZGzd329cLwyROXM1Yc8EO+1dreuo8XoNKPf9jmVR9wqMw9mY79v +Cx7lv450B7bENH1MkGEZh8TRFZFtdBhjO30MMc6cRRUtTv9lxJ3zLu8gR2bIC0qI +31HLdBYS4RDf4PyCDV/WQla8yufw3tuwjY2BNXIGA/5U5kNEso3ylcMAEQEAAbQx +RmVkb3JhICgzMSkgPGZlZG9yYS0zMS1wcmltYXJ5QGZlZG9yYXByb2plY3Qub3Jn +PokCPgQTAQIAKAIbDwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AFAlxq5E0FCRLP +D/0ACgkQUMs5CzwzWcQZgw//dCBcAHxXEKuRDZe/6NgmEPZNmnUx21eUaCDlgv6P +SOf27Z9cvFg4TzlDZrIG1Kkas+rK5VaZYPi5KSI+uz1SwwcKVWwiQvKNX87XdjK8 +lanb7uetllYVKKyCPolu536g9Mr+eZx/W/yUdapaFGvC6XisPOCYL8RecFX8kYnd +VoyNAwZNrWhUeMQn1OU29utn23RY+YgfcbJD+6DXktvfknw45Z8m7ZRaKq/VAJ2N +br4QT5Bpo+OUiZKXz/i/pBmF1WlHdvTP6vz7eOl9Sg76+mdJfG0lBJN833DXY7hI +bRwakstVDzwIpBl9UOcBnbu0e/pr/wEanyOjguOIqaDjDStQIruvrJWz2KYcF4oI +Us/cmLhtBHVre2pHykdEdOCrno+C1y1nMU0eJfFw804WIDz9IPs9F0CawJFYYkq8 +yAngtytRj0olLTQMUky/qlloML0MgDzaD1fzmJmPsFMVJygmaRFj5C+/ZYegjGyc +f85azjM0bpks2jpylvQDpYr4h+EY/PTpg4nwRLENAnsHRzfZcuoOGRSSRmFyeR02 ++Y3QbrUwt7Q37x/Ge3bVynQuIqiQiMY+vfF5/FI1Xn2UNp27+Xl3GS3x7b2zQU07 +9b7wVeBu2ohymEUo+x5sYSwWQvGP55hQHpjqDmA6UeXlJj5kmxWsqC30bBV5ghy7 +O3OZAg0EXVFWqwEQANYwGpi/8bWvg/DKI9AJ+Dl9cUZdXUUJnfaoyL2AtRO/UJfu +tjIfgieP3eiJz6W3WRDSRAKQg07BBzM6SbpcOQR6SYyseScmkUvCtMrgBLbxtgXZ +GMsz5An90ZcMw9iw/S2Qu+jFoev1ZNGrz0D4CY41xQBAgwmDcnFcABp8GLZSzNRQ +Q8hTfkzK58W3Z493WT/qFUA7xLZVPvZPFdJjsdrhfYnSkbNupDoOrcBXOiCyegiL +T0Dt9i61hk9VUAQZFSpq+XS2HwvK5lKEBJnfwJ0AcEy9ZXhtVmCF3/ANXl6/ctdQ +TSiK0sCo1J6IMneCspY3q/Sp1TSXdhrrSy6AAF3fFoT5E57yQMLLdaYBo7nVDzzR +kDaJc5MkU5uqQFM/2P35l5D4o0TxIGiIfUTJsq0FTwebKBm+7xkLVMpTIvmDAZQm +3y96uDLkHDdDtq/nbSw0YPdwhavh8EBVjB0GhlPxFyydTU8/rs2Y4YVzBIUn8umI +4wKlnUgG+M4LsrIoRljb/reSNbveYHs4c53XwEe0ZWQDdAB1WVxK6V7/PrxU4DLp +uKETqZ3E/bwPgg2y2zzDrKvgb7doQg3y7SpFCrrpGLmY5dPKV74425218aDdT2WC +JyDPqhWTXtFPSNX24vorjWwZnWwf/rJNdApqB0BivfDWLHYvjomDML7/7pJLABEB +AAG0MUZlZG9yYSAoMzIpIDxmZWRvcmEtMzItcHJpbWFyeUBmZWRvcmFwcm9qZWN0 +Lm9yZz6JAjgEEwECACIFAl1RVqsCGw8GCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheA +AAoJEGwTAm0SyUTQt0AP/Ap0Ay1/Ovs7bLTr+w4+etvcPf1jYNdsHzLSISZF0Evb +0Grlu3HCYCRrsllElUXE+w5WpnooBGNLT+gIGYlzSMJEA0UK0zhSNUdNKzGsl+4+ +R6W+uU0T21xHo4JGm6P89mBRrf2KJ8X8VNR8OCHhD3XGJCgup8HE4nOtq9Aegr1X +Osw1M67onqXjN4bNj+hyPoOlP7l91Q7/ceAYU2I1g8LoZXN6IDcABVHSwLIYQ26q +p2DBTFXcEiG3TkzlZx2/GDVT3HkjfKOQtDD6J29fil69OIKH3/S77iDzRxP/bULG +x3Hv4NUdp7BdsXztBAhw4CKeDRLlATruva49XGZbL/npMpSoOjI/xI2xXraVPaO6 +2yMt683FSTLTXWDnDdtzrVR5p4quu6sV1Gz5HAFWRea2qb+LqDRlNZnJYY7qAl34 +dYCpjU1iKrj5wy80tq2YDaw6gKxE2YT2rqMz8RJWBofyFKnwZwu7O33+vg9lkaXk +K9R6V06IPbbW7yvO4eYuzh2yDAkn2mAtPRxQCw6lsw8jQmkYg9DZIbrIrsuY7ocU +7FsCTPsgZS3SDLUzM9PIG+cH5aAPUj4hBdewluE/n5353eY6eqx3qgMz+CsoHOuG +hR6g1p1z27OOoqU6uat0hHcHPfxJKJaV17l+7rE+ol2YZlE2Ne1zImVtI9UMiWjH +mQINBEvSKUIBEADLGnUj24ZVKW7liFN/JA5CgtzlNnKs7sBg7fVbNWryiE3URbn1 +JXvrdwHtkKyY96/ifZ1Ld3lE2gOF61bGZ2CWwJNee76Sp9Z+isP8RQXbG5jwj/4B +M9HK7phktqFVJ8VbY2jfTjcfxRvGM8YBwXF8hx0CDZURAjvf1xRSQJ7iAo58qcHn +XtxOAvQmAbR9z6Q/h/D+Y/PhoIJp1OV4VNHCbCs9M7HUVBpgC53PDcTUQuwcgeY6 +pQgo9eT1eLNSZVrJ5Bctivl1UcD6P6CIGkkeT2gNhqindRPngUXGXW7Qzoefe+fV +QqJSm7Tq2q9oqVZ46J964waCRItRySpuW5dxZO34WM6wsw2BP2MlACbH4l3luqtp +Xo3Bvfnk+HAFH3HcMuwdaulxv7zYKXCfNoSfgrpEfo2Ex4Im/I3WdtwME/Gbnwdq +3VJzgAxLVFhczDHwNkjmIdPAlNJ9/ixRjip4dgZtW8VcBCrNoL+LhDrIfjvnLdRu +vBHy9P3sCF7FZycaHlMWP6RiLtHnEMGcbZ8QpQHi2dReU1wyr9QgguGU+jqSXYar +1yEcsdRGasppNIZ8+Qawbm/a4doT10TEtPArhSoHlwbvqTDYjtfV92lC/2iwgO6g +YgG9XrO4V8dV39Ffm7oLFfvTbg5mv4Q/E6AWo/gkjmtxkculbyAvjFtYAQARAQAB +tCFFUEVMICg2KSA8ZXBlbEBmZWRvcmFwcm9qZWN0Lm9yZz6JAjYEEwECACAFAkvS +KUICGw8GCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRA7Sd8qBgi4lR/GD/wLGPv9 +qO39eyb9NlrwfKdUEo1tHxKdrhNz+XYrO4yVDTBZRPSuvL2yaoeSIhQOKhNPfEgT +9mdsbsgcfmoHxmGVcn+lbheWsSvcgrXuz0gLt8TGGKGGROAoLXpuUsb1HNtKEOwP +Q4z1uQ2nOz5hLRyDOV0I2LwYV8BjGIjBKUMFEUxFTsL7XOZkrAg/WbTH2PW3hrfS +WtcRA7EYonI3B80d39ffws7SmyKbS5PmZjqOPuTvV2F0tMhKIhncBwoojWZPExft +HpKhzKVh8fdDO/3P1y1Fk3Cin8UbCO9MWMFNR27fVzCANlEPljsHA+3Ez4F7uboF +p0OOEov4Yyi4BEbgqZnthTG4ub9nyiupIZ3ckPHr3nVcDUGcL6lQD/nkmNVIeLYP +x1uHPOSlWfuojAYgzRH6LL7Idg4FHHBA0to7FW8dQXFIOyNiJFAOT2j8P5+tVdq8 +wB0PDSH8yRpn4HdJ9RYquau4OkjluxOWf0uRaS//SUcCZh+1/KBEOmcvBHYRZA5J +l/nakCgxGb2paQOzqqpOcHKvlyLuzO5uybMXaipLExTGJXBlXrbbASfXa/yGYSAG +iVrGz9CE6676dMlm8F+s3XXE13QZrXmjloc6jwOljnfAkjTGXjiB7OULESed96MR +XtfLk0W5Ab9pd7tKDR6QHI7rgHXfCopRnZ2VVZkCDQRSrmiEARAAtVKYV8DKggGq +z1B/2bDhbJWm3k1TtqQ5OWJzven/q4GQe8QKwTknkJOwfdIqkifOf3O9jgJ+Dl2L +0+t4Hwnl6SbOTO3pl5D7DUFlko7vfZVvgKkjZo2FoZkZS0RpdDju4CMI+++nSF73 +DDRZc0j49NDdsQKozG45Z1dp9mmwBOYKulaaj7xV1cn61Wv7mpaIA1Zn+odreEXa +Yn6vKkx7BxVN8aQs/k+v3RlihkONmUH02i5wzI06ALJmNAMnr5CG1+omVbcxr2p2 +KT3FluF9EQz3KanxTWZOuN8SOJbGfmNhK/WLuUv/MdJcvrZpiKJGhNMMG3VLu+NG +E2YwnrK6GFokYOc7kNsXysSaFeRPhIfrWMBgyZ+h31oUYJ7nUUcL7ieOc7WFbSrp +SsPEEKXdkk1q3EEAyWkVppzKKF/zwE04wgRMQfXZM9/A67r5OyJBzLbCKpZADkDH +bF9Xd06L+gRNlw4yBtMxcS3biRm1cHP+qyHPeU9OeY9+hM9B648XaUxjjh8UajCu +ZvX5RW2scbQ50u8O+1qs1ux4xaw9FXk8dr544xqnIRxEKXw6RTs2/C0xYYGInckT +VH5UGN+VizsyzVfqVd3kNyYNdVBcHpUjS6n0H7hURnPs3MJDYx4ecj75vaHUdQSH +6ierChjxm7TzV6OxETEcqVskc9M4tLcAEQEAAbQoRmVkb3JhIEVQRUwgKDcpIDxl +cGVsQGZlZG9yYXByb2plY3Qub3JnPokCOAQTAQIAIgUCUq5ohAIbDwYLCQgHAwIG +FQgCCQoLBBYCAwECHgECF4AACgkQai+uojUsZOXHxg/+LKaqbE47QzO6qcrSixyq +7mbb7loqreUX70/cMPRlFBTGeGWRl+J1F4OPaosQy2slkfHXRv7OZMjotwtLl/+o +p82mMkYPgYe9G66ilCteBdQa6z4tvXminxvhrjBbV3QRtmuzrT5sN8ripqvRKb+g +dJj+hOSknb0kUqiVrRnAOsEUv8A81yRDR6ea3vSLJtwmMnactBi0QOcKOHzwebi3 +VISxFA74diiv/3zI42t6NC/kjc/DdGg2cp+QMQlPUQdxB3E3nBYKMubpkY/fQWa3 +m0dTTvuIAa4ryH3bw+HyTXzQR18IUh/QAhgjbx511Yx0BfYh1gKSpESHofBa9p+X +bXyRBe0hF/Bm1+xW7FqNvZFzK1YDahzcg53wAVaD7m4EHbSWSZFWQJGh6zLvAMrc +E+tkOHjapiSNWlm2UDSOY1mKnOkSrgiuvxffarYRU/YCTte/skbi+lL9v74M1UdU +RncFSysJVIxjwI2H5aQkMFjAAEsYr/bj8mDx3BK0q20RtMIyHwEd77rNTkjsd8WR +2aVxX5kE7Az+81UTi81ffEdycBQMSeP8anjjeLwjxVOjrE95VkPMO4peaIWPecJr +o36+pZPPZBMyXTk83J+wwW1K7t9wkDBimdxL7UY7AuxQ2y9Ne6sUvmVQPxxpMn4r +uHKYFfFVJ26peXgGftS5eg+ZAg0EXPfO+wEQAMk4ghaWUa53Gem8meTFDPYK2hYj +uCh1WehyWt2XzeRWOpJCn7Z2DG4bmZSIANR9gdpFDPErDx5+5CfDHNT2RnvSeALG +2ZtBYaZSZ9JOGJqk7PTTTXz56jkwVpt3a92IajXL7nWbaxEOk3yp0JqpeSjrlzIy +4teuiMkci69ED/HuKo6tF/JrzHc7ELg8SCXmmAOc/ylUrSUtidwMRAI3voP25uFl +BaEhIX/Mkj57zTpXvWHN/Iv8y3eZCb+WL6VEpTblSyT11Zp/g0f/Bkcwg8CRUni4 +Pgf+5Lj3CpafKJNgZPuFRuJ5wXtyuEsKaVHO8lHyaRE/r/hP8Xe00M9Zl4M0QNUV +SRMUc1Tr+Hb47f3ww1j986HIpo0reecTSDpAnV04ffWVccBGWkU61a3dWZlTQmdY +t5h29qngR9/2pNZkmEjsKrRabwOAtSleA2WSaq68Ts/ZbkQCvYTkCopCgNt/D8aJ +Z1G8dYp40YxEucYjdC6hfdSkCVcPu/XdV1nE3J2+l7Klt/8B9HKsdEqGRSPdxTWl +iQzcM1kTvsLklR7r/SfFu3gRNRkFOAuBgkY/xzs9uRWc7oj8qAvWPD7sxboDPw7H +5FdkvIYxWZtb9MxzyFol8osyhSjdNWTyc+JSGg4LT+QjuP2KUWsHEFTl1S0XghMB +ZzzGcbqMmz8iy9GlABEBAAG0KEZlZG9yYSBFUEVMICg4KSA8ZXBlbEBmZWRvcmFw +cm9qZWN0Lm9yZz6JAjgEEwECACIFAlz3zvsCGw8GCwkIBwMCBhUIAgkKCwQWAgMB +Ah4BAheAAAoJECHqRasvhtahZqAP/jGctbCzfgYHJUNCSOmuTR9fsjKGmb9TsGwg +cqykcsv5jjq8AAZj/28y90TR9yv0STZmnvMTVFaZILPPNSBMboEWhMbUfgWGj/tn +wFcr+PJujBdJl+pedM5+FIVqXAN3CVIm99g1X0xvK9vE3yplFTXPs8RZmsjMUMNO +gVGTRHvXMemc9M0gnn9hdPA2pT07EgjyExCPi58XXXTjQAlBntuvevN6uXIE4H4l +3XNI9WsA+l4zImmlYUdIMAhYrrH5qbXdUgide2oH8LPgYEcsUrl3b8hiylXDjtKi +WPyOIUS2cCrr7UCrlYfeIHhsTZ7rPTQNIX3d+vA7JY3taY8ihzZCw1EmGB8kL6Kw +ZADDCrzEBscQF67IwbwZmPPGiGDQfhs5IS6NUtOMfXFsAbgOeFY7/VVctf4tcQvJ +w7xlBNyOP/gBAq6jjC8w+u/0DXr2gRMb5XBCU13vhUE8YK+GfPAZc1tMr8ofX5ZE +fRhJv7jV+UHc0qExJTp0YjRIa0jENIeFVU2bHb/peJP1T/OetmwbkrDychtsXP70 +wZRRaAkyx3VmX1HyDPtX1+mfsvvLkuEnwc4Iyxj9nv/sdSz638DUwjiDtDmDlS5J +l2CLTPG6SJa4KQt4CIA/jLvMorg6Mnrjg0NxYIdrfrOfBWaTPeLEvxDRq5HXk6qr +YGNH9/KimQINBFvrElgBEACjNft3anFHNzwHW6dzxGinWEzFin3xBUjhre7e23Dg +DRIceDtePOqXGnIN5yGGH4VZrEGHfjTPoCcrRSpM75ryPLa3Pi0UHXRso/OkO2ta ++VaQRlwU2WAYqd3g/eck+x7MZHuKKyfyxDSUywuJumWhIqeJLyG/J9e1riHwaxYw +tLDvHCAtK4osoJ6GZDx95Rr4El/N5CtZBlIzRQUJMo695MIxeKA6RmlQVp8mGPQm +20Hveo0kBsLYFJxTW4D+KnwpQr2mJLsEQnCgKcr8TF5hDowz8+o3wdUrfteiVfkd +X64kXJm85jaR/K0ubnv96iTxoeh2Wf2jNAn3EjKhPzEeYFI2gCm2tzwUEzSuOjtr +x7FqDp7/iJRANmKQJ9KzhCT5JLkeS5do8d196xiI79Zlx8ISQRvCNuu1Or7idwvI +gHy/+BCyPUARv430YvXU4d01FVKTlNrbRsq91SVojek4UXkAk9oh4d3Y/AQF1DLs +4nK1vBukwWIKwcfVA/RidSqXofx6pahTPvguTkAARhMEJPLtbQBzD5kqkdgdP/6s +7ziTwGkGO8iF0TvkCwMXWXHl1B/m6b3h/wWOIFNfAZ0FxZmmD5UhytjVjhdI7jiy +Zf6JjNupVCVx1eqMGZfm3jkZqzWOB9wrVrb6rtI25ZuoRQJ/idnXkxZmq4m1MCZb +CQARAQABtDVGZWRvcmEgKGlvdCAyMDE5KSA8ZmVkb3JhLWlvdC0yMDE5QGZlZG9y +YXByb2plY3Qub3JnPokCPgQTAQIAKAUCW+sSWAIbDwUJEw5BKAYLCQgHAwIGFQgC +CQoLBBYCAwECHgECF4AACgkQe7kHItu9z3xs8Q/9HqL76vo5xZjl78USwgX7t2f8 +Aa6sqD6OIV4V9KPCaNeqP8OF6LqYFxkv3GX3FMHGPHVKOBLQ6LvuGozcnnpZ3ypq +6ChAy2L4W7ytFggpluArxSN5jmHoOXO51wPDPCSjd4rRi1+XnMDiA3VIk0vTcGHU +K13JgvzuUrIbFYhVwwCn8Rt0GvCWVLyvKRbykN3xgFmromREKdDCUymYS/u4hXw5 +xQt2AE9IgX9puLlGH5AdbJumMipcaI9erH/KVoBvtAHA5ozkL0PDocRaWA/W+i8r +XEeI8TJBA7Q/Xb/L12aIOCzeyEKGP911iR3/99UGMgfswKvF4WT4KdAV2VZoPizu +0Am2MUYhoexdnHY6GtU1UKcWt2hW7HmGBCZVdVpUF3W/gebe+ahLPT9UhqNTin2v +w7MxMKy2uWPZri76R165F3TP434dZLNfkNa1rdtQrRaD1Be9/hAQthYWKoCFowbM +LAr1BgzkUs97arxBTzqkr9GTCy5CX+nObIbwkrFYugRfA4bSzNFSpCo71cudqNwK +JEw65lF90+T5ma7lM6ZwijH1A9pYeGQS0eUOrV/0VTsxXQOyS6Mcfper+dkOpypZ +dSnJGzid9HPUSUdjI94wtRYInrcD09v5OnJcoxUDVVjVhH4FIqKVYstucn/LB67n +nn+55uTOKdm729ex0UI= +=FHrh -----END PGP PUBLIC KEY BLOCK----- diff --git a/initrd/etc/distro/keys/tails.key b/initrd/etc/distro/keys/tails.key index b43b9a543..dae415b93 100644 --- a/initrd/etc/distro/keys/tails.key +++ b/initrd/etc/distro/keys/tails.key @@ -12,34 +12,34 @@ zXSl42yg3EEsJlijBSR3wsIJ3+sWvQPMBdjgN0RjvoyI+zI7BeP8LC6ngz3GC8JS D5B8XNUYV32tlCs1ILdUPUF1BbxH2sWxysbpl9RvOG56JArSG2k+KlihXH5fmNiC NMWZ5vBShQ+bpBXh55fu3F7axequpWzocRfH+mfvBh5yvZnjDRGC3UZ06CFWN6JP 8wDFR+o8ZHSsq0Gx/2mIXVsJT6h0mF92Q1iqH2SQhFeRL3M+RcED6Bx33QARAQAB -tEJUYWlscyBkZXZlbG9wZXJzIChvZmZsaW5lIGxvbmctdGVybSBpZGVudGl0eSBr -ZXkpIDx0YWlsc0Bib3VtLm9yZz6JAlQEEwEKAD4CGwEFCwkIBwMFFQoJCAsFFgID -AQACHgECF4AWIQSkkND00xGkFT4rt8rbuAKyWKzYTwUCW4f3egUJCV4TZAAKCRDb -uAKyWKzYTy6iEACJ2vlgJLNN/IYTH1b3rBwRJDreicvOnOYjo8E1fWhsMv+ATs3G -0KgxOz6FzwERqmdbYAf+J39k+uQ8s+bBSgZ2J8YTQnF0unlrVQwCCxWOB2jpBUj+ -yhmFrtP3pcDYf42OFO3TjidIGzOwweYsavRFi66otgCtdCCp6NczLUNasBFlWGeT -QET9RSzhYlJypPTh2WJqTohn1eXqKesWao9B25JlTKosSWgc9v25fBslMZvWpb+V -cm/ePHcDz/8iiUBxZYCTYzmxHfS+j2gSZaphEEC2i5ftJzaRAOQ5JaRYHbpuoOhL -L4lEzGD5vEYg8mSUCUEJlx+fAUviJJ8fQR74mosdU1/7z2CeMzBbccQfhmq4wD0R -89YKmQUrLy+BTB8IqWCBco6Ht8AahIFMUK/ZjquOaPEPQU3iVPhuHv/hOE4mFWNC -/+GKzRnVv3mmZ49BG5tjjPlukJ6N9gV+3xTnjTseZAWGhySuk8+F66+OYHGnFUv+ -/fA9AqQOnNGVVhUpmIpC+V9xw5h6hr72V8zQ9gBdmFHGJjx2ua3AFItQgrJK05JV -64yApq9BjmqMlFfDmcbjNyq4/HY/ibLhzlswofJAwOy5Up3Y3EGxe2fmDO9ktlEY -extaMjQNcgik+e+FbqPDEbxJQ3Z/F4gf4YziHlxN31CE46g53UO2CdRv9rQhVGFp -bHMgZGV2ZWxvcGVycyA8dGFpbHNAYm91bS5vcmc+iQJUBBMBCgA+AhsBBQsJCAcD -BRUKCQgLBRYCAwEAAh4BAheAFiEEpJDQ9NMRpBU+K7fK27gCslis2E8FAluH93MF -CQleE2QACgkQ27gCslis2E+R2Q/+JE4gEhi+e/EMnDRflMYjiCdwssr8ZovyoxWQ -6Cz1AsWuLmRzTIWlMjkfQxs+fAXK/+yys85jiXzzDJkiw13BXTESdWpe7WAZImNy -GLe7lA0A+UMfD52FIjjkcuestH/J1CadykACyARZCL7l2eqY2UZL+oLRH4uNAqK4 -YRs9dey2bEQsZk4fvbEGf5RxY3799AHtcucIkJIzZjiUWZcKtYAW8FrspBj0cX5T -Lyd298or61lQf1IixnHyD2dxy1yTx3SwWyxAF5YFFvwkvTrPiyQSQEhQyUcLzOs5 -v69zd09MOfR+atyxpeG/p6HnOtsAuCc/hvghvsYalGK8eq/Ods6h97xPb01UOCgZ -bcXcy798KZzu9MM1ZZIqz+M+SvCCpch/dKH8yyZUipR+dR8ABYA7noZFdyAwlTzk -PaHwBzJ7g3CuABH8KA2KpP8POIAgyVosxm7q/73NdoH0ngRlx5oTBwblNRNxjd4Z -+FhZsrqN+NVlOOOFQRMeI9SAsXFHEsvZnRUbEwoeroFUUymJfQm5okXz99EZY6pM -Wd79Tr3fLNuBM+sUc8yx/wX31NwQRCrW+RwZj5TfKHTt99M9EIiLlSqUz6Gj5GYC -nf97bq4PqqF7/kGkkaNV+k/T4+mkvHW4IVyvuqhqna0E2WeoSRsSDq/pR0MGDyFZ -pP7t0hy5Ag0EVLvR7AEQAN/E325mECH9+a8jCu0yHu5s5GOT9MOjyChyAFuont9Y +tCFUYWlscyBkZXZlbG9wZXJzIDx0YWlsc0Bib3VtLm9yZz6JAlQEEwEKAD4CGwEF +CwkIBwMFFQoJCAsFFgIDAQACHgECF4AWIQSkkND00xGkFT4rt8rbuAKyWKzYTwUC +XZyG4AUJCsH5xgAKCRDbuAKyWKzYTwa3D/9JVmXlwcyi7F8/VpodUpjDlkJ+0aB4 +XPwunstpF6hq3v66JcCHcIvqXyEvp62pnmFgcANw88f05T+bl5bIOvR3+xlGGUlN +ybAAo7D9JfYbdOmlZSlQB+oxLD70ulGx9ZoC4smMrfOF7z/5zVtk+RRNKCemk2CG +dhAXCwI2OqGDurmAMBiPnrGKMrwInt9LzTLnVi3XmqNjGn10uOCUJLS2PZnIDvXW +KuevABfKbEIAFk2tYlhG27Yz3CL0luZmYzVuqFLn6Wa80NQ0RqDBiUHkvLi1T5f6 +R1QImtaTRB9GesAUhaoXrSNBSSJBcc8Xi4s6feathNcvvLG+GiYDGlJ/qoewVnzM +Ml1YOVBlKOXL6zNvL3mxRRYeV73w8+2jHozYaAhRWybAyybDH4AEzP0JVUe7zaNV +8F6kLgJ3f/vj18imNsSu2SRIKfUMEzQCN0/NBX8Cn8B5k99erYdd11P2oHPXK4qH +kYZrpknyXNqIURuDa45HgkIRAGToGer99R74iOdmMwO5RRjWqc8uAnUVaZD871xx +mF+ns9FXUEn2DcgX6l4Yvsl1QiWI2MR/G615b5Jkihyp5qptKteZnpVUasdSUIOI +93NKH/wEaHAHHiD78AjxZaQBTBVhOVFQvkXYteWZ2V+5PJBk7A67L8inFP1NoHdk +QnbURTdJEIrxJLRCVGFpbHMgZGV2ZWxvcGVycyAob2ZmbGluZSBsb25nLXRlcm0g +aWRlbnRpdHkga2V5KSA8dGFpbHNAYm91bS5vcmc+iQJUBBMBCgA+AhsBBQsJCAcD +BRUKCQgLBRYCAwEAAh4BAheAFiEEpJDQ9NMRpBU+K7fK27gCslis2E8FAl2chtUF +CQrB+cYACgkQ27gCslis2E8vkQ//Z+KpA+LY2xjy6SxAPLxLH30oGpYKPyA1ri0P +NmhGp/cj30iLr4aDXw/N4FM6XRILcce1pSxvaUbx+UGijm6KyDhcOmA309Vm2cEy +14Ik+89csjhfK+Q4kcZAhPEcQoVrM18JtKEDW61iEdkO8FxFKkkZiaui/uEyY22F +KpZQiJos9pyNMxb1bFKgWUKXgZBcSZSbE9Eo76jIIkra/4A8gww/nHcGdoBIcjSd +rAlLUzKF4k9Q3a2nN9UpAzUEoG6VaFVaM9ytgnpigHKuwQmk1EqnNPeynjjmSHxo +q3VAll8oaPO5yDFSM0XXIDypc7aXarzC1rCnZHEOMG4Zmi/SPO0SpdPDq9ZBT4hX +PmQrByRWMkHwxSm9Kcarcl4eCH08aY2akd98MpTByc1s8jO78Dqwpmw0BDR0vfZx +1J8E6+kou2+j3OXuXrPRwkT0/RnUdlM2/nsfWJQ7g6e+qfkZtGyA/etX0nfrutRr +DMtxncy6xHWRHyAEYJx5n/tD+zGzEEBNZ+zI2BX75hBvyF4UnVp4cyqe/6+0rrD7 +hcOSP4svAQXQdGHOcMiaiBFa+2AVzmtKvjX2YnaF0YfjD8Q5+9AqJKdkVWJhIJC2 +1OpXaaSzvQgUzUpmAlrn37vFZeeyCEbyL8Xjx6pSo2ckyNm2nrlXeF3YBlUWNfv3 +pGogBnK5Ag0EVLvR7AEQAN/E325mECH9+a8jCu0yHu5s5GOT9MOjyChyAFuont9Y KiUj+1f3Eu65rHmuGDAjAz6NZS9ONENzIcDvrKvTcQbtfggtQJ5ExUPt6n2X7xdN FW53KkonS+DjXwTQrr2vpnImb42XsNnZVBjaSzqpbxWF6rXWgTMeICWVuvkRfRab 8qNLh4ugPuC+dqVermt98uTf6eKa2sssBw4m36/sPXqoJ/TWahoCglob/uKbh3mr @@ -198,8 +198,8 @@ Z+0fex3DsVwXMdyMS78zfnm21bMpsgfJx7YZI1gFQXAKtVlEWPHajyjd2tCysYHy 1AnbehkHRIsYVqXV1AwF2bSN2rKf+nCTjvNgt5VNAiJGy4N+QuXFy5X4NdgMdYq7 vYT66IeZwlT9HV0wEB1jsX1y+50faxfn2YOPFpKXzNd7VOQDDx19J1IsNw2Q7gnr 4woqqJw+bLG7ClRuNfN861Dlxc52sH6rjdceiFsLKBj7T1mQFAUZB7TCMIvK2rry -lc5iXQARAQABiQRyBBgBCgAmAhsCFiEEpJDQ9NMRpBU+K7fK27gCslis2E8FAluH -+M8FCQR1mLkCQMF0IAQZAQoAHRYhBAVGn7herWWJtD1B09IdrTivKBwLBQJZpDyW +lc5iXQARAQABiQRyBBgBCgAmAhsCFiEEpJDQ9NMRpBU+K7fK27gCslis2E8FAl2c +hw4FCQXZffgCQMF0IAQZAQoAHRYhBAVGn7herWWJtD1B09IdrTivKBwLBQJZpDyW AAoJENIdrTivKBwLz48P/jgM5REXNkh4oW2GHC2ZfPMiupF11zTBKWuIrsjLzUhO IqMypbKDBAQfqV+TSal6RTvvZHQxYUxak4OK/TtjDL47XzHGQmzZbFndH42XVOua kD5dT2Sv+5oWNSZDz+Yk/1tg4aRCD1MqATPD7N2O8Y7+NFU2dtQLV2MPa/70K/Fm @@ -211,17 +211,17 @@ ghRuv6XsgjUz137gNkT2P+PNOBV19sTV3haz4i6gBr180xvvtOArwP1vTxnAa+Pm s9bJt6W60PO6kjWmDXnPykwq7fpmI7qgJ2svlqRcLN3GRLX3bc0jCpspUEWAiq2J QP3ejT2QmNF8GFCITQSB64Vb+aOBE3aifBjt82k+KSvy/P8gkPCc3fsxdYSgnesr k6EngA7vOM/x9unm3yPMctpT2kKav/xh0IYQdsyF6QX/ScKl3kvuRt3LTkx7nd/L -CRDbuAKyWKzYT7FlD/4m0ohmF5KffUQGW0L514b5uU1BkmhLv5kFEPPB3qxClfP/ -SzxdiiCyZHCSOqsGwepf3E+1X1KJEMt2Hv1XAAxLbfgyPv+uBrSjxqi1LWE8+2UB -W2zVAvGksKbzVn/GnGevKxknkvmxN9GEqiRTXdtMCNY/PtG1jISAYM9Li2TmL/IE -mmZlSHhxbaVfrIrsI5Sx20Xwp/WhQ5+ZDMLZEUQ9a1ptVsCHLgs/rJhyCfrZc8VT -KfTklb4dMWYg+8QdUO9YkzSdpwLulfVIYD3wIOZPKLzaxiXxP9lJWEiEuXvt+HAG -kWn1yeIBBqlBFRDF57EN58xPxNJ2Gq6RYW9vb3/h4GWpC6znoHeHYOwJAFPL7Jr3 -7G1YPlYEJWcprLoGsJpiHFixluopp+LVMmqoa6td2JRl4HIjsJy9Ocw/suVX+EXs -hgRfyKEkuODqayHeiP1Pof89/WvMqCC305LvBlT104CA3p4RqBho88tcJQDpVYib -FJOiuOTZn1NE8COo5Uu0j19R/amI4pLOrtfEDy63kaTVmfOrFkdGxDxikyt2DgXG -i41HNbWc0PiinSt5NGoR1oXyV4ouEYWuNEQe90hPtiuOXP5cHcekjUAgofhhtP06 -uUtwaDwLzno/gL/xChXWGboT58+c01lxBpis7grO3dW2siCtXC3HNat+WVn1gbkC +CRDbuAKyWKzYT4rbD/9nPA8b0jGyEJvdCv8y3W3CpgDV8WSs7JTlAojJ+m2826kL +fAmBbbsTSAY6DikZzbiU+il+m/sWUjTvtbmoirIwrbRhom+eQvXTC0IwOCBaqBO8 +lWfr/r2w0v9pypTuU2QzypJD59bf4ozV2+XPhpI3Jo8812/zpPQ2C9vxJzZLIzUb +kPw90uOedX9BIa3gQ5i9kdMrp09K0pa6JHQGr5+V4Q4yHZt0DjFFnU/mjmGr1Lt0 +wZ6D4S5OE+EOmQLHajqKBSklUaCJ/Q+f7BENnMSPvLL7rQmm8X7jE+jB8N27bV5y +qt+Wqdm2l0BJj/IwzWtXO2dZcPo6KYZ63V7J8NQY4pcyU80xjxHCgFtS1rCn7phX +HRFac+klAfTkord+CvsOTdWhO78nY2qlkHl/MErJzZQ2k4BLwgFbIudmOScg0N/g +JDQoPvCmv8WmxflsZx+ZRH1pDSwrB0trCIyzf6cA/t/7S8GhC1Ecd7GFmKr7CE5J +K44faVqQVH0iDYuI4ERBZ9kkf1qtsv9VDc51ghQn8wqe6yXKqyJc2DyOCQsP9AQM +L3+nziTPQ0Rj6AY/qpu+hVO0UDRXI8c/2JvM4LYJPMa24aSJSX0t+7Rl3tUagOle +1mpkxLGyf1jAZzXUgFvstI3iMzGB9sxQZzb4G1PaRMGjP5dhfupCkkPxSuXS9rkC DQRZpDyvARAAtfnSrtM7lNxN5FPfT0V8cUpXW5D3jhM6mC6NUSvKSDAeITNdQ5Rv o+k2GaN2dORrFSTRlBnGlF2DDpXY128zcvJakG3jadgGvAMflrpTDbFN52591u/+ JGbZ3rhTSKb0a+Vmo4MxDPKWF6ic69Ktk2NMze8pgJMpaqBSOqjWGnVpQw/eE/aO @@ -233,7 +233,7 @@ ef7D52q8Kt+DyfLSBjudGV0g7mRXEGDpJxBPhbkGJMwCoXTWlV5mPafpNIk1HR6i gC8ndBGxNk/yENfSGQpAHmVR9LzfXwFBdoDgUL1CzAu0iGfiRO62rGMlx0ZkUADL REpeLqZexYmQ3DJ1G/czh9f6aA1CDbD37kZ83St8GcDSFI+jvud5Dn7/zfOp+B61 Ykn3Zm5dHQ8BO07LbbqyAH+312aBlCWdsj8sIGF4KcxQSzuj1tuCLUUAEQEAAYkE -cgQYAQoAJgIbAhYhBKSQ0PTTEaQVPiu3ytu4ArJYrNhPBQJbh/jPBQkEdZigAkDB +cgQYAQoAJgIbAhYhBKSQ0PTTEaQVPiu3ytu4ArJYrNhPBQJdnIcPBQkF2X3fAkDB dCAEGQEKAB0WIQQvr5ug1luzcfC8LUYwIKepwrcnMwUCWaQ8rwAKCRAwIKepwrcn MxWKEACjpk4elL0hsOygwHaWilUwGIWnM/s8J/COeZ4aPJYL0uBRd4duvewHEf7c Ws9N/69HRY1m5o1wI/lBOKB32QXMaaLVXDuMkuXrZaNkT9D4WdCJ719izhkBQ45d @@ -245,34 +245,34 @@ Lvg07g/JA9p8+6lBlmMUkC7p4zihcUIoNXehfFsumReFea5qzQn7VWOQEYTNwtv/ FKV7kRBGctnHuOYgjmgKxIwmUO6ufA5grrE16peYhkRLeN4+m+pOG9swUwtvVdzS 7zY0Qq0qP5zWrh9P13znHb8zexd9DafgIGbP7lJqPP1Lh2/Kc676/SpyT+2A8teg sFdlc7yU0fHAOcbhOpMccXkYNGjqzAUnqY3K17Pi4JHHKM0xHYmRlZYWJ2fZb5IN -54EM0sGPZsOcIa1qg79qzjrY8ep0XJOLK3DMXKTjlWW+zxhZlAkQ27gCslis2E8X -AA/8CqeuxtsKzSosGloWVUkK7YrhwgMAMVxjdqCSetsO5oTB3OWAHAPlYoTaPcJh -69/Aixib6Ijs0sAf5nUlFRXeMON+gWo+52YW4HYf4+B87KUPye8XL8S9fsibxJ6V -rR5kRAoqxSUfpUhxUoNvaJhGD11SSCnMELxvpm86z1uAEkJH4cZ4vZtrdmD5gQNB -d9Xi58xV8Skzpu2W9PypFupM8K/9z/JfzAnm6HFAOVItAkv8S9sT0F5LGdS/G6Qc -SfDZGZUUSmNwy1+igCQdzReWkSFzzB2UJxX2Ap/b8gy7v8BLeP/VTG7BTZfKLrPv -i1V7Z0+w7iGW+tksP9ElK4cHSLMglcWoebY3DC9r98vBYmPTKHzB99LLcFnJHDJp -wqAUJIvw1NggjkFjNKSMQhJhuo1I4Rg+x/i8zPxcpCMCRol1vWC9Kts1cHDMwlrT -9v3W69gcOkVcfpD0MAE3xLCApR7C0Aky2BgWvQt00O38SCnOzdK/Thja61lSbPij -xmUL52K5d5v3WKKCo9vBCr/hqXwJxDApgn3YMLbndw0skmZ1sWKEGLJisYfrZTCQ -QmgBdN/C7RGf67XaXHjj966XOleBYI9QjciavBl0eX+nIJV1oSa41+/zLXYD90f0 -OPd1CpCoFgq+quk8lv6xlr8jsCLKZp8RNx7tj8UGBV9Bn0W4MwRZpCe2FgkrBgEE +54EM0sGPZsOcIa1qg79qzjrY8ep0XJOLK3DMXKTjlWW+zxhZlAkQ27gCslis2E+5 +hA/9FQDQu1N2EZl7FrrAdP9xO7y1ZUs33gys9eA7bY8ETMlDqchnEbnbqP25W2yO +bzrKtshVn44fWUGOwSmIDfVm0ATkuJgMReMTo3APfOHlV4HKlMZYMF7NufJs4f+0 +/DYCq2FN1ZscQmph8YKAsTFKxXWNw60ilfQoY/KxLbQ6YTw8rfd2FM0ZwjV1PbsF +7HR0FkZjbaJKry1vqtOS+cjs360t1rclm1KRMV9/yJJMow2VV+9FIhbZMowrfZI7 +Qx/Sx1pYNT07D9dBNeGSRnLWEubO/mb8s1Hzgty6CEf6qlEwdRMVELXaVJcf53CK +EqZe6uhVmTq7wrmbpnb/I0Wer6igL+aUvtkM46O8zVCT6T/mnsXyoCV6zmCPYM9R +ECEyRACx4Ik+ExjLnRLezYhOkl7uN3qTS5rxR2otbESgWNx9L85Iz75ahU0zas4F +R1cZ+YC2fCRAqmPveAidJbJ0ZJrx/JH09udX5LafUQIVkY6xmoE/9T8bIVSbDFwi +fig9OdP/OtaDJBS0BOfQ9QdlpIWe2owVZa9Aa54U2jjiupCGY0XB/LoNWe02WGUN +amnXegG+pHGGGt/atMAFAtsAJeXpLIddO3mQdbR25QgJ58fHtkX9y/FMT4bb3FII +Vfd4PMmQibGXEwi641+MtwlJ52QVZRmL+2XahXoqCx3hpPy4MwRZpCe2FgkrBgEE AdpHDwEBB0DtqAgreIYCHrjvjYlBdMOugNUQhW+E0ko4ynwSUi10l4kCswQYAQoA -JgIbAhYhBKSQ0PTTEaQVPiu3ytu4ArJYrNhPBQJbh/jPBQkEda2ZAIF2IAQZFgoA +JgIbAhYhBKSQ0PTTEaQVPiu3ytu4ArJYrNhPBQJdnIcPBQkF2ZLYAIF2IAQZFgoA HRYhBM1NQ1GvppM/V0qa+5CytL167SNfBQJZpCe2AAoJEJCytL167SNfLMcA/iHy x9wWfgOAHlRrf7lWpk5OF5BHNSrTqJay+OiAOJG2AP9PA+oPGmdr3WZpf6OcWc/U -vzu7VzEY4UorRPpt0sEKBgkQ27gCslis2E9pPxAAiCSmy+UOcnMzvtXQqczXPUys -OFmJBZI/AIxa67NtOWPHmbii2KA2YnoHxbXoUJVmq25EHjJQITjOhEM7GvDknkHq -Gq7+bcjvPTQURK/LL+5VEAfapUHHRrlEOJaUBhA5TXIHYMi6ND+IRG1o4e4ljLMp -oHyS4Nl8yqWmjr/mUWXUpw/D4K7+Xy9CCNA7PT7NLgtHp83sdLZ7DR1jUX1GTXNl -vEoILlFEtqSL/cp8nbIvnhPX6LmGoIq1Mh7UtdAp93b+JPDzobZBtRI73jPAxesm -b6Ipnju3jH6Pj6ig88OV9ah3eHmpplti0b/R41oq+JZONxs+e1Mp/T9/QGHH9L+n -j2uPdsFQ+x1FM2HeYjl68RLX1iP1TFUTlHBAIjKzVc1gFMO6mx2dsrhZR/4462/Z -lZg/EhtHK6lIIC0rsM2z5DY2jdvbKvNc24DVxFCtTy74/fuJWmClNVwLz/TstAUK -nVhTM33U/qUwelF63tPvYnna/Iq0NkAAB8UpcEuh0Vmzo/rSokeiuNStJp3eRVHN -PmIt58YVo+kTQSvNYAmXYEFjj4dmv1WaZbi4qdl8Eqq+Y9UXS5QO2GjDZs8+/NkA -fWIjjzHwa/blm0C03b5PkvzUv2qfkFHuYVYvlcEA7F0DyJcHcQlWthB6HEDTwx0L -8yYhRA/TeCS394jPwxe5Ag0EW4f3OwEQAL9qkAF7ImnL8bakmqQ640hqsh4SLjjF +vzu7VzEY4UorRPpt0sEKBgkQ27gCslis2E9AiA//XhNebVlk5rGxYXG/DfV2ulDI +YLAp4gkCD29msFRz57+QOYWnEwjA8cyICK3NHc1CfZFP03vJT0P/CDiZnljxFs9C +YstAjUMF8niiclOzyN7qAHSYQCmTWo88HUru7YhGo8tTSJj4D5gkvuXSgu7TW95M +ZhQnbUehy2H8Y1TbVTh7bv4cUw293RNN8nvoP/JO85u0rwOKwNsuqKjLVM7t6YxF +LW/ObS9CiIoAuPuwy/5zziRy78SfquQTkmrDVzndcurEJJEw51CZpVkOD1uhy3u5 +7/3h4AYeHSttEplRhbf37M/fFH2G0ASuRx2higAA0hEpgmo6oPk9CNWCQTZt/J90 +JzoXwa9xTQjjPP/TvGJ1EmUY6isnV5cQk3BCQaW5Bscp5yHIHe8n+TrJDI2CPzX1 +JFOTKx6eJ3aEROXR7lLBftcf3iP/pi5fcvbAuPkTXc2AJpBMXbPw1Q10v0Of7K/t +sj+FS3G0oPeSNaXNRmB5WDc1wqh3kA8sBgw1k7K6lO+stGQE2RgJFQIXmhyRn6Kr +XurlafdSlrXS30dn676Bus5p8yp2aho5AxkwJm76BSnczjMV1JBJqBJRZ52ntIzq +fW0Cl2qZ4S1SIxShW/vfgGBld0CdhPHpkpZP/jzInUucdZbYsBiLaLdnKFb8q6m2 +KRpjnPmgkok8w6gYDne5Ag0EW4f3OwEQAL9qkAF7ImnL8bakmqQ640hqsh4SLjjF E4XJb/VzXZmYJGbTDBDmNhQUpupyn2W6vJ7HRzW/cCOKZ4IpHxF3qoBYiLMQybjS cSEZcbvxBdhgxxWcPZXsdCnmq70+a3mUa1qODYjR8iAhyibDXZodPkpVSOCa1WSt opJ48EopahUBOkYwa3K/uM/SnCGvMV8iFbnVPfKA0VlJrbi/0jS2lbrOVSJTKxaI @@ -283,30 +283,30 @@ wWVoY0dq3HS0WH/BC4R9oT4euD/7177t8mLpCkFOiTPyn16cfgyubdRB6bXJMiNW jq1vMUNfceZnfR1tLdUEdKbgveIsR4VdNvVqBhwpRvzETa7ansTh9ifdPXIV5Cy+ Q5UJaguDGcHUGIE+QbGE52Wqu7s9MWiO904d4VUt6avJpF7g8Khvf+f6ccltIqS3 zQE+E5f74WmWsjEjGlpSpPo9rptYIGtCV11qyUfrEb1oYGCwn1y8TjqCE6oCkEaM -9n7dCClfYEv/ABEBAAGJBHIEGAEKACYWIQSkkND00xGkFT4rt8rbuAKyWKzYTwUC -W4f3OwIbAgUJApHcgAJACRDbuAKyWKzYT8F0IAQZAQoAHRYhBP4CnLSq1HiOHXgo -6Kiw9ORbG1DiBQJbh/c7AAoJEKiw9ORbG1DiPlsP/3SW95eFOmne+DNYROtGzPba -n3NCY2IkYMaZZgb2PvtnhRFTekCai/W0iemueOupPbNVdapkHADU+kO2RmnJshw+ -agKV/qDsWxldIaaTIiRIKv5yCDV3vNMFaZ/JcxTA7aLU+mWYNmWL0diIWVFqS62/ -1NTmpu2A0mwBNnNVChOH+R8AAgOIc5bc1cVaX6GTInbJMcuBFR3upziO0o4qSEEy -M6nQVNzM8Ejbi0k1OVtToF83oJ8n7ScaVxp8JGeHYXxLBQ/tzhIaM8KiIQo3Au75 -hmVwKTt2oA1swyZ4uBvttmk8DzduyoaCwmWjC556cGAhurDrB2e5Rs4CrzNbqQBa -WMpI/+92679l/Zg5Iw1mOU6qbidciLi70ZkZzbYUV7RXZU6XUKDo54WoEOR3jmGp -m5QTY7XSY5ZFPnAXt8So+YL/MrRC3ncwlKR2LRLa32pytTx3a/Ama8HWaySdnR7d -VQYljMZuNniD1FRjBiJXu/dvRKMyJQv2mU15m+/wAiwuKG70Q4CzkxRZFv/Y184U -57GVx7yiR5m5Og/VWRid2uno1Q+8XrXkyf5yYSEXaA0BUlmltRqiuMl4nEayKj7k -vP9AUVUkv5NbiFOuF7VRMi2hafiUfIowM9fTyV+tCBxk+/nx4O9pM60TSxo8TRQY -pNJ3jTN3WblMfOJ8vK2yXwcP/3EuXy+Wnc0oQ3B3X+riPohxPep6OX6NC6s80Y1N -7nHPP9BUlSTgNGxR4VoHzrRxuAgQeEM0faw0OjmXmaI9KqeJFU4RyMuZaGyOVzxg -jCOeJfxogkVmPpS7IHMOSWkagPaRymBXBZgNMxnLxMew1EnfngvMCV5tJQ1Uv0pP -sBnmdf1+TQnhZyaHUA3VYyC8lA9ZuQhtXzjuCdA4F5w9kIx27CnSAtyqNobyHGke -aB62qPobjIU1Ek7BGrvUDFXPTwr8SM4wbnmwky7eQ9UL6t++/I5d4QMzVp8WRW71 -2KeAgTmO3VGhJ1F1hFz5f2ENOQ/5nt0fvNBsDrigc6XouZDCkYY877TRCBvKr7gN -X5xCpLMRJecyezctAZSegySOWqv/ODmZ7r8Nmf9PMuWeAbGJktUPCHkcKkTT7IoX -cTtxyP5SJ6Pj5BArkX/RGt3RX0JWclqckJ1Lr5U7xFft79nXAmvVHahXJwYNFefv -/sJIGTDaAavQdiujiuxWemtqli3jjII0rrxKEb+WlqhWq4gK6epjixuiKEfyUbEZ -cBEB3KAiwLudRfKp7+7c9j/+Q6/JXdIJ0oCnI/tMndqdBHlWJUHMJGyutg91MfHd -qdDoafsIclj3n7qzixWlJ1iqcfnCK17cOhHGrI5JLz10irjz6hMu4LOUNGWeDO2O -zerI -=B0uR +9n7dCClfYEv/ABEBAAGJBHIEGAEKACYCGwIWIQSkkND00xGkFT4rt8rbuAKyWKzY +TwUCXZyHDwUJA/XDUwJAwXQgBBkBCgAdFiEE/gKctKrUeI4deCjoqLD05FsbUOIF +AluH9zsACgkQqLD05FsbUOI+Ww//dJb3l4U6ad74M1hE60bM9tqfc0JjYiRgxplm +BvY++2eFEVN6QJqL9bSJ6a5466k9s1V1qmQcANT6Q7ZGacmyHD5qApX+oOxbGV0h +ppMiJEgq/nIINXe80wVpn8lzFMDtotT6ZZg2ZYvR2IhZUWpLrb/U1Oam7YDSbAE2 +c1UKE4f5HwACA4hzltzVxVpfoZMidskxy4EVHe6nOI7SjipIQTIzqdBU3MzwSNuL +STU5W1OgXzegnyftJxpXGnwkZ4dhfEsFD+3OEhozwqIhCjcC7vmGZXApO3agDWzD +Jni4G+22aTwPN27KhoLCZaMLnnpwYCG6sOsHZ7lGzgKvM1upAFpYykj/73brv2X9 +mDkjDWY5TqpuJ1yIuLvRmRnNthRXtFdlTpdQoOjnhagQ5HeOYamblBNjtdJjlkU+ +cBe3xKj5gv8ytELedzCUpHYtEtrfanK1PHdr8CZrwdZrJJ2dHt1VBiWMxm42eIPU +VGMGIle7929EozIlC/aZTXmb7/ACLC4obvRDgLOTFFkW/9jXzhTnsZXHvKJHmbk6 +D9VZGJ3a6ejVD7xeteTJ/nJhIRdoDQFSWaW1GqK4yXicRrIqPuS8/0BRVSS/k1uI +U64XtVEyLaFp+JR8ijAz19PJX60IHGT7+fHg72kzrRNLGjxNFBik0neNM3dZuUx8 +4ny8rbIJENu4ArJYrNhP5GYP/AvzdcT6Z8F9qmH1y4WN3fjfqyJcL6rBMNUSQI4z +OhGXJV3NncONmu3gitfkwx8+GA0ieGR7DwS7wSZZRj331vnU67AKqDgxXegF0pfv +DxAuPH06hC9kYHIZJlP4tqvaJNTgUXwdGE88lihhEK6ZpJhj19IYLim72UbaPHWr +WJLKh1V+dUacCTrzvW/Y+U6hHX5gmMN4zXGoLwVQHynwh2yaCraiNcQnpYZCt95I ++xpO0dlF83rcsJab94hmxjmkZG3joih3bCzH+AoUzJ/LjcOjsaULiwgkfig+FE5i +N5OmaBXYRo+AZ8ujAldexvO0fHFawSd2DyU4igN35OVcZmulUoTegDaPDTvSStFO +1deWAP7BtkNFPPJ91BX+GhT6An6hTOI2GTfn45Rbk40n5nqYFqIRsF1p+PdxAGHJ +lu5Hsd37F1Yz7tmN0M/lK7IVsS25+E8ld/mwvuQYCreO0YuveV9HcyB+94GQ24MI +DsJQdNzHFIuxw1PktV33+YTu8qX05x3IgPrkRndq4u4BXRhtcONT52CoPQSlxiaD +QuUDwwJQVA2YHJxWFkSKkbUEOGAQZLm256uGToMMllaDM0jlmZVbP/Trwn/4D2JM +nmSMb56qXS5EANtrvBWB4dw70BHF01qnreMNkMmoF6YNf+8ru9L0V0TlAgaSKb9H +kP8+ +=KGfa -----END PGP PUBLIC KEY BLOCK----- From ed3602f0ba62ccdb806cda5a5a055bbc386c2185 Mon Sep 17 00:00:00 2001 From: Francis Lam Date: Thu, 16 Jan 2020 09:36:42 -0800 Subject: [PATCH 39/52] modules: maintain reproducibility by removing rpath --- modules/libgcrypt | 3 +- patches/cryptsetup-1.7.3.patch | 512 ++++++++++++++++++++++++++++++++- patches/libassuan-2.5.1.patch | 176 ++++++++++++ patches/libgcrypt-1.8.3.patch | 176 ++++++++++++ patches/libksba-1.3.5.patch | 181 +++++++++++- 5 files changed, 1041 insertions(+), 7 deletions(-) create mode 100644 patches/libassuan-2.5.1.patch create mode 100644 patches/libgcrypt-1.8.3.patch diff --git a/modules/libgcrypt b/modules/libgcrypt index aa7e1ef8e..1ba82fceb 100644 --- a/modules/libgcrypt +++ b/modules/libgcrypt @@ -12,8 +12,7 @@ libgcrypt_configure := ./configure \ --disable-static \ --with-libgpg-error-prefix="$(INSTALL)" \ --disable-asm \ - --disable-nls \ - + libgcrypt_target := $(MAKE_JOBS) \ DESTDIR="$(INSTALL)" \ $(CROSS_TOOLS) \ diff --git a/patches/cryptsetup-1.7.3.patch b/patches/cryptsetup-1.7.3.patch index c36d36fd8..be7350d85 100644 --- a/patches/cryptsetup-1.7.3.patch +++ b/patches/cryptsetup-1.7.3.patch @@ -1,6 +1,512 @@ -diff -u --recursive ../../clean/cryptsetup-1.7.3/src/Makefile.in ./cryptsetup-1.7.3/src/Makefile.in ---- ../../clean/cryptsetup-1.7.3/src/Makefile.in 2016-10-28 09:45:06.000000000 -0400 -+++ cryptsetup-1.7.3/src/Makefile.in 2017-01-27 17:24:13.115962328 -0500 +diff -u -r cryptsetup-1.7.3-clean/configure cryptsetup-1.7.3/configure +--- cryptsetup-1.7.3-clean/configure 2016-10-28 06:45:06.000000000 -0700 ++++ cryptsetup-1.7.3/configure 2020-01-12 14:12:13.835035728 -0800 +@@ -10113,7 +10113,7 @@ + hardcode_automatic=no + hardcode_direct=no + hardcode_direct_absolute=no +- hardcode_libdir_flag_spec= ++ hardcode_libdir_flag_spec=" " + hardcode_libdir_separator= + hardcode_minus_L=no + hardcode_shlibpath_var=unsupported +@@ -10197,7 +10197,7 @@ + # are reset later if shared libraries are not supported. Putting them + # here allows them to be overridden if necessary. + runpath_var=LD_RUN_PATH +- hardcode_libdir_flag_spec='$wl-rpath $wl$libdir' ++ hardcode_libdir_flag_spec=" " + export_dynamic_flag_spec='$wl--export-dynamic' + # ancient GNU ld didn't support --whole-archive et. al. + if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then +@@ -10243,7 +10243,7 @@ + ;; + m68k) + archive_cmds='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' +- hardcode_libdir_flag_spec='-L$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_minus_L=yes + ;; + esac +@@ -10263,7 +10263,7 @@ + cygwin* | mingw* | pw32* | cegcc*) + # _LT_TAGVAR(hardcode_libdir_flag_spec, ) is actually meaningless, + # as there is no search path for DLLs. +- hardcode_libdir_flag_spec='-L$libdir' ++ hardcode_libdir_flag_spec=" " + export_dynamic_flag_spec='$wl--export-all-symbols' + allow_undefined_flag=unsupported + always_export_symbols=no +@@ -10293,7 +10293,7 @@ + ;; + + os2*) +- hardcode_libdir_flag_spec='-L$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_minus_L=yes + allow_undefined_flag=unsupported + shrext_cmds=.dll +@@ -10323,7 +10323,7 @@ + interix[3-9]*) + hardcode_direct=no + hardcode_shlibpath_var=no +- hardcode_libdir_flag_spec='$wl-rpath,$libdir' ++ hardcode_libdir_flag_spec=" " + export_dynamic_flag_spec='$wl-E' + # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc. + # Instead, shared libraries are loaded at an image base (0x10000000 by +@@ -10399,7 +10399,7 @@ + xlf* | bgf* | bgxlf* | mpixlf*) + # IBM XL Fortran 10.1 on PPC cannot create shared libs itself + whole_archive_flag_spec='--whole-archive$convenience --no-whole-archive' +- hardcode_libdir_flag_spec='$wl-rpath $wl$libdir' ++ hardcode_libdir_flag_spec=" " + archive_cmds='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib' + if test yes = "$supports_anon_versioning"; then + archive_expsym_cmds='echo "{ global:" > $output_objdir/$libname.ver~ +@@ -10466,7 +10466,7 @@ + # DT_RUNPATH tag from executables and libraries. But doing so + # requires that you compile everything twice, which is a pain. + if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then +- hardcode_libdir_flag_spec='$wl-rpath $wl$libdir' ++ hardcode_libdir_flag_spec=" " + archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib' + archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib' + else +@@ -10495,7 +10495,7 @@ + + if test no = "$ld_shlibs"; then + runpath_var= +- hardcode_libdir_flag_spec= ++ hardcode_libdir_flag_spec=" " + export_dynamic_flag_spec= + whole_archive_flag_spec= + fi +@@ -10613,7 +10613,7 @@ + # path is not listed in the libpath. Setting hardcode_minus_L + # to unsupported forces relinking + hardcode_minus_L=yes +- hardcode_libdir_flag_spec='-L$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_libdir_separator= + fi + ;; +@@ -10697,11 +10697,11 @@ + aix_libpath=$lt_cv_aix_libpath_ + fi + +- hardcode_libdir_flag_spec='$wl-blibpath:$libdir:'"$aix_libpath" ++ hardcode_libdir_flag_spec=" " + archive_expsym_cmds='$CC -o $output_objdir/$soname $libobjs $deplibs $wl'$no_entry_flag' $compiler_flags `if test -n "$allow_undefined_flag"; then func_echo_all "$wl$allow_undefined_flag"; else :; fi` $wl'$exp_sym_flag:\$export_symbols' '$shared_flag + else + if test ia64 = "$host_cpu"; then +- hardcode_libdir_flag_spec='$wl-R $libdir:/usr/lib:/lib' ++ hardcode_libdir_flag_spec=" " + allow_undefined_flag="-z nodefs" + archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\$wl$no_entry_flag"' $compiler_flags $wl$allow_undefined_flag '"\$wl$exp_sym_flag:\$export_symbols" + else +@@ -10750,7 +10750,7 @@ + aix_libpath=$lt_cv_aix_libpath_ + fi + +- hardcode_libdir_flag_spec='$wl-blibpath:$libdir:'"$aix_libpath" ++ hardcode_libdir_flag_spec=" " + # Warning - without using the other run time loading flags, + # -berok will link without error, but may produce a broken library. + no_undefined_flag=' $wl-bernotok' +@@ -10790,7 +10790,7 @@ + ;; + m68k) + archive_cmds='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' +- hardcode_libdir_flag_spec='-L$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_minus_L=yes + ;; + esac +@@ -10808,7 +10808,7 @@ + case $cc_basename in + cl*) + # Native MSVC +- hardcode_libdir_flag_spec=' ' ++ hardcode_libdir_flag_spec=" " + allow_undefined_flag=unsupported + always_export_symbols=yes + file_list_spec='@' +@@ -10849,7 +10849,7 @@ + ;; + *) + # Assume MSVC wrapper +- hardcode_libdir_flag_spec=' ' ++ hardcode_libdir_flag_spec=" " + allow_undefined_flag=unsupported + # Tell ltmain to make .lib files, not .a files. + libext=lib +@@ -10900,7 +10900,7 @@ + + dgux*) + archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' +- hardcode_libdir_flag_spec='-L$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_shlibpath_var=no + ;; + +@@ -10910,7 +10910,7 @@ + # extra space). + freebsd2.2*) + archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o' +- hardcode_libdir_flag_spec='-R$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_direct=yes + hardcode_shlibpath_var=no + ;; +@@ -10926,7 +10926,7 @@ + # FreeBSD 3 and greater uses gcc -shared to do shared libraries. + freebsd* | dragonfly*) + archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' +- hardcode_libdir_flag_spec='-R$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_direct=yes + hardcode_shlibpath_var=no + ;; +@@ -10937,7 +10937,7 @@ + else + archive_cmds='$RM $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test "x$output_objdir/$soname" = "x$lib" || mv $output_objdir/$soname $lib' + fi +- hardcode_libdir_flag_spec='$wl+b $wl$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_libdir_separator=: + hardcode_direct=yes + +@@ -10954,7 +10954,7 @@ + archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags' + fi + if test no = "$with_gnu_ld"; then +- hardcode_libdir_flag_spec='$wl+b $wl$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_libdir_separator=: + hardcode_direct=yes + hardcode_direct_absolute=yes +@@ -11031,7 +11031,7 @@ + esac + fi + if test no = "$with_gnu_ld"; then +- hardcode_libdir_flag_spec='$wl+b $wl$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_libdir_separator=: + + case $host_cpu in +@@ -11090,7 +11090,7 @@ + archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -exports_file $export_symbols -o $lib' + fi + archive_cmds_need_lc='no' +- hardcode_libdir_flag_spec='$wl-rpath $wl$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_libdir_separator=: + inherit_rpath=yes + link_all_deplibs=yes +@@ -11112,7 +11112,7 @@ + else + archive_cmds='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF + fi +- hardcode_libdir_flag_spec='-R$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_direct=yes + hardcode_shlibpath_var=no + ;; +@@ -11120,7 +11120,7 @@ + newsos6) + archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + hardcode_direct=yes +- hardcode_libdir_flag_spec='$wl-rpath $wl$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_libdir_separator=: + hardcode_shlibpath_var=no + ;; +@@ -11136,11 +11136,11 @@ + if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`"; then + archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' + archive_expsym_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags $wl-retain-symbols-file,$export_symbols' +- hardcode_libdir_flag_spec='$wl-rpath,$libdir' ++ hardcode_libdir_flag_spec=" " + export_dynamic_flag_spec='$wl-E' + else + archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' +- hardcode_libdir_flag_spec='$wl-rpath,$libdir' ++ hardcode_libdir_flag_spec=" " + fi + else + ld_shlibs=no +@@ -11148,7 +11148,7 @@ + ;; + + os2*) +- hardcode_libdir_flag_spec='-L$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_minus_L=yes + allow_undefined_flag=unsupported + shrext_cmds=.dll +@@ -11184,7 +11184,7 @@ + archive_cmds='$CC -shared$allow_undefined_flag $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib' + fi + archive_cmds_need_lc='no' +- hardcode_libdir_flag_spec='$wl-rpath $wl$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_libdir_separator=: + ;; + +@@ -11192,7 +11192,7 @@ + if test yes = "$GCC"; then + allow_undefined_flag=' $wl-expect_unresolved $wl\*' + archive_cmds='$CC -shared$allow_undefined_flag $pic_flag $libobjs $deplibs $compiler_flags $wl-msym $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations -o $lib' +- hardcode_libdir_flag_spec='$wl-rpath $wl$libdir' ++ hardcode_libdir_flag_spec=" " + else + allow_undefined_flag=' -expect_unresolved \*' + archive_cmds='$CC -shared$allow_undefined_flag $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib' +@@ -11200,7 +11200,7 @@ + $CC -shared$allow_undefined_flag $wl-input $wl$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib~$RM $lib.exp' + + # Both c and cxx compiler support -rpath directly +- hardcode_libdir_flag_spec='-rpath $libdir' ++ hardcode_libdir_flag_spec=" " + fi + archive_cmds_need_lc='no' + hardcode_libdir_separator=: +@@ -11229,7 +11229,7 @@ + ;; + esac + fi +- hardcode_libdir_flag_spec='-R$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_shlibpath_var=no + case $host_os in + solaris2.[0-5] | solaris2.[0-5].*) ;; +@@ -11256,7 +11256,7 @@ + else + archive_cmds='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags' + fi +- hardcode_libdir_flag_spec='-L$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_direct=yes + hardcode_minus_L=yes + hardcode_shlibpath_var=no +@@ -11326,7 +11326,7 @@ + allow_undefined_flag='$wl-z,nodefs' + archive_cmds_need_lc=no + hardcode_shlibpath_var=no +- hardcode_libdir_flag_spec='$wl-R,$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_libdir_separator=':' + link_all_deplibs=yes + export_dynamic_flag_spec='$wl-Bexport' +@@ -11343,7 +11343,7 @@ + + uts4*) + archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' +- hardcode_libdir_flag_spec='-L$libdir' ++ hardcode_libdir_flag_spec=" " + hardcode_shlibpath_var=no + ;; + +@@ -11711,7 +11711,7 @@ + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + if test ia64 = "$host_cpu"; then + # AIX 5 supports IA64 + library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext' +@@ -12001,16 +12001,16 @@ + ;; + freebsd3.[01]* | freebsdelf3.[01]*) + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + freebsd3.[2-9]* | freebsdelf3.[2-9]* | \ + freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1) + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + *) # from 4.6 on, and DragonFly + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + esac + ;; +@@ -12025,7 +12025,7 @@ + shlibpath_var=LIBRARY_PATH + shlibpath_overrides_runpath=no + sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + hpux9* | hpux10* | hpux11*) +@@ -12037,7 +12037,7 @@ + case $host_cpu in + ia64*) + shrext_cmds='.so' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker="$host_os dld.so" + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. +@@ -12053,7 +12053,7 @@ + ;; + hppa*64*) + shrext_cmds='.sl' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker="$host_os dld.sl" + shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. +@@ -12086,7 +12086,7 @@ + dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + irix5* | irix6* | nonstopux*) +@@ -12123,7 +12123,7 @@ + shlibpath_overrides_runpath=no + sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff" + sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff" +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + # No shared lib support for Linux oldld, aout, or coff. +@@ -12144,11 +12144,11 @@ + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. +- hardcode_into_libs=yes ++ hardcode_into_libs=no + + dynamic_linker='Android linker' + # Don't embed -rpath directories since the linker doesn't support them. +- hardcode_libdir_flag_spec='-L$libdir' ++ hardcode_libdir_flag_spec=" " + ;; + + # This must be glibc/ELF. +@@ -12199,7 +12199,7 @@ + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. +- hardcode_into_libs=yes ++ hardcode_into_libs=no + + # Ideally, we could use ldconfig to report *all* directores which are + # searched for libraries, however this is still not possible. Aside from not +@@ -12229,7 +12229,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker='NetBSD ld.elf_so' + ;; + +@@ -12248,7 +12248,7 @@ + fi + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + newsos6) +@@ -12266,7 +12266,7 @@ + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker='ldqnx.so' + ;; + +@@ -12338,7 +12338,7 @@ + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + # ldd complains unless libraries are executable + postinstall_cmds='chmod +x $lib' + ;; +@@ -12395,7 +12395,7 @@ + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + if test yes = "$with_gnu_ld"; then + sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' + else +@@ -12417,7 +12417,7 @@ + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + uts4*) +@@ -14964,7 +14964,7 @@ + wl="$acl_cv_wl" + libext="$acl_cv_libext" + shlibext="$acl_cv_shlibext" +- hardcode_libdir_flag_spec="$acl_cv_hardcode_libdir_flag_spec" ++ hardcode_libdir_flag_spec=" " + hardcode_libdir_separator="$acl_cv_hardcode_libdir_separator" + hardcode_direct="$acl_cv_hardcode_direct" + hardcode_minus_L="$acl_cv_hardcode_minus_L" +@@ -19683,7 +19683,7 @@ + with_gnu_ld='`$ECHO "$with_gnu_ld" | $SED "$delay_single_quote_subst"`' + allow_undefined_flag='`$ECHO "$allow_undefined_flag" | $SED "$delay_single_quote_subst"`' + no_undefined_flag='`$ECHO "$no_undefined_flag" | $SED "$delay_single_quote_subst"`' +-hardcode_libdir_flag_spec='`$ECHO "$hardcode_libdir_flag_spec" | $SED "$delay_single_quote_subst"`' ++hardcode_libdir_flag_spec=" " + hardcode_libdir_separator='`$ECHO "$hardcode_libdir_separator" | $SED "$delay_single_quote_subst"`' + hardcode_direct='`$ECHO "$hardcode_direct" | $SED "$delay_single_quote_subst"`' + hardcode_direct_absolute='`$ECHO "$hardcode_direct_absolute" | $SED "$delay_single_quote_subst"`' +@@ -19714,7 +19714,7 @@ + postuninstall_cmds='`$ECHO "$postuninstall_cmds" | $SED "$delay_single_quote_subst"`' + finish_cmds='`$ECHO "$finish_cmds" | $SED "$delay_single_quote_subst"`' + finish_eval='`$ECHO "$finish_eval" | $SED "$delay_single_quote_subst"`' +-hardcode_into_libs='`$ECHO "$hardcode_into_libs" | $SED "$delay_single_quote_subst"`' ++hardcode_into_libs=no + sys_lib_search_path_spec='`$ECHO "$sys_lib_search_path_spec" | $SED "$delay_single_quote_subst"`' + configure_time_dlsearch_path='`$ECHO "$configure_time_dlsearch_path" | $SED "$delay_single_quote_subst"`' + configure_time_lt_sys_library_path='`$ECHO "$configure_time_lt_sys_library_path" | $SED "$delay_single_quote_subst"`' +@@ -20877,7 +20877,7 @@ + finish_eval=$lt_finish_eval + + # Whether we should hardcode library paths into libraries. +-hardcode_into_libs=$hardcode_into_libs ++hardcode_into_libs=no + + # Compile-time system search path for libraries. + sys_lib_search_path_spec=$lt_sys_lib_search_path_spec +@@ -20974,7 +20974,7 @@ + + # Flag to hardcode \$libdir into a binary during linking. + # This must work even if \$libdir does not exist +-hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec ++hardcode_libdir_flag_spec=" " + + # Whether we need a single "-rpath" flag with a separated argument. + hardcode_libdir_separator=$lt_hardcode_libdir_separator +diff -u -r cryptsetup-1.7.3-clean/src/Makefile.in cryptsetup-1.7.3/src/Makefile.in +--- cryptsetup-1.7.3-clean/src/Makefile.in 2016-10-28 06:45:06.000000000 -0700 ++++ cryptsetup-1.7.3/src/Makefile.in 2020-01-12 13:42:22.744734385 -0800 @@ -479,6 +479,8 @@ cryptsetup_LDADD = \ $(top_builddir)/lib/libcryptsetup.la \ diff --git a/patches/libassuan-2.5.1.patch b/patches/libassuan-2.5.1.patch new file mode 100644 index 000000000..ff27dbd27 --- /dev/null +++ b/patches/libassuan-2.5.1.patch @@ -0,0 +1,176 @@ +diff -u -r libassuan-2.5.1-clean/configure libassuan-2.5.1/configure +--- libassuan-2.5.1-clean/configure 2017-12-07 06:55:50.000000000 -0800 ++++ libassuan-2.5.1/configure 2020-01-12 13:39:50.655638965 -0800 +@@ -10781,7 +10781,7 @@ + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + if test "$host_cpu" = ia64; then + # AIX 5 supports IA64 + library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}' +@@ -11020,16 +11020,16 @@ + ;; + freebsd3.[01]* | freebsdelf3.[01]*) + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + freebsd3.[2-9]* | freebsdelf3.[2-9]* | \ + freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1) + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + *) # from 4.6 on, and DragonFly + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + esac + ;; +@@ -11042,7 +11042,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + haiku*) +@@ -11055,7 +11055,7 @@ + shlibpath_var=LIBRARY_PATH + shlibpath_overrides_runpath=yes + sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + hpux9* | hpux10* | hpux11*) +@@ -11067,7 +11067,7 @@ + case $host_cpu in + ia64*) + shrext_cmds='.so' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker="$host_os dld.so" + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. +@@ -11082,7 +11082,7 @@ + ;; + hppa*64*) + shrext_cmds='.sl' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker="$host_os dld.sl" + shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. +@@ -11115,7 +11115,7 @@ + dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + irix5* | irix6* | nonstopux*) +@@ -11152,7 +11152,7 @@ + shlibpath_overrides_runpath=no + sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}" + sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}" +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + # No shared lib support for Linux oldld, aout, or coff. +@@ -11173,7 +11173,7 @@ + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. +- hardcode_into_libs=yes ++ hardcode_into_libs=no + + dynamic_linker='Android linker' + # Don't embed -rpath directories since the linker doesn't support them. +@@ -11228,7 +11228,7 @@ + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. +- hardcode_into_libs=yes ++ hardcode_into_libs=no + + # Append ld.so.conf contents to the search path + if test -f /etc/ld.so.conf; then +@@ -11253,7 +11253,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker='NetBSD ld.elf_so' + ;; + +@@ -11272,7 +11272,7 @@ + fi + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + newsos6) +@@ -11290,7 +11290,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker='ldqnx.so' + ;; + +@@ -11352,7 +11352,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + # ldd complains unless libraries are executable + postinstall_cmds='chmod +x $lib' + ;; +@@ -11409,7 +11409,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + if test "$with_gnu_ld" = yes; then + sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' + else +@@ -11431,7 +11431,7 @@ + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + uts4*) +@@ -15680,7 +15680,7 @@ + postuninstall_cmds='`$ECHO "$postuninstall_cmds" | $SED "$delay_single_quote_subst"`' + finish_cmds='`$ECHO "$finish_cmds" | $SED "$delay_single_quote_subst"`' + finish_eval='`$ECHO "$finish_eval" | $SED "$delay_single_quote_subst"`' +-hardcode_into_libs='`$ECHO "$hardcode_into_libs" | $SED "$delay_single_quote_subst"`' ++hardcode_into_libs=no + sys_lib_search_path_spec='`$ECHO "$sys_lib_search_path_spec" | $SED "$delay_single_quote_subst"`' + sys_lib_dlsearch_path_spec='`$ECHO "$sys_lib_dlsearch_path_spec" | $SED "$delay_single_quote_subst"`' + hardcode_action='`$ECHO "$hardcode_action" | $SED "$delay_single_quote_subst"`' +@@ -16896,7 +16896,7 @@ + finish_eval=$lt_finish_eval + + # Whether we should hardcode library paths into libraries. +-hardcode_into_libs=$hardcode_into_libs ++hardcode_into_libs=no + + # Compile-time system search path for libraries. + sys_lib_search_path_spec=$lt_sys_lib_search_path_spec diff --git a/patches/libgcrypt-1.8.3.patch b/patches/libgcrypt-1.8.3.patch new file mode 100644 index 000000000..902d96ec2 --- /dev/null +++ b/patches/libgcrypt-1.8.3.patch @@ -0,0 +1,176 @@ +diff -u -r libgcrypt-1.8.3-clean/configure libgcrypt-1.8.3/configure +--- libgcrypt-1.8.3-clean/configure 2018-06-13 00:39:33.000000000 -0700 ++++ libgcrypt-1.8.3/configure 2020-01-12 13:32:34.840010800 -0800 +@@ -11292,7 +11292,7 @@ + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + if test "$host_cpu" = ia64; then + # AIX 5 supports IA64 + library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}' +@@ -11531,16 +11531,16 @@ + ;; + freebsd3.[01]* | freebsdelf3.[01]*) + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + freebsd3.[2-9]* | freebsdelf3.[2-9]* | \ + freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1) + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + *) # from 4.6 on, and DragonFly + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + esac + ;; +@@ -11553,7 +11553,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + haiku*) +@@ -11566,7 +11566,7 @@ + shlibpath_var=LIBRARY_PATH + shlibpath_overrides_runpath=yes + sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + hpux9* | hpux10* | hpux11*) +@@ -11578,7 +11578,7 @@ + case $host_cpu in + ia64*) + shrext_cmds='.so' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker="$host_os dld.so" + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. +@@ -11593,7 +11593,7 @@ + ;; + hppa*64*) + shrext_cmds='.sl' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker="$host_os dld.sl" + shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. +@@ -11626,7 +11626,7 @@ + dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + irix5* | irix6* | nonstopux*) +@@ -11663,7 +11663,7 @@ + shlibpath_overrides_runpath=no + sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}" + sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}" +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + # No shared lib support for Linux oldld, aout, or coff. +@@ -11684,7 +11684,7 @@ + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. +- hardcode_into_libs=yes ++ hardcode_into_libs=no + + dynamic_linker='Android linker' + # Don't embed -rpath directories since the linker doesn't support them. +@@ -11739,7 +11739,7 @@ + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. +- hardcode_into_libs=yes ++ hardcode_into_libs=no + + # Append ld.so.conf contents to the search path + if test -f /etc/ld.so.conf; then +@@ -11764,7 +11764,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker='NetBSD ld.elf_so' + ;; + +@@ -11783,7 +11783,7 @@ + fi + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + newsos6) +@@ -11801,7 +11801,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker='ldqnx.so' + ;; + +@@ -11863,7 +11863,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + # ldd complains unless libraries are executable + postinstall_cmds='chmod +x $lib' + ;; +@@ -11920,7 +11920,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + if test "$with_gnu_ld" = yes; then + sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' + else +@@ -11942,7 +11942,7 @@ + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + uts4*) +@@ -19824,7 +19824,7 @@ + postuninstall_cmds='`$ECHO "$postuninstall_cmds" | $SED "$delay_single_quote_subst"`' + finish_cmds='`$ECHO "$finish_cmds" | $SED "$delay_single_quote_subst"`' + finish_eval='`$ECHO "$finish_eval" | $SED "$delay_single_quote_subst"`' +-hardcode_into_libs='`$ECHO "$hardcode_into_libs" | $SED "$delay_single_quote_subst"`' ++hardcode_into_libs=no + sys_lib_search_path_spec='`$ECHO "$sys_lib_search_path_spec" | $SED "$delay_single_quote_subst"`' + sys_lib_dlsearch_path_spec='`$ECHO "$sys_lib_dlsearch_path_spec" | $SED "$delay_single_quote_subst"`' + hardcode_action='`$ECHO "$hardcode_action" | $SED "$delay_single_quote_subst"`' +@@ -21088,7 +21088,7 @@ + finish_eval=$lt_finish_eval + + # Whether we should hardcode library paths into libraries. +-hardcode_into_libs=$hardcode_into_libs ++hardcode_into_libs=no + + # Compile-time system search path for libraries. + sys_lib_search_path_spec=$lt_sys_lib_search_path_spec diff --git a/patches/libksba-1.3.5.patch b/patches/libksba-1.3.5.patch index 13fa7be47..8c1ee16e9 100644 --- a/patches/libksba-1.3.5.patch +++ b/patches/libksba-1.3.5.patch @@ -1,5 +1,182 @@ ---- clean/libksba-1.3.5/src/asn1-gentables.c 2016-08-22 11:38:21.000000000 +0200 -+++ libksba-1.3.5/src/asn1-gentables.c 2020-01-08 10:00:27.297737650 +0100 +diff -u -r libksba-1.3.5-clean/configure libksba-1.3.5/configure +--- libksba-1.3.5-clean/configure 2016-08-22 02:56:54.000000000 -0700 ++++ libksba-1.3.5/configure 2020-01-12 13:34:53.557259138 -0800 +@@ -10734,7 +10734,7 @@ + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + if test "$host_cpu" = ia64; then + # AIX 5 supports IA64 + library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}' +@@ -10973,16 +10973,16 @@ + ;; + freebsd3.[01]* | freebsdelf3.[01]*) + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + freebsd3.[2-9]* | freebsdelf3.