Merge remote-tracking branch 'osresearch/master' into cryptsetup_version_bump-reencryption_cleanup

Signed-off-by: Thierry Laurion <[email protected]>

Author: tlaurion

BOARD_TESTERS.md

@@ -15,21 +15,22 @@ Laptops
 
 xx20 (Sandy):
 ===
-- [ ] t420 (xx20): @alexmaloteaux @natterangell (iGPU) @akfhasodh @doob85
-- [ ] x220 (xx20): @Thrilleratplay @BlackMaria @srgrint
+- [ ] t420 (xx20): @natterangell(iGPU) @alexmaloteaux @akfhasodh @doob85
+- [ ] x220 (xx20): @srgrint @Thrilleratplay
 
 xx30 (Ivy):
 ===
 - [ ] t430 (xx30): @nestire(t430-legacy, t430-maximized) @Thrilleratplay @alexmaloteaux @lsafd @bwachter(iGPU maximized) @shamen123 @eganonoa(iGPU) @nitrosimon @jans23 @icequbes1 (iGPU) @weyounsix (t430-dgpu)
-- [ ] w530 (xx30): @eganonoa @zifxify @weyounsix (dGPU: w530-k2000m) @jnscmns (dGPU K1000M) @computer-user123 (w530 / & w530 k2000 : prefers iGPU)
+- [ ] w530 (xx30): @eganonoa @zifxify @weyounsix (dGPU: w530-k2000m) @jnscmns (dGPU K1000M) @computer-user123 (w530 / & w530 k2000 : prefers iGPU) @tlaurion
 - [ ] x230 (xx30): @nestire(x230-legacy, x230-maximized) @tlaurion(maximized) @osresearch @merge @jan23 @MrChromebox @shamen123 @eganonoa @bwachter @Thrilleratplay @jnscmns @doob85 @natterangell (x230i variant: irrelevant individual board)
 - [ ] x230-fhd/edp variant: @n4ru @computer-user123 (nitro caster board) @Tonux599 @househead @pcm720 (eDP 4.0 board and 1440p display)
+- [ ] x230t : @fhvyhjriur
 - [ ] t530 (xx30): @fhvyhjriur @3hhh (Opportunity to mainstream and close https://github.com/linuxboot/heads/issues/1682)
 
 xx4x(Haswell):
 ===
-- [ ] t440p: @ThePlexus @srgrint @akunterkontrolle @rbreslow
-- [ ] w541 (similar to t440p): @resende-gustavo @gaspar-ilom
+- [ ] t440p: @fhvyhjriur @ThePlexus @srgrint @akunterkontrolle @rbreslow
+- [ ] w541 (similar to t440p): @ResendeGHF @gaspar-ilom (Always tested late: Needs more responsive board testers or risk to become unmaintained.)
 
 Librems:
 ===
@@ -43,13 +44,13 @@ Librems:
 Clevo:
 ===
 - [ ] Nitropad NS50 (AlderLake) : @daringer
-- [ ] Nitropad NV41 (AlderLake) : @daringer, @tlaurion
+- [ ] Nitropad NV41 (AlderLake) : @tlaurion @daringer
 
 
 Desktops/Servers
 ==
-- [ ] kgpe-d16 (AMD fam15h) (dropped in coreboot 4.12): @tlaurion @Tonux599 @zifxify @arhabd
+- [ ] kgpe-d16 (AMD fam15h) (dropped in coreboot 4.12): @arhabd @Tonux599 @zifxify @tlaurion
 - [ ] Librem L1UM v1 (Broadwell): @JonathonHall-Purism
 - [ ] Librem L1Um v2 (CoffeeLake): @JonathonHall-Purism
-- [ ] Talos II (PPC64LE, Power9) : @tlaurion
+- [ ] Talos II (PPC64LE, Power9) : @tlaurion (Will become untested, no other known users, not worth my time nor effort even though massive investment of all forms)
 - [ ] z220-cmt (HP Z220 CMT): @d-wid

