diff --git a/README.md b/README.md new file mode 100644 index 0000000..70fb540 --- /dev/null +++ b/README.md @@ -0,0 +1,2 @@ + +sudo qubes-dom0-update python3-dnf-plugin-post-transaction-actions \ No newline at end of file diff --git a/build.sh b/build.sh index abe3086..439c163 100644 --- a/build.sh +++ b/build.sh @@ -1,4 +1,6 @@ -#!/bin/bash +#!/usr/bin/env bash + + # use TERM to exit on error trap "exit 1" TERM export TOP_PID=$$ @@ -516,18 +518,10 @@ build_coreboot() { # calculate hash of BIOS region before injecting bootorder/serial ${IFDTOOL_CB} -x ${COREBOOT_IMAGE} - bios_sha=$(sha256sum flashregion_1_bios.bin | awk '{print $1}') - rm -f flashregion*.bin # set serial set_serial_number ${COREBOOT_IMAGE} - #set boot delay - # add an 8s boot delay for the Librem Mini so splash screen - # actually shown on displays with sluggish init - if [[ ${LIBREM_MODEL^^} == "MINI"* ]]; then - ${CBFSTOOL_CB} ${COREBOOT_IMAGE} add-int -i 8000 -n etc/boot-menu-wait >/dev/null - fi # print CBFS contents ${CBFSTOOL_CB} ${COREBOOT_IMAGE} print 
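Review bot: In the second build.sh hunk, `${IFDTOOL_CB} -x ${COREBOOT_IMAGE}` still runs under the comment "calculate hash of BIOS region", but the `sha256sum` and the `rm -f flashregion*.bin` that followed it are gone. The extracted flashregion_*.bin files are therefore left behind and nothing reads them. Either drop the extraction together with the stale comment, or keep `rm -f flashregion*.bin` after it. The image path is also expanded unquoted here and in `set_serial_number ${COREBOOT_IMAGE}`; `"${COREBOOT_IMAGE}"` is safer if the path can ever contain spaces. build_coreboot starts and ends outside this hunk.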
@@ -535,56 +529,41 @@ build_coreboot() { echo "" echo "Finished building coreboot for Librem ${LIBREM_MODEL^}" echo "" - COREBOOT_BIOS_SHA="COREBOOT_BIOS_SHA_${LIBREM_MODEL^^}" - COREBOOT_BIOS_SHA=${!COREBOOT_BIOS_SHA} - if [ "${bios_sha}" != "${COREBOOT_BIOS_SHA}" ]; then - echo "WARNING: Built coreboot image hash does not match expected reproducible build hash" - echo "Built: ${bios_sha}" - echo "Expected: ${COREBOOT_BIOS_SHA}" - else - echo "Built coreboot image hash matches expected reproducible build hash" - fi + # prompt to flash echo "" - if [ ${CURRENT_FW_TYPE} != "HEADS" ]; then - flash=0 - while [ "$flash" != "y" ] && [ "$flash" != "n" ]; do - read -r -p "Do you want to flash the coreboot update now (y/N) ? " flash - if [ "$flash" = "" ] || [ "$flash" == "N" ]; then - flash="n" - fi - if [ "$flash" == "Y" ]; then - flash="y" - fi - done - if [ "$flash" == "y" ]; then - # check for / get flashrom - get_flashrom + flash=0 + while [ "$flash" != "y" ] && [ "$flash" != "n" ]; do + read -r -p "Do you want to flash the coreboot update now (y/N) ? " flash + if [ "$flash" = "" ] || [ "$flash" == "N" ]; then + flash="n" + fi + if [ "$flash" == "Y" ]; then + flash="y" + fi + done + if [ "$flash" == "y" ]; then + # check for / get flashrom + get_flashrom + echo "" + echo "coreboot flashing in progress. Do NOT interrupt this process." + echo "" + flash_firmware_internal ${COREBOOT_IMAGE} + if [ $? -eq 0 ]; then echo "" - echo "coreboot flashing in progress. Do NOT interrupt this process." + echo "You must reboot for the coreboot update to take effect." echo "" - flash_firmware_internal ${COREBOOT_IMAGE} - if [ $? -eq 0 ]; then - echo "" - echo "You must reboot for the coreboot update to take effect." - echo "" - read -r -p "Reboot now? (y/N) ? " rb - if [ "$rb" = "Y" ] || [ "$rb" == "y" ]; then - cleanup - reboot - fi + read -r -p "Reboot now? (y/N) ? 
" rb + if [ "$rb" = "Y" ] || [ "$rb" == "y" ]; then + cleanup + reboot fi - else - echo "" fi else - echo "You may now copy the coreboot update file ($COREBOOT_IMAGE) to USB for updating via Heads." echo "" - read -ep "Press [Enter] to exit." - cleanup - exit 0 fi + } check_dependencies() { diff --git a/resources/00-kernel-xen-symlink.conf b/resources/00-kernel-xen-symlink.conf new file mode 100644 index 0000000..779d8a6 --- /dev/null +++ b/resources/00-kernel-xen-symlink.conf @@ -0,0 +1,3 @@ +kernel:upgraded:/usr/bin/ln -sfn /boot/initramfs-${ver}-${rel}.fc32.qubes.${arch} +kernel:upgraded:/usr/bin/ln -sfn /boot/vmlinuz-${ver}-${rel}.fc32.qubes.${arch} +xen-hypervisor:upgraded:/usr/bin/ln -sfn /boot/xen-${ver}.gz /boot/xen-latest.gz \ No newline at end of file diff --git a/resources/dejavusansmono.pf2 b/resources/dejavusansmono.pf2 new file mode 100644 index 0000000..9ba557e Binary files /dev/null and b/resources/dejavusansmono.pf2 differ diff --git a/resources/grub.cfg b/resources/grub.cfg index e69de29..b6cd6ae 100644 --- a/resources/grub.cfg +++ b/resources/grub.cfg 
@@ -0,0 +1,144 @@
+set prefix=(memdisk)/boot/grub
+
+insmod nativedisk
+insmod usb
+insmod usbms
+insmod part_msdos
+insmod ext2
+insmod lvm
+insmod gcry_rijndael
+insmod gcry_sha256
+insmod luks
+insmod cryptodisk
+insmod gfxmenu
+insmod gfxterm_menu
+insmod gfxterm_background
+insmod chain
+insmod jpeg
+
+terminal_input --append at_keyboard
+terminal_output --append cbmemc
+
+gfxpayload=keep
+terminal_output --append gfxterm
+
+set menu_color_normal=white/black
+set menu_color_highlight=white/cyan
+
+# Default to first option, automatically boot after 1 second
+set default="0>0"
+set timeout=1
+
+# This is useful when using 'cat' on long files on GRUB terminal
+set pager=1
+
+# Set a background image from CBFS
+background_image (cbfsdisk)/background.jpg
+
+# Set DejaVu Sans Mono as the default font
+loadfont (cbfsdisk)/dejavusansmono.pf2
+
+# Default keymap
+keymap usqwerty
+
+# Users
+set superusers="admin"
+password_pbkdf2 admin #password_placeholder#
+export superusers
+
+function try_user_config {
+ set root="${1}"
+ for dir in boot grub grub2 boot/grub boot/grub2; do
+ for name in '' autoboot_ libreboot_ coreboot_; do
+ if [ -f /"${dir}"/"${name}"grub.cfg ]; then
+ unset superusers
+ configfile /"${dir}"/"${name}"grub.cfg
+ fi
+ done
+ done
+}
+
+function search_grub {
+ for i in 0 1; do
+ # raw devices
+ try_user_config "(${1}${i})"
+ for part in 1 2 3 4 5; do
+ # MBR/GPT partitions
+ try_user_config "(${1}${i},${part})"
+ done
+ done
+}
+
+function try_isolinux_config {
+ set root="${1}"
+ for dir in '' /boot; do
+ if [ -f "${dir}"/isolinux/isolinux.cfg ]; then
+ syslinux_configfile -i "${dir}"/isolinux/isolinux.cfg
+ elif [ -f "${dir}"/syslinux/syslinux.cfg ]; then
+ syslinux_configfile -s "${dir}"/syslinux/syslinux.cfg
+ fi
+ done
+}
+
+function search_isolinux {
+ for i in 0 1; do
+ # raw devices
+ try_isolinux_config "(${1}${i})"
+ for part in 1 2 3 4 5; do
+ # MBR/GPT partitions
+ try_isolinux_config "(${1}${i},${part})"
+ done
+ done
+}
+
+menuentry 'Qubes, with Xen hypervisor' --class qubes --class gnu-linux --class gnu --class os --class xen $menuentry_id_option 'xen-gnulinux-simple-/dev/mapper/qubes_dom0-root' {
+ insmod part_msdos
+ insmod ext2
+ cryptomount -a
+ set root='lvm/qubes_dom0-boot'
+ set root='hd0,msdos1'
+ if [ x$feature_platform_search_hint = xy ]; then
+ search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1' 2c68125e-e8df-4d9f-b67f-74c44a6e9873
+ else
+ search --no-floppy --fs-uuid --set=root 2c68125e-e8df-4d9f-b67f-74c44a6e9873
+ fi
+ echo 'Loading Xen..'
+ if [ "$grub_platform" = "pc" -o "$grub_platform" = "" ]; then
+ xen_rm_opts=
+ else
+ xen_rm_opts="no-real-mode edd=off"
+ fi
+ multiboot2 /xen-latest placeholder console=none dom0_mem=min:1024M dom0_mem=max:4096M ucode=scan smt=off gnttab_max_frames=2048 gnttab_max_maptrack_frames=4096 ${xen_rm_opts}
+ echo 'Loading Linux...'
+ module2 /vmlinuz-latest placeholder root=/dev/mapper/qubes_dom0-root ro rd.luks.uuid=luks-f8d0a06a-fb7a-411a-a662-4f7a6bf4931c rd.lvm.lv=qubes_dom0/root rd.lvm.lv=qubes_dom0/swap plymouth.ignore-serial-consoles i915.alpha_support=1 rd.driver.pre=btrfs rhgb quiet rd.qubes.hide_all_usb
+ echo 'Loading initial ramdisk...'
+ module2 --nounzip /initramfs-latest
+}
+
+submenu 'Search for systems on external media' {
+ menuentry 'Search ISOLINUX menu (USB)' {
+ search_isolinux usb
+ }
+ menuentry 'Search ISOLINUX menu (AHCI)' {
+ search_isolinux ahci
+ }
+ menuentry 'Search for GRUB2 configuration on external media' {
+ search_grub usb
+ }
+ menuentry 'Load test configuration (grubtest.cfg) inside of CBFS' {
+ set root='(cbfsdisk)'
+ configfile /grubtest.cfg
+ }
+ menuentry 'Chainload bootloader on external media' {
+ set root='(usb0)'
+ chainloader +1
+ }
+}
+
+menuentry 'Reboot [r]' --hotkey='r' {
+ reboot
+}
+
+menuentry 'Poweroff [p]' --hotkey='p' {
+ halt
+}
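Review bot: In the 'Qubes, with Xen hypervisor' entry, `set root='lvm/qubes_dom0-boot'` is overwritten on the very next line by `set root='hd0,msdos1'` and then again by the `search ... --set=root` call. After `cryptomount -a`, Xen, the kernel and the initramfs are therefore still read from the plain msdos1 partition, and nothing in this file checks them; the `superusers`/`password_pbkdf2` lines guard the menu, not those files. Keep a single `set root=` and add a comment stating which volume /boot is meant to live on. The filesystem UUID and the `rd.luks.uuid=` value are hard-coded for one installation; a build-time placeholder in the style of `#password_placeholder#` would avoid tying the firmware image to that disk. None of the menuentries is marked `--unrestricted`, so with `superusers` set the 1-second default boot will presumably stop at the password prompt; confirm that is intended.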