[2-9]* | \ + freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1) + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + *) # from 4.6 on, and DragonFly + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + esac + ;; +@@ -10995,7 +10995,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + haiku*) +@@ -11008,7 +11008,7 @@ + shlibpath_var=LIBRARY_PATH + shlibpath_overrides_runpath=yes + sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + hpux9* | hpux10* | hpux11*) +@@ -11020,7 +11020,7 @@ + case $host_cpu in + ia64*) + shrext_cmds='.so' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker="$host_os dld.so" + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. +@@ -11035,7 +11035,7 @@ + ;; + hppa*64*) + shrext_cmds='.sl' +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker="$host_os dld.sl" + shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. +@@ -11068,7 +11068,7 @@ + dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + irix5* | irix6* | nonstopux*) +@@ -11105,7 +11105,7 @@ + shlibpath_overrides_runpath=no + sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}" + sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}" +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + # No shared lib support for Linux oldld, aout, or coff. +@@ -11126,7 +11126,7 @@ + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. +- hardcode_into_libs=yes ++ hardcode_into_libs=no + + dynamic_linker='Android linker' + # Don't embed -rpath directories since the linker doesn't support them. +@@ -11181,7 +11181,7 @@ + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. +- hardcode_into_libs=yes ++ hardcode_into_libs=no + + # Append ld.so.conf contents to the search path + if test -f /etc/ld.so.conf; then +@@ -11206,7 +11206,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker='NetBSD ld.elf_so' + ;; + +@@ -11225,7 +11225,7 @@ + fi + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + newsos6) +@@ -11243,7 +11243,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + dynamic_linker='ldqnx.so' + ;; + +@@ -11305,7 +11305,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + # ldd complains unless libraries are executable + postinstall_cmds='chmod +x $lib' + ;; +@@ -11362,7 +11362,7 @@ + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes +- hardcode_into_libs=yes ++ hardcode_into_libs=no + if test "$with_gnu_ld" = yes; then + sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' + else +@@ -11384,7 +11384,7 @@ + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no +- hardcode_into_libs=yes ++ hardcode_into_libs=no + ;; + + uts4*) +@@ -15804,7 +15804,7 @@ + postuninstall_cmds='`$ECHO "$postuninstall_cmds" | $SED "$delay_single_quote_subst"`' + finish_cmds='`$ECHO "$finish_cmds" | $SED "$delay_single_quote_subst"`' + finish_eval='`$ECHO "$finish_eval" | $SED "$delay_single_quote_subst"`' +-hardcode_into_libs='`$ECHO "$hardcode_into_libs" | $SED "$delay_single_quote_subst"`' ++hardcode_into_libs=no + sys_lib_search_path_spec='`$ECHO "$sys_lib_search_path_spec" | $SED "$delay_single_quote_subst"`' + sys_lib_dlsearch_path_spec='`$ECHO "$sys_lib_dlsearch_path_spec" | $SED "$delay_single_quote_subst"`' + hardcode_action='`$ECHO "$hardcode_action" | $SED "$delay_single_quote_subst"`' +@@ -17021,7 +17021,7 @@ + finish_eval=$lt_finish_eval + + # Whether we should hardcode library paths into libraries. +-hardcode_into_libs=$hardcode_into_libs ++hardcode_into_libs=no + + # Compile-time system search path for libraries. + sys_lib_search_path_spec=$lt_sys_lib_search_path_spec +diff -u -r libksba-1.3.5-clean/src/asn1-gentables.c libksba-1.3.5/src/asn1-gentables.c +--- libksba-1.3.5-clean/src/asn1-gentables.c 2016-08-22 02:38:21.000000000 -0700 ++++ libksba-1.3.5/src/asn1-gentables.c 2020-01-12 13:34:45.877191990 -0800 @@ -109,10 +109,17 @@ static int cmp_string (const void *aptr, const void *bptr) From ad2395d3db59668779cc0d303fd1cbea0cdaa330 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Tue, 21 Jan 2020 21:43:56 -0600 Subject: [PATCH 40/52] libremkey-hotp-verification: toolchain adjustments Pass through new toolchain path via $(CROSS) so we can set the c/c++ compiler paths correctly for CMake. Adjust patch to use new paths, and fix compiler/linker paths to correct a libusb linking issue. Signed-off-by: Matt DeVillier --- modules/libremkey-hotp-verification | 1 + patches/libremkey-hotp-verification.patch | 17 +++++++++++++---- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/modules/libremkey-hotp-verification b/modules/libremkey-hotp-verification index c9b9d45ab..c8339df41 100644 --- a/modules/libremkey-hotp-verification +++ b/modules/libremkey-hotp-verification @@ -16,4 +16,5 @@ libremkey-hotp-verification_output := \ libremkey-hotp-verification_configure := \ INSTALL="$(INSTALL)" \ + CROSS="$(CROSS)" \ cmake -DCMAKE_TOOLCHAIN_FILE=./Toolchain-heads.cmake -DCMAKE_AR="$(CROSS)ar" . diff --git a/patches/libremkey-hotp-verification.patch b/patches/libremkey-hotp-verification.patch index c2b5dfeae..5f058f22d 100644 --- a/patches/libremkey-hotp-verification.patch +++ b/patches/libremkey-hotp-verification.patch @@ -1,15 +1,24 @@ --- nitrokey-hotp-verification-a/Toolchain-heads.cmake 2018-05-22 09:55:46.907209235 -0700 +++ nitrokey-hotp-verification-b/Toolchain-heads.cmake 2018-05-22 09:55:26.659371966 -0700 -@@ -0,0 +1,18 @@ +@@ -0,0 +1,27 @@ +SET(CMAKE_SYSTEM_NAME Linux) +SET(CMAKE_SYSTEM_VERSION 1) + +# Specify the cross compiler -+SET(CMAKE_C_COMPILER $ENV{INSTALL}/bin/musl-gcc) -+SET(CMAKE_CXX_COMPILER $ENV{INSTALL}/bin/musl-gcc) ++SET(CMAKE_C_COMPILER $ENV{CROSS}gcc) ++SET(CMAKE_CXX_COMPILER $ENV{CROSS}gcc) ++ ++#sysroot location ++set(MYSYSROOT $ENV{INSTALL}) ++ ++# compiler/linker flags ++set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE) ++set(CMAKE_C_LINK_FLAGS "${CMAKE_C_LINK_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE) ++set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE) ++set(CMAKE_CXX_LINK_FLAGS "${CMAKE_CXX_LINK_FLAGS} --sysroot=${MYSYSROOT}" CACHE INTERNAL "" FORCE) + +# Where is the target environment -+SET(CMAKE_FIND_ROOT_PATH $ENV{INSTALL}) ++SET(CMAKE_FIND_ROOT_PATH "${MYSYSROOT}") + +# Search for programs only in the build host directories +SET(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER) From a3bbdbab540386317596a2ac7124c85a9523b843 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Tue, 26 Nov 2019 17:52:57 -0600 Subject: [PATCH 41/52] blobs/librem*: update hashes for FSP and VBT Update hashes of coreboot images, releases repo, FSP blobs, and VBT file. Updated VBT from coreboot 4.11 release eliminates flickering on some 13v4/15v4 displays. Signed-off-by: Matt DeVillier --- blobs/librem_kbl/get_blobs.sh | 10 +++++----- blobs/librem_skl/get_blobs.sh | 14 +++++++------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/blobs/librem_kbl/get_blobs.sh b/blobs/librem_kbl/get_blobs.sh index c7a13376b..ff7087f64 100755 --- a/blobs/librem_kbl/get_blobs.sh +++ b/blobs/librem_kbl/get_blobs.sh @@ -2,16 +2,16 @@ # depends on : wget sha256sum gunzip # Purism source -RELEASES_GIT_HASH="631b4a4e9bf562768afc262647ef4ef4f4ffaebd" +RELEASES_GIT_HASH="9828ffc0fbe7e0da65f10fe5e14f68f0ef061d5d" PURISM_SOURCE="https://source.puri.sm/coreboot/releases/raw/${RELEASES_GIT_HASH}" # Librem 13 v4 and Librem 15 v4 binary blob hashes KBL_UCODE_SHA="bb07f0f77abe08e553f85b99d18fa129f991bf3613cf73d77c4f0ece87dd251e" KBL_DESCRIPTOR_SHA="642ca36f52aabb5198b82e013bf64a73a5148693a58376fffce322a4d438b524" KBL_ME_SHA="0eec2e1135193941edd39d0ec0f463e353d0c6c9068867a2f32a72b64334fb34" -KBL_FSPM_SHA="5da3ad7718eb3f6700fb9d97be988d9c8bdd2d8b5910273a80928c49122d5b2d" -KBL_FSPS_SHA="c81ffa40df0b6cd6cfde4f476d452a1f6f2217bc96a3b98a4fa4a037ee7039cf" -KBL_VBT_SHA="0ba40c1b8c0fb030a0e1a789eda8b2a7369339a410ad8c4620719e451ea69b98" +KBL_FSPM_SHA="b285fc2240df7fee4fa069444cc2be2ebf5ea70af21b722b0e3dd102321b4877" +KBL_FSPS_SHA="223d0f3d3ff28c46a3ac33442385ffedefe2d3063774784d4fef432013568019" +KBL_VBT_SHA="45135459f7cbc06675fec5688479c2e2f4335d77c61bb58e4016d32ba7daa9d0" # cbfstool, ifdtool, coreboot image from Purism repo CBFSTOOL_FILE="cbfstool.gz" @@ -27,7 +27,7 @@ IFDTOOL_BIN="./ifdtool" COREBOOT_IMAGE="coreboot-l13v4.rom" COREBOOT_IMAGE_FILE="$COREBOOT_IMAGE.gz" COREBOOT_IMAGE_URL="$PURISM_SOURCE/librem_13v4/$COREBOOT_IMAGE_FILE" -COREBOOT_IMAGE_SHA="93c86230c618f9f19c29672f15f431f516db9247fac95bb2eacbc0fa33ea1e6a" +COREBOOT_IMAGE_SHA="5a7548e2742289fa66339f817f4247599d51bc7a5a6a9e887efd39fcf7f9e831" die () { local msg=$1 diff --git a/blobs/librem_skl/get_blobs.sh b/blobs/librem_skl/get_blobs.sh index 10482e811..e455f3d41 100755 --- a/blobs/librem_skl/get_blobs.sh +++ b/blobs/librem_skl/get_blobs.sh @@ -2,16 +2,16 @@ # depends on : wget sha256sum gunzip # Purism source -RELEASES_GIT_HASH="631b4a4e9bf562768afc262647ef4ef4f4ffaebd" +RELEASES_GIT_HASH="9828ffc0fbe7e0da65f10fe5e14f68f0ef061d5d" PURISM_SOURCE="https://source.puri.sm/coreboot/releases/raw/${RELEASES_GIT_HASH}" # Librem 13 v2/v3 and Librem 15 v3 binary blob hashes SKL_UCODE_SHA="e528d2ccc5d76cd04bfabb556a3fbb70b93d9aca43e291e0f0104fbaae5720fd" SKL_DESCRIPTOR_SHA="642ca36f52aabb5198b82e013bf64a73a5148693a58376fffce322a4d438b524" SKL_ME_SHA="cf06d3eb8b24490a1ab46fd988b6cef822e5347cd6a2e92bc332cb4a376eb8bc" -SKL_FSPM_SHA="5da3ad7718eb3f6700fb9d97be988d9c8bdd2d8b5910273a80928c49122d5b2d" -SKL_FSPS_SHA="c81ffa40df0b6cd6cfde4f476d452a1f6f2217bc96a3b98a4fa4a037ee7039cf" -SKL_VBT_SHA="0ba40c1b8c0fb030a0e1a789eda8b2a7369339a410ad8c4620719e451ea69b98" +SKL_FSPM_SHA="5f402416894c324b6cbf8cba85068ac2c3de9be8dd4f37fae3af6cfed7acc38e" +SKL_FSPS_SHA="223d0f3d3ff28c46a3ac33442385ffedefe2d3063774784d4fef432013568019" +SKL_VBT_SHA="45135459f7cbc06675fec5688479c2e2f4335d77c61bb58e4016d32ba7daa9d0" # cbfstool, ifdtool, coreboot image from Purism repo CBFSTOOL_FILE="cbfstool.gz" @@ -24,10 +24,10 @@ IFDTOOL_URL="$PURISM_SOURCE/tools/$IFDTOOL_FILE" IFDTOOL_SHA="08228ece4968794499ebd49a851f7d3f7f1b81352da8cd6e0c7916ac931a7d72" IFDTOOL_BIN="./ifdtool" -COREBOOT_IMAGE="coreboot-l13v3.rom" +COREBOOT_IMAGE="coreboot-l13v2.rom" COREBOOT_IMAGE_FILE="$COREBOOT_IMAGE.gz" -COREBOOT_IMAGE_URL="$PURISM_SOURCE/librem_13v3/$COREBOOT_IMAGE_FILE" -COREBOOT_IMAGE_SHA="784d8c9e9e3cf11e99b7f8a473d0ec18738193b2b57bb7a37386b536dab84be2" +COREBOOT_IMAGE_URL="$PURISM_SOURCE/librem_13v2/$COREBOOT_IMAGE_FILE" +COREBOOT_IMAGE_SHA="c703e0e705554bc7eb90814ae933d4372c0042927a6bbd7f27024cb99a8993d6" die () { local msg=$1 From 92e706bf1bd6affdbf28f99d9de0ed513ceaff48 Mon Sep 17 00:00:00 2001 From: Francis Lam Date: Sat, 25 Jan 2020 20:45:03 -0800 Subject: [PATCH 42/52] init: fix invalid GPG_TTY variable busyboy tty isn't working after the musl-cross-make change so revert to known good value. --- initrd/init | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/initrd/init b/initrd/init index 892a2a7c8..3bac630b2 100755 --- a/initrd/init +++ b/initrd/init @@ -52,7 +52,7 @@ if [ "$CONFIG_LINUXBOOT" = "y" ]; then fi # Set GPG_TTY before calling gpg in key-init -export GPG_TTY=$(tty) +export GPG_TTY=/dev/console /bin/key-init From 132dcb234425770045780592c1726828cecf6719 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Tue, 28 Jan 2020 20:44:34 -0600 Subject: [PATCH 43/52] flash-gui: set unset variable USB_FAILED Not setting USB_FAILED when call to mount-usb succeeds results in a spurious 'sh: 0 unknown operand' error printed to console. Signed-off-by: Matt DeVillier --- initrd/bin/flash-gui.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/initrd/bin/flash-gui.sh b/initrd/bin/flash-gui.sh index dba97d405..8a4e05b9a 100755 --- a/initrd/bin/flash-gui.sh +++ b/initrd/bin/flash-gui.sh @@ -7,7 +7,7 @@ set -e -o pipefail mount_usb(){ # Mount the USB boot device if ! grep -q /media /proc/mounts ; then - mount-usb "$CONFIG_USB_BOOT_DEV" || USB_FAILED=1 + mount-usb "$CONFIG_USB_BOOT_DEV" && USB_FAILED=0 || USB_FAILED=1 if [ $USB_FAILED -ne 0 ]; then if [ ! -e "$CONFIG_USB_BOOT_DEV" ]; then whiptail --title 'USB Drive Missing' \ From f0d85ba2d732a4944c8d2065aee6def74996b28c Mon Sep 17 00:00:00 2001 From: Sebastian McMillan <22755892+SebastianMcMillan@users.noreply.github.com> Date: Wed, 19 Feb 2020 11:04:56 -0600 Subject: [PATCH 44/52] Flash.sh cleanup : flashrom specifics now in board configs (#592) Flash.sh cleanup : flashrom specifics now in board configs (#592) --- boards/kgpe-d16/kgpe-d16.config | 1 + boards/librem13v2/librem13v2.config | 1 + boards/librem13v4/librem13v4.config | 1 + boards/librem15v3/librem15v3.config | 1 + boards/librem15v4/librem15v4.config | 1 + boards/x220/x220.config | 1 + boards/x230-flash/x230-flash.config | 1 + boards/x230/x230.config | 1 + initrd/bin/flash.sh | 12 +++--------- 9 files changed, 11 insertions(+), 9 deletions(-) diff --git a/boards/kgpe-d16/kgpe-d16.config b/boards/kgpe-d16/kgpe-d16.config index 466fdf015..40c5f737e 100644 --- a/boards/kgpe-d16/kgpe-d16.config +++ b/boards/kgpe-d16/kgpe-d16.config @@ -30,4 +30,5 @@ export CONFIG_BOOT_KERNEL_REMOVE="" export CONFIG_BOOT_DEV="/dev/sda1" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" +export FLASHROM_OPTIONS='--force --noverify -p internal' #export CONFIG_BOOT_STATIC_IP=192.168.1.2 diff --git a/boards/librem13v2/librem13v2.config b/boards/librem13v2/librem13v2.config index e37d506b7..0e562f4f4 100644 --- a/boards/librem13v2/librem13v2.config +++ b/boards/librem13v2/librem13v2.config @@ -35,3 +35,4 @@ export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 13v2 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" +export FLASHROM_OPTIONS='-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq' diff --git a/boards/librem13v4/librem13v4.config b/boards/librem13v4/librem13v4.config index f78f13a92..f76dd3280 100644 --- a/boards/librem13v4/librem13v4.config +++ b/boards/librem13v4/librem13v4.config @@ -35,3 +35,4 @@ export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 13v2 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" +export FLASHROM_OPTIONS='-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq' diff --git a/boards/librem15v3/librem15v3.config b/boards/librem15v3/librem15v3.config index f9d05253f..d4d47163a 100644 --- a/boards/librem15v3/librem15v3.config +++ b/boards/librem15v3/librem15v3.config @@ -37,3 +37,4 @@ export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 15v3 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" +export FLASHROM_OPTIONS='-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq' diff --git a/boards/librem15v4/librem15v4.config b/boards/librem15v4/librem15v4.config index 5f79a91d4..23e776711 100644 --- a/boards/librem15v4/librem15v4.config +++ b/boards/librem15v4/librem15v4.config @@ -37,3 +37,4 @@ export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 15v4 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" +export