Makefile

@@ -604,6 +604,7 @@ bin_modules-$(CONFIG_KEXEC) += kexec
 bin_modules-$(CONFIG_TPMTOTP) += tpmtotp
 bin_modules-$(CONFIG_PCIUTILS) += pciutils
 bin_modules-$(CONFIG_FLASHROM) += flashrom
+bin_modules-$(CONFIG_FLASHPROG) += flashprog
 bin_modules-$(CONFIG_CRYPTSETUP) += cryptsetup
 bin_modules-$(CONFIG_CRYPTSETUP2) += cryptsetup2
 bin_modules-$(CONFIG_GPG) += gpg
@@ -791,15 +792,20 @@ modules.clean:
 	done
 
 board.move_untested_to_tested:
-	@echo "NEW_BOARD variable will remove UNTESTED_ prefix from $(BOARD)"
+	@echo "Moving $(BOARD) from UNTESTED to tested status"
 	@NEW_BOARD=$$(echo $(BOARD) | sed 's/^UNTESTED_//'); \
-	echo "Renaming boards/$$BOARD/$$BOARD.config to boards/$$BOARD/$$NEW_BOARD.config"; \
-	mv boards/$$BOARD/$$BOARD.config boards/$$BOARD/$$NEW_BOARD.config; \
-	echo "Renaming boards/$$BOARD to boards/$$NEW_BOARD"; \
-	rm -rf boards/$$NEW_BOARD; \
-	mv boards/$$BOARD boards/$$NEW_BOARD; \
-	echo "Replacing $$BOARD with $$NEW_BOARD in .circleci/config.yml"; \
-	sed -i "s/$$BOARD/$$NEW_BOARD/g" .circleci/config.yml
+	INCLUDE_BOARD=$$(grep "include \$$(pwd)/boards/" boards/$(BOARD)/$(BOARD).config | sed 's/.*boards\/\(.*\)\/.*/\1/'); \
+	NEW_INCLUDE_BOARD=$$(echo $$INCLUDE_BOARD | sed 's/^UNTESTED_//'); \
+	echo "Updating config file: boards/$(BOARD)/$(BOARD).config"; \
+	sed -i 's/$(BOARD)/'$${NEW_BOARD}'/g' boards/$(BOARD)/$(BOARD).config; \
+	sed -i 's/'$$INCLUDE_BOARD'/'$$NEW_INCLUDE_BOARD'/g' boards/$(BOARD)/$(BOARD).config; \
+	echo "Renaming config file to $${NEW_BOARD}.config"; \
+	mv boards/$(BOARD)/$(BOARD).config boards/$(BOARD)/$${NEW_BOARD}.config; \
+	echo "Renaming board directory to $${NEW_BOARD}"; \
+	mv boards/$(BOARD) boards/$${NEW_BOARD}; \
+	echo "Updating .circleci/config.yml"; \
+	sed -i "s/$(BOARD)/$${NEW_BOARD}/g" .circleci/config.yml; \
+	echo "Operation completed for $(BOARD) -> $${NEW_BOARD}"
 
 board.move_unmaintained_to_tested:
 	@echo "NEW_BOARD variable will remove UNMAINTAINED_ prefix from $(BOARD)"
@@ -830,13 +836,37 @@ board.move_tested_to_untested:
 	@echo "NEW_BOARD variable will add UNTESTED_ prefix to $(BOARD)"
 	@NEW_BOARD=UNTESTED_$(BOARD); \
 	rm -rf boards/$${NEW_BOARD}; \
+	echo "changing $(BOARD) name under boards/$(BOARD)/$(BOARD).config to $${NEW_BOARD}"; \
+	sed boards/$(BOARD)/$(BOARD).config 's/$(BOARD)/$${NEW_BOARD}/g'; \
 	echo "Renaming boards/$(BOARD)/$(BOARD).config to boards/$(BOARD)/$${NEW_BOARD}.config"; \
 	mv boards/$(BOARD)/$(BOARD).config boards/$(BOARD)/$${NEW_BOARD}.config; \
 	echo "Renaming boards/$(BOARD) to boards/$${NEW_BOARD}"; \
 	mv boards/$(BOARD) boards/$${NEW_BOARD}; \
-	echo "Replacing $(BOARD) with $${NEW_BOARD} in .circleci/config.yml"; \
+	echo "Replacing $(BOARD) with $${NEW_BOARD} in .circleci/config.yml"; \
 	sed -i "s/$(BOARD)/$${NEW_BOARD}/g" .circleci/config.yml
 
