Closed
… passing: -j8 --load-average=12 from current Makefile helper Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Coreboot version bump 24.02.01 -> 24.12 for most board + Thinkpad T480 addition (coreboot upstream in WiP state)
Board name was changed due to being untested. It still builds, so the packages still sync to mirrors for now. Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
…d-talos-2 bin/seed_package_mirror.sh: Update talos-2 -> UNTESTED_talos-2
tlaurion
requested changes
Mar 16, 2025
…d because replaced by t480-hotp-maximized by error) Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…_back_x230-hotp-maximized bugfix: readd x230-hotp-maximized board build in CircleCI (was dropped because replaced by t480-hotp-maximized by error)
…ives call hierarchy, fix HOTP resealing only on OS reinstall, clarify TPM increment workflow Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…hecksums. Warn user prior of effectively booting (shows console warning, wait 2s then reboot) Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…red,yellow,green) Signed-off-by: Thierry Laurion <insurgo@riseup.net>
… prompt for recovery shell access, state where debug logs are in centralized way
Note for linuxboot#1888: warn in code is used mostly to actually warn user of something requiring his attention, and pausing for 2 seconds.
Goal is:
die: blocking: tell user that something failed, requiring acknowledgement for corrective actions.
warn: display "WARNING:" prepended messages which pauses for 2 seconds prior to continuing. This is not an error, nor INFO
INFO: gives a trace to the user when in QUIET mode, under /tmp/debug.log related to core components output, typically related to measurements traces.
Consequently, putting what is currently under warn->INFO would be console silenced.
We want to get rid of manual "echo +++++" messages.
So it seems we lack what is currently named INFO to go into measurement_log, and INFO (green), warn (yellow) and die (red) messages to console.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
… being set: observed in fbwhiptail-tpm2-hotp-prod_quiet
991 root 3272 S {gui-init} /bin/bash /bin/gui-init
2024 root 2792 S {kexec-select-bo} /bin/bash /bin/kexec-select-boot -
2025 root 1364 S sha256sum -c /tmp/kexec/kexec_default_hashes.txt
2105 root 2068 S /bin/bash
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…. Logs for first under usb.raw to check against HOTP reseal Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…view.coreboot.org https://review.coreboot.org is having HTTPS issue. Reported on coreboot matrix channel, but need to build. Log from CircleCI failing when trying to pull deguard: https://app.circleci.com/pipelines/github/tlaurion/heads/3267/workflows/588f8aeb-4d73-4f71-9e6e-fd286e46353e/jobs/66442/parallel-runs/0/steps/0-111 Reasoning: We might dislike GitHub, but when comes maintaining a project and using free systems for bandwidth and CI because no money, we need to rely on systems that don't randomly fall. Using github does that purpose here Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…built Fixes linuxboot#1948 Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…eview bugfix: modules/coreboot + blobs/xx80: rely on github for git, not review.coreboot.org
… still pointing to old musl-cross-make
First layer cache of CircleCI is reused when second cache is invalidated: that is, to not compile musl-cross-make from source for x86/ppc64 at each build when any other thing changed under Heads.
Unfortunately, linuxboot#1947 was incomplete in that regard, as shown per build:
- last save cache step https://app.circleci.com/pipelines/github/tlaurion/heads/3270/workflows/07dee00e-926e-4023-b8a7-669078e6ef31/jobs/66483
- first layer cache saving https://app.circleci.com/pipelines/github/tlaurion/heads/3270/workflows/07dee00e-926e-4023-b8a7-669078e6ef31/jobs/66483
- Warning: could not archive /root/heads/build/ppc64/musl-cross-make-38e52db8358c043ae82b346a2e6e66bc86a53bc1 - Not found
- Warning: could not archive /root/heads/build/x86/musl-cross-make-38e52db8358c043ae82b346a2e6e66bc86a53bc1 - Not found
It is also irrelevant to bind first layer cache with .circleci/config.yml, nor Makefile related changes. After all the first layer is related to reusing musl-cross-make to reduce build times on CI
Therefore, only flake.lock and modules/musl-cross-make is relevant to be part of hashed files that should not change to construct/reuse that cache
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…cache-fix_musl-cross-make CircleCI: first layer cache: musl-cross-make+packages downloaded, was still pointing to old musl-cross-make
…titions detection Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…optional. Change Questionnaire and validate size properly Fixes linuxboot#1949 Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…ng reset_nk3_secret_app, so HOTP PIN not set to GPG PIN when that feature is used (not really used it seems) Fixes linuxboot#1951 Signed-off-by: Thierry Laurion <insurgo@riseup.net>
… GPG User PIN, GPG Admin PIN, Secrets app PIN Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…ed on git repo now
Repro:
sudo sed -i 's/# CONFIG_USE_BLOBS is not set/CONFIG_USE_BLOBS=y/g' config/coreboot-*
sudo git restore config/coreboot-kgpe-d16_server.config config/coreboot-kgpe-d16_workstation-usb_keyboard.config config/coreboot-kgpe-d16_workstation.config
./docker_repro.sh
find ./boards/ -type d | awk -F "/" {'print $3'} | while read board; do make BOARD=$board coreboot.save_in_oldconfig_format_in_place; done
Test @miczyg1 hypothesis from linuxboot#1940 (comment)
- We use git repo for coreboot 24.12 as opposed to tarball for previous 22.04.01
- 3rdparty microcode git submodule might be empty for some reason if not instructed to be synced by kconfig
- TODO: Review linuxboot#1940 (comment)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…O: ") Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…obs_on_2412_boards_coreboot_configs Add kconfig to use blobs on 24.12 boards coreboot configs and proper build output to console
…s_detection BUGFIXes : luks-functions + oem-factory-reset: fix logic for nvme/non-nvme based LUKS partitions checks + Force GPG Comment under oem-factory-reset + reset nk3 secrets app when in-memory keygen
…n dev cycle helpers Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…tion and recovery shell, populated in init repro from within Heads: source /etc/functions ec_version v540tu: 2024-07-17_4ae73b9 v4x_adl: 1.07.02 Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Clarify that PR0 is implemented in all forks while not merged upstream Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Remove board tester upon request, fix typo on tlaurio Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…bles
fdisk -l can’t be trusted inside Heads’ initrd: busybox limits it to
2 TiB and parsing its output is fragile.
Changes relative to origin/master:
* add new function disk_info_sysfs() in initrd/etc/functions
– walks /sys/block, skips partition entries, and computes a byte
count (preferring blockdev --getsize64, otherwise size*512)
– converts to decimal GB, switching to TB for ≥1000 GB
* update show_system_info() (gui_functions & oem‑system‑info‑xx30) to call the
helper and no longer invoke `fdisk -l` for size output
* add TRACE_FUNC/DEBUG logging around the helper invocation
Tested in qemu/debian‑13/PureOS; only the size line differs, other behaviour
is identical to master.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
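An added sketch of the sysfs approach this commit message describes (not the Heads `disk_info_sysfs()` code). The function names, the two directory parameters, the `partition`-attribute test and the exact output format are assumptions made so the logic can be exercised against a constructed tree:

```shell
#!/bin/sh
# Added illustration; not the Heads implementation.

# format_disk_size BYTES -> "N GB" below 1000 GB, "N.N TB" at or above.
# Decimal units (10^9 / 10^12), integer arithmetic only.
format_disk_size() {
	bytes=$1
	gb=$((bytes / 1000000000))
	if [ "$gb" -ge 1000 ]; then
		tenths=$((bytes / 100000000000))
		echo "$((tenths / 10)).$((tenths % 10)) TB"
	else
		echo "${gb} GB"
	fi
}

# list_disk_sizes [SYSBLOCK_DIR] [DEV_DIR]
# Directory arguments are hypothetical hooks for offline testing.
list_disk_sizes() {
	sysblock=${1:-/sys/block}
	devdir=${2:-/dev}
	for entry in "$sysblock"/*; do
		[ -d "$entry" ] || continue
		# Partitions expose a "partition" attribute in sysfs; whole disks do not.
		[ -e "$entry/partition" ] && continue
		name=${entry##*/}
		bytes=""
		# Preferred source: ask the kernel for the byte count directly.
		if [ -b "$devdir/$name" ] && command -v blockdev >/dev/null 2>&1; then
			bytes=$(blockdev --getsize64 "$devdir/$name" 2>/dev/null) || bytes=""
		fi
		# Fallback: sysfs "size" is always in 512-byte units.
		if [ -z "$bytes" ]; then
			[ -r "$entry/size" ] || continue
			sectors=""
			read -r sectors <"$entry/size" || [ -n "$sectors" ] || continue
			# Reject anything that is not a plain decimal number.
			case $sectors in '' | *[!0-9]*) continue ;; esac
			bytes=$((sectors * 512))
		fi
		[ "$bytes" -gt 0 ] || continue
		echo "$name: $(format_disk_size "$bytes")"
	done
}

# Constructed sample tree: a 512 GB disk, a 4 TB disk (beyond the 2 TiB
# limit mentioned above) and one partition entry that must be skipped.
demo() {
	tmp=$(mktemp -d) || return 1
	mkdir -p "$tmp/sys/disk0" "$tmp/sys/disk1" "$tmp/sys/disk1p1" "$tmp/dev"
	echo 1000215216 >"$tmp/sys/disk0/size"
	echo 7814037168 >"$tmp/sys/disk1/size"
	echo 2048 >"$tmp/sys/disk1p1/size"
	echo 1 >"$tmp/sys/disk1p1/partition"
	list_disk_sizes "$tmp/sys" "$tmp/dev"
	rm -rf "$tmp"
}

demo
```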
… enabled Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Compared to HEAD^, this commit updates initrd root-hash probing in:
- initrd/bin/root-hashes-gui.sh
- initrd/etc/functions
Behavior expected to work:
- Root-hash create/verify flow on latest Ubuntu, Debian, and PureOS under KVM.
- LUKS/LVM root probing based on mountability + expected root directory checks.
- Clear unsupported-layout whiptail guidance for unsupported filesystem/layout combinations.
Current status and non-goals:
- Fedora and QubesOS are untested in this change set.
- QubesOS on coreboot q35 with Heads still does not support qemu/kvm; no regression is implied.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…er comparison guidance Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Introduces a maintainable structure for keeping distro signing keys under initrd/etc/distro/keys/ up to date:
    bin/update_distro_signing_key/lib/helper.sh -- shared logic
    bin/update_distro_signing_key/tails.sh -- Tails
    bin/update_distro_signing_key/archlinux.sh -- Arch Linux
    bin/update_distro_signing_key/qubes.sh -- Qubes OS 4.2/4.3/weekly
    bin/update_distro_signing_keys.sh -- meta: runs all scripts
The meta script auto-discovers all *.sh in update_distro_signing_key/; adding a new distro only requires adding one script there.
Exit codes of the meta script:
    0 all keys up to date, no action needed
    1 one or more keys changed (review with git diff, then commit)
    2 one or more per-distro scripts failed (download/import error)
The helper normalizes each key with:
    --export-options export-minimal,export-clean
    --export-filter drop-subkey=expired -gt 0 || usage !~ s
Only the primary key and non-expired signing subkeys are kept -- no encryption, authentication, or expired subkeys.
The helper also reports primary key expiry with days remaining, and emits a color-coded warning (yellow) when expiry is within 365 days (one full release cycle) or red if already expired -- so rotations are caught before they ship in a release and break users in the field.
All gpg calls use --batch to prevent interactive prompts in CI. git diff uses -C flag to avoid cd side-effects. qubes.sh propagates the highest exit code across all three key updates. GPG work is done in a mktemp directory wiped via trap on EXIT.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Re-export both keys through the new update_distro_signing_key scripts to strip non-signing subkeys (encryption, authentication) and expired subkeys that had accumulated in the in-tree copies. Only the primary key and currently-valid signing subkeys are retained.
    archlinux.key: 1168B -> 673B (495B saved, auth+encrypt subkeys removed)
    tails.key: 21282B -> 7376B (13906B saved, expired+non-signing subkeys removed)
Qubes OS keys (4.2, 4.3, weekly builds) were already minimal -- no change.
Fixes linuxboot#2066.
This class of manual update has been needed repeatedly in the past and was caught late each time, causing distro ISO verification failures in the field for Tails and other supported distros:
    linuxboot#1808 (issue: Tails key expired, ISOs unbootable)
    linuxboot#1631 (PR: update tails.key, replay of manual steps)
    linuxboot#1809 (PR: replay of linuxboot#1631 for next Tails rotation)
    linuxboot#2000 (PR: Tails 7.0 key, same manual process again)
    linuxboot#1457 (PR: Arch Linux key update)
    linuxboot#2033 (PR: Qubes OS 4.3 key addition)
TODO: wire bin/update_distro_signing_keys.sh into CI (e.g. a scheduled workflow) so upstream key rotations are detected automatically before they break users.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Use git mv for all script renames for proper tracking.
Renamed files:
- initrd/bin: cbfs-init, generic-init, gpgv, gui-init, gui-init-basic, kexec-boot, kexec-insert-key, kexec-iso-init, kexec-parse-bls, kexec-parse-boot, kexec-save-default, kexec-save-key, kexec-seal-key, kexec-select-boot, kexec-sign-config, kexec-unseal-key, key-init, lock_chip, media-scan, mount-usb, network-init-recovery, oem-factory-reset, oem-system-info-xx30, poweroff, qubes-measure-luks, reboot, seal-hotpkey, seal-totp, tpm-reset, tpmr, uefi-init, unseal-hotp, unseal-totp, usb-init, wipe-totp
- initrd/etc: functions, gui_functions, luks-functions
- initrd: mount-boot
- initrd/sbin: insmod
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Add initrd/etc/dongle-versions with USB security dongle firmware version constants (firmware versions, VID:PID) used by OEM reset and firmware display. Add initrd/etc/gpg_functions.sh with shared GPG functions factored out of gpg-gui.sh for reusability across scripts. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
- functions.sh: Add detect_usb_security_dongle_branding() to identify dongle type by USB VID:PID. Add hotpkey_fw_display() for firmware version display. Add whiptail wrapper functions (whiptail_error, whiptail_info, whiptail_yesno).
- gui_functions.sh: Add whiptail wrapper functions for consistent UI.
- luks-functions.sh: Add luks_tpm_reseal_prompt() to guide users to reseal TPM after LUKS modifications.
- init: Add CBMEM console capture before PCR extensions for measuring_trace.log. Add STATUS messages for boot progress. Add boot script respawn loop. Improve quiet mode messaging.
- mount-boot.sh, sbin/*: Various consistency updates.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
This is the core commit of PR linuxboot#2068. It introduces:
Integrity gating (gui-init.sh):
- gate_reseal_with_integrity_report(): blocks reseal/reset unless /boot integrity is confirmed; set INTEGRITY_GATE_REQUIRED=y on TOTP/HOTP failure to trigger the gate before any signing or secret-sealing
- report_integrity_measurements(): shows /boot hash state (OK/CHANGED/UNKNOWN)
- investigate_integrity_discrepancies(): guided flow when hashes mismatch, letting the user inspect changed files before deciding to re-sign
- tpm_reset_required() guard in update_checksums() and gate_reseal_with_integrity_report(): forces TPM reset before signing if the rollback counter is broken/absent
- LUKS_PARTITION_DETECTED reuse to distinguish "no /boot" from "no OS" and route user to the correct recovery path
Dongle branding (gui-init.sh, oem-factory-reset.sh, gpg-gui.sh):
- DONGLE_BRAND set from detect_usb_security_dongle_branding() (VID:PID); displayed in menu headers, HOTP prompts and error messages
- hotpkey_fw_display() called for firmware version in HOTP prompts
- oem-factory-reset.sh: STATUS messages use DONGLE_BRAND; adds Nitrokey 3 Secrets app reset
GPG / kexec signing:
- gpg-gui.sh: refactored to use shared gpg_functions.sh
- kexec-seal-key.sh: LUKS DUK setup with per-device unlock validation, partial-device handling, and 3-attempt recovery
- kexec-unseal-key.sh: STATUS/WARN output for unlock flow
General:
- config-gui.sh, flash-gui.sh: improved prompts and error handling
- All scripts: tabs indentation, die() -> DIE()
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
- Add Canokey QEMU USB (20a0:42d4) to detect_usb_security_dongle_branding() with debug logging
- Display Nitrokey 3 firmware version in hotpkey_fw_display(); warn when firmware is below the minimum supported version
- Re-detect DONGLE_BRAND in cache_gpg_signing_pin() after GPG card is confirmed present; fixes generic 'USB security dongle' label when dongle enumerates after the initial detection in gui-init.sh
- Combine DONGLE_BRAND assignment and export into a single line
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
- Add prod_quiet board variants to QEMU coreboot configs
- Fix cpio dependency tracking to correctly rebuild initrd when root files change
- Sync board configs and root file references
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
- Add documentation under doc/ for architecture, boot process, building, configuring keys, development, Docker, FAQ, GPG, keys, logging, prerequisites, QEMU, recovery shell, security model, TPM, UX patterns
- gpg.md: add GPG Command Requirements section documenting scdaemon PIN caching behaviour and keytocard slot syntax; remove stale example showing ADMIN_PIN_DEF repeated for every subkey
- configuring-keys.md: fix key generation step ordering (TPM reset before key generation, LUKS changes first, TOTP/HOTP sealing happens on first normal boot after reset -- not during OEM Factory Reset)
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
… NK3 Secrets app PIN
- Auto-adjust RSA key size based on dongle type; show firmware version before reset; add firmware-aware RSA keygen timing guidance
- Fix GPG signing failure by clearing scdaemon CCID lock before signing
- Fix keytocard 'Invalid command': remove spurious echo arguments from RSA subkey generation and keytocard operations (scdaemon caches card admin PIN after first keytocard; stale ADMIN_PIN_DEF was landing at keyedit.prompt causing 'No user ID with index 12345678')
- Fix set_card_identity sending ADMIN_PIN_DEF to cardedit.prompt after name/login commands (scdaemon caches admin PIN; no re-prompt needed)
- Fix ECC P-256 encryption subkey generation: remove invalid 'echo Q' (option 12 skips capabilities menu, goes straight to curve selection)
- Use DONGLE_BRAND variable in GPG User PIN prompt for consistent branding
- Label ADMIN_PIN as 'NK3 Secrets app PIN / GPG Admin PIN' when Nitrokey 3 is detected, in all user-facing prompts and status messages
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…hell respawn Signed-off-by: Thierry Laurion <insurgo@riseup.net>
When a passphrase is supplied (--pass) and multiple USB partitions are present, scan for the one LUKS partition and mount it automatically. This removes the need for the user to manually pick the correct partition when using the GPG key-material backup thumb drive, which always has two partitions: a LUKS-encrypted private partition and an exFAT public one. If exactly one LUKS partition is found it is selected silently; if zero or more than one LUKS partition is found the existing interactive menu is shown as before, so the behavior is unchanged for all other cases. Remove the now-redundant WARN in cache_gpg_signing_pin that instructed the user to select the encrypted LUKS partition manually. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
The prompt_tpm_owner_password() function sets tpm_owner_passphrase variable, but tpm2_seal was using an unset tpm_owner_password variable instead. This caused evictcontrol to fail with auth error (0x9A2) since no passphrase was being passed to the TPM command. Also standardizes all user-facing strings and variables to use 'passphrase' instead of 'password' for TPM owner auth, including the cache file path. Fixes regression introduced in commit 16648ca. Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Not all distros have /bin/bash, use env to get bash from the PATH Signed-off-by: Daniel Schaefer <git@danielschaefer.me>
…ecks
- Add HEADS_FORCE_DOCKER_REBUILD=1 to force rebuild from flake.nix/flake.lock
- Delete cached nix store result when forcing rebuild
- Add --print-build-logs to nix build for visibility
- Use docker load -i instead of docker load < for consistency
- Improve reproducibility check: explain config vs manifest digests
- Show method used (registry+jq, registry+sed, or pulled)
- Add tip to install jq and curl for faster registry checks
- Add get_remote_manifest_digest() with correct Docker Hub URL format
- Update doc/docker.md explaining config vs manifest digests
- Normalize indentation to tabs across docker scripts
- Use script-relative paths for deterministic nix build (--out-link)
- Add shared _parse_docker_image helper for consistent registry parsing
- Handle localhost as registry hostname (not Docker Hub)
Fixes:
- local result_target declaration in force rebuild
- handle regular file case for result (not just symlink)
- use printf instead of echo in hash computation
- fall back to shasum when sha256sum unavailable
- ensure temp directory cleanup on all paths
- handle @digest references in get_remote_manifest_digest
- restrict sha256 regex to exactly 64 hex chars
- use remote_method instead of hardcoded message
- Docker Hub URL uses sha256-{digest} not sha256:{digest}
- fix regex in get_remote_config_digest: use \. not \. for dot matching
- remove unused get_local_manifest_digest function
- move End marker to actual end points
- distinguish fetch_failed from mismatch in fallback message
- update documentation mismatch example to match current output
- check curl availability in get_remote_config_digest
- only show Docker Hub URL for Docker Hub images
- add curl availability check to get_remote_manifest_digest
- fix readlink -f fallback to use quoted variable
- fix pin-and-run.sh: strip :tag before appending @digest for valid Docker ref
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
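Three of the reference-handling points listed in this commit message (strip `:tag` before appending `@digest`, accept only a 64-hex-char sha256, treat `localhost` as a registry host) shown as an added example; this is not the project's `_parse_docker_image` or `pin-and-run.sh` code. The function names `pin_image_ref` and `image_registry`, the image names and the all-zero digest are constructed for illustration, and lowercase-only hex is an assumption:

```shell
#!/bin/sh
# Added illustration; not the Heads docker helper scripts.

# pin_image_ref REF DIGEST -> prints REPO@DIGEST, returns 1 on bad input.
pin_image_ref() {
	ref=$1
	digest=$2
	# Accept only "sha256:" followed by exactly 64 lowercase hex characters,
	# so a truncated or padded value can never end up in a pinned reference.
	hex=${digest#sha256:}
	[ "$hex" != "$digest" ] || return 1
	[ "${#hex}" -eq 64 ] || return 1
	case $hex in *[!0-9a-f]*) return 1 ;; esac
	# Drop any digest already attached to the reference.
	ref=${ref%%@*}
	# A tag is a colon in the LAST path component only. A colon before a
	# slash is a registry port (localhost:5000/...) and must be kept.
	last=${ref##*/}
	case $last in
		*:*) ref=${ref%:*} ;;
	esac
	[ -n "$ref" ] || return 1
	echo "$ref@$digest"
}

# image_registry REF -> registry host, or docker.io when none is given.
# Docker's rule: the first path component is a registry only if it is
# "localhost" or contains a dot or a colon.
image_registry() {
	ref=${1%%@*}
	case $ref in
		*/*) first=${ref%%/*} ;;
		*)
			echo docker.io
			return 0
			;;
	esac
	case $first in
		localhost | *.* | *:*) echo "$first" ;;
		*) echo docker.io ;;
	esac
}

# Constructed inputs: hypothetical image names and an all-zero digest.
sample_digest="sha256:$(printf '%064d' 0)"
pin_image_ref "localhost:5000/example/heads-build:v1" "$sample_digest"
image_registry "localhost:5000/example/heads-build:v1"
image_registry "example/heads-build:v1"
```

Stripping the tag with a plain "cut at the first colon" would turn `localhost:5000/example/heads-build:v1` into `localhost@sha256:...`, which is why the tag test looks only at the last path component.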
- Add 5 missing docs to the documentation table (prerequisites, faq, keys, development, build-freshness)
- Add note that Docker provides swtpm and canokey for full software testing without specialized hardware
- Add troubleshooting links to faq and build-freshness
- Fix component list: add musl-cross-make (was missing), correct 'musl-libc' misconception, clarify not exhaustive
- Improve clarity throughout
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
…codebase
The NK3 uses 'Secrets app' terminology and has 8 PIN retry attempts (vs 3 for older devices), but the codebase had inconsistent UX messaging that referred to 'GPG Admin PIN', 'USB security dongle', 'TOKEN', etc. instead of the actual brand and PIN type.
Fix 1: PIN label - $prompt_message is used in all user-facing strings (status, prompts, error messages, reminder note) with correct value: 'Secrets app' for NK3, 'GPG Admin' for older devices.
Fix 2: Dynamic attempt counting - after the default PIN trial consumes an attempt, re-read the counter and limit user attempts to min(retries-1, 3). If the counter read is unreliable (0 or 1), fall back to 3 attempts so the user is never blocked from sealing. Documented with example outcomes for NK3 (8 retries) and pre-NK3 (3 retries).
Fix 3: NK3-specific error message now references 'Secrets app PIN' instead of 'GPG Admin PIN' in the PIN reset instructions.
Fix 4: Use $DONGLE_BRAND consistently in all USB security dongle messaging (STATUS, prompts, dialog titles, guidance strings, integrity report, DEBUG logs, error messages, NOTES) instead of hardcoded 'USB security dongle', 'OpenPGP signing card', 'GPG security dongle', 'dongle', 'signing card', 'Dongle key'. Also replaces 'TOKEN' in hotp_state/hotp_display with $DONGLE_BRAND so integrity report shows actual brand (e.g. 'Nitrokey 3 PRESENT' instead of 'TOKEN PRESENT').
Fix 5: Centralize branding detection in standalone script entry points:
- gui-init.sh: already detects at boot flow entry (line ~965)
- oem-factory-reset.sh: added detection at script start (was missing)
- confirm_gpg_card: detects for gpg-gui.sh and kexec-sign-config.sh
- report_integrity_measurements: detects for hotp/gpg flow
- seal-hotpkey.sh: has its own detection at script start
Fix 6: detect_usb_security_dongle_branding now guards against redundant re-detection while preserving USB init safety: it skips USB re-init and lsusb re-scan only when a specific DONGLE_BRAND is already set and _USB_ENABLED=y in the current process. In child scripts that inherit DONGLE_BRAND but reset _USB_ENABLED, it still runs enable_usb, then returns without re-scan if branding is already specific.
Fix 7: Comment casing fix in oem-factory-reset.sh (Secrets App -> Secrets app) to match user-facing strings and hotp_verification output.
Fix 8: Remove duplicate show_pin_retries call before PIN entry loop in seal-hotpkey.sh. The function was being called twice before the first prompt (once before the loop, once at loop start), showing 'Nitrokey 3 Secrets app PIN retries remaining: 8' twice.
Fix 9: Clarify and enforce fast-path behavior for detect_usb_security_dongle_branding in mixed parent/child script contexts: avoid redundant module loads and scans in the same process, but do not skip USB initialization when only branding is inherited.
Fix 10: detect_usb_security_dongle_branding now reuses wait_for_usb_devices after enable_usb only when USB was not already initialized in the current process. This avoids early lsusb enumeration races without regressing the no-redundant-load/no-re-scan fast path.
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Add coreboot-15h module pointing to the AGESA-based 15h fork:
    repo: https://git.15h.org/mrothfuss/coreboot-15h.git
    branch: 4.11_wip-tpm
    commit: 1afdea5572e4908c51c5b4bed43fcdc2a98fd768
Builds its own toolchain (not reusing coreboot 4.11 buildstack).
Move all four kgpe-d16 boards out of unmaintained_boards/ to boards/:
    git mv unmaintained_boards/UNMAINTAINED_kgpe-d16_workstation boards/kgpe-d16_workstation
    git mv unmaintained_boards/UNMAINTAINED_kgpe-d16_workstation-usb_keyboard boards/kgpe-d16_workstation-usb_keyboard
    git mv unmaintained_boards/UNMAINTAINED_kgpe-d16_server boards/kgpe-d16_server
    git mv unmaintained_boards/UNMAINTAINED_kgpe-d16_server-whiptail boards/kgpe-d16_server-whiptail
Save all four coreboot configs in defconfig format:
    ./docker_repro.sh make BOARD=kgpe-d16_workstation coreboot.save_in_defconfig_format_in_place
    ./docker_repro.sh make BOARD=kgpe-d16_workstation-usb_keyboard coreboot.save_in_defconfig_format_in_place
    ./docker_repro.sh make BOARD=kgpe-d16_server coreboot.save_in_defconfig_format_in_place
    ./docker_repro.sh make BOARD=kgpe-d16_server-whiptail coreboot.save_in_defconfig_format_in_place
Enable TPM measured boot via menuconfig for kgpe-d16 boards.
Update kgpe-d16 server and workstation coreboot configs to use 15h fork.
circleci: add fam15h build jobs with standalone x86-musl-cross-make dep.
doc/BOARDS_AND_TESTERS.md: note KGPE-D16 revived via 15h fork.
Signed-off-by: arhabd <arhabodey@proton.me>
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
superseded by #2092
tlaurion added a commit that referenced this pull request Apr 23, 2026
- Add coreboot-15h module pointing to AGESA-based 15h fork
- Move kgpe-d16 boards from UNMAINTAINED to maintained
- Add TPM1 and TPM2 board variants with proper coreboot configs
- Add defconfig and oldconfig helper targets documentation
- Update CircleCI config to build kgpe-d16 boards
- Add board documentation referencing 15h.org wiki
Supersedes #1931
Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Supersedes #1929