FLASHROM_OPTIONS='-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq' diff --git a/boards/x220/x220.config b/boards/x220/x220.config index 0b901bdba..f731c0e68 100644 --- a/boards/x220/x220.config +++ b/boards/x220/x220.config @@ -28,3 +28,4 @@ export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" export CONFIG_BOOT_KERNEL_REMOVE="quiet" export CONFIG_BOOT_DEV="/dev/sda1" export CONFIG_USB_BOOT_DEV="/dev/sdb1" +export FLASHROM_OPTIONS='--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios' diff --git a/boards/x230-flash/x230-flash.config b/boards/x230-flash/x230-flash.config index b10d17aff..e8a9abf6d 100644 --- a/boards/x230-flash/x230-flash.config +++ b/boards/x230-flash/x230-flash.config @@ -17,6 +17,7 @@ CONFIG_LINUX_E1000E=y export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_BOOTSCRIPT=/bin/x230-flash.init +export FLASHROM_OPTIONS='--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios' # This board is "special" in that we only want the top 4 MB of the ROM # for flashing into SPI flash 1 on the mainboard. This is enough to diff --git a/boards/x230/x230.config b/boards/x230/x230.config index 1d46ba920..acbf3dbae 100644 --- a/boards/x230/x230.config +++ b/boards/x230/x230.config @@ -34,6 +34,7 @@ export CONFIG_BOOT_GUI_MENU_NAME="Thinkpad X230 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" +export FLASHROM_OPTIONS='--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios' # This board has two SPI flash chips, an 8 MB that holds the IFD, # the ME image and part of the coreboot image, and a 4 MB one that diff --git a/initrd/bin/flash.sh b/initrd/bin/flash.sh index 121b42b1e..f73bda98d 100755 --- a/initrd/bin/flash.sh +++ b/initrd/bin/flash.sh @@ -6,15 +6,9 @@ set -e -o pipefail . /etc/functions . /tmp/config -case "$CONFIG_BOARD" in - librem* ) - FLASHROM_OPTIONS='-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq' - ;; - x230* ) - FLASHROM_OPTIONS='--force --noverify-all --programmer internal --ifd --image bios' - ;; - "kgpe-d16" ) - FLASHROM_OPTIONS='--force --noverify --programmer internal' +case "$FLASHROM_OPTIONS" in + -* ) + echo "Board $CONFIG_BOARD detected, continuing..." ;; * ) die "ERROR: No board has been configured!\n\nEach board requires specific flashrom options and it's unsafe to flash without them.\n\nAborting." From 6b5adcca6f002ab440d616186942ce44ca3bd152 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 19 Feb 2020 11:40:34 -0600 Subject: [PATCH 45/52] init: load usb modules for devices using USB keyboard Some (out of tree) servers require use of a USB keyboard, and need the USB kernel modules loaded prior to checking for keypress to enter a recovery console. Since loading the modules affects the value in PRC5 and can cause issues putting a LUKS key in TPM, guard the loading of the USB modules with CONFIG_USB_KEYBOARD and remove the unguarded call from gui-init. This should resolve issues #603 and #674. Signed-off-by: Matt DeVillier --- initrd/bin/gui-init | 3 --- initrd/init | 5 +++++ 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 2b28fc212..757dfc9a0 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -128,9 +128,6 @@ clean_boot_check() "Clean Boot Detected - Perform OEM Factory Reset?" "$CONFIG_WARNING_BG_COLOR" } -# enable USB to load modules for external kb -enable_usb - if detect_boot_device ; then # /boot device with installed OS found clean_boot_check diff --git a/initrd/init b/initrd/init index 3bac630b2..509024bff 100755 --- a/initrd/init +++ b/initrd/init @@ -64,6 +64,11 @@ if [ ! -z "$CONFIG_BOOT_RECOVERY_SERIAL" ]; then > "$CONFIG_BOOT_RECOVERY_SERIAL" 2>&1 & fi +# load USB modules for boards using a USB keyboard +if [ "$CONFIG_USB_KEYBOARD" = "y" ]; then + enable_usb +fi + # If the user has been holding down r, enter a recovery shell # otherwise immediately start the configured boot script. # We don't print a prompt, since this is a near instant timeout. From 21faf524b9d791a75f1710ada502f21298b8fa77 Mon Sep 17 00:00:00 2001 From: Sebastian McMillan <22755892+SebastianMcMillan@users.noreply.github.com> Date: Wed, 19 Feb 2020 11:51:03 -0600 Subject: [PATCH 46/52] T420 initial support + X220 FBWhiptail Support (#578) * Add support for the Lenovo ThinkPad T420 and X220. * Fix the autodetection of ifdtool and me_cleaner. * Enable FBWhiptail mode for X220 and T420 * Decreased CBFS size to fix 50 seconds boot delay problems --- blobs/t420/extract.sh | 65 +++++++++++++++++++++++++++++++++++++ blobs/t420/layout.txt | 4 +++ blobs/t420/readme.md | 29 +++++++++++++++++ blobs/x220/extract.sh | 7 ++-- boards/t420/t420.config | 37 +++++++++++++++++++++ boards/x220/x220.config | 16 ++++++--- config/coreboot-t420.config | 25 ++++++++++++++ config/coreboot-x220.config | 7 ++-- 8 files changed, 178 insertions(+), 12 deletions(-) create mode 100755 blobs/t420/extract.sh create mode 100644 blobs/t420/layout.txt create mode 100644 blobs/t420/readme.md create mode 100644 boards/t420/t420.config create mode 100644 config/coreboot-t420.config diff --git a/blobs/t420/extract.sh b/blobs/t420/extract.sh new file mode 100755 index 000000000..e34c3f907 --- /dev/null +++ b/blobs/t420/extract.sh @@ -0,0 +1,65 @@ +#!/bin/bash + +function printusage { + echo "Usage: $0 -f -m (optional) -i (optional)" + exit 0 +} + +BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + +if [ "$#" -eq 0 ]; then printusage; fi + +while getopts ":f:m:i:" opt; do + case $opt in + f) + FILE="$OPTARG" + ;; + m) + if [ -x "$OPTARG" ]; then + MECLEAN="$OPTARG" + fi + ;; + i) + if [ -x "$OPTARG" ]; then + IFDTOOL="$OPTARG" + fi + ;; + esac +done + +if [ -z "$MECLEAN" ]; then + MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1` + if [ -z "$MECLEAN" ]; then + echo "me_cleaner.py required but not found or specified with -m. Aborting." + exit 1; + fi +fi + +if [ -z "$IFDTOOL" ]; then + IFDTOOL=`command -v $BLOBDIR/../../build/coreboot-*/util/ifdtool/ifdtool 2>&1` + if [ -z "$IFDTOOL" ]; then + echo "ifdtool required but not found or specified with -m. Aborting." + exit 1; + fi +fi + +echo "FILE: $FILE" +echo "ME: $MECLEAN" +echo "IFD: $IFDTOOL" + +bioscopy=$(mktemp) +extractdir=$(mktemp -d) + +cp "$FILE" $bioscopy + +cd "$extractdir" +$IFDTOOL -x $bioscopy +cp "$extractdir/flashregion_3_gbe.bin" "$BLOBDIR/gbe.bin" +$MECLEAN -O "$BLOBDIR/me.bin" -r -t "$extractdir/flashregion_2_intel_me.bin" +$IFDTOOL -n "$BLOBDIR/layout.txt" $bioscopy +$IFDTOOL -x $bioscopy.new +cp "$extractdir/flashregion_0_flashdescriptor.bin" "$BLOBDIR/ifd.bin" + +rm "$bioscopy" +rm "$bioscopy.new" +rm -r "$extractdir" diff --git a/blobs/t420/layout.txt b/blobs/t420/layout.txt new file mode 100644 index 000000000..bbd90962c --- /dev/null +++ b/blobs/t420/layout.txt @@ -0,0 +1,4 @@ +00000000:00000fff fd +00018000:007fffff bios +00003000:00017fff me +00001000:00002fff gbe diff --git a/blobs/t420/readme.md b/blobs/t420/readme.md new file mode 100644 index 000000000..4a40a0528 --- /dev/null +++ b/blobs/t420/readme.md @@ -0,0 +1,29 @@ +To build for T420, we need to have the following files in this folder: +* `me.bin` - ME binary that has been stripped and truncated with me_cleaner +* `gbe.bin` - Network card blob from the original firmware +* `ifd.bin` - Flash layout file has been provided as text + +To get the binaries, start with a copy of the original Lenovo firmware image. +If you do not have one already, you can read one out from the laptops SPI flash with flashrom + +``` +flashrom -p -r original.bin +``` + +Set `` to the flashrom programmer type that you will use (for example, `linux_spi:dev=/dev/spidev0.0` on a Raspberry Pi). + +Once you have the image, the provided extraction script will extract the files needed. + +``` +./extract.sh -f +``` + +Use the options '-m' and '-i' to provide me_cleaner and ifdtool if they can not be located automatically. + +The flash layout will be automatically adjusted and the ME image cleaned and truncated. + +You can now compile the image with: + +``` +make BOARD=t420 +``` diff --git a/blobs/x220/extract.sh b/blobs/x220/extract.sh index 173ed7fc6..e34c3f907 100755 --- a/blobs/x220/extract.sh +++ b/blobs/x220/extract.sh @@ -5,6 +5,8 @@ function printusage { exit 0 } +BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + if [ "$#" -eq 0 ]; then printusage; fi while getopts ":f:m:i:" opt; do @@ -26,7 +28,7 @@ while getopts ":f:m:i:" opt; do done if [ -z "$MECLEAN" ]; then - MECLEAN=`command -v me_cleaner.py 2>&1` + MECLEAN=`command -v $BLOBDIR/../../build/coreboot-*/util/me_cleaner/me_cleaner.py 2>&1` if [ -z "$MECLEAN" ]; then echo "me_cleaner.py required but not found or specified with -m. Aborting." exit 1; @@ -34,7 +36,7 @@ if [ -z "$MECLEAN" ]; then fi if [ -z "$IFDTOOL" ]; then - IFDTOOL=`command -v ifdtool 2>&1` + IFDTOOL=`command -v $BLOBDIR/../../build/coreboot-*/util/ifdtool/ifdtool 2>&1` if [ -z "$IFDTOOL" ]; then echo "ifdtool required but not found or specified with -m. Aborting." exit 1; @@ -47,7 +49,6 @@ echo "IFD: $IFDTOOL" bioscopy=$(mktemp) extractdir=$(mktemp -d) -BLOBDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" cp "$FILE" $bioscopy diff --git a/boards/t420/t420.config b/boards/t420/t420.config new file mode 100644 index 000000000..5b2946248 --- /dev/null +++ b/boards/t420/t420.config @@ -0,0 +1,37 @@ +# Configuration for a T420 running Qubes and other OS, T420 is identical to X230 on the Linux Side of things. +export CONFIG_COREBOOT=y +CONFIG_COREBOOT_CONFIG=config/coreboot-t420.config +CONFIG_LINUX_CONFIG=config/linux-x230.config + +CONFIG_CRYPTSETUP=y +CONFIG_FLASHROM=y +CONFIG_FLASHTOOLS=y +CONFIG_GPG2=y +CONFIG_KEXEC=y +CONFIG_UTIL_LINUX=y +CONFIG_LVM2=y +CONFIG_MBEDTLS=y +CONFIG_PCIUTILS=y +CONFIG_POPT=y +CONFIG_QRENCODE=y +CONFIG_TPMTOTP=y +CONFIG_DROPBEAR=y + +CONFIG_CAIRO=y +CONFIG_FBWHIPTAIL=y + +CONFIG_LINUX_USB=y +CONFIG_LINUX_E1000E=y + +export CONFIG_TPM=y +export CONFIG_BOOTSCRIPT=/bin/gui-init +export CONFIG_BOOT_REQ_HASH=n +export CONFIG_BOOT_REQ_ROLLBACK=n +export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off" +export CONFIG_BOOT_KERNEL_REMOVE="quiet" +export CONFIG_BOOT_DEV="/dev/sda1" +export CONFIG_BOOT_GUI_MENU_NAME="ThinkPad T420 Heads Boot Menu" +export CONFIG_USB_BOOT_DEV="/dev/sdb1" +export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" +export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" +export FLASHROM_OPTIONS='--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios' diff --git a/boards/x220/x220.config b/boards/x220/x220.config index f731c0e68..39b21751a 100644 --- a/boards/x220/x220.config +++ b/boards/x220/x220.config @@ -1,12 +1,12 @@ -# Configuration for a x220 running Qubes and other OS -# The Linux configuration is close enough to the x230 +# Configuration for a x220 running Qubes and other OS, X220 is identical to X230 on the Linux Side of things. export CONFIG_COREBOOT=y CONFIG_COREBOOT_CONFIG=config/coreboot-x220.config CONFIG_LINUX_CONFIG=config/linux-x230.config CONFIG_CRYPTSETUP=y CONFIG_FLASHROM=y -CONFIG_GPG=y +CONFIG_FLASHTOOLS=y +CONFIG_GPG2=y CONFIG_KEXEC=y CONFIG_UTIL_LINUX=y CONFIG_LVM2=y @@ -17,15 +17,21 @@ CONFIG_QRENCODE=y CONFIG_TPMTOTP=y CONFIG_DROPBEAR=y +CONFIG_CAIRO=y +CONFIG_FBWHIPTAIL=y + CONFIG_LINUX_USB=y CONFIG_LINUX_E1000E=y -export CONFIG_BOOTSCRIPT=/bin/generic-init export CONFIG_TPM=y +export CONFIG_BOOTSCRIPT=/bin/gui-init export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n -export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" +export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off" export CONFIG_BOOT_KERNEL_REMOVE="quiet" export CONFIG_BOOT_DEV="/dev/sda1" +export CONFIG_BOOT_GUI_MENU_NAME="ThinkPad X220 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" +export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" +export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" export FLASHROM_OPTIONS='--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios' diff --git a/config/coreboot-t420.config b/config/coreboot-t420.config new file mode 100644 index 000000000..dfce0080d --- /dev/null +++ b/config/coreboot-t420.config @@ -0,0 +1,25 @@ +CONFIG_LOCALVERSION="heads" +CONFIG_ANY_TOOLCHAIN=y +# CONFIG_INCLUDE_CONFIG_FILE is not set +# CONFIG_COLLECT_TIMESTAMPS is not set +CONFIG_USE_BLOBS=y +CONFIG_MEASURED_BOOT=y +CONFIG_VENDOR_LENOVO=y +CONFIG_CBFS_SIZE=0x700000 +CONFIG_ONBOARD_VGA_IS_PRIMARY=y +CONFIG_HAVE_IFD_BIN=y +CONFIG_HAVE_ME_BIN=y +CONFIG_HAVE_GBE_BIN=y +CONFIG_IFD_BIN_PATH="../../blobs/t420/ifd.bin" +CONFIG_ME_BIN_PATH="../../blobs/t420/me.bin" +CONFIG_BOARD_LENOVO_T420=y +CONFIG_DRIVERS_PS2_KEYBOARD=y +CONFIG_NO_POST=y +CONFIG_GBE_BIN_PATH="../../blobs/t420/gbe.bin" +CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 +CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y +CONFIG_PAYLOAD_LINUX=y +CONFIG_PAYLOAD_FILE="../../build/t420/bzImage" +CONFIG_LINUX_COMMAND_LINE="quiet" +CONFIG_LINUX_INITRD="../../build/t420/initrd.cpio.xz" +CONFIG_DEBUG_SMM_RELOCATION=y diff --git a/config/coreboot-x220.config b/config/coreboot-x220.config index 5671c71ba..ab22774a7 100644 --- a/config/coreboot-x220.config +++ b/config/coreboot-x220.config @@ -5,7 +5,7 @@ CONFIG_ANY_TOOLCHAIN=y CONFIG_USE_BLOBS=y CONFIG_MEASURED_BOOT=y CONFIG_VENDOR_LENOVO=y -CONFIG_CBFS_SIZE=0x7e8000 +CONFIG_CBFS_SIZE=0x700000 CONFIG_ONBOARD_VGA_IS_PRIMARY=y CONFIG_HAVE_IFD_BIN=y CONFIG_HAVE_ME_BIN=y @@ -15,12 +15,11 @@ CONFIG_ME_BIN_PATH="../../blobs/x220/me.bin" CONFIG_BOARD_LENOVO_X220=y CONFIG_DRIVERS_PS2_KEYBOARD=y CONFIG_NO_POST=y -CONFIG_CHECK_ME=y CONFIG_GBE_BIN_PATH="../../blobs/x220/gbe.bin" +#CONFIG_DEBUG_TPM=y CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 -CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="../../build/x220/bzImage" -CONFIG_LINUX_COMMAND_LINE="quiet" +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" CONFIG_LINUX_INITRD="../../build/x220/initrd.cpio.xz" CONFIG_DEBUG_SMM_RELOCATION=y From 28fedf9a7e6040fabd323f16a4166099e24f6c38 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 19 Feb 2020 13:28:15 -0600 Subject: [PATCH 47/52] modules/libremkey-hotp-verification: make reproducible Modeled after modules/tpmtotp, use a specific git commit hash for module libremkey-hotp-verification. Add hidapi as a submodule with dummy/placeholder in modules (like coreboot-blobs), also specified by git commit hash. Adjust libremkey-hotp-verification patch file name so patch applied properly. Addresses issue #640 Test: build Librem 13v4 Signed-off-by: Matt DeVillier --- modules/hidapi | 2 ++ modules/libremkey-hotp-verification | 23 ++++++++++++++++--- ...6a7a1950226d0ef94e2eeed0ffb510eba89.patch} | 0 3 files changed, 22 insertions(+), 3 deletions(-) create mode 100644 modules/hidapi rename patches/{libremkey-hotp-verification.patch => libremkey-hotp-verification-e5fa36a7a1950226d0ef94e2eeed0ffb510eba89.patch} (100%) diff --git a/modules/hidapi b/modules/hidapi new file mode 100644 index 000000000..0a0ab5b10 --- /dev/null +++ b/modules/hidapi @@ -0,0 +1,2 @@ +# empty placeholder file +# This submodule is defined in modules/libremkey-hotp-verification diff --git a/modules/libremkey-hotp-verification b/modules/libremkey-hotp-verification index c8339df41..1a943847a 100644 --- a/modules/libremkey-hotp-verification +++ b/modules/libremkey-hotp-verification @@ -2,9 +2,11 @@ modules-$(CONFIG_LIBREMKEY) += libremkey-hotp-verification libremkey-hotp-verification_depends := libusb $(musl_dep) -libremkey-hotp-verification_version := git -libremkey-hotp-verification_dir := libremkey-hotp-verification -libremkey-hotp-verification_repo := --recursive https://github.com/Nitrokey/nitrokey-hotp-verification +libremkey-hotp-verification_version := e5fa36a7a1950226d0ef94e2eeed0ffb510eba89 +libremkey-hotp-verification_dir := libremkey-hotp-verification-$(libremkey-hotp-verification_version) +libremkey-hotp-verification_tar := nitrokey-hotp-verification-$(libremkey-hotp-verification_version).tar.gz +libremkey-hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(libremkey-hotp-verification_version).tar.gz +libremkey-hotp-verification_hash := 668113ebc21cc875d49266c8d3a47acfd524a8d6b64f75b7ce5833d595415469 libremkey-hotp-verification_target := \ $(MAKE_JOBS) \ @@ -18,3 +20,18 @@ libremkey-hotp-verification_configure := \ INSTALL="$(INSTALL)" \ CROSS="$(CROSS)" \ cmake -DCMAKE_TOOLCHAIN_FILE=./Toolchain-heads.cmake -DCMAKE_AR="$(CROSS)ar" . + +libremkey-hotp-verification_depends += hidapi +modules-y += hidapi + +hidapi_version := e5ae0d30a523c565595bdfba3d5f2e9e1faf0bd0 +hidapi_dir := libremkey-hotp-verification-$(libremkey-hotp-verification_version)/hidapi +hidapi_tar := hidapi-$(hidapi_version).tar.xz +hidapi_url := https://github.com/Nitrokey/hidapi/archive/$(hidapi_version).tar.gz +hidapi_hash := acc2a5089a8917085c2b3ebe9446065a21c760ba7e13cb54917043c4122188e0 + + +## hidapi will be built as part of libremkey-hotp-verification +## so nothing to do here (but need make to be happy) +hidapi_output := .built +hidapi_configure := echo -e 'all:\n\ttouch .built' > Makefile diff --git a/patches/libremkey-hotp-verification.patch b/patches/libremkey-hotp-verification-e5fa36a7a1950226d0ef94e2eeed0ffb510eba89.patch similarity index 100% rename from patches/libremkey-hotp-verification.patch rename to patches/libremkey-hotp-verification-e5fa36a7a1950226d0ef94e2eeed0ffb510eba89.patch From 62f180d0983ceed06bc948d44e184fd75111f79a Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Wed, 19 Feb 2020 16:33:43 -0500 Subject: [PATCH 48/52] Flash.sh cleanup: Fix FLASHROM_OPTIONS -> CONFIG_FLASHROM_OPTIONS to be exported by Makefile --- boards/kgpe-d16/kgpe-d16.config | 2 +- boards/librem13v2/librem13v2.config | 2 +- boards/librem13v4/librem13v4.config | 2 +- boards/librem15v3/librem15v3.config | 2 +- boards/librem15v4/librem15v4.config | 2 +- boards/t420/t420.config | 2 +- boards/x220/x220.config | 2 +- boards/x230-flash/x230-flash.config | 2 +- boards/x230/x230.config | 2 +- initrd/bin/flash.sh | 10 +++++----- 10 files changed, 14 insertions(+), 14 deletions(-) diff --git a/boards/kgpe-d16/kgpe-d16.config b/boards/kgpe-d16/kgpe-d16.config index 40c5f737e..d34aa60c5 100644 --- a/boards/kgpe-d16/kgpe-d16.config +++ b/boards/kgpe-d16/kgpe-d16.config @@ -30,5 +30,5 @@ export CONFIG_BOOT_KERNEL_REMOVE="" export CONFIG_BOOT_DEV="/dev/sda1" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" -export FLASHROM_OPTIONS='--force --noverify -p internal' +export CONFIG_FLASHROM_OPTIONS="--force --noverify -p internal" #export CONFIG_BOOT_STATIC_IP=192.168.1.2 diff --git a/boards/librem13v2/librem13v2.config b/boards/librem13v2/librem13v2.config index 0e562f4f4..515bd7737 100644 --- a/boards/librem13v2/librem13v2.config +++ b/boards/librem13v2/librem13v2.config @@ -35,4 +35,4 @@ export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 13v2 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" -export FLASHROM_OPTIONS='-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq' +export CONFIG_FLASHROM_OPTIONS="-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq" diff --git a/boards/librem13v4/librem13v4.config b/boards/librem13v4/librem13v4.config index f76dd3280..ece2fc5c5 100644 --- a/boards/librem13v4/librem13v4.config +++ b/boards/librem13v4/librem13v4.config @@ -35,4 +35,4 @@ export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 13v2 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" -export FLASHROM_OPTIONS='-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq' +export CONFIG_FLASHROM_OPTIONS="-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq" diff --git a/boards/librem15v3/librem15v3.config b/boards/librem15v3/librem15v3.config index d4d47163a..9174b50c6 100644 --- a/boards/librem15v3/librem15v3.config +++ b/boards/librem15v3/librem15v3.config @@ -37,4 +37,4 @@ export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 15v3 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" -export FLASHROM_OPTIONS='-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq' +export CONFIG_FLASHROM_OPTIONS="-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq" diff --git a/boards/librem15v4/librem15v4.config b/boards/librem15v4/librem15v4.config index 23e776711..cd9224617 100644 --- a/boards/librem15v4/librem15v4.config +++ b/boards/librem15v4/librem15v4.config @@ -37,4 +37,4 @@ export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 15v4 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" -export FLASHROM_OPTIONS='-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq' +export CONFIG_FLASHROM_OPTIONS="-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq" diff --git a/boards/t420/t420.config b/boards/t420/t420.config index 5b2946248..7d436d910 100644 --- a/boards/t420/t420.config +++ b/boards/t420/t420.config @@ -34,4 +34,4 @@ export CONFIG_BOOT_GUI_MENU_NAME="ThinkPad T420 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" -export FLASHROM_OPTIONS='--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios' +export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios" diff --git a/boards/x220/x220.config b/boards/x220/x220.config index 39b21751a..5840d8722 100644 --- a/boards/x220/x220.config +++ b/boards/x220/x220.config @@ -34,4 +34,4 @@ export CONFIG_BOOT_GUI_MENU_NAME="ThinkPad X220 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" -export FLASHROM_OPTIONS='--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios' +export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios" diff --git a/boards/x230-flash/x230-flash.config b/boards/x230-flash/x230-flash.config index e8a9abf6d..0cce66730 100644 --- a/boards/x230-flash/x230-flash.config +++ b/boards/x230-flash/x230-flash.config @@ -17,7 +17,7 @@ CONFIG_LINUX_E1000E=y export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_BOOTSCRIPT=/bin/x230-flash.init -export FLASHROM_OPTIONS='--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios' +export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios" # This board is "special" in that we only want the top 4 MB of the ROM # for flashing into SPI flash 1 on the mainboard. This is enough to diff --git a/boards/x230/x230.config b/boards/x230/x230.config index acbf3dbae..f800b6a8b 100644 --- a/boards/x230/x230.config +++ b/boards/x230/x230.config @@ -34,7 +34,7 @@ export CONFIG_BOOT_GUI_MENU_NAME="Thinkpad X230 Heads Boot Menu" export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" -export FLASHROM_OPTIONS='--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios' +export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios" # This board has two SPI flash chips, an 8 MB that holds the IFD, # the ME image and part of the coreboot image, and a 4 MB one that diff --git a/initrd/bin/flash.sh b/initrd/bin/flash.sh index f73bda98d..d82d43b71 100755 --- a/initrd/bin/flash.sh +++ b/initrd/bin/flash.sh @@ -6,7 +6,7 @@ set -e -o pipefail . /etc/functions . /tmp/config -case "$FLASHROM_OPTIONS" in +case "$CONFIG_FLASHROM_OPTIONS" in -* ) echo "Board $CONFIG_BOARD detected, continuing..." ;; @@ -18,11 +18,11 @@ esac flash_rom() { ROM=$1 if [ "$READ" -eq 1 ]; then - flashrom $FLASHROM_OPTIONS -r "${ROM}.1" \ + flashrom $CONFIG_FLASHROM_OPTIONS -r "${ROM}.1" \ || die "$ROM: Read failed" - flashrom $FLASHROM_OPTIONS -r "${ROM}.2" \ + flashrom $CONFIG_FLASHROM_OPTIONS -r "${ROM}.2" \ || die "$ROM: Read failed" - flashrom $FLASHROM_OPTIONS -r "${ROM}.3" \ + flashrom $CONFIG_FLASHROM_OPTIONS -r "${ROM}.3" \ || die "$ROM: Read failed" if [ `sha256sum ${ROM}.[123] | cut -f1 -d ' ' | uniq | wc -l` -eq 1 ]; then mv ${ROM}.1 $ROM @@ -44,7 +44,7 @@ flash_rom() { cbfs -o /tmp/${CONFIG_BOARD}.rom -a serial_number -f /tmp/serial fi - flashrom $FLASHROM_OPTIONS -w /tmp/${CONFIG_BOARD}.rom \ + flashrom $CONFIG_FLASHROM_OPTIONS -w /tmp/${CONFIG_BOARD}.rom \ || die "$ROM: Flash failed" fi } From 30b098bfacd08a5877a7f7c25f85345844481aa5 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 19 Feb 2020 16:27:57 -0600 Subject: [PATCH 49/52] gui-init: fix checking librem key card-status Commit 6b5adcca moved the call to enable_usb from gui-init to init and guarded it with CONFIG_USB_KEYBOARD, but it was missed that this is needed for the clean boot check logic when a librem key is used. Add the call back to gui-init and guard it properly Test: clean_boot_detect works properly on a librem 13v4 Signed-off-by: Matt DeVillier --- initrd/bin/gui-init | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init index 757dfc9a0..1ac0273f8 100755 --- a/initrd/bin/gui-init +++ b/initrd/bin/gui-init @@ -118,8 +118,11 @@ clean_boot_check() [ $GPG_KEY_COUNT -ne 0 ] && return # check for USB security token - if ! gpg --card-status > /dev/null ; then - return + if [ "$CONFIG_LIBREMKEY" = "y" ]; then + enable_usb + if ! gpg --card-status > /dev/null ; then + return + fi fi # OS is installed, no kexec files present, no GPG keys in keyring, security token present From 83a67d27988ae1663b0b5fa2092778035f286dd6 Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 19 Feb 2020 14:15:27 -0600 Subject: [PATCH 50/52] oem-factory-reset: fix GPG key backup filename fix $GPG_GEN_KEY getting clobbered when using a custom password Signed-off-by: Matt DeVillier --- initrd/bin/oem-factory-reset | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset index fcd2b1066..2628eed91 100755 --- a/initrd/bin/oem-factory-reset +++ b/initrd/bin/oem-factory-reset @@ -316,6 +316,10 @@ gpg --list-keys >/dev/null 2>&1 echo -e "\nResetting GPG Key...\n(this will take a minute or two)\n" gpg_key_reset +# parse name of generated key +GPG_GEN_KEY=`grep -A1 pub /tmp/gpg_card_edit_output | tail -n1 | sed -nr 's/^([ ])*//p'` +PUBKEY="/tmp/${GPG_GEN_KEY}.asc" + if [ "$CUSTOM_PASS" != "" ]; then echo -e "\nChanging default GPG Admin PIN\n" gpg_key_change_pin "3" "$ADMIN_PIN_DEF" "$CUSTOM_PASS" @@ -327,9 +331,6 @@ fi ## export generated key to USB echo -e "\nExporting generated key to USB...