+board.move_tested_to_unmaintained:
+	@echo "Moving $(BOARD) from tested to unmaintained status"
+	@NEW_BOARD=UNMAINTAINED_$(BOARD); \
+	INCLUDE_BOARD=$$(grep "include \$$(pwd)/boards/" boards/$(BOARD)/$(BOARD).config | sed 's/.*boards\/\(.*\)\/.*/\1/'); \
+	NEW_INCLUDE_BOARD=UNMAINTAINED_$${INCLUDE_BOARD}; \
+	echo "Updating config file: boards/$(BOARD)/$(BOARD).config"; \
+	sed -i 's/$(BOARD)/'$${NEW_BOARD}'/g' boards/$(BOARD)/$(BOARD).config; \
+	if [ -n "$$INCLUDE_BOARD" ]; then \
+		sed -i 's/'$$INCLUDE_BOARD'/'$$NEW_INCLUDE_BOARD'/g' boards/$(BOARD)/$(BOARD).config; \
+	fi; \
+	echo "Creating unmaintained_boards directory if it doesn't exist"; \
+	mkdir -p unmaintained_boards/$${NEW_BOARD}; \
+	echo "Moving and renaming config file to unmaintained_boards/$${NEW_BOARD}/$${NEW_BOARD}.config"; \
+	mv boards/$(BOARD)/$(BOARD).config unmaintained_boards/$${NEW_BOARD}/$${NEW_BOARD}.config; \
+	echo "Moving board directory contents to unmaintained_boards/$${NEW_BOARD}"; \
+	mv boards/$(BOARD)/* unmaintained_boards/$${NEW_BOARD}/; \
+	rmdir boards/$(BOARD); \
+	echo "Updating .circleci/config.yml"; \
+	sed -i "s/$(BOARD)/$${NEW_BOARD}/g" .circleci/config.yml; \
+	echo "Operation completed for $(BOARD) -> $${NEW_BOARD}"; \
+	echo "Please manually review and remove any unnecessary entries in .circleci/config.yml"
+
 # Inject a GPG key into the image - this is most useful when testing in qemu,
 # since we can't reflash the firmware in qemu to update the keychain.  Instead,
 # inject the public key ahead of time.  Specify the location of the key with

WP_NOTES.md

@@ -0,0 +1,22 @@
+Flashrom was passed to flashprog under https://github.com/linuxboot/heads/pull/1769
+
+Those are notes for @i-c-o-n and others wanting to move WP forward but track issues and users
+
+The problem with WP is that it is desired but even if partial write protection regions is present, WP is widely unused.
+
+Some random notes since support is incomplete (depends on chips, really)
+-QDPI is problematic for WP (same IO2 PIN)
+  - Might be turned on by chipset for ME read https://matrix.to/#/!pAlHOfxQNPXOgFGTmo:matrix.org/$NCNidoPsw1ze6zv3m2jlPuGuNrdlDQmDcU81If-q55A?via=matrix.org&via=nitro.chat&via=tchncs.de
+- WP wanted, WP done, WP unused
+  - WP wanted https://github.com/flashrom/flashrom/issues/185 https://github.com/linuxboot/heads/issues/985
+  - WP done: https://github.com/linuxboot/heads/issues/1741 https://github.com/linuxboot/heads/issues/1546
+   - Documented https://docs.dasharo.com/variants/asus_kgpe_d16/spi-wp/
+  - WP still unused
+
+Alternative, as suggested by @i-c-o-n is Chipset Platform Locking (PR0) which is enforced at platform's chipset level for a boot
+- This is implemented and enforced on <= Haswell from this PR merged : https://github.com/linuxboot/heads/pull/1373
+- Non-upstreamed work has been made from @root-hardenedvault work in vaultboot downstream fork of Heads at https://github.com/hardenedvault/vaultboot/blob/master/patches/coreboot/0001-x11.patch
+- Discussion point under flashrom-> flashprog PR under https://github.com/linuxboot/heads/pull/1769/files/f8eb0a27c3dcb17a8c6fcb85dd7f03e8513798ae#r1752395865 tagging @i-c-o-n
+
+
+Not sure what is the way forward here, but lets keep this file in tree to track improvements over time.

