
Enable cryptsetup2 on all maximized boards

Open tlaurion opened this issue 3 years ago • 2 comments

Thanks to @walliams for reporting that some maximized boards were still on cryptsetup1 (so a TPM Disk encryption key cannot be defined under Heads for Qubes 4.1).

  • [x] This is based on #1178 which should be merged first. This should be rebased on master before merging.

tlaurion avatar Jun 23 '22 20:06 tlaurion

@williams So we see that t520 maximized boards cannot be bumped to cryptsetup2 without additional work: pruning the kernel and/or building with optimization for space (-Os).

So turning into draft.

tlaurion avatar Jun 23 '22 22:06 tlaurion

Master now has cryptsetup added for all xx30 boards, which are not so short on SPI space.

xx20 boards require kernel cleanup and -O2 to -Os optimization for space in modules.

tlaurion avatar Sep 20 '22 14:09 tlaurion

As of today, only the following (mostly untested) boards do not have cryptsetup2:


```
user@heads-tests:~/heads$ grep -Rn CRYPTSETUP boards/ | grep -v CRYPTSETUP2
grep: boards/qemu-coreboot-whiptail-tpm1/qemu-coreboot-whiptail-tpm1.mdboards/kgpe-d16_workstation/kgpe-d16_workstation.config:25:CONFIG_CRYPTSETUP=y
boards/r630/r630.config:10:#CONFIG_CRYPTSETUP=y
boards/kgpe-d16_server-whiptail/kgpe-d16_server-whiptail.config:27:CONFIG_CRYPTSETUP=y
boards/kgpe-d16_server/kgpe-d16_server.config:25:CONFIG_CRYPTSETUP=y
boards/t520-maximized/t520-maximized.config:18:CONFIG_CRYPTSETUP=y
boards/qemu-linuxboot/qemu-linuxboot.config:12:CONFIG_CRYPTSETUP=y
: No such file or directory
boards/winterfell/winterfell.config:19:#CONFIG_CRYPTSETUP=y
boards/tioga/tioga.config:19:#CONFIG_CRYPTSETUP=y
boards/leopard/leopard.config:17:#CONFIG_CRYPTSETUP=y
boards/t520-hotp-maximized/t520-hotp-maximized.config:18:CONFIG_CRYPTSETUP=y
boards/s2600wf/s2600wf.config:18:#CONFIG_CRYPTSETUP=y
boards/kgpe-d16_workstation-usb_keyboard/kgpe-d16_workstation-usb_keyboard.config:21:CONFIG_CRYPTSETUP=y
```

So t520 is still not compliant with other xx30 boards, and #1386 is a pinned issue since that board has no board owner. My kgpe-d16 is not passing memory training as of today. I may have bad RAM or a bad CPU; I have not had time to investigate the issue. As for linuxboot supported platforms, issues need to be fixed, including pinning of the linuxboot module to a certain commit and making sure edk2 is compiling. First step would be to have a linuxboot qemu instance compiling and working there, but all of this is irrelevant to this ticket.

Updating OP.

tlaurion avatar May 01 '23 15:05 tlaurion
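
The `grep` listing in the last comment mixes boards that enable cryptsetup1 with boards where the line is commented out, and it also reports a path it could not open. As an added example (not code from this issue or from the Heads project), the sketch below classifies each board config separately. It assumes cryptsetup2 is enabled by an uncommented `CONFIG_CRYPTSETUP2=y` line; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# audit_cryptsetup DIR: print "<status> <board>" for every DIR/<board>/*.config.
# status is cryptsetup2, cryptsetup1, or none (absent or commented out).
# Assumption: the modules are enabled by uncommented CONFIG_CRYPTSETUP2=y /
# CONFIG_CRYPTSETUP=y lines, as the grep output in the thread suggests.
audit_cryptsetup() {
    boards_dir=$1
    for cfg in "$boards_dir"/*/*.config; do
        # Only regular, readable config files are opened; other paths
        # (docs, dangling links, an unmatched glob) are skipped.
        [ -f "$cfg" ] || continue
        board=$(basename "$(dirname "$cfg")")
        if grep -Eq '^[[:space:]]*CONFIG_CRYPTSETUP2=y' "$cfg"; then
            status=cryptsetup2
        elif grep -Eq '^[[:space:]]*CONFIG_CRYPTSETUP=y' "$cfg"; then
            status=cryptsetup1      # still needs the bump
        else
            status=none             # e.g. "#CONFIG_CRYPTSETUP=y"
        fi
        printf '%s %s\n' "$status" "$board"
    done
}

# make_sample_boards DIR: constructed sample tree, not the real repository.
# "sample-xx30-maximized" is a hypothetical board name.
make_sample_boards() {
    d=$1
    mkdir -p "$d/sample-xx30-maximized" "$d/t520-maximized" "$d/r630"
    printf 'CONFIG_CRYPTSETUP2=y\n' > "$d/sample-xx30-maximized/sample-xx30-maximized.config"
    printf 'CONFIG_CRYPTSETUP=y\n'  > "$d/t520-maximized/t520-maximized.config"
    printf '#CONFIG_CRYPTSETUP=y\n' > "$d/r630/r630.config"
}

# Demo: list only the boards that are not on cryptsetup2.
tmp=$(mktemp -d)
make_sample_boards "$tmp/boards"
audit_cryptsetup "$tmp/boards" | grep -v '^cryptsetup2 '
rm -rf "$tmp"
```

Run against a real checkout with `audit_cryptsetup boards`; boards reported as `cryptsetup1` are the ones this issue tracks, while `none` marks boards where disk-unlock support is disabled altogether.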