\n" -# parse name of generated key -GPG_GEN_KEY=`grep -A1 pub /tmp/gpg_card_edit_output | tail -n1 | sed -nr 's/^([ ])*//p'` -PUBKEY="/tmp/${GPG_GEN_KEY}.asc" # export pubkey to file if ! gpg --export --armor $GPG_GEN_KEY > "${PUBKEY}" 2>/tmp/error ; then ERROR=$(tail -n 1 /tmp/error) From 3165ba60f6d6262e8890b3821a0ea01c6924b805 Mon Sep 17 00:00:00 2001 From: Sebastian McMillan <22755892+SebastianMcMillan@users.noreply.github.com> Date: Wed, 19 Feb 2020 19:03:31 -0600 Subject: [PATCH 51/52] Update coreboot-t420.config Fix Screen Garble --- config/coreboot-t420.config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/coreboot-t420.config b/config/coreboot-t420.config index dfce0080d..82095d22a 100644 --- a/config/coreboot-t420.config +++ b/config/coreboot-t420.config @@ -20,6 +20,6 @@ CONFIG_CONSOLE_CBMEM_BUFFER_SIZE=0x80000 CONFIG_DEFAULT_CONSOLE_LOGLEVEL_5=y CONFIG_PAYLOAD_LINUX=y CONFIG_PAYLOAD_FILE="../../build/t420/bzImage" -CONFIG_LINUX_COMMAND_LINE="quiet" +CONFIG_LINUX_COMMAND_LINE="intel_iommu=igfx_off quiet loglevel=3" CONFIG_LINUX_INITRD="../../build/t420/initrd.cpio.xz" CONFIG_DEBUG_SMM_RELOCATION=y From 1bd93d66790075403ca193417b11e21d2eb2447b Mon Sep 17 00:00:00 2001 From: Matt DeVillier Date: Wed, 19 Feb 2020 22:16:39 -0600 Subject: [PATCH 52/52] Eliminate use of CONFIG_USB_BOOT_DEV mount-usb switched to dynamic USB device detection a while back, so eliminate instances of CONFIG_BOOT_USB_DEV, and derive the mounted USB device from /etc/mtab in the one place where it's actually needed (usb-scan). Clean up areas around calls to mount-usb for clarity/readability. Addresses issue #673 Test: Build Librem 13v4, boot ISO file on USB Signed-off-by: Matt DeVillier --- boards/kgpe-d16/kgpe-d16.config | 1 - boards/leopard/leopard.config | 1 - boards/librem13v2/librem13v2.config | 1 - boards/librem13v4/librem13v4.config | 1 - boards/librem15v3/librem15v3.config | 1 - boards/librem15v4/librem15v4.config | 1 - boards/qemu-coreboot/qemu-coreboot.config | 1 - boards/qemu-linuxboot/qemu-linuxboot.config | 1 - boards/r630/r630.config | 1 - boards/s2600wf/s2600wf.config | 1 - boards/t420/t420.config | 1 - boards/tioga/tioga.config | 1 - boards/winterfell/winterfell.config | 1 - boards/x220/x220.config | 1 - boards/x230-flash/x230-flash.config | 1 - boards/x230/x230.config | 1 - initrd/bin/flash-gui.sh | 12 +++++------- initrd/bin/gpg-gui.sh | 12 +++++------- initrd/bin/usb-scan | 4 +++- initrd/init | 3 --- 20 files changed, 13 insertions(+), 34 deletions(-) diff --git a/boards/kgpe-d16/kgpe-d16.config b/boards/kgpe-d16/kgpe-d16.config index d34aa60c5..072f36ac8 100644 --- a/boards/kgpe-d16/kgpe-d16.config +++ b/boards/kgpe-d16/kgpe-d16.config @@ -28,7 +28,6 @@ export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_KERNEL_ADD="nohz=on console=ttyS1,115200n8 " export CONFIG_BOOT_KERNEL_REMOVE="" export CONFIG_BOOT_DEV="/dev/sda1" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_BOOT_RECOVERY_SERIAL="/dev/ttyS0" export CONFIG_FLASHROM_OPTIONS="--force --noverify -p internal" #export CONFIG_BOOT_STATIC_IP=192.168.1.2 diff --git a/boards/leopard/leopard.config b/boards/leopard/leopard.config index d0471623c..672ed47f8 100644 --- a/boards/leopard/leopard.config +++ b/boards/leopard/leopard.config @@ -42,7 +42,6 @@ export CONFIG_TPM=n export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_DEV="/dev/sda1" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" $(build)/$(BOARD)/linuxboot.rom: linuxboot.intermediate diff --git a/boards/librem13v2/librem13v2.config b/boards/librem13v2/librem13v2.config index 515bd7737..2d3f3aca2 100644 --- a/boards/librem13v2/librem13v2.config +++ b/boards/librem13v2/librem13v2.config @@ -32,7 +32,6 @@ export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" export CONFIG_BOOT_KERNEL_REMOVE="" export CONFIG_BOOT_DEV="/dev/nvme0n1p1" export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 13v2 Heads Boot Menu" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" export CONFIG_FLASHROM_OPTIONS="-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq" diff --git a/boards/librem13v4/librem13v4.config b/boards/librem13v4/librem13v4.config index ece2fc5c5..e1a4bbc09 100644 --- a/boards/librem13v4/librem13v4.config +++ b/boards/librem13v4/librem13v4.config @@ -32,7 +32,6 @@ export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" export CONFIG_BOOT_KERNEL_REMOVE="" export CONFIG_BOOT_DEV="/dev/nvme0n1p1" export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 13v2 Heads Boot Menu" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" export CONFIG_FLASHROM_OPTIONS="-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq" diff --git a/boards/librem15v3/librem15v3.config b/boards/librem15v3/librem15v3.config index 9174b50c6..2580e15b1 100644 --- a/boards/librem15v3/librem15v3.config +++ b/boards/librem15v3/librem15v3.config @@ -34,7 +34,6 @@ export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" export CONFIG_BOOT_KERNEL_REMOVE="" export CONFIG_BOOT_DEV="/dev/nvme0n1p1" export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 15v3 Heads Boot Menu" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" export CONFIG_FLASHROM_OPTIONS="-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq" diff --git a/boards/librem15v4/librem15v4.config b/boards/librem15v4/librem15v4.config index cd9224617..107be0325 100644 --- a/boards/librem15v4/librem15v4.config +++ b/boards/librem15v4/librem15v4.config @@ -34,7 +34,6 @@ export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on" export CONFIG_BOOT_KERNEL_REMOVE="" export CONFIG_BOOT_DEV="/dev/nvme0n1p1" export CONFIG_BOOT_GUI_MENU_NAME="Purism Librem 15v4 Heads Boot Menu" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" export CONFIG_FLASHROM_OPTIONS="-p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq" diff --git a/boards/qemu-coreboot/qemu-coreboot.config b/boards/qemu-coreboot/qemu-coreboot.config index 1dc025692..aeb57c787 100644 --- a/boards/qemu-coreboot/qemu-coreboot.config +++ b/boards/qemu-coreboot/qemu-coreboot.config @@ -49,7 +49,6 @@ export CONFIG_BOOTSCRIPT=/bin/generic-init export CONFIG_TPM=n export CONFIG_BOOT_DEV="/dev/sda1" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" #run: coreboot.intermediate run: diff --git a/boards/qemu-linuxboot/qemu-linuxboot.config b/boards/qemu-linuxboot/qemu-linuxboot.config index 730ce633d..4a9a3317d 100644 --- a/boards/qemu-linuxboot/qemu-linuxboot.config +++ b/boards/qemu-linuxboot/qemu-linuxboot.config @@ -36,7 +36,6 @@ export CONFIG_BOOTSCRIPT_NETWORK=/bin/network-init-recovery export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_DEV="/dev/sda1" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_BOOT_STATIC_IP=10.0.2.15 # You can ssh into the qemu instance by running diff --git a/boards/r630/r630.config b/boards/r630/r630.config index 23c8d43b5..8f24f0573 100644 --- a/boards/r630/r630.config +++ b/boards/r630/r630.config @@ -28,4 +28,3 @@ export CONFIG_BOOTSCRIPT=/bin/generic-init export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_DEV="/dev/sda1" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" diff --git a/boards/s2600wf/s2600wf.config b/boards/s2600wf/s2600wf.config index 8af985110..2c810da0f 100644 --- a/boards/s2600wf/s2600wf.config +++ b/boards/s2600wf/s2600wf.config @@ -40,4 +40,3 @@ export CONFIG_BOOTSCRIPT=/bin/generic-init export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_DEV="/dev/sda1" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" diff --git a/boards/t420/t420.config b/boards/t420/t420.config index 7d436d910..ea4406424 100644 --- a/boards/t420/t420.config +++ b/boards/t420/t420.config @@ -31,7 +31,6 @@ export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off" export CONFIG_BOOT_KERNEL_REMOVE="quiet" export CONFIG_BOOT_DEV="/dev/sda1" export CONFIG_BOOT_GUI_MENU_NAME="ThinkPad T420 Heads Boot Menu" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios" diff --git a/boards/tioga/tioga.config b/boards/tioga/tioga.config index f1144254e..af16c1ce7 100644 --- a/boards/tioga/tioga.config +++ b/boards/tioga/tioga.config @@ -43,7 +43,6 @@ export CONFIG_TPM=n export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_DEV="/dev/sda1" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" $(build)/$(BOARD)/linuxboot.rom: linuxboot.intermediate diff --git a/boards/winterfell/winterfell.config b/boards/winterfell/winterfell.config index 8e457c6b5..b49421c2f 100644 --- a/boards/winterfell/winterfell.config +++ b/boards/winterfell/winterfell.config @@ -42,7 +42,6 @@ export CONFIG_TPM=n export CONFIG_BOOT_REQ_HASH=n export CONFIG_BOOT_REQ_ROLLBACK=n export CONFIG_BOOT_DEV="/dev/sda1" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" #$(build)/$(BOARD)/linuxboot.rom: $(build)/$(linuxboot_dir)/ diff --git a/boards/x220/x220.config b/boards/x220/x220.config index 5840d8722..3af04149e 100644 --- a/boards/x220/x220.config +++ b/boards/x220/x220.config @@ -31,7 +31,6 @@ export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off" export CONFIG_BOOT_KERNEL_REMOVE="quiet" export CONFIG_BOOT_DEV="/dev/sda1" export CONFIG_BOOT_GUI_MENU_NAME="ThinkPad X220 Heads Boot Menu" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios" diff --git a/boards/x230-flash/x230-flash.config b/boards/x230-flash/x230-flash.config index 0cce66730..5530ba27a 100644 --- a/boards/x230-flash/x230-flash.config +++ b/boards/x230-flash/x230-flash.config @@ -15,7 +15,6 @@ CONFIG_LINUX_CONFIG=config/linux-x230-flash.config CONFIG_LINUX_USB=y CONFIG_LINUX_E1000E=y -export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_BOOTSCRIPT=/bin/x230-flash.init export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios" diff --git a/boards/x230/x230.config b/boards/x230/x230.config index f800b6a8b..ad49270eb 100644 --- a/boards/x230/x230.config +++ b/boards/x230/x230.config @@ -31,7 +31,6 @@ export CONFIG_BOOT_KERNEL_ADD="intel_iommu=on intel_iommu=igfx_off" export CONFIG_BOOT_KERNEL_REMOVE="quiet" export CONFIG_BOOT_DEV="/dev/sda1" export CONFIG_BOOT_GUI_MENU_NAME="Thinkpad X230 Heads Boot Menu" -export CONFIG_USB_BOOT_DEV="/dev/sdb1" export CONFIG_WARNING_BG_COLOR="--background-gradient 0 0 0 150 125 0" export CONFIG_ERROR_BG_COLOR="--background-gradient 0 0 0 150 0 0" export CONFIG_FLASHROM_OPTIONS="--force --noverify-all -p internal:laptop=force_I_want_a_brick,ich_spi_mode=hwseq --ifd --image bios" diff --git a/initrd/bin/flash-gui.sh b/initrd/bin/flash-gui.sh index 8a4e05b9a..c8cbd364b 100755 --- a/initrd/bin/flash-gui.sh +++ b/initrd/bin/flash-gui.sh @@ -7,16 +7,14 @@ set -e -o pipefail mount_usb(){ # Mount the USB boot device if ! grep -q /media /proc/mounts ; then - mount-usb "$CONFIG_USB_BOOT_DEV" && USB_FAILED=0 || USB_FAILED=1 + mount-usb && USB_FAILED=0 || USB_FAILED=1 if [ $USB_FAILED -ne 0 ]; then - if [ ! -e "$CONFIG_USB_BOOT_DEV" ]; then - whiptail --title 'USB Drive Missing' \ - --msgbox "Insert your USB drive and press Enter to continue." 16 60 USB_FAILED=0 - mount-usb "$CONFIG_USB_BOOT_DEV" || USB_FAILED=1 - fi + whiptail --title 'USB Drive Missing' \ + --msgbox "Insert your USB drive and press Enter to continue." 16 60 + mount-usb && USB_FAILED=0 || USB_FAILED=1 if [ $USB_FAILED -ne 0 ]; then whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Mounting /media Failed' \ - --msgbox "Unable to mount $CONFIG_USB_BOOT_DEV" 16 60 + --msgbox "Unable to mount USB device" 16 60 fi fi fi diff --git a/initrd/bin/gpg-gui.sh b/initrd/bin/gpg-gui.sh index c7d179e33..9ab70b6cc 100755 --- a/initrd/bin/gpg-gui.sh +++ b/initrd/bin/gpg-gui.sh @@ -7,16 +7,14 @@ set -e -o pipefail mount_usb(){ # Mount the USB boot device if ! grep -q /media /proc/mounts ; then - mount-usb "$CONFIG_USB_BOOT_DEV" || USB_FAILED=1 + mount-usb && USB_FAILED=0 || USB_FAILED=1 if [ $USB_FAILED -ne 0 ]; then - if [ ! -e "$CONFIG_USB_BOOT_DEV" ]; then - whiptail --title 'USB Drive Missing' \ - --msgbox "Insert your USB drive and press Enter to continue." 16 60 USB_FAILED=0 - mount-usb "$CONFIG_USB_BOOT_DEV" || USB_FAILED=1 - fi + whiptail --title 'USB Drive Missing' \ + --msgbox "Insert your USB drive and press Enter to continue." 16 60 + mount-usb && USB_FAILED=0 || USB_FAILED=1 if [ $USB_FAILED -ne 0 ]; then whiptail $CONFIG_ERROR_BG_COLOR --title 'ERROR: Mounting /media Failed' \ - --msgbox "Unable to mount $CONFIG_USB_BOOT_DEV" 16 60 + --msgbox "Unable to mount USB device" 16 60 fi fi fi diff --git a/initrd/bin/usb-scan b/initrd/bin/usb-scan index 4d576555c..a9debdf5c 100755 --- a/initrd/bin/usb-scan +++ b/initrd/bin/usb-scan @@ -15,6 +15,8 @@ if ! grep -q /media /proc/mounts ; then mount-usb "$CONFIG_USB_BOOT_DEV" \ || die "Unable to mount /media" fi +# Get USB boot device +USB_BOOT_DEV=$(grep "/media" /etc/mtab | cut -f 1 -d' ') # Check for ISO first get_menu_option() { @@ -72,7 +74,7 @@ if [ `cat /tmp/iso_menu.txt | wc -l` -gt 0 ]; then if [ -n "$option" ]; then MOUNTED_ISO=$option ISO=${option:7} # remove /media/ to get device relative path - kexec-iso-init $MOUNTED_ISO $ISO $CONFIG_USB_BOOT_DEV + kexec-iso-init $MOUNTED_ISO $ISO $USB_BOOT_DEV die "Something failed in iso init" fi diff --git a/initrd/init b/initrd/init index 509024bff..40063deaa 100755 --- a/initrd/init +++ b/initrd/init @@ -97,9 +97,6 @@ combine_configs if [ ! -z "$CONFIG_BOOT_DEV" ]; then echo >> /etc/fstab "$CONFIG_BOOT_DEV /boot auto defaults,ro 0 0" fi -if [ ! -z "$CONFIG_USB_BOOT_DEV" ]; then - echo >> /etc/fstab "$CONFIG_USB_BOOT_DEV /media auto defaults,ro 0 0" -fi if [ ! -x "$CONFIG_BOOTSCRIPT" -a ! -x "$CONFIG_BOOTSCRIPT_NETWORK" ]; then recovery 'Boot script missing? Entering recovery shell'