boards/UNMAINTAINED_kgpe-d16_server-whiptail/UNMAINTAINED_kgpe-d16_server-whiptail.config

@@ -25,7 +25,7 @@ CONFIG_COREBOOT_CONFIG=config/coreboot-kgpe-d16_server-whiptail.config
 CONFIG_LINUX_CONFIG=config/linux-kgpe-d16_server-whiptail.config
 
 CONFIG_CRYPTSETUP=y
-CONFIG_FLASHROM=y
+CONFIG_FLASHPROG=y
 CONFIG_FLASHTOOLS=y
 CONFIG_GPG2=y
 CONFIG_KEXEC=y
@@ -72,5 +72,5 @@ export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_REMOVE="plymouth.ignore-serial-consoles"
 export CONFIG_BOARD_NAME="KGPE-D16 Server-whiptail"
 export CONFIG_USB_BOOT_DEV="/dev/sdb1"
-export CONFIG_FLASHROM_OPTIONS="--force --noverify -p internal"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
 #export CONFIG_BOOT_STATIC_IP=192.168.1.2

boards/UNMAINTAINED_kgpe-d16_server/UNMAINTAINED_kgpe-d16_server.config

@@ -23,7 +23,9 @@ CONFIG_COREBOOT_CONFIG=config/coreboot-kgpe-d16_server.config
 CONFIG_LINUX_CONFIG=config/linux-kgpe-d16_server.config
 
 CONFIG_CRYPTSETUP=y
-CONFIG_FLASHROM=y
+CONFIG_FLASHPROG=y
+#flashprog to support internal flashing of BMC
+CONFIG_FLASHPROG_AST1100=y
 CONFIG_FLASHTOOLS=y
 CONFIG_GPG2=y
 CONFIG_KEXEC=y
@@ -59,5 +61,5 @@ export CONFIG_BOOT_KERNEL_REMOVE="plymouth.ignore-serial-consoles"
 export CONFIG_BOARD_NAME="KGPE-D16 Server"
 export CONFIG_USB_BOOT_DEV="/dev/sdb1"
 
-export CONFIG_FLASHROM_OPTIONS="--force --noverify -p internal"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
 #export CONFIG_BOOT_STATIC_IP=192.168.1.2

boards/UNMAINTAINED_kgpe-d16_workstation-usb_keyboard/UNMAINTAINED_kgpe-d16_workstation-usb_keyboard.config

@@ -19,7 +19,7 @@ CONFIG_COREBOOT_CONFIG=config/coreboot-kgpe-d16_workstation-usb_keyboard.config
 CONFIG_LINUX_CONFIG=config/linux-kgpe-d16_workstation.config
 
 CONFIG_CRYPTSETUP=y
-CONFIG_FLASHROM=y
+CONFIG_FLASHPROG=y
 CONFIG_FLASHTOOLS=y
 CONFIG_GPG2=y
 CONFIG_KEXEC=y
@@ -67,4 +67,4 @@ export CONFIG_BOOT_REQ_ROLLBACK=n
 #export CONFIG_BOOT_KERNEL_REMOVE="plymouth.ignore-serial-consoles"
 export CONFIG_BOARD_NAME="KGPE-D16 Workstation-USB-Keyboard"
 export CONFIG_USB_BOOT_DEV="/dev/sdb1"
-export CONFIG_FLASHROM_OPTIONS="--force --noverify -p internal"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"

boards/UNMAINTAINED_kgpe-d16_workstation/UNMAINTAINED_kgpe-d16_workstation.config

@@ -23,7 +23,7 @@ CONFIG_COREBOOT_CONFIG=config/coreboot-kgpe-d16_workstation.config
 CONFIG_LINUX_CONFIG=config/linux-kgpe-d16_workstation.config
 
 CONFIG_CRYPTSETUP=y
-CONFIG_FLASHROM=y
+CONFIG_FLASHPROG=y
 CONFIG_FLASHTOOLS=y
 CONFIG_GPG2=y
 CONFIG_KEXEC=y
@@ -68,4 +68,4 @@ export CONFIG_BOOT_REQ_ROLLBACK=n
 #export CONFIG_BOOT_KERNEL_REMOVE="plymouth.ignore-serial-consoles"
 export CONFIG_BOARD_NAME="KGPE-D16 Workstation"
 export CONFIG_USB_BOOT_DEV="/dev/sdb1"
-export CONFIG_FLASHROM_OPTIONS="--force --noverify -p internal"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"

boards/librem_11/librem_11.config

@@ -7,7 +7,7 @@ export CONFIG_COREBOOT_VERSION=purism
 export CONFIG_LINUX_VERSION=6.1.8
 
 CONFIG_CRYPTSETUP2=y
-CONFIG_FLASHROM=y
+CONFIG_FLASHPROG=y
 CONFIG_FLASHTOOLS=y
 CONFIG_GPG2=y
 CONFIG_KEXEC=y
@@ -36,7 +36,7 @@ export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
 export CONFIG_BOOT_KERNEL_REMOVE=""
 export CONFIG_BOARD_NAME="Librem 11"
-export CONFIG_FLASHROM_OPTIONS="-p internal"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
 export CONFIG_USB_KEYBOARD_REQUIRED=y
 export CONFIG_AUTO_BOOT_TIMEOUT=5
 export CONFIG_ROOT_DEV="/dev/nvme0n1p2"

boards/librem_13v2/librem_13v2.config

@@ -7,7 +7,7 @@ export CONFIG_COREBOOT_VERSION=purism
 export CONFIG_LINUX_VERSION=6.1.8
 
 CONFIG_CRYPTSETUP2=y
-CONFIG_FLASHROM=y
+CONFIG_FLASHPROG=y
 CONFIG_FLASHTOOLS=y
 CONFIG_GPG2=y
 CONFIG_KEXEC=y
@@ -36,7 +36,7 @@ export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
 export CONFIG_BOOT_KERNEL_REMOVE=""
 export CONFIG_BOARD_NAME="Librem 13 v2/v3"
-export CONFIG_FLASHROM_OPTIONS="-p internal"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
 export CONFIG_AUTO_BOOT_TIMEOUT=5
 export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
 export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"

boards/librem_13v4/librem_13v4.config

@@ -7,7 +7,7 @@ export CONFIG_COREBOOT_VERSION=purism
 export CONFIG_LINUX_VERSION=6.1.8
 
 CONFIG_CRYPTSETUP2=y
-CONFIG_FLASHROM=y
+CONFIG_FLASHPROG=y
 CONFIG_FLASHTOOLS=y
 CONFIG_GPG2=y
 CONFIG_KEXEC=y
@@ -36,7 +36,7 @@ export CONFIG_BOOT_REQ_ROLLBACK=n
 export CONFIG_BOOT_KERNEL_ADD=""
 export CONFIG_BOOT_KERNEL_REMOVE=""
 export CONFIG_BOARD_NAME="Librem 13 v4"
-export CONFIG_FLASHROM_OPTIONS="-p internal"
+export CONFIG_FLASH_OPTIONS="flashprog --progress --programmer internal"
 export CONFIG_AUTO_BOOT_TIMEOUT=5
 export CONFIG_ROOT_DEV="/dev/nvme0n1p2"
 export CONFIG_ROOT_DIRLIST="bin boot lib sbin usr"